Database Users

FM Radio - Another approach

In my Captivate I noticed a kernel module with name Si4709_driver.ko
Si4709 is a FM radio receiver www .silabs. com /products/audiovideo/fmreceivers/Pages/Si470809.aspx (sorry, I can't post URL)
By default it is not loaded, but when I tried to load it, it did. Now we need to know what API is used for user mode programs.
It would also help if those who put i9000 ROM into Captivate (but have stock kernel) tried load module and then run FM radio app.
# cd /lib
# ls
modules
# cd modules
# ls
dpram.ko
rfs_glue.ko
j4fs.ko
multipdp.ko
param.ko
vibrator.ko
Si4709_driver.ko
dhd.ko
rfs_fat.ko
stgloc
s3c_bc.ko
pvrsrvkm.ko
scsi_wait_scan.ko
fsr.ko
drop_caches.ko
fsr_stl.ko
s3c_lcd.ko
# insmod /lib/modules/Si4709_driver.ko
# lsmod
Si4709_driver 15744 0 - Live 0xbf195000
vibrator 6744 2 - Live 0xbf191000
s3c_bc 2880 0 - Live 0xbf18b000
s3c_lcd 5060 0 - Live 0xbf184000
pvrsrvkm 205996 48 s3c_bc,s3c_lcd, Live 0xbf14c000
multipdp 30968 1 - Live 0xbf13f000
dpram 194152 10 multipdp, Live 0xbf10a000
param 10132 0 - Live 0xbf105000 (P)
j4fs 65604 1 - Live 0xbf0ef000 (P)
rfs_fat 235456 5 - Live 0xbf0b0000 (P)
rfs_glue 74328 1 rfs_fat, Live 0xbf098000 (P)
fsr_stl 248012 6 j4fs, Live 0xbf056000 (P)
fsr 328428 3 dpram,fsr_stl, Live 0xbf000000 (P)
#

Nice find. This may turn into something.

With the module loaded the FM radio app no longer has the error 'Unable to turn on FM radio." However, the FM app has no sound and cannot seek for channels.

dalingrin said:
With the module loaded the FM radio app no longer has the error 'Unable to turn on FM radio." However, the FM app has no sound and cannot seek for channels.
Click to expand...
Click to collapse
Looks like the hardware may be there after all, you were using the headphones right? If so then maybe the antenna isn't wired to the headset port.

Another note: Its is possible that hardware is not there. I found another tool that seems to test FM Radio
# ./si4709_test -h
How to control FM Radio (Si4709) .........
================================================================
Usage: ./si4709_test [controls] [value]
-p power, up|down si4709 power control
-s search, up|down|auto seek channel
-rstate, show si4709 radio state
-rssi, show si4709 rssi status
-r, on|off RDS/RBDS Enable/Disable
-rds, show Show RDS/RBDS data
e.g) si4709_test -p (up/down)
================================================================
# ./si4709_test -p up
# ./si4709_test -rstate
[FM RADIO] Radio State
================================================================
Power State = 0
Seek State = 0
================================================================
I tried to do the same on my wife's I9000 and it reported "Power State = 1"
So we may be out of luck with Captivate.

Not judging anyone but why worry about an FM radio when we have apps that do it all, about 4 of my local stations are on iheartradio and another 20 are from immediate areas around me.
When I used FM on my Nokia it was a battery drain more so than 3G.

I tied to run test with headphones connected. Attempt to power up device results in reboot.
Below is kernel log related to loading driver and connecting headphones:
<7>[ 197.626426] device: 'fmradio': device_add
<7>[ 197.628218] PM: Adding info for No Bus:fmradio
<7>[ 197.635228] bus: 'i2c': add driver Si4709_driver
<7>[ 197.665086] i2c-adapter i2c-8: NAK from device addr 0x10 msg #0
<6>[ 204.231953] [ JACK_DRIVER (jack_type_detect_change,404) ] 3 pole headset or TV-out attatched : adc = 46
I also noticed that after I load driver, I see device file called /dev/fmradio. It disappers when I unload driver. It looks like /dev/fmradio is a control device for radio chip (i found string /dev/fmradio inside si4709_test tool).

oh noes! I want the fm radio function.

for_ap1 said:
I tied to run test with headphones connected. Attempt to power up device results in reboot.
Below is kernel log related to loading driver and connecting headphones:
<7>[ 197.626426] device: 'fmradio': device_add
<7>[ 197.628218] PM: Adding info for No Bus:fmradio
<7>[ 197.635228] bus: 'i2c': add driver Si4709_driver
<7>[ 197.665086] i2c-adapter i2c-8: NAK from device addr 0x10 msg #0
<6>[ 204.231953] [ JACK_DRIVER (jack_type_detect_change,404) ] 3 pole headset or TV-out attatched : adc = 46
I also noticed that after I load driver, I see device file called /dev/fmradio. It disappers when I unload driver. It looks like /dev/fmradio is a control device for radio chip (i found string /dev/fmradio inside si4709_test tool).
Click to expand...
Click to collapse
Any way to compare pics of the Captivate mainboard with a Galaxy S? In the general Captivate forum there are pics of the board. Compare chip numbers and see if there are any unmatching chips.
zerosource said:
oh noes! I want the fm radio function.
Click to expand...
Click to collapse
lol I can see the use for it in a natural disaster, during Katrina the radio was all we really had but all the good channels were on the AM side.

decepticon said:
Any way to compare pics of the Captivate mainboard with a Galaxy S? In the general Captivate forum there are pics of the board. Compare chip numbers and see if there are any unmatching chips.
Click to expand...
Click to collapse
I looked at these photos and also at photos from FCC site, but resolution is too low to read chip markings. FM chip is very small in size, so it is really hard to find it.
It seems that receiver talks via I2S bus and also needs few GPIO lines to work. If I understand correctly, I2S bus has no explicit acknowledgment, so driver might not now that device is not present on the bus. I couldn't find detailed application notes for the chip, just brief description is available. I need to look at driver sources to understand how it works. Hopefully Samsung releases it.

Will Samsung or AT&T tell us if there is an FM chip in there or not?

cesierra said:
Will Samsung or AT&T tell us if there is an FM chip in there or not?
Click to expand...
Click to collapse
Maybe a brave soul, will tear the phone apart and finally give us a straight answer
wont be me though

In the source code for the captivate, there's is a folder called fm_si4709 containing many files pertaining to that radio. Perhaps someone astute w/ kernel stuff could work the magic and enable the HW if it is there...

Well, I looked at sources of the driver (i9000 and I897 are the same). It does not do anything with hardware on driver init. So successfully loaded driver does not mean that hardware is present. I need to find a way to compile driver with debug mode on. Another option will be to build a tool that probes I2C bus (i2cdump and i2cdetect) from shell.

