Project

General

Profile

researching the thuraya sg2520 smartphone

  • made by apsi / www.apsat.co.kr
  • fcc id: TZ5SG2520, ( search here )
  • the gsm part is a siemens MC 55 revision 0400

software

System OS of SG-2520 terminal is using Windows CE 4.2 Core and it is consisted of OMAP
1510 CPU, ARM Core, RAM 128 MB, and Flash ROM 64 MB. Screen is 176 x 220 Pixel and it
supports Bluetooth, IrDA, 1.30 Mega Pixel and SD card. File access is possible via ActiveSync
but it does not support DB Sync.

XP/2000 can be used as development environment and development tool is based on the
Embedded Visual C++ 4.0 and you need to use the SG2520-CORE-SDK-8.2 Device of SDK.

see this page for instructions on how to update the phone to the latest firmware version.

the usb connector

  • type: 3050-24R-0.5 from HJI&C
    • it looks quite a bit like a lg c1200 / zune / ipod connector.
  • i think we need 3050-24P-0.5
devices available on the connector:
  • uart1 : rx=pin13, tx=pin14, rts=pin20, cts=pin23
  • uart2 : rx=pin1, tx=pin3
  • i2c : pin7=SCL, pin11=SDA, irq=pin24
  • audio: mic=pin8+pin9, spk=pin17+pin18
  • usb: DM-=pin10, DM+=pin15, VBUS=pin16
  • Ground=pin12, pin19
  • extdevice power: pin21, pin22
  • external boot : pin2
  • charge voltage : pin4+pin5
  • external device attached signal : pin6

you can connect to the internal modem as follows

  • from start -> connectivity -> bluetooth
  • turn 'on', and select 'dial up network'
  • move rocker switch to the right for the 'search' window
  • make desktoppc discoverable
  • select your desktoppc, then choose 'pairing' from the option menu
  • from your desktop connect to the dialup profile
  • talks at 115200 baud

'secret' dial codes

|| 3785#*# || HKLM\SOFTWARE\NaceTech\Network :CurrentModuleID=1 :SystemPreference=2 || 3597#*# || HKLM\SOFTWARE\NaceTech\Network :CurrentModuleID=0 :SystemPreference=0 || 47726#*# || EngineerMenu.exe || 357899#*# || SDUpgrade.exe || 321*321#*# || show 'operation time' ? || 321*123#*# || show start/end time ?

rom v2.3

|| 47722#*# || Diagnostic\GmtsLinkage.exe || 47723#*# || Diagnostic\GsmLinkage.exe || 47724#*# || Diagnostic\ImeiSetting.exe || 47725#*# || Diagnostic\TransVer.exe || 47726#*# || EngineerMenu.exe || 357899#*# || SDUpgrade.exe || 47726##*## || DebugMode.exe || #746635625## || PhoneLock.exe || #737# || Settings/SGClean.exe ; master reset || 7453328466#*# || \DiskOnChip\RilDbg.log ; RIL debug Switched on || 74533284633#*# || \DiskOnChip\RilDbg.log ; RIL debug Switched off || 7453776724325#*# || ?? || 321*321#*# || show 'operation time' ? || 321*123#*# || show start/end time ?

memory map

|| virtual || physical || size || v80000000-81000000 || p00000000-01000000 || 1000000 || v81000000-81400000 || p04000000-04400000 || 400000 || v83000000-84000000 || p0c000000-0d000000 || 1000000 || v84000000-88000000 || p10000000-14000000 || 4000000 || v88000000-88100000 || p20000000-20100000 || 100000 || v89000000-8a100000 || pe0000000-e1100000 || 1100000 || v8bf00000-8c000000 || pfff00000-00000000 || 100000 || vfffd0000-fffd1000 || p10500000-10501000 || 1000 || vfffd1000-fffd2000 || p10500000-10501000 || 1000 || vfffd2000-fffd3000 || p10500000-10501000 || 1000 || vfffd3000-fffd4000 || p10500000-10501000 || 1000 || vffff0000-ffff1000 || p10504000-10505000 || 1000 || vffff2000-ffff3000 || p10504000-10505000 || 1000 || vffff4000-ffff5000 || p10504000-10505000 || 1000 || vffff6000-ffff7000 || p10504000-10505000 || 1000 || vffffc000-ffffd000 || p10505000-10506000 || 1000

