Replicant

h1. S5PC110 Hardware Design

This explains the hardware design found in many S5PC110 phones.

h2. Hardware design matrix

|_. *Chip* |_. Controlled by the CPU |_. Controlled by the modem |_. Connected to the modem |

| GPS | Yes | No | No? |

| Audio CODEC | Yes | No | Yes |

| NAND | Yes | No | No |

| RAM | Yes | Yes (96Mib at least) | Yes |

| WiFi/Bluetooth | Yes | No | No |

| Sensors | Yes | No | No |

| NFC | Yes | No | No |

| Camera | Yes | No | No |

h2. Modem isolation

The modem (XMM 6160) is separated from the SoC and communicates with it via serial over 16Mib of shared memory: this is bad since it means that RAM is compromised (at least 80Mib + 16Mib = 96Mib) and can be used to spy.

Regarding audio, the modem is connected to the CODEC but cannot control it (the SoC has to enable routing from/to the modem).

There is no evidence that the GPS is connected to the modem, but since we cannot check on the hardware, there is no proof it's not connected to it either. The SoC is able to control the GPS power though, so we can keep it off.

Since the SoC has to load the modem firmware over the (fake) serial, and following the datasheets, the modem is not connected to the NAND.

h2. Exynos 3110 devices with RAM chips shared between the modem and the system on a chip

Affected devices:

* Nexus S (GT-I9020)

* Nexus S (GT-I9020A)

* Nexus S (GT-I9023)

The modem is able to spy on (at least) 96 Mib of the main memory. So far, we cannot tell:

* if it can only spy 80Mib or the full memory

* if it can be fixed or not

The Linux kernel is being loaded at the beginning of the shared memory bank (0x30000000), however the kernel should be off when it loads.

h3. Kernel details

In "kernel-crespo/arch/arm/mach-s5pv210/dev-herring-phone.c":https://git.replicant.us/replicant/kernel_samsung_crespo/tree/arch/arm/mach-s5pv210/dev-herring-phone.c#n49 we have:

<pre>

static struct resource mdmctl_res[] = {

[...]

        [2] = {

                .name = "onedram",

                .start = (S5PV210_PA_SDRAM + 0x05000000),

                .end = (S5PV210_PA_SDRAM + 0x05000000 + SZ_16M - 1),

                .flags = IORESOURCE_MEM,

        },

};

</pre>

* S5PV210_PA_SDRAM is 0x30000000

* 0x05000000 is 80Mib

* mdmctl_res goes in a platform device struct which is passed to the modem driver:

<pre>

static struct platform_device modemctl = {

        .name = "modemctl",

        .id = -1,

        .num_resources = ARRAY_SIZE(mdmctl_res),

        .resource = mdmctl_res,

        .dev = {

                .platform_data = &mdmctl_data,

        },

};

</pre>

And in the board file (in kernel-crespo/arch/arm/mach-s5pv210/mach-herring.c) we have: 

<pre>

static void __init herring_fixup(struct machine_desc *desc,

                struct tag *tags, char **cmdline,

                struct meminfo *mi)

{

        mi->bank[0].start = 0x30000000;

        mi->bank[0].size = 80 * SZ_1M;

        mi->bank[0].node = 0;

</pre>

So we can suppose that there is at least one ram chip that is shared between the modem and the main CPU. Avoiding the use of this memory bank would result in loosing 80Mib of memory.

h3. Fix attempt

An ideal fix fix would be to lose that 80Mib of RAM so that the shared memory can still be used for SoC/Modem communication but can't spy on the SoC data on RAM. The fact that it's the kernel loading address makes the task more difficult (it may require the bootloader cooperation, which is non-free).

The current diff with the Nexus S kernel is here, but it doesn't boot at all with the following changes (and mkbootimg changes):

<pre>

diff --git a/arch/arm/configs/herring_defconfig b/arch/arm/configs/herring_defconfig

old mode 100755

new mode 100644

index 11abbf0..99bf3f5

--- a/arch/arm/configs/herring_defconfig

+++ b/arch/arm/configs/herring_defconfig

@@ -1,7 +1,7 @@

 #

 # Automatically generated make config: don't edit

 # Linux kernel version: 2.6.35.7

-# Fri Jun  3 07:07:08 2011

+# Sun Apr  8 14:40:16 2012

 #

 CONFIG_ARM=y

 CONFIG_HAVE_PWM=y

@@ -418,8 +418,8 @@ CONFIG_ALIGNMENT_TRAP=y

 #

 CONFIG_ZBOOT_ROM_TEXT=0

 CONFIG_ZBOOT_ROM_BSS=0

-CONFIG_CMDLINE="console=ttyFIQ0"

-# CONFIG_CMDLINE_FORCE is not set

+CONFIG_CMDLINE="console=ttyFIQ0 no_console_suspend earlyprintk=serial,ttySAC2,115200 androidboot.serialno=3733BAB66DE200EC androidboot.bootloader=I9020XXKA3 androidboot.baseband=I9020XXKB3 androidboot.info=0x4,0x0,1 androidboot.carrier=EUR gain_code=3 s3cfb.bootloaderfb=0x34a00000 mach-herring.lcd_type=0x00000000 oem_state=unlocked"

+CONFIG_CMDLINE_FORCE=y

 # CONFIG_XIP_KERNEL is not set

 # CONFIG_KEXEC is not set

@@ -823,8 +823,6 @@ CONFIG_UEVENT_HELPER_PATH=""

