author: Harald Welte <laforge@gnumonks.org> 2015-10-25 21:00:20 +0100
committer: Harald Welte <laforge@gnumonks.org> 2015-10-25 21:00:20 +0100
commit: fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch)
tree: a2011270df48d3501892ac1a56015c8be57e8a7d /2008/smartphone_anatomy-ccc2008
import of old now defunct presentation slides svn repo
Diffstat (limited to '2008/smartphone_anatomy-ccc2008')
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/.agenda.txt.swp bin 0 -> 12288 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/Gta02a5_pcba_cs.jpg bin 0 -> 366567 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/Gta02v1_bottom.jpg bin 0 -> 1045441 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/IMG_8173.JPG bin 0 -> 2166345 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/SimpleComponentDiagram.jpg bin 0 -> 71308 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.jpg bin 0 -> 74511 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.png bin 0 -> 173741 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/agenda.txt 17
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/e680_jtag.jpg bin 0 -> 96700 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/gta02v1_bottom.jpg bin 0 -> 151881 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp 157
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/smartphone-anatomy.mgp 634
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/smartphone-anatomy.pdf bin 0 -> 4312673 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_application_processor.jpg bin 0 -> 133493 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_backside_nobat_nocover.jpg bin 0 -> 76428 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_backside_with_lcm.jpg bin 0 -> 62712 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_dbgconn_closeup.jpg bin 0 -> 91400 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_debcon_pcb.jpg bin 0 -> 86510 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_factorytest.jpg bin 0 -> 39570 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_hsdpa_modem.jpg bin 0 -> 127029 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_jtagfinder.jpg bin 0 -> 43885 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_jtagfinder_probes.jpg bin 0 -> 63122 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_mainboard_with_shielding.jpg bin 0 -> 78293 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_opening_the_case.jpg bin 0 -> 67809 bytes
-rw-r--r-- 2008/smartphone_anatomy-ccc2008/x800_usbdownload.jpg bin 0 -> 33849 bytes
25 files changed, 808 insertions, 0 deletions
diff --git a/2008/smartphone_anatomy-ccc2008/.agenda.txt.swp b/2008/smartphone_anatomy-ccc2008/.agenda.txt.swp
new file mode 100644
index 0000000..31455c4
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/.agenda.txt.swp
Binary files differ
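Review bot: `.agenda.txt.swp` is an editor swap file for agenda.txt (the dot-prefixed `.swp` name is the Vim convention) and should not be part of the import. Swap files can carry the editing user's name, host name and unsaved buffer contents, so drop it from the commit and ignore `*.swp` in the repository.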
diff --git a/2008/smartphone_anatomy-ccc2008/Gta02a5_pcba_cs.jpg b/2008/smartphone_anatomy-ccc2008/Gta02a5_pcba_cs.jpg
new file mode 100644
index 0000000..ffd54b3
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/Gta02a5_pcba_cs.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/Gta02v1_bottom.jpg b/2008/smartphone_anatomy-ccc2008/Gta02v1_bottom.jpg
new file mode 100644
index 0000000..cefda28
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/Gta02v1_bottom.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/IMG_8173.JPG b/2008/smartphone_anatomy-ccc2008/IMG_8173.JPG
new file mode 100644
index 0000000..6b7c7a7
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/IMG_8173.JPG
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/SimpleComponentDiagram.jpg b/2008/smartphone_anatomy-ccc2008/SimpleComponentDiagram.jpg
new file mode 100644
index 0000000..d5fe8f3
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/SimpleComponentDiagram.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.jpg b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.jpg
new file mode 100644
index 0000000..733893e
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.png b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.png
new file mode 100644
index 0000000..b020cc7
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.png
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/agenda.txt b/2008/smartphone_anatomy-ccc2008/agenda.txt
new file mode 100644
index 0000000..9e9e83f
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/agenda.txt
@@ -0,0 +1,17 @@
+differentiation feature phone <-> smartphone
+ feature phone: single CPU: GSM stack + UI on one CPU
+ smartphone: dual CPU: 'digital baseband' + 'application processor'
+
+we will look at some smartphones
+ Openmoko GTA02 (FreeRunner)
+ E-TEN glofiish M800/X800
+ Motorola EZX (A780/A1200/Rokr E6)
+
+Major components
+ show GTA02 SimpleComponentDiagram
+
+anatomy of the GSM side:
+ CPU (ARM7 for 2G, ARM9 for 3G)
+ DSP
+ ADC/DAC
+ RF PA
diff --git a/2008/smartphone_anatomy-ccc2008/e680_jtag.jpg b/2008/smartphone_anatomy-ccc2008/e680_jtag.jpg
new file mode 100644
index 0000000..38a94f9
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/e680_jtag.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/gta02v1_bottom.jpg b/2008/smartphone_anatomy-ccc2008/gta02v1_bottom.jpg
new file mode 100644
index 0000000..963b66c
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/gta02v1_bottom.jpg
Binary files differ
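Review bot: `gta02v1_bottom.jpg` differs from `Gta02v1_bottom.jpg`, added earlier in this same commit, only in the case of its first letter, and the two have different blob ids (963b66c and cefda28), so a checkout on a case-insensitive filesystem cannot hold both. Only the lowercase name is used (`%image "gta02v1_bottom.jpg"` in smartphone-anatomy.mgp); rename or drop the capitalised file.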
diff --git a/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp
new file mode 100644
index 0000000..ac23f58
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp
@@ -0,0 +1,157 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+HOWTO
+
+How was this done?
+ Various reverse engineering techniques
+ Take actual board apart, note major components
+ Find + use JTAG testpads
+ Find + use serial console
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+Opening the case and void your warranty
+%image "x800_backside_nobat_nocover.jpg"
+Note the convenient test pads beneath the battery
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+Opening the case
+%image "x800_opening_the_case.jpg" 800x600
+If you have a bit of experience in taking apart devices, you can do that without any damage...
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The Mainboard with all its shielding covers
+%image "x800_mainboard_with_shielding.jpg" 800x600
+Obvoiusly, the shielding needs to go
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The application processor section
+%image "x800_application_processor.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The HSDPA modem section
+%image "x800_hsdpa_modem.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The backside
+%image "x800_backside_with_lcm.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+
+ JTAG is a very useful interface
+ boundary scan (EXTEST + INTEST)
+ ARM Integrated Debug Macrocell
+ Find + use JTAG testpads
+ look for suspicious testpads on PCB
+ tracing PCB traces impossible at 8-layer PCB
+ trial + error
+ sometimes you might find schematics ;)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "e680_jtag.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+ Find + use JTAG testpads
+ JTAG is basically a long shift register
+ Input, Output, Clock (TDI, TDO, TCK)
+ Therefore, you can try to shift data in and check if/where it comes out
+ Automatized JTAG search by project "jtagfinder" by Hunz (German CCC member)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_dbgconn_closeup.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_debcon_pcb.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_jtagfinder_probes.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_jtagfinder.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+
+Found JTAG pins
+ Chain 1
+ Samsung S3C2442 Application Processor
+ Has standard ARM JTAG ICE
+ Chain 2
+ CPLD programming interface
+ Remaining work
+ find the nTRST and nSRST pins
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Serial console
+
+
+How to find the serial console
+ Just run some code that you think writes to it
+ Use a Scope to find typical patterns of a serial port
+ I haven't actually done (or needed) this on the glofiish yet, but on many other devices
+ RxD pin is harder to find, just trial+error usually works as soon as you have some interactive prompt that echo's the characters you write
+ Don't forget to add level shifter from 3.3/5V to RS232 levels
+
+
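Review bot: the slides in this file (HOWTO, Take hardware apart, JTAG pins, Serial console) all reappear in smartphone-anatomy.mgp, where the HOWTO list is extended with the HaRET and WinMobile driver items, and this copy has no `%include "default.mgp"` preamble, so it reads as a leftover working draft. Either leave it out of the import or say in the commit message why both files are kept. If it stays, it carries the same "Obvoiusly" typo on the shielding slide and ends in two blank lines.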
diff --git a/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.mgp b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.mgp
new file mode 100644
index 0000000..36b8160
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.mgp
@@ -0,0 +1,634 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+Anatomy of
+Contemporary
+Smartphone Hardware
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Introduction
+
+Who is speaking to you?
+ an independent Free Software developer, consultant and trainer
+ 13 years experience using/deploying and developing for Linux on server and workstation
+ 10 years professional experience doing Linux system + kernel level development
+ strong focus on network security and embedded
+ expert in Free and Open Source Software (FOSS) copyright and licensing
+ digital board-level hardware design, esp. embedded systems
+ active developer and contributor to many FOSS projects
+ thus, a techie, who will therefore not have fancy animated slides ;)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Introduction
+
+
+My involvement with mobile phones
+ 2003/2004: gpl-violations.org / Motorola A780
+ 2004: Started OpenEZX for A780 (now E680, A1200, E6, ...)
+ 2006: Bought my first GSM BTS
+ 06/2006-11/2007: Lead System Architect at Openmoko, Inc.
+ 10/2008: Started the 'gnufiish' project
+ 12/2008: Running my own GSM test network (see talk tomorrow morning!)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Introduction
+
+
+What is a Smartphone?
+
+ No clear definition on terminology
+ Many technical people differentiate
+ Feature Phone: Single-CPU phone
+ Single CPU + Single OS for GSM + UI
+ Smartphone: Dual-CPU phone
+ First CPU core for the actual network protocol
+ Second CPU for the UI + Applications
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Smartphone hardware
+
+Major Components (AP side)
+ Application Processor (System-on-a-Chip)
+ Samsung / Marvell / Ti / Freescale
+ Flash (typically SLC or MLC NAND)
+ connects to SoC internal NAND controller
+ RAM (mobileSDRAM / mobileDDR)
+ connects to SoC internal SDRAM controller
+ Power Management Unit (PMU / PMIC)
+ connects via I2C or SPI
+ Audio Codec
+ connects via I2C + PCM
+ Bluetooth
+ connects via UART or SPI
+ WiFi
+ connects via SDIO or SPI
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Smartphone hardware
+
+Major Components (BP side)
+ DSP
+ RF Baseband Signal Processing
+ Voice Signal Processing
+ CPU (typically ARM7)
+ GSM protocol Stack (Layer 2, Layer 3)
+ AT Command Interpreter
+ Typically LCM + Keypad Matrix
+ not used, just for feature phone
+ RF PA (Power Amplifier)
+ Antenna Switch (MEMS SPST)
+ DAC + ADC
+ Voice and Baseband DAC + ADC
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Smartphone hardware
+
+AP / BP hardware interface
+
+ 2G (GSM Voice/SMS/CSD + GPRS)
+ typically connects via (high-speed) UART
+ sometimes USB
+ UART speeds still sufficient
+ 3G (UMTS) / 3.5G (HSDPA/HSUPA)
+ shared memory interface
+ SPI or USB
+ USB by itself is not sufficient
+ doesn't allow for wake-up by BP
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Smartphone hardware
+
+Audio interface
+
+ Typically at least three analog outputs
+ one handset ear speaker
+ one ringtone speaker
+ headphone/earphone/headset
+ Typically at least two analog inputs
+ built-in microphone
+ headphone/earphone/headset
+ GSM Modem interface
+ analog at line-level (for featurephone bb)
+ digital (PCM) in some cases
+ At least two PCM busses
+ one between SoC and Audio Codec
+ one between Bluetooth and Audio Codec
+ Result
+ Complex audio routing/setup
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Smartphone hardware
+
+Audio routing on Openmoko GTA01/GTA02
+%image "WM8753_ALSA_Mapping.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Openmoko hardware
+
+
+Openmoko hardware
+ GTA01 (Neo1973)
+ GTA02 (FreeRunner)
+ Interesting to study, since schematics are public
+ only the GSM baseband side has been removed
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Openmoko hardware
+
+%image "SimpleComponentDiagram.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Openmoko hardware
+
+%image "gta02v1_bottom.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Motorola EZX hardwware
+
+
+Motorola EZX hardwware
+ Generation 1:
+ Motorola A760, A768, A780, E680
+ Hardware mostly known, schematics leaked
+ Generation 2:
+ Motorola A910, A1200, Rokr E6, A1600
+ Hardware mostly known, schematics partially leaked
+ Generation 3:
+ Rokr E8, Rizr Z6, Razr2 V8, i876, U9, A1800
+ Very little knowledge about hardwrae, custom SoC
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Motorola EZX hardwware
+
+EZ Gen1
+ SoC: PXA27x
+ PMU: Motorola PCAP
+ interface: SPI
+ BP: Neptune LTE
+ interface: USB + gpio handshake
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Motorola EZX hardwware
+
+EZ Gen3
+ SoC: Custom Freescale
+ BP: Custom Freescale
+ A lot is unknown
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Community based projects
+
+
+Linux mobile phone community ports
+
+ The vendor ships WM or other OS, community replaces it
+ xda-developers.com community
+ mostly focused on HTC devices
+ way too little developers fro too many devices
+ hardware product cycles getting shorter / faster
+ many new devices based on completely undocumented chipsets
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Linux-friendly hardware
+
+
+The E-TEN glofiish device family
+
+ various devices with different parameters
+ screen full-VGA or QVGA
+ EDGE-only, UMTS or HSDPA
+ keyboard or no keyboard
+ GPS or no GPS
+ Wifi or no Wifi
+ application processor is always the same (S3C2442)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Linux-friendly hardware
+
+I went through this process
+ I found the E-TEN glofiish devices
+ They are very similar to Openmoko
+ Samsung S3C2442 SoC MCP with NAND+SDRAM
+ TD028TTEC1 full-VGA LCM
+ Other hardware parts reasonably supported/known
+ Marvell 8686/libertas WiFi (SPI attached)
+ SiRF GPS (UART attached)
+ CSR Bluetooth (UART attached)
+ Only some unknown parts
+ CPLD for power management and kbd matrix
+ Ericsson GSM Modem (AT commandset documented!)
+ Cameras (I don't really care)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Project gnufiish
+
+
+Project 'gnufiish'
+ Port Linux to the E-TEN glofiish devices
+ Initially to the M800 and X800
+ Almost all glofiish have very similar hardware
+ Openmoko merges all my patches in their kernel!
+ Official inclusion to Openmoko distribution
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Project gnufiish
+
+gnufiish Status
+ Kernel (2.6.24/2.6.27) booted on _first attempt_
+ Working
+ I2C host controller
+ I2C communication to CPLD and FM Radio
+ USB Device mode (Ethernet gadget)
+ Touchscreen input
+ LCM Framebuffer
+ LCM Backlight control
+ GPS and Bluetooth power control
+ GPIO buttons
+ In the works
+ Audio Codec driver (50% done)
+ GSM Modem (SPI) driver (80% done)
+ M800 Keyboard + Capsense driver (25% done)
+ SPI glue to libertas WiFi driver (70% done)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+HOWTO
+
+How was this done?
+ Various reverse engineering techniques
+ Take actual board apart, note major components
+ Use HaRET (hardwar reverse engineering tool)
+ Find + use JTAG testpads
+ Find + use serial console
+ Disassemble WinMobile drivers
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+Opening the case and void your warranty
+%image "x800_backside_nobat_nocover.jpg"
+Note the convenient test pads beneath the battery
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+Opening the case
+%image "x800_opening_the_case.jpg" 800x600
+If you have a bit of experience in taking apart devices, you can do that without any damage...
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The Mainboard with all its shielding covers
+%image "x800_mainboard_with_shielding.jpg" 800x600
+Obvoiusly, the shielding needs to go
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The application processor section
+%image "x800_application_processor.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The HSDPA modem section
+%image "x800_hsdpa_modem.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Take hardware apart
+
+The backside
+%image "x800_backside_with_lcm.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+
+ JTAG is a very useful interface
+ boundary scan (EXTEST + INTEST)
+ ARM Integrated Debug Macrocell
+ Find + use JTAG testpads
+ look for suspicious testpads on PCB
+ tracing PCB traces impossible at 8-layer PCB
+ trial + error
+ sometimes you might find schematics ;)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "e680_jtag.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+ Find + use JTAG testpads
+ JTAG is basically a long shift register
+ Input, Output, Clock (TDI, TDO, TCK)
+ Therefore, you can try to shift data in and check if/where it comes out
+ Automatized JTAG search by project "jtagfinder" by Hunz (German CCC member)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_dbgconn_closeup.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_debcon_pcb.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_jtagfinder_probes.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+Find + use JTAG testpads
+%image "x800_jtagfinder.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+JTAG pins
+
+
+Found JTAG pins
+ Chain 1
+ Samsung S3C2442 Application Processor
+ Has standard ARM JTAG ICE
+ Chain 2
+ CPLD programming interface
+ Remaining work
+ find the nTRST and nSRST pins
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Serial console
+
+
+How to find the serial console
+ Just run some code that you think writes to it
+ Use a Scope to find typical patterns of a serial port
+ I haven't actually done (or needed) this on the glofiish yet, but on many other devices
+ RxD pin is harder to find, just trial+error usually works as soon as you have some interactive prompt that echo's the characters you write
+ Don't forget to add level shifter from 3.3/5V to RS232 levels
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+What's HaRET
+
+What is HaRET
+ a Windows executable program for any WinCE based OS
+ offers a control interface on a TCP port
+ connect to it using haretconsole (python script) on Linux PC
+ supports a number of popular ARM based SoC (PXA, S3C, MSM)
+ features include
+ GPIO state and tracing
+ MMIO read/write
+ virtual/physical memory mapping
+ IRQ tracing (by redirecting IRQ vectors)
+ load Linux into ram and boot it from within WinCE
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Using HaRET
+
+Using HaRET
+ run the program on the target device
+ connect to it using haretconsole over USB-Ethernet
+ read GPIO configuration
+ Create GPIO funciton map based on SoC data sheet
+ watch for GPIO changes
+ remove the signal from the noise
+ exclude unitneresting and frequently changing GPIOs
+ watch for GPIO changes while performing certain events
+ press every button and check
+ start/stop peripherals
+ insert/eject SD card
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Using HaRET
+
+
+Using HARET
+ watch for IRQ changes/events
+ e.g. you see DMA3 interrupts while talking to the GSM
+ read MMIO config of DMA controller to determine user: SPI
+ read SPI controller configuration + DMA controller configuration
+ find RAM address of data buffers read/written by DMA
+ haretconsole writes logfiles
+ you can start to annotate the logfiles
+ of course, all of this could be done using JTAG, too.
+ but with HaRET, you mostly don't need it!!!
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Disassembling WinCE drivers
+
+
+Disassmbling WinCE drivers
+ is the obvious thing to do, right?
+ is actually not all that easy, since
+ WinCE doesn't allow you to read the DLLs
+ not via ActiveSync neither WinCE filesystem API's
+ Apparently, they are pre-linked and not real files anymore
+ luckily, there are tools in the 'ROM cooking' scene
+ hundreds of different tools, almost all need Windows PC
+ therefore, not useful to me
+ conclusion: Need to understand the ROM image format
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Disassembling WinCE ROM files
+
+Disassembling WinCE ROM files
+ 'datextract' to extract different portions like OS image
+ 'x520.pl' to remove spare NAND OOB sectors from image and get a file
+ split resulting image in bootsplash, cabarchive and disk image
+ 'xx1.pl' to split cabarchive into CAB files
+ 'partextract' to split disk image in partitions
+ 'SRPX2XIP.exe' (wine) to decompress XPRS compressed partition0+1
+ 'dumpxip.pl' to dump/recreate files in partition0 and 1
+ 'ImgfsToDump.exe' to dump/recreate files in partition2 (imagefs)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Disassembling WinCE Drivers
+
+
+Disassembling WinCE Drivers
+ Now we finally have the re-created DLL's with the drivers
+ Use your favourite debugger/disassembler to take them apart
+ I'm a big fan of IDA (Interactive Disassembler)
+ The only proprietary software that I license+use in 15 years
+ There's actually a Linux x86 version
+ Was even using it with qemu on my Powerbook some years back
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Disassembling WinCE Drivers
+
+Important drivers
+ pwrbtn.dll: the power button ?!?
+ spkphn.dll: high-level device management
+ i2c.dll: S3C24xx I2C controller driver
+ spi.dll: The GSM Modem SPI driver
+ Sergsm.dll: S3C24xx UART driver, NOT for GSM
+ SerialCSR.dll: CSR Bluetooth driver
+ fm_si4700.dll: The FM Radio (I2C)
+ battdrvr.dll: Battery device (I2C)
+ keypad.dll: Keypad+Keyboard+Capsense (I2C)
+ GSPI8686.dll: Marvell WiFi driver (SPI)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Disassembling WinCE Drivers
+
+Disassembling WinCE drivers
+ Is typically hard, they're completely stripped
+ Windows drivers are very data-driven, not many symbols/functions
+ However, debug statements left by developers are always helpful
+ After some time you get used to it
+ You know your hardware and the IO register bases
+ take it from there, look at register configuration
+ What I've learned about WinCE driver development
+ ... would be an entirely separate talk
+ MSDN luckily has full API documentation
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+WinCE Registry
+
+
+WinCE has a registry, too
+ I never really understood what this registry is all about, but it doesn't matter ;)
+ You can use 'synce-registry' to dump it to Linux
+ Contains important information about
+ how drivers are interconnected
+ various configuration parameters of drivers
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Links
+
+ http://wiki.openmoko.org/
+ http://wiki.openezx.org/Glofiish_X800
+ http://git.openezx.org/?p=gnufiish.git
+ http://eten-users.eu/
+ http://wiki.xda-developers.com/
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Anatomy of Contemporary Smartphone Hardware
+Thanks
+
+
+Thanks to
+ The OpenEZX team that continues the project
+ Openmoko, Inc. for trying to create more open phones
+ Hunz for his jtagfinder
+ xda-developers.org for all their work on WinCE tools
+ eten-users.eu for the various ETEN related ROM cooking projects
+ Willem Jan Hengeveld (itsme) for his M700 ROM tools
+ Samsung, for having 100% open source driver for their SoC's
+ Ericsson, for publishing the full AT command set for their modems
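Review bot: several spelling errors in this file will show on the projected slides: "hardwware" in the title and heading of the Motorola EZX slides, "hardwrae" under Generation 3, "fro" on the community ports slide, "hardwar" in the HaRET expansion, "funciton" and "unitneresting" on the Using HaRET slide, "Disassmbling" on the first WinCE drivers slide and "Obvoiusly" on the shielding slide. The Thanks slide also credits xda-developers.org while the community ports and Links slides use xda-developers.com. Since the commit is a straight import, a follow-up commit for these keeps the import itself faithful.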
diff --git a/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.pdf b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.pdf
new file mode 100644
index 0000000..2905944
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.pdf
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_application_processor.jpg b/2008/smartphone_anatomy-ccc2008/x800_application_processor.jpg
new file mode 100644
index 0000000..2d5fafb
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_application_processor.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_backside_nobat_nocover.jpg b/2008/smartphone_anatomy-ccc2008/x800_backside_nobat_nocover.jpg
new file mode 100644
index 0000000..18267c5
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_backside_nobat_nocover.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_backside_with_lcm.jpg b/2008/smartphone_anatomy-ccc2008/x800_backside_with_lcm.jpg
new file mode 100644
index 0000000..74a4371
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_backside_with_lcm.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_dbgconn_closeup.jpg b/2008/smartphone_anatomy-ccc2008/x800_dbgconn_closeup.jpg
new file mode 100644
index 0000000..112d8f8
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_dbgconn_closeup.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_debcon_pcb.jpg b/2008/smartphone_anatomy-ccc2008/x800_debcon_pcb.jpg
new file mode 100644
index 0000000..87a6bbd
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_debcon_pcb.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_factorytest.jpg b/2008/smartphone_anatomy-ccc2008/x800_factorytest.jpg
new file mode 100644
index 0000000..9447b3a
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_factorytest.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_hsdpa_modem.jpg b/2008/smartphone_anatomy-ccc2008/x800_hsdpa_modem.jpg
new file mode 100644
index 0000000..2612957
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_hsdpa_modem.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_jtagfinder.jpg b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder.jpg
new file mode 100644
index 0000000..e790d4d
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_jtagfinder_probes.jpg b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder_probes.jpg
new file mode 100644
index 0000000..370e215
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder_probes.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_mainboard_with_shielding.jpg b/2008/smartphone_anatomy-ccc2008/x800_mainboard_with_shielding.jpg
new file mode 100644
index 0000000..4630dce
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_mainboard_with_shielding.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_opening_the_case.jpg b/2008/smartphone_anatomy-ccc2008/x800_opening_the_case.jpg
new file mode 100644
index 0000000..f2b46d6
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_opening_the_case.jpg
Binary files differ
diff --git a/2008/smartphone_anatomy-ccc2008/x800_usbdownload.jpg b/2008/smartphone_anatomy-ccc2008/x800_usbdownload.jpg
new file mode 100644
index 0000000..74228a4
--- /dev/null
+++ b/2008/smartphone_anatomy-ccc2008/x800_usbdownload.jpg
Binary files differ
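Review bot: `x800_usbdownload.jpg` is not referenced by any `%image` line in either .mgp file in this commit, and the same holds for `x800_factorytest.jpg`, `IMG_8173.JPG`, `Gta02a5_pcba_cs.jpg` and `WM8753_ALSA_Mapping.png` (the slides use the .jpg variant). If these are kept for reference, a short note in the commit message or a README would say so; otherwise they can be left out.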
personal git repositories of Harald Welte. Your mileage may vary