XMMBoot¶
- Table of contents
- XMMBoot
Introduction¶
For both libsamsung-ipc and the Linux driver it's interesting to understand better the boot of the modem in order to come with good names for the abstraction.
High level boot process¶
The exact boot sequence is different on different devices:- On most / all the devices we need to start by powering off the modem, and the link between the SOC and the modem. This makes sure that we can reliabily boot the modem at all times.
- Then we need to configure the hardware to put the modem in loading mode and have everything ready for loading its firmware. On some device, the link needed to load the modem needs to be configured as well.
- Then we send the modem firmware to the modem
- Then on some devices we need extra step (like triggering an HSIC re-enumeration) once it's done.
Abstraction¶
- hci_power -> link_power
- Find the difference between power_on and boot_power_on
- Look at the GPIOs and understand what they do
- Just read the code that use the GPIOs
- Diff both procedures
- Look which device has which XMM626X
- Add XMM6210 devices too
GPIOs¶
Devices GPIOs assignement and drivers¶
Hardware | Linux | libsamsung-ipc | ||||
---|---|---|---|---|---|---|
Variant | SOC | Modem | Link | GPIO usage | GPIO assignement | device driver name |
Galaxy Tab: GT-P1000 |
Exynos 3310 | RAM | aries | |||
Galaxy S: GT-I9000 |
Exynos 3110 | XMM6160 | RAM | aries | ||
Nexus S: GT-I9020 GT-I9020A GT-I9023 |
Exynos 3110 | RAM | crespo | |||
Galaxy SII: GT-I9100 |
Exynos 4210 | XMM6260 | HSIC | CONFIG_UMTS_MODEM_XMM6260=y | galaxys2 | |
Galaxy Note: GT-N7000 |
Exynos 4210 | XMM6260 | HSIC | CONFIG_UMTS_MODEM_XMM6260=y | galaxys2 | |
Galaxy Nexus: GT-I9250 |
OMAP 4460 | XMM6260 | MIPI | CONFIG_UMTS_MODEM_XMM6260=y Makefile modem_modemctl_device_xmm6260.c |
maguro | |
Galaxy SIII: GT-I9300 |
Exynos 4412 | XMM6262 | HSIC | CONFIG_UMTS_MODEM_XMM6262=y Makefile modem_modemctl_device_xmm6262.c |
CONFIG_SEC_MODEM_M0=y Makefile board-m0-modems.c CONFIG_MACH_M0=y gpio-midas.h gpio-rev00-m0.h |
i9300 |
Galaxy Note 8.0 GSM: GT-N5100 |
Exynos 4412 | XMM6262 | HSIC | CONFIG_UMTS_MODEM_XMM6262=y | n5100 | |
Galaxy Note II: GT-N7100 |
Exynos 4412 | XMM6262 | HSIC | CONFIG_UMTS_MODEM_XMM6262=y | n7100 | |
Galaxy Tab 2: GT-P3100 GT-P5100 |
OMAP 4430 | XMM6262 | MIPI | CONFIG_UMTS_MODEM_XMM6262=y | piranah |
GPIOs usage¶
TODO: make sure to mention what applies to what device- Start with I9300. Assume I9300 if device is not mentioned. Mention device when not I9300
- Add more devices and mention them
Note that we don't limit ourselves to the drivers that are in use on the devices supported by Replicant.
As Samsung wrote drivers for the modem interfaces, and that the interface is similar across many different modems, other unused drivers and their comments also gives many hints about what the GPIOs are supposed to be used for.
