diff options
author | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
commit | fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch) | |
tree | a2011270df48d3501892ac1a56015c8be57e8a7d /2008/smartphone_anatomy-ccc2008 |
import of old now defunct presentation slides svn repo
Diffstat (limited to '2008/smartphone_anatomy-ccc2008')
25 files changed, 808 insertions, 0 deletions
diff --git a/2008/smartphone_anatomy-ccc2008/.agenda.txt.swp b/2008/smartphone_anatomy-ccc2008/.agenda.txt.swp Binary files differnew file mode 100644 index 0000000..31455c4 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/.agenda.txt.swp diff --git a/2008/smartphone_anatomy-ccc2008/Gta02a5_pcba_cs.jpg b/2008/smartphone_anatomy-ccc2008/Gta02a5_pcba_cs.jpg Binary files differnew file mode 100644 index 0000000..ffd54b3 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/Gta02a5_pcba_cs.jpg diff --git a/2008/smartphone_anatomy-ccc2008/Gta02v1_bottom.jpg b/2008/smartphone_anatomy-ccc2008/Gta02v1_bottom.jpg Binary files differnew file mode 100644 index 0000000..cefda28 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/Gta02v1_bottom.jpg diff --git a/2008/smartphone_anatomy-ccc2008/IMG_8173.JPG b/2008/smartphone_anatomy-ccc2008/IMG_8173.JPG Binary files differnew file mode 100644 index 0000000..6b7c7a7 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/IMG_8173.JPG diff --git a/2008/smartphone_anatomy-ccc2008/SimpleComponentDiagram.jpg b/2008/smartphone_anatomy-ccc2008/SimpleComponentDiagram.jpg Binary files differnew file mode 100644 index 0000000..d5fe8f3 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/SimpleComponentDiagram.jpg diff --git a/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.jpg b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.jpg Binary files differnew file mode 100644 index 0000000..733893e --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.jpg diff --git a/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.png b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.png Binary files differnew file mode 100644 index 0000000..b020cc7 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/WM8753_ALSA_Mapping.png diff --git a/2008/smartphone_anatomy-ccc2008/agenda.txt b/2008/smartphone_anatomy-ccc2008/agenda.txt new file mode 100644 index 0000000..9e9e83f --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/agenda.txt @@ -0,0 +1,17 @@ +differentiation feature phone <-> smartphone + feature phone: single CPU: GSM stack + UI on one CPU + smartphone: dual CPU: 'digital baseband' + 'application processor' + +we will look at some smartphones + Openmoko GTA02 (FreeRunner) + E-TEN glofiish M800/X800 + Motorola EZX (A780/A1200/Rokr E6) + +Major components + show GTA02 SimpleComponentDiagram + +anatomy of the GSM side: + CPU (ARM7 for 2G, ARM9 for 3G) + DSP + ADC/DAC + RF PA diff --git a/2008/smartphone_anatomy-ccc2008/e680_jtag.jpg b/2008/smartphone_anatomy-ccc2008/e680_jtag.jpg Binary files differnew file mode 100644 index 0000000..38a94f9 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/e680_jtag.jpg diff --git a/2008/smartphone_anatomy-ccc2008/gta02v1_bottom.jpg b/2008/smartphone_anatomy-ccc2008/gta02v1_bottom.jpg Binary files differnew file mode 100644 index 0000000..963b66c --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/gta02v1_bottom.jpg diff --git a/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp new file mode 100644 index 0000000..ac23f58 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp @@ -0,0 +1,157 @@ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +HOWTO + +How was this done? + Various reverse engineering techniques + Take actual board apart, note major components + Find + use JTAG testpads + Find + use serial console + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +Opening the case and void your warranty +%image "x800_backside_nobat_nocover.jpg" +Note the convenient test pads beneath the battery + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +Opening the case +%image "x800_opening_the_case.jpg" 800x600 +If you have a bit of experience in taking apart devices, you can do that without any damage... + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The Mainboard with all its shielding covers +%image "x800_mainboard_with_shielding.jpg" 800x600 +Obvoiusly, the shielding needs to go + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The application processor section +%image "x800_application_processor.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The HSDPA modem section +%image "x800_hsdpa_modem.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The backside +%image "x800_backside_with_lcm.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + + + JTAG is a very useful interface + boundary scan (EXTEST + INTEST) + ARM Integrated Debug Macrocell + Find + use JTAG testpads + look for suspicious testpads on PCB + tracing PCB traces impossible at 8-layer PCB + trial + error + sometimes you might find schematics ;) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "e680_jtag.