NFC RFID Card Emmulation - Nexus 5 Q&A, Help & Troubleshooting

I see there is some historic stuff on Google that point to people trying to do this, but wanted to see if there was any update. Basically, I want to use the RFID reader to authenticate my phone to open my house's front door. It seems in its current implementation, the phone changes its UID after each read making my idea impossible. I can do this with an RFID tag, but hoping to use the phone instead.
Here's an example of what the reader currently reads in four consecutive attemps:
Code:
Card UID: 08 98 3A 6F
PICC type: PICC compliant with ISO/IEC 14443-4
Dumping memory contents not implemented for that PICC type.
Card UID: 08 51 ED 11
PICC type: PICC compliant with ISO/IEC 14443-4
Dumping memory contents not implemented for that PICC type.
Card UID: 08 D3 95 C6
PICC type: PICC compliant with ISO/IEC 14443-4
Dumping memory contents not implemented for that PICC type.
Card UID: 08 EA EA 2A
PICC type: PICC compliant with ISO/IEC 14443-4
Dumping memory contents not implemented for that PICC type.

Related

TI FM Radio

Preface
Hi !
In my reading of various threads it's become apparent that there are MANY people who passionately
desire a "real FM radio" app. Not all of us live in data dense areas, or can afford the costs of
streaming audio. And not all of us have given up on RF broadcasts, either due to our tastes,
local available programming, lack of commercials or whatever. And many of us very much desire
the ability to transmit on the FM band for various reasons.
I want this thread to deal with TI FM radios on all devices that contain TI chips. My observation is that
there is a great deal of commonality in the TI chips supporting FM in the last 4-6 years.
I don't generally want to deal with the Broadcom FM chips here, but the audio routing issues will be similar.
I also WOULD like to create a list of devices containing the FM chips they use, so people can more quickly
determine their FM chip type.
To non-devs who want FM yesterday: Yes, I know. No need to post about it. I'll do my best to create some
kind of app ASAP, but first some fundamentals need to be figured out. I'd think and hope that others will also
be able to create FM radio apps from the info here and elsewhere.
This thread is in a developer forum, and as such it would be preferable to limit discussion to technical
aspects, preferrably by those who are developers or thereabouts in terms of technical skills. It's hard
work sometimes to slog through near 100 page threads such as the one for the Nexus One FM radio.
If you have simple questions, comments, requests, corrections or additions to this, please consider
PMing me directly and I'll do my best to incorporate that into the thread, giving acknowledgement
if you so desire.
That said, I've posted FM Receiver and FM Transmitter scripts below. If you feel you have a reasonable
capability to try these scripts on your device, please do, and report here or via PM on success or failure
if you might be among the first few to try these on your device/model.
I will try to keep these first posts updated with the latest information, so hopefully you won't need to post
questions about whether or not your device works by referring to the "Devices" post.
---------------------
Introduction
I've enabled the FM radio functions on my HTC Legend. It is also known to work on HTC Tattoo.
Scouring the web looking for the magic incantations to enable FM audio I'm finding myself overwhelmed with all the things I don't know.
Much of the information needed is kept under wraps by TI and their customers. To get TI's information requires signing an NDA,
and perhaps other legal documents. Signing such an NDA limits how much you can say publicly, and I'd prefer to not be under
such constraints. I'm not even sure if an NDA would be sufficient for a person not employed by TI or a TI customer.
Thus this thread, to share with you the information I've found, and to ask for your help in correcting it or adding to it.
If there is any similar thread on any site, that is TI specific, but not device model specific, please let me know.
I've seen and read through a number of mega-threads here and elsewhere that are device specific, but much of the information
contained therein is useful for all devices with TI FM chips.
The chips in question are usually named: WL1271, WL1273, WL1281 and WL1283. The first two have WF + BT + FM and the latter two add GPS.
TI also calls these WiLink or BlueLink 5.0, 6.0 and 7.0, as well as BRF6300, BRF6350 and BL6450.
TI also sells various evaluation boards carrying these chips, and some TI partners produce modules, sometimes with similar numbers.
AFAICT there is no FM functionality in some of the predecessor chips such as the WiLink 4.0 chips: BRF6100 (WL1251) & BRF6150 (WL1253).
Just so you better know my knowledge level:
- I'm new to Android, smartphones and post 1995 PDAs, although I've read some on these subjects over the years.
I'm diving straight in to learn as much as I can as quickly as I can. I'm not currently employed but hope to
transition myself to what appears to be the rapidly expanding Android world.
- I've worked in software development on "semi-embedded" Linux VOIP and security appliances since 1997, with a good bit
of low level kernel/driver stuff. Not much low level stuff recently, mostly daemons and command line utilities.
At home I've recently worked on a home Asterisk VOIP box and MythTv and XBMC based HTPCs. I also manage the 5 Ubuntu
PCs our family uses, as well as one lonely 5 year old HP WinXp tablet.
- My background in electronics and computing goes back to the mid 1970's with 8080 and SCMP. I designed and built a variety
of computer, electronics and even RF devices in those days, and can still wield a mean soldering pencil when needed.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Here is some information about which chips being discussed here. Note that the terms BlueLink and WiLink can be somewhat confusing as some chips are both.
TI's Wireless Connectivity Solutions page:
http://focus.ti.com/general/docs/wt...lateId=6123&navigationId=12493&contentId=4637
Note at left that GPS (NaviLink), Bluetooth (BlueLink) and Wireless (WiLink) are represented.
FM radio seems to be the neglected "step child" that gets little mention or notice.
It's a small add-on feature that just happens to come along with Bluetooth sometimes, if at all.
Generally, the WiFi, BT, FM and GPS components in these multi-function chips tend to be independent of each other.
They can be powered up or down individually and usually have seperate control paths. They are called "IP"s, eg.
the WiFi IP or BT IP. I haven't yet determined what IP stands for, LOL.
FM is the exception though; it seems to piggyback on the BT IP. To power up FM you must first power up BT
(although some doc implied BT can then be powered down). FM has it's own I2C control path, but that is usually
not used, in favor of sharing the BT HCI interface.
Some docs I've read discourage the use of FM. Perhaps it can cause issues ?
Note that some of these chips may indicate support for Wireless-N, but that doesn't mean the device manufacturer
enabled it in their stack etc. It might be possible to enable N, perhaps with different Wireless firmware or init
scripts. While an interesting prospect, despite the expectation of vastly increased battery consumption, I don't
want to get into the Wireless issues, except as they might impact FM.
------------------------------------------------------------------------
Predecessor single function products upon which the later integrated products are based:
2004: BRF6100 / BRF6150 = BT only
http://focus.ti.com/pdfs/wtbu/TI_brf6100_6150.pdf
2005: WiLink 4.0 mWLAN (WL1251 and WL1253) = WF only
WL1251 = 802.11 b/g/e/i/d/k
WL1253 = 802.11 a/b/g/e/i/d/k/h/j
http://focus.ti.com/pdfs/wtbu/wl1251_1253_prod_bulletin.pdf
2005: BlueLink 5.0 BRF6300 = BT only
http://focus.ti.com/pdfs/wtbu/ti_bluelink_5_brf6300.pdf
------------------------------------------------------------------------
Combined products. All seem to support FM Rx and Tx:
2007: BlueLink 6.0 BRF6350 = BT + FM
http://focus.ti.com/pdfs/wtbu/ti_bluelink_6_brf6350.pdf
200?: WiLink 5.0 = WiLink 4.0 mWLAN + BlueLink 6.0 = WF + BT + FM
http://focus.ti.com/general/docs/wt...ateId=6123&navigationId=12661&contentId=15402
2010: WiLink 6.0 = WF + BT + FM (Bluetooth (2.1?) Low Energy Specification 4.0 + EDR)
WL1271 = 802.11 b/g/n (2.4 GHz)
WL1273 = 802.11 a/b/g/n (2.4 & 5 GHz)
http://www.ti.com/lit/swmt013
2010.1: BlueLink / WiLink 7.0 BL6450 = BT 2.1 (+EDR) + FM (No WF)
http://focus.ti.com/pdfs/wtbu/BlueLink7_BL6450_swmt014d.pdf
2010.2: WiLink 7.0 = WF + BT + FM + GPS
WL1281 / WL1283 = 802.11 a/b/g/n + BT 3.0 + FM + GPS 3GPP
http://focus.ti.com/pdfs/wtbu/WiLink7_WL1283_swmt016.pdf
Sources
Sources
The source of information I've found include:
- Documents from TI or customers. Usually these contain limited information.
- Source code from TI, TI's customers or other parties, including ROM builders.
- Threads/Posts on forums including this one, as well as TI support forums.
- Miscellaneous random sources such as IRC logs for HTC-Linux.
The most comprehensive and easily useful sources I've found so far are the source codes
for a Linux WL1271 driver being produced by a Nokia employee, and somewhat similar
source codes from TI.
The "Texas Instruments WL1273 FM radio" Linux driver is under development by Matti J. Aaltonen
of Nokia. I believe the Nokia N900 uses a TI chip under Maemo->Meego, and perhaps other Nokia
devices too. Various patches and discussions are underway, and can be googled, and parts of it
are slowly appearing in the latest kernel source. If you want to see the latest, the only easy way
seems to be downloading one of the latest kernels at https://lkml.org/ .
There's an ancient first version from and some discussion from April here:
http://thread.gmane.org/gmane.linux.drivers.video-input-infrastructure/18449
I used http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.37.tar.bz2 and
http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.37.bz2 but I see there's a 2.6.38 RC5
there as well.
Finding and downloading TI code has been a pain, but they have a lot there.
TI WL 128x FM V4L2 driver:
There's a git repository for what appears to be an alternate V4L driver at http://dev.omapzoom.org/pub/scm/manju/L24x-btfm.git
Some discussion: http://www.spinics.net/lists/linux-media/msg28310.html
I'm not sure why there appear to be two efforts underway to create FM V4L2 drivers, the one by Nokia and the other by TI.
This appears to be source for TI's fmapp test utility and fm_stack library in a form that can be viewed by browser:
http://git.omapzoom.org/?p=platform...2a9dcca2dced00e724a2eb1dec578152f5beb;hb=HEAD
I managed to download the older 0.12 version of fmapp and fm_stack source code from somewhere, but can't recall where.
The "fmapp" utility has a LOT of functionality for testing just about every exposed FM feature, including RDS.
There is also a recently released "Android Froyo DevKit V2" at:
http://software-dl.ti.com/dsps/dsps_public_sw/sdo_tii/TI_Android_DevKit/02_00_00/index_FDS.html
You have to sign in for that but it should be easy to create an account. I already had one via a previous TI adventure.
