CalypsoRomloader » History » Version 3
laforge, 02/19/2016 10:48 PM
link to osmocon
1 | 1 | steve-m | [[PageOutline]] |
---|---|---|---|
2 | = CalypsoRomloader = |
||
3 | |||
4 | The Romloader is a serial bootloader inside the maskrom of the Calypso/lite/plus DBB. |
||
5 | |||
6 | 2 | steve-m | It can be mapped to the reset-vector (0x000000) on the Calypso by pulling the nIBOOT pin to low, or via the EXTRA_CONF register, and if activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time, if nothing is received, it checks if the powerbutton is still pressed, if yes it jumps to the application code in the flash memory.[[BR]] |
7 | 1 | steve-m | If the flash-memory is unprogrammed (checks a few flash locations for that), it stays activated and waits for incoming commands. |
8 | |||
9 | So even on devices which use their own bootloader stored inside the flash, it could be activated by pulling nIBOOT low (but which is inaccessible on most phones). |
||
10 | |||
11 | 3 | laforge | We have implemented support for interfacing this loader from our [wiki:osmocon] program. |
12 | |||
13 | 1 | steve-m | There are currently 3 known variants: |
14 | |||
15 | == "non-secure"-Romloader on Calypso/lite == |
||
16 | |||
17 | The "non-secure" variant, which is used on the Calypso/Calypso lite and which we support with osmocon. |
||
18 | It doesn't require a "key". |
||
19 | |||
20 | It is known to be used by the Motorola W220, BenQ Siemens A38, the OpenMoko devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird). |
||
21 | |||
22 | == "secure"-Romloader on Calypso/lite == |
||
23 | |||
24 | 2 | steve-m | This one ~~seems to be used on some newer Calypso batches~~, and is known to be used on the Alcatel VLE5 series. |
25 | 1 | steve-m | In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash). |
26 | 2 | steve-m | Basic reverse engineering is done, but nothing working yet, at least we know the "key" for the Alcatel VLE5 phones.[[BR]] |
27 | '''Update:''' As it turned out, there is no secure loader on the Calypso sitting in the bootrom - Alcatel just put a slightly |
||
28 | modified version of the Calypso plus secure loader in the flash. Thus, it's possible to load code when pulĺing nIBOOT to low, since then the regular romloader becomes active. |
||
29 | 1 | steve-m | |
30 | == "secure"-Romloader on Calypso plus == |
||
31 | |||
32 | This variant is very similar to the one on the Calypso, it requires a key, too, and has some different structure of the branch address. |
||
33 | It also seems to cooperate in some way with a second loader stored inside the flash. |
||
34 | We know the key for the Motorola C261 (which is manufactured by Compal). |
||
35 | |||
36 | |||
37 | |||
38 | == Romloader support in osmocon == |
||
39 | |||
40 | For downloading code to a romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and push the power button shortly. |
||
41 | Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000. |
||
42 | |||
43 | For anyone who wants to try this out on an OpenMoko device, use |
||
44 | {{{ |
||
45 | $ echo 0 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on |
||
46 | $ echo 1 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on |
||
47 | }}} |
||
48 | |||
49 | 2 | steve-m | to control the GSM Module. (We now have dedicated binaries for the OpenMoko devices) |
50 | 1 | steve-m | |
51 | Since the Romloader itself uses 512 Byte of the RAM above 0x800000, we need a different memory layout, but for testing you can use loader.osmoload.bin, which can be loaded to 0x820000. |
||
52 | |||
53 | {{{ |
||
54 | $ ./osmocon -p /dev/ttyUSB0 -m romload ../../target/firmware/board/compal_e88/loader.osmoload.bin |
||
55 | }}} |
||
56 | * Push the power-on button of your phone (short push, not like a regular phone boot!) |
||
57 | * Observe output resembling the following |
||
58 | {{{ |
||
59 | Sending beacon... |
||
60 | Sending beacon... |
||
61 | Sending beacon... |
||
62 | Sending beacon... |
||
63 | got 1 bytes from modem, data looks like: 3e |
||
64 | got 1 bytes from modem, data looks like: 69 |
||
