Difference between revisions of "Research Pre GSM Modem"

From WebOS Internals
Jump to navigation Jump to search
(some infos about TelephonyInterfaceLayerGsm)
(Script to trace modemuart communication)
 
(One intermediate revision by the same user not shown)
Line 14: Line 14:
 
* PmModemPower: A simple shell script to turn on/reset the modem
 
* PmModemPower: A simple shell script to turn on/reset the modem
 
* PmModemUpdater: Flash the modem with a new firmware
 
* PmModemUpdater: Flash the modem with a new firmware
 
Through disassembling the PmLinuxModemCmd binary I found some binary sequences which indicates that the Pre communicates with the modem over a binary protocol.
 
  
 
The binary sequences are:
 
The binary sequences are:
Line 340: Line 338:
  
 
/usr/bin/TelephonyInterfaceLayerGsm connects to /dev/modemuart with a baudrate of 115200. Trying the same with screen shows me just rubbish. Seem to be the binary protocol. Make sure you rename the file before killing the process as it gets restarted automatically.
 
/usr/bin/TelephonyInterfaceLayerGsm connects to /dev/modemuart with a baudrate of 115200. Trying the same with screen shows me just rubbish. Seem to be the binary protocol. Make sure you rename the file before killing the process as it gets restarted automatically.
 +
 +
To strace TelephonyInterfaceLayerGsm and write out the relevant communication to /dev/modemuart we offer a small shell script below. Make sure your / is remounted rw for it.
 +
 +
<pre>
 +
#!/bin/sh
 +
#Make sure TelephonyInterfaceLayerGsm gets not restarted when we kill it
 +
mv /usr/bin/TelephonyInterfaceLayerGsm /usr/bin/TelephonyInterfaceLayerGsm-backup
 +
kill $(pidof TelephonyInterfaceLayerGsm)
 +
 +
sleep 2
 +
 +
#I always had fd=10 for /dev/modemuart, be verbose on reads on writes on this fd
 +
strace -x -s 10000 -f -F -o gsm.log -e read=10 -e write=10 TelephonyInterfaceLayerGsm-backup &
 +
sleep 25
 +
kill $(pidof TelephonyInterfaceLayerGsm-backup)
 +
 +
sleep 2
 +
 +
#Bring the system into a useable state again         
 +
mv /usr/bin/TelephonyInterfaceLayerGsm-backup /usr/bin/TelephonyInterfaceLayerGsm
 +
sh /etc/event.d/TelephonyInterfaceLayer
 +
</pre>

Latest revision as of 00:35, 16 October 2009

Modem Ports

There are several ports for communicating with the modem on the Palm Pre:

  • /dev/modemuart: Modem UART (UART Port)
  • /dev/tts/modem0 (Symlink for ttyACM0): USB Serial to Modem for AT commands (Data Port)
  • /dev/tts/modemdiag (Symlink for ttyACM1): USB Serial to Modem for Diagnositics (DIAG Port)

sysfs Entries

  • Power Control: /sys/user_hw/pins/modem/power_on/level

Palm Programs for communicating with the modem

In /usr/bin are some interessting programs:

  • PmLinuxModemCmd: You can do some operations on the modem from command line
  • PmModemInfo: Shows you the IMEI and the version of the modem firmware
  • PmModemPower: A simple shell script to turn on/reset the modem
  • PmModemUpdater: Flash the modem with a new firmware

The binary sequences are:

00014a1c <enableloopbackdataport>:
   14a1c:	31455441 	.word	0x31455441
	...
   159c0:	0a0d      	.short	0x0a0d

000159c2 <loopback>:
   159c2:	0f88      	.short	0x0f88
   159c4:	00010000 	.word	0x00010000
   159c8:	7eb3d400 	.word	0x7eb3d400

000159cc <identify>:
   159cc:	7e3b1c1d 	.word	0x7e3b1c1d

000159d0 <getVer>:
   159d0:	1b0000fa 	.word	0x1b0000fa
   159d4:	00000009 	.word	0x00000009
   159d8:	00000000 	.word	0x00000000
   159dc:	7e          	.byte	0x7e

000159dd <testAlive>:
   159dd:	fa          	.byte	0xfa
   159de:	0000      	.short	0x0000
   159e0:	0000011b 	.word	0x0000011b
   159e4:	00000000 	.word	0x00000000
   159e8:	b74c      	.short	0xb74c
   159ea:	7e          	.byte	0x7e

000159eb <testAliveResp>:
   159eb:	1b          	.byte	0x1b
   159ec:	00000001 	.word	0x00000001
   159f0:	0000      	.short	0x0000
	...

