how do I increase the number of GPIOs recognized in the Linux kernel? - Android Q&A, Help & Troubleshooting

So a bit of background: I am building LineageOS 14.1 from source (for the Samsung Galaxy S2 AT&T i777, which runs on the Exynos4210 SoC) and I am integrating a PCF857x GPIO-expander driver into my Linux kernel (Version ~3.2 Linux). The driver itself (pcf857x.c, pcf857x.h) is already included in the kernel, so I just need to set it up to specify my specific GPIO expander (PCF8574). As this is built on an older version of the Linux kernel, I use a board file to set up this driver. Below is a piece of my code in the board file (../mach-exynos/mach-u1.c) where I define the gpio base for the expander.
static struct pcf857x_platform_data pcf857x_data[] = {
	{
		.gpio_base = 300,
	},
};
When I eventually flash the LineageOS build onto my hardware, I see that the device is registered on the appropriate I2C bus at the correct address. However, I do not see any GPIOs being registered. The SoC GPIOs that are already present range from 0-287 (I see this via: cat /sys/kernel/debug/gpio). This is why I chose my gpio_base at 300 as I don't want to conflict with any physical GPIOs.
I think the issue is coming from the fact that GPIOs beyond 287 are not recognized by the kernel. When I try to export GPIO 300 via sysfs for example, nothing happens (echo 300 > /sys/class/gpio/export). In the kernel, there is a macro "ARCH_NR_GPIOS" that defines the total number of GPIOs (both built-in/SoC GPIOs and others, including those on GPIO expanders). I tried increasing this ARCH_NR_GPIOS several times, even to 1000 at one point. But I still cannot export anything beyond the original 0-287 GPIOs.
So right now, I'm just trying to export GPIOs (echo 300 > /sys/class/gpio/export) beyond the SoC GPIOs (0-287). I tried increasing ARCH_NR_GPIOS (indirectly via CONFIG_SAMSUNG_GPIO_EXTRA), but that hasn't worked for me. I also tried playing with ../drivers/gpio/gpio-exynos4.c but I haven't had any luck.
The source code I'm following is from fellow xda developer OnyxClover. You may view the source code at his github: OnyxClover-OSRC under the android_kernel_samsung_u1 repository.
Please advise. Thanks!

Related

[A][SGS2][Serial] How to talk to the Modem with AT commands

This is a LIVE guide to communicating with your phone's modem by AT commands. The information contained here is collected on a continuous basis from various places, after having some trouble finding all relevant information in one place. Now this place is here, and if not, please post a comment on what's missing and where to find it, if you do know.
All results in this guide have been obtained using a Samsung Galaxy S2 running a stock rooted GB 2.3.4 with PDA:XWKI4 and PHONE:XXKI1 on the 2.6.35.7 Kernel.
The key documents to have as a reference when working with the Android AT command set are found at the 3GPP site. In particular these 2 documents:
[1] The ETSI GSM 07.07 (3GPP TS 27.007) specifies AT style
commands for controlling a GSM phone or modem.
[2] The ETSI GSM 07.05 (3GPP TS 27.005) specifies AT style
commands for managing the SMS feature of GSM.
These documents exist in many different versions, so they are not all equal in content. Make sure to check what document version you are using.
Background
To better understand mobile phone modems and the underlying hardware I strongly recommend reading Harald Welte's "Anatomy of contemporary GSM cellphone hardware" [3] and Teleca's "Challenges in integrating modems on Open Platforms" [4]. To summarize enormously, I can say this. On a modern Android based "smart phone", there are essentially two processors. The Application Processor (AP) where your Android operating system (AOS) and user interface (UI) live, and the Baseband/Cellular Processor (BP/CP) where all the GSM and other high-tech communication magic happens, including the modem we wish to communicate with. In the most modern phones the BP and the AP and all possible other peripheral devices are integrated into one piece of hardware, loosely known as a Smartphone or System on a Chip (SoC). On this SoC there are a number of peripheral devices such as RTC, UARTs, SPI, I2C, USB ports, SD/MMC card controllers and an ISO7816 SIM card reader. However, to preserve the layered hardware structure, the AP and BP still communicate via UART (serial line), USB, SPI or through shared RAM and/or a combination of these. Therefore there will always be some path directly accessible from the outside that we should be able to use to communicate directly with the BP. Exactly how this is done is mostly unknown due to the closed source and protectionistic nature of the SoC manufacturers, to the great dismay of the developer community.
Although there are several methods for invoking and controlling modem services, the two most common are through the AT Commands (ATC) and/or through Remote Procedural Calls (RPC). The ATC method is by far the most popular and the ATC set can be categorized as follows.
Code:
Call Control: Commands for initiating and controlling calls.
Data Call Control: Commands for controlling the data transfer and QoS.
Network Service: Commands for Supplementary services, ME, operator
selection, locking and registration.
SMS Control: Commands for sending, notifying, setting SMS services.
ME Control & Status: Commands for ME power,keypad,display,phonebook,RTC's.
The AOS provides support for this framework in the Radio Interface Layer (RIL), which acts as the interface between the radio HW and the Java Application Programming Interface (API). However, the RIL is divided into 3 parts, or layers if you want. (These are just arbitrary, and not GSM layers!)
L3. The Java RIL (AOS API) accessible to all but with a limited set of commands.
L2. The RIL Daemon (RILJ) acting as an interface between AOS and the Vendor RIL.
L1. The Vendor RIL, which is a closed-source and HW-specific implementation.
L0. The OEM/Vendor modem HW and firmware then acts on the L1 ATC's. (?)
Thus the job of the RIL is to translate all the telephony requests from the Android telephony framework and map them to the corresponding AT commands to the modem, and back again.
Here are two useful pictures that try to explain the various RIL layers.
Fig.1.
Fig.2.
Finding the correct serial device for the phone modem
In your phone you will find hundreds of devices listed under /dev. Knowing which one is the serial device(s) used for communicating with your Baseband Processor's (BP) Modem, is key in getting a useful AT communication going. Here it is also good to know that there are several serial devices connected to the BP. These connections are working in parallel through a MUX. So it is very likely you will be able to use several different devices to send AT commands with.
So how do we find an appropriate local serial device on the phone? One way is of course to try to connect via some terminal application to all devices and send some AT commands and look for a response, but that is not very scientific or practical. Different phones may use different default (Modem) serial devices. One way to find the serial devices is by listing available tty drivers.
Code:
# cat /proc/tty/drivers
...
rfcomm /dev/rfcomm 216 0-255 serial
g_serial /dev/ttyGS 253 0 serial
ttySAC /dev/s3c2410_serial 204 64-68 serial
serial /dev/ttyS 4 64-67 serial
...
So what are these doing and which one should we try?
After Googling around we suspect that:
rfcomm = Used by Bluetooth serial devices
ttySAC = Used by serial SAmsung Console
g_serial = "DataRouter" (also see dun: (10,123) )
In addition and thanks to the documentation in Adam Outler's info package [5], it can be inferred from the block diagram that perhaps:
Code:
s3c2410_serial0 - UART0 - Bluetooth (ttySAC)
s3c2410_serial1 - UART1 - GPS
s3c2410_serial2 - UART2 - AP PMIC - A/S1 ??
s3c2410_serial3 - UART3 - AP PMIC --> AP Level Shifter --> BP UART ??
s3c2410_serial4 - UART4 - not used?
(PMIC = Power Management IC)
The block diagram is this one, from the SGS-2 service manual.
Connecting using: a local terminal application or the ADB shell
So from our previous results, we would suspect that we could use /dev/ttyGS0. Since Busybox contains the microcom terminal program, we can simply do:
Code:
# busybox microcom -t 5000 /dev/ttyGS0
AT
ATI
<nothing> :(
However, although the connection is successful, there is no AT reaction on that line...
[EDIT] (See notes in a later post.)
Connecting using: Windows
If you are using Windows, you can go into Device Manager (DM) to find the correct port(s) used by your phone. However, depending on whether you set your phone to be used as a "USB mass storage" device or not, there may appear different devices in the DM. Here we assume that we just physically connect the phone and do nothing more. I.e. We're not using the device as a USB storage.
Next, under the device class listed as "Modems", you will probably find at least two modem devices. For example, I have one called "HDAUDIO Soft Data Fax Modem with SmartCP", which has nothing to do with Samsung and most likely came with the computer with some bloatware. The other one is called "SAMSUNG Mobile USB Modem", which is what we want. Then right-click to open Properties of the USB Modem device and navigate to the "Diagnostics" tab. Click on the "Query Modem" to send some test AT commands to your modem. If this doesn't work, you have a problem, and I don't have an answer. The result should look something like this:
Code:
ATQ0V1E0 - OK
AT+GMM - AT+GMM
GT-I9100
AT+FCLASS=? - (0,8)
AT#CLS=? - COMMAND NOT SUPPORTED
AT+GCI? - COMMAND NOT SUPPORTED
AT+GCI=? - COMMAND NOT SUPPORTED
ATI1 - Manufacturer: SAMSUNG
Model: I9100
Revision: I9100XXKI1
IMEI: xxxxx
ATI2 - Manufacturer: SAMSUNG
Model: I9100
Revision: I9100XXKI1
IMEI: xxxxx
...
See below for an explanation of these commands.
Now try this yourself with some terminal application. My personal favorite is the free and fully feature loaded "RealTerm". In the Display tab, use ANSI and check the "newLine mode" box, then in the Port tab, find your port as listed in Device Manager. For example, for me the modem port is located on COM port 12. This is listed as "12=\ssudmdm0000" in RealTerm.
Connecting using: Cygwin (on Windows)
First thing to know about using Cygwin, is that the windows COMn ports are addressed as /dev/ttyS[n-1], thus if you have connected your phone with a USB cable, and you find it is connected to COM port 12, then it will be accessible only through /dev/ttyS11 under Cygwin. Other terminal applications may use different ports. In addition you need to have installed/compiled some terminal program like: picocom, microcom or cu etc. Also make sure the COM port is not already occupied by another terminal program.
$ picocom /dev/ttyS11
...
This works as expected.
Some basic AT command structure
I'm not going to say much about the AT commands themselves, as they are almost as old as home computers themselves. However, let's have a brief look at the "Modem Query" above.
Code:
ATQ0V1E0
- This is actually a concatenation of the 3 commands:
(ATQ0 + ATV1 + ATE0) where:
ATQ0 - Disables echo suppression
ATV1 - Enables Verbose command results mode
ATE0 - Turns off local Echo
AT+GMM
- This one doesn't work in direct serial mode (!) and
is equivalent to AT+CGMM which shows the device model
identification. (I9100)
AT+FCLASS=?
- This queries the phone (TA) mode: (data, fax, voice etc.)
ATI
- This lists: Manufacturer, Model, Revision, IMEI
NOTE: AT commands can be concatenated on one line with each line starting with AT, and each command separated by ";". In some cases the semicolon is not needed. Typically a command without "=" or "?" is a general command, that sets or gets some parameters. But any command with "=" is a setting command, unless it is directly followed by "?", in which case you are querying the available/allowed parameters and their range. If the command is followed by "?" without a "=" it is a query, asking the values for something.
WARNING!
DO NOT SEND RANDOM COMMANDS/CHARACTERS TO YOUR PHONE MODEM
Many AT commands can easily wipe or brick your phone or SIM card!
I am in no way responsible for anyone bricking their phones, and
I cannot help you if you do so. So you better know exactly what you
send before you send anything at all.
General AT command list extracted from 3GPP TS 27.007
Here is a list with general AT commands and a brief description of their functions and the document section they are found at. The document version I used for the info extraction is shown on the first line.
Note: Several of these commands are deprecated or simply not available on the Android/Samsung phone modems, at least not in the form shown in that document.
Code:
3GPP TS 27.007 Release 9 145 V9.4.0 (2010-06)
AT+CAAP 7.25 - Automatic answer for eMLPP Service
AT+CACM 8.25 - Accumulated call meter
AT+CAEMLPP 7.22 - eMLPP Priority Registration and Interrogation
AT+CAHLD 11.1.3 - Leave an ongoing Voice Group or Voice Broadcast Call
AT+CAJOIN 11.1.1 - Accept an incoming Voice Group or Voice Broadcast Call
AT+CALA 8.16 - Alarm
AT+CALCC 11.1.6 - List current Voice Group and Voice Broadcast Calls
AT+CALD 8.38 - Delete alarm
AT+CALM 8.20 - Alert sound mode
AT+CAMM 8.26 - Accumulated call meter maximum
AT+CANCHEV 11.1.8 - NCH Support Indication
AT+CAOC 7.16 - Advice of Charge
AT+CAPD 8.39 - Postpone or dismiss an alarm
AT+CAPTT 11.1.4 - Talker Access for Voice Group Call
AT+CAREJ 11.1.2 - Reject an incoming Voice Group or Voice Broadcast Call
AT+CAULEV 11.1.5 - Voice Group Call Uplink Status Presentation
AT+CBC 8.4 - Battery charge
AT+CBCAP 8.59 - Battery Capacity
AT+CBCHG 8.61 - Battery Charger Status
AT+CBCON 8.60 - Battery Connection Status
AT+CBCS 11.3.2 - VBS subscriptions and GId status
AT+CBKLT 8.51 - Backlight
AT+CBST 6.7 - Select bearer service type
AT+CCFC 7.11 - Call forwarding number and conditions
AT+CCHC 8.46 - Close Logical Channel
AT+CCHO 8.45 - Open Logical Channel
AT+CCLK 8.15 - Clock
AT+CCUG 7.10 - Closed user group
AT+CCWA 7.12 - Call waiting
AT+CCWE 8.28 - Call Meter maximum event
AT+CDIP 7.9 - Called line identification presentation
AT+CDIS 8.8 - Display control
AT+CEAP 8.47 - EAP authentication
AT+CEER 6.10 - Extended error report
AT+CEMODE 10.1.28 - UE modes of operation for EPS
AT+CEPTT 11.1.10 - Short Data Transmission during ongoing VGCS
AT+CEREG 10.1.22 - EPS network registration status
AT+CERP 8.48 - EAP Retrieve Parameters
AT+CFCS 7.24 - Fast call setup conditions
AT+CFUN 8.2 - Set phone functionality
AT+CGACT 10.1.10 - PDP context activate or deactivate
AT+CGATT 10.1.9 - PS attach or detach
AT+CGCLASS 10.1.17 - GPRS mobile station class
AT+CGCLOSP 10.1.13 - Configure local Octet Stream PAD parameters
AT+CGCMOD 10.1.11 - PDP Context Modify
AT+CGCONTRDP 10.1.23 - PDP Context Read Dynamic Parameters
AT+CGCS 11.3.1 - VGCS subscriptions and GId status
AT+CGDATA 10.1.12 - Enter data state
AT+CGDCONT 10.1.1 - Define PDP Context
AT+CGDSCONT 10.1.2 - Define Secondary PDP Context
AT+CGEQOS 10.1.26 - Define EPS Quality Of Service
AT+CGEQOSRDP 10.1.27 - EPS Quality Of Service Read Dynamic Parameters
AT+CGEREP 10.1.19 - Packet Domain event reporting
AT+CGLA 8.43 - Generic UICC Logical Channel access
AT+CGMI 5.1 - Request manufacturer identification
AT+CGMM 5.2 - Request model identification
AT+CGMR 5.3 - Request revision identification
AT+CGREG 10.1.20 - GPRS network registration status
AT+CGSMS 10.1.21 - Select service for MO SMS messages
AT+CGSN 5.4 - Request product serial number identification
AT+CGTFT 10.1.3 - Traffic Flow Template
AT+CGTFTRDP 10.1.25 - Traffic Flow Template Read Dynamic Parameters
AT+CHLD 7.13 - Call related supplementary services
AT+CHSC 6.15 - HSCSD current call parameters
AT+CHSD 6.12 - HSCSD device parameters
AT+CHSR 6.16 - HSCSD parameters report
AT+CHST 6.13 - HSCSD transparent call configuration
AT+CHSU 6.17 - HSCSD automatic user initiated upgrading
AT+CHUP 6.5 - Hangup call
AT+CIMI 5.6 - Request international mobile subscriber identity
AT+CIND 8.9 - Indicator control
AT+CKPD 8.7 - Keypad control
AT+CLAC 8.37 - List all available AT commands
AT+CLAE 8.31 - Language Event
AT+CLAN 8.30 - Set Language
AT+CLCC 7.18 - List current calls
AT+CLCK 7.4 - Facility lock
AT+CLIP 7.6 - Calling line identification presentation
AT+CLIR 7.7 - Calling line identification restriction
AT+CLVL 8.23 - Loudspeaker volume level
AT+CMAR 8.36 - Master Reset
AT+CMEC 8.6 - Mobile Termination control mode
AT+CMEE 9.1 - Report mobile termination error
AT+CMER 8.10 - Mobile Termination event reporting
AT+CMOD 6.4 - Call mode
AT+CMOLR 8.50 - Mobile Originated Location Request
AT+CMOLRE 9.1 - Report mobile originated location request error
AT+CMOLRE 9.3 - Mobile termination error result code
AT+CMTLR 8.57 - Mobile Terminated Location Request notification
AT+CMUT 8.24 - Mute control
AT+CMUX 5.7 - Multiplexing mode
AT+CNAP 7.30 - Calling name identification presentation
AT+CNUM 7.1 - Subscriber number
AT+COLP 7.8 - Connected line identification presentation
AT+COLR 7.31 - Connected line identification restriction status
AT+COPN 7.21 - Read operator names
AT+COPS 7.3 - PLMN selection
AT+COTDI 11.1.9 - Originator to Dispatcher Information
AT+CPAS 8.1 - Phone activity status
AT+CPBF 8.13 - Find phonebook entries
AT+CPBR 8.12 - Read phonebook entries
AT+CPBS 8.11 - Select phonebook memory storage
AT+CPBW 8.14 - Write phonebook entry
AT+CPIN 8.3 - Enter PIN
AT+CPLS 7.20 - Selection of preferred PLMN list
AT+CPNET 7.27 - Preferred network indication
AT+CPNSTAT 7.28 - Preferred network status
AT+CPOL 7.19 - Preferred PLMN list
AT+CPOS 8.55 - Positioning Control
AT+CPOSR 8.56 - Positioning Reporting
AT+CPPS 7.23 - eMLPP subscriptions
AT+CPROT 8.42 - Enter protocol mode
AT+CPSB 7.29 - Current Packet Switched Bearer
AT+CPUC 8.27 - Price per unit and currency table
AT+CPWC 8.29 - Power class
AT+CPWD 7.5 - Change password
AT+CR 6.9 - Service reporting control
AT+CRC 6.11 - Cellular result codes
AT+CREG 7.2 - Network registration
AT+CRLA 8.44 - Restricted UICC Logical Channel access
AT+CRLP 6.8 - Radio link protocol
AT+CRMC 8.34 - Ring Melody Control
AT+CRMP 8.35 - Ring Melody Playback
AT+CRSL 8.21 - Ringer sound level
AT+CRSM 8.18 - Restricted SIM access
AT+CSCC 8.19 - Secure control command
AT+CSCS 5.5 - Select TE character set
AT+CSDF 6.22 - Settings date format
AT+CSGT 8.32 - Set Greeting Text
AT+CSIL 6.23 - Silence Command
AT+CSIM 8.17 - Generic SIM access
AT+CSNS 6.19 - Single numbering scheme
AT+CSQ 8.5 - Signal quality
AT+CSSAC 7.32 - Service Specific Access Control restriction status
AT+CSSN 7.17 - Supplementary service notifications
AT+CSTA 6.1 - Select type of address
AT+CSTF 6.24 - Settings time format
AT+CSVM 8.33 - Set Voice Mail Number
AT+CTFR 7.14 - Call deflection
AT+CTZR 8.41 - Time Zone Reporting
AT+CTZU 8.40 - Automatic Time Zone Update
AT+CUAD 8.49 - UICC Application Discovery
AT+CUSD 7.15 - Unstructured supplementary service data
AT+CVHU 6.20 - Voice Hangup Control
AT+CVIB 8.22 - Vibrator mode
AT+CVMOD 6.4 - Voice Call Mode
AT+FCLASS C.2.1 - Select mode
AT+VBT C.2.2 - Buffer threshold setting
AT+VCID C.2.3 - Calling number ID presentation
AT+VGR C.2.4 - Receive gain selection
AT+VGT C.2.5 - Transmit gain selection
AT+VIP C.2.6 - Initialise voice parameters
AT+VIT C.2.7 - Inactivity timer
AT+VLS C.2.8 - Line selection
AT+VRX C.2.9 - Receive data state
AT+VSM C.2.10 - Select compression method
AT+VTD C.2.12 - Tone duration
AT+VTS C.2.11 - DTMF and tone generation
AT+VTX C.2.13 - Transmit data state
Questions and Help Needed
Q1: What is the correct device on the SGS2, for ATC communication to the modem?
Q2: How and where is this device selected/configured?
Q3: What do the various Proprietary AT commands (AT+X...) do?
Q4: Where can I find more documentation on the BP/CP?
References:
[1] http://www.3gpp.org/ftp/Specs/html-info/27007.htm
[2] http://www.3gpp.org/ftp/Specs/html-info/27005.htm
[3] Harald Welte's "Anatomy of contemporary GSM cellphone hardware"
http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf
[4] Teleca's White Paper: "Challenges in integrating modems on Open Platforms"
http://teleca.com/Home/news_room/Whitepapers.aspx
[5] Adam Outler's "The all-in-one Galaxy S2 Hack Pack"
[6] Fabien Sanglard's non-blog: "Tracing the baseband":
http://fabiensanglard.net/cellphoneModem/index2.php
[7] "Android Application Development" (Android Telephony Internals, Ch.15.2),
R.Rogers/J.Lombardo, O'Reilly Media 2009
http://androidapps.org.ua/i_sect18_d1e18369.html
Keywords: AT Commands, Modem, Terminal, CDC-ACM, RIL, Serial, UART
If you like this work, please hit the thank you button!
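The command-line rules from the NOTE under "Some basic AT command structure" (concatenation with ";" and the exec, set, read and test forms), turned into a parser plus a pre-send check in the spirit of the warning that follows that note. This is an added example, not code from the guide's author; the READ_ONLY allowlist, the function names and the sample lines are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Exec-form names this example treats as read-only identification queries.
# Every name appears on this page; using them as an allowlist is an
# assumption of the example, not something the guide or a standard defines.
READ_ONLY = {"I", "+GMM", "+CGMI", "+CGMM", "+CGMR", "+CLAC", "+XGENDATA"}

_BASIC = re.compile(r"([&\\]?[A-Za-z])(\d*)")                  # Q0, &F, \Q
_EXTENDED = re.compile(r"([+$#*^%][A-Za-z0-9_]+)(=\?|\?|=)?")  # +CGREG=, #CLS=?


@dataclass(frozen=True)
class AtCommand:
    name: str   # "Q", "&F", "+CGREG"
    form: str   # "basic", "exec", "set", "read" or "test"
    arg: str    # digits after a basic command, or the text after "="

    def __str__(self):
        suffix = {"set": "=", "read": "?", "test": "=?"}.get(self.form, "")
        return self.name + suffix + self.arg


def _command_end(text, start):
    """Index of the next ';' that is not inside a double-quoted string."""
    quoted = False
    for i in range(start, len(text)):
        if text[i] == '"':
            quoted = not quoted
        elif text[i] == ";" and not quoted:
            return i
    return len(text)


def parse_at_line(line):
    """Split one AT command line into its individual commands."""
    text = line.strip()
    if text[:2].upper() != "AT":
        raise ValueError("command line must start with AT")
    pos, commands = 2, []
    while pos < len(text):
        if text[pos] in " ;":
            pos += 1
            continue
        m = _EXTENDED.match(text, pos)
        if m:
            end = _command_end(text, m.end())
            rest = text[m.end():end].strip()
            form = {"=?": "test", "?": "read", "=": "set", None: "exec"}[m.group(2)]
            if form != "set" and rest:
                raise ValueError(f"unexpected text after {m.group(0)!r}: {rest!r}")
            commands.append(AtCommand(m.group(1).upper(), form, rest))
            pos = end
            continue
        # Basic commands (letter plus digits) may follow each other with no
        # separator, which is why ATQ0V1E0 is three commands. S-register
        # syntax (ATS3=13) is not handled here and is rejected as unparseable.
        m = _BASIC.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse {text[pos:]!r}")
        name, arg, pos = m.group(1).upper(), m.group(2), m.end()
        if name == "D":                      # a dial string runs to end of line
            arg, pos = text[pos:], len(text)
        commands.append(AtCommand(name, "basic", arg))
    return commands


def _is_read_only(cmd):
    if cmd.form in ("read", "test"):         # "+X?" and "+X=?" only query
        return True
    return cmd.form in ("exec", "basic") and cmd.name in READ_ONLY


def blocked_commands(line):
    """Commands on the line that are not known to be read-only queries."""
    try:
        commands = parse_at_line(line)
    except ValueError:
        return [line.strip()]                # fail closed on unparseable input
    return [str(c) for c in commands if not _is_read_only(c)]


if __name__ == "__main__":
    # Constructed sample lines built from commands quoted on this page.
    for sample in ("ATQ0V1E0", "AT+CGREG=2;+CGREG?", "ATI;+CGMM;+CLAC",
                   "AT+FCLASS=?", "AT&F"):
        parsed = ", ".join(f"{c} ({c.form})" for c in parse_at_line(sample))
        flagged = blocked_commands(sample) or "nothing"
        print(f"{sample:22} -> {parsed}; flagged: {flagged}")
```

Anything the check flags (every set form, and every basic or exec command outside the allowlist) is a command to look up in 3GPP TS 27.007 before it goes anywhere near the modem.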
The GT-I9100 Baseband Processor (BP/CP) Specifications
Currently I have got two different specifications regarding what BP is used in the SGS2, most likely due to the different versions available of the SGS2 in Europe vs. USA. The ones I have are:
Intel/Infineon XMM6260 is the "platform" that consists of:
a) The X-GOLD 626 (ARM1176?, 40nm) baseband processor
b) The SMARTi UE2 RF-transceiver (65nm CMOS)
c) The 3GPP Release 7 HSPA+ protocol stack with:
Downlink: Category 14, Uplink: Category 7
d) Alternative Names*: Infineon IFX6260 = Intel IMC6260 = Intel XMM6260
e) Picture: http://www.infineon.com/export/sites/default/media/press/Image/press_photo/X-GOLD626.jpg
f) Datasheet: N/A
g) Most likely used in European phones
h) is apparently also present in the iPhone 4S.. (check!)
i) Closest available documentation:
XMM6160 (X-GOLD 616, ARM1176) which is also used in the SGS-1:
http://www.infineon.com/dgdl/X-GOLD...f0004&fileId=db3a30431ed1d7b2011f5bee88ef75eb
The biggest difference is in the SMARTi-UE RF-chip. BP remains similar.
XMM6180 (X-GOLD 618, ARM1176 @416 MHz) used in the iPhone4 & iPad2:
http://www.infineon.com/dgdl/X-GOLD...f0004&fileId=db3a30431ed1d7b2011f5bec418f75e6
.
Qualcomm QSC6085 (65nm, 424 CSP, 12x12mm) contains:
a) BP: ARM926EJS @ 192 MHz
b) + QDSP @ 96 MHz (also on BP)
c) Modem: IS-95 A/B, 1X Rel.0, EVDOr0, EVDOrA
d) is apparently also present in the "Verizon Wireless USB760 Modem"
e) Picture: N/A
f) Datasheet: N/A
g) Most likely used in North American (US) phones (CDMA)
*It should be noted that Infineon Technologies (Wireless Division) has been acquired by Intel Mobile Communications, in early 2011.
In fact these two differences just made a whole lot of sense from the available AT command sets. Basically the modem specific AT commands immediately give up the manufacturer of the modem firmware. (Yes, competing OEM developers do work together!) Because the command sets usually consist of 3 types.
The old school "Hayes" AT standard given by ETSI GSM 07.07.
Vendor Proprietary AT commands, specific for each OEM.
Carrier Proprietary AT commands, specific to some service providers. (E.g. AT&T, Sprint, T-mobile, Verizon etc.)
So for our 2 modem cases above we have the obvious Proprietary AT extensions:
Qualcomm QSCnnnn: AT$Q<something>
Intel/Infineon XMMnnnn: AT+X<something>
which indeed confirms the BP of my SGS2. Obviously there is a far easier way to reach this conclusion...
---------------------------------------------------------------
TIPS!
To see what baseband processor you have,
you can enter into ServiceMode and check.
This should always work as many ServiceMode
functions are directly modem dependent.
---------------------------------------------------------------
Why? Because the ServiceMode application
actually resides in the modem firmware!
Do this:
Dial: *#197328640#
Code:
MAIN MENU:
...
[2] VERSION INFO. -->
[1] SW VERSION -->
[5] READ ALL SW VERSION:
...
======> IFX SW VER: SP6260_U1_01.1135
...
This implies the phone is using software for the (Infineon) IFX 6260...
But the ServiceMode is just talking to the modem, so you can get the
same information by opening an (external) terminal shell and send
the following ATC:
Code:
AT+XGENDATA
+XGENDATA: " SP6260_U1_01.1135_DB110831 2011-Sep-2 18:14:20
PDB_NOT_AVAILABLE
*SP6260_U1_01.1135_DB110831*"
"*"
OK
Here is the FBGA pin-out of that chip:
Fig.4.
A small addendum about the SMARTi UE2 chip
The BP is communicating with the RF-transceiver chip called SMARTi UE2
(labelled "5712"), using a communication interface that corresponds to
the (MIPI) DigRF 3G (V.3.09) standard. Through this protocol the BP
(or other device) can also control some aspects of the RF to some
minor extent. But without the proper specifications of the 5712, it
may also contain other interfaces...
The DigRF connections:
Fig.5.
The SMARTi UE2 chip:
Fig.6.
Here are more links for the interested reader:
General DigRF info:
http://www.mipi.org/specifications/digrfsm-specifications
http://www.mipi.org/sites/default/files/Specification Overview final.pdf
http://electronicdesign.com/article/test-and-measurement/digrf-faqs19953.aspx
The DigRF protocol details:
http://www.siliconreleasesolutions.com/pdf/DigRF-TMWorld0509-FINAL.pdf
http://www.docstoc.com/docs/53386199/DigRF-BASEBAND-RF-DIGITAL-INTERFACE-SPECIFICATION
Complete AT command list for Samsung Galaxy S2 (GB 2.3.4, KI4)
These were obtained by sending the "list all available AT commands" request: AT+CLAC .
Their functions have been collected from many different sources, none of which originates
from Samsung. Thus many ATC's are marked with one or more "?" to signify the uncertainty.
The standard AT set as shown in the OP, I have not bothered to describe here.
Code:
ATA - Answer
ATD - Dial ...
ATE - Enable command echo (0=disable, 1=enable)
ATH - ??? Hangup/Hook
ATO ?? - Return to Online Data Mode
ATQ - Result code suppression
ATS - Command line termination? S[3,4,5]
ATV - Command response format (0=Numerical, 1=Verbose)
ATX - Result code format for CONNECT Mfg!
ATZ - Reset Modem (...)
ATl -
ATm -
AT&C ? - (Received line signal detector) Behaviour
AT&D ? - (Data terminal ready) Behaviour
AT&F ? - Restore Factory Default Configuration
AT\Q ? - Local flow control selection
AT+CACM
AT+CAMM
AT+CAOC
AT+CBC
AT+CBST
AT+CCFC
AT+CCHC
AT+CCHO - Open Logical Channel
AT+CCID - SIM Serial Number
AT+CCLK - Realtime clock
AT+CCUG
AT+CCWA
AT+CCWE
AT+CEER
AT+CFUN * ? This command selects the level of functionality <fun> in the MS. Only some values of <fun> are allowed (see Defined values).
AT+CGACT -
AT+CGATT -
AT+CGAUTO -
AT+CGCLASS -
AT+CGCMOD -
AT+CGDATA -
AT+CGDCONT -
AT+CGDSCONT -
AT+CGEQMIN -
AT+CGEQNEG -
AT+CGEQREQ -
AT+CGEREP * - Packet Domain event reporting
AT+CGLA E - Generic UICC Logical Channel access
AT+CGMI - Request manufacturer identification
AT+CGMM - Request model identification
AT+CGMR - Request revision identification
AT+CGPADDR -
AT+CGQMIN -
AT+CGQREQ -
AT+CGREG * - GPRS network registration status AT+CGREG=2;+CGREG?
AT+CGSMS -
AT+CGSN * - Request product serial number identification (IMEI)
AT+CGTFT
AT+CHLD
AT+CHUP - Hangup call
AT+CIMI * - Request international mobile subscriber identity (IMSI)
AT+CLAC - List all available AT commands
AT+CLAN
AT+CLCC
AT+CLCK
AT+CLIP
AT+CLIR
AT+CMEE - Report mobile termination error (+CME) verbosity mode (0,1,2)
AT+CMGC
AT+CMGD
AT+CMGF
AT+CMGL
AT+CMGR
AT+CMGS
AT+CMGW
AT+CMMS
AT+CMOD
AT+CMSS
AT+CMUX - Set multiplexing protocol control channel mode(s)
AT+CNAP
AT+CNMA
AT+CNMI * - This command selects the procedure, how receiving of new SMS from network is indicated to the TE
AT+CNUM
AT+COLP
AT+COLR
AT+CONNECTPORT
AT+COPN
AT+COPS -
AT+CPAS
AT+CPIN
AT+CPIN2
AT+CPLS
AT+CPMS
AT+CPOL
AT+CPUC
AT+CPWD
AT+CPWROFF
AT+CR
AT+CRC
AT+CREG
AT+CRES
AT+CRLA ? - Restricted UICC Logical Channel access
AT+CRLP * - Radio link protocol
AT+CRSM
AT+CSAS
AT+CSCA
AT+CSCB
AT+CSCS
AT+CSDH
AT+CSIM
AT+CSMP
AT+CSMS
AT+CSQ - Signal Quality
AT+CSSN
AT+CSTA
AT+CSVM
AT+CTFR
AT+CTZR
AT+CTZU
AT+CUAD - UICC Application Discovery
AT+CUSD
AT+CVHU
AT+FCLASS - Select mode: put TA into mode: (data, fax, voice etc.)
AT+IPR - This command specifies the data rate at which the DCE will accept commands. The full range of data rate values may be reduced dependent on HW or other criteria.
AT+NEER
AT+TRACE * ? (see: +XSIO) This command controls the trace; it allows selecting the trace mode, method and the trace data transfer rate.
AT+VTD
AT+VTS
AT+XAACOPS ?
AT+XAPP * ! - Known buffer overflow in iPhone 4S (unsigned code execution): Probably used to send executable code (application) to BB!
AT+XBANDSEL ? This command allows to switch from automatic band selection to selection of one or more (up to four) bands.
AT+XCALLSTAT * ? Set reporting call status: This command allows enabling / disabling the reporting voice call status on DTE using an unsolicited result code +XCALLSTAT: <call_id><stat>.
AT+XCEER ?
AT+XCGCLASS ?? Changing the startup MS Mobile class ("B", "CC")
AT+XCONFIG + ?? This command allows the configuration of DLCs (Data Logical Channels). (see +XMUX)
AT+XCOPS ? Display of the most adapted name of the network.The command parameter <type> allows requesting the name type which shall be displayed.
AT+XCSP ? This command reads the customer service profile (CSP) from the SIM. The CSP indicates the services that are user accessible.
AT+XCSPAGING ? This command allows enable/disable the circuit switching paging. The command has an effect only when used before +COPS or +CGATT.
AT+XCSSMS ? Initiate Resending of SMS over CS if GPRS Fails
AT+XCTMS ? This command allows to set the TTY/CTM behavior. The selected setting is stored also in NVRAM and remains valid also after switch off the mobile
AT+XDATACHANNEL ? This command configures the channel over which CSD or GPRS data shall be routed.
AT+XDLCTEST ?
AT+XDNS ? This command enables / disables a dynamic DNS (Domain Name Service) request before context activation.
AT+XDTMF ? This command allows setting the value of SEND DTMF user setting that controls whether the DTMF tone generation on request from SIM-TK is allowed.
AT+XEER ?
AT+XEONS ? displays the list of available networks with details like long operator name, short operator name, MCC/MNC, Long EONS name, Short EONS name for each PLMN.
AT+XFDOR ? Trigger Fast Dormancy
AT+XFDORT ? Set Fast Dormancy Timer
AT+XGAUTH ? This proprietary command allows to enter the type of authentication for a user-name (using a password) for the specified PDP context
AT+XGENDATA ? This command requests the software version and generation data.
AT+XHOMEZR ? This Set command enables and disables the home zone change event reporting. If the reporting is enabled; the MT returns the unsolicited result code +XHOMEZR: <label> whenever the home zone is changed.
AT+XHSDUPA ? This command configures the mode of HSDPA and HSUPA (by changing the appropriate dynamic NVRAM parameter)
AT+XL1SET ? Call the L1-specific function
AT+XLEMA ??? Emergency number list (Ofono)
AT+XLIN ? This command sets the current line.
AT+XLOG * ! - Known buffer overflow in iPhone 4S (unsigned code execution) ? This command allows displaying the exceptions stored in NVRAM on DTE. The MS-error LOG is contained in a response code formatted as +XLOG: <num>,<code>,<file>,<line>,<count> or another appropriate format as specified below.
AT+XMER ? Enables or disables sending of unsolicited result codes from the MS to the DTE when the battery charge level or the radio signal level crosses a defined threshold.
AT+XMUX + ? Multiplexing mode: This command configures the GSM 07.10 multiplexing protocol.
AT+XNOTIFYDUNSTATUS ??? (LG) This command is used to notify DNS setting status
AT+XNVMMCC ?
AT+XNVMPLMN ?
AT+XPINCNT - This command reads the remaining attempts for SIM PIN, SIM PIN2, SIM PUK and SIM PUK2.
AT+XPOW ? This command sets the powersaving-mode.
AT+XPROGRESS ? This command allows enabling / disabling the display of an unsolicited result code + XPROGRESS: <cin> (call number indication), <status> on DTE while a call is in progress.
AT+XRAT ? This command forces the selection of the Radio Access Technology (RAT) in the protocol stack.
AT+XREDIAL ? Enabling of automatic redialing if the called party was busy.
AT+XREG ! ? Involved in the iPhone unlock hacks...
AT+XRXDIV * ? This command is used to allow external control of the Rx Diversity feature during runtime.
AT+XSETCAUSE ?
AT+XSIMSTATE ? Display SIM and Phonelock Status (write at+xsimstate=1 to turn on, at+xsimstate=0 to turn off)
AT+XSIO * ? This command allows the configuration of the modem-interface (AT), trace-interface, IrDA interface and MUX-interface by setting the variant number.
AT+XSMS ? Detection of Signal DR_SM_FINISHED_IND
AT+XSVM ? This command allows setting the voice mail server number.
AT+XSYSTRACE ?
AT+XTESM ?
AT+XTRACECONFIG ?
AT+XUBANDSEL ?
AT+XUICC - Checks for UICC Card, whether the current SIM is a 2G or 3G sim.
AT+XVTS -
As you can see there are quite a few OEM commands here, whose functions I have not been able to
figure out yet. Please post if you know anything or have any documentation on these. They all
start with: AT+X<something>. There are also others that are not documented at all, AFAIK.
[2012-02-05]
On this list, the most interesting ATC's for our purposes are AT+XSIO and AT+XTRACE as described here:
Code:
AT+XSIO This command allows the configuration of the modem-interface (AT),
trace-interface, IrDA interface and MUX-interface by setting the
variant number.
• Set command allows the configuration of the modem-interface (AT), trace-interface, IrDA interface and
MUX-interface by setting the variant number. The set variant number becomes active only after a reset
• Read command allows seeing which is the current variant and which is the requested variant. A star marks
the active variant.
• Test command returns the possible and customizable variants.
Defined values:
<requested> requested variant, which may be in range 0-255
<active> currently active variant, which may be in range 0-255
<AT-interface> NULL, UART0, …, UARTn
<Trace> NULL, UART0, …, UARTn
<MUX> 1-x
<IrDA> NULL, UART0, …, UARTn
Example:
AT+XSIO=?
+XSIO: [SP62XX_es1] Variant=0: AT= USART2 USB[03]; BB-Trace= USB1; 3G-Trace= USB2; OCT= USB6;
+XSIO: Variant=1 : AT= USART2 USB[03]; BB-Trace= TADO0; 3G-Trace= TADO1; OCT= USB1;
+XSIO: Variant=2 : AT= USART2 USB[01]; BB-Trace= BG0; 3G-Trace= BG1;
+XSIO: Variant=3 : AT= USB[01]; BB-Trace= USART2; 3G-Trace= USIF5; OCT= USB6;
+XSIO: Variant=4 : AT= USART2 USB[01]; BB-Trace=/bbt/0; 3G-Trace=/3gt/0;
AT+XSIO?
+XSIO: 0, *0
-------------------------------------------------------------------------------
AT+TRACE This command controls the trace; it allows selecting the trace mode,
method and the trace data transfer rate.
• Set command switches the trace on or off. It allows the trace mode, method and the trace data transfer rate.
• Read command allows seeing the current set mode value along with the speed, i.e. data transfer rate. It also
allows knowing which traceable unit is on or off.
• Test command returns all the possible values of mode, data transfer rate, traceable unit, their mode and
power saving countdown.
Command Syntax:
AT+TRACE=[<mode>],[<speed>],[<unit>=<umode>],[<method>],[PowerSavingCountdown]
Defined Values:
<mode> may be
0 switch trace off
1 switch trace on (all kinds of traces are switched on)
128 This value can not be entered, it is only displayed via read
syntax if trace configuration is done by unitdefinitions
the last time. See <umode> & <unit> for trace configuration;
<unit>=<umode>
<unit> indicates a traceable unit as follows:
St stack
Pf printf
Bt Bluetooth
Ap apoxi
Db debug
Lt LLT (Low Level Trace)
Li LwIP (Lightweight TCP/IP Stack)
Ga GATE (3rd Party Software Decoding with a Windows DLL)
<umode> defines whether the unit related trace is on or off and can have the values:
0 unit-trace off
1 unit-trace on
<method> string type indicating the trace method with possible values:
"BTM" byte stuffing trace method
"EBTM" extended byte stuffing trace method
<PowerSavingCountdown>
Integer value indicating the power saving countdown
value in units of milliseconds. The maximum valid value is
30000.
Example:
AT+TRACE?
+TRACE: 1,921600,"ap=1;st=1;db=1;pr=1;bt=1,lt=1;li=1;ga=1;ae=1","DTM",0
[2012-02-14]
Additional hidden AT commands on the SGS-2
Running strings on the stock /system/bin/drexe, you will find the following AT commands embedded.
These are probably not directly supported by Modem, but rather interpreted by drexe, as
they're not present in the +CLAC list. In addition, some of them just don't work and may be only
provided for backward compatibility for other devices and modems.
Code:
AT+APPLIST
AT+AUTHKEY=
AT+BATGETLEVEL?
AT+CERTKEY
AT+CGMM
AT+CGSN
AT+CGTEMR=NewPCStudio
AT+DEVAUTH
AT+DEVCONINFO
AT+DISSTRNO=
AT+FOTALOC?
AT+FOTAREADY?
AT+FOTASTART
AT+FUS?
AT+GMM
AT+GSN
AT+HIDSWVER
AT+IMEINUM
AT+PASSWORDINPUT
AT+PRODUCTCODE
AT+PROF=
AT+SECUKEY
AT+SUDDLMOD=
AT+SUPPORTFUS
AT+SWVER
AT+SYNCML=MOBEXSTART
AT+SYNCML=MOBEXSTOP
[2012-02-09]
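An added example (not part of the original post, and not Samsung or Intel tooling): a Python parser for the +XSIO test and read responses quoted earlier in this post, reporting which interfaces the active variant routes to USB and whether a requested variant is still waiting for a reset. Treating every port name that starts with "USB" as a USB endpoint is an assumption.

```python
import re

# Responses copied from the AT+XSIO=? and AT+XSIO? examples in the post.
TEST_RESPONSE = """\
+XSIO: [SP62XX_es1] Variant=0: AT= USART2 USB[03]; BB-Trace= USB1; 3G-Trace= USB2; OCT= USB6;
+XSIO: Variant=1 : AT= USART2 USB[03]; BB-Trace= TADO0; 3G-Trace= TADO1; OCT= USB1;
+XSIO: Variant=2 : AT= USART2 USB[01]; BB-Trace= BG0; 3G-Trace= BG1;
+XSIO: Variant=3 : AT= USB[01]; BB-Trace= USART2; 3G-Trace= USIF5; OCT= USB6;
+XSIO: Variant=4 : AT= USART2 USB[01]; BB-Trace=/bbt/0; 3G-Trace=/3gt/0;
"""
READ_RESPONSE = "+XSIO: 0, *0"

VARIANT = re.compile(
    r"^\+XSIO:\s*(?:\[(?P<platform>[^\]]+)\]\s*)?"
    r"Variant=(?P<num>\d+)\s*:\s*(?P<body>.*)$"
)
READ = re.compile(r"^\+XSIO:\s*(\d+)\s*,\s*\*?(\d+)\s*$")


def parse_test(text):
    """Return (platform, {variant: {role: [ports]}}) from an AT+XSIO=? response."""
    platform, variants = None, {}
    for line in text.splitlines():
        m = VARIANT.match(line.strip())
        if not m:
            continue
        platform = m.group("platform") or platform
        routes = {}
        for field in m.group("body").split(";"):
            if "=" not in field:
                continue  # trailing empty field after the last ';'
            role, ports = field.split("=", 1)
            routes[role.strip()] = ports.split()
        variants[int(m.group("num"))] = routes
    return platform, variants


def parse_read(text):
    """Return (requested, active) from an AT+XSIO? response; '*' marks the active one."""
    m = READ.match(text.strip())
    if not m:
        raise ValueError("not a +XSIO read response: %r" % text)
    return int(m.group(1)), int(m.group(2))


def usb_routes(routes):
    """Roles whose ports include a USB endpoint (assumption: name starts with 'USB')."""
    exposed = {}
    for role, ports in routes.items():
        usb = [p for p in ports if p.upper().startswith("USB")]
        if usb:
            exposed[role] = usb
    return exposed


def audit(test_text, read_text):
    """Summarise the active variant and what it puts on USB."""
    platform, variants = parse_test(test_text)
    requested, active = parse_read(read_text)
    return {
        "platform": platform,
        "requested": requested,
        "active": active,
        # A newly set variant only becomes active after a reset.
        "pending_reset": requested != active,
        "usb_exposed": usb_routes(variants.get(active, {})),
    }


if __name__ == "__main__":
    for key, value in audit(TEST_RESPONSE, READ_RESPONSE).items():
        print(key, "=", value)
```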
Very good to read, thanks for linking me that.
But just to correct - AT is a bit deprecated interface in SGS, SGS2 and similar models. It can be used to control modem directly from PC (not sure if PC is really directly talking to modem or to part of Android's HALs, which is then talking to modem, for eg. USB-UART multiplexer in I9000 and S8500/S8530 is capable to switch phone MicroUSB port between AP USB/UART and CP USB/UART).
The main controlling interface used in above models is RPC through oneDRAM shared-memory area. You can find devices like "dpram", "onedram", "modemctl" in kernel - these are critical for proper working of modem. Even if RIL is using AT commands, it does send them through RPC.
AP-CP UART connection seems to be used only for early booting stage (at least in I9000 and S8500, haven't analysed I9100 but guess that's similar)
Ad1. There may be no real ability to communicate with modem directly on SGS2 and AT responses you are getting may be from Android, working on AP only, not AMSS (Advanced Mobile Subscriber Software - RTOS working on Qualcomm's CP)
Ad4. These datasheets are most guarded secrets of manufacturers. Only single, incomplete manuals leak from Qualcomm, not really useful. Also AP-CP RPC protocol is proprietary of Samsung, they got AMSS sources from Qualcomm and they are adding their own drivers there.
Oh yes, I gave Qualcomm as example, but is CP in SGS2 Qualcomm? It wasn't QC product on SGS1 but tbh it is also very closed source.
While AP-CP low level protocol is opensource (you can find it in dpram/onedram/modemctl drivers in kernel), higher level of that layer - compiled into sec-RIL, is not.
AP-CP protocol is different between I9000 and S8500 (general concept remains the same, just it has been rewritten so packet types and structures are different), but if you are interested - we're creating opensource RIL for S8000/S8500/S8530/S8600 device series, supposed to work with Android ports for them - http://code.google.com/p/bada-modemril/ (branch experimental-MochaIPC)
As I understand, SGS2 uses intel's xmm6260 platform, which might also contain its own interface/firmware etc.
As long as the modem works well, there is little need to dig into the details of how ril communicates with modem, but when the modem does not work as it should (In my case it refused to register on only one specific mobile operator), an AT command which can do a factory reset of the modem might be helpful.
EDIT: 2012-02-01
Rebellos said:
... not sure if PC is really directly talking to modem or to part of Android's HALs, which is then talking to modem, for eg. USB-UART multiplexer in I9000 and S8500/S8530 is capable to switch phone MicroUSB port between AP USB/UART and CP USB/UART.
Hi, thanks for deep insight! I had to read your post 5+ times to take it all in.
That the AT is deprecated is no secret, but the fact (at least according to some firmware specialists) is that it will still be a while before the OEMs can get rid of the (AT) dependence of their secret and crappy proprietary firmware, that often needs to be backward compatible...
Regarding whether I'm talking to AP or CP. You are probably correct that I am talking to AP through HAL. At least from SGS2 block diagram, UART-3 is in the AP, but connected to a level-shifter in the PMIC (still on the same SoC), which is in turn connected to the BP UART-X. (I don't have a clue why this is done so.) So in any case it seems that the AT's are reaching their destination, through some abstraction layer, which may explain why I can only talk ATC's from Samsung Drivers and not from a local (phone) terminal shell.
The question is, what happens if we try to use the Bada trick, to go into ServiceMode (SM) and enable the corresponding BP access? But the SM is different on SGS and that option is not clearly available. However, there is:
Code:
MAIN MENU --> COMMON --> DIAG CONFIG
[1] LOG VIA USB *
[2] LOG VIA UART
[3] LOG VIA IPC
[4] SPEED 115200
[5] SPEED 921600 *
[6] DBG MSG OFF (toggle)
[7] RAMDUMP OFF (toggle)
[8] DUMP ALL TRACE
But these do not seem related to AP/BP connections...
[EDIT]
I found it! The selection of AP/BP connection behavior
when connecting your phone as a USB client, to a PC
host, can be manually set in the PhoneUtil (PU) menu.
This sets the behavior of your phone when connecting it
to a PC, so that you can select whether you like it to act
as a Modem or PDA, on the USB and/or UART port.
The PU menu is different from the ServiceMode menu.
Dial: *#7284#
Code:
UART:
[o] MODEM*
[ ] PDA
USB:
[ ] MODEM
[o] PDA*
* is default SGS2 setting.
However, after making the change to use USB in MODEM mode,
my host is asking for new drivers, which I cannot find...
Now, if the modem controlling interface is using RPC, how is this reflected at the OS level? Still, any Linux based kernel is device based, so there has to be a way to talk to that device. (I have no idea how to work with RPC's...)
There may be no real ability to communicate with modem directly on SGS2 and AT responses you are getting may be from Android, working on AP only, not AMSS (Advanced Mobile Subscriber Software - RTOS working on Qualcomm's CP)
A: There is no AMSS, since we are not using a Qualcomm BP in this device...
... Only single, incomplete manuals leak from Qualcomm, not really useful. Also AP-CP RPC protocol is proprietary of Samsung, they got AMSS sources from Qualcomm and they are adding their own drivers there.
A: Agree, but HW hackers are often too much concerned with getting the exact datasheets. Rather try to get an old/similar one that is available... The old device drivers probably have not changed THAT much, but at least it would be a start.
While AP-CP low level protocol is opensource (you can find it in dpram/onedram/modemctl drivers in kernel), higher level of that layer - compiled into sec-RIL, is not.
Can you be more specific? (I'm starting to get lost here somewhere...)
AP-CP protocol is different between I9000 and S8500 (general concept remains the same, just it has been rewritten so packet types and structures are different), but if you are interested - we're creating opensource RIL for S8000/S8500/S8530/S8600 device series, supposed to work with Android ports for them - http://code.google.com/p/bada-modemril/ (branch experimental-MochaIPC)
Yes, I am. How/where can I find what these differences are?
PS. Regarding the BP on the SGS2, see my 2nd post...
E:V:A said:
A: There is no AMSS, since we are not using a Qualcomm BP in this device...
Doesn't matter that much at all, it's likely almost the same stuff.
E:V:A said:
Can you be more specific? (I'm starting to get lost here somewhere...)
Yes, I am. How/where can I find what these differences are?
Not hard to get lost, it took me literally a few months to understand all these things. Sources are very messy - pay attention to Makefiles, some of the drivers aren't even compiled in.
I9000 GB driver (it was reorganised, comparing to Froyo)
https://github.com/project-voodoo/l...erbread-samsung/drivers/misc/samsung_modemctl
I9100 driver is in I9100 kernel sources in /drivers/svnet/ and /drivers/dpram/ (maybe also somewhere else, couldn't find direct link)
You can find my implementation of SHP OneDram frames-protocol there, based on I9000 GB driver - http://code.google.com/p/bada-modemctl/ (it isn't working yet - no one tested it)
As you can see - it's only lowlevel interface of sending frames and few parsers.
Real parsers and senders of frames are in libsec-ril.so library of platform - you can open it with IDA (I suggest 6.0+, it does deal with GOT of linux DLLs much better than previous versions) and find booting modem, installing callbacks inside of dpram/modemctl, parsing and sending packets and so on. Have fun.
I have to say I'm pretty lost on the topic already. I've read about such stuff at the replicant project a while ago. Maybe you find some useful information there.
replicant.us (can't link yet)
Looks to me like they have free ril implementations for dream, n1 and nexus S.
XdxH62 said:
I have to say I'm pretty lost on the topic already. I've read about such stuff at the replicant project a while ago. Maybe you find some useful information there.
Copy that! I don't even know where to begin...
But I have collected (thanks to you guys) the following very interesting links:
Available Source Code:
XGOLD-RIL (Omapzoom):
http://dev.omapzoom.org/?p=modem-int/xgold-ril.git;a=tree
Voodoo SGS-1 GB modem:
https://github.com/project-voodoo/l...ung/drivers/misc/samsung_modemctl/modem_ctl.c
https://github.com/project-voodoo/l...erbread-samsung/drivers/misc/samsung_modemctl
General...
https://github.com/GalaxySII/samsung-kernel-galaxysii
bada-modemril: Android RIL library for communication with baseband processor using Samsung OneDram.
https://code.google.com/p/bada-modemril/
bada-modemctl: Android kernel driver for communication with baseband processor using Samsung OneDram.
http://code.google.com/p/bada-modemctl/
Samsung H1 / Nexus S RIL/Modem support:
http://replicant.us/
http://trac.osuosl.org/trac/replicant/wiki
https://gitorious.org/replicant
https://gitorious.org/replicant/samsung-ril
http://github.com/morphis/libsamsung-ipc
http://ftp.osuosl.org/pub/replicant/
Nice!
http://trac.osuosl.org/trac/replicant/wiki/How_to_port_Replicant
https://github.com/morphis/libsamsung-ipc/tree/master/samsung-ipc/device/aries
Unrelated?
Android USB-to-serial: IOIO API
https://github.com/ytai/ioio/wiki
Android App: android-serialport-api
https://code.google.com/p/android-serialport-api/
Great USB GSM/3G stick hacking:
http://blogs.gnome.org/dcbw/category/drivers/
ModemManager Hmm??
https://launchpad.net/modemmanager
http://cgit.freedesktop.org/ModemManager/ModemManager/tree/README
http://cgit.freedesktop.org/ModemManager/ModemManager/tree/libqcdm/src/dm-commands.h
I am the Replicant developer who worked on Nexus S port and also did the work on aries (galaxy s, galaxy tab) devices and wrote a big part of the free RIL.
Replicant is a fully free Android derivative running on some devices (mostly Google phones).
If you have any questions regarding samsung modems in Android phones, I'd be happy to answer them!
I'll attach the mail I sent back to E:V:A next
---------- Post added at 08:27 PM ---------- Previous post was at 08:22 PM ----------
Modems on Android devices is a wide domain.
Phones differ on many things, like:
* modem chipset
* modem firmware
* transport modem <-> AP
* modem protocol
* user-space integration (Android RIL)
First thing is the modem chipset. There are quite a few. For instance on
HTC phones, you'll have the ones included in the MSM or QSD SoCs (which
is quite unusual, modems aren't often part of the SoC) IIRC.
On other devices, it'll be a separate chip connected to the SoC via
various transport methods.
I know better the case of recent Samsung phones, like Nexus S, Galaxy S,
Galaxy Tab (first gen), Galaxy S2, etc.
There, you have the modem, usually an intel x-gold 6xx, that is wired to
the SoC. So transport is done via serial line and/or some dedicated RAM
memory (not from the main sticks).
Even though a phone can have the same modem wired (at hardware level)
the same way, the kernel drivers can be different. That's the case of
nexus s and galaxy s. On the first one, modem Rx/Tx with AP is done via
ioctls while on galaxy s it's done via a PHONET network interface
(svnet0). SO it's not (and particularly on Samsung phones) only a serial
interface you can open with screen: you need to understand how it's done
and write dedicated software to reproduce this (cf. the code on
libsamsung-ipc/devices/ that is device-specific).
So once you have transport set up, you need to know about the protocol
the modem speaks. This depends on the firmware the modem is running.
I know that the modem used in Nexus S is also used in some iPhone (4G
IIRC) but it has a different firmware and so speaks a different
protocol. I suspect it to be AT on the iPhone while Nexus S speaks a
samsung-specific modem protocol. They invented that protocol and
rewrote the modem firmware to use it instead of AT or anything else.
This protocol is usually called "Samsung IPC Protocol" and we have a
free implementation of it in libsamsung-ipc and samsung-ril.
On the Nokia N900, transport is also a PHONET socket and the protocol is
neither AT nor Samsung IPC but some protocol made by nokia and
implemented in ofono.
So you have examples of different transport methods and modem protocols.
I could give you more examples.
Of course, on Android, you need to have the user-space programs (the RIL
mainly) to match both the transport scheme and the modem protocol to
have anything working.
> Please have a look at our XDA-forum thread:
>
> "How to talk to the Modem with AT commands":
> http://forum.xda-developers.com/showthread.php?t=1471241
Apparently you were able to contact the modem with some AT commands.
Either the modem has an AT mode that can run along with IPC (would
surprise me, but why not), but it may very well be incomplete and is
anyway not used at all in official binaries, or this is Android
emulating an AT device while sending back stuff from and to the RIL,
or this is not the modem.
Anyway I can tell you for sure that this is absolutely not the way to
talk to the modem properly. The correct way is to use the IPC protocol
and appropriate transport handling (which is way more complex than only
opening a serial line).
I just started the work on galaxy s2, I'll soon have done the transport
layer and we already know the protocol.
PaulKocialkowski said:
..Anyway I can tell you for sure that this is absolutely not the way to
talk to the modem properly. The correct way is to use the IPC protocol
and appropriate transport handling (which is way more complex than only
opening a serial line).
I just started the work on galaxy s2, I'll soon have done the transport
layer and we already know the protocol.
So no way to talk with the modem in Nexus S? Also if I use the REPLICANT rom?
Thanks.
alextreme said:
So no way to talk with the modem in Nexus S? Also if I use the REPLICANT rom?
Thanks.
Oh Nexus S status is very good (actually the best). That's the device we initially created libsamsung-ipc for (before, it was for samsung H1 and wasn't called libsamsung-ipc).
State of the modem using libsamsung-ipc and samsung-ril is at: redmine.replicant.us/projects/replicant/wiki/SamsungModems
Basically, we have calls, sms, network registration and much more. Data is working but it's unclean on the code and needs more work. Note that I'm the only active dev on samsung-ril, and we're 2 on libsamsung-ipc. I'm also the one who added support for galaxy s and galaxy tab devices.
So in Nexus S, you can talk with the modem very easily, using libsamsung-ipc (which is a lib, so you need to use a binary, like modemctrl that comes with libsamsung-ipc).
Also, note that the SHR GNU/Linux distribution supports Nexus S as well and uses libsamsung-ipc.
PaulKocialkowski said:
I am the Replicant developer who worked on Nexus S port and also did the work on aries (galaxy s, galaxy tab) devices and wrote a big part of the free RIL. ... I just started the work on galaxy s2, I'll soon have done the transport layer and we already know the protocol.
Hi Paul!
Thank you very much for your important contribution,
which really helped sort out, clarify and confirm many things!
I have just prepared a long response, but while writing it, more
fog has cleared and I will just go straight to my questions.
The rest (which is now less relevant) will be posted later as
a reference to others following this thread.
So my Questions to you at this point are:

Given the above pictures of the various abstraction layers,
how/where does the PHONET network interface fit in?

How does the "Samsung IPC Protocol" fit into this picture, regarding the translation and transmission of external terminal AT commands and their interpretation? [Perhaps you have a link to a good/easy explanation of this protocol?]

How could we use this, to send ATC's from a local terminal?
I guess the ultimate reason for wanting to do this, is to be able to get closer to the radio-interface-layer, and thus be able to get access to those radio parameters, not normally available to applications via the limited Java API.

Alternatively, how would you propose a better way to obtain the various low-level modem variables such as the ones shown here? (Freesmartphone.org)

From the (poor) OMAPedia RIL-layer picture and the GT-I9100 block-diagram, it seems that there might perhaps be other channels available to communicate with the BP/Modem. (I.e. Through the UART, GPIO, McSPI?) Any ideas on how/if this could be done?

How could we build our own RIL(s) with minimal effort and test it?

For example, here is a copy of this, which is an example how to build Replicant RIL and then replace the local rild from command line to test with. Would be great to be able to do the same on the SGS2...without having to flash new ROMs.

How does the Replicant "libsamsung-ipc" differ from that used in the "Project-Voodoo: samsung_modemctl"?
That was a bunch...
However, I would be happy to help contribute to Replicant if possible,
although you should keep in mind that I am not a professional
programmer in any way.
Here is the direct link to Replicant's Samsung RIL status page:
http://redmine.replicant.us/projects/replicant/wiki/SamsungModems
Recap of recent results
After the last post by Paul, things have become more clear. The following are the results I got up until then.
On the first one [Nexus S], modem Rx/Tx with AP is done via
ioctls while on Galaxy S it's done via a PHONET network interface
(svnet0). SO it's not (and particularly on Samsung phones) only a serial
interface you can open with screen: you need to understand how it's done
and write dedicated software to reproduce this...
The problem is to understand why I can communicate with ATC's from
outside (USB connected) terminal, but not from a local (on phone)
terminal, like for example /dev/ttyGS0. At this point I do understand that
the "SAMSUNG Mobile USB Modem" interface, together with ADB drivers,
provides some kind of (USB to HCI-socket to Modem) protocol converter,
and probably speaks directly to RIL and not the CP or Modem. We now
know that this is the Proprietary protocol called "Samsung IPC Protocol".
But if this is the case I thought I should still be able to find (and intercept)
whatever internal sockets or protocols used, to be able to establish and
send ATC's to the modem. But so far I have only been able to do the
following.
The setup:
Code:
[MY-PC] [RealTerm] <-- USB-cable --> [I9100]
Sending ATC's here is working as expected. I then tried to find the
devices/sockets/processes that handle this communication, and suddenly
I found myself in very murky waters. Trying to connect to the various local
devices on the phone, and not to sockets, as I do not know how to do that.
I had partial success, when I earlier tracked down /dev/ttyGS0 as having
something to do with the DataRouter. As I used nc to connect to
the ttyGS0 device during a RealTerm session, like this:
# nc -f /dev/ttyGS0
I could send characters to
RealTerm side, but the Modem never got anything. And when I typed on
RealTerm, only a few characters appeared on ttyGS0, but the modem did
respond normally. So I concluded that /dev/ttyGS0 is somehow used for
receiving modem responses, while some other protocol or device is used
for transmitting to modem. (This is now confirmed by the previous posts!)
How did I do this?
Unlike on other/older Android phones, the ATC's are not shown in logcat
under the tag "D/AT" but rather under "E/DataRouter"! So open another
window (adb shell) session and run: # logcat DataRouter:E *:S
Then open your (PC) terminal and send a few ATC's.
When sending an "AT" command, they will appear as:
Code:
E/DataRouter( 2585): After the usb select
E/DataRouter( 2585): Before checking the modem suspend state
E/DataRouter( 2585): PDP is resumed now
E/DataRouter( 2585): After checking the modem suspend state
E/DataRouter( 2585): Path set is DATA_PATH_CHAR_MODEM
E/DataRouter( 2585): Send [1] bytes to SMD. message:A
E/DataRouter( 2585): Sending data to SMD: Len = [1]
E/DataRouter( 2585): buffer = [A]
E/DataRouter( 2585): Wrote 1 chars to EXTERNAL PORT fd=17 ch = 41
E/DataRouter( 2585): Before the usb select
E/DataRouter( 2585): After the Modem Read select
E/DataRouter( 2585): Read 1 chars from SMD Modem file fd = 17
E/DataRouter( 2585): buf = A
E/DataRouter( 2585): Wrote 1 chars to USB PORT fd=29
E/DataRouter( 2585): buf=A
E/DataRouter( 2585): Before the Modem Read select
E/DataRouter( 2585): After the usb select
E/DataRouter( 2585): Before checking the modem suspend state
E/DataRouter( 2585): PDP is resumed now
E/DataRouter( 2585): After checking the modem suspend state
E/DataRouter( 2585): Path set is DATA_PATH_CHAR_MODEM
E/DataRouter( 2585): Send [1] bytes to SMD. message:T
E/DataRouter( 2585): Sending data to SMD: Len = [1]
E/DataRouter( 2585): buffer = [T]
But I didn't know exactly what to make from this, for example;
a) What is the "ch = 41" specification? It is just the ASCII of an "A" sent to
a device/file called 17. But when writing, it is called "EXTERNAL PORT"
while on reading, it's from "SMD Modem file"...
b) What is the DATA_PATH_CHAR_MODEM variable? I cannot find any
reference to this anywhere! I then found the devices and sockets by
identifying the file handles (fd) in the (datarouter) process directory:
Code:
# busybox ls -al --color=never /proc/2585/fd
fd=17 --> socket:[1904]
fd=29 --> /dev/ttyGS0
NOTE: I prefer to always use the busybox binaries, as I no longer trust
the Samsung ones to give the complete/proper information...
Given the more recent information from previous posts, I decided to look for svnet.
Code:
# find / -iname "*svnet*"
/proc/sys/net/ipv4/neigh/svnet0
/proc/sys/net/ipv4/conf/svnet0
/proc/sys/net/ipv6/neigh/svnet0
/proc/sys/net/ipv6/conf/svnet0
...
/proc/<process-id>/net/dev_snmp6/svnet0
...
/sys/devices/virtual/net/svnet0
/sys/bus/usb/drivers/cdc_svnet
/sys/class/net/svnet0

# ls -l /sys/devices/virtual/net
drwxr-xr-x root root 2012-02-03 05:56 lo
drwxr-xr-x root root 2012-02-02 12:34 svnet0
drwxr-xr-x root root 2012-02-02 12:34 sit0
drwxr-xr-x root root 2012-02-02 17:21 pdp0
These are all interesting and relevant, but I have no idea what
they all do... But /sys/bus/usb/drivers/cdc_svnet are all linked to
the HCI-USB devices under: /sys/devices/platform/s5p-ehci/usb1/1-2
and contain 4 of each of:
- "CDC Communication Interface"
- "CDC Data Interface"
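An added example (not part of the original post, and not DataRouter's own code): a Python script that rebuilds the byte streams from "E/DataRouter" logcat lines like those above and joins them with the /proc/2585/fd listing, which shows that fd 17 is one socket logged as "EXTERNAL PORT" on write and "SMD Modem file" on read. Reading the "ch = 41" field as two hex digits of the byte written is an assumption based on 0x41 being ASCII "A"; the "T" and carriage-return lines in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log in the post: the "A" exchange follows
# the post, the "T" and carriage-return (0d) writes are constructed.
SAMPLE_LOG = """\
E/DataRouter( 2585): Path set is DATA_PATH_CHAR_MODEM
E/DataRouter( 2585): Send [1] bytes to SMD. message:A
E/DataRouter( 2585): Wrote 1 chars to EXTERNAL PORT fd=17 ch = 41
E/DataRouter( 2585): Read 1 chars from SMD Modem file fd = 17
E/DataRouter( 2585): buf = A
E/DataRouter( 2585): Wrote 1 chars to USB PORT fd=29
E/DataRouter( 2585): buf=A
E/DataRouter( 2585): Send [1] bytes to SMD. message:T
E/DataRouter( 2585): Wrote 1 chars to EXTERNAL PORT fd=17 ch = 54
E/DataRouter( 2585): Read 1 chars from SMD Modem file fd = 17
E/DataRouter( 2585): buf = T
E/DataRouter( 2585): Wrote 1 chars to USB PORT fd=29
E/DataRouter( 2585): buf=T
E/DataRouter( 2585): Send [1] bytes to SMD. message:
E/DataRouter( 2585): Wrote 1 chars to EXTERNAL PORT fd=17 ch = 0d
"""

# Descriptor targets as listed in the post for /proc/2585/fd.
SAMPLE_FDS = """\
fd=17 --> socket:[1904]
fd=29 --> /dev/ttyGS0
"""

LINE = re.compile(r"^E/DataRouter\(\s*(\d+)\):\s?(.*)$")
WROTE = re.compile(
    r"Wrote (\d+) chars to (.+?) fd\s*=\s*(\d+)(?: ch = ([0-9a-fA-F]{2}))?$"
)
READ = re.compile(r"Read (\d+) chars from (.+?) fd\s*=\s*(\d+)$")
BUF = re.compile(r"^buf\s*=\s?(.*)$")


def parse_fd_targets(fd_text):
    """Map fd number -> target from lines such as 'fd=17 --> socket:[1904]'."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"fd=(\d+)\s*-->\s*(\S+)", fd_text)}


def analyse(log_text, fd_text=""):
    """Return {fd: {labels, written, read, target}} rebuilt from the log."""
    targets = parse_fd_targets(fd_text)
    report = defaultdict(
        lambda: {"labels": set(), "written": b"", "read": b"", "target": None}
    )
    pending = None  # (fd, direction) whose payload is on the next "buf" line
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        msg = line.group(2).rstrip()
        wrote, read, buf = WROTE.search(msg), READ.search(msg), BUF.match(msg)
        if wrote:
            fd = int(wrote.group(3))
            report[fd]["labels"].add(wrote.group(2))
            if wrote.group(4):  # byte logged as hex, so control chars survive
                report[fd]["written"] += bytes.fromhex(wrote.group(4))
                pending = None
            else:               # payload follows on the next "buf" line
                pending = (fd, "written")
        elif read:
            fd = int(read.group(3))
            report[fd]["labels"].add(read.group(2))
            pending = (fd, "read")
        elif buf and pending:
            fd, direction = pending
            report[fd][direction] += buf.group(1).encode("latin-1", "replace")
            pending = None
    for fd, entry in report.items():
        entry["target"] = targets.get(fd)
    return dict(report)


def dual_role_fds(report):
    """Descriptors the log refers to under more than one name."""
    return sorted(fd for fd, e in report.items() if len(e["labels"]) > 1)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, SAMPLE_FDS)
    for fd in sorted(result):
        e = result[fd]
        print(fd, e["target"], sorted(e["labels"]), e["written"], e["read"])
    print("same fd under two names:", dual_role_fds(result))
```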
PaulKocialkowski said:
Oh Nexus S status is very good (actually the best). That's the device we initially created libsamsung-ipc for (before, it was for samsung H1 and wasn't called libsamsung-ipc).
State of the modem using libsamsung-ipc and samsung-ril is at: redmine.replicant.us/projects/replicant/wiki/SamsungModems
Basically, we have calls, sms, network registration and much more. Data is working but it's unclean on the code and needs more work. Note that I'm the only active dev on samsung-ril, and we're 2 on libsamsung-ipc. I'm also the one who added support for galaxy s and galaxy tab devices.
So in Nexus S, you can talk with the modem very easily, using libsamsung-ipc (which is a lib, so you need to use a binary, like modemctrl that comes with libsamsung-ipc).
Also, note that the SHR GNU/Linux distribution supports Nexus S as well and uses libsamsung-ipc.
Okay but I would like to send AT Commands from Android terminal to the modem or from an APP in Android. Can I find using REPLICANT ROM the folder /dev/smd0?
I found this an interesting read. http://download.maritex.com.pl/pdfs/wi/GSM-TM2.pdf It has a lot of information in it.
AdamOutler said:
I found this an interesting read. ... It has a lot of information in it.
Sorry, but I just can't see how it is relevant. Did I miss something? It's just another GSM module without HW specs as usual... Thanks anyway.
E:V:A said:
Sorry, but I just can't see how it is relevant. Did I miss something? It's just another GSM module without HW specs as usual... Thanks anyway.
It has AT command descriptions which may assist in adding more descriptions to the first page. I noticed a lot of yours were incomplete, so I posted that.
AdamOutler said:
It has AT command descriptions which may assist in adding more descriptions to the first page. I noticed a lot of yours were incomplete, so I posted that.
Ahh, yes. I was just updating the AT+Xzzzz sets from various sources. (The best one by far was the Google available: "AMOD HSPA Modules_AT_Command Specification".) I had to move the list to post #3. Now there are only a very few missing. The others I did not bother to re-explain/merge with the already known and "standard" ones...
There are a lot of implementations of the AT set. There are official documents with all the standard commands. Take a look at wiki.openmoko.org page: Hardware:AT_Commands (links to ETSI and 3GPP documents).
---------- Post added at 09:15 PM ---------- Previous post was at 08:41 PM ----------
IIRC, there is an UART debug line that can be used to talk to the modem directly. On Nexus S, the ttyFIQ0 node was related to UART. Maybe you can route the modem to ttyFIQ0 by dealing with /sys/class/sec/uart_switch/UART_SEL/value
Important fact: note this on Galaxy S2 init.rc:
chown radio system /sys/class/sec/uart_switch/UART_SEL/value
Really try to look at that sys node and you'll perhaps succeed in getting it (modem UART line) routed on ttyFIQ0 on the device.
Also, look at the FSA something component in the kernel sources: it's highly related to the UART line. It was FSA9480 on Nexus S. Look at NexusSBootloader#Serial-Console on Replicant Redmine wiki to see how we used it.
I seriously doubt there is any kind of protocol converter that converts Samsung IPC data to AT commands on this line. In my opinion the line you get is most probably the modem debug UART line.
It looks like this:
Modem <-> UART line <-> FSA9480 <-> USB <-> Host PC
|<-> kernel driver <-> RIL <-> Android framework
And the idea would be to redirect the modem uart line to ttyFIQ0. I don't know if you have to do the routing via the FSA component. I know someone who perhaps knows better about that.
---------- Post added at 09:21 PM ---------- Previous post was at 09:15 PM ----------
The logs with DataRouter are really interesting. These are not part of the RIL (I checked with strings) but there is definitely something *software* between the modem and your terminal on PC.

[Q] Modem with oFono/oFono-ril?

Hi Guys,
what do you think, is it possible (would be possible) to use oFono/ofono-ril for the modem for our Wave? In theory oFono could be used with any modem that supports standard AT commands...
More info here: http://ofono.org/ and here http://gitorious.org/android-n900/ofono-ril/trees/gingerbread
Sadly Wave's CP doesn't support most of standard AT commands. :[
Rebellos said:
Sadly Wave's CP doesn't support most of standard AT commands. :[
Hey Rebellos, is anything interesting happening on this front, or can we pretty much forget about Android on the W 2?
Greetings from Mazovia
AT+CALC
Code:
Polecenie (tryb AT):
AT+CLAC
Odpowiedź:
AT+CLAC
&C
&D
&E
&F
&S
&V
&W
E
I
L
M
Q
V
X
Z
T
P
\Q
\S
\V
%V
D
A
H
O
S0
S2
S3
S4
S5
S6
S7
S8
S9
S10
S11
S30
S103
S104
+ICF
+IFC
+IPR
+GMI
+GMM
+GMR
+GCAP
+GSN
+DR
+DS
+WS46
+SYNCML
+BATGETLEVEL
+BATUPDATE
+BATGETTABLE
+UPLOADUNSET
+CRLP
+CV120
+CSSN
+CREG
+CGREG
+CFUN
+GCAP
+CSCS
+CSTA
+CR
+CEER
+CRC
+CMEE
+CGDCONT
+CGDSCONT
+CGTFT
+CGEQREQ
+CGEQMIN
+CGQREQ
+CGQMIN
+CGEREP
+CGPADDR
+CGDATA
+CGCLASS
+CGSMS
+CSMS
+CMGF
+CSAS
+CRES
+CSCA
+CSMP
+CSDH
+CSCB
+FDD
+FAR
+FCL
+FIT
+ES
+ESA
+CMOD
+CVHU
+ACSENSOR
+RTCCTEST
+KEYSHORT
+PROXIMIT
+GEOMAGSS
+FIRMVERS
+APPINSTALL
+APPUNINSTALL
+APPLAUNCH
+TKSHELL
+CSQ
+CBC
+CPAS
+CPIN
+CMEC
+CKPD
+CIND
+CMER
+CGATT
+CGACT
+CGCMOD
+CPBS
+CPBR
+CPBF
+CPBW
+CPMS
+CNMI
+CMGL
+CMGR
+CMGS
+CMSS
+CMGW
+CMGD
+CMGC
+CNMA
+CMMS
+FTS
+FRS
+FTH
+FRH
+FTM
+FRM
+CHUP
+CCFC
+CCUG
+COPS
+CLCK
+CPWD
+CPWC
+CUSD
+CAOC
+CACM
+CAMM
+CPUC
+CCWA
+CHLD
+CIMI
+CGMI
+CGMM
+CGMR
+CGSN
+CNUM
+CCLK
+CLVL
+CMUT
+CLCC
+COPN
+CPOL
+CPLS
+CTZR
+CCWE
+CTZU
+CLAC
+CLIP
+COLP
+CSGT
+CRMP
+CDIP
+CTFR
+CLIR
$QCSIMSTAT
$QCCNMI
$QCCLR
$QCDMG
$QCDMR
$QCDNSP
$QCDNSS
$QCTER
$QCSLOT
$QCPINSTAT
$QCPDPP
$QCPDPLT
$QCPWRDN
$QCDGEN
$BREW
$QCSYSMODE
$QCCTM
$SUSBC
$NWMDCHNG
$SHPSLEEP
Is it helpful?
Don't let this project die, don't.
That's bad news if the CP doesn't support most of the standard AT commands... So this doesn't help at all?
anghelyi said:
Hi Guys,
what do you think, is it possible (would be possible) to use oFono/ofono-ril for the modem for our Wave? In theory oFono could be used with any modem that supports standard AT commands...
More info here: http://ofono.org/ and here http://gitorious.org/android-n900/ofono-ril/trees/gingerbread
What you're saying just doesn't make sense. Why would you wanna use a oFono RIL on a Samsung device?
The RIL is just used to channel (and translate) android java phone/sim/modem related commands to the lower hardware layer on/for the radio processor. Thus the vendor RIL needs to apply to the hardware of THAT vendor (i.e. Samsung). Why re-invent the wheel?
Now, there are some exceptions due to the fact that the RIL code is fairly closed source (although GPL'd AFAIK ==> should be released), that there are some project(s) that would like to make a "Free RIL"...
BTW. All GSM modems support the "standard AT set" (or your phone would probably not work!) The tricky part is how to access it from outside the AOS & RIL. But that's another topic.
E:V:A said:
What you're saying just doesn't make sense. Why would you wanna use a oFono RIL on a Samsung device?
I don't get your point... oFono is a platform agnostic library for mobile apps, with a lot of supported modems (even with standard AT command support) and oFono RIL is a RIL implementation based on it. Why not to use it? If it works with the N9 why not try to build it for Wave?
E:V:A said:
Now, there are some exceptions due to the fact that the RIL code is fairly closed source (although GPL'd AFAIK ==> should be released), that there are some project(s) that would like to make a "Free RIL"...
BTW. All GSM modems support the "standard AT set" (or your phone would probably not work!) The tricky part is how to access it from outside the AOS & RIL. But that's another topic.
RIL isn't GPL, it's Apache License, like most of Android platform, so doesn't have to be released.
Yea, there actually are handlers for AT cmds inside of AMSS, but modem initialization, nor any more advanced usage can't be done with these alone.
Rebellos said:
RIL isn't GPL, it's Apache License, like most of Android platform, so doesn't have to be released.
Yea, there actually are handlers for AT cmds inside of AMSS, but modem initialization, nor any more advanced usage can't be done with these alone.
Rebellos, how this works? like.. the modem access is through AT and then call for the other things?
anghelyi said:
I don't get your point... oFono is a platform agnostic library for mobile apps, with a lot of supported modems (even with standard AT command support) and oFono RIL is a RIL implementation based on it. Why not to use it? If it works with the N9 why not try to build it for Wave?
Dammit! You're absolutely right. I did the classical error of not "following the f%&ing links" before posting! So I have obviously confused the oFono project with a completely different one... Actually this seems to be a very cool project! We should try to get some of these guys involved over here or vice versa.
anonimo1w said:
Rebellos, how this works? like.. the modem access is through AT and then call for the other things?
Try to be a little more specific. On many platforms the phone application processor (UI/UX) does much of its normal communication (phone calls, sms, sim etc) to/from the baseband processor (modem) via an AT interface. However, in many cases this AT interface is "embedded" in other transport layers like IPC, I2C or what have you. In addition, the actual physical control mechanisms (like putting modem to sleep/wake up, power save, RF power, booting, test modes etc.) are usually done through GPIO or other forms of UART. Honestly, it's quite a mess to explain, because there are many variations on how this is handled. (That's why they needed the RIL in the first place.) Finally, since I don't have a Wave, I don't know how that is done. I just know they use a Qualcomm modem... and some of their manuals are available.
In modern SHP based phones hierarchy of transport layers is like:
1) oneDRAM
2) SHP IPC protocol with packet types listed below: (as per Samsung Jet S8000)
Code:
typedef enum
{
FIFO_PKT_NONE = 0, // 0
FIFO_PKT_KEY, // 1
FIFO_PKT_SIM, // 2
FIFO_PKT_PROTO, // 3
FIFO_PKT_TAPI, // 4
FIFO_PKT_PHONESTATUS, // 5
FIFO_PKT_FILE, // 6
FIFO_PKT_LCD, // 7
FIFO_PKT_LED, // 8
FIFO_PKT_SOUND, // 9 Sound means voice here
FIFO_PKT_SOUND_DATA, // 10
FIFO_PKT_H324M, // 11
FIFO_PKT_AMR_DATA, // 12
FIFO_PKT_AMR_CTRL, // 13
FIFO_PKT_CLOCK, // 14
FIFO_PKT_BOOT, // 15
FIFO_PKT_FLIP, // 16
FIFO_PKT_SYSTEM, // 17
FIFO_PKT_USBPROTO, // 18
FIFO_PKT_USBFILE, // 19
FIFO_PKT_USBDIAG, // 20
FIFO_PKT_IRDAPROTO, // 21
FIFO_PKT_IRDAFILE, // 22
FIFO_PKT_IRDADIAG, // 23
FIFO_PKT_TIMER, // 24
FIFO_PKT_DEBUG, // 25
FIFO_PKT_DIAGNOSE, // 26
FIFO_PKT_SPECIAL_BOOT, // 27
FIFO_PKT_CALL_TIME, // 28
FIFO_PKT_ALARM, // 29
FIFO_PKT_FIFO_INTERNAL,// 30
FIFO_PKT_USBCRCPROTO, // 31
FIFO_PKT_USBCRCFILE, // 32
FIFO_PKT_USBCRCDIAG, // 33
FIFO_PKT_VIBRATOR, // 34
FIFO_PKT_AMLED, // 35 AppMgr LED
FIFO_PKT_AMVIB, // 36 AppMgr Vibrator
FIFO_PKT_AMLCD, // 37 AppMgr LCD Backlight
FIFO_PKT_DATA_PCSYNC,
FIFO_PKT_CTRLCMD_PCSYNC,
FIFO_PKT_DATA_WSSSYNC,
FIFO_PKT_TIME, // 41 TimeMgr
FIFO_PKT_DVB_H_CAS_SIM, // 42 DVB-H CAS SIM
FIFO_PKT_DVB_H_CAS_TEST,// 43 DVB-H CAS Test module.
FIFO_PKT_DVB_H_CAS, // 44 DVB-H CAS Common usage.
FIFO_PKT_DVB_H_CAS_IPS, // 45 DVB-H CAS IPS usage.
FIFO_PKT_DVB_H_DebugLevel, //46 receive debug level from MSM
FIFO_PKT_Forced_Assert, // 47
FIFO_PKT_MEMORY, // 48
FIFO_PKT_NV, // 49 // NvMgrLite
FIFO_PKT_LBS, // 50 LBS
FIFO_PKT_SIM_JSR177, // 51 S8000_JSR177_kjseo
FIFO_PKT_USER = 0x80,
FIFO_PKT_DVBH = FIFO_PKT_USER + 0x06,
FIFO_PKT_DVBH_SVC,
FIFO_PKT_DVB_H_LAYER1,
FIFO_PKT_DVB_PLAYER,
FIFO_PKT_AV_PLAYER,
FIFO_PKT_PH, // BB -> MM : Protocol Handler FIFO Type
FIFO_PKT_PH_LITE, // MM -> BB : Protocol Handler Lite FIFO Type
FIFO_PKT_FX = 0x90,
FIFO_PKT_BLUETOOTH ,
FIFO_PKT_TESTMODE, // Testmode
FIFO_PKT_DRV, // driver
FIFO_PKT_AGENT,
FIFO_PKT_DEVMGR,
FIFO_PKT_SECUREBOOT,
FIFO_PKT_MAX
} FifoType;
In Wave there are also a few "service" packets added. Not sure what these are for.
Actually, during initialization of the modem, SECUREBOOT, FM (direct access to Bada file system by CP), IPC_PACKET (not listed here or named differently), BOOT, SIM (managing sim contacts and logging) and some others are used. The packets that manage telephony are PROTO and TAPI (telephony API).
TAPI packets split into a few subtypes:
TAPI_TYPE_CALL = 0 //53 subtypes
TAPI_TYPE_NETTEXT = 1 //around 10 subtypes
TAPI_TYPE_NETWORK = 2 //23 subtypes
TAPI_TYPE_SS = 3 //48 subtypes
TAPI_TYPE_AT = 4 //34 subtypes
TAPI_TYPE_DMH = 5 //n subtypes, called API_IDs (must be nonzero)
TAPI_TYPE_CONFIG = 6 //n subtypes, called API_IDs (must be nonzero)
TAPI layer splits into contexts, which might be called "channels" for managing telephony functions
CALL (3 max)
NETTEXT (SMS/MMS, few allowed)
NETWORK (up to one)
SS (security related AFAIR)
AT (this is probably route of AT commands)
modem
i dont know this part but i want to know wave s8500 modem work or not ics 4.0.4?
yasotharan13 said:
i dont know this part but i want to know wave s8500 modem work or not ics 4.0.4?
stop annoying everyone!! it's not working yet!!

[Devs only] MTD/OneNAND driver development for Samsung msm7k devices - help needed

Yesterday I discovered a very interesting source release from Samsung: GT-S5830G_GB_Opensource.zip
Normally, there is a shared Samsung source release for the msm7k range of devices (Ace, Mini, Callisto, Beni, Gio; there is also partial support included for my GT-I5500/Europa, but I adapted the source to properly support my phone). All of these devices usually depend on Samsung's proprietary FSR (Flex Sector Remapper) drivers in order to access the flash memory, which are taken from the stock ROMs, but our dependence on this driver locks us into the 2.6.35 kernel since we don't have access to the driver source.
The new source that I found for the GT-S5830G model, however, appears to contain modifications for the purpose of transitioning from Samsung's proprietary FSR driver to the open source MTD (via msm_nand) driver. If this can work correctly, using this driver would be much preferred over the proprietary Samsung stuff.
Here's the source that I uploaded to github: https://github.com/psyke83/android_kernel_samsung_msm/tree/purenand
Some observations that I have made, keeping in mind that I'm testing on my GT-I5500:
There are two separate configs for the cooper rev03 (Galaxy Ace): the standard defconfig that uses fsr/rfs, and a "purenand" config that uses the mtd/yaffs2 drivers instead of fsr/rfs. In other words, it's using the open drivers for flash access. Here is the diff: https://gist.github.com/3365123
The dpram driver (Samsung's driver for communication with baseband, used by RIL) is patched to support MTD instead of BML when the proper config is set.
The drivers/mtd/devices/msm_nand.c driver is modified by Samsung, but they applied their patches to an older revision of msm_nand.c from Froyo. Here is the diff when comparing this file vs the Froyo revision, so you can see more clearly the changes: https://gist.github.com/3365161
By default, the msm_nand.c driver causes the kernel to hang on my device (this is true for both this source and the older 2.6.35 Samsung source not based on purenand). I have isolated the hang to the flash_onfi_probe function.
As you can see here, Samsung added code to bypass this function on the Cooper board, and use the secondary detection method only. If I include my board to this ifdef block, it solves the issue with the kernel hanging on my device. I also need to patch some checks in the onenand detection, because the driver explicitly looks for onenand devices with a device_id of 0x40 and num_of_buffers as 0x201, but the chip on the GT-I5500 is different (device_id is 0x50, num_of_buffers is 0x101). This patch solves these problems: https://gist.github.com/3365222
Here is a dmesg log from my device after patching the code: https://gist.github.com/3360727. For comparison purposes, look at the block mapping that the fsr driver reports for my device when using the BML mapping: https://github.com/psyke83/android_device_samsung_galaxy5/blob/gingerbread/BoardConfig.mk#L53
As you can see, the partition names and order are detected correctly by the msm_nand driver, but the address mappings are exactly half of what they are supposed to be (e.g. the first partition, mibib, should range from 0x00000000-0x00180000, but the mtd driver detects the memory range as 0x00000000-0x000C0000).
If I try to perform a "nanddump -f /sdcard/cache.img /dev/mtd/mtd13", there are no obvious errors in the dmesg log, but the tool will dump the cache partition until the sd card becomes full (over 300mb in my case, but the real /cache partition is only 25MB), and will then output "nanddump: short write". The resulting dump will be filled with 0xFF when examined with a hex editor (even though I'm sure that the /cache partition is not blank in reality).
These are my findings so far. I'd appreciate any kernel hackers to help me out. If we can crack this problem and get open onenand drivers working, then our devices will no longer be locked to any specific kernel release. If you know any developers for the Samsung devices I mentioned at the beginning of the post, or anyone else who may be able to help, please direct them to this thread. Thanks!
Reserved for future use
I have also posted this topic on the MadTeam forum, and posted a lot of further details. Please see: http://madteam.co/forum/development-8/(devs-only)-mtdonenand-driver-development/
Post this on General Discussion, this section is inactive

[Q] Archidroid, included debian error.

Hi, i have archidroid 2.3.8 , devil kernel ,f2fs. I can't install (for example) update:
Code:
Do you want to continue? [Y/n] Y
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Extracting templates from packages: 100%
Preconfiguring packages ...
(Reading database ... 12938 files and directories currently installed.)
Preparing to unpack .../libc6_2.18-4_armhf.deb ...
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Checking for services that may need to be restarted...
Checking init scripts...
WARNING: Your kernel version indicates a revision number
of 255 or greater. Glibc has a number of built in
assumptions that this revision number is less than 255.
If you\'ve built your own kernel, please make sure that any
custom version numbers are appended to the upstream
kernel number with a dash or some other delimiter.
dpkg: error processing archive /var/cache/apt/archives/libc6_2.18-4_armhf.deb (--unpack):
.
How I can fix this ?
Sorry for my bad english :/.
WARNING: Your kernel version indicates a revision number
of 255 or greater. Glibc has a number of built in
assumptions that this revision number is less than 255.
If you\'ve built your own kernel, please make sure that any
custom version numbers are appended to the upstream
kernel number with a dash or some other delimiter
It's clearly stated what's wrong. My pocket debian depends on the running kernel (because it doesn't use any slow emulation or virtualization - it's chrooted environment), so it requires certain things to be GNU-compatible, it looks like devil kernel version is not.
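The rule quoted in the warning, applied to kernel release strings, as an added example that is not part of the original thread and is not Debian's own maintainer script. It assumes "revision number" means the third dot-separated numeric field of `uname -r`; the function names and the sample release strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: applies the rule quoted in the glibc warning to kernel release
# strings. Assumption: "revision number" is the third dot-separated numeric
# field of `uname -r` (3.0.101 -> 101). This is not Debian's maintainer script.

# Print the third numeric field of a release string, or nothing if there is none.
kernel_revision() {
    printf '%s\n' "$1" |
        sed -n 's/^[0-9][0-9]*\.[0-9][0-9]*\.\([0-9][0-9]*\).*$/\1/p'
}

# Exit status: 0 = revision below 255, 1 = revision 255 or greater,
# 2 = no third numeric field could be parsed.
check_release() {
    rev=$(kernel_revision "$1")
    [ -n "$rev" ] || return 2
    if [ "$rev" -ge 255 ]; then
        return 1
    fi
    return 0
}

# Human-readable verdict for one release string.
describe_release() {
    rc=0
    check_release "$1" || rc=$?
    case "$rc" in
        0) echo "$1: ok (revision $(kernel_revision "$1"))" ;;
        1) echo "$1: revision $(kernel_revision "$1") is 255 or greater, trips the glibc check" ;;
        *) echo "$1: cannot parse a revision field" ;;
    esac
}

# Constructed sample strings (not taken from the thread), then the running kernel.
# "3.0.31337" models a custom number glued onto 3.0.31 without a delimiter.
for release in "3.0.101-custom" "3.0.31-gabc1234" "3.0.31337" "3.4.255" "$(uname -r)"; do
    describe_release "$release"
done
```

A custom suffix separated by a dash leaves the revision field untouched, which is the fix the warning itself asks for.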

[DEV only] Random Development thoughts

I have started this thread as a place to discuss random development thoughts that probably don't need their own threads, and as a place to discuss issues so other threads don't go too far off topic.
Table of Contents:
DBV for c6843: Posts 1 - 6
GPL: Post 7
F2FS: Post 8
wlan: post 9, 11 -
Optimisation Bookmark: post 10
Original Post 1:
First thought
@dbolivar Have you tried building you (DooMKernel) with CONFIG_DVB_CORE = y/m to see if you can get the TV function to work?
blueether said:
I have started this thread as a place to discuss random development thoughts that probably don't need their own threads, and as a place to discuss issues so other threads don't go too far off topic.
First thought
@dbolivar Have you tried building you (DooMKernel) with CONFIG_DVB_CORE = y/m to see if you can get the TV function to work?
Hi, good start. In fact I have, the differences in the kernel options between C6833 and C6843 (Brazilian model with digital TV) are:
Code:
47c47
< CONFIG_MACH_SONY_TOGARI_BRAZIL=y
---
> CONFIG_MACH_SONY_TOGARI_ROW=y
275d274
< CONFIG_ISDBT_TUNER_SMTEJ11X=y
325a325,327
> CONFIG_TOUCHSCREEN_CLEARPAD=y
> CONFIG_TOUCHSCREEN_CLEARPAD_I2C=y
> CONFIG_TOUCHSCREEN_CLEARPAD_RMI_DEV=y
Yes, I don't know why the Clearpad touchscreen is enabled for the C6833, but not for the C6843; I think it's just garbage (perhaps they made the togari defconfig based off honami, and corrected that when making the togari_brazil defconfig). It doesn't make any difference for me, disabling them keeps the touchscreen (MAX1187) functions normal.
Well, back to the point: even when applying these differences to the ZU DooMKernel, the digital TV doesn't work. The app stays a long time in a black screen, and finally closes (FC). I investigated the kmsg and logcat, but nothing useful.
CONFIG_DVB_CORE is "m" by default. I tried insmod'ing every module in /system/lib/modules, but same result. I temporarily gave up, because I don't watch the crap they broadcast on the open TV here. But yeah, it would be good to have everything working...
dbolivar said:
Hi, good start. In fact I have, the differences in the kernel options between C6833 and C6843 (Brazilian model with digital TV) are:
Code:
47c47
< CONFIG_MACH_SONY_TOGARI_BRAZIL=y
---
> CONFIG_MACH_SONY_TOGARI_ROW=y
275d274
< CONFIG_ISDBT_TUNER_SMTEJ11X=y
325a325,327
> CONFIG_TOUCHSCREEN_CLEARPAD=y
> CONFIG_TOUCHSCREEN_CLEARPAD_I2C=y
> CONFIG_TOUCHSCREEN_CLEARPAD_RMI_DEV=y
Yes, I don't know why the Clearpad touchscreen is enabled for the C6833, but not for the C6843; I think it's just garbage (perhaps they made the togari defconfig based off honami, and corrected that when making the togari_brazil defconfig). It doesn't make any difference for me, disabling them keeps the touchscreen (MAX1187) functions normal.
Well, back to the point: even when applying these differences to the ZU DooMKernel, the digital TV doesn't work. The app stays a long time in a black screen, and finally closes (FC). I investigated the kmsg and logcat, but nothing useful.
CONFIG_DVB_CORE is "m" by default. I tried insmod'ing every module in /system/lib/modules, but same result. I temporarily gave up, because I don't watch the crap they broadcast on the open TV here. But yeah, it would be good to have everything working...
I hadn't got around to diff'ing them I just noticed the DVB line and had a quick look at the brazil defconfig.
I guess there is a binary blob that is needed?
For some reason I have to include the clearpad stuff at the moment in the pimped kernel, I should dig to find out why so the kernel is a tad smaller.
blueether said:
I hadn't got around to diff'ing them I just noticed the DVB line and had a quick look at the brazil defconfig.
I guess there is a binary blob that is needed?
For some reason I have to include the clearpad stuff at the moment in the pimped kernel, I should dig to find out why so the kernel is a tad smaller.
Hmm very good insight about the binary blob... It's very possible. I have FTFs for the C6833 and C6843, I'll extract them and compare the file list.
I made it work!! Well, involves some manual steps, but it's a very good progress. I started by comparing the file listing in /system from stock C6833 and C6843 firmwares, and although there is no kernel blob, there ARE some files related to DTV, mostly dynamic libs (.so), some configuration, but most importantly, these two:
Code:
/system/bin/dtvsdserver
/system/bin/dtvserver
So, I insmod'ed every module related to DTV/DVB, and then started these guys... And the TV works! BUT, as soon as I quit the Mobile TV app, the process "dtvserver" is killed with a hangup signal, and opening the app again does not restart it, so I have to manually bring the dtvserver up first (otherwise the same previous issue happens, black screen and finally Mobile TV FC's).
I notice some DTV/DVB modules couldn't be insmod'ed:
Code:
insmod: init_module 'dib3000mc.ko' failed (No such file or directory)
insmod: init_module 'dib7000m.ko' failed (No such file or directory)
insmod: init_module 'dib7000p.ko' failed (No such file or directory)
insmod: init_module 'dib8000.ko' failed (No such file or directory)
insmod: init_module 'dib9000.ko' failed (No such file or directory)
insmod: init_module 'mpq-dmx-hw-plugin.ko' failed (No such file or directory)
insmod: init_module 'tuner-simple.ko' failed (No such file or directory)
But the modules are there, and they are the new ones... I don't get it why they can't be insmod'ed, perhaps something is missing from the kernel config? It could be one of the reasons.
Another thing I've been wondering, is why the DVB modules necessary for the Mobile TV are not loaded automatically, like the wlan module is, for instance. Perhaps a difference in the ramdisk? Something to investigate next.
dbolivar said:
I made it work!! Well, involves some manual steps...
Another thing I've been wondering, is why the DVB modules necessary for the Mobile TV are not loaded automatically, like the wlan module is, for instance. Perhaps a difference in the ramdisk? Something to investigate next.
Congrats on getting that far with the DTV, will make for a more complete device for the c6843 users that want to use custom ROMs
Any differences in udev or init.rc or whatever android uses?
Development using the GPL and GPL'd code
The GPL is a very powerful tool, as are the other OSS licences. One has to know how they are used and can/can't be enforced before publishing any code under these licences or modifying code that has been published under an OSS licence. Using an OSS licence brings with it risks and rewards, often these are one and the same.
When we do anything with Android [Linux] kernels we fall under the bounds of the GPL v2 that it is published under. Any modification to the kernel has to be published under the same licence, and we have to publish the newly modified source in a state that can recreate the binary that you publish to the public/xda.
I'll leave you with this quote from http://programmers.stackexchange.com
...are you prepared to live by it, and let other people use what you've written, rather than just liking it because of what you can get out of it?
F2FS mount and sysfs options
Now that we have an F2FS-enabled firmware by default, I've been reading about the mount options and sysfs entries available. As many of us know, there are lots of tweaks out there for EXT4, but what about F2FS? Well, here is the official documentation from the Linux kernel:
https://www.kernel.org/doc/Documentation/filesystems/f2fs.txt
As for the mount options, I think only discard could be interesting (but it's questionable, some people say it's better to schedule a regular fstrim call instead). There are also some sysfs tunables which I think can have a noticeable impact in battery life, and performance. Testing them would require a lot of trial and error. I'm pasting them below for those who don't want to go through the full document:
Code:
================================================================================
SYSFS ENTRIES
================================================================================
Information about mounted f2f2 file systems can be found in
/sys/fs/f2fs. Each mounted filesystem will have a directory in
/sys/fs/f2fs based on its device name (i.e., /sys/fs/f2fs/sda).
The files in each per-device directory are shown in table below.
Files in /sys/fs/f2fs/<devname>
(see also Documentation/ABI/testing/sysfs-fs-f2fs)
..............................................................................
 File                         Content

 gc_max_sleep_time            This tuning parameter controls the maximum sleep
                              time for the garbage collection thread. Time is
                              in milliseconds.

 gc_min_sleep_time            This tuning parameter controls the minimum sleep
                              time for the garbage collection thread. Time is
                              in milliseconds.

 gc_no_gc_sleep_time          This tuning parameter controls the default sleep
                              time for the garbage collection thread. Time is
                              in milliseconds.

 gc_idle                      This parameter controls the selection of victim
                              policy for garbage collection. Setting gc_idle = 0
                              (default) will disable this option. Setting
                              gc_idle = 1 will select the Cost Benefit approach
                              & setting gc_idle = 2 will select the greedy aproach.

 reclaim_segments             This parameter controls the number of prefree
                              segments to be reclaimed. If the number of prefree
                              segments is larger than the number of segments
                              in the proportion to the percentage over total
                              volume size, f2fs tries to conduct checkpoint to
                              reclaim the prefree segments to free segments.
                              By default, 5% over total # of segments.

 max_small_discards           This parameter controls the number of discard
                              commands that consist small blocks less than 2MB.
                              The candidates to be discarded are cached until
                              checkpoint is triggered, and issued during the
                              checkpoint. By default, it is disabled with 0.

 ipu_policy                   This parameter controls the policy of in-place
                              updates in f2fs. There are five policies:
                              0: F2FS_IPU_FORCE, 1: F2FS_IPU_SSR,
                              2: F2FS_IPU_UTIL, 3: F2FS_IPU_SSR_UTIL,
                              4: F2FS_IPU_DISABLE.

 min_ipu_util                 This parameter controls the threshold to trigger
                              in-place-updates. The number indicates percentage
                              of the filesystem utilization, and used by
                              F2FS_IPU_UTIL and F2FS_IPU_SSR_UTIL policies.

 max_victim_search            This parameter controls the number of trials to
                              find a victim segment when conducting SSR and
                              cleaning operations. The default value is 4096
                              which covers 8GB block address range.

 dir_level                    This parameter controls the directory level to
                              support large directory. If a directory has a
                              number of files, it can reduce the file lookup
                              latency by increasing this dir_level value.
                              Otherwise, it needs to decrease this value to
                              reduce the space overhead. The default value is 0.

 ram_thresh                   This parameter controls the memory footprint used
                              by free nids and cached nat entries. By default,
                              10 is set, which indicates 10 MB / 1 GB RAM.
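For the trial and error the post mentions, a helper that rejects values outside what the table documents and records the previous value before each write, so a change can be reverted. This is an added example, not part of the original post or the kernel documentation; `f2fs_valid` and `f2fs_set` are hypothetical names, and the accepted ranges are taken from the excerpt above.

```shell
#!/bin/sh
# Added example: validated writes to the f2fs sysfs tunables listed above.
# f2fs_valid / f2fs_set are hypothetical helper names; the accepted ranges are
# the ones given in the documentation excerpt.

# Succeed if VALUE is acceptable for tunable NAME.
f2fs_valid() {
    name=$1
    value=$2
    case "$value" in
        ''|*[!0-9]*) return 1 ;;               # every tunable here is an unsigned integer
    esac
    case "$name" in
        gc_idle)      [ "$value" -le 2 ] ;;    # 0 off, 1 cost-benefit, 2 greedy
        ipu_policy)   [ "$value" -le 4 ] ;;    # F2FS_IPU_FORCE .. F2FS_IPU_DISABLE
        min_ipu_util) [ "$value" -le 100 ] ;;  # percentage of filesystem utilization
        gc_max_sleep_time|gc_min_sleep_time|gc_no_gc_sleep_time) return 0 ;;
        reclaim_segments|max_small_discards|max_victim_search)   return 0 ;;
        dir_level|ram_thresh)                                    return 0 ;;
        *) return 1 ;;                         # not in the documented table
    esac
}

# f2fs_set DIR NAME VALUE
# Validates VALUE, writes it to DIR/NAME and prints "NAME OLD NEW" so the change
# can be logged and reverted later.
# Status: 0 written, 1 tunable absent or not writable, 2 value rejected.
f2fs_set() {
    dir=$1
    name=$2
    value=$3
    f2fs_valid "$name" "$value" || return 2
    [ -w "$dir/$name" ] || return 1
    old=$(cat "$dir/$name")
    printf '%s\n' "$value" > "$dir/$name" || return 1
    printf '%s %s %s\n' "$name" "$old" "$value"
}

# Usage: <script> /sys/fs/f2fs/<devname> NAME VALUE
if [ "$#" -eq 3 ]; then
    f2fs_set "$1" "$2" "$3"
fi
```

Appending the printed lines to a file gives a change log whose second column holds the value to write back when a setting turns out worse.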
@blueether & @dbolivar :
our primary concern should be to get custom wlan (prima/pronto) drivers working on custom compiled kernel for stock ROMs.. once we have that there are a LOT of features which we can add!
so far I havent had much luck but you can find all my tests here
https://github.com/DooMLoRD/android_kernel_sony_msm8974/commits/testing_stock_4.3_wlan
https://github.com/DooMLoRD/android_kernel_sony_msm8974/commits/testing_stock_4.3_wlan_clean
https://github.com/DooMLoRD/android_kernel_sony_msm8974/commits/testing_z1_gpe_port_wlan
A bookmark
Worth the read @dbolivar
http://forum.xda-developers.com/showthread.php?t=2754997
DooMLoRD said:
@blueether & @dbolivar :
our primary concern should be to get custom wlan (prima/pronto) drivers working on custom compiled kernel for stock ROMs.. once we have that there are a LOT of features which we can add!
so far I havent had much luck but you can find all my tests here
https://github.com/DooMLoRD/android_kernel_sony_msm8974/commits/testing_stock_4.3_wlan
https://github.com/DooMLoRD/android_kernel_sony_msm8974/commits/testing_stock_4.3_wlan_clean
https://github.com/DooMLoRD/android_kernel_sony_msm8974/commits/testing_z1_gpe_port_wlan
I'm giving it a try - downloaded the latest sources from CodeAurora and applied to your kernel (adjusting Kconfigs, Makefiles and defconfig). The compilation stops here:
Code:
drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c: In function ‘wlan_hdd_send_avoid_freq_event’:
drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c:574:18: warning: assignment makes pointer from integer without a cast
error, forbidden warning: wlan_hdd_cfg80211.c:574
make[3]: *** [drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.o] Error 1
OK, so I edited wlan_hdd_cfg80211.c and changed line 574 to add an explicit cast:
Code:
vendor_event = (struct sk_buff *)cfg80211_vendor_event_alloc(pHddCtx->wiphy,
Then it passes by this point, but stops in following lines with similar errors (not even pasting here). What I noticed from these errors is that CodeAurora's sources seem to be incompatible with Sony's kernel, because for instance, the function cfg80211_vendor_event_alloc is not defined anywhere (ran a grep over all *.c and *.h files in the kernel).
Comparing with a CM11 kernel, this function is also not defined anywhere, but the prima sources are very different, they don't call it. So I thought: let's use CM11's prima sources.
Bingo!
Compiled fine, booted, and with the corresponding firmware in /system/etc/firmware/wlan/prima, WLAN came up normally after boot. :victory:
Now you mentioned something about CM11's prima sources, from what I understood they are not ideal. Is that true? Because there are CM11-based custom kernels which implement intelliplug (dependent on custom WLAN drivers), for instance.
Hope it works for you. In this case, I'll put together a more organized how-to of what I did.
dbolivar said:
I'm giving it a try - downloaded the latest sources from CodeAurora and applied to your kernel (adjusting Kconfigs, Makefiles and defconfig). The compilation stops here:
Code:
drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c: In function ‘wlan_hdd_send_avoid_freq_event’:
drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c:574:18: warning: assignment makes pointer from integer without a cast
error, forbidden warning: wlan_hdd_cfg80211.c:574
make[3]: *** [drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.o] Error 1
OK, so I edited wlan_hdd_cfg80211.c and changed line 574 to add an explicit cast:
Code:
vendor_event = (struct sk_buff *)cfg80211_vendor_event_alloc(pHddCtx->wiphy,
Then it passes by this point, but stops in following lines with similar errors (not even pasting here). What I noticed from these errors is that CodeAurora's sources seem to be incompatible with Sony's kernel, because for instance, the function cfg80211_vendor_event_alloc is not defined anywhere (ran a grep over all *.c and *.h files in the kernel).
Comparing with a CM11 kernel, this function is also not defined anywhere, but the prima sources are very different, they don't call it. So I thought: let's use CM11's prima sources.
Bingo!
Compiled fine, booted, and with the corresponding firmware in /system/etc/firmware/wlan/prima, WLAN came up normally after boot. :victory:
Now you mentioned something about CM11's prima sources, from what I understood they are not ideal. Is that true? Because there are CM11-based custom kernels which implement intelliplug (dependent on custom WLAN drivers), for instance.
Hope it works for you. In this case, I'll put together a more organized how-to of what I did.
great!
can you just fork my repo and shift to the branch which worked for you, then send pull request? i will investigate on the Z1...
and yes please do send the steps!
well if we get custom compiled WLAN modules properly working on custom compiled kernel for stock ROM then i can have features like intelli-plug, F2FS, AsyncFS and lots more on stock ROMs!
DooMLoRD said:
great!
can you just fork my repo and shift to the branch which worked for you, then send pull request? I will investigate on the Z1...
and yes please do send the steps!
well if we get custom compiled WLAN modules properly working on custom compiled kernel for stock ROM then I can have features like intelli-plug, F2FS, AsyncFS and lots more on stock ROMs!
Well I'm still learning my way around git & GitHub, so I think it will be faster if you just reproduce the steps below:
1) Copy Prima WLAN sources from CM11-based kernel:
I copied from SlimRom's kernel source. Put the sources under drivers/staging/prima.
2) Modify related Kconfig and Makefile:
drivers/staging/Kconfig
Code:
131,132d130
< source "drivers/staging/prima/Kconfig"
<
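Review bot: the hunk direction is reversed. `131,132d130` with `<` lines says the `source "drivers/staging/prima/Kconfig"` line is present in the first file and deleted in the second, while step 2 is about adding it. Regenerate the diff with the untouched drivers/staging/Kconfig as the first argument so it reads as an addition and can be applied as posted.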
drivers/staging/Makefile
Code:
58,59d57
< obj-$(CONFIG_PRIMA_WLAN) += prima/
< obj-$(CONFIG_PRONTO_WLAN) += prima/
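Review bot: this normal-format hunk carries no context lines, so `58,59` locates the two `obj-` lines only in the exact drivers/staging/Makefile it was generated from. A unified diff with a few lines of surrounding context would let the change be placed in a tree whose Makefile has a different number of entries.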
3) Modify defconfig:
I'm pasting every option related to WLAN. The Prima options should appear after a "make menuconfig".
Code:
CONFIG_WIRELESS=y
CONFIG_WIRELESS_EXT=y
CONFIG_WEXT_CORE=y
CONFIG_WEXT_PROC=y
CONFIG_WEXT_SPY=y
CONFIG_WEXT_PRIV=y
CONFIG_CFG80211=y
CONFIG_NL80211_TESTMODE=y
# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
# CONFIG_CFG80211_REG_DEBUG is not set
CONFIG_CFG80211_DEFAULT_PS=y
# CONFIG_CFG80211_DEBUGFS is not set
CONFIG_CFG80211_INTERNAL_REGDB=y
# CONFIG_CFG80211_WEXT is not set
# CONFIG_WIRELESS_EXT_SYSFS is not set
# CONFIG_LIB80211 is not set
# CONFIG_CFG80211_ALLOW_RECONNECT is not set
# CONFIG_MAC80211 is not set
# CONFIG_WIMAX is not set
CONFIG_RFKILL=y
CONFIG_RFKILL_PM=y
CONFIG_RFKILL_LEDS=y
# CONFIG_RFKILL_INPUT is not set
# CONFIG_RFKILL_REGULATOR is not set
# CONFIG_RFKILL_GPIO is not set
...
# CONFIG_WIFI_CONTROL_FUNC is not set
...
CONFIG_WLAN=y
# CONFIG_USB_ZD1201 is not set
# CONFIG_USB_NET_RNDIS_WLAN is not set
# CONFIG_LIBRA_SDIOIF is not set
# CONFIG_ATH6K_LEGACY_EXT is not set
CONFIG_WCNSS_CORE=y
CONFIG_WCNSS_CORE_PRONTO=y
CONFIG_WCNSS_MEM_PRE_ALLOC=y
CONFIG_WCNSS_REGISTER_DUMP_ON_BITE=y
# CONFIG_ATH_COMMON is not set
# CONFIG_BCMDHD is not set
# CONFIG_BRCMFMAC is not set
# CONFIG_HOSTAP is not set
# CONFIG_IWM is not set
# CONFIG_LIBERTAS is not set
# CONFIG_MWIFIEX is not set
...
#
# Qualcomm Atheros Prima WLAN module
#
CONFIG_PRIMA_WLAN=m
CONFIG_PRONTO_WLAN=y
# CONFIG_PRIMA_WLAN_BTAMP is not set
CONFIG_PRIMA_WLAN_LFR=y
CONFIG_PRIMA_WLAN_OKC=y
CONFIG_PRIMA_WLAN_11AC_HIGH_TP=y
CONFIG_WLAN_FEATURE_11W=y
CONFIG_QCOM_VOWIFI_11R=y
CONFIG_CONFIG_ENABLE_LINUX_REG=y
4) Include Prima WLAN firmware in kernel ZIP file:
Copy from a CM11-based firmware (I used PAC-Rom). Remember to set permissions as 644.
/system/etc/firmware/wlan/prima
Code:
WCNSS_cfg.dat
WCNSS_qcom_cfg.ini
WCNSS_qcom_wlan_nv.bin
5) Include wlan.ko in kernel ZIP file:
Actually I include every compiled kernel module, because we are using a different toolchain and they may benefit from it too. Remember that /system/lib/module/wlan.ko is a symlink, but in my test the target got updated accordingly.
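A pre-flash check for steps 2 to 5 above, as an added example that is not part of the original posts. The function name `check_prima`, its three-argument layout and the choice of which four defconfig options to test are assumptions; the file names, paths and option values are the ones listed in the post.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flash check for steps 2-5 above.
# Usage: check_prima KERNEL_SRC DEFCONFIG ZIP_ROOT   (argument layout assumed)
# Prints one FAIL line per problem; the return status is the problem count.
check_prima() {
    src=$1 defconfig=$2 zip=$3 bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    # Step 2: drivers/staging must descend into prima/.
    grep -qF 'source "drivers/staging/prima/Kconfig"' \
        "$src/drivers/staging/Kconfig" 2>/dev/null ||
        fail "staging/Kconfig does not source prima/Kconfig"
    for sym in CONFIG_PRIMA_WLAN CONFIG_PRONTO_WLAN; do
        grep -F "obj-\$($sym)" "$src/drivers/staging/Makefile" 2>/dev/null |
            grep -q 'prima/' || fail "staging/Makefile lacks obj-\$($sym) += prima/"
    done

    # Step 3: options that must be set exactly as in the posted defconfig.
    for opt in CONFIG_CFG80211=y CONFIG_WCNSS_CORE=y \
               CONFIG_PRIMA_WLAN=m CONFIG_PRONTO_WLAN=y; do
        grep -qxF "$opt" "$defconfig" 2>/dev/null || fail "defconfig: $opt missing"
    done

    # Step 4: firmware must be regular files with mode 644 (no symlinks,
    # no group/world write bit on files the WLAN driver loads).
    fw=$zip/system/etc/firmware/wlan/prima
    for f in WCNSS_cfg.dat WCNSS_qcom_cfg.ini WCNSS_qcom_wlan_nv.bin; do
        if [ ! -e "$fw/$f" ]; then
            fail "$f missing from $fw"
        elif [ "$(ls -ld "$fw/$f" | cut -c1-10)" != "-rw-r--r--" ]; then
            fail "$f is not a regular file with mode 644"
        fi
    done

    # Step 5: the freshly built module has to be in the ZIP somewhere.
    find "$zip" -type f -name wlan.ko 2>/dev/null | grep -q . ||
        fail "wlan.ko not found under $zip"
    return "$bad"
}

if [ "$#" -eq 3 ]; then check_prima "$@"; fi
```

Run it against the unpacked ZIP staging directory before packaging; a non-zero exit status is the number of checks that failed.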
which branch did u test this with?
also can you please upload the correct firmware (/system/etc/firmware/wlan/prima) which worked for you?
DooMLoRD said:
which branch did u test this with?
also can you please upload the correct firmware (/system/etc/firmware/wlan/prima) which worked for you?
The branch from your kernel was master_kk-4.4.2. The Prima WLAN sources were, as I mentioned, from SlimRom's kernel, branch kk4.4.
I'm attaching the firmware to this post.
blueether said:
A bookmark
Worth the read @dbolivar
http://forum.xda-developers.com/showthread.php?t=2754997
Wow this is very nice! Follows the same line of research I've been doing, but this is more "elegant" and in-depth, especially because of all the benchmarks and other comparisons he has done. I'll try this approach myself on my custom builds.
One thing I noticed is that we may still have to use the "hammer" approach with the find & replace of the "-O" flags in *.mk and Makefiles I've been doing, because some of them have these flags hardcoded (i.e. they don't take the value from core/combo/TARGET_linux-arm.mk or other base files). I'll tip JustArchi in his thread about it.
Hi guys, I posted this in the general android section and have had no answer, maybe someone here might know?
I'm trying to build AOSP using CM 11's device tree for togari/togari_gpe and have hit a brick wall after solving the first few make errors.
I have two errors that I suspect are the same problem:
The first is if I just build with make I get this error:
Code:
Import includes file: out/target/product/togari/obj/SHARED_LIBRARIES/copybit.msm8974_intermediates/import_includes
Import includes file: out/target/product/togari/obj/SHARED_LIBRARIES/libmemalloc_intermediates/import_includes
target thumb C++: libqdutils <= hardware/qcom/display/msm8974/libqdutils/profiler.cpp
target thumb C++: libqdutils <= hardware/qcom/display/msm8974/libqdutils/mdp_version.cpp
target thumb C++: libqdutils <= hardware/qcom/display/msm8974/libqdutils/idle_invalidator.cpp
target thumb C++: libqdutils <= hardware/qcom/display/msm8974/libqdutils/comptype.cpp
hardware/qcom/display/msm8974/libqdutils/mdp_version.cpp:33:27: fatal error: linux/msm_mdp.h: No such file or directory
#include <linux/msm_mdp.h>
^
Import includes file: out/target/product/togari/obj/SHARED_LIBRARIES/gps.msm8974_intermediates/import_includes
compilation terminated.
make: *** [out/target/product/togari/obj/SHARED_LIBRARIES/libqdutils_intermediates/mdp_version.o] Error 1
make: *** Waiting for unfinished jobs....
and if I do make bootimage I get this:
Code:
make: *** No rule to make target `out/target/product/togari/kernel', needed by `out/target/product/togari/boot.img'. Stop.
I suspect that both stem from aosp not finding the kernel source?
kernel source is at ~/dev/aosp/kernel/sony/msm8974/ and I'm building in ~/dev/aosp
I'm also trying to build vanir aosp using the same device tree and kernel and make bootimage completes fine.
Any help would be great
Yo, @DooMLoRD, @blueether @dbolivar
You guys have probably registered that Geohot (iPhone, PS3 jailbreaker) has successfully rooted the Galaxy S5 (and can now claim the $18,000 bounty), but I just read that this one-click root tool should work on any device running a pre-June 3rd kernel, i.e. Android 4.4.2. The question is, does it work on the Ultra? I'm aware that it's easy to root an Ultra AS LONG as the bootloader is unlocked, but this thing circumvents that part, and roots it. I think.
Is there anyone here still left on 4.4.2 that can try?
More here: Click
LordManhattan said:
Yo, @DooMLoRD, @blueether @dbolivar
You guys have probably registered that Geohot (iPhone, PS3 jailbreaker) has successfully rooted the Galaxy S5 (and can now claim the $18,000 bounty), but I just read that this one-click root tool should work on any device running a pre-June 3rd kernel, i.e. Android 4.4.2. The question is, does it work on the Ultra? I'm aware that it's easy to root an Ultra AS LONG as the bootloader is unlocked, but this thing circumvents that part, and roots it. I think.
Is there anyone here still left on 4.4.2 that can try?
More here: Click
Can't say... Will have to test
Sent from my C6902 using XDA Free mobile app
DooMLoRD said:
Can't say... Will have to test
Sent from my C6902 using XDA Free mobile app
I made a thread here. It should work.
http://forum.xda-developers.com/showthread.php?t=2783982
