Flash firmware to an AUCTUS A6 based radio

GOCOM and COTRE radios are based on the AUCTUS A6 SOC which is a derivative of the RDA cell phone SOCs, like the RDA 8809. You can use the tools for these RDA chips can be used to flash firmware on these radios. The radios include a debug port with full control over the device and can be used to completely rewrite the flash on the device. The procedure will even work with bricked radios and those which are password protected.

First, you need to get the platform tools. Thankfully the RDA platform tools, Cooltools, have been made available to the public.

All that is needed to flash the radio is to connect it to the host computer using the programming cable via the headset jack. The same setup that you use to write the codeplug will also work for flashing firmware.

Cooltools includes several different tools for interacting with these chips. The primary tool in this toolkit is Coolwatcher which can be used to probe, profile, and debug the RDA processors and their firmware.

We are going to use it to flash firmware onto the radio.

When starting Coolwatcher, the program prompts you for a profile for the radio. I have found that the 8809 profile seems the most similar. Before hitting ok, we need to scroll down and select which serial port to use. Enter the appropriate value on this line and hit start.

Coolwatcher startup screen

Select the RDA 8809 profile.

Coolwatcher startup screen COM port selection

And scroll down to select the right COM port under Windows or device under linux.

Coolwatcher flashing buttons

These are the three buttons to use to flash firmware. The first selects the lod file. The second selects the flashing program. The third flashes the ROM.

Flashing firmware is as easy as 1, 2, 3.

First is the lod file. The lod file contains the firmware to flash. You can turn a bin into a lod using bin2lod from lodtools. The bin file can be created by dumping the firmware from the radio using a6tools to dump 0x88000000 to 0x88400000 from the radio.

Second, select the appropriate flashing program. These programs are also lod files and will be loaded into the device RAM and executed. You need to pick the right one for the device. The program that worked for me is in the cooltools directory, chipgen/Modem2G/toolpool/plugins/fastpf/flash_programmers/host_8809_flsh_spi32m_ramrun.lod. Be careful as there is a very closely named flash program for the 8909. However, picking the wrong file here will just cause the flash to fail. Rebooting the radio will leave it the same as it was.

Third, click burn and watch the process unfold. The console for the flashing process is in the “Ruby Script” tab. Using the FTDI cable under Windows it took about 70s to flash the radio. Under Linux, it was a little slower and took about 100s.

Now, this would normally be the point where you would receive some dire warning about interrupting this process and bricked radios. It seems to be particularly difficult to leave the radio in an unrecoverable state.

The radio that I use for experiments looks like this:

My sad CO01D radio

Because I soldered on an SMA connector, the case no longer fits. This means that for now the battery is attached by a few layers of tape…

And unsurprisingly, the battery held on with some tape shifted during flashing. The radio lost power. I figured the radio would be toast.

However, this was not the case at all! The radio didn’t boot of course. The serial cable was still attached, and the radio was sending events to Coolwatcher. The debug interface still works.

And because the debug interface is still working, we can reload the flash program and try again. The radio should be quite resistant to bricking.

I think these radios might be a good target for some custom firmware. The platform does have a significant amount of code available, but the problem is that the baseband code is not a part of that code. Without this, the radio will run a program, but will not be much of a radio. But it may be possible to reuse the code for the baseband which is alredy in the firmware.