Sciphone Dream G2

The Sciphone Dream G2 is a MT6235 based phone running UI software to mimic the look+feel of Android.

There is currently an u-boot and Linux port for the MT6235 underway, the primary development platform is the Sciphone G2.

OsmocomBB does not yet support any Mediatek chipsets, so this phone is not supported by OsmocomBB.

More information on the hardware of the device can be found at
The phone has a engineering menu which can be activated by dialing *#36466331#

Serial Cable

You can make a serial cable by sacrificing the headset that comes with the phone, and swapping the pins inside the connector.

Serial pinout:

Pin signal comment
5 Rx (From PC to Phone)
7 Tx (From Phone to PC)

sciphone_serial.jpg (Sciphone G2 with serial cable)


The JTAG port of the MT6235 is accessible on the phone PCB, see the attached picture.
You can use OpenOCD along with the attached configuration file ([raw-openocd_mt6235.cfg]) for debugging.

scig2_front.JPG scig2_jtag.JPG (Sciphone Dream G2 JTAG pinout)

Serial Bootloader

Like all Mediatek MT62xx SoCs, the phone uses the MTKRomloader.

For executing U-Boot and Linux using the MTK romloader, proceed as follows:

  • clone osmocom-bb.git and checkout the branch 'steve-m/loader_sciphone'
  • compile the code, connect the phone and run osmocon:
    $ ./osmocon -p /dev/ttyUSB0 -m mtk ../../target/firmware/board/mt62xx/loader.mtkram.bin
  • press and hold the powerbutton of the phone, until the loading has finished and you see the following:
    Received branch address ack, code should run now
    Running on mt62xx in environment mtkram
    HW_CODE = 0x6235
Uploading U-Boot
  • don't terminate osmocon and execute:
    $ ./osmoload memload 0x500000 u-boot.bin
    $ ./osmoload jump 0x500000
  • now terminate osmocon and open a serial terminal of your choice (115200-8N1)
  • see below for loading Linux with U-Boot

MTK boot process

mt62xx_boot.jpg (MT62xx boot process)

MT62xx chips have IPL (Initial Program Loader) saved in ROM.

This is first code executed after power up.

It configures basic functionality of CPU (serial port 19200n8) and waits on 0xA beacon.

If beacon won't be received, it jumps to NAND memory read procedure.

At NAND 0x0 address Boot Header is placed which holds informations about NAND memory and parameters of image which is going to be loaded.

NAND memory read procedure tries to read NAND memory from 0x0 address with following NFI controller settings:

Bus width Address bytes Page size Column shift Used in Sciphone G2
1 3 512 8
0 3 512 8
1 4 512 8
0 4 512 8 yes
1 4 2048 16
0 4 2048 16 yes
1 5 2048 16
0 4 2048 16

If Boot Header read from NAND memory will match to currently used NFI configuration, bootloader will start to read data from NAND to internal SRAM. Internal SRAM size is 64kB, which means that code loaded by IPL can't be bigger than that.

Note: IPL doesn't configure PLL and SDRAM controller, so there is no possibility to load code to external RAM. Here is where SPL (Secondary Program Loader) comes into the game.

SPL - Runing U-Boot from NAND

SPL (Second Program Loader) is just small U-Boot loader which includes low level CPU initialization (PLL, SDRAM) and NAND driver.

Using default build it occupies less than 4kB, but it lacks NAND memory detection. All the NAND memory types can be specified using preprocessor which is not comfortable. We already identified three different NAND memories and that would be bad to create seperate builds for them.

Fortunatelly there is no need to strip down SPL size to 4kB, so SPL code has been reworked and new functionalities are added. It detects NAND memory at startup and configures NFI controller automatically. New implementation can be found at "nand_spl/nand_boot_detect.c".

SPL also automatically configures SDRAM controler according to RAM you have on your device (currently it tries two configurations).

SPL is generated on every U-Boot build and binary can be found at "nand_spl/u-boot-spl.bin".

SPL will be loaded and executed by IPL only if Boot Header will contain valid data (in this case checksum and length is most important).

To generate Boot Header and place it at the begining of binary you should use mtk_image tool. MTK Boot Header generator can be found at "tools/mtk_image.c".

Usage ./mtk_image [ -s size ] [ -o file ] mtk_dump.bin image.bin
    [ -s size ]    - size of image, if not specified file size will be taken
    [ -o file ]    - name of output file
    mtk_dump.bin    - dump of NAND memory from address 0 (at least 64 bytes)
    image.bin    - image to be loaded by MTK bootloader

mtk_image tool needs dump file from your device (at least 64 bytes read from NAND 0x0 address) as there are different NAND memory configurations. Thanks to that Boot Header will be properly generated for your device.

