The glofiish M800 is a PDA-Phone for Windows Mobile by E-TEN.

Emulate the phone

• Idea: Use Qemu to simulate the hardware of the M800 for developing new software and to find out more about existing firmware.

Hardware

SoC

• S3C2442BL-54
  • i.e. Samsung S3C2440 plus 64MB SDRAM and 256MB NAND flash in one package
  • exact same model as used in Openmoko GTA02 (FreeRunner?)
  • We know the JTAG pinout on the debug pads
  • Signals on debug pads for S3C2442 JTAG (this time verified!!), ID=0032409D
  • VCC = 2.85V (used for buffered adaptors only!), SRST is system reset:
    • PWR = Power On Button
    • REC = Voice Record Button

              REC
           o   o   o   o   o
            TDI     TCK VCC RXD
         o   o   o   o   o   o
              PWR         SRST
           o   o   o   o   o
            TMS     TDO GND TXD
         o   o   o   o   o   o
      

  • A working setup with OpenOCD for the S3C JTAG
  • The serial console is on UART2 (shared with GPS)
    • Make sure CPLD register 0x12 bit 1 is set for console mode

GPIO

GPA

M800: GPACON = 0x005E1681

• GPA0: ADDR0
• GPA1: Output GPS nRESET
• GPA2: Output
• GPA3: Output

• GPA4: Output Keyboard "Fn" LED
• GPA5: Output Keyboard "Caps" LED
• GPA6: Output (toggles 1 to 0 at GPS powerdown), seems to be related to binary/nmea
• GPA7: ADDR22

• GPA8: Output
• GPA9: ADDR24
• GPA10: ADDR25
• GPA11: Output

• GPA12: nGCS2 (WLAN_LED according to WM registry)
• GPA13: Output
• GPA14: Output (enable CPLD keyboard scanning)
• GPA15: Output GSM Reset (1-active) [old info:0-active triggers nSS1 (GSM)]

• GPA16: Output GSM SPI_REQ: indicate we wish to talk to the modem
• GPA17: CLE
• GPA18: ALE
• GPA19: nFWE

• GPA20: nFRE
• GPA21: Output USB Pullup (1 = pullup)
• GPA22: nFCE

GPB

M800: GPBCON = 0x00155556

• GPB0: TOUT0 (panel backlight PWM)
• GPB1: Output (keyboard backlight 1=on)

• GPB2: Output
• GPB3: Output WLAN_PWREN (at wifi power up == 1)

• GPB4: Output GSM Modem power on (needs to be set 500ms off, 2s on, then off again)
• GPB5: Output WLAN_nRESET (at Wifi Power Up == 1)

• GPB6: Output GPS Power Up (1 = on)
• GPB7: Output LCM SPI data (source:knight)

• GPB8: Output FM nRST
• GPB9: Output LCM SPI clock, data stable at rising edge (source:knight)

• GPB10: Output SD-card power (source:usbdl)

GPC

M800: GPCCON = 0xAA9516A9

• GPC0: Output (toggles 0-1-0 at GPS power up)
• GPC1: VCLK LCM Video

• GPC2: VLINE LCM Video
• GPC3: VFRAME LCM Video

• GPC4: VM LCM Video
• GPC5: Output (Back and front camera toogle?)

• GPC6: Output (seems to be LCM related, if 0 == WSOD)
• GPC7: Output LCM SPI chip select, low-active

• GPC8: Output Bluetooth (1=on, 0=off)
• GPC9: Output Bluetooth (1=on, 0=off)

• GPC10: Output (LCM SPI?)
• GPC11: VD[3] LCM Video

• GPC12: VD[4] LCM Video
• GPC13: VD[5] LCM Video

• GPC14: VD[6] LCM Video
• GPC15: VD[7] LCM Video

GPD

M800: GPDCON = 0xAABFAAA5

• GPD0: Output
• GPD1: Output

• GPD2: VD[10]
• GPD3: VD[11]

• GPD4: VD[12]
• GPD5: VD[13]

• GPD6: VD[14]
• GPD7: VD[15]

• GPD8: SPIMISO1 (GSM)
• GPD9: SPIMOSI1

• GPD10: SPICLK1
• GPD11: VD[19]

