Replicant

h1. XMMProtocolInterfaces

{{>toc}}

h2. usb_sel

h3. HOWTO enable the modem usb interface

The modem also has an USB port that can be routed to the smartphone/tablet USB port.

To do that you first need to get a root shell in the device as the commands need to be executed as root.

Once this is done you need to switch the USB connector to the modem USB. This can be done with the following command:

<pre>

echo MODEM > /sys/devices/virtual/sec/switch/usb_sel

</pre>

Then nothing will happen, you will still be able to login through adb.

To make the device switch to the modem USB you then need to unplug and replug the USB cable between your computer and the device.

At this point, if the modem was booted, you'll see a new USB device appearing.

Some serial ports will also appear.

Tested on Replicant 6.0 0004 RC3

| Device   | Distribution           | Modem status | USB ids (lsusb from laptop)   | tty                          |

| GT-I9100 | Replicant 6.0 0004 RC3 | Off          | None                          | N/A                          |

| GT-I9100 | Replicant 6.0 0004 RC3 | Booted       | 1519:0020 Comneon HSIC Device | /dev/ttyACM0 -> /dev/ttyACM6 |

| GT-I9300 | Replicant 6.0 0004 RC3 | Booted       | 1519:0020 Comneon HSIC Device | /dev/ttyACM0 -> /dev/ttyACM6 |

When running lsusb on the SOC on the Replicant 11 kernel on a GT-I9300, we also see @1519:0020 Comneon HSIC Device@ once the modem is booted. Once powered on and before booting, the USB ids seen in lsusb with that kernel are these ones: @058b:0041 Infineon Technologies Flash Loader utility@ instead.

As the modem isn't visible either when not powered on, we need to look if it's possible to boot the modem from a laptop for instance.

h3. Protocols

|_. Device |_. State      |_. UART       |_. Protocol                                      |

| GT-I9100 | modem booted | /dev/ttyACM0 | AT: [[GTI9100ModemTTYACM0]]                     |

| GT-I9100 | modem booted | /dev/ttyACM1 | Compatible with xgoldmon                        |

| GT-I9300 | modem booted | /dev/ttyACM0 | AT: [[GTI9300ModemTTYACM0]]                     |

| GT-I9100 | modem booted | /dev/ttyACM1 | Xgoldmon waits for messages but nothing arrives |

h3. Xgoldmon

description: Xgoldmon is a software that can get some cellular protocol traces from some Samsung phones using the samsung-ipc protocol.

git: https://github.com/2b-as/xgoldmon.git

Xgoldmon seem to display things on the GT-I9100:

<pre>

# ./xgoldmon -vvvv -i localhost -t s2 -l /dev/ttyACM1

LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666778<<

LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4220<<

LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4220, AvgBattVal_mv=4007, battery_level=5<<

LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<

LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666779<<

LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4225<<

LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4225, AvgBattVal_mv=4026, battery_level=5<<

LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<

LOG:>>[HIGH]oembatt.c,310,[DISP] Thermistor : measured_value=1630666778<<

LOG:>>[HIGH]oembatt.c,137,[DISP] oem_set_batt_level : 4220<<

LOG:>>[HIGH]oembatt.c,236,[DISP] BATT : measured_value_mv=4220, AvgBattVal_mv=4055, battery_level=5<<

LOG:>>[LOW]oemdisplay.c,363,no change -> rssi:4, bat:5<<

</pre>

And when calling an (inexisting/invalid) number, the frames appear in Wireshark.

However on the GT-I9300 it waits for messages that never arrive.

And on the GT-I9100 there seem to be very few messages.

I did some tests and compared a GT-I9100 with Replicant 6 and one with the stock distribution (rooted) and the one running Replicant outputed very few messages while the one running the stock OS outputed many messages.

Both had the same result when running AT+TRACE?:

<pre>

at+trace?

