Saturday 22 November 2014

MTK (Mediatek) debug cable

Reverse engineering crappy Android Linux hardware/platforms is much easier with a serial console when you have a working kernel but no source (the first attempt of course being a GPL request, then, when that fails, github/google). Many (most?) cheap smartphones at the moment are made using Mediatek SoCs like the MT6582, MT6589, or older MT6572. An interesting feature I found in these is that after the preloader stage, the LK bootloader and also the main kernel provide a 921600 baud TTL UART console port on the USB data lines, provided that it "sees" it during startup (otherwise you get normal USB).

A "Prolific" PL2303HX cable will cost you about £2 from ebay. A CP210x might be a better choice, but they were just open boards so didn't look as nice.


The "2 minute" version is to just swap the cable for a micro USB cable. The phone will charge if you connect the 5V wire, but the safe approach is to connect only the other 3 and leave 5V disconnected. Note that I put the green and white TX/RX the wrong way around here, on purpose to demonstrate what not to do *ahem*


That's the easy way... but the 5V input meant the phone boots up as soon as the cable is plugged in, which wasn't ideal. The few hours battery was no use really. I could have just put a switch on the cable - but that would have looked a mess. I opted for switching the 5V line using the DTR signal (ctrl-T in picocom). You might get lucky and find that DTR (pin 2 on the PL2303) is already connected up to a spare track or pad, but if not, SSOP isn't too small:


Take some switching parts from an old PC motherboard or something. I used a P-channel MOSFET, an NPN transistor, a 10k and a 1k resistor, as shown in this non-standard & badly labelled diagram:


I tested it before compacting it! (also added an LED to show charging on/off). The phone is on the other end of the cable here... the LED isn't drawing 700mA :)


There's plenty of space to fit it inside the USB plug. If you can't use SMD parts, it'd probably sit above the PCB without issue.


The finished cable. "Why that horrible green?" - stops me thinking it's just a normal micro usb cable and plugging it in to something else and exploding it
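
A scripted alternative to picocom for this cable, added here as an example (not the author's code): it opens the adapter at 921600 8N1, drives DTR for the 5V switch, and sorts the capture into the failure modes raised in the comments below. The device path, DTR polarity, 10 second window and 90% printable threshold are assumptions.

```python
import fcntl
import os
import select
import sys
import termios
import time

def open_uart(path):
    # Raw 921600 8N1 on a Linux tty; O_NONBLOCK so open() never waits for carrier.
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
    attrs = termios.tcgetattr(fd)
    attrs[0] = attrs[1] = attrs[3] = 0           # no input/output/line processing
    attrs[2] = termios.CS8 | termios.CREAD | termios.CLOCAL
    attrs[4] = attrs[5] = termios.B921600        # ispeed / ospeed
    attrs[6][termios.VMIN], attrs[6][termios.VTIME] = 1, 0
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return fd

def set_dtr(fd, on):
    """Drive DTR; which level enables 5V depends on how the switch is wired."""
    op = termios.TIOCMBIS if on else termios.TIOCMBIC
    fcntl.ioctl(fd, op, termios.TIOCM_DTR.to_bytes(4, sys.byteorder))

def capture(fd, seconds):
    """Read whatever arrives for `seconds` and return it as bytes."""
    data, deadline = bytearray(), time.monotonic() + seconds
    while (left := deadline - time.monotonic()) > 0:
        if select.select([fd], [], [], left)[0]:
            chunk = os.read(fd, 4096)
            if not chunk:                        # adapter went away
                break
            data += chunk
    return bytes(data)

def triage(data):
    """Sort a capture into the failure modes discussed for this cable."""
    if not data:
        return "no-output: check TX/RX orientation; plug in with the phone off"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if printable / len(data) < 0.9:              # assumed threshold
        return "garbage: wrong baud rate or a noisy signal"
    if b"printk.disable_uart=1" in data:
        return "ok-until-kernel: cmdline turns the kernel UART console off"
    return "ok: readable boot log"

if __name__ == "__main__":
    fd = open_uart(sys.argv[1])                  # e.g. /dev/ttyUSB0 (assumed path)
    set_dtr(fd, True)                            # assumed polarity for the 5V switch
    log = capture(fd, 10.0)                      # assumed 10 s window
    sys.stdout.buffer.write(log)
    print("\n[triage]", triage(log), file=sys.stderr)
```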

17 comments:

  1. hey, that's what i'm looking for :)

  2. Is there anything needed in terms of kernel settings? I can't get this to work on either fairphone1 or Wiko Stairway.

    Is there a specific boot up sequence needed? Like plug in cable when battery out?

    Replies
    1. It just needs to be plugged in while the phone is switched off. This starts producing output from the preloader, and keeps running through lk, but most likely output will stop once the kernel starts - the default boot cmdline includes a printk.disable_uart=1

      You can either patch this in lk, or there is an undocumented fastboot command to toggle it for the next reboot. I can't quite remember what it was, but something along the lines of "fastboot oem p2u 1"

      You should still see hundreds of lines of output before the kernel loads though, so if you've got nothing then maybe your tx/rx are swapped, or baud rate is incorrect?

  3. This does not work on my Honor 3C (H30-U10). There's no output produced. I tried swapping TX/RX, no success. And yes baud rate was set to 921600.

  4. Does it use 5V or 3.3V data voltage levels?

    Replies
    1. 3.3V on the SoCs I've tested - the same as USB FS ( https://en.wikipedia.org/wiki/USB#Signaling )

    2. So, my 5V USB-TTL PL2303HX might have killed the UART in my old phone :)

    3. If it's definitely using 5V I/O then yes, probably. The Mediatek data brief lists the absolute maximum rating for the USB to be 3.465V

      However the datasheet for the PL2303HX (rev D) says the serial signals are limited from 1.8V to 3.3V... not as far as 5V. http://www.prolific.com.tw/userfiles/files/ds_pl2303hxd_v1_4_4.pdf
      (page 13, pin 4)

    4. I was wrong, actually. I checked it with a multimeter and it's 3.3V. But it didn't work anyway.

      I tried modifying the LK to have printk.disable_uart always 1, but it didn't work. Swapping the RX and TX lines didn't help either. And there's no UART on the motherboard, no kernel sources for the phone. And the LCD screen is dead too.

      I needed the UART to try to install Debian instead of Android.

  5. Hello again. I've connected UTXD4 to my PL2303HX (only GND and RX). I get some output to the console, but I think the charset is wrong (I use UTF-8): http://imgur.com/VSK9L0a . Do you have any ideas?

    Replies
    1. Looks like a wrong baud rate setting. The MTK default is 921600.

    2. I tried different baudrates (921600 too), but I had the same result: garbage instead of text. Is it possible that my thin wires cause interference :) ?
      By the way, thanks for quick reply.

    3. It's probably not interference at the low speeds that UART runs at. Do you have any kind of oscilloscope or logic analyzer? That'd be the easiest way to see what's actually being transmitted.

    4. Fixed it with the orange loop. It was the interference.
      http://imgur.com/a/8Xljh

    5. Ah well, I'm glad you got it working!

    6. I've finally managed to get systemd to work (even though I used kernel for other MTK6589 SP). One last question: is it OK if I also connect RX pin (1.8V) to my USB-TTL (3.3V)?
      Thank you for everything.

    7. I wouldn't recommend it (although I have done in the past without causing any noticeable damage). The datasheet says 1.7-1.9v as the absolute max rating.

      You can make a level shifter with just a few parts, or buy them for a few cents/pence on ebay. This kind of thing will work fine for UART/JTAG/etc: https://learn.sparkfun.com/tutorials/bi-directional-logic-level-converter-hookup-guide
