«

Hacking the Samsung H1

In December last year I accidentally got my hands on a Samsung H1, introduced as one of the first two phones supporting Vodafone's 360 platform. While neither the platform, nor the software stack it ships with (Linux Mobile, aka. LiMo on top of the Linux v2.6.24.7 kernel with a Samsung/Vodafone topping) have been able to convince me, what's under the hood actually is quite interesting.

Specs

  • TI OMAP3430 application processor, TWL5030 companion chip, Qualcomm MSM6290 baseband
  • 256 MB RAM, 512 MB OneNAND, 16 GB moviNAND and a MicroSD slot
  • 3.5" AMOLED touchscreen
  • TI Wl1271 802.11 b/g/(n) + Bluetooth 2.1+
  • Two camera's, one Fujitsu 5 MP sensor on the back, Samsung VGA camera on the front
  • Accelerometer, haptic feedback and eight buttons

Full (and much more detailed) specs can be found on the wiki.

Bricking it

Although the stock firmware runs a Linux kernel and userland, no shell or anything remotely useful is accessible via USB or WLAN. Having the ultimate goal of running my own up-to-date kernel I spent some time reversing the phone's bootloader in late December. What at first sight looked like the holy grail (code execution at  the bootloader level by (ab)using a mechanism used to write new firmware to NAND) turned out to be a huge pitfall as I overlooked a flag set to instruct the bootloader to re-create the partition table. This rendered the low level bootloader unable to load the secondary bootloader (which initializes 95% of the peripherals and provides the only means of recovery). The next two and a half months it served as an excellent paperweight whilst waiting for some goodies to arrive (summary: custom board adapter, one incompatible JTAG emulator and customs delays).

Fixing it

Using JTAG I managed to re-write the partition table, and thus revive the phone. In the meantime I had been working on adding board support code to U-boot and a less archaic revision of the Linux kernel (v2.6.33) (based on the source released by Samsung). Both turned out to run reasonably well after some fine tuning. Fast-forward a couple of weeks of off and on hacking, I managed to hack together support for a few peripherals as well.

Current state

Up until now quite a few people have been hopping by on IRC (#h1 on Freenode) showing interest in my effort. Unfortunately I've written every single line of code by myself so far (with support of a few regulars at #h1, which I do very much appreciate). I'll happily continue to spend my spare time on adding support for missing features and improving exisisting ones, but having others involved makes things go a lot faster, and it might just motivate me a bit more as well.

What we currently have

Odin

  • An image loader which speaks the Samsung bootloader protocol. Allows for easily loading U-boot and a custom kernel from the phone's "download mode".
  • Named after the protocol, as I haven't been able to come up with a proper name. Not to be confused with a leaked flashing tool which goes by the same name..
  • Source can be found in my git repository

U-boot

  • Based on U-boot's git master from January with some minor modifications and board support code for the H1.
  • Source can be found in my git repository

Linux kernel

  • Board support code based on v2.6.33. A kernel newbie's attempt at writing board support code.
  • Nearly all OMAP3430 features are supported as they're in mainline (e.g. USB OTG)
  • A functioning display, sound (earpiece, speaker and headphones through MAX9877 amplifier), bottom LED and keys.
  • A basic Synaptics RMI4 touchscreen driver
  • Source can be found in my git repository

Android

  • A proof of concept (not as smooth as it could/should be, and lacking about everything except a working display and touchscreen).
  • Needs lots of work and other patches (apart from kernel support) to make it remotely useful.
  • I can push the relevant trees to my git repository if anyone's willing to contribute..

What we don't have

  • WiFi #1: Nokia's Wl1271 SDIO driver from wireless-testing works but is extremely unstable due to some SDIO oddities. Having no datasheet for Wl1271 doesn't help much either.
  • WiFi #2: Wl1271 support for v2.6.32 by TI scheduled for Q2 2010.
  • Baseband: phone communicates with the baseband over dual-ported RAM ("dpram"). Needs lots of reversing engineering of the stock OS implementation.
  • Accelerometer: datasheet is available, should be easy to add.
  • Ambient light/proximity sensor: as above, though only Samsung's implementation can be used as a reference.
  • Camera (CMOS/VGA): only Samsung's driver can be used as a reference, requires OMAP3430 camera support for the kernel (not yet supported in mainline).]
  • Anything I forgot

Who cares?

