Necromancer's notes

Well, to make the long story short – it’s dead. I was setting up my router with OpenWrt to share the internet, and connected the wrong power supply unit that provided 7.5 instead of 5 volts. The router is ok – there’s a good stepdown converter onboard, while the usb host is directly powered by what comes from power supply. So, that’s 2.5 volts overvoltage.
So, the modem got totally screwed: Blink and it’s dead. So I took the screwdriver and disassembled it.

By the way, the modem usually acts a bit weird. If it’s ledt disconnected for a long time, once you connect it to your laptop, the laptop just gets turned off via usb short-circuit protection. My guess was, that that happened because of the big inrush current into some capacitors out there.
And the guess was correct. The 5V usb supply are connected to two 6V 470uF caps connected in parallel (almost 1000uF!), then it goes into an unknown noname IC, and after that – into an LC filter consisting of 2х470uF 6V caps + 2 tantalum caps (value unknown, all caps are connected in parallel). AFAIK that is done because GSM modules do consume a lot of current while sending out bursts of data.
Whe I plugged the modem in the usb the multimeter showed 0 volts at the output of that unknown stepdown.
“It’s dead, Luke”
Let’s hope that the main SoC is still alive. Since no datasheets were found on the stepdown, I decided to guess the output voltage. My guess was 3.3, but I wanted to be sure. The chipset is Qualcom, with ARM core inside, so that could be anything from 1.2 volts, AFAIK. So I hacked another project, I called “The dropper“, to guess the correct voltage. At 3.3 volts the modem came back to life.
So I glued a 3.3 linear voltage regulator to the PCB:

Connected that with 0.3mm coated wires, so that it would fit in the original casing and no mod would be visible.
It worked for 15 seconds before the voltage regulator was shut down by overheat protection. Looks like the current was too big for it to handle.
So I said “goodbye” to preserving the original look, drilled the case, attached a powerful 3.3 volt stepdown, and assembled it. You know, who cares about design when the whole thing is going to work in the attic for the time being?. The result looks somewhat like that:

I removed one of the 470uF caps at the input, so that it will not bug me any more while I’m debugging the software stack on the laptop.
Once assembled, the modem connected to the network, completed a ping test. So, I guess it can be called a success.

I urgently needed a small device, to produce me a number of fixed voltages (mostly below 3.3 volts). I was a bit too lazy to do the step-down, so I resorted to lowdrops. You know, the guy who borrowed my L-meter for a ‘week or so’ still didn’t return that, and I do not feel myself comfortable winding inductance for 38063 with no measurements.

So, it’s dumb. I took a bunch AMS1117 (adjustables, fixed 3.3 and fixed 2.5), a bucnch of SMD resistors, and a LED. For calculation of resistor value any LM317 calc does the job fine.The LED has a 470 Оhm resistor.
I didn’t have any variable resistors, so I didn’t put any here.

The circuit is somewhat like that:
I was a bit in a hurry to fill in resistor values.

Here goes the 3d PCB model:

And the resulting device:

I added a power cord and a sticker with voltages.

And here goes the kicad project: lowdropper.tar.gz

Okay, I admit it, we’re building something quite big this time. And robotic. So big, that it needs some embedded brains of the ARM scale (SmartQ7) and a microcontroller, that does all the dirty work (e.g. controls motors, gathers data from sensors and feeds that stuff to an ARM for processing.) However, disconnecting the micro for flashing, or running around with an ISP programmer is not an option.this thing moves pretty much.
Continue reading “Remote-flashing an AVR board from an ARM” →

Okay, I hacked it to work.
So, what was the problem?
These damned modems by default show up as a mass_storage. As a cdrom actually. Which contains drivers. For windows.
Afterwards they are switched into a regular modem mode, which linux can make use of.
To do the switch in linux we need usb-modeswitch. A nice utility that handles the task. And some sniffed data filled into the config file.
Here it is:

########################################################
# HSDPA USB modem from dealextreme
# http://www.dealextreme.com/details.dx/sku.47013
# By Andrew 'Necromant' Andrianov

DefaultVendor= 0x05c6
DefaultProduct=0x2000

TargetVendor= 0x05c6
TargetProduct= 0x0015

# This modem doesn't react fast - it pauses for some 30-40 seconds
CheckSuccess=40

MessageEndpoint=0x08
MessageContent="5553424368032c882400000080000612000000240000000000000000000000"
# Nothing will work until you read the response from device
NeedResponse=1


I obtained it looking at this dump I grabbed from windoze via usbsnoop:

[231 ms] UsbSnoop - FilterAddDevice(a6b42748) : DriverObject 898c1408, pdo 88b88b30
[232 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_LEGACY_BUS_INFORMATION)
[232 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_LEGACY_BUS_INFORMATION)
[232 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_RESOURCE_REQUIREMENTS)
[233 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_RESOURCE_REQUIREMENTS)
[233 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_FILTER_RESOURCE_REQUIREMENTS)
[233 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_FILTER_RESOURCE_REQUIREMENTS)
[233 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_START_DEVICE)
[233 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_START_DEVICE)
[233 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_SYSTEM_CONTROL
[234 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL
[234 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=0
[234 ms] >>> URB 1 going down >>>
-- URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE:
TransferBufferLength = 00000012
TransferBuffer = 883c3e50
TransferBufferMDL = 00000000
Index = 00000000
DescriptorType = 00000001 (USB_DEVICE_DESCRIPTOR_TYPE)
LanguageId = 00000000
[237 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=00000000, Irp=882c0368, Context=885ea8d0, IRQL=2
[237 ms] <<< URB 1 coming back <<< -- URB_FUNCTION_CONTROL_TRANSFER: PipeHandle = 8851a600 TransferFlags = 0000000b (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK) TransferBufferLength = 00000012 TransferBuffer = 883c3e50 TransferBufferMDL = 897ae7b8 00000000: 12 01 10 01 00 00 00 40 c6 05 00 20 00 00 01 02 00000010: 00 01 UrbLink = 00000000 SetupPacket = 00000000: 80 06 00 01 00 00 12 00 [237 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [237 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=0 [238 ms] >>> URB 2 going down >>>
-- URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE:
TransferBufferLength = 00000009
TransferBuffer = 89887a68
TransferBufferMDL = 00000000
Index = 00000000
DescriptorType = 00000002 (USB_CONFIGURATION_DESCRIPTOR_TYPE)
LanguageId = 00000000
[241 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=00000000, Irp=882c0368, Context=885ea8d0, IRQL=2
[241 ms] <<< URB 2 coming back <<< -- URB_FUNCTION_CONTROL_TRANSFER: PipeHandle = 8851a600 TransferFlags = 0000000b (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK) TransferBufferLength = 00000009 TransferBuffer = 89887a68 TransferBufferMDL = 897ae7b8 00000000: 09 02 20 00 01 01 00 a0 fa UrbLink = 00000000 SetupPacket = 00000000: 80 06 00 02 00 00 09 00 [241 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [241 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=0 [242 ms] >>> URB 3 going down >>>
-- URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE:
TransferBufferLength = 00000020
TransferBuffer = 8986bcb8
TransferBufferMDL = 00000000
