
Samsung RIL reversing

OP iuss

20th January 2011, 12:13 AM   |  #11  
Junior Member
Thanks Meter: 5
 
13 posts
Joined: Jan 2011
Where did you get the ioctls from??
I checked libsec-ril.so

Code:
EXPORT onedram_phone_pow_on
onedram_phone_pow_on
PUSH    {R4,LR}
LDR     R4, =(_GLOBAL_OFFSET_TABLE_ - 0x33CC8)
LDR     R0, =(fd_onedram_ptr - 0x45164)
LDR     R1, =0x6FD0     ; request
ADD     R4, PC
LDR     R3, [R4,R0]
MOVS    R2, #0
LDR     R0, [R3]        ; fd
BLX     ioctl
CMP     R0, #0
BGE     loc_33CEE
20th January 2011, 12:26 AM   |  #12  
OP Senior Member
Thanks Meter: 207
 
150 posts
Joined: Dec 2010
My reference is the dpram driver shipped with GT-I5700_OpenSource.zip.

But I see that you're right, in true Samsung-style there are multiple defines for the ioctls. The ones in my patch are unused.

DPRAM_PHONE_POWON is indeed 0x6FD0. Try setting that as power_on ioctl.

DPRAM_PHONE_ON is 0xF0C0 - which seems to be called to init the OneDRAM memory, and appears to depend on POWON. If it doesn't work after the POWON ioctl, send this one as well (or even better, strace your original RIL to see the ioctls required).

There's one more ioctl (0x6FD3) related to booting, but I *think* it's only used when a modem image is uploaded. Refer to dpram.h/dpram.c for more info.
20th January 2011, 12:42 AM   |  #13  
Junior Member
Thanks Meter: 5
 
13 posts
Joined: Jan 2011
hi!

hmm, it doesn't work!
Can you tell me how the image upload (over serial) works and if I need to do it??

Further, how do you strace rild??
rild is started from init and the sockets are created on startup!
If I stop rild it restarts and I cannot strace it!

so I go to bed... good night
20th January 2011, 12:47 AM   |  #14  
OP Senior Member
Thanks Meter: 207
 
150 posts
Joined: Dec 2010
I don't know about the image upload. Either the bootloader handles it (didn't check in detail) or it's handled by the baseband itself. For my phone I can simply send the power_on ioctl and off it goes - probably it's just the same for Spica.

As for stracing, you might be able to modify init.rc so rild is started straced.

What might be easier though is simply reversing it. Seeing you already have the RIL lib in IDA, just find all xrefs to ioctl and you should be able to figure all needed.
20th January 2011, 04:42 PM   |  #15  
Junior Member
Thanks Meter: 5
 
13 posts
Joined: Jan 2011
hi,

I tried a lot, but I did not get it to work!
I changed the power IOCTL to 0x6FD0!
It returns 0 = OK

but the phone does not start!
The original lib loads a phone image and a nv_data.bin and then it uses 0x6FD3 to start the phone.
But my assembly knowledge is not so good.

Can you have a look if you have time????
I attach libsec-ril.so. Open it with IDA and go to function RIL_Init!

the magic happens in dload_test

thx in advance
Attached Files: libsec-ril.zip (149.6 KB, 164 views)
Last edited by tux@dbox; 20th January 2011 at 04:58 PM.
20th January 2011, 07:46 PM   |  #16  
OP Senior Member
Thanks Meter: 207
 
150 posts
Joined: Dec 2010
Had a quick look. You're right, Spica appears to load the phone fw/nvs from Android.

Quick writeup (in order):
- onedram_open(): Open /dev/dpram0
- dload_read_dbl(): Read /dev/bml9, 0x5000 bytes
- onedram_phone_pow_on(): ioctl 0x6fd0 (DPRAM_PHONE_POWON)
- dload_uart_init(): open /dev/s3c_serial0, 115200
- dload_hdlc_init(): init some data related to hdlc parsing
- dload_packet_init(): init some packet struct
- nop_req()
- onedram_phone_image_load(): ioctl 0x6fd1 (DPRAM_PHONEIMG_LOAD)
- onedram_nv_data_load(): load /efv/nv_data.bin 0x80000 bytes, ioctl(fd, 0x6FD2 (DPRAM_NVDATA_LOAD), buf_with_nvdata)
- onedram_phone_boot_start(): ioctl 0x6fd3 DPRAM_PHONE_BOOTSTART

onedram_nv_data_load() reads the nvdata and passes it as a param along with the ioctl, the nop_req is sent over the uart.

The baseband firmware itself seems to be read by libsecril, but not used (?) - the kernel driver contains code to read bml too when DPRAM_PHONEIMG_LOAD is issued.

I haven't traced into nop_req - no time to reverse it right now. You can import these functions from libsec-ril.so for testing (all are exported) and later replace them with your own implementation. (You can then easily strace your binary to recover the nop_req data).
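The ioctl part of the boot sequence listed above, written out as an added example (not code from the thread or from libsec-ril.so). The request numbers and the 0x80000 nv_data length are the ones quoted in the post; the function names, the dry-run mode (fd < 0) and the /efs path for nv_data.bin are this example's own assumptions, and the UART nop_req that sits between POWON and PHONEIMG_LOAD is left out because the thread has not reconstructed it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Request numbers exactly as quoted in the thread (Spica dpram driver). */
#define DPRAM_PHONE_POWON     0x6FD0
#define DPRAM_PHONEIMG_LOAD   0x6FD1
#define DPRAM_NVDATA_LOAD     0x6FD2
#define DPRAM_PHONE_BOOTSTART 0x6FD3
#define NV_DATA_SIZE          0x80000   /* nv_data.bin length per the post */
#define NV_DATA_PATH "/efs/nv_data.bin" /* assumed mount point; post writes /efv */

/* Order in which libsec-ril issues the ioctls (post above). The UART
 * nop_req between POWON and PHONEIMG_LOAD is not modelled here. */
static const unsigned long boot_steps[] = {
    DPRAM_PHONE_POWON, DPRAM_PHONEIMG_LOAD, DPRAM_NVDATA_LOAD, DPRAM_PHONE_BOOTSTART
};
#define N_STEPS (sizeof boot_steps / sizeof boot_steps[0])

/* Read nv_data.bin into buf and insist on the exact size the driver expects;
 * a short or oversized file is rejected rather than handed to the baseband.
 * Returns 0 on success, -1 otherwise. */
static int load_nv_data(const char *path, unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, len, f);
    int extra = fgetc(f);            /* any byte beyond len means a bad image */
    fclose(f);
    return (n == len && extra == EOF) ? 0 : -1;
}

/* Replay the ioctl sequence on an open /dev/dpram0 descriptor. With fd < 0
 * nothing is sent; the requests are only recorded in trace[] so the order can
 * be checked offline. Returns the number of steps issued, -1 on ioctl error. */
int dpram_boot(int fd, const unsigned char *nv, unsigned long *trace, size_t cap)
{
    size_t done = 0;
    for (size_t i = 0; i < N_STEPS && i < cap; i++) {
        unsigned long req = boot_steps[i];
        /* only DPRAM_NVDATA_LOAD carries the nvdata buffer; the rest pass NULL */
        void *arg = (req == DPRAM_NVDATA_LOAD) ? (void *)nv : NULL;
        if (fd >= 0 && ioctl(fd, req, arg) < 0) {
            perror("dpram ioctl");
            return -1;
        }
        trace[done++] = req;
    }
    return (int)done;
}
```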
2nd February 2011, 05:13 PM   |  #17  
OP Senior Member
Thanks Meter: 207
 
150 posts
Joined: Dec 2010
I'm looking for RIL logs of Samsung phones in order to speed up development.
'logcat -b radio' might provide some, but given a specific phone model I could look up alternative log locations (i5500 for instance appears to dump RIL traffic to /data/log/).

Anyone able to help?
12th February 2011, 01:19 PM   |  #18  
Junior Member
Thanks Meter: 0
 
5 posts
Joined: Feb 2011
Nexus S
Hi,

Out of curiosity I opened the 'libsec-ril.so' from the Nexus S in IDA.
Although 'ioctl' is imported, I cannot really find calls to it.

Since I'm unfamiliar with ARM opcodes, I probably overlook something.
Does this code make sense to anyone?

EDIT: Quite a lot of functions seem to call 'IPC_send_singleIPC', so I suppose
I might be looking at the wrong file...

EDIT2: Ahh, 'IPC_send_singleIPC' can print an IOCTL error message, just haven't found the actual call to ioctl() yet..

Code:
.text:00016BC4                 EXPORT requestDTMFStop
.text:00016BC4 requestDTMFStop
.text:00016BC4                 LDR     R3, =(dword_62428 - 0x16BD0)
.text:00016BC6                 PUSH    {R4-R6,LR}
.text:00016BC8                 MOV     R4, R2
.text:00016BCA                 LDR     R2, =0xFFFFFDC4
.text:00016BCC                 ADD     R3, PC
.text:00016BCE                 MOV     R6, R0
.text:00016BD0                 MOV     R5, R1
.text:00016BD2                 LDR     R0, [R3,R2]
.text:00016BD4                 LDRB    R3, [R0]
.text:00016BD6                 CBZ     R3, loc_16BEC
.text:00016BD8                 LDR     R3, =(aOndialtimeout - 0x16BE4)
.text:00016BDA                 MOVS    R0, #6
.text:00016BDC                 LDR     R1, =(aRil - 0x16BE6)
.text:00016BDE                 LDR     R2, =(aS - 0x16BEA)
.text:00016BE0                 ADD     R3, PC          ; "onDialTimeout"
.text:00016BE2                 ADD     R1, PC          ; "RIL"
.text:00016BE4                 ADDS    R3, #0x6C
.text:00016BE6                 ADD     R2, PC          ; "%s()"
.text:00016BE8                 BLX     sub_10D2C    ; NOTE: this seems to be a printf() function
.text:00016BEC
.text:00016BEC loc_16BEC                               ; CODE XREF: .text:00016BD6j
.text:00016BEC                 MOV     R0, R6
.text:00016BEE                 MOV     R1, R5
.text:00016BF0                 MOV     R2, R4
.text:00016BF2                 MOVS    R3, #2
.text:00016BF4                 BL      sub_16B28
.text:00016BF8                 POP     {R4-R6,PC}
.text:00016BFA ; ---------------------------------------------------------------------------
.text:00016BFA                 NOP
.text:00016BFA ; ---------------------------------------------------------------------------
.text:00016BFC off_16BFC       DCD dword_62428 - 0x16BD0 ; DATA XREF: .text:requestDTMFStopr
.text:00016C00 dword_16C00     DCD 0xFFFFFDC4          ; DATA XREF: .text:00016BCAr
.text:00016C04 off_16C04       DCD aOndialtimeout - 0x16BE4 ; DATA XREF: .text:00016BD8r
.text:00016C04                                         ; "onDialTimeout"
.text:00016C08 off_16C08       DCD aRil - 0x16BE6      ; DATA XREF: .text:00016BDCr
.text:00016C08                                         ; "RIL"
.text:00016C0C off_16C0C       DCD aS - 0x16BEA        ; DATA XREF: .text:00016BDEr
.text:00016C0C                                         ; "%s()"
.text:00016C10 ; ---------------------------------------------------------------------------
Last edited by Tuigje; 12th February 2011 at 02:17 PM.
12th February 2011, 02:55 PM   |  #19  
OP Senior Member
Thanks Meter: 207
 
150 posts
Joined: Dec 2010
Quote:
Originally Posted by Tuigje

Out of curiosity I opened the 'libsec-ril.so' from the Nexus S in IDA.
Although 'ioctl' is imported, I cannot really find calls to it.

Did you try to find xrefs to it?

Quote:

Since I'm unfamiliar with ARM opcodes, I probably overlook something.
Does this code make sense to anyone?

It does, but it's just an excerpt from a RIL request handler (requestDTMFStop).

Quote:

EDIT: Quite a lot of functions seem to call 'IPC_send_singleIPC', so I suppose
I might be looking at the wrong file...

Wrong file? What are you looking for exactly? The send_single_IPC function is used to send a message to the baseband, thus it's called quite often.

Nexus S has a slightly different kernel driver for dpram, probably Google kindly requested Samsung to clean their crap up. Instead of a chardev + read/write they use ioctls to perform read/write. That would explain the ioctl references you're seeing in IPC_send_singleIPC.
12th February 2011, 08:42 PM   |  #20  
Junior Member
Thanks Meter: 0
 
5 posts
Joined: Feb 2011
Quote:
Originally Posted by iuss

Did you try to find xrefs to it?

Nope. I must have done something wrong loading the libsec-ril.so into IDA. All
imports are shown at the end of the file as:

Code:
extern:0009E54C ; int ioctl(int fd, unsigned __int32 request, ...)
extern:0009E54C                 IMPORT ioctl

Quote:

It does, but it's just an excerpt from a RIL request handler (requestDTMFStop).

Wrong file? What are you looking for exactly? The send_single_IPC function is used to send a message to the baseband, thus it's called quite often.

Ok. I was wondering whether it is possible to get e.g. 'timing advance' data from the GSM modem. So I started by digging through the Android sources. Now I'm at libsec-ril.so (and libril.so, but I can't make much sense out of that one yet).

Is it correct that libril.so and the kernel-mode GSM driver are also closed-source for the Nexus S?
Edit: libril looks awfully similar to the Android sources (device/libs/telephony/ril.cpp)

Do you know the name of the kernel driver (module filename), or is it directly compiled into the kernel?
I haven't stumbled onto it yet, neither in the system.img nor in the ramdisk of the boot.img.

Quote:

Nexus S has a slightly different kernel driver for dpram, probably Google kindly requested Samsung to clean their crap up. Instead of a chardev + read/write they use ioctls to perform read/write. That would explain the ioctl references you're seeing in IPC_send_singleIPC.

Is there any other place to get such information, or is it all hard work figuring this out by yourself?
Last edited by Tuigje; 12th February 2011 at 09:11 PM.