Sciphone Dream G2¶
The Sciphone Dream G2 is a MT6235 based phone running UI software to mimic the look+feel of Android.
OsmocomBB does not yet support any Mediatek chipsets, so this phone is not supported by OsmocomBB.
More information on the hardware of the device can be found at http://en.qi-hardware.com/wiki/Sciphone_Dream_G2
The phone has a engineering menu which can be activated by dialing *#36466331#
Software¶
- There is loader_mtk firmware in osmocom-bb which enables experimentation and loading of software into RAM
- There is a U-Boot port
- There is a downstream OsmocomBB port which pulls the txburst example from u-boot into loader_mtk firmware for experimentation purposes
Presentations¶
Serial Cable¶
You can make a serial cable by sacrificing the headset that comes with the phone, and swapping the pins inside the connector.
Serial pinout:
| Pin | signal | comment | ||||
| 1 | GND | |||||
| 2 | GND | |||||
| 5 | Rx | (From PC to Phone) | ||||
| 7 | Tx | (From Phone to PC) |
JTAG¶
The JTAG port of the MT6235 is accessible on the phone PCB, see the attached picture.
You can use OpenOCD along with the attached configuration file ([raw-openocd_mt6235.cfg]) for debugging.
Serial Bootloader¶
Like all Mediatek MT62xx SoCs, the phone uses the MTKRomloader.
For executing U-Boot and Linux using the MTK romloader, proceed as follows:
- clone osmocom-bb.git and checkout the branch 'steve-m/loader_sciphone'
- compile the code, connect the phone and run osmocon:
$ ./osmocon -p /dev/ttyUSB0 -m mtk ../../target/firmware/board/mt62xx/loader.mtkram.bin
- press and hold the powerbutton of the phone, until the loading has finished and you see the following:
[...] Received branch address ack, code should run now Running on mt62xx in environment mtkram HW_CODE = 0x6235
- don't terminate osmocon and execute:
$ ./osmoload memload 0x500000 u-boot.bin $ ./osmoload jump 0x500000
- now terminate osmocon and open a serial terminal of your choice (115200-8N1)
- see below for loading Linux with U-Boot
MTK boot process¶
MT62xx chips have IPL (Initial Program Loader) saved in ROM.
This is first code executed after power up.
It configures basic functionality of CPU (serial port 19200n8) and waits on 0xA beacon.
If beacon won't be received, it jumps to NAND memory read procedure.
At NAND 0x0 address Boot Header is placed which holds informations about NAND memory and parameters of image which is going to be loaded.
NAND memory read procedure tries to read NAND memory from 0x0 address with following NFI controller settings:
| Bus width | Address bytes | Page size | Column shift | Used in Sciphone G2 | ||||||
| 1 | 3 | 512 | 8 | |||||||
| 0 | 3 | 512 | 8 | |||||||
| 1 | 4 | 512 | 8 | |||||||
| 0 | 4 | 512 | 8 | yes | ||||||
| 1 | 4 | 2048 | 16 | |||||||
| 0 | 4 | 2048 | 16 | yes | ||||||
| 1 | 5 | 2048 | 16 | |||||||
| 0 | 4 | 2048 | 16 |
If Boot Header read from NAND memory will match to currently used NFI configuration, bootloader will start to read data from NAND to internal SRAM. Internal SRAM size is 64kB, which means that code loaded by IPL can't be bigger than that.
Note: IPL doesn't configure PLL and SDRAM controller, so there is no possibility to load code to external RAM. Here is where SPL (Secondary Program Loader) comes into the game.
SPL - Runing U-Boot from NAND¶
SPL (Second Program Loader) is just small U-Boot loader which includes low level CPU initialization (PLL, SDRAM) and NAND driver.
Using default build it occupies less than 4kB, but it lacks NAND memory detection. All the NAND memory types can be specified using preprocessor which is not comfortable. We already identified three different NAND memories and that would be bad to create seperate builds for them.
Fortunatelly there is no need to strip down SPL size to 4kB, so SPL code has been reworked and new functionalities are added. It detects NAND memory at startup and configures NFI controller automatically. New implementation can be found at "nand_spl/nand_boot_detect.c".
SPL also automatically configures SDRAM controler according to RAM you have on your device (currently it tries two configurations).
SPL is generated on every U-Boot build and binary can be found at "nand_spl/u-boot-spl.bin".
SPL will be loaded and executed by IPL only if Boot Header will contain valid data (in this case checksum and length is most important).
