FreeCalypso > hg > freecalypso-sw
view doc/RVTMUX @ 359:144b5d222de8
tfc139 hack utility started, compiles
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
---|---|
date | Thu, 15 May 2014 10:32:30 +0000 |
parents | d6dfad22cccd |
children | 821a26f90968 |
line wrap: on
line source
TI's Calypso GSM/GPRS baseband processor chip has not one but two UART serial ports, called "MODEM" and "IrDA" in the hardware documentation. In hardware terms, both support basic data-leads-only UART operation at a fixed baud rate, but their extended capabilities differ: the IrDA UART adds IrDA capability (no surprise), whereas the MODEM UART adds hardware flow control and autobaud. If one is not implementing an actual IrDA interface, then the so-called "IrDA" UART becomes a strict subset of the MODEM one in terms of hw capabilities - just an extra UART, but a somewhat less capable one. In a classic modem design such as that present in the GTA0x smartphones made by FIC/Openmoko, the Calypso presents a standard AT command interface on its MODEM UART port. (In the case of GTA0x phones this serial channel is wired to the phone's application processor; in a standalone modem it would be wired to a USB-serial chip or even to a classic RS-232 DB25 port.) However, what is less known is that the standard firmware for such modems simultaneously presents an entirely different interface on the IrDA UART - an interface intended for development, debugging and factory production testing (which includes RF calibration and IMEI etc programming), rather than for "normal" end users. Normally this debug/development serial interface (called RVTMUX as will be explained momentarily) is hidden from "ordinary" users - for example, on FIC GTA0x phones it is wired to the analog headset jack through a hardware switch which needs to be enabled through a GPIO signal from the AP. But there also exist some oddball devices on which the RVTMUX interface is presented "in your face". The Pirelli DP-L10 phone has a USB charging port which is also wired (through a CP2102 USB-serial chip) to the IrDA UART on the Calypso - that's right, IrDA, not MODEM - a design decision with which this hacker strongly disagrees. (It'll definitely be wired to the MODEM UART instead on our own semi-clone of this phone, but I digress.) Apparently Foxconn (the designers of this phone) had no desire to provide a standard AT command interface, and instead the only "official" way to use the "data" function of their USB port (rather than the charging function) is for their "PC sync" feature, i.e., their proprietary Weendoze software. And guess what, their proprietary "PC sync" feature works over TI's RVTMUX interface, as that is what's presented on Calypso's IrDA UART behind the CP2102! OK, so what is this RVTMUX? RV stands for RiViera, an application framework which TI added to their GSM firmware suite in the early 2000s, T stands for trace, and MUX stands for multiplexor. It's a binary packet interface, although many of these packets contain ASCII debug messages inside. The framing format is the same in both directions: each packet begins and ends with an STX (0x02) byte, all payload bytes except 0x02 and 0x10 are sent literally, and there is a DLE (0x10) byte prepended before any 0x02 or 0x10 in the payload. It's the same general principle as asynchronous HDLC (RFC 1662): packets can contain any binary data, and the framing provides packet boundaries - although TI's version is a little less robust than async-HDLC when it comes to recovering after lost synchronization. The firmware suite component responsible for actually sending and receiving these packets over the assigned UART port (usually IrDA, but can be MODEM too) is called RVT (RiViera Trace), and it implements a MUX function. There are several logical channels multiplexed over one physical serial port, and the first byte of every packet indicates which logical channel it belongs to. Any component within the GSM firmware suite can send packets to RVT for transmission on this serial interface, and can also register to receive packets beginning with a particular type ID byte. Use in FreeCalypso ================== The FreeCalypso project has adopted the same general firmware architecture as that exhibited by TI's standard firmwares from the Moko/Pirelli time frame. We use TI's RiViera framework lifted directly out of the TCS211 reference fw, and that includes the RVT module and the RVTMUX interface it presents. At the present time (early development stage, none of the actual GSM functionality has been integrated yet) this RVTMUX interface is put to the following uses in our own gsm-fw: * Debug trace output from various components sent via the rvf_send_trace() function - it is the RiViera Trace output in the proper sense; * The ETM module and the associated FFS access protocol described below. In the existing proprietary firmwares which serve as our reference, the RVTMUX serial channel is continuously spewing very voluminous debug output. This debug output exhibits 3 different packet types: RV traces described