The K2 BM6350 module PDFs have some further info:
http://www.ktwo.co.in/index.php?option=com_content&task=view&id=178&Itemid=465
http://www.ktwo.co.in/pdf/K2BM6350_Datasheet.pdf
http://www.ktwo.co.in/pdf/K2-BM6350 StarterKit UserManual.pdf
Forum threads:
[TUTORIAL] Reverse engineering HTC FM Radio for noobs (on EVO 4G)
http://forum.xda-developers.com/showthread.php?t=725870
Decompiled HTC Radio app
http://martinmarinov.info/HTCRadio.rar
Some words about bluetooth....
http://forum.xda-developers.com/showthread.php?t=816019
[Q] FM Radio app, Broadcom BCM4329 chipset
http://forum.xda-developers.com/showthread.php?t=837691
[THINK TANK] Enabling the Nexus One FM radio ...
http://forum.xda-developers.com/showthread.php?t=707404
FM Radio on 2.x ROMs - An Idea
http://forum.xda-developers.com/showthread.php?p=11366697
Devices
Devices
List of devices and FM chips. At this time I'd like to limit this to Android devices, but might consider others.
Would be useful to list limitations here. For example, some Motorola Droid owners were understandably disheartened,
after much work, to find they had no Fm Rx antenna connection, and could not make one without opening up the cans, etc.
on the board. So technically they had Fm Rx, practically, they had none.
Also, some boards may have no Tx antenna, but might possibly work within a few inches of an external FM receiver antenna.
--------------------------------------------------------------------------------
TI FM devices:
--------------------------------------------------------------------------------
HTC Legend: WL1273
HTC Tattoo/Click WL1271?
HTC Dream/Google G1 WL1271?
HTC Sapphire/Hero BRF6300 = WL1271?
HTC Diamond/Raphael/Blackstone BRF6350 (Windows Mobile?)
Motorola Droid WL1271
Motorola Backflip WL1271?
Motorola Milestone WL1273?
Nokia N900 WL1273? (Maemo?)
Barnes & Noble Nook Color WL1273?
--------------------------------------------------------------------------------
Broadcom FM devices:
--------------------------------------------------------------------------------
HTC Nexus One: 43xx
--------------------------------------------------------------------------------
FM Apps and APIs
FM Apps and APIs
Many handset manufacturers provide their own proprietary FM radio apps. Some people have managed to get an
FM radio app meant for another device working on theirs. Most, however, have library or other issues with a foreign app.
AFAICT, Google has not released any sanctioned FM radio API, nor do they intend to. I'd guess FM radio likely
won't bring much revenue to Google or the carriers.
In an ideal world, Android apps would use the same API as on Linux: the "Video For Linux version Two" aka V4L2.
This API makes use of a /dev/radioX device. This is somewhat similar to the /dev/videoX devices that some devices
appear to support for cameras.
If the V4L2 API was available on Android, Android FM radio apps could then be ported more easily from Linux.
Alas, there are relatively few Linux radio apps. GnomeRadio hasn't been touched in over 2 years and Gnome
doesn't run on Android anyway of course. Some command line apps could be ported, but that doesn't make for
an Android app.
So thus far, the defacto "API" for FM radio on Android has been vendor specific commands over HCI, the
Bluetooth interface. This is more or less similar to the way it can be done via I2C, but apparently
most FM chips are not wired via 12C; they use the existing HCI UART. Once again, FM radio is the
poor neglected "step-child".
One advantage of using HCI is that no new kernel drivers are needed. A disadvantage is that some mediation
driver would be required to use bluetooth and FM at the same time; the only alternative being drivers for
both smashed together, but that would be an Android specific hack and is not a good idea.
I've noted that one individual created an API spec and an app for Windows devices a few years back.
I believe it was called GFMRadio and XFMRadio or similar. That project was apparently abandoned.
MIUI released a GPL licensed FM app for some phones based on broadcom chips; HTC Desire and Nexus One.
The source code contains the string "/dev/radio", but AFAICT it doesn't appear to actually use V4L API.
It speaks directly to the broadcom FM chip via HCI.
Since MIUI source is GPL and available it could be used as a base for a TI, or TI and broadcom specific app.
In theory patches could be submitted to MIUI but I'm not sure they are open to that and the language barrier
from English to Chinese and back may be difficult.
Some interesting posts on MIUI here: http://forum.xda-developers.com/showthread.php?t=837691
http://www.miui.com/thread-1687-1-1.html
Using hcitool commands, or similar, one could write a radio app in bash or Perl etc. LOL.
TI has an "fmapp" command line testing utility that relies on libfm_stack.so .
This app won't run on my Legend because it depends on snd_ctl_* APIs in libaudio.
"strings libfm_stack.so" produces lots of interesting detail and embedded BTS scripts.
The source code I've found for TI fmapp, and it's FM stack library does not seem to have all
the functionality I've seen in the binary fmapp I found. So they may have stripped much code
for the publicly released source code.
Audio routing
Audio routing
On HTC phones, FM analog audio routing can be achieved by:
# Default
adb shell 'echo "disable" > /sys/class/htc_accessory/fm/flag'
# Headset
adb shell 'echo "fm_headset" > /sys/class/htc_accessory/fm/flag'
# Speaker
adb shell 'echo "fm_speaker" > /sys/class/htc_accessory/fm/flag'
# View
adb shell cat /sys/class/htc_accessory/fm/flag
Firmware, TI BTS file, HCI and I2S/I2C issues, tools etc.
Firmware, TI BTS file, HCI and I2S/I2C issues, tools etc.
The Nokia V4L driver loads radio-wl1273-fw.bin, although the code does indicate it may not be necessary.
I can't find this firmware file anywhere. As with many other firmwares, it may simply be a known firmware
file renamed. This has been noted with other firmware files for the TI radio.
Information on firmware for these TI chips seems scattered and incomplete. Same with the BTS Bluetooth script files
which are usually important for accessing the FM functionality.
I think one of the reasons for this lack of information is that most parties do not want us messing with the available functionality.
- Device manufacturers do not want their devices used in violation of FCC or other regulatory body rules.
For example, FM transmission at higher power levels or improper frequencies. Also RDS transmissions with bogus data.
- Device manufacturers and carriers want us to buy newer or more expensive products for additional functionality.
They also would rather we use voice minutes instead of FM "walkie talkies".
- Google and carriers want us to stream music via data rather than pick it up for free from over the air.
...
Where do I find utilities to dump/decode/encode BTS files ?
....
HCI is usually used to access FM functions, but I2C might be usable on some devices.
...
fm_rx_init_6350.1.bts
fm_rx_init_6350.2.bts
fm_rx_init_6450.1.bts
fm_tx_init_6450.1.bts
fmc_init_6350.1.bts
fmc_init_6350.2.bts
fmc_init_6450.1.bts
tiinit_0.0.0.bts
tiinit_5.2.34.bts
tiinit_5.3.53.bts
tiinit_6.1.24.bts
tiinit_6.2.31.bts
HCI/I2C Commands
HCI/I2C Commands
Most of this information is gleaned from:
- The Linux WL1271 FM Radio source code written by a Nokia employee.
- TI source code for fmapp/fmstack, etc.
Various forum posts also make it clear there is a bewildering array of commands etc. not referenced in the source codes above.
Some information can also be retrieved by looking inside BTS, firmware, app, utility and library etc. files.
...
Vendor Specific Opcodes for the various FM-related commands over HCI. (_FmcCoreTransportFmCOmmands)
_FMC_CMD_I2C_FM_READ 0x0133
_FMC_CMD_FM_I2C_FM_READ_HW_REG 0x0134
_FMC_CMD_I2C_FM_WRITE 0x0135
?0x136
_FMC_CMD_FM_POWER_MODE 0x0137
?0x138
_FMC_CMD_FM_SET_AUDIO_PATH 0x0139
_FMC_CMD_FM_CHANGE_I2C_ADDR 0x013A
Format of an HCI READ/WRITE command to FM over I2C is:
HCI Header:
- HCI Packet Type: (Added internally by the HCI Transport Layer)
- HCI Opcode: 2 bytes (LSB, MSB - LE)
- HCI Parameters Total Len: 1 byte (total length of all subsequent fields)
HCI Parameters:
- FM Opcode: 1 byte
- FM Parameters Len: 2 bytes (LSB, MSB - LE)
- FM Cmd Parameter Value: N bytes
For "simple" (non-RDS) read commands "FM Parameters Len" is always "2, 0" (2).
...
HCI/I2C Commands/Opcodes, registers, values
HCI/I2C Opcodes, registers, values.
Most of this information is gleaned from:
- The Linux WL1271 FM Radio source code written by a Nokia employee.
- TI source code for fmapp/fmstack, etc.
---------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
The most important "commands":
----------
0x137 FM_POWER_MODE: FM Core power up (last byte 0=down, 1=up)
Usage:
# FM_POWER_MODE: FM Core power up
adb shell hcitool cmd 0x3f 0x137 0x01 0x01
# FM_POWER_MODE: FM Core power down
adb shell hcitool cmd 0x3f 0x137 0x01 0x00
----------
0x133 FM_READ
Examples:
# FM_READ: POWER (Register 0x20)
adb shell hcitool cmd 0x3f 0x133 0x20 0x02 0x00
# FM_READ: RSSI (Register 0x01)
adb shell hcitool cmd 0x3f 0x133 0x01 0x02 0x00
----------
0x135 FM_WRITE
Examples:
# FM WRITE: POWER: Rx on (This actually seems to be "audio enable" !
adb shell hcitool cmd 0x3f 0x135 0x20 0x02 0x00 0x00 0x02
# FM WRITE: POWER: Rx on plus RDS
adb shell hcitool cmd 0x3f 0x135 0x20 0x02 0x00 0x00 0x03
----------
------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
The "registers": (some call them opcodes, but they seem to be registers IMO)
0x00 0 WL1273_STEREO_GET FMC_FW_OPCODE_RX_STEREO_GET
0 FM_STEREO_MODE mono (or no signal ?)
1 FM_MONO_MODE stereo signal
0x01 1 WL1273_RSSI_LVL_GET FMC_FW_OPCODE_RX_RSSI_LEVEL_GET
(-128) SCHAR_MIN FM_RX_RSSI_THRESHOLD_MIN See also WL1273_SEARCH_LVL_SET
127 SCHAR_MAX FM_RX_RSSI_THRESHOLD_MAX
0x02 2 WL1273_IF_COUNT_GET FMC_FW_OPCODE_RX_IF_COUNT_GET
# changes: 1, 2, 3, ff, fe, 0
0x03 3 WL1273_FLAG_GET FMC_FW_OPCODE_CMN_FLAG_GET
? = Event masks ?
