Hi all,

I'd like to provide you with an update on recent developments:

In order to be able to help Mychaela with the debugging of the GSM stack bring-up, I planned to flash a firmware recovered from an old FTP by Mychaela for the C138, on my Chinese C118; this model has a 4MB flash that makes it suitable for this larger than usual image, and also happens to have the JTAG pins exposed. Now this firmware image is particularly interesting from a debug point of view, since it is accompanied by the .map output file generated by TI's compiler, hence all the names of functions and memory locations are known.

At first I tried flashing with OsmocomBB's osmoload tool. Even though I did everything by the book (or rather, by the wiki), the programming failed after the erase command, at the first block -- so without JTAG, the phone would have been bricked. This is actually the second time I have encountered an issue with this flashing program, so I strongly recommend avoiding osmoload.

In order to recover from this, I was able to JTAG the small piece of code developed by Mychaela to force the phone into ROM. From there the classic fc-loadtool could be used to flash the phone.

After flashing I was first greeted by the message "FFS formatting" (so I guess the calibration values are gone, but it's ok since I made a backup of the flash contents). The good news is, the phone displayed the logo then successfully attached itself to the network! I then made a phone call.

With this firmware working as it should, I'll now try to enable full RVF trace output to get a good reference point to compare against.

For reference, here are the commands I used to unbrick and reflash this C118:

    $ openocd -f interface/flyswatter.cfg -f target/ti_calypso.cfg
    ...
    > reset;halt
    > TAP calypso.dsp does not have IDCODE
    JTAG tap: calypso.arm tap/device found: 0x3100e02f (mfg: 0x017, part: 0x100e, ver: 0x3)
    svf processing file: "/usr/local/share/openocd/scripts/target/ti_calypso.svf"
    svf file programmed successfully for 7 commands
    target state: halted
    target halted in ARM state due to debug-request, current mode: Supervisor
    cpsr: 0xa00000d3 pc: 0x00000000
    > load_image calypso/sw/target-utils/compalstage/compalstage-plain.bin 0x800000
    > bin
    32 bytes written at address 0x00800000
    downloaded 32 bytes in 0.004056s (7.705 KiB/s)
    > resume 0x800000

Since the phone is now in ROM loader mode, I commented out the line "compal-stage plain" in /usr/local/share/freecalypso/compal.init.

Then I used fc-loadtool to properly flash the firmware:

    $ ./fc-loadtool -h compal /dev/ttyUSB0
    Sending beacons to /dev/ttyUSB0
    Got beacon response, attempting download
    <p command successful, switching to 115200 baud
    Sending image payload
    Sending checksum
    <c command successful, sending <b
    <b command successful: downloaded image should now be running!
    FreeCalypso loadagent running
    Loaded via UART 0 (MODEM) at baud rate #0
    TCXO clock input autodetected to be 26 MHz
    Executing init script compal.init
    Script command: w16 fffffb00 00A3
    Script command: w16 fffffb02 00A3
    Script command: w16 fffffb10 0300
    loadtool> flash info
    Flash device type: cfi-4M
    Bank 0 base address: 00000000
    Performing CFI query
    CFI query successful: total size 400000, 71 sectors, command set style 0003
    Bank 0 total size: 400000
    Sectors in bank 0: 71 (2 regions)
    Command set style: Intel
    loadtool> flash erase 0x0 0x270000
    Erasing 39 sector(s)
    .......................................
    loadtool> flash program-bin 0x0 R87.2.1.03.img
    Setting flash base address: INFB 0
    Clearing Intel flash SR
    Programming flash: 2516992 (0x266800) bytes
    0x266800 bytes programmed (100%)

--DS