Hello, I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset. I was amazed when I got a U-Boot console after command at+cfun=1,1 and sending several random characters. I assume it's not news for seasoned wolves who hunt here. As a modem rookie I did not find a relevant link to this topic during Google's fast search. My questions. Is this behavior generally known? Can this be a one-piece property (I have only one piece)? Could it be useful for interesting research? Is there anyone who cares about it? I will try to extract parts of the memory using U-boot. Below you find pieces of the listing. Best, Elias # help help ? - alias for 'help' base - print or set address offset bdinfo - print Board Info structure boot - boot default, i.e., run 'bootcmd' bootd - boot default, i.e., run 'bootcmd' bootelf - Boot from an ELF image in memory bootfw - Load and boot FW from ELF image in memory bootm - boot application image from memory bootp - boot image via network using BOOTP/TFTP protocol bootvx - Boot vxWorks from an ELF image chpart - change active partition clocks - print clock configuration cmp - memory compare coninfo - print console devices and information cp - memory copy crc32 - checksum calculation create_bdinfo- Create Board info dhcp - boot image via network using DHCP/TFTP protocol dip - show the Boot mode configuration options echo - echo args to console editenv - edit environment variable env - environment handling commands exit - exit script false - do nothing, unsuccessfully fdt - flattened device tree utility commands fsinfo - print information about filesystems fsload - load binary file from a filesystem image fsloadbsp- load bsp binary files from a filesystem image fstest - testing filesystems go - start application at address '[*]addr' (possibly be indirect address) gpio - input/set/clear/toggle gpio pins help - print command description/usage i2c - I2C sub-system iminfo - print header information for application image imxtract- extract a part of a multi-image initfw - Init FW PLLs itest - return true/false on integer compare kermit_stat- Show statistics of the last Kermit session kermit_stat_print- print kermit statistics at the end of session loadb - load binary file over serial line (kermit mode) loads - load S-Record file over serial line loady - load binary file over serial line (ymodem mode) loop - infinite loop on address range loopw - infinite write loop on address range ls - list files in a directory (default /) md - memory display md5sum - compute MD5 message digest mdc - memory display cyclic mii - MII utility commands mm - memory modify (auto-incrementing address) mtdparts- define flash/nand partitions mtest - simple RAM read/write test mw - memory write (fill) mwc - memory write cyclic nand - NAND sub-system nandotp - NAND OTP sub-system nboot - boot from NAND device nfs - boot image via network using NFS protocol nm - memory modify (constant address) ping - send ICMP ECHO_REQUEST to network host printenv- print environment variables rarpboot- boot image via network using RARP/TFTP protocol reginfo - print register information reset - Perform RESET of the CPU reset_cause- print reset cause run - run commands in an environment variable saveenv - save environment variables to persistent storage setenv - set environment variables show_bdinfo- Show board info showvar - print local hushshell variables sleep - delay execution for some time source - run script from memory test - minimal test like /bin/sh tftpboot- boot image via network using TFTP protocol true - do