gpio platform data name | present | absent | direction | comments |
---|---|---|---|---|
gpio_cp_on | GT-I9300 | powers on the modem? in which state (PMIC?, CPU?) * On GT-I9100 it's connected to the ON1 modem pin and ON2 is not connected. |
||
gpio_cp_reset | GT-I9300 | read + write | Resets the modem CPU? PMIC?: * ''check the reset timming with C2C connection'' : Here C2C probably means chip to chip Can also read the modem CPU? and/or PMIC? reset state? * Reads from the GPIO and ''CP not ready, Active State low'' comment Also used in umts_link_reconnect (todo: check firmware status) |
|
gpio_reset_req_n | GT-I9300 (define) | It seems to reset the modem. On some device with an MSM SOC (modem? AP?) in the smdk4412 kernel, it resets the modem PMIC. It can also be used to keep the modem (SOC? PMIC? CPU?) in reset mode while powered on. It could very well be the PMIC with the GT-I9300 as we have the following sequence in xmm6262_on : gpio_set_value(mc->gpio_reset_req_n, 0); gpio_set_value(mc->gpio_cp_on, 0); gpio_set_value(mc->gpio_cp_reset, 0); msleep(100); gpio_set_value(mc->gpio_cp_reset, 1); /* If XMM6262 was connected with C2C, AP wait 50ms to BB Reset*/ msleep(50); gpio_set_value(mc->gpio_reset_req_n, 1); gpio_set_value(mc->gpio_cp_on, 1); udelay(60); gpio_set_value(mc->gpio_cp_on, 0); msleep(20); SOCs probably need to have a very specific voltage ramp up sequences to boot (voltage ramps and so on are described in the SOC datasheets, TODO: check with a specific example). If that's true it would mean that the CPU has to not be off at boot but still be in some reset mode to accept a firmware? In that case, once everything is off, the CPU power would be turned on first, then the PMIC, then the reset line for the firmware loading (way later) |
||
gpio_pda_active | GT-I9300 | Tell the modem if the SOC CPUs are sleeping/active or not? * PDA == Application processor * ''PDA_ACTIVE, let cp know AP sleep'' comment in status gc1-gpio.c * PDA_ACTIVE set to 0 right after cpu_pm_enter() * PDA_ACTIVE set to 1 right before cpu_pm_exit() * GPIO direction is output on AP side and input on BP side, which is also confirmed by the pinout table in XDA Also indicates when the CPU is ready to process modem stuff: * set to 1 at the end of xmm6262_on in modem_modemctl_device_xmm6262.c * The CPU can't process stuff if the HSIC link is in low power mode, as shown in set_hsic_lpa_states in board-m0-modems.c so it sets gpio_pda_active to 0 in these cases. |
||
gpio_phone_active | GT-I9300 | Seem the modem counterpart of gpio_pda_active: * See umts_link_reconnect in board-m0-modems.c * See also mc_work in the unused modemctl.c driver where that GPIO is used both to signal when the modem finished booting everything and is ready, and when the modem crashes or is reset * phone_active_irq_handler in modem_modemctl_device_xmm6262.c seem to be doing exactly the same thing. |
||
gpio_cp_dump_int | GT-I9300 | Maybe used for crash dump. Reference: Presentation about exploiting XMM modems: The nonfree s-boot 4.0 bootloader can probably get the modem crashdump. (cp is the modem) | ||
gpio_flm_uart_sel | Only used for the Galaxy Nexus in libsamsung-ipc | GT-I9300 | Modem download mode ? * FLM could be Firmware Load mode ? * On several devices, that GPIO seem to be used to switch between different UART, and the PMIC seem involved too in some devices. Not sure how it switches |
|
gpio_cp_warm_reset | GT-I9300 | |||
gpio_revers_bias_clear | GT-I9300 | |||
gpio_revers_bias_restore | GT-I9300 | |||
gpio_sim_detect | GT-I9300 (GPIO_SIM_DETECT is not set) | Detect SIM card presence ? | ||
gpio_link_enable | GT-I9300 | power management | ||
gpio_link_active | GT-I9300 (define) | set to 0 when the (HSIC) link is in low power and to 1 when it's back, like in set_hsic_lpa_states in board-m0-modems.c , power management | ||
gpio_link_hostwake | GT-I9300 (define) | power management According to the code below in modem_link_device_hsic.c, it seems that the modem can tell the host to set the HSIC link to sleep when that GPIO is high, and to re-enable the link when it's low: static irqreturn_t link_pm_irq_handler(int irq, void *data) { int value; struct link_pm_data *pm_data = data; #if defined(CONFIG_SLP) pm_wakeup_event(pm_data->miscdev.this_device, 0); #endif if (!pm_data->link_pm_active) return IRQ_HANDLED; /* host wake up HIGH */ /* resume usb runtime pm start */ /* host wake up LOW */ /* slave usb enumeration end, host can send usb packet after runtime pm status changes to ACTIVE */ [...] } |
