Project

General

Profile

XMMProtocolInterfaces » History » Version 30

Denis 'GNUtoo' Carikli, 04/27/2021 09:37 AM

1 1 Denis 'GNUtoo' Carikli
h1. XMMProtocolInterfaces
2
3 5 Denis 'GNUtoo' Carikli
{{>toc}}
4
5 10 Denis 'GNUtoo' Carikli
h2. usb_sel
6 3 Denis 'GNUtoo' Carikli
7 21 Denis 'GNUtoo' Carikli
h3. HOWTO enable the modem usb interface
8 3 Denis 'GNUtoo' Carikli
9 21 Denis 'GNUtoo' Carikli
The modem also has an USB port that can be routed to the smartphone/tablet USB port.
10 1 Denis 'GNUtoo' Carikli
11 21 Denis 'GNUtoo' Carikli
To do that you first need to get a root shell in the device as the commands need to be executed as root.
12
13 10 Denis 'GNUtoo' Carikli
Once this is done you need to switch the USB connector to the modem USB. This can be done with the following command:
14 1 Denis 'GNUtoo' Carikli
<pre>
15 10 Denis 'GNUtoo' Carikli
echo MODEM > /sys/devices/virtual/sec/switch/usb_sel
16 1 Denis 'GNUtoo' Carikli
</pre>
17
18 10 Denis 'GNUtoo' Carikli
Then nothing will happen, you will still be able to login through adb.
19 1 Denis 'GNUtoo' Carikli
20 10 Denis 'GNUtoo' Carikli
To make the device switch to the modem USB you then need to unplug and replug the USB cable between your computer and the device.
21
22
At this point, if the modem was booted, you'll see a new USB device appearing.
23
Some serial ports will also appear.
24
25
Tested on Replicant 6.0 0004 RC3
26
27 22 Denis 'GNUtoo' Carikli
| Device   | Distribution           | Modem status | USB ids (lsusb from laptop)   | tty                          |
28 1 Denis 'GNUtoo' Carikli
| GT-I9100 | Replicant 6.0 0004 RC3 | Off          | None                          | N/A                          |
29
| GT-I9100 | Replicant 6.0 0004 RC3 | Booted       | 1519:0020 Comneon HSIC Device | /dev/ttyACM0 -> /dev/ttyACM6 |
30
| GT-I9300 | Replicant 6.0 0004 RC3 | Booted       | 1519:0020 Comneon HSIC Device | /dev/ttyACM0 -> /dev/ttyACM6 |
31 21 Denis 'GNUtoo' Carikli
32
When running lsusb on the SOC on the Replicant 11 kernel on a GT-I9300, we also see @1519:0020 Comneon HSIC Device@ once the modem is booted. Once powered on and before booting, the USB ids seen in lsusb with that kernel are these ones: @058b:0041 Infineon Technologies Flash Loader utility@ instead.
33
34
As the modem isn't visible either when not powered on, we need to look if it's possible to boot the modem from a laptop for instance.
35 10 Denis 'GNUtoo' Carikli
36 11 Denis 'GNUtoo' Carikli
h3. Protocols
37 12 Denis 'GNUtoo' Carikli
38 20 Denis 'GNUtoo' Carikli
|_. Device |_. State      |_. UART       |_. Protocol                                      |
39
| GT-I9100 | modem booted | /dev/ttyACM0 | AT: [[GTI9100ModemTTYACM0]]                     |
40
| GT-I9100 | modem booted | /dev/ttyACM1 | Compatible with xgoldmon                        |
41
| GT-I9300 | modem booted | /dev/ttyACM0 | AT: [[GTI9300ModemTTYACM0]]                     |
42
| GT-I9100 | modem booted | /dev/ttyACM1 | Xgoldmon waits for messages but nothing arrives |
43 3 Denis 'GNUtoo' Carikli
44 19 Denis 'GNUtoo' Carikli
h3. Xgoldmon
45 1 Denis 'GNUtoo' Carikli
46 23 Denis 'GNUtoo' Carikli
description: Xgoldmon is a software that can get some cellular protocol traces from some Samsung phones using the samsung-ipc protocol.
47
git: https://github.com/2b-as/xgoldmon.git
48
49 4 Denis 'GNUtoo' Carikli
Xgoldmon seem to display things on the GT-I9100:
50 1 Denis 'GNUtoo' Carikli
<pre>
51
# ./xgoldmon -vvvv -i localhost -t s2 -l /dev/ttyACM1
52
LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666778<<
53
LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4220<<
54 9 Denis 'GNUtoo' Carikli
LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4220, AvgBattVal_mv=4007, battery_level=5<<
55
LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<
56
LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666779<<
57
LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4225<<
58
LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4225, AvgBattVal_mv=4026, battery_level=5<<
59
LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<
60 1 Denis 'GNUtoo' Carikli
LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666778<<
61
LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4220<<
62
LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4220, AvgBattVal_mv=4055, battery_level=5<<
63
LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<
64
</pre>
65
66
And when calling an (inexisting/invalid) number, the frames appear in Wireshark.
67 19 Denis 'GNUtoo' Carikli
68
However on the GT-I9300 it waits for messages that never arrive.
69
And on the GT-I9100 there seem to be very few messages.
70
71 26 Denis 'GNUtoo' Carikli
I did some tests and compared a GT-I9100 with Replicant 6 and one with the stock distribution (rooted) and the one running Replicant outputed very few messages while the one running the stock OS outputed many messages.
72
73 29 Denis 'GNUtoo' Carikli
Both had the same result when running @AT+TRACE?@ on /dev/ttyACM0:
74 26 Denis 'GNUtoo' Carikli
<pre>
75
at+trace?
76
+TRACE: 1,921600,"ap=1;st=1;db=1;pr=1;bt=1,lt=1;li=1;ga=1;ae=1","DTM",0
77
</pre>
78
79
For more background on the values:
80
<pre>
81
AT+TRACE=?
82
+TRACE: description START
83
84
85
at+trace=[<mode>],[<speed>],["<unit>=<umode>[,<unit>=<umode>[;...]]]",["<method>"],[PowerSavingCountdown]
86
87
<mode>:
88
       -------------------------------------------------------------
89
                                                                    0:        sets all units OFF [param <unit> will be ignored !]
90
                                                                                                                                 1:        sets all units ON  [param <unit> will be ignored !]
