Hello,
I finally got some time to play with OsmocomBB again. It works intermittently on my Pirelli DP-L10: sometimes ok, other times MO call attempts fail inexplicably and there are messages pouring in the vty window about network contact being lost and reestablished.
I suspect that the lack of RF calibration may be an issue, especially considering that I'm in PCS land whereas most active developers are in EGSM/DCS. So I got this crazy idea: what if we can figure out where and how the original factory calibration values are stored, and make use of them? It looks like the last 64kb sector of the flash (at 0x027f0000 as seen by the cpu) is where the factory data are stored, but the format looks incomprehensible. :(
So here's what I'm thinking: I would like to try putting JTAG on this phone, and using a hardware watchpoint to catch where the proprietary fw reads from the 0x027f0000-0x027fffff region.
I saw in the Wiki that there is an unpopulated footprint for a JTAG connector, and upon taking my phone apart, I have confirmed that it's there indeed. But I wonder, has anyone here (steve-m perhaps?) actually used this JTAG interface and got it to work? If someone has, I'd like to ask the following:
* What connector part did you populate on that footprint?
* What actual JTAG adapter gadget did you use?
* How did you connect that JTAG adapter gadget to the phone?
Thanks, Kim
Hi,
On 25.07.2013 23:41, ubuntugirl wrote:
> - What connector part did you populate on that footprint?
None, actually. I just directly soldered some pieces of enamelled wire to the pads of the footprint.
> - What actual JTAG adapter gadget did you use?
I used a Bus Blaster v2, but any other adapter that is supported by OpenOCD and can handle 3.3V levels should work fine. (Actually the Calypso uses 2.8V IO-levels, but 3.3V works anyway).
> - How did you connect that JTAG adapter gadget to the phone?
I soldered the wires to a 0.1" pin header, and then used a few 1 pin female-female jumper wires to connect them to the Bus Blaster.
Regards, Steve
On 7/26/13, Steve Markgraf <steve@steve-m.de> wrote:
> None, actually. I just directly soldered some pieces of enamelled wire to the pads of the footprint.
Got it. I thought initially that populating the "proper" connector on there (an FPC one, no doubt) would probably be cleaner, but then one would need a custom-made FPC cable to go with that... too expensive. :(
> I used a Bus Blaster v2, but any other adapter that is supported by OpenOCD and can handle 3.3V levels should work fine. (Actually the Calypso uses 2.8V IO-levels, but 3.3V works anyway).
Thanks for the info. At my day job we have some other jtaggers (don't remember the make & model) that appear to be similar (also based on the FTDI chip) - when I'm back at work, I'll take a look and see if they support 3.3V or 2.8V.
> I soldered the wires to a 0.1" pin header, and then used a few 1 pin female-female jumper wires to connect them to the Bus Blaster.
Sounds reasonable... will probably do the same or similar once I get my own BB or a similar jtagger.
Now while I have your attention... I'm trying to gain a better understanding of the display subsystem on this phone - maybe even get the camera to work (dreaming). I wonder, has anyone been able to find a datasheet or other docs for the SPCA552E chip? The code that's currently in git implements a combined driver for the S6B33B1X and this Sunplus chip; the datasheet for the S6B33B1X was readily findable via Google, but not the other chip.
If no one ever succeeded in finding any docs for the SPCA552E, I wonder where the comments on lines 110-123 of src/target/firmware/fb/fb_s6b33b1x.c came from...
Kim
Hi,
On 27.07.2013 20:15, ubuntugirl wrote:
> Now while I have your attention... I'm trying to gain a better understanding of the display subsystem on this phone - maybe even get the camera to work (dreaming). I wonder, has anyone been able to find a datasheet or other docs for the SPCA552E chip? The code that's currently in git implements a combined driver for the S6B33B1X and this Sunplus chip; the datasheet for the S6B33B1X was readily findable via Google, but not the other chip.
> If no one ever succeeded in finding any docs for the SPCA552E, I wonder where the comments on lines 110-123 of src/target/firmware/fb/fb_s6b33b1x.c came from...
Unfortunately there's only a datasheet of the SPCA554 floating around, just search for "SPCA554AV02".
I reverse engineered most of the stuff in this driver via JTAG with OpenOCD by setting data watchpoints/breakpoints on the address of the SPCA. The comments were added by looking up the writes in the datasheet mentioned above and trying to understand what happens, but unfortunately the SPCA552 and 554 seem to have quite a few differences, so not everything could be figured out. At least it was enough information to get the bypass mode working, which was my main goal.
Since the SPCA has an integrated 8051 core, you probably need to upload proprietary code to get the camera working, or you have to rewrite the firmware for this chip as well...
Same thing with the WiFi-chip unfortunately, it needs a proprietary firmware blob.
Regards, Steve
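
Added example, not part of the thread and not OsmocomBB or OpenOCD code: the first message plans a hardware watchpoint over 0x027f0000-0x027fffff, and the ARM7TDMI core in the Calypso has two EmbeddedICE watchpoint units that match an address by value and don't-care mask. The sketch below splits a range into the aligned power-of-two blocks such comparators can express and checks whether it fits in two units; the function names are hypothetical, and whether a given debugger front end accepts a block this large is not covered.

```python
# Added illustration; function names are hypothetical, not OsmocomBB or OpenOCD code.
# Assumption: each watchpoint unit matches when (addr & ~mask) == value, i.e. a
# 1 bit in the mask is "don't care", so one unit covers a power-of-two-sized
# block aligned to its own size. The ARM7TDMI EmbeddedICE has two such units.
EMBEDDED_ICE_UNITS = 2


def watch_units(start, end):
    """Split the inclusive range start..end into (value, mask) comparator pairs."""
    if not 0 <= start <= end <= 0xFFFFFFFF:
        raise ValueError("need 0 <= start <= end within a 32-bit address space")
    pairs = []
    addr, remaining = start, end - start + 1
    while remaining:
        largest_fit = 1 << (remaining.bit_length() - 1)    # biggest 2^n <= remaining
        alignment = addr & -addr if addr else largest_fit  # biggest 2^n dividing addr
        size = min(alignment, largest_fit)
        pairs.append((addr, size - 1))
        addr += size
        remaining -= size
    return pairs


def fits(start, end, units=EMBEDDED_ICE_UNITS):
    """True if the range can be covered with the available watchpoint units."""
    return len(watch_units(start, end)) <= units


def matches(addr, pairs):
    """Model the comparator: does an access to addr trigger any of the pairs?"""
    return any((addr & ~mask & 0xFFFFFFFF) == value for value, mask in pairs)


if __name__ == "__main__":
    # The 64 KiB flash sector named in the first message.
    sector = watch_units(0x027F0000, 0x027FFFFF)
    for value, mask in sector:
        print(f"value=0x{value:08x} mask=0x{mask:08x}")
    print("fits in hardware:", fits(0x027F0000, 0x027FFFFF))
```

Because the sector is aligned to its own size it needs only one of the two units; an unaligned range of similar size can need many more blocks than the hardware has.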
baseband-devel@lists.osmocom.org