msm8916-qrd phone dev board info Andy Green 2014-12-12 Introduction ------------ Qualcomm provide a cool LTE phone as a dev platform and make it available chheaply. The SoC inside, msm8916 has 4 x A53. There are 4 issues with the phone-as-dev-platform out of the box. 1) Serial port is on an undocumented 10-pin smt connector. The whole SMT connector is 1.8V only. 1: ? 2: ? 3: ? 4: ? 5: ? 6: ? 7: Serial TX from msm8916 8: Serial RX from msm8916 (1.8V ONLY!!!) 9: ? 10: 0V The FFC needed to mate with the connector is 0.5mm pitch 10-way. You can get an FFC to connect to it easily enough but hooking up the other end to something you can solder on (0.5mm pitch...) is possible but requires some skills. And remember it's 1.8V, you will need to level-convert to a normal 3.3V LVTTL USB serial adapter or hack the adapter to use 1.8V reference (this is what I did) 2) The battery is required for boot and is not charged while in fastboot or cut-down kernel Replacing the battery with 3.8V bench PSU is enough. Otherwise you will work for some hours and then nothing will work any more, because the battery is flat. For development work that's not acceptable. 3) Quick entry to fastboot means holding down a key on the phone and replug the battery I shorted the vol - key permanently (some disassembly and balls-of-steel soldering needed) and use LMP to automate 'battery' replug 4) If the phone loses all power, he reboots on a 12s cycle Mitigated by one-time entry to stock rootfs / kernel (fastboot continue) until next power loss This might be associated with forcing Vol - key permananetly down. Basic kernel build info ----------------------- This info is for the mainline-basis branch export ARCH=arm export CROSS_COMPILE=arm-linux-gnueabihf- make msm8916-qrd_defconfig make you will find the combined zImage + dtb in arch/arm/boot/zImage-dtb Running the kernel ------------------ With fastboot running, you can try your kernel like this: 1) Use msm8916-qrd_defconfig, the zImage-dtb that is produced has the dtb applied already and is good to give to fastboot. 2) Give this to fastboot --> sudo fastboot boot \ arch/arm/boot/zImage-dtb initramfs \ -p "msm8916" \ -c "console=ttyMSM0,115200,n8 loglevel=4 rdinit=/bin/bash" 3) and you will get a boot, to a bash prompt if your initramfs has one at /bin/bash Using the wcn3620 wireless -------------------------- You need to extract various firmwares from the stock image and place in /lib/firmware 1) These need to be copied from stock /dev/mmcblk0p1 image/ dir to /lib/firmware -rwxr-xr-x 1 root root 436 Jan 1 1970 wcnss.b00 -rwxr-xr-x 1 root root 6824 Jan 1 1970 wcnss.b01 -rwxr-xr-x 1 root root 12844 Jan 1 1970 wcnss.b02 -rwxr-xr-x 1 root root 61440 Jan 1 1970 wcnss.b04 -rwxr-xr-x 1 root root 3097028 Jan 1 1970 wcnss.b06 -rwxr-xr-x 1 root root 52 Jan 1 1970 wcnss.b09 -rwxr-xr-x 1 root root 655360 Jan 1 1970 wcnss.b10 -rwxr-xr-x 1 root root 39048 Jan 1 1970 wcnss.b11 -rwxr-xr-x 1 root root 7260 Jan 1 1970 wcnss.mdt 2) Copy /dev/mmcblk0p27 misc/wifi/WCNSS_qcom_cfg.ini to /lib/firmware/wlan/prima 3) Copy /dev/mmcblk0p23 etc/firmware/wlan/prima/WCNSS_cfg.dat and etc/firmware/wlan/prima/WCNSS_qcom_wlan_nv.bin to /lib/firmware/wlan/prima 4) You can force the mac address so you don't get a random one. echo -n "00:0a:f5:c4:31:e9" > /lib/firmware/wlan/macaddr0 Mainline wcn36xx and wcn36xx_msm modules are built by default. They have to be modules because they want firmware, unless you have an initramfs. Just insert them, or let udev insert them, and you can use wpa_supplicant like this # wpa_passphrase > /etc/wpa_supplicant/test.conf # wpa_supplicant -i wlan0 -Dwext -c /etc/wpa_supplicant/test.conf & Using Connman with wireless --------------------------- connman is a lightweight version of NetworkManager but using it with wifi needs some one-time setting up. 1) apt-get install connman 2) connmanctl enable wifi 3) connmanctl scan