Support #3801

dump flash of Sony Ericsson SJ100i

Added by laforge 3 months ago. Updated 11 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OsmocomBB Firmware
Target version:
-
Start date:
02/13/2019
Due date:
% Done:

100%

Resolution:
Spec Reference:

Description

I've ordered two SJ100[i] from eBay. Once they arrive, please dump the flash of at least one of them.

Vadim has described how to perform the firmware dumping at https://osmocom.org/issues/3582#note-11

There was a hint by @falconia that 0x400000 shall be used instead of 0x200000 when using osmoload, as the flash size apparently is larger.

Attachment: flashdump-clean.bin (4 MB), falconia, 03/06/2019 04:34 AM

Related issues

Related to OsmocomBB - Feature #3582: Merge reading of factory RF calibration values (Stalled, 2018-09-21)

History

#1 Updated by laforge 3 months ago

  • Related to Feature #3582: Merge reading of factory RF calibration values added

#2 Updated by falconia 3 months ago

Today I have received the SE J100i phone which Harald sent me, I successfully constructed the necessary serial cable, and successfully read out the flash with fc-loadtool. However, I am not sure whether or not it would be a good idea (ethically speaking) to post the raw flash dump publicly, as the FFS sectors contain the previous owner's private personal info: phone numbers in the +49 country code, SMS messages in German and what looks like a 26201 IMSI. However, just like I suspected, this SE J100i phone has the same firmware architecture as Mot C1xx phones from the same Compal ODM, and just like on those more common Mot C1xx phones, the FFS is strictly non-essential. If the FFS sectors are erased with an external raw flash writer tool like fc-loadtool and the phone is booted up normally after such erasure, the firmware automatically creates a new clean FFS format on the first boot - it even displays an "FFS Formatting" message on the LCD as it does that, and then the phone functions normally, except that it is squeaky-clean of any previous user data.

I have performed the just-described FFS cleaning after saving the original flash dump, and then made another dump with fc-loadtool after the firmware had written a new clean FFS in the place of the erased one. This clean flash dump is attached; as for the original unredacted one, I can send it privately to Harald for analysis and disposition.

The FFS configuration on this phone is exactly the same as on Motorola C139/140: classic TIFFS format (not the FM6R used on C155/156), 5 sectors of 64 KiB each starting at 0x370000. And just like on all Mot C1xx variants, this FFS holds only users' personal data and nothing vital: no RF calibration records and no IMEI. The /pcm/IMEI file is a dud, no actual IMEI in there. On the other hand, there is an 8 KiB flash sector at 0x3FC000 with factory records in Compal's format, just like on Mot C1xx phones, and sure enough, the RF calibration values are in there - use the same location and parsing algorithm as on C139/140.
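
As an added illustration (not code from this issue or from the OsmocomBB project), a Python check that slices a 4 MiB dump into the regions described in the comment above, the five 64 KiB TIFFS sectors at 0x370000 and the 8 KiB factory-record sector at 0x3FC000, and flags a dump whose FFS still carries user data before it is shared. The ASCII "+49" pattern, the `make_sample` dumps and the `looks_safe_to_share` rule are constructed assumptions for the example, not a description of how the real FFS encodes phonebook or SMS data.

```python
import re

FLASH_SIZE   = 0x400000        # 4 MiB, the size hinted at for osmoload
FFS_BASE     = 0x370000        # start of the classic TIFFS area
FFS_SECTOR   = 64 * 1024       # 64 KiB per FFS sector
FFS_SECTORS  = 5               # five sectors, 0x370000..0x3BFFFF
FACTORY_BASE = 0x3FC000        # 8 KiB Compal factory-record sector
FACTORY_SIZE = 8 * 1024

# Heuristic only (assumption): user data that happens to be stored as ASCII,
# e.g. a "+49..." number in the phonebook or SMS store, matches this pattern.
PII_HINT = re.compile(rb"\+49[0-9]{6,14}")

def ffs_region(dump: bytes) -> bytes:
    """The five TIFFS sectors that hold user data (phonebook, SMS, ...)."""
    return dump[FFS_BASE:FFS_BASE + FFS_SECTOR * FFS_SECTORS]

def factory_region(dump: bytes) -> bytes:
    """The factory-record sector that carries the RF calibration values."""
    return dump[FACTORY_BASE:FACTORY_BASE + FACTORY_SIZE]

def erased_fraction(blob: bytes) -> float:
    """Share of bytes still at the NOR-flash erased value 0xFF."""
    return blob.count(0xFF) / len(blob) if blob else 0.0

def audit_dump(dump: bytes) -> dict:
    """Summarise what a dump reveals before deciding whether to publish it."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"expected {FLASH_SIZE:#x} bytes, got {len(dump):#x}")
    ffs, fac = ffs_region(dump), factory_region(dump)
    return {"ffs_erased": erased_fraction(ffs),
            "ffs_pii_hints": len(PII_HINT.findall(ffs)),
            "factory_erased": erased_fraction(fac)}

def looks_safe_to_share(dump: bytes) -> bool:
    """No ASCII PII hints in the FFS, and the factory sector (RF calibration) intact."""
    stats = audit_dump(dump)
    return stats["ffs_pii_hints"] == 0 and stats["factory_erased"] < 1.0

# Constructed sample dumps (not real phone data): blank flash, a placeholder
# factory record, and optionally a fake phonebook entry inside the FFS area.
def make_sample(with_user_data: bool) -> bytes:
    dump = bytearray(b"\xff" * FLASH_SIZE)
    dump[FACTORY_BASE:FACTORY_BASE + 4] = b"CAL!"
    if with_user_data:
        entry = b"Alice\x00+49301234567\x00"
        dump[FFS_BASE + 0x100:FFS_BASE + 0x100 + len(entry)] = entry
    return bytes(dump)
```

A dump read with fc-loadtool before the FFS erase would be expected to trip the hint count, while the clean dump made after the "FFS Formatting" boot leaves the FFS almost entirely at 0xFF.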

#3 Updated by roh 11 days ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Already done by falconia.
