view TCS211-fw-arch @ 107:dfa5f99631a6

TCH-tap-modes: document FACCH/H observations
author Mychaela Falconia <falcon@freecalypso.org>
date Mon, 22 Jul 2024 23:02:54 +0000
parents f5ddeacbe744
children
line wrap: on
line source

This document describes the architecture of TI's TCS211 firmware and that of
our FreeCalypso Magnetite and Selenite firmwares which are based on it.

What is TCS211, and why we use it as our reference
==================================================

TI were in the business of making GSM baseband chipsets for about a decade
from the late 1990s up until 2009, and over that time span both their silicon
and their firmware architecture had evolved in many different ways.  All of our
work in the FreeCalypso family of projects is based on one fairly arbitrary
snapshot, a rather arbitrarily picked single point in that long evolutionary
line: we use the Calypso chipset as opposed to both the ones before and the
ones after, and we use TI's TCS211 firmware from 2007 as our golden reference,
as opposed to other equally valid ways of architecturing the fw that came
before and after our arbitrarily picked snapshot.

Q: Why do we use the Calypso chipset as opposed to LoCosto or E-Costo or
whatever was TI's very last offering before they got out of that business?

A: Because that's what Openmoko used: their Neo FreeRunner aka GTA02 smartphones
were our primary hardware target for many years before we gathered the money
and the courage to build our own board-level hardware starting from just chips
bought on the Chinese surplus market.

Q: Why do we use TI's TCS211 firmware from 2007 and its architecture as our
golden reference, as opposed to any of the other infinitely many equally valid
ways of architecturing a working firmware implementation for the same Calypso
chipset?

A: Because it works flawlessly, and is extremely stable as a commercial product.
The firmware which Openmoko got from TI had only a tiny difference from TI's
internal TCS211 mainline (TSPACT signal definitions in tpudrv12.h which are
different between the quadband RFFE on TI's internal reference hw and the
triband one in FIC's commercial implementation), and with only a few additional
changes related to our use of a newer flash chip that wasn't supported back in
TI's and Openmoko's days, this golden reference fw can run equally well on our
own FCDEV3B.

Relation between TCS211 and FreeCalypso
=======================================

The only "pure" TCS211 firmware we got is the one that has been salvaged from
the ruins of Openmoko.  To the best of our knowledge, it is the world's only
surviving copy of any version of TCS211 - it is entirely possible that even TI
may not have it any more in any of their archives, given the length of time that
has passed and the total lack of interest in this "ancient junk".  In its pure
form, this world's sole surviving copy of TI's TCS211 fw is laden with blobs
(many components exist only as binary object libraries with no corresponding
source), and it features a build system that is very thoroughly Windows-based.
And to top it off, that configuration and build system has many critical
components which also exist only as compiled binaries (Windows executables or
Java bytecode) with no corresponding source.

We started by replacing the original configuration and build system of TCS211
with our own one that is Unix-based rather than Windows-based, and implemented
in Bourne shell with a few C helpers instead of XML, Java and Perl.  The result
was named FreeCalypso Magnetite.  At first we changed only the configuration
and build system, but kept all of the original TCS211 code, including all of
the binary-only components.  Then we deblobbed it gradually, replacing binary-
only components with source, one component at a time.  Where did we get the
source for the pieces that came as binary objects with no corresponding source?
The answer is different for different components:

* For GSM Layer 1 (a very critical and highly chipset-dependent component), we
  did a painstaking reconstruction which you can see in the tcs211-l1-reconst
  repository.  That world's last surviving copy of TCS211 which we got only had
  *.c files censored out, while all of the original *.h files were preserved -
  and thanks to the preserved configuration and build system, we also got all
  of the original compilation lines including compiler options, -D definitions
  and -I include paths.  For most of the missing *.c files we got a "wrong"
  version from the TCS3/LoCosto source.  The reconstruction proceeded by taking
  these "wrong version" *.c files, putting them one module (one *.c file) at a
  time into the TCS211 build environment, and massaging each individual *.c
  file until it compiled into a perfect match to the original binary object.
  Thus we have reconstructed a full C source for the L1 component which for all
  practical purposes can be treated as if it were the lost original source.

* For some small pieces like the tpudrv12 RF driver and the OSL and OSX
  components of GPF it was more of a translation from disassembly to C: the C
  code we use is of our own writing, but it faithfully matches the logic
  implemented by the original blobs as recovered through disassembly.

* The G23M protocol stack is a very large and complex component, and our copy
  of TCS211 (the world's only surviving copy to the best of our knowledge) has
  it in binary-only form.  Trying to source-reconstruct it precisely like we
  did with L1 would have been infeasible, hence we took a different approach:
  we put together a TCS2/TCS3 hybrid in which we made a wholesale replacement
  of all G23M components: we adopted the new version of G23M wholesale without
  trying to recreate the old version.

* Both TCS211 and TI's newer TCS3.2 fw for the LoCosto chipset are based on
  Nucleus PLUS RTOS (different versions), and both firmwares have their Nucleus
  only as binary object libraries, no source.  However, we got another version
  of Nucleus from about the same time frame (slightly newer than the one TI used
  in TCS211, but slightly older than the one in TCS3.2) from a non-TI source
  (it was posted on a Russian web forum by Comrade XVilka), and in FreeCalypso
  Selenite we use this new Nucleus as a replacement for TCS211 original version
  in the same manner as how we had earlier made a wholesale replacement of the
  G23M protocol stack.

With two major components (Nucleus and the G23M PS) replaced with non-TCS211
versions, our Magnetite hybrid and Selenite firmwares are no longer TCS211, but
they still faithfully follow the _architecture_ of TCS211: in each case when we
replaced the code, we made the new code version fit perfectly into the original
architecture without any disruptive changes.  Thus anyone who desires to
understand our current FreeCalypso firmwares (Magnetite and Selenite) needs to
first understand the original TCS211 architecture, as it is essentially
unchanged.

Why not use the LoCosto chipset and its TCS3.2 firmware?
========================================================

We went the Calypso route and not the LoCosto route because of the circumstances
that surrounded the beginning of our family of projects.  We did not get all of
the tools needed for working with LoCosto chips and TI's TCS3.2 fw (CSST and
SBuild) until the spring of 2015, and by that time we had invested too much into
the Calypso to throw it all away and restart anew in the uncharted waters of
LoCosto.  Another factor is that the software for talking to LoCosto's ROM
bootloader (CSST) exists only as Windows binaries sans source, and it would
require some effort to reverse-engineer the protocol and implement a free and
Unix-based alternative - whereas for the Calypso this work was already done by
OsmocomBB folks before we entered the scene.  Finally, in the case of the
Calypso we have read out the actual content of the ROMs (both the ARM boot ROM
and the DSP ROM) and the ARM boot ROM code has been disassembled and thoroughly
understood - whereas in the case of LoCosto it is not certain if we can even
read out the ROM content, as it is said to be protected against reading.

If someone else desires to play with LoCosto, either by hacking a Peek device
or by building an I-Sample board from the available PADS PCB file, go for it!
But the FreeCalypso core team is sticking with the Calypso chipset for now, and
our actively maintained Magnetite and Selenite firmwares follow the architecture
of TCS211, not that of TCS3.2.

Relation between the ARM and DSP cores in the Calypso
=====================================================

The Calypso digital baseband processor chip has two processor cores in it: an
ARM7TDMI core that runs the main firmware and a C54x DSP core that performs the
more burdensome signal processing tasks.  The DSP is subservient to the ARM:
only the ARM comes out of reset and starts executing code upon power-up, while
the DSP is held in reset (does not run) until and unless the ARM firmware starts
it running.

The ARM core executes code from outside of the Calypso chip itself: in normal
operation (outside of development) there is a flash memory chip connected to
Calypso's external memory bus, and the Calypso's ARM core executes firmware
stored in this flash.  There is an optional (enabled or disabled by a hardware
pin) ARM boot ROM inside the Calypso chip; when this boot ROM is enabled by
nIBOOT pin strapping on the board (like it is on Openmoko and FreeCalypso
hardware), the ARM core executes code from this boot ROM first upon power-up or
reset before jumping to external flash.  The tiny piece of code that is hard-
cast in this mask ROM acts as an unbricking aid: it gives a certain time window
during which the boot process can be interrupted and diverted if certain magic
characters are sent into either of Calypso's two UARTs by an external
development host, and if nothing is received on either UART during that time
window (as would be the case in normal usage of a Calypso phone or modem), the
boot ROM transfers control to the firmware image in the external flash.  The
end result is that the ARM core always runs code from outside of the Calypso
chip itself, either the firmware image in the flash or whatever code is fed by
an external development host to the boot ROM serially over a UART.

There is also an internal RAM inside the Calypso from which the ARM can execute
code (512 KiB on the full Calypso version or 256 KiB on Calypso Lite silicon
used in some historical low-end phones); the primary purpose of this internal
RAM is to allow chosen sections of code to execute faster without the
performance penalty of the external memory bus, but it is volatile RAM, not ROM
or flash, hence it doesn't have any code in it until and unless loaded by the
firmware copying code from flash or via the serial boot protocol.

In contrast, the DSP is very different.  The DSP core can never execute any
code from outside the chip, and has no access to the Calypso chip's external
memory bus at all.  Instead the only two memories accessible to the DSP are a
mask ROM and a fast internal RAM.  The DSP's dedicated mask ROM is 128 Kwords;
the DSP's RAM is 28 Kwords, out of which 8 Kwords constitute the so-called API
RAM which is accessible to both ARM and DSP cores.  (The C54x DSP addresses
memory by words instead of bytes, hence the memory sizes are given in Kwords
instead of KiB.)

The main bulk of the DSP's operating program is already hard-cast in the silicon
in the 128 Kword mask ROM.  The DSP ROM code is structured in such a way that
any part of it can be overridden by downloadable patch codes which get loaded
somewhere in the DSP's 28 Kword RAM, but because the RAM is significantly
smaller than the ROM, downloadable DSP code cannot replace the entirety of the
ROM code - instead the code needs to be patched very selectively only where
necessary to fix a bug that was discovered after the silicon was made or to
extend the DSP functionality with a new feature.

The DSP ROM code in the Calypso silicon we are using has been successfully read
out, but it is only the executable binary code and data - we never found a copy
of the source for this DSP ROM code.  And even if we had this source, we would
not be able to casually modify and recompile it without spending millions of
dollars to fab a new chip revision with a modified mask ROM.  Having this source
would allow us to develop our own DSP patch codes and to understand and maintain
the existing ones, hence we need to make an effort to convince TI to release
the source for the DSP ROM if they have it in their archives, but if no
surviving copy of this source exists anywhere in the world, the fallback plan
would be to reverse-engineer the DSP ROM code by disassembly.  The latter plan
has not been pursued yet because of the very high labor cost it would involve.

It is possible to run the Calypso DSP without any patches, i.e., have it run
only the code that is already in the mask ROM.  Our competitor OsmocomBB
operates in this manner, and we have also built and run modified versions of
our TCS211-based FreeCalypso firmware with DSP patch loading disabled as an
experiment.  However, all ARM-side firmwares that have been officially released
by TI for production use including our TCS211-20070608 golden reference do apply
downloadable patches to the DSP, and are designed to run with this patched DSP;
running them with DSP patching disabled results in unstable operation.

DSP patch codes that are included in ARM-side Calypso firmwares take the form
of const char arrays initialized with hex bytes; these C source files with hex
char arrays inside were apparently produced from C54x COFF files with a tool
called coff2c, but we never got any of those COFF files or whatever source (C
or assembly) they were built from.  At the present time in the FreeCalypso
family of projects we use the DSP patch codes (hex char arrays) which we got
with our copy of TCS211 from 20070608, and we treat the entire DSP block (the
combination of mask ROM plus patches) as a functional black box.

