CalypsoRomloader » History » Version 1
steve-m, 02/19/2016 10:48 PM
| 1 | 1 | steve-m | [[PageOutline]] |
|---|---|---|---|
| 2 | = CalypsoRomloader = |
||
| 3 | |||
| 4 | The Romloader is a serial bootloader inside the maskrom of the Calypso/lite/plus DBB. |
||
| 5 | |||
| 6 | It can be mapped to the reset-vector (0x000000) on the Calypso by pulling the nIBOOT pin to low, and if activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time, if nothing is received, it jumps to the application code in the flash memory.[[BR]] |
||
| 7 | If the flash-memory is unprogrammed (checks a few flash locations for that), it stays activated and waits for incoming commands. |
||
| 8 | |||
| 9 | So even on devices which use their own bootloader stored inside the flash, it could be activated by pulling nIBOOT low (but which is inaccessible on most phones). |
||
| 10 | |||
| 11 | There are currently 3 known variants: |
||
| 12 | |||
| 13 | == "non-secure"-Romloader on Calypso/lite == |
||
| 14 | |||
| 15 | The "non-secure" variant, which is used on the Calypso/Calypso lite and which we support with osmocon. |
||
| 16 | It doesn't require a "key". |
||
| 17 | |||
| 18 | It is known to be used by the Motorola W220, BenQ Siemens A38, the OpenMoko devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird). |
||
| 19 | |||
| 20 | == "secure"-Romloader on Calypso/lite == |
||
| 21 | |||
| 22 | This one seems to be used on some newer Calypso batches, and is known to be used on the Alcatel VLE5 series. |
||
| 23 | In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash). |
||
| 24 | Basic reverse engineering is done, but nothing working yet, at least we know the "key" for the Alcatel VLE5 phones. |
||
| 25 | |||
| 26 | == "secure"-Romloader on Calypso plus == |
||
| 27 | |||
| 28 | This variant is very similar to the one on the Calypso, it requires a key, too, and has some different structure of the branch address. |
||
| 29 | It also seems to cooperate in some way with a second loader stored inside the flash. |
||
| 30 | We know the key for the Motorola C261 (which is manufactured by Compal). |
||
| 31 | |||
| 32 | |||
| 33 | |||
| 34 | == Romloader support in osmocon == |
||
| 35 | |||
| 36 | For downloading code to a romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and push the power button shortly. |
||
| 37 | Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000. |
||
| 38 | |||
| 39 | For anyone who wants to try this out on an OpenMoko device, use |
||
| 40 | {{{ |
||
| 41 | $ echo 0 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on |
||
| 42 | $ echo 1 >/sys/bus/platform/devices/neo1973-pm-gsm.0/power_on |
||
| 43 | }}} |
||
| 44 | |||
| 45 | to control the GSM Module. |
||
| 46 | |||
| 47 | Since the Romloader itself uses 512 Byte of the RAM above 0x800000, we need a different memory layout, but for testing you can use loader.osmoload.bin, which can be loaded to 0x820000. |
||
| 48 | |||
| 49 | {{{ |
||
| 50 | $ ./osmocon -p /dev/ttyUSB0 -m romload ../../target/firmware/board/compal_e88/loader.osmoload.bin |
||
| 51 | }}} |
||
| 52 | * Push the power-on button of your phone (short push, not like a regular phone boot!) |
||
| 53 | * Observe output resembling the following |
||
| 54 | {{{ |
||
| 55 | Sending beacon... |
||
| 56 | Sending beacon... |
||
| 57 | Sending beacon... |
||
| 58 | Sending beacon... |
||
| 59 | got 1 bytes from modem, data looks like: 3e |
||
| 60 | got 1 bytes from modem, data looks like: 69 |
||
| 61 | Received ident ack from phone, sending parameter sequence |
||
| 62 | read_file(../../target/firmware/board/compal_e88/loader.osmoload.bin): file_size=14580, hdr_len=0, dnload_len=14583 |
||
| 63 | Received parameter ack from phone, starting download |
||
| 64 | Used blocksize for download is 1024 bytes |
||
| 65 | Preparing block 1, block checksum is 0x93 |
||
| 66 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 67 | handle_write_block(): Block 0 finished |
||
| 68 | Received block ack from phone |
||
| 69 | Preparing block 2, block checksum is 0x3b |
||
| 70 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 71 | handle_write_block(): Block 1 finished |
||
| 72 | Received block ack from phone |
||
| 73 | Preparing block 3, block checksum is 0x79 |
||
| 74 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 75 | handle_write_block(): Block 2 finished |
||
| 76 | Received block ack from phone |
||
| 77 | Preparing block 4, block checksum is 0x83 |
||
| 78 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 79 | handle_write_block(): Block 3 finished |
||
| 80 | Received block ack from phone |
||
| 81 | Preparing block 5, block checksum is 0xe5 |
||
| 82 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 83 | handle_write_block(): Block 4 finished |
||
| 84 | Received block ack from phone |
||
| 85 | Preparing block 6, block checksum is 0x6a |
||
| 86 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 87 | handle_write_block(): Block 5 finished |
||
| 88 | Received block ack from phone |
||
| 89 | Preparing block 7, block checksum is 0x98 |
||
| 90 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 91 | handle_write_block(): Block 6 finished |
||
| 92 | Received block ack from phone |
||
| 93 | Preparing block 8, block checksum is 0x86 |
||
| 94 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 95 | handle_write_block(): Block 7 finished |
||
| 96 | Received block ack from phone |
||
| 97 | Preparing block 9, block checksum is 0x0f |
||
| 98 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 99 | handle_write_block(): Block 8 finished |
||
| 100 | Received block ack from phone |
||
| 101 | Preparing block 10, block checksum is 0xa1 |
||
| 102 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 103 | handle_write_block(): Block 9 finished |
||
| 104 | Received block ack from phone |
||
| 105 | Preparing block 11, block checksum is 0x07 |
||
| 106 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 107 | handle_write_block(): Block 10 finished |
||
| 108 | Received block ack from phone |
||
| 109 | Preparing block 12, block checksum is 0x5c |
||
| 110 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 111 | handle_write_block(): Block 11 finished |
||
| 112 | Received block ack from phone |
||
| 113 | Preparing block 13, block checksum is 0x68 |
||
| 114 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 115 | handle_write_block(): Block 12 finished |
||
| 116 | Received block ack from phone |
||
| 117 | Preparing block 14, block checksum is 0x1c |
||
| 118 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 119 | handle_write_block(): Block 13 finished |
||
| 120 | Received block ack from phone |
||
| 121 | Preparing the last block, filling 630 bytes, block checksum is 0x54 |
||
| 122 | handle_write_block(): 1024 bytes (1024/1024) |
||
| 123 | handle_write_block(): Block 14 finished |
||
| 124 | Finished, sent 14 blocks in total |
||
| 125 | Received block ack from phone |
||
| 126 | Sending checksum: 0xdd |
||
| 127 | Checksum on phone side matches, let's branch to your code |
||
| 128 | Branching to 0x00820000 |
||
| 129 | Received branch ack, your code is running now! |
||
| 130 | |||
| 131 | |||
| 132 | OSMOCOM Calypso loader (revision 7025e5c-modified) |
||
| 133 | ====================================================================== |
||
| 134 | Running on compal_e88 in environment osmoload |
||
| 135 | |||
| 136 | |||
| 137 | }}} |
