[project]Port android to meizu M8

Okay folkz. Im on converting the code from the SwitchRadioOn funktion from ARM ASM to C. Then i will try to launch it under linux and see if i can enable the sgold chip. Only problem:
Converting from asm to c is not what i do every day, so i need help.
If anyone (banxian maybe or sth else) could have a llook on the code to see if this is right how i converted it, this would be really nice.
So i will post it here in the hope someone with a little understanding will have a look on it
asm i in comments, c is uncommented. So if anyone understands this better than me or knows someone how could feel free so help out
thx

PHP Code:

    /*
    MOV     R2, #0
    MOV     R1, #0x940
    MOVL    R0, 0x7F008000
    BL      DrvLib_MapIoSpace
    STR     R0, [SP,#8+var_8]
    LDR     R2, [SP,#8+var_8]
    LDR     R3, =unk_C11623AC
    STR     R2, [R3]
    LDR     R3, =unk_C11623AC
    LDR     R3, [R3]
    CMP     R3, #0
*/
    void* gpIOreg;
    gpIOreg = DrvLib_MapIoSpace(0x7F008000,0x940,false);

    if(gpIOreg == NULL)
    {
        std::cout << "Map failed";
        return 1;
    }


    /*
    LDR     R3, =unk_C11623AC
    LDR     R3, [R3]
    ADD     R3, R3, #0x820
    LDR     R2, [R3]
    MOVL    R3, 0xFFF0FFFF
    AND     R3, R2, R3
    ORR     R2, R3, #0x10000
*/
    unsigned int R2,R3;

    void *WorkPtr = gpIOreg;
    WorkPtr += 0x820;
    R2 = *WorkPtr;
    R3 = 0xFFF0FFFF;
    R3 = R2 & R3;
    R2 = R3 | 0x10000;

    /*
    LDR     R3, =unk_C11623AC
    LDR     R3, [R3]
    ADD     R3, R3, #0x820
    STR     R2, [R3]
*/
    WorkPtr = gpIOreg;
    WorkPtr += 0x820;
    *WorkPtr = R2;

    /*
    LDR     R3, =unk_C11623AC
    LDR     R3, [R3]
    ADD     R3, R3, #0x800
    ADD     R3, R3, #0x24
    LDR     R2, [R3]
    MOVL    R3, 0xFFFFFFEF
    AND     R2, R2, R3
*/

    WorkPtr = gpIOreg;
    WorkPtr += 0x800;
    WorkPtr += 0x24;
    R2 = *WorkPtr;
    R3 = 0xFFFFFFEF;
    R2 = R2 & R3;

    /*
    LDR     R3, =unk_C11623AC
    LDR     R3, [R3]
    ADD     R3, R3, #0x800
    ADD     R3, R3, #0x24
    STR     R2, [R3]
    MOV     R0, #0x64
    BL      Sleepx */

    WorkPtr = gpIOreg;
    WorkPtr += 0x800;
    WorkPtr += 0x24;
    *WorkPtr = R2; 


I WISH I Knew C but im just starting to learn it next semester .. i wish i could help to make the android development faster :S

If the map function does what I presume it does, then it looks OK. Howbeit a bit strange. Can't you just use inline ASM?

Originally Posted by r3wDy

Okay folkz. Im on converting the code from the SwitchRadioOn funktion from ARM ASM to C. Then i will try to launch it under linux and see if i can enable the sgold chip. Only problem:
Converting from asm to c is not what i do every day, so i need help.
If anyone (banxian maybe or sth else) could have a llook on the code to see if this is right how i converted it, this would be really nice.
So i will post it here in the hope someone with a little understanding will have a look on it
asm i in comments, c is uncommented. So if anyone understands this better than me or knows someone how could feel free so help out
thx

Can't you just use inline ASM?

was my first try, but seems that visual studio dont likes inline asm with arm :/

EDIT: Conversation finished. This is it:

/*
MOV R2, #0
MOV R1, #0x940
MOVL R0, 0x7F008000
BL DrvLib_MapIoSpace
STR R0, [SP,#8+var_8]
LDR R2, [SP,#8+var_8]
LDR R3, =unk_C11623AC
STR R2, [R3]
LDR R3, =unk_C11623AC
LDR R3, [R3]
CMP R3, #0
*/
unsigned char * gpIOreg;
gpIOreg = (unsigned char*)DrvLib_MapIoSpace(0x7F008000,0x940,false);

if(gpIOreg == NULL)
{
std::cout << "Map failed";
return 1;
}


/*
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x820
LDR R2, [R3]
MOVL R3, 0xFFF0FFFF
AND R3, R2, R3
ORR R2, R3, #0x10000
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x820
STR R2, [R3]

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
LDR R2, [R3]
MOVL R3, 0xFFFFFFEF
AND R2, R2, R3
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
STR R2, [R3]

MOV R0, #0x64
BL Sleepx
*/

unsigned char *WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x820) &= 0xFFF0FFFF;
*(DWORD*)(WorkPtr+0x820) |= 0x10000;

WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x824) &= 0xFFFFFFEF;
Sleep(0x64);
/*

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x60
LDR R2, [R3]
MOVL R3, 0xFFF0FFFF
AND R3, R2, R3
ORR R2, R3, #0x10000
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x60
STR R2, [R3]

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
LDR R2, [R3]
MOVL R3, 0xFFFFFFEF
AND R2, R2, R3
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
STR R2, [R3]

MOV R0, #0x64
BL Sleepx
*/

WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x60) &= 0xFFF0FFFF;
*(DWORD*)(WorkPtr+0x60) |= 0x10000;

WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x64) &= 0xFFFFFFEF;
Sleep(0x64);

/*

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
LDR R3, [R3]
ORR R2, R3, #0x10
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
STR R2, [R3]

MOV R0, #0x64
BL Sleepx
*/

WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x64) |= 0x10;
Sleep(0x64);

/*

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
LDR R2, [R3]
MOVL R3, 0xFFFFFFEF
AND R2, R2, R3
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
STR R2, [R3]

MOV R0, #0x64
BL Sleepx
*/

WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x64) &= 0xFFFFFFEF;
Sleep(0x64);

/*
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
LDR R3, [R3]
ORR R2, R3, #0x10
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
STR R2, [R3]

MOV R0, #0x64
BL Sleepx
*/

WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x64) |= 0x10;
Sleep(0x64);

/*
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
LDR R2, [R3]
MOVL R3, 0xFFFFFFEF
AND R2, R2, R3
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x64
STR R2, [R3]

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
LDR R3, [R3]
ORR R2, R3, #0x10
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
STR R2, [R3]

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
LDR R2, [R3]
MOVL R3, 0xFFFFFFEF
AND R2, R2, R3
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
STR R2, [R3]

MOV R0, #0x12C
BL Sleepx
*/
WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x64) &= 0xFFFFFFEF;
*(DWORD*)(WorkPtr+0x824) |= 0x10;
*(DWORD*)(WorkPtr+0x824) &= 0xFFFFFFEF;
Sleep(0x12c);
/*

LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
LDR R3, [R3]
ORR R2, R3, #0x10
LDR R3, =unk_C11623AC
LDR R3, [R3]
ADD R3, R3, #0x800
ADD R3, R3, #0x24
STR R2, [R3]
*/
WorkPtr = gpIOreg;
*(DWORD*)(WorkPtr+0x824) |= 0x10;
/*
LDR R3, =unk_C11623AC
LDR R3, [R3]
CMP R3, #0
BEQ loc_C115CE4C
*/

if(gpIOreg == 0)
std::cout << "Failed...";

If someone might have a look onnit i know its not the funniest thing but i overlooked it a dozen times and still not sure that there are no error lol

Try this:

PHP Code:

// http://gitorious.org/m8tinyloader/m8tinyloader/blobs/master/M8TinyLoader/tinydebug.h
#include "tinydebug.h"

// http://topic.csdn.net/u/20091218/08/55dd0720-6a15-42cd-bb2b-d75a4f30d3a0.html
DWORD HW_Init()
{
    volatile S3C6410_GPIO_REG* gpIOreg;
    gpIOreg = (volatile S3C6410_GPIO_REG*)DrvLib_MapIoSpace(S3C6410_BASE_REG_PA_GPIO, sizeof(S3C6410_GPIO_REG), false);
    if(gpIOreg == NULL)
    {
        std::cout << "Map failed";
        return 1;
    }
     
    // store in global variable for accessing later
    //g_pGPIOReg = gpIOreg;
    
    // see "tinydebug.h"
    // 0x820: GPMCON
    // 0x824: GPMDAT
    // 0x60:  GPDCON
    // 0x64:  GPDDAT
    
    gpIOreg->GPMCON = gpIOreg->GPMCON & ~(0xF<<16) | (1<<16);
    gpIOreg->GPMDAT = gpIOreg->GPMDAT & ~(1<<4);
    Sleepx(100);
    
    gpIOreg->GPDCON = gpIOreg->GPDCON & ~(0xF<<16) | (1<<16);
    gpIOreg->GPDDAT = gpIOreg->GPDDAT & ~(1<<4);
    Sleepx(100);
    
    gpIOreg->GPDDAT = gpIOreg->GPDDAT | (1<<4);
    Sleepx(100);
    
    gpIOreg->GPDDAT = gpIOreg->GPDDAT & ~(1<<4);
    Sleepx(100);
    
    gpIOreg->GPDDAT = gpIOreg->GPDDAT | (1<<4);
    Sleepx(100);
    
    gpIOreg->GPDDAT = gpIOreg->GPDDAT & ~(1<<4);
    gpIOreg->GPMDAT = gpIOreg->GPMDAT | (1<<4);
    gpIOreg->GPMDAT = gpIOreg->GPMDAT & ~(1<<4);
    Sleepx(300);
    
    gpIOreg->GPMDAT = gpIOreg->GPMDAT | (1<<4);

    return 0;
} 


lol thx i have this file too but just dont thought about using this structure lol
anyway thx i will try it

is that the baseband command ?
and if this works what does it mean ?
sorry for asking but my understanding of these things ..c codes and whats not... is almost non existent :S

evow04, big thx for RC3.
I am very waiting RC4
Sorry for my bad English

Took it, compiled it and placed it in machine init from the kernel...

Whats all about:
the baseband is the telephone chip. This chip is connected to com1 of the main cpu (s3c6410) and should behave like a modem (sending AT to the com should give OK fpr example).
As seen in the AT thread, under windoesce this worx. Under linux this worx not. No answer from the chip. So i think the chip must somehow be enabled before we can use it. So i searched the dlls from the meizu fw and found this SwitchRadioOn function. After this function, at commands are sent to the chip. The code above is the code from this function. I took the assembler code from the dlls and converted it to c code. Calling this function writes values to gpio registers of the main cpu (for me look like some hw init).
I hope this code enables the baseband chip so it will answer OK in linux.
So thats it
When the baseband chip is enabled we could start experimenting with it and try to modify a gsm0710mux from android. If we could achieve this, we should be able to use android on m8 as telephone. But thats much work. And the baseband must work first.

ok thanks for explaining ... i do have some basic knowledge in c++ i mainly used it for flash animations and some app orders but it was very basic .. so thanks for explaining !

Thank you for all!

Originally Posted by r3wDy

found this SwitchRadioOn function. After this function, at commands are sent to the chip.

actually this makes sense, it´s like you say; the modem needs to be activated just like you would do with an older fax modem on a computersystem. Without activating the radio function first the baseband won´t be useable, the sameway the airplane mode functions in wince..