Having to treat the DSP as a black box is certainly a major shortcoming of our
FreeCalypso solution.  However, I (Mother Mychaela) would much rather have a
phone or modem in which only the DSP is a black box while I get to maintain all
of the upper layers with full freedom, as opposed to the status quo alternative
of a very high-level black box with FOTA backdoors.  Unlike the ubiquitous
high-level black boxes from the likes of Qualcomm, the DSP in the Calypso cannot
be backdoored: it has no access to the ARM address space, thus no access to the
flash (cannot surreptitiously modify the firmware) and no access to any of the
higher-level radio protocol state maintained by the ARM, all it can do is
modulate and demodulate bursts and run voice codecs _as commanded by the ARM_.
Furthermore, the DSP has no access to the Calypso chip's TPU (Time Processing
Unit, the block that controls board-level RF hardware) and thus has no direct
control over any of the RF hardware: it cannot initiate radio transmission or
even reception on its own, instead the ARM firmware has to configure the RF
hardware via the TPU for each and every Rx or Tx time window.

Finally, if anyone is truly paranoid about the possibility of backdoors in the
DSP, the DSP ROM code has been read out - you are welcome to hire a professional
reverser of your choice to disassemble and audit it as thoroughly as you like.
This code is unchangeable by virtue of being hard-cast in a mask ROM in the
silicon.

The rest of this document covers the firmware that runs on the ARM core; it
controls the DSP via its API RAM, a form of shared memory interface.

High-level structure of TCS211 firmware
=======================================

The code base that makes up TI's TCS211 firmware consists of 3 main divisions:
chipset software, Condat G23M (GSM and GPRS L23 protocol stacks, ACI and
optional handset UI layers) and GPF.  Let us look at them in turn:

chipsetsw division
------------------

In the original TCS211 delivery there was a top-level directory named chipsetsw
(chipset software), containing code that is specific to TI's chipsets in
particular and was never intended to run on any other hardware.  This code
division has been retained intact in our FreeCalypso Magnetite and Selenite
firmwares, taken in its entirety from our TCS211 golden reference, although we
have shortened the name: this code division now resides under src/cs in
Magnetite and Selenite.  Aside from a few bits of system glue, this chipsetsw
breaks down into two further subdivisions: the L1+drivers core and the SSA
division.

L1+drivers core
---------------

This division resides under chipsetsw/layer1 and chipsetsw/drivers/drv_core, or
under src/cs/layer1 and src/cs/drivers/drv_core in our version.  The most
important piece here is L1 (GSM Layer 1): this code drives the DSP and the RF
hardware, and thereby makes the Calypso function as a GSM MS (mobile station)
and not merely as a general purpose microprocessor platform.  This code can be
considered to be the most important part of the entire firmware.

At one time TI had a so-called standalone L1 configuration, selected by the
OP_L1_STANDALONE C preprocessor symbol.  We don't have the bits that are needed
to build this configuration (they were probably never released outside of TI at
all), but it appears that this fw build configuration consisted of just Nucleus,
L1, the drivers under drv_core, the OSL and OSX parts of GPF without the rest,
and some stubs for the few higher-level functions that are intertied with L1.

The drivers under chipsetsw/drivers are divided into drv_core and drv_app: the
former are the most essential or fundamental ones, used by L1 and/or needed for
the OP_L1_STANDALONE config; the latter belong to the higher-level SSA division
described below.

SSA division
------------

TI had a group called System Software and Applications (SSA), and they supplied
those parts of the firmware that are neither L1+drv_core nor Condat G23M.  The
more interesting pieces here include the flash file system (FFS), the debug
trace facility (RVT), the Enhanced Test Mode (ETM) facility that allows
external development and production tools to poke at the firmware, RiViera Audio
Service (playing various beeps and ringtones through the DSP, a front-end to L1
audio functions), LCD and keypad drivers for Calypso-based handsets, and various
supportive functions implemented via the Iota ABB: switch-on and switch-off
logic, battery monitoring and charging, backlight LED control.

All firmware components in the SSA division are built on top of a framework
called RiViera - more will be said about it later.  Everything under
chipsetsw/drivers/drv_app, chipsetsw/riviera and chipsetsw/services (or under
src/cs/drivers/drv_app, src/cs/riviera and src/cs/services in our version)
belongs to the SSA realm.

Condat G23M division
--------------------

At the beginning of TI's involvement in the GSM baseband chipset business, they
only developed and maintained their own L1 code, which eventually grew into the
larger chipsetsw division described above, while the rest of the protocol stack
(which is hardware-independent) was licensed from another company called Condat.
Later Condat as a company was fully acquired by TI, and the once-customer of
this code became its owner.  The name of TI/Condat's implementation of GSM
layers 2&3 for the MS side is G23M, and it forms its own major division of the
overall fw architecture.

The overall Condat code realm can be further subdivided into GSM and GPRS L23
protocol stacks, the Application Control Interface (ACI) which includes the AT
command interpreter (ATI), and additional phone UI layers which are only
included in handset but not modem firmwares.

We don't know exactly how TI maintained this software internally: given that it
is mostly hardware-independent aside from integration details and some minor
features which may be present on one hw platform but not on another, it would
have made the most sense for TI to maintain a single internal mainline common
to both Calypso and LoCosto, and then integrate the code from this mainline into
chipset-specific customer releases.  We have no way of knowing if TI indeed
followed this approach or not, but when we took the version of G23M from the
TCS3.2 source for the LoCosto chipset and grafted it onto the chipsetsw
foundation from TCS211 for the Calypso to produce our TCS2/TCS3 hybrid, the
integration went surprisingly smoothly.  The full-source version of G23M which
we took from TCS3/LoCosto is newer than the binary-only version featured in the
world's last surviving copy of TCS211 from Openmoko.

GPF island of stability
-----------------------

Underlying the G23M protocol stack is a special layer called GPF, which was
originally Condat's Generic Protocol stack Framework.  Apparently Condat were
in the business of developing and maintaining a whole bunch of protocol stacks:
GSM MS side, GSM network side, TETRA and who knows what else.  GPF was their
common underpinning for all of their protocol stack projects, which ran on top
of many different OS environments: Nucleus, pSOS, VxWorks, Unix/Linux, Win32
and who knows what else.

In the case of TI/FreeCalypso GSM fw, both the protocol stack and the underlying
OS environment are fixed: GSM and Nucleus, respectively.  But GPF is still a
critically important layer in the firmware architecture: in addition to serving
as the glue between the G23M stack and Nucleus, it provides some important
support infrastructure for the protocol stack.

However, what makes GPF very special is the way in which it relates to the rest
of the firmware architecture.  GPF remained common and unchanged across TI's
many different projects, and it is so independent from the rest of the firmware
and its build configuration that TI were able to make company-wide GPF library
builds and then plop them into multiple fw projects which used them as
configuration-independent prebuilt libraries.  All TI firmware (semi-)sources
we've got use GPF in prebuilt library form and are not set up to recompile any
part of it from source.

Our FC Magnetite firmware uses the original binary libs from TCS211-Openmoko
for its GPF component, but for FC Selenite the project requirement is to be
completely blob-free, hence we had to reconstruct the source for GPF.  The
original source for most parts of GPF was found between TCS3.2 from Peek/FGW
and TCS211 from OM (the former had the source for the core "frame" modules and
the latter had the source for misc and tst), but we never got the source for the
OSL and OSX components, hence we had to reconstruct them from disassembly.  OSL
is the glue layer between GPF and Nucleus, OSX is the glue layer between GPF
and L1.

Firmware boot process
=====================

As already mentioned earlier, the Calypso chip itself includes an ARM boot ROM
in the silicon that serves as an unbricking aid: it provides a certain time
window during which the boot process can be interrupted and diverted if certain
magic characters are sent into either of Calypso's two UARTs by an external
host, and if nothing is received on either UART during that time window, the
boot ROM transfers control to the firmware image in the external flash.  As we
understand it, Calypso was TI's first DBB (digital baseband processor) chip to
include this boot ROM, and their previous DBB chips did not have such: they
would always execute code directly from external flash immediately out of reset.

TI's TCS211 and earlier firmwares are structured in such a way that they boot
and run exactly the same way whether the Calypso boot ROM is present and
enabled, present but disabled, or not present at all.  They put magic constant
0x00000001 in the 32-bit word at flash address 0x2000, which tells the Calypso
boot ROM (if it is present and enabled) to boot the flash fw image in legacy
mode: after providing the unbricking time window, the boot ROM moves itself out
of the way (sets two bits in the FFFF:FB10 register which tell the chip to unmap
the boot ROM and to map external memory at address 0) and induces a watchdog
reset, causing the chip to re-execute the reset vector, this time directly out
of external flash - thus the firmware boots as if the boot ROM weren't there,
but the ROM's unbricking function is retained.

In order to make it easier to load new firmware images during development on
pre-Calypso platforms which didn't have a boot ROM, TI had developed a flash-
resident bootloader stage and included it in their fw architecture.  This
bootloader stage is placed at the beginning of the flash at the reset vector,
and the rest of the firmware begins at an erase unit boundary.  The bootloader
stage executes first, and before it jumps to the main firmware entry point
(_INT_Initialize) for normal boot, it offers an opportunity for the boot process
to be interrupted and diverted if an external host sends certain magic command
packets into either of the two UARTs during the allotted time window.  If the
external host does interrupt and divert the boot process in this manner, it can
feed a code image to the bootloader to be written somewhere in target RAM, and
then command the bootloader to jump to it.  It is exactly the same functionality
(though with different serial protocol specifics) as implemented in the Calypso
boot ROM.  The ROM version is obviously superior because it is unbrickable, but
the flash-resident, built-with-firmware version is what TI used before they
came up with the idea of the boot ROM for the Calypso.

When the boot-ROM-equipped Calypso came along, TI kept the flash-resident
bootloader in the firmware: it does no harm aside from adding a little bit of
delay to the boot process, it does not conflict with the ROM bootloader as the
two speak different serial protocols and respond to different interrupt-boot
sequences, and it allowed TI to keep the same firmware architecture for
platforms with and without a boot ROM.  However, in our FreeCalypso firmwares
starting with Magnetite we have removed this extra bootloader stage for the
following reasons:

* It is not useful to us on any of our hardware targets: on those devices that
  have the Calypso boot ROM enabled, we use that boot ROM and get full
  unbrickability, whereas on Mot C1xx phones we have to work with Mot/Compal's
  own different bootloader and serial protocol at least initially, hence it
  makes the most sense to stick with the same after the conversion to
  FreeCalypso as well.

* As delivered by TI with their full production TCS211 fw releases, their
  firmware-resident bootloader works as intended only on hw platforms with
  13 MHz VCXOs like the original D-Sample (Clara RF), and is broken on platforms
  like Rita RF (the only RF chip for which we have driver code!) with 26 MHz
  VCXOs: there is no conditionally-compiled code anywhere in the bootloader
  code path to set the VCLKOUT_DIV2 bit in the CNTL_CLK register on 26 MHz
  platforms, thus the UARTs are fed with 26 MHz instead of the standard 13 MHz
  clock expected in normal operation, and the intended baud rate of 115200 bps
  turns into 230400.  Because 230400 bps is a baud rate which Calypso UARTs
  *cannot* produce in normal GSM operation (when the peripheral clock network
  runs at the expected 13 MHz), tools that are designed to talk to Calypso GSM
  devices are typically not designed to support this baud rate.  In particular
  for CP2102 USB-serial adapters, the precedent established by the factory
  CP2102 EEPROM programming in the Pirelli DP-L10 phone is that the baud rate
  entry for 230400 bps is replaced with 203125 bps, which is a valid baud rate
  for Calypso UARTs running at 13 MHz.

* We have no source for TI's firmware-resident bootloader, only linkable binary
  objects that came with our world's last surviving copy of TCS211, which are
  incompatible with our goal of blob-free firmware.

