path: root/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp
Diffstat (limited to '2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp')
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp 157
1 files changed, 157 insertions, 0 deletions
diff --git a/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp
new file mode 100644
index 0000000..ac23f58
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp
@@ -0,0 +1,157 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+HOWTO
+
+How was this done?
+ Various reverse engineering techniques
+ Take actual board apart, note major components
+ Find + use JTAG testpads
+ Find + use serial console
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+Opening the case and void your warranty
+%image "x800_backside_nobat_nocover.jpg"
+Note the convenient test pads beneath the battery
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+Opening the case
+%image "x800_opening_the_case.jpg" 800x600
+If you have a bit of experience in taking apart devices, you can do that without any damage...
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The Mainboard with all its shielding covers
+%image "x800_mainboard_with_shielding.jpg" 800x600
+Obvoiusly, the shielding needs to go
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The application processor section
+%image "x800_application_processor.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The HSDPA modem section
+%image "x800_hsdpa_modem.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The backside
+%image "x800_backside_with_lcm.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+
+ JTAG is a very useful interface
+ boundary scan (EXTEST + INTEST)
+ ARM Integrated Debug Macrocell
+ Find + use JTAG testpads
+ look for suspicious testpads on PCB
+ tracing PCB traces impossible at 8-layer PCB
+ trial + error
+ sometimes you might find schematics ;)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "e680_jtag.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+ Find + use JTAG testpads
+ JTAG is basically a long shift register
+ Input, Output, Clock (TDI, TDO, TCK)
+ Therefore, you can try to shift data in and check if/where it comes out
+ Automatized JTAG search by project "jtagfinder" by Hunz (German CCC member)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_dbgconn_closeup.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_debcon_pcb.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_jtagfinder_probes.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_jtagfinder.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+
+Found JTAG pins
+ Chain 1
+ Samsung S3C2442 Application Processor
+ Has standard ARM JTAG ICE
+ Chain 2
+ CPLD programming interface
+ Remaining work
+ find the nTRST and nSRST pins
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Serial console
+
+
+How to find the serial console
+ Just run some code that you think writes to it
+ Use a Scope to find typical patterns of a serial port
+ I haven't actually done (or needed) this on the glofiish yet, but on many other devices
+ RxD pin is harder to find, just trial+error usually works as soon as you have some interactive prompt that echo's the characters you write
+ Don't forget to add level shifter from 3.3/5V to RS232 levels
+
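Review bot: three slides carry wording errors that should be fixed before this deck is shown: "Obvoiusly" on the shielding slide should be "Obviously", "Opening the case and void your warranty" on the first teardown slide should read "Opening the case and voiding your warranty", and "echo's" in the RxD bullet of the serial console slide should be "echoes". The %image directives are also inconsistent: x800_opening_the_case.jpg and x800_mainboard_with_shielding.jpg are given an explicit 800x600 size while the other images have none, so either size them all or drop the argument. The "JTAG pins" and "Serial console" text slides have two blank lines after the subtitle where the other slides have one, which looks unintentional. Since the file name says INCOMPLETE and the "Found JTAG pins" slide lists nTRST and nSRST as remaining work, the commit message should say what is still missing so a reader of the history knows the deck is a draft.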
+
personal git repositories of Harald Welte. Your mileage may vary