This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/qc-linux-modems@lists.osmocom.org/.
Elias Devoldere eldevoldere at gmail.comHello, This is a python script to download flash memory content. import serial import time import re dev_name = '/dev/ttyACM0' scoop_size = 0x80 def xmit(data, xtimeout=0.1): response = b'' try: with serial.Serial(dev_name, timeout=xtimeout) as ser: ser.write(data.encode()) while True: response_tmp = ser.read(1024) response += response_tmp if not len(response_tmp) == 1024: break except (OSError, FileNotFoundError, serial.serialutil.SerialException) as e: print('IO exception') time.sleep(2) return response.decode('utf-8') def send_at(at_cmd): at_cmd += '\r' return xmit(at_cmd, xtimeout=1.0) def get_mtd_table(): response = xmit('mtd\r') start = response.find('#:') if start < 0: return '' line_idx = 0 output = [] for line in response[start:].split('\n\r'): if len(line) < 2: break if line.find('#') >= 0: continue rows = line.split() row_idx = 0 row_dict ={} row_names = ["idx", "name", "size", "offset", "flags"] for row in rows: if row_idx == 0: row = re.sub('\:$', '', row) row_dict[row_names[row_idx]] = row row_idx += 1 output.append(row_dict) line_idx += 1 return output def dump_part(record): part_size = int(record['size'], 16) name = record['name'] fd = open(name, 'wb') response = xmit('nand read ${loadaddr} ' + name + '\r') print(response) response = xmit('md.l ${loadaddr} ' + hex(scoop_size) + '\r') start_part_addr = -1 start_line_addr = 0 linear_addr = 0 run = True while run: for line in response.split('\n\r'): if not run: break if line.find(':') < 0: continue rows = line.split() start_line_addr = int(re.sub('\:$', '', rows[0]), 16) if start_part_addr < 0: start_part_addr = start_line_addr if start_line_addr != linear_addr + start_part_addr: print('error: linear_addr {} != start_line_addr {}'.format(linear_addr + start_part_addr, start_line_addr)) for i in range(1,5): fd.write(int(rows[i], 16).to_bytes(4, byteorder='big', signed=False)) linear_addr += 4 if linear_addr >= part_size: run = False break print('linear_addr {}, part_size {}'.format(linear_addr, part_size)) if linear_addr >= part_size: run = False break else: response = xmit('\r') fd.close() xmit(' \r') for n in range(4): response = send_at('AT') if len(response) > 0: break else: time.sleep(4) send_at('AT') response = send_at('AT+CFUN?') if response.find('+CFUN:') >= 0: print('in AT mode') send_at('AT+CFUN=1,1') time.sleep(1) response = xmit(' \r') while response.find('#') < 0: time.sleep(1) response = xmit(' \r') if response.find('#') >= 0: print('in U-Boot') xmit(' \r') mtd_table = get_mtd_table() for record in mtd_table: dump_part(record) print('switching back into AT mode') xmit('run boot_default\r') else: print('error: switching into U-Boot failed') On Wed, 29 Jan 2020 at 00:28, Elias Devoldere <eldevoldere at gmail.com> wrote: > Hello, > I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset. > I was amazed when I got a U-Boot console after command at+cfun=1,1 and > sending several random characters. I assume it's not news for seasoned > wolves who hunt here. > As a modem rookie I did not find a relevant link to this topic during > Google's fast search. > > My questions. > Is this behavior generally known? > Can this be a one-piece property (I have only one piece)? > Could it be useful for interesting research? > Is there anyone who cares about it? > > I will try to extract parts of the memory using U-boot. > > Below you find pieces of the listing. > > Best, > Elias > > # help > help > ? - alias for 'help' > base - print or set address offset > bdinfo - print Board Info structure > boot - boot default, i.e., run 'bootcmd' > bootd - boot default, i.e., run 'bootcmd' > bootelf - Boot from an ELF image in memory > bootfw - Load and boot FW from ELF image in memory > bootm - boot application image from memory > bootp - boot image via network using BOOTP/TFTP protocol > bootvx - Boot vxWorks from an ELF image > chpart - change active partition > clocks - print clock configuration > cmp - memory compare > coninfo - print console devices and information > cp - memory copy > crc32 - checksum calculation > create_bdinfo- Create Board info > dhcp - boot image via network using DHCP/TFTP protocol > dip - show the Boot mode configuration options > echo - echo args to console > editenv - edit environment variable > env - environment handling commands > exit - exit script > false - do nothing, unsuccessfully > fdt - flattened device tree utility commands > fsinfo - print information about filesystems > fsload - load binary file from a filesystem image > fsloadbsp- load bsp binary files from a filesystem image > fstest - testing filesystems > go - start application at address '[*]addr' (possibly be indirect > address) > gpio - input/set/clear/toggle gpio pins > help - print command description/usage > i2c - I2C sub-system > iminfo - print header information for application image > imxtract- extract a part of a multi-image > initfw - Init FW PLLs > itest - return true/false on integer compare > kermit_stat- Show statistics of the last Kermit session > kermit_stat_print- print kermit statistics at the end of session > loadb - load binary file over serial line (kermit mode) > loads - load S-Record file over serial line > loady - load binary file over serial line (ymodem mode) > loop - infinite loop on address range > loopw - infinite write loop on address range > ls - list files in a directory (default /) > md - memory display > md5sum - compute MD5 message digest > mdc - memory display cyclic > mii - MII utility commands > mm - memory modify (auto-incrementing address) > mtdparts- define flash/nand partitions > mtest - simple RAM read/write test > mw - memory write (fill) > mwc - memory write cyclic > nand - NAND sub-system > nandotp - NAND OTP sub-system > nboot - boot from NAND device > nfs - boot image via network using NFS protocol > nm - memory modify (constant address) > ping - send ICMP ECHO_REQUEST to network host > printenv- print environment variables > rarpboot- boot image via network using RARP/TFTP protocol > reginfo - print register information > reset - Perform RESET of the CPU > reset_cause- print reset cause > run - run commands in an environment variable > saveenv - save environment variables to persistent storage > setenv - set environment variables > show_bdinfo- Show board info > showvar - print local hushshell variables > sleep - delay execution for some time > source - run script from memory > test - minimal test like /bin/sh > tftpboot- boot image via network using TFTP protocol > true - do nothing, successfully > unlzo - decopress a lzo memory region > unzip - unzip a memory region > version - print monitor, compiler and linker version > > U-Boot 2012.10 (Aug 09 2018 - 10:17:38) > mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3 > GNU ld (GNU Binutils) 2.21 > > # > baudrate=115200 > boot_default=run flash_boot > boot_nand_mtd=run nand_choose_rootfs; run flash_set_bootargs; nboot > kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; > bootm ${loadaddr} - ${dtb_addr} > boot_nand_ramfs=run ram_set_bootargs; nboot kernel${boot_number}; bootm > boot_number=2 > boot_option=boot_default > boot_tftp_ramfs=run ram_set_bootargs; ${tftpbootcmd} vmlinux.uboot; bootm > ${loadaddr} > bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo > 'GUESS MODE - NO BOOT ALLOWED !!!'; fi > bootdelay=6 > bootm_low=0x82100000 > bootm_size=0x6000000 > cdc_connect_timeout=10 > consoledev=ttyS0 > dtb_addr=0x84000000 > dtb_file=alt3802.dtb > dtb_size=0x4000 > env_check=if test ${env_saved} = 0; then setenv env_saved 1; saveenv; fi > env_configured_size=0x4000 > env_saved=1 > erase_env_nand=nand erase.part env; nand erase.part backup_env > eth_phy_mode=rmii > ethact=usb_ether > ethaddr=00:E0:0C:00:11:A0 > fastboot=setenv loadaddr ${fastboot_loadaddr};run loadfw; if test $? -eq > 0; then bootfw ${unziped_fwaddr} 1; fi; run loadotp; if run loadbsp;then > run process_fw; fi; > fastboot_loadaddr=0x82800000 > fdt_high=0x83000000 > fdtdbg=no > flash_boot=run nand_choose_rootfs; run flash_set_bootargs; run fastboot; > nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} > ${dtb_size}; bootm ${loadaddr} - ${dtb_addr} > flash_set_bootargs=setenv bootargs $ip root=${root} rw rootfstype=jffs2 > console=$consoledev,$kernel_baudrate $othbootargs $kernellog > gatewayip=0.0.0.0 > hostname=alt3800 > initrd_high=0x83000000 > ipaddr=10.0.0.1 > kernel_baudrate=115200 > kernel_file=uImage > kernellog=quiet > load_fw=run load_phy_fw; run load_lte_fw > load_lte_fw=${tftpbootcmd} $lte_fw; setenv fw_type LTE; bootelf > load_phy_fw=${tftpbootcmd} $phy_fw; setenv fw_type PHY; bootelf > loadaddr=0x80100000 > loadbsp=chpart nvm; fsloadbsp 1 ${ramFilesShAddr} band_list bandbp > file_list bspfilesbp > loadfw= nand read.jffs2 ${loadaddr} modem_fw${boot_number}; unlzo > ${loadaddr} ${unziped_fwaddr}; > loadotp=nandotp read ${ramOtpShAddr} spl 20 > lte_fw=PS100_RealPHY.elf > > mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage) > > nand128_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage) > > nand128_scheme2_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),53m(rootfs1),4m(kernel2),256k(dtb2),53m(rootfs2),4m(modem_fw1),4m(modem_fw2) > > nand256_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),40m(rootfs1),4m(kernel2),256k(dtb2),40m(rootfs2),4m(modem_fw1),4m(modem_fw2),10m(ua),-(tstorage) > nand_choose_rootfs=if test 1 = ${boot_number}; then setenv root > /dev/mtdblock8;else setenv root /dev/mtdblock11; fi > nand_erasesize=20000 > nand_oobsize=40 > nand_uboot_file=u-boot.bin > nand_uboot_spl_file=u-boot-spl.bin.alt3800 > nand_writesize=800 > nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc > nchelp=echo On the host side run the script: ./netconsole $ipaddr $ncinport > ncinport=6665 > ncip=10.0.0.10 > ncmux=run nchelp; setenv stdout ${stdout},nc; setenv stdin ${stdin},nc; > setenv stderr ${stderr},nc > ncoutport=6665 > netdev=eth0 > netmask=255.255.0.0 > nvm_file=nvm.jffs2.img > phy_dbgstreamer=0 > phy_fw=Lte.out > phy_sniffer=0 > preboot=run env_check; if test -n $prebootcmd; then echo; echo Running > pre-boot command; run prebootcmd;fi; > process_fw=initfw; bootfw ${unziped_fwaddr} 0 > ramFilesShAddr=0xA030004c > ramOtpShAddr=0xA0300000 > ram_set_bootargs=setenv bootargs $ip root=/dev/ram rw > console=$consoledev,$kernel_baudrate $othbootargs $kernellog > rootfs_file=rootfs.jffs2.img > ser=setenv stdin serial;setenv stdout serial;setenv stderr serial > serverip=10.0.0.10 > set_ip=setenv ip > ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off > stderr=serial,usbtty > stdin=serial,usbtty > stdout=serial,usbtty > testdramaddress=no > testdramcache=yes > testdramcount=1 > testdramdata=no > testdramsize=0x08000000 > testdramstart=0x80100000 > testdramwalk=no > tftpbootcmd=tftpboot > toggle_boot_number=if test 1 = ${boot_number}; then set boot_number 2; > else set boot_number 1; fi; saveenv > unziped_fwaddr=0x83000000 > update_all=run update_all_nand > update_all_nand=run update_kernel_nand update_dtb_nand update_rootfs_nand > update_dtb=run update_dtb_nand > update_dtb_nand=if ${tftpbootcmd} ${dtb_file}; then nand erase.part > dtb${boot_number}; nand write ${loadaddr} dtb${boot_number} ${filesize}; fi > update_kernel=run update_kernel_nand > update_kernel_nand=if ${tftpbootcmd} ${kernel_file}; then nand erase.part > kernel${boot_number}; nand write ${loadaddr} kernel${boot_number} > ${filesize}; fi > update_linux=${tftpbootcmd} uImage > update_multi_img=run update_multi_img_nand > update_multi_img_nand=setenv kernel_file vmlinux.uboot; run > update_kernel_nand > update_nvm=run update_nvm_nand > update_nvm_nand=if ${tftpbootcmd} ${nvm_file}; then nand erase.part nvm; > nand write ${loadaddr} nvm ${filesize}; fi > update_ramdisk=${tftpbootcmd} $ramdiskaddr ramdisk.gz.uboot > update_rootfs=run update_rootfs_nand > update_rootfs_nand=if ${tftpbootcmd} ${rootfs_file}; then nand erase.part > rootfs${boot_number}; nand write ${loadaddr} rootfs${boot_number} > ${filesize}; fi > update_uboot=run update_uboot_nand > update_uboot_nand=run update_uboot_nand_spl update_uboot_nand_non_spl > erase_env_nand > update_uboot_nand_non_spl=if ${tftpbootcmd} ${nand_uboot_file}; then nand > erase.part uboot1; nand write ${loadaddr} uboot1 ${filesize}; nand > erase.part uboot2; nand write ${loadaddr} uboot2 ${filesize}; fi > update_uboot_nand_spl=if ${tftpbootcmd} ${nand_uboot_spl_file}; then nand > erase.part spl; nand write ${loadaddr} spl ${filesize}; fi > usbphymode=0 > usbtty=cdc_acm > ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38) > > Environment size: 6184/16379 bytes > > mtdparts > > device nand0 <alt3800_nfc>, # parts = 15 > #: name size offset mask_flags > 0: spl 0x00080000 0x00000000 0 > 1: uboot1 0x000c0000 0x00080000 0 > 2: uboot2 0x000c0000 0x00140000 0 > 3: env 0x00040000 0x00200000 0 > 4: backup_env 0x00040000 0x00240000 0 > 5: nvm 0x00300000 0x00280000 0 > 6: kernel1 0x00300000 0x00580000 0 > 7: dtb1 0x00040000 0x00880000 0 > 8: rootfs1 0x02500000 0x008c0000 0 > 9: kernel2 0x00300000 0x02dc0000 0 > 10: dtb2 0x00040000 0x030c0000 0 > 11: rootfs2 0x02500000 0x03100000 0 > 12: modem_fw1 0x00400000 0x05600000 0 > 13: modem_fw2 0x00400000 0x05a00000 0 > 14: tstorage 0x02200000 0x05e00000 0 > > active partition: nand0,0 - (spl) 0x00080000 @ 0x00000000 > > defaults: > mtdids : nand0=alt3800_nfc > mtdparts: uninitialized > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/qc-linux-modems/attachments/20200203/33acdbd2/attachment.htm>