CalypsoRomloader » History » Version 7

Anonymous, 02/19/2016 10:48 PM
fix typo

[[PageOutline]]
= CalypsoRomloader =

The Romloader is a serial bootloader inside the mask ROM of the Calypso/lite/plus DBB.

It can be mapped to the reset vector (0x000000) on the Calypso by pulling the nIBOOT pin low, or via the EXTRA_CONF register. Once activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time. If nothing is received, it checks whether the power button is still pressed; if so, it jumps to the application code in the flash memory.[[BR]]
If the flash memory is unprogrammed (it checks a few flash locations for that), it stays activated and waits for incoming commands.

So even on devices that use their own bootloader stored inside the flash, it could be activated by pulling nIBOOT low (a pin that is inaccessible on most phones).

We have implemented support for interfacing this loader from our [wiki:osmocon] program.

There are currently 3 known variants:

== "non-secure"-Romloader on Calypso/lite ==

This is the "non-secure" variant, which is used on the Calypso/Calypso lite and which we support with osmocon.

It doesn't require a "key".

It is known to be used by the Motorola W220, BenQ Siemens A38, the OpenMoko devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird).

== "secure"-Romloader on Calypso/lite ==

This one ~~seems to be used on some newer Calypso batches~~, and is known to be used on the Alcatel VLE5 series.
In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash).
Basic reverse engineering is done, but nothing is working yet; at least we know the "key" for the Alcatel VLE5 phones.[[BR]]
'''Update:''' As it turned out, there is no secure loader in the boot ROM of the Calypso; Alcatel just put a slightly modified version of the Calypso plus secure loader in the flash. Thus, it is possible to load code by pulling nIBOOT low, since the regular romloader then becomes active.

== "secure"-Romloader on Calypso plus ==

This variant is very similar to the one on the Calypso: it also requires a key, and it uses a somewhat different structure for the branch address.

It also seems to cooperate in some way with a second loader stored inside the flash.

We know the key for the Motorola C261 (which is manufactured by Compal).

== Romloader support in osmocon ==

For downloading code to a romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and briefly push the power button.

Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000.

For anyone who wants to try this out on an OpenMoko device, use
{{{
$ echo 0 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on
$ echo 1 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on
}}}
to control the GSM Module. (We now have dedicated binaries for the OpenMoko devices.)

{{{
$ ./osmocon -p /dev/ttyUSB0 -m romload ../../target/firmware/board/gta0x/loader.osmoload.bin
}}}
 * Push the power-on button of your phone (short push, not like a regular phone boot!)
 * Observe output resembling the following
{{{
Sending beacon...
Sending beacon...
Sending beacon...
Sending beacon...
got 1 bytes from modem, data looks like: 3e
got 1 bytes from modem, data looks like: 69
Received ident ack from phone, sending parameter sequence
read_file(../../target/firmware/board/gta0x/loader.osmoload.bin): file_size=14580, hdr_len=0, dnload_len=14583
Received parameter ack from phone, starting download
Used blocksize for download is 1024 bytes
Preparing block 1, block checksum is 0x93
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 1 finished
Received block ack from phone
Preparing block 2, block checksum is 0x3b
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 2 finished
Received block ack from phone
Preparing block 3, block checksum is 0x79
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 3 finished
Received block ack from phone
Preparing block 4, block checksum is 0x83
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 4 finished
Received block ack from phone
Preparing block 5, block checksum is 0xe5
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 5 finished
Received block ack from phone
Preparing block 6, block checksum is 0x6a
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 6 finished
Received block ack from phone
Preparing block 7, block checksum is 0x98
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 7 finished
Received block ack from phone
Preparing block 8, block checksum is 0x86
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 8 finished
Received block ack from phone
Preparing block 9, block checksum is 0x0f
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 9 finished
Received block ack from phone
Preparing block 10, block checksum is 0xa1
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 10 finished
Received block ack from phone
Preparing block 11, block checksum is 0x07
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 11 finished
Received block ack from phone
Preparing block 12, block checksum is 0x5c
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 12 finished
Received block ack from phone
Preparing block 13, block checksum is 0x68
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 13 finished
Received block ack from phone
Preparing block 14, block checksum is 0x1c
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 14 finished
Received block ack from phone
Preparing the last block, filling 630 bytes, block checksum is 0x54
handle_write_block(): 1024 bytes (1024/1024)
handle_write_block(): Block 15 finished
Finished, sent 15 blocks in total
Received block ack from phone
Sending checksum: 0xdd
Checksum on phone side matches, let's branch to your code
Branching to 0x00820000
Received branch ack, your code is running now!


OSMOCOM Calypso loader (revision 7025e5c-modified)
======================================================================
Running on gta0x in environment osmoload
}}}
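
The transcript above can be checked for internal consistency after a download. The following is an added example, not part of osmocon or of the original page: it parses an excerpt copied from the log above and tests two relations that this particular log exhibits (they are read off the log, not taken from a specification). The names `check_transcript` and `_num` are hypothetical.

```python
import re
# Excerpt of the transcript shown on this page (ack/write lines omitted).
LOG = """\
read_file(../../target/firmware/board/gta0x/loader.osmoload.bin): file_size=14580, hdr_len=0, dnload_len=14583
Used blocksize for download is 1024 bytes
Preparing block 1, block checksum is 0x93
Preparing block 2, block checksum is 0x3b
Preparing block 3, block checksum is 0x79
Preparing block 4, block checksum is 0x83
Preparing block 5, block checksum is 0xe5
Preparing block 6, block checksum is 0x6a
Preparing block 7, block checksum is 0x98
Preparing block 8, block checksum is 0x86
Preparing block 9, block checksum is 0x0f
Preparing block 10, block checksum is 0xa1
Preparing block 11, block checksum is 0x07
Preparing block 12, block checksum is 0x5c
Preparing block 13, block checksum is 0x68
Preparing block 14, block checksum is 0x1c
Preparing the last block, filling 630 bytes, block checksum is 0x54
Finished, sent 15 blocks in total
Sending checksum: 0xdd
Branching to 0x00820000
"""

def _num(pattern, log, base=10):
    return int(re.search(pattern, log).group(1), base)

def check_transcript(log, expected_branch=0x820000):
    """Consistency checks over an osmocon romload transcript (hypothetical helper)."""
    blocks = [int(h, 16) for h in re.findall(r"block checksum is 0x([0-9a-f]{2})", log)]
    size = _num(r"file_size=(\d+)", log)
    blocksize = _num(r"blocksize for download is (\d+)", log)
    fill = _num(r"filling (\d+) bytes", log)
    sent = _num(r"sent (\d+) blocks", log)
    final = _num(r"Sending checksum: 0x([0-9a-f]{2})", log, 16)
    branch = _num(r"Branching to 0x([0-9a-f]+)", log, 16)
    payload, rem = divmod(size + fill, sent)  # payload per block implied by the log
    return {
        "block_count_ok": len(blocks) == sent,
        "payload_per_block": payload if rem == 0 else None,
        "overhead_per_block": blocksize - payload if rem == 0 else None,
        # Relation observed in this log: final == ~(sum of block checksums) & 0xff
        "final_checksum_ok": ((~sum(blocks)) & 0xFF) == final,
        "branch_ok": branch == expected_branch,
    }

if __name__ == "__main__":
    print(check_transcript(LOG))
```

For this log the implied payload is 1014 bytes per 1024-byte block, leaving 10 bytes of per-block overhead. The final checksum is an 8-bit value derived from the block checksums, so it can detect transmission errors but does not authenticate the image.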

== Note on OpenMoko and SHR ==

Device naming differs slightly in SHR running on the Neo Freerunner, and the Calypso chip might be more timing-sensitive, so the commands should be adjusted as follows:
{{{
$ ./osmocon -i 13 -m romload -p /dev/ttySAC0 ../../target/firmware/board/gta0x/layer1.highram.bin
}}}
and
{{{
echo 0 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on
echo 1 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on
}}}

N.B. Before executing the commands above, make sure that nothing is using the modem by running
{{{
fuser /dev/ttySAC0
}}}
AND
disable ogsmd, ousaged, ophoned via /etc/frameworkd.conf

fsogsmd can be prevented from accessing the modem by commenting out the following variables in /etc/freesmartphone/conf/GTA02/fsogsmd.conf
{{{
device_port
modem_access
}}}