Firmware bring-up status

Das Signal das.signal at freecalypso.org
Mon May 11 13:40:58 CEST 2015


Hi all,

I'd like to provide you with an update on recent developments:

In order to be able to help Mychaela with the debugging of the
GSM stack bring-up, I planned to flash a firmware recovered from
an old FTP by Mychaela for the C138, on my Chinese C118; this
model has a 4MB flash that makes it suitable for this larger
than usual image, and also happens to have the JTAG pins exposed.
Now this firmware image is particularly interesting from a debug
point of view, since it is accompanied by the .map output file
generated by TI's compiler, hence all the names of functions and
memory locations are known.

At first I tried flashing with OsmocomBB's osmoload tool. Even
though I did everything by the book (or rather, by the wiki),
the programming failed after the erase command, at the first
block -- so without JTAG, the phone would have been bricked.
This is actually the second time I have encountered an issue with this
flashing program, so I strongly recommend avoiding osmoload.

In order to recover from this, I was able to JTAG the small piece
of code developed by Mychaela to force the phone into ROM.
From there the classic fc-loadtool could be used to flash the phone.
After flashing I was first greeted by the message "FFS formatting"
(so I guess the calibration values are gone, but it's ok since I
made a backup of the flash contents). The good news is, the phone
displayed the logo and then successfully attached itself to the network!
I then made a phone call. With this firmware working as it should,
I'll now try to enable full RVF trace output to get a good reference
point to compare against.

For reference, here are the commands I used to unbrick and
reflash this C118:

$ openocd -f interface/flyswatter.cfg -f target/ti_calypso.cfg
...
> reset;halt
TAP calypso.dsp does not have IDCODE
JTAG tap: calypso.arm tap/device found: 0x3100e02f (mfg: 0x017, part: 0x100e, ver: 0x3)
svf processing file: "/usr/local/share/openocd/scripts/target/ti_calypso.svf"
svf file programmed successfully for 7 commands
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0xa00000d3 pc: 0x00000000
> load_image calypso/sw/target-utils/compalstage/compalstage-plain.bin 0x800000 bin
32 bytes written at address 0x00800000
downloaded 32 bytes in 0.004056s (7.705 KiB/s)
> resume 0x800000

Since the phone is now in ROM loader mode, I commented out the line
"compal-stage plain" in /usr/local/share/freecalypso/compal.init
Then I used fc-loadtool to properly flash the firmware:

$ ./fc-loadtool -h compal /dev/ttyUSB0
Sending beacons to /dev/ttyUSB0
Got beacon response, attempting download
<p command successful, switching to 115200 baud
Sending image payload
Sending checksum
<c command successful, sending <b
<b command successful: downloaded image should now be running!

FreeCalypso loadagent running
Loaded via UART 0 (MODEM) at baud rate #0
TCXO clock input autodetected to be 26 MHz

Executing init script compal.init
Script command: w16 fffffb00 00A3
Script command: w16 fffffb02 00A3
Script command: w16 fffffb10 0300
loadtool> flash info
Flash device type: cfi-4M
Bank 0 base address: 00000000
Performing CFI query
CFI query successful: total size 400000, 71 sectors, command set style 0003
Bank 0 total size: 400000
Sectors in bank 0: 71 (2 regions)
Command set style: Intel
loadtool> flash erase 0x0 0x270000
Erasing 39 sector(s)
.......................................
loadtool> flash program-bin 0x0 R87.2.1.03.img
Setting flash base address: INFB 0
Clearing Intel flash SR
Programming flash: 2516992 (0x266800) bytes
0x266800 bytes programmed (100%)

--DS
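A small preflight script to go with the fc-loadtool session above. This is an added example, not part of the post and not FreeCalypso's own tooling: it computes the sector-aligned erase length an image needs (for the 0x266800-byte image above this comes out as 0x270000, i.e. 39 sectors of 64 KiB, matching the "flash erase" line in the session) and refuses to generate the commands if that range would reach into an address the caller wants preserved, such as the start of the FFS area holding the calibration data. The 64 KiB sector size, the 4 MiB default limit and the sample image file are assumptions/constructed data, not values taken from the flash chip's CFI query in the post.

```shell
#!/bin/sh
# Preflight for fc-loadtool "flash erase" / "flash program-bin".
# Added example, not FreeCalypso code. Assumes a uniform erase block
# size (default 64 KiB) over the region being erased; on the 4M part in
# the post the small boot sectors sit at the top, outside that region.

plan_erase() {
    image=$1                 # path to the firmware image to be programmed
    sector=${2:-65536}       # erase block size in bytes (assumption: 64 KiB)
    limit=${3:-4194304}      # first address that must NOT be erased
                             # (e.g. start of FFS, or flash end = 4 MiB)
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
    size=$(( $(wc -c < "$image") ))
    [ "$size" -gt 0 ] || { echo "empty image" >&2; return 1; }

    # Round the image size up to a whole number of erase blocks.
    erase_len=$(( (size + sector - 1) / sector * sector ))
    sectors=$(( erase_len / sector ))

    if [ "$erase_len" -gt "$limit" ]; then
        printf 'refusing: image needs 0x%x bytes erased, limit is 0x%x\n' \
            "$erase_len" "$limit" >&2
        return 1
    fi

    # Emit the loadtool> commands for the operator to paste or pipe in.
    printf 'flash erase 0x0 0x%x\n' "$erase_len"
    printf 'flash program-bin 0x0 %s\n' "$image"
    printf '# %d sector(s) of 0x%x bytes will be erased\n' "$sectors" "$sector" >&2
}

# Constructed sample: an all-zero file of the same size as the image in
# the post (0x266800 = 2516992 bytes = 2458 KiB). Not a real firmware.
sample=$(mktemp)
dd if=/dev/zero of="$sample" bs=1024 count=2458 2>/dev/null
plan_erase "$sample"
```

Run it before touching the flash and compare the emitted erase length with the sector count loadtool reports; if you pass the FFS start address as the third argument, the script will refuse to generate commands for an image that would overwrite it.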

