Difference between revisions of "BCM4325"

From The iPhone Wiki
Jump to: navigation, search
m
 
(14 intermediate revisions by 4 users not shown)
Line 1: Line 1:
This chip is in the iPod2,1 (iPod touch 2G) and iPhone2,1 (iPhone 3GS) and combines Bluetooth/Wifi and a secret FM radio, presumably connected and ready to go on a future firmware release by Apple.
+
This chip is in the [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]]. It combines Bluetooth and Wi-Fi communications, and a yet-to-be-enabled FM radio.
   
 
== FM Radio ==
 
== FM Radio ==
  +
The most peculiar thing is the inclusion of an FM radio. Interfacing the FM radio is done in two stages: Control via the Bluetooth modules's UART or I2C and digital audio streaming over the module's I2S/PCM hardware.
   
  +
Most notably: the FM radio never physically leaves the sillicon die, except for the antenna (which may be connected directly to the BT/UMTS/everything else [:P lol] antenna) this means that the control/streaming will be an extension to the BT protocols currently implemented.
The most peculiar thing is the inclusion of an FM radio. There is a product brief available from broadcom on this chip: {put link here} but it serves little purpose apart from the block diagram and interface hardware/software.
 
   
  +
For control, the HCI over UART (/dev/uart.bluetooth) seems the most logical solution to turn the radio on/tune/search etc. but the vendor specific HCI commands will need to be *obtained* (or reversed, which could prove hard). A broadcom datasheet would have this information, but unfortunately you have to sign an NDA to obtain one.
Interfacing the FM radio is done in two stages: Control via the bluetooth modules's UART or I2C and digital audio streaming over the module's I2S/PCM hardware.
 
   
  +
For streaming, the i2s bus sounds good... interfacing this could be hard but playing on the stereo bluetooth profile of iPhone OS 3 we could piggy back, at least to start with. however we do need the radio ON first...
most notably: the FM radio never physically leaves the sillicon die, except for the antenna (which may be connected directly to the BT/UMTS/everything else [:P lol] antenna) this means that the control/streaming will be an extension to the BT protocols currently implemented.
 
   
  +
In terms of sound streaming /etc/bluetool/iPhone2,1.boot.script from iPhone OS 3 contains these lines of interest:
For control, the HCI over UART (/dev/uart.bluetooth) seems the most logical solution to turn the radio on/tune/search etc. but the vendor specific HCI commands will need to be *obtained* (or reversed, which could prove hard). A broadcom datasheet would have this information, but unfortunately you have to sign an NDA to obtain one.
 
   
For streaming, the i2s bus sounds good... interfacing this could be hard but playing on the stereo bluetooth profile of iphone OS 3 we could piggy back, at least to start with. however we do need the radio ON first...
 
   
  +
<code>
== Datasheet ==
 
  +
<nowiki>##</nowiki> Set the sleep mode params
   
  +
bcm -s 0x01,0x00,0x00,0x01,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x01
  +
  +
msleep 200
  +
  +
<nowiki>#</nowiki> Configure I2S GPIO lines <---- here
  +
  +
bcm -g
  +
  +
msleep 50
  +
  +
<nowiki>#</nowiki> route audio to pcm <---- here
  +
  +
bcm -p
  +
  +
<nowiki>##</nowiki> That was easy!
  +
  +
quit</code>
  +
  +
  +
this means that there is more than likely some sound streaming code just waiting to receive data (or send it, in which case it could easily be hacked??)
  +
  +
lets find it!
  +
  +
This code interfaces *a* PCM device... the mic (i havent upgraded to the iOS 4 SDK so this comment assumes no secondary mic as present in iPhone 4)
  +
  +
http://developer.apple.com/iphone/library/samplecode/aurioTouch/Introduction/Intro.html
  +
  +
with reference to pcm devices as 'audio unit' s or 'audio component' s :
  +
  +
  +
<code>
  +
// Open the output unit
  +
  +
AudioComponentDescription desc;
  +
  +
desc.componentType = kAudioUnitType_Output;
  +
  +
desc.componentSubType = kAudioUnitSubType_RemoteIO;
  +
  +
desc.componentManufacturer = kAudioUnitManufacturer_Apple;
  +
  +
desc.componentFlags = 0;
  +
  +
desc.componentFlagsMask = 0;
  +
  +
  +
AudioComponent comp = AudioComponentFindNext(NULL, &desc);
  +
</code>
  +
  +
Technically, all we have to do is turn the radio on, find the correct audio component and then stream the data to the UI, don't we??? This app even does all of the streaming and such for us!
  +
  +
However, there is no way to verify the radio is on from just the HCI side (its all rx and no output) or just the PCM side... we need to have both parts working simultaneously. Remember to route the audio through PCM in the chip initialisation script! (Which means a ton of reverse engineering/fiddling around with undocumented parts...)
  +
  +
== Datasheet ==
 
