Harald Welte's blog


Harald's Web




Other Bloggers
David Burgess
Dieter Spaar
Michael Lauer
Stefan Schmidt
Rusty Russell
David Miller
Martin Pool
Jeremy Kerr
Tim Pritlove (German)
fukami (German)
fefe (German)
Bradley M. Kuhn
Lawrence Lessig
Kalyan Varma


Ohloh profile for laforge
Linked in

Creative Commons License
Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License.



Mon, 04 Dec 2006
My reason for being away from OpenEZX

This post should have been posted months ago, but only since very recently I'm allowed to talk about the real reason. You might have read about it, if you read my full blog, but I'm posting this again in the 'a780' category to make it appear on planet.openezx.org

I've been hired to be key element in the design and implementation of the OpenMoko platform and the first device it supports: The Neo1973 phone. While there is no provision in the contract preventing me from working on the OpenEZX project at all, this assignment has just sucked up all available time like a vacuum cleaner.

To OpenEZX developers, users and supporters: Please be assured that most of the work done on OpenMoko will eventually benefit OpenEZX quite a lot. So please stay tuned, and concentrate on the low-leve device-specific issues that need to be resolved with the Motorola EZX hardware :)

[ /linux/a780 | permanent link ]

Fri, 15 Sep 2006
A1200 LSM / SELinux update

James Morris got quite interested when I told him that the A1200 uses SELinux to lock out the users (owners!) from their own phone ;) So we both did some further analysis, and it turned out that Motorola had actually released the source code to their own policy engine (MotoAC) with the A1200 kernel sources on opensource.motorola.com, whcih is good.

Still we didn't understand why you would use an unmaintained, at least three years old version of SELinux to base a forked policy engine on it - but obviously this is the world of Free Software and everybody is allowed to make his own decisions.

I've also catched up with the A1200 in general and found out that people have already managed to flash their own kernel into it, whcih is great. I wish I had more time to put into OpenEZX at this point, turning it into something that is actually useful. HINT: Skilled volunteers needed.

Pavel Machek apparently got one and is annoyed by the restrictive SELinux policies. By now I'm quite sure that it's not all too difficult to get rid of them ;)

[ /linux/a780 | permanent link ]

Fri, 01 Sep 2006
ROKR E2 Linux Phone review

There has been an extensive review of the Linux based Motorola ROKR E2 phone at osnews.com.

[ /linux/a780 | permanent link ]

Tue, 29 Aug 2006
Wanted: Author and/or sources for EZX "qonsole" application

The original author of the KDE "Konsole" program, Lars Doelle, is actively looking for the Author and/or the source code of the "qonsole" program, a terminal program for the Motorola EZX platform that is apparently derived from GPL licensed Konsole.

Since the legal status of qonsole never was clear, I always refused to host it on any of the OpenEZX project resources. I didn't really know of any GPL violation going on, but had a somewhat strange feeling.

If any of you has information on where the qonsole program originates, please make sure to inform either Lars or me about it. We know by now that it appears to originate from some chinese or singapore mobile phone forums.

It's good to see more software authors of GPL licensed programs actually caring about enforcement of their license :) I sincerely hope this can be resolved and qonsole either distributed in gpl-compliant way, or a re-implementation be found/made.

[ /linux/a780 | permanent link ]

Mon, 10 Jul 2006
Motorola ROKR E2

I've found the ROKR E2, which is yet another Motorola Linux GSM/GPRS phone exclusively sold in china so far. Apparently since June 22nd, so it's a quite new thing. It's very different from the A7xx/E680x series in that it doesn't have a touch screen, but many more buttons. Also, it features a full-size SD card slot, which makes it theoretically SDIO compatible (I'm pretty sure they use some SDIO compatible SD host controller in there).

Let's see whether I can work with the Chinese language firmware. I already found out how to get it into boot-loader flash mode (by pressing the camera button on the upper right side while powering the device up). It looks completely different than the blob on the A780/E680, but that doesn't really mean anything.

As of now, I don't have any technical proof that the device runs Linux. I'll probably not find time to play with this toy before I get back to Germany. But if anyone has hints or further information on how to dig deeper into the ROKR E2, don't hesitate to send me an email about your findings.