• GPD12: VD[20]
• GPD13: VD[21]

• GPD14: VD[22]
• GPD15: VD[23]

GPE

M800: GPECON = 0xAAAAAAAA

• GPE0: I2SLRCK
• GPE1: I2SSCLK
• GPE2: CDCLK
• GPE3: I2SDI
• GPE4: I2SDO
• GPE5: SDCLK
• GPE6: SDCMD
• GPE7: SDDAT0
• GPE8: SDDAT1
• GPE9: SDDAT2
• GPE10: SDDAT3
• GPE11: SPIMISO0 (WLAN)
• GPE12: SPIMOSI0 (WLAN)
• GPE13: SPICLK0 (WLAN)
• GPE14: IICSCL fm_radio+kbd+capsense (switches temporarily to output on FM radio startup)
• GPE15: IICSDA fm_radio+kbd+capsense (switches temporarily to output on FM radio startup)

GPF

M800: GPFCON = 0x0000AAAA

• GPF0: EINT[0] Reset Button (0-active)
• GPF1: EINT[1] Power Button (0-active)
• GPF2: EINT[2] Button activity interrupt (CPLD?)
• GPF3: EINT[3] USB connect/disconnect (disabled during USB pullup enable)
• GPF4: EINT[4]
• GPF5: EINT[5] WiFi? unknown
• GPF6: EINT[6]
• GPF7: EINT[7] WLAN_SPI

GPG

M800: GPGCON = 0x5586AAEA

• GPG0: EINT[8] FM Radio
• GPG1: EINT[9]
• GPG2: EINT[10] Camera Button Half (0-active)
• GPG3: nSS1 (GSM)
• GPG4: EINT[12] Record Button (0-active)
• GPG5: EINT[13] capsense+joystick (CPLD?)
• GPG6: EINT[14] Keyboard slided out (1-active)
• GPG7: EINT[15] SD Card detect
• GPG8: EINT[16] GSM related, in connection with INT_DMA3 (configured for SPI)
• GPG9: Output
• GPG10: Input Bluetooth
• GPG11: EINT[19] Headphonejack
• GPG12: Output WLAN_nCS (SPI chip select)
• GPG13: Output
• GPG14: Output
• GPG15: Output

GPH

M800: GPHCON = 0x0004A1AA

• GPH0: nCTS0
• GPH1: nCRTS0
• GPH2: TXD0
• GPH3: RXD0
• GPH4: TXD1 Bluetooth
• GPH5: TXD1 Bluetooth
• GPH6: TXD2 GPS/console
• GPH7: RXD2 GPS/console
• GPH8: Input (some button, maybe cam button full?)
• GPH9: Output audio playback related (probably amplifier power-up) 1-active
• GPH10: Input (switches to CLKOUT1 if FM radio on)

GPJ

M800: GPJCON = 0x01400000

• GPJ0: Camera data interface
• GPJ1: Camera data interface
• GPJ2: Camera data interface
• GPJ3: Camera data interface
• GPJ4: Camera data interface
• GPJ5: Camera data interface
• GPJ6: Camera data interface
• GPJ7: Camera data interface
• GPJ8: Camera data interface
• GPJ9: Camera data interface
• GPJ10: Camera data interface
• GPJ11: Output (Camera sensor select?)
• GPJ12: Output (Camera sensor select?)

Other Registers

MISCCR

M800: MISCCR = 0x00410330

• USB1 as device
• CLKOUT0 = HCLK
• CLKOUT1 = HCLK
• USB not suspended
• nRSTOUT = high
• SCLK0/SCLK1 = enabled
• self refresh disabled
• nBATT_FLT=0 system in reset

DCLKCON

M800: DCLKCON = 0x00000000

EXTINT

M800: EXTINT0 = 0x22266722 M800: EXTINT1 = 0x76262642 M800: EXTINT2 = 0x00026003

• EINT0: Falling Edge
• EINT1: Falling Edge
• EINT2: Both Edge
• EINT3: Both Edge
• EINT4: Both Edge
• EINT5: Falling Edge
• EINT6: Falling Edge
• EINT7: Falling Edge

