import of old now defunct presentation slides svn repo

2 files changed, 654 insertions, 0 deletions

diff --git a/2006/phneutral-a780/abstract.txt b/2006/phneutral-a780/abstract.txt
new file mode 100644
index 0000000..0e0b2c4
--- /dev/null
+++ b/2006/phneutral-a780/abstract.txt
@@ -0,0 +1,65 @@
+* Title: 
+	Towards the first 100% free software GSM phone
+
+* Subtitle: 
+	Reverse Engineering the Motorola EZX (A768,A780,E680) series of Linux-based GSM phones
+	
+* Abstract: 
+	This presentation describes the progress of hacking and extending the
+	Motorola series of Linux based Smartphones, with the ultimate goal to
+	replace all proprietary applications with 100% free software.
+
+* Description: 
+	A longer and detailed description of the event's content (250 to 500 words)
+	It's been two years since Motorola has released the first Linux
+	Smartphone (A768).  More recently, two new models were introduced, the
+	A780 and the E680, the former even officially distributed in Germany
+	and all over the EU.
+
+	What's so special about a Linux based smartphone?  It's special because
+	the Linux kernel acts as an enabler for 3rd party hacks and 3rd party
+	software, like it can be observed with the OpenWRT, OpenTom,
+	NSLU2-Linux, OpenEmbedded, OpenZaurus and other similar projects.
+
+	The author of this presentation has sucessfully obtained "telnet"
+	access to an A780 cellphone, built a matching cross-compilation
+	toolchain and installed various applications for debugging, such as
+	busybox, iptables, nmap, lsof, strace, etc.
+
+	While re-engineering efforts are still in a early stage, work is
+	proceeding extremely fast, and important pieces such as the protocol
+	between the PXA270 frontend processor and the ARM7TDMI GSM processor
+	have already been partially re-engineered.  The project is expected to
+	progress significantly until 22C3.
+
+
+* Please state if you are going to submit a paper to be included in the 22C3
+  Proceedings
+  	Yes
+
+* Please state if you are going to use slides in your talk and in which format
+  you are going to provide a copy
+	Magicpoint or tpp
+
+* Duration of your talk
+
+* Language of your talk
+	en_US
+
+* Links to background information on the talk
+	http://www.motorolafans.com/
+	http://gnumonks.org/~laforge/weblog/linux/a780/
+	http://svnweb.gnumonks.org/trunk/a780/
+
+* Target Group: 
+	Developers
+
+* Resources you need for your talk 
+	digital projector
+
+* Related talks at 22C3 you know of 
+	none
+
+* A lecture logo, square format, min. 128x128 pixels (optional) 
+	none
+
diff --git a/2006/phneutral-a780/openezx.mgp b/2006/phneutral-a780/openezx.mgp
new file mode 100644
index 0000000..8abde5b
--- /dev/null
+++ b/2006/phneutral-a780/openezx.mgp
@@ -0,0 +1,589 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+Motorola EZX
+Linux Smartphones
+
+May 28, 2006
+ph-neutral
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+OpenEZX
+Introduction
+
+
+Who is speaking to you?
+		an independent Free Software developer
+		who earns his living off Free Software since 1997
+		who is one of the authors of the Linux kernel firewall system called netfilter/iptables
+		who can claim to be the first to have enforced the GNU GPL in court
+		who is doing way too many projects simultaneously, one of them OpenEZX
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Contents
+
+	Disclaimer
+	What is OpenEZX
+	History of Motorola Linux Phones
+	A780 / E680(i) overview
+	Techniques for reverse engineering
+	Current status of information about EZX phones
+	OpenEZX software status
+	Another Linux GSM Phone: HTC BlueAngel
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Disclaimer
+
+
+Disclaimer
+	I have no affiliation with Motorola
+	OpenEZX project has no affiliation with Motorola
+	All Information is based on observation, and may be wrong
+	Lots of the work has been done by a large community, I'm a newbie ;)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+What is OpenEZX
+
+
+	OpenEZX project
+		to document EZX phone hardware and software
+		to provide 100% free software stack for frontend CPU
+		might at some future point in time also look into GSM/RF related hacks
+		Homepage: http://openezx.org/ (http://open-ezx.org)
+		Wiki: http://wiki.openezx.org/
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+History
+
+
+History of Motorola Linux based gsm phones
+	A760, A768
+		Released in Asia in 2003
+	EZX (A780, E680, E680i)
+		E680 sold only in asian market
+		A780 sold in China since August 2004
+		A780 first Motorola Linux phone available in EU/US
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780
+
+
+	The A780 phone
+		Quad-band GSM
+		AGPS
+		GPRS, EDGE, HSCSD
+		Intel Xscale based
+		Monta Vista CE Linux
+		Bluetooth
+		USB device port (modem / mass storage)
+		Transflash slot (SD-card in smaller form factor)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+E680/E680i
+
+
+	The E680 phone
+		Like A780
+		No GPS
+		full-size SD/MMC slot
+		FM Radio
+		minor differences in Audio system, GPIO assignment, ...