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + + Find + use JTAG testpads + JTAG is basically a long shift register + Input, Output, Clock (TDI, TDO, TCK) + Therefore, you can try to shift data in and check if/where it comes out + Automatized JTAG search by project "jtagfinder" by Hunz (German CCC member) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_dbgconn_closeup.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_debcon_pcb.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_jtagfinder_probes.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_jtagfinder.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + + +Found JTAG pins + Chain 1 + Samsung S3C2442 Application Processor + Has standard ARM JTAG ICE + Chain 2 + CPLD programming interface + Remaining work + find the nTRST and nSRST pins + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Serial console + + +How to find the serial console + Just run some code that you think writes to it + Use a Scope to find typical patterns of a serial port + I haven't actually done (or needed) this on the glofiish yet, but on many other devices + RxD pin is harder to find, just trial+error usually works as soon as you have some interactive prompt that echo's the characters you write + Don't forget to add level shifter from 3.3/5V to RS232 levels + + diff --git a/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.mgp b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.mgp new file mode 100644 index 0000000..36b8160 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.mgp @@ -0,0 +1,634 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + +Anatomy of +Contemporary +Smartphone Hardware + +%center +%size 4 +by + +Harald Welte <laforge@gnumonks.org> + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Introduction + +Who is speaking to you? + an independent Free Software developer, consultant and trainer + 13 years experience using/deploying and developing for Linux on server and workstation + 10 years professional experience doing Linux system + kernel level development + strong focus on network security and embedded + expert in Free and Open Source Software (FOSS) copyright and licensing + digital board-level hardware design, esp. embedded systems + active developer and contributor to many FOSS projects + thus, a techie, who will therefore not have fancy animated slides ;) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Introduction + + +My involvement with mobile phones + 2003/2004: gpl-violations.org / Motorola A780 + 2004: Started OpenEZX for A780 (now E680, A1200, E6, ...) + 2006: Bought my first GSM BTS + 06/2006-11/2007: Lead System Architect at Openmoko, Inc. + 10/2008: Started the 'gnufiish' project + 12/2008: Running my own GSM test network (see talk tomorrow morning!) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Introduction + + +What is a Smartphone? + + No clear definition on terminology + Many technical people differentiate + Feature Phone: Single-CPU phone + Single CPU + Single OS for GSM + UI + Smartphone: Dual-CPU phone + First CPU core for the actual network protocol + Second CPU for the UI + Applications + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Smartphone hardware + +Major Components (AP side) + Application Processor (System-on-a-Chip) + Samsung / Marvell / Ti / Freescale + Flash (typically SLC or MLC NAND) + connects to SoC internal NAND controller + RAM (mobileSDRAM / mobileDDR) + connects to SoC internal SDRAM controller + Power Management Unit (PMU / PMIC) + connects via I2C or SPI + Audio Codec + connects via I2C + PCM + Bluetooth + connects via UART or SPI + WiFi + connects via SDIO or SPI + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Smartphone hardware + +Major Components (BP side) + DSP + RF Baseband Signal Processing + Voice Signal Processing + CPU (typically ARM7) + GSM protocol Stack (Layer 2, Layer 3) + AT Command Interpreter + Typically LCM + Keypad Matrix + not used, just for feature phone + RF PA (Power Amplifier) + Antenna Switch (MEMS SPST) + DAC + ADC + Voice and Baseband DAC + ADC + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Smartphone hardware + +AP / BP hardware interface + + 2G (GSM Voice/SMS/CSD + GPRS) + typically connects via (high-speed) UART + sometimes USB + UART speeds still sufficient + 3G (UMTS) / 3.5G (HSDPA/HSUPA) + shared memory interface + SPI or USB + USB by itself is not sufficient + doesn't allow for wake-up by BP + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Smartphone hardware + +Audio interface + + Typically at least three analog outputs + one handset ear speaker + one ringtone speaker + headphone/earphone/headset + Typically at least two analog inputs + built-in microphone + headphone/earphone/headset + GSM Modem interface + analog at line-level (for featurephone bb) + digital (PCM) in some cases + At least two PCM busses + one between SoC and Audio Codec + one between Bluetooth and Audio Codec + Result + Complex audio routing/setup + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Smartphone hardware + +Audio routing on Openmoko GTA01/GTA02 +%image "WM8753_ALSA_Mapping.