Post Reply

[XMM6260][X-GOLD 626] Modem Specification / Documentation / Hack-Pack

6th February 2012, 04:54 AM   |  #1  
E:V:A's Avatar
OP Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,801
 
1,347 posts
Join Date:Joined: Dec 2011
Intel / Infineon XMM6260 & X-GOLD 626 Modem Hack-Pack Release!

After several unsuccessful months of trying to get my phone (application) to
talk AT-commands with the baseband processor (BP), I've had to learn a lot of
hardware and internal Android and OEM based tricks and secrets. Although this
have not been enough to make anything of practical use, it is definitely worth
sharing. If not at least some more talented people may be able to continue
where I have left of...

Now, it should be immediately stated that there is nothing revolutionary
in here
, apart the Infineon manual for tuning your GSM modem, using the
AT CLI and GTI sequencer. This is something that could potentially be very
useful for better understanding the advanced features that the modem
platform incorporates. However, it is also a sure way of making a an
expensive brick out of your phone! You have been warned...


Brief Modem Description
The XMM6260 is the "platform" that consists of:
  • The X-GOLD 626 baseband processor
  • The SMARTi UE2 RF-transceiver DSP
  • The 3GPP Release 7 HSPA+ protocol stack with:
    Downlink: Category 14, Uplink: Category 7
The X-GOLD 626 baseband processor (labelled "PMB 9811") is communicating
with the DSP RF-tranceiver chip called SMARTi-UE2 (labelled "PBM 5712 A1"),
using a communication interface that corresponds to the MIPI DigRF-3G
(V.3.09) standard. Through this protocol the BP can control some or all
aspects of the RF DSP.

Alternative Names
  • Infineon IFX6260
  • Intel IMC6260
  • Intel XMM626

Some other devices using this platform:
Code:
- Lava XOLO X900                        [Phone]                         FCC ID: ???
- Lenovo K800                           [Tablet/Pad]                    FCC ID: ???
- LG-P920  (LG ?)                       [Phone]                         FCC ID: BEJP920
- LG-P925  (LG Optimus 3D?)             [Phone]                         FCC ID: BEJP925

- Huawei E369 (3G Hi-Universe)          [USB 3G Modem]                  FCC ID: QISE369         (Russian distrubutor: Merlion)
- Huawei MU733/MU739                    [PC/CE Module]                  FCC ID: QISMU739        
- Samsung Galaxy Nexus (I9200)          [Phone]                         FCC ID: ???     

Other devices that may (!?) also contain the X-GOLD 626:
---------------------------------------------------------
- LG Optimus 4X HD                      [Phone]                         FCC ID: ???     
- HTC One X                             [Phone]                         FCC ID: ???
- Huawei Ascend D Quad                  [Phone]                         FCC ID: QIS ???
- Huawei E392   (E392u-511)             [LTE Multi-mode USB stick]      FCC ID: QISE392U-511
- Huawei E353   (E352s-6)               [HSPA+ USB stick]               FCC ID: QIS ???
Hack-Pack Content
Code:
        - Pictures/Diagrams:
                - XMM6260 colored pinout map
                - XMM6260 mounted in a Samsung Galaxy S2
                - SMARTi UE DSP RF-tranceiver chip mounted in the SGS-2
                - IPC xxxxxx stuff
                - Infineon PhoneTools testing program
                - Raw 1byte greyscale PNG of modem.bin from XXKI1

        - PDF files/documents:
                - ITA-RF-Adjustment-GSM (XMM6260 Specification)
                - Infineon MIPI-HSI Product Brief
                - X-GOLD 616 Product Brief
                - Fairchild FSA9280/88A USB/UART switch/MUX datasheet

        - Similar Modem AT sets/documents:
                - AT_Command_Set_3GPP-TS-27007-940.pdf
                - AT_Command_Set_AMOD_HSPA.pdf
                - AT_Command_Set_Gobi.pdf
                - AT_Command_Set_Motorola_XM7200S.pdf
                - AT_Command_Set_Teltonika_TM3.pdf
                - AT_Command_Set_iWOW_TR-900.pdf