91
                                 no param: 3rd param. <units> configures trace-units
92
                                                                                              -> trace? will then display 128 as <mode>
93
94
<speed>: (115200,230400,460800,921600,1843200,3000000,3250000,6000000)
95
96
97
<units>:
98
        -------------
99
                     ap: apoxi
100
                              st: stack
101
                                       db: debug
102
                                                pr: printf
103
                                                          bt: bluetooth
104
                                                                       lt: LLT
105
                                                                              li: LwIP
106
                                                                                      gt: GATE
107
                                                                                              ae: AENEAS
108
109
<umode>:
110
        -----------------
111
                         0: unit-trace OFF
112
                                          1: unit-trace ON
113
114
115
<method>:
116
         --------------------------------
117
                                         "BTM":  byte stuffing trace method
118
                                                                           "DTM":  direct trace method
119
                                                                                                      "EBTM": extended byte stuffing trace method
120
121
122
<PowerSavingCountdown in msecs>: (0-30000)
123
124
125
i.e.:
126
     --------------------------------------------------
127
                                                       at+trace=0
128
                                                                 at+trace=,460800
129
                                                                                 at+trace=,115200,"st=1,pr=1,bt=1,ap=0,db=1,lt=0,li=0"
130
                                                                                                                                      at+trace=,,"lt=1,db=1,ga=0"
131
    at+trace=,,,"EBTM"
132
                      at+trace=,,,,2000
133
134
+TRACE: description END
135
136
OK
137
</pre>
138
139
On the stock OS I most followed xmongold procedure:
140
<pre>
141
To enable the logging mode ("diag mode") on the S2, S3 and Note2:
142
- Go to the Phone application, enter *#9900# and set "Debug Level
143
  Enabled" to "HIGH". The phone will reboot.
144
- Go to the Phone application again, enter *#7284# and set "USB" to
145
  "MODEM" and tap "SAVE and RESET". The phone will reboot again.
146
</pre>
147
But I didn't do the @*#9900@ thing as I didn't see any debug level.
148
149 27 Denis 'GNUtoo' Carikli
I only had the following menu:
150 26 Denis 'GNUtoo' Carikli
<pre>
151
+-------------------------------------------------+
152
|              Run dumpstate/logcat/modem log     |
153
+-------------------------------------------------+
154
|              Delete dumpstate/logcat            |
155
+-------------------------------------------------+
156
|              run dumpstate/local                |
157
+-------------------------------------------------+
158
|              Copy kenrel log to the SD card     |
159
+-------------------------------------------------+
160
|              Run modem log                      |
161
+-------------------------------------------------+
162
|         Copy to sdcard(include CP Ramdump)      |
163
+-------------------------------------------------+
164
| Disable fast dormancy (Current State: Enabled ) |
165
+-------------------------------------------------+
166
|              Ramdump Mode Enable/HIGH           |
167
+-------------------------------------------------+
168 27 Denis 'GNUtoo' Carikli
|                TCP DUMP START                   |
169 26 Denis 'GNUtoo' Carikli
+-------------------------------------------------+
170 27 Denis 'GNUtoo' Carikli
|        Enable SecLog (currently disabled)       |
171
+-------------------------------------------------+
172
|                             Exit                |
173
+-------------------------------------------------+
174 26 Denis 'GNUtoo' Carikli
</pre>
175
176 28 Denis 'GNUtoo' Carikli
When using run modem log it did show the following popup:
177 26 Denis 'GNUtoo' Carikli
<pre>
178
+----------------------------+
179
| /!\ Dump Result            |
180
+----------------------------+
181
| GET MODEM LOG SUCCESS!     |
182
| Please copy to SDcard with |
183
| other Menu button.         |
184
+----------------------------+
185
|            OK              |
186
+----------------------------+
187
</pre>
188
189 30 Denis 'GNUtoo' Carikli
As for the following:
190
<pre>
191
- Go to the Phone application again, enter *#7284# and set "USB" to
192
  "MODEM" and tap "SAVE and RESET". The phone will reboot again.
193
</pre>
194
I didn't have any "SAVE and RESET" and I probably didn't need to reboot (I need to re-check that).
195
196
The setting stay across reboots (I still have @1519:0020 Comneon HSIC Device@) and in the recovery I don't have any USB device (anymore?).
197 26 Denis 'GNUtoo' Carikli
198
199
In the one running Replicant I did @AT+TRACE=1@.
200 24 Denis 'GNUtoo' Carikli
201
h2. Links
202
203 25 Denis 'GNUtoo' Carikli
* https://forum.xda-developers.com/t/info-r-d-i9300-uart-and-nvdata-guide.2928854/ Documentation for some GT-I9300 non-standard AT commands
204
* https://forum.xda-developers.com/t/a-sgs2-serial-how-to-talk-to-the-modem-with-at-commands.1471241/ Documentation for GT-I9100  tracing commandsh