Hi Osmocom and FreeCalypso communities,
I would like to disclose my recent discovery, which so far was
discussed within a small group of Osmocom members and with Mychaela
Falconia.
==== A bit of history ====
There exists a tool for flashing old Sony Ericsson phones called
pstool (search for 'PSTool_SE_ODM_free' in your favorite search
engine). It's a Windows executable with a custom GUI, and with some
additional clarifications specifically for "big Russian specialists"
:P
Unlike the more famous SETool2 Lite, which does support a wide range
of phones based on SEMC's own A1 DB2xxx and A2 DB3xxx chipsets, the
pstool is limited to only a few phone models (all listed in GUI):
* J100i, J110i, J120i,
* K200i, K220i.
Among them is Sony Ericsson J100i [1], a Calypso based phone designed
by Compal, on which you can already run custom OsmocomBB or
FreeCalypso firmware. Both J110i and J120i are likely variants of
J100i with some minor differences (correct me if I am wrong).
[1] https://osmocom.org/projects/baseband/wiki/SonyEricssonJ100i
My curiosity was piqued when I saw K200i/K220i in the dropdown list of
the pstool. I ordered a few phones on a local advertising site
assuming that they may also be based on Calypso. And... yes, they are!
==== Hardware ====
For those who are interested to see the inside, here are some photos:
https://people.osmocom.org/fixeria/dump/se_k200i/board/
Some highlights (from Mychaela's E-mail):
* Calypso 751992A (C035, final DSP ROM version 3606, full 512 KiB IRAM),
* RF: Familiar Iota TWL3025 ABB and Rita, PA SKY77318,
* Flash: SPANSION S71PL129NB0HFW4B (16 MiB NOR + 4 Mib XRAM),
* Winbond W56932DYX - probably a ringtone melody player?
According to [2], K220i is identical to K200i with the only difference
that the former has an FM radio receiver. If anyone has a K220i, I
would be interested to see the board photos though.
[2] https://mobile-review.com/review/sonyericsson-k200.shtml
==== Software ====
I was able to get the FreeCalypso loadagent running:
https://people.osmocom.org/fixeria/dump/se_k200i/info.txt
and managed to dump the raw flash contents:
https://people.osmocom.org/fixeria/dump/se_k200i/K200i-fc-flash1.bin
https://people.osmocom.org/fixeria/dump/se_k200i/K200i-fc-flash2.bin
The DSP ROM is a well-known version 3606:
https://people.osmocom.org/fixeria/dump/se_k200i/dspromdump.txt
I was also able to get unmodified OsmocomBB layer1 firmware (the J100i
variant) running and even got the basic Rx functionality working:
* cell_log is able to find cells,
* ccch_scan happily decodes BCCH/AGCH/PCH messages.
What's really nice about the K200i is that (unlike the J100i) it has
the Calypso boot ROM unlocked, just like Pirelli DP-L10 [3]. This
makes it impossible to brick the phone by erasing the flash.
[3] https://osmocom.org/projects/baseband/wiki/PirelliDPL10
==== Summary ====
At the moment of writing this announcement, K200i is neither supported
by OsmocomBB nor by FreeCalypso. The big problem here is that we could
not find the board schematics, so we don't have sufficient knowledge
on how the RFFE control signals are routed. Figuring this out (be it
hw-based or fw-based approach) is quite a big effort, and I doubt
there will be a commercial interest to sponsor this.
In any case, I believe it's a nice *potential* target, so I created a
wiki page [4] with all the relevant information about K200i.
[4] https://osmocom.org/projects/baseband/wiki/SonyEricssonK200i
Now I am giving the podium to Mychaela, I am sure she has more to say :P
Best regards,
Vadim.
Dear Osmocom community,
your input is required in order to tune the re-launch of the OsmoDevCall
talk series. One of the complaints before the suspension in Summer this year
was that the "Friday night 8pm CEST" timeslot was not exactly ideal for several
people.
Finding a common denominator might be difficult, given that Osmocom is a dayjob
for some, a hobby for most, and we're of course not all in the same time zone
or even continent.
So let's try to run a couple of polls to figure out:
* What is the best day of the week for OsmoDevCall?
https://bitpoll.de/poll/CEQnaQKEvO/
* What is the best time of day for OsmoDevCall?
https://bitpoll.de/poll/59dgmzOocT/
* What is the best frequency of OsmoDevCall?
https://bitpoll.de/poll/8jyuRJB6Hb/
The polls are open until October 21st, 2021. I would appreciate a high turn-out
so we have a good representation across our community to make an educated decision
about the schedule of future events.
