path: root/README.ms8916-qrd

msm8916-qrd phone dev board info
Andy Green <andy.green@linaro.org> 2014-12-12

Introduction
------------

Qualcomm provide a cool LTE phone as a dev platform and make it available
chheaply.  The SoC inside, msm8916 has 4 x A53.

There are 4 issues with the phone-as-dev-platform out of the box.

1) Serial port is on an undocumented 10-pin smt connector.

The whole SMT connector is 1.8V only.

1: ?
2: ?
3: ?
4: ?
5: ?
6: ?
7: Serial TX from msm8916
8: Serial RX from msm8916 (1.8V ONLY!!!)
9: ?
10: 0V

The FFC needed to mate with the connector is 0.5mm pitch 10-way.

You can get an FFC to connect to it easily enough but hooking up the other end
to something you can solder on (0.5mm pitch...) is possible but requires some
skills.

And remember it's 1.8V, you will need to level-convert to a normal 3.3V LVTTL
USB serial adapter or hack the adapter to use 1.8V reference (this is what I did)

2) The battery is required for boot and is not charged while in fastboot or cut-down kernel

Replacing the battery with 3.8V bench PSU is enough.

Otherwise you will work for some hours and then nothing will work any more, because
the battery is flat.  For development work that's not acceptable.

3) Quick entry to fastboot means holding down a key on the phone and replug the battery

I shorted the vol - key permanently (some disassembly and balls-of-steel soldering needed)
and use LMP to automate 'battery' replug

4) If the phone loses all power, he reboots on a 12s cycle

Mitigated by one-time entry to stock rootfs / kernel (fastboot continue) until next power loss
This might be associated with forcing Vol - key permananetly down.

Basic kernel build info
-----------------------

This info is for the mainline-basis branch

export ARCH=arm
export CROSS_COMPILE=arm-linux-gnueabihf-
make msm8916-qrd_defconfig
make

you will find the combined zImage + dtb in arch/arm/boot/zImage-dtb


Running the kernel
------------------

With fastboot running, you can try your kernel like this:

1) Use msm8916-qrd_defconfig, the zImage-dtb that is produced
has the dtb applied already and is good to give to fastboot.

2) Give this to fastboot -->

sudo fastboot boot \
        arch/arm/boot/zImage-dtb initramfs \
        -p "msm8916" \
        -c "console=ttyMSM0,115200,n8 loglevel=4 rdinit=/bin/bash"

3) and you will get a boot, to a bash prompt if your initramfs has one at /bin/bash


Using the wcn3620 wireless
--------------------------

You need to extract various firmwares from the stock image and place in /lib/firmware

1) These need to be copied from stock /dev/mmcblk0p1 image/ dir to /lib/firmware

-rwxr-xr-x 1 root root     436 Jan  1  1970 wcnss.b00
-rwxr-xr-x 1 root root    6824 Jan  1  1970 wcnss.b01
-rwxr-xr-x 1 root root   12844 Jan  1  1970 wcnss.b02
-rwxr-xr-x 1 root root   61440 Jan  1  1970 wcnss.b04
-rwxr-xr-x 1 root root 3097028 Jan  1  1970 wcnss.b06
-rwxr-xr-x 1 root root      52 Jan  1  1970 wcnss.b09
-rwxr-xr-x 1 root root  655360 Jan  1  1970 wcnss.b10
-rwxr-xr-x 1 root root   39048 Jan  1  1970 wcnss.b11
-rwxr-xr-x 1 root root    7260 Jan  1  1970 wcnss.mdt

2) Copy /dev/mmcblk0p27 misc/wifi/WCNSS_qcom_cfg.ini to /lib/firmware/wlan/prima

3) Copy /dev/mmcblk0p23

   etc/firmware/wlan/prima/WCNSS_cfg.dat and 
   etc/firmware/wlan/prima/WCNSS_qcom_wlan_nv.bin

to /lib/firmware/wlan/prima

4) You can force the mac address so you don't get a random one.

echo -n "00:0a:f5:c4:31:e9" > /lib/firmware/wlan/macaddr0

Mainline wcn36xx and wcn36xx_msm modules are built by default.  They have to be
modules because they want firmware, unless you have an initramfs.