[ /linux/a780 | permanent link ]

Sat, 08 Jul 2006
Motorola A728 and A732

Just next to my hotel, there is a book store that also sells mobile phones. Among the Motorola models are the A728 and A732, both Linux based. They're about 160EUR each. I don't yet know whether that is a good price, but now after checking with some online shops I think it is.

So I guess I'll get one of each in order to investigate whether we can hack them from an OpenEZX point of view. Also, this finally allows me to obtain proof whether they're still shipping GPL incompliant or not.

I'll continue to look for an A768 and E895. Let's see whether I'll find some time to do some more serious 'shop browsing'.

[ /linux/a780 | permanent link ]

Fri, 23 Jun 2006
Some small A780 progress

I've continued my work on porting the ts07.10 from Motorola's mux_cli to 2.6.x. It now compiles, although I have no idea whether it actually works as expected.

Since Linux 2.5/2.6 has undergone quite some sophisticated changes in both scheduling/context area (no more struct task_queue) as well as the tty layer (dynamically allocated and managed flip buffers, etc), the task has been a bit more challenging than the usual copy+paste+minor_fixup task.

I'll also be releasing the -ezx6 kernel soon (2.6.17 based) in the next couple of days, where I plan to merge mickey's various driver bits (LED, backlight, keypad fixes) and the above-mentioned mux_cli.

[ /linux/a780 | permanent link ]

Mon, 12 Jun 2006
Interview on OpenEZX at LWN.net

For those interested, lwn.net is featuring the first part of an interview withe me on the status of the OpenEZX project. The way longer pert of the interview on gpl-violations.org will be posted within the next two weeks.

Now let's hope that I'll be able to fix that nasty netfilter bug that I'm hunting for weeks now and get back to OpenEZX kernel hacking...

[ /linux/a780 | permanent link ]

Wed, 07 Jun 2006
Not working on OpenEZX at the moment

Due to lots of other "real life" and "real work" constraints, I'm not able to work on OpenEZX for at least another week :(

[ /linux/a780 | permanent link ]

Sat, 27 May 2006
Porting Motorola's TS07.10 MUX driver to 2.6.x

Since Motorola has finally released the source code for the mux_cli.o and gprsv.o modules of their 2.4.17 kernel on opensource.motorola.com, I've started to clean them up and port them to 2.6.x.

Due to the questionable coding style of that original source code, and the many interface changes in the TTY layer between 2.4.x and 2.6.x, this turns out to be a bigger task than expected. With some luck, I'll find some time tomorrow at ph-neutral to finish the initial port.

Once that code works on 2.6.x, I already have a quite long list of TODO's. First of all, the lower-layer interface needs to be cleaned up. Ideally, the whole TS 07.10 implementation is a TTY line discipline that can be stacked on top of any UART, together with a virtual/fake UART that makes use of the Motorola specific TS07.10 USB transport.

[ /linux/a780 | permanent link ]

Fri, 19 May 2006
Touch-screen driver for A780/E680, lots of other progress

As of today, the OpenEZX project has a working touch screen driver. I've been testing this with the Kdrive X11 server of OpenEmbedded, and it seems to work nicely on my A780 after calibrating with ts_calibrate.

This is such a major step forward, since the touch-screen driver requires a functional PCAP2 driver, which in turn comprises working SPI support, as well as some tricky SPI-during-hardirq for interrupt chaining.

If you're interested in giving it a try, there's the the -ezx6 quilt patchset including all this work.

Also, thanks to the work by Michael 'mickey' Lauer, I've managed to set up an OpenEmbedded environment to build a distribution for OpenEZX. You can find the first bunch of packages as well as a root filesystem that you can put on TransFlash on my OpenEZX developer pages.

The availability of a OE based root filesystem, a kernel with keypad, touch-screen, usbnet and framebuffer support actually means that all the [G]UI people can now start to work on making their favourite UI system work on OpenEZX. Given the amount of interest I've seen in this area, I'm confident that I still don't (yet) need to dive into UI development myself but can stay with the more technical low-level stuff.

Speaking of which, I've also hacked a nice tool called gpiotool, using which you can read/write GPIO configuration as well as individual GPIO pins from userspace. If I had written this earlier on, it would have saved a lot of time and hassle. But then, it's always hard pushing yourself to develop code that _just_ aids development and doesn't really add any functionality itself.

Using this tool I'm now investigating the AP/BP interaction (handshake). Let's hope that we can actually use the phone as a phone really soon.

