%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
HOWTO

	How was this done?
		Various reverse engineering techniques
			Take actual board apart, note major components
			Find + use JTAG testpads
			Find + use serial console

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

	Opening the case and voiding your warranty
%image "x800_backside_nobat_nocover.jpg"
	Note the convenient test pads beneath the battery

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

	Opening the case
%image "x800_opening_the_case.jpg" 800x600
	If you have a bit of experience in taking apart devices, you can do that without any damage...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

	The Mainboard with all its shielding covers
%image "x800_mainboard_with_shielding.jpg" 800x600
	Obviously, the shielding needs to go

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

	The application processor section
%image "x800_application_processor.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

	The HSDPA modem section
%image "x800_hsdpa_modem.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

	The backside
%image "x800_backside_with_lcm.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	JTAG is a very useful interface
		boundary scan (EXTEST + INTEST)
		ARM Integrated Debug Macrocell
	Find + use JTAG testpads
		look for suspicious testpads on PCB
		tracing PCB traces impossible at 8-layer PCB
		trial + error
		sometimes you might find schematics ;)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Find + use JTAG testpads
%image "e680_jtag.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Find + use JTAG testpads
		JTAG is basically a long shift register
		Input, Output, Clock (TDI, TDO, TCK)
		Therefore, you can try to shift data in and check if/where it comes out
		Automated JTAG search by project "jtagfinder" by Hunz (German CCC member)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Find + use JTAG testpads
%image "x800_dbgconn_closeup.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Find + use JTAG testpads
%image "x800_debcon_pcb.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Find + use JTAG testpads
%image "x800_jtagfinder_probes.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Find + use JTAG testpads
%image "x800_jtagfinder.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Found JTAG pins
		Chain 1
			Samsung S3C2442 Application Processor
			Has standard ARM JTAG ICE
		Chain 2
			CPLD programming interface
	Remaining work
		find the nTRST and nSRST pins

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anatomy of Contemporary Smartphone Hardware
Serial console

	How to find the serial console
		Just run some code that you think writes to it
		Use a Scope to find typical patterns of a serial port
		I haven't actually done (or needed) this on the glofiish yet, but on many other devices
		RxD pin is harder to find, just trial+error usually works as soon as you have some interactive prompt that echoes the characters you write
		Don't forget to add level shifter from 3.3/5V to RS232 levels
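
Added example (not part of the original slides, and not jtagfinder's own code): the shift-register search from the "Find + use JTAG testpads" slide, run against a simulated board. It goes one step beyond the slide by also searching for TMS, which has to walk the TAP state machine into Shift-DR before anything shifts; SimBoard, find_jtag, the pad numbers and the 32-bit register length are constructed for illustration.

```python
from itertools import permutations

# IEEE 1149.1 TAP controller: NEXT[state] = (next if TMS=0, next if TMS=1)
NEXT = [(1, 0), (1, 2), (3, 9), (4, 5), (4, 5), (6, 8), (6, 7), (4, 8),
        (1, 2), (10, 0), (11, 12), (11, 12), (13, 15), (13, 14), (11, 15), (1, 2)]
SHIFT_DR, MAX_CHAIN = 4, 64          # Shift-DR state index; longest register searched
PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed bit pattern to look for on TDO

class SimBoard:
    """Constructed stand-in for a PCB: n pads, four of them wired to one TAP."""
    def __init__(self, n, tck, tms, tdi, tdo, dr_len):
        self.tck, self.tms, self.tdi, self.tdo = tck, tms, tdi, tdo
        self.level = [int(p == tms) for p in range(n)]  # 1149.1: undriven TMS reads as 1
        self.state, self.dr, self.out = 0, [0] * dr_len, 0  # state 0 = Test-Logic-Reset

    def drive(self, pad, value):
        rising = pad == self.tck and value == 1 and self.level[pad] == 0
        self.level[pad] = value
        if rising:
            if self.state == SHIFT_DR:   # register moves one bit towards TDO
                self.out, self.dr = self.dr[0], self.dr[1:] + [self.level[self.tdi]]
            self.state = NEXT[self.state][self.level[self.tms]]

    def read(self, pad):
        return self.out if pad == self.tdo else 0   # every other pad stays silent

def find_jtag(make_board, n_pads):
    """Try every pad assignment; return (tck, tms, tdi, tdo, chain_len) hits."""
    hits = []
    for tck, tms, tdi, tdo in permutations(range(n_pads), 4):
        board = make_board()             # fresh power-up for each attempt
        def clock(tms_v, tdi_v):
            for pad, v in ((tms, tms_v), (tdi, tdi_v), (tck, 1), (tck, 0)):
                board.drive(pad, v)
            return board.read(tdo)
        for t in (1, 1, 1, 1, 1, 0, 1, 0, 0):   # reset, then walk to Shift-DR
            clock(t, 0)
        seen = [clock(0, bit) for bit in PATTERN + [0] * MAX_CHAIN]
        for delay in range(MAX_CHAIN + 1):       # where does the pattern come out?
            if seen[delay:delay + len(PATTERN)] == PATTERN:
                hits.append((tck, tms, tdi, tdo, delay))
                break
    return hits

def demo():
    """Constructed wiring: 8 pads, TAP on pads 5/2/7/0, 32-bit register after reset."""
    return find_jtag(lambda: SimBoard(8, tck=5, tms=2, tdi=7, tdo=0, dr_len=32), 8)

if __name__ == "__main__":
    print(demo())   # [(5, 2, 7, 0, 32)]
```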