XMMBoot¶

Table of contents
XMMBoot

Introduction¶

For both libsamsung-ipc and the Linux driver it's interesting to understand better the boot of the modem in order to come with good names for the abstraction.

Abstraction¶

hci_power -> link_power

TODO:

Find the difference between power_on and boot_power_on
- Look at the GPIOs and understand what they do
- Just read the code that use the GPIOs
- Diff both procedures
Look which device has which XMM626X
Add XMM6210 devices too

GPIOs¶

Devices GPIOs assignement and drivers¶

Hardware				Linux		libsamsung-ipc
Variant	SOC	Modem	Link	GPIO usage	GPIO assignement	device driver name
Galaxy Tab: GT-P1000	Exynos 3310		RAM			aries
Galaxy S: GT-I9000	Exynos 3110	XMM6160	RAM			aries
Nexus S: GT-I9020 GT-I9020A GT-I9023	Exynos 3110		RAM			crespo
Galaxy SII: GT-I9100	Exynos 4210	XMM6260	HSIC	CONFIG_UMTS_MODEM_XMM6260=y		galaxys2
Galaxy Note: GT-N7000	Exynos 4210	XMM6260	HSIC	CONFIG_UMTS_MODEM_XMM6260=y		galaxys2
Galaxy Nexus: GT-I9250	OMAP 4460	XMM6260	MIPI	CONFIG_UMTS_MODEM_XMM6260=y Makefile modem_modemctl_device_xmm6260.c		maguro
Galaxy SIII: GT-I9300	Exynos 4412	XMM6262	HSIC	CONFIG_UMTS_MODEM_XMM6262=y Makefile modem_modemctl_device_xmm6262.c	CONFIG_SEC_MODEM_M0=y Makefile board-m0-modems.c CONFIG_MACH_M0=y gpio-midas.h gpio-rev00-m0.h	i9300
Galaxy Note 8.0 GSM: GT-N5100	Exynos 4412	XMM6262	HSIC	CONFIG_UMTS_MODEM_XMM6262=y		n5100
Galaxy Note II: GT-N7100	Exynos 4412	XMM6262	HSIC	CONFIG_UMTS_MODEM_XMM6262=y		n7100
Galaxy Tab 2: GT-P3100 GT-P5100	OMAP 4430	XMM6262	MIPI	CONFIG_UMTS_MODEM_XMM6262=y		piranah

GPIOs usage¶

TODO: make sure to mention what applies to what device

Start with I9300. Assume I9300 if device is not mentioned. Mention device when not I9300
Add more devices and mention them

Note that we don't limit ourselves to the drivers that are in use on the devices supported by Replicant.
As Samsung wrote drivers for the modem interfaces, and that the interface is similar across many different modems, other unused drivers and their comments also gives many hints about what the GPIOs are supposed to be used for.

gpio platform data name	present	comments
gpio_cp_on		powers on the modem? in which state (PMIC?, CPU?) * On GT-I9100 it's connected to the ON1 modem pin and ON2 is not connected.
gpio_cp_reset		Resets the modem CPU? PMIC?: * ''check the reset timming with C2C connection'' : Here C2C probably means chip to chip Can also read the modem CPU? and/or PMIC? reset state? * Reads from the GPIO and ''CP not ready, Active State low'' comment
gpio_reset_req_n
gpio_pda_active		Tell the modem if the SOC CPUs are sleeping/active or not? * PDA == Application processor * ''PDA_ACTIVE, let cp know AP sleep'' comment in status gc1-gpio.c * PDA_ACTIVE set to 0 right after cpu_pm_enter() * PDA_ACTIVE set to 1 right before cpu_pm_exit() * GPIO direction is output on AP side and input on BP side, which is also confirmed by the pinout table in XDA Also indicates when the CPU is ready to process modem stuff: * set to 1 at the end of xmm6262_on in modem_modemctl_device_xmm6262.c * The CPU can't process stuff if the HSIC link is in low power mode, as shown in set_hsic_lpa_states in board-m0-modems.c so it sets gpio_pda_active to 0 in these cases.
gpio_phone_active		Seem the modem counterpart of gpio_pda_active: * See umts_link_reconnect in board-m0-modems.c * See also mc_work in the unused modemctl.c driver where that GPIO is used both to signal when the modem finished booting everything and is ready, and when the modem crashes or is reset * phone_active_irq_handler in modem_modemctl_device_xmm6262.c seem to be doing exactly the same thing.
gpio_cp_dump_int
gpio_flm_uart_sel	Only used for the Galaxy Nexus in libsamsung-ipc	Modem download mode ? * FLM could be Firmware Load mode ? * On several devices, that GPIO seem to be used to switch between different UART, and the PMIC seem involved too in some devices. Not sure how it switches
gpio_cp_warm_reset
gpio_revers_bias_clear
gpio_revers_bias_restore
gpio_sim_detect		Detect SIM card presence ?
gpio_link_enable
gpio_link_active		set to 0 when the (HSIC) link is in low power and to 1 when it's back, like in set_hsic_lpa_states in board-m0-modems.c
gpio_link_hostwake
gpio_link_slavewake