nothing, successfully unlzo - decopress a lzo memory region unzip - unzip a memory region version - print monitor, compiler and linker version U-Boot 2012.10 (Aug 09 2018 - 10:17:38) mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3 GNU ld (GNU Binutils) 2.21 # baudrate=115200 boot_default=run flash_boot boot_nand_mtd=run nand_choose_rootfs; run flash_set_bootargs; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr} boot_nand_ramfs=run ram_set_bootargs; nboot kernel${boot_number}; bootm boot_number=2 boot_option=boot_default boot_tftp_ramfs=run ram_set_bootargs; ${tftpbootcmd} vmlinux.uboot; bootm ${loadaddr} bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo 'GUESS MODE - NO BOOT ALLOWED !!!'; fi bootdelay=6 bootm_low=0x82100000 bootm_size=0x6000000 cdc_connect_timeout=10 consoledev=ttyS0 dtb_addr=0x84000000 dtb_file=alt3802.dtb dtb_size=0x4000 env_check=if test ${env_saved} = 0; then setenv env_saved 1; saveenv; fi env_configured_size=0x4000 env_saved=1 erase_env_nand=nand erase.part env; nand erase.part backup_env eth_phy_mode=rmii ethact=usb_ether ethaddr=00:E0:0C:00:11:A0 fastboot=setenv loadaddr ${fastboot_loadaddr};run loadfw; if test $? -eq 0; then bootfw ${unziped_fwaddr} 1; fi; run loadotp; if run loadbsp;then run process_fw; fi; fastboot_loadaddr=0x82800000 fdt_high=0x83000000 fdtdbg=no flash_boot=run nand_choose_rootfs; run flash_set_bootargs; run fastboot; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr} flash_set_bootargs=setenv bootargs $ip root=${root} rw rootfstype=jffs2 console=$consoledev,$kernel_baudrate $othbootargs $kernellog gatewayip=0.0.0.0 hostname=alt3800 initrd_high=0x83000000 ipaddr=10.0.0.1 kernel_baudrate=115200 kernel_file=uImage kernellog=quiet load_fw=run load_phy_fw; run load_lte_fw load_lte_fw=${tftpbootcmd} $lte_fw; setenv fw_type LTE; bootelf load_phy_fw=${tftpbootcmd} $phy_fw; setenv fw_type PHY; bootelf loadaddr=0x80100000 loadbsp=chpart nvm; fsloadbsp 1 ${ramFilesShAddr} band_list bandbp file_list bspfilesbp loadfw= nand read.jffs2 ${loadaddr} modem_fw${boot_number}; unlzo ${loadaddr} ${unziped_fwaddr}; loadotp=nandotp read ${ramOtpShAddr} spl 20 lte_fw=PS100_RealPHY.elf mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage) nand128_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage) nand128_scheme2_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),53m(rootfs1),4m(kernel2),256k(dtb2),53m(rootfs2),4m(modem_fw1),4m(modem_fw2) nand256_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),40m(rootfs1),4m(kernel2),256k(dtb2),40m(rootfs2),4m(modem_fw1),4m(modem_fw2),10m(ua),-(tstorage) nand_choose_rootfs=if test 1 = ${boot_number}; then setenv root /dev/mtdblock8;else setenv root /dev/mtdblock11; fi nand_erasesize=20000 nand_oobsize=40 nand_uboot_file=u-boot.bin nand_uboot_spl_file=u-boot-spl.bin.alt3800 nand_writesize=800 nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc nchelp=echo On the host side run the script: ./netconsole $ipaddr $ncinport ncinport=6665 ncip=10.0.0.10 ncmux=run nchelp; setenv stdout ${stdout},nc; setenv stdin ${stdin},nc; setenv stderr ${stderr},nc ncoutport=6665 netdev=eth0 netmask=255.255.0.0 nvm_file=nvm.jffs2.img phy_dbgstreamer=0 phy_fw=Lte.out phy_sniffer=0 preboot=run env_check; if test -n $prebootcmd; then echo; echo Running pre-boot command; run prebootcmd;fi; process_fw=initfw; bootfw ${unziped_fwaddr} 0 ramFilesShAddr=0xA030004c ramOtpShAddr=0xA0300000 ram_set_bootargs=setenv bootargs $ip root=/dev/ram rw console=$consoledev,$kernel_baudrate $othbootargs $kernellog