Note! Before flashing U-Boot to NAND, create full dump of your NAND, otherwise you'll be not able to restore phone's original software.


Port of U-Boot for Sciphone G2 can be found at U-Boot

Building U-Boot:

export CROSS_COMPILE=arm-linux-gnueabi-
make sciphone_g2_config

Linux kernel

Port of Linux kernel for Sciphone G2 can be found at Linux kernel

Building Linux:

export CROSS_COMPILE=arm-linux-gnueabi-
make ARCH=arm sciphone_g2_defconfig
make ARCH=arm uImage

Building initramfs file system

The easiest way to have file system in Linux kernel is to build Initramfs image.

You need to download Busybox, configure it and build it.

export CROSS_COMPILE=arm-linux-gnueabi-
make menuconfig
make install

Generated file system by default installs in _install directory.

Additional to that you'll need to create console device in already built filesystem.

sudo mknod dev/console c 5 1

Now you can create CPIO archive:

find . | cpio -o -H newc > rootfs.cpio

Next step is to point to Linux kernel where initramfs image is located.

In menuconfig of Linux kernel you should modify following option:

General setup -> Initial RAM filesystem and RAM disk -> Initramfs source file(s)

After these steps Linux kernel image will have initramfs built in.

Important note: Initramfs ignores 'init=' variable given in kernel boot parameters list. It always executes /init command at startup and you can't change it. Check if you have /init in your file system (BusyBox has /linuxrc by default, so just change its name to init).
Every time you change initramfs file system you have to rebuild also Linux kernel.

To unpack CPIO archive you can use following command:

cpio -i -d -H newc -F <path_to_cpio_archive> --no-absolute-filenames

Reading data files in U-Boot


Following command will read 256 bytes from NAND address 0 at address 0x800000.

nand read 0x800000 0 0x100


Following command will read data at address 0x800000 from serial at baudrate 115200 (using kermit protocol).

loadb 0x800000 115200


Following command will read uImage file at address 0x800000 from MMC card.

fatload mmc 0 0x800000 uImage

NAND memory

So far three types of NAND memories has been identified:

Chip Size
HY27XS08121M 512Mb (64MB) NAND
HY27XA081G1M 1Gb (128MB) NAND

All of them are supported by "mt62xx_nand.c" NAND driver in U-Boot.

This driver has also support for ECC hardware decoding and encoding.

ECC layout which is used by MTK looks as follows:

* For small and large page NAND devices ecc block size is the same:
*      ecc_block_size = 256
* Placement of ecc bytes in spare area is as follows:
* --------------------------------------------------------------
* |                            SPARE                           |
* --------------------------------------------------------------
* |    | ECC0  |       | ECC1  |       | ECC2  |       | ECC3  |
* --------------------------------------------------------------
* 0    8       16      24      32      40      48      56      64
* ECC0 = 12 bits (from 1st ECC block) + 12 bits (from 2nd ECC block)
* ECC1 = 12 bits (from 3rd ECC block) + 12 bits (from 4th ECC block)
* ECC2 = 12 bits (from 5th ECC block) + 12 bits (from 6th ECC block)
* ECC2 = 12 bits (from 7th ECC block) + 12 bits (from 8th ECC block)

ECC layout information is pretty important as built-in bootloader in MT62xx chips
has hardware ECC enabled and it won't load code from NAND if ECC layout will
not match.

This layout is also important to properly dump or restore existing firmware.

NAND driver for Linux is under development.


Sciphone G2 has LCD with 240x320 resolution.

Currently two different LCD controllers has been identified (on Sciphone G2):
  • ILI9331
  • ILI9325
    These controllers are already supported in U-Boot.

To identify what kind of controller is in your device, just check U-Boot prints.

DRAM:  32 MiB
NAND:  64 MiB
MMC:   msdc_mmc: 0
mtk_lcd INFO: Read LCD device code: 9331.

U-Boot supports displaying bitmap on the screen, you just have to create bitmap in proper format.

By default U-Boot will build osmocomBB bitmap.

To convert your customized bitmap change type of bitmap to indexed.

Using GIMP, select "Image -> Mode -> Indexed...". Maximum number of colours is 240 (16 is used by internal U-Boot CMAP).