Ok, I was able to build modules using Samsung sources and toolchain from Sourcery. I do not know if I can use it with stock kernel though. Will try to play with it, if I have spare time on weekend.

I just built the kernel using the sourcery toolchain: http://www.codesourcery.com/sgpp/lite/arm/portal/release1033
I enabled the debug flag for the FM radio driver (uncomment #define Si4709_DEBUG in kernel/modules/fm_si4709/Si4709_common.h)
I did an insmod of the compiled module (Si4709_driver.ko). Note the last few lines from dmesg (i2c_read failed & Si4709_dev_init failed) . Doesn't look promising.
<2>[277139.763458] --------Si4709_driver_init called
<7>[277139.766871] device: 'fmradio': device_add
<7>[277139.768313] PM: Adding info for No Bus:fmradio
<2>[277139.774798] --------Si4709_driver_init request_irq success 192
<2>[277139.779520] --------Si4709 i2c driver Si4709_i2c_driver_init called
<7>[277139.785779] bus: 'i2c': add driver Si4709_driver
<4>[277139.799406] ----- si4709_i2c_probe 94
<7>[277139.801782] device: '8-0010': device_add
<7>[277139.801979] bus: 'i2c': add device 8-0010
<7>[277139.802269] PM: Adding info for i2c:8-0010
<7>[277139.802442] driver: '8-0010': driver_bound: bound to device 'Si4709_driver'
<2>[277139.802555] --------Si4709 i2c driver Si4709_probe called
<2>[277139.807314] --------Si4709_dev_init called
<7>[277139.847935] i2c-adapter i2c-8: NAK from device addr 0x10 msg #0
<2>[277139.848866] --------i2c_read failed
<2>[277139.851148] --------Si4709_dev_init call over
<2>[277139.855568] --------Si4709_dev_init failed
<2>[277139.859757] --------Si4709_driver_init successful

Damn that sucks :-(. Wish we knew what the chip looked like so we could just see if its on the phone.

why would they put the drivers in, if there is no chip? This is just a hope.

I was think the same thing. I don't know much about kernel building but I would imagine if I was the guy at Samsung making it I wouldn't add sh!t that was useless

They didn't add a potentially useless driver, they just didn't remove it. Big difference

[HOW-TO]Set up a Captivate for Samsung Bootloader Development

OK, there's been quite a few unanswered questions on bootloader development.. I didn't want to clutter the Make your Own Bootloader thread with hardware stuff. I didn't want to clutter up the UnBrickable Mod thread with Bootloader development setup stuff. UnBrickable mod will be a one-stop shop thread for the Captivate eventually.
Introduction
This thread will get you started with bootloader development speciffic to the captivate, however the same techniques work on all GalaxyS devices with an adjustment to the RX/TX locations
We need to delve into the hardware, remove a resistor, attach a wire, and bring two wires outside of the phone. This is quite a bit more difficult then the typical UART over USB connection which we have used in the past. For bootloader development the UART Output described in this video will not work..
The external UART output with a 619Kohm jig between pins 4 and 5, monitoring 115200 8N1 serial output between pins 2 and 3 will not work because the USB hardware is initialised by the bootloaders. In order to test the bootloaders you are developing, you must go to a lower level.
Note:While the UART output in the video will not work for Bootloader development, itis absolutely unbeatable for Kernel level debug on nearly all Samsung devices.
Getting Started
You will need:
1. UnBrickable modded captivate (or other device)
2. A UART device (Android Acessory Development kit or Arduino Mega or a Bus Pirate or any other UART device)
3. A Soldering Iron
4. Flux
5. Solid core wire
6. A relay (For the wire contained within)
7. A Linux computer (get Ubuntu here and dual boot, or run in a virtual machine)
Instructions
1. Apply the UnBrickable Mod to your Samsung Captivate. See Here: http://forum.xda-developers.com/showthread.php?t=1206216
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
2. Next we need to connect a relay wire to the internal JTAG UART points. We cannot use the external UART via USB as we have seen in the past for writing bootloaders because the chip which handles switching for UART has not been initialized yet. We need to go directly to the source off of the processor. You can connect to the internal JTAG UART RX and TX lines here on the JTAG pads:
Using the JTAG header, you can connect to these points using this header: http://www.mouser.com/ProductDetail/Panasonic/AXT612124/?qs=2rFUEsTwVNwSdqVM5XnLHw==
and this Receptical: http://www.mouser.com/ProductDetail/Panasonic/AXT512124/?qs=2rFUEsTwVNy9TGVyeT43Dg==
They can be connected directly, or you can use a board from a guy named "K-WW" on the Hackaday.com forums
Here is a picture of my JTAG connector... This is optional and you will likely want to run wires directly for this project.
Alternately you can get these same points here, next to the processor:
3. Once you have the wires connected to the board, technically you're done and you can now connect up to your Android using your UART Device of choice. I decided to go the extra step and run those small wires to some solid core wire I bent and melted into the phone's case.
The further one is RX and the closer one is TX. Using this low point allows me to close up the device properly and I can still use my SDCard slot.
4. To do some debugging you can connect your Arduino at 8N1 using the same code from the video above...
Code:
void setup() {
// initialize both serial ports:
Serial.begin(115200);
Serial1.begin(115200);
}
void loop() {
// read from port 1, send to port 0:
if (Serial1.available()) {
int inByte = Serial1.read();
Serial.print(inByte, BYTE);
}
// read from port 0, send to port 1:
if (Serial.available()) {
int inByte = Serial.read();
Serial1.print(inByte, BYTE);
}
}
Or connect the Bus Pirate up to the device using the following options in a terminal:
Code:
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)
(1)>3
Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. BRG raw value
(1)>9
Data bits and parity:
1. 8, NONE *default
2. 8, EVEN
3. 8, ODD
4. 9, NONE
(1)>1
Stop bits:
1. 1 *default
2. 2
(1)>1
Receive polarity:
1. Idle 1 *default
2. Idle 0
(1)>1
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1)>2
Ready
UART>
4. Next you need some firmware. There is firmware in the Captivate Development Platform thread, and there is some in the Create Your Own bootloaders thread You can create your own.
5. In order to debug the firmware it has to be uploaded. You can use the SMDK Download tool attached in this post. Uncompress to your desktop
6. To prepare the phone for debug, remove the battery, insert the battery attach USB and run the following program in a new terminal (not the one you are monitoring USB Output)
Upon plugging in the USB, you should see
Code:
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Uart negotiation Error
Then you execute this in a new window
Code:
sudo ~/Desktop/dltool/smdk-usbdl -f ~/Desktop/dltool/s5pc110_test/s5pc110_sbl_loader.bin -a D0020000
you will see this in the same window
Code:
SMDK42XX,S3C64XX USB Download Tool
Version 0.20 (c) 2004,2005,2006 Ben Dooks <[email protected]>
S3C64XX Detected!
=> found device: bus 002, dev 011
=> loaded 24576 bytes from /home/adam/Desktop/dltool/s5pc110_test/s5pc110_sbl_loader.bin
=> Downloading 24586 bytes to 0xd0020000
=> Data checksum ffb7
=> usb_bulk_write() returned 24586
[email protected]:~$
And upon upload of the primitive bootloader, you will see this in the UART window
Code:
Welcome to the S5PC110 resurrector by Rebellos!
Calling SGS IBL Stage2, pray so it wont hang...
DONE!
Testing if BL3 area is R/W
DONE!
Please prepare USB dltool with BL3 (SBL)
Starting downloader in...
9
8
7
6
5
4
3
2
1
0
7. Unplug the USB cable. As soon as the USB cable is removed all executing commands stop and the device awaits you to push the power on button.
Some notes:
PBL execution automatically occurs at 0xD002000 (this is with a 0x10 signature in front so the actual code begins at 0xD002010)
SBL is in DRAM at 0x40244000
Conclusion
So, there you have it. This is how to set up your Captivate to be a bootloader development kit. You don't have to develop a bootloader to load it up using this method.. You can simply stop at step 1 of this guide, UnBrickable mod, and be able to test results without UART output.
If anyone would like to give me one of the following devices' mainboard I will make a UnBrickable Mod/Development Platform for each device.
Samsung Devices: I9000 S8500, S8530, SGH-897, SGH-i896, SGH-i997, T959, SGH-T849, GT-P1000, GT-i9010, GT-i8350, GT-I917
Google Nexus S, Odroid T,
Apple iPhone4
Any new Samsung WP7
Further reading
Create your own bootloader: http://forum.xda-developers.com/showthread.php?t=1233273
The Captivate Development Platform: http://forum.xda-developers.com/showthread.php?t=1206216
Lets save some bricks: http://forum.xda-developers.com/showthread.php?t=1018862

