A documentation, research and development thread for the Snapdragon S4
Do NOT post general questions/requests on how to
do this or that, they will not be answered here.
ONLY post if you have additional tricks, hacks or
information that can help/benefit this thread.
This is a pure research and development thread
and will be aggressively moderated!
1) To continue the documentation effort of the Qualcomm Snapdragon S4 (MSM8960).
2) To construct an MSM8960 "Hack-Pack" with documents, info, code, pictures, tools and drivers etc.
This will be done in the same spirit as the excellent and already epic
(Verizon) Samsung Galaxy S3 (SGH-I535) "[R&D] Unlock Bootloaders" thread. In
fact this thread should be considered as the advanced continuation to that
effort. Many of the key introductory documents about the MSM8960 can be found
in that thread, so before you post what you think may be new information here,
please make sure you have read and searched that thread.
As Qualcomm are keeping even the most basic hardware information secret from
the development community, it has triggered an enormous annoyance-driven
effort to try to map out the basic inner workings and behavior of our mobile
phone processors. As more people are actively developing using the NDK and
getting more familiar with kernel compiling, tweaking and modifications at
the hardware level, more information is needed about the processor and its
Qualcomm (and Samsung) should know and be told again, that we are not
interested in industrial espionage or in copying the inner workings of their
flagship processors, but rather in understanding how they are connected and can be
programmed for the infinite variety of purposes that may help improve our common
future of mobile platforms.
A. Understand the MSM8960 Memory Map
B. Understand the MSM8960 HW registers (GPIO, GSBI, I2C, UART, SPI, Qfuses etc.)
C. Understand the bootloader code (Secure Boot 3.0)
D. To provide a permanent and early alternative boot-route that
cannot be disabled or hijacked by rogue firmware updates.
(Sounds funny, doesn't it, when you change perspective!?)
E. Collect additional information on the MSM8960
(A) This is the most difficult to obtain without any documentation,
because certain regions of memory are not readable from/by userspace
applications/code. One can only hope that there are some readable shadow
regions or that some new information/documentation will spill the details.
If not, then publicly available kernel code and programs like viewmem and
lime may help us here.
(B) Most registers should be readable by shadow memory locations and if not
there are other TLMM registers that should tell us just which registers are
not readable. Then we'll have to figure out how to read them anyway, with JTAG
as a last resort, although JTAG may also be protected!
(C) This is difficult although possible to do by anyone with some IDA
experience, since it requires extensive RE of the entire boot-loader chain.
(PBL --> SBL1 --> SBL2 --> SBL3) But it is heavily dependent on the success
of (A) and (B).
(D) Probably impossible without (A-C)
(E) Difficult because of the extreme lack of public documentation. A leaked
document such as one or both of the following, would provide us with all the detail
needed to fulfill (A-C) and part of (D).
Here are the most useful documents we have so far:
Code:
The 8960 Boot Architecture Overview 80-N5009-1 Rev.B
MSM8960, PM8921, and WCD9310 Baseband 80-N1622-41 Rev.D
We may also find other documents, for similar processors, useful. The most similar processor, AFAIK, is the MSM8660,
but others may be any or all of the later ones in the series: MSM8930, MSM8228 and MSM8974. So please look out for these:
Code:
MSM8260/MSM8660 Boot Qfuses and Configuration 80-VU872-17
Software Interface 80-VU872-2
User Guide 80-VU872-3
However, the documents we need most are:
Code:
MSM8960 Qfuses and Security (Application Note) 80-N1622- ??
MSM8960/MSM8270/MSM8x60A Mobile Station Modem Software Interface 80-N1622-2 Rev.C
MSM8260/MSM8660 Mobile Station Modem Software Interface 80-VU872-2 Rev.D
All the information in this thread has been acquired by searching on-line
and researching the hardware and software used by Qualcomm-based mobile
devices containing this hardware. Thus any documentation linked within
this thread and labelled within that document as "confidential", can no
longer be considered as such, as it is openly and readily available on
the internet by simple searches. XDA is in no way to be held responsible for
any leaked material linked in this thread. If by any chance, someone does
directly link to illegally obtained and singularly accessible documents,
please contact OP starter and such links or posts will be removed after
References & Sources:
Lots of useful documents and manuals (Thanks to Antagonist42)
Explanation of the Qualcomm Proprietary protocols (QMI, DM)
LiME - Linux Memory Extractor (XDA feature)
Jan 2013 Qualcomm Documentation Leak (~140 files): HERE