• EINT8: Falling Edge
• EINT9: Rising Edge
• EINT10: Both Edge
• EINT11: Falling Edge
• EINT12: Both Edge
• EINT13: Falling Edge
• EINT14: Both Edge
• EINT15: Both Edge

• EINT16: Falling Edge
• EINT17: Low Level
• EINT18: Low Level
• EINT19: Both Edge
• EINT20: Falling Edge
• EINT21: Low Level
• EINT22: Low Level
• EINT23: Low Level

Clocking

• LOCKTIME = 0x00ffffff
• MPLLCON = 0x0006e021
  • SDIV = 1
  • PDIV = 2
  • MDIV = 110 (=> 500MHz @ 16.9344MHz)
• UPLLCON = 0x0003c042
  • SDIV = 2
  • PDIV = 4
  • MDIV = 60
• CLKDIVN = 0x00000005
  • PDIVN=1 (PCLK is HCLK/2)
  • HDIVN=2 (HCLK=FCLK/4)
  • UCLK = UPLL output
• CAMDIVN = 0x00000010
  • CAMCLK uses CAMCLK_DIV (not UPLL)

UART

• ULCON0 = 0x03
  • 8n1
• UCON0 = 0x00000dc5
  • interrupt mode, no dma
  • timeout interrupt, exception interrupt
  • rx level interrupt
  • tx pulse interrupt
  • FCLK/n is input clock
• UFCON0 = 0x00000031
  • FIFO enable
  • Rx FIFO trigger level 32 byte
  • Tx FIFO trigger level empty
• UMCON0 = 0x11
  • Auto-Flow-Control
• UBRDIV0 = 0x01
  • ?!?

Memory Config

• BWSCON = 0x22111110
  • Bank0: ?
  • Bank1: 16bit, no WAIT, no UB/LB
  • Bank2: 16bit
  • Bank3: 16bit
  • Bank4: 16bit
  • Bank5: 16bit
  • Bank6: 32bit, no WAIT, no UB/LB
  • Bank7: 32bit, no WAIT, no UB/LB
• BANKCON0 = 0x700
• BANKCON1 = 0x7ff0
  • Page mode normal (1 data)
  • Tacp = 2
  • Tcah = 4 clocks
  • Tcoh = 4 clocks
  • Tacc = 14 clocks
  • Tcos = 4 clocks
  • Tacs = 4 clocks
• BANKCON2 = 0x700
• BANKCON3 = 0x700
• BANKCON4 = 0x700
• BANKCON5 = 0x700
• BANKCON6 = 0x18005
• SDRAM, 9 bit column, Trcd = 3
• BANKCON7 = 0x18009
• SDRAM, 9 bit column, Trcd = 4
• REFRESH = 0x00ae0432
  • Refresh counter = 1074
  • Tsrc = 7, Trp = 4, refresh enable
• BANKSIZE = 0xb1
  • burst enable
  • SDRAM power down mode enable (SCKE)
  • SCLK only during access
  • BANK6/BANK7 = 64MB/64MB

NAND config

• NFCONF = 0x962e
  • 8-bit, 2048 byte page, 5 addr cycle
  • TWRPH1 = 2 + 1
  • TWRPH0 = 6 + 1
  • TACLS = 1

• NAND chip is a K5D2G13ACM. This memory is part of the MSP-package on top of S3C2442.
  • NAND flash has same organisation and ID like standard product K9F2G08U0M from Samsung
  •  http://www.datasheetcatalog.org/datasheets/700/264933_DS.pdf
  • NAND flash could be reflashed by JTAG (WP is not connected)

LCD config

• LCDCON1 = 0x011c0379
  • enable video, TFT 16bit color, VM each frame
  • CLKVAL = 3 (VCLK = HCLK / (3+1)*2) == 500 / 8 == 62.5MHz
• LCDCON2 = 0x019fc041
  • VSPW = 1
  • VFPD = 65
  • LINEVAL = 639
  • VBPD = 1
• LCDCON3 = 0x0009df01
  • HFPD = 1
  • HOZVAL = 479
  • HBPD = 1
• LCDCON4 = 0x00000007
  • HSPW = 1
• LCDCON5 = 0x00014f09
  • half-word-swap, no byte swap
  • no LEND signal, PWREN signal
  • signal polarities normal
  • INVVFRAME = 1
  • INVVLINE = 1
  • INVVCLK = 1
  • 5:6:5 format

LCM

• Toppoly / tpo TD028TTEC1
  • exact same model as used in Openmoo GTA02 (FreeRunner?)