I honestly wouldn't know. Perhaps:

  • Those considering buying a beagleboard, and willing to drop the HDMI and a serial port for a smaller form factor, a case, much more memory, embedded sound and a really nice display.
  • Someone affiliated with FreeSmartPhone/OpenMoko perhaps. Apparantly some are hacking the Palm Pre for it - Samsung H1 might have better hardware.
  • Anyone not afraid of Linux kernel code and/or reverse engineering, currently in possession of the phone. Stop hiding and show yourself..

As a closing remark I can only strongly suggest buying another phone if you're looking for a (real) smartphone. You may be able to find it relatively cheap on your local craigslist though (listed for < 130 eur, but as there's no real demand for the phone I can imagine a cheaper deal being possible too)

I might write another post on actually getting Angstrom or Android (proof of concept) running on the phone. Anyone interested?

I'm still sticking around (with some regulars) on Freenode (#h1). Hop along, we don't bite (hard).

This entry was posted on Saturday, May 8th, 2010 at 18:56 and is filed under Samsung H1. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

25 Responses to “Hacking the Samsung H1”

  1. Honda_Man Says:
    May 10th, 2010 at 11:00

    Ok, I have H1 on hand and I'm so deadly ready to participate just let me know to my email. I dont care If I get dead H1 I believe I can revive it trough UART via samsung gsm servicing tools like Z3X or NSpro, USTPRO2 or HWKuFs.
    I would be happy if we can make something working on this

  2. bigwings Says:
    May 10th, 2010 at 12:15

    hey, i found an article about the inbrics H1, which works with andorid and has WVGA AMOLED Touchscreen with 3.7". Maybe we can use the driver for our samsung h1.

    Link: http://www.techtree.com/India/News/Inbrics_H1_is_the_Coolest_Android_Phone_Ever/551-108648-893.html

  3. hunghe Says:
    May 10th, 2010 at 20:17

    I hope it can work soon, because limo - os it, I hope you can share your work. Everybody here will help you more :D

  4. Uatek Says:
    May 21st, 2010 at 00:58

    Hello I'm too interested in any H1 hacking, I have medium Linux knowledge, but never hacked kernel. I don't have any mean to unbrick my H1 if I brick it, knowing that you can count on me if you have some no risky tasks to do or test.

  5. xdac Says:
    June 1st, 2010 at 12:19

    I am trying to remove the Vodafone 360 service (mainly email, web browser and contact sync with 360). I have managed to locate a firmware version of the Samsung H1 used in Korea which does not have Vodafone 360 and extracted all the files. The version is in English.

    The problem is that the firmware version has a number of files which are not in the Vodafone version -even though they are standard Limo files. DOES ANY ONE HAVE A VERSION OF ODIN THAT WILL FLASH THIS – OR ANY OTHER FLASH SOFTWARE??????????/ If so job done.

    The version of Odin I have has vodafone as a pull down menu hence must be filtering files. I am using odin2 [Oct 23 2009] which works fine flashing H1 & M1 with Vodafone branded OS.

    The files in the Korean firmware are which are all standard Limo files. http://h1.pargon.nl/wiki/index.php?title=LiMo_firmware_structure

    app_config.rfs
    boot.bin
    datafs.rfs
    factoryfs.cramfs
    factoryfs2.cramfs
    initrd.cramfs
    param.lfs
    sbl.bin
    zImage

    The first error I get from Odin is that it does not know factoryfs2.cramfs which I solved by merging the files. Then I got an error saying it did not recognise datafs.rfs etc.

    Any pointers welcome.

  6. Honking Says:
    June 18th, 2010 at 07:58

    Can you push the relevant trees to your git repository ?
    Maybe I can have a try

  7. lau Says:
    June 18th, 2010 at 19:53

    不知道什么时候能用上您的作品,加油!!

  8. Twist Says:
    June 18th, 2010 at 21:43

    加油!!!

  9. Max Says:
    June 21st, 2010 at 04:22

    Hi, bro. Do you know that there are a lots of fans in China waiting for your good news to let gt-i8320 run the Android OS. Some Chinese guys made progress to let the cellphone can support Chinese and have done the third-party ROM. If you are interested, please let me know. Even someone can do the donation as the Android OS running on i8320. Appreciate your hard working. Keep moving.

  10. mephisto Says:
    June 24th, 2010 at 10:59

    hello, samsung made linux-2.6.24.7 opensource.
    it seems have every driver.
    can we port android 1.5 first?

  11. Adam Says:
    June 27th, 2010 at 15:17

    Hi, I just find a video online to show Android 2.2 running on Samsung H1. I am not sure whether it is true, but you may be interested in this.

    http://static.youku.com/v1.0.0114/v/swf/qplayer.swf?VideoIDS=XMTg0OTc4NDIw

  12. Hijglander Says:
    June 30th, 2010 at 04:57

    Would really love to get my hands on an android for this phone. The LiMo OS just doesn't have the support that android has.

