
[XMM6260][X-GOLD 626] Modem Specification / Documentation / Hack-Pack

By E:V:A, Recognized Developer on 6th February 2012, 04:54 AM
23rd February 2013, 08:23 PM | #21 | sp3dev (Senior Member, Kaluga/Moscow)
Guys and girls, the modem boot-up sequence via the bootloader IPC transport was reversed ages ago by me for the Galaxy S2 and Galaxy Nexus. Take a look at the recent libsamsung-ipc and samsung-ril from Replicant.
23rd February 2013, 09:03 PM | #22 | E:V:A (OP, Recognized Developer)
Originally Posted by sp3dev

Guys and girls, the modem boot-up sequence via the bootloader IPC transport was reversed ages ago by me for the Galaxy S2 and Galaxy Nexus. Take a look at the recent libsamsung-ipc and samsung-ril from Replicant.

Excellent! But how can we use it? (We need a binary or app that can actually connect to ATCoP from userspace. As far as I can see, the only such interface binary (modemctl.c) is just doing some very rudimentary on/off/reset stuff.)

#include <stdio.h>

/* Usage text from modemctl.c: the only commands the tool knows are power/bootstrap ones. */
void print_help(void)
{
    printf("usage: modemctrl <command>\n");
    printf("\tstart                 bootstrap modem and start read loop\n");
    printf("\tbootstrap             bootstrap modem only\n");
    printf("\tpower-on              power on the modem\n");
    printf("\tpower-off             power off the modem\n");
    printf("\t--debug               enable debug messages\n");
    printf("\t--pin=[PIN]           provide SIM card PIN\n");
}
We need an actual way (like ipctool) to send AT commands and receive their responses.

In addition, it only works (AFAIK) on XMM6260-type CP/BPs and not on Qualcomm. It also seems to require some funky way of installing a new kernel, which would preferably be avoided, while at the same time being incomplete, not supporting other features like GPS, the 3D graphics engine and BT. At least according to your I9100 4.0 status page.
24th March 2013, 10:56 PM | #23 | Bob Smith42 (Senior Member)
Torrent for your XGOLD626_Modem_HackPack.7z
Torrent attached. Seed if desired.
Attached file: XGOLD626_Modem_HackPack.7z.torrent (4.7 KB)
3rd April 2013, 08:59 AM | #24 | trynd (Junior Member)
I also have an X-GOLD 626. I send a sequence of AT commands into /dev/ttyACM0 and receive the IP, GW and DNS from the operator. Then I used ioctl codes to assign the IP and GW and bring up the interface. But I can't ping the GW: destination host unreachable. What more do I need to do? I used IDA for disassembly.
12th June 2013, 06:57 AM | #25 | Junior Member
Don't know if it's been mentioned...
Hey all,

Sorry for not reading the whole thread to make sure it hasn't been said before...

I am using my Nexus 7 for GSM calls, with a workaround: I am using the paid app Tablet Talk and a Samsung Pocket (couldn't find a cheaper phone). The phone is basically dead weight, but still, it works! Until you guys figure it out )))

Thanks for all the hard work,
15th June 2013, 02:27 PM | #26 | Junior Member
even enbraz
Originally Posted by sparkyuiop

I have removed my BB CPU and here is the pinout if it helps anyone

Can I have it for the PlayBook please? BlackBerry PlayBook. And secondly, I am not an electronics engineer, so I don't know electronics much. What is/are the pinouts for the BlackBerry PlayBook 16/32/64GB? I need it badly, as I am trying to port coreboot as the bootloader and Debian as the main OS. But this doesn't mean we can't run Linux. I need to know which are the
hxxp :// but I need to know the traces and also the JTAG points for the BlackBerry PlayBook.
Thanks in advance.
26th July 2013, 03:33 PM | #27 | xd.bx (Senior Member, Copenhague)
Originally Posted by clevcoder

Nice work. I'm working on reversing the xgold626 baseband as well. Specifically, I'm looking at the NELK2 baseband for my GT-i9300.

Perhaps we could join forces? Anyone else working on reversing the xgold626 baseband is welcome to contact me as well.

I'm reachable at: je at, or on my ircd (, port 7000, SSL, nick je).

Hi Joel,

For the XMM6180 radio image (Nexus S), remove the 0x5000 (first bootloader, not really necessary) and load the image at 0x60000000. This could apply to newer basebands as well. Usually, looking at the code in the first bootloader gives a good idea of the loading addresses.
22nd August 2013, 08:35 PM | #28 | E:V:A (OP, Recognized Developer)
For anyone more interested in reversing the baseband of XMM modems, I suggest you first get used to some of their AT commands in the thread: [A][SGS2][Serial] How to talk to the Modem with AT commands

And specifically with the production mode "sequencer" running in pmode_ptest/pmode_normal that is mentioned in post 39.
... I'd like to see further progress on how to use these internal features, and to explain the details of the ATCoP options shown in at@help ...

Why is this interesting? Because there are a lot more XMMs on the horizon!

27th March 2014, 11:53 AM | #29 | E:V:A (OP, Recognized Developer)
PLEASE NOTE: These instructions are for Intel XMM based devices only!

Last night I tried to get some GSM variables out of my I9100 by installing xgoldmon (2b-as), following the README info there. Unfortunately that info is lacking in detail for my I9100, so I can't get anything out of it. What am I missing here? Has anyone got this to work? Please explain.

1) The GT-I9100 is a rooted stock GB 2.3.4. Yes, that is ancient, but you'd be surprised how many such ancient devices are around! I will try to keep my BB-related development on ancient devices until people stop using them. When I say ancient, I refer to the AOS API level. Many AP/BP FW updates remove and patch BB access; this is a way to avoid that. In other cases, access is simplified, e.g. in the later Qualcomm Snapdragon series. We'll always be able to make more fun additions to newer devices once the basics are done.

2) I'm also running this on an ancient but fully updated Cygwin/Windows box.
I have successfully compiled libosmocore, following the instructions there.

This is how you do it:

mkdir osmocom
cd osmocom

git clone git://

cd libosmocore/
autoreconf -i
./configure
make
sudo make install
cd ..
Take note of the pkgconfig installation path. You will need to set this
as the PKG_CONFIG_PATH environment variable in the next step.

Unfortunately, the xgoldmon.git by Tobias Engel has not been updated/patched to fix a GSMTAP (gsmtap.h)
message copy/paste error. Everything still works, but you'll get the wrong message shown in Wireshark.
The bug details can be found HERE.

However, harpreet-s has forked this project and applied the patch,
so we will use his.

git clone git://

cd xgoldmon/
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
make
You will now have an executable called: xgoldmon.exe

So far, so good.

Now the tricky part; the instructions say:


Before running xgoldmon

To enable the logging mode ("diag mode") on the S2, S3 and Note2:
- Go to the Phone application, enter *#9900# and set "Debug Level
  Enabled" to "HIGH". The phone will reboot.
- Go to the Phone application again, enter *#7284# and set "USB" to
  "MODEM" and tap "SAVE and RESET". The phone will reboot again.

The Galaxy Nexus has to be rooted first to activate diag mode! Then:
- In the adb shell, as root, enter:
  echo MODEM > /sys/devices/tuna_otg/usb_sel
- Connect to the first of the serial devices (e.g. /dev/ttyACM0) with
  a terminal emulator and enter

When connecting the phone via USB to the computer, several new
pseudo-tty devices should be created. The one with the second lowest
number should be the logging port. So for example on Linux, if you
have no other ttyACM* devices, it should be /dev/ttyACM1.

xgoldmon tries to set proper serial attributes on the device if the
"-s" option is specified. If that fails, you might have to do that
yourself with something like

  stty 115200 pass8 raw -noflsh -F /dev/ttyACM1

Running xgoldmon


  xgoldmon -t s3 -l /dev/ttyACM1

Full usage:
usage: ./xgoldmon [-t <phone type>] [-l] [-s] [-i <ip address>] [-v] <logfile or device>
  -t: select 's4', 's3', 'gnex', 's2' or 'note2' (default: 's3')
  -l: print baseband log messages
  -s: set proper serial device attributes
  -i: send gsmtap packets to given ip address (default: 'localhost')
  -v: show debugging messages (more than once for more messages)

In some situations, the phone might close the device, causing xgoldmon
to exit. If you want to do some unsupervised logging, it might be a
good idea to put the call to xgoldmon in a loop.

Watching the radio messages in Wireshark

xgoldmon uses libosmocore to send the radio messages in GSMTAP format
( to UDP port 4729 on the local
host. In order to monitor the packets with Wireshark, something has
to listen on that port, e.g.

  nc -u -l 4729

Then, in Wireshark, start a capture on the loopback interface. To see
only the GSMTAP messages, set this filter:


GSM messages will be decoded out of the box in Wireshark. For UMTS/RRC
messages, you need a recent development version of Wireshark (at least
revision 47792), which you most likely will have to build yourself.

If everything works, it should look a bit like the
It contains a screenshot of Wireshark that shows an S3 receiving a
text message while in a call. (Lots of messages filtered out to show
the more relevant messages)

This creates problems for people not using Linux and on older APIs.

For example,

1) On my I9100, there is no "Debug Level Enabled" to set to "HIGH" in the *#9900# menu, but many other options.
2) The phone does not reboot after changing anything in there.
3) There is no "SAVE and RESET" button in the *#7284# menu, and therefore no reboot. But regardless, the phone recognizes the changes when unplugged and plugged in again.
4) When reconnecting the phone, I'm asked for 7 CDC drivers. I remember wrestling with this 2-3 years ago; unfortunately I don't remember if I found the drivers, or hacked them and uninstalled them since, or just abandoned that problem. It is possible it's using Infineon's COMNEON drivers... but I can't seem to find them on my computer at the moment... looking.
5) Thus no new pseudo-TTYs for me to connect to and look at.

I'd very much appreciate if someone can provide a solution or more info on this.


EDIT: 2014-03-27

I have found some more details, but I still have to collect and try...
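The README quoted above leaves the receiving end to `nc -u -l 4729`, which shows nothing about what arrives. The script below is an added example (not part of xgoldmon, libosmocore or this post): it binds UDP 4729 in place of nc and decodes the 16-byte GSMTAP v2 header that libosmocore puts in front of every radio message, so each datagram is printed as a one-line summary (type, channel, direction, ARFCN, frame number, first L3 bytes) while Wireshark captures the same loopback traffic. It assumes the header layout and the GSMTAP_TYPE_*/GSMTAP_CHANNEL_* codes from libosmocore's gsmtap.h (only a subset is listed); the sample datagram at the bottom is constructed here, not captured from a phone.

```python
"""GSMTAP v2 receiver/decoder for the UDP stream xgoldmon sends to port 4729.
Added example, not part of xgoldmon, libosmocore or the original post."""
import socket
import struct
from dataclasses import dataclass

GSMTAP_PORT = 4729           # libosmocore default; Wireshark decodes this UDP port as GSMTAP
GSMTAP_VERSION = 2
GSMTAP_HDR_WORDS = 4         # the 16-byte header, counted in 32-bit words
HDR_FMT = "!BBBBHbbIBBBB"    # network byte order, 16 bytes, no padding

# Subset of GSMTAP_TYPE_* and GSMTAP_CHANNEL_* codes from libosmocore's gsmtap.h
GSMTAP_TYPES = {0x01: "UM", 0x02: "ABIS", 0x03: "UM_BURST", 0x04: "SIM",
                0x0c: "UMTS_RRC", 0x0d: "LTE_RRC"}
GSMTAP_UM_CHANNELS = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH",
                      5: "PCH", 6: "SDCCH", 7: "SDCCH4", 8: "SDCCH8", 9: "TCH_F",
                      10: "TCH_H", 11: "PACCH", 12: "CBCH52", 13: "PDTCH",
                      14: "PTCCH", 15: "CBCH51"}
ARFCN_F_PCS, ARFCN_F_UPLINK, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF

@dataclass
class GsmtapHeader:
    version: int
    hdr_len: int
    msg_type: int
    timeslot: int
    arfcn: int
    uplink: bool
    pcs: bool
    signal_dbm: int
    snr_db: int
    frame_number: int
    sub_type: int

    @property
    def type_name(self):
        return GSMTAP_TYPES.get(self.msg_type, f"type0x{self.msg_type:02x}")

    @property
    def channel_name(self):
        if self.msg_type == 0x01:   # sub_type is a channel code only for Um frames
            return GSMTAP_UM_CHANNELS.get(self.sub_type, str(self.sub_type))
        return str(self.sub_type)

def parse_gsmtap(datagram):
    """Split one UDP datagram into (GsmtapHeader, payload); ValueError on junk input."""
    if len(datagram) < 16:
        raise ValueError("datagram shorter than a GSMTAP header")
    (ver, hdr_len, typ, ts, arfcn_raw, sig, snr, fn,
     sub_type, _ant, _sub_slot, _res) = struct.unpack(HDR_FMT, datagram[:16])
    if ver != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {ver}")
    hdr_bytes = hdr_len * 4       # hdr_len may announce a longer (extended) header
    if hdr_bytes < 16 or hdr_bytes > len(datagram):
        raise ValueError(f"bad hdr_len {hdr_len}")
    hdr = GsmtapHeader(ver, hdr_len, typ, ts, arfcn_raw & ARFCN_MASK,
                       bool(arfcn_raw & ARFCN_F_UPLINK), bool(arfcn_raw & ARFCN_F_PCS),
                       sig, snr, fn, sub_type)
    return hdr, datagram[hdr_bytes:]

def build_gsmtap(typ, sub_type, arfcn, payload, uplink=False, timeslot=0,
                 frame_number=0, signal_dbm=0, snr_db=0):
    """Encode a GSMTAP v2 datagram (inverse of parse_gsmtap); used for sample input."""
    arfcn_raw = (arfcn & ARFCN_MASK) | (ARFCN_F_UPLINK if uplink else 0)
    hdr = struct.pack(HDR_FMT, GSMTAP_VERSION, GSMTAP_HDR_WORDS, typ, timeslot,
                      arfcn_raw, signal_dbm, snr_db, frame_number, sub_type, 0, 0, 0)
    return hdr + payload

def describe(datagram):
    """One summary line per datagram, the way a log would show it."""
    hdr, payload = parse_gsmtap(datagram)
    direction = "UL" if hdr.uplink else "DL"
    return (f"{hdr.type_name} {hdr.channel_name} {direction} arfcn={hdr.arfcn} "
            f"ts={hdr.timeslot} fn={hdr.frame_number} len={len(payload)} "
            f"l3={payload[:4].hex()}")

def listen(host="127.0.0.1", port=GSMTAP_PORT):
    """Stand in for 'nc -u -l 4729': bind the port, decode and print each datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, _ = sock.recvfrom(4096)
            try:
                print(describe(data))
            except ValueError as exc:
                print(f"skipped: {exc}")

# Constructed sample (not a captured frame): a downlink Um/CCCH datagram whose
# 4-byte payload is an invented L3 prefix.
SAMPLE = build_gsmtap(0x01, 2, 61, bytes.fromhex("06210001"), frame_number=1234)

if __name__ == "__main__":
    print(describe(SAMPLE))
    listen()
```

Run it instead of nc while xgoldmon is sending; Wireshark's loopback capture is unaffected because it sniffs the interface rather than owning the socket. The hdr_len check matters because GSMTAP allows headers longer than 16 bytes, and a decoder that assumes a fixed 16-byte offset would misread the L3 payload in that case.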
5th June 2014, 01:50 AM | #30 | harpreet.s (Senior Member)
Comneon driver
Hi EVA, search for the post below on Google and download the CDC driver for Windows from there ( I use Linux for default access to these COM ports without additional drivers.

5th June 2014, 01:16 PM | #31 | E:V:A (OP, Recognized Developer)
Originally Posted by harpreet.sooden

Hi EVA, search for the post below on Google and download the CDC driver for Windows from there ( I use Linux for default access to these COM ports without additional drivers.

Oops, I had almost forgotten about this thread and my last posts. Just to inform everyone, I have gotten xgoldmon working and have made a whole thread about the 7 CDC drivers, installation etc. I meant to publish a write-up about how to connect the Windows network in loopback mode, but just haven't gotten around to it yet. Soon, I hope.

[REF][XMM] Infineon FlashTool & Comneon 7 CDCs Driver