USB layout changes using DMS 0x5556 in HP lt4210

Bjørn Mork bjorn at mork.no
Thu Jan 12 11:54:21 UTC 2017


Aleksander Morgado <aleksander at aleksander.es> writes:

> Hey everyone,
>
> I recently got a HP lt4120 in order to play with the fastboot-based
> firmware download process. By default the modem boots with VID:PID
> 03f0:9d1d and a USB layout with 3 different configurations:
>
> Conf 0:
>   * iface 0: ??

Did you test this and the other unknown interfaces with two bulk
endpoints for QCDM?  It's pretty common for Qualcomm devices to have
that as interface 0.

>   * iface 1: QMI
>   * iface 2: (ff/00/00) serial
>   * iface 3: (ff/00/00) serial
>   * iface 4: (ff/00/00) serial

Do all the serial functions provide an AT command interface?

> Conf 1:
>   * ifaces 0/1: ECM
> Conf 2:
>   * ifaces 0/1: MBIM
>   * iface 2: ??

This unknown interface puzzles me.  There aren't that many function
types where a single interrupt endpoint is enough.  That would typically
mean a low speed function running over control requests, just needing an
interrupt endpoint to signal the host that more data is available.  Such
as e.g. CDC WDM.

Need to go looking for the Windows drivers, I guess.

> Right now the kernel switches automatically to configuration #2, but
> the next usb_modeswitch release will come with support for
> automatically switching the device to configuration #3 (as MBIM will
> be preferred by usb_modeswitch by default).
>
> Back to the firmware download, the fastboot mode is requested using
> the DMS 0x5556 command that we have in our DB as "Change Device
> Download Mode". This command was snooped by Alexander Borovsky, see
> https://github.com/borovsky/x5-snapdragon-linux.
>
> We pass the 0x01 TLV to this command with an integer number; the magic
> integer to get the fastboot mode is 5, so I just ended up playing with
> other numbers to see what happens :)
>
> Note that the --device-open-mbim option would only be needed if the
> cdc-wdm is MBIM.
>
> Also, I'm attaching the lsusbs I got in the different steps.
>
> I also prepared some qmi_wwan and qcserial patches that I'll send to
> the LKML once I test a bit more.
>
> Finally, note that the 0x5556 command is also implemented in Sierra,
> but as Bjørn found out some time ago it just returns several firmware
> version strings, regardless of the "mode" parameter given.

I seem to recall that we have seen similar things before? The Sierra
variant could be simply a dummy response, to support generic firmware
tools which would otherwise bail out.

> I have no idea why but in this mode the modem ends up power cycling
> itself several times:

Probably the firmware crashing because you set a mode it was never
tested with.

> And luckily, after some reboots it'll go back to the original mode
> with 3 configurations.

Yes, lucky.  I assume that is a bootloader failsafe mechanism kicking
in. We've all been rescued by that.

And then there are those bootloaders which don't have any such thing.
The Huawei E392 for example.  Killed one "permanently" by making it boot
loop.  That is: It could probably still have been saved by someone with
skills.  Letting me take it apart was the final deathblow.

> MODE 5:
> Changes VID:PID to 03f0:9f1d and switches to FASTBOOT mode.
>
> $ sudo qmicli -d /dev/cdc-wdm2 --dms-change-device-download-mode=5
> --device-open-mbim
> (changes right away)
>
> $ sudo fastboot devices
> MDM9625 fastboot
>
> If we don't do any fastboot operation, plugging and replugging takes
> us to the last mode we had.

So there is no timeout, like in the Sierra bootloader?

>
> =======================================
> MODE 6:
>
> Changes VID:PID to 03f0:9e1d (same one we had in mode 4) and ends up
> with a USB layout with one single interface.
>
> $ sudo qmicli -d /dev/cdc-wdm2 --dms-change-device-download-mode=6
> --device-open-mbim
> (changes right away)
>
>   * iface 0:   ??

This also looks like a serial function of some sort. Maybe one of the
assorted Qualcomm serial protocols used by bootloaders?  SAHARA maybe?

Could be a debugger mode, allowing ramdumps etc.


Bjørn
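
The endpoint-based reasoning in the reply above (two bulk endpoints suggesting a serial function such as QCDM, a lone interrupt endpoint suggesting a control-request function such as CDC WDM) can be applied mechanically to `lsusb -v` output. This is an added example, not code from the thread or from libqmi; the sample descriptor text is constructed, and the function names and the third rule (interrupt plus two bulk) are assumptions.

```python
import re

# Constructed excerpt in `lsusb -v` field layout; NOT taken from the attached dumps.
SAMPLE = """\
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      Endpoint Descriptor:
          Transfer Type            Bulk
      Endpoint Descriptor:
          Transfer Type            Bulk
    Interface Descriptor:
      bInterfaceNumber        2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      Endpoint Descriptor:
          Transfer Type            Interrupt
"""
FIELD = re.compile(r"^\s*(bInterface(?:Number|Class|SubClass|Protocol))\s+(\d+)")
XFER = re.compile(r"^\s*Transfer Type\s+(\w+)")
TRIPLE = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def parse_interfaces(text):
    """Return one dict per Interface Descriptor: numeric fields + endpoint types."""
    ifaces = []
    for line in text.splitlines():
        if line.strip() == "Interface Descriptor:":
            ifaces.append({"eps": []})
        elif ifaces and (m := FIELD.match(line)):
            ifaces[-1][m.group(1)] = int(m.group(2))
        elif ifaces and (m := XFER.match(line)):
            ifaces[-1]["eps"].append(m.group(1).lower())
    return ifaces

def guess(iface):
    """Heuristic label; rules 1-2 follow the reply above, rule 3 is an assumption."""
    triple = tuple(iface.get(k, 0) for k in TRIPLE)
    eps = sorted(iface["eps"])
    if eps == ["interrupt"]:
        return "control-request function, e.g. CDC WDM"
    if triple == (255, 0, 0) and eps == ["bulk", "bulk"]:
        return "vendor serial: candidate for QCDM, AT or a bootloader protocol"
    if triple[0] == 255 and eps == ["bulk", "bulk", "interrupt"]:
        return "vendor function with notification endpoint (QMI or serial)"
    return "unclassified"
```

The labels are only a starting point for probing; the class triple and endpoint set do not identify the protocol actually spoken on an interface.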

