Hacking the Samsung H1

Saturday, May 8th, 2010

In December last year I accidentally got my hands on a Samsung H1, introduced as one of the first two phones supporting Vodafone's 360 platform. While neither the platform, nor the software stack it ships with (Linux Mobile, aka. LiMo on top of the Linux v2.6.24.7 kernel with a Samsung/Vodafone topping) have been able to convince me, what's under the hood actually is quite interesting.

Specs

  • TI OMAP3430 application processor, TWL5030 companion chip, Qualcomm MSM6290 baseband
  • 256 MB RAM, 512 MB OneNAND, 16 GB moviNAND and a MicroSD slot
  • 3.5" AMOLED touchscreen
  • TI Wl1271 802.11 b/g/(n) + Bluetooth 2.1+
  • Two cameras, one Fujitsu 5 MP sensor on the back, Samsung VGA camera on the front
  • Accelerometer, haptic feedback and eight buttons

Full (and much more detailed) specs can be found on the wiki.

Bricking it

Although the stock firmware runs a Linux kernel and userland, no shell or anything remotely useful is accessible via USB or WLAN. Having the ultimate goal of running my own up-to-date kernel I spent some time reversing the phone's bootloader in late December. What at first sight looked like the holy grail (code execution at the bootloader level by (ab)using a mechanism used to write new firmware to NAND) turned out to be a huge pitfall as I overlooked a flag set to instruct the bootloader to re-create the partition table. This rendered the low level bootloader unable to load the secondary bootloader (which initializes 95% of the peripherals and provides the only means of recovery). The next two and a half months it served as an excellent paperweight whilst waiting for some goodies to arrive (summary: custom board adapter, one incompatible JTAG emulator and customs delays).

Fixing it

Using JTAG I managed to re-write the partition table, and thus revive the phone. In the meantime I had been working on adding board support code to U-boot and a less archaic revision of the Linux kernel (v2.6.33) (based on the source released by Samsung). Both turned out to run reasonably well after some fine tuning. Fast-forward a couple of weeks of off and on hacking, I managed to hack together support for a few peripherals as well.

Current state

Up until now quite a few people have been hopping by on IRC (#h1 on Freenode) showing interest in my effort. Unfortunately I've written every single line of code by myself so far (with support of a few regulars at #h1, which I do very much appreciate). I'll happily continue to spend my spare time on adding support for missing features and improving existing ones, but having others involved makes things go a lot faster, and it might just motivate me a bit more as well.

What we currently have

Odin

  • An image loader which speaks the Samsung bootloader protocol. Allows for easily loading U-boot and a custom kernel from the phone's "download mode".
  • Named after the protocol, as I haven't been able to come up with a proper name. Not to be confused with a leaked flashing tool which goes by the same name..
  • Source can be found in my git repository

U-boot

  • Based on U-boot's git master from January with some minor modifications and board support code for the H1.
  • Source can be found in my git repository

Linux kernel

  • Board support code based on v2.6.33. A kernel newbie's attempt at writing board support code.
  • Nearly all OMAP3430 features are supported as they're in mainline (e.g. USB OTG)
  • A functioning display, sound (earpiece, speaker and headphones through MAX9877 amplifier), bottom LED and keys.
  • A basic Synaptics RMI4 touchscreen driver
  • Source can be found in my git repository

Android

  • A proof of concept (not as smooth as it could/should be, and lacking about everything except a working display and touchscreen).
  • Needs lots of work and other patches (apart from kernel support) to make it remotely useful.
  • I can push the relevant trees to my git repository if anyone's willing to contribute..

What we don't have

  • WiFi #1: Nokia's Wl1271 SDIO driver from wireless-testing works but is extremely unstable due to some SDIO oddities. Having no datasheet for Wl1271 doesn't help much either.
  • WiFi #2: Wl1271 support for v2.6.32 by TI scheduled for Q2 2010.
  • Baseband: phone communicates with the baseband over dual-ported RAM ("dpram"). Needs lots of reverse engineering of the stock OS implementation.
  • Accelerometer: datasheet is available, should be easy to add.
  • Ambient light/proximity sensor: as above, though only Samsung's implementation can be used as a reference.
  • Camera (CMOS/VGA): only Samsung's driver can be used as a reference, requires OMAP3430 camera support for the kernel (not yet supported in mainline).
  • Anything I forgot

Who cares?

I honestly wouldn't know. Perhaps:

  • Those considering buying a beagleboard, and willing to drop the HDMI and a serial port for a smaller form factor, a case, much more memory, embedded sound and a really nice display.
  • Someone affiliated with FreeSmartPhone/OpenMoko perhaps. Apparently some are hacking the Palm Pre for it - Samsung H1 might have better hardware.
  • Anyone not afraid of Linux kernel code and/or reverse engineering, currently in possession of the phone. Stop hiding and show yourself..

As a closing remark I can only strongly suggest buying another phone if you're looking for a (real) smartphone. You may be able to find it relatively cheap on your local craigslist though (listed for < 130 eur, but as there's no real demand for the phone I can imagine a cheaper deal being possible too)

I might write another post on actually getting Angstrom or Android (proof of concept) running on the phone. Anyone interested?

I'm still sticking around (with some regulars) on Freenode (#h1). Hop along, we don't bite (hard).