1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
|
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
Motorola EZX
Linux Smartphones
May 28, 2006
ph-neutral
%center
%size 4
by
Harald Welte <laforge@gnumonks.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Introduction
Who is speaking to you?
an independent Free Software developer
who earns his living off Free Software since 1997
who is one of the authors of the Linux kernel firewall system called netfilter/iptables
who can claim to be the first to have enforced the GNU GPL in court
who is doing way too many projects simultaneously, one of them OpenEZX
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Contents
Disclaimer
What is OpenEZX
History of Motorola Linux Phones
A780 / E680(i) overview
Techniques for reverse engineering
Current status of information about EZX phones
OpenEZX software status
Another Linux GSM Phone: HTC BlueAngel
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Disclaimer
Disclaimer
I have no affiliation with Motorola
OpenEZX project has no affiliation with Motorola
All Information is based on observation, and may be wrong
Lots of the work has been done by a large community, I'm a newbie ;)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
What is OpenEZX
OpenEZX project
to document EZX phone hardware and software
to provide 100% free software stack for frontend CPU
might at some future point in time also look into GSM/RF related hacks
Homepage: http://openezx.org/ (http://open-ezx.org)
Wiki: http://wiki.openezx.org/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
History
History of Motorola Linux based gsm phones
A760, A768
Released in Asia in 2003
EZX (A780, E680, E680i)
E680 sold only in asian market
A780 sold in China since August 2004
A780 first Motorola Linux phone available in EU/US
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780
The A780 phone
Quad-band GSM
AGPS
GPRS, EDGE, HSCSD
Intel Xscale based
Monta Vista CE Linux
Bluetooth
USB device port (modem / mass storage)
Transflash slot (SD-card in smaller form factor)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
E680/E680i
The E680 phone
Like A780
No GPS
full-size SD/MMC slot
FM Radio
minor differences in Audio system, GPIO assignment, ...
The E680i phone
seems to only differ in software
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Other Linux Smartphones
Other Motorola Linux Smartphones
E895
A1200
A910
A732
A728
ROKR E2
They all have a similar design, so supporting all of them should be possible
Unfortunately I don't really have the money to buy/import all of them :(
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Techniques for re-engineering
learn about the device
take the device apart
take high-res PCB photographs
FCC database sometimes quite helpful
remove all the shielding covers
write down types of all integrated circuits
google for those circuits, try locating data sheets
sometimes service manuals can be obtained for small fees
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Techniques for re-engineering
try to find a serial console port
successful in many embedded devices
all you need is a 3.3v<->RS232 level shifter
A780: checking all 100+ test points with an oscilloscope :(
unfortunately not successful in the case of A780
try to find a JTAG port
cheap JTAG / parallel port adaptors available or DYI
only helps if you also have a BSDL file or similar
hard to figure out which of the five pins is which
be aware: there might be multiple JTAG ports for multiple IC's
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Techniques for re-engineering
access to the OS instead of the UI
serial console helps in many cases, not in this one
networked devices sometimes have telnet/ssh available
exploits of known-to-be-installed software (zlib-1.1.3)
try "weird button combinations" at startup
access to flash memory
read out via JTAG
if you have shell access, dd if=/dev/mtd* of=...
via vendor-supplied flash programming tool
copy / unpack / mount flash image to PC workstation
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Techniques for re-engineering
simulation
running ARM binaries from device in QEMU emulation
commercial ARM emulators
disassembling
WARNING: may be illegal in most jurisdictions
use gnu binutils (objdump, ...)
