BCM4751 » History » Version 20
Denis 'GNUtoo' Carikli, 12/04/2012 02:23 PM
h1. Broadcom4751GPS

h2. Factory image files

The non-free files holding the GPS information and code are the following:
<pre>
/system/vendor/bin/gpsd
/system/vendor/lib/hw/gps.s5pc110.so
/system/vendor/etc/gps.xml
/system/etc/gps.conf
</pre>

h3. gps.xml parameters

We tried changing some parameters in gps.xml to see how it behaves:

|_. Parameter |_. Original |_. Changed to |_. Result |
| acPortName | /dev/s3c2410_serial1 | /dev/s3c2410_serial42 | The chip wasn't "booted" |
| gpioNStdbyPath | /sys/class/sec/gps/GPS_PWR_EN/value | /sys/class/sec/gps/GPS_PWR_EN/value2 | The chip was booted |
| gpioNResetPath | /sys/class/sec/gps/GPS_nRST/value | /sys/class/sec/gps/GPS_nRST/value2 | The chip was booted |

It seems that when the gpsd binary runs without the gps.s5pc110.so library, the chip isn't started (our test utility doesn't work), whereas when the library is running and connects to the socket that gpsd creates on startup, the chip is booted.

gps.s5pc110.so actually orders bootup via the socket when the GPS is requested by the Android framework. When the GPS is no longer in use, it requests poweroff as well.

h2. Protocol

According to the logs obtained from gpsd, the chip seems to use the MEIF protocol at first; then a patch is sent and it starts using another protocol, which doesn't seem related to MEIF according to the logs (there are basically no more references to MEIF after uploading the patch). However, as we have no information about what MEIF is (it's a proprietary, undocumented binary protocol), these are just guesses.
We decided to implement the first protocol under the name MEIF, but it could also be some sort of BCM4751-specific bootloader protocol that is in charge of the patch upload.

The GPSD component is in charge of translating the second protocol to standard NMEA, which is sent to the gps.s5pc110.so lib via the /dev/socket/gps Unix socket, created by GPSD.

h2. Devices

Here is a list of the devices that are known to use the BCM4751 chip:

|_. Device |_. Vendor |_. BCM4751 revision |
| Nexus S | Google/Samsung | 4751A1 or 4751A2 |
| Galaxy S I9000 | Samsung | 4751A2 |
| Galaxy Tab P1000 | Samsung | ? |
| Galaxy Tab 8.9 P7300/P7310 | Samsung | 4751A2 |
| Nexus 7 | Google/Asus | ? |

The BCM4751 chip exists in the following revisions: 4751A0, 4751A1, 4751A2, 47511A0

h2. Free software implementation

In January 2012, work started on a free software implementation that could handle the BCM4751 chip.
The main target is the Nexus S, even though it should work with few changes on other BCM4751 devices.

The source code is available at: https://gitorious.org/replicant/crespo-gps-utils

h3. Current status

|_. Part |_. Status |_. Comments |
| Serial setup | "DONE":https://gitorious.org/replicant/crespo-gps-utils/commit/e4f94e901b9b4c5fef5642ad9580863fc2bfe336 | Magic is: @termios.c_cflag = 0x800018b2;@ |
| MEIF parsing | "DONE":https://gitorious.org/replicant/crespo-gps-utils/commit/927c1c92dd092cec8c56351bf663101183f19076 | |
| MEIF dispatch | "DONE":https://gitorious.org/replicant/crespo-gps-utils/commit/f952dde8f3a29634be1c8fa19b8eed367c1ad878 | |
| MEIF patch upload | "DONE":https://gitorious.org/replicant/crespo-gps-utils/commit/9a5827778189b7e0f91879430a4e160567ee6bbd | Nexus S and Galaxy S patches differ |

h3. Utilities

|_. Name |_. Task |_. Arguments |
| bcm4751_gpsd | Main utility: boots the chip, sends the patch, switches protocol | None |
| bcm4751_test | Deprecated utility, can be used for poweroff | @stop@: power off the chip |
| bcm4751_hal | Acts as the framework: allows tracing gps.s5pc110.so | None |
| bcm4751_daemon | Acts as (a fake) gpsd to the lib | None |
| bcm4751_lib | Acts as (a fake) lib to gpsd | None |

h3. BCM4751 gpsd

This is where MEIF is implemented. It currently does the following:
* Serial setup
* Autobaud
* MEIF reader loop
* MEIF parsing
* MEIF dispatch
* MEIF patch upload
* Protocol switch (sends unknown bytes in the second protocol to get a response)
* Response dump

Sample output log:
<pre>
Turning the GPS on...
Opening the GPS serial...
Sending autobaud...
Read 17 bytes
Read 32 bytes
MEIF message: MEIF_STATE_REPORT_MSG with 18 bytes of data:
[0000] 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 1A 00 ..
Got a STATE_REPORT message

Read 23 bytes
Read 32 bytes
Read 16 bytes
Read 7 bytes
MEIF message: MEIF_CONFIG_VALUES_MSG with 70 bytes of data:
[0000] 02 00 01 00 01 00 40 00 01 00 02 00 00 00 00 00 ........ ........
[0010] 01 00 02 00 00 00 00 00 00 00 06 00 81 11 00 09 ........ ........
[0020] 07 07 D9 07 42 52 4F 41 44 43 4F 4D 00 00 00 00 ....BROA DCOM....
[0030] 00 00 00 00 34 37 35 31 41 31 00 00 00 00 00 00 ....4751 A1......
[0040] 00 00 00 00 B3 05 ......
Got config values:
vendor: BROADCOM
product: 4751A1

Sending the first part of the patch...
Sending 2054 bytes!
MEIF message: MEIF_SEND_PATCH_MSG with 2046 bytes of data:

Read 14 bytes
MEIF message: MEIF_NACK_MSG with 6 bytes of data:
[0000] 03 00 03 00 0F 00 ......
Got a NACK message
Reason is: MEIF_NACK_GARBAGE_RECEIVED

Read 12 bytes
MEIF message: MEIF_ACK_MSG with 4 bytes of data:
[0000] 04 01 0B 00 ....
Got an ACK message

Sending the second part of the patch...
Sending 706 bytes!
MEIF message: MEIF_SEND_PATCH_MSG with 698 bytes of data:

Read 12 bytes
MEIF message: MEIF_ACK_MSG with 4 bytes of data:
[0000] 05 02 0D 00 ....
Got an ACK message

Ready to switch protocol!
Sending unknown bytes!
Read 12 bytes:
[0000] FE 00 FD 40 00 00 F1 B1 12 20 67 FC ........ ..g.
</pre>

h3. BCM4751 patch

In order to use the same protocol as the non-free gpsd, a patch needs to be sent. It is hardcoded in the non-free gpsd binary.
Note that we don't know exactly what that patch is nor what it does. In any case, it must be considered the property of Broadcom (or maybe Samsung) and falls under the non-free gpsd license.

Here are notes on how to extract the patch from various non-free gpsd binaries:

|_. Device |_. Source |_. GPSD MD5 |_. Offset |_. Length |_. dd command |
| Nexus S | CM 9.0.0 | 4a6c0027e530b5b8a346153a355ef8e3 | 0x15DDEA | 2738 bytes | dd skip=1433066 count=2738 if=gpsd of=bcm4751a1.fw bs=1 |
| Galaxy S | CM 9.1.0 | 4a6c0027e530b5b8a346153a355ef8e3 | 0x15E89E | 6406 bytes | dd skip=1435806 count=6406 if=gpsd of=bcm4751a2.fw bs=1 |

The @bcm4751_gpsd@ utility will attempt to read the patch from @/data/bcm4751a1.fw@ or @/data/bcm4751a2.fw@

h4. Post protocol switching

Sending this string:
"\xfe\x00\xfd\x6f\x3a\x01\x00\x00\x00\x00\x34\xfc"
many times makes some other string appear on the serial port...
<pre>
fe 00 fd 0f ff 07 06 00 00 01 54 fc
fe 00 fd 0f ff 08 06 00 00 01 1c fc
</pre>
Here's the decoding of the first bytes:
<pre>
ff00 = 8bytes
fe00 = 12bytes
fe01 = 16bytes
fe02 = 20bytes
fe03 = 24bytes
fe04 = 28bytes
fe05 = 32bytes
fe06 = 36bytes
fe07 = 40bytes
</pre>

fc seems to be an end marker and 54/c1 a checksum....
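
An added example (not code from crespo-gps-utils or from the original page): a bounds-checked C framer for the second protocol that applies the length table above and the presumed fc end marker to bytes read from the serial port. The function names and the stray leading byte in the sample are constructed, 12 + 4*n is a compact restatement of the fe00..fe07 rows, and the checksum byte is not verified because its algorithm is not known.

```c
#include <stdint.h>
#include <stdio.h>

/* Total frame length implied by the first two bytes, following the table in
 * the notes (ff00 = 8, fe00..fe07 = 12..40). Returns 0 for unknown headers. */
static size_t frame_length(uint8_t b0, uint8_t b1)
{
    if (b0 == 0xff && b1 == 0x00)
        return 8;
    if (b0 == 0xfe && b1 <= 0x07)
        return 12 + 4 * (size_t)b1;
    return 0;
}

/* Locate the next complete frame in buf[0..len): known header, fits in the
 * buffer, ends with the presumed 0xfc marker. Returns its offset or -1. */
static long next_frame(const uint8_t *buf, size_t len, size_t *flen)
{
    for (size_t i = 0; i + 2 <= len; i++) {
        size_t n = frame_length(buf[i], buf[i + 1]);
        if (n == 0 || n > len - i || buf[i + n - 1] != 0xfc)
            continue;   /* unknown header, truncated, or no end marker */
        *flen = n;
        return (long)i;
    }
    return -1;
}

/* Constructed input: one stray byte, then the two replies quoted above. */
static const uint8_t sample[] = {
    0x00,
    0xfe, 0x00, 0xfd, 0x0f, 0xff, 0x07, 0x06, 0x00, 0x00, 0x01, 0x54, 0xfc,
    0xfe, 0x00, 0xfd, 0x0f, 0xff, 0x08, 0x06, 0x00, 0x00, 0x01, 0x1c, 0xfc,
};

/* Count the complete frames in a buffer, consuming each as it is found. */
static size_t count_frames(const uint8_t *buf, size_t len)
{
    size_t pos = 0, flen = 0, count = 0;
    for (long off; (off = next_frame(buf + pos, len - pos, &flen)) >= 0; count++)
        pos += (size_t)off + flen;
    return count;
}

int main(void)
{
    printf("%zu frames\n", count_frames(sample, sizeof sample));
    return 0;
}
```

A frame whose declared length runs past the received bytes is not counted, so a reader loop built on this should keep the unconsumed tail and retry once more data arrives.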