000159f3 <testAliveResp1>:
   159f3:	1c          	.byte	0x1c
   159f4:	00000002 	.word	0x00000002
   159f8:	0000      	.short	0x0000
	...

000159fb <testAliveCDMA>:
   159fb:	fa          	.byte	0xfa
   159fc:	14080000 	.word	0x14080000
   15a00:	f904d200 	.word	0xf904d200
   15a04:	7e27      	.short	0x7e27

00015a06 <testAliveRespCDMA>:
   15a06:	0122      	.short	0x0122
   15a08:	0000      	.short	0x0000
	...

00015a0b <enterFTMmode>:
   15a0b:	29          	.byte	0x29
   15a0c:	73810003 	.word	0x73810003
   15a10:	7e          	.byte	0x7e

00015a11 <CDMAdiagPortOnUART>:
   15a11:	fa          	.byte	0xfa
   15a12:	0000      	.short	0x0000
   15a14:	00002308 	.word	0x00002308
   15a18:	fbf1      	.short	0xfbf1
   15a1a:	7e          	.byte	0x7e

00015a1b <CDMAdiagPortOnUSB>:
   15a1b:	fa          	.byte	0xfa
   15a1c:	23080000 	.word	0x23080000
   15a20:	29e20001 	.word	0x29e20001
   15a24:	7e          	.byte	0x7e

00015a25 <resetCDMA>:
   15a25:	29          	.byte	0x29
   15a26:	0002      	.short	0x0002
   15a28:	6a59      	.short	0x6a59
   15a2a:	7e          	.byte	0x7e

00015a2b <onlineMode>:
   15a2b:	fa          	.byte	0xfa
   15a2c:	00030000 	.word	0x00030000
   15a30:	00000000 	.word	0x00000000
   15a34:	09f00500 	.word	0x09f00500
   15a38:	7e          	.byte	0x7e

00015a39 <offlineMode>:
   15a39:	fa          	.byte	0xfa
   15a3a:	0000      	.short	0x0000
   15a3c:	00000003 	.word	0x00000003
   15a40:	06000000 	.word	0x06000000
   15a44:	3b6b      	.short	0x3b6b
   15a46:	7e          	.byte	0x7e

00015a47 <ATCGDCONT>:
   15a47:	41          	.byte	0x41
   15a48:	47432b54 	.word	0x47432b54
   15a4c:	4e4f4344 	.word	0x4e4f4344
   15a50:	0a0d3f54 	.word	0x0a0d3f54

00015a54 <ATE0E1Cmd>:
   15a54:	30455441 	.word	0x30455441
   15a58:	30453145 	.word	0x30453145
   15a5c:	30453145 	.word	0x30453145
   15a60:	30453145 	.word	0x30453145
   15a64:	0a0d3145 	.word	0x0a0d3145

00015a68 <ATCmd>:
   15a68:	0a0d5441 	.word	0x0a0d5441

00015a6c <Charging90mA>:
   15a6c:	1b0000fa 	.word	0x1b0000fa
   15a70:	00000006 	.word	0x00000006
   15a74:	00180000 	.word	0x00180000
   15a78:	f0f30000 	.word	0xf0f30000
   15a7c:	7e          	.byte	0x7e

00015a7d <Charging500mA>:
   15a7d:	fa          	.byte	0xfa
   15a7e:	0000      	.short	0x0000
   15a80:	0000061b 	.word	0x0000061b
   15a84:	18000000 	.word	0x18000000
   15a88:	2b000100 	.word	0x2b000100
   15a8c:	7ee9      	.short	0x7ee9

00015a8e <Charging1A>:
   15a8e:	00fa      	.short	0x00fa
   15a90:	00061b00 	.word	0x00061b00
   15a94:	00000000 	.word	0x00000000
   15a98:	00070018 	.word	0x00070018
   15a9c:	bdfb      	.short	0xbdfb
   15a9e:	7e          	.byte	0x7e

00015a9f <getQPSTConfig>:
   15a9f:	0c          	.byte	0x0c
   15aa0:	417e3a14 	.word	0x417e3a14
   15aa4:	43512454 	.word	0x43512454
   15aa8:	0d474d44 	.word	0x0d474d44
   15aac:	51245441 	.word	0x51245441
   15ab0:	474d4443 	.word	0x474d4443
   15ab4:	2454410d 	.word	0x2454410d
   15ab8:	4d444351 	.word	0x4d444351
   15abc:	067e0d47 	.word	0x067e0d47
   15ac0:	7e7e954e 	.word	0x7e7e954e

00015ac4 <getESN>:
   15ac4:	00000026 	.word	0x00000026
	...
   15b48:	7ed2ad00 	.word	0x7ed2ad00

