CalypsoRomloader » History » Version 10
laforge, 01/15/2017 01:50 PM
{{>toc}}

h1. [[CalypsoRomloader]]

The Romloader is a serial bootloader inside the maskrom of the Calypso/lite/plus DBB.

It can be mapped to the reset vector (0x000000) on the Calypso by pulling the nIBOOT pin low, or via the EXTRA_CONF register. If activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time. If nothing is received, it checks whether the power button is still pressed; if yes, it jumps to the application code in the flash memory.

If the flash memory is unprogrammed (it checks a few flash locations for that), it stays activated and waits for incoming commands.

So even on devices which use their own bootloader stored inside the flash, it could be activated by pulling nIBOOT low (a pin which is inaccessible on most phones).

We have implemented support for interfacing this loader from our [[osmocon]] program.

There are currently 3 known variants:

h2. "non-secure"-Romloader on Calypso/lite

The "non-secure" variant is used on the Calypso/Calypso lite and is the one we support with osmocon. It doesn't require a "key".

It is known to be used by the Motorola W220, BenQ Siemens A38, the [[OpenMoko]] devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird).

h2. "secure"-Romloader on Calypso/lite

This one -seems to be used on some newer Calypso batches-, and is known to be used on the Alcatel VLE5 series. In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash). Basic reverse engineering is done, but nothing is working yet; at least we know the "key" for the Alcatel VLE5 phones.

*Update:* As it turned out, there is no secure loader on the Calypso sitting in the bootrom - Alcatel just put a slightly modified version of the Calypso plus secure loader in the flash. Thus, it's possible to load code when pulling nIBOOT low, since then the regular romloader becomes active.

h2. "secure"-Romloader on Calypso plus

This variant is very similar to the one on the Calypso: it requires a key, too, and the branch address has a somewhat different structure. It also seems to cooperate in some way with a second loader stored inside the flash. We know the key for the Motorola C261 (which is manufactured by Compal).

h2. Romloader support in osmocon

For downloading code to a romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and briefly press the power button. Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000.

For instructions on how to run this on an OpenMoko device, see [[OpenMoko]].