Research Pre GSM Modem
Modem Ports
There are several ports for communicating with the modem on the Palm Pre:
- /dev/modemuart: Modem UART (UART Port)
- /dev/tts/modem0 (Symlink for ttyACM0): USB Serial to Modem for AT commands (Data Port)
- /dev/tts/modemdiag (Symlink for ttyACM1): USB Serial to Modem for Diagnostics (DIAG Port)
sysfs Entries
- Power Control: /sys/user_hw/pins/modem/power_on/level
Palm Programs for communicating with the modem
In /usr/bin there are some interesting programs:
- PmLinuxModemCmd: You can do some operations on the modem from command line
- PmModemInfo: Shows you the IMEI and the version of the modem firmware
- PmModemPower: A simple shell script to turn on/reset the modem
- PmModemUpdater: Flash the modem with a new firmware
The binary sequences are:
00014a1c <enableloopbackdataport>:
   14a1c: 31455441 .word 0x31455441
   ...
   159c0: 0a0d .short 0x0a0d
000159c2 <loopback>:
   159c2: 0f88 .short 0x0f88
   159c4: 00010000 .word 0x00010000
   159c8: 7eb3d400 .word 0x7eb3d400
000159cc <identify>:
   159cc: 7e3b1c1d .word 0x7e3b1c1d
000159d0 <getVer>:
   159d0: 1b0000fa .word 0x1b0000fa
   159d4: 00000009 .word 0x00000009
   159d8: 00000000 .word 0x00000000
   159dc: 7e .byte 0x7e
000159dd <testAlive>:
   159dd: fa .byte 0xfa
   159de: 0000 .short 0x0000
   159e0: 0000011b .word 0x0000011b
   159e4: 00000000 .word 0x00000000
   159e8: b74c .short 0xb74c
   159ea: 7e .byte 0x7e
000159eb <testAliveResp>:
   159eb: 1b .byte 0x1b
   159ec: 00000001 .word 0x00000001
   159f0: 0000 .short 0x0000
   ...
000159f3 <testAliveResp1>:
   159f3: 1c .byte 0x1c
   159f4: 00000002 .word 0x00000002
   159f8: 0000 .short 0x0000
   ...
000159fb <testAliveCDMA>:
   159fb: fa .byte 0xfa
   159fc: 14080000 .word 0x14080000
   15a00: f904d200 .word 0xf904d200
   15a04: 7e27 .short 0x7e27
00015a06 <testAliveRespCDMA>:
   15a06: 0122 .short 0x0122
   15a08: 0000 .short 0x0000
   ...
00015a0b <enterFTMmode>:
   15a0b: 29 .byte 0x29
   15a0c: 73810003 .word 0x73810003
   15a10: 7e .byte 0x7e
00015a11 <CDMAdiagPortOnUART>:
   15a11: fa .byte 0xfa
   15a12: 0000 .short 0x0000
   15a14: 00002308 .word 0x00002308
   15a18: fbf1 .short 0xfbf1
   15a1a: 7e .byte 0x7e
00015a1b <CDMAdiagPortOnUSB>:
   15a1b: fa .byte 0xfa
   15a1c: 23080000 .word 0x23080000
   15a20: 29e20001 .word 0x29e20001
   15a24: 7e .byte 0x7e
00015a25 <resetCDMA>:
   15a25: 29 .byte 0x29
   15a26: 0002 .short 0x0002
   15a28: 6a59 .short 0x6a59
   15a2a: 7e .byte 0x7e
00015a2b <onlineMode>:
   15a2b: fa .byte 0xfa
   15a2c: 00030000 .word 0x00030000
   15a30: 00000000 .word 0x00000000
   15a34: 09f00500 .word 0x09f00500
   15a38: 7e .byte 0x7e
00015a39 <offlineMode>:
   15a39: fa .byte 0xfa
   15a3a: 0000 .short 0x0000
   15a3c: 00000003 .word 0x00000003
   15a40: 06000000 .word 0x06000000
   15a44: 3b6b .short 0x3b6b
   15a46: 7e .byte 0x7e
00015a47 <ATCGDCONT>:
   15a47: 41 .byte 0x41
   15a48: 47432b54 .word 0x47432b54
   15a4c: 4e4f4344 .word 0x4e4f4344
   15a50: 0a0d3f54 .word 0x0a0d3f54
00015a54 <ATE0E1Cmd>:
   15a54: 30455441 .word 0x30455441
   15a58: 30453145 .word 0x30453145
   15a5c: 30453145 .word 0x30453145
   15a60: 30453145 .word 0x30453145
   15a64: 0a0d3145 .word 0x0a0d3145
00015a68 <ATCmd>:
   15a68: 0a0d5441 .word 0x0a0d5441
00015a6c <Charging90mA>:
   15a6c: 1b0000fa .word 0x1b0000fa
   15a70: 00000006 .word 0x00000006
   15a74: 00180000 .word 0x00180000
   15a78: f0f30000 .word 0xf0f30000
   15a7c: 7e .byte 0x7e
00015a7d <Charging500mA>:
   15a7d: fa .byte 0xfa
   15a7e: 0000 .short 0x0000
   15a80: 0000061b .word 0x0000061b
   15a84: 18000000 .word 0x18000000
   15a88: 2b000100 .word 0x2b000100
   15a8c: 7ee9 .short 0x7ee9
00015a8e <Charging1A>:
   15a8e: 00fa .short 0x00fa
   15a90: 00061b00 .word 0x00061b00
   15a94: 00000000 .word 0x00000000
   15a98: 00070018 .word 0x00070018
   15a9c: bdfb .short 0xbdfb
   15a9e: 7e .byte 0x7e
00015a9f <getQPSTConfig>:
   15a9f: 0c .byte 0x0c
   15aa0: 417e3a14 .word 0x417e3a14
   15aa4: 43512454 .word 0x43512454
   15aa8: 0d474d44 .word 0x0d474d44
   15aac: 51245441 .word 0x51245441
   15ab0: 474d4443 .word 0x474d4443
   15ab4: 2454410d .word 0x2454410d
   15ab8: 4d444351 .word 0x4d444351
   15abc: 067e0d47 .word 0x067e0d47
   15ac0: 7e7e954e .word 0x7e7e954e
00015ac4 <getESN>:
   15ac4: 00000026 .word 0x00000026
   ...
   15b48: 7ed2ad00 .word 0x7ed2ad00
00015b4c <CDMAPcmLoopbackOn>:
   15b4c: 000e0b4b .word 0x000e0b4b
   15b50: 00010003 .word 0x00010003
   15b54: 0001000c .word 0x0001000c
   15b58: 7e00 .short 0x7e00
00015b5a <CDMAPcmLoopbackOff>:
   15b5a: 0b4b .short 0x0b4b
   15b5c: 0003000e .word 0x0003000e
   15b60: 000c0001 .word 0x000c0001
   15b64: 7e000000 .word 0x7e000000
00015b68 <GSMPcmLoopbackOn>:
   15b68: 000e0b4b .word 0x000e0b4b
   15b6c: 000b0003 .word 0x000b0003
   15b70: 0001000c .word 0x0001000c
   15b74: 7e00 .short 0x7e00
00015b76 <GSMPcmLoopbackOff>:
   15b76: 0b4b .short 0x0b4b
   15b78: 0003000e .word 0x0003000e
   15b7c: 000c000b .word 0x000c000b
   15b80: 7e000000 .word 0x7e000000
00015b84 <Dial>:
   15b84: 000000fa .word 0x000000fa
   15b88: 00000000 .word 0x00000000
   15b8c: 04000000 .word 0x04000000
   ...
   15bf0: 34000000 .word 0x34000000
   15bf4: 31363830 .word 0x31363830
   15bf8: 32333837 .word 0x32333837
   15bfc: 00000037 .word 0x00000037
   ...
   15c30: 0a000000 .word 0x0a000000
   ...
   15c58: 0000 .short 0x0000
   15c5a: 7e .byte 0x7e
00015c5b <disableloopbackdataport>:
   15c5b: 41 .byte 0x41
   15c5c: 0d304554 .word 0x0d304554
   15c60: 0a .byte 0x0a
00015c61 <ATDT>:
   15c61: 41 .byte 0x41
   15c62: 4454 .short 0x4454
   15c64: 37313654 .word 0x37313654
   15c68: 37323338 .word 0x37323338
   15c6c: 0a0d .short 0x0a0d
00015c6e <testAlive_1>:
   15c6e: 00fa .short 0x00fa
   15c70: 00011b00 .word 0x00011b00
   15c74: 00000001 .word 0x00000001
   15c78: 7ead8101 .word 0x7ead8101
00015c7c <onlineMode_1>:
   15c7c: 030000fa .word 0x030000fa
   15c80: 00000000 .word 0x00000000
   15c84: 4f020000 .word 0x4f020000
   15c88: 5d7d .short 0x5d7d
   15c8a: 7e .byte 0x7e
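The listing above shows each sequence as disassembler data directives, so the multi-byte values are not in wire order. The following Python sketch is an added example, not code from this page or from Palm: it turns such a listing back into the byte strings actually sent, assuming little-endian storage (which the AT entries confirm when decoded) and treating each "..." line as a skipped run of zero bytes; the function and variable names are hypothetical.

```python
import re

# Entries copied from the listing above; "..." marks a skipped run of zero bytes.
LISTING = """\
00015a25 <resetCDMA>:
   15a25: 29 .byte 0x29
   15a26: 0002 .short 0x0002
   15a28: 6a59 .short 0x6a59
   15a2a: 7e .byte 0x7e
00015a47 <ATCGDCONT>:
   15a47: 41 .byte 0x41
   15a48: 47432b54 .word 0x47432b54
   15a4c: 4e4f4344 .word 0x4e4f4344
   15a50: 0a0d3f54 .word 0x0a0d3f54
00015a68 <ATCmd>:
   15a68: 0a0d5441 .word 0x0a0d5441
00015ac4 <getESN>:
   15ac4: 00000026 .word 0x00000026
   ...
   15b48: 7ed2ad00 .word 0x7ed2ad00
"""

SIZES = {"byte": 1, "short": 2, "word": 4}
SYMBOL = re.compile(r"^([0-9a-f]+) <(\w+)>:")
DATA = re.compile(r"^\s*([0-9a-f]+):\s+[0-9a-f]+\s+\.(byte|short|word)\s+0x([0-9a-f]+)")

def decode_listing(text):
    """Return {symbol: bytes}: directives little-endian, '...' gaps zero-filled."""
    out, name, start, gap = {}, None, 0, False
    for line in text.splitlines():
        hit = SYMBOL.match(line) or DATA.match(line)
        if hit is None:
            gap = gap or line.strip() == "..."
            continue
        addr = int(hit.group(1), 16)
        if gap and name is not None:      # pad up to the next listed address
            out[name] += bytes(max(0, addr - start - len(out[name])))
        gap = False
        if hit.re is SYMBOL:
            name, start = hit.group(2), addr
            out[name] = b""
        elif name is not None:
            out[name] += int(hit.group(3), 16).to_bytes(SIZES[hit.group(2)], "little")
    return out

if __name__ == "__main__":
    for sym, data in decode_listing(LISTING).items():
        print(f"{sym:10} {len(data):4}  {data[:14].hex(' ')}  {data[:14]!r}")
```

Decoded this way, the text entries are plain AT strings ending in CR LF, while the binary entries in the sample end in the byte 0x7e.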
PmModemUpdater
Usage:
  PmModemUpdater -h                     Print usage
  PmModemUpdater -v                     Detect current modem firmware version
  PmModemUpdater -p /path/to/firmware.tar  Check the firmware package info
  PmModemUpdater -b                     Backup NV items from device to /var/firmware/palm_nv_backup.txt
  PmModemUpdater -r /path/to/nvfile     Load NV items from nvfile
  PmModemUpdater<firmware.tar           Update the firmware using a tar file as input
  PmModemUpdater<firmware.tar -f        Force an update even the modem has the same version than tar file
  PmModemUpdater<firmware.tar -s xx xx  Force the modem to be flashed (RESCUE MODE)
  PmModemUpdater -i                     Start a data/voice test on your umts modem directly
  PmModemUpdater -e                     Ignore stop/start TIL/WAND
  PmModemUpdater -o                     silent mode which means no verbose output at all
  PmModemUpdater<firmware.tar -m        Force the modem to be flashed (INFINITE USB RESCUE MODE) on USB
pmmodempower
#!/bin/sh
for i in "$*"
do
    if [ "$i" = "on" ]
    then
        echo Powering On Modem
        echo 1 > /sys/user_hw/pins/modem/power_on/level
    fi
    if [ "$i" = "off" ]
    then
        echo Powering Off Modem
        echo 0 > /sys/user_hw/pins/modem/boot_mode/level
        echo 0 > /sys/user_hw/pins/modem/power_on/level
    fi
    if [ "$i" = "cycle" ]
    then
        echo Powering Off Modem
        echo 0 > /sys/user_hw/pins/modem/boot_mode/level
        echo 0 > /sys/user_hw/pins/modem/wakeup_modem/level
        echo 0 > /sys/user_hw/pins/modem/power_on/level
        sleep 2
        echo Powering On Modem
        echo 1 > /sys/user_hw/pins/modem/power_on/level
        #echo Waiting for MODEM_WAKE_APP Low
        #while [ "$appwake" != "0" ]
        #do
        #    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #done
        #echo Waiting for MODEM_WAKE_APP Pulse High
        #appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #while [ "$appwake" != "1" ]
        #do
        #    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #done
        #while [ "$appwake" != "0" ]
        #do
        #    appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #done
        echo Asserting APP_WAKE_MODEM
        echo 1 > /sys/user_hw/pins/modem/wakeup_modem/level
    fi
done
PmLinuxModemCmd
usage: PmLinuxModemCmd <Port> <[a][b][c][d <number>][e][f][ftm][h][g][i][k <#pkts>][l][m][n][o][pcmloopback <radio> <state>][q][r][s][t][u <#pkts>][zr][zt][zl][1] [5][9]]> [v]
where:
  <Port>: /dev/ttyS0 - Modem UART. - UART PORT
          /dev/tts/modem0 - USB Serial to Modem for AT commands - DATA PORT.
          /dev/tts/modemdiag - USB Serial to Modem for Diagnostics - DIAG PORT.
where:
  e - empty read buffer from specified port.
  u - Loopback mode performance test. Next argument <#pkts>
UART PORT COMMANDS: (/dev/ttyS0)
  b - Send loopback mode command for 256 bytes. UART goes into loopback mode until power cycle.
  d - Send commands to dial a phone number. Phone number in the format 4086178327.
  f - Send offline mode and read pkt.
  ftm - Enter modem FTM mode (both CDMA and GSM modems).
  i - Send identify command.
  l - Send testalive then loop forever doing ( onlinemode, offlinemode, sleep to UART.
  m - Disable loopback mode.
  o - Send online mode and read pkt.
  pcmloopback - control PCM loopback. <radio> = GSM/CDMA <state> = on/off.
  q - Send test alive, online mode and then read pkts.
  r - Get firmware version.
  t - Send test alive and read pkt.
  1 - Send command to enable 1A charging.
  5 - Send command to enable 500mA charging.
  9 - Send command to enable 90mA charge.
  zs - CDMA reset modem.
  zt - CDMA send test alive and read pkts.
  zdiagonusb - CDMA put diag port on USB diag.
  zdiagonuart- CDMA put diag port on UART.
DATA PORT COMMANDS: (/dev/tts/modem0)
  a - Send AT\n.
  c - Send ATCGDCONT\n.
  h - Send Echo command.
  k - Test loopback perf using command (ATE1\n).
DIAG PORT COMMANDS: (/dev/tts/modemdiag)
  g - Get QPST serial port config from DIAG port.
  s - Get ESN from DIAG port.
  zl - CDMA put modemdiag into loopback.
  zr - CDMA Read performance tests. Takes two arguments <numpkts> and <pktSize>.
       Eg. %s /dev/tts/modemdiag zr <NumPkts> <PktSize> [v]
  zw - CDMA Write performance tests. Takes two arguments <numpkts> and <pktSize>.
       Eg. %s /dev/tts/modemdiag zw <NumPkts> <PktSize> [v]
  zu - CDMA Performance tests of the diag port after putting it into loopback. Takes two arguments <numpkts> and <pktSize>.
       Eg. %s /dev/tts/modemdiag zu <NumPkts> <PktSize> [v]
where v - verbose output.
TelephonyInterfaceLayerGsm
/usr/bin/TelephonyInterfaceLayerGsm connects to /dev/modemuart with a baud rate of 115200. Trying the same with screen shows me just rubbish. It seems to be the binary protocol. Make sure you rename the file before killing the process, as it gets restarted automatically.
To strace TelephonyInterfaceLayerGsm and write out the relevant communication to /dev/modemuart we offer a small shell script below. Make sure your / is remounted rw for it.
#!/bin/sh
#Make sure TelephonyInterfaceLayerGsm does not get restarted when we kill it
mv /usr/bin/TelephonyInterfaceLayerGsm /usr/bin/TelephonyInterfaceLayerGsm-backup
kill $(pidof TelephonyInterfaceLayerGsm)
sleep 2
#I always had fd=10 for /dev/modemuart, be verbose on reads and writes on this fd
strace -x -s 10000 -f -F -o gsm.log -e read=10 -e write=10 TelephonyInterfaceLayerGsm-backup &
sleep 25
kill $(pidof TelephonyInterfaceLayerGsm-backup)
sleep 2
#Bring the system into a usable state again
mv /usr/bin/TelephonyInterfaceLayerGsm-backup /usr/bin/TelephonyInterfaceLayerGsm
sh /etc/event.d/TelephonyInterfaceLayer
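To read the resulting gsm.log, the quoted buffers of the read and write calls have to be unescaped and joined per direction, because one packet can be spread over several calls. The following Python sketch is an added example, not part of the original page: it assumes fd 10 as noted in the script, assumes that a packet ends at the byte 0x7e (inferred from the binary sequences listed earlier, not documented by Palm), and runs on constructed log lines. It does not handle strace's "<... resumed>" continuation lines.

```python
import re

# Constructed sample in the shape strace -f -x -o writes; not captured from a device.
# The two writes carry the testAlive bytes from the listing, split across two calls.
SAMPLE_LOG = r'''
812   write(10, "\xfa\x00\x00\x1b\x01", 5) = 5
812   write(10, "\x00\x00\x00\x00\x00\x00\x4c\xb7\x7e", 9) = 9
812   read(10, "\x1b\x01\x00", 1024) = 3
812   read(11, "ignored", 64) = 7
812   read(10, "AB", 1024) = 2
812   read(10, "\x00\x7e", 1024) = 2
812   read(10, "", 1024) = 0
'''

ESC = {"n": 10, "r": 13, "t": 9, "v": 11, "f": 12, "\\": 92, '"': 34}
TOKEN = re.compile(r'\\x([0-9a-f]{2})|\\([0-7]{1,3})|\\(.)|(.)', re.S)
CALL = re.compile(r'^\d+\s+(read|write)\((\d+), "((?:[^"\\]|\\.)*)"')

def unquote(s):
    """Turn a strace-quoted string back into bytes. With -x a buffer is printed
    all-hex only if it holds a non-printable byte; otherwise it appears as text."""
    out = bytearray()
    for hx, oc, esc, ch in TOKEN.findall(s):
        out.append(int(hx, 16) if hx else int(oc, 8) if oc else ESC[esc] if esc else ord(ch))
    return bytes(out)

def frames(log, fd=10):
    """Join each direction's byte stream on `fd` and split it after every 0x7e."""
    streams = {"read": bytearray(), "write": bytearray()}
    for line in log.splitlines():
        m = CALL.match(line)
        if m and int(m.group(2)) == fd:
            streams[m.group(1)] += unquote(m.group(3))
    # The last split element is an unterminated remainder and is dropped.
    return {d: [f + b"\x7e" for f in bytes(s).split(b"\x7e")[:-1]]
            for d, s in streams.items()}

if __name__ == "__main__":
    for direction, packets in frames(SAMPLE_LOG).items():
        for p in packets:
            print(f"{direction:5} {len(p):3}  {p.hex(' ')}")
```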