path: root/2008/smartphone_anatomy-ccc2008/smartphone-anatomy-INCOMPLETE.mgp
blob: ac23f587dfaeea47ca93363fd11a9291c5df8017 (plain)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
HOWTO

How was this done?
	Various reverse engineering techniques
		Take actual board apart, note major components
		Find + use JTAG testpads
		Find + use serial console

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

Opening the case and voiding your warranty
%image "x800_backside_nobat_nocover.jpg"
Note the convenient test pads beneath the battery 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

Opening the case
%image "x800_opening_the_case.jpg" 800x600
If you have a bit of experience in taking apart devices, you can do that without any damage...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

The Mainboard with all its shielding covers
%image "x800_mainboard_with_shielding.jpg" 800x600
Obviously, the shielding needs to go

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

The application processor section
%image "x800_application_processor.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

The HSDPA modem section
%image "x800_hsdpa_modem.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
Take hardware apart

The backside
%image "x800_backside_with_lcm.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins


	JTAG is a very useful interface
		boundary scan (EXTEST + INTEST)
		ARM Integrated Debug Macrocell
	Find + use JTAG testpads
		look for suspicious testpads on PCB
		tracing PCB traces is impossible on an 8-layer PCB
		trial + error
		sometimes you might find schematics ;)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins

Find + use JTAG testpads
%image "e680_jtag.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins

	Find + use JTAG testpads
		JTAG is basically a long shift register
		Input, Output, Clock (TDI, TDO, TCK)
		Therefore, you can try to shift data in and check if/where it comes out
		Automated JTAG search: the "jtagfinder" project by Hunz (German CCC member)

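The shift-register idea above, worked through as an added example (this is not code from these slides, from Harald Welte or from the jtagfinder project): a minimal IEEE 1149.1 TAP model sits behind a set of simulated test pads, and the search tries every (TCK, TMS, TDI, TDO) assignment, resets the TAP through TMS, moves to Shift-DR, shifts a random pattern in and looks for it coming out delayed. The delay it reports is the total data-register length of the chain, so a single 32-bit IDCODE register shows up as 32 and two devices in one chain as 64. All pad numbers, the ID code and the "echo" pad (a pad hard-wired to another one, which returns the pattern with zero delay and must be rejected) are constructed for the simulation; nothing here corresponds to the glofiish board.

```python
"""Brute-force JTAG pin search against a simulated board.

Added example (not from the slides, nor from Harald Welte's or Hunz's code):
it models the shift-register idea on the slide.  Everything below (pad
numbers, the 32-bit ID code, the "echo" pad) is constructed for the
simulation.
"""
import itertools
import random

# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next if TMS=1)
TAP_NEXT = {
    "TLR": ("RTI", "TLR"),          "RTI": ("RTI", "SEL_DR"),
    "SEL_DR": ("CAP_DR", "SEL_IR"), "CAP_DR": ("SH_DR", "EX1_DR"),
    "SH_DR": ("SH_DR", "EX1_DR"),   "EX1_DR": ("PAU_DR", "UPD_DR"),
    "PAU_DR": ("PAU_DR", "EX2_DR"), "EX2_DR": ("SH_DR", "UPD_DR"),
    "UPD_DR": ("RTI", "SEL_DR"),    "SEL_IR": ("CAP_IR", "TLR"),
    "CAP_IR": ("SH_IR", "EX1_IR"),  "SH_IR": ("SH_IR", "EX1_IR"),
    "EX1_IR": ("PAU_IR", "UPD_IR"), "PAU_IR": ("PAU_IR", "EX2_IR"),
    "EX2_IR": ("SH_IR", "UPD_IR"),  "UPD_IR": ("RTI", "SEL_DR"),
}
IDCODE_BITS = 32
CONSTRUCTED_IDCODE = 0x0BADC0DF  # made-up value; a real IDCODE also has LSB = 1


class SimTap:
    """One TAP; after reset its data register is the 32-bit IDCODE register."""

    def __init__(self, idcode):
        self.idcode = idcode
        self.state = "RTI"  # power-on state is unknown to the searcher
        self.dr = 0

    def clock(self, tms, tdi):
        """One rising TCK edge; returns the TDO bit sampled at that edge."""
        tdo = 0
        if self.state == "CAP_DR":
            self.dr = self.idcode                  # parallel load in Capture-DR
        elif self.state == "SH_DR":
            tdo = self.dr & 1                      # LSB leaves through TDO ...
            self.dr = (self.dr >> 1) | (tdi << (IDCODE_BITS - 1))  # ... TDI enters at MSB
        self.state = TAP_NEXT[self.state][tms]
        return tdo


class SimBoard:
    """N test pads; four carry a JTAG chain, an 'echo' pad just mirrors another pad."""

    def __init__(self, n_pads, tck, tms, tdi, tdo, chain, echo=None):
        self.pins = {"tck": tck, "tms": tms, "tdi": tdi, "tdo": tdo}
        self.chain = chain            # SimTap list, wired TDI -> chain[0] -> ... -> TDO
        self.echo = echo or {}        # pad -> pad it mirrors (constructed false friend)
        self.level = [0] * n_pads

    def pulse(self, tck_pad, drive):
        """Drive the given pad levels, raise tck_pad, return every pad's level."""
        for pad, bit in drive.items():
            self.level[pad] = bit
        self.level[tck_pad] = 1
        if tck_pad == self.pins["tck"]:        # a real TCK edge clocks the whole chain
            tms, bit = self.level[self.pins["tms"]], self.level[self.pins["tdi"]]
            for tap in self.chain:
                bit = tap.clock(tms, bit)      # each TAP's TDO feeds the next TDI
            self.level[self.pins["tdo"]] = bit
        for dst, src in self.echo.items():
            self.level[dst] = self.level[src]
        return list(self.level)


def find_jtag(board, pads, pattern_len=96, seed=1):
    """Try every (TCK, TMS, TDI, TDO) assignment of the candidate pads.

    Returns the assignment plus the data-register chain length, or None if
    no pad ever returns the shifted-in pattern with a delay of >= 1 bit.
    """
    pads = list(pads)
    rng = random.Random(seed)
    pattern = [rng.randrange(2) for _ in range(pattern_len)]
    for tck, tms, tdi, tdo in itertools.permutations(pads, 4):
        def clk(tms_bit, tdi_bit):
            drive = {p: 1 for p in pads if p != tck}   # park the rest high: a wrongly
            drive[tms], drive[tdi] = tms_bit, tdi_bit  # guessed TMS then holds reset
            return board.pulse(tck, drive)[tdo]
        for _ in range(5):            # TMS high for 5 clocks: Test-Logic-Reset from any state
            clk(1, 0)
        for t in (0, 1, 0, 0):        # TLR -> RTI -> Select-DR -> Capture-DR -> Shift-DR
            clk(t, 0)
        out = [clk(0, b) for b in pattern]
        # A real chain returns the pattern delayed by its total DR length; delay 0
        # is just a wire (or the echo pad) and is not accepted.
        for delay in range(1, pattern_len - 31):    # require >= 32 matching bits
            if out[delay:] == pattern[:pattern_len - delay]:
                return {"TCK": tck, "TMS": tms, "TDI": tdi, "TDO": tdo, "dr_bits": delay}
    return None


def demo():
    """Constructed board: 8 pads, JTAG on pads 5/2/7/1, pad 4 hard-wired to pad 6."""
    board = SimBoard(8, tck=5, tms=2, tdi=7, tdo=1,
                     chain=[SimTap(CONSTRUCTED_IDCODE)], echo={4: 6})
    return find_jtag(board, range(8))


if __name__ == "__main__":
    print(demo())
```

Resetting through five TMS-high clocks is what makes the search work without knowing nTRST (the slide lists that pin as remaining work): the TAP reaches Test-Logic-Reset from any state, and because every pad that is not the current TCK candidate is parked high, a wrongly guessed TMS keeps the real TAP in reset instead of leaving it wherever an earlier attempt left it. On real hardware the same search is done with the probes shown on the following slides; the model only replaces the board.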
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins

Find + use JTAG testpads
%image "x800_dbgconn_closeup.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins

Find + use JTAG testpads
%image "x800_debcon_pcb.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins

Find + use JTAG testpads
%image "x800_jtagfinder_probes.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins

Find + use JTAG testpads
%image "x800_jtagfinder.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
JTAG pins


Found JTAG pins
	Chain 1
		Samsung S3C2442 Application Processor
		Has standard ARM JTAG ICE
	Chain 2
		CPLD programming interface
	Remaining work
		find the nTRST and nSRST pins

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Anatomy of Contemporary Smartphone Hardware
Serial console


How to find the serial console
	Just run some code that you think writes to it
	Use a scope to find the typical patterns of a serial port
	I haven't actually done (or needed) this on the glofiish yet, but on many other devices
	RxD pin is harder to find; trial+error usually works as soon as you have some interactive prompt that echoes the characters you write
	Don't forget to add a level shifter from 3.3/5V to RS232 levels

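The "typical patterns of a serial port" that the scope shows can also be picked out of a logic-analyser capture automatically. The following is an added example, not code from the slides: it takes a sample stream from one test pad, finds the narrowest pulse (one bit time in 8N1 traffic, which gives the baud rate), then decodes frames by waiting for the falling start-bit edge and sampling each bit at its centre. The capture is constructed inside the script from a made-up prompt string; the sample rate, oversampling factor and the standard-baud table are assumptions, and only the TxD side is covered, since RxD gives nothing to observe.

```python
"""Recover a serial console (TxD) from a logic-analyser capture of one pad.

Added example, not code from the slides.  An 8N1 frame is idle-high, one
low start bit, 8 data bits LSB first and one high stop bit; the narrowest
run of equal samples in real traffic is one bit period, which gives the
baud rate.  The capture below is constructed in encode_8n1(), not recorded.
"""

OVERSAMPLE = 16                      # constructed: samples per bit in the capture
SAMPLE_RATE = 115200 * OVERSAMPLE    # Hz, constructed: 16x oversampling of 115200 baud
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)


def encode_8n1(text, oversample=OVERSAMPLE, idle=3):
    """Constructed capture: the sample stream a UART TX pin would show for text."""
    samples = [1] * (oversample * idle)                     # line idles high
    for byte in text.encode():
        bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]  # start, d0..d7, stop
        for b in bits:
            samples.extend([b] * oversample)
    samples.extend([1] * (oversample * idle))
    return samples


def bit_period(samples):
    """Shortest run of equal samples between the idle stretches: one bit time.

    Assumes the traffic contains at least one isolated bit, which any
    realistic text does; returns None for a capture with no activity.
    """
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return min(runs[1:-1]) if len(runs) > 2 else None


def guess_baud(period, sample_rate=SAMPLE_RATE):
    """Snap the measured bit rate to the nearest standard baud rate."""
    raw = sample_rate / period
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def decode_8n1(samples, period):
    """Decode 8N1 frames: wait for a falling edge, sample each bit at its centre.

    Returns (decoded bytes, number of framing errors).
    """
    out, errors, i, n = bytearray(), 0, 1, len(samples)
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):   # hunt for a start-bit edge
            i += 1
            continue
        centre = [i + k * period + period // 2 for k in range(10)]  # 0 = start, 9 = stop
        if centre[9] >= n:
            break
        if samples[centre[0]] != 0:          # too short for a start bit: a glitch
            i += 1
            continue
        value = sum(samples[centre[k + 1]] << k for k in range(8))  # LSB first
        if samples[centre[9]] == 1:
            out.append(value)
        else:
            errors += 1                      # framing error: stop bit must be high
        i += 10 * period                     # past the stop bit; resync on the next edge
    return bytes(out), errors


def demo():
    """Constructed capture of a made-up prompt; returns (baud, text, framing errors)."""
    samples = encode_8n1("boot> ")
    period = bit_period(samples)
    text, errors = decode_8n1(samples, period)
    return guess_baud(period), text.decode(errors="replace"), errors


if __name__ == "__main__":
    print(demo())
```

A capture that decodes cleanly at the guessed rate with zero framing errors is the strongest hint that the pad really is a console TxD; a mostly-right rate with many framing errors usually means the minimum run was two bits wide or the sample rate guess is off, and a real recording should be resampled before concluding anything. The level shifter from the slide still applies: the analyser sees 3.3/5 V logic, not RS232 levels.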

personal git repositories of Harald Welte. Your mileage may vary