Libsamsung-ipc¶

ioctl / function	Devices
	GT-I9250 (maguro)	GT-I9100	GT-I9300	GT-N5100	GT-N7100	GT-P3100 / GT-P5100 (piranah)
open, close, read, write fmt/rfs gprs power	Yes
boot_power status_online_wait	Yes	No
hci_power link_control_active link_control_wait link_get_hostwake_wait	No	Yes				No
link_control_enable		Yes (ignored by Linux⁴[5][6])	Yes (ignored by Linux¹[2][3])	Yes	Yes

TODO:

Don't use abbreviated function names

¹ https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/board-m0-modems.c#n221

² https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/board-m0-modems.c#n218

³ https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/board-m0-modems.c#n136

⁴ https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/board-u1-modems.c#n153

⁵ https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/board-u1-modems.c#n151

⁶ https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/board-u1-modems.c#n139

libsamsung-ipc <-> kernel functions <-> gpios¶

libsamsung-ipc	Kernel
Function using the ioctl	ioctl name	pointer signature	GPIO used	comment
xmm626_kernel_smdk4412_power	IOCTL_MODEM_ON IOCTL_MODEM_OFF	int (modem_on)(struct modem_ctl); int (modem_off)(struct modem_ctl);	gpio_cp_on gpio_cp_reset gpio_reset_req_n gpio_pda_active
			gpio_phone_active
			gpio_cp_dump_int
xmm626_kernel_smdk4412_boot_power	IOCTL_MODEM_BOOT_ON IOCTL_MODEM_BOOT_OFF	int (modem_boot_on)(struct modem_ctl); int (modem_boot_off)(struct modem_ctl);	gpio_flm_uart_sel
			gpio_cp_warm_reset
			gpio_revers_bias_clear
			gpio_revers_bias_restore
			gpio_sim_detect
xmm626_kernel_smdk4412_status_online_wait	IOCTL_MODEM_STATUS	int phone_state;	gpio_cp_on gpio_cp_reset gpio_pda_active gpio_reset_req_n gpio_phone_active	int phone_state get assigned the status computed from the various GPIO states xmm626_kernel_smdk4412_status_online_wait only waits for the online status
xmm626_kernel_smdk4412_link_control_enable	IOCTL_LINK_CONTROL_ENABLE	int (*link_ldo_enable)(bool);	gpio_link_enable	on i9300: * link_ldo_enable only returns 0 and has a comment ("Exynos HSIC V1.2 LDO was controlled by kernel") * gpio_link_enable is set to 0 (so it's ignored)

Glossary¶

Terms for the modem CPU:

BP: Baseband processor
CP: Cellular? processor

Term for the CPU of the system on a chip running Replicant:

AP: Application processor

TODO: move in its own page and point to it

LPA: Low power mode active (Related to ULPI specs only?)

ULPI: Probably a USB PHY spec

SIM card presence detection¶

Do we really want to check the SIM card presence?

Would it be possible not to for privacy reasons?

Example:

Boot a modem with a SIM
Take away the SIM card
Go to a protest with only the SIM card and a phone with no data on it to be able to call if necessary.

TODO¶

check gpio_flm_uart_sel in smdk4412 kernel too

Potential privacy and security issues¶

gpio_pda_active¶

From cpuidle-exynos4.c we have things like that:

    cpu_pm_enter();

#if defined(CONFIG_INTERNAL_MODEM_IF) || defined(CONFIG_SAMSUNG_PHONE_TTY)
    gpio_set_value(GPIO_PDA_ACTIVE, 0);
#endif

    if (log_en)
        pr_debug("+++lpa\n")

and:

    if (log_en)
        pr_debug("---lpa\n");
#if defined(CONFIG_INTERNAL_MODEM_IF) || defined(CONFIG_SAMSUNG_PHONE_TTY)
    gpio_set_value(GPIO_PDA_ACTIVE, 1);
#endif

    cpu_pm_exit();

Does it means that we are telling the modem about each time we go in suspend to RAM?