+TRACE: 1,921600,"ap=1;st=1;db=1;pr=1;bt=1,lt=1;li=1;ga=1;ae=1","DTM",0

</pre>

For more background on the values:

<pre>

AT+TRACE=?

+TRACE: description START

at+trace=[<mode>],[<speed>],["<unit>=<umode>[,<unit>=<umode>[;...]]]",["<method>"],[PowerSavingCountdown]

<mode>:

       -------------------------------------------------------------

                                                                    0:        sets all units OFF [param <unit> will be ignored !]

                                                                                                                                 1:        sets all units ON  [param <unit> will be ignored !]

                                 no param: 3rd param. <units> configures trace-units

                                                                                              -> trace? will then display 128 as <mode>

<speed>: (115200,230400,460800,921600,1843200,3000000,3250000,6000000)

<units>:

        -------------

                     ap: apoxi

                              st: stack

                                       db: debug

                                                pr: printf

                                                          bt: bluetooth

                                                                       lt: LLT

                                                                              li: LwIP

                                                                                      gt: GATE

                                                                                              ae: AENEAS

<umode>:

        -----------------

                         0: unit-trace OFF

                                          1: unit-trace ON

<method>:

         --------------------------------

                                         "BTM":  byte stuffing trace method

                                                                           "DTM":  direct trace method

                                                                                                      "EBTM": extended byte stuffing trace method

<PowerSavingCountdown in msecs>: (0-30000)

i.e.:

     --------------------------------------------------

                                                       at+trace=0

                                                                 at+trace=,460800

                                                                                 at+trace=,115200,"st=1,pr=1,bt=1,ap=0,db=1,lt=0,li=0"

                                                                                                                                      at+trace=,,"lt=1,db=1,ga=0"

    at+trace=,,,"EBTM"

                      at+trace=,,,,2000

+TRACE: description END

OK

</pre>

On the stock OS I most followed xmongold procedure:

<pre>

To enable the logging mode ("diag mode") on the S2, S3 and Note2:

- Go to the Phone application, enter *#9900# and set "Debug Level

  Enabled" to "HIGH". The phone will reboot.

- Go to the Phone application again, enter *#7284# and set "USB" to

  "MODEM" and tap "SAVE and RESET". The phone will reboot again.

</pre>

But I didn't do the @*#9900@ thing as I didn't see any debug level.

I only had the following menu:

<pre>

+-------------------------------------------------+

|              Run dumpstate/logcat/modem log     |

+-------------------------------------------------+

|              Delete dumpstate/logcat            |

+-------------------------------------------------+

|              run dumpstate/local                |

+-------------------------------------------------+

|              Copy kenrel log to the SD card     |

+-------------------------------------------------+

|              Run modem log                      |

+-------------------------------------------------+

|         Copy to sdcard(include CP Ramdump)      |

+-------------------------------------------------+

| Disable fast dormancy (Current State: Enabled ) |

+-------------------------------------------------+

|              Ramdump Mode Enable/HIGH           |

+-------------------------------------------------+

|                TCP DUMP START                   |

+-------------------------------------------------+

|        Enable SecLog (currently disabled)       |

+-------------------------------------------------+

|                             Exit                |

+-------------------------------------------------+

</pre>

When using run modem log it did show the following popup:

<pre>

+----------------------------+

| /!\ Dump Result            |

+----------------------------+

| GET MODEM LOG SUCCESS!     |

| Please copy to SDcard with |

| other Menu button.         |

+----------------------------+

|            OK              |

+----------------------------+

</pre>

In the one running Replicant I did @AT+TRACE=1@.

h2. Links

* https://forum.xda-developers.com/t/info-r-d-i9300-uart-and-nvdata-guide.2928854/ Documentation for some GT-I9300 non-standard AT commands

* https://forum.xda-developers.com/t/a-sgs2-serial-how-to-talk-to-the-modem-with-at-commands.1471241/ Documentation for GT-I9100  tracing commandsh