Samsung Infuse (SGH-i997) Owners:
We've got it much easier when it comes to the JTAG header. As you can see in the picture below, the header is already attached to the PCB, and all we need is the connector board from "K-WW".
The large metallic thing on the left is the SIM card slot. The connector for the display (at the bottom of the picture) might be in the way. If it isn't we'll be able to connect to the JTAG and UART2 ports without doing any soldering or even disconnecting a single cable on the device.
We need someone to donate an Infuse to AdamOutler. He needs to remove the processor from the PCB to be able to find the xOM5 pad. This means destroying the phone, so it doesn't matter what the condition is. If it's bricked with a smashed screen and water damage, it doesn't matter! If you can help us with this, please speak up on this thead: http://forum.xda-developers.com/showthread.php?t=1221064

You don't NEED the board. The receptical itself with wires attached will attach to the header and you could close up the device with it attached. With the socket breakout board, the device would need to remain open. I would be searching for alternate UART points as well so the JTAG header would remain available.
Like I said.... I need device mainboards... they need not work. I'm not gaining anything directly from this except fruits of firmware development.... alternate OSs and open source bootloaders

Or, try to find 5 OM resistors while phone is being powered up.
3 should be 100.3kOhm resistance and connected to GND
2 should be ~10.1kOhm resistance and connected to VCC PDA (most likely exactly 2.8V, but 1.8V and similiar is also possible option)
These should be in row, or close to itselves. Then all whats left is guessing which one of the 3 is OM5. By some dangerous tests most likely, but with much smaller risk of damaging the board, comparing to complete CPU teardown.

aww dude, that's awesome....will try to do some of it on my cappy ; )

Rebellos said:
Or, try to find 5 OM resistors while phone is being powered up.
3 should be 100.3kOhm resistance and connected to GND
2 should be ~10.1kOhm resistance and connected to VCC PDA (most likely exactly 2.8V, but 1.8V and similiar is also possible option)
These should be in row, or close to itselves. Then all whats left is guessing which one of the 3 is OM5. By some dangerous tests most likely, but with much smaller risk of damaging the board, comparing to complete CPU teardown.
Click to expand...
Click to collapse
On my device, all resistors are 100.3kohm.

how to send the MB or how to fix my bricked phone GT-i8350

Adam,
I've been staring at this document, the picture of the infuse and the sgh-t959v pictures from ifixit for a while and finally got the gumption to try finding the internal uart. Big thanks for this picture:
AdamOutler said:
You can connect to the internal JTAG UART RX and TX lines here on the JTAG pads:
Click to expand...
Click to collapse
SGH-T959V Internal Uart thread.
Thanks again for all you do for the community!
-Bryan