Questions

• To where does the SPI serial interface connect?

CPLD

• Xilinx XC2C128
  • We do have the Jedec Bitmap File in it
  • We know the JTAG pinout on the debug pads
  • Signals on debug pads for CPLD JTAG (this time verified!!), ID=0091DF90
  • VCC = 2.85V (used for buffered adaptors only!), SRST is system reset:

         o   o   o   o   o
      TDI     TCK     VCC
       o   o   o   o   o   o
                        SRST
         o   o   o   o   o
      TMS     TDO     GND
       o   o   o   o   o   o
    

Memory Map

It seems to have some MMIO interface at nGCS1, i.e. physical addres 0x08000000 (win virtual: 0xac000000).

HaRET(31)# vdump 0xac000000 32
ac000000 | c43f043f e43f043f 443f043f 643f043f | ?.?.?.?.?.?D?.?d
ac000010 | 44000403 04000402 640d0401 04040404 | ...D.......d....

0x08000000: X800 keypad

• bit 0: volume down button
• bit 1: volume up button

0x08000002: X800 keypad

• bit 0: down button
• bit 1: up button

0x08000004: X800 keypad

• bit 0: right button
• bit 1: left button

0x08000006: X800 keypad

• bit 0: camera button
• bit 1: enter button

0x08000008: X800 keypad

• bit 0: send button
• bit 1: end button

0x0800000c: X800 keypad

• bit 0: AP1 button
• bit 1: AP0 button

0x08000010:

• bit 0: right red blinking LED
• bit 1: right green LED
• bit 2: left blue blinking LED
• bit 3: left orange blinking LED

0x08000012: apparently some modem-related CPLD mode (1 = "normal", 6 used by Modem Flasher)

• bit 0: 0 = UART2 in GPS mode. 1 = UART2 in console mode

0x08000014:

• bit 0: left white blinking LED (twice)
• bit 1: ?
• bit 2: vibrator
• bit 18: camera white led (normal)
• bit 19: camera white LED (superbright, timeout 2 sec)

Questions

• Does the JEDEC bitmap file allow us to reverse-engineer its functionality?  http://www.pldtool.com/pld-file-formats
• Where is the driver object code for the CPLD in WinMobile??
  • it's in keypad.dll

Wifi

• Marvel 8686 based
  • Here's the datasheet:  http://www.edom.com.tw/vender/product/WM-G-MR-05_Spec_v18_20080221.pdf
  • libertas driver in mainline should do the trick
  • connected via SPI

