Research Pre GSM Modem

From WebOS Internals
Revision as of 18:13, 13 October 2009 by StefanSchmidt (talk | contribs) (its /dev/modemuart not ttyS0)

Modem Ports

There are several ports for communicating with the modem on the Palm Pre:

  • /dev/modemuart: Modem UART (UART Port)
  • /dev/tts/modem0 (Symlink for ttyACM0): USB Serial to Modem for AT commands (Data Port)
  • /dev/tts/modemdiag (Symlink for ttyACM1): USB Serial to Modem for Diagnostics (DIAG Port)

sysfs Entries

  • Power Control: /sys/user_hw/pins/modem/power_on/level

Palm Programs for communicating with the modem

There are some interesting programs in /usr/bin:

  • PmLinuxModemCmd: You can do some operations on the modem from the command line
  • PmModemInfo: Shows you the IMEI and the version of the modem firmware
  • PmModemPower: A simple shell script to turn on/reset the modem
  • PmModemUpdater: Flash the modem with a new firmware

By disassembling the PmLinuxModemCmd binary I found some byte sequences which indicate that the Pre communicates with the modem over a binary protocol.

The binary sequences are:

00014a1c <enableloopbackdataport>:
   14a1c:	31455441 	.word	0x31455441
	...
   159c0:	0a0d      	.short	0x0a0d

000159c2 <loopback>:
   159c2:	0f88      	.short	0x0f88
   159c4:	00010000 	.word	0x00010000
   159c8:	7eb3d400 	.word	0x7eb3d400

000159cc <identify>:
   159cc:	7e3b1c1d 	.word	0x7e3b1c1d

000159d0 <getVer>:
   159d0:	1b0000fa 	.word	0x1b0000fa
   159d4:	00000009 	.word	0x00000009
   159d8:	00000000 	.word	0x00000000
   159dc:	7e          	.byte	0x7e

000159dd <testAlive>:
   159dd:	fa          	.byte	0xfa
   159de:	0000      	.short	0x0000
   159e0:	0000011b 	.word	0x0000011b
   159e4:	00000000 	.word	0x00000000
   159e8:	b74c      	.short	0xb74c
   159ea:	7e          	.byte	0x7e

000159eb <testAliveResp>:
   159eb:	1b          	.byte	0x1b
   159ec:	00000001 	.word	0x00000001
   159f0:	0000      	.short	0x0000
	...

000159f3 <testAliveResp1>:
   159f3:	1c          	.byte	0x1c
   159f4:	00000002 	.word	0x00000002
   159f8:	0000      	.short	0x0000
	...

000159fb <testAliveCDMA>:
   159fb:	fa          	.byte	0xfa
   159fc:	14080000 	.word	0x14080000
   15a00:	f904d200 	.word	0xf904d200
   15a04:	7e27      	.short	0x7e27

00015a06 <testAliveRespCDMA>:
   15a06:	0122      	.short	0x0122
   15a08:	0000      	.short	0x0000
	...

00015a0b <enterFTMmode>:
   15a0b:	29          	.byte	0x29
   15a0c:	73810003 	.word	0x73810003
   15a10:	7e          	.byte	0x7e

00015a11 <CDMAdiagPortOnUART>:
   15a11:	fa          	.byte	0xfa
   15a12:	0000      	.short	0x0000
   15a14:	00002308 	.word	0x00002308
   15a18:	fbf1      	.short	0xfbf1
   15a1a:	7e          	.byte	0x7e

00015a1b <CDMAdiagPortOnUSB>:
   15a1b:	fa          	.byte	0xfa
   15a1c:	23080000 	.word	0x23080000
   15a20:	29e20001 	.word	0x29e20001
   15a24:	7e          	.byte	0x7e

00015a25 <resetCDMA>:
   15a25:	29          	.byte	0x29
   15a26:	0002      	.short	0x0002
   15a28:	6a59      	.short	0x6a59
   15a2a:	7e          	.byte	0x7e

00015a2b <onlineMode>:
   15a2b:	fa          	.byte	0xfa
   15a2c:	00030000 	.word	0x00030000
   15a30:	00000000 	.word	0x00000000
   15a34:	09f00500 	.word	0x09f00500
   15a38:	7e          	.byte	0x7e

00015a39 <offlineMode>:
   15a39:	fa          	.byte	0xfa
   15a3a:	0000      	.short	0x0000
   15a3c:	00000003 	.word	0x00000003
   15a40:	06000000 	.word	0x06000000
   15a44:	3b6b      	.short	0x3b6b
   15a46:	7e          	.byte	0x7e

00015a47 <ATCGDCONT>:
   15a47:	41          	.byte	0x41
   15a48:	47432b54 	.word	0x47432b54
   15a4c:	4e4f4344 	.word	0x4e4f4344
   15a50:	0a0d3f54 	.word	0x0a0d3f54

00015a54 <ATE0E1Cmd>:
   15a54:	30455441 	.word	0x30455441
   15a58:	30453145 	.word	0x30453145
   15a5c:	30453145 	.word	0x30453145
   15a60:	30453145 	.word	0x30453145
   15a64:	0a0d3145 	.word	0x0a0d3145

00015a68 <ATCmd>:
   15a68:	0a0d5441 	.word	0x0a0d5441

00015a6c <Charging90mA>:
   15a6c:	1b0000fa 	.word	0x1b0000fa
   15a70:	00000006 	.word	0x00000006
   15a74:	00180000 	.word	0x00180000
   15a78:	f0f30000 	.word	0xf0f30000
   15a7c:	7e          	.byte	0x7e

00015a7d <Charging500mA>:
   15a7d:	fa          	.byte	0xfa
   15a7e:	0000      	.short	0x0000
   15a80:	0000061b 	.word	0x0000061b
   15a84:	18000000 	.word	0x18000000
   15a88:	2b000100 	.word	0x2b000100
   15a8c:	7ee9      	.short	0x7ee9

00015a8e <Charging1A>:
   15a8e:	00fa      	.short	0x00fa
   15a90:	00061b00 	.word	0x00061b00
   15a94:	00000000 	.word	0x00000000
   15a98:	00070018 	.word	0x00070018
   15a9c:	bdfb      	.short	0xbdfb
   15a9e:	7e          	.byte	0x7e

00015a9f <getQPSTConfig>:
   15a9f:	0c          	.byte	0x0c
   15aa0:	417e3a14 	.word	0x417e3a14
   15aa4:	43512454 	.word	0x43512454
   15aa8:	0d474d44 	.word	0x0d474d44
   15aac:	51245441 	.word	0x51245441
   15ab0:	474d4443 	.word	0x474d4443
   15ab4:	2454410d 	.word	0x2454410d
   15ab8:	4d444351 	.word	0x4d444351
   15abc:	067e0d47 	.word	0x067e0d47
   15ac0:	7e7e954e 	.word	0x7e7e954e

00015ac4 <getESN>:
   15ac4:	00000026 	.word	0x00000026
	...
   15b48:	7ed2ad00 	.word	0x7ed2ad00

00015b4c <CDMAPcmLoopbackOn>:
   15b4c:	000e0b4b 	.word	0x000e0b4b
   15b50:	00010003 	.word	0x00010003
   15b54:	0001000c 	.word	0x0001000c
   15b58:	7e00      	.short	0x7e00

00015b5a <CDMAPcmLoopbackOff>:
   15b5a:	0b4b      	.short	0x0b4b
   15b5c:	0003000e 	.word	0x0003000e
   15b60:	000c0001 	.word	0x000c0001
   15b64:	7e000000 	.word	0x7e000000

00015b68 <GSMPcmLoopbackOn>:
   15b68:	000e0b4b 	.word	0x000e0b4b
   15b6c:	000b0003 	.word	0x000b0003
   15b70:	0001000c 	.word	0x0001000c
   15b74:	7e00      	.short	0x7e00

00015b76 <GSMPcmLoopbackOff>:
   15b76:	0b4b      	.short	0x0b4b
   15b78:	0003000e 	.word	0x0003000e
   15b7c:	000c000b 	.word	0x000c000b
   15b80:	7e000000 	.word	0x7e000000

00015b84 <Dial>:
   15b84:	000000fa 	.word	0x000000fa
   15b88:	00000000 	.word	0x00000000
   15b8c:	04000000 	.word	0x04000000
	...
   15bf0:	34000000 	.word	0x34000000
   15bf4:	31363830 	.word	0x31363830
   15bf8:	32333837 	.word	0x32333837
   15bfc:	00000037 	.word	0x00000037
	...
   15c30:	0a000000 	.word	0x0a000000
	...
   15c58:	0000      	.short	0x0000
   15c5a:	7e          	.byte	0x7e

00015c5b <disableloopbackdataport>:
   15c5b:	41          	.byte	0x41
   15c5c:	0d304554 	.word	0x0d304554
   15c60:	0a          	.byte	0x0a

00015c61 <ATDT>:
   15c61:	41          	.byte	0x41
   15c62:	4454      	.short	0x4454
   15c64:	37313654 	.word	0x37313654
   15c68:	37323338 	.word	0x37323338
   15c6c:	0a0d      	.short	0x0a0d

00015c6e <testAlive_1>:
   15c6e:	00fa      	.short	0x00fa
   15c70:	00011b00 	.word	0x00011b00
   15c74:	00000001 	.word	0x00000001
   15c78:	7ead8101 	.word	0x7ead8101

00015c7c <onlineMode_1>:
   15c7c:	030000fa 	.word	0x030000fa
   15c80:	00000000 	.word	0x00000000
   15c84:	4f020000 	.word	0x4f020000
   15c88:	5d7d      	.short	0x5d7d
   15c8a:	7e          	.byte	0x7e
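The listing above shows the data as the disassembler grouped it into little-endian words, so the bytes that actually go to the modem appear reversed within each .word and .short. The following added example (not from the original page or from Palm's code) rebuilds the byte order for an excerpt of the listing, restoring the zero bytes that "..." elides; the function name decode_dump and the embedded excerpt are assumptions made for illustration.

```python
import re

# Excerpt of the listing above as sample input (testAliveResp1 cut after 1 byte).
DUMP = """
00015a68 <ATCmd>:
   15a68: 0a0d5441  .word 0x0a0d5441
000159dd <testAlive>:
   159dd: fa        .byte 0xfa
   159de: 0000      .short 0x0000
   159e0: 0000011b  .word 0x0000011b
   159e4: 00000000  .word 0x00000000
   159e8: b74c      .short 0xb74c
   159ea: 7e        .byte 0x7e
000159eb <testAliveResp>:
   159eb: 1b        .byte 0x1b
   159ec: 00000001  .word 0x00000001
   159f0: 0000      .short 0x0000
        ...
000159f3 <testAliveResp1>:
   159f3: 1c        .byte 0x1c
"""
SIZES = {"word": 4, "short": 2, "byte": 1}
SYM = re.compile(r"^([0-9a-f]+) <(\w+)>:")
DATA = re.compile(r"^\s*([0-9a-f]+):\s+[0-9a-f]+\s+\.(word|short|byte)\s+0x([0-9a-f]+)")

def decode_dump(text):
    """Rebuild each symbol's bytes in memory order (little-endian data words)."""
    out, name, cursor, elided = {}, None, 0, False
    for line in text.splitlines():
        sym, data = SYM.match(line), DATA.match(line)
        if line.strip() == "...":
            elided = True                 # objdump skipped a run of zero bytes
        elif sym or (data and name):
            addr = int((sym or data).group(1), 16)
            if elided and name:           # restore the zeros up to this address
                out[name] += bytes(addr - cursor)
            elided = False
            if sym:
                name, cursor = sym.group(2), addr
                out[name] = bytearray()
            else:
                size = SIZES[data.group(2)]
                out[name] += int(data.group(3), 16).to_bytes(size, "little")
                cursor = addr + size
    return {k: bytes(v) for k, v in out.items()}

if __name__ == "__main__":
    for name, seq in decode_dump(DUMP).items():
        print(f"{name:15} {seq.hex(' ')}  {seq!r}")
```

Decoded this way, the AT-named entries are plain ASCII ending in CR LF, while the binary entries such as testAlive end in the byte 0x7e.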

PmModemUpdater

Usage:
PmModemUpdater -h                     Print usage
PmModemUpdater -v                     Detect current modem firmware version
PmModemUpdater -p  /path/to/firmware.tar  Check the firmware package info
PmModemUpdater -b		      Backup NV items from device to /var/firmware/palm_nv_backup.txt 
PmModemUpdater -r /path/to/nvfile     Load NV items from nvfile   		
PmModemUpdater<firmware.tar           Update the firmware using a tar file as input
PmModemUpdater<firmware.tar  -f       Force an update even the modem has the same version than tar file
PmModemUpdater<firmware.tar  -s xx xx Force the modem to be flashed (RESCUE MODE)
PmModemUpdater  -i            	      Start a data/voice test on your umts modem directly
PmModemUpdater  -e            	      Ignore stop/start TIL/WAND
PmModemUpdater  -o            	      silent mode which means no verbose output at all
PmModemUpdater<firmware.tar -m        Force the modem to be flashed (INFINITE USB RESCUE MODE) on USB

pmmodempower

 #!/bin/sh
 for i in "$*"
 do
    if [ "$i" = "on" ]
    then
	echo Powering On Modem
	echo 1 > /sys/user_hw/pins/modem/power_on/level
    fi
    if [ "$i" = "off" ]
    then 
	echo Powering Off Modem
	echo 0 > /sys/user_hw/pins/modem/boot_mode/level
	echo 0 > /sys/user_hw/pins/modem/power_on/level
    fi
    if [ "$i" = "cycle" ]
    then
	echo Powering Off Modem
	echo 0 > /sys/user_hw/pins/modem/boot_mode/level
	echo 0 > /sys/user_hw/pins/modem/wakeup_modem/level
	echo 0 > /sys/user_hw/pins/modem/power_on/level
	sleep 2
	echo Powering On Modem
	echo 1 > /sys/user_hw/pins/modem/power_on/level
	#echo Waiting for MODEM_WAKE_APP Low
	#while [ "$appwake" != "0" ]
	#do
	#    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#done
	#echo Waiting for MODEM_WAKE_APP Pulse High
	#appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#while [ "$appwake" != "1" ]
	#do
	#    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#done
	#while [ "$appwake" != "0" ]
	#do
	#    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
	#done
	echo Asserting APP_WAKE_MODEM
	echo 1 > /sys/user_hw/pins/modem/wakeup_modem/level
    fi
 done

PmLinuxModemCmd

 usage: PmLinuxModemCmd <Port> <[a][b][c][d <number>][e][f][ftm][h][g][i][k <#pkts>][l][m][n][o][pcmloopback <radio> <state>][q][r][s][t][u <#pkts>][zr][zt][zl][1] [5][9]]> [v]
 where: <Port>:
           /dev/ttyS0         - Modem UART. - UART PORT
           /dev/tts/modem0    - USB Serial to Modem for AT commands - DATA PORT.
           /dev/tts/modemdiag - USB Serial to Modem for Diagnostics - DIAG PORT.
 where:
       e - empty read buffer from specified port.
       u - Loopback mode performance test. Next argument <#pkts>
  UART PORT COMMANDS: (/dev/ttyS0) 
       b  - Send loopback mode command for 256 bytes. UART goes into loopback mode until power cycle.
       d  - Send commands to dial a phone number. Phone number in the format 4086178327.
       f  - Send offline mode and read pkt.
       ftm - Enter modem FTM mode (both CDMA and GSM modems).
       i  - Send identify command.
       l  - Send testalive then loop forever doing ( onlinemode, offlinemode, sleep  to UART.
       m  - Disable loopback mode.
       o  - Send online mode and read pkt.
       pcmloopback - control PCM loopback. <radio> = GSM/CDMA <state> = on/off.
       q  - Send test alive, online mode and then read pkts.
       r  - Get firmware version.
       t  - Send test alive and read pkt.
       1  - Send command to enable 1A charging.
       5  - Send command to enable 500mA charging.
       9  - Send command to enable 90mA charge.
       zs - CDMA reset modem.
       zt - CDMA send test alive and read pkts.
       zdiagonusb - CDMA put diag port on USB diag.
       zdiagonuart- CDMA put diag port on UART.
  DATA PORT COMMANDS: (/dev/tts/modem0) 
       a - Send AT\n.
       c - Send ATCGDCONT\n.
       h - Send Echo command.
       k - Test loopback perf using command (ATE1\n).
  DIAG PORT COMMANDS: (/dev/tts/modemdiag) 
       g  - Get QPST serial port config from DIAG port.
       s  - Get ESN from DIAG port.
       zl - CDMA put modemdiag into loopback. 
       zr - CDMA Read performance tests. Takes two arguments <numpkts> and <pktSize>.
               Eg. %s /dev/tts/modemdiag zr <NumPkts> <PktSize> [v] 
       zw - CDMA Write performance tests. Takes two arguments <numpkts> and <pktSize>.
               Eg. %s /dev/tts/modemdiag zw <NumPkts> <PktSize> [v] 
       zu - CDMA Performance tests of the diag port after putting it into loopback. Takes two arguments <numpkts> and <pktSize>. 
               Eg. %s /dev/tts/modemdiag zu <NumPkts> <PktSize> [v] 
 where  v - verbose output.