From The iPhone Wiki
Revision as of 11:23, 24 March 2017 by Spydar007 (talk | contribs)

This chip is in the iPod touch (2nd generation) and iPhone 3GS. It combines Bluetooth and Wi-Fi communications, and a yet-to-be-enabled FM radio.

FM Radio

The most peculiar thing is the inclusion of an FM radio. Interfacing with the FM radio is done in two stages: control via the Bluetooth module's UART or I2C, and digital audio streaming over the module's I2S/PCM hardware.

Most notably, the FM radio never physically leaves the silicon die, except for the antenna (which may be connected directly to the BT/UMTS/everything else [:P lol] antenna). This means that the control/streaming will be an extension to the BT protocols currently implemented.

For control, HCI over UART (/dev/uart.bluetooth) seems the most logical way to turn the radio on, tune, search, etc., but the vendor-specific HCI commands will need to be *obtained* (or reversed, which could prove hard). A Broadcom datasheet would have this information, but unfortunately you have to sign an NDA to obtain one.
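When looking at bytes captured on that UART, the first job is to separate standard HCI commands from vendor-specific ones. The following is an added example, not code from the wiki or from Broadcom: it assumes the standard H4 UART framing from the Bluetooth Core Specification and a capture containing only the host-to-controller direction, and the sample bytes (including the vendor OCF 0x155) are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H4_COMMAND 0x01   /* H4 packet indicator: HCI command */
#define OGF_VENDOR 0x3F   /* opcode group reserved for vendor-specific commands */

typedef struct {
    uint8_t ogf;            /* opcode group field: upper 6 bits of the opcode */
    uint16_t ocf;           /* opcode command field: lower 10 bits */
    uint8_t plen;           /* parameter length in bytes */
    const uint8_t *params;  /* points into the caller's buffer */
} hci_cmd;

/* Constructed sample: HCI_Reset, then a made-up vendor command (OCF 0x155). */
static const uint8_t sample[] = { 0x01, 0x03, 0x0C, 0x00,
                                  0x01, 0x55, 0xFD, 0x02, 0xAA, 0xBB };

/* Parse one command. Returns bytes consumed, 0 if truncated, -1 if not a command. */
int hci_parse_cmd(const uint8_t *buf, size_t len, hci_cmd *out)
{
    if (len < 1) return 0;
    if (buf[0] != H4_COMMAND) return -1;
    if (len < 4) return 0;
    uint16_t opcode = (uint16_t)(buf[1] | (buf[2] << 8));  /* little-endian */
    out->ogf = (uint8_t)(opcode >> 10);
    out->ocf = (uint16_t)(opcode & 0x03FF);
    out->plen = buf[3];
    if (len < (size_t)4 + out->plen) return 0;
    out->params = buf + 4;
    return 4 + out->plen;
}

/* Walk back-to-back commands; return the vendor-specific count, -1 if malformed. */
int count_vendor_cmds(const uint8_t *buf, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; ) {
        hci_cmd c;
        int used = hci_parse_cmd(buf + off, len - off, &c);
        if (used <= 0) return -1;
        if (c.ogf == OGF_VENDOR) n++;
        off += (size_t)used;
    }
    return n;
}

int main(void)
{
    printf("vendor-specific commands: %d\n", count_vendor_cmds(sample, sizeof sample));
    return 0;
}
```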

For streaming, the I2S bus sounds good... Interfacing with it could be hard, but by building on the stereo Bluetooth profile of iPhone OS 3 we could piggyback, at least to start with. However, we do need the radio ON first...

In terms of sound streaming, /etc/bluetool/iPhone2,1.boot.script from iPhone OS 3 contains these lines of interest:

    ## Set the sleep mode params
    bcm -s 0x01,0x00,0x00,0x01,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x01
    msleep 200
    # Configure I2S GPIO lines <---- here
    bcm -g
    msleep 50
    # route audio to pcm <---- here
    bcm -p
    ## That was easy!


This means that there is more than likely some sound streaming code just waiting to receive data (or send it, in which case it could easily be hacked??)

Let's find it!

This code interfaces with *a* PCM device... the mic (I haven't upgraded to the iOS 4 SDK, so this comment assumes no secondary mic as present in iPhone 4).

It refers to PCM devices as 'audio units' or 'audio components':

    #include <AudioUnit/AudioUnit.h>

    // Open the output unit
    AudioComponentDescription desc;
    desc.componentType = kAudioUnitType_Output;
    desc.componentSubType = kAudioUnitSubType_RemoteIO;   // RemoteIO: the hardware input/output unit
    desc.componentManufacturer = kAudioUnitManufacturer_Apple;
    desc.componentFlags = 0;
    desc.componentFlagsMask = 0;

    // Find the first audio component matching the description
    AudioComponent comp = AudioComponentFindNext(NULL, &desc);

Technically, all we have to do is turn the radio on, find the correct audio component and then stream the data to the UI, don't we??? This app even does all of the streaming and such for us!

However, there is no way to verify the radio is on from just the HCI side (it's all RX and no output) or just the PCM side... we need to have both parts working simultaneously. Remember to route the audio through PCM in the chip initialisation script! (Which means a ton of reverse engineering/fiddling around with undocumented parts...)


The 'datasheet' provided is rubbish and we need the actual datasheet before any real development can be done...


Broadcom page for BCM4325