Hi Mychaela and community,
I acquired another SE K200i and picked it up from the local post
department today. It's the third K200i in my collection, and this new
phone is a bit different from the two that I already have. Sharing the
details here, just in case somebody else than me and Mychaela would find
this interesting.
Below is what makes this K200i special:
* R1AA003 firmware, an older version than R1AA008, which we saw on these
two K200 specimens I have. [*]
* SAMSUNG K5L29xx_A flash (according to fc-loadtool), not SPANSION
S71PL129, which we already saw.
* The IMEI reported by the phone starts with the '35617701' prefix we
saw, but the label behind the battery has a completely different IMEI
with a different prefix '35871701'.
[*] I also found R1AD001 on the internet, which appears to be even more
recent version, but it's encrypted (binwalk shows entropy close to 0.9
across the whole file). SETool (paid version) should be able to decrypt
and flash it, but I don't have a license for it.
The only difference between R1AA003 and R1AA008 I could find so far is
AMR codec support: the former does not list it in the hidden "Service"
menu. We can compare further by looking at the MS Classmark bits.
Here is some related output of fc-loadtool (-h fcfam):
loadtool> flash info
Configured for two flash banks of up to 8 MiB each
Bank 0 base address: 03000000
Bank 1 base address: 01800000
loadtool> flash id
Autodetecting flash chip type
Basic device ID: 00EC 257E
Samsung extended ID device, reading extended ID
Extended ID: 2508 2501
Appears to be Samsung K5L29xx_A or compatible, checking CFI
Confirmed Samsung K5L29xx_A or compatible
loadtool> flash geom
Detected flash device: Samsung K5L29xx_A
Device has two banks, looking at bank 0
Bank 0 total size: 0x800000
Sectors in bank 0: 135 (2 regions)
Region 0: 8 sectors of 0x2000 bytes
Region 1: 127 sectors of 0x10000 bytes
Command set style: AMD
loadtool> flash2 geom
Detected flash device: Samsung K5L29xx_A
Device has two banks, looking at bank 1
Bank 1 total size: 0x800000
Sectors in bank 1: 135 (2 regions)
Region 0: 127 sectors of 0x10000 bytes
Region 1: 8 sectors of 0x2000 bytes
Command set style: AMD
Similarly to the ones with SPANSION flash, erasing the first flash bank
fails (the bootloader/IMEI protection?):
loadtool> flash erase 0x00 0x800000
Erasing 135 sector(s)
erase timeout, aborting
The flash dumps can be downloaded from here:
https://people.osmocom.org/fixeria/dump/se_k200i/fw/K200i-R1AA003-CXC1250829-356177013769720-flash1.bin
https://people.osmocom.org/fixeria/dump/se_k200i/fw/K200i-R1AA003-CXC1250829-356177013769720-flash2-clean.bin
--
Best regards,
Vadim.
_______________________________________________
Community mailing list
[email protected]
https://www.freecalypso.org/mailman/listinfo/community
