SciphoneDreamG2 » History » Version 29
h1. Sciphone Dream G2
The Sciphone Dream G2 is a [[MT6235]] based phone running UI software to mimic the look+feel of Android.
There is currently an u-boot and Linux port for the MT6235 underway, the primary development platform is the Sciphone G2.
*[[OsmocomBB]] does not yet support any Mediatek chipsets, so this phone is not supported by [[OsmocomBB]].*
More information on the hardware of the device can be found at http://en.qi-hardware.com/wiki/Sciphone_Dream_G2
The phone has a engineering menu which can be activated by dialing *#36466331#
- There is "loader_mtk firmware":https://git.osmocom.org/osmocom-bb/tree/src/target/firmware/apps/loader_mtk/main.c in osmocom-bb which enables experimentation and loading of software into RAM
- There is a "U-Boot port":https://git.osmocom.org/uboot-mt623x/
- There is a downstream "OsmocomBB port":https://gitlab.com/unrznbl/osmocom-bb/tree/sciphone-txburst which pulls the txburst example from u-boot into loader_mtk firmware for experimentation purposes
* Getting the First Open Source GSM Stack in Linux at ELC 2012: "slides":https://events.linuxfoundation.org/images/stories/pdf/lf_elc12_mielczarczyk.pdf "video":https://bootlin.com/pub/video/2012/elc/elc-2012-mielczarczyk-first-open-source-gsm-stack.webm
h2. Serial Cable
You can make a serial cable by sacrificing the headset that comes with the phone, and swapping the pins inside the connector.
||5||Rx||(From PC to Phone)||
||7||Tx||(From Phone to PC)||
The JTAG port of the MT6235 is accessible on the phone PCB, see the attached picture.
You can use "OpenOCD":http://openocd.berlios.de/web/ along with the attached configuration file ([raw-attachment:openocd_mt6235.cfg]) for debugging.
h2. Serial Bootloader
Like all Mediatek MT62xx SoCs, the phone uses the [[MTKRomloader]].
For executing U-Boot and Linux using the MTK romloader, proceed as follows:
* clone osmocom-bb.git and checkout the branch 'steve-m/loader_sciphone'
* compile the code, connect the phone and run osmocon:
$ ./osmocon -p /dev/ttyUSB0 -m mtk ../../target/firmware/board/mt62xx/loader.mtkram.bin
* press and *hold* the powerbutton of the phone, until the loading has finished and you see the following:
Received branch address ack, code should run now
Running on mt62xx in environment mtkram
HW_CODE = 0x6235
* *don't* terminate osmocon and execute:
$ ./osmoload memload 0x500000 u-boot.bin
$ ./osmoload jump 0x500000
* now terminate osmocon and open a serial terminal of your choice (115200-8N1)
* see below for loading Linux with U-Boot
h2. MTK boot process
MT62xx chips have IPL (Initial Program Loader) saved in ROM.
This is first code executed after power up.
It configures basic functionality of CPU (serial port 19200n8) and waits on 0xA beacon.
If beacon won't be received, it jumps to NAND memory read procedure.
At NAND 0x0 address Boot Header is placed which holds informations about NAND memory and parameters of image which is going to be loaded.
NAND memory read procedure tries to read NAND memory from 0x0 address with following NFI controller settings:
||Bus width||Address bytes||Page size||Column shift||Used in Sciphone G2||
If Boot Header read from NAND memory will match to currently used NFI configuration, bootloader will start to read data from NAND to internal SRAM. Internal SRAM size is 64kB, which means that code loaded by IPL can't be bigger than that.
*Note:* IPL doesn't configure PLL and SDRAM controller, so there is no possibility to load code to external RAM. Here is where SPL (Secondary Program Loader) comes into the game.
h2. SPL - Runing U-Boot from NAND
SPL (Second Program Loader) is just small U-Boot loader which includes low level CPU initialization (PLL, SDRAM) and NAND driver.
Using default build it occupies less than 4kB, but it lacks NAND memory detection. All the NAND memory types can be specified using preprocessor which is not comfortable. We already identified three different NAND memories and that would be bad to create seperate builds for them.
Fortunatelly there is no need to strip down SPL size to 4kB, so SPL code has been reworked and new functionalities are added. It detects NAND memory at startup and configures NFI controller automatically. New implementation can be found at "nand_spl/nand_boot_detect.c".
SPL also automatically configures SDRAM controler according to RAM you have on your device (currently it tries two configurations).
