Firmware upgrade

From OpenEZX

This page describes the firmware upgrade process, including the bootloader commands and their restrictions.


BP pass-through mode

By default you can access only the AP bootloader, not the BP one. To reach the BP bootloader you can either run the firmware utilities directly on the phone, or put the AP bootloader into pass-through mode. On gen2 you need to press the flash button one more time, and the MBM loader should then write "BP passthrough" in the center of the screen.

How this works

Every Motorola bootloader supports at least one feature: executing (signed) code sent over USB. The bootloader itself is not capable of flashing firmware, so the host tool first sends a (signed) upgrade agent containing the flashing code, called a "ramloader".

Command set

Command    | IROM 2,3 | IROM 4 | LTE2 | LTE2 ram | a780-blob | MBM | gen-blob      | ramldr2    | Description
RQVN       | y        | y      | y    | y        | y         | y   | y             | n          | request running software version
RQSN       | n        | n      | y    | y        | ??        | y   | n             | n          | request serial number
RQCS       | y        | y      | y    | y        | y         | n   | y             | n          | calculates checksum of all code groups
RQRC       | y        | y      | y    | y        | y         | n   | y             | n          | calculates checksum of a given memory range
READ       | n        | n      | y    | y        | ??        | n   | renamed: RBIN | renamed: R | read data from a given address
ADDR       | y        | y      | y    | y        | y         | y   | y             | part of: F | sets the address for the next write
BIN        | y        | y      | y    | y        | y         | y   | ram only      | part of: F | send data and copy or flash it to the address previously set by ADDR
JUMP       | y        | y      | y    | y        | y         | y   | y             | n          | jumps to a given address
ERASE      | n        | n      | n    | y        | n         | n   | n             | n          | erases the previously given range of flash memory
POWER_DOWN | ??       | ??     | y    | ??       | ??        | n   | y             | n          | shuts the phone down
BP_PASS    | -        | -      | -    | -        | no        | yes | no            | -          | redirect USB to the BP
FLASH      | n        | n      | n    | n        | n         | n   | y             | n          | flashes data from a given memory address to a given flash address

Legend for "y" (the three kinds are distinguished by colour in the original table):
y  no restrictions
y  weak, hackable restriction
y  strong restriction

Hacks

  • RQCS can be used to dump protected memory ranges
  • ADDR-BIN can be used to execute unsigned code via direct writes to stack

Load and execute code

Without rsa checks

I want to load a binary at address 0xa00e0000 and then execute it. There are no signature checks in MBM, blob and gen-blob, so I can simply use JUMP:

  • use ADDR to set the loading address to 0xa00e0000
  • use BIN to send the first 0x1000 bytes of data
  • set the loading address to 0xa00e1000
  • send the next 0x1000 bytes
  • repeat until all data has been sent
  • use JUMP to execute the code at 0xa00e0000
  • the code at 0xa00e0000 is executed!

With RSA checks, using a bootloader weakness

On LTE2 IROM3 with RSA checks I should do the same, except for the last step:

  • send the data to 0x03FD0000 using ADDR-BIN
  • send ADDR to set the loading address to the stack address (0x03FEF800) - IROM should report an error, since it is totally impossible to write to the stack on such a hardened device
  • just ignore the error and send a lot of \x03\xFD\x00\x14 (the address of the code entry point) using BIN
  • the code at 0x03FD0014 is executed!

Write data to flash

Native motorola way

  • send the ramloader using ADDR-BIN-JUMP
  • send ERASE (the regions to erase are hardcoded in the ramloader header)
  • use ADDR to set the loading address to the flash address
  • use BIN to send 4k bytes of data

Gen-blob way

  • send 0x20000 bytes (the flash eraseblock size) of data to a RAM buffer (for example 0xa0400000)
  • use the FLASH command to flash the data from 0xa0400000 to the given flash address

RAMLDR2 way

  • send the F command to set the loading address - ramldr2 should report the eraseblock size
  • send exactly this amount of data, split into 1k frames - ramldr2 should report _OK for each frame
  • after all data has been sent, ramldr2 should report the data checksum

Sending commands

All bootloaders except RAMLDR2 use the same command format and USB interface. To send a command you need to find the two endpoints (in and out) on the USB interface. On gen1 the output endpoint is 2 and the input is 1 (0x810); on the others the output is 1 and the input is 2 (0x82).

Every packet starts with \x02, followed by the command in ASCII. If there are any arguments, the separator \x1e comes right after the command, then the arguments (usually hex-ASCII coded), and finally the terminating \x03:

\x02RQSN\x03 - send RQSN, no args
\x02ADDR\x1eA0400000\x03 - send ADDR with argument 0xa0400000

Same with response:

\x02ACK\x1eA0400000\x03 - write to address 0xA0400000 permitted
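The framing described above, as an added example that is not part of the original page or of any OpenEZX tool: it encodes command frames and decodes responses with strict validation, so malformed or truncated frames are rejected instead of being misread. USB endpoint handling is out of scope; only the byte format is covered, and the treatment of more than one argument is an assumption, since the page only shows single-argument commands.

```python
from __future__ import annotations

# Added example, not code from the OpenEZX page or its tools: byte framing of
# the bootloader command protocol (STX + ASCII command [+ RS + args] + ETX).
STX, RS, ETX = b"\x02", b"\x1e", b"\x03"   # start, separator, terminator


def build_frame(command: str, *args: str) -> bytes:
    """Encode a command frame.

    Assumption: if a command carried several arguments they would also be
    separated by RS; the page only shows commands with a single argument.
    """
    fields = [command, *args]
    for field in fields:
        if not field or not field.isascii():
            raise ValueError("command and arguments must be non-empty ASCII")
        if any(ord(ch) < 0x20 for ch in field):
            raise ValueError("control characters are not allowed in a field")
    return STX + RS.join(f.encode("ascii") for f in fields) + ETX


def parse_frame(frame: bytes) -> tuple[str, list[str]]:
    """Decode a frame into (command, args); raise ValueError if malformed."""
    if len(frame) < 3 or frame[:1] != STX or frame[-1:] != ETX:
        raise ValueError("frame must start with STX and end with ETX")
    body = frame[1:-1]
    if STX in body or ETX in body:
        raise ValueError("stray control byte inside frame body")
    # decode() raises UnicodeDecodeError (a ValueError) on non-ASCII bytes
    command, *args = [part.decode("ascii") for part in body.split(RS)]
    if not command:
        raise ValueError("empty command")
    return command, args


def addr_frame(address: int) -> bytes:
    """ADDR with the address as 8 upper-case hex digits, as in the page."""
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits")
    return build_frame("ADDR", f"{address:08X}")


def parse_ack(frame: bytes) -> int | None:
    """Return the address carried by an ACK response, or None for any other reply."""
    command, args = parse_frame(frame)
    if command != "ACK" or len(args) != 1:
        return None
    return int(args[0], 16)
```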