use special-purpose proprietary tools (IDA Pro)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 Hardware
In short
A Motorola Neptune LTE based mobile phone plus
A PXA270 Xscale based PDA in one case
Application Processor (PXA270)
runs heavily modified linux-2.4.20 kernel
48MB RAM
48MB "wireless" flash
software-configurable clock speed up to 400MHz
JTAG port on test pads, BSDL file and JFlash available
SPI/SSP interface to PCAP and BP
directly attached to 320x200 LCD display
directly attached to touch screen, buttons
directly attached to 1.3Mpixel camera module
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 Hardware
Baseband Processor (Neptune LTE)
contains ARM7TDMI for GSM stack
contains 566xx DSP for digital baseband
JTAG port on test pads, but no BSDL file
Connected to Application processor via USB
SPI/SSP interface to PCAP and AP
UART connected to AGPS processor
Connects to GSM SIM module
8MB external flash
2MB external RAM
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 Hardware
AGPS Processor (Motorola Telematics MG4100)
Attached to UART of BP
Has it's own Flash and RAM (2MB?)
PCAP2 (power management, clock and audio peripheral)
produces a 16 different voltages
handles all mono/stereo audio
connected to 2 speakers, microphone, vibrator
clock generation
SPI/SSP interface to AP and BP
Backlight control
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 Hardware
RF Part (not very much information known)
RF6003
fractional-n RF synthesizer
RF2722
GPRS/EDGE capable receiver (RX)
RF3144
quad-band power amplifier (TX))))
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 AP Software
linux-2.4.20
whole bunch of montavista additions
dynamic power management
EZX arm subarchitecture
low-level drivers for
SPI/SSP
PCAP Audio (mono/stereo/headset/...)
Vibrator (/dev/vibrator)
USB host port attached to BP
USB device port (belcarra usbd, not gadget)
Transflash/SD/MMC
THREE proprietary flash file systems
Intel VFM (hatcreek.o)
m-systems DiskOnChip (tffs.o)
third unknown
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 AP Software
mux_cli.o
hooks into special functions of USB host driver
provides GSM TS07.10 (de)multiplex
userspace has tty devices
gprsv.o
implements GPRS line discipline for mux_cli ttys
hooks into netfilter to intercept DNS packets ?!?
provides gprs0 / grps1 network devices
ipsec.o
proprietary ipsec stack (don't we already have two GPL licensed?)
Copyright Certicom Corp
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 Software
Libraries
glibc
Bluetooth
proprietary userspace program directly opens HCI
GPS
no NMEA, no serial device emulation :(
proprietary library / lapid via mux_cli kernel module
UI
embedded Qt
Motorola EZX toolkit
Java
Full J2ME support
(but who wants java if there's linux?)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
A780 Software
Apps
Opera
Helix Player with codecs
aac, amr, mp4, realvideo, mid, mp3, mp4, wma
movianVPN
proprietary IPsec VPN client
CoPilot
proprietary GPS navigation, map&route program
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
EZX Firmware Images
EZX Firmware Images
Motorola ships .SHX firmware images to service centres
No legal way for users to get FW updates
Proprietary Windows apps flash phone via USB
Motorola PST
Motorola RSD lite
SHX files contain 'code groups'
AP bootloader (blob based)
AP linux kernel
AP root filesystem
AP /ezxlocal filesystem
AP "language pack"
Bootup Logo/Animation
BP OS
DSP code
Cryptographic Signature(s)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
EZX bootloader
EZX bootloader
based on GPL licensed blob
source code now finally released by Motorola
low-level initialization code (GPIO config, clock, ...)
vendor specific USB device that allows for
transfer of executable code from USB host
execution of transferred executable
serial console code is present in binary, but not used :(
PST/RSD firmware updates work by uploading a 'ramloader'
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
EZX Firmware Update Process
EZX AP Firmware Update Process
Application Processor is put into update mode
via two-button combination at bootup
via software (writing magic value to start of SDRAM)
Application Processor enumerates in firmware update mode
Host PC sends executable code (ramldr) to phone memory
Host PC sends jump command to make AP execute downloaded code
Application Processor re-enumerates as different device
Host PC sends content for individual flash partitions into AP RAM
AP ramldr code flashes partitions
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
EZX Firmware Update Process
EZX BP Firmware Update Process
Application Processor is put into "pass-through mode"
via boot loader by fiddling with HCD/OTG/UDC/GPIO regs
Host PC is directly attached to Basband Processor
Host PC downloads executable code (BP ramldr) to phone memory
BP verifies cryptographic signature (RSA 1024?)