SPL is generated on every U-Boot build and binary can be found at "nand_spl/u-boot-spl.bin".
SPL will be loaded and executed by IPL only if Boot Header will contain valid data (in this case checksum and length is most important).
To generate Boot Header and place it at the begining of binary you should use mtk_image tool. MTK Boot Header generator can be found at "tools/mtk_image.c".
Usage ./mtk_image [ -s size ] [ -o file ] mtk_dump.bin image.bin
[ -s size ] - size of image, if not specified file size will be taken
[ -o file ] - name of output file
mtk_dump.bin - dump of NAND memory from address 0 (at least 64 bytes)
image.bin - image to be loaded by MTK bootloader
mtk_image tool needs dump file from your device (at least 64 bytes read from NAND 0x0 address) as there are different NAND memory configurations. Thanks to that Boot Header will be properly generated for your device.
*Note! Before flashing U-Boot to NAND, create full dump of your NAND, otherwise you'll be not able to restore phone's original software.*
Port of U-Boot for Sciphone G2 can be found at "U-Boot":https://git.osmocom.org/uboot-mt623x/
h2. Linux kernel
Port of Linux kernel for Sciphone G2 can be found at "Linux kernel":http://git.osmocom.org/gitweb?p=linux-mt623x.git;a=summary
make ARCH=arm sciphone_g2_defconfig
make ARCH=arm uImage
h2. Building initramfs file system
The easiest way to have file system in Linux kernel is to build "Initramfs image":http://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt.
You need to download "Busybox":http://www.busybox.net/, configure it and build it.
Generated file system by default installs in _install directory.
Additional to that you'll need to create console device in already built filesystem.
sudo mknod dev/console c 5 1
Now you can create CPIO archive:
find . | cpio -o -H newc > rootfs.cpio
Next step is to point to Linux kernel where initramfs image is located.
In menuconfig of Linux kernel you should modify following option:
General setup -> Initial RAM filesystem and RAM disk -> Initramfs source file(s)
After these steps Linux kernel image will have initramfs built in.
*Important note:* Initramfs ignores 'init=' variable given in kernel boot parameters list. It always executes /init command at startup and you can't change it. Check if you have /init in your file system (BusyBox has /linuxrc by default, so just change its name to init).
Every time you change initramfs file system you have to rebuild also Linux kernel.
To unpack CPIO archive you can use following command:
cpio -i -d -H newc -F <path_to_cpio_archive> --no-absolute-filenames
h2. Reading data files in U-Boot
Following command will read 256 bytes from NAND address 0 at address 0x800000.
nand read 0x800000 0 0x100
Following command will read data at address 0x800000 from serial at baudrate 115200 (using kermit protocol).
loadb 0x800000 115200
Following command will read uImage file at address 0x800000 from MMC card.
fatload mmc 0 0x800000 uImage
h2. NAND memory
So far three types of NAND memories has been identified:
||HY27XS08121M||512Mb (64MB) NAND||
||HY27XA081G1M||1Gb (128MB) NAND||
||TC58NVG0S3AFT||1Gb (128MB) NAND||
All of them are supported by "mt62xx_nand.c" NAND driver in U-Boot.
This driver has also support for ECC hardware decoding and encoding.
ECC layout which is used by MTK looks as follows:
* For small and large page NAND devices ecc block size is the same:
* ecc_block_size = 256
* Placement of ecc bytes in spare area is as follows:
* | SPARE |
* | | ECC0 | | ECC1 | | ECC2 | | ECC3 |
* 0 8 16 24 32 40 48 56 64
* ECC0 = 12 bits (from 1st ECC block) + 12 bits (from 2nd ECC block)
* ECC1 = 12 bits (from 3rd ECC block) + 12 bits (from 4th ECC block)
* ECC2 = 12 bits (from 5th ECC block) + 12 bits (from 6th ECC block)
* ECC2 = 12 bits (from 7th ECC block) + 12 bits (from 8th ECC block)
ECC layout information is pretty important as built-in bootloader in MT62xx chips
has hardware ECC enabled and it won't load code from NAND if ECC layout will
This layout is also important to properly dump or restore existing firmware.
NAND driver for Linux is under development.
Sciphone G2 has LCD with 240x320 resolution.
Currently two different LCD controllers has been identified (on Sciphone G2):
These controllers are already supported in U-Boot.
To identify what kind of controller is in your device, just check U-Boot prints.
DRAM: 32 MiB
NAND: 64 MiB
MMC: msdc_mmc: 0
mtk_lcd INFO: Read LCD device code: 9331.
