Project

General

Profile

XMMProtocolInterfaces » History » Version 38

Denis 'GNUtoo' Carikli, 01/31/2022 09:27 AM
Add tests with the GT-I9300

1 1 Denis 'GNUtoo' Carikli
h1. XMMProtocolInterfaces
2
3 5 Denis 'GNUtoo' Carikli
{{>toc}}
4
5 10 Denis 'GNUtoo' Carikli
h2. usb_sel
6 3 Denis 'GNUtoo' Carikli
7 21 Denis 'GNUtoo' Carikli
h3. HOWTO enable the modem usb interface
8 3 Denis 'GNUtoo' Carikli
9 21 Denis 'GNUtoo' Carikli
The modem also has an USB port that can be routed to the smartphone/tablet USB port.
10 1 Denis 'GNUtoo' Carikli
11 21 Denis 'GNUtoo' Carikli
To do that you first need to get a root shell in the device as the commands need to be executed as root.
12
13 10 Denis 'GNUtoo' Carikli
Once this is done you need to switch the USB connector to the modem USB. This can be done with the following command:
14 1 Denis 'GNUtoo' Carikli
<pre>
15 10 Denis 'GNUtoo' Carikli
echo MODEM > /sys/devices/virtual/sec/switch/usb_sel
16 1 Denis 'GNUtoo' Carikli
</pre>
17
18 10 Denis 'GNUtoo' Carikli
Then nothing will happen, you will still be able to login through adb.
19 1 Denis 'GNUtoo' Carikli
20 10 Denis 'GNUtoo' Carikli
To make the device switch to the modem USB you then need to unplug and replug the USB cable between your computer and the device.
21
22
At this point, if the modem was booted, you'll see a new USB device appearing.
23
Some serial ports will also appear.
24
25
Tested on Replicant 6.0 0004 RC3
26
27 22 Denis 'GNUtoo' Carikli
| Device   | Distribution           | Modem status | USB ids (lsusb from laptop)   | tty                          |
28 1 Denis 'GNUtoo' Carikli
| GT-I9100 | Replicant 6.0 0004 RC3 | Off          | None                          | N/A                          |
29
| GT-I9100 | Replicant 6.0 0004 RC3 | Booted       | 1519:0020 Comneon HSIC Device | /dev/ttyACM0 -> /dev/ttyACM6 |
30
| GT-I9300 | Replicant 6.0 0004 RC3 | Booted       | 1519:0020 Comneon HSIC Device | /dev/ttyACM0 -> /dev/ttyACM6 |
31 21 Denis 'GNUtoo' Carikli
32
When running lsusb on the SOC on the Replicant 11 kernel on a GT-I9300, we also see @1519:0020 Comneon HSIC Device@ once the modem is booted. Once powered on and before booting, the USB ids seen in lsusb with that kernel are these ones: @058b:0041 Infineon Technologies Flash Loader utility@ instead.
33
34
As the modem isn't visible either when not powered on, we need to look if it's possible to boot the modem from a laptop for instance.
35 10 Denis 'GNUtoo' Carikli
36 11 Denis 'GNUtoo' Carikli
h3. Protocols
37 12 Denis 'GNUtoo' Carikli
38 20 Denis 'GNUtoo' Carikli
|_. Device |_. State      |_. UART       |_. Protocol                                      |
39
| GT-I9100 | modem booted | /dev/ttyACM0 | AT: [[GTI9100ModemTTYACM0]]                     |
40
| GT-I9100 | modem booted | /dev/ttyACM1 | Compatible with xgoldmon                        |
41
| GT-I9300 | modem booted | /dev/ttyACM0 | AT: [[GTI9300ModemTTYACM0]]                     |
42
| GT-I9100 | modem booted | /dev/ttyACM1 | Xgoldmon waits for messages but nothing arrives |
43 37 Denis 'GNUtoo' Carikli
| GT-I9300 | modem booted | /dev/ttyACM3 | AT: [[GTI9300ModemTTYACM0]]                     |
44
45 19 Denis 'GNUtoo' Carikli
h3. Xgoldmon
46 1 Denis 'GNUtoo' Carikli
47 23 Denis 'GNUtoo' Carikli
description: Xgoldmon is a software that can get some cellular protocol traces from some Samsung phones using the samsung-ipc protocol.