The Samsung Anyway Jig

The Samsung Anyway Jig
Summary: Some information and pictures of the mysterious Samsung Anyway Jig
Skill Level: Medium
==================================================
Do NOT post questions/requests on how to obtain one, they
will not be answered. (Because I have no idea, since its
Samsung proprietary test equipment!)
Do NOT post links to commercial jigs, unless you also post
the internal schematics, in such a way that it can be easily
constructed at home.
If you already have a working home-made multifunction jig
that you would like to share, please remember:
- a picture of the device
- a picture of the schematics
- a detailed parts list
- the phone/models it applies to
- any other relevant features to make it work
==================================================
Purpose
As custom ROM flashing become more and more popular, the XDA-forums are
continuously bombarded with questions and answers on how to debrick their
devices, often using (what used to be) professional hardware analysis and
debugging equipment, like vendor provided JTAG, JIG and software flashing
tools. These tools used to be only available to certified technical repair and
support centers, closely connected with the various phone vendors. However,
this scenario is rapidly changing as more people are getting higher technical
skills, while using these devices and tools on their phones.
One particular such device, provided by Samsung, has been used for years to
program, customize, repair, debug and unbrick essentially all available
Samsung phones. This blue box is called the "Samsung Anyway Jig", and somehow
Samsung has managed to hide it from public scrutiny and analysis, which have
elevated this device to an almost mythical status. At least for the common
person wishing to repair or modify his phone. Probably because Samsung have
realized that there is a great profit to be made, by having their customer
sending their phones in for repair, rather than letting them in on the simple
secret on how to do this kind of repairs themselves. This behavior have also
been a great joy for the few professional service centers that actually have
access to this device (or similar devices) or who were able to figure out how
it works, making it into a million dollar industry, and obviously without
sharing their knowledge to the public.
Thanks to great community oriented websites and forums like XDA and others,
the public awareness have increased to such a level, that today anyone (with
minimal soldering skills) can build a multifunction and debricking JIG. And
because of the increasingly better standardization among mobile phone
manufacturers, very few modifications are needed for this device to be working
with essentially any modern mobile-phone on the market.
This thread is an attempt to better understand the Samsung Anyway Jig, such
that one can build his/her own Jig, with the information contained herein,
together with many other publicly available documents. It shall be noted that
I do not have access to this device, and I have neither factual data, nor
info, on how this thing actually works. But I do have a very good idea!
Close inspection, of the only 3 (!) images found, as obtained by Google Image
Search (which I am growing increasingly unhappy with), provide a good start
for what is going on in that device.
The Anyway Versions
The Anyway Jig come in slightly different versions. And since I only have access
to 4 pictures, I cannot tell what other versions are available. However, I
noticed the following:
Code:
[SIZE=2]Version PartNumber Variation/Note
-------------------------------------------------------------------------------
S100 Doesn't have "EMP" Solution
S101 GH99-36900A Has "EMP" solution. Is used with GT-S7230 (Bada OS)
S102[/SIZE][SIZE=2] GH99-36900B [/SIZE][SIZE=2]1.2A High-Current version for Tabs & Tablets
[/SIZE]
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
So let me first reproduce the text as seen on the photo of this box:
Code:
[SIZE=2]
| Function
-------------------------------------------------------------------------------
No Solution | Mode OFF ON
-------------------------------------------------------------------------------
1 Agere TC | Boot Low High
2 Hp, Vision, Infineon | SDS O X
3 NXP Sysol | USB O X
4 NXP Swift Broadcom | DBG X O
5 UMTS (Qualcomm) | M-USB Use Not Use
6 EMP | ID type UART USB
7 - | ID-BOOT Boot-On Boot-Off
8 - | - - -
9 - | SDS TRX - Loop
10 - | DBG TRX - Loop
-------------------------------------------------------------------------------
| O = Connect, X = Disconnect
[/SIZE]
"The Solution"
The first thing to notice, is that the "Solution" column is completely
independent of the "Function" column. The "Solution" column seem to refer to
the manufacturer of the modem hardware used in the device, usually the
cellular/baseband processor (CP/BP) used by your phone or the modem chip in
routers etc. You can find out what you have by using the methods I have
outlined in the thread: "Phone/Modem Hardware Cross Reference List".
Once you know what you have, you use the 10-pole (BCD?) rotary micro-switch,
as shown in the picture below, to set it to the number corresponding to your
phone modem. (The settings in that picture, corresponds to a Samsung Wave
[GT-S7230] which has a Broadcom BP and thus the rotary-switch is set to #4.)
But according to this document, for attaching a [GT-I9000], you need to set
it to #2 (for Infineon).
It is unclear at this point whether or not this setting is actually changed
much when using various modern phones. It is more likely that this is used for
backward compatibility to older phones that use older connectors, and that new
phones all use the same setting since most of them, now use micro-USB
connectors. Otherwise it simply wouldn't make sense to use a
micro-rotary-switch, especially considering the vast number of modems chips
available today, while the uUSB standard connectors doesn't allow other
signals.
"The Function"
As you have already noticed, next to the rotary switch, there is a 10-pole DIL
switch, that is used to set the Jigs "Function", or behavior. The table above
show the various functional options available, that you can use for the JIG.
Although it is unclear what all these functions actually does, without access
to a box or manual, we are free to make some educated guesses.
Here we make the following (rather wild) guesses as what the various modes does:
Code:
[SIZE=2]DILpos Mode Typical What Description-Guess
-------------------------------------------------------------------------------
1 Boot 0 Low ??
2 SDS 1 X ??
3 USB 0 O ?Enable/disable USB pass trough: [target]--->[JIG]--->[PC]
4 DBG 0 X ?Enable/disable debug by "port":
5 M-USB 0 Use ?Enable/disable modem USB connection
6 ID type 1 USB ?"Interface Dongle" output-side selection (wheter to use the USB or UART to connect to PC)
7 ID-BOOT 0 Boot-on ?Determines if the device should bootup/start when connected to the JIG.
8 - - - -
9 SDS TRX 0 - ?Enable/disable Loopback on this interface
10 DBG TRX 0 - ?Enable/disable Loopback on this interface
-------------------------------------------------------------------------------
where (0==OFF, 1=ON) of the 10-pol DIL switch,
while "O" is connect and "X" disconnect.[/SIZE]
If you have any knowledge of what these does, please let us know. For example,
I like to know what the "SDS" refers to and what it is/was used for?
Then What?
So how interesting is this, for our modern Android based and micro-USB
connected phones, on a scale from 1-10? Probably not much more than 3.
Because most of the device magic happens inside the phone, determined by
various internal multiplexers (MUX), resistance/capacitance detectors, the
Power Management IC (PMIC) and related device drivers.
The most important thing to understand, is that today there are very specific
standards regarding what functionality is offered and expected, given certain
conditions on the micro-USB signals. For example, shorting the D+ and D- USB
signals, tells your phone to start charging, using the VBUS and GND lines.
While a resitive short between the micro-USB lines ID_CON (pin 4) and GND
(pin-5), allows and selects a wide range of functionality from remote control,
debug mode, download mode, audio/video transfer and everything else you may
want to do. These are some of the things we would like to focus on here.
So what is more interesting, is how we can build a JIG that is much more
modern and useful than this old dinosaur, that can provide us with a fully
controlled set of the functions mentioned above. So if you still dream about
getting one, forget it and build your own! Below I will link to a list of DIY
multifunction JIGs. That means I only list serious JIGs that contain a little
more functionality, than just a resistor. Post if you have something worth
showing.
Useful Resources
*Fun with resistors (home/car dock mode + more)
Lets Save Some Bricks
*The Captivate Development Platform mod AKA UnBrickable Mod
Set up a Captivate for Samsung Bootloader Development
The Vibrant Development Platform AKA UnBrickable Mod
USB Jig FAQ (Frequently Asked Questions) [4/4/2012] ICS bootloader added
Galaxy S UART JIG & Debugging Connector
Complete USB2.0 Specifications (>13 MB, 30 files, main: 650 pages)
USB Battery Charging Specifications 1.2 (71 pages)
FSA9280A Datasheet (Used in SGS1)
FSA9285 censored Datasheet ()
FSA9485 censored Datasheet ()
FSA3200 Datasheet (Used in SGS2)
---------------------------------------
* Strongly recommended reading
Let me know of any dead links.
Here is an internal photo of the original Anyway S100.
Keywords: jig, samsung, anyway, resistors, multiplex
​
UPDATE: 2012-10-24
Anyway Software, Drivers and Manuals for:
Anyway D100 (8 port factory jig)
Anyway S100 (1 port factory jig)
Can be found for download in Post#67 ...
​