[ /linux/a780 | permanent link ]

Mon, 15 May 2006
Motorola launching opensource.motorola.com

Motorola seems to be making some progress internally. Today they've announced the availability of opensource.motorola.com, a web site dedicated to free and open source software used and developed in/by Motorola. This is apparently also the portal where they are starting to publicize the source code for their Linux based Smartphones.

While the source code there is not complete in any way [yet], it actually includes the kernel sources for the A1200 phone, too. After a quick read through it, it seems to be very similar to the A780 code (because of a very similar hardware architecture).

Some of the differences are:

  • FOTA (Flash on-the-air)
  • Basically a function by which network operators can modify the flash memory of your phone, thereby forcing software updates onto you. Not something completely new in the GSM world, but something that always gives me the creeps as a security professional.
  • Power Management
  • Apparently the power management capabilities were extended to provide better battery life time.
  • Minor differences in boot loader / kernel handover
  • SE Linux
  • Yes, they're actually using SE Linux features on a phone. I haven't yet tried to figure out for what, but usually you would assume that the mobile phone vendors/operators use it to lock their users out of the phone, rather than protecting the users from the evil outside world.

[ /linux/a780 | permanent link ]

Sun, 14 May 2006
A full day of EZX driver development

Today wasn't exactly the most efficient day of development I ever had. Basically, the amount of progress made after 13 hours of hacking in the area of EZX device drivers is extremely slow. It didn't even help to not eat, not cook, and not get out of the bed for the whole day. Basically I started with "let's fix this quickly before breakfast", but it wasn't fixed even when I stopped working at 11pm.

My new SPI driver seems to be working fine, but I have massive problems with all the PCAP drivers. This is mainly touch-screen, but also ADC for reading battery voltage, etc. Somehow I cannot get it to produce any IRQ's.

[ /linux/a780 | permanent link ]

Fri, 12 May 2006
Debian sarge root filesystem image for EZX phones

In order to get other developers going quickly, I have now provided a Debian sarge (arm) root filesystem and a corresponding kernel plus instructions.

Anyone who wants to see a stock Debian installation boot on his EZX phone, have a look at the files published here.

[ /linux/a780 | permanent link ]

Thu, 11 May 2006
OpenEZX virtual host running

I've finally found the time to configure the OpenEZX virtual host. This means that I now have absolutely no problems to hand out developer accounts on openezx.org. I've also moved the EZX related subversion repository from gnumonks.org to this machine.

If you're working on free software for Motorola EZX smartphones, and are interested in getting some account where you can host your project(s) in svn / git, dump some code on http/ftp or just want a openezx.org email address, please let me know.

[ /linux/a780 | permanent link ]

Working on Bluetooth and GPRS/GSM support

I've been working a bit on getting Bluetooth and GPRS/GSM support into my 2.6.x based kernel for the A780. Both are quite a bit challenging, even more than I initially thought so.

As for Bluetooth: In theory there is a bcm2035 chip, compatible to the Bluetooth HCI specification, attached to ttyS1 (BTUART) of the PXA270. However, there are some power management related additional signals hooked up to GPIO signals. I think I'm configuring them right, though. Also, there is some indication that the bcm2035 actually requires a bit of firmware loaded into it. Without a vendor data sheet and with only some stripped proprietary Motorola dload program this will require quite a bit more of investigation.

My initial 'demand' for Bluetooth would have been the possibility to use my Apple BT keyboard with the framebuffer console, providing a local console in case telnet dies for some reason.

On the GSM/GPRS front (yes, we actually want to use the phone as a phone sometimes), I've been wading through disassembled gprsv.o and mux_cli.o code. Both re-implementations are progressing slowly, but steadily.

The easier part seems to be mux_cli.o. I've now started to write some libusb based userspace code to test a ts07.10 implementation in userspace via the USB endpoints to the BP. Once the userspace code seems to be working, I can work on a kernel level implementation. The good thing about this is that there are actually quite a few GSM phones that support this multiplex on their serial port. So the resulting mux/demux driver will actually be useful for more people, not just Motorola Linux smartphone owners.

[ /linux/a780 | permanent link ]

Sat, 29 Apr 2006
A780/E680: SPI driver using hardware SPI controllers working

So apparently there is no obvious reason for Motorola's driver using bit-banging rather than the controllers inside the PXA270. I now have a modified Motorola driver on running that uses the SPI controller for the bus to PCAP2. Getting my own driver running should therefore be quite fast now.