  13. i-chat Says:
    July 4th, 2010 at 11:58

    great news about the opensource Firmware, Now its time for custom firmwares.

    to be honnest i dont care mutch about android at this time, meaning that a gtk- phone would be good enought, as soon as it gets its act straight - thus NO 360 crap, and only decent apps.

    the H1 should have:
    ... a browser, thought the current one is quite ok
    ... a pim client : just 1 - for email / calandar and telephone calls ( with syncml or google sync would be great)
    ... a way to install new (ported) gtk apps..

    what shouldn't it have: a vodafone 360 client / intergration - a slow interface, - a java (j2me) stuf, - we have gtk so no need for java...

  14. DarkCriSis Says:
    July 21st, 2010 at 15:42

    News at http://android-fans.net use google translator...
    Rom coming!

  15. qing Says:
    July 22nd, 2010 at 13:05

    how to run the kernel in qemu

    qemu may be not support OMAP3430

    but it support n900 now in qemu-maemo

    http://meego.gitorious.org/qemu-maemo/

  16. darkcrisis Says:
    July 23rd, 2010 at 22:29

    Very junior rom, only experience with.

    Downloads Address:
    http://www.rayfile.com/zh-cn/files/13c27c3d-9648-11df-b57b-0015c55db73d/

    Rar to unzip the files inside are two files
    i8320_Android. tar This is the kernel file, downloaded to the PDA which odin2 tools
    release_root_v0.1.tar.gz The rootfs file system is the need to extract ext3 formatted partition inside the TF card

    Production of TF card rootfs:
    The hair is the TF card version of the android rootfs, so first the TF to prepare a card larger than 128M.
    formatted ext3 format, for example, your TF card under linux device called sdb then execute the command
    mkfs.ext3 / dev/sdb1 / mnt / mmc
    extract the rootfs file release_root_v0.1.tar.gz
    cd / mnt / mmc
    tar zxvf / home/k0059/release_root_v0.1.tar.gz

  17. darkcrisis Says:
    July 23rd, 2010 at 22:29

    Google translator :P

  18. i-chat Says:
    July 27th, 2010 at 09:31

    hi - you say its a junior rom - whats that supposed to meaan,

    is it ready,

    what if i get it installed:

    can i use all the basic functions ( gsm / sms / gprs and usb ) - i meen i wouldn't care for wifi (for now) but the fone must be workin still

    feetback apreciated.

  19. Darkcrisis Says:
    July 27th, 2010 at 11:17

    Nop, gsm/sms/gprs/usb/wifi/bt and more not working for now...

  20. yasin Says:
    July 28th, 2010 at 20:38

    wowwww..its a very good begening.
    Release a stable n working os for this crap h1 soon.
    Goodluck n cheers for the developers!
    -yasin

  21. yasin Says:
    August 1st, 2010 at 16:48

    whts happening abt the firmware porting to h1?? Anymore news?? why everyone is soooo silent??

  22. Ricardo Says:
    August 3rd, 2010 at 00:43

    Now we can all contribute for the development of Android for H1.
    I was testing android on H1 and it seems it is a really nice start. Cheers for the chinese developer k0059 to give us the way to start a community android version for H1.

  23. salvarez01 Says:
    August 4th, 2010 at 18:09

    What do you mean?
    I don't see any new from european team since some months.
    Why not join the two work groups to achieve improved implementation time?

    It is possible?

    Regards.

  24. Yasin Says:
    August 11th, 2010 at 11:21

    Good News!!
    I dnt have to look for android porting to h1 websites anymore...bcz thief has stolen my h1 yesterday!! :( :(

    Wht a crap OS the h1 had..!!

  25. Escort Amsterdam Says:
    August 28th, 2010 at 09:49

    From my participate i can inform that a few businesses market to their own customers as fine as they could and, consequently, they lead a potentiality mine of possibleness down. Your customers could be your most important ingenuity. Get to screw as more as you can some them and update your consumer database. If you dont hump a database, begin one. Channel prevailing mailings to your customers and spring them reasons to rise substantiate and do activity with you, much as preferred-customer offers. What you see almost your customers can helpfulness you point industry to your most profitable grouping of possibleness customers. Convey a summary of your canvass can serve you select targeted transmittal lists or the publicizing media that primo reaches your most profitable interview. BTW: Really prissy diary.

Leave a Reply