Radio Analysis

For the complete list of my articles on Android devices and software, including analysis of devices and system firmware, lists of external resources and tools, and How-To instructions, check the front page of this wiki under the Android heading

As part of my investigation into methods for replacing the HTC Linux kernel and Android system via a firmware update I am noting interesting information here.

The radio OS runs on the ARM9 core, otherwise known as the baseband processor or modem, part of the Qualcomm MSM7230 System-on-a-Chip (SOC) that includes the ARM11 applications processor.

The operating system is called REX (Real-Time Executive) and is based on the  L4 micro-kernel and the  Iguana operating system, with Qualcomm and HTC extensions.

It provides the environment for Qualcomm's AMSS (Advanced Mobile Subscriber Software) which provides all the phone functionality running on the ARM9.

See my ongoing description of the boot process.

Contents

• Talking to the Radio
• Radio AT Commands
• List of radio image source files

Current Status

9th November: added the Radio AT Commands page that contains details and logs from the session on 7th November where I investigated all possible AT commands the radio might accept.

7th November: modifying analysis tools that were focused on hboot to work with radio images. With hands-on a device yesterday I used hboot's "rtask C" to connect the radio directly to the USB interface and use the serial port to talk to it, getting as far as being able to query the SIMLOCK values including the elusive S-OFF @secuflag. See the rtask C - Talking to the Radio topic on the HBoot Analysis page for more details including how to talk to the radio via the serial-over-USB port. Added a list of external resources to this page related to the Qualcomm modem interfaces.

22nd October: "radio" analysis 1st pass 40% complete (setting up pointers to string constants).

21st October: "radio" analysis 1st pass 33% complete (setting up pointers to string constants).

20th October: "radio" analysis 1st pass 10% complete (setting up pointers to string constants).

Information

Talking to the Radio

It is possible from the HBoot mode (and FastBoot) to have the REX/AMSS take over the HS-USB port and then connect to it using serial-over-usb protocol from the host PC. Here's how to do it.

I can't give instructions for all operating system variations so you may need to adjust some of these steps to match the way your OS handles things. I am working from a Debian/Ubuntu Linux host.

First, permanently black-list the Qualcomm Serial driver that would otherwise load and manage the USB device. You may want to remove this file later if the qcserial driver should take over managing the device again:

echo "blacklist qcserial" | sudo tee /etc/modprobe.d/blacklist-qualcomm.conf  

Begin with the USB cable unplugged.

Start the device in HBoot mode by pressing and holding the volume-down rocker, pressing and releasing the power button, then releasing the volume-down rocker when the HBoot menu appears.

Unload the USB serial driver if it is loaded:

lsmod | grep -q usbserial && sudo modprobe -r usbserial  

Load the Linux USB serial driver configured to manage the device in HBoot mode:

sudo modprobe vendor=0xBB4 product=0x0C94  

Connect the USB cable. The device screen menu title should change from "HBOOT" to "HBOOT USB PLUG".

There should now be a new serial port that programs can connect to on the host PC:

grep 'generic converter now attached to ttyUSB' /var/log/kern.log  Nov  9 01:14:07 hephaestion kernel: [367061.282247] usb 1-2: generic converter now attached to ttyUSB0  

This shows us the device is presented on ttyUSB0. That final number could be different if there are other USB serial devices attached. It can also be different if a previous session didn't correctly clear the port. I've been caught out by assuming it would be ttyUSB0 and when checking found it is on ttyUSB1.

Cause the device to have REX/AMSS take over the USB port:

echo "rtask C" >/dev/ttyUSB0  

The serial port should now have disappeared because the device went away. It has re-appeared with a different ID so reload usbserial to match:

sudo modprobe -r usbserial  sudo modprobe  usbserial vendor=0x05c6 product=0x9002  

There should now be three new ports:

tail /var/log/kern.log | grep ttyUSB  Nov  9 01:15:37 hephaestion kernel: [367151.622349] usb 1-2: generic converter now attached to ttyUSB0  Nov  9 01:15:37 hephaestion kernel: [367151.623206] usb 1-2: generic converter now attached to ttyUSB1  Nov  9 01:15:37 hephaestion kernel: [367151.624394] usb 1-2: generic converter now attached to ttyUSB2  

Whatever the ports are numbered it is the third (last listed) that we need to connect to. You can use any serial terminal communications program, GUI or shell-based. I use screen and have it log the session (-L) to screen.0.log in the current directory:

screen -L /dev/ttyUSB2  

When the terminal program is connected you should (but may not always) see:

+PB_READY  

This shows the radio is awaiting commands. See the Radio AT Commands article for the commands and what they do.

REX Boot Menu

ARM9BootMode:%x   %s [0/1/2/3]    Saving the default boot mode in flash    0 : Boot CE and goto AMSS        Press OK Key: Enter CE Bootloader    1 : Don't boot CE, enter command mode    2 : Don't boot CE, goto AMSS    3 : Boot CE, ARM9 enter endless loop    4 : Stay in OEMSBL,Wait GO2AMSS        Then Boot CE, mARM goto AMSS    Press OK Key+COMM Key to enter mode 1 directly  

Source-code Files

This is an (incomplete) list of the source-code files used in building the HTC Vision's REX L4/Iguana operating system image.

See the attached text file  which lists them.

Resources

 Qualcomm Gobi 2000 Linux driver information and indications that an AMSS and APSS sub-set is loaded into the miniPCI device's firmware.

 Mobile Broadband and Qualcomm Proprietary Protocols - Dan Williams blog (Dan is one of the Linux NetworkManager developers)