I've also hacked a bit on the keyboard side, although it's not working yet.

[ /linux/a780 | permanent link ]

Thu, 27 Apr 2006
Working on new SPI/SSP drivers for OpenEZX kernel

One of the fundamental interfaces on the Motorola EZX phones is SPI, which interconnects (among others) the PCAP2 peripheral with the PXA270. Motorola ships their 2.4.20 kernel with some ugly piece of spaghetti code driver for it. Apparently they've had difficulties driving the PXA27x SPI controller, and in the end decided to just 'bit-bang' the signals over GPIO. Obviously that's inefficient and CPU-intensive. I hope there is no real hardware problem preventing the use of the embedded SPI controllers.

First I started writing a driver against arch/arm/mach-pxa/ssp.c, only to discover later that this code actually predates (and therefore doesn't use) the generic drivers/spi/ interface. Since I'm a fan of generic interfaces, I chose to write a PXA generic driver for the drivers/spi interface, plus some EZX specific glue code for it.

One of the interesting bits is that the PCAP2 can interrupt the PXA, and it then acts as an external interrupt controller, whose registers you can access over SPI. So a PCAP2 interrupt can mean that some touch-screen event happened, that the headphone, USB or microphone jack state has changed, etc. All those various real interrupt sources need to be fed to individual distinct drivers (audio, touch-screen, USB). The Motorola kernel uses an ugly kludge of callback functions that those drivers can register with the SSP/SPI driver.

So in my new driver, I choose to actually model that bit of PCAP2 functionality as an external interrupt controller. This way the actual sound/touch-screen driver can just do request_interrupt() like they usually do. However, this means that I need to access SPI from within hardirq context, which again doesn't mix well with the architecture of the drivers/spi code (which is asynchronous and queues requests). So I need to implement a couple of synchronous SPI functions in addition to that.

This is now a lot of code, and I'm about to test and debug it, which is expected to be time-consuming and boring. I'll post a status update as soon as there's more information.

[ /linux/a780 | permanent link ]

Sat, 22 Apr 2006
OpenEZX: USB Ethernet support working

After lots of hacking at FISL 7.0 in Porto Alegre, I've managed to get the PXA27x USB device controller to work in USB Ethernet emulation to work. I can now actually ping and telnet to the E680, using a debootstrapped Debian/ARM on SD-Card.

I'll publish the patches in one or two days, when everything has stabilized a bit, and the debugging code has been removed.

Also, at the event here, I've managed to convince quite a number of Free Software people that those Linux smartphones are actually quite interesting toys. Most notably, Keith Packard of Xorg fame has indicated he would probably be getting one and working on a lightweight UI. This motivates me even more to have a stable and fully working kernel environment finished soon.

[ /linux/a780 | permanent link ]

Mon, 17 Apr 2006
State of OpenEZX 2.6.x kernel development

During my two days of EZX phone hacking, I've made significant progress. Probably the most important discovery was how to get a serial console on the USB plug, enabling other people to do further kernel development without physically modifying the phone - but it's still a long way to go.

A current list of TODO's:

  • find out why kernel doesn't boot with CONFIG_IWMMXT
  • find out why E680 SD/MMC works, but not A780 TransFlash
  • debug and fix pxa27x_udc in order to provide usbnet (nfsroot!)
  • debug and fix mtd support in order to be able to access system flash
  • port and cleanup video and sound drivers
  • port Motorola-specific SSP/SPI drivers into 2.6.x generic SPI stack
  • port all the driver specific dpm bits from Motorola's 2.4.20 to 2.6.x
  • clean up the already working keypad drivers
  • finish re-implementation of mux_cli and grpsv modules
  • look into re-implementing the proprietary flash fs drivers, though I don't think that is particularly important, we could run our code 100% on SD/TransFlash
  • create a modified bootloader that allows for multi-boot configurations. It could actually include SD/TF support for booting kernels from there.
  • check how the other (later) Motorola Linux smartphones differ and merge their device-specific code into our 2.6.x kernel tree
  • last, but not least, we need to do something about userspace. I'm not a GUI guy at all, and I haven't yet thoroughly investigated all the existing projects like OPIE, etc. I'm sure once the hardware support is there, some more GUI-savvy people will do something in that area, though.

