annotate pirelli/keypad @ 160:db3b300da465

malware version of the C118 bootloader reversed
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Thu, 15 May 2014 08:38:42 +0000
parents 023d55d76b28
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
61
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
1 Seeking to understand the 16-pin interface between the main PCBA and the keypad.
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
2 Both connectors (the one on the main PCBA and the one on the underside of the
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
3 keypad) have silkscreen with pin numbers around them, but the numbers in these
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
4 silkscreen labels don't match: per the main PCB silkscreen, pin 1 is toward the
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
5 edge of the phone, whereas per the keypad underside silkscreen, pin 1 is toward
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
6 the middle.
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
7
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
8 Here I will use pin numbers per the main PCBA silkscreen.
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
9
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
10 Geometric centre of the footprint is at (3923,456) in steve-m's L8 scan.
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
11
63
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
12 Pin 2: *guess* may be KBC0
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
13
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
14 Pin 3: L8 trace to (4068,278), L7 damaged, guessing the middle trace in the
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
15 bunch of 3 found when tracing KBC0. Inner via at (4084,491). Found it on L2,
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
16 goes to (4107,482). Goes to Calypso ball M5, or maybe N5. N5 seems unlikely,
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
17 as it's a power pin, so must be M5 - but that is KBC4, which shouldn't go to
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
18 the main keypad.
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
19
61
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
20 Pin 8: connected to massive copper flood, almost certainly GND.
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
21
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
22 Pin 9: connected to a copper fill that's islanded by some traces, so it may or
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
23 may not connect the same massive fill (GND?) as pin 8. In this island there is
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
24 a largish solid-connect via at (3915,475) and two smaller ones at (3766,539)
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
25 and (3911,507). On L7 these vias connect to massive copper flood - definitely
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
26 GND.
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
27
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
28 The keymap given in OsmocomBB (confirmed to be correct) indicates that the main
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
29 keypad ought to use KBC0 through KBC3 and all 5 KBR lines. The 3 side buttons
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
30 use KBC4 and KBR1 through KBR3. Let's try tracing the KBC and KBR lines of
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
31 interest from the Calypso.
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
32
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
33 Tracing KBC0, Calypso ball N4: goes to via at (4122,380). Found it on L2, goes
2bc45eb8818d Pirelli PCB RE: attempt to trace out KBC/KBR lines stopped by grind-down damage
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
34 to a larger via at (4130,444). Found it on L7, trace disappears into the edge
63
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
35 grind-down damage. The trace disappearing into the damage is the leftmost in a
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
36 bunch of 3, the point at which the middle of the bunch is cut off is (4116,352).
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
37 A *guess* is that we may be going to connector pin 2.
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
38
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
39 Let's try tracing some signals from Iota. Let's start with PWON (ball F8).
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
40 L1 trace from ball seems to go to (2767,974). On L2 it goes to two vias:
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
41 (2730,745) and (3312,194). Both vias are inner. Following (3312,194) first.
023d55d76b28 Pirelli PCB RE: another failed attempt at tracing the keypad connections
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 61
diff changeset
42 Unable to find it, edge damage gets in the way again.