WinMobile? Registry

[HKEY_LOCAL_MACHINE\Comm\GSPI86861\Parms]
"LED_IOP_BASE_L"=dword=00000000
"LED_IOP_BASE_H"=dword=0000b160
"LED_BSR_ADDRESS_L"=dword=00000010
"LED_BSR_ADDRESS_H"=dword=0000ac00
"WLAN_LED"="GPA12"
"WLAN_nRESET"="GPB5"
"WLAN_PWREN"="GPB3"
"SPI_SYSINTR"=dword=00000000
"SPI_IRQ"=dword=00000023
"SPI_INT"="GPF7"
"SPI_nCS"="GPG12"
"SPI_MISO"="GPE11"
"SPI_MOSI"="GPE12"
"SPI_CLK"="GPE13"
"SPI_CHANNEL"=dword=00000000
"SupportVOIP"=dword=00000000
"HscfgGap"=dword=00000050
"HscfgGpio"=dword=00000004
"HscfgCriteria"=dword=00000002
"BtType"=dword=00000000
"AssoRetryTimes"=dword=00000002
"AutoDeepSleepTime"=dword=00000000
"RoamScanAlgorithm"=dword=00000000
"RoamDiffRSSIThreshold"=dword=0000000a
"RoamMinScanInterval"=dword=000000c8
"RoamMaxScanInterval"=dword=000003e8
"RoamChannelScanList"=dword=000007ff
"RoamSignalStrengthThreshold"=dword=0000003c
"MacFrameType"=dword=00000000
"AdhocAwakePeriod"=dword=00000001
"MultipleDTim"=dword=00000001
"NullPktInterval"=dword=00000000
"GPIOIntPulsewidth"=dword=00000005
"GPIOIntTriggerEdge"=dword=00000001
"GPIOIntPinNumber"=dword=00000004
"SDGPIOIntEnable"=dword=00000000
"ESSID_32"=dword=00000000
"LocalListenInterval"=dword=00000000
"Enable80211D"=dword=00000000
"RoamingMode"=dword=00000001
"bActiveRoamingwithBGSCAN"=dword=00000000
"RSSI_Range"=dword=0000000a
"ulRSSIThresholdTimer"=dword=00001388
"bLinkLostScanOneChannel"=dword=00000001
"bActiveRoamingScanOneChannel"=dword=00000001
"AvoidScanTime"=dword=00002710
"SdioIstThread"=dword=00000065
"SetSD4BIT"=dword=00000000
"AdhocDefaultBand"=dword=00000001
"AdhocWiFiDataRate"=dword=00000000
"AdhocDefaultChannel"=dword=00000006
"BTWLANRxPriorityHi"=dword=00000000
"BTWLANRxPriorityLo"=dword=00000000
"BTWLANTxPriorityHi"=dword=00000000
"BTWLANTxPriorityLo"=dword=00000000
"BTFrequencyConfig"=dword=00000000
"BTAntennaConfig"=dword=00000000
"BTMode"=dword=00000000
"RTSThsd"=dword=0000092a
"FragThsd"=dword=0000092a
"ExtendedScan"=dword=00000001
"PowerMode"=dword=00000000
"NetworkAddress"=""
"UseMfgFw"=dword=00000000
"BusType"=dword=00000000
"BusNumber"=dword=00000000

Questions

• how to best integrate the asynchronous s3c24xx SPI driver with the GSPI code of the libertas?

Bluetooth

• CSR 41814
  • Integrated on WiFi? module:  http://www.edom.com.tw/vender/product/WM-G-MR-05_Spec_v18_20080221.pdf
  • BlueCore?4-ROM WLCSP single chip radio
  • Same as in Nokia n800 and iPhone
  • connected to UART1

Audio Codec

• AKM 4641EN
  •  http://www.asahi-kasei.co.jp/akm/en/product/ak4641en/ak4641en_f00e.pdf
  • Control interface uses I2C at slave address (0x24 >> 1)

Connections

• Receiver Speaker (above LCM): LOUT (left line out)
• Ringtone Speaker (backside): MOUT2 (mono out 2)
  • this speaker is further controlled by an audio Amp enabled by GPH9
• Headset Speakers: LOUT + ROUT (line out)

Questions

• How is the GSM really connected to the codec?
• How is the FM radio connected (we don't have enough inputs...)
• How to simplify the number of mixer controls
• How to properly show the equalizer in alsamixer (negative values...)

FM Radio

• Si4700 (possibly also a Si4702 -> land pattern and package QFN20)
  •  http://www.pctuner.ru/files/pdf/silabs_si4700_01_short.pdf
  •  http://www.edom.com.tw/vender/product/Si4702-03-C19.pdf
  • Control over I2C bus 0 address 0x10
  • si470x usb-only driver from mainline was adopted to i2c, does not work actually
• When a call is arrived the fm radio driver gets notified about this by an IRQ and tell the fm chip to mute

Power-Up sequence for the chip (discovered with kngiht & qemu):

• The datasheet tells us that the chip is put into power on mode when setting the nRST pin to high
  • the nRST pin is GPB8
• together with getting the chip back from power down mode we have to select which interface we want to use
  • we use 2-wire (i2c)

GPIO Sequence looks like this

• configure GPE14/GPE15 as output and put them to low
• configure GPB8 as output
• configure GPH10 as CLKOUT1
• put GPB8 (nRST) to high (nSEN is automatically controlled by some other component)
• put GPE14/GPE15 to high
• configure GPE14/GPE15 as IICSCL/IICSDA

GPS

• SIRF GSC3LTif
  •  http://www.freewebtown.com/4-10/w/o/wolfram_lin/gps/GSC3f_DS_1055-1041.pdf (similar chip)
• single-chip GPS Receiver
• conected to UART2 (shared with serial console, maybe the power-up and down sequences take care about the muxing)