+
+	The E680i phone
+		seems to only differ in software
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Other Linux Smartphones
+
+	Other Motorola Linux Smartphones
+		E895
+		A1200
+		A910
+		A732
+		A728
+		ROKR E2
+
+	They all have a similar design, so supporting all of them should be possible
+		Unfortunately I don't really have the money to buy/import all of them :(
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Techniques for re-engineering
+
+
+	learn about the device
+		take the device apart
+		take high-res PCB photographs
+		FCC database sometimes quite helpful
+		remove all the shielding covers
+		write down types of all integrated circuits
+		google for those circuits, try locating data sheets
+		sometimes service manuals can be obtained for small fees
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Techniques for re-engineering
+
+
+	try to find a serial console port
+		successful in many embedded devices
+		all you need is a 3.3v<->RS232 level shifter
+		A780: checking all 100+ test points with an oscilloscope :(
+		unfortunately not successful in the case of A780
+
+	try to find a JTAG port
+		cheap JTAG / parallel port adaptors available or DYI
+		only helps if you also have a BSDL file or similar
+		hard to figure out which of the five pins is which
+		be aware: there might be multiple JTAG ports for multiple IC's
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Techniques for re-engineering
+
+
+	access to the OS instead of the UI
+		serial console helps in many cases, not in this one
+		networked devices sometimes have telnet/ssh available
+		exploits of known-to-be-installed software (zlib-1.1.3)
+		try "weird button combinations" at startup
+
+	access to flash memory
+		read out via JTAG
+		if you have shell access, dd if=/dev/mtd* of=...
+		via vendor-supplied flash programming tool
+		copy / unpack / mount flash image to PC workstation
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Techniques for re-engineering
+
+
+	simulation
+		running ARM binaries from device in QEMU emulation
+		commercial ARM emulators
+
+	disassembling
+		WARNING: may be illegal in most jurisdictions
+		use gnu binutils (objdump, ...)
+		use special-purpose proprietary tools (IDA Pro)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 Hardware
+
+
+	In short
+		A Motorola Neptune LTE based mobile phone plus
+		A PXA270 Xscale based PDA in one case
+
+	Application Processor (PXA270)
+		runs heavily modified linux-2.4.20 kernel
+		48MB RAM
+		48MB "wireless" flash
+		software-configurable clock speed up to 400MHz
+		JTAG port on test pads, BSDL file and JFlash available
+		SPI/SSP interface to PCAP and BP
+		directly attached to 320x200 LCD display
+		directly attached to touch screen, buttons
+		directly attached to 1.3Mpixel camera module
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 Hardware
+
+
+	Baseband Processor (Neptune LTE)
+		contains ARM7TDMI for GSM stack
+		contains 566xx DSP for digital baseband
+		JTAG port on test pads, but no BSDL file
+		Connected to Application processor via USB
+		SPI/SSP interface to PCAP and AP
+		UART connected to AGPS processor
+		Connects to GSM SIM module
+		8MB external flash
+		2MB external RAM
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 Hardware
+
+
+	AGPS Processor (Motorola Telematics MG4100)
+		Attached to UART of BP
+		Has it's own Flash and RAM (2MB?)