65 | Received ident ack from phone, sending parameter sequence |
||
66 | read_file(../../target/firmware/board/compal_e88/loader.osmoload.bin): file_size=14580, hdr_len=0, dnload_len=14583 |
||
67 | Received parameter ack from phone, starting download |
||
68 | Used blocksize for download is 1024 bytes |
||
69 | Preparing block 1, block checksum is 0x93 |
||
70 | handle_write_block(): 1024 bytes (1024/1024) |
||
71 | 2 | steve-m | handle_write_block(): Block 1 finished |
72 | 1 | steve-m | Received block ack from phone |
73 | Preparing block 2, block checksum is 0x3b |
||
74 | handle_write_block(): 1024 bytes (1024/1024) |
||
75 | 2 | steve-m | handle_write_block(): Block 2 finished |
76 | 1 | steve-m | Received block ack from phone |
77 | Preparing block 3, block checksum is 0x79 |
||
78 | handle_write_block(): 1024 bytes (1024/1024) |
||
79 | 2 | steve-m | handle_write_block(): Block 3 finished |
80 | 1 | steve-m | Received block ack from phone |
81 | Preparing block 4, block checksum is 0x83 |
||
82 | handle_write_block(): 1024 bytes (1024/1024) |
||
83 | 2 | steve-m | handle_write_block(): Block 4 finished |
84 | 1 | steve-m | Received block ack from phone |
85 | Preparing block 5, block checksum is 0xe5 |
||
86 | handle_write_block(): 1024 bytes (1024/1024) |
||
87 | 2 | steve-m | handle_write_block(): Block 5 finished |
88 | 1 | steve-m | Received block ack from phone |
89 | Preparing block 6, block checksum is 0x6a |
||
90 | handle_write_block(): 1024 bytes (1024/1024) |
||
91 | 2 | steve-m | handle_write_block(): Block 6 finished |
92 | 1 | steve-m | Received block ack from phone |
93 | Preparing block 7, block checksum is 0x98 |
||
94 | handle_write_block(): 1024 bytes (1024/1024) |
||
95 | 2 | steve-m | handle_write_block(): Block 7 finished |
96 | 1 | steve-m | Received block ack from phone |
97 | Preparing block 8, block checksum is 0x86 |
||
98 | handle_write_block(): 1024 bytes (1024/1024) |
||
99 | 2 | steve-m | handle_write_block(): Block 8 finished |
100 | 1 | steve-m | Received block ack from phone |
101 | Preparing block 9, block checksum is 0x0f |
||
102 | handle_write_block(): 1024 bytes (1024/1024) |
||
103 | 2 | steve-m | handle_write_block(): Block 9 finished |
104 | 1 | steve-m | Received block ack from phone |
105 | Preparing block 10, block checksum is 0xa1 |
||
106 | handle_write_block(): 1024 bytes (1024/1024) |
||
107 | 2 | steve-m | handle_write_block(): Block 10 finished |
108 | 1 | steve-m | Received block ack from phone |
109 | Preparing block 11, block checksum is 0x07 |
||
110 | handle_write_block(): 1024 bytes (1024/1024) |
||
111 | 2 | steve-m | handle_write_block(): Block 11 finished |
112 | 1 | steve-m | Received block ack from phone |
113 | Preparing block 12, block checksum is 0x5c |
||
114 | handle_write_block(): 1024 bytes (1024/1024) |
||
115 | 2 | steve-m | handle_write_block(): Block 12 finished |
116 | 1 | steve-m | Received block ack from phone |
117 | Preparing block 13, block checksum is 0x68 |
||
118 | handle_write_block(): 1024 bytes (1024/1024) |
||
119 | 2 | steve-m | handle_write_block(): Block 13 finished |
120 | 1 | steve-m | Received block ack from phone |
121 | Preparing block 14, block checksum is 0x1c |
||
122 | handle_write_block(): 1024 bytes (1024/1024) |
||
123 | 2 | steve-m | handle_write_block(): Block 14 finished |
124 | 1 | steve-m | Received block ack from phone |
125 | Preparing the last block, filling 630 bytes, block checksum is 0x54 |
||
126 | handle_write_block(): 1024 bytes (1024/1024) |
||
127 | 2 | steve-m | handle_write_block(): Block 15 finished |
128 | Finished, sent 15 blocks in total |
||
129 | 1 | steve-m | Received block ack from phone |
130 | Sending checksum: 0xdd |
||
131 | Checksum on phone side matches, let's branch to your code |
||
132 | Branching to 0x00820000 |
||
133 | Received branch ack, your code is running now! |
||
134 | |||
135 | |||
136 | OSMOCOM Calypso loader (revision 7025e5c-modified) |
||
137 | ====================================================================== |
||
138 | Running on compal_e88 in environment osmoload |
||
139 | |||
140 | |||
141 | }}} |