U-Boot supports displaying bitmap on the screen, you just have to create bitmap in proper format.
By default U-Boot will build osmocomBB bitmap.
To convert your customized bitmap change type of bitmap to indexed.
Using GIMP, select "Image -> Mode -> Indexed...". Maximum number of colours is 240 (16 is used by internal U-Boot CMAP).
In existing U-Boot bmp logo converting tool (tools/bmp_logo.c) there are two issues:
* width of bitmap has to be aligned to 4 (otherwise padding bytes will be added and bitmap will be not properly displayed)
* size of bitmap can't be bigger than 65535 (LCD on Sciphone G2 is 240x320 = 76800)
Both issues are fixed on "uboot-mt623x":http://git.osmocom.org/gitweb?p=uboot-mt623x.git;a=summary.
MT6235 LCD controller shares data lines with NFI (NAND) controller. Currently there is no possibility to use NAND when LCD is used.
Frame buffer driver for Linux is under development.
h2. BBT handling
Comment from "sciphone_g2.h" configuration file explains how BBT is handled.
* Below option allows U-Boot to save BBT table in NAND.
* Without this option BBT table is created everytime when first nand
* command is executed (except "nand dump"). Full scanning of NAND
* takes long time and unnecessarily delays first command execution.
* NOTE! This option is disabled by defaut as at startup it deletes last
* two blocks of NAND. Most of people run code from RAM and don't have
* NAND memory dumped yet. If you don't like to wait on first nand
* command, you should enable below option.
h2. MTD partitions
Layout of MTD partitions is following:
device nand0 <mt62xx_nand.0>, # parts = 5
#: name size offset mask_flags
0: sbl 0x00020000 0x00000000 0
1: env 0x00020000 0x00020000 0
2: u-boot 0x00200000 0x00040000 0
3: kernel 0x00200000 0x00240000 0
4: root 0x03bc0000 0x00440000 0
h2. Building images with [[OpenEmbedded]]
Currently the easiest way to build your own Linux distribution for Sciphone G2 is to use OE.
Setting up of OE is described "here":http://www.openembedded.org/index.php/Getting_started.
To have Sciphone G2 target and Linux kernel with U-Boot from [[OsmocomBB]] repositories, you need to apply patch from "here":http://downloads.qi-hardware.com/people/marcin/.
Under above link you can also find example config file for OE build.
So far following images has been successfully run on Sciphone G2:
After successfull build of image, following directory will contain U-Boot, Linux kernel and file system image:
U-Boot and Linux kernel are built from latest sources found in [[OsmocomBB]] repositories.
h2. Running Linux distro
It's possible to run any Linux distribution without flashing Sciphone's original firmware.
To do this, you need to prepare microSD card and use osmocon loader to load u-Boot image to RAM.
Current images for U-Boot and Root File Systems can be found "here":http://downloads.qi-hardware.com/people/marcin/.
First of all ext3 partition has to be created on SD card.
*Note!!! Followig method will erase all data on your SD card.*
sudo fdisk /dev/sdbX
press p (prints partition table)
press d (deletes partition table)
press n (adds new partition)
sudo mkfs.ext3 /dev/sdbX
Next step is to copy built image to SD card:
sudo dd if=<path_to_ext3_image_file> of=/dev/sdbx
When operation is finished, you can pull out SD card from PC and insert it to Sciphone.
Now you can load U-Boot image using osmocon tool.
When U-Boot starts, it loads /boot/uImage kernel file from SD card to RAM and boots it (OE automatically copies built kernel to /boot directory).
After that you should see [[OsmocomBB]] splash screen with "Please wait ..." text and after few moments an OPIE welcome screen should appear.
*Note!!! Initial boot takes much longer time than next ones.*
If your screen is not properly calibrated, execute *ts_calibrate* command from shell which will recalibrate your touchscreen.
h2. Additional equipment
Sciphone G2 has microSD card slot in hardly available place.
During development process you'll waste a lot of time to pull out and put in microSD card with new software.
Below picture shows home made microSD card extension cable which makes SD card changes much faster.
- "video showing Sciphone G2 running Angstrom Linux with OPIE":http://www.youtube.com/watch?v=-_guRruQi0I
- "video showing Sciphone G2 running Linux kernel":http://www.youtube.com/watch?v=w_Iwsckm7Ko
- "Sciphone G2 binary images and patches":http://downloads.qi-hardware.com/people/marcin/