BP executes BP ramldr
Host PC sends content for flash partitions into BP RAM
BP ramldr code flashes partitions
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
EZX Firmware Update Process
EZX AGPS Firmware Update Process
AGPS attached to UART of BP
BP can update AGPS ARM7 firmware via UART
Protocol unknown
EZX Bluetooth Firmware Update Process
Broadcom bcm2305 connected to AP UART
It can be updated via UART, too
Linux kernel driver can only update it via USB, not UART
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
EZX USB (EMU)
EZX phones seem to have USB device port
Actually, it's "Enhanced Mini USB" (EMU)
Depending on pullup/pulldown/... resistors
USB device port
Serial port (RS232 at 3.3V levels)
Stereo audio signal
500mA charger
Carkit (easy install, professionally installed)
Factory test
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
EZX USB (EMU)
USB Configurations
Even in USB device EMU mode, there are many configs
Official configs
cdc_acm (serial modem emulation for host pc)
USB mass storage (transflash and VFAT-on-TFFS devices)
Undocumented configs
usbnet (network device over USB)
Allows telnet into phone
PST
Mode used by PST Windows App
DSPlog
Apparently a way to dump data from DSP
NetMonitor
supposedly for GSM network monitor
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
How to boot via USB
Button combination during power-on gets phone into bootloader
bootloader supports download of executable code from USB host into RAM
bootloader can jump to downloaded executable code
A Linux application (boot_usb) has been developed, using libusb
using boot_usb, we can boot our own kernel without flashing device
ideal for rapid kernel development
not really an option for final EZX distribution, what if no usb host around?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Status
Status of Free Software on original kernel
Updated toolchain (gcc-3.4)
Linux native BlueZ bluetooth working
netfilter/iptables port (you can do NAT between GPRS and usbnet)
nmap/tcpdump/af_packet.o
lsof, busybox, bash2,
gameboy emulator
qonsole (qt console app with OSD keyboard)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Status of kernel
The current 2.6.16.13-ezx5 kernel supports
PXA270FB with framebuffer based console + backlight
Serial Console (STUART on PCB, or FFUART via EMU -> USB)
New Driver for SSP/SPI (PCAP)
Driver for SD/MMC/Transflash using generic MMC stack
USB host controller (OHCI) towards BP working
USB device controller working (usbnet)
New Touchscreen driver
New Keypad driver
TODO
look into supporting other Motorola Linux phones
finish port of TS 07.10 mux and GPRS line discipline
fix initial gpio handshake between AP and BP
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Other Software
Other Free Software
ezxflash - Linux app (with GUI!) replacing proprietary P2K
fbgrabd
Daemon that runs fbgrab, creates PNG's and sends them via TCP
gpiotool
Tool for reading/reconfiguring/setting GPIO pins from userspace
pcaptool
Tool for reading/writing PCAP registers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
TODO
TODO
some reference application that can make voice and/or data calls from the commandline
document Motorola vendor-specific AT commands, add them to libgsm
USB On-The-GO support (hardware support present!)
discover how DSPlog, PST, other interfaces work
dm-crypt for your personal contacts/data
native IPsec
ScummVM port [320x240 and touchpad, ideal!] :)
at some point merge with openembedded.org ?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenEZX
Thanks
Thanks to
the BBS scene, Z-Netz, FIDO, ...
for heavily increasing my computer usage in 1992
KNF (http://www.franken.de/)
for bringing me in touch with the internet as early as 1994
for providing a playground for technical people
for telling me about the existance of Linux!
Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
for implementing (one of?) the world's best TCP/IP stacks
Astaro AG
for sponsoring parts of my free software work
Chaos Computer Club (http://www.ccc.de/)
for providing an inspiring environment for cool hacks
%size 3
The slides and the an according paper of this presentation are available at http://svn.gnumonks.org/projects/presentations
%size 3
|
