Rokr E2
custom essay writing
bestessays.com The ROKR E2 is the second incarnation of Motorola's music phone. Unlike the original ROKR E1, it doesn't work with Apple's iPod/iTunes store, but with some Motorola-own store for downloading music. It was released exclusively in China's GOME stores on June 22nd 2006 and apparently is selling extremely well. Even though we now have one E2 for development purpose, not too much about the hardware is known so far. |
|
Contents |
Kernel
Linux version 2.4.20_mvlcee31-mainstone_pxa27x (BJDC@LINUX) (GCC 3.x for XSCALE) #1 Jan 1,2003
More details:
MontaVista(R) Linux(R) Consumer Electronics Edition 3.1 Linux/armv5tel 2.4.20_mvlcee31-mainstone_pxa27x # busybox uname -a Linux (none) 2.4.20_mvlcee31-mainstone_pxa27x #1 Jan 1,2003 armv5tel unknown
In totally:
MontaVista Linux Kernel + Framebuffer + Qte + ezx/Chemalon
CPU
Processor : Intel XScale-PXA27x rev 7 (v5l)|| BogoMIPS : 311.28 Features : swp half thumb fastmult edsp CPU implementor : 0x69 CPU architecture: 5TE CPU variant : 0x0 CPU part : 0x411 CPU revision : 7 Cache type : undefined 5 Cache clean : undefined 5 Cache lockdown : undefined 5 Cache unified : harvard I size : 32768 I assoc : 32 I line length : 32 I sets : 32 D size : 32768 D assoc : 32 D line length : 32 D sets : 32
Default power management clock settings appear to be 104Mhz, 208Mhz, and 312Mhz at 1.35v.
RAM
48MB in two physicals chips
0xA0000000-0xA1FFFFFB (32MB) 0xAC000000-0xACFFFFFC (16MB)
total: used: free: shared: buffers: cached: Mem: 47509504 45441024 2068480 0 466944 19390464 Swap: 0 0 0 MemTotal: 46396 kB MemFree: 2020 kB MemShared: 0 kB Buffers: 456 kB Cached: 18936 kB SwapCached: 0 kB Active: 17284 kB Inactive: 15592 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 46396 kB LowFree: 2020 kB SwapTotal: 0 kB SwapFree: 0 kB Committed_AS: 57172 kB
Flash Memory
Here is a map of the flash memory:
Filesystem 1k-blocks Used Available Use% Mounted on rootfs 56752 56752 0 100% / /dev/root 56752 56752 0 100% / /dev/roflash1 10968 10968 0 100% /usr/language /dev/roflash2 26308 26308 0 100% /usr/data_resource /dev/roflash3 452 452 0 100% /usr/setup /dev/roflash4 116 116 0 100% /usr/securesetup /dev/mtdblock8 6144 884 5260 15% /ezx_user /dev/mtdblock9 12160 1204 10956 10% /ezxlocal /dev/mmca1 122912 10304 112608 9% /mmc/mmca1
Note: /dev/mmca1 is my SD card
MTD structure (/proc/mtd):
dev : size erasesize name mtd0 : 00008000 00008000 "CADDO_SECOND" mtd1 : 00008000 00008000 "ITUNES" mtd2 : 00008000 00008000 "CADDO_PRIMARY" mtd3 : 00008000 00008000 "FOTA_REV" mtd4 : 00040000 00020000 "MBM" mtd5 : 00020000 00020000 "CONFIG" mtd6 : 00020000 00020000 "BLOB" mtd7 : 00100000 00020000 "KERNEL" mtd8 : 00600000 00020000 "USERFS_DB" mtd9 : 00be0000 00020000 "USERFS_GENERAL" mtd10: 00020000 00020000 "TEST_CMD" mtd11: 00020000 00020000 "LOGO" mtd12: 000c0000 00020000 "FOTA" mtd13: 00020000 00020000 "RESERVE"
Note that only mtd8 and mtd9 are mounted as block devices. For 33P, "ITUNES" is empty. "LOGO" contains a GIF89a image at offset 0x800, used as the operator logo on boot.
Motorola Flash Memory Regions, label, and filename (from /etc/flashmem.map)
Physical address 0 to 32M is occupied by flash chip 0 of AP,and 32M-64M by flash 1,they are both "Intel StrataFlash® Wireless Memory System (LV18/LV30 SCSP) 1024-Mbit LV family",Manufacturer Code:0x89,Device Identifier Code of chip 0:0x881c,and chip 1:8819,the datasheet can be downloaded from http://download.intel.com/design/flcomp/datashts/25385403.pdf.
