FreeCalypso > hg > freecalypso-tools

comparison doc/TIFFS-Overview @ 0:e7502631a0f9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
initial import from freecalypso-sw rev 1033:5ab737ac3ad7
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 11 Jun 2016 00:13:35 +0000
parents
children 579441d7dcd8
comparison
equal deleted inserted replaced
-1:000000000000 0:e7502631a0f9
1 All TI GSM firmwares known to this author (FreeCalypso developer Space Falcon)
2 implement some kind of flash file system, or FFS. Several different FFS code
3 implementations, and correspondingly several different on-flash data formats,
4 have been used throughout the history of TI's involvement in the wireless
5 terminal business. The FFS incarnation of primary interest to the FreeCalypso
6 project is the one invented by Mads Meisner-Jensen at TI in the early 2000s
7 (at least according to the comments in the sources available to us), and it is
8 relevant to us in the following ways:
9
10 * When targeting the GSM modem in Openmoko's GTA01/02 smartphones, we need to
11 work with the original FFS from the factory (call it MokoFFS), the same FFS
12 as used by the mokoN firmwares: this FFS contains the IMEI and the RF
13 calibration values from the factory, which we most certainly don't want to go
14 without.
15
16 * The Leonardo firmware semi-src which we are using as the reference for
17 building our own full source, multi-target GSM fw contains a turnkey-working
18 implementation of this very FFS, using the on-flash format in question and
19 providing run-time APIs expected by the rest of the GSM fw suite. Following
20 the principle of ``if it ain't broke, don't fix it'', we can use this FFS not
21 only on the gtamodem target, but also on other targets, including those where
22 we would be starting from a blank state and thus have the freedom to use
23 whatever FFS we like.
24
25 * The original proprietary fw on the Pirelli DP-L10 phone also happens to use
26 an FFS in the same format. Pirelli's FFS does *not* contain the IMEI or any
27 of the RF calibration values though, and trying to reuse it directly for our
28 own FC GSM fw seems to be more trouble than benefit - so we'll probably have
29 our fw start with a blank TIFFS instead - but there is still insight to be
30 gained from in-vitro examination of captured Pirelli FFS images.
31
32 Naming
33 ======
34
35 I have previously referred to the FFS format in question as Mokopir-FFS or
36 MPFFS, from "Moko" and "Pirelli". I was originally hesitant to call it TIFFS,
37 as lacking the source code, I had no way of knowing whether the FFS format and
38 implementation were of TI's own invention, or something that TI licensed as a
39 black box from one of their many proprietary software partners. (I was unable
40 to identify it as any well-known, industry-standard FFS format, but absence of
41 evidence is not evidence of absence.) But now that we have TI's original source
42 code which implements this FFS (first the MV100-0.1.rar source, then the full
43 Leonardo one), complete with comments and a HISTORY file, we know that our FFS
44 was invented and implemented by someone named Mads Meisner-Jensen at TI - I'm
45 guessing in the SSA group in Nice, France.
46
47 I am now making a naming transition from MPFFS to TIFFS: there is really no
48 link between this FFS format and the Openmoko+Pirelli duo, other than the
49 happenstance of me having first encountered this FFS on these two GSM device
50 brands, and the name TIFFS is more neutrally-descriptive.
51
52 What it is
53 ==========
54
55 In a rare departure from TI's norm (most of TI's GSM firmware and associated
56 development tools suffer from heavy Windows poisoning), what I call TIFFS is
57 very Unixy. It is a file system with a hierarchical directory tree structure
58 and with Unixy forward-slash-separated, case-sensitive pathnames; the semantics
59 of "what is a file" and "what is a directory" are exactly the same as in UNIX;
60 and TIFFS even supports symlinks, although that support is a little under-
61 developed, and apparently no FFS symlinks were ever used in any production GSM
62 device. Thus the FFS implemented in TI-based GSM devices (modems and
63 "dumbphones") is really no different from, for example, JFFS2 in embedded Linux
64 systems.
65
66 (The only traditional UNIX file system features which are missing in TIFFS are
67 the creation/modification/access timestamps and the ownership/permission
68 fields.)
69
70 The FFS in a GSM device typically stores two kinds of content:
71
72 * Factory data: IMEI, RF calibration values, device make/model/revision
73 ID strings etc. These files are expected to be programmed on the factory
74 production line and not changed afterward.