+
+	PCAP2 (power management, clock and audio peripheral)
+		produces a 16 different voltages
+		handles all mono/stereo audio
+		connected to 2 speakers, microphone, vibrator
+		clock generation
+		SPI/SSP interface to AP and BP
+		Backlight control
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 Hardware
+
+
+RF Part (not very much information known)
+
+	RF6003
+		fractional-n RF synthesizer
+
+	RF2722
+		GPRS/EDGE capable receiver (RX)
+
+	RF3144
+		quad-band power amplifier (TX))))
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 AP Software
+
+
+	linux-2.4.20
+		whole bunch of montavista additions
+		dynamic power management
+		EZX arm subarchitecture
+		low-level drivers for
+			SPI/SSP
+			PCAP Audio (mono/stereo/headset/...)
+			Vibrator (/dev/vibrator)
+			USB host port attached to BP
+			USB device port (belcarra usbd, not gadget)
+			Transflash/SD/MMC
+		THREE proprietary flash file systems
+			Intel VFM (hatcreek.o)
+			m-systems DiskOnChip (tffs.o)
+			third unknown
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 AP Software
+
+
+	mux_cli.o
+		hooks into special functions of USB host driver
+		provides GSM TS07.10 (de)multiplex
+		userspace has tty devices
+
+	gprsv.o
+		implements GPRS line discipline for mux_cli ttys
+		hooks into netfilter to intercept DNS packets ?!?
+		provides gprs0 / grps1 network devices
+
+	ipsec.o
+		proprietary ipsec stack (don't we already have two GPL licensed?)
+		Copyright Certicom Corp
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 Software
+
+
+	Libraries
+		glibc
+	Bluetooth
+		proprietary userspace program directly opens HCI
+	GPS
+		no NMEA, no serial device emulation :(
+		proprietary library / lapid via mux_cli kernel module
+	UI
+		embedded Qt
+		Motorola EZX toolkit
+	Java
+		Full J2ME support
+			(but who wants java if there's linux?)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+A780 Software
+
+
+	Apps
+		Opera
+		Helix Player with codecs
+			aac, amr, mp4, realvideo, mid, mp3, mp4, wma
+		movianVPN
+			proprietary IPsec VPN client
+		CoPilot
+			proprietary GPS navigation, map&route program
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+EZX Firmware Images
+
+
+	EZX Firmware Images
+		Motorola ships .SHX firmware images to service centres
+		No legal way for users to get FW updates
+		Proprietary Windows apps flash phone via USB
+			Motorola PST
+			Motorola RSD lite
+		SHX files contain 'code groups'
+			AP bootloader (blob based)
+			AP linux kernel
+			AP root filesystem
+			AP /ezxlocal filesystem
+			AP "language pack"
+			Bootup Logo/Animation
+			BP OS
+			DSP code
+			Cryptographic Signature(s)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+EZX bootloader
+
+
+	EZX bootloader
+		based on GPL licensed blob
+		source code now finally released by Motorola
+		low-level initialization code (GPIO config, clock, ...)
+		vendor specific USB device that allows for
+			transfer of executable code from USB host
+			execution of transferred executable
+		serial console code is present in binary, but not used :(
+		PST/RSD firmware updates work by uploading a 'ramloader'
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+EZX Firmware Update Process
+
+
+	EZX AP Firmware Update Process
+		Application Processor is put into update mode
+			via two-button combination at bootup
+			via software (writing magic value to start of SDRAM)
+		Application Processor enumerates in firmware update mode
+		Host PC sends executable code (ramldr) to phone memory
+		Host PC sends jump command to make AP execute downloaded code
+		Application Processor re-enumerates as different device
+		Host PC sends content for individual flash partitions into AP RAM
+		AP ramldr code flashes partitions
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+EZX Firmware Update Process
+
+
+	EZX BP Firmware Update Process
+		Application Processor is put into "pass-through mode"
+			via boot loader by fiddling with HCD/OTG/UDC/GPIO regs
+		Host PC is directly attached to Basband Processor
+		Host PC downloads executable code (BP ramldr) to phone memory
+		BP verifies cryptographic signature (RSA 1024?)