rootfs_file=rootfs.jffs2.img ser=setenv stdin serial;setenv stdout serial;setenv stderr serial serverip=10.0.0.10 set_ip=setenv ip ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off stderr=serial,usbtty stdin=serial,usbtty stdout=serial,usbtty testdramaddress=no testdramcache=yes testdramcount=1 testdramdata=no testdramsize=0x08000000 testdramstart=0x80100000 testdramwalk=no tftpbootcmd=tftpboot toggle_boot_number=if test 1 = ${boot_number}; then set boot_number 2; else set boot_number 1; fi; saveenv unziped_fwaddr=0x83000000 update_all=run update_all_nand update_all_nand=run update_kernel_nand update_dtb_nand update_rootfs_nand update_dtb=run update_dtb_nand update_dtb_nand=if ${tftpbootcmd} ${dtb_file}; then nand erase.part dtb${boot_number}; nand write ${loadaddr} dtb${boot_number} ${filesize}; fi update_kernel=run update_kernel_nand update_kernel_nand=if ${tftpbootcmd} ${kernel_file}; then nand erase.part kernel${boot_number}; nand write ${loadaddr} kernel${boot_number} ${filesize}; fi update_linux=${tftpbootcmd} uImage update_multi_img=run update_multi_img_nand update_multi_img_nand=setenv kernel_file vmlinux.uboot; run update_kernel_nand update_nvm=run update_nvm_nand update_nvm_nand=if ${tftpbootcmd} ${nvm_file}; then nand erase.part nvm; nand write ${loadaddr} nvm ${filesize}; fi update_ramdisk=${tftpbootcmd} $ramdiskaddr ramdisk.gz.uboot update_rootfs=run update_rootfs_nand update_rootfs_nand=if ${tftpbootcmd} ${rootfs_file}; then nand erase.part rootfs${boot_number}; nand write ${loadaddr} rootfs${boot_number} ${filesize}; fi update_uboot=run update_uboot_nand update_uboot_nand=run update_uboot_nand_spl update_uboot_nand_non_spl erase_env_nand update_uboot_nand_non_spl=if ${tftpbootcmd} ${nand_uboot_file}; then nand erase.part uboot1; nand write ${loadaddr} uboot1 ${filesize}; nand erase.part uboot2; nand write ${loadaddr} uboot2 ${filesize}; fi update_uboot_nand_spl=if ${tftpbootcmd} ${nand_uboot_spl_file}; then nand erase.part spl; nand write ${loadaddr} spl ${filesize}; fi usbphymode=0 usbtty=cdc_acm ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38) Environment size: 6184/16379 bytes mtdparts device nand0 <alt3800_nfc>, # parts = 15 #: name size offset mask_flags 0: spl 0x00080000 0x00000000 0 1: uboot1 0x000c0000 0x00080000 0 2: uboot2 0x000c0000 0x00140000 0 3: env 0x00040000 0x00200000 0 4: backup_env 0x00040000 0x00240000 0 5: nvm 0x00300000 0x00280000 0 6: kernel1 0x00300000 0x00580000 0 7: dtb1 0x00040000 0x00880000 0 8: rootfs1 0x02500000 0x008c0000 0 9: kernel2 0x00300000 0x02dc0000 0 10: dtb2 0x00040000 0x030c0000 0 11: rootfs2 0x02500000 0x03100000 0 12: modem_fw1 0x00400000 0x05600000 0 13: modem_fw2 0x00400000 0x05a00000 0 14: tstorage 0x02200000 0x05e00000 0 active partition: nand0,0 - (spl) 0x00080000 @ 0x00000000 defaults: mtdids : nand0=alt3800_nfc mtdparts: uninitialized

I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset.

I was amazed when I got a U-Boot console after command at+cfun=1,1 and sending several random characters. I assume it's not news for seasoned wolves who hunt here.

Is this behavior generally known?

Can this be a one-piece property (I have only one piece)?

Could it be useful for interesting research?

Is there anyone who cares about it?

I will try to extract parts of the memory using U-boot.

U-Boot 2012.10 (Aug 09 2018 - 10:17:38) mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3

'GUESS MODE - NO BOOT ALLOWED !!!'; fi

dtb_file=alt3802.dtb

lte_fw=PS100_RealPHY.elf

ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38)