So why am I stating this here? Because it's up to _you_ to help and take care of one of these tasks if we want to see the dream of having a fully-free software E680/A780 before they get phased out ;)

[ /linux/a780 | permanent link ] boots on EZX phones

I've finally managed to get a 2.6.x kernel running on the Motorola A780 and E680. Apparently the problems I encountered are part of 2.6.14 (which was current mainline when I started the port). After merging my patches into, everything suddenly worked fine ;)

So what I've got now:

  • kernel booting on both A780 and E680
  • USB host controller towards Neptune BP working
  • USB device controller partially working
  • MTD support for all flash partitions
  • SD/MMC support on E680 (TransFlash on A780 not working yet)
  • Framebuffer working on both models, with nice 4x6 tiny font

The main obstacle now is that TransFlash on the A780 is not working yet. The A780 is actually more important than the E680. For some strange reason, all the response bytes from the TF card appear to be zero (at least that's what the response FIFO of the PXA27x embedded SD/MMC controller reports). I've already tried a lot, but am a bit clueless after many hours of trial and error :(

[ /linux/a780 | permanent link ]

Sun, 16 Apr 2006
Running a serial console on the A780

After about half a day of trial and error (which was related to a totally different problem, as it turned out), I now have a 2.4.20-based kernel with working serial console for my A780. Unfortunately the console requires soldering four wires onto test pads of the PCB - something that I achieved with 0.1mm diameter magnet wire (Kupferlackdraht for you Germans). The magnet wires are thin enough to get them through the TransFlash slot to the outside, without having to modify the case.

If you're interested in a bootup log captured from the STUART, check this one.

The rest of the day was spent debugging why my (still 2.6.14 based) kernel doesn't want to boot on the machine. As it turns out, booting stops somewhere in the early initialization after head.S has called decompress_kernel(). Debugging this problem has also caused me to actually write some ARM assembly code. For years I'm reading and debugging ARM code, but I've never actually written ARM asm from scratch. So my assembly code now prints one character for every stage of the booting process (ABCDEFGHI) and then stops. At the time the C code should print its first character, the device is already gone. So maybe something with the setup of the registers according to C calling convention, or setup of stack/heap is erroneous.

Interestingly, that startup code has not really changed all that much from 2.4.20 (which runs) and my 2.6.14 based kernel.

It's not unlikely that I'm [again] hunting a totally different problem. I'll probably merge my patches into 2.6.17-rc1 and see whether that works...

[ /linux/a780 | permanent link ]

Tue, 11 Apr 2006
Obtaining Asian Motorola EZX phones in Europe

A couple of days ago, I was looking for a way to obtain Motorola Linux Smartphones in Europe, i.e. those plenty of models that are not officially sold anywhere but China and other areas of Asia.

I've now found a suitable importer specialized in importing Asian phones into the European market. In case you're interested, feel free to contact me for more details. The phones range between EUR 180 and EUR 300, but there's a minimum order of five phones. I'll probably be ordering around early may.

[ /linux/a780 | permanent link ]

Sat, 08 Apr 2006
planet.openezx.org launched

In the tradition of my main project netfilter (which has a planet.netfilter.org, I've now also opened a planet site for the OpenEZX project at planet.openezx.org.

This should give users the ability to stay up to date with current developments in the Motorola Linux smartphone hacking community.

If you know of any feeds that I should add to this planet, please let me know

[ /linux/a780 | permanent link ]

Looking for Motorola Linux phones

Since right now I only have E680i and A780, I would be interested in a way to obtain E896, A1200, A910, A768, A760, A732, A728 as well as ROKR E2. Most of them seem to be mainly sold in China / Taiwan.

If anybody knows a good source (importer in Europe) or some other way how to get these phones in the western half of the world, let me know.

Direct import would also be possible, but I'd need to know a serious exporter in .cn/.tw in order to do so. Any suggestions welcome.

[ /linux/a780 | permanent link ]

Fri, 07 Apr 2006
Booting kernels on A780 / E680

It's a bit strange that I still have so much difficulty running my own kernel on the phone. As it appears, there are some subtle hardware (or bootloader?) version differences that made me struggle for so long.

Two out of my three A780, and my one E680 don't boot any self-compiled kernels but rather just crash. The third A780 however boots them just fine.

Obviously, as Murphy's law indicates, the phone it works on is my 'production' phone, i.e. the one I use for my day-by-day phone needs.