#define FM_FR_EVENT (1 << 0)
#define FM_BL_EVENT (1 << 1)
#define FM_RDS_EVENT (1 << 2)
#define FM_BBLK_EVENT (1 << 3)
#define FM_LSYNC_EVENT (1 << 4)
#define FM_LEV_EVENT (1 << 5)
#define FM_IFFR_EVENT (1 << 6)
#define FM_PI_EVENT (1 << 7)
#define FM_PD_EVENT (1 << 8)
#define FM_STIC_EVENT (1 << 9)
#define FM_MAL_EVENT (1 << 10)
#define FM_POW_ENB_EVENT (1 << 11)
0x04 4 WL1273_RDS_SYNC_GET FMC_FW_OPCODE_RX_RDS_SYNC_GET
0 WL1273_RDS_NOT_SYNCHRONIZED
1 WL1273_RDS_SYNCHRONIZED
0x05 5 WL1273_RDS_DATA_GET FMC_FW_OPCODE_RX_RDS_DATA_GET
64 FMC_FW_RX_RDS_THRESHOLD (*1 or *3) See also FMC_FW_OPCODE_RX_RDS_MEM_SET_GET
85 FMC_FW_RX_RDS_THRESHOLD_MAX Used as FMC_FW_RX_RDS_THRESHOLD_MAX*RDS_BLOCK_SIZE for mem size.
? Set to 3e 16 ? (15894)
0x06 ? Set to 1 ?
------------------------------------------------------------------------------------------
Codes 6-9 missing
------------------------------------------------------------------------------------------
0x0a 10 WL1273_FREQ_SET FMC_FW_OPCODE_RX_FREQ_SET_GET
base + freq / 50Khz
0 0x000 87500 WL1273_BAND_OTHER_LOW
410 0x19a 108000 WL1273_BAND_OTHER_HIGH
0 0x000 76000 WL1273_BAND_JAPAN_LOW
280 0x118 90000 WL1273_BAND_JAPAN_HIGH
? #define FM_UNDEFINED_FREQ 0xFFFFFFFF
0x0b 11 WL1273_AF_FREQ_SET FMC_FW_OPCODE_RX_AF_FREQ_SET_GET
0x0c 12 WL1273_MOST_MODE_SET FMC_FW_OPCODE_RX_MOST_MODE_SET_GET ! MOST = "MOno/STereo"
0 WL1273_RX_STEREO Stereo according to blend
1 WL1273_RX_MONO Force mono output
0 FM_STEREO_MODE
1 FM_MONO_MODE
0x0d 13 WL1273_MOST_BLEND_SET FMC_FW_OPCODE_RX_MOST_BLEND_SET_GET
0 Switched blend & hysteresis
1 FM_STEREO_SOFT_BLEND Soft blend
Now set to 1 = Soft blend
0x0e 14 WL1273_DEMPH_MODE_SET FMC_FW_OPCODE_RX_DEMPH_MODE_SET_GET
0 FM_RX_EMPHASIS_FILTER_50_USEC
1 FM_RX_EMPHASIS_FILTER_75_USEC
0x0f 15 WL1273_SEARCH_LVL_SET FMC_FW_OPCODE_RX_SEARCH_LVL_SET_GET
7 WL1273_DEFAULT_SEEK_LEVEL
(-128) SCHAR_MIN See also WL1273_RSSI_LVL_GET
127 SCHAR_MAX
0x10 16 WL1273_BAND_SET FMC_FW_OPCODE_RX_BAND_SET_GET
0 WL1273_BAND_OTHER 87.5-108 Mhz North America, Europe, generally rest of world besides Japan
1 WL1273_BAND_JAPAN 76-90 Mhz Japan (perhaps soon US also)
0x11 17 WL1273_MUTE_STATUS_SET FMC_FW_OPCODE_RX_MUTE_STATUS_SET_GET
0 ........ FMC_FW_RX_MUTE_UNMUTE_MODE
bit0 0x01 WL1273_MUTE_SOFT_ENABLE FMC_FW_RX_MUTE_RF_DEP_MODE
bit1 0x02 WL1273_MUTE_AC FMC_FW_RX_MUTE_AC_MUTE_MODE
bit2 0x04 WL1273_MUTE_HARD_LEFT FMC_FW_RX_MUTE_HARD_MUTE_LEFT_MODE
bit3 0x08 WL1273_MUTE_HARD_RIGHT FMC_FW_RX_MUTE_HARD_MUTE_RIGHT_MODE
bit4 0x10 WL1273_MUTE_SOFT_FORCE FMC_FW_RX_MUTE_SOFT_MUTE_FORCE_MODE
Set to one of these:
2 0x02 FM_RX_AC_MUTE_MODE Mute On But enable soft/attenuate ?
0 0x00 FM_RX_UNMUTE_MODE Mute Off
16 0x10 FM_RX_SOFT_MUTE_FORCE_MODE Mute Attenuate
Then optionally logically "OR" ('|') this:
bit0 0x01 FM_RX_RF_DEP_MODE
Optional bits ?
bit2 0x04 FM_RX_HARD_MUTE_LEFT_MODE
bit3 0x08 FM_RX_HARD_MUTE_RIGHT_MODE
? #define FM_MUTE_OFF 0
? #define FM_MUTE_ON 1
? #define FM_MUTE_ATTENUATE 2
? #define FM_RX_RF_DEPENDENT_MUTE_ON 1
? #define FM_RX_RF_DEPENDENT_MUTE_OFF 0
0x12 18 WL1273_RDS_PAUSE_LVL_SET FMC_FW_OPCODE_RX_RDS_PAUSE_LVL_SET_GET
? Set to 5 ?
0x13 19 WL1273_RDS_PAUSE_DUR_SET FMC_FW_OPCODE_RX_RDS_PAUSE_DUR_SET_GET
? Set to 0x0c = 12
0x14 20 WL1273_RDS_MEM_SET FMC_FW_OPCODE_RX_RDS_MEM_SET_GET
64 FMC_FW_RX_RDS_THRESHOLD (*1 or *3) See also FMC_FW_OPCODE_RX_RDS_DATA_GET
85 FMC_FW_RX_RDS_THRESHOLD_MAX Used as FMC_FW_RX_RDS_THRESHOLD_MAX*RDS_BLOCK_SIZE for mem size.
Set to 0x55 = 85 = Max Thresh
0x15 21 WL1273_RDS_BLK_B_SET FMC_FW_OPCODE_RX_RDS_BLK_B_SET_GET
0x16 22 WL1273_RDS_MSK_B_SET FMC_FW_OPCODE_RX_RDS_MSK_B_SET_GET
0x17 23 WL1273_RDS_PI_MASK_SET FMC_FW_OPCODE_RX_RDS_PI_MASK_SET_GET
0x18 24 WL1273_RDS_PI_SET FMC_FW_OPCODE_RX_RDS_PI_SET_GET
0x19 25 WL1273_RDS_SYSTEM_SET FMC_FW_OPCODE_RX_RDS_SYSTEM_SET_GET
0 FM_RDS_SYSTEM_RDS
1 FM_RDS_SYSTEM_RBDS
0x1a 26 WL1273_INT_MASK_SET FMC_FW_OPCODE_CMN_INT_MASK_SET_GET
0x1b 27 WL1273_SEARCH_DIR_SET FMC_FW_OPCODE_RX_SEARCH_DIR_SET_GET
0 FM_SEARCH_DIRECTION_DOWN
1 FM_SEARCH_DIRECTION_UP
0x1c 28 WL1273_VOLUME_SET FMC_FW_OPCODE_RX_VOLUME_SET_GET
880 0x370 ........ FMC_FW_RX_FM_GAIN_STEP ? 35 steps ?
0 0x00 ........ FMC_FW_RX_FM_VOLUMN_MIN
30904 0x78b8 WL1273_DEFAULT_VOLUME FMC_FW_RX_FM_VOLUMN_INITIAL_VALUE
61808 0xf170 ........ FMC_FW_RX_FM_VOLUMN_MAX
65535 0xffff WL1273_MAX_VOLUME ........
- #define FM_RX_VOLUME_MIN 0
? #define FM_RX_VOLUME_MAX 70
? #define FM_RX_VOLUME_GAIN_STEP 0x370
0x1d 29 WL1273_AUDIO_ENABLE FMC_FW_OPCODE_RX_AUDIO_ENABLE_SET_GET
bit0 0x01 WL1273_AUDIO_ENABLE_I2S FMC_FW_RX_FM_AUDIO_ENABLE_I2S
bit1 0x02 WL1273_AUDIO_ENABLE_ANALOG FMC_FW_RX_FM_AUDIO_ENABLE_ANALOG
bit0|1 0x03 ........ FMC_FW_RX_FM_AUDIO_ENABLE_I2S_AND_ANALOG
0 ........ FMC_FW_RX_FM_AUDIO_ENABLE_DISABLE
0x1e 30 WL1273_PCM_MODE_SET FMC_FW_OPCODE_CMN_I2S_CLOCK_CONFIG_SET_GET
0 0x00 WL1273_PCM_DEF_MODE ? I2S protocol, left channel first, data width 16 bits
0x1f 31 WL1273_I2S_MODE_CONFIG_SET FMC_FW_OPCODE_CMN_I2S_MODE_CONFIG_SET_GET
0x0145= WL1273_IS2_RATE_48K(0) | IS2_TRI_OPT(0) | IS2_SDOWS_RF(0x0100) |
IS2_SLAVEW(0x0040) | IS2_FORMAT_STD(0) | IS2_WIDTH_50(0x0005)
0 0x0 WL1273_IS2_WIDTH_32
1 0x1 WL1273_IS2_WIDTH_40
2 0x2 WL1273_IS2_WIDTH_22_23
3 0x3 WL1273_IS2_WIDTH_23_22
4 0x4 WL1273_IS2_WIDTH_48
5 0x5 WL1273_IS2_WIDTH_50
6 0x6 WL1273_IS2_WIDTH_60
7 0x7 WL1273_IS2_WIDTH_64
8 0x8 WL1273_IS2_WIDTH_80
9 0x9 WL1273_IS2_WIDTH_96
10 0xa WL1273_IS2_WIDTH_128
bits0-3 0xf WL1273_IS2_WIDTH 0xf Mask
........
0 0x00 WL1273_IS2_FORMAT_STD (0x0 << 4)
16 0x10 WL1273_IS2_FORMAT_LEFT (0x1 << 4)
32 0x20 WL1273_IS2_FORMAT_RIGHT (0x2 << 4)
48 0x30 WL1273_IS2_FORMAT_USER (0x3 << 4)
........
0 0x00 WL1273_IS2_MASTER (0x0 << 6)
64 0x40 WL1273_IS2_SLAVEW (0x1 << 6)
........
0 0x00 WL1273_IS2_TRI_AFTER_SENDING (0x0 << 7)
128 0x80 WL1273_IS2_TRI_ALWAYS_ACTIVE (0x1 << 7)
........
0 0x00 WL1273_IS2_SDOWS_RR (0x0 << 8)
256 0x100 WL1273_IS2_SDOWS_RF (0x1 << 8)
512 0x200 WL1273_IS2_SDOWS_FR (0x2 << 8)
768 0x300 WL1273_IS2_SDOWS_FF (0x3 << 8)
........