75
76 * Dynamic data written into the FFS in normal device operation: when you use a
77 "dumbphone" running TI-based firmware, every time you store something "on the
78 phone" or in "non-volatile memory", that item is actually stored in the FFS.
79 (Where else, if you think of it?) That includes contacts and received SMS
80 stored "on the phone" instead of the SIM, any selections you make in the
81 settings/preferences menus which persist across reboots (power cycles), call
82 history etc.
83
84 It needs to be noted that the "dynamic data" aspect of FFS usage applies not
85 only to complete phones, but also to modems like the one used in the GTA01/02.
86 One would naively think that non-volatile storage of data in flash outside of
87 factory programming would be needed only in a device with its own UI, and that
88 a modem subservient to external AT commands would be completely stateless
89 across reboot/power cycles; but that is not the case in actuality. TI's GSM
90 firmwares, including the Openmoko ones (the "standard" mokoN), are designed to
91 always "mount" their FFS with read/write access; TI's FFS implementation in the
92 firmware has no concept of a "read-only mount".
93
94 I am still investigating just what kinds of data are routinely written into the
95 non-volatile FFS by the firmware in normal operation on devices like the GTA0x
96 modem, but there most definitely are some.
97
98 There is no hard separation between "static" and "dynamic" data in the file
99 system structure; TIFFS is thus akin to an embedded Linux system with just a
100 single root file system containing both "static" files like userland binaries
101 and "dynamic" ones like configuration files under /etc which the user is
102 expected to edit with vi after logging into the box, or log and similar files
103 created by the system itself under /var, for example.
104
105 Where it lives
106 ==============
107
108 The type of flash memory used in Calypso GSM modems and "dumbphones" is called
109 NOR flash. This NOR flash memory is physically divided (by the design of the
110 flash chip itself) into units called "sectors" or more descriptively, erase
111 blocks. The typical NOR flash sector size (in Calypso GSM devices) ranges from
112 64 KiB in the GTA02 modem's NOR flash (4 MiB total) to 256 KiB in the
113 S71PL129NC0 flash+RAM chip used in the Pirelli DP-L10 (16 MiB of flash total).
114 The key physical property is that any bit may be changed from a '1' to a '0' at
115 any time, in any combination, but resetting of '0' bits back to ones can be
116 done only on the granularity of these largish sectors, in an operation called
117 "sector erase".
118
119 The location of TIFFS within the flash memory of a given GSM device is defined
120 by the firmware design of that device, but is always some integral number of
121 contiguous flash sectors. Some examples:
122
123 * On the GTA01/02 GSM modem, FFS occupies 7 sectors of 64 KiB each, starting at
124 flash offset 0x380000.
125
126 * On the Pirelli DP-L10, the FFS used by the original proprietary fw occupies
127 18 sectors of 256 KiB each (for 4.5 MiB in total), starting at the beginning
128 of the 2nd flash chip select (0x02000000 in the ARM7 address space).
129
130 * On Motorola/Compal C139/140 phones, the FFS used by the original proprietary
131 fw occupies 5 sectors of 64 KiB each (320 KiB in total), starting at 0x370000.
132 C11x/123 use smaller FFS configurations, whereas C155/156 seem to have
133 switched to some other FFS format, different from our familiar TIFFS.
134
135 * The smallest real FFS configuration called for by the table in dev.c in TI's
136 original Leonardo fw source is 3 sectors of 64 KiB each; the same table also
137 sports a 4 KiB x 4 configuration for RAM-based testing (emulation of FFS in
138 RAM without real flash).
139
140 * The largest FFS configuration that has been envisioned by the original
141 designers seems to be somewhere around 128 sectors.
142
143 Each flash sector used for TIFFS begins with this 6-byte signature:
144
145 46 66 73 23 10 02
146
147 The first 4 bytes are 'Ffs#' in ASCII, and the following two bytes are the
148 format version number of 0x0210 in little-endian byte order. The following two
149 bytes give a count of how many times that sector has been erased and rewritten
150 (FF FF in "fresh" or "virgin" FFS images), and the following byte indicates
151 that block's role and status in the FFS life cycle.