We really have to get to the bottom of what's going on here. Also, if there really are differences, then Motorola has to publish the kernel source for both versions under the obligations of the GPL. So far they have only released a single version.

[ /linux/a780 | permanent link ]

Mon, 27 Mar 2006
Downloading and executing your own code in RAM of EZX phones

In the last two days I've written a small program that allows you to utilize part of the built-in firmware update mechanism of the Motorola EZX phones. In fact, what it does is to download an arbitrary (max 1MB) piece of code from the PC to the phone via USB, and then execute that code on the phone.

On the one hand, this might look like a security hole (but well, nobody really cares about security on mobile phones anyway). On the other hand, this should definitely speed up kernel and driver development within the OpenEZX project, since it basically removes the need to flash the phone for testing of some new code.

Also, once a working driver for the TransFlash slot has been cooked up, it would actually be possible to usb-boot the phone into an OS that mounts its files from TransFlash. This doesn't touch a single bit of flash memory and is therefore ideal for development and probably even something similar to what 'live CD' distributions are to PC systems.

[ /linux/a780 | permanent link ]

Fri, 18 Nov 2005
There's hope for running our own kernel on the A780

Ok, now I am in contact with one guy that managed to run a working kernel that he compiled himself from the source code that Motorola Hong Kong has published.

This finally confirms that the kernel (even though it was requested for E68) works on a A780 without further modifications. On the other hand, I'm a bit puzzled why it won't work here. To figure out where the problem is, I've asked him to pass me the exact source tar-ball that he was using, plus detailed information on his cross toolchain.

I've also started over again from a 'vanilla' Motorola kernel tree and will give it another try. If this works, I'll re-try with the serial console, and if that works, move on to the 2.6.x tree (which I'm planning to make public this weekend, btw).

Meanwhile, I have confirmed that the bootloader is actually based on blob, and thus also needs to be released under the GPL. This, in turn, should facilitate the development of a GPL licensed host-side replacement of PST for flashing the phones.

I'm a bit worried since I'm busy with many other things over the next couple of weeks. But even while travelling, I'll have the full toolchain, sources, and everything with me.

[ /linux/a780 | permanent link ]

Sat, 29 Oct 2005
linuxdevices reports on OpenEZX, quote from Motorola executive

linuxdevices.com reports about OpenEZX. In that report, it quotes Motorola's chief architect of mobile devices: Motorola had no immediate plans to support native Linux applications on its phones, in part due to carrier concerns about network health, security, and interoperability..

This is just not true. In fact, the A780 as it ships in Germany comes with a native GPS navigation and routing application called "CoPilot". Also, since the whole GSM stack runs on a different CPU than the Linux OS, there are no security/interoperability/network health concerns that I could think of.

Also, I have received reports that Motorola actually distributes a Linux SDK to selected third party vendors. Parts of those SDK's (the header files for the EZX libraries) have actually leaked, which support the position that there is a SDK.

In many ways, the EZX phones are a combination of a traditional Neptune-based Motorola GSM phone, plus a Linux-based PDA. Therefore, if any native Linux apps on the PDA half could influence the 'network health' in a negative way, then any other Neptune based phone could, too.

[ /linux/a780 | permanent link ]

Sun, 23 Oct 2005
OpenEZX wiki was launched

Thanks to my friends at maintech, The OpenEZX project now has a Wiki.

I've only added some very basic information, but I hope that developers and users especially from motorolafans will contribute soon.

One of the important things we need soon is a project logo, for both the website and the wiki. Volunteers welcome :)

[ /linux/a780 | permanent link ]

Fri, 21 Oct 2005
Massive Response to OpenEZX announcement

When I launched the OpenEZX page two days ago, I didn't expect such a massive (press) response to it.

All I did was to write a small announcement to my weblog, and it was picked up by a lot of press, such as lwn.net and golem.de.

Looks like this blog is read by a lot of people, and there's nothing I can't post here that doesn't get immediately distributed to a lot of places. Amazing ;)

Also, I've even received multiple requests for EZX-based consulting. Apparently there are companies who're interested in a 'fully programmable GSM phone'.

On a side-note, even Bruce Perens has now bought an A780 since he thinks it's "fun to hack". David Miller is pondering to buy one after his holidays in Korea... Let's only hope that they will actually find some time to get work on the EZX phone done. It's vital to have some basic running code ASAP in order to get more people to hack on stuff like the user interface.