Because this extra bootloader stage is ultimately unnecessary in our
environment, the deblobbing goal was easier accomplished by removing it
altogether instead of expending effort on a blob-free replacement.  Because I
wasn't comfortable with modifying TMS470 assembly code and linker script magic,
the removal of the bootloader was accomplished by stubbing out its C body with
an empty function.  In the gcc-built FC Selenite version it is removed
completely, without any leftover stubs.

Finally, it needs to be noted for the sake of completeness that Compal's
bootloader used on Mot C1xx phones is a modified version based on TI's original
bootloader.  However, this factoid matters only for historians and genealogists;
for all practical purposes it is an unrelated animal, as Mot/Compal's serial
protocol for interrupting and diverting the boot process is their own and bears
no resemblance to TI's version.  And yes, Mot/Compal's version does set the
VCLKOUT_DIV2 bit in the CNTL_CLK register to adjust for the 26 MHz clock input
as its first order of business; it was probably the very first issue they had
to fix.

When we build FC Magnetite or FC Selenite TMS470 firmware for Mot C1xx targets,
we use dd to strip off the first 64 KiB of the image produced by TI's linker
(the part where TI's bootloader resides, be it intact or stubbed out) and flash
the remaining image (the main body of the fw) starting at flash address 0x10000.
In the gcc-built Selenite version we natively link images that are designed to
be flashed at 0x10000 without any dirty hacks.  Common to all FC firmwares for
C1xx targets, the bootloader image we put at 0 (in the brickable flash sector)
is a modified version based on one of Mot/Compal's originals: we have binary-
patched it to redirect the exception vectors from Mot/Compal's 0x20A0 to 0x10000
and to move the main fw entry point from Mot/Compal's 0x20F8 to TI's 0x10058.

None of this muckery applies to our own FreeCalypso hardware or to our
predecessor Openmoko's hw: on these good hw targets the complete fw image as
built is flashed at 0, and there is no possibility of bricking because we use
the boot ROM to gain access irrespective of what's in the flash.

Main firmware entry point
-------------------------

With the bootloader distraction out of the way, the main fw entry point is at
the _INT_Initialize symbol in the int.s assembly module, located in
src/cs/system/main/int.s in Magnetite and Selenite.  The functional equivalent
for the gcc environment in Selenite is in src/cs/system/main/gcc/bootentry.S.
This assembly code performs some basic hardware initialization, sets up
sensible memory timings for the boot path phase before DPLL setup, copies the
IRAM code (the code that is intended to execute out of the fast internal RAM)
from flash to where it needs to be, zeros both IRAM and XRAM .bss regions, does
TI's cinit/auto_init business for initialized data in the TMS470 environment
(Selenite gcc version copies .data from flash to RAM instead), sets up the
system, IRQ, FIQ and exception stacks, does some assembly initialization for
Nucleus and finally jumps to Nucleus' C entry point INC_Initialize().

Further initialization takes place in the Init_Target() and Init_Drivers()
functions called from Application_Initialize(), which is the last function
called by INC_Initialize() before starting the Nucleus task scheduler.

Nucleus environment
===================

Like all classic TI firmwares, ours is based on the Nucleus PLUS RTOS.  Just
like TI's original code on which we are based, we use only a small subset of
the functionality provided by Nucleus - but because the latter is a library,
the pieces we don't use simply don't get pulled into the link.  The main
function we get out of Nucleus is the scheduling of threads, or tasks as
Nucleus calls them.

Aside from pre-stack-setup assembly init code and ARM exception handlers, every
piece of code in the firmware executes in one of the following contexts:

* Application_Initialize(): this function and everything called from it execute
  just before Nucleus' thread scheduler starts; at this point interrupts are
  disabled at the ARM7 core level (in the CPSR) and must not be enabled; the
  stack is Nucleus' "system stack" which is also used by the scheduler and LISRs
  as explained below.

* Regular threads or tasks: once Application_Initialize() finishes, all code
  with the exception of interrupt handlers (LISRs and HISRs as explained below)
  runs in the context of some Nucleus task.  Whenever you are trying to debug
  or simply understand some piece of code in the firmware, the first question
  you should ask is "which task does this code execute in?".  Most functional
  components run in their own tasks, i.e., a given piece of code is only
  intended to run within the Nucleus task that belongs to the component in
  question.  On the other hand, some components are implemented as APIs,
  functions to be called from other components: these don't have their own task
  associated with them, and instead they run in the context of whatever task
  they were called from.  Some only get called from one task: for example, the
  "uartfax" driver API calls only get called from the protocol stack's UART
  entity, which is its own task.  Other component API functions like FFS and
  trace can get called from just about any task in the system.  Many components
  have both their own task and some API functions to be called from other tasks,
  and the API functions oftentimes post messages to the task to be worked on by
  the latter; the just-mentioned FFS and trace functions work in this manner.

  In our TCS211-mimicking Magnetite and Selenite firmwares every Nucleus task is
  created either through RiViera or through GPF, and not in any other way - see
  the description of RiViera and GPF below.

* LISRs (Low level Interrupt Service Routines): these are the interrupt handlers
  that run immediately when an ARM IRQ or FIQ comes in.  The code at the IRQ and
  FIQ vector entry points calls Nucleus' magic stack switching function
  (switches the CPU from IRQ/FIQ into SVC mode, saves the interrupted thread's
  registers on that thread's stack, and switches to the "system" stack) and
  then calls TI's IRQ dispatcher implemented in C.  The latter figures out
  which Calypso interrupt needs to be handled and calls the handler configured
  in the compiled-in table.  Nucleus' LISR registration framework is not used
  by the GSM fw, but these interrupt handlers should be viewed as LISRs
  nonetheless.

  There is one additional difference between canonical Nucleus and TI's version
  (we've replicated the latter): canonical Nucleus was designed to support
  nested LISRs, i.e., IRQs re-enabled in the magic stack switching function,
  but in TI's version which we follow this IRQ re-enabling is removed: each LISR
  runs with interrupts disabled and cannot be interrupted.  (The corner case of
  an FIQ interruping an IRQ remains to be looked at more closely as bugs may be
  hiding there, but Calypso doesn't really use FIQ interrupts.)  There is really
  no need for LISR nesting in our GSM fw, as each LISR is very short: most LISRs
  do nothing more than trigger the corresponding HISR.

* HISRs (High level Interrupt Service Routines): these hold an intermediate
  place between LISRs and tasks, similar to softirqs in the Linux kernel.  A
  HISR can be activated by a LISR calling NU_Activate_HISR(), and when the LISR
  returns, the HISR will run before the interrupted task (or some higher
  priority task, see below) can resume.  HISRs run with CPU interrupts enabled,
  thus more interrupts can occur, with their LISRs executing and possibly
  triggering other HISRs.  All triggered HISRs must complete and thereby go
  "quiescent" before task scheduling resumes, i.e., all HISRs as a group have a
  higher scheduling priority than tasks.

Nucleus implements priority scheduling for tasks.  Tasks have their priority set
when they are created (through RiViera or GPF, see below), and a higher priority
task will run until it gets blocked waiting for something, at which time lower
priority tasks will run.  If a lower priority task sends a message to a higher
priority task, unblocking the latter which was waiting for incoming messages,
the lower priority task will effectively suspend itself immediately while the
higher priority task runs to process the message it was sent.

HISRs oftentimes post messages to their associated tasks as well; if one of
these messages unblocks a higher priority task, that unblocked task will run
upon the completion of the HISR instead of the original lower priority task
that was interrupted by the LISR that triggered the HISR.  Nucleus' scheduler
is fun!

RiViera and GPF
===============

RiViera and GPF are two parallel/independent/competing wrappers around or
layers above Nucleus.  GPF comes from Condat and is used by the G23M protocol
stack and indirectly by L1 (the peculiar way in which L1 ties in with the rest
of the firmware will be covered later), whereas RiViera is used by the fw
components from TI's SSA group: flash file system, debug trace, RiViera Audio
Service and so forth.

At some point in their post-Calypso TCS3.x program TI decided to eliminate
RiViera as an independent framework and to reimplement RiViera APIs (used by
peripheral but necessary code such as FFS, ETM, various drivers etc) over GPF.
This arrangement is used in the TCS3.2 LoCosto firmware from which we have
lifted our source replacements for much of the code that came as binary objects
in our reference TCS211 version.  However, our current Magnetite and Selenite
firmwares follow the architecture of TCS211, not that of TCS3.2, and because
the entire SSA division of the fw including the RiViera core came in full source
form in our copy of TCS211, it was only natural to keep this code and its
architecture.

Start-up process continued
==========================

As mentioned earlier, Nucleus calls the application's software init function
called Application_Initialize() after it initializes itself but before starting
the task scheduler.  This function in TCS211 is just the following:

Application_Initialize()
{
	Init_Target();
	Init_Drivers();
	Cust_Init_Layer1();
	Init_Serial_Flows();
	StartFrame();
	Init_Unmask_IT();
}

Cust_Init_Layer1() is in L1, StartFrame() is in GPF, and the remaining 4 init
functions live in the init.c module under src/cs/system/main.

The Init_Target() function finishes the hardware initialization that was
started by the assembly code at the firmware boot entry point (int.s): among
other things, it sets up the final memory timings that will be used by the
running fw and configures the Calypso DPLL which provides multiplied internal
clocks to both ARM and DSP cores.  On Calypso C035 silicon which is used on our
own FreeCalypso boards and on most of our pre-existing hw targets the DPLL and
the DSP run at 104 MHz and the ARM gets half of that, running at 52 MHz.
Init_Target() also calls AI_InitIOConfig(), the function that initializes
Calypso GPIO directions and initial outputs; both of these functions typically
need to be tweaked when adding support for a new Calypso board target.

The Init_Drivers() function is primarily responsible for initializing RiViera
and FFS, although it also does a bit of init related to ABB and SIM drivers.

I mentioned earlier that every Nucleus task in our firmware gets created and
started either through RiViera or through GPF.  All GPF tasks are created and
placed into the runable state in the Application_Initialize() context: the work
is done by GPF init code in gpf/frame/frame.c, and the top level GPF init
function called from Application_Initialize() is StartFrame().  Thus when
Application_Initialize() finishes and the Nucleus thread scheduler starts
running for the first time, all GPF tasks are there to be scheduled.

There is a compiled-in table of all protocol stack entities and the tasks in
which they need to run; in TCS211 these GPF config bits live under
g23m/condat/frame/config for the GSM+GPRS configuration and under
g23m/condat/com/src/config for the GSM-only config without GPRS.  Canonically
each protocol stack entity runs in its own task, but sometimes two or more are
combined to run in the same task: for example, in the minimal GSM "voice only"
configuration (no CSD, fax or GPRS) CC, SMS and SS entities share the same task
named CM.  Unlike RiViera, GPF does not support dynamic starting and stopping
of tasks.

As each GPF task starts running (immediately upon entry into Nucleus' scheduling
loop as Application_Initialize() finishes), pf_TaskEntry() function in
gpf/frame/frame.c is the first code it runs.  This function creates the queue
for messages to be sent to all entities running within the task in question,
calls each entity's pei_init() function (repeatedly until it succeeds: it will
fail until the other entities to which this entity needs to send messages have
created their message queues), and then falls into the main body of the task:
for all "regular" entities/tasks except L1, this main body consists of waiting
for messages (or signals or timeouts) to arrive on the queue and dispatching
each received message to the appropriate handler in the right entity.

RiViera tasks get started in a different way.  The responsible code lives in
src/cs/system/main/create_RVtasks.c, and the create_tasks() function found in
that module is called by Init_Drivers() in the Application_Initialize() context.
But this function does not directly create and start every configured RiViera
task like StartFrame() does for GPF.  Instead it creates a special helper task
which will do this work once scheduled.  Thus at the completion of
Application_Initialize() and the beginning of scheduling the set of runable
Nucleus tasks consists of all GPF ones plus the special RV starter task.  Once
the RV starter task gets scheduled, it will call rvm_start_swe() to launch
every configured RiViera SWE (SoftWare Entity), which in turns entails creating
the tasks in which these SWEs are to run.

