
ubuntu-phone team mailing list archive

Re: FM Radio Status

 

Good morning dear list,

it's time for the "good news, bad news" part again.

The good news: I managed to attach gdb to the Factory Mode [1] binary,
and with some debugging-symbol-building and gdb-command-writing it's now
starting to get possible to catch every ioctl and semi-automatically
dump the parameters. Those of you who know a bit about debugging may see
the value in a gdb output like this one:

Breakpoint 1, 0xb6f41298 in ioctl () from /system/lib/libc.so

lrwx------ root     root              2015-12-16 21:44 25 -> /dev/fm
FM_IOCTL_POWERUP
$5 = {err = 0 '\000', band = 1 '\001', space = 1 '\001', hilo = 0 '\000', freq = 880}

Turns out you only need three ioctl()s to power on and tune the whole FM
chip: FM_IOCTL_POWERUP, FM_IOCTL_MUTE and FM_IOCTL_ANA_SWITCH.


The bad news: We also caught all the ioctls necessary to tell the audio
chip to forward the FM signal to the headphones, and it's 90 (!) calls.
So our problem isn't the FM radio, it actually seems to be the audio
subsystem.


cheers,
Simon


[1]
http://sturmflut.github.io/ubuntu/bq/2015/05/04/hacking-the-bq-part-2-factory-mode/
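
The kind of decoding the gdb session above performs for each caught ioctl, as an added example that is not part of the original post: it splits a Linux ioctl request number into its bit fields and unpacks an argument buffer with the field names from the gdb dump. The field widths, the magic value 0x46 and the sample request number are assumptions constructed for illustration, not values taken from the driver.

```python
import struct
from collections import namedtuple

# Linux asm-generic ioctl request layout (also used on 32-bit ARM):
# bits 0-7 = nr, 8-15 = type ("magic"), 16-29 = arg size, 30-31 = direction.
DIRECTIONS = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}

IoctlRequest = namedtuple("IoctlRequest", "direction magic nr size")
TuneParm = namedtuple("TuneParm", "err band space hilo freq")

# ASSUMPTION: four 1-byte fields followed by a little-endian 16-bit freq.
# Field names come from the gdb dump; the widths are a guess.
TUNE_PARM_FMT = "<4BH"

# CONSTRUCTED sample values: the magic (0x46) and the request number are
# placeholders, not the driver's real FM_IOCTL_POWERUP encoding.
KNOWN = {(0x46, 0): "FM_IOCTL_POWERUP"}
SAMPLE_REQUEST = (3 << 30) | (struct.calcsize(TUNE_PARM_FMT) << 16) | (0x46 << 8) | 0
SAMPLE_ARG = bytes([0, 1, 1, 0]) + struct.pack("<H", 880)


def decode_request(request):
    """Split a 32-bit ioctl request number into its four bit fields."""
    return IoctlRequest(
        direction=DIRECTIONS[(request >> 30) & 0x3],
        magic=(request >> 8) & 0xFF,
        nr=request & 0xFF,
        size=(request >> 16) & 0x3FFF,
    )


def decode_tune_parm(buf):
    """Unpack the argument buffer; refuse short reads instead of guessing."""
    need = struct.calcsize(TUNE_PARM_FMT)
    if len(buf) < need:
        raise ValueError(f"need {need} bytes, got {len(buf)}")
    return TuneParm(*struct.unpack_from(TUNE_PARM_FMT, buf))


def describe(request, arg, known=KNOWN):
    """Render one captured call roughly the way the gdb session prints it."""
    req = decode_request(request)
    name = known.get((req.magic, req.nr), f"UNKNOWN(0x{request:08x})")
    parm = decode_tune_parm(arg)
    fields = ", ".join(f"{k}={v}" for k, v in parm._asdict().items())
    return f"{name} dir={req.direction} size={req.size} {{{fields}}}"


if __name__ == "__main__":
    print(describe(SAMPLE_REQUEST, SAMPLE_ARG))
```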

