Hi Osmocom and FreeCalypso communities, I would like to disclose my recent discovery, which so far was discussed within a small group of Osmocom members and with Mychaela Falconia.
==== A bit of history ==== There exists a tool for flashing old Sony Ericsson phones called pstool (search for 'PSTool_SE_ODM_free' in your favorite search engine). It's a Windows executable with a custom GUI, and with some additional clarifications specifically for "big Russian specialists" :P Unlike the more famous SETool2 Lite, which does support a wide range of phones based on SEMC's own A1 DB2xxx and A2 DB3xxx chipsets, the pstool is limited to only a few phone models (all listed in GUI): * J100i, J110i, J120i, * K200i, K220i. Among them is Sony Ericsson J100i [1], a Calypso based phone designed by Compal, on which you can already run custom OsmocomBB or FreeCalypso firmware. Both J110i and J120i are likely variants of J100i with some minor differences (correct me if I am wrong). [1] https://osmocom.org/projects/baseband/wiki/SonyEricssonJ100i My curiosity was piqued when I saw K200i/K220i in the dropdown list of the pstool. I ordered a few phones on a local advertising site assuming that they may also be based on Calypso. And... yes, they are! ==== Hardware ==== For those who are interested to see the inside, here are some photos: https://people.osmocom.org/fixeria/dump/se_k200i/board/ Some highlights (from Mychaela's E-mail): * Calypso 751992A (C035, final DSP ROM version 3606, full 512 KiB IRAM), * RF: Familiar Iota TWL3025 ABB and Rita, PA SKY77318, * Flash: SPANSION S71PL129NB0HFW4B (16 MiB NOR + 4 Mib XRAM), * Winbond W56932DYX - probably a ringtone melody player? According to [2], K220i is identical to K200i with the only difference that the former has an FM radio receiver. If anyone has a K220i, I would be interested to see the board photos though. [2] https://mobile-review.com/review/sonyericsson-k200.shtml ==== Software ==== I was able to get the FreeCalypso loadagent running: https://people.osmocom.org/fixeria/dump/se_k200i/info.txt and managed to dump the raw flash contents: https://people.osmocom.org/fixeria/dump/se_k200i/K200i-fc-flash1.bin https://people.osmocom.org/fixeria/dump/se_k200i/K200i-fc-flash2.bin The DSP ROM is a well-known version 3606: https://people.osmocom.org/fixeria/dump/se_k200i/dspromdump.txt I was also able to get unmodified OsmocomBB layer1 firmware (the J100i variant) running and even got the basic Rx functionality working: * cell_log is able to find cells, * ccch_scan happily decodes BCCH/AGCH/PCH messages. What's really nice about the K200i is that (unlike the J100i) it has the Calypso boot ROM unlocked, just like Pirelli DP-L10 [3]. This makes it impossible to brick the phone by erasing the flash. [3] https://osmocom.org/projects/baseband/wiki/PirelliDPL10 ==== Summary ==== At the moment of writing this announcement, K200i is neither supported by OsmocomBB nor by FreeCalypso. The big problem here is that we could not find the board schematics, so we don't have sufficient knowledge on how the RFFE control signals are routed. Figuring this out (be it hw-based or fw-based approach) is quite a big effort, and I doubt there will be a commercial interest to sponsor this. In any case, I believe it's a nice *potential* target, so I created a wiki page [4] with all the relevant information about K200i. [4] https://osmocom.org/projects/baseband/wiki/SonyEricssonK200i Now I am giving the podium to Mychaela, I am sure she has more to say :P Best regards, Vadim.