152
153 How it works
154 ============
155
156 Just like JFFS2 and other high-quality flash file systems, TIFFS is designed to
157 recover gracefully from any possible power failure or crash: one can yank the
158 battery from the GSM device (or induce a firmware crash) at the most mis-
159 opportune moment in the middle of an FFS write operation, and the FFS is
160 expected to recover on the next boot cycle. I won't be able to document here
161 all gory details of exactly how this goal is achieved, partly because I haven't
162 studied the code to the requisite level of depth myself yet, but all of the
163 responsible code lives under gsm-fw/services/ffs in this freecalypso-sw source
164 tree; feel free to study it.
165
166 In its "normal" or "clean" state (i.e., when not in the middle of a write
167 operation or recovery from an ungracefully interrupted one), a TIFFS instance
168 consists of the following 3 types of blocks:
169
170 * One block containing inode records, indicated by AB in its type/flags/status
171 byte in the block header;
172 * N-2 blocks (where N is the total number of flash sectors allocated for the
173 FFS) containing (or waiting to be filled with) data chunks - indicated by BD
174 in the type/flags/status byte;
175 * One "free" block, indicated by BF - destined to become a new AB or a new BD
176 at some point.
177
178 Each object written into the FFS (file, directory or symlink) consists of a
179 16-byte inode record written into the AB block and a data chunk written into
180 one of the BD blocks. The data chunk includes the name of the object, hence
181 one is required even for directories. Data chunks are contiguous, uncompressed,
182 and subject to an upper size limit of 2048 or 8192 bytes, depending on the FFS
183 configuration. Files larger than this limit are stored in a "segmented" form,
184 giving rise to a 4th inode or object type (after file, directory and symlink):
185 segment. Each segment of a segmented file consists of not only a data chunk,
186 but also an inode record for the segment, which gives the location of the data
187 chunk and ties the segment object into the overall FFS structure, making it
188 accessible.
189
190 Because aside from complete sector erasure, flash memory bits can only
191 transition from '1' to '0' but not the other way around, overwriting an existing
192 file with some new content (an operation which any reasonable file system must
193 implement in some way) cannot be done in place. Instead like most flash file
194 systems, TIFFS implements this common operation by writing the new version of
195 the file to a new location (previously blank flash) and then invalidating the
196 old version - and doing all that while keeping in mind the possibility of an
197 ungraceful crash or powerdown at any moment, and the requirement of recovering
198 gracefully from any such event.
199
200 Of course as an FFS receives more write activity, even if one keeps overwriting
201 some existing files with new content of the same size, without adding to the
202 visible total content size (think du(1) command), eventually all remaining blank
203 flash space will fill up. At that point (or at some earlier point, depending
204 on the FFS design and/or configuration) the FFS has to invoke a compaction or
205 reclamation or garbage collection procedure: any "mixed" blocks containing both
206 valid and stale data are transitioned into a "stale-only" state by having the
207 active data moved to a new block, and then the "all stale" blocks are subjected
208 to sector erasure, becoming new blank sectors. The logic responsible for these
209 operations once again needs to be resilient to the possibility of a crash or
210 powerdown occurring at the most mis-opportune moment, and it also needs to
211 implement flash wear leveling: there is a physical limit to how many times a
212 given flash sector can be erased and rewritten before it goes bad.
213
214 All of the above are common and well-known principles, successfully implemented
215 in well-known flash file systems such as JFFS2 in Linux. TIFFS is absolutely
216 no different in this regard; for the implementation details, read the source
217 code.
218
219 How this FFS comes into being
220 =============================
221
222 (This section is only relevant to you if you plan on physically producing your
223 own GSM phones or modems on your own factory production line, like this author
224 fancies doing in the not-too-distant future, or if you simply enjoy knowing
225 how it is done.)
226
227 To my knowledge, TI never used or produced a tool akin to mkfs.jffs2 in the
228 embedded Linux world, which would produce a TIFFS image complete with some
229 initial directory and file content "in vitro". Instead it appears that the FFS
230 instances found in shipped products such as Openmoko phones have been created
231 "in vivo" by TI's firmware running on the device itself during the "production
232 test" phase.
233
234 The process seems to go like this:
235
236 * When the printed circuit board is physically populated with components such
237 as the Calypso chip and the flash chip, the latter can be blank - if the
238 board design has the nIBOOT pin pulled low, enabling the Calypso boot ROM
239 (Openmoko and Pirelli both good on this one, but shame on Compal!), there is
240 no need to preprogram the flash chip with anything prior to populating it on
241 the board, and the device remains fully unbrickable at all times afterward.
242
243 * When the assembled board is powered up for the first time, with completely
244 blank flash, the Calypso boot ROM will sit there and patiently wait for a
245 code download on either of its two UARTs.
246
247 * Using TI's FLUID (Flash Loader Utility Independent of Device) or FreeCalypso's
248 fc-loadtool free replacement, the factory production station loads the main
249 firmware image into the flash. Note, it is just the firmware image at this
250 step, and the FFS sectors remain blank.
251
252 * The board is commanded to reboot (or power-cycled), and the firmware image
253 boots for the first time.
254
255 * TI's FFS implementation code in their standard firmware reacts to all blank
256 flash in the FFS sectors as follows: it performs what they call the preformat
257 operation, writing the TIFFS signature and a BF state byte into every FFS
258 sector, but the main "format" operation, which sets up the AB/BD block roles,
259 creates the root inode and makes the FFS ready to accept the creation of its
260 first directories and files, is not done automatically.
261
262 In order to perform the FFS format operation and then fill the new FFS with
263 whatever directories and files are deemed needed to be present in "fresh"
264 shipping products, the factory production station connects to the just-booted
265 firmware running on the target via the RVT/ETM protocol (see the RVTMUX
266 write-up), and sends "test mode" commands to this running firmware. These
267 "FFS test mode" (or TMFFS) commands include the format operation, an mkdir
268 operation to create directories, and a "file write" operation akin to doing
269 'cat > /dir/whatever/file', creating files in FFS and storing any desired data
270 in them.
271
272 The IMEI is assigned and written into FFS in this process, but it is not the
273 only data item that will be unique for each individual device made. Much more
274 important are the RF calibration values: I have yet to learn exactly what is
275 being (or needs to be) measured, how these measurements are performed (under
276 what conditions; what external test equipment is needed), and how these measured
277 and recorded RF calibration values affect GSM device operation, but this TI
278 presentation gives some clues:
279
280 ftp://ftp.ifctf.org/pub/GSM/Calypso/rf_calibration.pdf
281
282 All of these calibration values are stored in a bunch of files under the
283 /gsm/rf subtree, and these files seem to be "owned" by the L1 code. The latter
284 has RAM data structures which correspond to these files; upon normal boot the
285 initialization code looks in FFS, and if it finds any of the RF calibration
286 files, it reads each present file into the corresponding RAM data structure,
287 overwriting the compiled-in defaults. It appears (slightly uncertain because I
288 have not yet reintegrated the code in question into our own gsm-fw) that the RF
289 calibration files in FFS come into being as follows:
290
291 * The RF calibration code in L1 (i.e., part of the main GSM fw) performs the
292 measurements and stores results in its RAM data structures as commanded by
293 the production test station through the "test mode" interface;
294
295 * A final test mode command directs the above L1 code to write its RAM data
296 structures into FFS.
297
298 Once I actually learn this RF calibration process properly in connection with
299 building my own Calypso-based GSM "dumbphone", I'll be able to say exactly what
300 it would take to recreate these RF calibration values if they are lost. But
301 until then the only advice I can give is to make a backup copy of your modem
302 FFS with fc-loadtool, and to save it securely.
303
304 Compal and Pirelli differences
305 ==============================
306
307 The above description refers to TI's vanilla reference version, and it seems
308 like Openmoko (FIC) was the only phone/modem manufacturer who followed it
309 without major deviations. In contrast, both Compal (Mot C1xx) and Foxconn
310 (Pirelli DP-L10) moved the vital per-unit factory data (IMEI and RF calibration)
311 out of the FFS into their own ad hoc flash data structures (which are very
312 difficult to reverse-engineer and make use of, unfortunately), leaving their FFS
313 only for less critical data.
314
315 In Compal's case (at least on the C139 model with which I have extensive
316 personal experience) the FFS stores only users' personal information and nothing
317 more. One can turn the phone off, use fc-loadtool to erase the FFS sectors, and
318 boot the regular fw back up; the fw will automatically do a new FFS format (it
319 even displays a message on the LCD as it does so) and carry on happily as a
320 "fresh" or "blank", perfectly functional and usable phone.