Power-Up

• B6 = 1 (suspected GPS power)
• A1 = 0 (low-active GPS reset)
• A1 = 1 (take it out of reset)
• C0 = 1
• J3 = 1 (input)
• C0 = 0

Power-down

• A6 = 1 (this pin is weird, you can apparently enable binary mode using it ?!?
• A6 = 0
• B6 = 0 (switch off gps power)

Configuration

If booting Linux from WinMobile? / HaReT, the SiRF chip is initialized to 57600bps and uses the SiRF binary protocol. Bringing it up from linux it starts with NMEA, but still needs 57600bps. It also prints out a banner:

$PSRFTXT,Version GSWLT3.0.0HT_3.1.01.00-SDKLT001P1.00b *4A
$PSRFTXT,ETEN-20070119-NMEA57600_S_EE-LX*2C
$PSRFTXT,TOW:  588657*14
$PSRFTXT,WK:   1506*67
$PSRFTXT,POS:  3838229 715301 5026744*1B
$PSRFTXT,CLK:  96814*2F
$PSRFTXT,CHNL: 12*73

Battery

The battery has a I2C chip at address 0x2f. It is yet unclear which component is used. Somebody needs to take a battery apart. Update: Done!

This is a dump using i2cdump:

root@glofiish-m800:~# i2cdump 0 0x2f
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: 31 01 0c ff 3f 00 00 00 00 35 00 00 10 00 50 68    1??.?....5..?.Ph
10: 30 67 fe ff 62 19 00 40 00 00 00 00 00 00 00 00    0g?.b?.@........

It is suspected that the byte at 0x14 is the charge level in Percent (0x62 == 100%)

In the battery or onboard?

Update: The battery PCB only contains a NF216LF, which seems to be nothing more than a 20V bi-directional MOSFET (according to  http://www.greatwallsemi.com/RoHS/TSSOP8.pdf). Another update: The battery PCB contains double FET SM8205AOC and charge controller VA7021. There's no I2C inteligence inside the battery.

The battery meter must be on the mainboard itself. Update: This seems to be true. The battery voltage seems to measured by a I2C ADC which is yet unknown (package marking is: 8805)

However, experiments show that once the battery is removed, we cannot talk to i2c slave 0x2f anymore. Once we put the battery back, we can talk to it. So it seems like the abovementioned battery meter PDF was misleading. Update: There seems to be some GPIO checking for battery. It is a mistery why the chip does not answer if the battery is detached.

Charger

The charging circuit for the battery is built around BQ24070 from Texas Instruments (package marking BRQ, package QFN20)

• BQ24070
  •  http://focus.ti.com/docs/prod/folders/print/bq24070.html

DC/DC-Supply

The mainboard needs couple of voltages. One of the DC/DC converters is build around TPS62420 from Texas Instruments (package marking BQF, package QFN10)

• TPS62420
  •  http://focus.ti.com/docs/prod/folders/print/tps62420.html

LED Driver

The driver for the TFT-backlight is be built around TPS61042 from Texas Instruments (package marking BHS, package DRB)

• TPS61042
  •  http://focus.ti.com/docs/prod/folders/print/tps61042.html

Keyboard

The keyboard is organized in a matrix of 8 columns by 6 rows. Each column has a 16bit register in the CPLD (physical address 0x08000000 through 0x0800000e).

Matrix scanning has to be explicitly enabled by GPA14. If it is not enabled, all columns will read the same value.

Any keypress will raise EINT13 (low-active), even while matrix scanning is disabled.

The volume-up/volume-down buttons are also mapped to the keyboard matrix, rather than GPIO buttons.

