changeset 379:a760a5eeed65

compal/audio/omr-guide: another avenue of investigation
author Mychaela Falconia <falcon@freecalypso.org>
date Sun, 10 Oct 2021 19:53:35 +0000
parents 82fb5a70c9fd
children a66cb88c5f77
files compal/audio/omr-guide
diffstat 1 files changed, 40 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/compal/audio/omr-guide	Sun Oct 10 19:53:35 2021 +0000
@@ -0,0 +1,40 @@
+When a C139 phone is booted up with a headset jack serial cable already
+inserted, it behaves in an interesting manner: if you *don't* perform the
+**16379# step, rvinterf running on the host won't see any output from the phone
+beyond a little bit on boot, but if you send an omr command through fc-tmsh,
+you get a response!  The same behaviour occurs if you first boot the phone
+normally with nothing in the headset jack, then insert the serial cable.  It
+looks like the electrical switch inside the phone is still set to connect the
+headset jack to the UART, but the firmware suppresses its continuous trace
+output beyond TM responses.
+
+Using this omr method, I was able to read the same DSP API words which we have
+previously read via tfc139 break-in method; the bytes read via omr out of DSP
+API memory locations corresponding to FIR coefficients and AEC config match what
+we got via tfc139 break-in followed by fc-loadtool peeking.
+
+Now comes the next ambitious part: we know that oabbr is broken in Compal's fw
+and thus can't be used to read ABB registers, but at least in TI's reference fw
+the writes to Iota VBC registers are done via the DSP, rather than via the MCU
+to ABB interface.  Does Compal's fw do likewise?  Can we read out DSP API words
+through which these VBC registers are written?  Let's give it a try!  We need
+to begin by calculating the absolute addresses which we will need to read via
+omr:
+
+DSP NDB start address is 0xFFD001A8
+
+d_vbctrl1 addr: 0xFFD001A8 + 0x44 = 0xFFD001EC
+d_vbctrl2 addr: 0xFFD001A8 + 0x2E = 0xFFD001D6
+d_vbuctrl addr: 0xFFD001A8 + 0x34 = 0xFFD001DC
+d_vbdctrl addr: 0xFFD001A8 + 0x36 = 0xFFD001DE
+
+Result: the bytes read out via omr do match what we got earlier by breaking in
+with tfc139 and reading the ABB registers via abbr in fc-loadtool!  This
+observation gives us hope: if we do build the special hardware hack for
+connecting to UART signal contact pads without going through the headset jack,
+then there is a good chance that we will be able to use omr to read out the
+firmware's audio settings for the handheld mode.  Furthermore, if we don't
+trigger the switch into headset mode and if we don't kill the fw with tfc139,
+then we may be able to do omr readouts while the fw is running with a SIM,
+connected to a GSM network, and making a call - a confidence boost for the
+audio settings, plus we may be able to figure out how volume control works.