release
dev builds
extras
themes manual
wiki
device status forums
mailing lists
IRC bugs
patches
dev guide



Wiki > Main > MeizuReverseEngineering (compare)

Difference: MeizuReverseEngineering (r31 vs. r30)

Reverse engineering the Meizu players

M6

The main component of the M6 is the S5L8700. datasheet.

These are mostly guesses made by looking at the various debug strings in the firmware files and which addresses get accessed in those functions.

Memory

Address Device
0x00000000 Boot ROM (50KB)
0x08000000 SDRAM (16MB)
0x22000000 SRAM (256KB)
0x24000000 NOR Flash (1MB)*

*not in the M6SL

In DFU mode code gets loaded to 0x22000000 on M6SL, and to 0x22020000 on the other players

GPIO

Pin I/O/F M6SP M6SL M3
P0.0   QT411: SS QT1106: CS QT1106: CS
P0.1   QT411: SCLK QT1106: SCLK QT1106: SCLK
P0.2   Backlight: EN Backlight: EN Backlight: EN
P0.3   QT411: SDO QT1106: MISO QT1106: MISO
P0.4   QT411: DETECT QT1106: CHANGE QT1106: CHANGE
P0.5   Button: Hold   Button: Hold
P0.7   Button: Enter    
P1.0   LV24000: DATA button: Menu Buttons: Menu
P1.1   LV24000: NR_W LCD Driver: MISO  
P1.2   LV24000: CLOCK button: Lock switch codec identify
P1.3   Button: Power LTC3455: PWRON LTC3455: PWRON
P1.4   LTC3455: PBSTAT (Play button) button: Play Buttons: Play
P1.5   QT411: DRDY QT1106: DRDY QT1106: DRDY
P1.6   QT411: SDI QT1106: MOSI QT1106: MOSI
P3.2   LCD Driver: MISO SDO (nc) TEA5760: SDA TEA5760: SDA
P3.3   N/C button: RW Buttons: <>
P3.4   N/C TEA5760: SCL TEA5760: SCL
P3.6   LCD Driver: MOSI SDI    
P3.7   LCD Driver: SCLK SCL    
P4.2   N/C LCD Driver: SCLK  
P4.3   N/C LCD Driver: MOSI  
P4.7   N/C button: FF  
P5.0   codec reset codec reset codec reset
P5.1   BEEP+ BEEP+ BEEP+
P5.2   BEEP- BEEP- BEEP-
P5.7   LTC3455: CHRG LTC3455: CHRG LTC3455: CHRG
P7.0   LCD Driver: RST? RST (nc) LCD Driver: RST?  
P7.1   LCD Driver: CS LCD Driver: CS  
P10.0   I2C: SCL I2C: SCL I2C: SCL
P10.1   I2C: SDA I2C: SDA I2C: SDA

(nc) means not connected.

Power system

The CPU can control its own power by sending a signal to the power manager IC. This means that during power-up it has to quickly let the power manager know it wants to keep receiving power. Using the same signal, the CPU can shut itself (and the rest of the electronics) down.

A long press on the play button (M3) or the enter button (M6) causes a quick power-down/power-up sequence, allowing the user to reset the system even when the CPU has completely crashed.

Battery charging is done completely in hardware, software can only monitor whether the charger is active or not.

I2C?

Devices connected to built-in I2C bus:

  • 0x30: UDA1380 codec
  • 0x34: WM8987 codec
  • 0x60-0x6F: S35390 RTC

Devices connected to GPIO-based I2C bus:

  • 0x22: TEA5760 FM radio

ADC

Channel M6SP M6SL M3
ADC0 Buttons   -
ADC2 Battery voltage   Battery voltage

The 10-bit ADC seems to have a full range of 3.00V. The battery voltage is divided by two (through a resistive divider) before entering one of the ADC channels.

r32 - 14 Jan 2010 - 17:53:49 - BertrikSikken

Revision r31 - 04 Nov 2009 - 07:03 - BertrikSikken
Revision r30 - 05 Aug 2009 - 07:51 - BertrikSikken
Copyright by the contributing authors.