0 0x00 WL1273_IS2_TRI_OPT (0x0 << 10)
1024 0x400 WL1273_IS2_TRI_ALWAYS (0x1 << 10)
........
0 0x00 WL1273_IS2_RATE_48K (0x0 << 12)
4096 0x1000 WL1273_IS2_RATE_44_1K (0x1 << 12)
8192 0x2000 WL1273_IS2_RATE_32K (0x2 << 12)
16384 0x4000 WL1273_IS2_RATE_22_05K (0x4 << 12) ?! No 0x3, 0x6-0x7, 0xb-0xe ?
20480 0x5000 WL1273_IS2_RATE_16K (0x5 << 12)
32768 0x8000 WL1273_IS2_RATE_12K (0x8 << 12)
36864 0x9000 WL1273_IS2_RATE_11_025 (0x9 << 12)
40960 0xa000 WL1273_IS2_RATE_8K (0xa << 12)
61440 0xf000 WL1273_IS2_RATE (0xf << 12) Mask
........
0 WL1273_I2S_DEF_MODE WL1273_IS2_WIDTH_32| WL1273_IS2_FORMAT_STD| WL1273_IS2_MASTER| WL1273_IS2_TRI_AFTER_SENDING|
WL1273_IS2_SDOWS_RR| WL1273_IS2_TRI_OPT| WL1273_IS2_RATE_48K
0x20 32 WL1273_POWER_SET FMC_FW_OPCODE_RX_POWER_SET_GET
0 WL1273_POWER_SET_OFF FMC_FW_RX_POWER_SET_FM_AND_RDS_OFF
! 0 just seems to mute output. RSSI still responds and all registers remain set.
bit0 0x01 WL1273_POWER_SET_FM FMC_FW_RX_POWER_SET_FM_ON_RDS_OFF
bit1 0x02 WL1273_POWER_SET_RDS ........
bit0|1 0x03 ........ FMC_FW_RX_POWER_SET_FM_AND_RDS_ON
bit4 0x10 WL1273_POWER_SET_RETENTION ........
0x21 33 WL1273_INTX_CONFIG_SET FMC_FW_OPCODE_CMN_INTX_CONFIG_SET_GET
0x22 34 WL1273_PULL_EN_SET FMC_FW_OPCODE_CMN_PULL_EN_SET_GET
? Set to 0xff = 255 ?
0x23 35 WL1273_HILO_SET FMC_FW_OPCODE_RX_HILO_SET_GET
0 0x0 FM_RX_IFFREQ_TO_HI_SIDE
1 0x1 FM_RX_IFFREQ_TO_LO_SIDE
2 0x2 FM_RX_IFFREQ_HILO_AUTOMATIC
Set to 1 = FM_RX_IFFREQ_TO_LO_SIDE
0x24 36 WL1273_SWITCH2FREF FMC_FW_OPCODE_CMN_SWITCH_2_FREF_SET
0x25 37 WL1273_FREQ_DRIFT_REPORT FMC_FW_OPCODE_CMN_FREQ_DRIFT_REPORT_SET TI fmc_fw_defs.h error defines as 0x24
0x28 40 WL1273_PCE_GET FMC_FW_OPCODE_CMN_PCE_GET
Set to 0x0f = 15
0x29 41 WL1273_FIRM_VER_GET FMC_FW_OPCODE_CMN_FIRM_VER_GET
Set to 2
0x2a 42 WL1273_ASIC_VER_GET FMC_FW_OPCODE_CMN_ASIC_VER_GET
Set to 2
0x2b 43 WL1273_ASIC_ID_GET FMC_FW_OPCODE_CMN_ASIC_ID_GET
Set to 0x1273 = 4723
0x2c 44 WL1273_MAN_ID_GET FMC_FW_OPCODE_CMN_MAN_ID_GET
Set to 0x17 = 23
0x2d 45 WL1273_TUNER_MODE_SET FMC_FW_OPCODE_RX_TUNER_MODE_SET
0 TUNER_MODE_STOP_SEARCH FMC_FW_RX_TUNER_MODE_STOP_SEARCH
1 TUNER_MODE_PRESET FMC_FW_RX_TUNER_MODE_PRESET_MODE
2 TUNER_MODE_AUTO_SEEK FMC_FW_RX_TUNER_MODE_AUTO_SEARCH_MODE (AUTONOMOUS)
3 TUNER_MODE_AF FMC_FW_RX_TUNER_MODE_ALTER_FREQ_JUMP
4 TUNER_MODE_AUTO_SEEK_PI ........
5 TUNER_MODE_AUTO_SEEK_BULK ........
0x2e 46 WL1273_STOP_SEARCH FMC_FW_OPCODE_RX_STOP_SEARCH
0x2f 47 WL1273_RDS_CNTRL_SET FMC_FW_OPCODE_RX_RDS_CNTRL_SET
1 FMC_FW_RX_RDS_FLUSH_FIFO
------------------------------------------------------------------------------------------
Codes 48-51 (0x30-0x33) missing
------------------------------------------------------------------------------------------
0x32 ? Set to 0xC000 = 49152
------------------------------------------------------------------------------------------
0x34 52 WL1273_SOC_INT_TRIGGER
------------------------------------------------------------------------------------------
Code 53 (0x35) missing
Code 54 (0x36) and up are mostly TX, except:
0x57 87 WL1273_RX_ANTENNA_SELECT ........
and the common/CMN values 100-102, 254, 255
------------------------------------------------------------------------------------------
0x36 54 WL1273_TX_AUDIO_INPUT_LEVEL_RANGE_SET
0x37 55 WL1273_CHANL_SET FMC_FW_OPCODE_TX_CHANL_SET_GET
freq / 10Khz
7600 0x1db0 76000 WL1273_BAND_TX_LOW
10800 0x2a30 108000 WL1273_BAND_TX_HIGH
0x38 56 WL1273_SCAN_SPACING_SET FMC_FW_OPCODE_TX_CHANL_BW_SET_GET
1 WL1273_SPACING_50kHz FMC_FW_TX_CHANNEL_BW_50_KHZ
2 WL1273_SPACING_100kHz FMC_FW_TX_CHANNEL_BW_100_KHZ
4 WL1273_SPACING_200kHz FMC_FW_TX_CHANNEL_BW_200_KHZ
Set to 4 = 200 KHz
1 0x1 FM_CHANNEL_SPACING_50KHZ
2 0x2 FM_CHANNEL_SPACING_100KHZ
4 0x4 FM_CHANNEL_SPACING_200KHZ
0x39 57 WL1273_REF_SET ........
0x3a 58 WL1273_POWER_ATT_SET ........
0x3b 59 WL1273_POWER_LEV_SET FMC_FW_OPCODE_TX_POWER_LEVEL_SET_GET
Set to 4
/* Range for TX power level in units for dB/uV */ ! 122-pwr
#define FM_PWR_LVL_LOW 91
#define FM_PWR_LVL_HIGH 122
/* Chip specific default TX power level value */
#define FM_PWR_LVL_DEF 4
0x3c 60 WL1273_AUDIO_DEV_SET ........
0x109 = 265 ?
0x3d 61 WL1273_PILOT_DEV_SET ........
0x1b = 27
0x3e 62 WL1273_RDS_DEV_SET ........
8
0x3f 63 WL1273_AUDIO_IO_SET FMC_FW_OPCODE_TX_AUDIO_IO_SET
0 WL1273_AUDIO_IO_SET_ANALOG FMC_FW_TX_AUDIO_IO_SET_ANALOG
1 WL1273_AUDIO_IO_SET_I2S FMC_FW_TX_AUDIO_IO_SET_I2S
0x40 64 WL1273_PREMPH_SET FMC_FW_OPCODE_TX_PREMPH_SET_GET
0 FM_TX_PREEMPH_50US FM TX Pre-emphasis filter default ?
1 FM_TX_PREEMPH_OFF
2 FM_TX_PREEMPH_75US
0x41 65 TX_BAND_SET !!??
0x42 66 WL1273_MONO_SET FMC_FW_OPCODE_TX_MONO_SET_GET
0 WL1273_TX_MONO
1 WL1273_TX_STEREO
1 by default
0x43 67 WL1273_MPX_LMT_ENABLE
0x44 68 ........ FMC_FW_OPCODE_TX_PI_CODE_SET_GET
0x45 69 WL1273_ECC_SET FMC_FW_OPCODE_TX_RDS_ECC_SET_GET
0x46 70 WL1273_PTY FMC_FW_OPCODE_TX_RDS_PTY_CODE_SET_GET
0x47 71 WL1273_AF FMC_FW_OPCODE_TX_RDS_AF_SET_GET
------------------------------------------------------------------------------------------
Code 72 (0x48) missing
------------------------------------------------------------------------------------------
0x49 73 WL1273_TX_AUDIO_LEVEL_TEST_THRESHOLD ........
0x4a 74 WL1273_DISPLAY_MODE FMC_FW_OPCODE_TX_RDS_PS_DISPLAY_MODE_SET_GET
0 FMC_FW_TX_RDS_PS_DISPLAY_MODE_SCROLL_OFF
1 FMC_FW_TX_RDS_PS_DISPLAY_MODE_SCROLL_ON
0x4d 77 WL1273_RDS_REP_SET FMC_FW_OPCODE_TX_RDS_REPERTOIRE_SET_GET
0x4e 78 WL1273_TA_SET FMC_FW_OPCODE_TX_RDS_TA_SET
0x4f 79 WL1273_TP_SET FMC_FW_OPCODE_TX_RDS_TP_SET
0x50 80 WL1273_DI_SET FMC_FW_OPCODE_TX_RDS_DI_CODES_SET_GET
0x51 81 WL1273_MS_SET FMC_FW_OPCODE_TX_RDS_MUSIC_SPEECH_FLAG_SET_GET
0x52 82 WL1273_PS_SCROLL_SPEED FMC_FW_OPCODE_TX_RDS_PS_SCROLL_SPEED_SET_GET
0x53 83 WL1273_SOC_AUDIO_PATH_SET ........
0x54 84 WL1273_SOC_PCMI_OVERRIDE ........
0x55 85 WL1273_SOC_I2S_OVERRIDE ........
0x56 86 WL1273_I2C_DEV_ADDR_SET ........
default 0x22 = 34 (Nokia: #define RX71_FM_I2C_ADDR 0x22)
0x57 87 WL1273_RX_ANTENNA_SELECT ........
0x58 88 WL1273_REF_ERR_CALIB_PARAM_SET ........
0x0c = 12
0x59 89 WL1273_REF_ERR_CALIB_PERIODICITY_SET ........