Index = 00000000
DescriptorType = 00000002 (USB_CONFIGURATION_DESCRIPTOR_TYPE)
LanguageId = 00000000
[245 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=00000000, Irp=882c0368, Context=885ea8d0, IRQL=2
[245 ms] <<< URB 3 coming back <<< -- URB_FUNCTION_CONTROL_TRANSFER: PipeHandle = 8851a600 TransferFlags = 0000000b (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK) TransferBufferLength = 00000020 TransferBuffer = 8986bcb8 TransferBufferMDL = 897ae7b8 00000000: 09 02 20 00 01 01 00 a0 fa 09 04 00 00 02 08 06 00000010: 50 00 07 05 87 02 40 00 00 07 05 08 02 40 00 00 UrbLink = 00000000 SetupPacket = 00000000: 80 06 00 02 00 00 20 00 [245 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [245 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=0 [246 ms] >>> URB 4 going down >>>
-- URB_FUNCTION_SELECT_CONFIGURATION:
ConfigurationDescriptor = 0x8986bcb8 (configure)
ConfigurationDescriptor : bLength = 9
ConfigurationDescriptor : bDescriptorType = 0x00000002
ConfigurationDescriptor : wTotalLength = 0x00000020
ConfigurationDescriptor : bNumInterfaces = 0x00000001
ConfigurationDescriptor : bConfigurationValue = 0x00000001
ConfigurationDescriptor : iConfiguration = 0x00000000
ConfigurationDescriptor : bmAttributes = 0x000000a0
ConfigurationDescriptor : MaxPower = 0x000000fa
ConfigurationHandle = 0x00000000
Interface[0]: Length = 56
Interface[0]: InterfaceNumber = 0
Interface[0]: AlternateSetting = 0
[306 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=00000000, Irp=882c0368, Context=885ea8d0, IRQL=0
[306 ms] <<< URB 4 coming back <<< -- URB_FUNCTION_SELECT_CONFIGURATION: ConfigurationDescriptor = 0x8986bcb8 (configure) ConfigurationDescriptor : bLength = 9 ConfigurationDescriptor : bDescriptorType = 0x00000002 ConfigurationDescriptor : wTotalLength = 0x00000020 ConfigurationDescriptor : bNumInterfaces = 0x00000001 ConfigurationDescriptor : bConfigurationValue = 0x00000001 ConfigurationDescriptor : iConfiguration = 0x00000000 ConfigurationDescriptor : bmAttributes = 0x000000a0 ConfigurationDescriptor : MaxPower = 0x000000fa ConfigurationHandle = 0x88b188c0 Interface[0]: Length = 56 Interface[0]: InterfaceNumber = 0 Interface[0]: AlternateSetting = 0 Interface[0]: Class = 0x00000008 Interface[0]: SubClass = 0x00000006 Interface[0]: Protocol = 0x00000050 Interface[0]: InterfaceHandle = 0x899ddae0 Interface[0]: NumberOfPipes = 2 Interface[0]: Pipes[0] : MaximumPacketSize = 0x00000040 Interface[0]: Pipes[0] : EndpointAddress = 0x00000087 Interface[0]: Pipes[0] : Interval = 0x00000000 Interface[0]: Pipes[0] : PipeType = 0x00000002 (UsbdPipeTypeBulk) Interface[0]: Pipes[0] : PipeHandle = 0x899ddafc Interface[0]: Pipes[0] : MaxTransferSize = 0x00001000 Interface[0]: Pipes[0] : PipeFlags = 0x00000000 Interface[0]: Pipes[1] : MaximumPacketSize = 0x00000040 Interface[0]: Pipes[1] : EndpointAddress = 0x00000008 Interface[0]: Pipes[1] : Interval = 0x00000000 Interface[0]: Pipes[1] : PipeType = 0x00000002 (UsbdPipeTypeBulk) Interface[0]: Pipes[1] : PipeHandle = 0x899ddb1c Interface[0]: Pipes[1] : MaxTransferSize = 0x00001000 Interface[0]: Pipes[1] : PipeFlags = 0x00000000 [306 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [306 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=0 [306 ms] >>> URB 5 going down >>>
-- URB_FUNCTION_SELECT_INTERFACE:
ConfigurationHandle = 0x88b188c0
Interface: Length = 56
Interface: InterfaceNumber = 0
Interface: AlternateSetting = 0
Interface: Class = 0x00000008
Interface: SubClass = 0x00000006
