The Tools
First, you need to get the platform tools. Thankfully the RDA platform tools, Cooltools, have been made available to the public.
The Hardware
All that is needed to flash the radio is to connect it to the host computer using the programming cable via the headset jack. The same setup that you use to write the codeplug will also work for flashing firmware.
Coolwatcher
Cooltools includes several different tools for interacting with these chips. The primary tool in this toolkit is Coolwatcher which can be used to probe, profile, and debug the RDA processors and their firmware.
We are going to use it to flash firmware onto the radio.
When starting Coolwatcher, the program prompts you for a profile for the radio. I have found that the 8809 profile seems the most similar. Before hitting OK, we need to scroll down and select which serial port to use. Enter the appropriate value on this line and hit Start.
Flashing firmware
Flashing firmware is as easy as 1, 2, 3.
First is the lod file. The lod file contains the firmware to flash. You can turn a bin into a lod using bin2lod from lodtools. The bin file can be created by dumping the firmware from the radio with a6tools, reading the region from 0x88000000 to 0x88400000.
Second, select the appropriate flashing program. These programs are also lod files and will be loaded into the device RAM and executed. You need to pick the right one for the device. The program that worked for me is in the cooltools directory, chipgen/Modem2G/toolpool/plugins/fastpf/flash_programmers/host_8809_flsh_spi32m_ramrun.lod. Be careful as there is a very closely named flash program for the 8909. However, picking the wrong file here will just cause the flash to fail. Rebooting the radio will leave it the same as it was.
Third, click burn and watch the process unfold. The console for the flashing process is in the “Ruby Script” tab. Using the FTDI cable under Windows, it took about 70 s to flash the radio. Under Linux, it was a little slower and took about 100 s.
Now, this would normally be the point where you would receive some dire warning about interrupting this process and bricked radios. It seems to be particularly difficult to leave the radio in an unrecoverable state.
The radio that I use for experiments looks like this: [photo]

And unsurprisingly, the battery, held on with some tape, shifted during flashing. The radio lost power. I figured the radio would be toast.
However, this was not the case at all! The radio didn’t boot, of course. The serial cable was still attached, and the radio was sending events to Coolwatcher. The debug interface still works.
And because the debug interface is still working, we can reload the flash program and try again. The radio should be quite resistant to bricking.
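A small pre-flight and read-back check for the flashing steps above and for the interrupted-flash case just described. This is an added example, not part of the original post or of Cooltools: it checks that a bin dumped from 0x88000000 to 0x88400000 has the expected size and is not blank, and compares a post-flash dump against the image to report which sectors differ. The 4 KiB sector size and the sample images are assumptions constructed here for illustration.

```python
import hashlib

# Flash region the post dumps with a6tools (values from the post).
FLASH_BASE = 0x88000000
FLASH_END = 0x88400000
FLASH_SIZE = FLASH_END - FLASH_BASE   # 4 MiB
# Assumed reporting granularity; not a documented property of the chip.
SECTOR = 0x1000


def check_image(image: bytes) -> list[str]:
    """Return a list of problems; an empty list means the image looks flashable."""
    problems = []
    if len(image) != FLASH_SIZE:
        problems.append(f"size 0x{len(image):x} != expected 0x{FLASH_SIZE:x}")
    if image and image.count(0xFF) == len(image):
        problems.append("image is entirely 0xFF (erased flash, likely a failed dump)")
    if image and image.count(0x00) == len(image):
        problems.append("image is entirely 0x00 (likely a failed dump)")
    return problems


def sha256_hex(image: bytes) -> str:
    """Hash to record before flashing and to compare against a read-back dump."""
    return hashlib.sha256(image).hexdigest()


def changed_sectors(before: bytes, after: bytes) -> list[int]:
    """Flash addresses of sectors that differ between two dumps.

    After an interrupted flash this shows how far the write got.
    """
    n = max(len(before), len(after))
    return [FLASH_BASE + off for off in range(0, n, SECTOR)
            if before[off:off + SECTOR] != after[off:off + SECTOR]]


def flash_verified(expected: bytes, readback: bytes) -> bool:
    """True when the read-back dump matches the image that was flashed."""
    return sha256_hex(expected) == sha256_hex(readback)


# Constructed sample images: a plausible 4 MiB dump and a half-written copy.
GOOD_IMAGE = bytes(range(256)) * (FLASH_SIZE // 256)
INTERRUPTED = GOOD_IMAGE[:FLASH_SIZE // 2] + b"\xff" * (FLASH_SIZE // 2)

if __name__ == "__main__":
    print("problems:", check_image(GOOD_IMAGE))
    print("verified:", flash_verified(GOOD_IMAGE, INTERRUPTED))
    print("first differing sector: 0x%08x" % changed_sectors(GOOD_IMAGE, INTERRUPTED)[0])
```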
The Future
I think these radios might be a good target for some custom firmware. The platform does have a significant amount of code available, but the problem is that the baseband code is not a part of that code. Without this, the radio will run a program, but will not be much of a radio. But it may be possible to reuse the baseband code that is already in the firmware.