0x5a 90 WL1273_POWER_ENB_SET FMC_FW_OPCODE_TX_POWER_ENB_SET
0 FMC_FW_TX_POWER_DISABLE
1 FMC_FW_TX_POWER_ENABLE
0x5b 91 WL1273_PUPD_SET FMC_FW_OPCODE_TX_POWER_UP_DOWN_SET
0 WL1273_PUPD_SET_OFF FMC_FW_TX_POWER_DOWN
bit0 1 WL1273_PUPD_SET_ON FMC_FW_TX_POWER_UP
bit4 0x10 WL1273_PUPD_SET_RETENTION ........
0x5c 92 WL1273_MUTE FMC_FW_OPCODE_TX_MUTE_MODE_SET_GET
0 FMC_FW_TX_UNMUTE
1 FMC_FW_TX_MUTE
0x5d 93 WL1273_PI_SET ........
0x5e 94 WL1273_RDS_DATA_ENB FMC_FW_OPCODE_TX_RDS_DATA_ENB_SET_GET
0 FMC_FW_TX_RDS_ENABLE_STOP
1 FMC_FW_TX_RDS_ENABLE_START
0x5f 95 WL1273_RSSI_BLOCK_SCAN_FREQ_SET ........
0x60 96 WL1273_TX_AUDIO_LEVEL_TEST ........
0x61 97 WL1273_RSSI_BLOCK_SCAN_START ........
0x62 98 WL1273_RDS_CONFIG_DATA_SET FMC_FW_OPCODE_TX_RDS_CONFIG_DATA_SET
0x63 99 WL1273_RDS_DATA_SET FMC_FW_OPCODE_TX_RDS_DATA_SET
0x64 100 WL1273_WRITE_HARDWARE_REG FMC_FW_OPCODE_CMN_HARDWARE_REG_SET_GET
0x65 101 WL1273_CODE_DOWNLOAD FMC_FW_OPCODE_CMN_CODE_DOWNLOAD
0x66 102 WL1273_RESET FMC_FW_OPCODE_CMN_RESET
0x0f00 = 3840
------------------------------------------------------------------------------------------
Code 103 (0x67) missing
------------------------------------------------------------------------------------------
0x68 104 WL1273_READ_FMANT_TUNE_VALUE ........ TX tuning capacitor value
?
/* FM TX antenna impedence values */
#define FM_TX_ANT_IMP_50 0
#define FM_TX_ANT_IMP_200 1
#define FM_TX_ANT_IMP_500 2
------------------------------------------------------------------------------------------
Codes 105-253 (0x69-0xfd) missing
------------------------------------------------------------------------------------------
0xfe 254 WL1273_FM_POWER_MODE ........
0 FMC_FW_RX_FM_POWER_MODE_DISABLE
1 FMC_FW_RX_FM_POWER_MODE_ENABLE
0xff 255 WL1273_FM_INTERRUPT ........
------------------------------------------------------------------------------------------
?
5 WL1273_RSSI_BLOCK_SCAN_DATA_GET RSSI_BLOCK_SCAN_DATA_GET
------------------------------------------------------------------------------------------
/*
Maximum length of data that may be sent in a single RDS data set command
Once FM FW team removes internal limitations, HCI limitations (much
longer) may apply.
In case a longer RDS data should be sent to the chip, it is divided into
multiple chunks, each chunk being up to FMC_FW_TX_MAX_RDS_DATA_SET_LEN
bytes long
*/
#define FMC_FW_TX_MAX_RDS_DATA_SET_LEN ((FMC_UINT)30)
/*
Defines the max length of data that can be written to FM Hardware register
*/
#define FMC_FW_WRITE_HARDWARE_REG_MAX_DATA_LEN ((FMC_UINT)HCI_CMD_PARM_LEN)
? HCI_CMD_PARM_LEN ?
------------------------------------------------------------------------------------------
Event masks:
bit, 2 hex bytes, (1), (2)
0 0x0001 WL1273_FR_EVENT FMC_FW_MASK_FR Tuning Operation Ended
1 0x0002 WL1273_BL_EVENT FMC_FW_MASK_BL Band limit was reached during search
2 0x0004 WL1273_RDS_EVENT FMC_FW_MASK_RDS RDS data threshold reached in FIFO buffer
3 0x0008 WL1273_BBLK_EVENT FMC_FW_MASK_BBLK RDS B block match condition occurred
4 0x0010 WL1273_LSYNC_EVENT FMC_FW_MASK_LSYNC RDS sync was lost
5 0x0020 WL1273_LEV_EVENT FMC_FW_MASK_LEV RSSI level has fallen below the threshold configured by SEARCH_LVL_SET
6 0x0040 WL1273_IFFR_EVENT FMC_FW_MASK_IFFR Received signal frequency is out of range
7 0x0080 WL1273_PI_EVENT FMC_FW_MASK_PI RDS PI match occurred
8 0x0100 WL1273_PD_EVENT FMC_FW_MASK_PD Audio pause detect occurred
9 0x0200 WL1273_STIC_EVENT FMC_FW_MASK_STIC Stereo indication changed
10 0x0400 WL1273_MAL_EVENT FMC_FW_MASK_MAL Hardware malfunction
11 0x0800 WL1273_POW_ENB_EVENT FMC_FW_MASK_POW_ENB Tx Power Enable/Disable
12 0x1000 WL1273_SCAN_OVER_EVENT FMC_FW_MASK_INVALID_PARAM
13 0x2000 WL1273_ERROR_EVENT !! One of the above is wrong !!
---------------------------------------------------------------------------------------------------------
FM Receiver script
---null set---
FM Transmitter script
---null set---
I think you are doing an awsome job and I really hope that you'll succeded. But the reason why I'm writing this post is to get this thread on the first page again for a while, so maybe more developers will see it, and can contribute !
Good luck!
EDIT: Perhaps it just needs more outstandig title, maybe Unviersal FM radio for android devices with TI WL chips, or something that would get people to read it.
qzem said:
I think you are doing an awsome job and I really hope that you'll succeded. But the reason why I'm writing this post is to get this thread on the first page again for a while, so maybe more developers will see it, and can contribute !
Good luck!
EDIT: Perhaps it just needs more outstandig title, maybe Unviersal FM radio for android devices with TI WL chips, or something that would get people to read it.
Click to expand...
Click to collapse
It's already off the first page, LOL.
My plan has been to post a link to this thread in the various existing threads for different devices using the TI FM chips. I'm sure that will get this thread some notice. I think a lot of devs and dev types stick to the forums for their devices and don't look at this general section.
At least there are so many potentially matching keywords in the first 10 posts that google searches on the subject are likely to link here.
I agonized over the thread title name for some time and "TI FM Radio" is best description I could think of, technically at least. I don't know if I can rename the thread, but it might help to put the names of popular devices with TI chips in the title.
As I posted on the Legend thread, I now have an App Inventor app up and running with functionality to tune, scan, change volume and see signal strength. The audio routing is the last major piece of the puzzle, but it may be different on different devices.
I'll spend a few more days at most to try and get audio routing working, and then, whether working or not, I'll post in a few threads looking for further info and people who want to try the app I'm building.
Would be nice to see the RDS and transmitter working soon too.
Regarding merging the bluetooth and FM drivers, TI's solution appears to be what they call a shared transport line discipline driver. The way this should work, each driver has what appears to it to be dedicated access to it's respective core, and the line discipline driver takes care of any queueing or delaying of commands & such that has to happen to keep them from stepping on each others toes.
Oh, and "IP" is "Intellectual Property" in this case. So the core, generally you'd say the WL127x has a wifi core, bluetooth core, etc. and 128x has a gps core as well. An IP core uses a description language (it used to be VHDL) to describe the layout of the core, so for instance if a company wants to build wifi onto their own chip, they can buy use of the IP core from TI instead of having to buy a phyiscal chip and interface to it.
I've got a debian install wedged onto my Droid 2 Global, I'm going to look into the "ti-st" V4L2 FM drivers, and see if I can get a module that will insert. The kernel can't be replaced on D2G yet, but as far as I know if I get a 2.6.32.9 kernel tree, and get ti-st driver to compile under it, I don't see why it shouldn't insert as a module just fine. Also, I'll look REAL closely to see if I can discern how it gets audio out, so I might have an hcitool command or two to add if that pans out.
hwertz said:
Regarding merging the bluetooth and FM drivers, TI's solution appears to be what they call a shared transport line discipline driver. The way this should work, each driver has what appears to it to be dedicated access to it's respective core, and the line discipline driver takes care of any queueing or delaying of commands & such that has to happen to keep them from stepping on each others toes.
Oh, and "IP" is "Intellectual Property" in this case. So the core, generally you'd say the WL127x has a wifi core, bluetooth core, etc. and 128x has a gps core as well. An IP core uses a description language (it used to be VHDL) to describe the layout of the core, so for instance if a company wants to build wifi onto their own chip, they can buy use of the IP core from TI instead of having to buy a phyiscal chip and interface to it.
I've got a debian install wedged onto my Droid 2 Global, I'm going to look into the "ti-st" V4L2 FM drivers, and see if I can get a module that will insert. The kernel can't be replaced on D2G yet, but as far as I know if I get a 2.6.32.9 kernel tree, and get ti-st driver to compile under it, I don't see why it shouldn't insert as a module just fine. Also, I'll look REAL closely to see if I can discern how it gets audio out, so I might have an hcitool command or two to add if that pans out.
Click to expand...
Click to collapse
Thanks for the info hwertz .
OK I understand "IP" now; never heard it used in that way to designate blocks on a chip.
Yes I read something about the line discipline. Some block diagrams: http://omappedia.org/wiki/Wilink_ST
If you know of any HCI commands dealing with audio routing, please post or pm whatever info you can share.
So I'd guess your opinion is that the v4l2 api is the best route to support FM radios on Android ? That was among my first thoughts until I saw that there is currently virtually no such support on any Android ROM I've heard of. HCI seems to work fine, but it requires chip specific commands of course.
Clearly though, at least Nokia and TI both are working on efforts to bring V4L2 apis for the TI chip in the embedded linux or Android environments.
I'm not sure how audio routing would be configured on Android when using v4l2 apis. The PC environment requires moving digital data from source to destination. But SOC devices often can move digital or analog data directly and without software support.
FM Transmitting Radius
So I hope this question is not too basic for this forum, but I'm new to it and wonder how large the FM transmitting radius of such a chip might be. I basically just need to get an idea, but of course I'd also be thankful if you can refer me to all sorts of literature, specs, overviews, etc.
Thanks!
Lipton1 said:
So I hope this question is not too basic for this forum, but I'm new to it and wonder how large the FM transmitting radius of such a chip might be. I basically just need to get an idea, but of course I'd also be thankful if you can refer me to all sorts of literature, specs, overviews, etc.
Thanks!
Click to expand...
Click to collapse
This thread is over 2 years old now. The original purpose was to try and find others interested in sharing the undocumented secrets of TI's FM chip.
But after my info dump, nobody showed up to share with me, and likely nobody will, so I will close it after this post.
Any further discussion about FM can move to the Spirit FM thread in my sig.
