Project

General

Profile

ExynosModemIsolation » History » Version 3

Paul Kocialkowski, 03/15/2013 11:21 PM

1 1 Paul Kocialkowski
h1. S5PC110 Hardware Design
2
3
This explains the hardware design found in many S5PC110 phones.
4
5
h2. Hardware design matrix
6
7
|_. *Chip* |_. Controlled by the CPU |_. Controlled by the modem |_. Connected to the modem |
8
| GPS | Yes | No | No? |
9
| Audio CODEC | Yes | No | Yes |
10
| NAND | Yes | No | No |
11 3 Paul Kocialkowski
| RAM | Yes | Yes (96Mib at least) | Yes |
12 1 Paul Kocialkowski
| WiFi/Bluetooth | Yes | No | No |
13
| Sensors | Yes | No | No |
14
| NFC | Yes | No | No |
15
| Camera | Yes | No | No |
16
17
h2. Modem isolation
18
19 2 Paul Kocialkowski
The modem (XMM 6160) is separated from the SoC and communicates with it via serial over 16Mib of shared memory: this is bad since it means that RAM is compromised (at least 80Mib + 16Mib = 96Mib) and can be used to spy.
20 1 Paul Kocialkowski
Regarding audio, the modem is connected to the CODEC but cannot control it (the SoC has to enable routing from/to the modem).
21
There is no evidence that the GPS is connected to the modem, but since we cannot check on the hardware, there is no proof it's not connected to it either. The SoC is able to control the GPS power though, so we can keep it off.
22
Since the SoC has to load the modem firmware over the (fake) serial, and following the datasheets, the modem is not connected to the NAND.
23
24
h2. Shared RAM issue
25
26 3 Paul Kocialkowski
The modem is able to spy on (at least) 96 Mib of the main memory. So far, we cannot tell:
27
* if it can only spy 80Mib or the full memory
28 1 Paul Kocialkowski
* if it can be fixed or not
29
30
h3. Kernel details
31
32
@kernel-crespo/arch/arm/mach-s5pv210/dev-herring-phone.c@:
33
<pre>
34
static struct resource mdmctl_res[] = {
35
[...]
36
        [2] = {
37
                .name = "onedram",
38
                .start = (S5PV210_PA_SDRAM + 0x05000000),
39
                .end = (S5PV210_PA_SDRAM + 0x05000000 + SZ_16M - 1),
40
                .flags = IORESOURCE_MEM,
41
        },
42
};
43
</pre>
44
45
* S5PV210_PA_SDRAM is 0x30000000
46 3 Paul Kocialkowski
* 0x05000000 is 80Mib
47 1 Paul Kocialkowski
* mdmctl_res goes in a platform device struct which is passed to the modem driver:
48
49
<pre>
50
static struct platform_device modemctl = {
51
        .name = "modemctl",
52
        .id = -1,
53
        .num_resources = ARRAY_SIZE(mdmctl_res),
54
        .resource = mdmctl_res,
55
        .dev = {
56
                .platform_data = &mdmctl_data,
57
        },
58
};
59
</pre>
60
61
And in the board file (in kernel-crespo/arch/arm/mach-s5pv210/mach-herring.c) we have: 
62
<pre>
63
static void __init herring_fixup(struct machine_desc *desc,
64
                struct tag *tags, char **cmdline,
65
                struct meminfo *mi)
66
{
67
        mi->bank[0].start = 0x30000000;
68
        mi->bank[0].size = 80 * SZ_1M;
69
        mi->bank[0].node = 0;
70
</pre>
71
72 3 Paul Kocialkowski
So we can suppose that there is at least one ram chip that is shared between the modem and the main CPU. Avoiding the use of this memory bank would result in loosing 80Mib of memory.