It might be interesting to dump the bootlog from M8 with newer firmware(leaks) to see if it could contain more information then the older bootlogs..?

btw guys, it could be that i will edit the first post a last time.
This to provide static information about the topic and to move the dynamic information to the wiki, this way everyone can update it if somethings changes.
I hope you guys understand and agree with the idea.

And r3wdy thanks again for your time to investigate the baseband.

Linux kernel crashes when i use the MapIO macro, because it points then to something in the vmem which isnt existing. So i changed it like this

PHP Code:

//    S3C64XX_GPMCON = S3C64XX_GPMCON & ~(0xF<<16) | (1<<16);
//    S3C64XX_GPMDAT = S3C64XX_GPMDAT & ~(1<<4);
    u32 val;

    val = __raw_readl(S3C64XX_GPMCON);
    val = val & ~(0xF<<16) | (1<<16);
    __raw_writel(val,S3C64XX_GPMCON);

    val = __raw_readl(S3C64XX_GPMDAT);
    val = val & ~(1<<4);
    __raw_writel(val,S3C64XX_GPMDAT);

    msleep(100);
    
  //  S3C64XX_GPDCON = S3C64XX_GPDCON & ~(0xF<<16) | (1<<16);
  //  S3C64XX_GPDDAT = S3C64XX_GPDDAT & ~(1<<4);

    val = __raw_readl(S3C64XX_GPDCON);
    val = val & ~(0xF<<16) | (1<<16);
    __raw_writel(val,S3C64XX_GPDCON);

    val = __raw_readl(S3C64XX_GPDDAT);
    val = val & ~(1<<4);
    __raw_writel(val,S3C64XX_GPDDAT);

    msleep(100);
    
    //S3C64XX_GPDDAT = S3C64XX_GPDDAT | (1<<4);
    val = __raw_readl(S3C64XX_GPDDAT);
    val = val | (1<<4);
    __raw_writel(val,S3C64XX_GPDDAT);

    msleep(100);
    
    //S3C64XX_GPDDAT = S3C64XX_GPDDAT & ~(1<<4);
    val = __raw_readl(S3C64XX_GPDDAT);
    val = val & ~(1<<4);
    __raw_writel(val,S3C64XX_GPDDAT);

    msleep(100);
    
   // S3C64XX_GPDDAT = S3C64XX_GPDDAT | (1<<4);
    val = __raw_readl(S3C64XX_GPDDAT);
    val = val | (1<<4);
    __raw_writel(val,S3C64XX_GPDDAT);
    msleep(100);
    
    //S3C64XX_GPDDAT = S3C64XX_GPDDAT & ~(1<<4);
    //S3C64XX_GPMDAT = S3C64XX_GPMDAT | (1<<4);
    //S3C64XX_GPMDAT = S3C64XX_GPMDAT & ~(1<<4);
    val = __raw_readl(S3C64XX_GPDDAT);
    val = val & ~(1<<4);
    __raw_writel(val,S3C64XX_GPDDAT);

    val = __raw_readl(S3C64XX_GPMDAT);
    val = val | (1<<4);
    __raw_writel(val,S3C64XX_GPMDAT);

    val = __raw_readl(S3C64XX_GPMDAT);
    val = val & ~(1<<4);
    __raw_writel(val,S3C64XX_GPMDAT);

    msleep(300);
    
   // S3C64XX_GPMDAT = S3C64XX_GPMDAT | (1<<4); 

    val = __raw_readl(S3C64XX_GPMDAT);
    val = val | (1<<4);
    __raw_writel(val,S3C64XX_GPMDAT); 


the kernel executed it. I called the function in machine init. But still no ok when i send AT to ttySAC1 (confusing here: there are 4 com ports, 0-3 but writing to ttySAC2 prints in my TerraTerm so com2 is ttySAC2 and not ttySAC1 as i supposed) but ttySAC0 and TTYSAC1 gave no answer.
Will have another look on the whole code and in disasm again. And i will stalk the windows registry for comport values.

