A new Mot C139/140 boot code version found in the wild

Mychaela Falconia mychaela.falconia at gmail.com
Mon Jul 25 23:46:18 UTC 2016


Hello everyone,

Our most recent contributor Ajay has sent me the flash dump which he
made from his C139 phone - the one he was having issues with - and
this particular firmware version turns out to be quite remarkable in
that it contains a boot code version with one significant difference
from what we've been used to previously.  The firmware flash dump
along with some commentary can be found here:

ftp://ftp.freecalypso.org/pub/GSM/Compal/c139-india-boot1004.zip

Remember the -c 1003 option to fc-loadtool which is needed when
operating on C139/140 phones that have some official fw version in
them, but not when operating on a C11x/12x phone or on a C139 that has
FreeCalypso fw flashed?  Mot/Compal's official C139/140 boot code
expects all serially downloaded code images to have some signature
bytes at a rather inconvenient location (about 15 KiB into the image,
thus making it the minimum required image size); the "plain" version
of compalstage (used when you specify just -h compal) is only 32 bytes,
but the -c 1003 switches to a padded 15332 byte long version.

So what are these required signature bytes then?  All C139/140 boot
code versions seen prior to today expected these signature bytes to be
"1003" (ASCII), hence that is the signature which has been supplied by
all community tools that operate on these phones, both ours and
Osmocom's.  But the boot code version contained in the firmware image
sent by Ajay expects these signature bytes to be "1004" instead!
Because both our fc-loadtool -h compal -c 1003 and Osmocom's
osmocon -m c140xor send "1003" in the signature bytes, the result was
that neither tool could gain bootloader access to Ajay's C139, just as
if the bootloader had been locked down - even though it wasn't.  (The
boot code in this fw version does include the provision for locking
the bootloader, but Ajay's flash dump shows that the lock was NOT
activated - thus it still stands that to this day not one EU band C1xx
phone has ever been encountered in the wild with the bootloader locked
down, only North American ones.)

The solution: I have just pushed a change into the freecalypso-tools
repository adding a new version of the compalstage binary that has the
signature bytes set to "1004" instead of "1003".  You can either fetch
and compile the latest code from Bitbucket (you'll need the ARM7
toolchain in this case), or you can download the compalstage-1004.*
files I posted here:

ftp://ftp.freecalypso.org/pub/GSM/FreeCalypso/

Either way, once you have compalstage-1004.bin installed, just specify
-c 1004 instead of -c 1003 in the fc-loadtool command line, and it
should work with both old and new C139/140 boot code versions.  The
actual comparison check performed by that boot code is an inequality,
thus sending "1004" should be good for all fw versions - thus the
previous -c 1003 option is being kept only for backward compatibility
with existing usage.
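To make the signature logic above concrete, here is a small Python model (an added example, not code from freecalypso-tools or from the Compal boot code) that pads a stage image to the 15332-byte layout, stamps the 4-byte ASCII version, and emulates the boot code's accept/reject decision. SIG_OFFSET and the exact direction of the comparison are assumptions chosen to match the post's description, not values read from the real boot code.

```python
# Model of the Compal C139/140 boot-code signature check (added example, not
# freecalypso-tools code). ASSUMPTIONS, not taken from the real boot code:
#   * SIG_OFFSET: the post only says "about 15 KiB into the image".
#   * The boot code accepts when image version >= its required version
#     (the post says the check is an inequality and "1004" works everywhere).

PADDED_LEN = 15332            # padded compalstage length (from the post)
STAGE_LEN = 32                # plain compalstage length (from the post)
SIG_LEN = 4
SIG_OFFSET = PADDED_LEN - SIG_LEN   # ASSUMED: signature is the last 4 bytes


def build_padded_stage(stage, version):
    """Pad a stage image to PADDED_LEN and stamp the 4 ASCII version bytes."""
    if len(stage) > SIG_OFFSET:
        raise ValueError("stage code overlaps the signature field")
    if len(version) != SIG_LEN or not version.isdigit():
        raise ValueError("version must be 4 ASCII digits, e.g. '1004'")
    img = bytearray(PADDED_LEN)           # zero padding after the code
    img[:len(stage)] = stage
    img[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = version.encode("ascii")
    return bytes(img)


def read_signature(img):
    """Return the ASCII version string in an image, or None if absent."""
    if len(img) < SIG_OFFSET + SIG_LEN:
        return None                       # e.g. the bare 32-byte stage
    sig = img[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return sig.decode("ascii") if sig.isdigit() else None


def boot_code_accepts(img, boot_version):
    """Emulate the boot code: accept iff image version >= required version."""
    sig = read_signature(img)
    return sig is not None and int(sig) >= int(boot_version)


def compatibility_matrix(stage):
    """Map (image signature, boot version) -> whether loader access is gained."""
    out = {}
    for img_ver in ("1003", "1004"):
        img = build_padded_stage(stage, img_ver)
        for boot_ver in ("1003", "1004"):
            out[(img_ver, boot_ver)] = boot_code_accepts(img, boot_ver)
    return out
```

Running compatibility_matrix on a 32-byte stub reproduces the situation in the post: a "1003" image is rejected by the "1004" boot code, while a "1004" image is accepted by both.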

For Ajay: now that we know that your previous fw version was unlocked,
but there was a signature version incompatibility, I recommend that
you reflash your phone back to its original state.  You should proceed
as follows:

1. Download and install compalstage-1004.bin as above.

2. With a fully charged battery inserted, the serial cable connected
   and the phone powered off (the state after removing and reinserting
   the battery and NOT pressing the power button), run this command:

   fc-loadtool -h compal -c 1004 /dev/ttyXXX

3. Press the red power button on the phone, and loadtool should gain
   access.

4. Once at the loadtool> prompt, flash your original fw dump back into
   the phone as follows:

   flash erase-program-boot flashdump.bin 10000
   flash erase 10000 3f0000
   flash program-bin 10000 flashdump.bin 10000

You told me off-list that your original goal was to turn the phone
into a sniffer with the use of OsmocomBB tools; once you have restored
your C139 to its original firmware, if you would like to use OsmocomBB
tools with it, just edit osmocon.c and change the definition of
phone_magic[] from "1003" to "1004".

At this point a general reminder is in order.  Simon Tatham's FAQ
"How to Report Bugs Effectively":

http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

Most of it is not too applicable to FreeCalypso, to Mot C1xx phones or
to the present situation, but one part of it is very applicable: look
for the section titled "So then I tried . . .".  Just like in Simon's
FAQ, when you are dealing with the finicky and brickable Mot C1xx
phones, you need to be an antelope and not a mongoose.  In Ajay's
case, you saw that your C139 wasn't working either with OsmocomBB
tools or with fc-loadtool, you assumed that the phone had a locked
bootloader (a reasonable assumption under the circumstances in
question, but it should have been treated as a hypothesis rather than
a firm conclusion), and then once you successfully gained access via
tfc139, you proceeded to the quite drastic step of reflashing the phone
to a different firmware version - flashing a North American fw version
into an EU band phone, no less!  In this case you acted very much like
the mongoose in Simon Tatham's parable, and while you were very lucky
in that you didn't actually brick your phone, such bricking is a very
real possibility when acting like a mongoose.  Instead you should have
acted like an antelope: made a flash dump with fc-loadtool after
gaining access with tfc139, solicited advice on this list, and NOT
initiated any flash write operations.  Again, you were lucky and your
phone appears to be fully recoverable, but something to note for
future reference, and for others reading the same.

Happy hacking,
M~