||
gpio_link_slavewake | GT-I9300 (define) | power management According to the code in board-m0-modems.c, it seems to be used to wakup the modem or to make it exit low power mode by triggering a rising edge but I don't know why it checks the hostwake GPIO in the code below: /* HSIC specific function */ void set_slave_wake(void) { if (gpio_get_value(modem_link_pm_data.gpio_link_hostwake)) { pr_info("[MODEM_IF]Slave Wake\n"); if (gpio_get_value(modem_link_pm_data.gpio_link_slavewake)) { pr_info("[MODEM_IF]Slave Wake set _-\n"); gpio_direction_output( modem_link_pm_data.gpio_link_slavewake, 0); mdelay(10); } gpio_direction_output( modem_link_pm_data.gpio_link_slavewake, 1); } } [...] void set_hsic_lpa_states(int states) { int val = gpio_get_value(umts_modem_data.gpio_cp_reset); mif_trace("\n"); if (val) { switch (states) { [...] case STATE_HSIC_LPA_PHY_INIT: gpio_set_value(umts_modem_data.gpio_pda_active, 1); set_slave_wake(); pr_info(LOG_TAG "set hsic lpa phy init: " "slave wake-up (%d)\n", gpio_get_value( modem_link_pm_data.gpio_link_slavewake) ); break; } } } |
||
gpio_ap_dump_int | GT-I9300 (define) | Maybe used for crash dump. Reference: Presentation about exploiting XMM modems: The nonfree s-boot 4.0 bootloader can probably get the modem crashdump. Here it would indicate that the host somehow can send crashdumps to the modem somehow? | ||
gpio_sim_io_sel | GT-I9300 (define) | Seem to be used for some dual modem feature which is not present in any Replicant kernels (aries, crespo, espresso10, smdk4412, tuna) for Replicant 6 (or 4.2 for aries and crespo) | ||
gpio_cp_ctrl1 | GT-I9300 (define) | |||
gpio_cp_ctrl2 | GT-I9300 (define) |
Libsamsung-ipc¶
ioctl / function | Devices | |||||||
GT-I9250 | GT-I9100 / GT-N7000 | GT-I9300 | GT-N5100 | GT-N7100 | GT-P3100 / GT-P5100 | Galaxy S (GT-I9000) / Galaxy Tab | Nexus S (GT-I902x) | |
libsamsung-ipc driver | maguro | galaxys2 | i9300 | n5100 | n7100 | piranah | aries | crespo |
open, close, read, write fmt/rfs gprs power |
Yes | |||||||
boot_power status_online_wait |
Yes | No | No | |||||
hci_power link_control_active link_connected_wait link_get_hostwake_wait |
No | Yes | No | |||||
link_control_enable | Yes (ignored by Linux4[5][6]) | Yes (ignored by Linux1[2][3]) | ||||||
psi_send | xmm626_mipi_psi_send | xmm626_hsic_psi_send | xmm626_mipi_psi_send | xmm616_psi_send | ||||
firmware_send | xmm626_mipi_firmware_send | xmm626_hsic_firmware_send | xmm626_mipi_firmware_send | xmm616_firmware_send | ||||
nv_data_send | xmm626_mipi_nv_data_send | xmm626_hsic_nv_data_send | xmm626_mipi_nv_data_send | xmm616_nv_data_send |
libsamsung-ipc <-> kernel functions <-> gpios¶
libsamsung-ipc | Kernel | |||
---|---|---|---|---|
Function using the ioctl | ioctl name | pointer signature | GPIO used | comment |
xmm626_kernel_smdk4412_power | IOCTL_MODEM_ON IOCTL_MODEM_OFF |
int (*modem_on)(struct modem_ctl*); int (*modem_off)(struct modem_ctl*); |
gpio_cp_on gpio_cp_reset gpio_reset_req_n gpio_pda_active |
|
gpio_phone_active | ||||
gpio_cp_dump_int | ||||
xmm626_kernel_smdk4412_boot_power | IOCTL_MODEM_BOOT_ON IOCTL_MODEM_BOOT_OFF |
int (*modem_boot_on)(struct modem_ctl*); int (*modem_boot_off)(struct modem_ctl*); |
gpio_flm_uart_sel | |
gpio_cp_warm_reset | ||||
gpio_revers_bias_clear | ||||
gpio_revers_bias_restore | ||||
gpio_sim_detect | ||||
xmm626_kernel_smdk4412_status_online_wait | IOCTL_MODEM_STATUS | int phone_state; | gpio_cp_on gpio_cp_reset gpio_pda_active gpio_reset_req_n gpio_phone_active |
int phone_state get assigned the status computed from the various GPIO states xmm626_kernel_smdk4412_status_online_wait only waits for the online status |
xmm626_kernel_smdk4412_link_control_enable | IOCTL_LINK_CONTROL_ENABLE | int (*link_ldo_enable)(bool); |
gpio_link_enable | on i9300: * link_ldo_enable only returns 0 and has a comment ("Exynos HSIC V1.2 LDO was controlled by kernel") * gpio_link_enable is set to 0 (so it's ignored) |
Glossary¶
Terms for the modem CPU:- BP: Baseband processor
- CP: Cellular? processor
- AP: Application processor
TODO: move in its own page and point to it
LPA: Low power mode active (Related to ULPI specs only?)
