Research Pre GSM Modem

Modem Ports
There are several ports for communicating with the modem on the Palm Pre:
 * /dev/modemuart: Modem UART (UART Port)
 * /dev/tts/modem0 (Symlink for ttyACM0): USB Serial to Modem for AT commands (Data Port)
 * /dev/tts/modemdiag (Symlink for ttyACM1): USB Serial to Modem for Diagnostics (DIAG Port)

sysfs Entries

 * Power Control: /sys/user_hw/pins/modem/power_on/level

Palm Programs for communicating with the modem
In /usr/bin there are some interesting programs:
 * PmLinuxModemCmd: You can do some operations on the modem from command line
 * PmModemInfo: Shows you the IMEI and the version of the modem firmware
 * PmModemPower: A simple shell script to turn on/reset the modem
 * PmModemUpdater: Flash the modem with a new firmware

The binary sequences are:

00014a1c : 14a1c:	31455441 	.word	0x31455441 ...  159c0:	0a0d      	.short	0x0a0d

000159c2 : 159c2:	0f88     	.short	0x0f88 159c4:	00010000 	.word	0x00010000 159c8:	7eb3d400 	.word	0x7eb3d400

000159cc : 159cc:	7e3b1c1d 	.word	0x7e3b1c1d

000159d0 : 159d0:	1b0000fa 	.word	0x1b0000fa 159d4:	00000009 	.word	0x00000009 159d8:	00000000 	.word	0x00000000 159dc:	7e         	.byte	0x7e

000159dd : 159dd:	fa         	.byte	0xfa 159de:	0000     	.short	0x0000 159e0:	0000011b 	.word	0x0000011b 159e4:	00000000 	.word	0x00000000 159e8:	b74c     	.short	0xb74c 159ea:	7e         	.byte	0x7e

000159eb : 159eb:	1b         	.byte	0x1b 159ec:	00000001 	.word	0x00000001 159f0:	0000     	.short	0x0000 ...

000159f3 : 159f3:	1c         	.byte	0x1c 159f4:	00000002 	.word	0x00000002 159f8:	0000     	.short	0x0000 ...

000159fb : 159fb:	fa         	.byte	0xfa 159fc:	14080000 	.word	0x14080000 15a00:	f904d200 	.word	0xf904d200 15a04:	7e27     	.short	0x7e27

00015a06 : 15a06:	0122     	.short	0x0122 15a08:	0000     	.short	0x0000 ...

00015a0b : 15a0b:	29         	.byte	0x29 15a0c:	73810003 	.word	0x73810003 15a10:	7e         	.byte	0x7e

00015a11 : 15a11:	fa         	.byte	0xfa 15a12:	0000     	.short	0x0000 15a14:	00002308 	.word	0x00002308 15a18:	fbf1     	.short	0xfbf1 15a1a:	7e         	.byte	0x7e

00015a1b : 15a1b:	fa         	.byte	0xfa 15a1c:	23080000 	.word	0x23080000 15a20:	29e20001 	.word	0x29e20001 15a24:	7e         	.byte	0x7e

00015a25 : 15a25:	29         	.byte	0x29 15a26:	0002     	.short	0x0002 15a28:	6a59     	.short	0x6a59 15a2a:	7e         	.byte	0x7e

00015a2b : 15a2b:	fa         	.byte	0xfa 15a2c:	00030000 	.word	0x00030000 15a30:	00000000 	.word	0x00000000 15a34:	09f00500 	.word	0x09f00500 15a38:	7e         	.byte	0x7e

00015a39 : 15a39:	fa         	.byte	0xfa 15a3a:	0000     	.short	0x0000 15a3c:	00000003 	.word	0x00000003 15a40:	06000000 	.word	0x06000000 15a44:	3b6b     	.short	0x3b6b 15a46:	7e         	.byte	0x7e

00015a47 : 15a47:	41         	.byte	0x41 15a48:	47432b54 	.word	0x47432b54 15a4c:	4e4f4344 	.word	0x4e4f4344 15a50:	0a0d3f54 	.word	0x0a0d3f54

00015a54 : 15a54:	30455441 	.word	0x30455441 15a58:	30453145 	.word	0x30453145 15a5c:	30453145 	.word	0x30453145 15a60:	30453145 	.word	0x30453145 15a64:	0a0d3145 	.word	0x0a0d3145

00015a68 : 15a68:	0a0d5441 	.word	0x0a0d5441

00015a6c : 15a6c:	1b0000fa 	.word	0x1b0000fa 15a70:	00000006 	.word	0x00000006 15a74:	00180000 	.word	0x00180000 15a78:	f0f30000 	.word	0xf0f30000 15a7c:	7e         	.byte	0x7e

00015a7d <Charging500mA>: 15a7d:	fa         	.byte	0xfa 15a7e:	0000     	.short	0x0000 15a80:	0000061b 	.word	0x0000061b 15a84:	18000000 	.word	0x18000000 15a88:	2b000100 	.word	0x2b000100 15a8c:	7ee9     	.short	0x7ee9

00015a8e <Charging1A>: 15a8e:	00fa     	.short	0x00fa 15a90:	00061b00 	.word	0x00061b00 15a94:	00000000 	.word	0x00000000 15a98:	00070018 	.word	0x00070018 15a9c:	bdfb     	.short	0xbdfb 15a9e:	7e         	.byte	0x7e

00015a9f <getQPSTConfig>: 15a9f:	0c         	.byte	0x0c 15aa0:	417e3a14 	.word	0x417e3a14 15aa4:	43512454 	.word	0x43512454 15aa8:	0d474d44 	.word	0x0d474d44 15aac:	51245441 	.word	0x51245441 15ab0:	474d4443 	.word	0x474d4443 15ab4:	2454410d 	.word	0x2454410d 15ab8:	4d444351 	.word	0x4d444351 15abc:	067e0d47 	.word	0x067e0d47 15ac0:	7e7e954e 	.word	0x7e7e954e

00015ac4 <getESN>: 15ac4:	00000026 	.word	0x00000026 ...  15b48:	7ed2ad00 	.word	0x7ed2ad00

00015b4c <CDMAPcmLoopbackOn>: 15b4c:	000e0b4b 	.word	0x000e0b4b 15b50:	00010003 	.word	0x00010003 15b54:	0001000c 	.word	0x0001000c 15b58:	7e00     	.short	0x7e00

00015b5a <CDMAPcmLoopbackOff>: 15b5a:	0b4b     	.short	0x0b4b 15b5c:	0003000e 	.word	0x0003000e 15b60:	000c0001 	.word	0x000c0001 15b64:	7e000000 	.word	0x7e000000

00015b68 <GSMPcmLoopbackOn>: 15b68:	000e0b4b 	.word	0x000e0b4b 15b6c:	000b0003 	.word	0x000b0003 15b70:	0001000c 	.word	0x0001000c 15b74:	7e00     	.short	0x7e00

00015b76 <GSMPcmLoopbackOff>: 15b76:	0b4b     	.short	0x0b4b 15b78:	0003000e 	.word	0x0003000e 15b7c:	000c000b 	.word	0x000c000b 15b80:	7e000000 	.word	0x7e000000

00015b84 <Dial>: 15b84:	000000fa 	.word	0x000000fa 15b88:	00000000 	.word	0x00000000 15b8c:	04000000 	.word	0x04000000 ...  15bf0:	34000000 	.word	0x34000000 15bf4:	31363830 	.word	0x31363830 15bf8:	32333837 	.word	0x32333837 15bfc:	00000037 	.word	0x00000037 ...  15c30:	0a000000 	.word	0x0a000000 ...  15c58:	0000      	.short	0x0000 15c5a:	7e         	.byte	0x7e

00015c5b : 15c5b:	41         	.byte	0x41 15c5c:	0d304554 	.word	0x0d304554 15c60:	0a         	.byte	0x0a

00015c61 <ATDT>: 15c61:	41         	.byte	0x41 15c62:	4454     	.short	0x4454 15c64:	37313654 	.word	0x37313654 15c68:	37323338 	.word	0x37323338 15c6c:	0a0d     	.short	0x0a0d

00015c6e <testAlive_1>: 15c6e:	00fa     	.short	0x00fa 15c70:	00011b00 	.word	0x00011b00 15c74:	00000001 	.word	0x00000001 15c78:	7ead8101 	.word	0x7ead8101

00015c7c <onlineMode_1>: 15c7c:	030000fa 	.word	0x030000fa 15c80:	00000000 	.word	0x00000000 15c84:	4f020000 	.word	0x4f020000 15c88:	5d7d     	.short	0x5d7d 15c8a:	7e         	.byte	0x7e
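
The listing prints every value as a number, so the bytes inside each .word and .short appear reversed compared with their order in the file. The following is an added example, not part of the original page or of Palm's code: it rebuilds the byte order for a few entries copied from the listing, assuming a little-endian binary, and shows which entries are plain AT text and which are binary packets ending in 0x7e. The function names are hypothetical.

```python
import re

# Width in bytes of each data directive in the listing.
SIZES = {"word": 4, "short": 2, "byte": 1}
DIRECTIVE = re.compile(r"\.(word|short|byte)\s+0x([0-9a-fA-F]+)")

def entry_bytes(entry: str) -> bytes:
    """Rebuild the raw bytes of one listing entry from its directives."""
    if "..." in entry:
        # objdump collapses runs of zero bytes into "..."; without the
        # addresses the gap length is unknown, so refuse instead of guessing.
        raise ValueError("entry contains an elided '...' run")
    out = bytearray()
    for kind, value in DIRECTIVE.findall(entry):
        # Assumption: little-endian target, so the least significant byte
        # of the printed value comes first in the file.
        out += int(value, 16).to_bytes(SIZES[kind], "little")
    return bytes(out)

def classify(data: bytes) -> str:
    """Separate plain AT text from packets that end in 0x7e."""
    if data.startswith(b"AT") and data.endswith(b"\r\n"):
        return "AT text"
    if data.endswith(b"\x7e"):
        return "binary, 0x7e-terminated"
    return "other"

# Entries copied from the listing above (address and raw columns dropped).
ENTRIES = {
    "15a47": ".byte 0x41 .word 0x47432b54 .word 0x4e4f4344 .word 0x0a0d3f54",
    "ATDT": ".byte 0x41 .short 0x4454 .word 0x37313654 .word 0x37323338 .short 0x0a0d",
    "testAlive_1": ".short 0x00fa .word 0x00011b00 .word 0x00000001 .word 0x7ead8101",
    "GSMPcmLoopbackOn": ".word 0x000e0b4b .word 0x000b0003 .word 0x0001000c .short 0x7e00",
}

def decode_all() -> dict:
    return {name: entry_bytes(text) for name, text in ENTRIES.items()}

if __name__ == "__main__":
    for name, data in decode_all().items():
        print(f"{name:18}{classify(data):26}{data!r}")
```

entry_bytes also accepts a line pasted straight from the listing, since it only looks at the directive and its value.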

PmModemUpdater
Usage:
    PmModemUpdater -h                        Print usage
    PmModemUpdater -v                        Detect current modem firmware version
    PmModemUpdater -p /path/to/firmware.tar  Check the firmware package info
    PmModemUpdater -b                        Backup NV items from device to /var/firmware/palm_nv_backup.txt
    PmModemUpdater -r /path/to/nvfile        Load NV items from nvfile
    PmModemUpdater<firmware.tar              Update the firmware using a tar file as input
    PmModemUpdater<firmware.tar -f           Force an update even the modem has the same version than tar file
    PmModemUpdater<firmware.tar -s xx xx     Force the modem to be flashed (RESCUE MODE)
    PmModemUpdater -i                        Start a data/voice test on your umts modem directly
    PmModemUpdater -e                        Ignore stop/start TIL/WAND
    PmModemUpdater -o                        silent mode which means no verbose output at all
    PmModemUpdater<firmware.tar -m           Force the modem to be flashed (INFINITE USB RESCUE MODE) on USB

pmmodempower
    #!/bin/sh
    # "$*" expands to all arguments as a single word, so pass one action per call
    for i in "$*"
    do
      if [ "$i" = "on" ]
      then
        echo Powering On Modem
        echo 1 > /sys/user_hw/pins/modem/power_on/level
      fi

      if [ "$i" = "off" ]
      then
        echo Powering Off Modem
        echo 0 > /sys/user_hw/pins/modem/boot_mode/level
        echo 0 > /sys/user_hw/pins/modem/power_on/level
      fi

      if [ "$i" = "cycle" ]
      then
        echo Powering Off Modem
        echo 0 > /sys/user_hw/pins/modem/boot_mode/level
        echo 0 > /sys/user_hw/pins/modem/wakeup_modem/level
        echo 0 > /sys/user_hw/pins/modem/power_on/level
        sleep 2
        echo Powering On Modem
        echo 1 > /sys/user_hw/pins/modem/power_on/level
        #echo Waiting for MODEM_WAKE_APP Low
        #while [ "$appwake" != "0" ]
        #do
        #   appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #done
        #echo Waiting for MODEM_WAKE_APP Pulse High
        #appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #while [ "$appwake" != "1" ]
        #do
        #   appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #done
        #while [ "$appwake" != "0" ]
        #do
        #   appwake=`cat /sys/user_hw/pins/modem/wakeup_app/level`
        #done
        echo Asserting APP_WAKE_MODEM
        echo 1 > /sys/user_hw/pins/modem/wakeup_modem/level
      fi
    done

PmLinuxModemCmd
    usage: PmLinuxModemCmd <Port> <[a][b][c][d ][e][f][ftm][h][g][i][k <#pkts>][l][m][n][o][pcmloopback ][q][r][s][t][u <#pkts>][zr][zt][zl][1] [5][9]]> [v]
    where:
    <Port>:
        /dev/ttyS0         - Modem UART. - UART PORT
        /dev/tts/modem0    - USB Serial to Modem for AT commands - DATA PORT.
        /dev/tts/modemdiag - USB Serial to Modem for Diagnostics - DIAG PORT.
    where:
        e - empty read buffer from specified port.
        u - Loopback mode performance test. Next argument <#pkts>
    UART PORT COMMANDS: (/dev/ttyS0)
        b  - Send loopback mode command for 256 bytes. UART goes into loopback mode until power cycle.
        d  - Send commands to dial a phone number. Phone number in the format 4086178327.
        f  - Send offline mode and read pkt.
        ftm - Enter modem FTM mode (both CDMA and GSM modems).
        i  - Send identify command.
        l  - Send testalive then loop forever doing ( onlinemode, offlinemode, sleep  to UART.
        m  - Disable loopback mode.
        o  - Send online mode and read pkt.
        pcmloopback - control PCM loopback. = GSM/CDMA = on/off.
        q  - Send test alive, online mode and then read pkts.
        r  - Get firmware version.
        t  - Send test alive and read pkt.
        1  - Send command to enable 1A charging.
        5  - Send command to enable 500mA charging.
        9  - Send command to enable 90mA charge.
        zs - CDMA reset modem.
        zt - CDMA send test alive and read pkts.
        zdiagonusb - CDMA put diag port on USB diag.
        zdiagonuart- CDMA put diag port on UART.
    DATA PORT COMMANDS: (/dev/tts/modem0)
        a - Send AT\n.
        c - Send ATCGDCONT\n.
        h - Send Echo command.
        k - Test loopback perf using command (ATE1\n).
    DIAG PORT COMMANDS: (/dev/tts/modemdiag)
        g  - Get QPST serial port config from DIAG port.
        s  - Get ESN from DIAG port.
        zl - CDMA put modemdiag into loopback.
        zr - CDMA Read performance tests. Takes two arguments and <pktSize>.
             Eg. %s /dev/tts/modemdiag zr <NumPkts> <PktSize> [v]
        zw - CDMA Write performance tests. Takes two arguments and <pktSize>.
             Eg. %s /dev/tts/modemdiag zw <NumPkts> <PktSize> [v]
        zu - CDMA Performance tests of the diag port after putting it into loopback. Takes two arguments and <pktSize>.
             Eg. %s /dev/tts/modemdiag zu <NumPkts> <PktSize> [v]
    where v - verbose output.

TelephonyInterfaceLayerGsm
/usr/bin/TelephonyInterfaceLayerGsm connects to /dev/modemuart with a baud rate of 115200. Trying the same with screen shows me just rubbish. Seems to be the binary protocol. Make sure you rename the file before killing the process, as it gets restarted automatically.

To strace TelephonyInterfaceLayerGsm and write out the relevant communication to /dev/modemuart we offer a small shell script below. Make sure your / is remounted rw for it.

    #!/bin/sh
    # Make sure TelephonyInterfaceLayerGsm is not restarted when we kill it
    mv /usr/bin/TelephonyInterfaceLayerGsm /usr/bin/TelephonyInterfaceLayerGsm-backup
    kill $(pidof TelephonyInterfaceLayerGsm)

    sleep 2

    # I always had fd=10 for /dev/modemuart, be verbose on reads and writes on this fd
    strace -x -s 10000 -f -F -o gsm.log -e read=10 -e write=10 TelephonyInterfaceLayerGsm-backup &
    sleep 25
    kill $(pidof TelephonyInterfaceLayerGsm-backup)

    sleep 2

    # Bring the system into a usable state again
    mv /usr/bin/TelephonyInterfaceLayerGsm-backup /usr/bin/TelephonyInterfaceLayerGsm
    sh /etc/event.d/TelephonyInterfaceLayer
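
Once gsm.log exists, the traffic on the modem descriptor has to be separated from everything else strace recorded. The following is an added example, not part of the original page: it pulls the completed read and write calls on fd 10 out of a log in the layout strace -f -o writes, including calls split into "unfinished" and "resumed" lines, and cuts each direction into packets. It assumes that 0x7e ends a packet, as it does in most of the binary sequences listed earlier; the function names and the sample log are constructed.

```python
import re

FD = "10"  # fd the page saw for /dev/modemuart (assumption: verify in /proc/<pid>/fd)
STR = r'"((?:[^"\\]|\\.)*)"(?:\.\.\.)?'
# strace -f -o prefixes every line with the pid; a call interrupted by another
# process is logged as "<unfinished ...>" and completed by a "resumed" line.
CALL = re.compile(r'^(\d+)\s+(read|write)\((\d+),\s*' + STR + r',\s*\d+\)\s*=\s*\d+')
UNFINISHED = re.compile(r'^(\d+)\s+(?:read|write)\((\d+),\s*<unfinished \.\.\.>')
RESUMED = re.compile(r'^(\d+)\s+<\.\.\. (read|write) resumed>\s*' + STR + r',\s*\d+\)\s*=\s*\d+')

def unescape(s):
    """strace string (\\xNN, \\r, \\n, octal escapes) -> raw bytes."""
    return s.encode("ascii").decode("unicode_escape").encode("latin-1")

def modem_io(log_text, fd=FD):
    """[(direction, bytes)] for each completed read/write on fd, in log order."""
    pending, out = {}, []
    for line in log_text.splitlines():
        if m := UNFINISHED.match(line):
            pending[m[1]] = m[2]          # fd this pid is blocked on
        elif m := RESUMED.match(line):
            if pending.pop(m[1], None) == fd:
                out.append((m[2], unescape(m[3])))
        elif (m := CALL.match(line)) and m[3] == fd:
            out.append((m[2], unescape(m[4])))
    return out

def frames(chunks, direction):
    """Join one direction's chunks; cut after each 0x7e. Returns (frames, leftover)."""
    parts = b"".join(d for k, d in chunks if k == direction).split(b"\x7e")
    return [p + b"\x7e" for p in parts[:-1]], parts[-1]

# Constructed log in the layout strace -f -o writes; the request is testAlive_1
# from the listing, the reply bytes are made up.
SAMPLE = r'''
1201  write(10, "\xfa\x00\x00\x1b\x01\x00\x01\x00\x00\x00\x01\x81\xad\x7e", 14) = 14
1201  read(10,  <unfinished ...>
1207  write(7, "\xfa\x7e", 2) = 2
1201  <... read resumed> "\xfa\x00\x00\x1b\x01\x00", 4096) = 6
1207  read(3,  <unfinished ...>
1207  <... read resumed> "\x7e", 16) = 1
1201  read(10, "\x00\x00\x4c\xb7\x7e\xfa\x00", 4096) = 7
'''

if __name__ == "__main__":
    io = modem_io(SAMPLE)
    for direction in ("write", "read"):
        done, rest = frames(io, direction)
        print(direction, [f.hex(" ") for f in done], "partial:", rest.hex(" "))
```

Lines that match none of the three patterns, such as the hex dump rows produced by -e read=10 and calls on other descriptors, are skipped.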