How to bring up the bluetooth:

(Some of these steps may not be necessary.)

  Open UART, set to 9600,n,8,1.
  Set flow control by setting bits 5 and 1 of modem control (0x40100010).
  Reset UART to 115200,n,8,1.
  Clear buffers (so RTS goes off).
  Set GPIOs 53,71,124,114 low.
  Wait a few seconds for everything to die.
  Raise 53,71,124.
  6ms pause.
  Raise 114.
  3ms pause.
  Lower 114.
  3ms pause.
  Raise 81 and 114.
  500ms pause.

At this point, as soon as we try to transmit, the UART will set its RTS and the BT chip responds by setting CTS (you can see it on bit 4 of the modem status register (0x40100018)).

--------------------------------------------------------------------------------

Brief interlude on HCI packets

The HCI Command packets (to the chip) look like this:

  01 cc cc nn dd dd dd ....

  cc cc = opcode
  nn    = number of bytes of data
  dd    = data

Responses look like this:

  04 cc nn dd dd dd ...

The most common response op-code is 0e, which is a kind of acknowledge. The data that comes with it is of the form:

  01 cc cc 00

where cc cc is the opcode that it's acknowledging. Sometimes more data is tacked on, like this:

  04 0e 0c 01 01 10 00 03 00 30 03 0f 00 0b 42

--------------------------------------------------------------------------------

Ok, so here's how the conversation goes....

  Operation  Op-Code  Description                Data len  Data
  Send       03 0c    Reset                      0         -
  Receive             ACK
  Send       01 10    Read version info          0         -
  Receive    0e       Ack with info              12        01 01 10 00 03 00 30 03 0f 00 0b 42
  Send       2e fc    ~I want to write firmware  0         -
  Receive             ACK

At this point, we hurl some firmware at it. I'm not sure why this is done but... ok.
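As an added example (not part of the original notes), here is a small Python codec for the framing just described: it builds a command packet from a 16-bit opcode, parses an event packet, recognises the 0e acknowledge, and decodes the 12-byte version-info response quoted above. The field names in decode_local_version come from the Read_Local_Version_Information return-parameter layout in the Bluetooth Core specification, not from the notes; the opcode split into OGF/OCF is likewise the spec's encoding.

```python
import struct

# H4 UART packet indicators and the event code the notes call "ack"
HCI_COMMAND = 0x01
HCI_EVENT = 0x04
EVT_COMMAND_COMPLETE = 0x0E


def build_command(opcode, params=b""):
    """Frame an HCI command: 01 | opcode (16-bit little-endian) | length | params."""
    if len(params) > 255:
        raise ValueError("HCI command parameters exceed 255 bytes")
    return struct.pack("<BHB", HCI_COMMAND, opcode, len(params)) + params


def split_opcode(opcode):
    """Split a 16-bit opcode into (OGF, OCF); OGF 0x3F is the vendor-specific group."""
    return opcode >> 10, opcode & 0x03FF


def parse_event(pkt):
    """Parse one H4 event packet (04 cc nn dd...) into a dict.

    For a Command Complete (0e) event the data is split into
    num_pkts | opcode | status | params, as in the notes."""
    if len(pkt) < 3 or pkt[0] != HCI_EVENT:
        raise ValueError("not an HCI event packet")
    code, length, data = pkt[1], pkt[2], pkt[3:]
    if len(data) != length:
        raise ValueError(f"length byte says {length}, got {len(data)} data bytes")
    ev = {"event": code, "data": data}
    if code == EVT_COMMAND_COMPLETE:
        if length < 4:
            raise ValueError("Command Complete event too short")
        ev["num_pkts"] = data[0]
        ev["opcode"] = struct.unpack_from("<H", data, 1)[0]
        ev["status"] = data[3]
        ev["params"] = data[4:]
    return ev


def is_ack_for(pkt, opcode):
    """True if pkt is a successful Command Complete for the given opcode."""
    try:
        ev = parse_event(pkt)
    except ValueError:
        return False
    return (ev["event"] == EVT_COMMAND_COMPLETE
            and ev["opcode"] == opcode and ev["status"] == 0)


def decode_local_version(params):
    """Decode Read_Local_Version_Information (opcode 0x1001) return parameters.

    Layout per the Bluetooth Core spec: HCI_Version(1) HCI_Revision(2)
    LMP_Version(1) Manufacturer_Name(2) LMP_Subversion(2)."""
    if len(params) < 8:
        raise ValueError("version info needs 8 parameter bytes")
    hci_ver, hci_rev, lmp_ver, manuf, lmp_sub = struct.unpack("<BHBHH", params[:8])
    return {"hci_version": hci_ver, "hci_revision": hci_rev,
            "lmp_version": lmp_ver, "manufacturer": manuf,
            "lmp_subversion": lmp_sub}


# The "ack with info" event quoted in the notes, byte for byte
SAMPLE_EVENT = bytes.fromhex("040e0c01011000030030030f000b42")

if __name__ == "__main__":
    print(build_command(0x0C03).hex(" "))        # the "03 0c" reset from the table
    ev = parse_event(SAMPLE_EVENT)
    print(f"ack for opcode {ev['opcode']:04x}, status {ev['status']}")
    print(decode_local_version(ev["params"]))
```

Opcodes are written on the wire low byte first, so the "03 0c" in the table is opcode 0x0C03 (OGF 3, OCF 3) and "2e fc" is 0xFC2E in the vendor-specific group 0x3F.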
I spent ages collecting what was sent next, then found it in this file in Windows:

  \windows\BCM2045B2_002.002.011.0211.0000.hcd

(which is referenced by HKLM\Software\Widcomm\BTConfig\General in the WinCE registry)

Open the file and keep doing the following until you run out of file:

  1) Read 2 bytes of opcode (mine are all '4c fc')
  2) Read 1 byte --> n
  3) Read n bytes
  4) Hurl that many bytes from the file at the chip, with that opcode
  5) [Possibly: wait for the ACK] TODO: Find OUT!

The last packet of these is 4e fc, instead of 4c fc, and when the ack comes for that, we can continue..

  Operation  Op-Code  Description  Data len  Data
  Send       03 0c    Reset again  0         -
  Receive             ACK

----------------------------------------
  Send       09 10    Request BD Addr                0    -
  Receive             ACK for 24 0c (Write Class Of Device) with trailing garbage, weirdness lies here
  Send       13 0c    Write Local Name               248  Device name and lots o' garbage
  Receive    0e       Ack for 01 10 with info        12   01 01 10 00 03 00 30 03 0f f9 00 804
  Send       03 10    Read Local Supported Features  0    -
----------------------------------------

Think some bits are missing/wrong here.

Generally, it does these:

  09 10  Request BD Addr
  13 0c  Write local name (text ID)
  24 0c  Write device class ()
  03 10  Read local supported features
  2f 0c  Write synchronous flow control enable
  01 10  Read local version info
  0a 0c  Write PIN type

  Operation  Op-Code  Description                        Data len  Data
  Send       24 0c    Write class of device              3         10 01 12
  Receive             ACK
  Send       01 fc    Unknown BCM command                6         54 5b 01 0b 1e 00
  Receive             ACK
  Send       09 10    Read BD Addr                       0         -
  Receive    0e       Ack with info                      10        01 09 10 00 54 5b 01 0b 1e 00
  Send       13 0c    Write Local Name                   248       Device name with trailing 00s
                      [Didn't get an ACK that time]
  Send       49 0c    Write AFH Channel assessment mode  1         00
  Receive             ACK
  Send       27 fc    Unknown BCM command                10        01 0a 0a 01 01 01 01 00 00 00
  Receive             ACK
  Send       1c fc    Unknown BCM command                5         00 02 00 00 00
  Receive             ACK
  Send       1e fc    Unknown BCM command                5         00 00 02 03 01
  Receive             ACK
  Send       22 fc    Unknown BCM command                1         {00} <-- not 100% sure about this (no change in DMA page)
  Receive             ACK
  Send       41 fc    Unknown BCM command                8         82 b0 bf ff cb 00 00 0a
  Receive             ACK
  Send       24 0c    Write class of device              3         10 01 32

And that's it.

  2e fc 00 ff ab ab ab
  /sdcard/firmware.dat
  ff
  13 0c F8 6f 6c 69 66 6f 72 64 50 44 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ff
  page-c0.txt
  touchscreen stuff at 02fcc050

------

More accurate version of all the twiddling from bt_pwrmgr.dll:

  81 --> AF0
  81 --> output
  81 --> off
  84 --> AF0
  84(RTS) --> output
  84(RTS) --> on
  114 --> on
  114 ??? delay(2)
  114 --> off
  delay(2)
  114 --> on
  81 --> on
  delay(500)
  84(RTS) --> off
  delay(5)
  84(RTS) --> AF1 (RTS)
  check 79(CTS) ok if on
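The .hcd loading loop described earlier (read a 2-byte opcode, a 1-byte length n, then n bytes; send them as an HCI command; stop after the 4e fc record), as an added Python example that is not part of the original notes or of any Broadcom tool. It implements step 5 as "wait for the matching ack" before sending the next record, which the notes leave as a TODO. The sample .hcd bytes and the FakeChip class are constructed for the demonstration; transport.send()/transport.recv() is a hypothetical interface standing in for the UART link.

```python
import struct

HCI_COMMAND = 0x01
HCI_EVENT = 0x04
EVT_COMMAND_COMPLETE = 0x0E
HCD_LAST_OPCODE = 0xFC4E   # the "4e fc" record that ends the download in the notes


def parse_hcd(blob):
    """Split a .hcd blob into (opcode, payload) records.

    Record layout from the notes: opcode (2 bytes, little-endian), length n
    (1 byte), n payload bytes; repeat until the file runs out.
    Raises ValueError on a truncated record instead of sending junk."""
    records, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 3:
            raise ValueError(f"truncated record header at offset {pos}")
        opcode, n = struct.unpack_from("<HB", blob, pos)
        pos += 3
        if len(blob) - pos < n:
            raise ValueError(f"record at offset {pos - 3} wants {n} bytes, "
                             f"{len(blob) - pos} left")
        records.append((opcode, blob[pos:pos + n]))
        pos += n
    return records


def hcd_to_commands(blob):
    """Frame each record as an H4 command (01 | opcode | len | payload) and
    check that the file ends with the 4e fc record."""
    records = parse_hcd(blob)
    if not records or records[-1][0] != HCD_LAST_OPCODE:
        raise ValueError("firmware file does not end with the 4e fc record")
    return [struct.pack("<BHB", HCI_COMMAND, op, len(p)) + p for op, p in records]


def ack_matches(event, opcode):
    """Minimal check: Command Complete (0e) for opcode with status 00."""
    return (len(event) >= 7 and event[0] == HCI_EVENT
            and event[1] == EVT_COMMAND_COMPLETE
            and struct.unpack_from("<H", event, 4)[0] == opcode
            and event[6] == 0)


def download(blob, transport):
    """Send every record and wait for its ack; returns the number sent.

    transport.send(bytes) / transport.recv() -> bytes is hypothetical."""
    cmds = hcd_to_commands(blob)
    for i, cmd in enumerate(cmds):
        transport.send(cmd)
        opcode = struct.unpack_from("<H", cmd, 1)[0]
        if not ack_matches(transport.recv(), opcode):
            raise RuntimeError(f"no ack for record {i} (opcode {opcode:04x})")
    return len(cmds)


class FakeChip:
    """Constructed stand-in for the UART link: acks every command it receives."""

    def __init__(self):
        self.sent = []

    def send(self, pkt):
        self.sent.append(pkt)

    def recv(self):
        op = struct.unpack_from("<H", self.sent[-1], 1)[0]
        # 04 0e 04 01 <opcode lo hi> 00, the plain ack shape from the notes
        return struct.pack("<BBBBHB", HCI_EVENT, EVT_COMMAND_COMPLETE, 4, 1, op, 0)


# Constructed sample .hcd: two 4c fc records followed by the closing 4e fc record
SAMPLE_HCD = bytes.fromhex(
    "4cfc06" "00100020aabb"   # 4c fc, 6 payload bytes
    "4cfc03" "010203"         # 4c fc, 3 payload bytes
    "4efc04" "ffffffff"       # 4e fc, 4 payload bytes: last record
)

if __name__ == "__main__":
    chip = FakeChip()
    print(download(SAMPLE_HCD, chip), "records sent")
    for c in chip.sent:
        print(c.hex(" "))
```

Waiting for each ack also gives a natural place to catch a chip that has reset or lost sync mid-download: the loop stops at the first record that is not acknowledged rather than blindly streaming the rest of the file.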