Dynamic memory allocation
=========================

All dynamic memory allocation (i.e., all RAM usage beyond statically allocated
variables and buffers) is once again done either through RiViera or through GPF,
and in no other way.  Ultimately all areas of the physical RAM that will ever
be used by the fw in any way are allocated when the fw is compiled and linked:
the areas from which RiViera and GPF serve their dynamic memory allocations are
statically allocated as char arrays in the respective C modules and placed in
the appropriate IRAM or XRAM .bss section by the linker script; RiViera and GPF
then provide API functions that allocate memory dynamically from these
statically allocated large pools.

RiViera and GPF have entirely separate memory pools from which they serve their
respective clients, hence there is no possibility of one affecting the other.
Riviera's memory allocation scheme is very much like the classic malloc&free:
there is one large unstructured pool from which all allocations are made, one
can allocate a chunk of any size, free chunks are merged when physically
adjacent, and fragmentation is an issue: a memory allocation request may fail
even when there is enough memory available in total if it is too fragmented.

GPF's dynamic memory allocation facility is considerably more robust: while it
does maintain one or two (depending on configuration) memory pools of the
traditional "dynamic" kind (like malloc&free, susceptible to fragmentation),
most GPF memory allocation works on "partition" memory instead.  Here GPF
maintains 3 separate groups of pools: PRIM, TEST and DMEM; each allocation
request must specify the appropriate pool group and cannot affect the others.
Within each pool there is a fixed number of partitions of a fixed size: for
example, in TI's TCS211 GSM+GPRS configuration the PRIM pool group consists of
190 partitions of 60 bytes, 110 partitions of 128 bytes, 50 partitions of 632
bytes and 7 partitions of 1600 bytes.  An allocation request from a given pool
group (e.g., PRIM) can request any arbitrary size in bytes, but it gets rounded
up to the nearest partition size and allocated out of the respective pool.  If
no free partition is available, the requesting task is suspended until another
task frees one.  Because these partitions are used primarily for intertask
communication, if none are free, it can only mean (assuming that the firmware
functions correctly) that all partitions have been allocated and sent to some
queue for some task to work on, hence eventually they will get freed.

This scheme implemented in GPF is extremely robust in the opinion of this
author, and the other purely "dynamic" scheme is used (in the case of GPF) only
for init-time allocations which are never freed, such as task stacks - hence
the GPF-based part of the firmware is not suspectible at all to the problem of
memory fragmentation.  But Riviera does suffer from this problem, and the
concern is more than just theoretical: one major user of Riviera-based dynamic
memory allocation is the trace facility (described in its own section below),
and my observation of the trace output from Pirelli's proprietary fw (which
appears to use the same architecture with separate Riviera and GPF) suggests
that after the fw has been running for a while, Riviera memory gets fragmented
to a point where many traces are being dropped.  Replacing Riviera's poor
dynamic memory allocation scheme with a GPF-like partition-based one is a to-do
item for our project.

Message-based intertask communication
=====================================

Even though all entities of the G23M protocol stack are linked together into
one monolithic fw image and there is nothing to stop them from calling each
other's functions and accessing each other's variables, they don't work that
way.  Instead all communication between entities is done through messages, just
as if they ran in separate address spaces or even on separate processors.
Buffers for this message exchange are allocated from a GPF partition pool: an
entity that needs to send a message to another entity allocates a buffer of the
needed size, fills it with the message to be sent, and posts it on the recipient
entity's message queue, all through GPF services.  The other entity simply
processes the stream of messages that arrives on its message queue, freeing each
message (returning the buffer to the partition pool it came from) as it is
processed.

Riviera-based tasks use a similar mechanism: unlike G23M protocol stack
entities, most Riviera-based functional modules provide APIs that are called as
functions from other tasks, but these API functions typically allocate a memory
buffer (through Riviera), fill it with the call parameters, and post it to the
associated task's message queue (also in the Riviera land) to be worked on.
Once the worker task gets the job done, it will either call a callback function
or post a response message back to the requestor - the latter option is only
possible if the requesting entity is also Riviera-based.

A closer look at GPF
====================

There are certain sublayers within GPF which need to be pointed out.  The 3
major subdivisions within GPF are:

* The meaty core of GPF: this part is the code under src/gpf/frame in our
  Selenite GPF reconstruction, originating from gpf/FRAME in the TCS3.2 source
  from Peek/FGW.  It appears that this part was originally intended to be both
  project-independent (same for GSM, TETRA etc) and OS-independent (same for
  Nucleus, pSOS, VxWorks etc).  This is the part of GPF that matters for the
  G23M stack: all APIs called by PS entities are implemented here, and so are
  all other PS-facing functions such as startup.  (PS = protocol stack)

* OS adaptation layer (OSL): this is the part of GPF that adapts it to a given
  underlying OS, in our case Nucleus.

* Test interface: see the code under gpf/tst in TCS211 from Openmoko or in
  FC Selenite.  This part handles the trace output from all entities that run
  under GPF and the mechanism for sending external debug commands to the GPF+PS
  subsystem.

GPF was a difficult step in our GSM firmware deblobbing process because no
complete source for it could be found anywhere: apparently GPF was so stable
and so independent of firmware particulars (Calypso or LoCosto, GSM only or
GSM+GPRS, modem or complete phone with UI etc) that it appears to have been
used and distributed as prebuilt binary libraries even inside TI.  All TI fw
(semi-)sources we've got use GPF in prebuilt library form and are not set up to
recompile any part of it from source.  (They had to include all GPF header
files though, as most of them are included by G23M C modules, and it would be
too much hassle to figure out which ones are or aren't needed, hence all were
included.)

Fortunately though, we were able to find the sources for most parts of GPF:

* The LoCosto source in TCS3.2_N5.24_M18_V1.11_M23BTH_PSL1_src.zip features the
  source for the "core" part of GPF under gpf/FRAME - these sources aren't
  actually used by that fw's build system (it only uses the prebuilt binary
  libs for GPF), but they are there.

* Our TCS211 semi-src doesn't have any sources for the core part of GPF, but
  instead it features the source for the test interface and some "misc" parts:
  under gpf/MISC and gpf/tst in that source tree - these sources are not present
  in the LoCosto version from Peek.

The GPF frame, misc and tst sources we have found have been verified to match
the binary objects that came with TCS211 from OM: they can be compiled into a
bit-for-bit match.  However, one critical piece was still missing: the OS
adaptation layer.  It appears that the GPF core (vsi_??? modules) and OSL
(os_??? modules) were maintained and built together, ending up together in
frame_<blah>.lib files in the binary form used to build firmwares, but the
source for the "frame" part in the Peek find contained only vsi_*.c and others,
but not any of os_*.c.

Our FC Magnetite firmware uses the original binary libs from TCS211-Openmoko
for its GPF component, but for FC Selenite the project requirement is to be
completely blob-free, hence we had to reconstruct the source for the OSL part
of GPF from disassembly.  This work was originally done in 2014 in the context
of our first attempt at gcc-built blob-free GSM fw (FC Citrine, now deemed to
be a dead end and fully retired); this reconstruction was then dug up and
adapted for Selenite in 2018.  As of this writing, this reconstruction is still
not 100% complete (one complex error handling function is stubbed out) and not
yet trusted to be fully correct, thus our fully deblobbed Selenite firmware is
currently considered experimental; our current production fw is still Magnetite
with blobs for GPF.

A closer look at L1
===================

The L1 code is remarkable in how little intertie it has with the rest of the
firmware it is linked into.  It is almost entirely self-contained, expecting
only 4 functions to be provided by the underlying OS environment:

os_alloc_sig	-- allocate message buffer
os_free_sig	-- free message buffer
os_send_sig	-- send message to upper layers
os_receive_sig	-- receive message from upper layers

It helps to remember that at the beginning of TI's involvement in the GSM
baseband chipset business, L1 was the only thing they "owned", while Condat,
the maintainers of the higher level protocol stack, was a separate company.
TI's "turnkey" solution must have consisted of their own L1 code plus G23M code
(including GPF etc) licensed from Condat, but I'm guessing that TI probably
wanted to retain the ability to sell their chips with their L1 without being
entangled by Condat: let the customer use their own GSM L23 stack, or perhaps
work out their own independent licensing arrangements with Condat.  I'm
guessing that L1 was maintained as its own highly independent and at least
conceptually portable entity for these reasons.

The way in which L1 is intertied into the rest of the fw is the same in all TI
production firmwares we have seen, including both our TCS211 reference and the
TCS3.2 LoCosto version.  There is a module called OSX, which is an extremely
thin adaptation layer that implements the APIs expected by L1 in terms of GPF.
Furthermore, this OSX layer provides header file isolation: the only "outside"
(non-L1) header included by L1 is cust_os.h, and it defines the necessary
interface to OSX *without* including any other headers (no GPF headers in
particular), using only the C language's native types.  Apart from this
cust_os.h header, the entire OSX layer is implemented in one C module (osx.c,
which we had to reconstruct from osx.obj as the source was missing - but it's
very simple) which does include some GPF headers and implements the OSX API in
terms of GPF services.  Thus in both TI's production firmwares and our own ones,
L1 does sit on top of GPF, but very indirectly.

More specifically, the "production" version of OSX implements its API in terms
of *high-level* GPF functions, i.e., VSI.  However, they also had an interesting
OP_L1_STANDALONE configuration which omitted not only all of G23M, but also the
core of GPF and possibly the Riviera environment as well.  We don't have a way
to recreate this configuration exactly as it existed inside TI because we don't
have the source bits specific to this configuration, but we do have a little
bit of insight into how it worked.

It appears that TI's OP_L1_STANDALONE build used a special "gutted" version of
GPF in which the "meaty core" (VSI etc) was removed.  The OS layer (os_???
modules implementing os_*() functions) that interfaces to Nucleus was kept, and
so was OSX used by L1 - but this time the OSX API functions were implemented in
terms of os_*() ones (low-level wrappers around Nucleus) instead of the higher-
level VSI APIs provided by the "meaty core" of GPF.  It is purely a guess on my
part, but perhaps this hack was also done in the days before TI's acquisition
of Condat, and by omitting the "meaty core" of GPF, TI could claim that their
OP_L1_STANDALONE configuration did not contain any of Condat's "intellectual
property".

Run-time structure of L1
========================

L1 consists of two major parts: L1S and L1A.  L1S is the synchronous part where
the most time-critical functions are performed; it runs as a Nucleus HISR.  The
hardware in the Calypso generates an interrupt on every TDMA frame (4.615 ms,
or more precisely 60/13 ms), and the LISR handler for this interrupt triggers
the L1S HISR.  L1S communicates with L1A through a shared memory data structure,
and also sometimes allocates message buffers and posts them to L1A's incoming
message queue (both via OSX API functions, i.e., via GPF in disguise).

L1A runs as a regular task under Nucleus, and includes a blocking call (to GPF
via OSX) to wait for incoming messages on its queue.  It is one big loop that
waits for incoming messages, then processes each received message and commands
L1S to do most of the work.  The entry point to L1A in the L1 code proper is
l1a_task(), although the responsibility for running it as a task falls on some
"glue" code outside of L1 proper.  TI's production firmwares with G23M included
have an L1 protocol stack entity within G23M whose only job (aside from some
initialization) is to run l1a_task() in the Nucleus task created by GPF for
that protocol stack entity; we do the same in our firmwares.

Communication between L1 and G23M
=================================

It is remarkable that L1 and G23M don't have any header files in common: L1
uses its own (almost fully self-contained), whereas the G23M+GPF realm is its
own world with its own header files.  One has to ask then: how do they
communicate?  OK, we know they communicate through primitives (messages in
buffers allocated from GPF's PRIM partition memory pool) passed via message
queues, but what about the data structures in these messages?  Where are those
defined if there are no header files in common between L1 and G23M?

