FYI: Motorola W220

Mychaela Falconia mychaela.falconia at gmail.com
Tue May 28 20:48:15 UTC 2019


Hello FC community,

Just as an FYI, there exist some phones out there that have the
Calypso+Iota baseband chipset inside, but use one of several non-TI RF
transceivers instead of TI Rita, and some of these phones allow serial
access and have the Calypso boot ROM enabled.  A good example is
Motorola W220: although it uses a different battery form factor, it
has the same charging and headset jacks as our familiar C1xx, and the
headset jack is likewise combined with serial access.  But this model
(as well as the C168 which I had no success in cracking) was made for
Motorola by Chi-Mei rather than Compal (a different ODM), and they did
many internal things differently.  Unlike Compal phones, Mot W220 has
the Calypso boot ROM enabled, but they also used a Silabs RF
transceiver (Si4210 aka Aero II) instead of TI Rita.

I got a couple of these W220 phones from ebay, and I was easily able
to get in with fc-loadtool and dump their flash:

ftp://ftp.freecalypso.org/pub/GSM/Mot_W220/

Unfortunately their 8 MiB flash content has absolutely no recognizable
structures: the firmware is very heavily modified relative to TI's
baseline as usual (and in quite different ways than how Compal did it),
there is no FFS in TI's format (neither for user nor for factory data),
and no Compal records of the c1xx-calextr sort, which was expected
since the ODM is Chi-Mei rather than Compal.

I have added an fc-loadtool -h w220 configuration to our current
freecalypso-tools (a new FC host tools release is coming soon, as soon
as I am done documenting and testing other recent changes), making it
possible to dump and reload the flash on these phones with our tools,
but the practical usefulness of this ability is expected to be
approximately zero: their flash structure is so incomprehensible that
I was not even able to find the boundaries between the firmware proper,
user data and factory data, thus I would not even know how to replace
one official fw version with a different one, an operation which we
can do quite reliably on all C1xx phones.

And don't even think about FreeCalypso fw for this target - it is
nowhere close to my areas of interest, as in galaxies away.  My
original interest was to see if *any* of the historical phone or modem
manufs ever made a Calypso+Aero design in which they took TI's
reference fw and made absolutely minimal changes to it just to support
the different RF subsystem, but nope, Chi-Mei didn't do that - instead
they changed the entire design beyond all recognition like most manufs
did for some reason that is beyond me...

What else am I doing these days besides gathering flash dumps from
obscure and hopelessly non-supportable phones?  I have recently made
two rather big changes to our host tools:

1) The way in which fc-loadtool handles different flash chip types has
been completely revamped.  My original design from 2013 only targeted
Openmoko's modem and the Pirelli DP-L10, both using flash configurations
that don't lend themselves well to CFI-based autoconfiguration, and
both of those flashes use the AMD command set - so my original design
supported only AMD-style flash and required manual flash chip type
configuration, no autodetection.  Then in 2014 I added Compal target
support, meaning flashes with Intel-style command sets and needing at
least some autodetection, as there are many different flash variants
found in these phones.  The arrival of our own FCDEV3B hw didn't
affect anything in this realm because our FCDEV3B has exactly the same
kind of flash as the Pirelli DP-L10, but in 2018 it was discovered
that the Intel-style flashes on TI's D-Sample board and on Mot C155/156
phones have additional quirks involving partitions, making our flash
handling even more ridden with special-case hacks.  Literally yesterday
I finally got fed up with it and rearchitected it in a different way,
which will soon be documented.

2) If you have an FCDEV3B and you've been playing with it extensively,
you might have noticed this quirk: if you make an fc-loadtool entry
via the RESET button rather than PWON, and then exit loadtool, causing
the green LED to go out, then the PWON button seemingly stops working
correctly, i.e., you can do another switch-on boot only via another
RESET press, not via PWON.  The issue turns out to be a quirk in the
VRPC state machine inside the Iota ABB chip, and TI's official TCS211
fw includes a fix for this quirk in the form of a write to an
undocumented Iota register.  Replicating this fix in our target-utils
(loadagent and friends) has solved the problem; if you are interested
in the gory details, see my recently-added Calypso-test-reset article
in the freecalypso-docs Hg repository.

I need to write some more documentation, maybe give all of the new
code some more testing, and then we are going to have a new release of
FC host tools.

Hasta la Victoria, Siempre,
Mychaela aka The Mother