These chips put out tiny amounts of power in transmit mode, maybe 10-30 milliwatts or so. The only phones I have that transmit have to have their headset cable antenna wrapped around the receiver antenna to get anything resembling decent quality.
So I'd call the transmit radius a few centimetres at most. Little wonder then, perhaps, why so few Android devices support transmit.

Fix for ARLiberator 3.01 half screen issue on HDMI sticks

When using ARLiberator on a HDMI stick to connect to an AppRadio it seems to work however there's an issue that only half of the screen can be reached. Which makes it pretty useless even though it seems a small problem and indeed it was. I have developed a fix for it that involves modifying the APK of the ARLiberator 3.01 version.
The steps are as following:
1) Get apktool
- Goto https://code.google.com/p/android-apktool/downloads/list
- Download apktool1.5.2.tar.bz2
- Download apktool-install-windows-r05-ibot.tar.bz2
- Unpack both files in a directory like c:\apktool so it will look like this
aapt.exe
apktool.bat
apktool.jar
2) Get Java JDK 7u25
- Goto //www.oracle.com/technetwork/java/javase/downloads/index.html
- Click on Java Platform (JDK) 7u25
- Click on jdk-7u25-windows-i586.exe if you have a 32bits system
- Click on jdk-7u25-windows-x64.exe if you have a 64bits system
- Save file and install it.
- Add C:\Program Files\Java\jdk1.7.0_25\bin to your path variable.
3) Open command line in c:\apktool
C:\Apktool>java -version
java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b17)
Java HotSpot(TM) Client VM (build 23.25-b01, mixed mode, sharing)
4) Copy your 3.01 apk file to c:\apktool in my case called com.kyle.arliberator-a49f58a925d99a41afeb9a36d472b806.apk
5) Decompile
C:\Apktool>apktool d com.kyle.arliberator-a49f58a925d99a41afeb9a36d472b806.apk 301
I: Baksmaling...
I: Loading resource table...
I: Loaded.
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: C:\Documents and Settings\Ruud\apktool\framework\1.apk
I: Loaded.
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Done.
I: Copying assets and libs...
6) Fix files
Open file C:\Apktool\301\smali\com\kyle\arliberator\TouchHandler.smali
Goto line 72. "if-le v0, v1, :cond_0"
Change it to "goto :cond_0"
Open file C:\Apktool\301\smali\com\kyle\arliberator\KillNanny.smali
Goto line 807. "0x1e1cf -> :sswitch_1"
Change it to "0x1e1cf -> :sswitch_0"
7) Build apk
C:\Apktool>apktool b 301 301fixed.apk
I: Checking whether sources has changed...
I: Smaling...
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs...
I: Building apk file...
8) Prepare apk signing (only need to do once, values you enter don't really matter except password)
C:\Apktool>keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password: android
Re-enter new password: android
What is your first and last name?
[Unknown]: james brown
What is the name of your organizational unit?
[Unknown]: fluffy
What is the name of your organization?
[Unknown]: fluffers
What is the name of your City or Locality?
[Unknown]: amsterdam
What is the name of your State or Province?
[Unknown]: nh
What is the two-letter country code for this unit?
[Unknown]: nl
Is CN=james brown, OU=fluffy, O=fluffers, L=amsterdam, ST=nh, C=nl correct?
[no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
for: CN=james brown, OU=fluffy, O=fluffers, L=amsterdam, ST=nh, C=nl
Enter key password for <alias_name>
(RETURN if same as keystore password):
New certificate (self-signed):
[
[
Version: V3
Subject: CN=james brown, OU=fluffy, O=fluffers, L=amsterdam, ST=nh, C=nl
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 2302897498469818610507865964188619447321569256045500777798690530354475198664205066592969169321470713032681508
733306834574529850207658647514679181766691822631188140576709323607982695172198123038121197240253522055939542487047506386
716104547119098887170863849418260816385179213380928971384233871142993611611834083487249662969179258518611292988333637102
227241592334735863024515710929024071170905152943178086184336293000456783247552092347479124040297057663523558151307892056
393360874914089822140793285958124895164763575613359626849777825230884625298246269560901997927825106169042411463502008207
2538339018083911783240963349
public exponent: 65537
Validity: [From: Thu Aug 15 22:36:25 CEST 2013,
To: Mon Dec 31 21:36:25 CET 2040]
Issuer: CN=james brown, OU=fluffy, O=fluffers, L=amsterdam, ST=nh, C=nl
SerialNumber: [ 123ba4dd]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 18 2A 06 45 87 E9 63 88 52 F7 D1 6C 38 C2 F0 CC .*.E..c.R..l8...
0010: 36 11 9A D7 6...
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 1E BB 4E 57 3D AF C8 51 AA 08 62 5C C9 17 ED B6 ..NW=..Q..b\....
0010: 7E 91 A7 2C 9B A2 E8 31 ED C3 92 FE 67 33 0F 08 ...,...1....g3..
0020: DD 07 51 DF 40 DD 49 B0 A3 BC 79 DE 1B DE 0A F2 ..Q @.i...y.....
0030: E6 91 50 F2 65 3C 14 4B 80 C5 D8 68 10 29 C5 3F ..P.e<.K...h.).?
0040: 3E 8F 01 AC F7 12 25 79 E3 48 80 A8 2C 94 3A 08 >.....%y.H..,.:.
0050: 0D 1F C4 17 56 39 B4 7F 8C 3A 9D 7D EB 29 22 9F ....V9...:...)".
0060: 40 7A 2A 98 CE 5A 24 79 34 AA 85 EE D7 9E DB 6D @z*..Z$y4......m
0070: 1B 50 58 E5 68 22 58 FB A5 84 15 B1 8E 17 FD E8 .PX.h"X.........
0080: 40 E2 95 7A 27 4D 0F E0 6B 45 69 E7 29 80 AB 02 @..z'M..kEi.)...
0090: 38 BB 5B AB 62 68 4B 88 12 1D 32 97 0D 15 F4 9C 8.[.bhK...2.....
00A0: BC 49 11 D1 1E C9 D1 0E 20 92 D0 DE BE C7 73 81 .I...... .....s.
00B0: 38 93 C7 53 36 FD 7E CA 76 1A 71 93 43 B1 95 5D 8..S6...v.q.C..]
00C0: 27 D6 2B 0E E2 EC 57 47 90 EB C0 4B 79 C5 2E 3A '.+...WG...Ky..:
00D0: 91 EA F4 37 B6 10 AC B1 C5 D0 81 6C 42 37 ED E8 ...7.......lB7..
00E0: 77 94 4B E6 1A 07 90 AE B1 A1 5D 24 F7 73 A5 96 w.K.......]$.s..
00F0: B1 08 58 1F 0A 14 D7 06 3A 3A 5F 28 BE 75 E1 01 ..X.....::_(.u..
]
[Storing my-release-key.keystore]
9) Sign apk file
C:\Apktool>jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore 301fixed.apk alias_name
Enter Passphrase for keystore: android
adding: META-INF/MANIFEST.MF
adding: META-INF/ALIAS_NA.SF
adding: META-INF/ALIAS_NA.RSA
signing: assets/digital7.ttf
signing: lib/armeabi/libndk1.so
signing: res/anim/dialog_enter.xml
signing: res/anim/dialog_exit.xml
signing: res/anim/fade_in.xml
..
..
signing: res/xml/appradiohome.xml
signing: res/xml/changelog.xml
signing: res/xml/settings.xml
signing: AndroidManifest.xml
signing: classes.dex
signing: resources.arsc
10) Install your new apk file and enjoy
note: Google license check is removed so it can run anywhere.
Please keep this in mind and do not spread it around.
This only works with invert xy coordinates enabled in the settings.
any suggestions on the better HDMI Sticks to use for this?
Same question, which stick is the best to get?
xdaisgreat said:
Same question, which stick is the best to get?
Click to expand...
Click to collapse
I don't know which one is best but I got a Tronsmart MK908. It's a quad core and it's fast and snappy. It should provide more than enough processing power and memory (2GB) to play music, video and run a navigation app. Here you can read more about it XDA discussion on MK908.
I installed some apps and everything seems to work well and fast. In the XDA discussion some people complain that it's 720p and not 1080p but for use with an AppRadio that doesn't matter at all. To cut a long story short, I got one and I am happy with it thus far.
I fixed this ARL issue but then didn't finish my complete setup with the MK908 yet because now I am working on hacking the Pioneer AppRadio app so it will allow complete control of your phone/stick. I am doing this because ARL doesn't support AppRadio 3 but the Pioneer App does.
Also with ARL 3.01 it was quite difficult to get Bluetooth connected with the stick. This is an ARL issue because the Pioneer app has no problems connecting.
Difficult? How so exactly? Where are the issues?
Willing to try it so I am not limited on my phone selection
Sent from my Nexus 7 using Tapatalk 4
-=Jeff=- said:
Difficult? How so exactly? Where are the issues?
Click to expand...
Click to collapse
That you have to retry connecting many times before it connects. What seems to help is to cycle Bluetooth on/off. If you scroll down a bit here http://forum.xda-developers.com/showthread.php?t=1622795&page=36 there's some quite complicated procedure on how to get it connecting. Note that the older ARL V2.51 had no connection issues. Anyway it's an ARL issue and since the appradio forums is back on I suggest you check there for possible solutions.
This is very interesting, i have been trying to get a Minix Neo X7 Quad core box installed for a week now. i have all the connections working really well but the touch screen is well off.
It would seem using the stock application for touch would not really give me any alignment at all. all the calibration tool did was show on the right had side of the screen and once complete really didn't match a thing.
Once i installed the modded APK the calibration tool still only shows on the right of the screen but i now have the left of the screen setup ok. all works and touch is spot on.!
So can you tell me if the application can be modded again to give me touch across the whole thing?
smartit said:
This is very interesting, i have been trying to get a Minix Neo X7 Quad core box installed for a week now. i have all the connections working really well but the touch screen is well off.
It would seem using the stock application for touch would not really give me any alignment at all. all the calibration tool did was show on the right had side of the screen and once complete really didn't match a thing.
Once i installed the modded APK the calibration tool still only shows on the right of the screen but i now have the left of the screen setup ok. all works and touch is spot on.!
So can you tell me if the application can be modded again to give me touch across the whole thing?
Click to expand...
Click to collapse
Of course it can. If you are willing to spend enough time on it.
Did you enable invert xy coordinates?
This issue should have been fixed by the ARL dev long time ago already. It was actually one of the reasons why I started development of the AppRadio Unchained mod.
When I have some time I will look at it again. There's another line in the code where the coordinates are limited. Removing this will fix the problem.
Area51© said:
Of course it can. If you are willing to spend enough time on it.
Did you enable invert xy coordinates?
This issue should have been fixed by the ARL dev long time ago already. It was actually one of the reasons why I started development of the AppRadio Unchained mod.