After two days of full-time EZX kernel hacking, I now have a compiling 2.6.14-rc4 based kernel that has already half of the EZX-specific drivers merged.

I didn't really test to flash that kernel to a phone yet, mostly because I currently don't have an original E680 firmware that I could flash into the device if anything goes wrong. Also, before trying ti flash the kernel, I'd preferably like to have JTAG running. I'll publish my kernel tree as soon as I have confirmed it actually boots on the device.

Unfortunately I also have real work to do, and today is a full-time gpl-violations.org day, the weekend will probably be spent with some more librfid hacking. Stay tuned for some more OpenEZX news next week.

[ /linux/a780 | permanent link ]

There are other (more advanced) Linux Phone projects

Since I'm getting that much coverage, I want to redirect some of that in the direction of the already-existing (and way more advanced, as of now) Linux phone projects.

There are multiple mobile phone projects at handhelds.org, esp. for the iPAQ H6315 and the HTC BlueAngel.

I didn't know about any of these projects so far, but I'll certainly look at their codebase and see whether any of the high-level (user interface) code could be re-used. But let me finish the low-level driver/operating system part first :)

[ /linux/a780 | permanent link ]

Wed, 19 Oct 2005
OpenEZX.org project launched

Today I've started a small preliminary homepage about my A780/E680 hacking efforts at openezx.org. This also means that the old a780-hackers@lists.gnumonks.org list was renamed to openezx-devel@lists.gnumonks.org.

Expect no big news for some time, since I'm mostly working on porting/merging all EZX specific stuff into a 2.6.14-rc4 kernel.. a quite big job that will certainly take some time.

Stay tuned.

[ /linux/a780 | permanent link ]

Tue, 18 Oct 2005
E680 has arrived

I've managed to obtain a 2nd hand E680 phone, which is based on the same Motorola EZX platform as the A780. The E680 are only sold in Asia, so the device I now have is actually a Chinese model.

Next on the plan for A780/E680 hacking is playing with the JTAG port, and trying to flash a non-OEM non-branded non-chinese firmware into the E680.

Once JTAG is running, I will be trying to port the drivers to a 2.6.14-ish kernel and compile and install that more recent kernel.

[ /linux/a780 | permanent link ]

Sun, 16 Oct 2005
A780 batteries/charger dead?

I'm unable to recharge any of my two A780 batteries, at least not via USB. Since I'm travelling, I cannot try with the real power-supply charger. Let's hope I can somehow resolve this, and it isn't really some damage to the phone's built-in charging controller :(

On the A780 hacking front, I've now successfully confirmed that there are indeed JTAG pads on the PCB, both for the PXA270 and for the ARM7TDMI, which is great news.

I also think there is still hope that the USB device port could actually be used as a host port. At least the PXA270 supports various options for OTG. Now the big question is only whether this is compatible with Motorola's overloading of the USB (called Enhanced Mini USB).

[ /linux/a780 | permanent link ]

Sat, 01 Oct 2005
More A780 hacking

Today was a very exciting day of more A780 hacking. You know, from time to time it's quite good to do something else than stupid netfilter development or the like ;)

So what I've been able to do? Well, I analyzed most of the device drivers from userspace side. I now know the key-codes of every keypad or other button/wheel/dial on the device, I know the touch screen and framebuffer. I can control the three different backlights.

Then I've learned a bit more about the architecture of the phone. The Xscale processor (PXA270 Bulverde) actually uses USB to talk to the Neptune chip. Neptune is a DSP with a synthesized ARM7TDMI on-chip. The PXA270 runs in host mode, the Neptune in device mode.

Interestingly, the Motorola developers have debugging callbacks in the stock kernel. So by registering a simple kernel module with the USB rx/tx functions, I now have hexdumps of the USB traffic between those two chips (also called AP and BP).

Then I called the a780, and I immediately received some nice hexdumps in the kernel ring buffer. The first thing I could spot was "IP: "+4930xxxxxxxx",1\r\n". There it was, the incoming phone number :)

Some other nice guy at motorolafans.com has managed to replace the proprietary userspace Bluetooth code with the stock Linux BlueZ codebase. He's working on Bluetooth keyboard support... that would really be nice. Using a Bluetooth keyboard with the Qonsole terminal emulator (or even a framebuffer console) of your phone :)

I'm really confident that the AP<->BP protocol can be worked out fairly quickly. Once this is done, we can start developing our own "phone" programs, and get rid of all the bloated embeddedQT and Java crap that is running on the phone. It has 48MB of physical ram, and the database daemon has a resident size of 2.7MB, the address book 4.5MB, the "phone" program has 6.6MB. This is really ridiculous...

