FreeCalypso > hg > freecalypso-sw
annotate doc/Compal-unlock @ 486:c8e12b7bbd0b
gsm-fw/gpf/conf/gpf_tst_drv.c: added
| author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> | 
|---|---|
| date | Sun, 29 Jun 2014 20:09:08 +0000 | 
| parents | 2d8ab1b0df8d | 
| children | 3f67d5bf96ef | 
| rev | line source | 
|---|---|
| 425 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 1 Using FreeCalypso tools to unlock Motorola C1xx phones | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 2 ====================================================== | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 3 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 4 The ultimate goal of the FreeCalypso project is to produce our own complete GSM | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 5 dumbphone firmware which We the People fully own, control and compile from | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 6 source ourselves, running at first on some selected pre-existing hardware | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 7 targets, and then ultimately on our own Free Dumb Phone hardware. While that | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 8 goal is still far past the visible horizon, what can we do in the meantime to | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 9 make our current forced use of existing proprietary dumbphone firmwares a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 10 little more tolerable? This article presents one such hack: using FreeCalypso | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 11 loadtools to dump the flash content of Compal phones for analysis, including | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 12 TIFFS, and to replace one existing proprietary fw version with another, e.g., | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 13 to remove carrier branding and the associated SIM restriction. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 14 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 15 Serial access | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 16 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 17 Mot C1xx (Compal) phones have a 2.5 mm headset jack that dual-functions as a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 18 debug/programming serial port. In hardware terms, there is an electrically | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 19 controlled switch (MUX) inside that switches the external jack between the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 20 analog headset signals and the digital serial ones; this switch is controlled | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 21 by a GPIO signal from the Calypso. The hardware power-up state of this switch | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 22 is serial; Mot/Compal's standard fw switches it to headset upon boot, but the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 23 serial setting persists long enough to use it to break into the bootloader. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 24 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 25 Bootloader | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 26 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 27 The Calypso DBB (digital baseband) chip used in these phones has an on-chip | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 28 boot ROM, but it also has a hardware pin that enables or disables this boot | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 29 ROM, and unfortunately these phones have it disabled. If the boot ROM were | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 30 enabled in hardware, it would provide an unstoppable and unbrickable way to | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 31 take control of the device through the externally-accessible serial port like | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 32 we have on Openmoko and Pirelli phones, but unfortunately the hardware we have | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 33 available is not wired that way. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 34 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 35 However, Mot/Compal's standard firmware on these phones includes a bootloader, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 36 a part that executes before any of the rest of the fw image is allowed to | 
| 426 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 37 execute or is made use of in any way, and this Compal-specific bootloader has a | 
| 425 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 38 provision for interrupting the boot process and diverting it to an externally- | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 39 supplied piece of code loaded over the serial line. Older fw versions have | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 40 this feature enabled unconditionally, but some of the newer versions have a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 41 malfeature whereby the serial boot interrupt and code download possibility may | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 42 be disabled. Some C1xx phones out in the wild, particularly all North American | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 43 C139s with TracFone branding, have such maliciously-locked firmware in them. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 44 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 45 Fortunately though, these maliciously-locked firmwares (or at least the most | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 46 common TFC139 one) have been found to have another hole through which we can | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 47 break in, as described here: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 48 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 49 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004451.html | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 50 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004455.html | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 51 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 52 We can exploit this hole in the TFC139 firmware to gain code execution access | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 53 to the Calypso, and then use the latter to reprogram the flash, replacing the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 54 ultra-malicious firmware with some other version that, although still | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 55 proprietary, is a little less evil. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 56 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 57 Making first contact | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 58 ==================== | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 59 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 60 If you have a C1xx phone which you are seeking to free, your first step should | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 61 be to try breaking in with fc-loadtool, using the Compal bootloader method. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 62 With the phone powered off, but containing a charged battery (SIM present or | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 63 absent, doesn't matter), proceed as follows: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 64 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 65 1. Connect the serial or USB-serial cable between your PC or other host and the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 66 target phone's headset jack. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 67 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 68 2. On the host end, run fc-loadtool like this: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 69 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 70 C11x/123: fc-loadtool -h compal /dev/ttyXXX | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 71 C139/140: fc-loadtool -h compal -c 1003 /dev/ttyXXX | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 72 C155/156: fc-loadtool -h c155 /dev/ttyXXX | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 73 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 74 3. Press the power button on the phone. A momentary press is sufficient and | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 75 recommended: the hardware powers up and causes the boot code to run exactly | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 76 the same whether the power button is pressed momentarily or held down. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 77 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 78 Normal phone power-up requires the button to be held down because the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 79 standard firmware does a check fairly late in the boot process to see if the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 80 power button is still held down, and commands the hardware (the ABB) to | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 81 power off if it is not - it is a standard feature to prevent phones from | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 82 turning themselves on inadvertently from accidental momentary presses of | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 83 that button. But if the goal is to cause the boot code to run, but not to | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 84 boot the regular fw all the way, a momentary press is ideal. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 85 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 86 If your phone has a bootloader without the malicious lock in it, the above | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 87 procedure should result in fc-loadtool gaining full access to the target and | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 88 landing you at a loadtool> prompt. You can dump the flash content and analyse | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 89 it, etc. If you would like to change to a different fw version (to remove the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 90 SIM lock / carrier branding or for any other reason), see the corresponding | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 91 later section of this article. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 92 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 93 Alternative method | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 94 ================== | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 95 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 96 If the above procedure fails to gain access to the Calypso because the boot | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 97 code in the phone never offers a serial download opportunity, the alternate | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 98 break-in method should be tried, going through the full running firmware | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 99 instead of just the bootloader part thereof. Proceed as follows: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 100 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 101 1. Remove the SIM (if there was one to begin with) and put the charged battery | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 102 back in. Charge the battery if necessary, using the standard charging | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 103 function of the existing fw. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 104 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 105 2. Power the phone up for normal boot: hold the power button down like a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 106 regular user would, without fc-loadtool or other serial break-in tools. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 107 The fw will boot up, notice the lack of a SIM, and the display will read | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 108 "SIM card absent" or something to that effect, depending on the fw version. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 109 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 110 3. Key in this magic sequence: **16379#. A hidden "Trace Switch" menu should | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 111 appear, with the choices being "Trace On" and "Earphone". Select "Trace On". | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 112 The electrically controlled hardware switch mentioned earlier in this article | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 113 should now be set back to the UART, bringing the latter out to the headset | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 114 jack. Because Mot/Compal's firmware is based on TI's reference architecture, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 115 the interface presented by the running fw on this serial port is TI's RVTMUX, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 116 albeit at 57600 baud instead of TI's default of 115200. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 117 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 118 4. Connect the headset jack serial cable if it wasn't already connected, and | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 119 run this FreeCalypso hack-utility: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 120 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 121 tfc139 /dev/ttyXXX | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 122 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 123 Compal's firmware has some non-standard commands of their own invention added | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 124 to TI's RVT/ETM interface, and one of these commands is a raw memory write. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 125 Our tfc139 hack-utility will try to break into the phone (gain code execution | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 126 access) by using this Compal ETM command to write a little payload into a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 127 particular RAM location (beginning of IRAM), and then doing more memory writes | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 128 by the same method, seeking to smash the stack and cause control to be | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 129 transferred to the sent payload by overwriting a function return address on the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 130 stack. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 131 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 132 If the stack smashing hack succeeds, the code injected by tfc139 will send a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 133 message out the serial port indicating this success, and then re-enable the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 134 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 135 wait forever for a serial code download following its standard protocol. If | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 136 tfc139 gets the success indication from the target, it will announce this | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 137 success and direct you to run: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 138 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 139 fc-loadtool -h compal -c none /dev/ttyXXX | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 140 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 141 Do as it says. The -c none option tells fc-loadtool to skip compalstage and | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 142 proceed directly to feeding loadagent to the Calypso boot ROM. You should now | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 143 be in full control of the phone via fc-loadtool. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 144 | 
| 433 
2d8ab1b0df8d
rvinterf/doc/tfc139.usage: written
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
427diff
changeset | 145 There is one additional quirk worth mentioning. It appears that Mot/Compal's | 
| 427 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 146 main fw (at least TF's version 8.8.17, which is the version we break into with | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 147 tfc139; other versions are anyone's guess) keeps resetting the RTC alarm | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 148 registers in the Calypso DBB as it runs, always keeping the alarm time in the | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 149 near future relative to the current time. When one breaks into this firmware | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 150 with tfc139 and takes over the control of the device with fc-loadtool, this | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 151 alarm time will almost certainly be reached, and the RTC alarm will go off. | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 152 This alarm has no effect on loadtool operation (i.e., it cannot reset the CPU | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 153 or otherwise wrestle control away from loadtool, so it doesn't add any bricking | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 154 risk), but it has one quite surprising effect upon exit, i.e., when you are | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 155 done with your loadtool session and give it the exit command. | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 156 | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 157 Loadtool's configured default exit action for this target is to send a power-off | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 158 command to the Iota ABB, leaving the device cleanly powered off. However, if | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 159 the RTC alarm has gone off previously during the session, the ABB will instantly | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 160 power the phone back on, and put it through a new boot cycle. The firmware | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 161 (again, the only version this stuff can be tested on is the one that works with | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 162 tfc139) handles this special form of boot rather oddly: it proceeds to the same | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 163 end state it would have reached via a normal power button hold-down boot | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 164 (powered on with the "Insert SIM" message on the LCD), but it reaches this state | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 165 almost instantly, without going through the power-on LCD logo and buzz phase. | 
