view Handset-UI-fw @ 19:f68ca40fa5c1

Firmware-deblobbing document written
author Mychaela Falconia <falcon@freecalypso.org>
date Fri, 13 Sep 2019 07:28:00 +0000
parents fcd1cf531017
children 2e9719074e79
line wrap: on
line source

The present article is a companion to the TCS211 firmware architecture document
(TCS211-fw-arch).  Those who are interested in the FreeCalypso phone handset
goal (which is currently a very distant goal) should read the TCS211-fw-arch
document first and then this article, whereas those who are more interested in
the rock solid FreeCalypso modem (as opposed to handset) solution which is
already available today and would like to understand our modem fw better only
need to read the TCS211-fw-arch document and can safely skip this handset UI
addendum.

TI's offerings for handset UI
=============================

Unlike their rock solid, full commercial product offering for AT-command-
controlled modems, TI never produced a reference phone handset firmware
implementation that could be used as-is with minimal or no changes: instead
they provided a very rough proof-of-concept implementation which is nowhere
close to usable, and left it up to their customers (handset manufacturers) to
whip it into even a minimally decent shape.  Furthermore, they had several
different approaches over the years to what the GSM industry calls by the
sexist term "MMI":

* They once had something called SMI, for "simple MMI" or "slim MMI".  We have
  what appears to be the complete source for this SMI component as part of the
  MV100-0.1.rar and 94140216gsm.rar finds, but both of those finds are just
  broken fragments, not a complete firmware for any target.  It might be
  possible to integrate this unknown-origin SMI source into Magnetite and get
  it to work with the TCS2 version of ACI, but no such feat has been attempted
  yet - it would be a mere curiosity, not something for practical use.

* SMI later gave way to a successor called BMI for "basic MMI", which is much
  bigger in terms of code size and complexity and consists of two layers: there
  is a layer called MFW (mobile framework) that sits on top of ACI, and then
  BMI proper sits on top of MFW.  This incarnation of TI's demo/prototype phone
  UI is the one which they officially supported in the TCS211 program, and our
  copy of TCS211 from OM miraculously has these BMI+MFW sources included, even
  though OM obviously didn't use this code and could not even compile it without
  doing some surgery on the build system.  Our other TCS3.2/LoCosto source also
  has BMI and MFW matching that newer version of G23M ACI and PS components,
  and we use this new TCS3 version of BMI+MFW in our TCS2/TCS3 hybrid config.

* It appears that TI once had or were trying to develop some kind of Riviera-
  based "MMI" code as an alternative to the Condat-based SMI and BMI.  SMI and
  BMI+MFW execute in the same "MMI" GPF task as ACI and communicate with it
  through direct function calls; in contrast, the alternative Riviera MMI would
  run somewhere in Riviera land and communicate with ACI through ATP and some
  kind of ACI adapter.  We never got any of this code, and it is not clear if
  it was ever a reality beyond just the idea.

In any case, it is clear from the code that TI's SSA group in France who
developed the drivers for various Calypso chipset peripherals including LCDs,
keypads and ringing buzzers on their development boards and the Condat UK group
who did SMI and BMI had very different visions and ideas.  Some examples:

* The Calypso DSP has a built-in mechanism for playing quite pleasant-sounding
  ringtone melodies through a loudspeaker driven by the chipset's ABB, and the
  SSA group developed their RiViera Audio Service front-end to these L1+DSP
  audio services, but Condat's code makes absolutely minimal use of this RV
  Audio Service, just enough to be compatible with it, and does not use any of
  the melody functions, neither E1 nor E2.

* In the original TCS211 architecture before LoCosto changes, the driver for
  the physical LCD was/is R2D in the Riviera/SSA land.  R2D provides a very rich
  set of text and graphics drawing primitives, but Condat's display layer does
  not use any of them: instead they obtain the raw framebuffer address from R2D
  and do all drawing operations themselves.