Building your own multifunction JIG
The first thing you need to know, when building your own jig, is how various
resistor values determine the behavior of your phone. Below is a list of
resistor values used in the FSA9280A multiplexer chip. These values have been
become a bit of a standard for new Samsung phones and are thus likely to
remain true also for new models and many other devices running AOS. In
post #3 we use these values to build our Resistor Banks.
FSA9280A/88A Resistor Value Functionality
ID_CON Accessory Detection Table (ID_CON resistance to GND):
Code:
[SIZE=2]ADC-reg Min Typ Max Attn Accessory Detected
-------------------------------------------------------------------------------
00000 GND [COLOR=Red]GND [/COLOR]GND ! Host Mode / OTG (On-The-Go)
00001 1.9K 2K 2.1K Audio Send/End Button
00010 2.47K 2.604K 2.73K Audio Remote S1 Button
00011 3.05K 3.208K 3.37K Audio Remote S2 Button
00100 3.81K 4.014K 4.21K Audio Remote S3 Button
00101 4.58K 4.82K 5.06K Audio Remote S4 Button
00110 5.73K 6.03K 6.33K Audio Remote S5 Button
00111 7.63K 8.03K 8.43K Audio Remote S6 Button
01000 9.53K 10.03K 10.53K Audio Remote S7 Button
01001 11.43K 12.03K 12.63K Audio Remote S8 Button
01010 13.74K 14.46K 15.18K Audio Remote S9 Button
01011 16.4K 17.26K 18.12K Audio Remote S10 Button
01100 19.48K 20.5K 21.53K Audio Remote S11 Button
01101 22.87K 24.07K 25.27K Audio Remote S12 Button
01110 27.27K 28.7K 30.14K Reserved Accessory #1
01111 32.3K 34K 35.7K Reserved Accessory #2
10000 38.19K 40.2K 42.21K Reserved Accessory #3
10001 47.41K 49.9K 52.4 K Reserved Accessory #4
10010 61.66K 64.9K 68.15K Reserved Accessory #5
10011 76.1K [COLOR=Red]80.7K[/COLOR] 84.1K ! Audio Device Type-2
10100 96.9K [COLOR=Red]102K[/COLOR] 107.1K ! Phone Powered Device
10101 115K 121K 127K TTY Converter
10110 143K 150K 157K UART Cable
10111 190K 200K 210K Type-1 Car Kit Charger*
11000 242K 255K 268K Factory Mode Boot OFF-USB
11001 292K 301K 316K Factory Mode Boot ON-USB
11010 347K [COLOR=Red]365K[/COLOR] 383K ! Audio/Video MHL Cable**
11011 420K 442K 464K Type-2 Car Kit Charger*
11100 507K 523K 549K Factory Mode Boot OFF-UART
11101 588K 619K 650K Factory Mode Boot ON-UART
11110 750K 1000/2K 1050K Audio Device Type-1 with Remote
11111 - Open - Slave Mode / Charger Mode***
-------------------------------------------------------------------------------
* USB Car Kit specification: ANSI/CEA-936-A.
** USB MHL (Mobile High definition Link)
! Attention, when these values are used, all pin functions
changes. Having the wrong device connected in this mode, may
short and brick interior phone chips.
-------------------------------------------------------------------------------
[/SIZE]
There is a good reason why some resistor values are marked as "DO NOT USE", in
the original FSA9280A datasheet. That reason is because these values trigger a
signal path switch (by cascading multiplexers), in such a way that the
original 2-5 USB (cable) signals no longer exists as such. If this occurs,
when you have another type of device connected, than what was intended for
that function, you risk short-circuiting and bricking the relevant internal
chip that is driving that function. The best example is the MHL function. When
MHL is activated, all mUSB pins become part of MHL signal lines. If during you
happen to have a dedicated charger connected instead of a dedicated
mUSB-to-HDMI cable, you will for sure burn out your MHL Transmitter chip (or
possibly any other chip using those signals in that path). Why? Because a
dedicated charger has D+ and D- pins shorted, while its trying to provide +5V
(@1.2A) on pin-1. This at the same time the MHL chip is trying to provide
various output signals on all 5 pins!
Factory Mode Auto-Configuration Table (1% Resistors on ID_CON Pin):
Code:
[SIZE=2]Configuration Boot VBUS DP_CON DM_CON ID_CON BOOT JIG
-------------------------------------------------------------------------------
FactoryMode 0 (UART) On Open RxD TxD 619K HIGH LOW --> Triggers "Dock Mode" (Google Car Home)
FactoryMode 0 (UART) Off Open RxD TxD 523K LOW LOW -->
FactoryMode 1 (USB) On Closed DP_Host DM_Host 301K HIGH LOW --> Triggers "Download Mode" (aka "Debrick/Recovery JIG")
FactoryMode 1 (USB) Off Closed DP_Host DM_Host 255K LOW LOW -->
[/SIZE]
In addition to the above resistor values based on just that one chip, and mainly used by Samsung, there is an international standard specification for Battery Charging. In these spec's there are three additional values to consider.
Battery Charging 1.1 Specifications
(May need to be verified...)
Code:
[SIZE=2]DCP: USB Dedicated Charger Port RID_A = 124K
CDP: USB Charging Downstream Port RID_B = 68K
SDP: USB Standard Downstream Port RID_C = 36.5K
where RID = "Resistor Identification"[/SIZE]
List of DIY multifunction JIGs
UberPinguin's Multi-R Jig
Another nice I9100 UART JIG (chinese)
DHylands SGS2 Serial Adapter and Console
Recommended UART Cables
FTDI's "Chipi-X" USB-to-RS232 Cable
Good to Know
Android D2XX FTDI Driver
"Build your own Music dock" [Samsung]

The Dancing MyWay Jig
< here be dragons 2 >

Dude! excellent find. Holy Hack!
you may have seen this thread.. http://forum.gsmhosting.com/vbb/f200/who-used-samsung-anyway-jig-1347210/
that Duc guy may have some info.
someone also links to a user manual where you can see more of that puppy in action.. http://samfirmware.webs.com/I5801_Flash_Tutorial_English.pdf
enjoy. ciao.

^^ Yeah, thanks, but most of those links are dead and the "manual" is just an old standard flashing/service manual. In fact I got the above pictures from some other service manuals. Finally, I don't like having to register to a website, just so that I can see some images.

I do have a AnyWay S100 jig here that i got when samsung support left the place i work. I think i can get a hold of all the cables that they had for it. If i remember correct there was never a micro usb cable tho. But if you want i cna open that puppy up and provide pictures of the inside of the jig. also it could be nice if i could find a way to make a micro usb cable for it...

