New phone discovery - Sony Ericsson K200i/K220i

Vadim Yanitskiy axilirator at gmail.com
Mon Oct 31 11:24:11 UTC 2022


Hi Osmocom and FreeCalypso communities,

I would like to disclose my recent discovery, which so far was
discussed within a small group of Osmocom members and with Mychaela
Falconia.

==== A bit of history ====

There exists a tool for flashing old Sony Ericsson phones called
pstool (search for 'PSTool_SE_ODM_free' in your favorite search
engine). It's a Windows executable with a custom GUI, and with some
additional clarifications specifically for "big Russian specialists"
:P

Unlike the more famous SETool2 Lite, which does support a wide range
of phones based on SEMC's own A1 DB2xxx and A2 DB3xxx chipsets, the
pstool is limited to only a few phone models (all listed in GUI):

* J100i, J110i, J120i,
* K200i, K220i.

Among them is Sony Ericsson J100i [1], a Calypso based phone designed
by Compal, on which you can already run custom OsmocomBB or
FreeCalypso firmware. Both J110i and J120i are likely variants of
J100i with some minor differences (correct me if I am wrong).

[1] https://osmocom.org/projects/baseband/wiki/SonyEricssonJ100i

My curiosity was piqued when I saw K200i/K220i in the dropdown list of
the pstool. I ordered a few phones on a local advertising site
assuming that they may also be based on Calypso. And... yes, they are!

==== Hardware ====

For those who are interested to see the inside, here are some photos:

https://people.osmocom.org/fixeria/dump/se_k200i/board/

Some highlights (from Mychaela's E-mail):

* Calypso 751992A (C035, final DSP ROM version 3606, full 512 KiB IRAM),
* RF: Familiar Iota TWL3025 ABB and Rita, PA SKY77318,
* Flash: SPANSION S71PL129NB0HFW4B (16 MiB NOR + 4 Mib XRAM),
* Winbond W56932DYX - probably a ringtone melody player?

According to [2], K220i is identical to K200i with the only difference
that the former has an FM radio receiver. If anyone has a K220i, I
would be interested to see the board photos though.

[2] https://mobile-review.com/review/sonyericsson-k200.shtml

==== Software ====

I was able to get the FreeCalypso loadagent running:

https://people.osmocom.org/fixeria/dump/se_k200i/info.txt

and managed to dump the raw flash contents:

https://people.osmocom.org/fixeria/dump/se_k200i/K200i-fc-flash1.bin
https://people.osmocom.org/fixeria/dump/se_k200i/K200i-fc-flash2.bin

The DSP ROM is a well-known version 3606:

https://people.osmocom.org/fixeria/dump/se_k200i/dspromdump.txt

I was also able to get unmodified OsmocomBB layer1 firmware (the J100i
variant) running and even got the basic Rx functionality working:

* cell_log is able to find cells,
* ccch_scan happily decodes BCCH/AGCH/PCH messages.

What's really nice about the K200i is that (unlike the J100i) it has
the Calypso boot ROM unlocked, just like Pirelli DP-L10 [3]. This
makes it impossible to brick the phone by erasing the flash.

[3] https://osmocom.org/projects/baseband/wiki/PirelliDPL10

==== Summary ====

At the moment of writing this announcement, K200i is neither supported
by OsmocomBB nor by FreeCalypso. The big problem here is that we could
not find the board schematics, so we don't have sufficient knowledge
on how the RFFE control signals are routed. Figuring this out (be it
hw-based or fw-based approach) is quite a big effort, and I doubt
there will be a commercial interest to sponsor this.

In any case, I believe it's a nice *potential* target, so I created a
wiki page [4] with all the relevant information about K200i.

[4] https://osmocom.org/projects/baseband/wiki/SonyEricssonK200i

Now I am giving the podium to Mychaela, I am sure she has more to say :P

Best regards,
Vadim.

