Himalaya Linux on Magican - Windows Mobile Development and Hacking General

Hello,
I followed http://wiki.xda-developers.com/index.php?pagename=HimalayaLinuxBooting to try to boot Linux on my Magican.
1. TCP connection via SynCE
2. I started Haret 0.3.6 (Detected CPU Family: Unknown), tapped "listen for network connection", connected via telnet and typed:
HaRET(4)# set KERNEL "zImage-2.6.3"
HaRET(5)# set MTYPE 448
HaRET(6)# set CMDLINE "root=/dev/ram0 init=/linuxrc ramdisk_size=14336 keepinitrd"
HaRET(7)# set INITRD "\Storage\initrd-2.6.3.gz"
HaRET(8)# bootlinux
Tux appeared on my screen, with the thermometer, which filled red.
Output on telnet session:
Physical kernel address: a0008000
Preloader physical/virtual address: a3200000
Physical initrd address: a0408000
Goodbye cruel world ...
After that SynCE-TCP-Connection went down.
I'm not sure, if there should be more visible on the screen/in the telnet session? What is this about the serial terminal? How do I connect. minicom to ttyUSB0 did not work, since the device was in use.
I really would like to contribute to porting linux to the Magican.

.... or should I have posted this in the Magican Forum?

FEDORA core 4 possible?

> FEDORA core 4 possible?
Yes, I run FC4 on my PC. Is this a problem? I mean.... SynCE works fine, I can copy files and so on.
Should I use FC3?

fry said:
> I'm not sure, if there should be more visible on the screen/in the telnet session?
No. wince is a dead duck after the "goodbye cruel world" message.
fry said:
> What is this about the serial terminal?
A real RS232 connection to the phone (RXD, TXD, GND). I have made a cable for Blueangel to connect the GPS receiver. If I'm not mistaken it is the same as for Himalaya.
fry said:
> How do I connect. minicom to ttyUSB0 did not work, since the device was in use.
Serial over USB is dead, because the wince USB driver is dead. The only easy debugging that is possible at an early boot stage is to write directly to the PXA serial port register in assembler, but it's a really hard way of doing things.
fry said:
> I really would like to contribute to porting linux to the Magican.
You should take the Himalaya (and Blueangel) wiki as an example, and document the hardware. Writing linux device drivers without knowing the hardware config is impossible. Start with the physical/wince virtual memory map, then you will know if it is possible to use the himalaya kernel directly. Although Blueangel hardware is very close to Himalaya, the different physical address space mapping doesn't let it run the Himalaya kernel. Tough luck for mickeysoft2005 fanboys

double_ofour said:
> FEDORA core 4 possible?
The usable kernel stuff is in the handhelds.org CVS. For the packages - use debian.

fry said:
> I really would like to contribute to porting linux to the Magican.
Post the output of the haret 'dump gpio' and 'dump mmu' commands.
I've looked at the magician PCB pictures. Seems to be a really cheap device compared to Blueangel. On the positive side is that there are no HTC ASICs there, so it is probably using the PXA MMC. The 5pin connector at the bottom doesn't look like the 22pin ipaq connector

> Post the output of the haret
> 'dump gpio' and 'dump mmu' commands.
OK... I did this, see dump.txt. The output stopped while a progress bar on my xda was at about 10%, telling me "Please be patiently until operation finishes ...". After some time, SynCE connection went down. I had to reset the device.
But I think the dump is complete, since the xda mini has only 64 MB of memory.
> The 5pin connector at the bottom
> doesn't look like the 22pin ipaq connector
It's a standard mini USB connector

With haret-0.3.6-DEBUG.exe from http://wiki.xda-developers.com/index.php?pagename=BlueangelResearch I get:
Physical kernel address: a0008000
Preloader physical/virtual address: a358c000
Goodbye cruel world ...
Reset AC97
set thread priority to critical
disabled multitasking
this process can access all memory domains
we're in kernel mode baby!
*mmu = memPhysMap (cpuGetMMU())
cpu->setup_load
interrupts cleared
peripherals are shut down
cpuFlushCache()

fry said:
> OK... I did this, see dump.txt.
The last INTER column seems to be broken. Otherwise there are 4 visible interrupt lines:
0 - reset button (my guess)
13 - ?
37 - ?
38 - ?
The ALT settings and the GPIO directions provide useful info, too.
You can do 'wgpio 60' in haret and press buttons, start bluetooth, IRDA, connect/disconnect USB, play/record sound, make a photo, etc. and log the GPIO changes.
The next step is to dump the PXA registers and look what subsystems are enabled (try CKEN with 'pd 0x4130004 4', or write a haret script dumping all interesting registers like *SSP, USB, MMC, etc). Another thing you can do is to dump the ROM (first 64MB of memory or how big it is, starting at 0x0).
fry said:
> It's a standard mini USB connector
Bad for you. No serial port.
But you will probably never need it.

fry said:
> The output stopped while a progress bar on my xda was at about 10%, telling me "Please be patiently until operation finishes ...". After some time, SynCE connection went down. I had to reset the device.
Well, haret is extremely buggy in this part, but porting 'itsutils' for use with synce is probably not worth the pain.

Some additional comments before I fall asleep:
This is unusual:
MMU 1st level descriptor table is at A0660000
Try to use haret for hx4700 since you have pxa27x (look at handhelds.org wiki for a link).
I don't get how they get the camera working.
IMHO, you can't use the himalaya kernel.
The LCD is probably attached to PXA, bad for the performance, easy for linux port.

fry said:
> Preloader physical/virtual address: a358c000
The SDRAM is in the first bank, because its top is close to 0xa4000000.

Related

crack wep key thru pocket pc

does anyone know how to crack WEP key using pocket pc ???? any software??? any solutions ???
AFAIK.. it's nearly impossible to do it with a PC... so with a PPC - which is so limited compared to a PC - I believe the answer is NO
cheers
can be done on PC, but takes a lot of throughput and time; you can find the source code for a WEP cracker and convert it, but is it worth it?
http://wepcrack.sourceforge.net/
V
no way doing it on a ppc for now. You can try to get linux tools like aireplay, and aircrack working on a linux PDA.
"duke911
Posted: Wed Oct 12, 2005 21:03 Post subject:
AFAIK.. it's nearly impossible to do it with a PC... so with a PPC - which is so limited compared to a PC - I believe the answer is NO
cheers"
.... with my linux notebook I take about 20 minutes to crack a 64bit wep encryption, and approx. 2 hours for a 128bit key
mobile-IT
I was not talking about Linux..I meant normal Windows PC...of course when you use Linux every thing is different :wink:
cheers
seem like cracking wep is too young for now, hope will be some day!
Any 1 knows how to convert that above proggy?
It would be really great if it will be possible.
even just to try it !!
actually, it's rather well-developed.
go Google for aircrack.
unfortunately, you will need to possess a wireless LAN card with a compatible chipset, some of which can be used under windows to capture 802.11 frames.
Not likely just yet...
More specifically (and be practical), you'll need a wireless network card with a chipset supporting host mode (eg, Prism 2/2.5/3, maybe Prism54 soon, none of which are for Pocket PC) and approximately 1GB free space (on SD memory card).
The success of WEP cracking tools under Linux relies on the network driver's ability to capture WEP packets sent between hosts and APs. If someone created such a driver for mobile devices, and probably a small linux environment, then they would be able to use it. Despite advances in mobile devices, I think getting a Linux environment running is the first step and then comes figuring out the wireless chipset, so I don't see this happening too soon.
no way
no way of running a program on WM5 with the Jasjar ?
if your Wlan card in the PDA has documentation on a monitor mode, then you could have a stab at writing your own driver, alternately, reverse engineer it, if you've got the equipment.
As far as I know, there's no full frame packet capture tools for PPC out at all.
Re: Not likely just yet...
nedbsd said:
> I think getting a Linux environment running is the first step and then comes figuring out the wireless chipset, so I don't see this happening too soon.
The TI ACX100 chipset used by HTC PDAs and phones has an opensource driver http://acx100.sourceforge.net
It is its control interface (non-PCI and non-USB, but memory mapped) that is making some trouble.
clustered said:
> does anyone know how to crack WEP key using pocket pc ???? any software??? any solutions ???
Er...why do you want to do this? :?:
TheBrit said:
> Er...why do you want to do this? :?:
Because it's fun!
mobile-IT said:
> no way doing it on a ppc for now. You can try to get linux tools like aireplay, and aircrack working on a linux PDA.
> "duke911
> Posted: Wed Oct 12, 2005 21:03 Post subject:
> AFAIK.. it's nearly impossible to do it with a PC... so with a PPC - which is so limited compared to a PC - I believe the answer is NO
> cheers"
> .... with my linux notebook I take about 20 minutes to crack a 64bit wep encryption, and approx. 2 hours for a 128bit key
how much do you upload/download while cracking a 128bit key?
MDAIIIUser said:
> TheBrit said:
> > Er...why do you want to do this? :?:
> Because it's fun!
fun and because human make the law and human broke the law...
try out retina wifi
I know this is an old thread, but I was chatting to a friend who is pretty much a genius when it comes to computers (especially linux).
This came up in conversation and he basically said that wep (like bluetooth) transmits parts of the key in plain text. If you know where to look and capture the right parts of the stream it doesn't take long to put them together in the right places and get the full key.
veda_sticks said:
> I know this is an old thread, but I was chatting to a friend who is pretty much a genius when it comes to computers (especially linux).
> This came up in conversation and he basically said that wep (like bluetooth) transmits parts of the key in plain text. If you know where to look and capture the right parts of the stream it doesn't take long to put them together in the right places and get the full key.
Agreed with the time observations, a friend who uses Linux reckons 3 minutes for the average BT Home Hub. At least to get the WEP key anyway.
Are you joking? 3 year thread gets re-opened? The RC4 implementation in WEP has been known to be flawed for quite some time. The problem is that no drivers for PPC are able to be put into RFMON in order to retrieve the amount of packets required to decipher a key.
Until a driver shows up, the most you would be able to do is dictionary attack a key on a PPC.

External USB hard drive

Does anybody know if it is possible to connect the phone to a USB hard drive?
only with flame and Athena as they are the only ones which support usb host
other devices can't use usb devices, only be used by usb hosts, normally a pc
There was actually someone who developed a working hard disk storage driver for windows mobile but last I checked the site no longer offered it. Searched for days trying to find the file elsewhere. No luck. Can't think of the company that made the driver.
I'm bumping this as I am also after the same sort of program / utility.
I want to be able to access my External HD and view / play files off it... anyone able to help me out?
Maybe with an external power-supplied disk
Rudegar said:
> only with flame and Athena as they are the only ones which support usb host...
Correct
Our Hermes has no usb host support. I found a topic at forum.brighthand.com which suggested the host functionality could be added with a usb host driver. I found the software (attached zip) but alas... Though I did exactly as the 'manual' (readme.txt) explained, the usb-stick did not appear in my explorer.
Possibly an external drive with external power supply might work because the hermes usb port is simply not powerful enough to supply the power to the usb-stick. However I did not "explore that possibility" (don't have one) and chances are 'just a driver' is not enough and hermes lacks "usb host hardware".
didn't read the post because you didn't give a link to the post just the forum
but i doubt that it's a general thing
many pda's have usbhost in the cpu itself but htc never connected those connectors
so it's not wired to the connector they have their own usb chip
so if the post you read said it about any other pda than an htc based one it could be that that manufacturer did connect the usb but didn't supply the driver which would then be fixed with what you found
Rudegar said:
> many pda's have usbhost in the cpu itself but htc never connected those connectors
Sounds like there could be the potential for a hardware hack...
heh, nice try. but it will end like GPS HW hack on the TyTN (aka Hermes). it is not worth it, I mean there is easy way, just buy device with GPS integrated, or buy external. I have electronic skills and proper tools, I can do such things but it is too complicated. in that hermes was problem, that antenna was not properly connected and you can never get a GPS lock. I guess that with usb host is the same. missing circuitry.
Deuce Nitro said:
> Sounds like there could be the potential for a hardware hack...
Yepp!
Hi,
this is correct
sinmae said:
> heh, nice try. but it will end like GPS HW hack on the TyTN (aka Hermes). it is not worth it, I mean there is easy way, just buy device with GPS integrated, or buy external. I have electronic skills and proper tools, I can do such things but it is too complicated. in that hermes was problem, that antenna was not properly connected and you can never get a GPS lock. I guess that with usb host is the same. missing circuitry.
The USB host port of the Samsung CPU is used to connect to the internal GSM/GPRS chipset. So no chance to break it up!
If someone would ever hack this hardware part, the result would be a hermes without radio.
The engineers at HTC used the USB host port to achieve the necessary bandwidth for high speed data connection to the GSM/GPRS chips from Qualcomm.
Best regards,
scholbert
thats an interesting information, thanx
scholbert said:
> The engineers at HTC used the USB host port to achieve the necessary bandwidth for high speed data connection to the GSM/GPRS chips from Qualcomm.

USB Host disconnected pin?

hello,
i've heard that the universal WOULD support USB host drivers if an unconnected pin inside the universal was connected... could anyone tell me;
- if i manage to get the pin connected, would i get usb host features like on any other usb host phone with proper drivers?
- how hard is it to do?
- WHAT to do?
Oh man,really really nice interesting idea,hope it's true and possible,i hope someone knows all about that and soon writes here how that is possible maaan,would be really awesome to play with that
PalDragan said:
> Oh man,really really nice interesting idea,hope it's true and possible,i hope someone knows all about that and soon writes here how that is possible maaan,would be really awesome to play with that
nice to hear someone else would like to get it to work too
EDIT: just found this on another thread on another forum about a PXA270 phone, someone was trying to get it to work, seems like all we need is
- switch the pin to host mode
- a driver (maybe zenos latest ones?)
> After about 6 months of not touching this project, I decided to take another quickie look at the PXA270 docs and programmers reference. What I now see is very interesting.
> Originally, I was looking at bringing out the USB Host 1 interface pins to the outside world as they were only terminated internally on the motherboard. Only about 1% of users might be able to do that.
> I then started to look at the USB OTG (On The Go) interface that this chip supports. The USB OTG interface can be used as both a client and host. It shares the same pins as the Axim's serial port. Unfortunately, there are two serial control lines pins that are not brought out to the connector, so I scrubbed that idea.
> This past weekend I picked up the programmer's design reference book to look at how the various USB interfaces are programmed and I saw something that I missed before as this was in the USB Client section. It appears (to me anyways) that the USB Client pins can also be programmed to act as a USB Host when in the USB OTG low power operation mode. The manual discusses how the additional control registers are used along with an output mux and charge-pump circuit (to provide the +5v). Refer to the PXA27x Processor Family Developer's Manual - dated Jan 2006, sections 12.5.2 and 20.
> I will be looking at this more closely to see if a simple driver can be written (Afarre, where are you...) to switch the USB client pins into Host mode. In addition to this, the USB device drivers would be needed. Please remember, an additional IO interface circuit will be needed to connect between any USB device and the Axim as the proper voltages are not on the sync connector.
the_fish said:
> nice to hear someone else would like to get it to work too
Suuuuuuuuuure,every crazy idea to abuse my PPC and i'm in for the quest
PalDragan said:
> Suuuuuuuuuure,every crazy idea to abuse my PPC and i'm in for the quest
haha same, btw thats the link to the topic:
http://www.mobilitysite.com/boards/x50-x51-forums/140071-hacking-pxa270-internal-usb-host-24.html
> Unfortunately, this means it's not for 99% of users as it requires a delicate hardware mod/addition to the motherboard (see my earlier posts & photos in this thread).
seems like they were still working on the driver (which we already have(?)) so we only need the hardware mod.... i guess...
the_fish said:
> haha same, btw thats the link to the topic:
> http://www.mobilitysite.com/boards/x50-x51-forums/140071-hacking-pxa270-internal-usb-host-24.html
> seems like they were still working on the driver (which we already have(?)) so we only need the hardware mod.... i guess...
Ummm it's definitely a crazy idea. We were discussing with mamaich (our guru) last year. Unfortunately it's not that simple to provide the power in sync connector, which is acting as a usb client (connector) at the moment.
tomal said:
> Ummm it's definitely a crazy idea. We were discussing with mamaich (our guru) last year. Unfortunately it's not that simple to provide the power in sync connector, which is acting as a usb client (connector) at the moment.
did you read in the thread i posted a link to? they had the same problem, but also found out that it maybe is possible to provide the necessary +5v too, they were not sure tho, and i thought maybe zenos drivers contain the code to do that.
the_fish said:
> did you read in the thread i posted a link to? they had the same problem, but also found out that it maybe is possible to provide the necessary +5v too, they were not sure tho, and i thought maybe zenos drivers contain the code to do that.
Ok, seems there is a new idea of power injection from outside.
Anybody tried it...?
Couple of months ago, I was trying with outside +5v power but nothing happens
Win_XP said:
> Couple of months ago, I was trying with outside +5v power but nothing happens
did you use one of those special USB cables that have two female USB-A, one for power and the other for the device to plug in?
http://htc-tytn-ii.handster.com/software.php?id=3339&for=HTC+TyTN+II
i don't know anything about this.. i'm actually looking to hook up something that normally has a rs-232 port.. but is also made in usb.. It draws power from another source
with something like that program doesn't that suggest usb host is possible..
http://gnalpgnarf.handster.com/software.php?id=3339&for=gnalpgnarf
hmmm....am I right or am I wrong?
Theoretically speaking the idea with a pin is supposed to redirect power from intake to output, however, not only Uni is incapable of supporting the output (you are essentially attempting to piggyback another device), the external support will not be possible due to pin configuration, regardless of the cable used.
Another thing, other than sheer experimentation, what would be the real point of such USB host?
STOP TORTURING YOUR UNIs, GUYS!!!!
I am pretty sure, that the Universal doesn't support USB Host.
It did not, it does not, it will not.
Sorry guys!
To be honest:
Yes, the PXA270 chip supports USB Host, but in most HTC devices they use this feature already for something else, like: WLAN or 3G connection.
DOMy
seen this?:
http://hhtinker.blogspot.com/2008/10/usb-host-on-treo-650.html
do you know what USB Host already busy?
it used as data call transfer radio <-> CE.
USB hub will not solve this problem easy.
also if you want attach it to miniUSB connector, you need additional OTG chip.
=> Host on universal is very hard to do, ...impossible.

Bricked my new Hero AND Magic !!! ??

HELP!
After JF 1.51 I installed latest Radio with it.
reboot - fine
Then I installed an SPL.
reboot - fine
Radio : 2_22_19_26I
SPL : Haykuro's "Special"
Then I tried the JacHero 2.1F Image
reboot - the Sign comes up (the unwrapping Phone) - nothing - dead
Here my dmesg:
[15286.272584] usb 2-2: new high speed USB device using ehci_hcd and address 4
[15286.340311] hub 2-0:1.0: unable to enumerate USB device on port 2
[15320.276569] usb 2-2: new high speed USB device using ehci_hcd and address 5
[15320.344322] hub 2-0:1.0: unable to enumerate USB device on port 2
[15361.868634] usb 2-2: new high speed USB device using ehci_hcd and address 6
[15361.936323] hub 2-0:1.0: unable to enumerate USB device on port 2
[15392.128125] usb 2-2: new high speed USB device using ehci_hcd and address 7
[15392.196334] hub 2-0:1.0: unable to enumerate USB device on port 2
[15437.872588] usb 2-2: new high speed USB device using ehci_hcd and address 8
[15437.940333] hub 2-0:1.0: unable to enumerate USB device on port 2
[15446.872067] usb 2-2: new high speed USB device using ehci_hcd and address 9
[15446.940334] hub 2-0:1.0: unable to enumerate USB device on port 2
[15520.032077] usb 2-2: new high speed USB device using ehci_hcd and address 10
[15520.096385] hub 2-0:1.0: unable to enumerate USB device on port 2
[15528.892075] usb 2-2: new high speed USB device using ehci_hcd and address 11
[15528.960253] hub 2-0:1.0: unable to enumerate USB device on port 2
lsusb shows NOTHING as it isn't enumerated.
The SAME Story now for my HTC Magic.
This is the most expensive Brick I ever bought :-(
So is there a way to recover?
- JF 1.51
- SPL.
- 2_22_19_26I
- SPL
- JacHero 2.1F
Um, none of these are Hero ROMs!!!
P
you must send them back to htc, there's no alternative.. but i can't understand why people install a software (=rom) for a different hardware system...
felikz said:
> you must send them back to htc, there's no alternative.. but i can't understand why people install a software (=rom) for a different hardware system...
Sorry, that you can't understand...
As the hero is the most expensive I took this first into account, but as you can read with this software I bricked my G2 MAGIC as well!
on both phones the same ****.
AND, it would be better if the pseudo developers would be more professional in publishing and tell the user that this ROM is JUST for this phone, etc... Can't see it written on the Homepage - just here in the forum I see more background infos...
I am Arch LINUX Package Maintainer, registered LINUX User since 2002 and NOT a noob, ok?
thanks anyway, I send both bricks back to recovery service and maybe let you know...
mark.doe said:
> AND, it would be better if the pseudo developers would be more professional in publishing and tell the user that this ROM is JUST for this phone, etc... Can't see it written on the Homepage - just here in the forum I see more background infos...
LOL You are a nice guy ...
mark.doe said:
> AND, it would be better if the pseudo developers would be more professional in publishing and tell the user that this ROM is JUST for this phone, etc... Can't see it written on the Homepage - just here in the forum I see more background infos...
Very pleasant post!
Given that "justanothercrowd" *specifically* states
> PLEASE DO YOUR RESEARCH BEFORE FLASHING ANY ROM INCLUDING MINE!!!
in his XDA post for his ROM, I find it rather surprising that you should decide to denigrate the ROM developers because *you* did not follow those instructions. ( link - http://forum.xda-developers.com/showthread.php?t=522076 )
In the XDA world, whatever you do to your phone is *your* responsibility. Even if you correctly follow the instructions, and end up with a bricked phone, it is still *your* responsibility. I'm not trying to be harsh here, but this is a simple fact - if you flash any phone with a ROM from a "non-authorized" source, you are effectively unsupported, with the exception of the goodwill of the people and developers in the community that provided the ROM. Making statements like the one quoted above is one of the fastest ways to see that goodwill dissipate!
> I am Arch LINUX Package Maintainer, registered LINUX User since 2002 and NOT a noob, ok?
Sorry, but by your actions and your subsequent tone, you've established that you are a noob in this context. BTW - what's a "registered linux user"?
Regards,
Dave
Just a quick question - does an "Arch LINUX Package Maintainer" beat a level 5 Arch Mage in Dungeons and Dragons?
Florida
So lets see -
You do something idiotic ( and with known risks we all take onboard )
Then mess it all up...twice
Then go squealing thats it 'not your fault' whilst claiming to be the GOL ( Gandalf of Linux )
Good luck on obtaining help here.
why do i see a flame war coming?
you have three posts and two of them is whining that you screwed up on ROMs that are not for the devices you have....
muahahaha! more money than sense...?
How hard can it be, to use a rom from the correct section (e.g. the Hero forum part for... indeed, Hero roms!).
You should not blame the 'pseudo developers' for your mistakes.
On the other hand I'm going to cut you some slack. Even though you made a terrible mistake, fooked up completely and you are now desperately trying to blame other people for it... I totally feel your pain. Losing two devices like this obviously isn't a nice experience at all. And it's probably going to cost you money on top of that as well, it totally sucks!
Please tell us if HTC fixed your phones for free (just in case that mine gets bricked, too). Wishing you good luck.
BTW with Arch: I love it, but thats the stuff with the not really researching, same on Android and Arch, when you do something without "really" knowing what, you can damage it.
OK, cya anyway and stay with us and Android
Greets.
Well colour me surprised. Nice to see that not everything descends into flaming here..!
Yes. Both have been replaced without a hassle. I told them it was bricked after putting in a foreign card on vacation and getting a spurious OTA (stupid but worked).
The mistake with one fon was definitely my fault and I excuse for the tone. English is not my native language and this sounded way too rude.
Oh I do love a happy ending!
Glad you got it sorted
Read, read again, and then read another few times just to be sure - That's my mantra when it comes to flashing / modding my phone.

A101it mainboard hacking and chipset information

Hi,
as I wrote in another thread, I purchased a bricked A101.
There's no response from the system so I decided to start investigation on the hardware.
A101it chipset information:
Processor
• Ti OMAP3630 (515-pin CBB/P BGA package) ARM Cortex A8 at 1 GHz with DSP
• POWERVR SGX530 Graphic accelerator: 3D OpenGL ES 2.0
Memory
• 256MB LPDDR SDRAM (168-pin PoP BGA package) soldered on top of OMAP3630
• 8/16GB eMMC (169-pin BGA package) connected to OMAP3630 internal mmc2 interface
Interfaces
• USB slave 2.0 (OMAP3630 internal interface, MicroUSB connector)
• USB host interface (TPS65921 host interface, Type A connector)
• Micro SD slot (OMAP3630 internal mmc1 interface, SDHC compatible)
Display subsystem
• ChiMei 10.1" TFT-Display N101L6-L02 (18Bit-LVDS interface)
• Ti SN75LVDS83B LVDS transmitter (56-pin BGA package)
Touchscreen subsystem
• Pixcir capacitive touchscreen unit (TR16C0 controller, USB interface)
• Ti TUSB2551A USB transceiver (16-pin QFN package)
HDMI subsystem
• NXP TDA19989AET 24-Bit HDMI transmitter
• HDMI output (19-pin Mini HDMI connector)
Communication
• Ti WL1270/1 WiFi (802.11 b/g/n)
• Ti WL1270/1 Bluetooth 2.1 EDR
Miscellaneous
• Built-in speaker
• Built-in Microphone
• Freescale MMA7660FC G-sensor
• OmniVision OV7675 VGA camera (0.3M)
Power source
• Ti TPS65921 power management chip
• Intersil ISL9220 LiPo charger
• Internal: Lithium Polymer battery
• External: 5V/1A Power adapter/charger
To get some detailed information about these chips, I made a sweet datasheet collection.
Grab the zip-file here.
TBC...
EDIT: The brick issue is solved.
The platform did not boot up due to a broken connection to onboard RAM.
This thread will present various hacks and other stuff a geek might have fun with.
Read on for some more information.
So here's my first result:
I successfully located the sys_boot signals of the OMAP3630.
I made a first test by changing the default boot mode.
With sys_boot5 pulled high the boot order changes to peripheral boot first.
In other words you may use this tool to directly access the OMAP memory (e.g. RAM).
In theory it should also be possible to boot the device from external microSD as well, but at factory default the microSD slot is covered by power management. In other words, power is switched off at boot time.
This could be hacked as well.
My attempt will be to un-brick my device by using external boot mechanism.
Maybe I'll need some help at a later point!
EDIT: Peripheral boot modes had successfully been verified.
It definitely works on the Archos 101. Perhaps this may be useful for some open bootloader project.
Anyway, I already discovered some other things that might be helpful for hardware hackers. So if you are kind leave a comment or ask some questions.
Stay tuned!
scholbert
Oh, that's interesting ... I don't know anything about hardware hacking but I'd like to learn, hope you will show us ... keep on the good effort ... and I'll keep an eye on this thread .... might come handy ... jejeje
sounds great, keep on rolling
peripheral boot
Hi,
thanks for your replies.
So as expected using peripheral boot over USB/UART is working (sys_boot5 pulled high).
At least the ASIC ID is sent correctly and the initial communication starts.
See the screenshot attached.
Flash V1.6 also got an eMMC driver included.
So this could be the way.
Right now there's an error message:
Code:
Unknown status message 'dKAYd 2nd stdrted?' during peripheral boot (waiting for 2nd)
I guess the response should be: OKAY! 2nd started?
EDIT:
MMMh strange... i'll have to find out who is generating this message.
If it is coming from OMAP the SDRAM setup should be verified.
Seems that the LSB byte stuck @ 0x64.
Code:
dKAYd 2nd stdrted?
ascii = dKAY -> hex = 0x59414b64 (msb..lsb)
ascii = d 2n -> hex = 0x6e322064
ascii = d st -> hex = 0x74732064
ascii = drte -> hex = 0x65747264
ascii = d? -> hex = 0x00003F64
See the session log file for more details!
Anyway i just started to play around... maybe some tweaks in the configuration are needed
Have fun!
scholbert
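The byte-lane reasoning in the post above, as an added example that is not part of the original thread: it splits the received status string into 32-bit little-endian words, compares them with the string the poster guessed was intended, and reports which byte lane is corrupted and whether it reads a constant value. The function names are hypothetical, and `EXPECTED` is the poster's guess, not a documented protocol string.

```python
import struct

# Strings from the post: what the Flash tool reported, and the poster's guess
# at what the 2nd loader meant to send (a guess, not a documented string).
RECEIVED = b"dKAYd 2nd stdrted?"
EXPECTED = b"OKAY! 2nd started?"


def words_le(data: bytes) -> list[int]:
    """Split data into 32-bit little-endian words, zero-padding the tail."""
    padded = data + b"\x00" * (-len(data) % 4)
    return list(struct.unpack(f"<{len(padded) // 4}I", padded))


def lane_errors(expected: bytes, received: bytes) -> dict[int, list[int]]:
    """Map byte lane (0 = bits 7..0) to indexes of words corrupted in that lane."""
    errors = {lane: [] for lane in range(4)}
    pairs = zip(words_le(expected), words_le(received))
    for idx, (exp, got) in enumerate(pairs):
        diff = exp ^ got
        for lane in range(4):
            if (diff >> (8 * lane)) & 0xFF:
                errors[lane].append(idx)
    return errors


def stuck_lanes(expected: bytes, received: bytes) -> dict[int, int]:
    """Return {lane: value} for lanes that carry errors and hold one constant value."""
    stuck = {}
    errors = lane_errors(expected, received)
    for lane in range(4):
        values = {(w >> (8 * lane)) & 0xFF for w in words_le(received)}
        if errors[lane] and len(values) == 1:
            stuck[lane] = values.pop()
    return stuck


if __name__ == "__main__":
    print([hex(w) for w in words_le(RECEIVED)])
    print(lane_errors(EXPECTED, RECEIVED))
    print({lane: hex(v) for lane, v in stuck_lanes(EXPECTED, RECEIVED).items()})
```

Errors confined to one lane that always reads the same value point at the bus signals for that byte rather than at random cell damage, which is the distinction the thread goes on to discuss.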
Pretty Cool
Thanks for attesting coolness
Made some further tests... though my time is really limited right now.
I found out that the message is sent from 2nd loader which is used for Ti's Flash tool.
So this might indicate that there's something wrong with my memory or memory bus.
I re-checked the RAM setup scripts for the Ti tool again but could not find any error. Reduced the timing as well. Still got that message...
It's very strange that the pattern really seems to stick, which is unusual for damaged memory... i will report further findings.
Anyway this is open discussion, feel free to post
Cheers,
scholbert
Nice try. Can you tell us about the RAM, it's built in the mainboard or changable?
We already know that, it's built-in ^^
(some have opened their Archos before ^^)
trungvn1988 said:
Nice try. Can you tell us about the RAM, it's built in the mainboard or changable?
http://forum.archosfans.com/viewtopic.php?f=74&t=42806
Soldered on, not changable by anyone with home soldering tools. Very small ball soldering. I gave it an attempt, even got a replacement 1GB RAM module as a test piece... Didn't work out well for me.
I'll definitely be keeping an eye on this topic, seems like some good information might come of it.
.............yippie yeah it's working out!!!!
Thanks for the feedback
First i'll have to quote myself:
It's very strange that the pattern really seems to stick, which is unusual for damaged memory... i will report further findings.
Guess what...... it's fixed!!!!!
I really go crazy. See attached log file.
External boot over USB and 2nd loader started up successfully, using the Ti tool.
So RAM is working now!
This definitely saved my day...
What happened exactly?
As i pointed out, the data on memory bus was stuck at 0x64, so i assumed there was an issue with DQM/DQS signals on PoP memory.
See some related documents about the function of these signals on RAM chips.
The DQM/DQS were not toggled in the right way because of bad soldering at the PoP memory chip.
See the attached pic for the exact position of these signals (marked in red).
The chip itself is soldered on top of the OMAP3630.
In the end i used a hot-air solder gun and some soldering flux and fixed the broken connection. In fact i used this "technique" some time ago to fix a "No GSM" issue on HTC Hermes.
Though i'm very excited right now, i'll have to take a break for today, because i have a date
Harfainx said:
I'll definitely be keeping an eye on this topic, seems like some good information might come of it.
Yes i'll try my very best
Kind regards,
scholbert
Guy, it's so nice! Keep up the good work!
datasheet collection
Hey,
i was lucky last week. My device is up and running.
Fortunately the eMMC data structure was O.K. In the end my device refused to boot, because of that broken connection to the RAM.
So there'd been no need to fiddle around with eMMC for now.
Maybe i'll do some investigation at a later point.
Feel free to set up your device for peripheral boot and try the Ti Flash tool debugging possibilities.
Right now i decided to re-assemble the device and use it for a while.
I must assume that i know nothing about the internal structure of the firmware. So it would be essential to get some insights
I got some additional information about the eMMC/microSD data lines.
If there's some interest i might post further pics.
To get some background about the chips on the A101 mainboard, i collected some datasheets of the main components.
Grab the zip-file here.
Most of them are easy to find, others are not
Anyway, saves your time i guess.
BTW, is there any tool to unpack gen8 AOS files?
Regards,
scholbert
yes it would be great if we could find one, maybe we could find a way to get inside and change some things
scholbert said:
...
Most of them are easy to find, others are not
Anyway, saves your time i guess.
BTW, is there any tool to unpack gen8 AOS files?
Regards,
scholbert
As far as i know we can't extract aos files since they are encrypted and we don't have the proper KEY - it's saved inside the device somewhere
But good luck with going on! Rly sounds interesting who knows what it's good for in future
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
..... uuuh great!!!
FrEcP said:
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
Yupp, that's awesome. I just joined that thread.
In the meantime i disassembled my device again, because i want to spend some more time on research.
I found out some more details about the chips and the design in general.
The A101 seems a pretty neat device for extensive hacking, because Archos did a good job and made a very clear design.
I started to prepare a pin map by looking at the kernel sources again.
Maybe i'll be able to find some other useful testpoints on the mainboard (e.g. UART2)
As you might know, the touchscreen is connected to USB using OHCI mode.
To attach it to the OMAP ports they also used a chip from Ti.
See this datasheet for more information:
http://focus.ti.com/docs/prod/folders/print/tusb2551a.html
If i'll find some time i'll try to make kind of a floor plan from the mainboard and post some pics as well.
P.S.: If someone knows the manufacturer of the speaker drivers, please tell me! The parts are marked as 8JAM892 and are located near the soldering points for the speaker.
Keep on hackin'
scholbert
What I would like to find out is what component it is that dies when the USB port fails (and it stops sleeping as well). Maybe it's replaceable (if you can do SMD soldering).
pbarrett said:
What I would like to find out is what component it is that dies when the USB port fails (and it stops sleeping as well). Maybe it's replaceable (if you can do SMD soldering).
Mmmh... without being affected by this issue it's hard to tell.
If the port dies, there could be many reasons of course.
Maybe the 5V power supply for Vbus is dying on these devices, due to "over-current" issue. I have not identified that part right now.
The signal lines themselves usually won't be harmed... apart from injecting ESD pulses right to the connector.
The USB host port is directly connected to data lines of the USB PHY inside TPS65921 (Power Management chip).
OMAP3630 itself uses ULPI mode to connect to this part.
That's all i could say for now.
Regards,
scholbert
FrEcP said:
good news - check out:
http://forum.xda-developers.com/showthread.php?t=1214674
seems we got a way to extract soon
If we can't extract those AOS files - how are custom ROM builders such as $auron getting their hands on the upper layer of the firmware? I know I am not expressing myself technically correct, but what I understand is that for instance $auron's UrukDroid is a custom Linux kernel etc. with on top of it the modules, GUI etc of the official Archos packages...
you don't need to extract the aos file to get the filesystem of the archos android. you simply have to root your device or just install angstrom (which comes with SDE) and then you can copy the squashfs file to your computer so you can extract whatever you need. it's not encrypted but signed, you only have to skip the first 256 bytes (if I remember correctly) of the file to get a valid squashfs image.
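One way to check the remembered offset from the post above instead of trusting it, as an added example that is not part of the original thread: it validates a squashfs superblock at the hinted 256-byte offset and falls back to scanning for the magic if the hint is wrong. The function names and the sample input are constructed for illustration, and the field layout assumed is the squashfs 4.x superblock.

```python
import struct

SQUASHFS_MAGIC = b"hsqs"   # squashfs superblock magic on little-endian images
SIGNATURE_LEN = 256        # header size as recalled in the post; a hint only
# First 48 bytes of a squashfs 4.x superblock (assumed layout).
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")


def parse_superblock(blob: bytes, offset: int):
    """Return superblock fields if a plausible squashfs image starts at offset."""
    if offset < 0 or len(blob) < offset + SUPERBLOCK.size:
        return None
    (magic, _inodes, _mkfs_time, block_size, _fragments, _compression,
     block_log, _flags, _no_ids, major, minor, _root_inode,
     bytes_used) = SUPERBLOCK.unpack_from(blob, offset)
    # block_size must equal 2**block_log; valid blocks are 4 KiB to 1 MiB.
    if magic != SQUASHFS_MAGIC or not 12 <= block_log <= 20:
        return None
    if block_size != 1 << block_log:
        return None
    return {"offset": offset, "version": (major, minor),
            "block_size": block_size, "bytes_used": bytes_used}


def find_squashfs(blob: bytes, hint: int = SIGNATURE_LEN):
    """Check the hinted offset first, then scan for the magic if the hint is wrong."""
    found = parse_superblock(blob, hint)
    pos = blob.find(SQUASHFS_MAGIC)
    while found is None and pos != -1:
        found = parse_superblock(blob, pos)
        pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return found


def strip_header(blob: bytes) -> bytes:
    """Return the blob from the start of the squashfs superblock onward."""
    found = find_squashfs(blob)
    if found is None:
        raise ValueError("no squashfs superblock found")
    return blob[found["offset"]:]


def make_sample(header_len: int) -> bytes:
    """Constructed input: placeholder header bytes plus a minimal fake superblock."""
    sb = SUPERBLOCK.pack(SQUASHFS_MAGIC, 1, 0, 131072, 0, 1, 17, 0, 1, 4, 0, 0, 96)
    return b"\xaa" * header_len + sb + b"\x00" * (96 - len(sb))
```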
