steve at steve-m.de
Wed Mar 17 16:00:54 UTC 2010
Nathan Fain :
> I'm starting to look at the JTAG of the c155. does anyone know the VCC
> level the IC's are running at. JTAG lines will likely be the same.
Yes, the JTAG voltage is 2,8V, but I assume these pins are quite
resistant, so 3.3V should work, too.
This is what I got with a Xilinx DLC5 and urjtag on a Sagem my201x
(Calypso lite, just like the C155):
Reading 0 bytes if idcode
Read 00001110 00110000 00000000 00000010 00000000 00000000 00000000
For figuring out more commands and flash access of these Sagem phones
(maybe this will work on the C155 too), I'll build the clone of a Sagem
JTAG Unlocker for Calypso phones next week.
There are a few around, and for some you can even find schematics and
hex-files. The one I'll build is based on an ATMega32, connects to the
parallel port, and the software also supports "dump flash" and "write
flash" beneath obviously, but uninteresting for us, "unlock".
Since these Calypso-based Sagem phones have no serial bootloader, the
"unlockers" always depended on JTAG for accessing the flash, so my
approach is to find out more about the Calypso JTAG with either sniffing
or disassembling one of those Sagem JTAG Unlockers.
The target should be flash-access with openocd on at least the C123 and
C155, and maybe some of the Sagems.
Since most of these Sagem phones (e.g. the my201x and myx2-2) don't use
Rita as GSM transceiver, but just like the newer Motorola Compal models
(W220 and C161) a Silicon Laboratories Si4210 Aero II (for which
register-level documentation is available), it would be nice to have a
driver for this at some later point.
These Sagem phones (in particular the myx-1) are still highly available
on different marketplaces.
More information about the baseband-devel