The firmware files I retrieved all have a very simple layout. There's a head of 176 bytes or so which indicates the version, which firmware 'files' (flash partitions) are in the package, their length and their SHA1SUMs. Nothing too troublesome there. The filesystem in my images is a JFFS2 dump which can be mounted up with the help of mtdram on Linux.
Once there, I started to have a poke around. The entirety of the UI runs inside of the Opera web browser, which has presumably been doctored for the job. No wonder it's so damn slow. I'd already seen my share of the consumer UI, so I started having a look for things that were hidden or that had been left in place from testing. A folder in /opt/www called HiddenMenu caught my attention almost instantly. A quick grep through the standard ui revealed that it could be entered by dialing *352# in the "Phone" side of the software.
The Hidden Menu contains all sorts of interesting goodies and tidbits. There are a myriad of settings for I-don't-know-what, as well as all the production tests that one would expect. There's also a function for flashing the firmware using files from a USB stick (handy!). Now I have a way to get my own packages onto the device.
This is exactly what I attempted to do, using a JFFS2 image that I had botched. Ka-BRICK. Whoops. Enter unit 2. This one I managed to kill by flashing firmware that was apparently too old for it.
Fear not though! Because I have a third. This time, I decided to crack it open to try and JTAG and resurrect my two corpses.
The third unit was not what I was expecting. Despite looking *almost* identical on the outside, the hardware on this is completely different.
Meet the 'TurboScreen'.
Packing an iMX51 CPU instead of the iMX31 of the regular devices, as well as half a gig of RAM and FLASH, these are some significantly more serious hardware. Sagem have a different codename for it, and it appears to be a much newer design. My TurboScreen seems to have a dead touchscreen, so that spelt a halt for a little while...