XMMUpstreaming¶

• Table of contents
• XMMUpstreaming
  • Analysis of Replicant 9 Linux 5.2 modem branch
  • Analysis of the architecture of the drivers made by Simon Shields
    • Firmware loading and GPIO driver
      • Issue that lead to this design.
    • Main drivers
      • Write to /dev/umts_ipc

Analysis of Replicant 9 Linux 5.2 modem branch¶

These were cleaned up and ported from forkbomb's code:

b4c2df98ed6f misc: xmm6262: Add Samsung IPC USB modem firmware download module
77b55273bd6e net: usb: add Samsung IPC-over-HSIC driver
f9ae2d1697fa net: add Samsung IPC interface driver
7806adad4507 HACK: usb: host: ehci-exynos: add ehci_power sysfs node
82c317b0da5e HACK: add modem power on/off driver
28e5b460f920 HACK: usb: ehci_exynos: enable OHCI_SUSP_LEGACY
e7c122b770c1 ARM: dts: EXYNOS: add 3G modem nodes to midas boards
c3201527f7ea ARM: dts: split Exynos 4412 N710x boards up
5b55f03cda8c ARM: dts: EXYNOS: add Samsung IPC modem support
eca381876d5e ARM: dts: EXYNOS: enable HSIC0 on midas boards
7ec9129e3221 replicant_*_defconfig: extend cmdline to get IMSI and other information
54c196380507 replicant_*_defconfig: Add modem support
[...]
0ecfebd2b524 Linux 5.2

If we look at the drivers only (not the dts or config changes, or hacks in pre-existing code, we are left with):

b4c2df98ed6f misc: xmm6262: Add Samsung IPC USB modem firmware download module
77b55273bd6e net: usb: add Samsung IPC-over-HSIC driver
f9ae2d1697fa net: add Samsung IPC interface driver
82c317b0da5e HACK: add modem power on/off driver

We'd also need to find a way to fix these:

7806adad4507 HACK: usb: host: ehci-exynos: add ehci_power sysfs node
28e5b460f920 HACK: usb: ehci_exynos: enable OHCI_SUSP_LEGACY

• The GPIO handling like drivers/hsi/clients/nokia-modem.c (some GPIOs probably cannot be handled in userspace like gpio_pda_active (see XMMBoot for more details) (82c317b0da5e HACK: add modem power on/off driver)
• The firmware loading code (b4c2df98ed6f misc: xmm6262: Add Samsung IPC USB modem firmware download module)
• Probably some of the hacks here. For instance GPIO input IRQ -> hsic bus reset

So we have: Userspace <-> SIPC protocol <-> SIPC transport <-> HSIC

• The SIPC protocol is huge and has different userspace interfaces. Maybe it could be split It looks fine as-is.
• The SIPC transport driver uses an USB id table (the modem ID once booted). => Should we keep the IDs in it or move them in the modem driver instead? It's fine there.

Also look at the motorolla cpcap driver for the droid4. The architecture is different though: While it uses USB, it's tied to Qualcomm modem drivers (CDC) which probably doesn't have a specific protocol beside the multiplexing of the UART lines and network interfaces, though CDC could be seen as a specific protocol

Analysis of the architecture of the drivers made by Simon Shields¶

• With the Replicant 11 kernel under Parabola and with Simon Shields patches for libsamsung-ipc being reworked/rebased
• With a Galaxy S as part of some other project (PostmarketOS ?) (TODO: Add mailing list link and reference)

Firmware loading and GPIO driver¶

Issue that lead to this design.¶

Linux has an API to ask userspace for a firmware, retrieve that firmware and so it can send it to the device afterward.

The issue is that this API typically expect files to be in /lib/firmware while here the data is on a dedicated partition like RADIO.

So we could for instance do something like that:

# echo 1 > /sys/class/firmware/<somename>/loading
# cat /dev/block/by-partlabel/RADIO > /sys/class/firmware/<somename>/data
# echo 0 > /sys/class/firmware/<somename>/loading

But the issue is that on GNU/Linux udev and/or systemd handles that and in Android there is also a dedicated daemon for firmware loading, and both probably expect file names that are provided by the kernel to know which file to cat in /sys/class/firmware/<somename>/data.

So while we could load the firmware, I don't know how the Android firmware loading code would be able to detect that it needs to cat a partition and not a file in /lib/firmware.

Maybe we could have a symlink to the partition in /lib/firmware?

Having that work on GNU/Linux is also extremely useful for testing so there we would have issues too to make it work fine.

Main drivers¶

Write to /dev/umts_ipc¶

+----------------+        +---------------+                                                                                                                                          +--------------+
| libsamsung-ipc | -----> | /dev/umts_ipc | -----> drivers/net/sipc/miscdev.c: .write -> sipc_misc_write( [...] ) {  [...] // enqueue data to tx_queue_raw + add padding [....] } -> | tx_queue_raw |
+----------------+        +---------------+                                                                                                                                          +--------------+

+--------------+
| tx_queue_raw | -----> | dequeue in drivers/net/sipc/core.c in sipc_tx_work ( [...] ) { [...] sipc_do_tx( [...] ); [...] } -----> sipc_do_tx( [...] ep->transmit() [...] );
+--------------+

+-------------+
| .transmit() | -----> sipc_link_transmit( [...], struct sk_buff *skb ) {  [...] // configure the USB as sndbulkpipe for sending a bulk pipe and sends the skb }
+-------------+   ^
                  |
                  |+--Setup in sipc_probe()

In wireshark we need to find out what fields of the urb struct usb_sndbulkpipe() populates, and find the payload in Wireshark.

Then we should see a 1 byte HDLC header and footer and the payload inside which should normally correspond exactly to what libsamsung-ipc sent (though the bytes may be encoded as big endian or little endian by the USB core).