![\"(swiped](\"http:\/\/www.computersolutions.cn\/blog\/wp-content\/uploads\/2010\/08\/imgA.jpg\" "\\"imgA\\"")
<\/a><\/p>\nDissected one and it contains the Anyka AK3651B as the main chip.<\/p>\n
The AK36xx series is an SoC (System on a Chip).<\/p>\n
As Anyka appears to be deathly afraid of giving out any useful information about their products, I’ve had to piece together info from what I found online.<\/p>\n Their own product page here – http:\/\/www.anyka.com\/enProShow.asp?sortFlag=110&sortName=Application%20Processor&id=105<\/a> 32-bit Microprocessor Core Video Coprocessor Audio Coprocessor Image Coprocessor Glueless Dual LCD Displays Connectivity Embedded ADCs and DACs Built-in Power Amplifier\/Headphone Driver<\/p>\n External Memory Support Package Appears that they’re mostly used in MP3\/MP4 players, which is why most of my googling on specs was ruined by whiny users asking for someone to please help them with their foobar’d player.<\/p>\n The first useful links on these are at Chuck’s pages here – http:\/\/www.chucklohr.com\/808\/<\/a><\/p>\n He’s done a lot of useful work collating information, although some of his deductions are a little strange, so take some things with a pinch of salt. Lots of good info though.<\/p>\n The main source of info on the hardware side is at http:\/\/www.readerme.com<\/a>, they have a most excellent section of downloads which provide more information on the chips than anything else out there!<\/p>\n We gave them a call and had a chat (one of the benefits of being located in China, is that we obviously speak Chinese in the office!). Both sides were laughing but we could at least talk to each other. “Mo man tai, dui ma?”<\/p>\n They actually don’t sell products, they only do design work for others, but, thats good to know. I’ll see if I can find the actual factories making these tomorrow. (Although when I say we, I mean the staff). The golden data trove is here – http:\/\/www.readerme.com\/html\/html\/%E7%9B%B8%E5%85%B3%E4%BA%A7%E5%93%81%E5%8E%9F%E7%90%86%E5%9B%BE%EF%BC%8C%E8%B4%B4%E7%89%87%E5%9B%BE.html<\/a><\/p>\n According to Anyka (\u5b89\u51ef in Chinese) the 36xx chips are a series, so they should have similar functionality. <\/p>\n While I don’t have data sheets, or a BSP, I can read the PDF’s at least to get an idea of where things are laid out.<\/p>\n AK3631B AK3651B They do look similar, so probably only minor differences in functionality (probably the newer ones are cheaper?). I may give them a call also, and see if they’ll be willing to give us some info about their products, but I’m not holding my breath on that one.<\/p>\n I’ve also poked around a bit in the firmware files using strings, and taking a look at headers, and have come up with some preliminary conclusions.<\/p>\n I’m guessing their SoC is ARM5 based, given what i have found (haven’t decompiled yet, but looks like that).<\/p>\n Some common strings in the firmware’s from start:<\/p>\n 00000 06 00 00 EA FE FF FF EA<\/p>\n Googling “06 00 00 EA FE FF FF EA” comes up with some other people talking about firmware for pxa312 devices, which have exactly that in their boot loader, so, seems likely.<\/p>\n The PXA312 is ARMv5TE…<\/p>\n I’m guessing some playing around with radare (http:\/\/radare.nopcode.org\/get\/radare.pdf.html<\/a>) should get some more info about whats going on.<\/p>\n Running strings on the firmware files available shows interesting info:<\/p>\n strings \/Documents\/Keychain\\ Camera\/cx311V2.04\/Spiboot_36XX.bin Thats our 4k bootloader, which obviously loads our 1M bios image from SPI flash memory (SPI = Serial Peripheral Interface) Hmm, more reasons for me to get a Bus Pirate now…<\/p>\n We have a flasher also, although its Windows based. eg: <\/p>\n “The setup packet is not 8 byte!”\n<\/p><\/blockquote>\n Also amusing is that its fairly easy to find the FAT32 code embedded in at least one of the firmwares<\/p>\n EB xx 90 … -> 55 AA (in Sprint1M.bin)<\/p>\n The flasher tool is also nice enough to give us an idea of layout in the 1M flash chip.