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Openmoko hardware + + +Openmoko hardware + GTA01 (Neo1973) + GTA02 (FreeRunner) + Interesting to study, since schematics are public + only the GSM baseband side has been removed + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Openmoko hardware + +%image "SimpleComponentDiagram.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Openmoko hardware + +%image "gta02v1_bottom.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Motorola EZX hardwware + + +Motorola EZX hardwware + Generation 1: + Motorola A760, A768, A780, E680 + Hardware mostly known, schematics leaked + Generation 2: + Motorola A910, A1200, Rokr E6, A1600 + Hardware mostly known, schematics partially leaked + Generation 3: + Rokr E8, Rizr Z6, Razr2 V8, i876, U9, A1800 + Very little knowledge about hardwrae, custom SoC + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Motorola EZX hardwware + +EZ Gen1 + SoC: PXA27x + PMU: Motorola PCAP + interface: SPI + BP: Neptune LTE + interface: USB + gpio handshake + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Motorola EZX hardwware + +EZ Gen3 + SoC: Custom Freescale + BP: Custom Freescale + A lot is unknown + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Community based projects + + +Linux mobile phone community ports + + The vendor ships WM or other OS, community replaces it + xda-developers.com community + mostly focused on HTC devices + way too little developers fro too many devices + hardware product cycles getting shorter / faster + many new devices based on completely undocumented chipsets + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Linux-friendly hardware + + +The E-TEN glofiish device family + + various devices with different parameters + screen full-VGA or QVGA + EDGE-only, UMTS or HSDPA + keyboard or no keyboard + GPS or no GPS + Wifi or no Wifi + application processor is always the same (S3C2442) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Linux-friendly hardware + +I went through this process + I found the E-TEN glofiish devices + They are very similar to Openmoko + Samsung S3C2442 SoC MCP with NAND+SDRAM + TD028TTEC1 full-VGA LCM + Other hardware parts reasonably supported/known + Marvell 8686/libertas WiFi (SPI attached) + SiRF GPS (UART attached) + CSR Bluetooth (UART attached) + Only some unknown parts + CPLD for power management and kbd matrix + Ericsson GSM Modem (AT commandset documented!) + Cameras (I don't really care) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Project gnufiish + + +Project 'gnufiish' + Port Linux to the E-TEN glofiish devices + Initially to the M800 and X800 + Almost all glofiish have very similar hardware + Openmoko merges all my patches in their kernel! + Official inclusion to Openmoko distribution + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Project gnufiish + +gnufiish Status + Kernel (2.6.24/2.6.27) booted on _first attempt_ + Working + I2C host controller + I2C communication to CPLD and FM Radio + USB Device mode (Ethernet gadget) + Touchscreen input + LCM Framebuffer + LCM Backlight control + GPS and Bluetooth power control + GPIO buttons + In the works + Audio Codec driver (50% done) + GSM Modem (SPI) driver (80% done) + M800 Keyboard + Capsense driver (25% done) + SPI glue to libertas WiFi driver (70% done) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +HOWTO + +How was this done? + Various reverse engineering techniques + Take actual board apart, note major components + Use HaRET (hardwar reverse engineering tool) + Find + use JTAG testpads + Find + use serial console + Disassemble WinMobile drivers + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +Opening the case and void your warranty +%image "x800_backside_nobat_nocover.jpg" +Note the convenient test pads beneath the battery + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +Opening the case +%image "x800_opening_the_case.jpg" 800x600 +If you have a bit of experience in taking apart devices, you can do that without any damage... + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The Mainboard with all its shielding covers +%image "x800_mainboard_with_shielding.jpg" 800x600 +Obvoiusly, the shielding needs to go + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The application processor section +%image "x800_application_processor.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The HSDPA modem section +%image "x800_hsdpa_modem.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Take hardware apart + +The backside +%image "x800_backside_with_lcm.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + + + JTAG is a very useful interface + boundary scan (EXTEST + INTEST) + ARM Integrated Debug Macrocell + Find + use JTAG testpads + look for suspicious testpads on PCB + tracing PCB traces impossible at 8-layer PCB + trial + error + sometimes you might find schematics ;) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "e680_jtag.