+		BP executes BP ramldr
+		Host PC sends content for flash partitions into BP RAM
+		BP ramldr code flashes partitions
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+EZX Firmware Update Process
+
+
+	EZX AGPS Firmware Update Process
+		AGPS attached to UART of BP
+		BP can update AGPS ARM7 firmware via UART
+		Protocol unknown
+
+	EZX Bluetooth Firmware Update Process
+		Broadcom bcm2305 connected to AP UART
+		It can be updated via UART, too
+		Linux kernel driver can only update it via USB, not UART
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+EZX USB (EMU)
+
+
+	EZX phones seem to have USB device port
+		Actually, it's "Enhanced Mini USB" (EMU)
+		Depending on pullup/pulldown/... resistors
+			USB device port
+			Serial port (RS232 at 3.3V levels)
+			Stereo audio signal
+			500mA charger
+			Carkit (easy install, professionally installed)
+			Factory test
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+EZX USB (EMU)
+
+
+	USB Configurations
+		Even in USB device EMU mode, there are many configs
+		Official configs
+			cdc_acm (serial modem emulation for host pc)
+			USB mass storage (transflash and VFAT-on-TFFS devices)
+		Undocumented configs
+			usbnet (network device over USB)
+				Allows telnet into phone
+			PST
+				Mode used by PST Windows App
+			DSPlog
+				Apparently a way to dump data from DSP
+			NetMonitor
+				supposedly for GSM network monitor
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+How to boot via USB
+
+
+	Button combination during power-on gets phone into bootloader
+		bootloader supports download of executable code from USB host into RAM
+		bootloader can jump to downloaded executable code
+	A Linux application (boot_usb) has been developed, using libusb
+		using boot_usb, we can boot our own kernel without flashing device
+		ideal for rapid kernel development
+		not really an option for final EZX distribution, what if no usb host around?
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Status
+
+
+	Status of Free Software on original kernel
+		Updated toolchain (gcc-3.4)
+		Linux native BlueZ bluetooth working
+		netfilter/iptables port (you can do NAT between GPRS and usbnet)
+		nmap/tcpdump/af_packet.o
+		lsof, busybox, bash2, 
+		gameboy emulator
+		qonsole (qt console app with OSD keyboard)
+		
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Status of kernel
+
+
+	The current 2.6.16.13-ezx5 kernel supports
+		PXA270FB with framebuffer based console + backlight
+		Serial Console (STUART on PCB, or FFUART via EMU -> USB)
+		New Driver for SSP/SPI (PCAP)
+		Driver for SD/MMC/Transflash using generic MMC stack
+		USB host controller (OHCI) towards BP working
+		USB device controller working (usbnet)
+		New Touchscreen driver
+		New Keypad driver
+	TODO
+		look into supporting other Motorola Linux phones
+		finish port of TS 07.10 mux and GPRS line discipline
+		fix initial gpio handshake between AP and BP
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Other Software
+
+
+	Other Free Software
+		ezxflash - Linux app (with GUI!) replacing proprietary P2K
+		fbgrabd
+			Daemon that runs fbgrab, creates PNG's and sends them via TCP
+		gpiotool
+			Tool for reading/reconfiguring/setting GPIO pins from userspace
+		pcaptool
+			Tool for reading/writing PCAP registers
+		
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+TODO
+
+
+	TODO
+		some reference application that can make voice and/or data calls from the commandline
+		document Motorola vendor-specific AT commands, add them to libgsm
+		USB On-The-GO support (hardware support present!)
+		discover how DSPlog, PST, other interfaces work
+		dm-crypt for your personal contacts/data
+		native IPsec
+		ScummVM port [320x240 and touchpad, ideal!] :)
+		at some point merge with openembedded.org ?
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenEZX
+Thanks
+
+
+	Thanks to
+		the BBS scene, Z-Netz, FIDO, ...
+			for heavily increasing my computer usage in 1992
+		KNF (http://www.franken.de/)
+			for bringing me in touch with the internet as early as 1994
+			for providing a playground for technical people
+			for telling me about the existance of Linux!
+		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+			for implementing (one of?) the world's best TCP/IP stacks
+		Astaro AG
+			for sponsoring parts of my free software work
+		Chaos Computer Club (http://www.ccc.de/)
+			for providing an inspiring environment for cool hacks
+%size 3
+	The slides and the an according paper of this presentation are available at http://svn.gnumonks.org/projects/presentations
+%size 3