above, and also L1 and G23 traces, each in its own format. We expect that our own gsm-fw will become just like these reference versions in this regard, once we integrate those code layers. ETM and FFS access ================== Another component which we have lifted out of the TCS211 reference fw is ETM, which stands for Enhanced Test Mode. This module registers its own "top level" protocol over RVTMUX, and provides a registration service of its own, such that various components in the fw suite can register to receive external command packets passing first through RVT, then through ETM, and can send responses passing through ETM, then through RVT back to the external host. The ETM_CORE module contained within ETM itself provides some low-level debug commands: by sending the right binary command packets to the GSM device via the RVTMUX serial channel, an external host can examine or modify any memory location and any hardware register, cause the device to reset, etc. The only other ETM-based functionality currently integrated in our gsm-fw besides ETM_CORE is TMFFS (Test Mode for FFS), which is the external access channel to the device file system - see TIFFS-Overview. The TMFFS1 and TMFFS2 protocols provide a command/response packet interface to the FFS API functions inside the fw, and enable an external host connected to the GSM device via the RVTMUX channel to perform arbitrary read and write operations on the device file system. TMFFS protocol versions ======================= TI made two different and entirely incompatible versions of the TMFFS protocol for accessing a device's FFS via RVT/ETM: TIFFS1 and TIFFS2. The fw sources available to us contain implementations of both versions, so we have the freedom to use whichever we like better for FreeCalypso. After studying the fw source implementing the two TMFFS protocols, I (Space Falcon) came to the conclusion that TMFFS2 is both more capable and more reliable; my guess is that TMFFS1 was likely kept around only because some of TI's crappy Weendoze host software depended on it. (See gsm-fw/services/ffs/tmffs.c if you would like to judge for yourself.) Thus TMFFS2 is currently the "officially adopted" version for FreeCalypso. Our fc-tmsh utility (described below) allows a developer-operator to send TMFFS "get version" queries to a running GSM fw in both ETM_FFS1 and ETM_FFS2 formats; this capability allows us to determine experimentally which protocol (if any) is implemented by a given proprietary firmware version. Experiments reveal that Openmoko's moko11 firmware implements TMFFS1, whereas Pirelli's fw implements TMFFS2. The leo2moko-r1 firmware produced by the FreeCalypso project in 2013-10 implements TMFFS1, simply because that was the selected configuration in the found Leonardo source that transitional fw is based on, and that release was made before I learned RVTMUX, FFS, ETM and TMFFS properly. All future FreeCalypso firmwares will use TIFFS2, or at least that's the current plan. Host utility support ==================== As one would naturally expect, the FreeCalypso project has developed some host tools that allow a PC running GNU/Linux (or other Unix systems) to interface to running firmwares on GSM devices via RVTMUX. The following tools are currently available: rvtdump Opens the serial port, decodes TI's binary packet protocol, and simply dumps every received/decoded packet on stdout in a human- readable form. No provision for sending anything to the target. Intended use: observing the debug trace output which all TI firmwares emit as standard "background noise". This utility allows one to observe/log/study the "noise" that appears on Pirelli's USB-serial port (running Pirelli's original fw), as well as that emitted on the IrDA (headset jack) port on the GTA02 by mokoN/leo2moko firmwares. rvinterf Provides a bidirectional interface to RVTMUX on the host side. It dumps and/or logs the "background noise" emitted by the target just like rvtdump, but also creates a local UNIX domain socket on the host machine to which other programs can connect, replicating the MUXing function on the host side. fc-tmsh Interactive asynchronous test mode shell. This program connects to a target GSM device through rvinterf and allows a developer- operator to send various ETM commands to the target. ETM responses are decoded (sometimes only lightly) and displayed. fc-tmsh is fully asynchronous in that it continuously listens (via select(2)) for both user input and for packets from the target at the same time, translating any user-entered commands into packets to the target and conversely, scribbling on the terminal when a packet arrives from the target. It has no knowledge of any correspondence between commands and responses they normally elicit. fc-tmsh implements some low-level ffs2 commands (see above regarding our design decision to use TMFFS2 rather than TMFFS1), but it is already known that this implementation approach is a dead end, and a different host utility is planned to be written for full FFS read/write access via the TMFFS2 protocol.