CalypsoRomloader » History » Version 11
fixeria, 07/11/2018 11:18 AM
1 | 1 | steve-m | h1. [[CalypsoRomloader]] |
---|---|---|---|
2 | 9 | steve-m | |
3 | 11 | fixeria | {{>toc}} |
4 | 9 | steve-m | |
5 | 1 | steve-m | The Romloader is a serial bootloader inside the maskrom of the Calypso/lite/plus DBB. |
6 | |||
7 | 9 | steve-m | It can be mapped to the reset-vector (0x000000) on the Calypso by pulling the nIBOOT pin to low, or via the EXTRA_CONF register, and if activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time, if nothing is received, it checks if the powerbutton is still pressed, if yes it jumps to the application code in the flash memory. |
8 | |||
9 | 1 | steve-m | If the flash-memory is unprogrammed (checks a few flash locations for that), it stays activated and waits for incoming commands. |
10 | |||
11 | So even on devices which use their own bootloader stored inside the flash, it could be activated by pulling nIBOOT low (but which is inaccessible on most phones). |
||
12 | 3 | laforge | |
13 | 9 | steve-m | We have implemented support for interfacing this loader from our [[osmocon]] program. |
14 | 1 | steve-m | |
15 | There are currently 3 known variants: |
||
16 | |||
17 | |||
18 | 9 | steve-m | h2. "non-secure"-Romloader on Calypso/lite |
19 | |||
20 | |||
21 | 1 | steve-m | The "non-secure" variant, which is used on the Calypso/Calypso lite and which we support with osmocon. |
22 | It doesn't require a "key". |
||
23 | |||
24 | 9 | steve-m | It is known to be used by the Motorola W220, BenQ Siemens A38, the [[OpenMoko]] devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird). |
25 | 1 | steve-m | |
26 | |||
27 | 9 | steve-m | h2. "secure"-Romloader on Calypso/lite |
28 | |||
29 | |||
30 | This one -seems to be used on some newer Calypso batches-, and is known to be used on the Alcatel VLE5 series. |
||
31 | 1 | steve-m | In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash). |
32 | 9 | steve-m | Basic reverse engineering is done, but nothing working yet, at least we know the "key" for the Alcatel VLE5 phones. |
33 | |||
34 | *Update:* As it turned out, there is no secure loader on the Calypso sitting in the bootrom - Alcatel just put a slightly |
||
35 | 1 | steve-m | modified version of the Calypso plus secure loader in the flash. Thus, it's possible to load code when pulĺing nIBOOT to low, since then the regular romloader becomes active. |
36 | |||
37 | |||
38 | 9 | steve-m | h2. "secure"-Romloader on Calypso plus |
39 | |||
40 | |||
41 | 1 | steve-m | This variant is very similar to the one on the Calypso, it requires a key, too, and has some different structure of the branch address. |
42 | It also seems to cooperate in some way with a second loader stored inside the flash. |
||
43 | We know the key for the Motorola C261 (which is manufactured by Compal). |
||
44 | |||
45 | |||
46 | |||
47 | |||
48 | 9 | steve-m | h2. Romloader support in osmocon |
49 | |||
50 | |||
51 | 1 | steve-m | For downloading code to a romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and push the power button shortly. |
52 | Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000. |
||
53 | 8 | steve-m | |
54 | 9 | steve-m | For instructions how to run this on an OpenMoko device, see [[OpenMoko]]. |