disk on chip

|| binary partition || pdocread -n 0 -b 0x20000 0 0x100000 bdk0.nb || bootloader || 20M xip image || pdocread -h 0x87c12aae 0 0x1400000 dsk1.nb || DSK1: osimage || 64M fat32 || pdocread -h 0x47b6a28e 0 0x4000000 dsk2.nb || DSK2: contains thuraya shell etc. || 30M fat16 || pdocread -h 0xa7b6a2f2 0 0x1e00000 dsk4.nb || DSK4: userfilesystem || OTP || pdocread -o 0 0x1c || 001AB1018CE7,356013006101607 ( the bluetooth-mac + imei )

hardware

  • large circuitboard
    • display
    • keyboard
    • sdcard slot
    • samsung btez1702sa / 060420 aba
      • bluetooth
    • 604A / 0547 (16 pin chip )
    • microphone
    • pads where speaker attaches
    • Infrared part
  • small circuitboard 'siemens mc55'
    • infineon PMB 7850 E / 60608 / EL606065S04
      • GSM / GPRS Single Chip Baseb
    • dialog D0767CB LF / 060855YH
      • power management
    • M36W0T604 / 0T1ZAQ / 99246 v5 / MYS 99 603 / (st)
      • 16MByte flash + 2MByte sram
  • main board front
    • TPS65010 / TI 5CW / ZCH5 G4
      • powermanagement chip
    • SEC 631 BL75 / K4M511633C
      • 64M byte SDRAM
    • Ricoh 387A / A59
      • realtime clock
    • 635 / 555L18
      • probably timer chip.
    • TI OMAP1510G / 65C052W / ZZG2
      • probably the application processor
    • NLAS 3699 G5CHN ( several of these )
      • 4 low power RON switch
    • M-systems DiskOnChip G4 / MD8832-d16-V3-X-P
      • flash chip
    • nVidia GoForce 4000 / S AGKTP / taiwan 452a2
      • video codec
    • TI AIC1110 / 69HLJ
      • pcm codec with mic+spk amps
    • TI AIC23BIZ / 61K9T
      • audio codec with headphone amp
    • SIRF / GSC3f-7879 / DRRPAB / NO2WCQF / 0628 KR
      • gps
    • small battery
  • main board back
    • DALMA v2.1 / P2YH6-032
      • probably the sat radio part
    • TI OMAP1510G / 65C052W / ZZG2
      • probably the SAT processor
    • intel 3050L0ZBQ / 5616B221 / Z617I112A
      • probably ram+flash
    • connector for camera part
    • philips 9535 / 0419 / buG634
      • i2c gpio pins
    • philips 8028 / 218W / ctG607B
      • 2.5Ghz IF freq synth
    • AD9864 / BCPZ / # 0622 / 906925.1
      • IF digitizing part
    • sim connector
    • battery connector
    • 16 pad test connector
  • camera part
    • connector on top for siemens board

talking to thuraya modem via bluetooth on osx

  • on device, enable bt, show, 'dun'
  • on mac: add serialport for 'dialup networking' and 'rs232'

sg2520 usb modes


<pre>
[activesync mode]
usbvidpid:  1a26:9d84
    class=0xff, subclass=0xff, protocol=0xff

[usb modem] in gsm mode
usbvidpid: 1a26:9d81   class=0x02
 interface#1 class=0x02[CDC] subclass=0x02 [ACM] protocol=0x01 [at commands]
 interface#2 class=0x0A[CDCData] subclass=0x00 protocol=0x00

[usb modem] in sat mode
usbvidpid: 1a26:9d82   class=0x02
 interface#1 class=0x02[CDC] subclass=0x02 [ACM] protocol=0x01 [at commands]
 interface#2 class=0x0A[CDCData] subclass=0x00 protocol=0x00

[uart]
usbvidpid: 1a26:9d83   class=0x02
 interface#1 class=0x02[CDC] subclass=0x02 [ACM] protocol=0xff
 interface#2 class=0x0A[CDCData] subclass=0x00 protocol=0x00
</pre>
Add picture from clipboard (Maximum size: 48.8 MB)