To generate Boot Header and place it at the begining of binary you should use mtk_image tool. MTK Boot Header generator can be found at "tools/mtk_image.c".
Usage ./mtk_image [ -s size ] [ -o file ] mtk_dump.bin image.bin
[ -s size ] - size of image, if not specified file size will be taken
[ -o file ] - name of output file
mtk_dump.bin - dump of NAND memory from address 0 (at least 64 bytes)
image.bin - image to be loaded by MTK bootloader
mtk_image tool needs dump file from your device (at least 64 bytes read from NAND 0x0 address) as there are different NAND memory configurations. Thanks to that Boot Header will be properly generated for your device.
Note! Before flashing U-Boot to NAND, create full dump of your NAND, otherwise you'll be not able to restore phone's original software.
U-Boot¶
Port of U-Boot for Sciphone G2 can be found at U-Boot
Building U-Boot:
export CROSS_COMPILE=arm-linux-gnueabi- make sciphone_g2_config make
Linux kernel¶
Port of Linux kernel for Sciphone G2 can be found at Linux kernel
Building Linux:
export CROSS_COMPILE=arm-linux-gnueabi- make ARCH=arm sciphone_g2_defconfig make ARCH=arm uImage
Building initramfs file system¶
The easiest way to have file system in Linux kernel is to build Initramfs image.
You need to download Busybox, configure it and build it.
export CROSS_COMPILE=arm-linux-gnueabi- make menuconfig make make install
Generated file system by default installs in _install directory.
Additional to that you'll need to create console device in already built filesystem.
sudo mknod dev/console c 5 1
Now you can create CPIO archive:
find . | cpio -o -H newc > rootfs.cpio
Next step is to point to Linux kernel where initramfs image is located.
In menuconfig of Linux kernel you should modify following option:
CONFIG_INITRAMFS_SOURCE=<path_to_cpio> General setup -> Initial RAM filesystem and RAM disk -> Initramfs source file(s)
After these steps Linux kernel image will have initramfs built in.
Important note: Initramfs ignores 'init=' variable given in kernel boot parameters list. It always executes /init command at startup and you can't change it. Check if you have /init in your file system (BusyBox has /linuxrc by default, so just change its name to init).
Every time you change initramfs file system you have to rebuild also Linux kernel.
To unpack CPIO archive you can use following command:
cpio -i -d -H newc -F <path_to_cpio_archive> --no-absolute-filenames
Reading data files in U-Boot¶
NAND
Following command will read 256 bytes from NAND address 0 at address 0x800000.
nand read 0x800000 0 0x100
Serial
Following command will read data at address 0x800000 from serial at baudrate 115200 (using kermit protocol).
loadb 0x800000 115200
SD/MMC
Following command will read uImage file at address 0x800000 from MMC card.
mmcinfo fatload mmc 0 0x800000 uImage
NAND memory¶
So far three types of NAND memories has been identified:
| Chip | Size | |||
| HY27XS08121M | 512Mb (64MB) NAND | |||
| HY27XA081G1M | 1Gb (128MB) NAND | |||
| TC58NVG0S3AFT | 1Gb (128MB) NAND |
All of them are supported by "mt62xx_nand.c" NAND driver in U-Boot.
This driver has also support for ECC hardware decoding and encoding.
ECC layout which is used by MTK looks as follows:
/* * For small and large page NAND devices ecc block size is the same: * * ecc_block_size = 256 * * Placement of ecc bytes in spare area is as follows: * * -------------------------------------------------------------- * | SPARE | * -------------------------------------------------------------- * | | ECC0 | | ECC1 | | ECC2 | | ECC3 | * -------------------------------------------------------------- * 0 8 16 24 32 40 48 56 64 * * ECC0 = 12 bits (from 1st ECC block) + 12 bits (from 2nd ECC block) * ECC1 = 12 bits (from 3rd ECC block) + 12 bits (from 4th ECC block) * ECC2 = 12 bits (from 5th ECC block) + 12 bits (from 6th ECC block) * ECC2 = 12 bits (from 7th ECC block) + 12 bits (from 8th ECC block) */
ECC layout information is pretty important as built-in bootloader in MT62xx chips
has hardware ECC enabled and it won't load code from NAND if ECC layout will
not match.
This layout is also important to properly dump or restore existing firmware.
NAND driver for Linux is under development.
LCD¶
Sciphone G2 has LCD with 240x320 resolution.
