Ok, I just ordered a 32GB USB Flash Drive.
Some people report that the Athena recognizes some flash drives so I was thinking...why not remove the MD and take apart the 32GB flash drive and put it inside the Athena. Then solder the USB pins together internally so the USB drive is always connected internally to the device?
I haven't really put serious thought into this but wanted to run it past everyone and those hardware experts to see what everyone says.
I have yet to look up the MD power requirements and compare those to the USB power requirements. Either way, if it's recognized it could mean a real upgrade to the device and we could always write a simple program to enable/disable the USB drive if power consumption is too great.
Your thoughts people on this?
EDIT
After further thinking I see four obvious obstacles:
- Stripping down the 32GB USB drive so it fits in the device in place of the MD. I'm hoping this isn't that big of an issue but then again I have no idea what I'm talking about. LOL
- I have to make sure the Athena recognizes the 32GB USB drive.
- Power Consumption as mentioned above, which might be overcome by utilizing a utility of some sort.
- Since the Athena requires the USB Host cable/adapter to make things like this work, there might need to be some type of mod internally to make this happen. Talking to someone with more knowledge of USB pinouts might help in this area.
-- EDIT: Olipro mentioned that this is most likely a non-issue. That the USB adapter just makes the USB connection a large one so the internal wiring I'm thinking about shouldn't be a problem. This is great news. One obstacle out of the way. Don't you love progress!
ltxda said:
Ok, I just ordered a 32GB USB Flash Drive.
Some people report that the Athena recognizes some flash drives so I was thinking...why not remove the MD and take apart the 32GB flash drive and put it inside the Athena. Then solder the USB pins together internally so the USB drive is always connected internally to the device?
I haven't really put serious thought into this but wanted to run it past everyone and those hardware experts to see what everyone says.
I have yet to look up the MD power requirements and compare those to the USB power requirements. Either way, if it's recognized it could mean a real upgrade to the device and we could always write a simple program to enable/disable the USB drive if power consumption is too great.
Your thoughts people on this?
EDIT
After further thinking I see four obvious obstacles:
- Stripping down the 32GB USB drive so it fits in the device in place of the MD. I'm hoping this isn't that big of an issue but then again I have no idea what I'm talking about. LOL
- I have to make sure the Athena recognizes the 32GB USB drive.
- Power Consumption as mentioned above, which might be overcome by utilizing a utility of some sort.
- Since the Athena requires the USB Host cable/adapter to make things like this work, there might need to be some type of mod internally to make this happen. Talking to someone with more knowledge of USB pinouts might help in this area.
hehe u know im always behind ur crazy ideas. lets get this to work!
possible incompatibilities of it not detecting the microdrive but should be able to be fixed by software
possibly will need to integrate usb host controller chip and wires inside as well
make sure not to screw up the charger either =p
but other than that it sounds good
Hi, for information: Athena Servicemanual says you need 3 things to replace if you disassemble your device (On-Off Key, CommManager Key and some rubbers).
So if you really get the USB-Flash running then you'll get problems putting everything together again.
I think you'll get errors because the G-Sensor doesn't detect any Microdrive. (maybe freeze or reset or some other issues?). Maybe you have to shorten the G-Sensor somehow. This will need people who own the original plan of the device and also know how to get information out of it.
But great idea!
Ok, just found out that the host adapter just changes the plug to a larger USB plug. So the wiring should be a piece of cake. Let's keep this going...before you know it the team won't have only brought you a great ROM but also provide a way to have a 32GB Athena and storage you no longer have to worry about and with no moving parts!!!
PAPPL said:
Hi, for information: Athena Servicemanual says you need 3 things to replace if you disassemble your device (On-Off Key, CommManager Key and some rubbers).
So if you really get the USB-Flash running then you'll get problems putting everything together again.
I think you'll get errors because the G-Sensor doesn't detect any Microdrive. (maybe freeze or reset or some other issues?). Maybe you have to shorten the G-Sensor somehow. This will need people who own the original plan of the device and also know how to get information out of it.
But great idea!
Thanks for your feedback. I also think this may work and if not with the drive I've ordered with some other USB. I've seen USB devices as small as a dime so this should work. I'll be happy to purchase a bunch of USB drives to see which work. I probably would like anyone with an Athena and a USB drive to test what they have and post the results.
For the record I ordered a Corsair Survivor 32GB USB Flash Drive model CMFUSBSRVR-32GB.
I think there was a group of people (I couldn't remember who exactly) who already dismantled their Athena when it came out to see which micro drives in the market are compatible with the one installed in the Athena. I suggest we find the post first before and read through their findings. There might be something there that may help with this project.
If I remember it correctly, there was even a host of pictures and instructions in dismantling the Athena.
I just couldn't remember other details because I was just browsing around and never thought of owning an athena.
http://forum.xda-developers.com/showthread.php?t=303188
Something I found about USB Drives and the Athena
Wikipedia claims microdrives use more power than flash drives:
"consume more power than flash memory (on the order of 190mA, peak 310mA, at 3.3V) "
http://en.wikipedia.org/wiki/Microdrive
Good luck to you this would be cool.
http://forum.xda-developers.com/showthread.php?t=298987
HDs that work with the athena
What about a 72GB solid state drive?
http://www.engadget.com/2008/01/07/hands-on-with-sandisks-72gb-ssd-and-friends/
eaglesteve said:
What about a 72GB solid state drive?
http://www.engadget.com/2008/01/07/hands-on-with-sandisks-72gb-ssd-and-friends/
Let's keep this a short term, realistic and affordable goal. ;-p
USB storage is cheap, easily modified, compatible as it's already recognized by the device both by the software and USB host capabilities of the device board, etc. Also, those drives aren't yet available and I doubt people will want to spend over $800usd on them for Athena. No?
Well, IMHO there's two alternatives for such a modification:
1 - either use the ATA connection of the micro-drive with the 32 GB pendrive. Adapters exist, wiring should be tricky due to the size requirements (everything has to fit into the space usually used by the micro-drive);
2 - connect permanently the 32 GB USB pen-drive to the USB port. Removal of the micro-drive is in that case optional, maybe in order to make room.
The problem with the second option is that I am pretty sure this will screw-up USB slave connections, and more specifically ActiveSync. Although, true, one can Sync through Bluetooth.
Two problems with the first alternative:
- G-Sensor, without a md, will not work anymore. BUT it can be disabled in a software manner, so that's no big issue aside from the fact that we won't be able to "tilt'n scroll";
- finding a compatible USB / ATA adapter (those are known to be... "capricious").
I find the first alternative much sexier, personally... And it DOES get me thinking.
Why not just use one of those new 16 or 32GB MicroSD/Transflash, or whatever the hell they're called cards, just released at CES.. It would save ya lots of work, and you wouldn't have to crack the Advantage open.
Yep, that's also being discussed on the forum.
But I do agree that having solid-state 32 GB instead of mechanical 8 GB in my Athena would suit me just fine.
Jointly with a 32 GB SDHC card, of course.
:-D lol
I currently have the 8GB SDHC....of course I'm going to buy the 16 and then the 32 as soon as they come out and I can get my hands on it...but my goal here is to replace the MD. After thinking it through even further, we could even setup an internal type of mechanism so as USB drives become larger and cheaper, we could just pop out the old and pop in the new thus continuing to increase the internal storage of our devices.
Maybe I'm just dreaming but replacing the MD seems to be a goal that we can achieve quickly and cost effectively. We've had the discussion of getting larger MD's...but always ran into obstacles we probably couldn't overcome. They are releasing large SSD's but we may have to mod the internal connection, etc. With the USB idea, the connection exists, compatibility is there, and it's very feasible. I'm just excited. LOL
HeartOfDarkness said:
Well, IMHO there's two alternatives for such a modification:
1 - either use the ATA connection of the micro-drive with the 32 GB pendrive. Adapters exist, wiring should be tricky due to the size requirements (everything has to fit into the space usually used by the micro-drive);
I'm thinking more simplistic. Take out the MD and the dock it connects to. This frees up some space. Strip down USB drive as much as possible and hope that it fits some way into the device. If it fits, we can mount it in there in a number of ways. Solder 4 wires from USB drive to USB host interface on the board. Write some software to control (activate/deactivate aka mount/dismount) the USB drive and see how it goes.
2 - connect permanently the 32 GB USB pen-drive to the USB port. Removal of the micro-drive is in that case optional, maybe in order to make room.
Not sure what you mean exactly but...I want the USB drive to be internal. Of course I could get some velcro and stick a 32GB USB drive to the back of my Athena, etc...but that would just be ugly.
You also need the USB host cable to do this unless you want to solder wires and run them from the outside of the device to the inside USB host pins. Let me know if I got the wrong picture here.
The problem with the second option is that I am pretty sure this will screw-up USB slave connections, and more specifically ActiveSync. Although, true, one can Sync through Bluetooth.
You bring up a very good point. I'm going to have to take my 4-in-1 cable and try to run a small USB drive while trying to ActiveSync. I wonder if that will still work. If it fails, the mod I'm proposing may cause a problem with ActiveSync connections. Anyone else have comments and/or ideas on this?
Two problems with the first alternative:
- G-Sensor, without a md, will not work anymore. BUT it can be disabled in a software manner, so that's no big issue aside from the fact that we won't be able to "tilt'n scroll";
- finding a compatible USB / ATA adapter (those are known to be... "capricious").
I find the first alternative much sexier, personally... And it DOES get me thinking.
I'm hoping we can do it without any adapters. Just straight soldering of the 4 USB wires needed to communicate. Should suffice. I found that I don't really use nor need the G-Sensor on the MD. For sure can be disabled in the ROM. The Athena Project team would just have to make a Special Edition ROM for those that do the mod.
I posted a few weeks ago about a SSD that Intel will be releasing soon. I believe it will be a drop-in replacement for the existing drive.
http://forum.xda-developers.com/showthread.php?t=352834
techntrek said:
I posted a few weeks ago about a SSD that Intel will be releasing soon. I believe it will be a drop-in replacement for the existing drive.
http://forum.xda-developers.com/showthread.php?t=352834
I actually read that thread a little while ago. Do you know when it will be released and how fast they will get up to larger drives like 8, 16, 32, etc. GB's?
i actually don't think you will run into active sync problems...
reason being i remember a special cable that came with my friends hermes that split the usb port into two
one for charging and one for syncing...
so i think if we disable the flash drive when syncing it should be fine
Greetings all,
Just off of the success of fixing the frustration of the broken audio adapter after upgrading to a new ROM problem, I think that a new and even more valuable project is at hand: UnBricking these that are really bricked.
Ok, here is my thought and experience in as short a summary as I can give. Almost ALL consumer products these days evolved from general purpose processors with outboard EPROM or EEPROM, RAM, and peripheral components. As the devices develop, custom chipsets come into play to reduce size, component count, weight, power consumption, cost, etc, while upping the reliability, battery life, features, speed, and just the joy factor of these things. Look at them as they get better and better, just the transition from 6th gen 6700 to the 7th gen 6800 how much better it works. This goes for everything from the PDA/Smartphones, to the refrigerator, to satellite receivers, everything. A problem was that as more stuff gets crammed onto a smaller number of chips, they needed a way to initially configure these things so they would not come out as dumb boxes. Enter the JTAG interface. For those who do not know the acronym, look it up, but basically it is a standard interface and protocol to communicate with dedicated microprocessors and program them, without having to exactly speak the language of each model and brand. When you get a device off the production line at the end it goes to a workstation that has a JTAG interface jig and a PC configured to load the initial stuff, like the bootloader and basic stuff needed to make it what it is. I have been working with stuff for many years now and have JTAGGed satellite receivers, cell phones, air cards, cars, yes even cars use it, and a standard set of software talks to it all. The only difference is the connector or jig that is used and the BIN file you load. This is usually creatable from the bootloader file that we usually load up to the USB port with the RUU, but without a bootloader in it already we can not do anything with it, so we need to JTAG like OLIPRO2.40 straight to the memory address range it needs to go to.
JTAG software will, thru the interface, establish communication with, communicate, identify, and program the flash directly, heck you can put the entire ROM on it if you want. I do this all the time with other devices, so I know it is possible.
If you have a 6800 that is bricked thru software error and NOT broken by any crazy stuff done to it afterwards, then JTAGging WILL fix it. I propose to start the JTAG project for the 6800 series HTC devices, as I see an ever increasing number of these getting bricked it needs to be done. The ONLY way one should be touched inside is if it is known to be bricked by software error that you can not get back out of and that's all that is wrong with it, and very important that there is no possibility of returning it to your carrier under warranty for repair. HTC would do exactly what I propose and send it back fixed but probably charge a bunch. I have not killed mine, and do not intend to do so just for this project, but if anyone has one that is just a paperweight and meets the above criteria and has nothing to lose and plenty of time (cause my paying job takes priority) I would be happy to take this on and find, probe, and JTAG your device, fix it and provide before, during, and afterwards logging of what is done. I would then prepare a package of instructions and software on how everyone else can do it as well.
Anyone got a really dead one that they would care to try ???????
I hope I'm not on the list. I haven't seen JTAG since I went to the DD-WRT forums.
Sounds like a great project for those in need.
Mmm, JTAG... DD-WRT and old CNC machines..
I'm curious about this, how do you interface with the phone for JTAG? I just skimmed the article [don't have my glasses] but would love to know.
JTAG fixed my Hermes
JTAG does work - it brought my bricked hermes back to life!
morganlowe said:
Mmm, JTAG... DD-WRT and old CNC machines..
I'm curious about this, how do you interface with the phone for JTAG? I just skimmed the article [don't have my glasses] but would love to know.
You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.
Shadowmite said:
You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.
I was thinking the same thing, there's not much on this chip out there... I have JTAG stuff for old school EPROMs and such, even got a cable for Linksys routers... I would worry about digging into my phone though. I know with Sprint you can add insurance at anytime, but you must wait 30 days to make a first claim... I got some old Treo 600s for Sprint I could donate to someone needing a phone as a temp.
Shadowmite said:
You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.
And the great Shadowmite emerges from the......shadows?
Long time no see! (TC)
JTAG prober
Shadowmite said:
You have to find the 4 or 5 connection points needed and determine memory layout. The problem with his idea here is the cpu in the 6800 is SPECIAL. No public datasheets, and it's proprietary as heck. Good luck finding the jtag points for the kaiser or 6800 or any msm7000 series device using the msm as the cpu.
JTAG points are usually together in a pattern and not scattered, and JTAG prober software is wonderful for getting the pinout by analyzing the signals it sees, JKEYS is good as is QXDM (Qualcomm Extensible Diagnostic Monitor) is what I used for doing the same thing with a Sierra Wireless 580 card that uses the MSM5500. The card was corrupted during a flash update and I was able to JTAG and get it back and use it as a test card to this day. QXDM even can unlock the protected memory and change things you are not allowed to change (ESN), it is pretty much all powerful as far as the Qualcomm chips go. By the way, before Nortel I worked for Qualcomm and still have access so I was reeeeeeeal happy to see HTC start using this chipset ;-)
You go ahead and try then, let us know if you succeed.
Will do when,,,,,,
Shadowmite said:
You go ahead and try then, let us know if you succeed.
When a unit becomes available I will do it ;-)
bump.
Surely there must be one person out of the hundreds with "bricked" titans that would donate it to madman. I am sure he will give it back when he is finished with it.
madman34: I think you may have found a winner.
Thanks for the referral
hindjew1 said:
madman34: I think you may have found a winner.
Thanks, I went there and asked him to come here and have a look. I am thinking that he does have a possible candidate, but just for grins I just pulled my battery and plugged in my wall pack and right away get the red light, but with my laptop I do get his 'data device' and red light so I am open to the possibility that there might be a fusible link bad in his if it is not a software problem. Either way, if it is useless to him I will be happy to look at it.
man i bricked the ecu on my subaru once... i had to send it to the open source ecu tool dev to jtag it... good times
drag to kill your car
bmorrisj said:
man i bricked the ecu on my subaru once... i had to send it to the open source ecu tool dev to jtag it... good times
That would be a bummer as you could not drive to get the fix. I started by writing code for the TMS7000 processors in the old VC2, then my Acura in 1988, but then they stopped using PROMS and went to JTAG, really got me going.
No takers so far, and mine still works
Well nobody has come forward with a victim,,,,,hmmmmm,,,,uuuuhhhhh,,,,,unit to try ;-) and mine works still so we wait.
madman34, one unit we have so far that has died did not entirely die. It would appear if the spl gets wiped out on a msm7xxx series device using comm core as cpu it has a failsafe mode if the oemsbl/qcsbl are still present. The device goes into download mode on boot and sits there.
Since you stated you worked for qualcomm, can you shed any light on this and how we might possibly be able to write nand from download mode? Or get back to debug mode instead?
Shadowmite said:
madman34, one unit we have so far that has died did not entirely die. It would appear if the spl gets wiped out on a msm7xxx series device using comm core as cpu it has a failsafe mode if the oemsbl/qcsbl are still present. The device goes into download mode on boot and sits there.
Since you stated you worked for qualcomm, can you shed any light on this and how we might possibly be able to write nand from download mode? Or get back to debug mode instead?
I worked for them before this series came out, but I will get up with some of my old friends there and see if I can get more info.
my mogul is stuck on the ***** ass sprint screen after a tried upgrade but im in Houston
I was just thinking, all that the lapdock is to the phone is an HDMI output and a USB input, so why does it trigger webtop, and could I trigger webtop the same way?
My initial thought is, it triggers it by something sent into the USB, is there any way anyone could identify what in particular so it might be mimicked?
I realize people have come up with software webtop without lapdock solutions, but I'd really rather just leave the software alone (harmless as the change may be..), I rather like it as it is (with launcher pro instead of default that is..)
So, what is the lapdock doing to key the atrix to go into webtop?
I did search for this, sorry if there's already a thread about it, I didn't find one..
Although I am not a hardware person and have limited experience with Linux, I am also interested in the answer to this question. I would have to assume that the Atrix recognizes the connection and sends a command to launch the appropriate software.
Once again...I am not really in any position to contribute much relevant information.
Just to throw out some other ideas that rattled around in my head for someone more familiar with this device...
There is a communication that comes from displays where they identify themselves and their modes for whatever device that connects to them- some pieces of this information could be key.
Beyond that, any particular piece of information the USB device identifies itself with similarly- a model or serial number the internal usb hub claims itself to be to the system, I know these are standard passive details these devices share with anything connecting to them.
In the identification side, I wonder if the files modified by the software webtop hack might lend details about what is precisely telling them to go into webtop..
If it's keyed off of some particular serial number or model information from the USB, I figure I could buy a cheap configurable USB diag board and flash it to mimic that info..
I sincerely doubt there's anything superbly intelligent in the lapdock where it does some non-standard communication as a handshake, I would think it has to be based on the standard passive device information every USB hub or HDMI connection shares..
edit:
Unless there's an extra device on the USB hub internally like a smartcard or flash chip with a key the atrix checks for..
I have webtop enabled without a dock, and webtop pops up when I plug just the HDMI cable in. I imagine it is just detecting the external display, and doesn't have anything to do with USB.
It should not be complicated as you think. It's rather triggered by some specific resistor on the pins 4&5 of micro USB connector
jenarelJAM said:
I have webtop enabled without a dock, and webtop pops up when I plug just the HDMI cable in. I imagine it is just detecting the external display, and doesn't have anything to do with USB.
You aren't running stock software then. It detects it yes depending on what software you are running but the dock sends a signal to the atrix to turn on webtop on stock.
Not sure that it uses resistors, because when software hack was not available, bunch of people tried to do it with resistors however nobody got it to work. The best way would be to take apart multimedia dock and look at circuitry. Most likely it has a microchip sending some kind of ID. The problem is you need a special device to sniff usb communication between devices. If somebody has a device like that it should not be that hard to sniff it and program separate microchip to send it to usb.
this should have been posted in q&a... not the dev section
jgc121 said:
this should have been posted in q&a... not the dev section
Sorry, I can never tell the difference, when things are technical and require some development understanding which place to put it. If a mod could move this post I would appreciate it then.
jenarelJAM said:
I have webtop enabled without a dock, and webtop pops up when I plug just the HDMI cable in. I imagine it is just detecting the external display, and doesn't have anything to do with USB.
It's sensing an external display. The hdmi cable does a handshake upon connection of the cable. At that point, the software handles what happens. Webtop senses usb as well (like the car dock does), but the hack removes that check. That's how hdmi triggers webtop.
Sent from my Motorola Atrix 4G on the network with the most backhaul, whatever that is
From a video I saw from Motorola in UK it was a RFID thing......I am looking for the video now
_Dennis_ said:
From a video I saw from Motorola in UK it was a RFID thing......I am looking for the video now
About two and a half minutes in to http://www.youtube.com/watch?v=U5vgYiF3Udw.
He is specifically talking about the desk dock there but seems to imply they use "whisper technology" to communicate for all docks.
That's not from Motorola and that guy made that up....
At least that's my take....
Sent from my MB860 using XDA App
Thread moved to correct section.
There's no rfid ... the devs would have figured that out by now. It's most likely just by device id. Same reason the cable shouldn't be plugged into a computer. The device id is not in the standards compliance for usb. (E.g. not flash drive, hard disk, human interface device)
Sent from my Motorola Atrix 4G on the network with the most backhaul, whatever that is. This post might have errors as I hate touchscreen keyboards.
Hello,
I'm new to the rooting world and I am unaware of how to root my Fossil Q Marshal Gen 2... I use an iPhone so I'm planning to use Android Studio on my Mac for the same. Pls help me. Thanks.
In terms of actually rooting it, I'm afraid I can't help. However, I have a Fossil Gen 3 Marshall and wanted to do something similar, but my intent was to flash AsteroidOS. The response on here seems to be that it couldn't be done (certainly the flashing the new OS) due to the lack of ports. However, some long and intensive googling suggested that yours (and I suspect mine) does indeed have a data port, it's just covered and internal. I have seen the four (actually, I think five) pins that I believe to be the data port, which might facilitate the flashing a new OS.
This is something I intend to keep looking into until I can find a way to keep Google from my devices!
denial_button said:
In terms of actually rooting it, I'm afraid I can't help. However, I have a Fossil Gen 3 Marshall and wanted to do something similar, but my intent was to flash AsteroidOS. The response on here seems to be that it couldn't be done (certainly the flashing the new OS) due to the lack of ports. However, some long and intensive googling suggested that yours (and I suspect mine) does indeed have a data port, it's just covered and internal. I have seen the four (actually, I think five) pins that I believe to be the data port, which might facilitate the flashing a new OS.
This is something I intend to keep looking into until I can find a way to keep Google from my devices!
Yeah popping the watch open and making a pin connector to touch the board with, will allow you access to Fastboot Mode. This has been proven on another Fossil Watch missing the USB Port. And Since I'm guessing most of Fossil's models remain the same with different aesthetic tweaks, most everything should be the same.
We just have to make a Fastboot Connector and then pop the watch open to access USB. I bet you they left most of the bootloaders unlocked that didn't have physical access to fastboot mode. I know my Smartwatch actually has all of its log set to ENG. So there is actually a lot of data to sift through in recovery mode logs and everything. But we can't access the data in user mode. But it is there if we can make the pin connector.
Also interested in this. Will be watching for answers because I would love to remove some bloat and make my watch a little snappier in performance.
Hi everyone!
It's been a while since I last fiddled with Android, more than a decade!
But I think I found a nice little project that I'll try to document here.
So far bricked it, tore it apart, found UART and managed to unbrick it.
I could really need some help to try and edit the boot image!
So I recently got my hands on a Polycom Conference phone...
It's a nice handsfree device that I now use as a USB speakerphone and SIP client on my desk at home.
And it's running Android, so it cannot be left untouched!!!
My goal is to root it, maybe be able to install some additional apps on it and ideally retain these things with a current software update - more on that later.
My starting point:
The device has its own launcher and is unfortunately completely locked down.
No ADB, no custom apps, no browser, no nothing.
All I can do is start an internal recovery on boot that will look for a firmware on a USB drive.
It works for one SIP account and can be used as a USB speakerphone.
Pretty boring for what it is, I think.
Some details:
Android 4.4.2, Kernel version 3.0.31
Hardware: bcm911130_pl_rocky_proto2, PolyDSP Merlyn ARMA9, BootBlock 3.0.5.0006 (65290-001), BCM28155 A3 VideoCore
CPU: armeabi-v7a, capri_pl_rocky_proto2
Getting root:
There is a known vulnerability for the device in an older firmware version:
It's described here unkl4b.github.io/Authenticated-RCE-in-Polycom-Trio-8800-pt-1/
While it's not exactly easy to downgrade to this version and should not even be possible according to support documents,
it is in fact possible by starting from the latest 5.9.6.3432 version Polycom still offers and then downgrading via USB in two increments via
5.8.0 AA (downloads.polycom.com/voice/rp_trio/Polycom_UC_Software_5_8_0_15024_AA_Trio8800_release.zip) to the vulnerable version
5.7.1.4145 (downloads.polycom.com/voice/rp_trio/Polycom_UC_Software_5_7_1_4145_AC_Trio8800_release.zip)
Now I can enable Telnet on the device by uploading the following configuration file:
Code:
<telnet diags.telnetd.enabled="1"></telnet>
And then start the process as described, by logging in on port 1023 with Polycom / 456 (or the current Admin password) and starting adbd:
Code:
ping 8.8.8.8 ; setprop service.adb.tcp.port 5555
ping 8.8.8.8 ; stop adbd
ping 8.8.8.8 ; start adbd
After that, I can connect via adb over TCP and open a shell as root. Yay!
Where that leaves me:
I can enable the Android Launcher and use it until the Poly Launcher pops up again every 30 seconds or so via pm enable com.android.launcher
Enabling USB debugging does not work. It disables the TCP connection but no USB connection is possible.
I tried to install APKs over the shell but the Polycom Settings app has a watchdog that deletes everything again immediately.
The setting userAllowed seems to be defined in /data/data/com.polycom.polysettings/shared_prefs/com.polycom.polysettings.PreferencesFile.xml but any changes to this file are just overwritten immediately.
I removed that settings app by remounting /system with mount -o rw,remount /system and renaming /system/app/PolySettings.apk and /system/app/PolySettings.odex.
After killing the process, that unfortunately leads to a popup every second, telling me that the settings app could not be opened.
With a lot of fast tapping it would be possible to start a 3rd party app on the device. Kingoroot did not work, though.
So the remote shell is all I have for now.
I managed to dd everything under /dev/block/ as well as /system, /user and /cache as an image.
Here's where I would really appreciate some help!
Do I even have a chance to make some persistent changes to this phone without tearing it apart?
Any development tools I saw are for much newer Android versions, so if I even have a chance at changing anything, someone pointing me in the right direction (kitchens, tutorials) would be great.
My main machine is a Mac but I have a Windows machine at my disposal.
What should my next steps be?
How can I have a look into what's on the device from the images I pulled?
How would I best approach all the device restrictions?
How can I then make permanent changes, if at all?
Would I have a chance to (partially) upgrade to a newer firmware while keeping it rooted and modded?
I'll keep poking it, the process has been fun so far.
Maybe this will lead to something in the end, maybe not.
Any help is highly appreciated!
shadow# said:
Here's where I would really appreciate some help!
Do I even have a chance to make some persistent changes to this phone without tearing it apart?
Any development tools I saw are for much newer Android versions, so if I even have a chance at changing anything, someone pointing me in the right direction (kitchens, tutorials) would be great.
My main machine is a Mac but I have a Windows machine at my disposal.
What should my next steps be?
How can I have a look into what's on the device from the images I pulled?
How would I best approach all the device restrictions?
How can I then make permanent changes, if at all?
Would I have a chance to (partially) upgrade to a newer firmware while keeping it rooted and modded?
I'll keep poking it, the process has been fun so far.
Maybe this will lead to something in the end, maybe not.
Any help is highly appreciated!
Hello and good morning, @shadow#
Prior to your next posting please read the guidances that are stuck on top of every forum like
[ATTN] : Read before posting - Any questions posted here will be MOVED or CLOSED
and the others. I've moved the thread to Android Q&A.
Thanks for your cooperation!
Regards
Oswald Boelcke
Senior Moderator
I've got about as far as you.....although have managed to prove the telnet can be accessed on the 7.2.3.0852 version also.
If you download the full .ld software, there is a folder in there called Config, with a file called Global.cfg.
Have a look at that file....there are a lot of flags that can be set/unset. Might be a good place to work from.
Note, I'm on 7.2.3.0852, so I have ssh access but not the ability to execute additional code via ";"
My aim is simply to have Spotify on the unit!
Well, this was fast. I seem to have bricked the device already.
I tried to unpack the boot.img I got from the device, make a very small change with CarlivImageKitchen (starting adbd) and then write the packed image back to the device.
On reboot I now get the first Polycom screen and that's it.
The 4 finger recovery no longer works, it's just stuck and does not continue.
Lacking any kind of connection to the device I guess it's time to bin it and move on.
That is, unless anyone has any more ideas on what I could try.
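The post above describes unpacking boot.img, repacking it with a kitchen and writing it back. As an added example (not part of the original post, and not Polycom's or the kitchen's code), this compares the header of a repacked image with the original before anything is written. It assumes the standard Android boot image header, version 0; the sample images, addresses and command line are constructed.

```python
import struct
from collections import namedtuple

# Android boot image header, version 0: magic, 10 x u32, name, cmdline, id
HDR = struct.Struct("<8s10I16s512s32s")
BootHdr = namedtuple("BootHdr", "kernel_size kernel_addr ramdisk_size ramdisk_addr "
                     "second_size second_addr tags_addr page_size name cmdline")

def parse_boot_header(blob):
    if len(blob) < HDR.size:
        raise ValueError("too short for a boot image header")
    f = HDR.unpack_from(blob)
    if f[0] != b"ANDROID!":
        raise ValueError("missing ANDROID! magic")
    if f[8] == 0 or f[8] & (f[8] - 1):
        raise ValueError("page_size is not a power of two")
    text = lambda raw: raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return BootHdr(*f[1:9], text(f[11]), text(f[12]))

def required_size(h):
    """Bytes used by header, kernel, ramdisk and second stage, each page-aligned."""
    pages = lambda size: (size + h.page_size - 1) // h.page_size
    return (1 + pages(h.kernel_size) + pages(h.ramdisk_size) + pages(h.second_size)) * h.page_size

def repack_problems(original, repacked, partition_size):
    """List differences that can stop a bootloader from loading the repacked image."""
    a, b = parse_boot_header(original), parse_boot_header(repacked)
    problems = [f"{name}: {getattr(a, name)!r} -> {getattr(b, name)!r}"
                for name in ("page_size", "kernel_addr", "ramdisk_addr",
                             "second_addr", "tags_addr", "cmdline")
                if getattr(a, name) != getattr(b, name)]
    if required_size(b) > len(repacked):
        problems.append("image truncated: header sizes exceed file length")
    if required_size(b) > partition_size:
        problems.append("image larger than boot partition")
    return problems

def make_image(page_size, ramdisk_addr, kernel=b"K" * 5000, ramdisk=b"R" * 3000):
    """Build a constructed sample image; all addresses here are made up."""
    hdr = HDR.pack(b"ANDROID!", len(kernel), 0x82008000, len(ramdisk), ramdisk_addr,
                   0, 0x82F00000, 0x82000100, page_size, 0, 0,
                   b"sample", b"console=ttyS0,115200", b"")
    pad = lambda d: d + b"\0" * (-len(d) % page_size)
    return pad(hdr) + pad(kernel) + pad(ramdisk)

if __name__ == "__main__":
    stock = make_image(2048, 0x83000000)
    repacked = make_image(4096, 0x81000000)   # repack tool used different defaults
    for line in repack_problems(stock, repacked, 8 << 20):
        print(line)
```

An empty list from `repack_problems` only means the header layout matches; it says nothing about whether the modified ramdisk itself boots.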
Maybe there's UART lines available?
shadow# said:
Well, this was fast. I seem to have bricked the device already.
I tried to unpack the boot.img I got from the device, make a very small change with CarlivImageKitchen (starting adbd) and then write the packed image back to the device.
On reboot I now get the first Polycom screen and that's it.
The 4 finger recovery no longer works, it's just stuck and does not continue.
Lacking any kind of connection to the device I guess it's time to bin it and move on.
That is, unless anyone has any more ideas on what I could try.
Will it respond to a ping? May just be the gui/application stack that's crashed.
If so, you may be able to get it to boot from a provisioning server.
tjump7 said:
Maybe there's UART lines available?
I'd have to figure out how to take it apart for this first and then start from scratch with no knowledge, probably including getting all the tools.
Tempting but not sure it's worth it
silo24 said:
Will it respond to a ping? May just be the gui/application stack that's crashed.
If so, you may be able to get it to boot from a provisioning server.
It does not even react to the 4 finger recovery method any more.
Pretty sure that's way before there is any network. No link.
shadow# said:
I'd have to figure out how to take it apart for this first and then start from scratch with no knowledge, probably including getting all the tools.
Tempting but not sure it's worth it
It does not even react to the 4 finger recovery method any more.
Pretty sure that's way before there is any network. No link.
Just a Pi Pico I believe is needed for the hardware aspect, as for the tools, I don't know what you currently have. I'm just trying to come up with ideas for you.
Quick edit, here's a link if you're curious at all: https://github.com/Noltari/pico-uart-bridge
shadow# said:
I'd have to figure out how to take it apart for this first and then start from scratch with no knowledge, probably including getting all the tools.
Tempting but not sure it's worth it
It does not even react to the 4 finger recovery method any more.
Pretty sure that's way before there is any network. No link.
Try a usb stick. Try with a full zip file first, then try with the 0000000p.cfg and the xxxxx.sip.ld file only.
silo24 said:
Try a usb stick. Try with a full zip file first, then try with the 0000000p.cfg and the xxxxx.sip.ld file only.
It no longer reacts to a USB stick and I cannot trigger the recovery as that is not a real recovery but instead part of the boot image. Which I unfortunately messed up.
The bootloader is u-boot but I cannot access it. Config is:
Code:
baudrate=115200
bootcmd=if key VOL_UP; then android recovery; else android; fi;
bootdelay=1
brcm_dt_enable=yes
brcm_dt_size=0x10
preboot=vc run
watchdog=off
The volume keys are soft keys, so no luck there either.
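U-Boot stores its environment as a CRC32 followed by NUL-terminated name=value strings, so a dumped environment partition can be read offline. The following is an added example, not part of the original post: it parses such a block and checks the CRC, assuming the common non-redundant layout on a little-endian target and a hypothetical environment size of 0x1000 bytes. The sample block is constructed from variables quoted in the post.

```python
import struct
import zlib

def build_uboot_env(variables, env_size):
    """Serialise variables the way U-Boot stores them: CRC32, then name=value\\0 ... \\0."""
    body = b"".join(f"{k}={v}".encode("ascii") + b"\0" for k, v in variables.items()) + b"\0"
    if len(body) > env_size - 4:
        raise ValueError("variables do not fit in env_size")
    data = body.ljust(env_size - 4, b"\0")
    return struct.pack("<I", zlib.crc32(data)) + data

def parse_uboot_env(blob, env_size):
    """Return (crc_ok, variables) for a non-redundant environment of env_size bytes."""
    if env_size < 6 or len(blob) < env_size:
        raise ValueError("dump is shorter than env_size")
    (stored_crc,) = struct.unpack_from("<I", blob)
    data = blob[4:env_size]               # the CRC covers everything after itself
    variables = {}
    for entry in data.split(b"\0"):
        if not entry:                     # empty string marks the end of the list
            break
        name, sep, value = entry.partition(b"=")
        if not sep or not name:
            raise ValueError(f"malformed entry {entry[:20]!r}")
        variables[name.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return zlib.crc32(data) == stored_crc, variables

# Constructed sample using variables quoted in the post; env_size is an assumption.
SAMPLE_VARS = {
    "baudrate": "115200",
    "bootcmd": "if key VOL_UP; then android recovery; else android; fi;",
    "bootdelay": "1",
    "brcm_dt_enable": "yes",
    "brcm_dt_size": "0x10",
}
SAMPLE = build_uboot_env(SAMPLE_VARS, 0x1000)

if __name__ == "__main__":
    ok, env = parse_uboot_env(SAMPLE, 0x1000)
    print("crc ok:", ok)
    for name, value in env.items():
        print(f"{name}={value}")
```

A CRC mismatch on a real dump usually means the wrong offset or size was used, or that the block was edited without recomputing the checksum.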
Have you tried the micro-usb port to a PC? If it's that screwed it may be in a recovery mode of some sort. Like Qualcomm QFIL for example.
Any ideas what chipset these things run on? They are going so cheap on eBay now that I've just bought another!
silo24 said:
Have you tried the micro-usb port to a PC? If it's that screwed it may be in a recovery mode of some sort. Like Qualcomm QFIL for example.
I tried but nothing was detected.
I got stuck half way through my teardown attempt after taking out all visible screws.
I fear the display is glued on with more screws underneath, I have no clue how to remove it.
Any ideas?
There's FCC pictures available of the insides of the 8500 <- that's actually an 8800!
8500 VOIP Conference phone with Bluetooth functionality, Internal Photos report131453884415308571 (FCC ID M72-8500, Polycom Inc.), fccid.io
I see quite a few unpopulated headers on that board!
If only I could get to them
Alright!
That was some nasty glue, but I finally managed to get it open.
The display is glued on, mostly on the sides. The NFC antenna on the left as well as the soft buttons on the right are glued back and front and need to stay on the display - so currently no idea if they are still ok.
The display connector comes from the back at the top of the display and connects in the lower part. Display needs to be flipped upwards to get to the last screws. As long as any wedging is limited to the left and right sides it is possible to get it off without damaging the display.
I still get the Polycom logo.
Here are some pictures of the bottom of the PCBs.
The last one has the Wifi Board and a curious little connector that is unused.
Could this be a service port?
Now what should I try next?
So I found an old FTDI232 that should work on my Macbook and started checking all of the 4 pin headers for potential UART.
I set the terminal to 115200 8-N-1 with no flow control and connected GND and RX.
I tried for a few seconds each after powering the device.
Unfortunately, I got absolutely nothing apart from some noise on some of them as soon as power was provided.
That port in the image above I have no connector for, it's probably something else anyway.
What else could I try?
shadow# said:
Alright!
That was some nasty glue, but I finally managed to get it open.
The display is glued on, mostly on the sides. The NFC antenna on the left as well as the soft buttons on the right are glued back and front and need to stay on the display - so currently no idea if they are still ok.
The display connector comes from the back at the top of the display and connects in the lower part. Display needs to be flipped upwards to get to the last screws. As long as any wedging is limited to the left and right sides it is possible to get it off without damaging the display.
I still get the Polycom logo.
Here are some pictures of the bottom of the PCBs.
The last one has the Wifi Board and a curious little connector that is unused.
Could this be a service port?
Now what should I try next?
J1 indicator....could be for JTAG potentially?
EDIT: After looking again I can see I'm probably wrong, but that may still be your UART interface?
tjump7 said:
J1 indicator....could be for JTAG potentially?
EDIT: After looking again I can see I'm probably wrong, but that may still be your UART interface?
Could actually be JTAG as it seems to be double sided, 4 more pins at the top.
Three of them measure 1.8V when powered, the rest seems to be at 0V.
But I have no way of properly connecting to it.
shadow# said:
Could actually be JTAG as it seems to be double sided, 4 more pins at the top.
Three of them measure 1.8V when powered, the rest seems to be at 0V.
But I have no way of properly connecting to it.
Do you by chance have a logic level converter? Would make talking to 1.8v much easier
tjump7 said:
Do you by chance have a logic level converter? Would make talking to 1.8v much easier
Unfortunately not, not even anything JTAG related.
shadow# said:
Unfortunately not, not even anything JTAG related.
How important is this project to you? The logic level is cheap (and that may be I2c as well, no real clue)
4-channel I2C-safe Bi-directional Logic Level Converter (www.adafruit.com)
Any chance of identifying the underlying SoC? Obviously it's reporting itself as bcm911130, but I suspect that's a Polycom specific part number....i.e. a Standard cellular Android SoC with elements that aren't utilised blocked out.
Might give more of an idea as to the Bootloader structure.