EM7565 firmware updates
Aleksander Morgado
aleksander at aleksander.es
Mon Jun 24 21:03:59 UTC 2019
Hey,
> >> AFAIK MC7xxx_Image_Management is actually an older application which
> >> may not have been updated for the EM7565 (yet). Could you please retry
> >> with the Firmware_Download sample application from version 04.00.12 of
> >> the Linux QMI SDK and see if you get any further?
> >
> > Yes, I will.
> >
> > But AFAICS, both these applications simply defer everything interesting
> > to the "magic" in UpgradeFirmware2k(). Which is part of the binary only
> > library. That's why we have to guess what they do based on USB snooping,
> > and why we might as well use the Windows application as guide.
>
> I got my hands on a Windows7 laptop and captured a successful firmware
> update there (81M file):
> https://get.ze.mork.no/em7565-win7-firmware-upgrade.pcap
>
Months late, but I also went through that capture file. Thanks Bjørn,
because it really was a very nice thing to have as reference.
My notes regarding the firehose protocol are basically the same as
yours, but I also added additional info about the QMI setup before
getting into sahara/firehose mode.
***********************
QMI
packet #2041: HOST->DEVICE: DMS Get Firmware Preference request
packet #2055: DEVICE->HOST: DMS Get Firmware Preference response
TLV 0x01 (image list)
* image: modem (0), unique id "001.015_000", build id "01.02.01.00_GENERIC"
* image: pri (1), unique id "001.015_000", build id "01.02.01.00_GENERIC"
packet #2048: HOST->DEVICE: DMS 0x557A request
packet #2052: DEVICE->HOST: DMS 0x557A response
TLV 0x02 value 0 (response ok)
TLV 0x01 (image list with additional unknown fields)
* image: modem (0), <04 ff 01 01 00>, unique id "?_?", build id "01.00.02.00_?", <03 01 00 00>
* image: pri (1), <32 ff 01 ff ff>, unique id "001.012_000", build id "01.00.02.00_GENERIC", <03 00 00 00>
packet #2055: HOST->DEVICE: DMS Set Firmware Preference request
TLV 0x01 (image list)
* image: modem (0), unique id "?_?", build id "01.02.01.00_?"
* image: pri (1), unique id "001.015_000", build id "01.02.01.00_GENERIC"
packet #2059: DEVICE->HOST: DMS Set Firmware Preference response
TLV 0x02 value 0 (response ok)
TLV 0x01 image download list: modem (0) and pri (1)
packet #2062: HOST->DEVICE: DMS Set Operating Mode request
TLV 0x01: Offline (0x3)
packet #2066: DEVICE->HOST: DMS Set Operating Mode response
TLV 0x02 value 0 (response ok)
packet #2069: HOST->DEVICE: DMS Set Operating Mode
TLV 0x01: Reset (0x4)
packet #2073: DEVICE->HOST: DMS Set Operating Mode response
TLV 0x02 value 0 (response ok)
packet #2076: HOST->DEVICE: DMS Get Firmware Preference request
packet #2080: DEVICE->HOST:
0000 01 10 00 80 02 01 04 01 00 01 00 04 00 14 01 00 ................
0010 04 .
packet #2084: DEVICE->HOST:
0000 01 10 00 80 02 01 04 02 00 01 00 04 00 14 01 00 ................
0010 03 .
packet #2088: DEVICE->HOST: DMS Get Firmware Preference response
TLV 0x01 (image list)
* image: modem (0), unique id "001.015_000", build id "01.02.01.00_GENERIC"
* image: pri (1), unique id "001.015_000", build id "01.02.01.00_GENERIC"
packet #2091: HOST->DEVICE: DMS Get Firmware Preference request
packet #2095: DEVICE->HOST: DMS Get Firmware Preference response
TLV 0x01 (image list)
* image: modem (0), unique id "001.015_000", build id "01.02.01.00_GENERIC"
* image: pri (1), unique id "001.015_000", build id "01.02.01.00_GENERIC"
packet #2098: HOST->DEVICE: DMS Get Firmware Preference request
***********************
SAHARA
packet #2120: DEVICE->HOST: SAHARA hello request (0x01)
version: 2
compatible: 1
max len: 1024
mode: 2 (memory debug)
reserved: 0 (x24)
packet #2121: HOST->DEVICE: SAHARA hello response (0x02)
version: 2
compatible: 1
status: 0 (success)
mode: 3 (command)
reserved: 0 (x24)
packet #2122: DEVICE->HOST: SAHARA command ready (0x0b)
packet #2123: HOST->DEVICE: SAHARA command execute request (0x0d)
execute cmd: 0x0000ff00 (switch to firehose)
packet #2124: DEVICE->HOST: SAHARA command execute response (0x0e)
executed cmd: 0x0000ff00 (switch to firehose)
expected data length: 9
packet #2125: HOST->DEVICE: SAHARA command execute data request (0x0f)
executed cmd: 0x0000ff00 (switch to firehose)
// indicates that we're now ready to receive those 9 bytes in the expected data length
packet #2126: DEVICE->HOST: <data>
"confirmed" <- 9 bytes
***********************
FIREHOSE
packet #2127: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Binary build date: Sep 29 2017 @ 05:58:36"/>
</data>
packet #2128: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Supported Functions: program configure power benchmark
read getstorageinfo erase nop "/>
</data>
packet #2129: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI supported functions: CWE"/>
</data>
packet #2130: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<NOP value="ping" />
</data>
packet #2131: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Binary build date: Sep 29 2017 @ 05:58:36
"/>
</data>
packet #2132: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="fh.attrs.Verbose is set to 0"/>
</data>
packet #2133: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Supported Functions: program configure power benchmark
read getstorageinfo erase nop "/>
</data>
packet #2134: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI supported functions: CWE"/>
</data>
packet #2135: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" />
</data>
packet #2136: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<configure MemoryName="eMMC" Verbose="0" AlwaysValidate="0"
MaxDigestTableSizeInBytes="8192"
MaxPayloadSizeToTargetInBytes="1048576" ZlpAwareHost="1"
SkipStorageInit="0" TargetName="8960" />
</data>
packet #2137: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" MemoryName="NAND"
MaxPayloadSizeFromTargetInBytes="2048"
MaxPayloadSizeToTargetInBytes="8192"
MaxPayloadSizeToTargetInBytesSupported="8192" TargetName="9x55" />
</data>
packet #2138: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<getStorageInfo physical_partition_number="0" />
</data>
packet #2139: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="[FLASH_INFO]"/>
</data>
packet #2140: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value=";This section provides flash info"/>
</data>
packet #2141: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="FLASH_NAME=MT29F4G08ABBEA3W "/>
</data>
packet #2142: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SECTOR_SIZE_IN_BYTES = 4096"/>
</data>
packet #2143: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="NUM_PARTITION_SECTORS = 131072"/>
</data>
packet #2144: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="num_physical_partitions = 1"/>
</data>
packet #2145: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="TOTAL_SECTOR_SIZE_IN_BYTES= 4320"/>
</data>
packet #2146: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="PAGES_IN_BLOCK = 64"/>
</data>
packet #2147: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="CONFIGURATION SELECTION FOR THIS DEVICE: BLOCKSIZE:256KB
and PAGESIZE:4KB"/>
</data>
packet #2148: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="
"/>
</data>
packet #2149: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="[BAD_BLOCK_LIST]"/>
</data>
packet #2150: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value=";This section provides bad block list"/>
</data>
packet #2151: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="TOTAL_BAD_BLOCK=0"/>
</data>
packet #2152: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" />
</data>
packet #2153: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<program PAGES_PER_BLOCK="64" SECTOR_SIZE_IN_BYTES="4096"
filename="spkg.cwe" num_partition_sectors="20339"
physical_partition_number="0" start_sector="-1" />
</data>
packet #2154: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INSIDE HANDLE PROGRAM"/>
</data>
packet #2155: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="start_sector 0, last_sector_address 20339"/>
</data>
packet #2156: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI program command for CWE image spkg.cwe"/>
</data>
packet #2157: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" rawmode="true" />
</data>
packet #2158: HOST->DEVICE:
<8192 bytes of data>
packet #2159: HOST->DEVICE:
ZLP
packet #2160: HOST->DEVICE:
<8192 bytes of data>
packet #2161: HOST->DEVICE:
ZLP
........
packet #22496: HOST->DEVICE:
<4096 bytes of data>
This is the last packet, after having sent 20339*4096 bytes.
Minimum data size is one full sector, so the last packet contains the
last bytes of the file, padded up to 4096 bytes.
packet #22497: HOST->DEVICE:
ZLP
packet #22498: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Finished sector address 0"/>
</data>
packet #22499: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image received"/>
</data>
packet #22500: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22501: DEVICE->HOST // 17s later
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22502: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22502: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22503: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22504: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22505: DEVICE->HOST // 52s later
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22506: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22507: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22508: DEVICE->HOST // 43s later
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22509: DEVICE->HOST // 6s later
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22510: DEVICE->HOST
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processed ..."/>
</data>
packet #22511: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" rawmode="false" />
</data>
packet #22512: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<configure MemoryName="eMMC" Verbose="0" AlwaysValidate="0"
MaxDigestTableSizeInBytes="8192" MaxPayloadSizeToTargetInBytes="8192"
ZlpAwareHost="1" SkipStorageInit="0" TargetName="8960" />
</data>
packet #22513: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" MemoryName="NAND"
MaxPayloadSizeFromTargetInBytes="2048"
MaxPayloadSizeToTargetInBytes="8192"
MaxPayloadSizeToTargetInBytesSupported="8192" TargetName="9x55" />
</data>
packet #22514: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<getStorageInfo physical_partition_number="0" />
</data>
packet #22515: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="[FLASH_INFO]"/>
</data>
packet #22516: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value=";This section provides flash info"/>
</data>
packet #22517: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="FLASH_NAME=MT29F4G08ABBEA3W "/>
</data>
packet #22518: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SECTOR_SIZE_IN_BYTES = 4096"/>
</data>
packet #22519: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="NUM_PARTITION_SECTORS = 131072"/>
</data>
packet #22520: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="num_physical_partitions = 1"/>
</data>
packet #22521: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="TOTAL_SECTOR_SIZE_IN_BYTES= 4320"/>
</data>
packet #22522: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="PAGES_IN_BLOCK = 64"/>
</data>
packet #22523: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="CONFIGURATION SELECTION FOR THIS DEVICE: BLOCKSIZE:256KB
and PAGESIZE:4KB"/>
</data>
packet #22524: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="
"/>
</data>
packet #22525: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="[BAD_BLOCK_LIST]"/>
</data>
packet #22526: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value=";This section provides bad block list"/>
</data>
packet #22527: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="TOTAL_BAD_BLOCK=0"/>
</data>
packet #22528: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" />
</data>
packet #22529: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<program PAGES_PER_BLOCK="64" SECTOR_SIZE_IN_BYTES="4096"
filename="spkg.cwe" num_partition_sectors="1"
physical_partition_number="0" start_sector="-1" />
</data>
packet #22530: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INSIDE HANDLE PROGRAM"/>
</data>
packet #22531: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="start_sector 0, last_sector_address 1"/>
</data>
packet #22532: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI program command for CWE image spkg.cwe"/>
</data>
packet #22533: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" rawmode="true" />
</data>
packet #22534: HOST->DEVICE:
<4096 bytes of data>
packet #22535: HOST->DEVICE:
ZLP
packet #22536: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Finished sector address 0"/>
</data>
packet #22537: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image received"/>
</data>
packet #22538: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processing ..."/>
</data>
packet #22539: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="SWI CWE image processed OK"/>
</data>
packet #22540: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" rawmode="false" />
</data>
packet #22541: HOST->DEVICE:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<power DelayInSeconds="0" value="reset" />
</data>
packet #22542: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Inside handlePower() - Requested POWER_RESET"/>
</data>
packet #22543: DEVICE->HOST:
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" />
</data>
--
Aleksander
https://aleksander.es
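
The Sahara exchange from the notes above, written out as host-side message handling. This is an added example, not code from the post or from libqmi. It assumes little-endian 32-bit fields in the order the notes list them behind an 8-byte command/length header; the function names and `MAX_EXEC_DATA` are hypothetical.

```python
import struct

# Command ids, modes and the 0xff00 client command are the values from the notes.
# Assumed wire layout: little-endian 32-bit words, header = command id + total length.
HELLO_REQ, HELLO_RSP, CMD_READY = 0x01, 0x02, 0x0B
EXEC_REQ, EXEC_RSP, EXEC_DATA = 0x0D, 0x0E, 0x0F
SWITCH_TO_FIREHOSE, MODE_COMMAND = 0x0000FF00, 3
MAX_EXEC_DATA = 64  # hypothetical host-side cap on "expected data length"

def parse(msg: bytes):
    """Return (command, payload words); reject a length field that lies."""
    if len(msg) < 8 or len(msg) % 4:
        raise ValueError("truncated or unaligned Sahara message")
    cmd, length = struct.unpack_from("<II", msg)
    if length != len(msg):
        raise ValueError(f"length field {length} != {len(msg)} bytes received")
    return cmd, struct.unpack(f"<{(length - 8) // 4}I", msg[8:])

def hello_response(hello: bytes) -> bytes:
    cmd, words = parse(hello)
    if cmd != HELLO_REQ or len(words) != 10:
        raise ValueError("expected a 48-byte hello request")
    version, compatible = words[:2]
    # status 0 (success), mode 3 (command), then the 24 reserved zero bytes
    return struct.pack("<6I24x", HELLO_RSP, 48, version, compatible, 0, MODE_COMMAND)

def execute_request(ready: bytes) -> bytes:
    if parse(ready) != (CMD_READY, ()):
        raise ValueError("expected command ready")
    return struct.pack("<3I", EXEC_REQ, 12, SWITCH_TO_FIREHOSE)

def execute_data_request(rsp: bytes):
    cmd, words = parse(rsp)
    if cmd != EXEC_RSP or len(words) != 2 or words[0] != SWITCH_TO_FIREHOSE:
        raise ValueError("unexpected execute response")
    if not 0 < words[1] <= MAX_EXEC_DATA:
        raise ValueError("device announced an implausible data length")
    return struct.pack("<3I", EXEC_DATA, 12, SWITCH_TO_FIREHOSE), words[1]

def switched(data: bytes, expected: int) -> bool:
    return len(data) == expected and data == b"confirmed"

# Constructed device messages carrying the field values listed in the notes.
DEV_HELLO = struct.pack("<6I24x", HELLO_REQ, 48, 2, 1, 1024, 2)
DEV_READY = struct.pack("<2I", CMD_READY, 8)
DEV_EXEC_RSP = struct.pack("<4I", EXEC_RSP, 16, SWITCH_TO_FIREHOSE, 9)
```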
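
An added example (not from the post or from libqmi) that follows the Firehose part of the notes: it takes the raw payload size from the device's reply to `<configure>`, reads the sector size from the `<getStorageInfo>` logs, and reproduces the raw packet sizes seen in the capture. The function names, the DTD rejection and the partition-size check are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

def child(msg: bytes) -> ET.Element:
    """Parse one device message and return the single element inside <data>."""
    if b"<!DOCTYPE" in msg or b"<!ENTITY" in msg:
        raise ValueError("unexpected DTD in device message")
    root = ET.fromstring(msg)
    if root.tag != "data" or len(root) != 1:
        raise ValueError("expected <data> with exactly one child")
    return root[0]

def payload_size(requested: int, configure_rsp: bytes) -> int:
    """Size to use for raw packets after an ACK or NAK to <configure>."""
    rsp = child(configure_rsp)
    if rsp.tag != "response" or rsp.get("value") not in ("ACK", "NAK"):
        raise ValueError("not a configure response")
    supported = int(rsp.get("MaxPayloadSizeToTargetInBytesSupported", "0"))
    if supported <= 0:
        raise ValueError("device did not report a usable payload size")
    return min(requested, supported)

def storage_info(logs) -> dict:
    """Collect the KEY=value lines the device logs after <getStorageInfo>."""
    info = {}
    for msg in logs:
        el = child(msg)
        key, sep, val = el.get("value", "").partition("=")
        if el.tag == "log" and sep:
            info[key.strip()] = val.strip()
    return info

def plan_program(file_size: int, payload: int, info: dict):
    """Return (num_partition_sectors, raw packet sizes); the tail is padded to a sector."""
    sector = int(info["SECTOR_SIZE_IN_BYTES"])
    if file_size <= 0 or sector <= 0 or payload < sector or payload % sector:
        raise ValueError("inconsistent sizes")
    sectors = -(-file_size // sector)  # round up to whole sectors
    if sectors > int(info["NUM_PARTITION_SECTORS"]):  # assumed host-side sanity check
        raise ValueError("image does not fit the reported partition")
    total = sectors * sector
    return sectors, [min(payload, total - off) for off in range(0, total, payload)]

# Device messages taken from the capture notes (the NAK is abridged).
HDR = b'<?xml version="1.0" encoding="UTF-8" ?>\n<data>\n'
NAK = HDR + (b'<response value="NAK" MemoryName="NAND" MaxPayloadSizeToTargetInBytes="8192" '
             b'MaxPayloadSizeToTargetInBytesSupported="8192" TargetName="9x55" />\n</data>')
LOGS = [HDR + b'<log value="%s"/>\n</data>' % v for v in
        (b"[FLASH_INFO]", b"SECTOR_SIZE_IN_BYTES = 4096", b"NUM_PARTITION_SECTORS = 131072")]
```

For any file that needs 20339 sectors, the plan is 10169 packets of 8192 bytes followed by one of 4096 bytes; with a ZLP after each, that places the last data packet at #22496 when the first is #2158, as in the capture.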