Currently two different LCD controllers has been identified (on Sciphone G2):- ILI9331
- ILI9325
These controllers are already supported in U-Boot.
To identify what kind of controller is in your device, just check U-Boot prints.
DRAM: 32 MiB NAND: 64 MiB MMC: msdc_mmc: 0 mtk_lcd INFO: Read LCD device code: 9331.
U-Boot supports displaying bitmap on the screen, you just have to create bitmap in proper format.
By default U-Boot will build osmocomBB bitmap.
To convert your customized bitmap change type of bitmap to indexed.
Using GIMP, select "Image -> Mode -> Indexed...". Maximum number of colours is 240 (16 is used by internal U-Boot CMAP).
In existing U-Boot bmp logo converting tool (tools/bmp_logo.c) there are two issues:- width of bitmap has to be aligned to 4 (otherwise padding bytes will be added and bitmap will be not properly displayed)
- size of bitmap can't be bigger than 65535 (LCD on Sciphone G2 is 240x320 = 76800)
Both issues are fixed on uboot-mt623x.
MT6235 LCD controller shares data lines with NFI (NAND) controller. Currently there is no possibility to use NAND when LCD is used.
Frame buffer driver for Linux is under development.
BBT handling¶
Comment from "sciphone_g2.h" configuration file explains how BBT is handled.
/* * Below option allows U-Boot to save BBT table in NAND. * Without this option BBT table is created everytime when first nand * command is executed (except "nand dump"). Full scanning of NAND * takes long time and unnecessarily delays first command execution. * * NOTE! This option is disabled by defaut as at startup it deletes last * two blocks of NAND. Most of people run code from RAM and don't have * NAND memory dumped yet. If you don't like to wait on first nand * command, you should enable below option. */ #define MT62XX_NAND_BBT_IN_NAND
MTD partitions¶
Layout of MTD partitions is following:
device nand0 <mt62xx_nand.0>, # parts = 5 #: name size offset mask_flags 0: sbl 0x00020000 0x00000000 0 1: env 0x00020000 0x00020000 0 2: u-boot 0x00200000 0x00040000 0 3: kernel 0x00200000 0x00240000 0 4: root 0x03bc0000 0x00440000 0
Building images with OpenEmbedded¶
Currently the easiest way to build your own Linux distribution for Sciphone G2 is to use OE.
Setting up of OE is described here.
To have Sciphone G2 target and Linux kernel with U-Boot from OsmocomBB repositories, you need to apply patch from here.
Under above link you can also find example config file for OE build.
So far following images has been successfully run on Sciphone G2:
minimal-image opie-image-16mb opie-image x11-image
After successfull build of image, following directory will contain U-Boot, Linux kernel and file system image:
/YOUR_BUILD_DIRECTORY/deploy/images/sciphone_g2/
U-Boot and Linux kernel are built from latest sources found in OsmocomBB repositories.
Running Linux distro¶
It's possible to run any Linux distribution without flashing Sciphone's original firmware.
To do this, you need to prepare microSD card and use osmocon loader to load u-Boot image to RAM.
Current images for U-Boot and Root File Systems can be found here.
First of all ext3 partition has to be created on SD card.
Note!!! Followig method will erase all data on your SD card.
sudo fdisk /dev/sdbX press p (prints partition table) press d (deletes partition table) press n (adds new partition) sudo mkfs.ext3 /dev/sdbX
Next step is to copy built image to SD card:
sudo dd if=<path_to_ext3_image_file> of=/dev/sdbx
When operation is finished, you can pull out SD card from PC and insert it to Sciphone.
Now you can load U-Boot image using osmocon tool.
When U-Boot starts, it loads /boot/uImage kernel file from SD card to RAM and boots it (OE automatically copies built kernel to /boot directory).
After that you should see OsmocomBB splash screen with "Please wait ..." text and after few moments an OPIE welcome screen should appear.
Note!!! Initial boot takes much longer time than next ones.
If your screen is not properly calibrated, execute ts_calibrate command from shell which will recalibrate your touchscreen.
Additional equipment¶
Sciphone G2 has microSD card slot in hardly available place.
During development process you'll waste a lot of time to pull out and put in microSD card with new software.
Below picture shows home made microSD card extension cable which makes SD card changes much faster.
Links¶
- video showing Sciphone G2 running Angstrom Linux with OPIE
Updated by fixeria 3 months ago · 32 revisions