At the end of the road, I'm dreaming of something small and efficient, running uClibc, busybox, DirectFB, ...

The USB device port of the device is called "Extended Mini USB (EMU)", because it apparently can be switched in more than half a dozen of different modes (by assigning various pull-up/pull-down resistors). Apart from a USB device, it can for example run a UART on that port. However, since the USB host port is already used for Bulverde<->Neptune communication, I don't think it is possible to run the phone in USB host mode. This basically rules out attaching a stock 802.11 wifi USB adapter, which is very sad.

[ /linux/a780 | permanent link ]

Fri, 30 Sep 2005
Running netfilter/iptables on your cellphone

Yes, you're reading this right. I've managed to build iptables.o, ipt_*.o, iptable_filter.o, iptable_nat.o, ip_conntrack.o and the like for my Motorola A780 cellphone.

As of now, there's not really all that much need for it... but when I start running dozens of applications on the device, I better make sure to have a decent packet filter to the GPRS/HSCSD world.

But even then, in theory it should now be possible to NAT between the GPRS device one one side, and the usb-lan on the other side. Maybe I should try to bring my whole home network online via the A780 :)

OTOTH this doesn't fix the various security issues on the horizon. The A780 apparently ships zlib-1.1.3. I don't even know how many security vulnerabilities were fixed since then...

[ /linux/a780 | permanent link ]

More fun with the Motorola A780

I've now successfully built a compatible toolchain for the Motorola A780, thanks to this good site with instructions.

Obviously, one of the first things to do was to build busybox with a config that enables all the missing tools. For some strange reason, the A780 does not ship with the usual uClibc/busybox combination, but with the straight GNU tools (glibc, fileutils, ...). Unfortunately important bits such as less, top, strace, etc. were missing.

I've also managed to build matching ext2,jbd,ext3,sunrpc,nfsd and af_packet kernel modules. The VFAT partition on the TransFlash card was shrunk, and an ext3 partition added. Some hooks into the startup scripts, and now the ext3 is mounted when the phone is switched on. Some PATH and LD_LIBRARY_PATH mangling in .profile, and I have a very workable environment on the phone.

Obviously the most important goal would be to port the EZX arm architecture support into a recent 2.6.x kernel, and then run a full-fledged 2.6.x kernel on the device. With embedded IPsec, packet filtering, etc. That goal is very far, due to stupid proprietary device drivers.

So for now, I'll be looking into the kernel/userspace API's and the userspace/userspace API's in order to develop native userspace applications that can actually use the phone (i.e. make voice/data calls, use the headset/speaker/microphone, ...

[ /linux/a780 | permanent link ]

Tue, 13 Sep 2005
Obtaining a root-shell on the Motorola A780

I've recently acquired a Motorola A780 quad-band GSM cellphone. It's basically an Intel PXA270 based system with 48MB flash, a 256MB TransFlash reader, Bluetooth, a GPS receiver and MotaVista CEE Linux 3.0 (2.4.20 based).

As usual, the vendor tries to "lock down" the OS from the user. Luckily, some nice people of motorolafans.com have already found their way into the phone. Using their "linloader", you can put shell scripts on the TransFlash card and execute them by clicking on them in the explorer. Using that you can put the phone into a mode where it runs as usbnet 'device' with telnetd and samba.

By now I've already learned quite a bit about the phone. Interestingly, they are running glibc (not uClibc). The same goes for the rest of the device. No busybox, but rather the standard gnu programs. So it's much less of the typical embedded Linux environment, and more like a "regular" GNU/Linux system.

glibc-2.3.2, embedded QT, and some "ezx" class library on top. Add some J2ME runtime environment, a handful of different filesystems (vfat, cramfs, romfs, TrueFFS, mfs), a SD/MMC reader driver, a GPRS module, some strange "USB Logger" (looks like syslog-over-usb) and a number of userspace programs and there you go.

Oh, and yes, obviously the phone was delivered with no GPL license text, no source code and no written offer thereof. But that's a different chapter.

[ /linux/a780 | permanent link ]