ParanoidDK said:
But if you want i cna open that puppy up and provide pictures of the inside of the jig.
Click to expand...
Click to collapse
Yes! We'd love to see what's inside! Chips, and wiring etc!
Do you happen to have any windows software drivers for the device? (Why? Because of this.)
Making a micro USB hack would be easy...if you have the right tools or a micro-USB breakout PCB. Just remember that most micro-USB to USB cables do not have the USB_ID line in the cable, but is immediately shorted inside micro-connector. You could get a micro-to-mini-USB cable, that should also include the USB_ID (aka ID_CON) line, but these are hard to find as they are not conforming to common USB cable standards.

Well the usb cable should be the least thing... And if i make one i might just as well make one from start with a micro usb plug, cable and the printer plug in the other end... I think i might be able to use the cable for one of the older samsung phones i have for the box as start point...
i have a print i need to make and then i will open up the box and start to take some pics with my SGS3 just so you can get a preview of the inside...

An anonymous and friendly contributor have come forward with a little bit more information, although not very useful.
1) The S102 model is modified to allow a higher current as used in Tablets.
2) The manual "Function" settings can now be made in software, and is no longer used. (Well then, how is it set in software?)
3) The "Solution" for Galaxy models should be set to "NXP Swift". (But this contradicts the Service Manual for the GT-I9100 and others! But is probably explained by the different BP's used in those devices.)
We need internal pictures! (or the schematics)

Here is some pictures of the internals from the S100 i have here. Proberly not the best ones but the best i can take with my cam... If i have to take better ones i will have to get my friend involved with his DSLR.
I had to upload them to my server as they was to large to upload to xda...
Internals Pictures of the AnyWay S100 Jig
-----EDIT----
I am going to see if i can find the last cables and the psu for the jig today in the bin... As it is now without the PSU windows dont even see the device...

ParanoidDK said:
Here is some pictures of the internals from the S100 i have here. Proberly not the best ones but the best i can take with my cam... If i have to take better ones i will have to get my friend involved with his DSLR.
I had to upload them to my server as they was to large to upload to xda...
Internals Pictures of the AnyWay S100 Jig
-----EDIT----
I am going to see if i can find the last cables and the psu for the jig today in the bin... As it is now without the PSU windows dont even see the device...
Click to expand...
Click to collapse
hi thanks to give all i need full box so can you help me ?

[email protected] said:
hi thanks to give all i need full box so can you help me ?
Click to expand...
Click to collapse
I am not going to part with the anyway jig i got so no... You will have to keep looking on ebay... I dont mind opening it up to let the world see the inside but am not going to sell it.

That's a whole lot of relays in that box.
I don't know if anyone has stated which connector is for what,
but I'd guess that the 25 pin connector goes to a model-specific resistor assembly.
Too much of the relay wiring goes out there.

The big "printer port" is the port for the phone connections that i know... i have a cable for a older samsung phone with the box... and that might be a problem because it might use diffrent pins for diffrent phone models... so without seeing both ends of the micro usb cable naked it will be hard to make a cable...
If you guys need more pics let me know... i can also strip that samsung cable i allready got...
Sent from my GT-I9300 using xda premium

ParanoidDK said:
Here is some pictures of the internals from the S100 i have here... I am going to see if i can find the last cables and the psu for the jig today in the bin... As it is now without the PSU windows dont even see the device...
Click to expand...
Click to collapse
Wow! This thing was (any?) way more complicated inside than what I could have imagined! Containing several relays, a PIC16F876A, and who knows what all those other chips are doing.
This is kind of bad news, as then it will be nearly impossible to build anything like it. At least without the firmware for the PIC and the drivers used. However, I believe that most of its functionality is for switching purposes in order to be able to use it on a broad spectrum of devices. So if we can limit ourselves to the most recent smart phones with micro-USB connectors, much of the internal electronic can be ignored.
So don't worry about the PSU (Power Supply Unit?). It would be much more useful if you have the drivers...
This is how it looks:
<I seem to have some upload problems!! >
(Not sure if its an XDA issue or not...)
EDIT: Now it worked...3 days later!

Could you take apart the shell on the 25 pin adapter cable for the old cell phone model?
I'll bet that there are some precision resistors in there.
Thanks.

I dont have the drivers... and i do worry about the psu because without that the unit dont work....
I will open the cable and upload some pictures of that today....
Sent from my GT-I9300 using xda premium

no comment

You sure have some problems with that image E:V:A
But here it is (I hope):
Did just open the cable i got ant it is a S20 cable.
http://www.samsung.com/us/mobile/cell-phones-accessories/APCBS10UBEBSTD
There is no resistors it is just a 25 pins to S20 cable... Will upload some pics here in a bit... And now i really have to check to see if there are more cables just to check the 25 pins end..
---EDIT----
Link to pictures of the naked cable: http://blog.moonman.dk/files/Anyway_S20_cable.zip

Are you sure that this jig does anything for current cell phones?
It seems to me that this device has nothing to do with the semi-standard today
of 5 pin micro USB connectors with resistance coding on the 5th ID pin.

