CalypsoRomloader » History » Version 4
laforge, 02/19/2016 10:48 PM
update with gta0x firmware images, no need to abuse compal images anymore
1 | 1 | steve-m | [[PageOutline]] |
---|---|---|---|
2 | = CalypsoRomloader = |
||
3 | |||
4 | The Romloader is a serial bootloader inside the maskrom of the Calypso/lite/plus DBB. |
||
5 | |||
6 | 2 | steve-m | It can be mapped to the reset-vector (0x000000) on the Calypso by pulling the nIBOOT pin to low, or via the EXTRA_CONF register, and if activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time, if nothing is received, it checks if the powerbutton is still pressed, if yes it jumps to the application code in the flash memory.[[BR]] |
7 | 1 | steve-m | If the flash-memory is unprogrammed (checks a few flash locations for that), it stays activated and waits for incoming commands. |
8 | |||
9 | So even on devices which use their own bootloader stored inside the flash, it could be activated by pulling nIBOOT low (but which is inaccessible on most phones). |
||
10 | |||
11 | 3 | laforge | We have implemented support for interfacing this loader from our [wiki:osmocon] program. |
12 | |||
13 | 1 | steve-m | There are currently 3 known variants: |
14 | |||
15 | == "non-secure"-Romloader on Calypso/lite == |
||
16 | |||
17 | The "non-secure" variant, which is used on the Calypso/Calypso lite and which we support with osmocon. |
||
18 | It doesn't require a "key". |
||
19 | |||
20 | It is known to be used by the Motorola W220, BenQ Siemens A38, the OpenMoko devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird). |
||
21 | |||
22 | == "secure"-Romloader on Calypso/lite == |
||
23 | |||
24 | 2 | steve-m | This one ~~seems to be used on some newer Calypso batches~~, and is known to be used on the Alcatel VLE5 series. |
25 | 1 | steve-m | In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash). |
26 | 2 | steve-m | Basic reverse engineering is done, but nothing working yet, at least we know the "key" for the Alcatel VLE5 phones.[[BR]] |
27 | '''Update:''' As it turned out, there is no secure loader on the Calypso sitting in the bootrom - Alcatel just put a slightly |
||
28 | modified version of the Calypso plus secure loader in the flash. Thus, it's possible to load code when pulĺing nIBOOT to low, since then the regular romloader becomes active. |
||
29 | 1 | steve-m | |
30 | == "secure"-Romloader on Calypso plus == |
||
31 | |||
32 | This variant is very similar to the one on the Calypso, it requires a key, too, and has some different structure of the branch address. |
||
33 | It also seems to cooperate in some way with a second loader stored inside the flash. |
||
34 | We know the key for the Motorola C261 (which is manufactured by Compal). |
||
35 | |||
36 | |||
37 | |||
38 | == Romloader support in osmocon == |
||
39 | |||
40 | For downloading code to a romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and push the power button shortly. |
||
41 | Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000. |
||
42 | |||
43 | For anyone who wants to try this out on an OpenMoko device, use |
||
44 | {{{ |
||
45 | $ echo 0 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on |
||
46 | $ echo 1 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on |
||
47 | }}} |
||
48 | |||
49 | 2 | steve-m | to control the GSM Module. (We now have dedicated binaries for the OpenMoko devices) |
50 | 1 | steve-m | |
51 | {{{ |
||
52 | 4 | laforge | $ ./osmocon -p /dev/ttyUSB0 -m romload ../../target/firmware/board/gta0x/loader.osmoload.bin |
53 | 1 | steve-m | }}} |
54 | * Push the power-on button of your phone (short push, not like a regular phone boot!) |
||
55 | * Observe output resembling the following |
||
56 | {{{ |
||
57 | Sending beacon... |
||
58 | Sending beacon... |
||
59 | Sending beacon... |
||
60 | Sending beacon... |
||
61 | got 1 bytes from modem, data looks like: 3e |
||
62 | got 1 bytes from modem, data looks like: 69 |
||
63 | Received ident ack from phone, sending parameter sequence |
||