        - Text Files:
                - 3GPP 27.007 AT-list
                - XMM6260 official AT-set       
                - XMM6260 internal AT-set
                - XMM6260 homebrew specifications
                        + X-GOLD 626 Modem pinouts
                        + MUX pinouts
                        + AP connections (SGS2)
                        + AP relevant info
                - Strings of modem.bin (stock firmware image: XXKI1)
                - Strings of drexe
                - Strings of rild
                - Strings of libril.so
                - Strings of libsec-ril.so

        - GT-I9100 stock (GB 2.3.4) binary files: 
          (Taken from:  PDA:XWKI4, Phone:XXKI1)
                - libKiesDataRouter.so
                - libril.so
                - libsec-ril.so
                - libsecril-client.so
                - drexe
                - rild

        - Android hardware hacking binaries (tools):
                - dbus-monitor
                - dbus-send
                - hciconfig
                - hcidump
                - hcitool
                - i2cdetect
                - i2cdump
                - i2cget
                - i2cset
                - ipcfilter
                - ipcdump
                - ipctool
                - procmem
                - showmap
                - showslab
                - strace
                - tcpdump
                - viewmem

        + various other content
Download Here! (57.72 MB)

The modem firmware referred to and studied can be
found here (Modem.bin.7z) or here, under "XXKI1".
-------------------------------------------------------------------------------
DISCLAIMER:
All the material in this collection was found on internet by
appropriate Google-Fu and/or by laborious manual creation.
Nothing is stolen or reversed, so I am not held responsible
for the origin or problems affiliated with the use of these
documents, programs or other binaries.
-------------------------------------------------------------------------------


If you are a developer or other corporate official of Intel or Infineon:

Please contact your superiors and ask them to release the proper
datasheets and documentation of these products to the public.

Why? Because:
  1. It would significantly increase the sales of your hardware, by promoting
    a much more open approach to hardware development. There are currently
    more than 10 open-sourced and open-hardware smartphone projects around
    the world, who would benefit from the use of a more modern baseband than
    what is currently and openly available.
    .
  2. It would significantly promote your hardware in front of your competitors,
    as your company would be the first one to open up your documentation to the
    public. Thus increasing public technical knowledge of your hardware, which
    would ultimately lead to you having an easier time to find qualified
    developers that cost you less!
    .
  3. It would significantly reduce the cost and time for firmware development,
    while increasing the firmware code-quality and compatibility, as you
    would be able to benefit from the large community and knowledge from
    other professional developers as well as hardware-hackers.

    (Yes, there are several bugs found in your firmware, but since there is
    no way to report and discuss these with your developers, they will
    continue to cost you money and head-scratching for all developers
    having to deal with your platform.)
    .
  4. Your competitive advantage due to 1-3, would promote new and better
    future hardware developments, that would not only benefit your
    company/business but also society as a whole.
    .
  5. Its simply the right thing to do!
The thread where all this become crisply relevant is this one:
[A][SGS2][Serial] How to talk to the Modem with AT commands

There you will find all documents which I have found to date, which
is essentially none. At least nothing that can be of ANY practical use.
Last edited by E:V:A; 10th April 2012 at 12:06 AM.
The Following 11 Users Say Thank You to E:V:A For This Useful Post: [ View ]
16th February 2012, 05:47 PM   |  #2  
E:V:A's Avatar
OP Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,801
 
1,347 posts
Join Date:Joined: Dec 2011
UPDATE: [2012-04-17]
As soon as I get a chance I'll update the HackPack (HP) with new data regarding the MUX
and some other hardware used in the SGS2. This data, as presented within HP, is simply wrong!
Last edited by E:V:A; 17th April 2012 at 02:57 PM.
16th February 2012, 05:49 PM   |  #3  
E:V:A's Avatar
OP Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,801
 
1,347 posts
Join Date:Joined: Dec 2011
Reserved 2 me 3
4th April 2012, 04:33 PM   |  #4  
Senior Member
Flag Copenhague
Thanks Meter: 284
 
408 posts
Join Date:Joined: May 2011
More
Awesome info I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?
5th April 2012, 10:57 PM   |  #5  
E:V:A's Avatar
OP Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,801
 
1,347 posts
Join Date:Joined: Dec 2011
Quote:
Originally Posted by xd.bx

Awesome info I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?