48
git: https://github.com/2b-as/xgoldmon.git
49
50 4 Denis 'GNUtoo' Carikli
Xgoldmon seem to display things on the GT-I9100:
51 1 Denis 'GNUtoo' Carikli
<pre>
52
# ./xgoldmon -vvvv -i localhost -t s2 -l /dev/ttyACM1
53
LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666778<<
54
LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4220<<
55 9 Denis 'GNUtoo' Carikli
LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4220, AvgBattVal_mv=4007, battery_level=5<<
56
LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<
57
LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666779<<
58
LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4225<<
59
LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4225, AvgBattVal_mv=4026, battery_level=5<<
60
LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<
61 1 Denis 'GNUtoo' Carikli
LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666778<<
62
LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4220<<
63
LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4220, AvgBattVal_mv=4055, battery_level=5<<
64
LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<
65
</pre>
66
67
And when calling an (inexisting/invalid) number, the frames appear in Wireshark.
68 19 Denis 'GNUtoo' Carikli
69
However on the GT-I9300 it waits for messages that never arrive.
70
And on the GT-I9100 there seem to be very few messages.
71
72 26 Denis 'GNUtoo' Carikli
I did some tests and compared a GT-I9100 with Replicant 6 and one with the stock distribution (rooted) and the one running Replicant outputed very few messages while the one running the stock OS outputed many messages.
73
74 29 Denis 'GNUtoo' Carikli
Both had the same result when running @AT+TRACE?@ on /dev/ttyACM0:
75 26 Denis 'GNUtoo' Carikli
<pre>
76
at+trace?
77
+TRACE: 1,921600,"ap=1;st=1;db=1;pr=1;bt=1,lt=1;li=1;ga=1;ae=1","DTM",0
78
</pre>
79
80
For more background on the values:
81
<pre>
82
AT+TRACE=?
83
+TRACE: description START
84
85
86
at+trace=[<mode>],[<speed>],["<unit>=<umode>[,<unit>=<umode>[;...]]]",["<method>"],[PowerSavingCountdown]
87
88
<mode>:
89
       -------------------------------------------------------------
90
                                                                    0:        sets all units OFF [param <unit> will be ignored !]
91
                                                                                                                                 1:        sets all units ON  [param <unit> will be ignored !]
92
                                 no param: 3rd param. <units> configures trace-units
93
                                                                                              -> trace? will then display 128 as <mode>
94
95
<speed>: (115200,230400,460800,921600,1843200,3000000,3250000,6000000)
96
97
98
<units>:
99
        -------------
100
                     ap: apoxi
101
                              st: stack
102
                                       db: debug
103
                                                pr: printf
104
                                                          bt: bluetooth
105
                                                                       lt: LLT
106
                                                                              li: LwIP
107
                                                                                      gt: GATE
108
                                                                                              ae: AENEAS
109
110
<umode>:
111
        -----------------
112
                         0: unit-trace OFF
113
                                          1: unit-trace ON
114
115
116
<method>:
117
         --------------------------------
118
                                         "BTM":  byte stuffing trace method
119
                                                                           "DTM":  direct trace method
120
                                                                                                      "EBTM": extended byte stuffing trace method
121
122
123
<PowerSavingCountdown in msecs>: (0-30000)
124
125
126
i.e.:
127
     --------------------------------------------------
128
                                                       at+trace=0
129
                                                                 at+trace=,460800
130
                                                                                 at+trace=,115200,"st=1,pr=1,bt=1,ap=0,db=1,lt=0,li=0"
131
                                                                                                                                      at+trace=,,"lt=1,db=1,ga=0"
132
    at+trace=,,,"EBTM"
133
                      at+trace=,,,,2000
134
135
+TRACE: description END
136
137
OK
138
</pre>
139
140
On the stock OS I most followed xmongold procedure:
141
<pre>
142
To enable the logging mode ("diag mode") on the S2, S3 and Note2:
143
- Go to the Phone application, enter *#9900# and set "Debug Level
144
  Enabled" to "HIGH". The phone will reboot.
145
- Go to the Phone application again, enter *#7284# and set "USB" to
146
  "MODEM" and tap "SAVE and RESET". The phone will reboot again.