When I have some time I will look at it again. There's another line in the code where the coordinates are limited. Removing this will fix the problem.
Click to expand...
Click to collapse
Thank you for your response.
I have not had another chance to look at this but I will over the weekend. I am sure I checked the invert checkbox but I think I will flush all app data and try again, I have noticed that the DEV has added lines for screen resolution etc and I am wondering if it thinks its still in portrait mode. I will confirm all this over the weekend. you also mentioned you have had better connection success with an older version of the app?
Would you be able to PM me about this?
smartit said:
Thank you for your response.
I have not had another chance to look at this but I will over the weekend. I am sure I checked the invert checkbox but I think I will flush all app data and try again, I have noticed that the DEV has added lines for screen resolution etc and I am wondering if it thinks its still in portrait mode. I will confirm all this over the weekend. you also mentioned you have had better connection success with an older version of the app?
Would you be able to PM me about this?
Click to expand...
Click to collapse
Ok, I checked for you. To remove the other limiting thingy, add the following to step 6) :
In TouchHandler.smali
Goto line 119: "if-lt v0, v1, :cond_0"
Change it to "goto :cond_0"
I hope this helps. I would rather not spend more time on it. Quite busy with AppRadio Unchained development.
Thanks again. For you quick help with.
Sent from my GT-I9505 using Tapatalk
Really so I have to recompile the whole package? Yikes! There has to be an easier way. Do you have a patch I could apply? I'm using a mouse to get around the screen right now but that's not really how I wanted to do things.
SageForce said:
Really so I have to recompile the whole package?
Click to expand...
Click to collapse
Yeah. I could have put the APK somewhere for download but didn't want to make a pirated copy available. Also I don't have loads of spare time to make things as easy as possible for anybody that possibly wants to use this. Maybe you can contribute something?
I hear you on that could you PM me a link? I've got my license version but I'd like to take a look at it and see what I could do?
Area51© said:
Yeah. I could have put the APK somewhere for download but didn't want to make a pirated copy available. Also I don't have loads of spare time to make things as easy as possible for anybody that possibly wants to use this. Maybe you can contribute something?
Click to expand...
Click to collapse
Thank u very much
Your tutorial works very fine for me. Takes me about 20 minutes till its works. thx a lot!!:good::good::good:
I tried to do that but it is still not working for my ODROID U3 .
If someone has an idea !
Edit : My bad, I've done again the calibration and now it's working well. Thanks .
My only problem is that I need to force the connection at startup.
Thanks for the write up. I have a MK809III with AppRadio Unchained. Funny enough, it does the same half screen thing. I am going to try this tonight & see if it works. If so, I'll do a FULL walkthrough on setting this up. The main problem I see is that there are soo many variants of these sticks. On my board, its listed a Ver 5_2, which I could not find almost any ROMs that worked. One good thing though, the WiFi is pretty good. It looks like they have an antenna built in around the perimeter of the board.
Sincidius said:
Thanks for the write up. I have a MK809III with AppRadio Unchained. Funny enough, it does the same half screen thing. I am going to try this tonight & see if it works. If so, I'll do a FULL walkthrough on setting this up. The main problem I see is that there are soo many variants of these sticks. On my board, its listed a Ver 5_2, which I could not find almost any ROMs that worked. One good thing though, the WiFi is pretty good. It looks like they have an antenna built in around the perimeter of the board.
Click to expand...
Click to collapse
After not being happy with ARL I made ARU and ARUReloaded that definitely does not have this issue. If you have ARUR make sure that you have selected 'Invert XY-coordinates' in the settings.
Area51© said:
After not being happy with ARL I made ARU and ARUReloaded that definitely does not have this issue. If you have ARUR make sure that you have selected 'Invert XY-coordinates' in the settings.
Click to expand...
Click to collapse
Yeah, 720P output, invert, reset, worked. Thanks!
The only issue now is Google Play music using the SD card storage. I have tried almost everything (Xposed Music fix, RootBrowser) but cannot seem to get Play Music to download to the SD card. The select memory under settings isn't even available. Not looking for a solution, just whining.

[GUIDE] OBEX Protocol for Samsung GSM devices specification

Author: Apriorit (Device Team)
Permanent link: www(dot)apriorit(dot)com/dev-blog/58-samsung-obex-specification
This article describes the protocol of data exchange that is the modification of the well-known OBEX protocol used in the GSM Samsung phones from the SHP family. The described modification of this protocol lets you write data to the phone and also get and save them.
Introduction
This article describes the protocol of data exchange that is the modification of the well-known OBEX protocol used in the GSM Samsung phones from the SHP family. The described modification of this protocol lets you write data to the phone and also get and save them.
Samsung Corporation made the new line of phones from SHP family and implemented the support of OBEX protocol in them that had not been used in the phones of this company before. Tries to use the common OBEX protocol did not succeed. This problem was solved by means of sniffing the Samsung PC Studio 3.0 utility. The obtained results are given in the main part of the article.
This article will be useful for those who develop utilities for writing/reading information from the phones. The described protocol modification will solve the problem of communicating with the device.
First we consider three main types of the protocol commands. Then we pay our attention to the sequence of the commands sent to connect with the device, read data and finish the session. Then I will give some examples for the main commands. At the end of the article some summary will be given.
Main protocol commands format
All protocol commands can be divided into 2 types:
1. AKN-packages. They are packages to confirm the data receiving and request the next part of the extended package.
2. Data packages. They are initialization, acquiring, closing etc. There can be Request and Answer packages.
AKN package is one block with 3 bytes length: 0x83 0x00 0x03.
Request package has the following structure:
Size (bytes) Meaning Description
1 Package ID 0x80 Select the answering device, obtain the properties and establish connection
0x81 Finish the connection session
0x82 Write an object
0x83 Read an object
0x84 Reserved
0х85 Select the default directory on the receiving side
0хFF Cancel current operation
2 Package size The size of the whole package (from the zero byte and to the end)
… Data blocks Some number of data blocks that depends on the context of the command containing them.
Format:
Size (bytes) Meaning Description
1 Type Set the type of the data in the block
2 Size The size of the whole data block (from the zero byte and to the end)
N-3 Data Some data depending on the type specified by the first byte
The description of the Answer packages is given in the table below.
Size (bytes) Value Description
1 Package ID 0x90 Successful but not completed (received package is a part of the extended package)
0xA0 Successful and completed
0xC3 Access denied
0xC4 Not found
0xC9 Conflict
2 Package size The size of the whole package (from the zero byte and to the end)
… Data blocks Some number of data blocks that depends on the context of the command containing them.
Format:
Size (bytes) Meaning Description
1 Type Set the type of the data in the block
2 Size The size of the whole data block (from the zero byte and to the end)
N-3 Data Some data depending on the type specified by the first byte
The sequence of commands
As any standard communication protocol modified OBEX consists of the sequence of requests and answers. In general the communication session can be divided into 3 phases:
1. Initialization
2. Acquiring data
3. Closing the session
Table with the session description is given below.
Initialization phase
Request 41 54 2B 53 59 4E 43 4D 4C 3D 4D 4F 42 45 58 53 54 41 52 54 0D 0A AT+SYNCML=MOBEXS
Answer 41 54 2B 53 59 4E 43 4D 4C 3D 4D 4F 42 45 58 5354 41 52 54 0D 4F 4B 0D 0A AT+SYNCML=MOBEXSTART.OK..
Request 80 00 0F 11 00 FF FF 46 00 08 4D 4F 42 45 58 А.... F..MOBEX
Answer A0 00 14 12 00 05 78 CB 00 00 00 01 4A 00 08 4D 4F 42 45 58 а.....x╦....J..MOBEX
Acquiring phase
Request A series of requests and answers for acquiring data
Answer Note: if the first byte of the package is equal to 0x90 then it is so-called extended package and then the sending of AKN-package (0x83 0x00 0x03) is required,
after it the device will give us the other parts of the package.
Closing phase
Request 81 00 08 CB 00 00 00 01 Б..╦....
Answer A0 00 03 а..
Commands examples
Let’s consider some examples of the data acquisition. They will be the examples of working with the file system.
Obtaining the list of subfolders of the folder(m-obex/fs/folder_listing)
Request
83 00 29 CB 00 00 00 01 42 00 1C 6D 2D 6F 62 65 ?.)E....B..m-obex/fs/folder_listing..../.
78 2F 66 73 2F 66 6F 6C 64 65 72 5F 6C 69 73 74
69 6E 67 00 01 00 05 2F 00
Size (bytes) Value Description
1 0x83 Reading
2 0x00 0x29 Package size
1 0xCB Data block type
4 0x00 0x00 0x00 0x01 Reserved
1 0x42 Data block type (text)
2 0x00 0x1C Block size
N-3 m-obex/fs/folder_listing Block data (command name)
1 0x01 Block type (list)
2 0x00 0x05 Block size
N-3 0x2F 0x00 Block data
Note: “/” for the root, “/” for the other folders
Answer
A0 00 FC 42 00 1B 6D 2D 6F 62 65 78 2F 66 73 2F .uB..m-obex/fs/
66 6F 6C 64 65 72 5F 6C 69 73 74 69 6E 67 C3 00 folder_listingA.
00 00 D6 49 00 D9 41 75 64 69 6F 2C 30 2C 31 31 ..OI.UAudio,0,11
31 30 30 31 30 31 30 2C 32 30 30 34 3A 30 33 3A 1001010,2004:03:
30 31 20 30 31 3A 30 33 3A 30 30 5C 72 5C 6E 47 01 01:03:00\r\nG
72 61 70 68 69 63 73 2C 30 2C 31 31 31 30 30 31 raphics,0,111001
30 31 30 2C 32 30 30 34 3A 30 33 3A 30 31 20 30 010,2004:03:01 0
31 3A 30 33 3A 30 30 5C 72 5C 6E 56 69 64 65 6F 1:03:00\r\nVideo
2C 30 2C 31 31 31 30 30 31 30 31 30 2C 32 30 30 ,0,111001010,200
34 3A 30 33 3A 30 31 20 30 31 3A 30 33 3A 30 30 4:03:01 01:03:00
5C 72 5C 6E 4D 75 73 69 63 2C 30 2C 31 31 31 30 \r\nMusic,0,1110
30 31 30 31 30 2C 32 30 30 34 3A 30 33 3A 30 31 01010,2004:03:01
20 30 31 3A 30 33 3A 30 30 5C 72 5C 6E 4F 74 68 01:03:00\r\nOth
65 72 20 46 69 6C 65 73 2C 30 2C 31 er Files,0,1
31 31 30 30 31 30 31 30 2C 32 30 30 34 3A 30 33 11001010,2004:03
3A 30 31 20 30 31 3A 30 33 3A 30 30 5C 72 5C 6E :01 01:03:00\r\n
Size Value Description
1 0xA0 Successful operation
2 0x00 0x0F Package size
1 0x42 Block type
2 0x00 0x1C Block size
N-3 m-obex/fs/folder_listing(0x00) Block data
1 0xCB Block type
4 0x00 0x00 0x00 0xD6 Reserved
1 0x49 Block type
2 0x00 0xD9 Block size
N-3 Block data
Note: the list items are separated with the pair of symbols “\r\n”
Each element of the list is the folder description: [Name][Size(always 0)][Attributes][Modified][Created].