* The TCS211 code we got had a jaw-dropping bug in the code path for ringing
  the piezoelectric buzzer: due to a miscommunication between the French folks
  in charge of the actual buzzer driver in chipsetsw and the German or UK folks
  in charge of Condat's audio layer, the buzzer always rang at some 99 Hz (its
  lowest possible frequency, horrible on ears) no matter what tone frequency
  was intended.  Given that our copy of TCS211 dates from 2007 and considering
  how old the buzzer function must be, it hurts to think for how many years
  that bug sat there without anyone wondering why ringing sounds so horrible.

In terms of the code architecture, none of Condat's UI code ever calls any of
the actual drivers in the SSA realm directly: instead everything goes through
the Condat drivers layer in condat/com/src/driver, and that layer provides a
very poor adaptation as highlighted above.

LCD support
===========

TI's demo/prototype UI code never supported a wide variety of different display
sizes or keypad layouts - instead they only supported whatever existed on their
in-house development boards at each given point in their history.  TI's C-Sample
and earlier development boards had 84x48 pixel B&W displays, whereas from
D-Sample onward they made the big jump to a 176x220 pixel color LCD.  Both
versions of the UI we got (TCS211 targeting D-Sample and TCS3.2 targeting
I-Sample, TI's LoCosto board) were developed on 176x220 pixel color LCD
platforms, and that is the only display size which they intended to support.
There also exists a remnant of support for their earlier 84x48 pixel C-Sample
LCD, which we resurrected in FreeCalypso to see it run on Mot C139 hardware,
but that support was broken: it would not even compile without our fixes.  In
our current FC Magnetite firmware we can build this C-Sample UI version for the
C139 target and it works in the demo / proof-of-concept sense, but it is likely
to be even more broken than the official 176x220 pixel version.

Anyone interested in adding support for a different LCD will need to start with
the R2D driver under src/cs/drivers/drv_app/r2d.  The principal LCD type
selection is done in r2d_config.h (C-Sample and D-Sample are the only options
supported by the version we got with TCS211), and this selection affects all of
R2D and all of its clients.  Our change to this r2d_config.h LCD type selection
logic consists of selecting C-Sample instead of D-Sample when the build target
is C139.  A secondary selection is made in r2d_inits.c and r2d_refresh.c where
the code snippets for the actual hardware initialization and output are
included: the way we currently support the C139 hw target is a very thorough
emulation of the C-Sample including its vertical B&W framebuffer format, all of
the code in R2D and in Condat's display driver sees a real C-Sample LCD, and
only the hardware-poking code is substituted.

The direct implication of our C-Sample emulation approach for the C139 LCD is
that the full 96x64 pixel size of Motorola's LCD becomes completely
inaccessible, and all software sees a 84x48 pixel subset.  The same happens
with color: because TI's C-Sample LCD was B&W, the color capabilities of the
real C139 LCD become inaccessible.  Anyone who wishes to fix this shortcoming
would need to implement a new bona fide LCD type in R2D, and then adapt
Condat's display driver accordingly.

Condat's display driver (condat/com/src/driver/display.c) is very messy and
very difficult to understand.  The only change we have made to it in FreeCalypso
was fixing the support for the C-Sample LCD which was bitrotten: the bitrot and
our fix for it is not specific to the C139, it would affect a real C-Sample
board just as well.  Understanding this code well enough to extend it to other
LCD geometries and framebuffer formats would be a much greater challenge.

Above Condat's display driver lies the actual UI implementation in BMI and MFW.
This UI code supports only 3 possible configurations:

* Both COLOURDISPLAY and LSCREEN defined: the display is 176x220 color;

* LSCREEN is defined but not COLOURDISPLAY: the display is 176x220 B&W - TI
  used this config when building "GSM Lite" fw for the D-Sample;

* Neither LSCREEN nor COLOURDISPLAY defined: the old 84x48 pixel B&W UI from
  the days of C-Sample and earlier.

