Motorola C139 V1.9.24 Won't Load from osmocom-bb

Rusty Dekema rdekema at gmail.com
Tue Apr 8 23:09:37 UTC 2014


On Sun, Apr 6, 2014 at 5:30 PM, Michael Spacefalcon
<msokolov at ivan.harhan.org> wrote:
> Rusty Dekema <rdekema at gmail.com> wrote:
>
>> Although I would still like to eventually get a C139 working (mainly
>> for its 850 MHz support),
>
> Given your interest in the 850 MHz band, I gather that you must be
> somewhere in North America.  Anywhere near Southern California
> perchance?
>
>> I obtained a C118 yesterday and it works
>> with osmocom-bb like a charm, right out of the box. (It also has at
>> least some support for the PCS1900 band, which was a pleasant
>> surprise.)
>
> Is it "official" PCS1900 support, or are you seeing some of the
> received RF energy in the PCS band (in a very strong signal area,
> presumably) seep through the imperfect 1800 MHz SAW filter with the
> antenna switch set to DCS?
>
>> Now, back to the C139. If anyone has any further suggestions, please
>> let me know.
>
> If all else fails, I reason that one should be able to disassemble the
> phone, desolder the flash chip, reprogram it with a known good boot-
> loader using a standalone device programmer, then solder it back onto
> the board.  But I'm guessing that flash chip is probably a micro-BGA
> (IIRC it's a flash+pSRAM MCP), so it wouldn't be a home soldering job,
> but rather something to be sent to a professional lab.  If you fancy
> going down that road, I would suggest talking to Technotronix in
> Anaheim, California - ask for Gopal, and tell him you were referred by
> Michael S. from Harhan.
>
>> The phone never sends a PROMPT1 for reasons discovered later and
>> described above.
>
> Yup, a definite indicator that the bootloader our tools need to talk
> to has been removed in the firmware version in your phone, just like
> in Tracfone's version.
>
>> Yes, it's definitely 1.9.24 both on the sticker and the #02# screen.
>
> Thanks for the info about the #02# screen, I didn't know about that
> one before.
>
>> When I run the mot931c program, follow the directions, and click
>> Unlock, I get the output: "Error 2" followed by "Phone not found". Of
>> note, if I unplug the phone from the computer and do the same, I get
>> only the "Phone not found" message. Then again, the title of the
>> mot931c application is "Tracfone mobile unlock 1.0 by Lawer,"
>
> After I made my previous post, I did run that mot931c program under
> wine with the Tracfone connected, and it did reflash that phone with a
> bootloader that is compatible with osmocom-bb/DMTool/fc-loadtool etc.
> Unfortunately I failed to capture the bytes exchanged between the
> Weendoze program and the phone - trying to run wine under strace was a
> little too much for me.
>
> So now I need to get another Tracfone C139 from ebay, and be more
> careful this time..  I'm thinking about hacking the Linux kernel
> driver for the USB-serial chip in my cable (the PL-something) and
> making it log the Rx/Tx activity into a RAM buffer which I would then
> read out - an incredibly ugly hack, but one that would be more within
> the range of my skills, as compared to instrumenting wine...
>
>> and mine is not a Tracfone.
>
> Would you mind telling us which branding it is?  It seems that Cingular
> units have bootloaders that work out of box, for Tracfones there is
> another method that has been proven to work, so what other brandings
> are out there?
>
>> > It should be noted that the new bootloader is very limited (no charging, no
>> > loading of the regular phone os).
>
> It appears that what this tool does (at least on Tracfones with V8.8.17
> firmware) is it erases and rewrites the first 64 KiB sector of the
> flash.  The new bits written into this sector appear to be contained
> as a 65536-byte payload within the mot931c.exe binary; and it looks
> like whoever wrote this tool replaced the first 8192 bytes with a
> "good" C139/140 bootloader, while leaving the remaining 56 KiB
> unchanged from V8.8.17 firmware.  So the phone ought to retain its
> firmware unchanged, but gain the ability to break into the bootloader
> like we are used to doing.  But apparently the firmware checksums
> itself, as doing a normal boot (w/o serial download) results in a
> message on the LCD (with the backlight off, so hard to read) about
> the firmware being corrupted or something to that effect.
>
>> The DLTool/"DM Tool" software in this package does not seem to be able
>> to "see" or communicate with the phone.
>
> Which is not surprising at all, as this tool (appears to be Compal's
> official flasher) connects to the phone in the same manner as
> osmocon -m c140xor, so one doesn't work, neither will the other.
>
>> Perhaps this is not surprising, since the
>> mot931c tool was not able to "unlock" whatever it was supposed to
>> unlock on this phone.
>
> See above - that mot931c tool doesn't really "unlock" anything, it
> simply rewrites sector 0 of the flash with a "good" bootloader.
>
> VLR,
> SF
>




More information about the baseband-devel mailing list