Thanks! The ServiceMode app is mostly interesting because its code actually reside inside the Modem firmware, where the java app is acting as a wrapper. I'm not familiar with the Qualcomm modems, could you elaborate on what that "diagnostic mode" does? (The x-gold firmware is FULL of various modes. Just depends on what you want to do, and to get the proper documentation on how to use it!)
12th June 2012, 07:41 PM   |  #6  
viperbjk's Avatar
Recognized Developer
Flag Munich
Thanks Meter: 45
 
10
391 posts
Join Date:Joined: Nov 2007
More
Just found ... a bit older, but still very interesting

http://hwplatform.googlecode.com/svn/trunk/Infineon/
The Following 2 Users Say Thank You to viperbjk For This Useful Post: [ View ]
24th August 2012, 11:29 AM   |  #7  
Junior Member
Thanks Meter: 0
 
5 posts
Join Date:Joined: Oct 2009
RNC States from libsec-ril.so
Hi

Very valuable information! Does anyone have an idea about how to get the information displayed from serviceMode programatically? Looks like most of it is being polled directly to the libsec-ril.so. In my case I'm interested in obtaining information about the RNC states on the handset
12th November 2012, 06:25 AM   |  #8  
Junior Member
Thanks Meter: 1
 
2 posts
Join Date:Joined: Nov 2012
Thumbs up Thanks for this information
Thanks for the info E:V:A. I did quite some figuring out about the Radio/DSP unit of the Nokia DCT3 back in the day and also the GSM protocol (anyone remember Project Blacksphere / OpenGPA?).
Things have likely come a long way since then. One thing that is clearly different is that the baseband processor is completely isolated from the application processor. In the DCT3 there was one ARM processor that drove both the user interface and parts of the GSM protocol, and connected to a DSP for the low-level radio stuff.

I wonder how other things have changed with 3G. I may get back in the game. This will give me an headstart
Last edited by witchspace; 12th November 2012 at 06:37 AM.
25th November 2012, 09:55 AM   |  #9  
Junior Member
Thanks Meter: 1
 
2 posts
Join Date:Joined: Nov 2012
Memory map and boot process
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:

Code:
    Offset    Size      Address     Description
    0x000000  0x00f000  0x00800000  PSI
    0x00f000  0x019000  0x60000000? EBL
    0x028000  0x9d8000  0x60300000  Main image
    0x9ff800  0x000800              Used for verification (buliding ReqSecStart command)?
    0xa00000  0x200000  0x60e80000   NV data (file contains default data)
    0xc00000  0x000200              Unused?
Offset is offset in file, address is flash/ram offset on device. Whereabouts about the EBL are a bit unknown, address 0x60000000 is based on a guess the others are sure.

Also I did an attempt at constructing the run-time memory map of the device, based on static analysis but as I've not found a way yet to actually probe it there are quite a few question marks.
Code:
Device memory map:

0x00000000  RAM/ROM? (what is here?)
0x00080000  PSI bootloader *RAM*
0x40000000  Flash (what is flashed here?)
0x60000000?  Code (EBL)
0x60100000  Flash
0x60300000  Code (Flash)
0x60e80000  NVram data (Flash)
0xe0000000  Peripheral mapping for memory-mapped I/O (256MB)
0xffff0000  Memory (initial stack)
As for I/O devices in peripheral mapping, my understanding is still very limited and based on the bootloader only. I have a longer list of addresses from static analysis, but as I can't yet label anything it is pointless to publish. As usual, the upper bits (how many? 8?) select which peripheral, the lower bits (20?) select a port within that peripheral.
Code:
0xe4d00164   ? status bits
0xe4d00384   ? status bits
0xe8000070   ? status bits
Entry points:
Code:
Offset   Address      Description
0x000000 0x00080000   Boot loader
0x00f400 0x60000000?  EBL
0x1a8000 0x60480000   Main stack
I'm trying to run this in QEMU and created a basic environment, but as my understanding of ARM kernel space (interrupt handling, timers, etc) is very limited, it currently gets stuck in a loop waiting for some other thread (or interrupt handler) to update an address.
Last edited by witchspace; 27th November 2012 at 05:52 AM. Reason: fix a typo
The Following User Says Thank You to witchspace For This Useful Post: [ View ]
1st December 2012, 09:15 PM   |  #10  
Junior Member
Thanks Meter: 1
 
6 posts
Join Date:Joined: Nov 2012
just thought it might be of interest and help - http---en.samaanet.com/?p=2390

Post Reply Subscribe to Thread

Tags
bp/cp, infineon, intel, modem, xmm6260
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes