Hi, On Fri, Oct 29, 2010 at 6:11 PM, Harald Welte <laforge(a)gnumonks.org> wrote: No I didn't do this, but of course I can try it. In this case, first I'll explain how it works. Nomenclature: 1) internal bootloader - bootloader placed at 0x48000000 in System ROM 2) 2nd stage bootloader or extarnal bootloader - bootloader placed in NAND - initializes DRAM controller and boots MTK's software - this bootloader prints info on UART by default When MT6235 processor starts it has RM1 bit disabled in EMI_GENA register (External Memory Interface controller), which forces ARM926 core to jump first to System ROM (0x48000000). When internal bootloader is executed it initializes UART to 19200n8 and checks if specific character is received. If no character will be received it continues "normal" boot, so fetches code from NAND (checks bootloader header at 0x0 address, then gets 2nd stage bootloader from NAND). In this case there is no security at all. If we would like to boot from NAND, it's just matter of placing proper bootloader header at address 0x0 in NAND, and then placing U-Boot in proper addresses of NAND (I saw that internal bootloader doesn't fetch code from continues addresses, which means that code is scattered). The prove there is no security is that I can execute my own code from the very beginning. When I initialize CPU with JTAG it's hold at 0x0 address (first address executed) and then I just initialize PLL, DRAM controller, load UBoot to external RAM and execute it. Everything works perfect. There is Secure Engine (SEJ) in MT6235 to protcect program in external memory, but it doesn't look like it's used. The other story is second path which can be taken in internal bootloader. This path is taken when some character will be received by UART at the beginning of internal bootloader startup. That's where FlashTool comes in. Flashtool communicates with internal bootloader and sends its own chunk of code which is executed in SRAM. This code is called Download Agent (DA) and it's linked against some security libraries. If you'll try to download your own code (without these libraries) through FlashTool it'll just fail. You can find DA customization kit under following link: http://en.pudn.com/downloads153/sourcecode/comm/mtk/detail675309_en.html This is source code where you can build your own Download Agent. This is how I first executed my own code on MT6235. It has all make files and it's prepared for ADS compiler. When you'll build your own Download Agent you just select this file in FlashTool and you have your code executed in RAM. I saw that you can use it on all MTK platforms. FlashTool links are also available on pudn.com I didn't analyze this path of bootloader, but it could be good to have it if we would like to create our own flashing tool under Linux (i.e. for flashing U-Boot). It means that I was lucky ... Exactly, I wanted to do this with dremel tool but keyboard is sticked on that metal shield (it's visible on attached picture). If I would remove it, then it would be not possible to assemble my phone back. I had just one piece, so decided to make more elegant way. In this case there is register EMI_CONN which has to have single bits enabled/disabled one by one for init sequence. That was the missing point. I agree, but now I have bootloader disassembled and I think it could be possible to download UBoot permanently without risk. We could use that to load our own code to RAM over MMC/SD/serial. Of course, no problem. In attachment you can find pinout of JTAG for Sciphone G2. Yes, I agree. In this case to download U-Boot to NAND we can use FlashTool (only for Windows). Then as you stated we can use U-Boot to load code from SD/MMC/serial. That's great! OK, no problem. That's great. BR, Marcin

Steve Markgraf wrote: Did you check the config? I've seen bad reset signal settings in tcl/target/*.cfg (trst/srst) which stopped me from getting proper control over the core. //Peter

Hi Marcin, did you ever find schematics of the Sciphone G2 anywhere online? It would be great to understand which of the I/O lines are connected to which peripherals, especially for the GSM part. Also, do you know the RF transceiver chip used in the device? We already know the MT6129 and MT6139 from the MT622x based phones, but it might be a different one for the MT6235. -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

Hi, I unsoldered plastic antenna, but there is only WiFi. Seems that RF transceiver is under metal shield. I just received second piece of Sciphone and uploaded new pictures with descriptions on Wiki: http://bb.osmocom.org/trac/wiki/SciphoneDreamG2 Good thing is that I can fit my microSD card sniffer which will make SD controller development easier. First I'll try to identify GPIOs. BR, Marcin

On Wed, Nov 3, 2010 at 6:41 PM, Wolfgang Spraul <wolfgang(a)sharism.cc> wrote: I'm realy suprised :) I didn't expect taht it'll go that far. That's great news! For sure these 9 boards will be useful for this project. Besides running osmocomBB we have to run Linux with drivers for MTK peripherals: GPIO, SD/MMC, NAND, I2C, SPI, UART, PWM, USB, LCD, etc. Most of these peripherals are available on mentioned boards so they'll be useful for drivers development. If it comes to USB cable, it's not that important because L12C connectors (which are in Sciphone G2) are pretty cheap and available here: http://www.ipmart.com/main/product/Cable,Compatible,for,China,Mobile,Phone,… So even without USB cables, LCD, antennas, speakers, etc. boards will be useful for some people. I already answered above. Wow, but I'm not holding my breath yet :) Schematics would be realy useful ... You can also ask about technical documentation for BT chip MT6601. I couldn't find datasheet and it'll be needed to make BT working. That's very good news! I appreciate your help. BR, Marcin

Count me in for this work. I have to admit I never got around to test my Motorola-phones, but the vision to do a full Linux-port surely adds some endorphine here :) BTW while looking for a source for the G2 in Europe, I found this: http://www.digizo.co.uk/products/G2-Sci-phone-Google-Android-Interface-Drea… Dunno if the price is good, but they seem to have a few in stock at least. (I was lucky though to find a used one in London during the two days I was there :)) Regards, Wolfram

