[XMM6260][X-GOLD 626] Modem Specification / Documentation / Hack-Pack


E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
Intel / Infineon XMM6260 & X-GOLD 626 Modem Hack-Pack Release!

After several unsuccessful months of trying to get my phone (application) to
talk AT-commands with the baseband processor (BP), I've had to learn a lot of
hardware and internal Android and OEM based tricks and secrets. Although this
has not been enough to make anything of practical use, it is definitely worth
sharing. If not, at least some more talented people may be able to continue
where I have left off...

Now, it should be immediately stated that there is nothing revolutionary
in here, apart from the Infineon manual for tuning your GSM modem, using the
AT CLI and GTI sequencer. This is something that could potentially be very
useful for better understanding the advanced features that the modem
platform incorporates. However, it is also a sure way of making an
expensive brick out of your phone! You have been warned...


Brief Modem Description

The XMM6260 is the "platform" that consists of:

  • The X-GOLD 626 baseband processor
  • The SMARTi UE2 RF-transceiver DSP
  • The 3GPP Release 7 HSPA+ protocol stack with:
    Downlink: Category 14, Uplink: Category 7

The X-GOLD 626 baseband processor (labelled "PMB 9811") communicates
with the DSP RF-transceiver chip called SMARTi-UE2 (labelled "PBM 5712 A1"),
using a communication interface that corresponds to the MIPI DigRF-3G
(V.3.09) standard. Through this protocol the BP can control some or all
aspects of the RF DSP.

Alternative Names

  • Infineon IFX6260
  • Intel IMC6260
  • Intel XMM626

Some other devices using this platform:
Code:
- Lava XOLO X900                        [Phone]                         FCC ID: ???
- Lenovo K800                           [Tablet/Pad]                    FCC ID: ???
- LG-P920  (LG ?)                       [Phone]                         FCC ID: BEJP920
- LG-P925  (LG Optimus 3D?)             [Phone]                         FCC ID: BEJP925

- Huawei E369 (3G Hi-Universe)          [USB 3G Modem]                  FCC ID: QISE369         (Russian distributor: Merlion)
- Huawei MU733/MU739                    [PC/CE Module]                  FCC ID: QISMU739        
- Samsung Galaxy Nexus (I9200)          [Phone]                         FCC ID: ???     

Other devices that may (!?) also contain the X-GOLD 626:
---------------------------------------------------------
- LG Optimus 4X HD                      [Phone]                         FCC ID: ???     
- HTC One X                             [Phone]                         FCC ID: ???
- Huawei Ascend D Quad                  [Phone]                         FCC ID: QIS ???
- Huawei E392   (E392u-511)             [LTE Multi-mode USB stick]      FCC ID: QISE392U-511
- Huawei E353   (E352s-6)               [HSPA+ USB stick]               FCC ID: QIS ???

Hack-Pack Content
Code:
        - Pictures/Diagrams:
                - XMM6260 colored pinout map
                - XMM6260 mounted in a Samsung Galaxy S2
                - SMARTi UE DSP RF-transceiver chip mounted in the SGS-2
                - IPC xxxxxx stuff
                - Infineon PhoneTools testing program
                - Raw 1byte greyscale PNG of modem.bin from XXKI1

        - PDF files/documents:
                - ITA-RF-Adjustment-GSM (XMM6260 Specification)
                - Infineon MIPI-HSI Product Brief
                - X-GOLD 616 Product Brief
                - Fairchild FSA9280/88A USB/UART switch/MUX datasheet

        - Similar Modem AT sets/documents:
                - AT_Command_Set_3GPP-TS-27007-940.pdf
                - AT_Command_Set_AMOD_HSPA.pdf
                - AT_Command_Set_Gobi.pdf
                - AT_Command_Set_Motorola_XM7200S.pdf
                - AT_Command_Set_Teltonika_TM3.pdf
                - AT_Command_Set_iWOW_TR-900.pdf

        - Text Files:
                - 3GPP 27.007 AT-list
                - XMM6260 official AT-set       
                - XMM6260 internal AT-set
                - XMM6260 homebrew specifications
                        + X-GOLD 626 Modem pinouts
                        + MUX pinouts
                        + AP connections (SGS2)
                        + AP relevant info
                - Strings of modem.bin (stock firmware image: XXKI1)
                - Strings of drexe
                - Strings of rild
                - Strings of libril.so
                - Strings of libsec-ril.so

        - GT-I9100 stock (GB 2.3.4) binary files:
          (Taken from:  PDA:XWKI4, Phone:XXKI1)
                - libKiesDataRouter.so
                - libril.so
                - libsec-ril.so
                - libsecril-client.so
                - drexe
                - rild

        - Android hardware hacking binaries (tools):
                - dbus-monitor
                - dbus-send
                - hciconfig
                - hcidump
                - hcitool
                - i2cdetect
                - i2cdump
                - i2cget
                - i2cset
                - ipcfilter
                - ipcdump
                - ipctool
                - procmem
                - showmap
                - showslab
                - strace
                - tcpdump
                - viewmem

        + various other content
Download Here! (57.72 MB)

The modem firmware referred to and studied can be
found here (Modem.bin.7z) or here, under "XXKI1".
-------------------------------------------------------------------------------
DISCLAIMER:
All the material in this collection was found on internet by
appropriate Google-Fu and/or by laborious manual creation.
Nothing is stolen or reversed, so I am not held responsible
for the origin or problems affiliated with the use of these
documents, programs or other binaries.
-------------------------------------------------------------------------------


If you are a developer or other corporate official of Intel or Infineon:

Please contact your superiors and ask them to release the proper
datasheets and documentation of these products to the public.

Why? Because:

  1. It would significantly increase the sales of your hardware, by promoting
    a much more open approach to hardware development. There are currently
    more than 10 open-sourced and open-hardware smartphone projects around
    the world, who would benefit from the use of a more modern baseband than
    what is currently and openly available.

  2. It would significantly promote your hardware in front of your competitors,
    as your company would be the first one to open up your documentation to the
    public. Thus increasing public technical knowledge of your hardware, which
    would ultimately lead to you having an easier time to find qualified
    developers that cost you less!

  3. It would significantly reduce the cost and time for firmware development,
    while increasing the firmware code-quality and compatibility, as you
    would be able to benefit from the large community and knowledge from
    other professional developers as well as hardware-hackers.

    (Yes, there are several bugs found in your firmware, but since there is
    no way to report and discuss these with your developers, they will
    continue to cost you money and head-scratching for all developers
    having to deal with your platform.)

  4. Your competitive advantage due to 1-3, would promote new and better
    future hardware developments, that would not only benefit your
    company/business but also society as a whole.

  5. It's simply the right thing to do!

The thread where all this becomes crisply relevant is this one:
[A][SGS2][Serial] How to talk to the Modem with AT commands

There you will find all documents which I have found to date, which
is essentially none. At least nothing that can be of ANY practical use.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
UPDATE: [2012-04-17]
As soon as I get a chance I'll update the HackPack (HP) with new data regarding the MUX
and some other hardware used in the SGS2. This data, as presented within HP, is simply wrong!
 

xd.bx

Senior Member
May 14, 2011
431
292
Awesome info :) I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
Awesome info :) I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?
Thanks! The ServiceMode app is mostly interesting because its code actually resides inside the Modem firmware, where the java app is acting as a wrapper. I'm not familiar with the Qualcomm modems, could you elaborate on what that "diagnostic mode" does? (The x-gold firmware is FULL of various modes. Just depends on what you want to do, and to get the proper documentation on how to use it!)
 

Narseo

Member
Oct 1, 2009
5
0
RNC States from libsec-ril.so

Hi

Very valuable information! Does anyone have an idea about how to get the information displayed from serviceMode programmatically? Looks like most of it is being polled directly from the libsec-ril.so. In my case I'm interested in obtaining information about the RNC states on the handset.
 

witchspace

New member
Nov 12, 2012
2
1
Thanks for this information

Thanks for the info E:V:A. I did quite some figuring out about the Radio/DSP unit of the Nokia DCT3 back in the day and also the GSM protocol (anyone remember Project Blacksphere / OpenGPA?).
Things have likely come a long way since then. One thing that is clearly different is that the baseband processor is completely isolated from the application processor. In the DCT3 there was one ARM processor that drove both the user interface and parts of the GSM protocol, and connected to a DSP for the low-level radio stuff.

I wonder how other things have changed with 3G. I may get back in the game. This will give me a headstart :)

witchspace

New member
Nov 12, 2012
2
1
Memory map and boot process

It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:

Code:
    Offset    Size      Address      Description
    0x000000  0x00f000  0x00800000   PSI
    0x00f000  0x019000  0x60000000?  EBL
    0x028000  0x9d8000  0x60300000   Main image
    0x9ff800  0x000800               Used for verification (building ReqSecStart command)?
    0xa00000  0x200000  0x60e80000   NV data (file contains default data)
    0xc00000  0x000200               Unused?

Offset is the offset in the file, address is the flash/RAM address on the device. The whereabouts of the EBL are a bit unknown: address 0x60000000 is based on a guess, the others are sure.

Also I did an attempt at constructing the run-time memory map of the device, based on static analysis but as I've not found a way yet to actually probe it there are quite a few question marks.
Code:
Device memory map:

0x00000000   RAM/ROM? (what is here?)
0x00080000   PSI bootloader *RAM*
0x40000000   Flash (what is flashed here?)
0x60000000?  Code (EBL)
0x60100000   Flash
0x60300000   Code (Flash)
0x60e80000   NVram data (Flash)
0xe0000000   Peripheral mapping for memory-mapped I/O (256MB)
0xffff0000   Memory (initial stack)
As for I/O devices in peripheral mapping, my understanding is still very limited and based on the bootloader only. I have a longer list of addresses from static analysis, but as I can't yet label anything it is pointless to publish. As usual, the upper bits (how many? 8?) select which peripheral, the lower bits (20?) select a port within that peripheral.
Code:
0xe4d00164   ? status bits
0xe4d00384   ? status bits
0xe8000070   ? status bits
Entry points:
Code:
Offset   Address      Description
0x000000 0x00080000   Boot loader
0x00f400 0x60000000?  EBL
0x1a8000 0x60480000   Main stack

I'm trying to run this in QEMU and created a basic environment, but as my understanding of ARM kernel space (interrupt handling, timers, etc) is very limited, it currently gets stuck in a loop waiting for some other thread (or interrupt handler) to update an address.
 
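As an added example that is not part of witchspace's post, the following Python encodes the modem.bin layout from the post and uses it to map file offsets to device addresses (and back), slice an image into its regions, and diff two images region by region, which is the natural first step before comparing firmware builds or looking up an address from the entry-point table. The region labels (PSI, EBL, MAIN, SEC, NV, TAIL) and the helper names are my own, the image it builds is constructed test data, and the offsets, sizes and addresses are exactly those of the post's partition table:

```python
"""Partition-table helper for the modem.bin layout described in the post above.

Added example; the offsets, sizes and addresses come from the post's table,
the region names and function names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class Partition:
    name: str
    offset: int              # start offset inside modem.bin
    size: int                # length in bytes
    address: Optional[int]   # load address on the device, None if unknown
    guessed: bool = False    # True where the post marks the address with "?"


# Layout as given in the post.  Note that the SEC block (0x9ff800, 0x800 bytes)
# lies inside the MAIN image, so this is not a disjoint partition table.
# The post's memory map and entry-point list give 0x00080000 for the PSI,
# while its partition table says 0x00800000; the table's value is used here.
MODEM_BIN_LAYOUT: List[Partition] = [
    Partition("PSI",  0x000000, 0x00f000, 0x00800000),
    Partition("EBL",  0x00f000, 0x019000, 0x60000000, guessed=True),
    Partition("MAIN", 0x028000, 0x9d8000, 0x60300000),
    Partition("SEC",  0x9ff800, 0x000800, None),      # "used for verification"
    Partition("NV",   0xa00000, 0x200000, 0x60e80000),
    Partition("TAIL", 0xc00000, 0x000200, None),      # "unused?"
]

IMAGE_SIZE = max(p.offset + p.size for p in MODEM_BIN_LAYOUT)  # 0xc00200


def partitions_containing(offset: int) -> List[Partition]:
    """All layout entries whose file range covers the given offset."""
    return [p for p in MODEM_BIN_LAYOUT if p.offset <= offset < p.offset + p.size]


def file_to_device(offset: int) -> Optional[Tuple[str, int]]:
    """Map a modem.bin file offset to (region name, device address).

    When several entries cover the offset (SEC inside MAIN) the smallest
    entry with a known load address wins; None if nothing maps it."""
    candidates = [p for p in partitions_containing(offset) if p.address is not None]
    if not candidates:
        return None
    p = min(candidates, key=lambda q: q.size)
    return p.name, p.address + (offset - p.offset)


def device_to_file(address: int) -> Optional[Tuple[str, int]]:
    """Inverse mapping: device address -> (region name, file offset)."""
    for p in MODEM_BIN_LAYOUT:
        if p.address is not None and p.address <= address < p.address + p.size:
            return p.name, p.offset + (address - p.address)
    return None


def split_image(data: bytes) -> Dict[str, bytes]:
    """Slice a modem.bin blob into its regions; rejects a truncated file."""
    if len(data) < IMAGE_SIZE:
        raise ValueError(f"image too short: {len(data):#x} < {IMAGE_SIZE:#x}")
    return {p.name: bytes(data[p.offset:p.offset + p.size]) for p in MODEM_BIN_LAYOUT}


def region_digests(data: bytes) -> Dict[str, str]:
    """SHA-256 per region, for comparing two firmware builds region by region."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in split_image(data).items()}


def changed_regions(old: bytes, new: bytes) -> List[str]:
    """Names of the regions whose bytes differ between two images of this layout."""
    a, b = region_digests(old), region_digests(new)
    return [name for name in a if a[name] != b[name]]


def build_constructed_image() -> bytearray:
    """A synthetic 0xc00200-byte image (constructed test data, not real firmware):
    each region starts with its own name so the slicing can be checked."""
    img = bytearray(IMAGE_SIZE)
    for p in MODEM_BIN_LAYOUT:
        img[p.offset:p.offset + len(p.name)] = p.name.encode()
    return img


if __name__ == "__main__":
    # Cross-check against the post's entry-point table: file offset 0x1a8000
    # (main stack) should land on device address 0x60480000 via MAIN.
    print(file_to_device(0x1a8000))        # ('MAIN', 0x60480000)
    img = build_constructed_image()
    patched = bytearray(img)
    patched[0xa00010] ^= 0xff              # touch one byte of NV data
    print(changed_regions(img, patched))   # ['NV']
```

The mapping agrees with the post's entry-point table for the main stack (file 0x1a8000 maps to 0x60480000 through the MAIN region), which is a useful sanity check that the two tables were read consistently. For the SEC block the helper deliberately returns the MAIN-relative address, since the post gives the verification block no address of its own; if the PSI turns out to live at 0x00080000 as the memory map says, only the one constant in MODEM_BIN_LAYOUT needs changing.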

Polarfuchs

Senior Member
Apr 20, 2008
967
105
How should I know, I just posted the link as "service" because the user above me couldn't post links.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
I've been informed that the download link doesn't work. I will upload again as soon as I have time...
 

androo45

Senior Member
Apr 24, 2011
85
12
Really interesting stuff you have got here.

One thing I've been searching for a while now: I own a Galaxy Nexus, which has an XMM6260 modem. Samsung had on their stock ROM a feature in service mode where you can check the power modes of the 3G data connection. Since the Galaxy S2 has the same modem, it should be possible to get that feature.
I'm interested in this stuff because my Galaxy Nexus likes to drain like crazy on the 3G network that I use and I suspect that it has to do with the 3G data power modes. 3G+wifi is extremely efficient in power use but 3G+mobile data is a big battery hog.

I hope you post a working link soon, then I can start reading this stuff.
 

Synman

Recognized Developer
Seems like this might be the best place to ask this... I also asked in the "fun with AT commands" thread so my apologies up front for the spam.

I'm looking for a fastboot friendly radio baseband I can flash with a 4.2.1 friendly RIL. This may be more than what I actually need but I've got a full telephony build of the Nexus 7 3G going and while SMS and MMS are fully functional I'm getting a CME ERROR: 4 when I try to do voice dialing and don't see anything coming in via logcat on an inbound call.

The mobile plan I'm using is full voice capable and verified as functional.

Doing a strings of the included RIL (libxgold-ril.so) shows all the necessary voice functions listed (although I guess this could be a false positive if it is interface based).

The modem mounts up on /dev/ttyACM0 and I'm able to do all the basics with radiooptions, except voice dialing and answering of course.

Any pointers / advice / direction would be greatly appreciated... coming up to speed real quick in this area.
 

zad522

Member
Feb 16, 2013
7
1
How to start?

I'm a rookie, so can anyone provide a step-by-step tutorial about how to send AT commands to the baseband processor directly? Right now I can only use i2cdetect to list i2c channels, but what to do next?

Thanks,
Andong
 

clevcoder

New member
Feb 13, 2013
1
0
Uppsala
www.clevcode.org
XGold 626 Reversing

It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:
[snip]

Hi!

Nice work. :) I'm working on reversing the xgold626 baseband as well. Specifically, I'm looking at the NELK2 baseband for my GT-i9300.

Perhaps we could join forces? Anyone else working on reversing the xgold626 baseband is welcome to contact me as well.

I'm reachable at: je at clevcode.org, or on my ircd (irc.clevcode.org, port 7000, SSL, nick je).

Cheers,
Joel
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:...

I'm trying to run this in QEMU and created a basic environment, but as my understanding of ARM kernel space (interrupt handling, timers, etc) is very limited, it currently gets stuck in a loop waiting for some other thread (or interrupt handler) to update an address.

Specifically, I'm looking at the NELK2 baseband for my GT-i9300. Perhaps we could join forces? Anyone else working on reversing the xgold626 baseband is welcome to contact me as well.

Yep, that is very interesting. Send me a PM if there is more interest in pursuing this further! What's the primary interest of doing this?
 

    Just found ... a bit older, but still very interesting :)

    http://hwplatform.googlecode.com/svn/trunk/Infineon/
    Guys and girls, the modem bootup sequence via the bootloader IPC transport is reversed ages ago by me for galaxy s2 and galaxy nexus. Take a look at the recent libsamsung-ipc and samsung-ril from replicant

    https://github.com/morphis/libsamsung-ipc
    https://gitorious.org/replicant/hardware_ril_samsung-ril/commits/master
    @E:V:A the link for hack-pack is dead
    Could you please upload it again
    It will be really very helpful