Interface: Protocol = 0x00000050
Interface: InterfaceHandle = 899ddae0
Interface: NumberOfPipes = 2
[369 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=00000000, Irp=882c0368, Context=885ea8d0, IRQL=0
[369 ms] <<< URB 5 coming back <<< -- URB_FUNCTION_SELECT_INTERFACE: ConfigurationHandle = 0x88b188c0 Interface: Length = 56 Interface: InterfaceNumber = 0 Interface: AlternateSetting = 0 Interface: Class = 0x00000008 Interface: SubClass = 0x00000006 Interface: Protocol = 0x00000050 Interface: InterfaceHandle = 8852c5b8 Interface: NumberOfPipes = 2 Interface: Pipes[0] : MaximumPacketSize = 0x00000040 Interface: Pipes[0] : EndpointAddress = 0x00000087 Interface: Pipes[0] : Interval = 0x00000000 Interface: Pipes[0] : PipeType = 0x00000002 (UsbdPipeTypeBulk) Interface: Pipes[0] : PipeHandle = 0x8852c5d4 Interface: Pipes[0] : MaxTransferSize = 0x00010000 Interface: Pipes[0] : PipeFlags = 0x00000000 Interface: Pipes[1] : MaximumPacketSize = 0x00000040 Interface: Pipes[1] : EndpointAddress = 0x00000008 Interface: Pipes[1] : Interval = 0x00000000 Interface: Pipes[1] : PipeType = 0x00000002 (UsbdPipeTypeBulk) Interface: Pipes[1] : PipeHandle = 0x8852c5f4 Interface: Pipes[1] : MaxTransferSize = 0x00010000 Interface: Pipes[1] : PipeFlags = 0x00000000 [369 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [369 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=0 [369 ms] >>> URB 6 going down >>>
-- URB_FUNCTION_CLASS_INTERFACE:
TransferFlags = 00000001 (USBD_TRANSFER_DIRECTION_IN, ~USBD_SHORT_TRANSFER_OK)
TransferBufferLength = 00000001
TransferBuffer = 884f7e60
TransferBufferMDL = 00000000
UrbLink = 00000000
RequestTypeReservedBits = 00000000
Request = 000000fe
Value = 00000000
Index = 00000000
[372 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=00000000, Irp=882c0368, Context=885ea8d0, IRQL=2
[372 ms] <<< URB 6 coming back <<< -- URB_FUNCTION_CONTROL_TRANSFER: PipeHandle = 8851a600 TransferFlags = 0000000b (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK) TransferBufferLength = 00000001 TransferBuffer = 884f7e60 TransferBufferMDL = 88369240 00000000: 00 UrbLink = 00000000 SetupPacket = 00000000: a1 fe 00 00 00 00 01 00 [373 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [373 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=2 [373 ms] >>> URB 7 going down >>>
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
PipeHandle = 8852c5f4 [endpoint 0x00000008]
TransferFlags = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
TransferBufferLength = 0000001f
TransferBuffer = 882567a0
TransferBufferMDL = 00000000
00000000: 55 53 42 43 68 03 2c 88 24 00 00 00 80 00 06 12
00000010: 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00
UrbLink = 00000000
[374 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=8836abf8, Irp=882c0368, Context=885ea8d0, IRQL=2
[374 ms] <<< URB 7 coming back <<< -- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER: PipeHandle = 8852c5f4 [endpoint 0x00000008] TransferFlags = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK) TransferBufferLength = 0000001f TransferBuffer = 882567a0 TransferBufferMDL = 89854dd0 UrbLink = 00000000 [374 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [374 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=2 [375 ms] >>> URB 8 going down >>>
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
PipeHandle = 8852c5d4 [endpoint 0x00000087]
TransferFlags = 00000002 (USBD_TRANSFER_DIRECTION_OUT, USBD_SHORT_TRANSFER_OK)
TransferBufferLength = 00000024
