Hi Mychaela,

On 01.12.2023 15:47, Mychaela Falconia wrote:
> * The IMEI reported by the phone starts with the '35617701' prefix we
> saw, but the label behind the battery has a completely different IMEI
> with a different prefix '35871701'.
> A refurbished phone with mismatched plastic case and motherboard?

Most likely. Though the new phone is in a rather sad condition: multiple cracks, and something is dangling inside when I shake it.

> The only difference between R1AA003 and R1AA008 I could find so far is
> AMR codec support: the former does not list it in the hidden "Service"
> menu.  We can compare further by looking at the MS Classmark bits.
> Can you please remind me exactly which MS Classmark bits indicate AMR
> codec support?  I thought this info wasn't present in any Classmark, I
> thought you had to make a test call and look at the speech version list
> in the Bearer capability IE in the CC Setup message to get this info -
> please clarify.  In any case, I would find it rather shocking to see *any*
> fw from late-Calypso era that disables AMR.  Referring to my last
> OsmoDevCall presentation...

Of course the MS Classmark does not contain any bits related to the codec support. I meant to say the Bearer Capability, but wrote this instead. In any case, for the sake of completeness, I will compare both the Bearer Capability and the Classmark between those firmware versions and post my findings here soon.

> Intrigued by the presence of this write-protection (which we haven't
> encountered in any other Calypso GSM device until now), I took the
> time to thoroughly study various flash datasheets.  I got interesting
> news: on both Spansion and Samsung flash chips that are used in these
> SE K2x0 phones, the implemented sector write-protection scheme is much
> more sophisticated than I remembered, and it isn't fixed in hardware
> with high-voltage programming equipment - we can actually lock and
> unlock sectors via software commands!
>
> On traditional AMD flashes, the kind I worked on for the first time
> right around 24 years ago, the only way to change sector lock/unlock state
> was to apply 12V to some pin and feed raw program/erase pulses to the
> chip - an operation which only an external device programmer can do,
> not something that can be done on a chip inside a system.  But the
> newer Spansion and Samsung flashes that matter for us here, they still
> have non-volatile bits that control sector lock/unlock state
> (write-protected or not), but there is no more high-voltage circuit
> requirement - everything is programmed under regular in-circuit
> conditions.  There are several different security schemes available:
> under some security schemes it is indeed impossible to unlock sectors
> (irreversible write-protection in hardware), but under other security
> schemes it *is* possible to unlock write-protected sectors via sw
> commands!

Very interesting!

> Please pull my latest code from freecalypso-tools Hg repository -
> fc-loadtool got a new 'flash lock-state' command which I just now
> implemented and haven't documented yet.  Please run these commands on
> your SE K2x0 phones (both Spansion and Samsung flash versions) and
> share the results:
>
> flash lock-state
> flash2 lock-state
>
> These commands read and report the current state of all sector locking
> and security policy bits in the flash chip; based on the results, we
> should be able to tell if we can unlock all of the flash in software.

Please find the results below:

=== SAMSUNG flash ===

loadtool> flash lock-state
Autodetecting flash chip type
Basic device ID: 00EC 257E
Samsung extended ID device, reading extended ID
Extended ID: 2508 2501
Appears to be Samsung K5L29xx_A or compatible, checking CFI
Confirmed Samsung K5L29xx_A or compatible
Global status word 3: 0000
Global status word 7: 0000
Sector at 0x0: locked
Sector at 0x2000: unlocked
Sector at 0x4000: unlocked
Sector at 0x6000: unlocked
Sector at 0x8000: unlocked
Sector at 0xA000: unlocked
Sector at 0xC000: unlocked
Sector at 0xE000: unlocked
Sector at 0x10000: locked
Sector at 0x20000: unlocked
Sector at 0x30000: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector group at 0x7C0000: unlocked
Password Protection Mode lock: 0000
Persistent Protection Mode lock: 0000

loadtool> flash2 lock-state
Autodetecting flash chip type
Basic device ID: 00EC 257E
Samsung extended ID device, reading extended ID
Extended ID: 2508 2501
Appears to be Samsung K5L29xx_A or compatible, checking CFI
Confirmed Samsung K5L29xx_A or compatible
Global status word 3: 0000
Global status word 7: 0000
Sector group at 0x0: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector at 0x7C0000: unlocked
Sector at 0x7D0000: unlocked
Sector at 0x7E0000: unlocked
Sector at 0x7F0000: unlocked
Sector at 0x7F2000: unlocked
Sector at 0x7F4000: unlocked
Sector at 0x7F6000: unlocked
Sector at 0x7F8000: unlocked
Sector at 0x7FA000: unlocked
Sector at 0x7FC000: unlocked
Sector at 0x7FE000: unlocked


=== Spansion flash ===

loadtool> flash lock-state
Autodetecting flash chip type
Basic device ID: 0001 227E
AMD-style extended ID device, reading extended ID
Extended ID: 2221 2200
Spansion PL129J or PL129N, looking at CFI
Found PL129N
Global status word 3: 0080
Sector at 0x0: locked
Sector at 0x10000: locked
Sector at 0x20000: unlocked
Sector at 0x30000: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector group at 0x7C0000: unlocked
PL-N Lock Register: FFFF

loadtool> flash2 lock-state
Autodetecting flash chip type
Basic device ID: 0001 227E
AMD-style extended ID device, reading extended ID
Extended ID: 2221 2200
Spansion PL129J or PL129N, looking at CFI
Found PL129N
Global status word 3: 0080
Sector group at 0x0: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector at 0x7C0000: unlocked
Sector at 0x7D0000: unlocked
Sector at 0x7E0000: unlocked
Sector at 0x7F0000: unlocked

--
Best regards,
Vadim.
_______________________________________________
Community mailing list
Community@freecalypso.org
https://www.freecalypso.org/mailman/listinfo/community
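Added example, not part of the mail above and not fc-loadtool's own code: a small parser for the text that the 'flash lock-state' command prints, which turns the per-sector lines into locked byte ranges and compares two dumps at byte granularity. The sample input is constructed from the head of the Samsung 'flash lock-state' dump above; the 8 MiB bank size is an assumption inferred from the 0x40000-step sector groups ending at 0x7C0000.

```python
# Added example, not from the original mail or from fc-loadtool itself: parse the
# text printed by fc-loadtool's 'flash lock-state' command into locked byte
# ranges, so lock maps from two banks or two phones can be compared mechanically.
import re

# One line per sector or sector group, in the format quoted in the mail above.
_LINE_RE = re.compile(r"^Sector(?: group)? at 0x([0-9A-Fa-f]+): (locked|unlocked)$")

# Constructed sample: the head of the Samsung 'flash lock-state' dump above
# (the eight 8 KiB boot sectors, three 64 KiB sectors, first 256 KiB group).
SAMSUNG_FLASH_SAMPLE = "Sector at 0x0: locked\n" + "".join(
    f"Sector at 0x{a:X}: unlocked\n" for a in range(0x2000, 0x10000, 0x2000)
) + "Sector at 0x10000: locked\nSector at 0x20000: unlocked\n" \
    "Sector at 0x30000: unlocked\nSector group at 0x40000: unlocked\n"
BANK_SIZE = 0x800000  # assumed: 8 MiB bank, from 0x40000-step groups ending at 0x7C0000

def parse_lock_state(text):
    """Return [(start_addr, locked)] in printed order; non-sector lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), m.group(2) == "locked"))
    return entries

def locked_ranges(entries, bank_size=BANK_SIZE):
    """Merge adjacent locked sectors into half-open byte ranges [(start, end)].
    A sector's size is the gap to the next printed address; the last runs to bank_size."""
    ends = [addr for addr, _ in entries[1:]] + [bank_size]
    ranges = []
    for (start, locked), end in zip(entries, ends):
        if not locked:
            continue
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # contiguous with the previous locked range
        else:
            ranges.append((start, end))
    return ranges

def _is_locked(ranges, addr):
    return any(s <= addr < e for s, e in ranges)

def lock_state_diff(a_ranges, b_ranges, bank_size=BANK_SIZE):
    """Intervals where two lock maps disagree, as (start, end, locked_in_a, locked_in_b).
    Byte-granular, so it also works across different sector layouts, e.g. the
    bottom-boot 'flash' bank against the top-boot 'flash2' bank of the same chip."""
    points = sorted({0, bank_size, *(p for r in a_ranges + b_ranges for p in r)})
    return [(s, e, _is_locked(a_ranges, s), _is_locked(b_ranges, s))
            for s, e in zip(points, points[1:])
            if _is_locked(a_ranges, s) != _is_locked(b_ranges, s)]
```

Feeding it the Samsung 'flash' and 'flash2' dumps above reports exactly the two locked sectors at 0x0 and 0x10000 as the only difference between the banks.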