Note the lack of support for small color displays like the one on the C139.

Text fonts
----------

The SSA group's R2D driver provides text display functions and contains its own
fonts, but Condat's stuff does not use those display functions or fonts -
instead BMI and MFW (and presumably SMI too) use a different font/text
implementation contained in the Condat drivers layer.

Keypad support
==============
 
The hardware keypad driver is KPD in Riviera/SSA land, residing in
chipsetsw/drivers/drv_app/kpd in TCS211 or in src/cs/drivers/drv_app/kpd in
Magnetite and Selenite.  Unlike the display driver R2D, KPD is always included
even in modem firmware builds - but if there is no keypad connected to the
Calypso, it does nothing.  TI's firmware architecture and UI code support only
traditional numeric keypads - there is no provision for supporting a full QWERTY
keyboard.  However, if the keypad layout on a given phone handset is close
enough to what TI had on their development boards, modifying KPD for the
specific wiring is very easy: we have already added proper support for Mot C1xx
and Pirelli DP-L10 keypads.

Battery monitoring and charging
===============================

TI had two incarnations of their battery charging and monitoring driver: first
PWR, then LCC.  Both were implemented in Riviera/SSA land.  LCC was not a good
fit for our targets of interest (Mot C1xx, Pirelli DP-L10 and our desired
FreeCalypso Libre Dumbphone hardware) while PWR had other problems, so we
retired both of them and wrote our own replacement called FCHG.

There is a quirk, however: there is no connection in the TCS211 code as
delivered by TI between their demo/prototype UI (or rather between Condat's
power driver stub) and either of their battery driver implementations.  At the
time of TCS211-2007 the original PWR driver had already been retired and only
LCC was supported, but even that LCC driver had no connection to the UI: one
could remove it from the fw build configuration and the UI code would still
compile and link just fine, which would not be possible if there were any calls
to LCC's API functions.  The practical effect of this quirk is that there is no
need to resurrect PWR or LCC in order to run TI's UI code in its pristine
original form - using our own FCHG or no battery management driver at all is
just as fine.

The proper way to get proper support for Mot C139
=================================================

I (Mother Mychaela) feel very strongly that the best way to produce practically
usable end user FreeCalypso firmware for the C139 target would be to do it
together with our own FreeCalypso Libre Dumbphone development, as opposed to
trying to support the C139 to the exclusion of our own FreeCalypso hardware.
Specifically, I propose the following order of steps:

1) First build our own FreeCalypso UI development board, a derivative of the
   FCDEV3B adding a 176x220 pixel color LCD and other miscellany to serve as a
   replacement for TI's D-Sample.

2) Retire the C-Sample UI configuration and our currently implemented C-Sample
   emulation hack on the C139, and start running TI's UI code the way TI's own
   developers ran it on the D-Sample.

3) Change the "small screen" UI layout from 84x48 to 96x64 pixels (from 6 rows
   of 14 characters to 8 rows of 16 characters with TI's existing font), and
   fix the bugs related to displaying this "small screen" (!LSCREEN) UI on a
   physically larger LCD - we would like to display it on our 176x220 pixel UI
   development board.

4) Extend the UI code to allow the possibility of COLOURDISPLAY && !LSCREEN,
   i.e., a small (96x64 pixels) color display like on the C139.  Have this
   96x64 pixel color UI displayed on our 176x220 pixel UI development board.

5) Work on getting the actual UI into shape, keeping the two configurations of
   176x220 pixel color (future FreeCalypso Libre Dumbphone) and 96x64 pixel
   color (Mot C139) as actively supported ones.  Do all development on our
   176x220 pixel UI development board.

6) Once the UI-enabled firmware works decently on our development board in both
   176x220 and 96x64 configurations, add native C139 LCD support (not C-Sample
   emulation) to R2D, adapt Condat's display driver as necessary if we are still
   using it (if we don't find a way to get rid of it by this point), and run
   our 96x64 pixel color UI config on real C139 hardware.  At this point we
   should have practically usable end user FreeCalypso fw on the C139.