So in the example of these two commands you can see the general structure of the package in the modified OBEX protocol.
In conclusion I want to mention that the records in the phone book as well as the calendar are represented in VCard as it was in the previous versions of the OBEX protocols.

[DEAD] Crius Mea Q7A+ - Qualcomm MSM8625 SoC ARMv7-A arch DEAD

ⴰⵣⵓⵍ,
When i say dead, it's typically dead.
The tablet is a Crius Mea Q7A+, uses the Qualcomm MSM8625 SoC based on the ARMv7-A arch that combines 2 ARM Cortex-A5.
While this tablet was just bricked for a long while, and i couldn't and didn't have time and firmware to reflash it, since it's one of those useless chinese low end tablets.
Having such a desirable SoC for a programmer i thought i can test on it my first steps bootloaders and Embedded OS while developing them for this sole purpose.
ⵣ Space to avoid readers jumping lines ⵣ
The tablet after i flashed it with a lower firmware of an equivalent or almost another SoC, was booting in fastboot mode only thinking that i could get more info's with that about partitions.
I didn't, so what i did was erasing the modem partition, and that left the tablet open as a generic storage drive, i saved almost every information i could have about this SoC, the partition that were available, Qualcomm's boot sequence, UART serial connection of the SoC, and read for week several pages to gather information useful to make a bootloader.
ⵣ Space to avoid readers jumping lines ⵣ
At the end i failed, i thought i could repartition the Flash memory of the SoC to prepare it for future uploading of my bootloader, there was a partition that is miss aligned, which was maybe the 3gb internal storage, so what i did is delete the partition and recreate it erasing the secondary ones, it was working normally as expected.
But then tomorrow i decided to plug the tablet again, but it doesn't get detected, this happened before, i cant really explain how the Primary core is trying to establish connection with the PC, but it's a bad mofo. Still it was detected all the time if i remember well.
But today the tablet was dead, i can even feel the SoC is not responding at all.
Not even detected when plugged to PC.
The battery does charges, cause i tested with a diode since i dont have a multimeter, which burned even with a resistor after the current was too high, but then with a DC brushless motor.
Mainly the charging circuit is separated from other components and connected directly to DC, that's why it's charging.
I opened the tablet, and took off the battery cables thinking i might be able to get the core to QDload mode which pressing some combinations...
And yeah i tried every combination i can think off, i even tried pressing my mouse in the PC and pressing the Vol UP in the tablet... am so funny.
I hope anyone can tell me a way to communicate with the SoC in this state, or any other solution thanks peace.
Finally i forgot the partition i saved as a text before i repartitioned the last ones only :
Code:
Disk /dev/sdd: 3.7 GiB, 3909091328 bytes, 7634944 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Sectors Size Id Type
/dev/sdd1 * 1 40 40 20K 4d QNX4.x
/dev/sdd2 41 540 500 250K 45 unknown
/dev/sdd3 541 102940 102400 50M c W95 FAT32 (LBA)
/dev/sdd4 102941 7634943 7532003 3.6G 5 Extended
/dev/sdd5 131072 135167 4096 2M 46 unknown
/dev/sdd6 135168 141311 6144 3M 58 unknown
/dev/sdd7 141312 147455 6144 3M 4a unknown
/dev/sdd8 147456 153599 6144 3M 4b unknown
/dev/sdd9 153600 157695 4096 2M 5d unknown
/dev/sdd10 157696 165887 8192 4M 90 unknown
/dev/sdd11 165888 167935 2048 1M 63 GNU HURD or SysV
/dev/sdd12 167936 169471 1536 768K 47 unknown
/dev/sdd13 169472 196623 27152 13.3M 60 unknown
/dev/sdd14 196624 217103 20480 10M 91 unknown
/dev/sdd15 217104 413711 196608 96M 83 Linux
/dev/sdd16 413712 440863 27152 13.3M 48 unknown
/dev/sdd17 440864 1362463 921600 450M 83 Linux
/dev/sdd18 1362464 1567263 204800 100M 83 Linux
/dev/sdd19 1567264 1567303 40 20K 4c unknown
/dev/sdd20 1567304 4536903 2969600 1.4G c W95 FAT32 (LBA)
/dev/sdd21 4536904 7510599 2973696 1.4G 83 Linux
/dev/sdd22 7510600 7634942 124343 60.7M 83 Linux
As you can the sdd4 partition was overlapping other partitions sectors so i had to erase it, the rest got erased in the way, but the main boot and from 1 to 3 are intact.
Something else, the MSM7627a is a close SoC to this one, except for the one i have got 2 Cores instead of one, and supports LPDDR and have a more developed GPU, here's a note i wrote :
Code:
MSM7627 seems close enough to the MSM8625, except that it uses a single core ARMv7-A CORTEX A5.
Which is the primary core that we need to boot up, then add the next core to the equation for the kernel.
Some differences about the MSM7627a and the MSM8625 :
MSM7627a | MSM8625
CPU Clock Speed 1,000MHz 1,200MHz
CPU Cores 1 2
GPU Qualcomm Adreno 200 Qualcomm Adreno 203
RAM Interface LPDDR2 SDRAM LPDDR, LPDDR2 SDRAM
As we can see here, they are almost identical, except for the cores which wont make a wall since we're making a bootloader, the GPU... and the RAM interface
Am on Debian Stretch and i dont have any ways of visualization but i accept any link on any platform. Thanks everyone peace again
I also want to add, that i can feel a bit of heat over the tablet it's certainly not from the battery, i dont really know if its coming from the SoC, but if it is am really glad he's doing some cycles.
And i thought i had a chance in this forum lol. looks like am on ma own.

Daydream NFC

Can anyone with a daydream view somehow upload the files of the NFC chip in the headset so we can "pair" a daydream view and instead use a cardboard?
ditto
AXelzero1 said:
Can anyone with a daydream view somehow upload the files of the NFC chip in the headset so we can "pair" a daydream view and instead use a cardboard?
Click to expand...
Click to collapse
Well, I have a daydream view but I don't know the means to upload it if you can elaborate I will be glad to do so.
Here's the NDEF data from the tag. Just write records 1-4 to a NFC tag, and it should appear like a Daydream headset. However, without the controller you won't get very far.
Code:
-- NDEF ------------------------------
# NFC data set information:
NDEF message containing 4 records
Current message size: 98 bytes
Maximum message size: 98 bytes
NFC data set access: Read-Only
# Record #1: MIME type (RFC 2046) record:
Type Name Format: MIME type (RFC 2046)
Short Record
type: "google.vr/rsvd"
Payload length: 4 bytes
Payload data:
[00] 00 00 00 00 |.... |
# Record #2: MIME type (RFC 2046) record:
Type Name Format: MIME type (RFC 2046)
Short Record
type: "google.vr/ver"
Payload length: 4 bytes
Payload data:
[00] 00 00 00 03 |.... |
# Record #3: MIME type (RFC 2046) record:
Type Name Format: MIME type (RFC 2046)
Short Record
type: "google.vr/data"
Payload length: 2 bytes
Payload data:
[00] 08 03 |.. |
# Record #4: Android Application record:
Type Name Format: NFC Forum external type
Short Record
type: "android.com:pkg"
package name: com.google.vr.vrcore
Payload length: 20 bytes
Payload data:
[00] 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 76 72 2E 76 72 |com.google.vr.vr|
[10] 63 6F 72 65 |core |
# NDEF message:
[00] 92 0E 04 67 6F 6F 67 6C 65 2E 76 72 2F 72 73 76 |...google.vr/rsv|
[10] 64 00 00 00 00 12 0D 04 67 6F 6F 67 6C 65 2E 76 |d.......google.v|
[20] 72 2F 76 65 72 00 00 00 03 12 0E 02 67 6F 6F 67 |r/ver.......goog|
[30] 6C 65 2E 76 72 2F 64 61 74 61 08 03 54 0F 14 61 |le.vr/data..T..a|
[40] 6E 64 72 6F 69 64 2E 63 6F 6D 3A 70 6B 67 63 6F |ndroid.com:pkgco|
[50] 6D 2E 67 6F 6F 67 6C 65 2E 76 72 2E 76 72 63 6F |m.google.vr.vrco|
[60] 72 65 |re |
# NDEF Capability Container (CC):
Mapping version: 1.0
Maximum NDEF data size: 872 bytes
NDEF access: Read & Write
E1 10 6D 00 |..m. |
isaacwg said:
Here's the NDEF data from the tag. Just write records 1-4 to a NFC tag, and it should appear like a Daydream headset. However, without the controller you won't get very far.
Click to expand...
Click to collapse
I was just looking to get around that. I have an extra phone I can use as a controller emulator if I need to.
how can i write this ndef records to a tag ??
So how do I write these four records on NFC tag? With what app and how?
You can use NFC Tag Cloner.
I've turned it into a file type that this app can recognize.
Download, unzip the file, then copy to your Android device.
Install the app, then try opening this file with a file explorer such as Solid Explorer. If asked what app to open, make sure you choose NFC Tag Cloner.
Interestingly enough, zipping this file so that I could upload it ended up almost tripling its size.
Hi. Can anyone explain how to write this daydream tag code on a Mifare Classic 1k tag using android phone, any app? Thanks!
NuVanDibe said:
You can use NFC Tag Cloner.
I've turned it into a file type that this app can recognize.
Download, unzip the file, then copy to your Android device.
Install the app, then try opening this file with a file explorer such as Solid Explorer. If asked what app to open, make sure you choose NFC Tag Cloner.
Interestingly enough, zipping this file so that I could upload it ended up almost tripling its size.
Click to expand...
Click to collapse
Please, can you teach me how i can write your imported tag on my NFC Tags?
NuVanDibe said:
You can use NFC Tag Cloner.
I've turned it into a file type that this app can recognize.
Download, unzip the file, then copy to your Android device.
Install the app, then try opening this file with a file explorer such as Solid Explorer. If asked what app to open, make sure you choose NFC Tag Cloner.
Interestingly enough, zipping this file so that I could upload it ended up almost tripling its size.
Click to expand...
Click to collapse
I was able to clone the NFC tag with this file/app but I would like to learn how to manually write these hex records on a tag. The only tag I have is a Mifare Ultralight.
Hi Simeonico,
How did you do that? If I open the tag file in NFC cloner, it doesn't show up anywhere and it doesn't give me the option to write anything to an NFC tag before I scan a source tag....
Thanks.

Categories

Resources