147
</pre>
148
But I didn't do the @*#9900@ thing as I didn't see any debug level.
149
150 27 Denis 'GNUtoo' Carikli
I only had the following menu:
151 26 Denis 'GNUtoo' Carikli
<pre>
152
+-------------------------------------------------+
153
|              Run dumpstate/logcat/modem log     |
154
+-------------------------------------------------+
155
|              Delete dumpstate/logcat            |
156
+-------------------------------------------------+
157
|              run dumpstate/local                |
158
+-------------------------------------------------+
159
|              Copy kenrel log to the SD card     |
160
+-------------------------------------------------+
161
|              Run modem log                      |
162
+-------------------------------------------------+
163
|         Copy to sdcard(include CP Ramdump)      |
164
+-------------------------------------------------+
165
| Disable fast dormancy (Current State: Enabled ) |
166
+-------------------------------------------------+
167
|              Ramdump Mode Enable/HIGH           |
168
+-------------------------------------------------+
169 27 Denis 'GNUtoo' Carikli
|                TCP DUMP START                   |
170 26 Denis 'GNUtoo' Carikli
+-------------------------------------------------+
171 27 Denis 'GNUtoo' Carikli
|        Enable SecLog (currently disabled)       |
172
+-------------------------------------------------+
173
|                             Exit                |
174
+-------------------------------------------------+
175 26 Denis 'GNUtoo' Carikli
</pre>
176
177 28 Denis 'GNUtoo' Carikli
When using run modem log it did show the following popup:
178 26 Denis 'GNUtoo' Carikli
<pre>
179
+----------------------------+
180
| /!\ Dump Result            |
181
+----------------------------+
182
| GET MODEM LOG SUCCESS!     |
183
| Please copy to SDcard with |
184
| other Menu button.         |
185
+----------------------------+
186
|            OK              |
187
+----------------------------+
188
</pre>
189
190 30 Denis 'GNUtoo' Carikli
As for the following:
191
<pre>
192
- Go to the Phone application again, enter *#7284# and set "USB" to
193
  "MODEM" and tap "SAVE and RESET". The phone will reboot again.
194
</pre>
195 31 Denis 'GNUtoo' Carikli
I didn't have any "SAVE and RESET" and I probably didn't need to reboot but I probably needed to disconnect and reconnect the USB cable.
196 30 Denis 'GNUtoo' Carikli
197
The setting stay across reboots (I still have @1519:0020 Comneon HSIC Device@) and in the recovery I don't have any USB device (anymore?).
198 26 Denis 'GNUtoo' Carikli
199
200 1 Denis 'GNUtoo' Carikli
In the one running Replicant I did @AT+TRACE=1@.
201 38 Denis 'GNUtoo' Carikli
202
203
On the GT-I9300, following this part:
204
<pre>
205
- Go to the Phone application again, enter *#7284# and set "USB" to
206
  "MODEM" and tap "SAVE and RESET". The phone will reboot again.
207
</pre>
208
results in the "PARAM partition being written to":https://redmine.replicant.us/projects/replicant/wiki/GTI9300PARAM#USB-switch . At the next boot the bootloader will configure the USB switch to connect to the modem USB. And if you install Replicant just after that, you end up with no adb in the recovery or in Replicant, though USB host works fine and heimdall also works fine.
209
210
I've also "written a tool":https://git.replicant.us/contrib/GNUtoo/tools/at-mappers/ to diff the modem settings through AT commands, and it didn't find any difference beside with the @AT+TRACE@ settings.
211
212
The goal was to find some differences after doing that:
213
<pre>
214
- Go to the Phone application, enter *#9900# and set "Debug Level
215
  Enabled" to "HIGH". The phone will reboot.
216
</pre>
217
218
Here I captured the settings with @LOW@ and @HIGH@, and the only interesting difference is with AT+TRACE:
219
<pre>
220
$ diff -u GT-I9300-main-stock-low-1.conf GT-I9300-main-stock-high-3.conf
221
222
[...]
223
-at+trace = ['+TRACE: 0,921600,"ap=0;st=0;db=0;pr=0;bt=0;lt=0;li=0;ga=0;ae=0","DTM",0']
224
+at+trace = ['+TRACE: 1,921600,"ap=1;st=1;db=1;pr=1;bt=1,lt=1;li=1;ga=1;ae=1","DTM",0']
225
[...]