64 | 4 | laforge | read_file(../../target/firmware/board/gta0x/loader.osmoload.bin): file_size=14580, hdr_len=0, dnload_len=14583 |
65 | 1 | steve-m | Received parameter ack from phone, starting download |
66 | Used blocksize for download is 1024 bytes |
||
67 | Preparing block 1, block checksum is 0x93 |
||
68 | handle_write_block(): 1024 bytes (1024/1024) |
||
69 | 2 | steve-m | handle_write_block(): Block 1 finished |
70 | 1 | steve-m | Received block ack from phone |
71 | Preparing block 2, block checksum is 0x3b |
||
72 | handle_write_block(): 1024 bytes (1024/1024) |
||
73 | 2 | steve-m | handle_write_block(): Block 2 finished |
74 | 1 | steve-m | Received block ack from phone |
75 | Preparing block 3, block checksum is 0x79 |
||
76 | handle_write_block(): 1024 bytes (1024/1024) |
||
77 | 2 | steve-m | handle_write_block(): Block 3 finished |
78 | 1 | steve-m | Received block ack from phone |
79 | Preparing block 4, block checksum is 0x83 |
||
80 | handle_write_block(): 1024 bytes (1024/1024) |
||
81 | 2 | steve-m | handle_write_block(): Block 4 finished |
82 | 1 | steve-m | Received block ack from phone |
83 | Preparing block 5, block checksum is 0xe5 |
||
84 | handle_write_block(): 1024 bytes (1024/1024) |
||
85 | 2 | steve-m | handle_write_block(): Block 5 finished |
86 | 1 | steve-m | Received block ack from phone |
87 | Preparing block 6, block checksum is 0x6a |
||
88 | handle_write_block(): 1024 bytes (1024/1024) |
||
89 | 2 | steve-m | handle_write_block(): Block 6 finished |
90 | 1 | steve-m | Received block ack from phone |
91 | Preparing block 7, block checksum is 0x98 |
||
92 | handle_write_block(): 1024 bytes (1024/1024) |
||
93 | 2 | steve-m | handle_write_block(): Block 7 finished |
94 | 1 | steve-m | Received block ack from phone |
95 | Preparing block 8, block checksum is 0x86 |
||
96 | handle_write_block(): 1024 bytes (1024/1024) |
||
97 | 2 | steve-m | handle_write_block(): Block 8 finished |
98 | 1 | steve-m | Received block ack from phone |
99 | Preparing block 9, block checksum is 0x0f |
||
100 | handle_write_block(): 1024 bytes (1024/1024) |
||
101 | 2 | steve-m | handle_write_block(): Block 9 finished |
102 | 1 | steve-m | Received block ack from phone |
103 | Preparing block 10, block checksum is 0xa1 |
||
104 | handle_write_block(): 1024 bytes (1024/1024) |
||
105 | 2 | steve-m | handle_write_block(): Block 10 finished |
106 | 1 | steve-m | Received block ack from phone |
107 | Preparing block 11, block checksum is 0x07 |
||
108 | handle_write_block(): 1024 bytes (1024/1024) |
||
109 | 2 | steve-m | handle_write_block(): Block 11 finished |
110 | 1 | steve-m | Received block ack from phone |
111 | Preparing block 12, block checksum is 0x5c |
||
112 | handle_write_block(): 1024 bytes (1024/1024) |
||
113 | 2 | steve-m | handle_write_block(): Block 12 finished |
114 | 1 | steve-m | Received block ack from phone |
115 | Preparing block 13, block checksum is 0x68 |
||
116 | handle_write_block(): 1024 bytes (1024/1024) |
||
117 | 2 | steve-m | handle_write_block(): Block 13 finished |
118 | 1 | steve-m | Received block ack from phone |
119 | Preparing block 14, block checksum is 0x1c |
||
120 | handle_write_block(): 1024 bytes (1024/1024) |
||
121 | 2 | steve-m | handle_write_block(): Block 14 finished |
122 | 1 | steve-m | Received block ack from phone |
123 | Preparing the last block, filling 630 bytes, block checksum is 0x54 |
||
124 | handle_write_block(): 1024 bytes (1024/1024) |
||
125 | 2 | steve-m | handle_write_block(): Block 15 finished |
126 | Finished, sent 15 blocks in total |
||
127 | 1 | steve-m | Received block ack from phone |
128 | Sending checksum: 0xdd |
||
129 | Checksum on phone side matches, let's branch to your code |
||
130 | Branching to 0x00820000 |
||
131 | Received branch ack, your code is running now! |
||
132 | |||
133 | |||
134 | OSMOCOM Calypso loader (revision 7025e5c-modified) |
||
135 | ====================================================================== |
||
136 | 4 | laforge | Running on gta0x in environment osmoload |
137 | 1 | steve-m | |
138 | |||
139 | }}} |