0x00000000 - 0x0001FFFF caddo (caddo_data.bin) 0x00020000 - 0x0005FFFF mbm (mbm.bin) 0x00060000 - 0x000607FF cdtcsf (cdtcsf) 0x00060800 - 0x00066FFF cdt (cdt.bin) 0x00067000 - 0x0007FFFF kct (kct.bin) 0x00080000 - 0x000807FF blobcsf (blobcsf) 0x00080800 - 0x0009FFFF blob (blob) 0x000A0000 - 0x000A07FF kernelcsf (kernelcsf) 0x000A0800 - 0x0019FFFF kernel (zImage) 0x001A0000 - 0x00A9FFFF resource (resource.img) 0x00AA0000 - 0x0109FFFF userdb (userfs_db.img) 0x010A0000 - 0x01C9FFFF usergeneral (userfs_general.img) 0x01CA0000 - 0x01CA0FFF securesetupcsf (securesetupcsf) 0x01CA1000 - 0x01CBFFFF securesetup (secure_setup.img) 0x01CC0000 - 0x01CDFFFF tcmd (tcmd) 0x01CE0000 - 0x01CE07FF logocsf (logocsf) 0x01CE0800 - 0x01CFFFFF logo (logo.img) 0x01D00000 - 0x01DBFFFF fota (fota.img) 0x01DC0000 - 0x01DDFFFF paniclog (N/A) 0x01DE0000 - 0x025DFFFF language (language.img) 0x025E0000 - 0x025FFFFF setup (setup.img) 0x02600000 - 0x02600FFF rootcsf (rootcsf) 0x02601000 - 0x03FFFFFF root (rootfs_cramfs.img) 0xA0200000 - 0xA024FFFF rdl (rdl)
Flashing the E2
The ROKR E2 can be flashed from linux using the moto4lin ezxflash tools. The E2 AP (linux) flash data is held in a .sbf file. Use moto4lin's parseheader then unsbf to extract the code groups (memory regions). Some of the regions are cramfs images and can be mounted as a loopback file:
mount -t cramfs {file.bin} -o loop,offset={n} /mountpoint/path
Cramfs Code Groups:
Address file Offset Mountpoint Notes ------------ ------ ---------- ----- 001a0000.bin 0 /usr/data_resource /dev/roflash2 01ca0000.bin 4096 /usr/securesetup /dev/roflash4 01de0000.bin 0 /usr/language /dev/roflash1 025e0000.bin 0 /usr/setup /dev/roflash3 02600000.bin 4096 / /dev/root
JFFS2 Code Groups
00aa0000.bin 0 /ezx_user /dev/mtd8, /dev/mtdblock8, "USERFS_DB" 010a0000.bin 0 /ezxlocal /dev/mtd9, /dev/mtdblock9, "USERFS_GENERAL"
Partial Cramfs Code Groups:
a0de0000.bin 0x220000 / (?) (??) (Extended root fs? Debugging root?)
Other Code Groups:
00060000.bin - Maps to mtd5 CONFIG - (Has kernel boot args?)
00080000.bin - Bootloader - Maps to mtd6 "BLOB"
000a0000.bin - Maps to mtd7 "KERNEL"
01ce0000.bin - Operator logo at offset 0x800. Maps to mtd11 "LOGO"
03fc8000.bin - ?? (AP->BP comms? BIOS?) no mtd mapping
10040000.bin - ??
10080000.bin - ?? (200 bytes long)
100800c8.bin - ?? Has references to "sim", IMEI Lock, SEEM, call meters, IMELODY ringtone, SMS, an GEM
Contains 16-bit text:
"Motorola Phone ED3F9710: Motorola Communications Class B"
"Motorola Communication Interface0"
"Audio Control Interface"
"Linear Streaming Audio MiCrophone Interface"
"Logarithm Streaming Aucio Microphone interface"
"Linear Streaming Audio Speaker Interface"
"Logarithmic Streaming Audio Speaker Interface"
"Accessory2Motorola MCU Data Logger"
"Motorola Test Command"
"Motorola DSP Logger"
"Motorola DSP Debugger"
"Motorola Data Interface"
...more...
10330000.bin - ?? (2048 bytes long)
10350000.bin - ?? Contains 16-bit text "Motorola's Flash Neptune LTE2"
10390000.bin - ?? Byte patterns looks like image assets
Debug Port
There appears to be two Debug Ports on the Rokr E2. The one on the front provides JTag access to the Applications Processor and access to the the ST_UART for a serial console. The other is assumed for the base-band.
Kernel NFS Support
The ROKR E2's kernel has static NFS support. After starting a telnet session, an exported NSF volume can be mounted with:
mkdir /tmp/mnt
mount -t nfs 192.168.1.1:/{export} /tmp/mnt -o nolock
Note that 'nolock' must be used, as no port mapper exists on the phone.
Media Player
Seems to use Helix 10.0 mediaplayer for tunes. However it is missing the oggfformat.so plugin so Ogg/Vorbis files do not play on this device (yet!)