[Hardware][Arduino][Pre-boot] Universal Arduino Serial Adapter

Overview
I have designed a "universal" serial adapter that the XDA community might appreciate. I recently needed access to a variety of devices using serial TTL and RS232 communication. The devices being a phone, router and firewall unit. I talked with a few friends that are in IT and polled some other ROM developers to get an idea on what they may find useful in a serial adapter device. Below is the result of the work. The idea is to have 1 serial adapter that takes care of all of your DB9 / null modem / goofy pinouts in one package.
Project Page
I have posted all of the code, pictures and an early circuit diagram to github: https://github.com/mcrosson/arduino_universal_serial_adapter . As I continue to develop and implement the project I will be pushing to github. Please note at this time the circuit diagram is a bit out of date. I am working on getting an updated diagram built but I am still learning Eagle and it will be a little while before I have it published.
Compatible Devices
Phone UART chips
Null modem serial ports
Cisco serial consoles
Working Features
Configurable line speed
TTL voltage adjustments (1.8V, 3.3V, 5V)
RS232 communication
Full UI
Future Features
Session recording to SD card
RTC for timestamped sessions and output timestamps
Inline display of serial communication on LCD Won't fix, LCD response is too low for this
RX/TX status via blinking the button LEDs
Known Issues
At 115200 line speeds the serial channel may drop characters -- This appears to be a speed limitation / bad code Fixed in dd981aa44d
UI timeout isn't reset when events occur Fixed in 7f60a42f9b
Timeout config doesn't reset / change current timeout Fixed in ebd4ac5d04
Code
IDE / Environment
This project was developed using stino (Sublime Text 2 plugin). It works slightly differently (read: more powerful) than the standard Arduino IDE. This project may or may not build under the Arduino IDE.
Configuration
The `Project.h` and `Project.cpp` files define the pinouts in use, Arduino pinout and a number of other items that may vary between builds. Please read through these [short] files and update the pinouts, addresses and anything else that may be different before uploading to your Arduino.
Prototype
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Demo
I have posted some rough demo videos here (clickable) demonstrating some of the projects functions.
Parts
Arduino Mega
AdaFruit 1.8" LCD with MicroSD Card Slot
PSP Joystick
LED backlit buttons
Spark Fun MicroUSB breakout
AdaFruit logic level converter (bi-directional)
RJ-45 jacks
DB9 jack
Maxim Max3232 RS232 to TTL DIP IC's
Credits / Thanks
ChildOfTheHorn/Stacy Wylie
Adam Outler
Motorhead
utkanos
bhundven
Articles / Information Used For Project
http://forum.xda-developers.com/showthread.php?t=1901376
http://forums.hackaday.com/viewtopic.php?f=3&t=623
http://petervanhoyweghen.wordpress.com/2012/11/08/using-the-leonardo-as-usb-to-* serial-converter/
http://www.cellbots.com/how-to/handling-3-3v-to-5v-logic-level-conversion/
https://plus.google.com/104711040110222472212/posts/3764HBYeb2X
http://www.cutedigi.com/arduino-shields/rs232-shield-for-arduino.html
http://www.arduino.cc/en/Tutorial/SoftwareSerial
http://arduino.cc/en/Tutorial/ArduinoSoftwareRS232
http://www.ossmann.com/5-in-1.html
http://www.lammertbies.nl/comm/cable/RS-232.html
http://www.usconverters.com/index.php?main_page=page&id=61&chapter=0

Happy to be a part of it KemoNine. I'm all set with my simplified version but I'm still happy to have helped.

second!
great works kemonine96,curious to try it!

sert00 said:
second!
great works kemonine96,curious to try it!
Click to expand...
Click to collapse
Hopefully it works well for you. I've been hoping to find a solid solution to the problem of dropped serial data when running at faster line speeds. I'm thinking the code is setup in a way where it takes too long to process all of the input events. Going to be trying to set it up as an interrupt driven serial read/pass through to see if that fixes the problem any.
If not, I recently obtained an Arduino Due which should have enough CPU to keep up with everything compared to the standard Arduino Mega I'm currently using.

kemonine96 said:
Overview
I have designed a "universal" serial adapter that the XDA community might appreciate. I recently needed access to a variety of devices using serial TTL and RS232 communication. The devices being a phone, router and firewall unit. I talked with a few friends that are in IT and polled some other ROM developers to get an idea on what they may find useful in a serial adapter device. Below is the result of the work. The idea is to have 1 serial adapter that takes care of all of your DB9 / null modem / goofy pinouts in one package.
Project Page
I have posted all of the code, pictures and an early circuit diagram to github: https://github.com/mcrosson/arduino_universal_serial_adapter . As I continue to develop and implement the project I will be pushing to github. Please note at this time the circuit diagram is a bit out of date. I am working on getting an updated diagram built but I am still learning Eagle and it will be a little while before I have it published.
Compatible Devices
Phone UART chips
Null modem serial ports
Cisco serial consoles
Working Features
Configurable line speed
TTL voltage adjustments (1.8V, 3.3V, 5V)
RS232 communication
Full UI
Future Features
Session recording to SD card
RTC for timestamped sessions and output timestamps
Inline display of serial communication on LCD
Known Issues
At 115200 line speeds the serial channel may drop characters -- This appears to be a speed limitation / bad code
UI timeout isn't reset when events occur Fixed in 7f60a42f9b
Timeout config doesn't reset / change current timeout Fixed in ebd4ac5d04
Code
IDE / Environment
This project was developed using stino (Sublime Text 2 plugin). It works slightly differently (read: more powerful) than the standard Arduino IDE. This project may or may not build under the Arduino IDE.
Configuration
The `Project.h` and `Project.cpp` files define the pinouts in use, Arduino pinout and a number of other items that may vary between builds. Please read through these [short] files and update the pinouts, addresses and anything else that may be different before uploading to your Arduino.
Prototype
Demo
I have posted some rough demo videos here (clickable) demonstrating some of the projects functions.
Parts
Arduino Mega
AdaFruit 1.8" LCD with MicroSD Card Slot
PSP Joystick
LED backlit buttons
Spark Fun MicroUSB breakout
AdaFruit logic level converter (bi-directional)
RJ-45 jacks
DB9 jack
Maxim Max3232 RS232 to TTL DIP IC's
Credits / Thanks
ChildOfTheHorn/Stacy Wylie
Adam Outler
Motorhead
utkanos
bhundven
Articles / Information Used For Project
http://forum.xda-developers.com/showthread.php?t=1901376
http://forums.hackaday.com/viewtopic.php?f=3&t=623
http://petervanhoyweghen.wordpress.com/2012/11/08/using-the-leonardo-as-usb-to-* serial-converter/
http://www.cellbots.com/how-to/handling-3-3v-to-5v-logic-level-conversion/
https://plus.google.com/104711040110222472212/posts/3764HBYeb2X
http://www.cutedigi.com/arduino-shields/rs232-shield-for-arduino.html
http://www.arduino.cc/en/Tutorial/SoftwareSerial
http://arduino.cc/en/Tutorial/ArduinoSoftwareRS232
http://www.ossmann.com/5-in-1.html
http://www.lammertbies.nl/comm/cable/RS-232.html
http://www.usconverters.com/index.php?main_page=page&id=61&chapter=0
Click to expand...
Click to collapse
oh how i miss those breadboards

I managed to solve the dropped characters issue tonight. I am now using the Timer3 library (look for Timer1 library on non-mega hardware) to control the serial IO using an interrupt timer.
Works great with the interrupt driven IO. Next up is RTC and SD card integration.

Quick update on progress: I implemented some basic sd card logging and RTC functionality today. I also cleaned up some of the code and generally improved things.
Ran into an issue with sd card data transfers being "slow" which is forcing me to look into non-standard libraries for io purposes. My next step will be to be able to log data at 115200 baud to the sd card. Hopefully I'll have this rectified soon.

kemonine96 said:
Quick update on progress: I implemented some basic sd card logging and RTC functionality today. I also cleaned up some of the code and generally improved things.
Ran into an issue with sd card data transfers being "slow" which is forcing me to look into non-standard libraries for io purposes. My next step will be to be able to log data at 115200 baud to the sd card. Hopefully I'll have this rectified soon.
Click to expand...
Click to collapse
Not a lot of activity in this thread lately, but I'm just getting into this area.
Have you made any progress on logging data to sd card?