The answer is that there are separate definitions of the L1<->G23M interface on
each side, and TI must have kept them in sync manually.  Not exactly a
recommended programming or software maintenance practice for sure, but TI took
care of it, and the existing proprietary products based on TI's firmware are
rock solid, so it is not really our place to complain.

TI's firmwares from the era we are working with (both our TCS211 golden
reference and the TCS3.2/LoCosto source from which we took the newer full-source
version of G23M for our TCS2/TCS3 hybrid) also include a component called ALR.
It resides in the G23M code realm: G23M coding style, uses Condat header files,
runs as its own protocol stack entity under GPF.  This component appears to
serve as a glue layer between the rest of the G23M stack (which is supposed to
be truly hardware-independent) and TI's L1.

Speaking of ALR, it is worth mentioning that there is a little naming
inconsistency here.  ALR is known to the connect-by-name logic in GPF as "PL"
(physical layer, apparently), while the ACI entity (Application Control
Interface, the top level entity) is known to the same logic as "MMI".  No big
deal really, but hopefully knowing this quirk will save someone some confusion.

A closer look at our FreeCalypso TCS2/TCS3 hybrid
=================================================

Because we don't have an official TI firmware release for the Calypso in full
source form and because I am not willing to throw away all of our Calypso work
and restart anew with LoCosto with its own host of unknowns, the only currently
available way for us to have blob-free production-quality GSM mobile station fw
is the TCS2/TCS3 hybrid implemented in FC Magnetite and Selenite.  This hybrid
is made by taking the G23M version from TCS3/LoCosto and grafting it onto the
chipsetsw foundation from TCS211, including the original TCS211/Calypso version
of L1 which we have meticulously source-reconstructed.  The version of GPF used
for this hybrid is also the TCS211 version in Magnetite or our source
reconstruction thereof in Selenite.

The Condat G23M pieces have been hybridized as follows:

* cdginc generated header files are a special hybrid version described below;

* The include files under condat/com/inc and condat/com/include are the TCS3
  version, except for pwr.h and rtc.h for which we use the TCS2 version;

* comlib is the TCS2 version, except for cl_rlcmac.c which is from TCS3;

* config modules (condat/com/src/config and condat/frame/config) are the TCS2
  version, with some fixes for the needs of the TCS3 version of G23M PS and our
  own FreeCalypso fixes;

* Condat drivers (condat/com/src/driver) are the TCS2 version;

* All G23M PS components are the TCS3 version by necessity, as this is the part
  for which the source is missing in our TCS211 version, with the exception of
  ALR - the original source for the TCS211 version of ALR has miraculously
  survived, the ALR source in TCS211 from OM can be compiled into a perfect
  match for the binary lib version;

* We use the TCS2 version of ALR (the interface to our TCS211 L1) and not the
  TCS3 version (a change from Citrine), but it is compiled with the same hybrid
  cdginc headers as the rest of hybrid G23M, not the old TCS211 ones;

* ACI is the TCS3 version - we have the source for both versions, but trying to
  use the old TCS2 version of ACI on top of the new TCS3 version of the PS
  would cause untold breakage;

* The UI layers (MFW and BMI) for handset fw builds are handled like ACI: we
  have the source for both versions, but we use the TCS3 version which works
  with the TCS3 versions of ACI and cdginc;

* The CST (Customer Specific Task) component is the TCS2 version - while it
  logically belongs in the Condat realm, the code lives in the chipsetsw realm
  under chipsetsw/services/cst (yes, it's under services with SSA stuff even
  though it doesn't use RiViera) and thus our copy of TCS211 from OM has this
  source preserved.

With this hybrid arrangement the main splice point lies above ALR, and there
are many little splice points throughout the code where some upper-level code
from TCS3 needs to talk to lower-level code from TCS2.  There are no inversions,
i.e., no places where TCS2 code sits on top of code from TCS3, although there
are a few instances where TCS2 C code uses some TCS3 header files.

TCS3 feature flags
------------------

Our TCS3.2/LoCosto code from Peek/FGW from 20090327 supports several new GSM
features (apparently related to GSM release 99) which are not supported by our
TCS211-20070608 golden reference from OM.  All of these new features can be
enabled or disabled with conditional compilation flags.  Our TCS2/TCS3 hybrid
currently has all of these new features disabled: it was too difficult for me
to figure out if these new features require some support from the hardware or
the DSP which is present on LoCosto but not Calypso, and even if our hw and DSP
have all of the necessary capabilities, at least some of the new features
require adding some code to L1, which is incompatible with my approach of
reconstructing TCS211 L1 pristinely.

In any case, the GSM functionality we get by using the new version of G23M with
new feature flags disabled on top of pristine TCS211 L1 cannot be any worse
than what we would have had if we had the full corresponding source for our
TCS211-20070608 golden reference, and it is probably a little better because we
are using a newer version of G23M code.

cdginc headers
--------------

Much of the code in the Condat G23M realm makes heavy use of a set of machine-
generated C header files called cdginc.  These header files contain various
definitions related both to the GSM air protocols being implemented and to G23M
protocol stack internals (interfaces and message structures between components),
and they are generated from a set of message definition files (*.mdf) and
primitive definition files (*.pdf) by a tool called ccdgen.  The *.{mdf,pdf}
inputs to ccdgen are human-readable ASCII, and of course the generated C header
files are human-readable too, but we have no source for the ccdgen tool itself,
only a Windows binary which we can run under Wine.

The ccdgen binary problem is yet another instance of so far incomplete
liberation of the GSM firmware.  It is currently a very low-priority problem:
we do not casually edit any of the *.{mdf,pdf} inputs to ccdgen, and we don't
run ccdgen on every fw build - instead we have run ccdgen once and checked its
output files (generated C headers) into our Magnetite and Selenite trees as if
they were sources.  If we are not able to convince TI to dig up and release the
source for ccdgen, there is a viable albeit costly alternative: hire a Windows
reverser to RE the ccdgen.exe binary (262144 bytes) and produce a C
reimplementation that replicates all of its logic.  It is a Win32 console app,
no GUI, and it is a pure data processing application without any hardware access
or OS functions or any other muckery: it is probably pure ANSI C code that reads
and parses a bunch of ASCII input files, performs some business logic on the
data, and writes another bunch of ASCII text files as outputs.  It is currently
a very low-priority task though; reversing the Calypso DSP ROM code should
probably be a higher priority.

The set of cdginc headers for our TCS2/TCS3 hybrid has been generated as
follows:

* All of the *.mdf files are the TCS3 version;

* All of the *.pdf files except mphc.pdf and mphp.pdf are also the TCS3 version;

* mphc.pdf and mphp.pdf are the TCS211 version - this is the interface to
  TCS211 L1;

* All new feature flags (see discussion above) are set to disabled.

Condat Coder and Decoder (CCD)
------------------------------

CCD is a firmware component in the Condat G23M realm which I haven't really
studied yet.  It consists of two parts:

* A fixed portion which TI used to distribute in binary form and which various
  firmware projects used as a prebuilt library like GPF - technically TI
  considered it to be a part of GPF, although we prefer to treat it as its own
  more independent entity;

* The ccddata portion which needs to be compiled with cdginc headers for each
  given project.

We got the source for both parts of CCD only in the TCS3.2/LoCosto version, but
not in the TCS211 version, hence the decision was easy: we use the TCS3 version
of CCD (both parts) with the TCS3 version of cdginc with the TCS3 version of
the G23M PS.

TCS3.2 GPF discrepancy
----------------------

A careful examination of the prebuilt GPF libraries under gpf/LIB in the TCS3.2
LoCosto source tree has revealed that a few of the binary objects exhibit some
differences from the TCS211 version which we've been treating as our golden
reference:

* The os_mis module (OSL miscellany) in the IRAM library implements a new
  function called os_CheckQueueEvent() and defines a new global data object
  named my_os_mis_Protect;

* The os_tim module (OSL timer code) in the flash (XIP) library has some code
  differences;

* The vsi_tim module (VSI timer code) in the flash (XIP) library has some code
  differences;

* The vsi_tim module (VSI timer code) in the IRAM library has some code
  differences and makes use of the new os_CheckQueueEvent() function.

In the case of os_??? modules we have no corresponding source for either
version, but the vsi_tim difference is more bizarre: we got our vsi_tim.c source
(and the rest of vsi_*.c) from the TCS3.2/LoCosto source, but this source
matches the TCS211 binary version and not the newer and different binary version
used by the TCS3.2 build system!  (Remember that none of TI's firmware build
systems that we have seen are set up to recompile any part of GPF from source,
they used it only as prebuilt libraries.)

Because we have the corresponding source for the "old" version of GPF frame core
but not for the "new" version, we are continuing to treat the "old" TCS211
version as our golden reference: we use the source pieces which we got, and we
use the "old" os_???.obj blobs as our basis for reconstruction via disassembly.

Because the changes in the TCS3.2 binary version of GPF involve only the
implementation of a part of VSI but not its API (there are no changes to any
part of the GPF API presented to the G23M PS that I can see anywhere), I have
every good reason to believe that there is no problem with using the new TCS3.2
version of G23M with the old version of GPF from TCS211: it should work no worse
than pure TCS211.

It should also be noted that if we ever succeed in getting some more complete
GPF source out of TI (including the source for the OS adaptation layer which is
difficult to reconstruct), thanks to the great stability and independence of
GPF, we will be happy with *any* version, does not need to match either TCS211
or TCS3.2.

GPRS implementation differences
-------------------------------

There is a visible difference between the way GPRS is implemented in the old
TCS211-20070608 blob version of G23M and the way it is implemented in the newer
TCS3.2/LoCosto version we are using for our hybrid.  The new implementation adds
a new protocol stack entity named UPM (User Plane Manager), and the pre-existing
SM and SNDCP entities have been significantly changed to work with this UPM.
Because we are using the GPRS config modules (condat/frame/config) from TCS211,
we had to add a -DFF_UPM compilation flag to include UPM in the GPF
configuration for the GSM+GPRS protocol stack.

A closer look at ACI
====================

The Application Control Interface (ACI) is the crown that sits on top of the
G23M protocol stack.  It includes the AT command interpreter (ATI) component,
and this AT command interface is brought to the outside world via the UART
protocol stack entity.  The UART entity implements the GSM 07.10 MUX, can
operate the physical UART in either multiplexed or non-multiplexed mode (the
latter is the default on boot for a plain ASCII AT command interface) as
commanded by ACI, and establishes 1 to 4 logical channels carrying AT commands
to ACI.  When a CSD or fax call or a GPRS PPP session is in progress, the data
path is switched to run between the UART entity and the appropriate GSM or GPRS
protocol stack destination.  In the case of modem products that are designed to
be controlled by an external host via AT commands, this combination of ACI and
UART entities provides the ultimate end function of the device.

The set of implemented AT commands is defined in ati_cmd.c: this is the C file
where new AT commands get added; there is also an enum of command IDs in
aci_cmh.h which needs to be extended.  For every AT command listed in the table
in ati_cmd.c there is a handler function: for example, for the AT+CFUN command
there is a setatPlusCFUN() function that handles setting and a queatPlusCFUN()
function that handles querying.  For some simple AT commands like AT+CGxx
queries the function listed in ati_cmd.c does the entirety of the work, but for
most of the interesting GSM commands (including the AT+CFUN example just used)
the set and query functions implemented in the ATI layer only handle the parsing
of ASCII arguments and generation of ASCII output (if any), whereas the actual
command implementation happens in the CMH layer below.

Below ATI but still within ACI lies the sublayer of command handlers (CMH).
For each AT command that does something to the GSM mobile station there is a
functional equivalent, a C function that performs the same operation as the
spec-defined AT command, but is designed to be used natively from C code,
without AT command string parsing or output formatting.  For the AT+CFUN example
used above, the setatPlusCFUN() ATI function parses the arguments from ASCII
and then calls sAT_PlusCFUN() to perform the actual operation, whereas the
queatPlusCFUN() ATI function calls qAT_PlusCFUN() to retrieve the current state
and then prints it out in ASCII.  This functional interface is used by TI's
demo/prototype phone UI implementation described in the Handset-UI-fw companion
document.