321
322 In Pirelli's case, booting their official fw with blank FFS sectors will also
323 result in the FFS being automatically formatted, but their fw expects some
324 static "asset" files to be present in this FFS: UI graphics and language
325 strings, ringtones, firmware images for the WiFi and VoIP processors and some
326 static configuration files, about 3 MiB in total. Thus although the firmware
327 will auto-format the blank FFS sectors, it won't function normally with all of
328 these "asset" files missing. Foxconn's original factory production line station
329 must have uploaded these files to each phone via the TMFFS2 protocol, and our
330 FreeCalypso suite now features a tool that can replicate this feat: fc-fsio.
331
332 FreeCalypso support for TIFFS
333 =============================
334
335 Aside from implementing and using it in our own gsm-fw, FreeCalypso offers
336 the following support for TIFFS:
337
338 1. We have a utility for "in vitro" examination of FFS images read out of GSM
339 devices with fc-loadtool. This tiffs utility (along with mokoffs and pirffs
340 wrappers) lives in the ffstools top-level directory of the freecalypso-sw
341 source tree. This TIFFS "in vitro analyzer" utility supplants the earlier
342 mpffs-* tools, and adds some additional examination functionality. It is
343 strictly a "read only" tool, however - it is not designed for "in vitro"
344 editing of TIFFS images.
345
346 2. A number of FC tools may be strung together into a kit for editing the FFS
347 content of a GSM device, e.g., for changing the IMEI. The following pieces
348 will be involved:
349
350 * What is destined to eventually become our totally free GSM fw (the gsm-fw
351 source subtree at the top of freecalypso-sw) does not contain any of the
352 actual GSM protocol stack (or even L1) functionality yet, but it already
353 contains both the FFS code and those components (ETM and TMFFS[12]) which
354 are needed for interfacing an external "test mode shell" to this FFS
355 implementation through the RVTMUX interface. And when our gsm-fw does gain
356 the actual GSM functionality, the ability to build a minimal FFS+ETM-only
357 configuration will still be retained.
358
359 * The minimal FFS+ETM subset of gsm-fw can be built into a ramImage (runs
360 entirely from RAM via fc-xram, no flashing), and run on a physical device
361 such as the GTA0x GSM modem via the fc-xram host utility;
362
363 * After loading the ramImage, fc-xram will immediately exec our rvinterf host
364 utility (see rvinterf/README);
365
366 * Once the GSM device is running what is effectively an FFS editing agent out
367 of RAM, accessed via rvinterf over the serial channel, the user can run
368 fc-tmsh or fc-fsio, and this "test mode shell" provides commands for writing
369 things to FFS exactly like one would do in the factory production line
370 environment for which TI taylored their tools.
371
372 The "in vivo" method of editing the FFS content of a GSM device described above
373 will probably sound very convoluted, and you may find yourself asking for a way
374 to do it "in vitro" instead: read the FFS out of flash with fc-loadtool, edit
375 that image "in vitro" with some utility on your PC, and then use fc-loadtool
376 again to program it back into your device. But consider that an "in vitro" FFS
377 modification would involve erasing and rewriting all sectors of your FFS,
378 whereas an "in vivo" modification of some small file like the IMEI would be
379 just a short flash write operation without any erasures at all, i.e., kinder
380 on the flash.
381
382 In any case, the "in vivo" method is already available now because all of the
383 components involved therein are also needed for other development uses in the
384 FreeCalypso project, whereas developing a fully-functional "in vitro"
385 alternative (one that can create an FFS image "de novo" from a tree of files
386 and directories a la mkfs.jffs2, or add new files to an existing TIFFS image
387 etc) would be a good amount of extra work which we otherwise don't need - hence
388 the latter is not very likely to be written any time soon.
389
390 However, if the "in vitro" modification you seek is something trivial like
391 changing the byte content of a file such as /pcm/IMEI or /gsm/com/rfcap without
392 changing its length, you can use the existing "in vitro, read-only" tiffs host
393 utility to find the exact byte location of the file data within the TIFFS image,
394 and then use your favourite hex editor to whack whatever new byte content you
395 like at that offset.