Platform ALT3800 as good target?

Elias Devoldere eldevoldere at gmail.com
Mon Feb 3 12:04:10 UTC 2020


Hello,
This is a Python script to download flash memory content.

import serial  # pyserial
import time
import re

dev_name = '/dev/ttyACM0'
scoop_size = 0x80  # number of 32-bit words requested per md.l call


def xmit(data, xtimeout=0.1):
    """Write a string to the port and return everything read back."""
    response = b''
    try:
        with serial.Serial(dev_name, timeout=xtimeout) as ser:
            ser.write(data.encode())
            while True:
                response_tmp = ser.read(1024)
                response += response_tmp
                # A short read means the device has stopped sending.
                if not len(response_tmp) == 1024:
                    break
    except (OSError, FileNotFoundError, serial.serialutil.SerialException) as e:
        # The port disappears while the modem resets; wait and let the caller retry.
        print('IO exception')
        time.sleep(2)
    # Line noise during a reset is not always valid UTF-8.
    return response.decode('utf-8', errors='replace')


def send_at(at_cmd):
    at_cmd += '\r'
    return xmit(at_cmd, xtimeout=1.0)


def get_mtd_table():
    """Parse the partition table printed by U-Boot into a list of dicts."""
    response = xmit('mtd\r')
    start = response.find('#:')
    if start < 0:
        return []
    output = []
    for line in response[start:].split('\n\r'):
        if len(line) < 2:
            break  # blank line ends the table
        if line.find('#') >= 0:
            continue  # header line
        rows = line.split()
        row_idx = 0
        row_dict = {}
        row_names = ["idx", "name", "size", "offset", "flags"]
        for row in rows:
            if row_idx == 0:
                row = re.sub(r':$', '', row)
            row_dict[row_names[row_idx]] = row
            row_idx += 1
        output.append(row_dict)
    return output


def dump_part(record):
    """Read one partition into RAM and write the md.l hex dump to a file."""
    part_size = int(record['size'], 16)
    name = record['name']
    with open(name, 'wb') as fd:
        response = xmit('nand read ${loadaddr} ' + name + '\r')
        print(response)
        response = xmit('md.l ${loadaddr} ' + hex(scoop_size) + '\r')
        start_part_addr = -1
        start_line_addr = 0
        linear_addr = 0
        run = True
        while run:
            for line in response.split('\n\r'):
                if not run:
                    break
                if line.find(':') < 0:
                    continue
                rows = line.split()
                start_line_addr = int(re.sub(r':$', '', rows[0]), 16)
                if start_part_addr < 0:
                    start_part_addr = start_line_addr
                # Each dump line must continue exactly where the previous one ended.
                if start_line_addr != linear_addr + start_part_addr:
                    print('error: linear_addr {} != start_line_addr {}'.format(
                        linear_addr + start_part_addr, start_line_addr))
                for i in range(1, 5):
                    fd.write(int(rows[i], 16).to_bytes(4, byteorder='big', signed=False))
                    linear_addr += 4
                    if linear_addr >= part_size:
                        run = False
                        break
            print('linear_addr {}, part_size {}'.format(linear_addr, part_size))
            if linear_addr >= part_size:
                run = False
                break
            else:
                # An empty line repeats md.l for the next block of memory.
                response = xmit('\r')
    xmit(' \r')


# Wait for the modem to answer on the AT port.
for n in range(4):
    response = send_at('AT')
    if len(response) > 0:
        break
    else:
        time.sleep(4)
send_at('AT')
response = send_at('AT+CFUN?')
if response.find('+CFUN:') >= 0:
    print('in AT mode')
    send_at('AT+CFUN=1,1')
    time.sleep(1)
# Keep sending input until the U-Boot prompt appears.
response = xmit(' \r')
while response.find('#') < 0:
    time.sleep(1)
    response = xmit(' \r')
if response.find('#') >= 0:
    print('in U-Boot')
    xmit(' \r')
    mtd_table = get_mtd_table()
    for record in mtd_table:
        dump_part(record)
    print('switching back into AT mode')
    xmit('run boot_default\r')
else:
    print('error: switching into U-Boot failed')

On Wed, 29 Jan 2020 at 00:28, Elias Devoldere <eldevoldere at gmail.com> wrote:

> Hello,
> I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset.
> I was amazed when I got a U-Boot console after command at+cfun=1,1 and
> sending several random characters. I assume it's not news for seasoned
> wolves who hunt here.
> As a modem rookie I did not find a relevant link to this topic during
> Google's fast search.
>
> My questions.
> Is this behavior generally known?
> Can this be a one-piece property (I have only one piece)?
> Could it be useful for interesting research?
> Is there anyone who cares about it?
>
> I will try to extract parts of the memory using U-boot.
>
> Below you find pieces of the listing.
>
> Best,
> Elias
>
> # help
> help
> ?       - alias for 'help'
> base    - print or set address offset
> bdinfo  - print Board Info structure
> boot    - boot default, i.e., run 'bootcmd'
> bootd   - boot default, i.e., run 'bootcmd'
> bootelf - Boot from an ELF image in memory
> bootfw  - Load and boot FW from ELF image in memory
> bootm   - boot application image from memory
> bootp   - boot image via network using BOOTP/TFTP protocol
> bootvx  - Boot vxWorks from an ELF image
> chpart  - change active partition
> clocks  - print clock configuration
> cmp     - memory compare
> coninfo - print console devices and information
> cp      - memory copy
> crc32   - checksum calculation
> create_bdinfo- Create Board info
> dhcp    - boot image via network using DHCP/TFTP protocol
> dip     - show the Boot mode configuration options
> echo    - echo args to console
> editenv - edit environment variable
> env     - environment handling commands
> exit    - exit script
> false   - do nothing, unsuccessfully
> fdt     - flattened device tree utility commands
> fsinfo  - print information about filesystems
> fsload  - load binary file from a filesystem image
> fsloadbsp- load bsp binary files from a filesystem image
> fstest  - testing filesystems
> go      - start application at address '[*]addr' (possibly be indirect
> address)
> gpio    - input/set/clear/toggle gpio pins
> help    - print command description/usage
> i2c     - I2C sub-system
> iminfo  - print header information for application image
> imxtract- extract a part of a multi-image
> initfw  - Init FW PLLs
> itest   - return true/false on integer compare
> kermit_stat- Show statistics of the last Kermit session
> kermit_stat_print- print kermit statistics at the end of session
> loadb   - load binary file over serial line (kermit mode)
> loads   - load S-Record file over serial line
> loady   - load binary file over serial line (ymodem mode)
> loop    - infinite loop on address range
> loopw   - infinite write loop on address range
> ls      - list files in a directory (default /)
> md      - memory display
> md5sum  - compute MD5 message digest
> mdc     - memory display cyclic
> mii     - MII utility commands
> mm      - memory modify (auto-incrementing address)
> mtdparts- define flash/nand partitions
> mtest   - simple RAM read/write test
> mw      - memory write (fill)
> mwc     - memory write cyclic
> nand    - NAND sub-system
> nandotp - NAND OTP sub-system
> nboot   - boot from NAND device
> nfs     - boot image via network using NFS protocol
> nm      - memory modify (constant address)
> ping    - send ICMP ECHO_REQUEST to network host
> printenv- print environment variables
> rarpboot- boot image via network using RARP/TFTP protocol
> reginfo - print register information
> reset   - Perform RESET of the CPU
> reset_cause- print reset cause
> run     - run commands in an environment variable
> saveenv - save environment variables to persistent storage
> setenv  - set environment variables
> show_bdinfo- Show board info
> showvar - print local hushshell variables
> sleep   - delay execution for some time
> source  - run script from memory
> test    - minimal test like /bin/sh
> tftpboot- boot image via network using TFTP protocol
> true    - do nothing, successfully
> unlzo   - decopress a lzo memory region
> unzip   - unzip a memory region
> version - print monitor, compiler and linker version
>
> U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
> mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3
> GNU ld (GNU Binutils) 2.21
>
> #
> baudrate=115200
> boot_default=run flash_boot
> boot_nand_mtd=run nand_choose_rootfs; run flash_set_bootargs; nboot
> kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size};
> bootm ${loadaddr} - ${dtb_addr}
> boot_nand_ramfs=run ram_set_bootargs; nboot kernel${boot_number}; bootm
> boot_number=2
> boot_option=boot_default
> boot_tftp_ramfs=run ram_set_bootargs; ${tftpbootcmd} vmlinux.uboot; bootm
> ${loadaddr}
> bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo
> 'GUESS MODE - NO BOOT ALLOWED !!!'; fi
> bootdelay=6
> bootm_low=0x82100000
> bootm_size=0x6000000
> cdc_connect_timeout=10
> consoledev=ttyS0
> dtb_addr=0x84000000
> dtb_file=alt3802.dtb
> dtb_size=0x4000
> env_check=if test ${env_saved} = 0; then setenv env_saved 1; saveenv; fi
> env_configured_size=0x4000
> env_saved=1
> erase_env_nand=nand erase.part env; nand erase.part backup_env
> eth_phy_mode=rmii
> ethact=usb_ether
> ethaddr=00:E0:0C:00:11:A0
> fastboot=setenv loadaddr ${fastboot_loadaddr};run loadfw; if test $? -eq
> 0; then bootfw ${unziped_fwaddr} 1; fi; run loadotp; if run loadbsp;then
> run process_fw; fi;
> fastboot_loadaddr=0x82800000
> fdt_high=0x83000000
> fdtdbg=no
> flash_boot=run nand_choose_rootfs; run flash_set_bootargs; run fastboot;
> nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number}
> ${dtb_size}; bootm ${loadaddr} - ${dtb_addr}
> flash_set_bootargs=setenv bootargs $ip root=${root} rw rootfstype=jffs2
> console=$consoledev,$kernel_baudrate $othbootargs $kernellog
> gatewayip=0.0.0.0
> hostname=alt3800
> initrd_high=0x83000000
> ipaddr=10.0.0.1
> kernel_baudrate=115200
> kernel_file=uImage
> kernellog=quiet
> load_fw=run load_phy_fw; run load_lte_fw
> load_lte_fw=${tftpbootcmd} $lte_fw; setenv fw_type LTE; bootelf
> load_phy_fw=${tftpbootcmd} $phy_fw; setenv fw_type PHY; bootelf
> loadaddr=0x80100000
> loadbsp=chpart nvm; fsloadbsp 1 ${ramFilesShAddr} band_list bandbp
> file_list bspfilesbp
> loadfw= nand read.jffs2 ${loadaddr} modem_fw${boot_number}; unlzo
> ${loadaddr} ${unziped_fwaddr};
> loadotp=nandotp read ${ramOtpShAddr} spl 20
> lte_fw=PS100_RealPHY.elf
>
> mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage)
>
> nand128_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage)
>
> nand128_scheme2_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),53m(rootfs1),4m(kernel2),256k(dtb2),53m(rootfs2),4m(modem_fw1),4m(modem_fw2)
>
> nand256_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),40m(rootfs1),4m(kernel2),256k(dtb2),40m(rootfs2),4m(modem_fw1),4m(modem_fw2),10m(ua),-(tstorage)
> nand_choose_rootfs=if test 1 = ${boot_number}; then setenv root
> /dev/mtdblock8;else setenv root /dev/mtdblock11; fi
> nand_erasesize=20000
> nand_oobsize=40
> nand_uboot_file=u-boot.bin
> nand_uboot_spl_file=u-boot-spl.bin.alt3800
> nand_writesize=800
> nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc
> nchelp=echo On the host side run the script: ./netconsole $ipaddr $ncinport
> ncinport=6665
> ncip=10.0.0.10
> ncmux=run nchelp; setenv stdout ${stdout},nc; setenv stdin ${stdin},nc;
> setenv stderr ${stderr},nc
> ncoutport=6665
> netdev=eth0
> netmask=255.255.0.0
> nvm_file=nvm.jffs2.img
> phy_dbgstreamer=0
> phy_fw=Lte.out
> phy_sniffer=0
> preboot=run env_check; if test -n $prebootcmd; then echo; echo Running
> pre-boot command; run prebootcmd;fi;
> process_fw=initfw; bootfw ${unziped_fwaddr} 0
> ramFilesShAddr=0xA030004c
> ramOtpShAddr=0xA0300000
> ram_set_bootargs=setenv bootargs $ip root=/dev/ram rw
> console=$consoledev,$kernel_baudrate $othbootargs $kernellog
> rootfs_file=rootfs.jffs2.img
> ser=setenv stdin serial;setenv stdout serial;setenv stderr serial
> serverip=10.0.0.10
> set_ip=setenv ip
> ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off
> stderr=serial,usbtty
> stdin=serial,usbtty
> stdout=serial,usbtty
> testdramaddress=no
> testdramcache=yes
> testdramcount=1
> testdramdata=no
> testdramsize=0x08000000
> testdramstart=0x80100000
> testdramwalk=no
> tftpbootcmd=tftpboot
> toggle_boot_number=if test 1 = ${boot_number}; then set boot_number 2;
> else set boot_number 1; fi; saveenv
> unziped_fwaddr=0x83000000
> update_all=run update_all_nand
> update_all_nand=run update_kernel_nand update_dtb_nand update_rootfs_nand
> update_dtb=run update_dtb_nand
> update_dtb_nand=if ${tftpbootcmd} ${dtb_file}; then nand erase.part
> dtb${boot_number}; nand write ${loadaddr} dtb${boot_number} ${filesize}; fi
> update_kernel=run update_kernel_nand
> update_kernel_nand=if ${tftpbootcmd} ${kernel_file}; then nand erase.part
> kernel${boot_number}; nand write ${loadaddr} kernel${boot_number}
> ${filesize}; fi
> update_linux=${tftpbootcmd} uImage
> update_multi_img=run update_multi_img_nand
> update_multi_img_nand=setenv kernel_file vmlinux.uboot; run
> update_kernel_nand
> update_nvm=run update_nvm_nand
> update_nvm_nand=if ${tftpbootcmd} ${nvm_file}; then  nand erase.part nvm;
> nand write ${loadaddr} nvm ${filesize}; fi
> update_ramdisk=${tftpbootcmd} $ramdiskaddr ramdisk.gz.uboot
> update_rootfs=run update_rootfs_nand
> update_rootfs_nand=if ${tftpbootcmd} ${rootfs_file}; then nand erase.part
> rootfs${boot_number}; nand write ${loadaddr} rootfs${boot_number}
> ${filesize}; fi
> update_uboot=run update_uboot_nand
> update_uboot_nand=run update_uboot_nand_spl update_uboot_nand_non_spl
> erase_env_nand
> update_uboot_nand_non_spl=if ${tftpbootcmd} ${nand_uboot_file}; then nand
> erase.part uboot1; nand write ${loadaddr} uboot1 ${filesize}; nand
> erase.part uboot2; nand write ${loadaddr} uboot2 ${filesize}; fi
> update_uboot_nand_spl=if ${tftpbootcmd} ${nand_uboot_spl_file}; then nand
> erase.part spl; nand write ${loadaddr} spl ${filesize}; fi
> usbphymode=0
> usbtty=cdc_acm
> ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
>
> Environment size: 6184/16379 bytes
>
> mtdparts
>
> device nand0 <alt3800_nfc>, # parts = 15
>  #: name    size    offset    mask_flags
>  0: spl                 0x00080000  0x00000000  0
>  1: uboot1              0x000c0000  0x00080000  0
>  2: uboot2              0x000c0000  0x00140000  0
>  3: env                 0x00040000  0x00200000  0
>  4: backup_env          0x00040000  0x00240000  0
>  5: nvm                 0x00300000  0x00280000  0
>  6: kernel1             0x00300000  0x00580000  0
>  7: dtb1                0x00040000  0x00880000  0
>  8: rootfs1             0x02500000  0x008c0000  0
>  9: kernel2             0x00300000  0x02dc0000  0
> 10: dtb2                0x00040000  0x030c0000  0
> 11: rootfs2             0x02500000  0x03100000  0
> 12: modem_fw1           0x00400000  0x05600000  0
> 13: modem_fw2           0x00400000  0x05a00000  0
> 14: tstorage            0x02200000  0x05e00000  0
>
> active partition: nand0,0 - (spl) 0x00080000 @ 0x00000000
>
> defaults:
> mtdids  : nand0=alt3800_nfc
> mtdparts: uninitialized
>
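
Added example, not part of the original posts: a defender-side check over a captured printenv listing like the one quoted above, reporting the settings that keep the U-Boot prompt reachable (bootdelay, stdin devices, netconsole helper scripts). The function names and finding texts are this example's own, and the sample is a constructed excerpt that reuses values from the listing.

```python
import re

# Constructed excerpt; values copied from the quoted listing, mail wrapping kept.
SAMPLE_ENV = """\
baudrate=115200
bootdelay=6
bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo
'GUESS MODE - NO BOOT ALLOWED !!!'; fi
ncinport=6665
nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc
stdin=serial,usbtty
stdout=serial,usbtty
usbtty=cdc_acm
"""

def parse_env(text):
    """Parse name=value lines; mail-wrapped continuation lines are rejoined."""
    env, last = {}, None
    for raw in text.splitlines():
        line = raw.lstrip('> ').rstrip()
        name, sep, value = line.partition('=')
        # A wrapped line that itself looks like name=value is ambiguous and
        # is treated as a new variable.
        if sep and name and name.replace('_', '').isalnum():
            env[name] = value
            last = name
        elif last and line:
            env[last] += ' ' + line
    return env

def audit(env):
    """Return (variable, reason) pairs for settings that expose the prompt."""
    findings = []
    delay = env.get('bootdelay', '')
    # A positive bootdelay is the countdown during which input aborts autoboot.
    if delay.isdigit() and int(delay) > 0:
        findings.append(('bootdelay', f'autoboot can be interrupted for {delay}s'))
    for dev in env.get('stdin', '').split(','):
        if dev.strip() == 'usbtty':
            findings.append(('stdin', 'console input accepted from the USB gadget port'))
        elif dev.strip() == 'nc':
            findings.append(('stdin', 'console input accepted from netconsole'))
    for name, value in env.items():
        m = re.search(r'setenv stdin ([^;]*)', value)
        if m and 'nc' in re.split(r'[ ,]+', m.group(1).strip()):
            findings.append((name, 'script can attach stdin to netconsole'))
    return findings

if __name__ == '__main__':
    for var, reason in audit(parse_env(SAMPLE_ENV)):
        print(f'{var}: {reason}')
```
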