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + + Find + use JTAG testpads + JTAG is basically a long shift register + Input, Output, Clock (TDI, TDO, TCK) + Therefore, you can try to shift data in and check if/where it comes out + Automatized JTAG search by project "jtagfinder" by Hunz (German CCC member) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_dbgconn_closeup.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_debcon_pcb.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_jtagfinder_probes.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + +Find + use JTAG testpads +%image "x800_jtagfinder.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +JTAG pins + + +Found JTAG pins + Chain 1 + Samsung S3C2442 Application Processor + Has standard ARM JTAG ICE + Chain 2 + CPLD programming interface + Remaining work + find the nTRST and nSRST pins + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Serial console + + +How to find the serial console + Just run some code that you think writes to it + Use a Scope to find typical patterns of a serial port + I haven't actually done (or needed) this on the glofiish yet, but on many other devices + RxD pin is harder to find, just trial+error usually works as soon as you have some interactive prompt that echo's the characters you write + Don't forget to add level shifter from 3.3/5V to RS232 levels + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +What's HaRET + +What is HaRET + a Windows executable program for any WinCE based OS + offers a control interface on a TCP port + connect to it using haretconsole (python script) on Linux PC + supports a number of popular ARM based SoC (PXA, S3C, MSM) + features include + GPIO state and tracing + MMIO read/write + virtual/physical memory mapping + IRQ tracing (by redirecting IRQ vectors) + load Linux into ram and boot it from within WinCE + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Using HaRET + +Using HaRET + run the program on the target device + connect to it using haretconsole over USB-Ethernet + read GPIO configuration + Create GPIO funciton map based on SoC data sheet + watch for GPIO changes + remove the signal from the noise + exclude unitneresting and frequently changing GPIOs + watch for GPIO changes while performing certain events + press every button and check + start/stop peripherals + insert/eject SD card + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Using HaRET + + +Using HARET + watch for IRQ changes/events + e.g. you see DMA3 interrupts while talking to the GSM + read MMIO config of DMA controller to determine user: SPI + read SPI controller configuration + DMA controller configuration + find RAM address of data buffers read/written by DMA + haretconsole writes logfiles + you can start to annotate the logfiles + of course, all of this could be done using JTAG, too. + but with HaRET, you mostly don't need it!!! + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Disassembling WinCE drivers + + +Disassmbling WinCE drivers + is the obvious thing to do, right? + is actually not all that easy, since + WinCE doesn't allow you to read the DLLs + not via ActiveSync neither WinCE filesystem API's + Apparently, they are pre-linked and not real files anymore + luckily, there are tools in the 'ROM cooking' scene + hundreds of different tools, almost all need Windows PC + therefore, not useful to me + conclusion: Need to understand the ROM image format + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Disassembling WinCE ROM files + +Disassembling WinCE ROM files + 'datextract' to extract different portions like OS image + 'x520.pl' to remove spare NAND OOB sectors from image and get a file + split resulting image in bootsplash, cabarchive and disk image + 'xx1.pl' to split cabarchive into CAB files + 'partextract' to split disk image in partitions + 'SRPX2XIP.exe' (wine) to decompress XPRS compressed partition0+1 + 'dumpxip.pl' to dump/recreate files in partition0 and 1 + 'ImgfsToDump.exe' to dump/recreate files in partition2 (imagefs) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Disassembling WinCE Drivers + + +Disassembling WinCE Drivers + Now we finally have the re-created DLL's with the drivers + Use your favourite debugger/disassembler to take them apart + I'm a big fan of IDA (Interactive Disassembler) + The only proprietary software that I license+use in 15 years + There's actually a Linux x86 version + Was even using it with qemu on my Powerbook some years back + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Disassembling WinCE Drivers + +Important drivers + pwrbtn.dll: the power button ?!? + spkphn.dll: high-level device management + i2c.dll: S3C24xx I2C controller driver + spi.dll: The GSM Modem SPI driver + Sergsm.dll: S3C24xx UART driver, NOT for GSM + SerialCSR.dll: CSR Bluetooth driver + fm_si4700.dll: The FM Radio (I2C) + battdrvr.dll: Battery device (I2C) + keypad.dll: Keypad+Keyboard+Capsense (I2C) + GSPI8686.dll: Marvell WiFi driver (SPI) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Disassembling WinCE Drivers + +Disassembling WinCE drivers + Is typically hard, they're completely stripped + Windows drivers are very data-driven, not many symbols/functions + However, debug statements left by developers are always helpful + After some time you get used to it + You know your hardware and the IO register bases + take it from there, look at register configuration + What I've learned about WinCE driver development + ... would be an entirely separate talk + MSDN luckily has full API documentation + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +WinCE Registry + + +WinCE has a registry, too + I never really understood what this registry is all about, but it doesn't matter ;) + You can use 'synce-registry' to dump it to Linux + Contains important information about + how drivers are interconnected + various configuration parameters of drivers + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Links + + http://wiki.openmoko.org/ + http://wiki.openezx.org/Glofiish_X800 + http://git.openezx.org/?p=gnufiish.git + http://eten-users.eu/ + http://wiki.xda-developers.com/ + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Anatomy of Contemporary Smartphone Hardware +Thanks + + +Thanks to + The OpenEZX team that continues the project + Openmoko, Inc. for trying to create more open phones + Hunz for his jtagfinder + xda-developers.org for all their work on WinCE tools + eten-users.eu for the various ETEN related ROM cooking projects + Willem Jan Hengeveld (itsme) for his M700 ROM tools + Samsung, for having 100% open source driver for their SoC's + Ericsson, for publishing the full AT command set for their modems diff --git a/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.pdf b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.pdf Binary files differnew file mode 100644 index 0000000..2905944 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/smartphone-anatomy.pdf diff --git a/2008/smartphone_anatomy-ccc2008/x800_application_processor.jpg b/2008/smartphone_anatomy-ccc2008/x800_application_processor.jpg Binary files differnew file mode 100644 index 0000000..2d5fafb --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_application_processor.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_backside_nobat_nocover.jpg b/2008/smartphone_anatomy-ccc2008/x800_backside_nobat_nocover.jpg Binary files differnew file mode 100644 index 0000000..18267c5 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_backside_nobat_nocover.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_backside_with_lcm.jpg b/2008/smartphone_anatomy-ccc2008/x800_backside_with_lcm.jpg Binary files differnew file mode 100644 index 0000000..74a4371 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_backside_with_lcm.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_dbgconn_closeup.jpg b/2008/smartphone_anatomy-ccc2008/x800_dbgconn_closeup.jpg Binary files differnew file mode 100644 index 0000000..112d8f8 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_dbgconn_closeup.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_debcon_pcb.jpg b/2008/smartphone_anatomy-ccc2008/x800_debcon_pcb.jpg Binary files differnew file mode 100644 index 0000000..87a6bbd --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_debcon_pcb.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_factorytest.jpg b/2008/smartphone_anatomy-ccc2008/x800_factorytest.jpg Binary files differnew file mode 100644 index 0000000..9447b3a --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_factorytest.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_hsdpa_modem.jpg b/2008/smartphone_anatomy-ccc2008/x800_hsdpa_modem.jpg Binary files differnew file mode 100644 index 0000000..2612957 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_hsdpa_modem.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_jtagfinder.jpg b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder.jpg Binary files differnew file mode 100644 index 0000000..e790d4d --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_jtagfinder_probes.jpg b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder_probes.jpg Binary files differnew file mode 100644 index 0000000..370e215 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_jtagfinder_probes.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_mainboard_with_shielding.jpg b/2008/smartphone_anatomy-ccc2008/x800_mainboard_with_shielding.jpg Binary files differnew file mode 100644 index 0000000..4630dce --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_mainboard_with_shielding.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_opening_the_case.jpg b/2008/smartphone_anatomy-ccc2008/x800_opening_the_case.jpg Binary files differnew file mode 100644 index 0000000..f2b46d6 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_opening_the_case.jpg diff --git a/2008/smartphone_anatomy-ccc2008/x800_usbdownload.jpg b/2008/smartphone_anatomy-ccc2008/x800_usbdownload.jpg Binary files differnew file mode 100644 index 0000000..74228a4 --- /dev/null +++ b/2008/smartphone_anatomy-ccc2008/x800_usbdownload.jpg |