Just insert them, or let udev insert them, and you can use wpa_supplicant like this

# wpa_passphrase <your BSS> > /etc/wpa_supplicant/test.conf

# wpa_supplicant -i wlan0 -Dwext -c /etc/wpa_supplicant/test.conf &



Using Connman with wireless
---------------------------

connman is a lightweight version of NetworkManager but using it with wifi needs some
one-time setting up.

1) apt-get install connman
2) connmanctl enable wifi
3) connmanctl scan wifi  (wait a couple of seconds it will tell it completed)
4) connmanctl services

You will get something like this

    foamy                wifi_000af5c431e9_666f616d79_managed_psk
                         wifi_000af5c431e9_hidden_managed_psk
    HAPPYCAT             wifi_000af5c431e9_4841505059434154_managed_psk
    SMC                  wifi_000af5c431e9_534d43_managed_none
    SweetHome            wifi_000af5c431e9_5377656574486f6d65_managed_psk
    sophia               wifi_000af5c431e9_736f70686961_managed_psk

5) connmanctl (you will get a prompt)
       connmanctl> agent on
       connmanctl> connect wifi_000af5c431e9_666f616d79_managed_psk

give it the passphrase, after a couple of seconds
Connected wifi_000af5c431e9_666f616d79_managed_psk
       connmanctl> quit

6) on subsequent boots, wlan will come up automagically with no user interaction


Starting Bluetooth
------------------

You need to run three commands to start BT

 hciattach  /dev/smd3 qualcomm E0:CB:EF:9c:0b:ca
 rfkill unblock bluetooth
 hciconfig hci0 up


Device pairing with Bluetooth
-----------------------------

Using Bluez from the commandline for keyboard / mouse pairing

1) Put the keyboard device in pairing mode

2) find the MAC

# hcitool scan
00:1F:20:E3:49:B1 Logitech Keyboard K480

3) Pair (it means, type "676301" on the keyboard)

bluez-simple-agent hci0 00:1F:20:E3:49:B1
DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 0)
DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 1)
DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 2)
DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 3)
DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 4)
DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 5)
DisplayPasskey (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1, 676301 entered 6)
Release
New device (/org/bluez/645/hci0/dev_00_1F_20_E3_49_B1)

Device will not stop flashing yet

There's another style of pairing where the agent prompts for a PIN you generate,
then the keyboard wants to have the same PIN typed on it + Enter.

4) Trust

bluez-test-device trusted 00:1F:20:E3:49:B1 yes

5) Connect

bluez-test-input connect 00:1F:20:E3:49:B1
[ 3353.905158] hid-generic 0005:046D:B330.0001: unknown main item tag 0x0

Device will stop flashing at this point

After it's trusted and connected once, bluetoothd will autoconnect him
subsequently without needing to do anything.

As a keyboard / mouse, the device now works on framebuffer console or X as
expected.


Bluetooth audio playing
-----------------------

1) Pair with the audio device (I used logictech BT speakers) using
hcitool scan + bluez-simple-agent as above

2) Make sure you trust it

 bluez-test-device trusted 00:02:3C:25:27:AC yes

3) Connect won't complete until pulseaudio is running.  Just pulseaudio & is enough

4) Connect

 bluez-test-audio connect 00:02:3C:25:27:AC

5) Well... play some audio

 aplay -d hw:bluetooth test48.wav


Notes on using the adapter PCB
------------------------------

The tree has ./tools/dtr-control/dtr.c and a Makefile in there to make
dtr-control, which lets you reset (dtr-control by itself) and turn off (dtr-control --off) the phone from your PC in a scriptable way.

When the phone turns on, it runs the stock firmware, unless you hold down the - volume key at boot which is difficult.

Therefore there's a script ./tools/dtr-control/fb.sh included which uses
adb and fastboot to automate [stock boot] -> [adb reset-bootloader] -> [fastboot] and optionally send your kernel on fastboot.

Use fb.sh --prep to automate only getting the phone back into fastboot, which you can run asynchronously at the start of your build, like this (./m is the make script)

    ./tools/dtr-control/fb.sh --prep & \
    ./m msm8916-qrd_defconfig && \
    ./m && \
    ./tools/dtr-control/fb.sh --wait

fb.sh takes 22s to go through the reset -> adb -> fastboot sequence so if your build is longer than 22s, resetting into fastboot costs nothing and the new kernel is sent as soon as build completes.