Gigaset C430 Hacking » History » Version 3
manawyrm, 11/21/2022 02:40 PM
| 1 | 1 | manawyrm | h1. Gigaset C430 Hacking |
|---|---|---|---|
| 2 | |||
| 3 | {{>toc}} |
||
| 4 | |||
| 5 | 2 | manawyrm | h2. Overview |
| 6 | |||
| 7 | 1 | manawyrm | The C430HX/A phones use a Dialog/Renesas SC14441 SoC, which is a fully integrated DECT handset IC, with all peripherals built in. |
| 8 | The firmware is stored on an external Quad-SPI flash chip (MX25U1635E), 2 MByte. |
||
| 9 | |||
| 10 | The CPU inside the SC14441 is a CompactRISC CR16c plus-architecture. |
||
| 11 | |||
| 12 | {{thumbnail(IMG_2138.JPG)}} |
||
| 13 | |||
| 14 | 2 | manawyrm | The firmware can be modded by unsoldering the SPI flash chip and flashing it in an external programmer (like a MiniPro TL866): |
| 15 | 1 | manawyrm | |
| 16 | {{thumbnail(IMG_6053.JPG)}} |
||
| 17 | 2 | manawyrm | |
| 18 | *Be careful when trying to flash the SPI flash in-circuit! The phone runs at 1.8V I/O voltage! Do not apply 3.3V to any parts of the system externally!* |
||
| 19 | |||
| 20 | The SPI flash IC is being accessed at 82.944MHz, using Quad-SPI. |
||
| 21 | Trying to run jumper wires from the SOIC footprint out to an external socket can be accomplished, but needs to be done very carefully, ideally with shielded wires, kept as short as possible. Even with a pretty reasonable setup, the phone will be unstable in this configuration. |
||
| 22 | It might be possible to lower the SPI clock frequency to a more reasonable value somehow. |
||
| 23 | |||
| 24 | h2. Documentation |
||
| 25 | |||
| 26 | Not much info is available about the SC14441 (except for a single page overview), but a datasheet for the similar SC14480 SoC is floating around online. |
||
| 27 | The SC14480 has many of the same registers and peripherals and the register maps are highly useful for looking at the SC14441/C430 firmware. |
||
| 28 | |||
| 29 | Gigaset also offers a GPL download .tar.gz for another product from their DECT lineup for one of their DECT base stations, which is running GPL software. |
||
| 30 | This tarball contains a full GNU toolchain and a bunch of other interesting things: https://cms.gigaset.com/opensource/GigasetElements/gigaset_elements_bl26_opensource.tar.gz |
||
| 31 | |||
| 32 | Ghidra can decompile the firmware image for the phones with the cr16c architecture. |
||
| 33 | You'll need to map the flash memory at 0xF0000 and some volatile peripheral registers at 0xFF4000 - 0xFFC00. |
||
| 34 | 3 | manawyrm | !xocetzhvijs.png! |
| 35 | 2 | manawyrm | |
| 36 | h2. Mods |
||
| 37 | |||
| 38 | h3. Custom ringtones |
||
| 39 | |||
| 40 | |||
| 41 | |||
| 42 | h3. Ni-MH battery charge configuration |
