# HG changeset patch
# User Mychaela Falconia
# Date 1446261975 0
# Node ID 8eb7cb176a704f1eb6360ec6464d5cbcd2f07af0
# Parent 79657f9c577202cbb61f88c2a462a98631ce9f63
compal-flash-boot-for-fc/README added

diff -r 79657f9c5772 -r 8eb7cb176a70 compal-flash-boot-for-fc/README
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/compal-flash-boot-for-fc/README Sat Oct 31 03:26:15 2015 +0000
@@ -0,0 +1,31 @@ +Compal phones have malicious wiring in their PCBs to disable Calypso's internal +boot ROM (nIBOOT input tied high instead of low). Therefore, flash sector 0 +must always contain working boot code that allows the possibility of new code +download over the headset jack UART, and jumps to the main firmware in the rest +of the flash if no such download is taking place. In the absence of such good +boot code in flash sector 0 the phone is bricked. + +Compal's own firmwares for these phones do feature a bootloader just as +described, but it has one defect: they put the boundary between the boot code +and the main firmware at address 0x2000, but the flash erase unit boundary +does not come until 0x10000. Therefore, every time the main fw needs to be +reflashed, flash sector 0 has to be erased and reprogrammed, creating a +bricking vulnerability. + +Because Compal's original flash layout does not allow us to reuse their +bootloader totally untouched while replacing the main fw, and we'll have to +reflash our own version of the boot code at least the first time we reflash a +given phone from its official fw to FreeCalypso, we can take the liberty of +using a slightly patched version of Compal's boot code - with Compal's official +firmwares the bootloader part differs slightly from one fw version to the next +anyway. + +The version of Compal's flash boot code built in this directory is intended to +be used with FreeCalypso firmwares. It is based on one of Compal's versions +that has no malicious features (no check of flash word 0x2060 and no requirement +of "1003" signature in the serially downloaded images at the most inconvenient +location), and it has been patched to transfer control to the main fw at 0x10058 +instead of 0x20F8, i.e., main fw images are to be flashed at 0x10000 without +touching flash sector 0. 
Interrupt and exception version redirections have also +been patched accordingly; the specific interface between the boot code and the +main fw now mimics that of TI's TCS211 reference fw.
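Review bot: "Interrupt and exception version redirections" in the last paragraph reads like a typo for "vector redirections", and since that sentence is the one defining the boot-code/main-fw interface it should be corrected. Two documentation gaps in the same README: it argues for the move to 0x10000 from "the flash erase unit boundary does not come until 0x10000" but never says which flash part or phone models that applies to, so a reader cannot tell whether the layout is safe for their unit; and it does not state what the patched boot code does when nothing valid is present at 0x10058 (whether it still waits for a download over the headset jack UART), which is exactly the case that decides whether a failed main-fw reflash leaves the phone recoverable or bricked.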