These are the included plugins:
./usr/helix/aacff.so ./usr/helix/amrn.so ./usr/helix/amrw.so ./usr/helix/atrc.so ./usr/helix/audplin.so ./usr/helix/clntcore.so ./usr/helix/cook.so ./usr/helix/dmp4.so ./usr/helix/drv2.so ./usr/helix/drvc.so ./usr/helix/httpfsys.so ./usr/helix/hxsdp.so ./usr/helix/midfformat.so ./usr/helix/mp3fformat.so ./usr/helix/mp3render.so ./usr/helix/mp4fformat.so ./usr/helix/mp4v.so ./usr/helix/raac.so ./usr/helix/ramfformat.so ./usr/helix/ramrender.so ./usr/helix/rarender.so ./usr/helix/rmfformat.so ./usr/helix/rv20.so ./usr/helix/rv30.so ./usr/helix/rv40.so ./usr/helix/sipr.so ./usr/helix/smplfsys.so ./usr/helix/vidplin.so ./usr/helix/wma_fileformat.so ./usr/helix/wmarend.so
Browser
Official ROM version 33P uses Opera 8.5.2023.
CLIENT: MOT-E2/R564_G_12.02.32P Mozilla/4.0 (compatible; MSIE 6.0; Motorola ROKR E2)
Interesting Files
- This is a link to a dump of the directory structure and files found with firmware 43P: E2_FindDump
- This is a link to a dump of the running processes found on firmware 33P: E2_running_processes
- /usr/SYSqtapp/phone/alertprocess -playvol {n} -playfile foo.wav will play the foo.wav audio file at volume {n} (0-10).
- /usr/SYSqtapp/phone/vibrateprocess -playperiod {n} will cause the phone to vibrate for {n} seconds (default=1)
- libezxtapi.so (C, no mangeled names) communicates with the BP through a pair of PF_LOCAL UDP sockets to place calls, record audio, get BP version information, possibly check subsidy lock status, etc.
- /lib/modules/logger.o logs events to a pair of files on ezxlocal. Usage:
insmod /lib/modules/logger.o /usr/SYStapi/aplog_mode.sh 1
This will start logging, as per the writeable policy in /ezxlocal/ezx_aplog.cfg. The default is to log MUX and output files to /ezxlocal/downloads/mystuff/ as logging.map and logged.map
- /etc/init.d/ezxenvr.sh sets up all session variables necessary for executing apps.
- start-stop-daemon can be used like a "sudo -u root" by scripts run as user ezx:
start-stop-daemon --start --chuid root --exec {command} (command's arguments...)
Note that +s executables will fail unless user ezx makes a copy:
cp /bin/mknod /tmp/mknod; start-stop-daemon --start --chuid root --exec /tmp/mknod /tmp/device c 1 2
- A set/license of the Intel Performance Primitives (verison "5.0 Gold" in ROM 33P) exists in /usr/lib/ezx/lib/libipp-??.so. Headers can be downloaded free from the Intel evaluation download page.
- The libezxappbase.so.1 contains a number of WiFi-related routines.
The motoac kernel modifications
The Rokr E2 (and presumably the A1200) can restrict access to certain areas of the filesystem and tasks through a Motorola modified version of SELinux and policy called motoac. Motorola released the source for this under the GPL as part of their kernel source code release.
This is a link to a dump of the strings found in the acpolicy.cfg file distributed with firmware 33P: E2_acpolicy.cfg_strings
Motorola SElinux Policy
The ROKR 33P build's security policy can be found in the binary file /etc/acpolicy.cfg. Here is a summary for user 'root':
Filesystem: /usr/* protected resource (r-x) /bin/* protected resource (r-x) /sbin/* protected resource (r-x) /etc/* protected resource (r-x) /.backup/* protected resource (r-x)
Processes:
Defined Domains:
1: moto_domain
/bin/fakelogin3
/usr/SYSqtapp/drm/drmapp*
/usr/sbin/in.telnetd
/bin/bash
/bin/sh
/bin/ash
/usr/SYSqtapp/am/am*
/usr/SYSqtapp/phone/*
/etc/ac_getflexbit
2: carrier
3: trusted
4: Untrusted
Note that a more restrictive policy is defined for user "ezx".
Interesting Info
You can boot into flash mode by holding the "Voice Key" on the right side of the phone while powering up the phone. If you push the voice key again, you will go into the BP flash mode. Remove battery to reboot.
The PCM sound device driver only supports 16-bit LE audio.
ROM Version Discrepancies (from 33P)
R564_G_12.00.43P
- No MPKG installer/MPKG installer disabled (handset from China Mobile)
R564_G_12.01.46P
- Phone was purchased in China 2007/07, phone and firmware branded with China Mobile (中国移动)
- No mpkg installer.
- No USBNET connection option but IP access could be enabled with AT commands from modem mode. Handset would respond to ping (192.168.1.2).
- However, all ports were closed; no telnet or smb access.
External Links
- Official Motorola RORK E2 GPL Repository
- Motorola RORK E2 Modders Home - Simple and straight forward
- Motohell E2 Forum
- MotoModders E2 forum
- Freemod.net Rokr E2 Modding
- LibXZE2 unofficial (LEGAL) API for homebrew E2 development
- The "Motorola Fans" website is not linked here since many of the applications listed in the forum are illegal.
