Christophe Devine <devinechristophe@gmail.com> wrote:
I had a similar problem with a tracfone branded c139 (ftmtool error).
I guess I was lucky that the first two C139s I got from ebay were the Cingular branded version, which has the classic Compal bootloader enabled. But I just opened the one that came in Tracfone packaging, and indeed the bastards have disabled this bootloader in TF firmware: it proceeds directly to the ftmtool crap, without ever sending PROMPT1 or pausing to check for a possible download.
On IRC, Hoernchen mentioned an older post where the author "fixed" the bootloader. He also mentioned a pastebin that referenced a tool called mot931c. I managed to find it and could successfully reflash my tracfone's bootloader, which now loads osmocom-bb without issue. Here's the reuploaded software package:
https://drive.google.com/file/d/0ByHQWL5Q6bSwdkJReUlJWUQ1Z3M/edit?usp=sharin...
Thanks for sharing. I'm trying to understand how this works. It looks like with both Calypso and Compal bootloaders disabled, the only way to make the initial break-in on a TF C139 is through the firmware's RVTMUX interface. I have not yet tried running that mot931c.exe Weendoze binary under Wine; I've only run strings on it so far, and I saw the instruction to enter **16379#. Keying this magic incantation into a C139 or C140 (both TF and vanilla) yields a menu that allows switching the headset jack between headset and trace functions. Selecting trace causes the jack to be switched back to the UART (like it is on power-up), and looking at the data the running fw spits out, I see TI's classic RVTMUX interface, albeit at 57600 baud instead of TI's default of 115200.
But this is where I get stuck: even though the interface is clearly RVTMUX and includes the ETM module (TI's Enhanced Trace Mode), none of the classic ETM command packets do anything. I get ETM packets back with the correct checksum, so I infer that ETM must be present in the fw, but all response packets I could get consisted of just a 0x0E error code octet instead of the expected ETM_CORE responses.
Has anyone figured out just what this (presumably) closed source mot931c.exe binary sends to the phone?
About to try running it under Wine, and if that succeeds, then strace...
VLR, SF
Given your interest in the 850 MHz band, I gather that you must be somewhere in North America. Anywhere near Southern California perchance?
North America, yes; southern California, no. I'm in southeast Michigan, 30-some miles from Detroit.
Is it "official" PCS1900 support, or are you seeing some of the received RF energy in the PCS band (in a very strong signal area, presumably) seep through the imperfect 1800 MHz SAW filter with the antenna switch set to DCS?
That is a very good question. I am not sure yet. I will email either you or the list again when I know more.
If all else fails, I reason that one should be able to disassemble the phone, desolder the flash chip, reprogram it with a known good bootloader using a standalone device programmer, then solder it back onto the board. But I'm guessing that flash chip is probably a micro-BGA (IIRC it's a flash+pSRAM MCP), so it wouldn't be a home soldering job, but rather something to be sent to a professional lab. If you fancy going down that road, I would suggest talking to Technotronix in Anaheim, California - ask for Gopal, and tell him you were referred by Michael S. from Harhan.
I suspect that would cost more money than I am currently willing/able to spend on this project, but I appreciate the reference and will keep it in mind.
Would you mind telling us which branding it is? It seems that Cingular units have bootloaders that work out of box, for Tracfones there is another method that has been proven to work, so what other brandings are out there?
Mine is Cingular branded, but it has software version 1.9.24 instead of the seemingly better-known (and known to work) 1.0.24.
It appears that what this tool does (at least on Tracfones with V8.8.17 firmware) is it erases and rewrites the first 64 KiB sector of the flash. The new bits written into this sector appear to be contained as a 65536-byte payload within the mot931c.exe binary; and it looks like whoever wrote this tool replaced the first 8192 bytes with a "good" C139/140 bootloader, while leaving the remaining 56 KiB unchanged from V8.8.17 firmware. So the phone ought to retain its firmware unchanged, but gain the ability to break into the bootloader like we are used to doing. But apparently the firmware checksums itself, as doing a normal boot (w/o serial download) results in a message on the LCD (with the backlight off, so hard to read) about the firmware being corrupted or something to that effect.
Very interesting, that is good to know and will come in handy if/when I get my hands on a Tracfone that it works with.
Cheers, Rusty
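The analysis above says the tool carries a 65536-byte sector image whose first 8192 bytes are a replacement bootloader and whose remaining 56 KiB are supposed to match the phone's own V8.8.17 firmware. Before letting a closed-source binary rewrite a flash sector, that claim is worth checking against a dump of the phone's own sector. The script below is an added example, not part of the thread and not derived from mot931c.exe: it locates a sector-sized payload inside a tool binary by searching for the firmware bytes that should be unchanged, then reports exactly which byte ranges differ from the dump, split into the bootloader region and the rest. The 64 KiB / 8192-byte layout is taken from the thread; the tool binary and firmware sector are constructed sample data, and the real offset of the payload inside mot931c.exe is not known to this script.

```python
"""Verify what a flash-sector rewrite tool would change, against a firmware dump.

Added example (not from the thread, not from mot931c). Assumes the layout
the thread describes: one 64 KiB sector, first 8192 bytes = bootloader,
remaining 56 KiB = firmware that should be left unchanged. All input data
below is constructed for demonstration.
"""
import random

SECTOR_SIZE = 64 * 1024      # erase sector the tool is said to rewrite
BOOTLOADER_SIZE = 8192       # bytes at the sector start that are replaced


def find_sector_payload(tool_binary: bytes, firmware_sector: bytes) -> int:
    """Locate the embedded 64 KiB sector image inside a tool binary.

    The search key is the part of the sector the tool supposedly leaves
    untouched (everything after the bootloader), taken from the dump.
    Returns the byte offset where the payload starts, or -1 if not found.
    """
    tail = firmware_sector[BOOTLOADER_SIZE:SECTOR_SIZE]
    idx = tool_binary.find(tail)
    # -1 means not found; an index below BOOTLOADER_SIZE leaves no room
    # for a bootloader in front of the tail, so it cannot be the payload.
    if idx < BOOTLOADER_SIZE:
        return -1
    return idx - BOOTLOADER_SIZE


def differing_ranges(a: bytes, b: bytes) -> list:
    """Return half-open (start, end) ranges where a and b differ."""
    ranges = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def classify_changes(payload: bytes, firmware_sector: bytes) -> dict:
    """Split payload-vs-dump differences into bootloader region and the rest.

    A tool that really only swaps the bootloader shows changes under
    "bootloader" and an empty "rest" list; anything under "rest" means it
    also touches firmware bytes the thread says it should leave alone.
    """
    if len(payload) != SECTOR_SIZE or len(firmware_sector) != SECTOR_SIZE:
        raise ValueError("both images must be exactly one 64 KiB sector")
    result = {"bootloader": [], "rest": []}
    for s, e in differing_ranges(payload, firmware_sector):
        if e <= BOOTLOADER_SIZE:
            result["bootloader"].append((s, e))
        elif s >= BOOTLOADER_SIZE:
            result["rest"].append((s, e))
        else:  # range straddles the bootloader boundary: split it
            result["bootloader"].append((s, BOOTLOADER_SIZE))
            result["rest"].append((BOOTLOADER_SIZE, e))
    return result


def build_constructed_sample():
    """Constructed stand-in for a firmware dump and a tool binary.

    The 'tool' is a dummy header, then a payload made of a different
    bootloader followed by the dump's own tail, then some padding.
    """
    rng = random.Random(0xC139)
    firmware = bytes(rng.randrange(256) for _ in range(SECTOR_SIZE))
    # XOR with 0xA5 guarantees every bootloader byte differs from the dump.
    new_bootloader = bytes(b ^ 0xA5 for b in firmware[:BOOTLOADER_SIZE])
    payload = new_bootloader + firmware[BOOTLOADER_SIZE:]
    tool_binary = b"MZ" + bytes(510) + payload + bytes(64)
    return tool_binary, firmware


if __name__ == "__main__":
    tool, dump = build_constructed_sample()
    offset = find_sector_payload(tool, dump)
    print("payload offset in tool binary:", offset)
    changes = classify_changes(tool[offset:offset + SECTOR_SIZE], dump)
    print("bootloader ranges changed:", changes["bootloader"])
    print("firmware ranges changed:  ", changes["rest"])
```

With a real dump, the "rest" list is the interesting output: if it is empty, the tool's payload really does carry the phone's own firmware bytes beyond the bootloader, and the later self-check failure the thread describes has to come from elsewhere (for example a checksum that covers the bootloader region).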
baseband-devel@lists.osmocom.org