TransferBuffer = 00000000
TransferBufferMDL = 88369240
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020: 00 00 00 00
UrbLink = 00000000
[376 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=8836abf8, Irp=882c0368, Context=885ea8d0, IRQL=2
[376 ms] <<< URB 8 coming back <<< -- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER: PipeHandle = 8852c5d4 [endpoint 0x00000087] TransferFlags = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK) TransferBufferLength = 00000024 TransferBuffer = 00000000 TransferBufferMDL = 88369240 00000000: 05 80 02 00 33 00 00 00 42 4d 43 20 43 6f 72 70 00000010: 55 53 42 20 53 74 6f 72 61 67 65 20 20 20 20 20 00000020: 32 2e 33 31 UrbLink = 00000000 [376 ms] UsbSnoop - FilterDispatchAny(a6b3dfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL [376 ms] UsbSnoop - FdoHookDispatchInternalIoctl(a6b3e1ea) : fdo=8837b020, Irp=882c0368, IRQL=2 [377 ms] >>> URB 9 going down >>>
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
PipeHandle = 8852c5d4 [endpoint 0x00000087]
TransferFlags = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
TransferBufferLength = 0000000d
TransferBuffer = 882567a0
TransferBufferMDL = 00000000
00000000: 55 53 42 43 68 03 2c 88 24 00 00 00 80
UrbLink = 00000000
[378 ms] UsbSnoop - MyInternalIOCTLCompletion(a6b3e126) : fido=8836abf8, Irp=882c0368, Context=885ea8d0, IRQL=2
[378 ms] <<< URB 9 coming back <<< -- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER: PipeHandle = 8852c5d4 [endpoint 0x00000087] TransferFlags = 00000001 (USBD_TRANSFER_DIRECTION_IN, ~USBD_SHORT_TRANSFER_OK) TransferBufferLength = 0000000d TransferBuffer = 882567a0 TransferBufferMDL = 89854dd0 00000000: 55 53 42 53 68 03 2c 88 00 00 00 00 00 UrbLink = 00000000 [378 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_INTERFACE) [379 ms] UsbSnoop - FilterDispatchPnp: Query for Bus interface for USB Function Drivers. [379 ms] InterfaceType: USB_BUS_INTERFACE_USBDI_GUID [379 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_INTERFACE) [379 ms] UsbSnoop - FdoHookDispatchPnp: Query for Bus interface for USB Function Drivers. [379 ms] InterfaceType: USB_BUS_INTERFACE_USBDI_GUID [380 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_CAPABILITIES) [380 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_CAPABILITIES) [380 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_PNP_DEVICE_STATE) [380 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_PNP_DEVICE_STATE) [380 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_DEVICE_RELATIONS) [380 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_DEVICE_RELATIONS) [380 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_CAPABILITIES) [380 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_CAPABILITIES) [3820 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_CAPABILITIES) [3820 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_CAPABILITIES) [30999 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_DEVICE_RELATIONS) [30999 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_DEVICE_RELATIONS) [30999 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_DEVICE_RELATIONS) [30999 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_QUERY_DEVICE_RELATIONS) [30999 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_SURPRISE_REMOVAL) [30999 ms] UsbSnoop - FdoHookDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_SURPRISE_REMOVAL) [31030 ms] UsbSnoop - FilterDispatchPnp(a6b4245c) : IRP_MJ_PNP (IRP_MN_REMOVE_DEVICE)