| 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 166 Odd, but harmless. This explanation has been included to save other hackers | 
| 433 
2d8ab1b0df8d
rvinterf/doc/tfc139.usage: written
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
427diff
changeset | 167 the hours of bewildered head-scratching I spent chasing this quirk down. | 
| 427 
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
426diff
changeset | 168 | 
| 425 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 169 Dumping and reloading flash | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 170 =========================== | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 171 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 172 Once you break in with fc-loadtool (either through the bootloader or through | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 173 tfc139), the first step you should do is make a dump (backup) of the flash: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 174 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 175 loadtool> flash dump2bin flashdump.bin | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 176 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 177 Before you do any flash write (erase or program) operations, please realise | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 178 that these phones are brickable. Because the Calypso boot ROM is disabled at | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 179 the board level (Calypso DBB's nIBOOT configuration input is tied high directly | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 180 underneath the BGA package!), when the phone powers up, the ARM7 core starts | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 181 executing instructions directly out of the flash, from address 0. Therefore, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 182 flash sector 0 must contain good working boot code (one that allows serial code | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 183 download access for recovery) at all times. If you erase this sector or fill | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 184 it with some garbage (anything other than good working boot code) and then power | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 185 the phone off or otherwise lose control of it, the phone will be unrecoverably | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 186 bricked! | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 187 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 188 On most C1xx models there seems to be no way to access the Calypso's JTAG | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 189 signals, hence no possibility of using JTAG to unbrick a bricked phone. And | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 190 because the flash chip is a micro-BGA, it is quite unlikely that one could | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 191 successfully desolder it, program it in a standalone flash chip programmer, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 192 and then put it back on the board. Thus if you brick your C1xx phone, then | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 193 most likely it is truly toast. You've been warned! | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 194 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 195 That being said, if your phone came with a maliciously locked bootloader, such | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 196 that you had to use tfc139 to break in, then replacing that bootloader with a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 197 non-malware version is pretty much a necessity, and taking the chance of | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 198 bricking the phone becomes a necessary risk. Even if the bootloader version in | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 199 your C1xx is free of the locking malfeature, if you need to reflash the main fw | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 200 to a different version, one still needs to erase and reprogram the dangerous | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 201 sector: on C11x/123 and C139/140 the main fw image starts at 0x2000, but the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 202 erase block boundary doesn't come until 0x10000. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 203 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 204 The good news, however, is that fc-loadtool has special support for rewriting | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 205 the boot sector on Compal phones with minimal risk of bricking. The command is: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 206 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 207 flash erase-program-boot binfile [length] | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 208 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 209 The first argument is the name of the file (in straight binary format) | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 210 containing the new boot code; the second argument (always interpreted as hex) | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 211 is the number of bytes to program, always starting at 0. If only one argument | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 212 is given, the length of the file is used instead, which must not exceed the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 213 length of flash sector 0: 64 KiB on C11x/123 and C139/140, or 8 KiB on C155/156. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 214 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 215 This special command minimizes the bricking vulnerability window by loading the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 216 entirety of the new boot code to be programmed into a scratchpad RAM buffer on | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 217 the target first (no problem because it's 64 KiB max), then commanding loadagent | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 218 (the code that actually runs on the Calypso when you use fc-loadtool) to perform | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 219 the "atomic" operation of erasing flash sector 0, then immediately reprogramming | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 220 it with the bits that are already in scratchpad RAM on the phone. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 221 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 222 With this approach the phone will only be bricked if the battery dies or is | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 223 physically yanked out of the phone in the time window between the beginning of | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 224 the erase operation and the last critical bit of the new boot code being | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 225 programmed - on the order of a second or two, or if the flash operations fail | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 226 for some reason. However, the phone will *not* be bricked with this approach | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 227 if the serial connection between fc-loadtool or the target gets broken during | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 228 the window in question, or if the host machine running fc-loadtool crashes: no | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 229 flash operations start until loadtool gives the go-ahead command to loadagent, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 230 and once loadagent receives the latter command, it will proceed till completion | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 231 without caring if loadtool is still there or not. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 232 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 233 Of course the conventional flash erase and flash program-bin commands will be | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 234 happy to operate on flash sector 0 just like any other sector, but doing so is | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 235 NOT recommended, as the window of vulnerability for bricking would then be | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 236 considerably greater. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 237 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 238 Unlocked firmware for C139 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 239 ========================== | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 240 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 241 If your phone is a North American (1900+850 MHz) C139, and you are reading this | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 242 article because it came with Cingular or TracFone branding, whereas you would | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 243 like to use it with SIMs and networks of your own choosing instead, you've come | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 244 to the right place. We have an unlocked and non-carrier-branded (Mot branding | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 245 only) version of the fw that runs on these phones, and you can use FreeCalypso | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 246 loadtools to flash this version into your C139 whether it came with Cingular or | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 247 TF branding originally. Download this file: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 248 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 249 ftp.ifctf.org:/pub/GSM/Compal/c139-unlocked-fw.zip | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 250 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 251 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 252 to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 253 for locked-down Tracfones) and make a backup of the original flash content. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 254 Then reflash the firmware as follows: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 255 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 256 flash erase-program-boot c139-unlocked-fw.bin 2000 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 257 flash erase 10000 360000 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 258 flash program-bin 2000 c139-unlocked-fw.bin 2000 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 259 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 260 The 3 commands given above will reflash the phone as follows: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 261 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 262 * The first 0x2000 bytes of the firmware image in c139-unlocked-fw.bin comprise | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 263 the boot code. This fw version features the "good" boot code *without* the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 264 access locking malfeature. The erase-program-boot command will erase flash | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 265 sector 0 (the entire 64 KiB sector, as the physics of the flash chip dictates) | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 266 and then immediately reprogram its first 8 KiB with the "good" boot code from | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 267 the unlocked fw image file. The remaining 56 KiB of this sector will be blank | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 268 after this step. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 269 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 270 * The following "regular" flash erase command is to erase the following 54 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 271 sectors (also of 64 KiB each) in preparation for programming the main fw | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 272 image in there. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 273 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 274 * The last command programs the bulk of the fw image into blank flash that has | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 275 been erased by the first two commands. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 276 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 277 I also recommend erasing the old FFS that was maintained by the old fw version, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 278 so that the new fw will automatically format a "virgin" FFS the first time it | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 279 boots: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 280 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 281 flash erase 370000 50000 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 282 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 283 After this procedure the phone should retain its original IMEI and factory RF | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 284 calibration values, as these are stored in the 8 KiB sector at 0x3FC000 which | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 285 is not touched per the above procedure - not in the FFS. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 286 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 287 The same procedure should be followed for flashing all firmwares for C11x/123 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 288 and C139/140 phones. In the case of C11x/123, adjust the length for the "main" | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 289 erase and program operations appropriately for the flash configuration in your | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 290 phone. | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 291 | 
| 426 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 292 One last word of caution: if you are going to flash some fw version other than | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 293 the unlocked North American C139 one discussed above, please check to see what | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 294 boot code version it includes, and whether or not that version has the | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 295 malfeature of checking the flash word at 0x2060 for the serial access control | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 296 flag. If the fw version you are seeking to play with has boot code with that | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 297 malfeature present, the bricking vulnerability window extends until you not | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 298 only program the new boot code into flash, but also program 0xDDDDDDDD into | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 299 that 0x2060 word. You've been warned. | 
| 
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: 
425diff
changeset | 300 | 
| 425 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 301 C155/156 differences | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 302 ==================== | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 303 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 304 C155/156 phones are nicer than the others in that they use a flash chip with a | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 305 "bottom boot" configuration. C11x/123 and C139/140 use "top boot" flash chips, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 306 which is why the boot code and the first 56 KiB of the main fw image live in | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 307 the same erase block on those phones. The boot code and the control hand-off | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 308 interface between it and the main fw have also been revamped in C155/156 fw, | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 309 and the new structure is: | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 310 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 311 8 KiB sector at 0: contains the boot code | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 312 7 more 8 KiB sectors starting at 0x2000: blank and unused | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 313 64 KiB sector at 0x10000: also blank and unused | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 314 64 KiB sector at 0x20000: beginning of main fw image | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 315 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 316 With this new flash layout, it is now possible to erase and program the main fw | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 317 region starting at 0x20000 without ever erasing the boot code sector or doing | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 318 any writes to it, so there is no bricking vulnerability window at all. (The | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 319 phone can still be bricked though if one types the wrong command and erases the | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 320 boot sector inadvertently, so be careful.) | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 321 | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 322 So far the only phones in this family that I laid my hacking hands on have been | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 323 North American C156 units, all from the same seller and batch (hence identical), | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 324 so I don't know if there exist any maliciously-locked boot code versions in | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 325 this family - the boot code in my C156 is free of any malfeatures. But if "bad" | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 326 versions of C155/156 boot code do exist, and if you can break into the phone | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 327 somehow, you can use the flash erase-program-boot command to rewrite the boot | 
| 
f81a931f9172
doc/Compal-unlock write-up
 Michael Spacefalcon <msokolov@ivan.Harhan.ORG> parents: diff
changeset | 328 code with minimal risk of bricking just like on the other Compal families. | 