Finally, at the bottom of ACI lies the sublayer of Protocol Stack Adapters
(PSA): these are pieces of code that execute within the ACI task and exchange
primitives with various G23M protocol stack entities below.

We have the source for both TCS2 and TCS3 versions of ACI.  The TCS2 version is
from Openmoko, containing OM's modifications, and we had to go through these
changes and additions by OM, reject the bogus ones and reimplement the sensible
ones in the new TCS3 version of ACI for our TCS2/TCS3 hybrid going forward.

Flash file system
=================

Every GSM device that is based on TI's firmware architecture contains not only
the firmware image proper, but also a flash file system that is separate from
the fw image and is maintained in a different part of the flash chip.  The FFS
implementation code is a mandatory part of the firmware; in TCS211 it resides
in chipsetsw/drivers/drv_app/ffs and logically belongs to the SSA realm.  This
code initializes early in the fw boot process in the Application_Initialize()
context before the start of Nucleus task scheduling; the responsible function
is ffs_main_init() called from Init_Drivers().

Flash driver support and FFS location
-------------------------------------

Determining the location of the flash area allocated for FFS and the flash
driver to be used to write to it is a combination of autodetection and hard-
coding.  The approach implemented in the original TCS211 code is as follows:
there is a piece of autodetection code that reads the flash chip ID, and the
autodetected ID is then looked up in a hard-coded table that gives the driver
and geometry details and the location of the FFS sectors for each supported
flash chip type.  However, this approach has its limitations:

* The sequence of write operations which TI's original autodetection code
  issues in order to put the flash chip into its Read ID mode worked for older
  flash chips that were used by TI and Openmoko, but does not work for the newer
  Spansion S71PL129NC0HFW4B flash chip which we (FreeCalypso) have copied from
  the Pirelli DP-L10 phone.  We have now fixed it, but until recently we had to
  disable flash autodetection and hard-code the flash chip type on Pirelli and
  FCDEV3B targets.

* While the physical flash chip used on a given phone or modem board is a
  physical property that can be autodetected, the choice of which flash sectors
  should be used for FFS is a matter of policy.  Before we built our own
  FreeCalypso hardware, we had to run our fw on some pre-existing "alien" hw
  targets, and we still support such usage to a limited extent.  When we run
  our FreeCalypso fw on an alien hw target as an aftermarket deal, our
  aftermarket FFS location needs to be chosen quite carefully.

* Some flash chips have two chip select banks, and with such chips it is
  generally desirable to put the FFS in the second bank.  However, it is a
  matter of board wiring whether that second flash chip select is connected to
  Calypso chip select nCS2, nCS3 or nCS4 - thus FFS addresses in the second bank
  have to be hard-coded with conditional compilation per board type and cannot
  be autodetected.

To support our new repertoire of possible hardware targets, we have made the
following changes in our Magnetite and Selenite firmwares:

* We have a new version of the ffsdrv_device_id_read() autodetection function
  that issues AMD's Read ID command sequence in a way that works with all flash
  chips which we've encountered so far in real life, including Openmoko's
  Samsung K5A3281 and our new (originally Pirelli's) Spansion flash chip.  We
  have also incorporated the logic from Pirelli's firmware that distinguishes
  between S71PL-J and S71PL-N chips: they have different sector sizes which FFS
  needs to know about, but they have the same ID codes and can only be
  distinguished through CFI.

* The autodetected flash ID code is looked up in a compiled-in table like
  before, but we now have 4 different versions of this table selected by
  conditional compilation based on the target for which the firmware is being
  built:

  - For our own FC hardware family (CONFIG_TARGET_FCFAM) we have our brand-new
    table of possible flash configurations which we keep free of any legacy
    gunk;

  - For Mot C1xx targets (CONFIG_TARGET_COMPAL) we have a dedicated table
    giving our aftermarket FFS configurations for Intel flash chip types found
    in these phones;

  - For the Pirelli DP-L10 target (CONFIG_TARGET_PIRELLI) we likewise have
    another dedicated table giving our aftermarket FFS config for Pirelli's
    S71PL-J or S71PL-N flash;

  - The #else clause is the original table from TI/Openmoko, used on
    dsample and gtamodem targets.

The advantages of this new approach over our previous approach of disabling
flash autodetection and using a strictly fixed hard-coded FFS config for
FreeCalypso and Pirelli targets are:

* The high-capacity flash chip we are currently using (S71PL129NC0HFW4B) is
  great for development boards or perhaps for a high-end Pirelli-like feature
  phone, but it would be way overkill for an embedded modem product - for the
  latter device class a smaller flash chip like Openmoko's K5A32xx would be
  more appropriate.  The new autodetection approach makes it possible to build
  a single fw image that can run on both large-flash and small-flash boards.

* I've only seen Pirelli phones with S71PL-N flash so far, but their original
  fw supports both S71PL-J and S71PL-N with autodetection.  We can now do
  likewise in our FreeCalypso fw.

Finally, independent of flash chip type autodetection vs. hard-coding issues,
we have had to change the AMD multibank flash driver to issue write commands in
a way that is compatible with our new S71PL129NC0HFW4B chip.  It still works
just as well with Openmoko's K5A32xx.

FFS life cycle
--------------

In products that have been built according to TI's original way, including
Openmoko GTA01/02 and our own FreeCalypso devices, the FFS is formatted and
initialized with some essential content at the time of device manufacture, and
this factory-created and factory-initialized FFS then persists for the lifetime
of the device.  In our factory environment at FreeCalypso hardware manufacturing
we initialize the flash on our freshly assembled boards like this:

flash erase 0 0x800000
flash program-bin 0 fwimage.bin
flash2 erase 0 0x800000

This factory procedure (which should ONLY be executed at the factory and never
by any end users or even sw/fw developers and tinkerers) ensures that the flash
is completely blank everywhere except the fw image loaded at the time of
production, and when this fw image boots for the first time, it will see blank
flash in the FFS sectors.  When TI's FFS code in ffs_main_init() sees this
condition, it performs what TI called a preformat: it writes a basic FFS block
header into each FFS sector, but does not automatically perform a full format -
instead the latter needs to be commanded explicitly by the production station
via one of TMFFS command packet protocols as described later in this article.
In FreeCalypso we have adopted TMFFS2 as our choice of Test Mode FFS access
protocol, our host side implementation of this protocol is fc-fsio, and we
format and initialize the FFS on our devices with an fc-fsio command script as
part of our factory procedure.

FFS content and usage
---------------------

TI's firmware architecture uses the FFS for many purposes:

* The IMEI is stored in the FFS - GSMA can proclaim all they want that it
  "MUST" be stored in some kind of super-secure one-time programmable fuses,
  but in TI's architecture and in FreeCalypso it is just a regular file in the
  FFS.

* A number of RF calibration tables are stored in FFS and read by the RF code
  in L1.  If you have a Rohde&Schwarz CMU200 instrument which is itself in good
  repair and calibration standing and a metrology-grade RF cabling setup whose
  insertion loss at the relevant GSM frequencies is precisely known, creating
  or recreating these RF calibration values is as simple as executing one shell
  script that takes a few minutes to run - this is how we do it at FreeCalypso
  hw manufacturing - but if you are an ordinary user or sw/fw developer or
  tinkerer without a professional calibration station setup, you need to use
  the RF calibration values that have been written into the FFS by the device
  manufacturer.  These RF calibration tables live under /gsm/rf.

* /gsm/com/rfcap tells the RR component in the G23M protocol stack (not L1!)
  which frequency bands are supported on a given device - on our devices it is
  a factory-programmed file distinguishing between tri900 and tri850 units and
  telling the firmware which bands it should scan for possible GSM cells.

* Manufacturer, model and revision ID strings may be written into /pcm/CGMI,
  /pcm/CGMM and /pcm/CGMR, respectively, to be returned by the corresponding
  AT+CGxx query commands.

* The G23M protocol stack writes a number of dynamically updated files under
  the /gsm hierarchy and under /pcm.

* TI's demo/prototype UI code (see Handset-UI-fw companion document) writes its
  persistent state in files under /mmi.

* Audio mode configuration files are kept under /aud - see the Audio-mode-config
  article in freecalypso-tools.

* If a given product uses the Melody E1 mechanism, melody files to be played
  through the RiViera Audio Service are kept in FFS - see the Melody_E1 article
  in freecalypso-tools.

Building firmware for different targets
=======================================

TI's TCS3.2 firmware for their LoCosto chipset which was rejected by the Mother
for reasons described near the beginning of this article makes a complete break
from the past and has no possibility of supporting any pre-LoCosto chips such
as our beloved Calypso, but TI's previous evolutionary developments weren't so
drastic: the evolution to Calypso from previous chips such as Hercules and
Ulysse was smoother, and our reference TCS211 fw is littered with C preprocessor
conditionals supporting TI's earlier development boards prior to D-Sample and
DBB chips prior to Calypso.

TI's configuration management architecture supported only TI's own development
boards and not any of the end product boards: unfortunately they did not follow
a development model like the Linux kernel where everyone is encouraged to
contribute their custom board support bits upstream and the mainline kernel
strives to support every hw target that was ever supported with a single source
tree, instead it was the divergent model where every end device manufacturer
would take TI's reference firmware source and hack it for their specific needs
with no concern for upstreamability or support for targets or applications
other than their own.  TI's firmware build configuration model defined the
following C preprocessor symbols relating to support for different hw targets,
all numeric, i.e., each symbol is always defined to a number:

BOARD identifies which board is to be targeted, with numbers assigned for
different development boards made by various TI groups, but generally not for
customer boards.  The only Calypso-based BOARD number is 41, originally
assigned for the D-Sample but then also reused for the Leonardo; all other
BOARD numbers are for some other chipsets that aren't Calypso.  The previous
board before D-Sample was C-Sample, which is BOARD 9, but I am not sure exactly
what chipset it had - perhaps it was Ulysse/Nausica/Clara.  There is still
plenty of support for BOARD 9 and even earlier boards in the firmware source we
got.

CHIPSET identifies the main DBB chip.  The interesting numbers are 7 for the
very original Calypso C05 rev A, 8 for Calypso C05 rev B (found on the D-Sample
board which the Mother scored in 2015), 10 for Calypso C035 (the Calypso silicon
version we work with in FreeCalypso), 11 for Calypso Lite (same as the regular
Calypso except for smaller IRAM), 12 for Calypso+ (a short-lived intermediate
step between Calypso and LoCosto) and 15 for LoCosto.

ANLG_FAM (previously ANALOG) identifies the ABB chip.  The numbers are 1 for
Nausica, 2 for Iota (what we use) and 3 for Syren (typically used with Calypso+
like on the E-Sample board).

RF_FAM (previously just RF) identifies the RF hardware hooked up to the baseband
chipset.  The interesting numbers are 10 for Clara (D-Sample) and 12 for Rita,
the latter being the only RF chip for which we have driver support.

Naturally any code that cares about DBB register differences would use the
CHIPSET definition, ABB support code would use ANLG_FAM, RF support code would
use RF_FAM, and finally code that needs to know about board-level peripherals
like LCDs and keypads would use the BOARD symbol.  This model worked fine up to
D-Sample: for example, the code for C-Sample vs. D-Sample LCDs and keypads is
cleanly conditionalized on BOARD 9 vs. BOARD 41.  However, the waters got badly
muddied when TI introduced their Leonardo board and instead of giving it its
own BOARD number, reused BOARD number 41 from D-Sample.