<\/p>\n You’ll need to install the Anyka M3 USB driver to talk to the chip, which appears to have the following attributes via USB: This is a bit naughty, as 0471 is in theory already taken by Philips (or NXP) according to http:\/\/www.linux-usb.org\/usb.ids<\/a><\/p>\n Its also astoundingly obvious that they used driverworks to make the driver. (From the oh so copied in China vid\/pid, and the strings left in the driver). An example of this here http:\/\/www.baiheee.com\/OpenSource\/Easy%20USB%2051%20Programer\/Easy%20USB%2051%20Programer_DriveOurBoard.htm<\/a><\/p>\n Want to bet someone read those instructions and its been repeated ad nauseum? Back to our flasher, it says that our 1M chip is laid out as follows:<\/p>\n ###Project Name ###Devie Number ###COM path producer sundance2 = producer_sundance2.bin bios run addr = 0x30500000 chip type = AK_3225 ram size = 8 moduleburn DownloadMode = 2 fs start addr = 0x6c0000 partition count = 0<\/p>\n download_to_udisk count = 0<\/p>\n download_to_nand count = 3 download_to_mtd count = 0<\/p>\n nand supported count = 0\n<\/p><\/blockquote>\n If we take a look at that, our Spring1M_bios.bin starts off at C000 A look in a hex editor at that position shows:<\/p>\n Note the 32bit word value – 0xE1A0C00D<\/p>\n Thats classic ARM, so we _know_ its arm based…<\/p>\n romStart [0xe1a0c00d] mov r12,r13<\/p><\/blockquote>\n<\/a><\/p>\n
\nsays the following:<\/p>\n
\nIntegrated I\/D cache
\nMemory Management Unit (MMU)<\/p>\n
\nMPEG4.SP codec
\nH.263 codec
\nMotion JPEG codec<\/p>\n
\nMP3 decoder
\nWMA decoder
\nAAC\/AAC+ decoder
\nAMR codec
\nReal-time audio stream in PCM\/ADPCM format<\/p>\n
\nJPEG HW codec<\/p>\n
\nSupporting MPU LCD
\nSupporting RGB LCD
\nProgrammable LCD size and refreshing rate<\/p>\n
\nUSB 2.0 HS OTG
\nI2S master\/slave
\nUART
\nSPI
\nMMC\/SD<\/p>\n
\nSAR ADC for touch panel and voltage detect
\nSigma-Delta ADC for microphone
\nSigma-Delta DACs for stereo<\/p>\n
\nSupporting SDRAM
\nSupporting Nand Flash (SLC\/MLC, with hardware ECC)<\/p>\n
\nLQFP 128-pin\/144-pin\uff0cFBGA 100-pin\/144-pin<\/p><\/blockquote>\n
\nThey don’t speak great Mandarin though – so it was bad cantonesedarin or Mandonese? Hmm, have to come up with a word for that! (similar to Chinglish but mixing Cantonese and Mandarin).<\/p>\n
\nThey did point us in the direction of a few trading companies that could do FOB export, but shipping quantities are in the x,000’s so not so useful yet.<\/p>\n
\nThey did prove to be an excellent source of data on the chips though if one takes a look at the PDF’s on their site.<\/p>\n
\n<\/a><\/p>\n
\n<\/a><\/p>\n
\nAgain, hard to check, as Anyka datasheets appear to be hens teeth. <\/p>\n
\nANYKA362
\n 6KA49
\nstart read cfg
\nfile cnt:%d
\nfile name:%s
\nCannot find BIOS
\nread file info fail
\nload bios ……
\nmap:%d
\nfile len:%d
\nld addr:0x%x
\nLoad bios from spiflash successfuly!
\nread BIOS fail
\nspi boot start
\nsystem clock: %d
\nBIOS<\/p>\n<\/blockquote>\n
\nMore on SPI here.
\nhttp:\/\/en.wikipedia.org\/wiki\/Serial_Peripheral_Interface_Bus<\/a><\/p>\n
\nI’m guessing some USB sniffing will lead to some magic byte handshake sequence to get into the bootloader via USB, as the BIOS strings point to that.<\/p>\n<\/a><\/p>\n
\nVendor ID: 0471
\nProduct ID: 0666 (the product of the beast? hehe)<\/p>\n
\nSadly, its so easy to see the minimal effort that’s gone into things.<\/p>\n
\nproject name = chaoxian<\/p>\n
\ndevice channel = 8<\/p>\n
\ncom bOpen = 0
\ncom base = 1
\ncom count = 1
\ncom baud rate = 38400<\/p>\n
\npath producer sundance2A uboot = producer_sundance2A_uboot.bin
\npath producer sundance2A umass = producer_sundance2A_umass.bin
\npath nandboot sundance2= Spiboot_36XX.bin
\npath nandboot sundance2A= Spiboot_36XX.bin<\/p>\n
\nbios start addr = 0xc0000
\nbios end addr = 0x1c0000
\nbios backup start addr = 0x1c0000
\nbios backup end addr = 0x2c0000<\/p>\n
\nchip uboot = 1
\nchip power off gpio = 255
\nchip usb2 = 0
\nchip get aid = 0
\nchip update = 0
\nchip select loop = 1
\nchip select nand0 = 1
\nchip select nand1 = 1
\nchip select nand2 = 1
\nchip select nand3 = 1
\nchip gpio_ce2 = 255
\nchip gpio_ce3 = 255<\/p>\n
\nram row = 12
\nram column = 8
\nram bank = 4<\/p>\n
\nmoduleburn bDownloadFLS = 1
\nmoduleburn bDownloadEEP = 1
\nmoduleburn baudrate = 921600
\nmoduleburn gpio_dtr = 85
\nmoduleburn gpio_module_igt = 109
\nmoduleburn gpio_module_reset = 87
\nmoduleburn path_fls = LCG2.fls
\nmoduleburn path_eep = LCG2.eep<\/p>\n
\nfs reserver block = 64
\nfs nonfs reserve size = 4<\/p>\n
\ndownload_to_nand1 = 0, Spring1M_bios.bin, 0x30500000, BIOS
\ndownload_to_nand2 = 0, Spring.bin, 0x30000000, MMI
\ndownload_to_nand3 = 0, AkResData.Bin, 0x0, RES<\/p>\n
\n(bios start addr = 0xc0000)
\n(Deduct a 0 as we’re not offset by 0x300000000)<\/p>\n<\/a><\/p>\n