226
</pre>
227
228
Note that if we have @+TRACE: 0,921600,"ap=0;st=0;db=0;pr=0;bt=0;lt=0;li=0;ga=0;ae=0","DTM",0@, we can simply do AT+TRACE=1 to make it like it should (@+TRACE: 1,921600,"ap=1;st=1;db=1;pr=1;bt=1,lt=1;li=1;ga=1;ae=1","DTM",0@).
229 24 Denis 'GNUtoo' Carikli
230 32 Denis 'GNUtoo' Carikli
h2. Upstream kernel
231
232 36 Denis 'GNUtoo' Carikli
The upstream driver for the Galaxy SIII (GT-I9300) is in "drivers/extcon/extcon-max77693.c":https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/extcon/extcon-max77693.c
233 32 Denis 'GNUtoo' Carikli
234
Once loaded we have:
235
<pre>
236
[root@u-boot-i9300 ~]# uname -r
237
5.10.0-rc2+
238
239
[root@u-boot-i9300 ~]# cd /sys/class/extcon/extcon0
240
[root@u-boot-i9300 extcon0]# ls */
241
cable.0/:
242
name  state
243
244
cable.1/:
245
name  state
246
247
cable.2/:
248
name  state
249
250
cable.3/:
251
name  state
252
253
cable.4/:
254
name  state
255
256
cable.5/:
257
name  state
258
259
cable.6/:
260
name  state
261
262
cable.7/:
263
name  state
264
265
cable.8/:
266
name  state
267
268
cable.9/:
269
name  state
270
271
device/:
272
driver  driver_override  extcon  input  modalias  power  subsystem  uevent
273
274
power/:
275
async  autosuspend_delay_ms  control  runtime_active_kids  runtime_active_time  runtime_enabled  runtime_status  runtime_suspended_time  runtime_usage
276
277
subsystem/:
278
extcon0
279
[root@u-boot-i9300 extcon0]# grep . */name
280
cable.0/name:USB
281
cable.1/name:USB-HOST
282
cable.2/name:SDP
283
cable.3/name:DCP
284
cable.4/name:FAST-CHARGER
285
cable.5/name:SLOW-CHARGER
286
cable.6/name:CDP
287
cable.7/name:MHL
288
cable.8/name:JIG
289
cable.9/name:DOCK
290 33 Denis 'GNUtoo' Carikli
[root@u-boot-i9300 extcon0]# grep .  */state
291
cable.0/state:1
292
cable.1/state:0
293
cable.2/state:1
294
cable.3/state:0
295
cable.4/state:0
296
cable.5/state:0
297
cable.6/state:0
298
cable.7/state:0
299
cable.8/state:0
300
cable.9/state:0
301 32 Denis 'GNUtoo' Carikli
</pre>
302
303
I'm unsure if switching from userspace is implemented or not. 
304
305 35 Denis 'GNUtoo' Carikli
Though some part looks unimplemented. 
306
307
In "gpio-rev00-m0.h in the smdk4412 kernel":https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/include/mach/gpio-rev00-m0.h#n169 we have:
308 32 Denis 'GNUtoo' Carikli
<pre>
309
#define GPIO_USB_SEL            EXYNOS4212_GPJ0(1)
310
</pre>
311 1 Denis 'GNUtoo' Carikli
312 35 Denis 'GNUtoo' Carikli
And the "max77693-muic.c driver":https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/drivers/misc/max77693-muic.c seems to use that to do the switch between the modem USB and the SOC USB.
313 32 Denis 'GNUtoo' Carikli
And that seems to be used to switch to the modem USB.
314
315 24 Denis 'GNUtoo' Carikli
h2. Links
316
317 25 Denis 'GNUtoo' Carikli
* https://forum.xda-developers.com/t/info-r-d-i9300-uart-and-nvdata-guide.2928854/ Documentation for some GT-I9300 non-standard AT commands
318
* https://forum.xda-developers.com/t/a-sgs2-serial-how-to-talk-to-the-modem-with-at-commands.1471241/ Documentation for GT-I9100  tracing commandsh