 CONFIG_STANDALONE=y

 CONFIG_PREVENT_FIRMWARE_BUILD=y

 # CONFIG_FW_LOADER is not set

-# CONFIG_FIRMWARE_IN_KERNEL is not set

-CONFIG_EXTRA_FIRMWARE=""

 # CONFIG_DEBUG_DRIVER is not set

 # CONFIG_DEBUG_DEVRES is not set

 # CONFIG_SYS_HYPERVISOR is not set

@@ -835,7 +833,7 @@ CONFIG_MTD=y

 CONFIG_MTD_CONCAT=y

 CONFIG_MTD_PARTITIONS=y

 # CONFIG_MTD_REDBOOT_PARTS is not set

-# CONFIG_MTD_CMDLINE_PARTS is not set

+CONFIG_MTD_CMDLINE_PARTS=y

 # CONFIG_MTD_AFS_PARTS is not set

 # CONFIG_MTD_AR7_PARTS is not set

@@ -1191,6 +1189,7 @@ CONFIG_DEVKMEM=y

 CONFIG_SERIAL_SAMSUNG=y

 CONFIG_SERIAL_SAMSUNG_UARTS_4=y

 CONFIG_SERIAL_SAMSUNG_UARTS=4

+# CONFIG_SERIAL_SAMSUNG_DEBUG is not set

 CONFIG_SERIAL_SAMSUNG_CONSOLE=y

 CONFIG_SERIAL_S5PV210=y

 # CONFIG_SERIAL_MAX3100 is not set

@@ -2046,7 +2045,9 @@ CONFIG_HAVE_ARCH_KGDB=y

 CONFIG_DEBUG_USER=y

 CONFIG_DEBUG_ERRORS=y

 # CONFIG_DEBUG_STACK_USAGE is not set

-# CONFIG_DEBUG_LL is not set

+CONFIG_DEBUG_LL=y

+CONFIG_EARLY_PRINTK=y

+# CONFIG_DEBUG_ICEDCC is not set

 CONFIG_OC_ETM=y

 CONFIG_DEBUG_S3C_UART=2

diff --git a/arch/arm/mach-s5pv210/dev-herring-phone.c b/arch/arm/mach-s5pv210/dev-herring-phone.c

index f8798b3..ecef636 100755

--- a/arch/arm/mach-s5pv210/dev-herring-phone.c

+++ b/arch/arm/mach-s5pv210/dev-herring-phone.c

@@ -48,8 +48,8 @@ static struct resource mdmctl_res[] = {

 	},

 	[2] = {

 		.name = "onedram",

-		.start = (S5PV210_PA_SDRAM + 0x05000000),

-		.end = (S5PV210_PA_SDRAM + 0x05000000 + SZ_16M - 1),

+		.start = (0x30000000  + 0x05000000),

+		.end = (0x30000000  + 0x05000000 + SZ_16M - 1),

 		.flags = IORESOURCE_MEM,

 	},

 };

diff --git a/arch/arm/mach-s5pv210/mach-herring.c b/arch/arm/mach-s5pv210/mach-herring.c

index c3a0182..67fa1cf 100755

--- a/arch/arm/mach-s5pv210/mach-herring.c

+++ b/arch/arm/mach-s5pv210/mach-herring.c

@@ -5494,21 +5494,17 @@ static void __init herring_fixup(struct machine_desc *desc,

 		struct tag *tags, char **cmdline,

 		struct meminfo *mi)

 {

-	mi->bank[0].start = 0x30000000;

-	mi->bank[0].size = 80 * SZ_1M;

+	mi->bank[0].start = 0x40000000;

+	mi->bank[0].size = 256 * SZ_1M;

 	mi->bank[0].node = 0;

-	mi->bank[1].start = 0x40000000;

-	mi->bank[1].size = 256 * SZ_1M;

-	mi->bank[1].node = 1;

-

-	mi->bank[2].start = 0x50000000;

+	mi->bank[1].start = 0x50000000;

 	/* 1M for ram_console buffer */

-	mi->bank[2].size = 127 * SZ_1M;

-	mi->bank[2].node = 2;

-	mi->nr_banks = 3;

+	mi->bank[1].size = 127 * SZ_1M;

+	mi->bank[1].node = 1;

+	mi->nr_banks = 2;

-	ram_console_start = mi->bank[2].start + mi->bank[2].size;

+	ram_console_start = mi->bank[1].start + mi->bank[1].size;

 	ram_console_size = SZ_1M - SZ_4K;

 	pm_debug_scratchpad = ram_console_start + ram_console_size;

</pre>

<pre>

diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk

index fff6d1b..c09d935 100755

--- a/BoardConfigCommon.mk

+++ b/BoardConfigCommon.mk

@@ -51,10 +51,10 @@ DEFAULT_FB_NUM := 2

 BOARD_NAND_PAGE_SIZE := 4096 -s 128

-BOARD_KERNEL_BASE := 0x30000000

+BOARD_KERNEL_BASE := 0x40000000

 BOARD_KERNEL_PAGESIZE := 4096

-BOARD_KERNEL_CMDLINE := console=ttyFIQ0 no_console_suspend

-

+BOARD_KERNEL_CMDLINE := console=ttyFIQ0 no_console_suspend earlyprintk=serial,ttySAC2,115200 bootmem_debug

+BOARD_FORCE_RAMDISK_ADDRESS := 0x41000000

 #TARGET_RECOVERY_UI_LIB := librecovery_ui_crespo

 TARGET_RELEASETOOLS_EXTENSIONS := device/samsung/crespo

</pre>