Linux port to the HTC Smartphones


This section summarizes briefly some of the information I could gather from reverse engineering the SPL. A lot more information is available on the Xanadux wiki.

Booting procedure

The booting procedure in diagnostic mode, which allows us to load Linux, is the following (three stages, each running from a different location):

IPL/SPL (Flash ROM) -> EOL (miniSD) -> Linux (miniSD)

IPL/SPL (Flash ROM):
  (Press and hold camera, press and release power)
  Initialize the phone
  Set the screen up, fill in white
  Check the SD card type (diagnostic)
  Check the SD card signature
  Ask if SD card should be loaded
  (Press volume down)
  Load SD card content at 0x8c080000
  Jump at 0x8c080000

EOL (miniSD):
  Relocate at 0x8d000000
  Set framebuffer console up
  Read SD card partition table
  Look for a FAT partition
  Look for 'IMAGE.BIN' in the FAT
  Load 'IMAGE.BIN' at 0x8c008000
  Turn off cache and MMU
  Jump at 0x10008000 (physical)

Linux (miniSD):
  Set page tables up
  Turn on MMU and D-cache
  Jump to start_kernel()
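The "Read SD card partition table / Look for a FAT partition" steps of the EOL stage amount to walking the MBR's four primary entries and picking the first one with a FAT type id. The following is an added example (not EOL's own code) that does exactly that on a constructed 512-byte sector; the MBR layout and FAT type ids are the standard ones, and the partition sizes in the sample are made up.

```python
"""Added example, not from the page's EOL loader: find the first FAT partition
in an MBR partition table, the step EOL performs before searching the FAT for
IMAGE.BIN.  The MBR layout is standard; the sample sector below is constructed."""
import struct
from typing import List, Optional, Tuple

# Partition type ids for FAT12/FAT16/FAT32 (including the LBA-mapped variants).
FAT_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}

Entry = Tuple[int, int, int]  # (type id, LBA of first sector, sector count)


def parse_mbr(sector: bytes) -> List[Entry]:
    """Return the four primary partition entries of an MBR sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (bad length or 0x55AA signature)")
    entries = []
    for i in range(4):
        e = sector[446 + 16 * i: 446 + 16 * (i + 1)]   # 16-byte entry
        ptype = e[4]                                   # byte 4: partition type
        lba, count = struct.unpack_from("<II", e, 8)   # bytes 8-15: LBA start, size
        entries.append((ptype, lba, count))
    return entries


def first_fat_partition(sector: bytes) -> Optional[Entry]:
    """The partition EOL would search for IMAGE.BIN, or None if there is no FAT."""
    for entry in parse_mbr(sector):
        if entry[0] in FAT_TYPES and entry[2] > 0:
            return entry
    return None


def make_entry(ptype: int, lba: int, count: int) -> bytes:
    """Build a partition entry (CHS fields left zero, as LBA-only tools do)."""
    return bytes([0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, count)


# Constructed sample: a Linux partition first, then a FAT32 partition.
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x83, 2048, 4096)
              + make_entry(0x0B, 8192, 65536)
              + b"\x00" * 32
              + b"\x55\xAA")

if __name__ == "__main__":
    print(first_fat_partition(SAMPLE_MBR))   # (11, 8192, 65536)
```

Note that the loader only inspects primary entries: a FAT volume living inside an extended partition would not be found by this walk, which is one reason the diagnostic card is normally prepared with a single primary FAT partition.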

SD card authentication

When booting in diagnostic mode, the SPL checks for the presence of a miniSD. If it finds one, it checks whether an HTC header is present in the first sector of the card. This header contains a magic identifying the card type, for example a full or partial ROM image (to be flashed) or a diagnostic card. If the type is a diagnostic card, the content of the card is loaded to RAM and executed instead of being flashed to the Disk-On-Chip. However, before loading the content to RAM, the security level is checked and if it is too high (lower means more privileges), the operation is aborted and the "Not allow update!" message is printed. The security level depends on two parameters. The first one is whether the Disk-On-Chip identifier consists of a single repeated character (like '11111111'), in which case the security level is 0 and all operations are allowed (this is called a Super-CID). Otherwise the miniSD itself is checked to see if it is signed.

Signing the card means combining its unique identifier with one of the three keys specific to the phone model (providing security levels 0-2). Any security level <= 2 is enough to load the diagnostic card, so we don't have to bother using the proper key, provided the model is correct. These keys are known by the program (they are present at the end of the SPL image for your phone model), so what you need to provide is the SD card unique identifier. Every SD card in the world has a 128-bit identifier, available by sending special commands to the SD card. This means only an SD controller can provide that kind of information; USB adapters cannot (since they only know how to read/write the SD card flash memory, not how to access its registers). Some laptops have integrated controllers, as do other devices like PDAs, or even an unlocked HTC smartphone running Linux :), so you can use such devices to retrieve it.
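The 128-bit identifier discussed here is the SD CID register, which Linux exposes for a card on a native controller at /sys/block/mmcblkN/device/cid as 32 hex digits. The following added example (not HTC's SPL code, not from the Xanadux project) parses that register into its SD-spec fields, checks its CRC-7, and models the security-level decision the two paragraphs above describe: Super-CID short-circuits to level 0, otherwise the card's signature decides, and anything above level 2 (or unsigned) is refused. The CID layout and the CRC-7 polynomial are the standard SD ones; the signature scheme is an assumed stand-in (HMAC-SHA256 of the CID under a per-model key), because the page does not document how HTC actually combines the identifier with the key, and the model keys and sample CID are constructed placeholders.

```python
"""Added example, not HTC's SPL code: parse an SD card CID register (the
128-bit identifier the text refers to, readable on Linux from
/sys/block/mmcblkN/device/cid) and model the security-level gate the text
describes.  The CID layout and CRC-7 are the standard SD ones; the signature
scheme is an ASSUMED stand-in (HMAC-SHA256 of the CID under a model key),
since the real HTC signing method is not documented on the page."""
import hashlib
import hmac
from typing import Dict, Optional, Sequence

MAX_ALLOWED_LEVEL = 2  # text: any security level <= 2 loads the diagnostic card


def crc7(data: bytes) -> int:
    """CRC-7, polynomial x^7 + x^3 + 1 (0x89), as used in SD commands and the CID."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc ^= 0x89
            crc = (crc << 1) & 0xFF
    return crc >> 1


def parse_cid(cid_hex: str) -> Dict[str, object]:
    """Split a 32-hex-digit CID into its SD-spec fields and verify its CRC-7."""
    raw = bytes.fromhex(cid_hex)
    if len(raw) != 16:
        raise ValueError("CID register is 128 bits (32 hex digits)")
    mdt = ((raw[13] & 0x0F) << 8) | raw[14]          # 12-bit manufacturing date
    return {
        "mid": raw[0],                                # manufacturer id
        "oid": raw[1:3].decode("ascii", "replace"),   # OEM / application id
        "pnm": raw[3:8].decode("ascii", "replace"),   # product name
        "prv": f"{raw[8] >> 4}.{raw[8] & 0x0F}",      # product revision (BCD)
        "psn": int.from_bytes(raw[9:13], "big"),      # 32-bit serial number
        "mdt": (2000 + (mdt >> 4), mdt & 0x0F),       # (year, month)
        "crc_ok": raw[15] == ((crc7(raw[:15]) << 1) | 1),  # CRC7 << 1 | stop bit
    }


def is_super_cid(doc_id: str) -> bool:
    """Text: a Disk-On-Chip id made of one repeated character ('11111111') is a Super-CID."""
    return len(doc_id) > 0 and len(set(doc_id)) == 1


def sign_card(cid: bytes, model_key: bytes) -> bytes:
    """ASSUMED signing stand-in (HMAC-SHA256), not the real HTC scheme."""
    return hmac.new(model_key, cid, hashlib.sha256).digest()


def signed_level(cid: bytes, model_keys: Sequence[bytes], signature: bytes) -> Optional[int]:
    """Index of the model key that validates the signature, i.e. the level it grants (0-2)."""
    for level, key in enumerate(model_keys):
        if hmac.compare_digest(sign_card(cid, key), signature):
            return level
    return None  # unsigned, or signed with another model's keys


def security_level(doc_id: str, cid: bytes, model_keys: Sequence[bytes],
                   signature: bytes) -> Optional[int]:
    """Super-CID short-circuits to level 0; otherwise the card signature decides."""
    if is_super_cid(doc_id):
        return 0
    return signed_level(cid, model_keys, signature)


def diagnostic_card_allowed(level: Optional[int]) -> bool:
    """False is the case where the SPL prints "Not allow update!"."""
    return level is not None and level <= MAX_ALLOWED_LEVEL


# Constructed sample CID (MID 0x03, OID "SD", PNM "SU32G", PRV 8.0, PSN 0x12345678,
# MDT 2010-05) with a valid CRC-7 appended; the model keys are placeholders.
_CID_BODY = bytes.fromhex("0353445355333247801234567800a5")
SAMPLE_CID_HEX = (_CID_BODY + bytes([(crc7(_CID_BODY) << 1) | 1])).hex()
MODEL_KEYS = [b"model-key-0", b"model-key-1", b"model-key-2"]

if __name__ == "__main__":
    cid = bytes.fromhex(SAMPLE_CID_HEX)
    print(parse_cid(SAMPLE_CID_HEX))
    lvl = security_level("HT123456", cid, MODEL_KEYS, sign_card(cid, MODEL_KEYS[1]))
    print("level", lvl, "allowed", diagnostic_card_allowed(lvl))
```

On a real device, replace SAMPLE_CID_HEX with the contents of the sysfs file; a CID whose CRC does not verify usually means the value was mangled in transit rather than read from the card's register, which is the symptom you get when trying to obtain it through a USB adapter that only exposes the flash contents.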

General Purpose Input/Output (GPIO)

The OMAP platform provides general-purpose I/O pins which can be used for sensing or signaling. How these pins are used is unfortunately totally machine-dependent. From what I could find in the SPL, it seems the following GPIOs are used.

GPIO #   dir      purpose
7        OUT      unknown
15       OUT      LCD_Panel_Reset (HIGH: reset, LOW: no reset)
16       OUT      unknown
19       OUT      ARM7_RF_Enable
31       IN       unknown
32       IN       unknown
34       OUT      Vibrator_En
35       IN       USB D- ?
36       IN       USB D+ ?
40       IN/OUT   unknown
41       IN       unknown
42       IN       unknown
43       IN/OUT   unknown
61       OUT      unknown
62       OUT      unknown
69       IN       LCDPanel_ID0
70       IN       LCDPanel_ID1
72       OUT      FrontLight_Dim
73       OUT      unknown
74       OUT      KeypadLed
77       OUT      LCD_out_en
78       IN       unknown
77       OUT      Led_1 (pullup)
80       OUT      unknown
81       OUT      unknown
84       OUT      unknown
116      IN       LightSensor
121      OUT      LCD_Power_1
122      OUT      unknown
124      OUT      LCD_out_data
125      IN       unknown
126      IN       FrontLight_En
127      OUT      LCD_out_clock