wifi (wait a couple of seconds it will tell it completed) 4) connmanctl services You will get something like this foamy wifi_000af5c431e9_666f616d79_managed_psk wifi_000af5c431e9_hidden_managed_psk HAPPYCAT wifi_000af5c431e9_4841505059434154_managed_psk SMC wifi_000af5c431e9_534d43_managed_none SweetHome wifi_000af5c431e9_5377656574486f6d65_managed_psk sophia wifi_000af5c431e9_736f70686961_managed_psk 5) connmanctl (you will get a prompt) connmanctl> agent on connmanctl> connect wifi_000af5c431e9_666f616d79_managed_psk give it the passphrase, after a couple of seconds Connected wifi_000af5c431e9_666f616d79_managed_psk connmanctl> quit 6) on subsequent boots, wlan will come up automagically with no user interaction Starting Bluetooth ------------------ You need to run three commands to start BT hciattach /dev/smd3 qualcomm E0:CB:EF:9c:0b:ca rfkill unblock bluetooth hciconfig hci0 up Device pairing with Bluetooth ----------------------------- Using Bluez from the commandline for keyboard / mouse pairing 1) Put the keyboard device in pairing mode 2) find the MAC # hcitool scan 00:1F:20:E3:49:B1 Logitech Keyboard K480 3) Pair (it means, type "676301" on the keyboard) bluez-simple-agent hci0 00:1F:20:E3:49:B1 DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 0) DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 1) DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 2) DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 3) DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 4) DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 5) DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 6) Release New device (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1) Device will not stop flashing yet There's another style of pairing where the agent prompts for a PIN you generate, then the keyboard wants to have the same PIN typed on it + Enter. 4) Trust bluez-test-device trusted 00:1F:20:E3:49:B1 yes 5) Connect bluez-test-input connect 00:1F:20:E3:49:B1 [ 3353.905158] hid-generic 0005:046D:B330.0001: unknown main item tag 0x0 Device will stop flashing at this point After it's trusted and connected once, bluetoothd will autoconnect him subsequently without needing to do anything. As a keyboard / mouse, the device now works on framebuffer console or X as expected. Bluetooth audio playing ----------------------- 1) Pair with the audio device (I used logictech BT speakers) using hcitool scan + bluez-simple-agent as above 2) Make sure you trust it bluez-test-device trusted 00:02:3C:25:27:AC yes 3) Connect won't complete until pulseaudio is running. Just pulseaudio & is enough 4) Connect bluez-test-audio connect 00:02:3C:25:27:AC 5) Well... play some audio aplay -d hw:bluetooth test48.wav Notes on using the adapter PCB ------------------------------ The tree has ./tools/dtr-control/dtr.c and a Makefile in there to make dtr-control, which lets you reset (dtr-control by itself) and turn off (dtr-control --off) the phone from your PC in a scriptable way. When the phone turns on, it runs the stock firmware, unless you hold down the - volume key at boot which is difficult. Therefore there's a script ./tools/dtr-control/fb.sh included which uses adb and fastboot to automate [stock boot] -> [adb reset-bootloader] -> [fastboot] and optionally send your kernel on fastboot. Use fb.sh --prep to automate only getting the phone back into fastboot, which you can run asynchronously at the start of your build, like this (./m is the make script) ./tools/dtr-control/fb.sh --prep & \ ./m msm8916-qrd_defconfig && \ ./m && \ ./tools/dtr-control/fb.sh --wait fb.sh takes 22s to go through the reset -> adb -> fastboot sequence so if your build is longer than 22s, resetting into fastboot costs nothing and the new kernel is sent as soon as build completes. Patch sources ------------- https://git.kernel.org/cgit/linux/kernel/git/galak/linux-qcom.git/