00015b4c <CDMAPcmLoopbackOn>:
   15b4c:	000e0b4b 	.word	0x000e0b4b
   15b50:	00010003 	.word	0x00010003
   15b54:	0001000c 	.word	0x0001000c
   15b58:	7e00      	.short	0x7e00

00015b5a <CDMAPcmLoopbackOff>:
   15b5a:	0b4b      	.short	0x0b4b
   15b5c:	0003000e 	.word	0x0003000e
   15b60:	000c0001 	.word	0x000c0001
   15b64:	7e000000 	.word	0x7e000000

00015b68 <GSMPcmLoopbackOn>:
   15b68:	000e0b4b 	.word	0x000e0b4b
   15b6c:	000b0003 	.word	0x000b0003
   15b70:	0001000c 	.word	0x0001000c
   15b74:	7e00      	.short	0x7e00

00015b76 <GSMPcmLoopbackOff>:
   15b76:	0b4b      	.short	0x0b4b
   15b78:	0003000e 	.word	0x0003000e
   15b7c:	000c000b 	.word	0x000c000b
   15b80:	7e000000 	.word	0x7e000000

00015b84 <Dial>:
   15b84:	000000fa 	.word	0x000000fa
   15b88:	00000000 	.word	0x00000000
   15b8c:	04000000 	.word	0x04000000
	...
   15bf0:	34000000 	.word	0x34000000
   15bf4:	31363830 	.word	0x31363830
   15bf8:	32333837 	.word	0x32333837
   15bfc:	00000037 	.word	0x00000037
	...
   15c30:	0a000000 	.word	0x0a000000
	...
   15c58:	0000      	.short	0x0000
   15c5a:	7e          	.byte	0x7e

00015c5b <disableloopbackdataport>:
   15c5b:	41          	.byte	0x41
   15c5c:	0d304554 	.word	0x0d304554
   15c60:	0a          	.byte	0x0a

00015c61 <ATDT>:
   15c61:	41          	.byte	0x41
   15c62:	4454      	.short	0x4454
   15c64:	37313654 	.word	0x37313654
   15c68:	37323338 	.word	0x37323338
   15c6c:	0a0d      	.short	0x0a0d

00015c6e <testAlive_1>:
   15c6e:	00fa      	.short	0x00fa
   15c70:	00011b00 	.word	0x00011b00
   15c74:	00000001 	.word	0x00000001
   15c78:	7ead8101 	.word	0x7ead8101

00015c7c <onlineMode_1>:
   15c7c:	030000fa 	.word	0x030000fa
   15c80:	00000000 	.word	0x00000000
   15c84:	4f020000 	.word	0x4f020000
   15c88:	5d7d      	.short	0x5d7d
   15c8a:	7e          	.byte	0x7e

PmModemUpdater

Usage:
PmModemUpdater -h                     Print usage
PmModemUpdater -v                     Detect current modem firmware version
PmModemUpdater -p  /path/to/firmware.tar  Check the firmware package info
PmModemUpdater -b		      Backup NV items from device to /var/firmware/palm_nv_backup.txt 
PmModemUpdater -r /path/to/nvfile     Load NV items from nvfile   		
PmModemUpdater<firmware.tar           Update the firmware using a tar file as input
PmModemUpdater<firmware.tar  -f       Force an update even the modem has the same version than tar file
PmModemUpdater<firmware.tar  -s xx xx Force the modem to be flashed (RESCUE MODE)
PmModemUpdater  -i            	      Start a data/voice test on your umts modem directly
PmModemUpdater  -e            	      Ignore stop/start TIL/WAND
PmModemUpdater  -o            	      silent mode which means no verbose output at all
PmModemUpdater<firmware.tar -m        Force the modem to be flashed (INFINITE USB RESCUE MODE) on USB

pmmodempower

 #!/bin/sh
 for i in "$*"
    if [ "$i" = "on" ]
    then
	echo Powering On Modem
	echo 1 > /sys/user_hw/pins/modem/power_on/level
    fi
    if [ "$i" = "off" ]
    then 
	echo Powering Off Modem
	echo 0 > /sys/user_hw/pins/modem/boot_mode/level
	echo 0 > /sys/user_hw/pins/modem/power_on/level
    fi
    if [ "$i" = "cycle" ]
    then
	echo Powering Off Modem
	echo 0 > /sys/user_hw/pins/modem/boot_mode/level
	echo 0 > /sys/user_hw/pins/modem/wakeup_modem/level
	echo 0 > /sys/user_hw/pins/modem/power_on/level
	sleep 2
	echo Powering On Modem
	echo 1 > /sys/user_hw/pins/modem/power_on/level
	#echo Waiting for MODEM_WAKE_APP Low
	#while [ "$appwake" != "0" ]
	#do
	#    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#done
	#echo Waiting for MODEM_WAKE_APP Pulse High
	#appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#while [ "$appwake" != "1" ]
	#do
	#    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#done
	#while [ "$appwake" != "0" ]
	#do
	#    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#done
	echo Asserting APP_WAKE_MODEM
	echo 1 > /sys/user_hw/pins/modem/wakeup_modem/level
    fi
 done

