<!DOCTYPE html>
<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><link rel="stylesheet" href="EG25-G%20reverse%20engineering_files/style.css"><title>EG25-G reverse engineering</title></head><body><header><div class="title"><a href="https://xnux.eu/index.html">xnux.eu</a> - <a href="https://xnux.eu/map.html">site map</a> - <a href="https://xnux.eu/news.html">news</a></div></header><main><section>
<h1 id="toc-eg25-g-reverse-engineering">EG25-G reverse engineering</h1>
<h2 id="toc-quectel-daemon">quectel_daemon</h2>
<ul>
<li>makes <code>/sys/class/gpio/gpio1018/direction</code> an output</li>
<li>monitors <code>/sys/devices/virtual/android_usb/android0/state</code> and <code>/sys/devices/virtual/android_usb/android0/usb_sleep</code> and passes the state to the modem via QMI</li>
<li>monitors <code>/run/gpio_data</code> and updates <code>/sys/class/gpio/gpio1018/direction</code> with <code>high</code>/<code>low</code></li>
<li>opens various PCM devices (voice_pcm_service)</li>
<li>handles call ringing and voice audio configuration</li>
<li>touches <code>/tmp/quec_daemon_rdy</code></li>
<li>talks via <code>/run/voc_svr</code> in the main loop</li>
</ul>
<h2 id="toc-quectel-monitor-daemon">quectel_monitor_daemon</h2>
<ul>
<li>if <code>/data/ModemRestartSystem</code> exists, it writes <code>SYSTEM</code> to <code>/sys/devices/4080000.qcom,mss/subsys1/restart_level</code> or <code>/sys/devices/4080000.qcom,mss/subsys0/restart_level</code></li>
<li>if <code>/data/ModemRestartRelated</code> exists, it writes <code>RELATED</code> to <code>/sys/devices/4080000.qcom,mss/subsys1/restart_level</code> or <code>/sys/devices/4080000.qcom,mss/subsys0/restart_level</code></li>
<li>then it monitors <code>/sys/devices/4080000.qcom,mss/subsys1/quec_state</code> and if it changes to non-0 it restarts various daemons:<ul>
<li><code>system("killall atfwd_daemon");</code></li>
<li><code>system("killall quectel_daemon");</code></li>
<li><code>system("killall alsaucm_test");</code></li>
</ul></li>
</ul>
<h2 id="toc-quectel-pcm-daemon">quectel_pcm_daemon</h2>
<ul>
<li>waits for the PCM codec to probe</li>
<li>reads <code>/data/quec/conf/auxpcm.conf</code> (written by <code>atfwd_daemon</code> via the AT+QDAI command)</li>
<li>based on the values therein it:<ul>
<li>loads various kernel modules for supported external codecs<ul>
<li>e.g.:
<p><code>system("echo \"nau8814-codec.2-001a\" > /sys/devices/soc:sound/codec_name");</code></p>
<p><code>system("echo \"nau8814-aif1\" > /sys/devices/soc:sound/rx_dai_name");</code></p>
<p><code>system("echo \"nau8814-aif1\" > /sys/devices/soc:sound/tx_dai_name");</code></p>
<p><code>system("insmod /usr/lib/modules/3.18.44/kernel/sound/soc/codecs/snd-soc-nau8814.ko");</code></p></li>
</ul></li>
<li>configures the PCM interface, like:
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/mode"</code></p>
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/sync"</code></p>
<p><code>"echo %d > /sys/devices/soc:sound/pcm_mode_select"</code></p>
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/frame"</code></p>
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/quant"</code></p>
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/data"</code></p>
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/rate"</code></p>
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/num_slots"</code></p>
<p><code>"echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/slot_mapping"</code></p>
<p><code>"echo %d > /sys/devices/soc:sound/quec_auxpcm_rate"</code></p></li>
</ul></li>
</ul>
<h2 id="toc-quectel-psm-aware">quectel_psm_aware</h2>
<ul>
<li>creates fifo
<code>/run/psm_aware_cmd</code></li>
<li>reads this FIFO and issues various <code>psm_*</code> calls to a library</li>
<li>some power-saving handling</li>
<li>the FIFO is written from <code>atfwd_daemon</code> via the <code>AT+QPSM="fifo string"</code> command</li>
</ul>
<h2 id="toc-quectel-tts-service">quectel_tts_service</h2>
<ul>
<li>binds to <code>127.0.0.1:17824</code></li>
<li>accepts connections and plays TTS audio from the issued command</li>
</ul>
<h2 id="toc-sendcal">sendcal</h2>
<ul>
<li>creates the <code>/run/sendcal</code> device</li>
<li>does some basic processing</li>
</ul>
<h2 id="toc-subsystem-ramdump">subsystem_ramdump</h2>
<ul>
<li>allows dumping RAM to a file in <code>/data</code></li>
</ul>
<h2 id="toc-time-daemon">time_daemon</h2>
<ul>
<li>reads the RTC time from the modem over QMI and updates the ARM CPU time</li>
</ul>
<h2 id="toc-uim-test-client">uim_test_client</h2>
<ul>
<li>SIM testing console client</li>
</ul>
<h2 id="toc-quectel-uart-ddp">quectel-uart-ddp</h2>
<ul>
<li>reads <code>/data/quec/conf/dynamic_console</code></li>
<li>passes data between the debug UART port and <code>/dev/smd9</code></li>
</ul>
<h2 id="toc-quectel-thermal">quectel-thermal</h2>
<ul>
<li>monitors <code>/sys/devices/virtual/thermal/thermal_zone%d/temp</code></li>
<li>updates SAR and RF signal strength based on temperature via QMI</li>
</ul>
<h2 id="toc-quectel-smd-atcmd">quectel-smd-atcmd</h2>
<ul>
<li>probably supposed to forward commands from <code>/dev/ttyGS0</code> to <code>/dev/smd7</code></li>
<li>does nothing, just prints some crap in a weird way to console/kmsg</li>
<li>Sundy still hasn't learned stdio, so it uses <code>system("echo %s > /dev/kmsg");</code> instead of fprintf</li>
</ul>
<h2 id="toc-quectel-remotefs-service">quectel-remotefs-service</h2>
<ul>
<li>opens <code>/dev/smd8</code></li>
<li>waits for commands from the modem over <code>/dev/smd8</code> and performs basic VFS operations, like open/close/read/write/seek, etc.</li>
<li>implements the reaction to an OMA DM push message by executing the <code>/data/ipth_dme</code> binary, which implements vendor-specific (Verizon, AT&amp;T) remote FOTA/system config updates<ul>
<li>only if <code>fota_ip_a</code> or <code>fota_ip_v</code> exist in the <code>/data/fota</code> directory</li>
</ul></li>
</ul>
<h2 id="toc-quectel-gps-handle">quectel-gps-handle</h2>
<ul>
<li>Sundy strikes again, this time using stdio in addition to system() calls for debug output!</li>
<li>writes 0 to <code>/data/quec/conf/gps_outport_flag</code></li>
<li>opens <code>/dev/smd7</code> (the modem's GPS data shmem device)</li>
<li>reads a number from <code>/data/quec/conf/gps_outport_flag</code><ul>
<li>uses <code>/dev/ttyHSL0</code> or <code>/dev/ttyGS0</code> for NMEA output based on the number</li>
</ul></li>
<li>forwards data from <code>/dev/smd7</code> to one of the serial ports</li>
<li>monitors <code>/sys/class/android_usb/android0/state</code> and <code>/sys/class/android_usb/f_serial/is_connected_flag</code> and presumably turns off GPS output if USB is not 'CONNECTED'</li>
</ul>
<h2 id="toc-quec-wifi-bridge">quec_wifi_bridge</h2>
<ul>
<li>opens <code>/data/wifi_bridge_in_pipe</code> and <code>/data/wifi_bridge_out_pipe</code></li>
<li>listens on <code>0.0.0.0:5555</code></li>
<li>forwards data from connections to <code>/data/wifi_bridge_in_pipe</code> as is</li>
<li>forwards data from <code>/data/wifi_bridge_out_pipe</code> to the last accepted connection</li>
</ul>
<h2 id="toc-ql-usbcfg">ql_usbcfg</h2>
<ul>
<li>loads the USB configuration for recovery mode</li>
</ul>
<h2 id="toc-ql-manager-server-ql-manager-cli">ql_manager_server / ql_manager_cli</h2>
<ul>
<li>some WWAN/WIFI management server + CLI client</li>
<li>quectel code</li>
</ul>
<p>…</p>
<h1 id="toc-files">Files</h1>
<h2 id="toc-tmp-urc-sock">/tmp/.urc_sock</h2>
<ul>
<li>Unix socket that can be used to
send URCs from Linux userspace</li>
</ul>
<h1 id="toc-un-der-documented-at-commands">Un(der)-documented AT commands</h1>
<h2 id="toc-at-qprint-1">AT+QPRINT=1</h2>
<ul>
<li>(does literally <code>cat /proc/kmsg >/dev/ttyGS0 &amp;</code>), you can get dmesg output from <code>cat /dev/ttyUSB1</code> on the A64 side</li>
</ul>
<h2 id="toc-at-qprint-0">AT+QPRINT=0</h2>
<ul>
<li>does literally <code>killall cat</code></li>
</ul>
<h2 id="toc-at-qfastboot">AT+QFASTBOOT</h2>
<ul>
<li>reboots the modem in fastboot mode</li>
</ul>
<h2 id="toc-at-qcfg-modemrstlevel-val">AT+QCFG="modemrstlevel",<code>&lt;val&gt;</code></h2>
<ul>
<li><code>/sys/bus/msm_subsys/devices/subsys1/restart_level</code></li>
</ul>
<p>val == 0:</p>
<ul>
<li><code>echo SYSTEM > /sys/bus/msm_subsys/devices/subsys0/restart_level</code></li>
<li><code>echo 00 > /data/ModemRestartSystem</code></li>
<li><code>rm -rf /data/ModemRestartRelated</code></li>
</ul>
<p>val == 1:</p>
<ul>
<li><code>echo RELATED > /sys/bus/msm_subsys/devices/subsys0/restart_level</code></li>
<li><code>echo 11 > /data/ModemRestartRelated</code></li>
<li><code>rm -rf /data/ModemRestartSystem</code></li>
</ul>
<h2 id="toc-at-qcfg-aprstlevel-val">AT+QCFG="aprstlevel",<code>&lt;val&gt;</code></h2>
<ul>
<li>echo <code>val</code> > <code>/sys/bus/msm_subsys/devices/subsys0/system_reset_mode</code></li>
</ul>
<h2 id="toc-at-qcfg-usbid">AT+QCFG="usbid"</h2>
<ul>
<li>handled by quectel-manager (see the ql_mgmt_client_open C API)</li>
</ul>
<h2 id="toc-at-qcfg-usbee">AT+QCFG="usbee"</h2>
<ul>
<li>handled by quectel-manager (see the ql_mgmt_client_open C API)</li>
</ul>
<h2 id="toc-at-qcfg-usbcfg">AT+QCFG="usbcfg"</h2>
<ul>
<li>handled by quectel-manager (see the ql_mgmt_client_open C API)</li>
</ul>
<h2 id="toc-at-qcfg-usbnet">AT+QCFG="usbnet"</h2>
<ul>
<li>handled by quectel-manager (see the ql_mgmt_client_open C API)</li>
</ul>
<h2 id="toc-at-qcfg-pcmclk">AT+QCFG="pcmclk"</h2>
<ul>
<li>reads/writes <code>/sys/devices/soc:qcom,msm-sec-auxpcm/enable_clk</code></li>
<li>sets some params on the ALSA hw:0,0 device</li>
</ul>
<h2 id="toc-at-qcfg-tone-incoming-val">AT+QCFG="tone/incoming",<code>&lt;val&gt;</code></h2>
<ul>
<li>reads/writes DWORD <code>val</code> to <code>/data/quec/conf/ringtype.conf</code></li>
</ul>
<h2 id="toc-at-qcfg-sleepind-level-val">AT+QCFG="sleepind/level",<code>&lt;val&gt;</code></h2>
<ul>
<li>echo <code>val</code> > <code>/sys/devices/soc:quec,quectel-power-manager/sleep_polarity</code></li>
<li>echo <code>val</code> > <code>/data/quec/conf/sleepind.txt</code></li>
</ul>
<h2 id="toc-at-qcfg-wakeupin-level-val">AT+QCFG="wakeupin/level",<code>&lt;val&gt;</code></h2>
<ul>
<li>echo <code>val</code> > <code>/data/quec/conf/wakeupin.txt</code></li>
</ul>
<h2 id="toc-at-qcfg-thermal-modem-thermal-limit-rates-thermal-txpwrlmt">AT+QCFG="thermal/modem", "thermal/limit_rates", "thermal/txpwrlmt"</h2>
<ul>
<li>modifies <code>/data/quec_thermal_threshold</code> (37-byte binary file)</li>
<li>modifies <code>/data/quec_therm_cfg</code><ul>
<li>format: <code>enable=%d,sensor=%d,tempthreshold=%d,duration=%d,trig_cnt=%d,clr_cnt=%d</code></li>
</ul></li>
</ul>
<h2 id="toc-at-qcfg-codec-powsave">AT+QCFG="codec/powsave"</h2>
<ul>
<li>echo <code>val</code> > <code>/sys/devices/78b6000.i2c/i2c-2/2-001b/alc5616_pow_save_cfg</code></li>
</ul>
<h2 id="toc-at-qcfg-qcautoconnect-val">AT+QCFG="qcautoconnect",<code>&lt;val&gt;</code></h2>
<ul>
<li><code>sed -i '/&lt;AutoConnect&gt;[01]&lt;/&lt;AutoConnect&gt;'$val'&lt;/g' /data/mobileap_cfg.xml</code></li>
</ul>
<h2 id="toc-at-qcfg-ftm-mbim">AT+QCFG="ftm/mbim"</h2>
<ul>
<li>opens <code>/data/quec/usb/ftm_mbim</code> and drops the fd, doesn't close it?</li>
<li>kinda weird</li>
</ul>
<h2 id="toc-at-qcfg-multi-ip-package">AT+QCFG="multi_ip_package"</h2>
<ul>
<li>configures <code>/sys/devices/virtual/android_usb/android0/multi_package_enabled</code></li>
<li>and some other related sysfs files</li>
</ul>
<h2 id="toc-at-qcfg-dbgctl">AT+QCFG="dbgctl"</h2>
<ul>
<li><code>echo 1 > /etc/dbgctl</code></li>
<li>or <code>rm /etc/dbgctl</code></li>
<li>of course this fails, since /etc is on a read-only filesystem</li>
</ul>
<h2 id="toc-at-qcfg-bootup-op">AT+QCFG="bootup",<code>&lt;op&gt;</code></h2>
<ul>
<li>1 = start, 0 = stop, 2 = check whether the service (from /etc/init.d) is running</li>
</ul>
<h2 id="toc-at-qcfg-usbmode">AT+QCFG="usbmode"</h2>
<ul>
<li><code>echo %d > /data/usb/quec_usbmode_check</code></li>
<li><code>cat /sys/devices/virtual/android_usb/android0/state</code> (CONFIGURED / other)</li>
<li><code>cat /sys/devices/virtual/android_usb/android0/usb_sleep</code> (0/1)</li>
</ul>
</section></main><footer><p>E-mail: <a href="mailto:x@xnux.eu">x@xnux.eu</a> - <a href="https://xnux.eu/map.html" accesskey="m">site map</a> - <a href="https://xnux.eu/rss.xml">RSS</a></p></footer></body></html>
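<p>Several of the programs above (quectel_pcm_daemon's <code>echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/...</code> sequence, quectel-smd-atcmd's <code>system("echo %s > /dev/kmsg")</code>, and the AT+QCFG handlers that echo a value into sysfs) write kernel attributes by handing a formatted shell command line to system(). The following is an added example, not Quectel's code and not taken from the modem firmware: the same write done with open()/write() so that the value never passes through a shell and an open or write failure reaches the caller. The function names and the temporary-file self-check are this example's own; the sysfs path used in main() is one the page lists for quectel_pcm_daemon.</p>

```c
/* Added example (not Quectel's code): write a sysfs/device attribute with
 * open()/write() instead of system("echo %d > path").  Function names are
 * this example's own; the path in main() is one the page lists. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write 'value' to 'path' as a single write(2).  Returns 0 on success, -1
 * with errno set otherwise.  Unlike system("echo ..."), the value is never
 * parsed by a shell, and an open or write error is reported to the caller
 * instead of being folded into the shell's exit status. */
int attr_write(const char *path, const char *value)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    size_t len = strlen(value);
    ssize_t n = write(fd, value, len);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    if ((size_t)n != len) {   /* sysfs attributes do not accept partial writes */
        errno = EIO;
        return -1;
    }
    return 0;
}

/* Convenience wrapper for the "echo %d > ..." call sites. */
int attr_write_int(const char *path, int value)
{
    char buf[32];
    snprintf(buf, sizeof buf, "%d", value);
    return attr_write(path, buf);
}

/* Read a short attribute into 'out' (NUL-terminated, trailing newline
 * stripped).  Returns 0 on success, -1 otherwise. */
int attr_read(const char *path, char *out, size_t outlen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    if (n > 0 && out[n - 1] == '\n')
        out[n - 1] = '\0';
    return 0;
}

/* Self-check against a temporary file standing in for a sysfs attribute.
 * Returns 1 when a value written with attr_write_int() reads back unchanged
 * and a write to a path that cannot exist is reported as a failure. */
int attr_selftest(void)
{
    char path[] = "/tmp/attr_selftest_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {                     /* fall back to the working directory */
        strcpy(path, "./attr_selftest_XXXXXX");
        fd = mkstemp(path);
        if (fd < 0)
            return 0;
    }
    close(fd);
    char back[32];
    int ok = attr_write_int(path, 8000) == 0
          && attr_read(path, back, sizeof back) == 0
          && strcmp(back, "8000") == 0
          && attr_write("/nonexistent-dir/attr", "1") == -1;
    unlink(path);
    return ok;
}

int main(void)
{
    /* Equivalent of the page's "echo %d > /sys/devices/soc:qcom,msm-sec-auxpcm/rate";
     * on a machine without that attribute this prints why it failed. */
    if (attr_write_int("/sys/devices/soc:qcom,msm-sec-auxpcm/rate", 8000) < 0)
        perror("/sys/devices/soc:qcom,msm-sec-auxpcm/rate");
    return attr_selftest() ? 0 : 1;
}
```

<p>The difference from the pattern on the page is observable: a missing attribute or a rejected value returns -1 with a meaningful errno here, whereas a <code>system("echo ...")</code> only yields the shell's exit status, and a daemon that ignores that status (as quectel-smd-atcmd's kmsg logging suggests) never learns the write did not happen.</p>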
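<p>The AT+QCFG="thermal/..." handlers write <code>/data/quec_therm_cfg</code> in the one-line format quoted above. As an added example (not Quectel's code), here is a strict parser and serializer for that format: it requires all six fields in order, rejects trailing text after the last field, and round-trips a line unchanged. The struct and function names, the sample line and the assumption that <code>enable</code> is a 0/1 flag are this example's own; the page gives only the format string.</p>

```c
/* Added example (not Quectel's code): parser/serializer for the
 * /data/quec_therm_cfg line format the page reports:
 *   enable=%d,sensor=%d,tempthreshold=%d,duration=%d,trig_cnt=%d,clr_cnt=%d
 * Only the field names come from the page; 'enable' being a 0/1 flag is
 * this example's assumption. */
#include <stdio.h>
#include <string.h>

struct therm_cfg {
    int enable, sensor, tempthreshold, duration, trig_cnt, clr_cnt;
};

/* Parse one line.  Returns 0 on success, -1 if the line does not match the
 * format exactly (missing field, trailing text, enable not 0/1). */
int therm_cfg_parse(const char *line, struct therm_cfg *c)
{
    int consumed = 0;
    int n = sscanf(line,
        "enable=%d,sensor=%d,tempthreshold=%d,duration=%d,trig_cnt=%d,clr_cnt=%d%n",
        &c->enable, &c->sensor, &c->tempthreshold, &c->duration,
        &c->trig_cnt, &c->clr_cnt, &consumed);
    if (n != 6)
        return -1;
    const char *rest = line + consumed;          /* only a newline may follow */
    if (*rest != '\0' && strcmp(rest, "\n") != 0)
        return -1;
    if (c->enable != 0 && c->enable != 1)        /* assumption: enable is a flag */
        return -1;
    return 0;
}

/* 1 if 'line' parses under the rules above, else 0. */
int therm_cfg_is_valid(const char *line)
{
    struct therm_cfg c;
    return therm_cfg_parse(line, &c) == 0;
}

/* Serialize back to the same format without a trailing newline.  Returns the
 * number of characters written, or -1 if 'buf' is too small. */
int therm_cfg_format(const struct therm_cfg *c, char *buf, size_t len)
{
    int n = snprintf(buf, len,
        "enable=%d,sensor=%d,tempthreshold=%d,duration=%d,trig_cnt=%d,clr_cnt=%d",
        c->enable, c->sensor, c->tempthreshold, c->duration,
        c->trig_cnt, c->clr_cnt);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Constructed sample line; the numbers are made up for the self-check. */
static const char THERM_SAMPLE[] =
    "enable=1,sensor=3,tempthreshold=65,duration=10,trig_cnt=3,clr_cnt=2\n";

/* Returns 1 when the sample parses, round-trips byte for byte (minus the
 * newline), and a short line and a line with trailing text are rejected. */
int therm_cfg_selftest(void)
{
    struct therm_cfg c;
    char out[128];
    if (therm_cfg_parse(THERM_SAMPLE, &c) != 0)
        return 0;
    if (c.enable != 1 || c.sensor != 3 || c.tempthreshold != 65 ||
        c.duration != 10 || c.trig_cnt != 3 || c.clr_cnt != 2)
        return 0;
    int n = therm_cfg_format(&c, out, sizeof out);
    if (n < 0 || (size_t)n + 1 != strlen(THERM_SAMPLE) ||
        strncmp(out, THERM_SAMPLE, (size_t)n) != 0)
        return 0;
    if (therm_cfg_is_valid("enable=1,sensor=3,tempthreshold=65"))
        return 0;
    if (therm_cfg_is_valid(
            "enable=1,sensor=3,tempthreshold=65,duration=10,trig_cnt=3,clr_cnt=2;x"))
        return 0;
    return 1;
}

int main(void)
{
    return therm_cfg_selftest() ? 0 : 1;
}
```

<p>The <code>%n</code> conversion records how many characters sscanf consumed, which is what makes the trailing-text check possible; a plain six-conversion sscanf would accept anything appended after <code>clr_cnt</code>.</p>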
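<p>The page shows the AT+QCFG="qcautoconnect" value being spliced into a sed expression and applied to <code>/data/mobileap_cfg.xml</code>. As an added example (not Quectel's code), here is the same edit done in-process: the AT argument is first restricted to the two values the <code>&lt;AutoConnect&gt;</code> element can hold, and only then is the digit rewritten, using the same match the sed pattern expresses (a single 0 or 1 directly followed by <code>&lt;</code>). The buffer-based API, the function names and the sample XML fragment are this example's own; the real file's full layout is not on the page.</p>

```c
/* Added example (not Quectel's code): apply the qcautoconnect value to the
 * <AutoConnect> element in memory instead of via a sed command line.  The
 * element and file names come from the page; everything else is this
 * example's own. */
#include <stdio.h>
#include <string.h>

/* The AT argument must be exactly "0" or "1".  Returns the digit, or -1
 * for anything else (longer strings, other digits, empty, NULL). */
int autoconnect_parse_arg(const char *arg)
{
    if (arg == NULL || strlen(arg) != 1)
        return -1;
    if (arg[0] == '0' || arg[0] == '1')
        return arg[0] - '0';
    return -1;
}

/* Rewrite every "<AutoConnect>0<" / "<AutoConnect>1<" in 'xml' (in place;
 * the replacement has the same length) so the digit equals 'val'.  Like the
 * sed pattern on the page, only a lone 0/1 followed by '<' is touched.
 * Returns the number of elements whose value actually changed, or -1 for
 * an invalid 'val'. */
int autoconnect_apply(char *xml, int val)
{
    static const char OPEN[] = "<AutoConnect>";
    const size_t open_len = sizeof OPEN - 1;
    if (val != 0 && val != 1)
        return -1;
    int changed = 0;
    for (char *p = strstr(xml, OPEN); p != NULL; p = strstr(p + 1, OPEN)) {
        char *digit = p + open_len;
        if ((digit[0] == '0' || digit[0] == '1') && digit[1] == '<' &&
            digit[0] != (char)('0' + val)) {
            digit[0] = (char)('0' + val);
            changed++;
        }
    }
    return changed;
}

/* Constructed fragment standing in for /data/mobileap_cfg.xml. */
static const char AUTOCONNECT_SAMPLE[] =
    "<MobileAPCfg>\n"
    "  <AutoConnect>0</AutoConnect>\n"
    "  <Roaming>1</Roaming>\n"
    "</MobileAPCfg>\n";

/* Returns 1 when: arguments other than "0"/"1" are rejected; applying 1
 * changes exactly the one element; applying 1 again changes nothing; the
 * unrelated <Roaming> element is untouched; and applying 0 restores it. */
int autoconnect_selftest(void)
{
    char xml[sizeof AUTOCONNECT_SAMPLE];
    memcpy(xml, AUTOCONNECT_SAMPLE, sizeof AUTOCONNECT_SAMPLE);
    if (autoconnect_parse_arg("2") != -1 || autoconnect_parse_arg("01") != -1 ||
        autoconnect_parse_arg("") != -1 || autoconnect_parse_arg(NULL) != -1)
        return 0;
    int val = autoconnect_parse_arg("1");
    if (val != 1)
        return 0;
    if (autoconnect_apply(xml, val) != 1)
        return 0;
    if (strstr(xml, "<AutoConnect>1</AutoConnect>") == NULL ||
        strstr(xml, "<Roaming>1</Roaming>") == NULL)
        return 0;
    if (autoconnect_apply(xml, val) != 0)
        return 0;
    if (autoconnect_apply(xml, 0) != 1 ||
        strcmp(xml, AUTOCONNECT_SAMPLE) != 0)
        return 0;
    return autoconnect_apply(xml, 7) == -1;
}

int main(void)
{
    return autoconnect_selftest() ? 0 : 1;
}
```

<p>One deliberate difference from the sed form: the return value counts elements whose digit actually changed, so a second application of the same value reports 0, where sed would report nothing either way. The argument check in <code>autoconnect_parse_arg</code> is the part worth keeping whichever way the file is edited.</p>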