Status of TCS211 on C139

Mychaela Falconia falcon at ivan.Harhan.ORG
Sat Nov 14 19:49:52 CET 2015


Hi David,

> Apart from this I'm now convinced of what I already suspected -
> that you are a fuckin' genius.

:-)

> I just flashed the C139 and everything just goes as you say it should :-)

Glad to hear that EU-region C139s work as well as the US-region ones
I'm developing on.

> but the MTN menu (that's the network I'm testing on - currently notorious
> for doing bad stuff and getting heavily fined in Nigeria ^_~) is actually
> very pretty - much more so than on the original firmware.

Wow, you got to exercise the SIM toolkit feature!  Explanation: there
exists a mechanism for a SIM to add its own menus to the UI of a phone,
and of course the handset firmware has to facilitate this mechanism.
TI's firmware does implement this feature, but I never looked at it in
any depth as Operator 310260's SIMs here don't use it.  Glad to hear
that it actually works (and even looks pretty as you say) instead of
crashing the fw. :)

> It's tempting to use this as main phone for a while as I could do the battery
> charging on the un-modded c139 I have, but a current limitation is that the
> screen does not power itself off as yet, which will hammer the batteries?

Yes, it will hammer the batteries, and probably the LEDs that light
the display as well.

> I will do an expanded howto from your instructions, similar to the things
> I wrote for leo2moko

In that howto you should make a clear explanation as to which steps
are necessary when going from Mot/Compal's original fw to FreeCalypso
for the first time vs. the steps that are needed when reflashing from
one FC fw version to another.  (The latter will definitely be needed
as the fw is still very much in development.)  There are 3 cases to
consider:

1. Initially installing FreeCalypso on a phone that never had it
   before: you need to reflash the boot sector, flash the main fw
   image and initialize the FFS like you did.

2. Reflashing from one FC fw version to another: just reflash the main
   image.  Skip the dangerous reflashing of the boot sector, and don't
   erase the FFS sectors either - this way the IMEISV and other stuff
   you have put in your own FFS will still be there.

3. A phone has been flashed with FreeCalypso once, then reverted to
   original fw, then you would like to flash FreeCalypso again: in
   this case you do need to reflash the boot sector again, but the FFS
   from the earlier FC installation should still be there, so don't
   erase those FFS sectors, boot the new FC fw and see if it still has
   the IMEISV you programmed the first time.

> 1. Is it accurate to say that this c139 firmware is sibling/cousin to
> leo2moko for the freerunner, ie still with binary blobs, but with the major
> difference that on the C139 the replacement firmware drives the gui?

Yes, pretty accurate: it still has binary blobs for most of the GSM
radio protocol stack, and it builds with TI's proprietary compiler.
It is indeed a cousin to leo2moko in that it's built from the same
starting point (both the source parts and the binary libs), but the
main differences are:

(a) This tcs211-c139 fw drives the handset UI as you said;

(b) In the case of the Freerunner there is no real difference between
    previous firmwares and leo2moko, hence going from moko11 to moko12
    is no different from going moko10->moko11: it's just a minor
    version update, not a real change.  But in the case of Mot C139
    there is no relation at all between Mot's original fw and ours;
    our fw is an alien on Mot's hardware.  This alien situation is the
    reason why we have to initialize our own FFS and set our own
    IMEISV, and can't just use the factory original like we do on the
    Freerunner.

> 2. The binary dump can be used to revert to the compal original firmware?

Yes.

> I'm guessing the custom bootloader also gets overwritten to revert
> to the standard?

Yes, the bootloader has to be rewritten whenever one flashes between
official fw and ours in either direction, and even from one official
fw version to another.  The only time when one can leave the boot
sector alone and only reflash starting at 0x10000 is when reflashing
from one FreeCalypso fw version to another.

> What would be the command to revert if that was desired?

flash erase-program-boot backup.bin 10000
flash erase 10000 360000
flash program-bin 10000 backup.bin 10000 360000

The net effect of these 3 commands is that the first 0x370000 bytes of
the flash (the region which Mot/Compal allocated for the firmware
image - as opposed to FFS or other data - on this hw model) will be
reprogrammed with the bits from the backup file.

I recommend this particular command sequence (reflashing the initial
0x10000 bytes first with flash erase-program-boot, then the rest of
the fw image with regular flash erase and flash program-bin commands)
because restoring an original fw after FreeCalypso requires reflashing
the dangerous boot sector, hence flash erase-program-boot is called
for safety.  Doing the entire sector (0x10000 bytes) with
flash erase-program-boot rather than just 0x2000 (the length of the boot code) is
recommended for less technical users who may not know the detailed
characteristics of the specific proprietary fw version they are
restoring.  If that specific fw version happens to have a "bad"
bootloader that checks the word at 0x2060 for the 0xDDDDDDDD magic
(a lot of us t-girls sure wish our bra cups were that big - scnr),
then the window of bricking vulnerability extends past 0x2000 up to
that 0x2060 word.

M~
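The flash layout and the three reflashing cases described in this message lend themselves to a small pre-flight check that a less technical user could run before touching the boot sector. What follows is an added example written for this archive page; it is not code from the original post or from the FreeCalypso project. It models only what the message states: the first 0x10000 bytes are the boot sector (boot code in the first 0x2000), the firmware image region ends at 0x370000, and a "bad" original bootloader checks the word at 0x2060 for the 0xDDDDDDDD magic. Assumed, not from the message: the exact argument positions of the three fc-loadtool commands are taken as written in the quoted sequence, the 0x2060 word is read little-endian, and an image that carries the magic word is treated as one whose bootloader checks it. The sample image is constructed (all 0xFF) rather than a real backup.bin.

```python
import struct

# Flash layout as described in the message (constants for this example)
BOOT_SECTOR_SIZE = 0x10000   # "flash erase-program-boot" is given this length
BOOT_CODE_SIZE = 0x2000      # length of the actual boot code
FW_REGION_END = 0x370000     # end of the Mot/Compal firmware image region; FFS lies beyond
MAGIC_OFFSET = 0x2060        # word that a "bad" original bootloader checks
MAGIC_WORD = 0xDDDDDDDD


def restore_commands(backup="backup.bin"):
    """The three fc-loadtool commands from the message that restore an original fw."""
    return [
        f"flash erase-program-boot {backup} 10000",
        "flash erase 10000 360000",
        f"flash program-bin 10000 {backup} 10000 360000",
    ]


def written_ranges(commands):
    """(command, start, end) flash ranges touched by each command, end exclusive.
    Assumption: only the three command forms used in the message are understood."""
    ranges = []
    for cmd in commands:
        p = cmd.split()
        if p[:2] == ["flash", "erase-program-boot"]:          # file, length
            ranges.append((p[1], 0, int(p[3], 16)))
        elif p[:2] == ["flash", "erase"]:                     # addr, length
            start = int(p[2], 16)
            ranges.append((p[1], start, start + int(p[3], 16)))
        elif p[:2] == ["flash", "program-bin"]:               # addr, file, fileoff, length
            start = int(p[2], 16)
            ranges.append((p[1], start, start + int(p[5], 16)))
        else:
            raise ValueError(f"unrecognised command: {cmd}")
    return ranges


def covered_span(ranges):
    """Merge the ranges; return (lo, hi) if they are contiguous, else None.
    A restore should give exactly (0, FW_REGION_END): no gap, no spill into FFS."""
    ivals = sorted((s, e) for _, s, e in ranges)
    lo, hi = ivals[0]
    for s, e in ivals[1:]:
        if s > hi:
            return None  # a hole in the firmware region would be left unprogrammed
        hi = max(hi, e)
    return lo, hi


def inspect_backup(image):
    """Pre-flight facts about a backup image before it is written back."""
    if len(image) < FW_REGION_END:
        raise ValueError(f"backup is {len(image):#x} bytes, need at least {FW_REGION_END:#x}")
    word = struct.unpack_from("<I", image, MAGIC_OFFSET)[0]  # assumption: little-endian
    has_magic = word == MAGIC_WORD
    return {
        "size": len(image),
        "magic_at_0x2060": has_magic,
        # Per the message, a bootloader that checks 0x2060 extends the bricking
        # window past the 0x2000 boot code up to and including that word.
        "bricking_window_end": MAGIC_OFFSET + 4 if has_magic else BOOT_CODE_SIZE,
        # Always rewrite the whole sector with erase-program-boot, as the message advises.
        "boot_write_length": BOOT_SECTOR_SIZE,
    }


def reflash_plan(phone_ran_fc_before, currently_on_fc):
    """Steps for the three cases in the message: first install, FC->FC, and
    re-install after reverting to the original fw."""
    if currently_on_fc:                      # case 2: one FC version to another
        return {"reflash_boot_sector": False, "flash_main_image": True,
                "erase_and_init_ffs": False, "check_imeisv_retained": False}
    if phone_ran_fc_before:                  # case 3: FC earlier, original fw now
        return {"reflash_boot_sector": True, "flash_main_image": True,
                "erase_and_init_ffs": False, "check_imeisv_retained": True}
    return {"reflash_boot_sector": True, "flash_main_image": True,   # case 1
            "erase_and_init_ffs": True, "check_imeisv_retained": False}


def make_sample_image(with_magic=True):
    """Constructed stand-in for backup.bin: erased flash, optionally carrying the magic."""
    img = bytearray(b"\xff" * FW_REGION_END)
    if with_magic:
        struct.pack_into("<I", img, MAGIC_OFFSET, MAGIC_WORD)
    return bytes(img)


if __name__ == "__main__":
    cmds = restore_commands()
    print("restore covers", [hex(x) for x in covered_span(written_ranges(cmds))])
    print(inspect_backup(make_sample_image(True)))
    print("re-install after revert:", reflash_plan(True, False))
```

The span check is the useful part for a restore: if someone edits the lengths in the three commands, the merged span no longer comes out as (0x0, 0x370000) and the script flags either a hole in the firmware region or a write reaching into the FFS sectors that the message says to leave alone.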
