USB layout changes using DMS 0x5556 in HP lt4210

Aleksander Morgado aleksander at aleksander.es
Thu Jan 12 13:02:38 UTC 2017


Hey,

>>
>> I recently got a HP lt4120 in order to play with the fastboot-based
>> firmware download process. By default the modem boots with VID:PID
>> 03f0:9d1d and a USB layout with 3 different configurations:
>>
>> Conf 0:
>>   * iface 0: ??
>
> Did you test this and the other unknown interfaces with two bulk
> endpoints for QCDM?  It's pretty common for Qualcomm devices to have
> that as interface 0.
>

Yes, this looks like DIAG for all modes.

>>   * iface 1: QMI
>>   * iface 2: (ff/00/00) serial
>>   * iface 3: (ff/00/00) serial
>>   * iface 4: (ff/00/00) serial
>
> Do all the serial functions provide an AT command interface?
>

Actually no. I'm going to base my patch for the kernel on the
interfaces listed by the windows drivers only.

>> Conf 1:
>>   * ifaces 0/1: ECM
>> Conf 2:
>>   * ifaces 0/1: MBIM
>>   * iface 2: ??
>
> This unknown interface puzzles me.  There aren't that many function
> types where a single interrupt endpoint is enough.  That would typically
> mean a low speed function running over control requests, just needing an
> interrupt endpoint to signal the host that more data is available.  Such
> as e.g. CDC WDM.
>
> Need to go looking for the Windows drivers, I guess.
>

Didn't find anything about that in the drivers, or maybe I didn't look
well enough.

>> Right now the kernel switches automatically to configuration #2, but
>> the next usb_modeswitch release will come with support for
>> automatically switching the device to configuration #3 (as MBIM will
>> be preferred by usb_modeswitch by default).
>>
>> Back to the firmware download, the fastboot mode is requested using
>> the DMS 0x5556 command that we have in our DB as "Change Device
>> Download Mode". This command was snooped by Alexander Borovsky, see
>> https://github.com/borovsky/x5-snapdragon-linux.
>>
>> We pass the 0x01 TLV to this command with an integer number; the magic
>> integer to get the fastboot mode is 5, so I just ended up playing with
>> other numbers to see what happens :)
>>
>> Note that the --device-open-mbim option would only be needed if the
>> cdc-wdm is MBIM.
>>
>> Also, I'm attaching the lsusbs I got in the different steps.
>>
>> I also prepared some qmi_wwan and qcserial patches that I'll send to
>> the LKML once I test a bit more.
>>
>> Finally, note that the 0x5556 command is also implemented in Sierra,
>> but as Bjørn found out some time ago it just returns several firmware
>> version strings, regardless of the "mode" parameter given.
>
> I seem to recall that we have seen similar things before? The Sierra
> variant could be simply a dummy response, to support generic firmware
> tools which would otherwise bail out.
>

Worth testing the same command with other vendors and see what happens.

>> I have no idea why but in this mode the modem ends up power cycling
>> itself several times:
>
> Probably the firmware crashing because you set a mode it was never
> tested with.
>
>> And luckily, after some reboots it'll go back to the original mode
>> with 3 configurations.
>
> Yes, lucky.  I assume that is a bootloader failsafe mechanism kicking
> in. We've all been rescued by that.
>

Yeah :) I was a bit afraid when it didn't work until suddenly I got
back my MBIM interface, very lucky.

> And then there are those bootloaders which don't have any such thing.
> The Huawei E392 for example.  Killed one "permanently" by making it boot
> loop.  That is: It could probably still have been saved by someone with
> skills.  Letting me take it apart was the final deathblow.
>
>> MODE 5:
>> Changes VID:PID to 03f0:9f1d and switches to FASTBOOT mode.
>>
>> $ sudo qmicli -d /dev/cdc-wdm2 --dms-change-device-download-mode=5
>> --device-open-mbim
>> (changes right away)
>>
>> $ sudo fastboot devices
>> MDM9625 fastboot
>>
>> If we don't do any fastboot operation, plugging and replugging takes
>> us to the last mode we had.
>
> So there is no timeout, like in the Sierra bootloader?
>

Doesn't seem like there's one, although I may not have waited enough.

>>
>> =======================================
>> MODE 6:
>>
>> Changes VID:PID to 03f0:9e1d (same one we had in mode 4) and ends up
>> with a USB layout with one single interface.
>>
>> $ sudo qmicli -d /dev/cdc-wdm2 --dms-change-device-download-mode=6
>> --device-open-mbim
>> (changes right away)
>>
>>   * iface 0:   ??
>
> This also looks like a serial function of some sort. Maybe one of the
> assorted Qualcomm serial protocols used by bootloaders?  SAHARA maybe?
>
> Could be a debugger mode, allowing ramdumps etc.
>

According to windows drivers, 9e1d iface 0 is DIAG as well, so that
would apply in this mode I suppose.

-- 
Aleksander
https://aleksander.es
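Added example, not code from this thread or from libqmi: what qmicli puts on the wire for the command discussed above. It builds the QMUX frame carrying a DMS (service 0x02) request for message 0x5556 with the 0x01 "mode" TLV, and decodes a response frame back into its TLVs, including the standard 0x02 result TLV. Assumptions: the DMS client ID has already been allocated through the CTL service (qmicli does this for you), the mode TLV is a single unsigned byte (the mail only says "integer number"), and the frame is written to a raw QMI cdc-wdm port rather than an MBIM one (the --device-open-mbim case wraps QMI inside MBIM and is not covered). The sample response is constructed, not captured from a modem. As the thread shows, untested mode values can leave the modem power cycling, so this is only for ports you can afford to brick.

```python
"""Encode/decode QMI DMS 0x5556 "Change Device Download Mode" over QMUX framing."""
import struct

QMUX_MARKER = 0x01
QMUX_FROM_CONTROL_POINT = 0x00   # host -> modem
QMUX_FROM_SERVICE = 0x80         # modem -> host
QMI_SERVICE_DMS = 0x02
QMI_DMS_CHANGE_DEVICE_DOWNLOAD_MODE = 0x5556
TLV_MODE = 0x01      # input TLV: the "mode" integer (5 = fastboot on the lt4120)
TLV_RESULT = 0x02    # standard result TLV carried by every QMI response
FLAG_REQUEST, FLAG_RESPONSE, FLAG_INDICATION = 0x00, 0x02, 0x04


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV = 1-byte type, 2-byte little-endian length, value."""
    return struct.pack("<BH", tlv_type, len(value)) + value


def build_qmi_message(service: int, client_id: int, flags: int, transaction_id: int,
                      message_id: int, tlvs: bytes,
                      qmux_flags: int = QMUX_FROM_CONTROL_POINT) -> bytes:
    # SDU for non-CTL services: control flags (1), transaction ID (2),
    # message ID (2), total TLV length (2), then the TLVs.
    sdu = struct.pack("<BHHH", flags, transaction_id, message_id, len(tlvs)) + tlvs
    # QMUX header: length counts every byte after the 0x01 marker
    # (the 5 header bytes plus the SDU), then flags, service, client ID.
    qmux = struct.pack("<HBBB", 5 + len(sdu), qmux_flags, service, client_id)
    return bytes([QMUX_MARKER]) + qmux + sdu


def build_dms_change_download_mode(client_id: int, transaction_id: int, mode: int) -> bytes:
    """Frame for DMS 0x5556 with TLV 0x01 = mode, ready to write() to /dev/cdc-wdmN."""
    if not 0 <= mode <= 0xFF:
        raise ValueError("mode must fit in one byte")
    # ASSUMPTION: the mode TLV is one unsigned byte; the mail only calls it an integer.
    return build_qmi_message(QMI_SERVICE_DMS, client_id, FLAG_REQUEST, transaction_id,
                             QMI_DMS_CHANGE_DEVICE_DOWNLOAD_MODE,
                             encode_tlv(TLV_MODE, bytes([mode])))


def parse_qmi_message(frame: bytes) -> dict:
    """Split a QMUX frame into header fields and a {tlv_type: value} map, checking lengths."""
    if len(frame) < 13 or frame[0] != QMUX_MARKER:
        raise ValueError("not a QMUX frame")
    length, qmux_flags, service, client_id = struct.unpack_from("<HBBB", frame, 1)
    if length + 1 != len(frame):
        raise ValueError("QMUX length does not match frame size")
    flags, transaction_id, message_id, tlv_len = struct.unpack_from("<BHHH", frame, 6)
    body = frame[13:]
    if tlv_len != len(body):
        raise ValueError("TLV length field does not match payload")
    tlvs, off = {}, 0
    while off < len(body):
        if off + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_size = struct.unpack_from("<BH", body, off)
        off += 3
        if off + tlv_size > len(body):
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = body[off:off + tlv_size]
        off += tlv_size
    return {"qmux_flags": qmux_flags, "service": service, "client_id": client_id,
            "flags": flags, "transaction_id": transaction_id,
            "message_id": message_id, "tlvs": tlvs}


def response_result(msg: dict) -> tuple:
    """(ok, error_code) from the standard result TLV: result(2) == 0 means success."""
    if msg["flags"] != FLAG_RESPONSE or TLV_RESULT not in msg["tlvs"]:
        raise ValueError("not a QMI response carrying a result TLV")
    result, error = struct.unpack("<HH", msg["tlvs"][TLV_RESULT][:4])
    return result == 0, error


# Constructed sample response (not captured from a device): success for transaction 1
# on client ID 1, as the modem would answer the mode-5 request.
SAMPLE_RESPONSE = build_qmi_message(QMI_SERVICE_DMS, 1, FLAG_RESPONSE, 1,
                                    QMI_DMS_CHANGE_DEVICE_DOWNLOAD_MODE,
                                    encode_tlv(TLV_RESULT, struct.pack("<HH", 0, 0)),
                                    qmux_flags=QMUX_FROM_SERVICE)

if __name__ == "__main__":
    print(build_dms_change_download_mode(client_id=1, transaction_id=1, mode=5).hex())
    print(parse_qmi_message(SAMPLE_RESPONSE), response_result(parse_qmi_message(SAMPLE_RESPONSE)))
```

The length checks in parse_qmi_message matter more than they look: the QMUX length, the SDU TLV length and each TLV's own length all describe the same bytes, and a modem (or a fuzzer) can make them disagree, so every one is verified before a slice is taken.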