The resulting device can be accessed via usbserial module.
just give it a hint: vendor=0x05c6 product=0x0015
If you have usbserial - you'll have to unload it first and supply it some arguments.
e.g. modprobe -r usbserial
modprobe usbserial vendor=0x05c6 product=0x0015
You'll get 3 new ttyUSB's now.
Now you can setup ppp and it will (hopefully) work.

So, time to get my SmartQ ready to serve as a robobrain.
So I needed a way to connect to the internal UART. Luckily with access to a laser cutter it’s really simple…
Thanks to Dmitry for the assistance with the cutter.

The pin header contans
Vcc in for battery charger,
regulated 3.3 volt output,
Ground (Nothing is without it )
And RX/TX pins, ready to use.

So, I finally got that one. Took 22 days for it to get here.
I remember the bunch of bugs SmartQ7 came along with, so I got myself morally prepared for several days of making different things work.
Surprisingly – that wasn’t really needed.

The touchscreen is resistive, but quite usable, nevertheless. No noticeable jitter, as smq7 had, and I don’t miss the on-screen-keyboard keys.
GPS is also around and works fine. On a 10′ screen it’s just awesome. The exteral antenna that came along with it is quite useful, if you want to use that in the car.
SD and HD videos play fine, with builtin CCPlayer.This thing with a drugged pacman in headphones as an icon comes only in chinese, but does the job pretty well – luckily not much to translate there.
3D games work, and run quite fast, even though a resolution of 1024×600 is a bit too much for a 256m memory the device has.
Accelerometer is also around, and even works as expected. aTilt3D works fine.
Camera – just a plain webcam, not much to say about that. Works. That’s all. You don’t expect a 5 megapixel thing in there, are you?
Microphone could be a bit more sensitive, but also bearable.
The loudsoeakers a a bit too quiet, although there might be a software fix to that problem.
USB made me more than glad. Both ports really work as 2.0, read and write really fast and supply enough current to spin an external HDD. Well, two of them, actually in my test copying an ubuntu iso from one to another. USB flash drives and HDDs mount automatically, if the FS is fat. All other filesystems are just ignored.
And now the bad stuff.
wowHome. A shitty app, that replaces standart homescreen. Slow as hell and buggy. Eve if u select Launcher Pro as the default homescreen it will still pop out. Looks like it uses 2d to render 3d effects. It uses about 40 megs ram and is… just crap.
Live wallpapersJust don’t work as expected i they use 3d. Not a big loss anyway.
Skype fails on outgoing and ingoing calls.

And now let’s make the device work faster.
First we’ll need Universal AndRoot to root the device and move/rename wowHome.apk. that turns off that crap and boosts device performance. LauncherPro works flawlessly.
Btw, that also turned on a nice wallpaper of some 3d-art girl. Developers dream?

The resulting system is now just about as fast as on my Motorola milestone.
The only thing remaining is to install a bunch of apps and you’re done.

Watching a 40-minute episode of Frnge from external HDD drained the battery from 100 to 60% using max backlight. So I guess it’s ok.
Wifi reception is good, signal is stable. Even a little better then of my Motorola Milestone.
Looks like they didn’t manage to do the power management part properly – so there’s a switch on the side. Leave it on – and it will drain battery a bit faster.
Ethernet works fine, no problems with that.

the other bad parts are a beeping on the max backlight screen and crappy loudspeakers. The amp inside really need some more caps on Vcc pin.

It’s started. Just give loads of thanks to osmocom-baseband guys who made the initial efforts.
Anyway, the whole stuff is working. Even on my old E1000 phone.
The instructions are pretty much straightforward. Take your phone

Hook it to youe favourite uart to usb chip (mine is ftdi)

And fire up osmocon and osmoload as described here: http://bb.osmocom.org/trac/wiki/SciphoneDreamG2

While now uboot has somewhat working support for nand, ram, mmc
Uncommenting PLL initialisation code makes my device hang in process, so we’re at somewhat really slow.
But nevertheless, here we go


/ # uname -a
Linux (none) 2.6.36-next-20101029+ #72 PREEMPT Wed Nov 17 14:10:39 CET 2010 armv5tejl GNU/Linux
/ # cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 104.24
Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5

Hardware : E1000 Rachel
Revision : 0000
Serial : 0000000000000000
/ #

I copied all the sciphone’s code and tagged it e1000_rachel, since all the chineese device differ a little.
Now it’s time to fix some uart bugs, write more code… Hell, I didn’t even think that was possible.
With a 2d accelerator, wifi, bluetooth, full keyboard and TV this thing ca be a hell of thing to control.. say a mikrokopter with analog camera in there?
Possibilities are endless, hardware is dirt cheap.