7) While the less demanding and more casual phone users will be happy with the
   feeble C139 if it runs our FreeCalypso fw, those of us who desire the
   Ultimate Awesome Libre Dumbphone will be able to take our 176x220 pixel UI
   development board and start turning it into an actual FreeCalypso Libre
   Dumbphone handset.  This will be the point when we can move the ringtone
   output from the piezo buzzer to the loudspeaker (Melody E1) and start making
   other changes for better-than-C139 hardware.

Of course the biggest difficulty with the above plan is that it requires
designing and building a new piece of hardware as its very first critical step.
My personal plan is to kill two birds with one stone: design the board in such
a way that it can be used both as a development board for the above plan and as
a close-to-final prototype for my desired FC Libre Dumbphone handset - although
not completely final, as this board would absolutely need to be usable in its
bare form on a lab bench without plastics, which calls for a somewhat different
design than a final handset product.

Anyone who disagrees with my approach, anyone who is against designing and
building new custom hardware at high cost and who is instead interested first
and foremost in pre-existing hardware targets like Mot C139 is more than welcome
to delve into the code themselves and try their own hand at fixing the code to
make it practically usable on the C139.  However, I have to warn you: if you
spend a significant amount of time working with TI's code and develop an
affection for it, it is quite possible that you will start to feel the way I do
in terms of desiring a D-Sample-like platform for development.

Why Mot C139?
=============

Out of the known repertoire of pre-existing Calypso-based phones whose existence
has been discovered by OsmocomBB and for which we already have some foundations
of support in FreeCalypso, Mot C139 is the most suitable one for the purpose of
turning it into a Libre Dumbphone by way of aftermarket firmware.  Here are the
problems with the other ones:

* Pirelli DP-L10 is my absolute favourite with an end user hat on, but the
  unwanted extra chips for the unwanted-for-us WLAN and camera functionality
  are a killer.  There are no schematics for the phone and no documentation for
  any of these chips, and we don't know how to power them down.  In a fully
  quiescent state with all Calypso sleep modes enabled and with both LCD and
  keypad backlights off, the board still draws about 87 mA from the battery,
  which will kill a fully charged battery in about 10 hours of complete idle.
  Furthermore, it is not possible to turn on the loudspeaker without going
  through the W56940 ringtone chip, and the reset line for this chip comes from
  a GPIO on the completely undocumented camera chip - thus without a way to
  control this reset line we may not be able to program the W56940, and without
  that programming we may not be able to turn on the loudspeaker, ruining all
  usefulness of this phone.

* Mot C11x/12x family is good in terms of not having any undocumented hardware,
  but the tiny RAM capacity is a bummer.  These lowest-end phones have only
  256 KiB of IRAM (Calypso internal RAM) and 256 KiB of XRAM (board-level RAM),
  whereas the next-step-up C139/140 has 512 KiB of XRAM.  It is a significant
  difference for us: while we fit into C139's 512 KiB with no sweat, it would
  require some very unpleasant and unrewarding work to trim the fat and
  reshuffle our memory usage to fit into the 256+256 arrangement on C11x.
  Furthermore, most C11x/12x phones have only 2 MiB of flash, which would again
  require major contortions to fit into, whereas all C139/140 phones have 4 MiB.

* Mot C155/156 seem nice, but there is a problem: these phones ring with a
  loudspeaker driven by a ringtone generator chip instead of a piezo buzzer
  driven by the Calypso, and their ringtone generator chip is Sunplus SPMA100B.
  No documentation could be found for that chip, and if we can't program it, we
  won't be able to make the phone ring or operate its loudspeaker in any other
  way.  Furthermore, the LCD controller in these phones is much less obvious
  than the one in the C139/140.