PmLinuxModemCmd

 usage: PmLinuxModemCmd <Port> <[a][b][c][d <number>][e][f][ftm][h][g][i][k <#pkts>][l][m][n][o][pcmloopback <radio> <state>][q][r][s][t][u <#pkts>][zr][zt][zl][1] [5][9]]> [v]
 where: <Port>:
           /dev/ttyS0         - Modem UART. - UART PORT
           /dev/tts/modem0    - USB Serial to Modem for AT commands - DATA PORT.
           /dev/tts/modemdiag - USB Serial to Modem for Diagnostics - DIAG PORT.
 where:
       e - empty read buffer from specified port.
       u - Loopback mode performance test. Next argument <#pkts>
  UART PORT COMMANDS: (/dev/ttyS0) 
       b  - Send loopback mode command for 256 bytes. UART goes into loopback mode until power cycle.
       d  - Send commands to dial a phone number. Phone number in the format 4086178327.
       f  - Send offline mode and read pkt.
       ftm - Enter modem FTM mode (both CDMA and GSM modems).
       i  - Send identify command.
       l  - Send testalive then loop forever doing ( onlinemode, offlinemode, sleep  to UART.
       m  - Disable loopback mode.
       o  - Send online mode and read pkt.
       pcmloopback - control PCM loopback. <radio> = GSM/CDMA <state> = on/off.
       q  - Send test alive, online mode and then read pkts.
       r  - Get firmware version.
       t  - Send test alive and read pkt.
       1  - Send command to enable 1A charging.
       5  - Send command to enable 500mA charging.
       9  - Send command to enable 90mA charge.
       zs - CDMA reset modem.
       zt - CDMA send test alive and read pkts.
       zdiagonusb - CDMA put diag port on USB diag.
       zdiagonuart- CDMA put diag port on UART.
  DATA PORT COMMANDS: (/dev/tts/modem0) 
       a - Send AT\n.
       c - Send ATCGDCONT\n.
       h - Send Echo command.
       k - Test loopback perf using command (ATE1\n).
  DIAG PORT COMMANDS: (/dev/tts/modemdiag) 
       g  - Get QPST serial port config from DIAG port.
       s  - Get ESN from DIAG port.
       zl - CDMA put modemdiag into loopback. 
       zr - CDMA Read performance tests. Takes two arguments <numpkts> and <pktSize>.
               Eg. %s /dev/tts/modemdiag zr <NumPkts> <PktSize> [v] 
       zw - CDMA Write performance tests. Takes two arguments <numpkts> and <pktSize>.
               Eg. %s /dev/tts/modemdiag zw <NumPkts> <PktSize> [v] 
       zu - CDMA Performance tests of the diag port after putting it into loopback. Takes two arguments <numpkts> and <pktSize>. 
               Eg. %s /dev/tts/modemdiag zu <NumPkts> <PktSize> [v] 
 where  v - verbose output.

TelephonyInterfaceLayerGsm

/usr/bin/TelephonyInterfaceLayerGsm connects to /dev/modemuart with a baudrate of 115200. Trying the same with screen shows me just rubbish. Seem to be the binary protocol. Make sure you rename the file before killing the process as it gets restarted automatically.

To strace TelephonyInterfaceLayerGsm and write out the relevant communication to /dev/modemuart we offer a small shell script below. Make sure your / is remounted rw for it.

#!/bin/sh
#Make sure TelephonyInterfaceLayerGsm gets not restarted when we kill it
mv /usr/bin/TelephonyInterfaceLayerGsm /usr/bin/TelephonyInterfaceLayerGsm-backup
kill $(pidof TelephonyInterfaceLayerGsm)

sleep 2

#I always had fd=10 for /dev/modemuart, be verbose on reads on writes on this fd
strace -x -s 10000 -f -F -o gsm.log -e read=10 -e write=10 TelephonyInterfaceLayerGsm-backup &
sleep 25
kill $(pidof TelephonyInterfaceLayerGsm-backup)

sleep 2

#Bring the system into a useable state again           
mv /usr/bin/TelephonyInterfaceLayerGsm-backup /usr/bin/TelephonyInterfaceLayerGsm
sh /etc/event.d/TelephonyInterfaceLayer