In existing U-Boot bmp logo converting tool (tools/bmp_logo.c) there are two issues:
  • width of bitmap has to be aligned to 4 (otherwise padding bytes will be added and bitmap will be not properly displayed)
  • size of bitmap can't be bigger than 65535 (LCD on Sciphone G2 is 240x320 = 76800)
    Both issues are fixed on uboot-mt623x.

MT6235 LCD controller shares data lines with NFI (NAND) controller. Currently there is no possibility to use NAND when LCD is used.

Frame buffer driver for Linux is under development.

BBT handling

Comment from "sciphone_g2.h" configuration file explains how BBT is handled.

* Below option allows U-Boot to save BBT table in NAND.
* Without this option BBT table is created everytime when first nand
* command is executed (except "nand dump"). Full scanning of NAND
* takes long time and unnecessarily delays first command execution.
* NOTE! This option is disabled by defaut as at startup it deletes last
* two blocks of NAND. Most of people run code from RAM and don't have
* NAND memory dumped yet. If you don't like to wait on first nand
* command, you should enable below option.

MTD partitions

Layout of MTD partitions is following:

device nand0 <mt62xx_nand.0>, # parts = 5
 #: name                size            offset          mask_flags
 0: sbl                 0x00020000      0x00000000      0
 1: env                 0x00020000      0x00020000      0
 2: u-boot              0x00200000      0x00040000      0
 3: kernel              0x00200000      0x00240000      0
 4: root                0x03bc0000      0x00440000      0

Building images with OpenEmbedded

Currently the easiest way to build your own Linux distribution for Sciphone G2 is to use OE.

Setting up of OE is described here.

To have Sciphone G2 target and Linux kernel with U-Boot from OsmocomBB repositories, you need to apply patch from here.

Under above link you can also find example config file for OE build.

So far following images has been successfully run on Sciphone G2:


After successfull build of image, following directory will contain U-Boot, Linux kernel and file system image:

U-Boot and Linux kernel are built from latest sources found in OsmocomBB repositories.

Running Linux distro


It's possible to run any Linux distribution without flashing Sciphone's original firmware.

To do this, you need to prepare microSD card and use osmocon loader to load u-Boot image to RAM.

Current images for U-Boot and Root File Systems can be found here.

First of all ext3 partition has to be created on SD card.

Note!!! Followig method will erase all data on your SD card.

sudo fdisk /dev/sdbX
press p (prints partition table)
press d (deletes partition table)
press n (adds new partition)
sudo mkfs.ext3 /dev/sdbX

Next step is to copy built image to SD card:

sudo dd if=<path_to_ext3_image_file> of=/dev/sdbx

When operation is finished, you can pull out SD card from PC and insert it to Sciphone.

Now you can load U-Boot image using osmocon tool.

When U-Boot starts, it loads /boot/uImage kernel file from SD card to RAM and boots it (OE automatically copies built kernel to /boot directory).

After that you should see OsmocomBB splash screen with "Please wait ..." text and after few moments an OPIE welcome screen should appear.

Note!!! Initial boot takes much longer time than next ones.

If your screen is not properly calibrated, execute ts_calibrate command from shell which will recalibrate your touchscreen.

Additional equipment

Sciphone G2 has microSD card slot in hardly available place.

During development process you'll waste a lot of time to pull out and put in microSD card with new software.

Below picture shows home made microSD card extension cable which makes SD card changes much faster.

microsd_extension.jpg scig2_microsd.jpg


- video showing Sciphone G2 running Angstrom Linux with OPIEBR</a>

- video showing Sciphone G2 running Linux kernelBR</a>

- Sciphone G2 binary images and patchesBR</a>

scig2_jtag.JPG - Sciphone Dream G2 JTAG pinout (85.9 KB) laforge, 10/30/2010 01:11 PM

scig2_front.JPG (110 KB) marcin, 11/02/2010 06:52 AM

scig2_back.jpg (125 KB) marcin, 11/02/2010 06:52 AM

sciphone_serial.jpg - Sciphone G2 with serial cable (62.4 KB) steve-m, 11/08/2010 08:35 PM

openocd_mt6235.cfg - OpenOCD configuration file for the Mediatek MT6235 (2.89 KB) steve-m, 11/21/2010 01:47 PM

mt62xx_boot.jpg - MT62xx boot process (50.3 KB) marcin, 12/03/2010 03:40 PM

scig2_opie.jpg (13 KB) marcin, 02/17/2011 08:54 AM

microsd_extension.jpg (51.2 KB) marcin, 02/17/2011 12:54 PM

scig2_microsd.jpg (62.7 KB) marcin, 02/17/2011 01:09 PM