Marcin et al, sorry it took a bit longer than I thought, but I was hard at work and can report some good progress. A package with 4 full G2 + 4 PCBA + some USB cables and batteries is on the way to Harald with EMS. Let's hope it arrives soon and without big customs problems. Thanks to generous Bluelans support, I have more stuff here, another 6 full phones (4 with buggy touch panel, 2 should be OK), plus another 4 or 5 PCB. I grinded down 2 PCBs to take pictures of the layers, and I broke another full set to make an illustrated disassembly guide. That set is probably still usable, although at least I ripped off the touch panel cable, and broke the glass under the touch panel, and maybe added some more damage as part of me making the disassembly guide. Well, hopefully it helps others making a safer disassembly, that was the point of it. I kept adding things to my G2 wiki page http://en.qi-hardware.com/wiki/Sciphone_Dream_G2 What we have now is: 1) disassembly guide 2) PCB layers, also 1 large PDF with all layers so it should be easy to flip pages and follow traces 3) G2 schematics PDF, thanks to Bluelans 4) bottom side (LCM side) component placement, thanks to Bluelans That pretty much concludes what I planned to do. Maybe they can find the top side component placement file as well, that would be nice. Not sure though. Also if the first package of phones arrives safely, I have more phones and boards I can send people. I plan to give away everything I have. One thing you could help me with is URLs to the datasheets, as many as we can find, or have open URLs for. http://en.qi-hardware.com/wiki/Sciphone_Dream_G2#Key_Components You mentioned you are looking for MT6601, I can start to ask around a bit, also for the full 6235 SDK if we can find it somewhere. But I don't even have links to the 6235 or 6140 datasheets right now... Hope this helps, good luck for your work! Wolfgang

Marcin, a small update, for completeness... Bluelans digged up and released the battery side component placement PDF file as well, I updated http://en.qi-hardware.com/wiki/Sciphone_Dream_G2#Schematics.2C_component_pl… So we have component placement for both sides now, which should make working with the phone a bit easier... Cheers, Wolfgang

For my part I am totally impressed by the PCB layers images. How do you get them? just grinding with fine sandpaper and a lot of patience, or do you have a machine? Sebastien On Tue, Nov 9, 2010 at 8:24 AM, Harald Welte <laforge(a)gnumonks.org> wrote:

jaki toolchain do arm-a używacie? czy https://sourcery.mentor.com/sgpp/lite/arm/portal/release1592 ? How toolchain for arm-and do you use? or https://sourcery.mentor.com/sgpp/lite/arm/portal/release1592? i have ubuntu 10.04 -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Linux-u-boot-port-to-MT6235-tp17… Sent from the baseband-devel mailing list archive at Nabble.com.

Hi Wolfgang, I'm really amazed by your commitment :) On 03.11.2010 22:47, Harald Welte wrote: By the way - many shops still sell the "Sciphone G2+", do you know the difference compared to the G2? One thing I noticed is that the G2 seems to be triple-band (there's a 850/1800/1900 and a 900/1800/1900 variant), and the G2+ quad-band. Can you confirm this? Regards, Steve

On Tue, Nov 09, 2010 at 06:29:00AM +0000, Wolfgang Spraul wrote: According to the schematics it is a quad-band design. The Antenna switch is a SP5T (two bands tx, 3 bands rx), followed by an additional filter that separates the 850 from the 900 in the RX path. Given that the filters (including the 850/900) are all unbalanced-to-balanced filters, I doubt that somebody would simply not place them (as you cannot replace them just with a 0ohms resistor or soemthing. By removing one filter you would not be able to produce a standard 850/1800/1900 or 950/1800/1900 configuration but something like 850/900/1800 or 850/900/1900 which doesn't maeke sense. My personal educated guess is: they are all quad-band. -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

On Tue, Nov 09, 2010 at 10:09:42AM +0100, Sylvain Munaut wrote: no. ouch. probably a 'marketing requirement'... "we don't want to sell a quadband phone for the same price like a tri-band phone" -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

On 9-11-2010 7:29, Wolfgang Spraul wrote: Hahahaha, I really enjoyed your post :D

Hi Steve, On Mon, Nov 08, 2010 at 03:45:28PM +0100, Steve Markgraf wrote: this is great news. It means people without JTAG (and without soldering wires to test pads on the PCB) will be able to participate by simply loading code via the serial port. I can't wait until I receive the Sciphone G2 boards from Wolfgang Right now I've been soldering some wires to the test pads next to the MT6227 of the Mobistel EL570, I'm quite sure they also have JTAG on it. I'm planning to compare the GSM part of the 622x and 6235 as per the data sheet next. I hope they are reasonably similar, which would mean any testing / development we do on the 622x could later be leveraged to the 6235. Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

Hi, On Tue, Nov 9, 2010 at 4:35 AM, the grugq <thegrugq(a)gmail.com> wrote: This will work on all phones based on MT6235 as long as code will be executed in internal RAM (64KB) and you'll know where are serial port pins (these are specific for phone). There will be also differences in RAM, NAND, LCD, etc. and it's matter of writing new driveres for these peripherals. BR, Marcin

On Wed, Jan 4, 2012 at 7:30 PM, Harald Welte <laforge(a)gnumonks.org> wrote: Well, fuck, I thought it was Russians threw Linux on SciPhone (because of the Russian forum I read about it) and my countryman here:) no estimates of the great Mr. Martin! Courtesy google translate.