ULPI: Probably a USB PHY spec
SIM card presence detection¶
Do we really want to check the SIM card presence?
Would it be possible not to for privacy reasons?
Example:- Boot a modem with a SIM
- Take away the SIM card
- Go to a protest with only the SIM card and a phone with no data on it to be able to call if necessary.
TODO¶
- check gpio_flm_uart_sel in smdk4412 kernel too
Potential privacy and security issues¶
gpio_pda_active¶
From cpuidle-exynos4.c we have things like that:
cpu_pm_enter(); #if defined(CONFIG_INTERNAL_MODEM_IF) || defined(CONFIG_SAMSUNG_PHONE_TTY) gpio_set_value(GPIO_PDA_ACTIVE, 0); #endif if (log_en) pr_debug("+++lpa\n")
and:
if (log_en) pr_debug("---lpa\n"); #if defined(CONFIG_INTERNAL_MODEM_IF) || defined(CONFIG_SAMSUNG_PHONE_TTY) gpio_set_value(GPIO_PDA_ACTIVE, 1); #endif cpu_pm_exit();
Does it means that we are telling the modem about each time we go in suspend to RAM?
Devices affected or not affected:
Device | Config |
---|---|
GT-I9300 | # CONFIG_INTERNAL_MODEM_IF is not set # CONFIG_SAMSUNG_PHONE_TTY is not set |
gpio_phone_active¶
From ehci-s5p.c we have things like that:
#if defined(CONFIG_UMTS_MODEM_XMM6262) if (pdata->get_cp_active_state && !pdata->get_cp_active_state()) { s5p_ehci_port_control(pdev, CP_PORT, 0); pr_err("mif: force port%d off by cp reset\n", CP_PORT); } #endif
Does it allows the modem to trigger a re-enumeration of the HSIC bus?
Devices affected or not affected:
Device | Config |
---|---|
GT-I9300 | CONFIG_UMTS_MODEM_XMM6262=y .gpio_phone_active = GPIO_PHONE_ACTIVE |
Other connections¶
According to the modem logs gathered with xgoldmon, on the Galaxy SII (GT-I9100) with Replicant 6.0, the Galaxy Nexus under Replicant 6.0 and the Galaxy SIII (GT-I9300) with the stock OS, the modem has a way to get information about the battery status.
Since libsamsung-ipc doesn't send that information, the modem probably is connected to a chip or resistance that can see get that information.
The XMMProtocolInterfaces article has an example of log for the Galaxy SII (GT-I9100) that has information about the battery voltage.
Links¶
- modem_modemctl_device_xmm6262.c
- https://forum.xda-developers.com/galaxy-s2/help/how-to-talk-to-modem-commands-t1471241/page4
- http://www.arteris.com/blog/bid/59433/Interchip-Connectivity-HSIC-UniPro-HSI-C2C-LLI-oh-my
- TODO: move this link somewhere where it's more useful
Updated by Denis 'GNUtoo' Carikli over 2 years ago · 213 revisions