Cameras

Both cameras, front and back, must be connected to the S3C camera interface. (Likely to be GDJ0-10). To toogle between those cams some GPIO might be used. (GDJ11, GPJ12 and GPC5 are involved). Here is what haret captures during such switches: (GPIO = 2 means it is no input or output but used for the SoC camera interface)

From back to front:

005.189    GPIOS   GPJCON: GDJ11(566 567)=1
005.200    GPIOS   GPJDAT: GPJ12(268)=0
005.301    GPIOS   GPJCON: GDJ0(545)=0 GDJ1(547)=0 GDJ2(549)=0 GDJ3(551)=0
GDJ4(553)=0 GDJ5(555)=0 GDJ6(557)=0 GDJ7(559)=0 GDJ8(561)=0 GDJ9(563)=0
GDJ10(565)=0
005.444    GPIOS   GPJCON: GDJ0(545)=2 GDJ1(547)=2 GDJ2(549)=2 GDJ3(551)=2
GDJ4(553)=2 GDJ5(555)=2 GDJ6(557)=2 GDJ7(559)=2 GDJ8(561)=2 GDJ9(563)=2
GDJ10(565)=2
005.507    GPIOS   GPJCON: GDJ11(566 567)=2
005.609    GPIOS   GPCDAT: GPC5(69)=1

Front to Back:

005.083    GPIOS   GPCDAT: GPC5(69)=0
005.094    GPIOS   GPJCON: GDJ11(566 567)=1
005.206    GPIOS   GPJCON: GDJ0(545)=0 GDJ1(547)=0 GDJ2(549)=0 GDJ3(551)=0
GDJ4(553)=0 GDJ5(555)=0 GDJ6(557)=0 GDJ7(559)=0 GDJ8(561)=0 GDJ9(563)=0
GDJ10(565)=0
005.354    GPIOS   GPJCON: GDJ0(545)=2 GDJ1(547)=2 GDJ2(549)=2 GDJ3(551)=2
GDJ4(553)=2 GDJ5(555)=2 GDJ6(557)=2 GDJ7(559)=2 GDJ8(561)=2 GDJ9(563)=2
GDJ10(565)=2
005.404    GPIOS   GPJCON: GDJ11(566 567)=2
005.517    GPIOS   GPJDAT: GPJ12(268)=1

Front camera I2C address is 0x30

Back camera I2C address is 0x3C

Question:

• What sensors are used. 0,3MP for the front cam, 2,0MP for the back cam. Vendor and type?

GSM / UMTS

See the Ericsson_3.5G_Modem page.

WinCE Software

bootloader

The M800 can be put into USB flash download mode by pressing the 'record' button while powering-on. The screen will show

USB Downloader 0023
Flash Capacity=256MB

USB Downloader Ready.
USB host isn ot connected yet.
USB host is connected.
Waiting a download.

It is yet unclear how to use this flash downloader moder.

test system

The M800 can be put into the test system by pressing the camera button while powering on. The screen will show

EMPIRE_M Test System

and then print a long list of all the test-able hardware peripherals.

The test system is to be used by touchscreen.

FIXME: add screenshots of testing

1 NAND

[NAND Flash Test]

Flash ID=0xECAA
Maker: Samsung
Chip = K5D2G13ACM
Total Size = 0x10000000
Block Size = 0x00020000

Test 0x00000000 to 0x00000800

Test O.K. - Bad Block = 0

NAND memory map

The native WM6 OS image consists of several parts. These are the physical locations in NAND memory:

NAND structure of S3C2442 MCP K5D2G13ACM (equivalent to K9F2G08)

boot.dat    BOOTER_X800_03_LB_01_10 block0, page0, offset=0x00000000    length=0x00001000 - initial loader
            LOADER_LB_01_04         block0, page2, offset=0x00001000    length=0x00003000
usbdl.dat   USBDL_M800_02_LB_01_25  block1, page0, offset=0x00020000    length=0x00013800 - USB downloader
knight.dat  KNIGHT_M800_03_LB_01_33 block3, page0, offset=0x00060000    length=0x00031800 - test software
---                                 block6, page0, offset=0x000c0000    length=0x00000800 - BT address and some test scripts
ipl.dat     IPL_M800_01_LB_01_10    block8, page0, offset=0x00100000    length=0x00020000 - system loader (xip format)
os.dat      M800_WWE_A42_040_0319   block11,page0, offset=0x00160000    length=0x055b1800 - OS-image

Linux Software

kernel

There's a public git tree at  git://git.openezx.org/, which you can grab by using

$ git clone git://git.openezx.org/gnufiish.git

rootfs

just use any openmoko gta01 rootfs on a SD card