New phone discovery - Sony Ericsson K200i/K220i

Mychaela Falconia falcon at freecalypso.org
Mon Oct 31 17:49:59 UTC 2022


Vadim Yanitskiy <axilirator at gmail.com> wrote:

> There exists a tool for flashing old Sony Ericsson phones called
> pstool (search for 'PSTool_SE_ODM_free' in your favorite search
> engine). It's a Windows executable with a custom GUI, and with some
> additional clarifications specifically for "big Russian specialists"
> :P

I haven't tried running this software, neither under Wine nor under
real Windows (the only way I would ever do the latter would be on a
fully isolated, air-gapped test machine), but I added it to our FTP
collection:

ftp://ftp.freecalypso.org/pub/GSM/Sony_Ericsson/pstool_se_odm_free.zip

> Both J110i and J120i are likely variants of
> J100i with some minor differences (correct me if I am wrong).

I have no personal experiences with either model, but I concur with
Vadim's educated guess, based on what this Windows-based hacker
community tool apparently supports.

> * Flash: SPANSION S71PL129NB0HFW4B (16 MiB NOR + 4 Mib XRAM),

It is _almost_ the same flash+RAM chip as in Pirelli DP-L10 and on our
own FCDEV3B, but with only 4 MiB of RAM instead of 8 MiB.  Experiments
with fc-loadtool revealed that the second flash chip select is on
Calypso nCS2, and a little digging in the firmware dump with a
disassembler shows that the RAM chip select is nCS1 - the usual one.

> I was able to get the FreeCalypso loadagent running:
> https://people.osmocom.org/fixeria/dump/se_k200i/info.txt

Because the hardware of this model happens to be the same as
FreeCalypso hw family in those aspects that are relevant to fc-loadtool
and related tools, I am going to instruct people to use -h fcfam on
this model, without creating a new custom target for loadtools suite.

> The DSP ROM is a well-known version 3606:

For those who aren't as well-versed in different Calypso DSP ROM
versions: 3606 is the only version of practical relevance, it is the
version present in the Calypso chip inside Openmoko GTA02 (the device
that launched what later became FreeCalypso), inside all phones
supported by OBB, and inside all FC hardware products.

Besides this practically-ubiquitous version 3606, only two other
versions existed in the history of our dear Calypso, to my knowledge:
3311 and 3416.  Dumps of all 3 versions are posted on our FTP site.
The dump of 3311 was taken from a real TI-made D-Sample board from
2002; the dump of 3416 was taken by way of me buying a few pieces of
that historical Calypso chip version and populating one of them on an
FCDEV3B.

> I was also able to get unmodified OsmocomBB layer1 firmware (the J100i
> variant) running and even got the basic Rx functionality working:
>
> * cell_log is able to find cells,
> * ccch_scan happily decodes BCCH/AGCH/PCH messages.

This level of success with GSM Rx indicates that at least the two Rita
control signals (TSP chip enable and reset strobe) are wired to TSPEN2
and TSPACT0 per TI's canon: in order to get successful Rx, OBB layer1
must have programmed the frequency synthesizer in the Rita xcvr for
the right downlink frequency and told it to activate Rx, which requires
successful communication from Calypso to Rita.

However, what we don't know are the following bits:

* Which TSPACT is wired to the PA's Enable input?
* Which TSPACT is wired to the PA's Band Select input?
* Which TSPACT signals control the antenna switch, and exactly how?

Also while we have easily identified the PA chip (it is SKY77318,
datasheet readily available, basically same as our previously familiar
SKY77328), we don't know what the ASM (antenna switch module) or FEM
(front end module) is.  In the photos I see components that look like
Rx SAW filters (hard to see because shieldcan walls are in the way),
so it looks like an arrangement with separate ASM and Rx SAW filters,
as opposed to a fully integrated FEM.  But neither I nor Vadim ever
identified the specific ASM in this phone, so we can only guess what
control signals it has.  The most "canonical" arrangement would be one
control signal that turns on low band Tx and another that turns on
high band Tx, but we still don't know:

* Which TSPACT signals drive these two ASM controls, and in which order?
* The buffer they go through, is it inverting or non-inverting?

> At the moment of writing this announcement, K200i is neither supported
> by OsmocomBB nor by FreeCalypso. The big problem here is that we could
> not find the board schematics, so we don't have sufficient knowledge
> on how the RFFE control signals are routed.

Yup.  Furthermore, I reason that on embedded devices of this kind it
is actually possible to damage hardware through careless firmware
experimentation!  I see two ways how wrong fw can potentially cause hw
damage:

1) Calypso GPIO or multifunction pin misconfiguration that results in
a shorted output or driver conflict.  Suppose you configure some
Calypso GPIO or multifunction pin as an output when it was meant to be
an input - if it's externally shorted to GND but you drive high, or if
it is wired to the output of some other chip and the two chips drive
opposite logic values, then you'll have excessive current flowing,
which I reason could damage hw depending on how long that bad condition
persists.

2) Forcing RF PA output through incorrectly-set antenna switch: that PA
is mighty, up to 2 W in low bands and up to 1 W in high bands, so what
will happen if the PA is turned on but the antenna switch is not set
correctly for Tx in the right band?  I am a little fuzzy on how these
ASMs and FEMs work internally, due to severe lack of proper documentation
from component vendors, but I reason that forcing mighty PA output
through a wrong switch path could probably damage it too, again
depending on how long the bad condition persists.

One troublesome behaviour which I have seen both in OsmocomBB community
*and* among the more unscrupulous abusers/misusers of FreeCalypso (no,
not Vadim, I am talking about a certain other Russian here, a certain
very very bad person who is now banned from FC community) is that
people will often mindlessly take a firmware image built for one
(known, properly supported) hw target and run it on a *different*
Calypso device, probably naively thinking that it might "just work".
Well, let me tell ya - by my reasoning above, you could actually
damage your hw by being so careless!

> Now I am giving the podium to Mychaela, I am sure she has more to say :P

I have ordered one K200i phone from ebay, coming from Germany
(couldn't find any nearer-to-me sellers!), and ebay emails tell me
it's on its way to me.  If/when I receive it successfully, I will do
some poking around.  However, I could only find the 900+1800 MHz
version, and because I don't transmit on EU band frequencies in USA,
I will be very limited in my GSM testing of this phone - basically
limited to what I can do in a cabled setup with no radiated
transmissions.  From what I can tell from Vadim's photos, this phone
has an internal RF test port of the same type as Mot C139, SE J100i,
Pirelli DP-L10 etc, which is Murata SWD/SWF.

M~