The 'datasheet' provided is rubbish and we need the actual datasheet before any real development can be done...
 
The 'datasheet' provided is rubbish and we need the actual datasheet before any real development can be done...
  +
  +
==Links==
  +
[http://www.broadcom.com/products/Bluetooth/Bluetooth-RF-Silicon-and-Software-Solutions/BCM4325 Broadcom page for BCM4325]

Latest revision as of 11:23, 24 March 2017

This chip is in the iPod touch (2nd generation) and iPhone 3GS. It combines Bluetooth and Wi-Fi communications, and a yet-to-be-enabled FM radio.

FM Radio

The most peculiar thing is the inclusion of an FM radio. Interfacing the FM radio is done in two stages: Control via the Bluetooth modules's UART or I2C and digital audio streaming over the module's I2S/PCM hardware.

Most notably: the FM radio never physically leaves the sillicon die, except for the antenna (which may be connected directly to the BT/UMTS/everything else [:P lol] antenna) this means that the control/streaming will be an extension to the BT protocols currently implemented.

For control, the HCI over UART (/dev/uart.bluetooth) seems the most logical solution to turn the radio on/tune/search etc. but the vendor specific HCI commands will need to be *obtained* (or reversed, which could prove hard). A broadcom datasheet would have this information, but unfortunately you have to sign an NDA to obtain one.

For streaming, the i2s bus sounds good... interfacing this could be hard but playing on the stereo bluetooth profile of iPhone OS 3 we could piggy back, at least to start with. however we do need the radio ON first...

In terms of sound streaming /etc/bluetool/iPhone2,1.boot.script from iPhone OS 3 contains these lines of interest:


## Set the sleep mode params

bcm -s 0x01,0x00,0x00,0x01,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x01

msleep 200

# Configure I2S GPIO lines <---- here

bcm -g

msleep 50

# route audio to pcm <---- here

bcm -p

## That was easy!

quit


this means that there is more than likely some sound streaming code just waiting to receive data (or send it, in which case it could easily be hacked??)

lets find it!

This code interfaces *a* PCM device... the mic (i havent upgraded to the iOS 4 SDK so this comment assumes no secondary mic as present in iPhone 4)

http://developer.apple.com/iphone/library/samplecode/aurioTouch/Introduction/Intro.html

with reference to pcm devices as 'audio unit' s or 'audio component' s :


// Open the output unit

AudioComponentDescription desc;

desc.componentType = kAudioUnitType_Output;

desc.componentSubType = kAudioUnitSubType_RemoteIO;

desc.componentManufacturer = kAudioUnitManufacturer_Apple;

desc.componentFlags = 0;

desc.componentFlagsMask = 0;


AudioComponent comp = AudioComponentFindNext(NULL, &desc);

Technically, all we have to do is turn the radio on, find the correct audio component and then stream the data to the UI, don't we??? This app even does all of the streaming and such for us!

However, there is no way to verify the radio is on from just the HCI side (its all rx and no output) or just the PCM side... we need to have both parts working simultaneously. Remember to route the audio through PCM in the chip initialisation script! (Which means a ton of reverse engineering/fiddling around with undocumented parts...)

Datasheet

The 'datasheet' provided is rubbish and we need the actual datasheet before any real development can be done...

Links

Broadcom page for BCM4325