comparison compal/audio/omr-guide @ 379:a760a5eeed65
compal/audio/omr-guide: another avenue of investigation
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Sun, 10 Oct 2021 19:53:35 +0000 |
comparison
| 378:82fb5a70c9fd | 379:a760a5eeed65 |
|---|---|
| 1 When a C139 phone is booted up with a headset jack serial cable already | |
| 2 inserted, it behaves in an interesting manner: if you *don't* perform the | |
| 3 **16379# step, rvinterf running on the host won't see any output from the phone | |
| 4 beyond a little bit on boot, but if you send an omr command through fc-tmsh, | |
| 5 you get a response! The same behaviour occurs if you first boot the phone | |
| 6 normally with nothing in the headset jack, then insert the serial cable. It | |
| 7 looks like the electrical switch inside the phone is still set to connect the | |
| 8 headset jack to the UART, but the firmware suppresses its continuous trace | |
| 9 output beyond TM responses. | |
| 10 | |
| 11 Using this omr method, I was able to read the same DSP API words which we have | |
| 12 previously read via tfc139 break-in method; the bytes read via omr out of DSP | |
| 13 API memory locations corresponding to FIR coefficients and AEC config match what | |
| 14 we got via tfc139 break-in followed by fc-loadtool peeking. | |
| 15 | |
| 16 Now comes the next ambitious part: we know that oabbr is broken in Compal's fw | |
| 17 and thus can't be used to read ABB registers, but at least in TI's reference fw | |
| 18 the writes to Iota VBC registers are done via the DSP, rather than via the MCU | |
| 19 to ABB interface. Does Compal's fw do likewise? Can we read out DSP API words | |
| 20 through which these VBC registers are written? Let's give it a try! We need | |
| 21 to begin by calculating the absolute addresses which we will need to read via | |
| 22 omr: | |
| 23 | |
| 24 DSP NDB start address is 0xFFD001A8 | |
| 25 | |
| 26 d_vbctrl1 addr: 0xFFD001A8 + 0x44 = 0xFFD001EC | |
| 27 d_vbctrl2 addr: 0xFFD001A8 + 0x2E = 0xFFD001D6 | |
| 28 d_vbuctrl addr: 0xFFD001A8 + 0x34 = 0xFFD001DC | |
| 29 d_vbdctrl addr: 0xFFD001A8 + 0x36 = 0xFFD001DE | |
| 30 | |
| 31 Result: the bytes read out via omr do match what we got earlier by breaking in | |
| 32 with tfc139 and reading the ABB registers via abbr in fc-loadtool! This | |
| 33 observation gives us hope: if we do build the special hardware hack for | |
| 34 connecting to UART signal contact pads without going through the headset jack, | |
| 35 then there is a good chance that we will be able to use omr to read out the | |
| 36 firmware's audio settings for the handheld mode. Furthermore, if we don't | |
| 37 trigger the switch into headset mode and if we don't kill the fw with tfc139, | |
| 38 then we may be able to do omr readouts while the fw is running with a SIM, | |
| 39 connected to a GSM network, and making a call - a confidence boost for the | |
| 40 audio settings, plus we may be able to figure out how volume control works. |
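Review bot: the result paragraph at lines 31-32 states that the bytes read via omr match the earlier abbr readout, but the file records neither the values read nor the omr invocations used, so the match cannot be rechecked from this document alone. Consider listing the word read from each of 0xFFD001EC, 0xFFD001D6, 0xFFD001DC and 0xFFD001DE next to the address list at lines 26-29, together with the corresponding value from the earlier tfc139 session. The NDB start address at line 24 and the offsets 0x44, 0x2E, 0x34 and 0x36 are also given without naming where they come from, which a reader would need to know before reusing them against a different firmware build. The four address sums themselves are arithmetically correct.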
