Nokia cellular phone hacking
Many old Nokia cellular phones have graphical LCDs based on the PCD8544 controller. These are perfect for various electronic projects with microcontrollers. The interface is a two-wire serial type (clock and data), plus some additional signals. The LCD runs from a single 3.3 V supply and draws very little current. This is not really a "hack"; we are merely re-using parts of the phone.
Note that the information here is for the Nokia 6150 specifically. However, many older models (e.g. Nokia 5110) are very similar, so most of it applies to those as well. Below is an image showing the different parts of the front PCB (the back side has no components).

Note how the keypad is partly divided into rows and columns. This is because those keys are multiplexed in this way. The other keys are more or less randomly connected to the rows and columns. Each button has an edge area and a center area, between which a short-circuit is created when the button is pressed. The upper switch is used to turn the phone on and off, and the buzzer is what emits the loud beep when e.g. receiving an SMS. The three testpads are connected to the phone's internal circuits, and have no real use in this context.
Since the LCDs only have the conductive-rubber type of connection, the easiest method of hooking a microcontroller up to it is to re-use the whole PCB. The connection on the back has two rows of 14 pins each, which I numbered A1 through A14 and B1 through B14.
The image below shows the numbering convention I have used. Note that the ribbon cable was soldered to the board as part of the hack. It is normally not there when you open the phone.

The table below describes the function of each pin.
| Pin | Function | Explanation |
| --- | --- | --- |
| A1 | LED & buzzer ground | |
| A2 | Switch output | Shorted to A8 (ground) when switch is pressed | 
| A3 | LCD D/C | Selects data (high) or command (low) for LCD communication | 
| A4 | LCD SCLK | LCD serial clock | 
| A5 | LCD SDIN | LCD serial data | 
| A6 | LCD /SCE | LCD chip enable (active low) | 
| A7 | LCD /RES | LCD reset (active low) | 
| A8 | Ground | LCD ground supply, middle testpad, switch ground | 
| A9 | Buzzer control | |
| A10 | LCD Vdd | Positive supply for LCD (2.8 - 3.3 V), LCD Osc (note 1) | 
| A11 | not connected | |
| A12 | LED control | Set high to turn on LEDs | 
| A13 | Speaker 1 | Differential driving through passive filter (?) | 
| A14 | Speaker 2 | Differential driving through passive filter (?) | 
| B1 | LED & buzzer positive supply | Ca +3.9 V supply (note 2) | 
| B2 | Connected to B3 | |
| B3 | Connected to B2 | |
| B4 | Leftmost testpad | |
| B5 | Row 4, "right" edge | |
| B6 | Row 3, "down" center, "hang up" center | |
| B7 | Row 2, "answer" center, "up" center | |
| B8 | Row 1, "left" center | |
| B9 | Rightmost testpad | |
| B10 | Column 3, switch output (through diode) | (note 3) | 
| B11 | Column 2 | |
| B12 | Column 1 | |
| B13 | "Left" edge, "up" edge, "down" edge, "right" center | |
| B14 | "Answer" edge, "hang up" edge | |
Note 1: A decoupling capacitor is installed between LCD Vdd and LCD ground on the PCB.
Note 2: The LEDs are driven by a constant-current circuit, equal to (0.5*U(A12) - 0.7)/15 A for the display LEDs and (0.6*U(A12) - 0.7)/15 A for the keypad LEDs. These formulas are valid as long as U(B1) is larger than 2.0 + 0.6*U(A12), which gives approx. 3.9 V as the lower limit, but this is not critical. However, the buzzer requires more than 3.3 V.
Note 3: The anode of the diode is connected to B10, and cathode to the switch output. Not sure why this wiring is used...
The LCD operates in the range 2.8 - 3.3 V, and hence all other signals should also be within that range. To use the LCD, the required signals are: A3, A4, A5, A6, A7, A8, and A10. I will not go into details about how the signals are used, how stuff is written to the LCD, etc., since that is covered by the PCD8544 datasheet. However, I will give a proper initialization sequence, which is useful for checking that the LCD is working:
- Reset the LCD with a short low pulse on the /RES signal (A7) at power-on
- Command 0x21 (function set - extended)
- Command 0xC6 (set operation voltage to 7 V)
- Command 0x13
- Command 0x20 (function set - basic)
- Command 0x0C (configuration - normal mode)
- Data 0xAA (turn on a few pixels)
The LCD should now show a vertical pattern of 10101010 in the top leftmost corner. You can download an ASM file for Atmel's microcontroller ATmega8. The file contains a program that writes some stuff to the LCD and then turns the contrast up & down repeatedly.
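The sequence above as bit-banged C, an added example that is not the ASM file mentioned here. `pin_write()` and the small receiver model behind it are assumptions standing in for real GPIO so the code runs on a PC; reset pulse width and clock timing are not modelled.

```c
#include <stdint.h>
#include <stddef.h>

/* Pins as in the table above: A3 D/C, A4 SCLK, A5 SDIN, A6 /SCE, A7 /RES. */
enum { PIN_DC, PIN_SCLK, PIN_SDIN, PIN_SCE, PIN_RES, PIN_COUNT };

/* Constructed stand-in for the hardware: models the LCD's serial receiver and
   logs each byte it clocks in. On a real MCU pin_write() would drive a GPIO. */
static uint8_t pins[PIN_COUNT], shift_reg, bit_count;
uint16_t lcd_log[16];   /* bit 8 = D/C level latched with the byte */
size_t lcd_log_len;
int reset_pulses;       /* falling edges seen on /RES */

static void pin_write(int pin, uint8_t level) {
    uint8_t old = pins[pin];
    pins[pin] = level;
    if (pin == PIN_RES && old && !level) { reset_pulses++; bit_count = 0; }
    if (pin == PIN_SCE && level) bit_count = 0;      /* deselect aborts a byte */
    if (pin == PIN_SCLK && !old && level && !pins[PIN_SCE]) { /* rising edge */
        shift_reg = (uint8_t)((shift_reg << 1) | pins[PIN_SDIN]);
        if (++bit_count == 8) {                      /* D/C is read on the 8th bit */
            bit_count = 0;
            if (lcd_log_len < 16)
                lcd_log[lcd_log_len++] = (uint16_t)((pins[PIN_DC] << 8) | shift_reg);
        }
    }
}

/* Send one byte, MSB first; dc = 0 selects command, dc = 1 selects data. */
static void lcd_send(uint8_t dc, uint8_t byte) {
    pin_write(PIN_DC, dc);
    pin_write(PIN_SCE, 0);                           /* chip enable, active low */
    for (int i = 7; i >= 0; i--) {
        pin_write(PIN_SDIN, (uint8_t)((byte >> i) & 1));
        pin_write(PIN_SCLK, 1); pin_write(PIN_SCLK, 0);
    }
    pin_write(PIN_SCE, 1);
}

/* The initialization sequence listed above, byte values exactly as given. */
void lcd_init(void) {
    static const uint8_t cmds[] = { 0x21, 0xC6, 0x13, 0x20, 0x0C };
    pin_write(PIN_SCE, 1); pin_write(PIN_SCLK, 0);   /* idle levels */
    pin_write(PIN_RES, 1);
    pin_write(PIN_RES, 0);                           /* short low pulse on /RES */
    pin_write(PIN_RES, 1);
    for (size_t i = 0; i < sizeof cmds; i++) lcd_send(0, cmds[i]);
    lcd_send(1, 0xAA);                               /* data: pattern 10101010 */
}
```

On real hardware, replace the body of `pin_write()` with the port writes for the pins wired to A3 through A7 and keep all levels within the 2.8 - 3.3 V range.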
Once the basic communication is working, doing graphics on the LCD is not very difficult:
 