D-Sample was TI's primary internal development platform for the Calypso,
featuring Iota for the ABB and Clara for the RF part.  It was a great solid
platform in every way except the RF part: the old Clara RF is inconvenient
(needs more external parts) and TI were marketing their newer Rita RF to real
end device manufacturers, but the D-Sample still worked great for development:
if you aren't working specifically on the RF part, it doesn't matter as long as
you have a working driver for it, which we lack.  Then TI made another Calypso
development board called Leonardo, featuring the same Calypso+Iota baseband
plus the newer Rita RF.  But this Leonardo never fully replaced the D-Sample
for any of the high-level development in the SSA and UI groups.

Openmoko's modem is a direct derivative of the Leonardo, the only change being
the RFFE (for some reason FIC didn't like TI's quadband RFFE as implemented on
Leonardo and E-Sample boards and used their own slightly hobbled triband RFFE
instead), and the firmware build given to OM was TI's Leonardo fw with just a
few tweaks in tpudrv12.h to account for the RFFE control signal differences.
However, because Leonardo never got its own BOARD number and the BOARD symbol
is still set to 41, all of the SSA/UI code (LCD, keypad, battery charging etc)
is still built as if for D-Sample - but none of that code is used on a pure AT
command modem without UI functions or UI hardware, hence OM probably never
noticed anything odd.

And it wasn't just Openmoko - it appears that TI used their Leonardo boards
mostly or perhaps even solely in the ACI configuration without UI layers
(MMI=0 build configuration), while all or most UI development was done on
D-Sample kits.  Their TCS211 reference fw product officially supported both
D-Sample and Leonardo targets in both ACI and BMI+MFW configurations, but if
one were to build a high-end UI-enabled config for the Leonardo like pdt_2272,
it would target a 176x220 pixel color LCD, the LCD output driver would be the
one for the D-Sample (expecting memory-mapped LCD registers on nCS3), and the
keypad driver would expect D-Sample keypad wiring.  Looking at the available
Leonardo schematics I see a serial (uWire) LCD interface instead and a more
basic keypad with different wiring, so I don't see how those Leonardo+UI
firmware builds could possibly work.  Perhaps some other group at TI did some
UI work on Leonardo boards, but never made it into the internal mainline
from which TCS211 releases were cut - who knows...

Finally, aside from the basic failure to distinguish properly between D-Sample
and Leonardo boards, this whole BOARD number system provides absolutely no
mechanism to distinguish between TI's development boards and end product boards
derived from them, or between end product boards of vendor A vs. vendor B, or
between end product model A and model B from the same vendor - it's always
BOARD 41 as far as TI's code is concerned.  When TI had to modify their code
for OM to support FIC's different TSPACT signal wiring, they just edited the
definitions in tpudrv12.h without any conditionals, so one couldn't build
binaries for the original Leonardo vs. OM's hardware from the same source tree
in different configs.

The build system of TCS211 produces a set of generated C header files named
*.cfg (instead of the more natural *.h); these generated config headers define
all of the C preprocessor symbols listed above and many more.  They are included
sometimes as #include "board.cfg" and othertimes as #include "config/board.cfg"
(ditto for other *.cfg), thus the list of -I directories passed by the build
system on compiler invocation lines needs to include both the config directory
and its parent.  In our Magnetite and Selenite build systems we likewise
generate these *.cfg headers; some of the symbols defined therein are variable
and originate from Bourne shell variables in our own configuration system, but
many others are fixed.  See scripts/cfg-template in our Magnetite and Selenite
trees for the magic.

The BOARD symbol is always fixed at 41 in all FreeCalypso firmwares,
corresponding to TI's D-Sample and Leonardo, and we use our own different
mechanism to distinguish among our supported targets.  The solution adopted in
Magnetite and Selenite is as follows: we are supplementing TI's *.cfg and
rv_swe.h files with our own fc-target.h (included as #include "fc-target.h" or
as #include "config/fc-target.h" matching whatever existing TI code we are
gently extending), and this fc-target.h header is populated by the build system
by copying the appropriate targets/*.h header file.  These targets/*.h
header snippets define C preprocessor symbols of our own invention like
CONFIG_TARGET_xxx, and whenever we need to know our target in C code, we
#include "fc-target.h" and use #ifdef logic based on these preprocessor symbols
of our own addition.

RVTMUX debug and development interface
======================================

The Calypso chip has two UARTs, and TI's TCS211 firmware and its predecessors
are designed with the assumption that both of these UARTs are available.  Per
TI's fw architecture, Calypso's MODEM UART presents the standard AT command
interface with GSM 07.10 MUX, CSD, fax and GPRS capabilities as described
earlier when we looked at ACI and ATI, whereas the other UART (called the IrDA
UART in hardware docs but not used for that purpose) presents a vitally
important debug, development and production interface called RVTMUX.  This
RVTMUX interface can also be moved to the MODEM UART, in which case the standard
AT command interface is lost.

RVTMUX is a binary packet interface, and it got its name because it is a MUX of
multiple logical channels managed by the RiViera Trace (RVT) firmware component.
RVTMUX is often thought of as being primarily a debug trace interface, as that
is the primary use to which it is put: in normal operation the firmware emits
quite voluminous debug trace output on the IrDA UART, encapsulated in 3
different RVTMUX channels as explained below.  However, it is also possible to
send a number of different debug and development commands to the firmware via
this interface, and this functionality is used as a critical component in
Calypso GSM device factory production line processes: this RVTMUX interface is
the only way by which the FFS can be initialized, RF calibration and tests can
be performed and the IMEI can be set at the factory.

Communication with a running firmware over this RVTMUX interface in a
development or production setting (whether passively reading debug traces or
actively sending development or test commands to the running fw) requires
specialized host tools.  TI originally had a suite of Windows-based tools for
this purpose, but we are not using them in FreeCalypso: we only got Windows
binaries without any sources, and even in the case of those binaries we only
got an incomplete set with some important tools missing.  Instead we are using
our own Unix-based tools called FreeCalypso host tools; these tools have been
developed from scratch by Mother Mychaela after studying the firmware components
with which they need to communicate.

Debug trace output
==================

The firmware component that "owns" the physical UART channel assigned to RVTMUX
is RVT, contained in chipsetsw/riviera/rvt in TCS211 or in src/cs/riviera/rvt
in our Magnetite and Selenite firmwares.  It is a Riviera-based component,
and it has a Nucleus task that is created and started through Riviera.  All
calls to the actual driver for the UART are made from RVT.  In the case of
output from the Calypso GSM device to an external host, all such output is
performed in the context of RVT's Nucleus task; this task drains RVT's message
queue and emits the content of allocated buffers posted to it, freeing them
afterward.  (The dynamic memory allocation system in this case is Riviera's,
which is susceptible to fragmentation - see discussion earlier in this article.)
Therefore, every trace or other output packet emitted from a GSM device running
our fw (or any of the proprietary firmwares based on the same architecture)
appears as a result of a message in a dynamically allocated buffer having been
posted to RVT's queue.

RVT exports several API functions that are intended to be called from other
tasks, it is by way of these functions that most output is submitted to RVT.
One can call rvt_send_trace_cpy() with a fully prepared output message, and
that function will allocate a buffer from Riviera's dynamic memory allocator
properly accounted to RVT, fill it and post it to the RVT task's queue.
Alternatively, one can call rvt_mem_alloc() to allocate the buffer, fill it in
and then pass it to rvt_send_trace_no_cpy().

At higher levels, there are a total of 3 kinds of debug traces that can be
emitted:

* Riviera traces: these are generated by various components implemented in
  Riviera land, although in reality any component can generate a trace of this
  form by calling rvf_send_trace() - this function can be called from any task.

* L1 traces: L1 has its own trace facility implemented in
  src/cs/layer1/cfile/l1_trace.c; it generates its traces as ASCII messages and
  sends them out via rvt_send_trace_cpy().

* GPF traces: code that runs in GPF/G23M land and uses those header files and
  coding conventions etc can emit traces through GPF.  GPF's trace functions
  (implemented in gpf/frame/vsi_trc.c) allocate a memory partition from
  GPF's TEST pool, format the trace into it, and send the trace primitive to
  GPF's special test interface task.  That task receives trace and other GPF
  test interface primitives on its queue, performs some manipulations on them,
  and ultimately generates RVT trace output, i.e., a new dynamic memory buffer
  is allocated in the Riviera land, the trace is copied there, and the Riviera
  buffer goes to the RVT task for the actual output.

Trace masking
=============

The RV trace facility invoked via rvf_send_trace() has a crude masking ability,
but by default all traces are enabled.  In TI's standard firmwares most of the
trace output comes from L1: L1's trace output is very voluminous, and most of
it is fully enabled by default.

On the other hand, GPF and therefore G23M traces are mostly disabled by default.
One can turn the trace verbosity level from any GPF-based entity up or down by
sending a "system primitive" command to the running fw, and another such command
can be used to save these masks in FFS, so that they will be restored on the
next boot cycle and be effective at the earliest possible time.  Enabling *all*
GPF trace output for all entities is generally not useful though, as it is so
verbose that a developer trying to make sense of it will likely drown in it -
and it will also overwhelm the debug trace facility itself, causing most of
these far too voluminous traces to be lost.  Therefore, a developer seeking to
debug an issue in the G23M protocol stack needs to enable traces very
judiciously.

GPF compressed trace hack
=========================

TI's Windows-based GSM firmware build systems include a hack called str2ind.
Seeking to reduce the fw image size by eliminating trace ASCII strings from it,
and seeking to reduce the load on the RVTMUX serial interface by eliminating
the transmission time of these strings, they passed their sources through an
ad hoc preprocessor that replaces these ASCII strings with numeric indices.
The compilation process with this str2ind hack becomes very messy: each source
file is first passed through the C preprocessor, then the intermediate form is
passed through str2ind, and finally the de-string-ified form is compiled, with
the compiler being told not to run the C preprocessor again.

TI's str2ind tool maintains a table of correspondence between the original trace
ASCII strings and the indices they've been turned into, and a copy of this table
becomes essential for making sense of GPF trace output: the firmware now emits
only numeric indices which are useless without this str2ind.tab mapping table.

Our FC Magnetite build system retains the option of using str2ind, but it is
disabled by default: str2ind significantly increases firmware compilation times,
the resulting fw image sizes without str2ind are fine (the slight increase does
not push us over any limits), and we haven't had any issues with ASCII strings
overloading the trace interface.  However, there is an additional complication
stemming from the choice of two possible G23M PS versions, one of which is a
set of blob libraries:

* If Magnetite is compiled in a pure TCS211 configuration using the original
  blob version of G23M PS, these blobs already have str2ind indices baked into
  them instead of trace ASCII strings, hence the frozen str2ind.tab file from
  Openmoko that maps these indices back to strings needs to be used.

* If Magnetite is compiled in a TCS2/TCS3 hybrid config without G23M blobs,
  then unless you enable it explicitly with USE_STR2IND=1, no str2ind will be
  used at all.

Our blob-free FC Selenite firmware does not support str2ind at all - we shall
stick with full ASCII string traces until and unless we run into an actual (as
opposed to hypothetical) problem with either fw image size or serial interface
load.

RVTMUX command input
====================

RVTMUX is not just debug trace output: it is also possible for an external host
to send commands to the running fw via RVTMUX.

Inside the fw RVTMUX input is handled by the RVT entity by way of a Nucleus
HISR.  This HISR gets triggered when Rx bytes arrive at the designated UART,
and it calls the UART driver to collect the input.  RVT code running in this
HISR parses the message structure and figures out which fw component the
incoming message is addressed to.  Any fw component can register to receive
RVTMUX packets, and provides a callback function with this registration; this
callback function is called in the context of the HISR.

In the original TCS211 fw there are only two components that register to receive
external host commands via RVTMUX: ETM and GPF, hence these are the only command
packet types that can be sent to this original fw.  In FreeCalypso we have kept
these, and we've also added some new RVTMUX channels of our own invention.

