annotate compal/audio/omr-guide @ 385:79e512a21e02

pirelli/audio-tones: busy tone captured
author Mychaela Falconia <falcon@freecalypso.org>
date Wed, 10 Nov 2021 02:35:20 +0000
parents a760a5eeed65
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
379
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
1 When a C139 phone is booted up with a headset jack serial cable already
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
2 inserted, it behaves in an interesting manner: if you *don't* perform the
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
3 **16379# step, rvinterf running on the host won't see any output from the phone
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
4 beyond a little bit on boot, but if you send an omr command through fc-tmsh,
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
5 you get a response! The same behaviour occurs if you first boot the phone
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
6 normally with nothing in the headset jack, then insert the serial cable. It
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
7 looks like the electrical switch inside the phone is still set to connect the
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
8 headset jack to the UART, but the firmware suppresses its continuous trace
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
9 output beyond TM responses.
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
10
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
11 Using this omr method, I was able to read the same DSP API words which we have
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
12 previously read via tfc139 break-in method; the bytes read via omr out of DSP
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
13 API memory locations corresponding to FIR coefficients and AEC config match what
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
14 we got via tfc139 break-in followed by fc-loadtool peeking.
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
15
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
16 Now comes the next ambitious part: we know that oabbr is broken in Compal's fw
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
17 and thus can't be used to read ABB registers, but at least in TI's reference fw
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
18 the writes to Iota VBC registers are done via the DSP, rather than via the MCU
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
19 to ABB interface. Does Compal's fw do likewise? Can we read out DSP API words
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
20 through which these VBC registers are written? Let's give it a try! We need
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
21 to begin by calculating the absolute addresses which we will need to read via
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
22 omr:
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
23
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
24 DSP NDB start address is 0xFFD001A8
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
25
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
26 d_vbctrl1 addr: 0xFFD001A8 + 0x44 = 0xFFD001EC
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
27 d_vbctrl2 addr: 0xFFD001A8 + 0x2E = 0xFFD001D6
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
28 d_vbuctrl addr: 0xFFD001A8 + 0x34 = 0xFFD001DC
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
29 d_vbdctrl addr: 0xFFD001A8 + 0x36 = 0xFFD001DE
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
30
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
31 Result: the bytes read out via omr do match what we got earlier by breaking in
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
32 with tfc139 and reading the ABB registers via abbr in fc-loadtool! This
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
33 observation gives us hope: if we do build the special hardware hack for
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
34 connecting to UART signal contact pads without going through the headset jack,
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
35 then there is a good chance that we will be able to use omr to read out the
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
36 firmware's audio settings for the handheld mode. Furthermore, if we don't
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
37 trigger the switch into headset mode and if we don't kill the fw with tfc139,
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
38 then we may be able to do omr readouts while the fw is running with a SIM,
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
39 connected to a GSM network, and making a call - a confidence boost for the
a760a5eeed65 compal/audio/omr-guide: another avenue of investigation
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
40 audio settings, plus we may be able to figure out how volume control works.