CalypsoRomloader » History » Version 10

laforge, 01/15/2017 01:50 PM

{{>toc}}

h1. [[CalypsoRomloader]]

The Romloader is a serial bootloader inside the mask ROM of the Calypso/lite/plus DBB.

It can be mapped to the reset vector (0x000000) on the Calypso by pulling the nIBOOT pin low, or via the EXTRA_CONF register. When activated, it checks both UARTs (MODEM and IRDA) for incoming activation commands for a certain amount of time. If nothing is received, it checks whether the power button is still pressed; if so, it jumps to the application code in the flash memory.

If the flash memory is unprogrammed (it checks a few flash locations for that), it stays activated and waits for incoming commands.

So even on devices that use their own bootloader stored in the flash, it could be activated by pulling nIBOOT low (a pin which is, however, inaccessible on most phones).

We have implemented support for interfacing with this loader in our [[osmocon]] program.

There are currently 3 known variants:

h2. "non-secure"-Romloader on Calypso/lite

The "non-secure" variant is used on the Calypso/Calypso lite, and we support it with osmocon.

It doesn't require a "key".

It is known to be used by the Motorola W220, BenQ Siemens A38, the [[OpenMoko]] devices (Neo 1973 & Freerunner), as well as on many other Calypso phones (LG, Bird).

h2. "secure"-Romloader on Calypso/lite

This one -seems to be used on some newer Calypso batches-, and is known to be used on the Alcatel VLE5 series.
In order to activate it, you have to send a "key" (which seems to be the first block stored inside the flash).
Basic reverse engineering is done, but nothing is working yet; at least we know the "key" for the Alcatel VLE5 phones.

*Update:* As it turned out, there is no secure loader on the Calypso sitting in the bootrom - Alcatel just put a slightly modified version of the Calypso plus secure loader in the flash. Thus, it is possible to load code when pulling nIBOOT low, since the regular romloader then becomes active.

h2. "secure"-Romloader on Calypso plus

This variant is very similar to the one on the Calypso: it requires a key, too, and has a somewhat different structure for the branch address.

It also seems to cooperate in some way with a second loader stored inside the flash.

We know the key for the Motorola C261 (which is manufactured by Compal).

h2. Romloader support in osmocon

For downloading code to a romloader target, connect your serial cable as with the Compal devices, start osmocon with the "-m romload" switch, and briefly press the power button.

Osmocon will activate the loader, download the code in blocks, submit a checksum and send a branch command to 0x820000.

For instructions on how to run this on an OpenMoko device, see [[OpenMoko]].