Test Mode (TM) and Enhanced Test Mode (ETM)
===========================================

A major use of the RVTMUX interface is sending so-called Test Mode commands
from an external host to a running GSM device.  Depending on the firmware
version, a GSM device can be commanded to do any of the following things
through this mechanism:

* Exercise RF test modes, e.g., transmit continuously at a set frequency and
  power level;
* Read and write arbitrary memory locations in the Calypso ARM7 address space;
* Read and write ABB chip registers;
* Reboot or power off;
* Access and manipulate the device's flash file system (FFS).

In the segment of history of interest to us TI has produced two different
target firmware components that can receive, interpret and act upon Test Mode
command packets:

* The original Test Mode component of Layer 1, called L1TM or TML1: this
  component handles all RF test modes (needed for RF calibration on device
  production lines), and originally it also implemented memory and ABB register
  read and write commands, and provided access to TMFFS1 (see below).  In the
  original implementation this component registered itself as the handler for
  the "TM" RVTMUX channel (RVT packet type 0x14), so it would receive all TM
  packets sent to the device.

* Enhanced Test Mode (ETM) is a later invention.  It registers itself (instead
  of the old TM in L1) with RVT as the handler for the "TM" RVTMUX channel, and
  then provides a registration service of its own, such that various components
  in the fw suite can register to receive external command packets passing
  first through RVT, then through ETM, and can send responses passing through
  ETM, then through RVT back to the external host.  If a given fw version
  contains both ETM and L1TM like TCS211 does, then L1TM registers itself with
  ETM; an external host would send exactly the same binary command packets to
  exercise RF test modes, but inside the firmware they now pass through ETM on
  their way to L1TM.

The ETM_CORE module contained within ETM itself provides some low-level debug
commands: by sending the right binary command packets to the GSM device via the
RVTMUX serial channel, an external host can examine or modify any memory
location and any hardware register, cause the device to reset, etc.  Prior to
ETM some of these functions (but not all) could be exercised through older TM3
commands, but in FreeCalypso we became familiar with the ETM versions of these
commands long before the older ones because we got the ETM component in full
source form, whereas the sole surviving copy of TCS211 that serves as our golden
reference came with L1TM in binary object form like the rest of L1, and we got
to source-reconstructing it only much later.

ETM is implemented as a Riviera SWE and has its own Nucleus task; the callback
function that gets called from the RVT HISR posts received messages onto ETM's
own queue drained by its task.  The ETM task gets scheduled, picks up the
command posted to its queue, executes it, and sends a response message back to
the external host through RVT.

Because all ETM commands funnel through ETM's queue and task, and that task
won't start looking at a new command until it finished handling the previous
one, all ETM commands and responses are in strict lock-step: it is not possible
to send two commands and have their responses come in out of order, and it makes
no sense to send another ETM command prior to receiving the response to the
previous one.  (But there can still be debug traces or other traffic intermixed
on RVTMUX in between an ETM command and the corresponding response!)

L1TM commands get posted to the message queue of the L1A task and then executed
in that task's context.

FFS access via TM/ETM
=====================

One of the essential facilities provided in one form or another in all known
incarnations of the Test Mode mechanism (at least in TI's original architecture,
as opposed to Motorola's bastardized version) is the ability to access and
manipulate the GSM device's flash file system (FFS) that was described earlier
in this article.  TI's TMFFS1 and TMFFS2 protocols provide a command and
response packet interface to the FFS API functions inside the fw, and enable an
external host connected to the GSM device via the RVTMUX channel to perform
arbitrary read and write operations on the device file system.

In the segment of history of interest to us TI has produced two different
and entirely incompatible versions of the TMFFS protocol: TMFFS1 and TMFFS2.
Or rather, what is now called TMFFS1 was originally just TMFFS, and then came
TMFFS2.  TMFFS2 works only through ETM, whereas TMFFS1 predates ETM: in the
original implementation the tm_ffs() function in the FFS code was called from
L1TM code.

Our copy of TCS211 reference fw includes the source for both TMFFS1 and TMFFS2;
it is theoretically possible to build a firmware image that includes both TMFFS
versions (they won't conflict because they respond to different command
packets), but it is pretty clear that TI never intended to have both enabled
at the same time.  Our copy of TCS211 came with TMFFS1 enabled and we didn't
change it when we made the moko12 (leo2moko-r1) fw release for the Openmoko
community (the previous proprietary mokoN firmwares also implement TMFFS1),
but we have subsequently switched to TMFFS2 for our current Magnetite and
Selenite firmwares.

Our choice of TMFFS2 over TMFFS1 was driven by the need to develop our own host
tools to replace TI's original ones which we never got.  We needed to develop
our own host tools for operating on GSM device FFS via one of the two TMFFS
protocols, and after studying the fw source implementing both, I (Mother
Mychaela) came to the conclusion that TMFFS2 is both more capable and more
reliable; my guess is that TMFFS1 was likely kept around only because some of
TI's crappy Weendoze host software depended on it.  (See the implementation
code in chipsetsw/drivers/drv_app/ffs/board/tmffs.c in TCS211 if you would like
to judge for yourself.)  Our host tool that speaks the TMFFS2 protocol is
fc-fsio.

GPF external command input
==========================

The other component that can receive external commands is GPF.  GPF's test
interface can receive so-called "system primitives", which are ASCII string
commands parsed and acted upon by GPF, and also binary protocol stack
primitives.  Remember how all entities in the G23M stack communicate by sending
messages to each other?  Well, GPF's test interface allows such messages to be
injected externally as well, directed to any entity in the running fw.  System
primitive commands can also be used to cause entities to send their outgoing
primitives to the test interface, either instead of or in addition to the
originally intended recipient.

AT commands over RVTMUX
=======================

There is one more use to which we put the RVTMUX debug serial interface that is
an original FreeCalypso invention: communicating with the AT command interpreter
(ATI).  TI's original architecture assumes that if a product is to offer a
standard AT command interface (the product is either a GSM/GPRS modem for which
this AT command interface is the sole mode of usage or a feature phone that
offers a data port as one of its features), then it will be presented on a
dedicated UART separate from RVTMUX.

However, in the case of our FreeCalypso family of projects about 2 years had
passed between our first functional GSM fw attempts in 2015 and us successfully
building our own development board in 2017; during this time we had to work on
various crippled pre-existing Calypso devices, and many of them had only one
UART practically accessible.  In response to this situation we developed a way
to pass AT commands over RVTMUX.  We created a new RVTMUX channel for this
interface and assigned it RVT packet type 0x1A.  Packets sent from an external
host to the GSM device carry AT commands and SMS string input, whereas packets
flowing the other way carry ATI's responses to commands and asynchronous
notifications such as incoming calls.  The host utility for talking AT commands
to a FreeCalypso GSM device via RVTMUX is fc-shell, described below.

Now that we have built a proper FreeCalypso development board with two UARTs,
the use of this AT-over-RVTMUX hack is deprecated for general usage: this hack
does not support any data services (CSD or GPRS), and even for SMS it was
crippled for a long time because maximum-length messages could not be sent in
the more capable PDU mode until our recent extension that works around this
limitation.  However, it still comes in handy during certain casual testing
sessions, and it is required if one needs to run our FreeCalypso firmware on
Mot C1xx or Pirelli DP-L10 hardware.

FC host tools for talking to firmwares via RVTMUX
=================================================

The fundamental tool for talking to running firmwares via RVTMUX is a program
called rvinterf.  It runs on a Unix/Linux host machine, opens a serial port
that is expected to be connected to the RVTMUX UART on the target, and then
speaks TI's binary packet protocol on that serial port.  It then performs two
functions:

* If rvinterf is run in the foreground in a terminal window (or more precisely,
  if its default terminal output is not disabled), every packet received from
  the target is decoded and printed on stdout in human-readable ASCII.  For
  some packets like TM/ETM responses this "human-readable" form is just a hex
  dump, but the trace messages which the firmware emits on its own are printed
  in truly human-readable form.  This output can also be saved to a log file.

* Rvinterf creates a local UNIX domain socket on the machine it is running on,
  and other host tools can then connect to this socket to exchange packets with
  the firmware.  Client programs connected to rvinterf via this local socket
  interface can register to receive copies of packets sent by the target on
  specific RVTMUX channels, and they can also send arbitrary packets to the
  target.

Our main "client" programs for actively interacting with running firmwares via
rvinterf are:

fc-tmsh		This utility speaks the TM/ETM protocol.  It supports almost
		all ETM and L1TM commands that are supported by our reference
		TCS211 fw with the important exception of TMFFS; support means
		that fc-tmsh can issue these commands and decode the firmware's
		responses to them.  fc-tmsh operates asynchronously in that the
		issuance of commands to the target and the display of firmware
		responses are completely decoupled; this asynchronous model is
		a good match for L1/RF test mode commands and simple ETM
		operations, but is a poor fit for FFS manipulation.  fc-tmsh's
		companion fc-fsio implements FFS access via TMFFS2, and we
		don't have a host side implementation for TI's older TMFFS1
		protocol.

fc-fsio		This utility speaks the TMFFS2 protocol over the TM/ETM RVTMUX
		channel (same channel as used by fc-tmsh, so don't try to run
		both at the same time) and implements fairly high-level FFS read
		and write operations.  fc-fsio is used to format and initialize
		the FFS on newly made devices in our hardware manufacturing
		environment, it can upload files or entire subtrees into target
		device FFS, it has higher-level commands for writing some files
		like the IMEI, rfcap and AT+CGxx ID strings, and it can list and
		read out FFS content.  Unlike fc-tmsh, fc-fsio is synchronous:
		it is built on command-response (send a command and expect a
		response) primitives, and a single user command can turn into a
		large number of command-response exchanges on the RVTMUX
		interface.  fc-fsio also implements a few non-FFS commands
		because they naturally fit into this ETM synchronous model.

fc-shell	This tool is asynchronous like fc-tmsh, but instead of talking
		and listening on the TM/ETM RVTMUX channel, it talks and listens
		on GPF's channel and on the new AT-over-RVTMUX channel which we
		added in FreeCalypso.  fc-shell can be used to issue system
		primitive commands to GPF (and to see firmware responses to
		them), and to talk AT commands via RVTMUX.

Finally, if you only need to passively observe the firmware's debug trace output
and don't need to make any active pokes at the target, our rvtdump utility is a
stripped-down version of rvinterf (or historically its predecessor) that only
decodes and prints/logs the output from the target without sending anything to
it.

Further reading
===============

Believe it or not, some of the documentation that was written by the original
vendors of the software in question and which we've been able to locate turns
out to be fairly relevant and helpful, such that I recommend reading it.

Documentation for Nucleus PLUS RTOS:

	ftp://ftp.freecalypso.org/pub/embedded/Nucleus/nucleus_manuals.tar.bz2

	Quite informative, and fits our version of Nucleus just fine.

Riviera environment:

	ftp://ftp.freecalypso.org/pub/GSM/Calypso/riviera_preso.pdf

	It's in slide presentation form, not a detailed technical document, but
	it covers a lot of points, and all that Riviera stuff described in the
	preso *is* present in our fw for real, hence it should be considered
	relevant.

GPF documentation:

	https://www.freecalypso.org/LoCosto-docs/SW%20doc/frame_users_guide.pdf
	https://www.freecalypso.org/LoCosto-docs/SW%20doc/vsipei_api.pdf

	Very good reading, helped me understand GPF when I first reached this
	part of firmware reintegration.

TCS3.x/LoCosto fw architecture:

	https://www.freecalypso.org/LoCosto-docs/SW%20doc/TCS2_1_to_3_2_Migration_v0_8.pdf
	ftp://ftp.freecalypso.org/pub/GSM/LoCosto/LoCosto_Software_Architecture_Specification_Document.pdf

	These TI docs focus mostly on how they changed the fw architecture from
	their TCS2.x program (Calypso) to their newer TCS3.x (LoCosto), but one
	can still get a little insight into the "old" TCS211 architecture they
	were moving away from, which is the architecture we've adopted for
	FreeCalypso.