Odin protocol
From Samsung H1 Wiki
Communication with Sbl is performed over a virtual (USB) serial port.
- The handshake and any messages may have a required minimum length; this has yet to be verified.
- Further research is needed; this writeup is mainly what I've been able to recall from memory (as I'm unable to test and verify right now Ius 02:58, 3 February 2010 (UTC))
Handshake
A message containing 'SAMSUNG' is sent to Sbl, which in turn replies 'LAST'.
Commands
If the handshake is successful, the host may send various commands to the device using a fixed format (or header?).

```c
struct odin_msg {
    unsigned int cmd;   /* opcode, see the table below */
    unsigned int arg;
    unsigned int len;
    unsigned int flag;
};
```

| Name | Opcode | Description |
|---|---|---|
| cmd_image_pbl | 0x1F4 (500) | |
| cmd_image_sbl | 0x1F5 (501) | |
| cmd_image_lfs | 0x1F6 (502) | |
| cmd_image_zimage | 0x1F7 (503) | |
| cmd_image_initrd | 0x1F8 (504) | |
| cmd_image_factoryfs | 0x1F9 (505) | Has len and flag {0 = not yet finished, 1 = done uploading}? |
| cmd_image_datafs | 0x1FA (506) | |
| cmd_movi_download | 0x1FC (508) & 0x26C (620) | |
| cmd_dpram_download | 0x258 (600) | |
| cmd_write_firmware | 0x262 (610) | |
| cmd_download_image | 0x2BC (700) | flag {0 = 0x80000000, 1 = 0x86C00000} |
| cmd_image_csa | 0x2BD (701) | |
| cmd_write_onw | 0x2BE (702) | |
| cmd_set_parameter | 0x2BF (703) | |
| cmd_get_parameter | 0x2C0 (704) | |
| | 0x2C1 (705) | |
| cmd_phone_on | 0x2C2 (706) | |
| cmd_download_finish | 0x2C3 (707) | Writes downloadlog.txt and reboots |
| | 0x2C4 (708) | |
| cmd_image_lfs_cpy | 0x2C6 (710) | |
| cmd_ping | 0x2C7 (711) | |
| cmd_get_version | 0x2C8 (712) | |
| cmd_get_platform | 0x2C9 (713) | |
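
The handshake and command header described above can be checked against a capture with a small decoder. This is an added example, not code from the wiki or from Odin. It assumes that `struct odin_msg` is four little-endian 32-bit fields with no padding, that each transfer carries one message, and that transfers are labelled `out` (host to Sbl) or `in` (Sbl to host); the sample capture is constructed.

```python
import struct

# Opcode names copied from the table on this page (705 and 708 are unnamed there).
OPCODES = {
    0x1F4: "cmd_image_pbl", 0x1F5: "cmd_image_sbl", 0x1F6: "cmd_image_lfs",
    0x1F7: "cmd_image_zimage", 0x1F8: "cmd_image_initrd", 0x1F9: "cmd_image_factoryfs",
    0x1FA: "cmd_image_datafs", 0x1FC: "cmd_movi_download", 0x26C: "cmd_movi_download",
    0x258: "cmd_dpram_download", 0x262: "cmd_write_firmware", 0x2BC: "cmd_download_image",
    0x2BD: "cmd_image_csa", 0x2BE: "cmd_write_onw", 0x2BF: "cmd_set_parameter",
    0x2C0: "cmd_get_parameter", 0x2C2: "cmd_phone_on", 0x2C3: "cmd_download_finish",
    0x2C6: "cmd_image_lfs_cpy", 0x2C7: "cmd_ping", 0x2C8: "cmd_get_version",
    0x2C9: "cmd_get_platform",
}
# Assumption: struct odin_msg is four little-endian 32-bit fields with no padding.
HEADER = struct.Struct("<4I")

def decode_msg(raw):
    """Decode one host-to-Sbl message into the odin_msg fields."""
    if len(raw) < HEADER.size:
        raise ValueError("short message: %d of %d bytes" % (len(raw), HEADER.size))
    cmd, arg, length, flag = HEADER.unpack_from(raw)
    return {"name": OPCODES.get(cmd, "unknown_0x%X" % cmd), "cmd": cmd, "arg": arg,
            "len": length, "flag": flag, "extra": len(raw) - HEADER.size}

def decode_session(transfers):
    """Walk (direction, bytes) pairs: 'out' is host to Sbl, 'in' is Sbl to host."""
    state, events = "want_samsung", []
    for direction, raw in transfers:
        if state == "want_samsung" and direction == "out" and raw.startswith(b"SAMSUNG"):
            state = "want_last"
            events.append(("handshake", "SAMSUNG"))
        elif state == "want_last" and direction == "in" and raw.startswith(b"LAST"):
            state = "ready"
            events.append(("handshake", "LAST"))
        elif state != "ready":
            events.append(("unexpected", direction))  # traffic before handshake done
        elif direction == "in":
            events.append(("reply", len(raw)))  # reply format is not documented here
        else:
            try:
                events.append(("command", decode_msg(raw)))
            except ValueError as exc:
                events.append(("malformed", str(exc)))
    return events

# Constructed sample capture (not real device traffic).
SAMPLE = [("out", b"SAMSUNG"), ("in", b"LAST"),
          ("out", HEADER.pack(0x2C7, 0, 0, 0)),     # cmd_ping
          ("out", HEADER.pack(0x1F9, 0, 4096, 1))]  # cmd_image_factoryfs, flag=1
```

Bytes that follow the 16-byte header are only counted in `extra`, since the page does not say how payloads or padding are laid out.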
Download mode USB descriptors
```
Bus 002 Device 012: ID 04e8:6601 Samsung Electronics Co., Ltd Z100 Mobile Phone
Device Descriptor:
  bLength             18
  bDescriptorType     1
  bcdUSB              2.00
  bDeviceClass        2 Communications
  bDeviceSubClass     2 Abstract (modem)
  bDeviceProtocol     0 None
  bMaxPacketSize0     64
  idVendor            0x04e8 Samsung Electronics Co., Ltd
  idProduct           0x6601 Z100 Mobile Phone
  bcdDevice           2.1b
  iManufacturer       1 SAMSUNG
  iProduct            2 Gadget Serial
  iSerial             3
  bNumConfigurations  1
  Configuration Descriptor:
    bLength             9
    bDescriptorType     2
    wTotalLength        67
    bNumInterfaces      2
    bConfigurationValue 2
    iConfiguration      5 Gadget Serial CDC ACM
    bmAttributes        0xc0
      Self Powered
    MaxPower            2mA
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    0
      bAlternateSetting   0
      bNumEndpoints       1
      bInterfaceClass     2 Communications
      bInterfaceSubClass  2 Abstract (modem)
      bInterfaceProtocol  1 AT-commands (v.25ter)
      iInterface          6 Gadget Serial Control
      CDC Header:
        bcdCDC              1.10
      CDC Call Management:
        bmCapabilities      0x00
        bDataInterface      1
      CDC ACM:
        bmCapabilities      0x0f
          connection notifications
          sends break
          line coding and serial state
          get/set/clear comm features
      CDC Union:
        bMasterInterface    0
        bSlaveInterface     1
      Endpoint Descriptor:
        bLength             7
        bDescriptorType     5
        bEndpointAddress    0x83 EP 3 IN
        bmAttributes        3
          Transfer Type       Interrupt
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0010 1x 16 bytes
        bInterval           9
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    1
      bAlternateSetting   0
      bNumEndpoints       2
      bInterfaceClass     10 CDC Data
      bInterfaceSubClass  0 Unused
      bInterfaceProtocol  0
      iInterface          7 Gadget Serial Data
      Endpoint Descriptor:
        bLength             7
        bDescriptorType     5
        bEndpointAddress    0x81 EP 1 IN
        bmAttributes        2
          Transfer Type       Bulk
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0200 1x 512 bytes
        bInterval           0
      Endpoint Descriptor:
        bLength             7
        bDescriptorType     5
        bEndpointAddress    0x02 EP 2 OUT
        bmAttributes        2
          Transfer Type       Bulk
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0200 1x 512 bytes
        bInterval           0
Device Qualifier (for other device speed):
  bLength             10
  bDescriptorType     6
  bcdUSB              2.00
  bDeviceClass        2 Communications
  bDeviceSubClass     0
  bDeviceProtocol     0
  bMaxPacketSize0     0
  bNumConfigurations  1
cannot read device status, Connection timed out (110)
```