Maplobats said:
Not a lot of activity in this thread lately, but I'm just getting into this area.
Have you made any progress on logging data to sd card?
Click to expand...
Click to collapse
No, I ran into some performance issues when I went to implement the feature. I believe I traced it down to some case statements but it's been awhile since I worked on the build.
Sent from my XT1053 using Tapatalk

Hacking & Reverse Engineering of Tata Sky HD STB ( Technicolor : DSI729TAT )

I have a "Tata Sky HD" Set-top Box and I was about to throw this in garbage but before I want to know what is happening under the hood.
I search on internet and I found nothing except this. I'm noob so sorry for if say something silly.
I found this specifications.
Product : TATA SKY HD
Original Maker : Technicolor
Product Model Number : DSI729TAT
Chipset : STiH237 BHKB B3L
Type : ST40 -32 BIT
Architecture : RISC
RAM : 2GB [ SK Hynix H5TQ2G63FFR H9C
Storage : 1GB [ Spanison ML01G100
Power : 12v DC
Software: busybox 1.18.2 , mtdwrap, uclibc, Linux Kernel 2.6.32.59_stm24_0211, ST drivers: embx.ko, embxmailbox.ko, ics.ko, ics_user.ko, lxload.ko, mme.ko, mme_user.ko, LZO Decompression Library 2.03, Decompression Utility
PORTS : 1 HDMI 1.2/1.3/1.4, 1 USB 2.0, SAT-IN & 2 Audio 1 Video Out , 1 Optical S/PDIF (for Dolby Digital Plus Audio ), 1 Digi Card.
I Found 1 UART PORT Which would be used while extraction of Firmware.
AFTER SOME REASEARCH I FOUND THAT IT HAS SIMILAR TO ARM-CORTEX-A9 AND MALI-400 GPU. (MAYBE I'M WORNG)
IDEA : It has a a Good processor and ram which can run as raspberry-pi os.
so we can repurpose it as a Media Center, Gaming Console, NAS, Smart Home, Small Server or a Mini Computer.
storage is low so we have to add some storage. I'm not sure how this is possible. except swapping the NAND flash Chip.
GOAL 1 : Extract Firmware and Extract Paid Decryption key which is use to verify the sat-in signals. ( a stb which don't required subscription to watch any tv channel )
i think they modified the software which capture the unencrypted signal and if we have a signal receiver then we are good to go. but for big companies wants to earn money so they added these barriers which needs decryption. and if the satellite is sending encrypted signal then we need to find the key. ( i know it's hard that's why we are here. I'll love to hear you thoughts on these)
GOAL 2: Change the Firmware and install Linux.
Goal 3: Find a way to use it as media server with increased storage and add a wireless module for WIFI access.
I'm not sure it is possible or not. but i think its possible. just think about it a small hardware can collect signal from satellite and decrypt the signals in HD with Dolby HD audio. we just need to find a way to access this.
I SHARED MY IDEA AND I DON'T KNOW MUCH ABOUT THESE.
PROBLLY I'M GOING TO ACCESS THIS WITH UART INTERFACE AND TRYING TO ACCESS THE BOOTLOADER.
OR MAYBE DESIGN A CUSTOM KERNAL.
I'M SEARCHING FOR COMPATIBLE FIRMWARE WHICH I CAN MODIFY AS I NEED.
EXTRA : I FOUND A SIMILAR STB WHICH USED IN RUSSIA "NTV PLUS SET TOP BOX" HAS SIMILAR PROPERTIES LIKE TATASKY HD BUT WITH EXTRA I/O PORTS.
THANK YOU. IF YOU HAVE ANY ADDIONAL IDEA THEN I'LL LOVE TO HEAR THAT.
Links Used For Gathering Information
Chipset : https://www.st.com/en/digital-set-top-box-ics/stih237.html
RAM : https://www.electronicsdatasheets.com/manufacturers/sk-hynix/parts/h5tq2g63ffrh9c
OS information : https://www.technicolor.com/node/1899
Storage : https://www.qdatasheet.com/search.jsp?sWord=ML01G100&page=2&op=i
RISC BASED TOOLS AND APPS : https://www.riscosopen.org/content/downloads/common

This is probably the UART. You will most likely get a shell and U-Boot logs provided that it's not fused-off (ST microcontrollers can have debug interfaces fused off during flashing at the manufacturer)
How to find the pinout:
GND will have continuity with metallic parts of the board (heatsinks, HDMI ports, etc)
VCC will measure 1.8-5V DC depending on logic level
RX will not measure very much voltage
TX will go crazy during boot on an oscilliscope.
Try baudrate 115200 8n1

$cronos_ said:
This is probably the UART. You will most likely get a shell and U-Boot logs provided that it's not fused-off (ST microcontrollers can have debug interfaces fused off during flashing at the manufacturer)
View attachment 5877483
How to find the pinout:
GND will have continuity with metallic parts of the board (heatsinks, HDMI ports, etc)
VCC will measure 1.8-5V DC depending on logic level
RX will not measure very much voltage
TX will go crazy during boot on an oscilliscope.
Try baudrate 115200 8n1
Click to expand...
Click to collapse
Well i don't have oscilloscope yet, soon I will try your guide, thanks for guidance. I will try to update upcoming experiments.

dyal96 said:
IDEA : It has a a Good processor and ram which can run as raspberry-pi os.
so we can repurpose it as a Media Center, Gaming Console, NAS, Smart Home, Small Server or a Mini Computer.
storage is low so we have to add some storage. I'm not sure how this is possible. except swapping the NAND flash Chip.
GOAL 1 : Extract Firmware and Extract Paid Decryption key which is use to verify the sat-in signals. ( a stb which don't required subscription to watch any tv channel )
i think they modified the software which capture the unencrypted signal and if we have a signal receiver then we are good to go. but for big companies wants to earn money so they added these barriers which needs decryption. and if the satellite is sending encrypted signal then we need to find the key. ( i know it's hard that's why we are here. I'll love to hear you thoughts on these)
Click to expand...
Click to collapse
I think we can utilize the usb port on the back to add the external storage, as the usb port is used for storing the TV recording (as far as I can recall), and for the uart part, we can also use it for accessing root shell in the initial step, to figure out the operation method and framework.
I don't have any idea about the encryption keys, it would be cool if there's a way for that.
I have the same STB, would love to repurpose the old box, what's your progress on this so far ?

If you have a multimeter, you can check if the pins are for UART, RX voltage would be very low, TX voltage would be fluctuating upon boot, check continuity for GND with any grounded part like the HDMI port shield or the AV port silver port, VCC would be 3.3 or 5 volts