CalypsoRomloader » History » Version 1
steve-m, 02/19/2016 10:48 PM
= CalypsoRomloader =

The Romloader is a serial bootloader inside the mask ROM of the Calypso/lite/plus DBB.

It can be mapped to the reset vector (0x000000) on the Calypso by pulling the nIBOOT pin low. When activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time; if nothing is received, it jumps to the application code in the flash memory.[[BR]]
If the flash memory is unprogrammed (it checks a few flash locations for that), it stays activated and waits for incoming commands.

So even on devices which use their own bootloader stored inside the flash, the Romloader could be activated by pulling nIBOOT low (but that pin is inaccessible on most phones).

There are currently 3 known variants:

== "non-secure"-Romloader on Calypso/lite ==

The "non-secure" variant is used on the Calypso/Calypso lite, and it is the one we support with osmocon.
It doesn't require a "key".

It is known to be used by the Motorola W220, BenQ Siemens A38, the OpenMoko devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird).

== "secure"-Romloader on Calypso/lite ==

This one seems to be used on some newer Calypso batches, and is known to be used on the Alcatel VLE5 series.
In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash).
Basic reverse engineering is done, but nothing is working yet; at least we know the "key" for the Alcatel VLE5 phones.

== "secure"-Romloader on Calypso plus ==

This variant is very similar to the one on the Calypso: it requires a key, too, and uses a somewhat different structure for the branch address.
It also seems to cooperate in some way with a second loader stored inside the flash.
We know the key for the Motorola C261 (which is manufactured by Compal).

== Romloader support in osmocon ==

To download code to a Romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and press the power button briefly.
Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000.

For anyone who wants to try this out on an OpenMoko device, use
{{{
$ echo 0 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on
$ echo 1 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on
}}}

to control the GSM Module.

Since the Romloader itself uses 512 bytes of the RAM above 0x800000, we need a different memory layout, but for testing you can use loader.osmoload.bin, which can be loaded to 0x820000.

{{{
$ ./osmocon -p /dev/ttyUSB0 -m romload ../../target/firmware/board/compal_e88/loader.osmoload.bin
}}}
* Push the power-on button of your phone (short push, not like a regular phone boot!)
* Observe output resembling the following
{{{
Sending beacon...
Sending beacon...
Sending beacon...
Sending beacon...
got 1 bytes from modem, data looks like: 3e
got 1 bytes from modem, data looks like: 69
Received ident ack from phone, sending parameter sequence
read_file(../../target/firmware/board/compal_e88/loader.osmoload.bin): file_size=14580, hdr_len=0, dnload_len=14583
Received parameter ack from phone, starting download
Used blocksize for download is 1024 bytes
Preparing block 1, block checksum is 0x93
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 0 finished
Received block ack from phone
Preparing block 2, block checksum is 0x3b
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 1 finished
Received block ack from phone
Preparing block 3, block checksum is 0x79
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 2 finished
Received block ack from phone
Preparing block 4, block checksum is 0x83
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 3 finished
Received block ack from phone
Preparing block 5, block checksum is 0xe5
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 4 finished
Received block ack from phone
Preparing block 6, block checksum is 0x6a
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 5 finished
Received block ack from phone
Preparing block 7, block checksum is 0x98
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 6 finished
Received block ack from phone
Preparing block 8, block checksum is 0x86
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 7 finished
Received block ack from phone
Preparing block 9, block checksum is 0x0f
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 8 finished
Received block ack from phone
Preparing block 10, block checksum is 0xa1
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 9 finished
Received block ack from phone
Preparing block 11, block checksum is 0x07
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 10 finished
Received block ack from phone
Preparing block 12, block checksum is 0x5c
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 11 finished
Received block ack from phone
Preparing block 13, block checksum is 0x68
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 12 finished
Received block ack from phone
Preparing block 14, block checksum is 0x1c
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 13 finished
Received block ack from phone
Preparing the last block, filling 630 bytes, block checksum is 0x54
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 14 finished
Finished, sent 14 blocks in total
Received block ack from phone
Sending checksum: 0xdd
Checksum on phone side matches, let's branch to your code
Branching to 0x00820000
Received branch ack, your code is running now!


OSMOCOM Calypso loader (revision 7025e5c-modified)
======================================================================
Running on compal_e88 in environment osmoload


}}}
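
A checker for transcripts like the one above, added here as an example (it is not part of osmocon or of the original page): it confirms the order of the acknowledgements, that every prepared block was acknowledged, and that the branch target is 0x820000. The function name and the sample transcript are constructed for illustration; the matched line prefixes are taken from the output shown above.

```python
import re

EXPECTED_BRANCH = 0x820000  # branch address given on this page
# Constructed two-block transcript in the format of the output shown above.
SAMPLE_OK = """\
Received ident ack from phone, sending parameter sequence
Received parameter ack from phone, starting download
Preparing block 1, block checksum is 0x11
Received block ack from phone
Preparing the last block, filling 100 bytes, block checksum is 0x22
Received block ack from phone
Sending checksum: 0x33
Checksum on phone side matches, let's branch to your code
Branching to 0x00820000
Received branch ack, your code is running now!
"""

MILESTONES = ("Received ident ack", "Received parameter ack",  # required order
              "Checksum on phone side matches", "Received branch ack")

def check_romload_log(text, expected_branch=EXPECTED_BRANCH):
    """Return (acked_blocks, problems) for an osmocon romload transcript."""
    problems, reached, sent, acked, pending, branch = [], 0, 0, 0, False, None
    for line in map(str.strip, text.splitlines()):
        for idx, prefix in enumerate(MILESTONES):
            if line.startswith(prefix):
                if idx != reached:
                    problems.append(f"'{prefix}' out of order")
                reached = max(reached, idx + 1)
        if line.startswith("Preparing "):
            if reached != 2:  # blocks belong between parameter ack and checksum
                problems.append("block sent outside the download phase")
            if pending:
                problems.append(f"block {sent} was never acknowledged")
            sent, pending = sent + 1, True
        elif line.startswith("Received block ack"):
            if not pending:
                problems.append("block ack without a pending block")
            acked, pending = acked + int(pending), False
        elif m := re.match(r"Branching to (0x[0-9a-fA-F]+)", line):
            branch = int(m.group(1), 16)
    if pending:
        problems.append(f"block {sent} was never acknowledged")
    if reached < len(MILESTONES):
        problems.append(f"stopped before '{MILESTONES[reached]}'")
    if branch != expected_branch:
        shown = "none" if branch is None else f"{branch:#x}"
        problems.append(f"branch target {shown}, expected {expected_branch:#x}")
    return acked, problems
```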