Flashing the Motorola C139 with the Magnetite freecalypso firmware

This writeup describes the replacement of the C139's stock firmware with a preview release from the freecalypso project. It's important to note that the freecalypso port to the C139 is currently (October 2016) not one of the project's primary goals. This release is not ready for the end user; it's known that battery charging does not work and the GUI is prone to crash. The progress since the last release in November 2015 is that the screen does now switch off when the phone is idle. Even in the current unfinished state, it is possible to place and receive calls and exchange SMS messages. To try this firmware on something other than your main phone, you will need a PC running GNU/Linux or some other Unix-like system and a T191 unlock cable to connect your C139's audio jack to the PC's USB port.

There are various suggested sources for the T191 unlock cable at the osmocomBB site, but since official FreeCalypso branded cables are available from George at UberWaves, please consider supporting this supplier by ordering from uberwaves@gmail.com.

There are considerable additional developmental challenges for the C139 compared to the Openmoko phones in that (for instance) the calypso firmware for this model is responsible for driving the gui. The chosen solution is to piece together code from two separate dumpster truck recovered versions of TI's official firmware. The project's goal to dispense with TI's compiler and switch to GCC has not been realized in this release, but a compiled binary is available if like me you want to avoid the necessity of a wine install on the PC.

If you want to compile the replacement firmware from source code, you'll need a wine setup on the PC to run TI's compiler. If like me you want to duck this step, there is a binary release. See here if you do want to compile from source code.

Preparing your PC

The latest version of fc-host-tools is here.

You will need a build environment on your PC to compile the fc-host-tools suite of utilities. In case you used earlier releases of freecalypso tools to flash the neofreerunner, it's important to know that the fc-loadtool utility is now included in the fc-host-tools release. This version of fc-loadtool supersedes earlier releases; it is a requirement for working with the C139 and retains the functionality needed for the neofreerunner.

Only a couple of the utilities are needed for flashing the firmware by end users and neither of these have external dependencies. To avoid compilation problems due to missing libraries, edit the third line of rvinterf/etmsync/Makefile:-

PROGS=	fc-dspapidump fc-fsio fc-getpirimei fc-pirhackinit
to be
PROGS=	fc-dspapidump fc-fsio
The usual make and make install commands will put the compiled fc-host-tools in the /usr/local directory tree.

Decompress the binary release and open a terminal window in the directory where you put this.

Preparing your C139

The battery should be sound and fully charged. Power off the phone, remove the SIM and make a note of the IMEI number behind the battery, then connect the phone's audio jack to a USB port on the PC with the T191 unlock cable.

The flash operation - a preamble and warning

The warning being that the C139 is eminently and permanently brickable if the commands at the loadtool> prompt are not issued correctly.

There are three possible separate scenarios for this flash operation:-

To minimize the risk of bricking, the flash operation is split into three distinct phases. In the second scenario, the replacement of the bootloader (the major risk) does not need to be repeated.

Connecting PC and C139 with the fc-loadtool utility

This describes the first scenario in full, but notes situations in which certain steps should be omitted. In the terminal window opened in the directory that contains the firmware run the command (assuming the PC allocates /dev/ttyUSB0 to the phone)

fc-loadtool -h compal -c 1003 /dev/ttyUSB0

you will see this output:-

root@mapoko # fc-loadtool -h compal -c 1003 /dev/ttyUSB0
Using Compal stage image /usr/local/share/freecalypso/compalstage-1003.bin
Waiting for PROMPT1 from target (/dev/ttyUSB0) at 115200 baud
At this point press the red power button; terminal output will continue, and in full you should see:-
root@mapoko # fc-loadtool -h compal -c 1003 /dev/ttyUSB0
Using Compal stage image /usr/local/share/freecalypso/compalstage-1003.bin
Waiting for PROMPT1 from target (/dev/ttyUSB0) at 115200 baud
Received PROMPT1, sending download command
Received PROMPT2, sending download image
Received ACK; downloaded image should now be running!
Sending beacons to /dev/ttyUSB0
Got beacon response, attempting download
<p command successful, switching to 115200 baud
Sending image payload
...................................................................
................Sending checksum
<c command successful, sending <b
<b command successful: downloaded image should now be running!

FreeCalypso loadagent running
Loaded via UART 0 (MODEM) at baud rate #0
TCXO clock input autodetected to be 26 MHz

Executing init script compal.init
Script command: w16 fffffb00 00A3
Script command: w16 fffffb02 00A3
Script command: w16 fffffb10 0300
loadtool>
The -c 1003 switch can be omitted if this is an upgrade and the freecalypso bootloader has already been installed. Although doing this improves the efficiency of fc-loadtool a little, it is harmless to retain it whatever the C139's firmware status.

Backing up the stock firmware

This is a sane precaution even if you think you will never want to revert to original firmware. At the loadtool> prompt:-

flash dump2bin my_c139.bin

This command will take 10 to 15 minutes to complete; the output in the terminal should appear thus:-

loadtool> flash dump2bin my_c139.bin
Performing CFI query
CFI query successful: total size 400000, 71 sectors, command set style 0003
Requesting initial CRC-32 of the area from target...
got B2CC218D
Requesting memory dump...
Rx 4194304 out of 4194304 bytes (100%)
Requesting another CRC-32 of the area from target...
match, dump successful
loadtool>
At this point you could issue an exit command at the loadtool> prompt thus powering off the phone with original firmware still in place. Although this howto continues to be split into sections, from here on consider this to be a single job to be completed uninterrupted at least up to the point where all work at the loadtool prompt has been done.

Flashing the freecalypso bootloader

Continue at the loadtool> prompt with

flash erase-program-boot compal-flash-boot-for-fc.bin

loadtool> flash erase-program-boot compal-flash-boot-for-fc.bin
Performing CFI query
CFI query successful: total size 400000, 71 sectors, command set style 0003
Loading new boot code into target RAM at 820000
.................................
Verifying CRC-32 in target RAM
match (05ED5A80)
Commanding flash erase+program operation on the target
Operation complete, final SR: 80
This stage should be omitted in a freecalypso to freecalypso upgrade (the second scenario), but is essential in the other two scenarios.

Flashing the main firmware image

This step will be necessary in all of our three scenarios; again at the loadtool> prompt:-

flash erase 10000 2A0000

followed by

flash program-bin 10000 fwimage.bin

loadtool> flash erase 10000 290000
Erasing 41 sector(s)
.........................................
loadtool> flash program-bin 10000 mfw-build.progbin
Setting flash base address: INFB 0
Clearing Intel flash SR
Programming flash: 2662648 (0x28a0f8) bytes
0x28a0f8 bytes programmed (100%)
Verifying CRC-32 of programmed flash area
match (7B19FF5E)
As with the original firmware image backup step, this will take a number of minutes to complete.

Creating space for the aftermarket flash file system

Once more at the loadtool> prompt:-

flash erase 3C0000 30000

loadtool> flash erase 3C0000 30000
Erasing 3 sector(s)
...

This step should never be necessary more than once; even if you reverted to the original stock firmware after an earlier freecalypso install, freecalypso's flash file system will remain in place.

Now close the loadtool session with an exit command which also powers off the phone. Note that to this point, throughout the loadtool session, there is no output on the phone's LCD screen. It is here that it is safe to take a break if desired.

Initialising the flash file system and setting the IMEISV

Once again, it should never be necessary to repeat this step, it only being required in our first scenario. However, if the previous flash erase command was inadvertently run a second time, that error is recoverable by also repeating the initializations in this section.

The phone can be disconnected from the unlock cable, but the SIM should remain removed. Power on the phone; the LCD screen should light up and stop at an Insert SIM message. Rather than do that, reconnect the unlock cable if it was disconnected and run the fc-fsio utility:-

fc-fsio -p /dev/ttyUSB0

We now format the flash file system and create directories in it with these commands at the fsio> prompt, which should complete without output:-

format /

and

mk-std-dirs

The IMEISV is a 16-digit number that supposedly uniquely identifies your handset; this is not the place to discuss the merits or otherwise of deviating from the factory set one you should have noted earlier. It may be only 14 or 15 digits long, in which case pad with 0s at the end as necessary. Until this step the handset has no IMEISV as far as the freecalypso firmware is concerned, and that must be fixed before powering up with the SIM inserted. At the fsio> prompt:-

set-imeisv fc XXXXXXXX-YYYYYY-ZZ

The punctuating hyphens are optional and can be placed anywhere - note that below I've edited the actual command and its output for privacy reasons :-)

fsio> set-imeisv fc XXXXXXXX-YYYYYY-ZZ
Writing "XX XX XX XX YY YY YY ZZ" into /etc/IMEISV
In addition to lacking knowledge of the factory set IMEISV, the freecalypso firmware does not know if you have an EU or US model. The appropriate commands are:-

set-rfcap dual-eu

(if you have 900+1800 MHz hardware) or

set-rfcap dual-us

(if you have 850+1900 MHz hardware). The command echoes what it writes, for example:-

fsio> set-rfcap dual-eu
Writing "00 0B 41 00 00 00 00 00  50 00 00 A5 05 00 C0 00" into /gsm/com/
Issue an exit command at the fsio> prompt and power off the phone by holding down the red button. Insert the SIM and power the phone up, at which point it should connect to the network as normal.

Reverting to factory firmware

You must of course have taken a backup prior to installing freecalypso. Despite doing that myself I have no intention to revert to the original firmware (currently I'm testing freecalypso on a spare C139), so for the sake of completion I'll finish with the lead developer's notes on how this should be done at a loadtool> prompt.

flash erase-program-boot my_c139.bin 10000
flash erase 10000 360000
flash program-bin 10000 my_c139.bin 10000 360000

The net effect of these 3 commands is that the first 0x370000 bytes of the flash (the region which Mot/Compal allocated for the firmware image - as opposed to FFS or other data - on this hw model) will be reprogrammed with the bits from the backup file.

I recommend this particular command sequence (reflashing the initial 0x10000 bytes first with flash erase-program-boot, then the rest of the fw image with regular flash erase and flash program-bin commands) because restoring an original fw after FreeCalypso requires reflashing the dangerous boot sector, hence flash erase-program-boot is called for safety.

Doing the entire sector (0x10000 bytes) with flash erase-program-boot rather than just 0x2000 (the length of the boot code) is recommended for less technical users who may not know the detailed characteristics of the specific proprietary fw version they are restoring. If that specific fw version happens to have a "bad" bootloader that checks the word at 0x2060 for the 0xDDDDDDDD magic, then the window of bricking vulnerability extends past 0x2000 up to that 0x2060 word.
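As an added example (not code from this page or from the FreeCalypso project), a small Python helper that checks a flash dump2bin backup against the flash layout described above before you run the restore sequence: dump size, CRC-32, whether the 0xDDDDDDDD magic sits at 0x2060, the sector count an erase will report, and whether an erase/program-bin pair stays inside the firmware region. The uniform 64 KiB sector size above 0x10000, the CRC-32 algorithm matching loadtool's, and treating the magic word as a bricking-window heuristic are assumptions drawn from the loadtool output and notes quoted on this page; the sample dump is constructed.

```python
import zlib

# Flash layout as reported and used in this page's loadtool session.
FLASH_SIZE = 0x400000                   # CFI query: total size 400000
SECTOR = 0x10000                        # erase 10000 290000 -> 41 sectors: 64 KiB each
BOOT_CODE_LEN = 0x2000                  # length of the boot code proper
MAGIC_OFFSET, MAGIC_VALUE = 0x2060, 0xDDDDDDDD   # word a "bad" bootloader checks
FW_REGION_END = 0x370000                # Mot/Compal firmware image region 0..0x370000
FFS_BASE, FFS_LEN = 0x3C0000, 0x30000   # aftermarket FFS: flash erase 3C0000 30000

def constructed_dump(with_magic: bool = True) -> bytes:
    """Constructed stand-in for my_c139.bin: blank flash, optionally with the magic."""
    img = bytearray(b"\xFF" * FLASH_SIZE)
    if with_magic:
        img[MAGIC_OFFSET:MAGIC_OFFSET + 4] = MAGIC_VALUE.to_bytes(4, "little")
    return bytes(img)

def inspect_dump(dump: bytes) -> dict:
    """Sanity-check a 'flash dump2bin' backup before trusting it for a restore."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"expected {FLASH_SIZE:#x} bytes, got {len(dump):#x}")
    has_magic = int.from_bytes(dump[MAGIC_OFFSET:MAGIC_OFFSET + 4], "little") == MAGIC_VALUE
    return {
        # Assumption: loadtool's CRC-32 is the standard one zlib computes; compare it
        # with the value loadtool printed after the dump.
        "crc32": zlib.crc32(dump) & 0xFFFFFFFF,
        # Heuristic from the lead developer's notes: if the magic is present, the
        # bricking window runs past the 0x2000 boot code to the end of that word.
        "bad_bootloader_magic": has_magic,
        "brick_window_end": MAGIC_OFFSET + 4 if has_magic else BOOT_CODE_LEN,
        # Erased NOR flash reads 0xFF: does the backup hold anything where the FFS goes?
        "ffs_blank": all(b == 0xFF for b in dump[FFS_BASE:FFS_BASE + FFS_LEN]),
    }

def erase_sectors(base: int, length: int) -> int:
    """Sector count 'flash erase base length' reports, refusing ranges that are not
    sector aligned, run off the chip, or straddle the FFS area. Assumption: uniform
    64 KiB sectors above 0x10000 (CFI's 71 sectors means smaller sectors exist
    somewhere, so the boot sector is left to flash erase-program-boot)."""
    if base < SECTOR or base % SECTOR or length % SECTOR or not length or base + length > FLASH_SIZE:
        raise ValueError("range must be whole 64 KiB sectors between 0x10000 and the chip end")
    if base < FFS_BASE < base + length:
        raise ValueError("range straddles the FreeCalypso FFS at 0x3C0000")
    return length // SECTOR

def fits_erased_range(image_len: int, base: int, length: int) -> bool:
    """True if 'flash program-bin base image' stays inside the range just erased
    with 'flash erase base length' and inside the firmware region."""
    return 0 < image_len <= length and base + length <= FW_REGION_END
```

Run it against your own my_c139.bin with inspect_dump(open("my_c139.bin", "rb").read()) and compare the crc32 field with the value loadtool printed during the backup.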