Devices affected or not affected:

Device	Config
GT-I9300	# CONFIG_INTERNAL_MODEM_IF is not set # CONFIG_SAMSUNG_PHONE_TTY is not set

gpio_phone_active¶

From ehci-s5p.c we have things like that:

#if defined(CONFIG_UMTS_MODEM_XMM6262)
    if (pdata->get_cp_active_state && !pdata->get_cp_active_state()) {
        s5p_ehci_port_control(pdev, CP_PORT, 0);
        pr_err("mif: force port%d off by cp reset\n", CP_PORT);
    }
#endif

Does it allows the modem to trigger a re-enumeration of the HSIC bus?

Devices affected or not affected:

Device	Config
GT-I9300	CONFIG_UMTS_MODEM_XMM6262=y .gpio_phone_active = GPIO_PHONE_ACTIVE

Modem partitions¶

Name	Content	aries	crespo	GT-I9100	GT-I9300	GT-P5100	GT-N5100
?	Partition table	None			[ 0x0 -> 0xfff ]	TODO	TODO
PSIRAM	First stage bootloader	[ 0x0-> 0x4fff ]		[ 0x0 -> 0xefff ]	[ 0x1000 -> 0xefff ]
EBL	Second stage bootloader ?			[ 0xF000 -> 0x27fff ]
MAIN	?			[ 0x28000 -> 0x9fffff ]	[ 0x28000 -> 0x9ff7ff ]
SECPACK	?			[ 0x9ff800 -> 0x9fffff ]
NV	nvdata default values	[ 0xD80000 -> ? ]	[0xD80000 -> ? ]	[ 0xa00000 -> 0xbfffff ]

TODO: find the place in libsamsung-ipc source mentioning that

References for the table:

https://git.replicant.us/replicant/external_libsamsung-ipc/tree/samsung-ipc/devices/i9300/i9300.h?id=9ff9785a7f48e32f107ca7fb2e298b1320ad4cbc
https://git.replicant.us/replicant/external_libsamsung-ipc/tree/samsung-ipc/devices/n7100/n7100.h?id=9ff9785a7f48e32f107ca7fb2e298b1320ad4cbc
Verified on GT-I9300 and GT-N7100 modem partition table

GT-I9300, GT-N7100, GT-P3100 modem partition table dump¶

TODO:

Send patch for the modem-partition-tool#n33
Make sure that we know the device from the command line
Understand the field depths along the way when supporting more devices
Document all other devices that don't have this partition table
Find the name of this partition table

$ hexdump -C RADIO.img
00000000  50 53 49 52 41 4d 00 00  00 00 00 00 00 10 00 00  |PSIRAM..........|
00000010  00 00 00 00 00 e0 00 00  00 00 00 00 00 00 00 00  |................|
00000020  45 42 4c 00 00 00 00 00  00 00 00 00 00 f0 00 00  |EBL.............|
00000030  00 00 00 60 00 90 01 00  00 00 00 00 00 00 00 00  |...`............|
00000040  4d 41 49 4e 00 00 00 00  00 00 00 00 00 80 02 00  |MAIN............|
00000050  00 00 30 60 00 78 9d 00  00 00 00 00 00 00 00 00  |..0`.x..........|
00000060  53 45 43 50 41 43 4b 00  00 00 00 00 00 f8 9f 00  |SECPACK.........|
00000070  00 00 00 00 00 08 00 00  00 00 00 00 00 00 00 00  |................|
00000080  4e 56 00 00 00 00 00 00  00 00 00 00 00 00 a0 00  |NV..............|
00000090  00 00 e8 60 00 00 20 00  00 00 00 00 00 00 00 00  |...`.. .........|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
[...]

Devices with a different partition table¶

The devices with a Qualcomm modem like the GT-I9305 and the GT-N7105 have individual files inside the vfat modem partition. See the Samsung_Midas_4G on the quectel-modems osmocom project for more details.

Unknown¶

We would need to get a device and dump the modem firmware to check, but given the offset of the PSIRAM, it probably contains the same header:

Galaxy Note 8.0
GT-P5100 is untested but but it's probably similar to the GT-P3100

Links¶

modem_modemctl_device_xmm6262.c
https://forum.xda-developers.com/galaxy-s2/help/how-to-talk-to-modem-commands-t1471241/page4
http://www.arteris.com/blog/bid/59433/Interchip-Connectivity-HSIC-UniPro-HSI-C2C-LLI-oh-my
- TODO: move this link somewhere where it's more useful