Can't wait to re-start OsmoDevCall!
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
hi there,
I ran into an error with ./transceiver in osmocom-bb
if I write
osmocom/osmocom-bb/src/host/layer23/src/transceiver # sudo ./transceiver -a 47 -2 -r 99
the cli returns with
47
41
1
Aborted
What am I doing wrong? I hope you can help me out.
have a nice day
msfu
Hello, if I remember, I have tested to telnet 192.168.0.1 8090, or if I
broadcast DHCP from my PC I have 192.168.0.142, but in both cases I have
connection refused :( You mean that if I buy sysmocell I will be able to
flash FW on my nano3G? Will check if I can have serial. Thank you for your
response, I will keep the community in touch if I can go further. I will
only be able to make new tests in 10 days... :(
On Sun, 7 Aug 2022 at 16:09, Neels Hofmeyr <nhofmeyr(a)sysmocom.de> wrote:
> I dimly remember that the nano3G have both serial console contacts you can
> solder onto, as well as an exploitable DHCP client (what I heard is that the
> DHCP client is a bash script that fails to properly escape the host name given
> to the DHCP client). With that you might be able to gain ssh access. Even then
> you may not have much of a chance to get it to run, depending on the installed
> firmware.
>
> A factoid is that a nano3G obtained from sysmocom.de will work with osmo-hnbgw.
> Not sure if it is still in the shop... Some of them have also been given away
> free of charge, to non-commercial users: research / hacker spaces. So if I
> needed one to play with, I guess I would ask sysmocom indicating my intended
> use, or ask some of the people that got one from Accelerate3g5 -- in case
> there's someone no longer using their nano3G:
> https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5
>
> HTH,
>
> ~N
Hello @osmocom, I wonder something. I have bought an ip.access nano3G S8
Model # 237BA UMTS Band 2/5 (800 MHz). Will I have a chance to make it work
with Accelerate3g5 software? Thanks, Bastien Baranoff
Hello everybody!
I built the osmocombb main branch many times without problems.
I downloaded the sylvain_ind branch prebuilt VM because I had no success building it.
My error is:
make[1]: Entering directory '/home/user/osmocom-bb-sylvain-burst_ind/src/target/firmware'
make[1]: *** No rule to make target 'include/tiffs.h', needed by 'board/compal_e88/init.o'. Stop.
But even the prebuilt VM doesn't show BURST_IND when I start ccch_scan.
I have a feeling that everything is a firmware problem.
Can somebody send me a link to prebuilt sylvain_ind firmware or, even better, a link to some upload service with a prebuilt VM?
I will be very thankful and I am willing to pay for
that and some explanation via chat or email.
Thank you very much!
Kind regards!
Hello,
I'm trying to open the mobile application but it tells me that it failed
to parse the configuration file.
~/osmocom/osmocom-bb/src/host/layer23/src/mobile# sudo ./mobile
Copyright (C) 2010-2015 Andreas Eversberg, Sylvain Munaut, Holger
Freyther, Harald Welte
Contributions by Alex Badea, Pablo Neira, Steve Markgraf and others
License GPLv2+: GNU GPL version 2 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
<0011> app_mobile.c:451 Failed to parse the configuration file
'/root/.osmocom/bb/mobile.cfg'
<0011> app_mobile.c:454 Please make sure the file
'/root/.osmocom/bb/mobile.cfg' exists, or use an example from
'doc/examples/mobile/'
I was searching for the directory /root/.osmocom/bb/ to build the
missing file but I cannot find it.
Am I blind or where is this folder? It is not in my Home or root directory.
Thanks for your help
best regards
msfu
Hi there,
after a fresh new install I tried to open layer1 in osmocombb but the
tool gave me this error:
~/osmocom/osmocom-bb/src/host/osmocon# sudo ./osmocon -m c123xor -p /dev/ttyUSB1 -c root/osmocom/osmocom-bb/src/target/firmware/board/compal_e88/layer1.compalram.bin
got 2 bytes from modem, data looks like: 04 81 ..
got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
read_file(chainloader): file_size=32, hdr_len=4, dnload_len=39
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download
handle_write(): 39 bytes (39/39)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!
Enabled Compal ramloader -> Calypso romloader chainloading mode
Received ident ack from phone, sending parameter sequence
opening file: No such file or directory
I don't think it's broken, but maybe it's a spelling error or something?
I hope you can help me. I'm just irritated.
Have a nice day
msfu