However im not 100% sure about this adresses... gpiobase is likethe one i got from the dll, but then the function should work right (as when i took the right adress table) i will printk them to see where they are leeding

This is was the printk said:

[DRVLIB] --DrvLib_MapIoSpace() b2b08000
S3C64XX_GPMCON: f4500820;
S3C64XX_GPMDAT: f4500824;
S3C64XX_GPDCON: f4500060;
S3C64XX_GPDDAT: f4500064;
read f4500820:222122
write f4500820:212122
read f4500824:1a
write f4500824:a
read f4500060:11010
write f4500060:11010
read f4500064:8
write f4500064:8
read f4500064:8
write f4500064:18
read f4500064:18
write f4500064:8
read f4500064:8
write f4500064:18
read f4500064:18
write f4500064:8
read f4500824:a
write f4500824:1a
read f4500824:1a
write f4500824:a
read f4500824:a
write f4500824:1a

The problem here is that there is a huge difference between the adress that MapIO gives and the one the linux macros generate. I think its sure that the physical gpiobase adress is 0x7F008000. This is common in wince and linux. I dunno if or where are differences in virtual memory mangement.
im thinking of writing the whole thing i asm and do it before any memory manager can virtualize anything. Anyone here who knows if i can write to the physical adress in linux kernel? or must i use the va?

back again from skiing hollidays but sill drunk
i am java-coder, but i learned assembler and C. but more then 14 yeares ago. i hope my head get "clean" tomorrow, and i am able to read all news and can help you.

Oke writing to PA 0x7008000 is something which the kernel doenst like
Its not vmem to invalid page.
All in all i think the GPIO Adresses fromt he linux macros are right, as the Pushbuttons on the m8 are recognized correctly and (as i remember) are also on gpios.
So three things to do now:
I will try to write a program with the whole sequence, from opening the port to sending the first at command.

CreateFile
GetCommState
<init comstate struct>
SetCommState
EscapeCommFunction 5 (Sends the DTR (data-terminal-ready) signal.)
SetCommMask E1 (1110 0001) EV_ERR | EV_BREAK | EV_RLSD | EV_RXCHAR
memset
SetCommTimeouts

Call ResetRadio(RadioSwitchOn (function)

sprintf AT+IPR=230400

ResetRadio is nearly the same as switchradioon. Maybe in a decive driver as i can access the GPIOregisters there.
the second thing is looking in the dissablembly of the mux driver if something is wrong with the function/ checking the adresses.
third thing would be to see if there is any machine dependent init code (as in linux) which would be in kernel or sth to init the hardware. Maybe this is only the switch on, not the activate/init. I will searck for the flymode switch. maybe this alos just does switchradioon/off.
Thats the status for now

PS another interesting thing is KITL http://blogs.msdn.com/ce_base/archiv...27/648747.aspx
We can active KITL in the bootmenu. i dunno if there is anything implemented behind this option, but a freaking kernel lvl debugger would bring us great use

is any one has try out flash the whole nandflash and then after that port wince 6.0 on it

Dunno what you want so say sry

I managed to fined the GPIOInit function in nk.exe.
Im analyzing it, some gpio registers are set (what a suprise lol).
I would say this initializes the whole hardware on this ports.
maybe we can port this function to c. Best would be with inline asm because its not a short one
I will c

i wish you luck....thank youi for putting so much time and afford in this projekt..im sure you will suceed

Originally Posted by jointech_123

is any one has try out flash the whole nandflash and then after that port wince 6.0 on it

I think the only one who might have tried this is bill, however it is been a while that we heard from him/her.

i think best way to proceed is first dumping all data from m8 through jtag and then try bill´s ubootloader. Worst case scenario is modding uboot to load wince or reflashing using the meizu so called bios firmware.

r3wdy, i never managed to activate ktil myself but then again my m8 got broken before i could complete my tests.So it doesn´t say a thing :-)