EG25-G reverse engineering

quectel_daemon

• makes /sys/class/gpio/gpio1018/direction an output
• monitors /sys/devices/virtual/android_usb/android0/state and /sys/devices/virtual/android_usb/android0/usb_sleep and passes the state to modem via qmi
• monitors /run/gpio_data and updates /sys/class/gpio/gpio1018/direction with high/low
• opens various pcm devices (voice_pcm_ser­vice)
• handles call ringing and voice audio configuration
• touches /tmp/quec_daemon_rdy
• talks via /run/voc_svr in the main loop

quectel_mo­nitor_daemon

• if /data/ModemRestartSystem exists it writes SYSTEM to /sys/devices/4080000.qcom,mss/subsys1/restart_level or /sys/devices/4080000.qcom,mss/subsys0/restart_level
• if /data/ModemRestartRelated exists it writes RELATED to /sys/devices/4080000.qcom,mss/subsys1/restart_level or /sys/devices/4080000.qcom,mss/subsys0/restart_level
• then it monitors /sys/devices/4080000.qcom,mss/subsys1/quec_state and if it is changed to non-0 it restarts various daemons:
  • system(„ki­llall atfwd_daemon“);
  • system(„ki­llall quectel_da­emon“);
  • system(„ki­llall alsaucm_tes­t“);

quectel_pcm_d­aemon

• waits for pcm codec to probe
• reads /data/quec/conf/auxpcm.conf (written by atfwd_daemon via AT+QDAI command)
• based on values therein it:
  • loads various kernel modules for supported external co­decs
    • eg.:

      system(„echo \"nau8814-codec.2–001a\“ > /sys/devices/soc:s­ound/codec_na­me");

      system(„echo \"nau8814-aif1\“ > /sys/devices/soc:s­ound/rx_da­i_name");

      system(„echo \"nau8814-aif1\“ > /sys/devices/soc:s­ound/tx_da­i_name");

      system(„insmod /usr/lib/mo­dules/3.18­.44/kernel/sou­nd/soc/codec­s/snd-soc-nau8814.ko“);

  • configures PCM interface, like:

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/mode“

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/sync“

    „echo %d > /sys/devices/soc:s­ound/pcm_mo­de_select“

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/frame“

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/quant“

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/data“

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/rate“

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/num_­slots“

    „echo %d > /sys/devices/soc:q­com,msm-sec-auxpcm/slot­_mapping“

    „echo %d > /sys/devices/soc:s­ound/quec_au­xpcm_rate“

quectel_psm_a­ware

• creates fifo /run/psm_aware_cmd
• reads this fifo and issues various psm_* calls to a library
• some power saving stuff
• fifo is written from atfwd_daemon via AT+QPSM="fifo string" command

quectel_tts_s­ervice

• binds to 127.0.0.1:17824
• accepts connections and plays TTS audio from the issued command

sendcal

• creates /run/sendcal device
• does some basic processing

subsystem_ram­dump

• allow to dump ram to a file in /data

time_daemon

• reads RTC time from modem over qmi and updates the ARM CPU time

uim_test_cli­ent

• sim testing console client

quectel-uart-ddp

• reads /data/quec/conf/dynamic_console
• passes data between debug uart port and /dev/smd9

quectel-thermal

• monitors /sys/devices/virtual/thermal/thermal_zone%d/temp
• updates SAR and RF signal strength based on temperature via QMI

quectel-smd-atcmd

• probably supposed to forward commands from /dev/ttyGS0 to /dev/smd7
• does nothing, just prints some crap in a weird way to console/kmsg
• Sundy still didn't learn stdio so is using system(„echo %s > /dev/kmsg“); instead of fprintf

quectel-remotefs-service

• opens /dev/smd8
• waits for commands from the modem over /dev/smd8 and performs basic VFS operations, like open/close/re­ad/write/se­ek, etc.
• implements reaction to OMA DM push message by executing /data/ipth_dme binary, which implements vendor (Verizon, AT&T) specific remote FOTA/system config updates
  • only if fota_ip_a or fota_ip_v exist in /data/fota directory

quectel-gps-handle

• Sundy strikes again, this time using stdio in addition to system() calls for debug output!
• writes 0 to /data/quec/conf/gps_outport_flag
• opens /dev/smd7 (modem's GPS data shmem device)
• reads a number from /data/quec/conf/gps_outport_flag
  • uses /dev/ttyHSL0 or /dev/ttyGS0 for NMEA output based on the number
• forwards data from /dev/sdm7 to one of the serial ports
• monitors /sys/class/android_usb/android0/state and /sys/class/android_usb/f_serial/is_connected_flag and presumably turns off GPS output if USB is not ‚CONNECTED‘

quec_wifi_brid­ge

• opens /data/wifi_bridge_in_pipe and /data/wifi_bridge_out_pipe
• listens on ‚0.0.0.0:5555‘
• forwards data from connections to /data/wifi_bridge_in_pipe as is
• forwards data from /data/wifi_bridge_out_pipe to the last accepted connection

ql_usbcfg

• loads USB configuration for recovery mode

ql_manager_ser­ver / ql_manager_cli

• some WWAN/WIFI management server + cli client
• quectel code

…

Files

/tmp/.urc_sock

• Unix socket that can be used to send URCs from linux userspace

Un(der)-documented AT commands

AT+QPRINT=1

• (does literally cat /proc/kmsg >/dev/ttyGS0 &), you can get dmesg output from cat /dev/ttyUSB1 on the A64 side

AT+QPRINT=0

• does literally killall cat

AT+QFASTBOOT

• reboots the modem in fastboot mode

AT+QCFG=„m­odemrstlevel“,<val>

• /sys/bus/m­sm_subsys/de­vices/subsys1/res­tart_level

val == 0:

• echo SYSTEM > /sys/bus/m­sm_subsys/de­vices/subsys0/res­tart_level
• echo 00 > /data/Modem­RestartSys­tem
• rm -rf /data/Modem­RestartRela­ted

val == 1:

• echo RELATED > /sys/bus/m­sm_subsys/de­vices/subsys0/res­tart_level
• echo 11 > /data/Modem­RestartRela­ted
• rm -rf /data/Modem­RestartSys­tem

AT+QCFG=„a­prstlevel“,<val>

• echo val > /sys/bus/m­sm_subsys/de­vices/subsys0/sys­tem_reset_mo­de

AT+QCFG=„us­bid“

• handled by quectel-manager (see ql_mgmt_cl­ient_open C api)

AT+QCFG=„us­bee“

• handled by quectel-manager (see ql_mgmt_cl­ient_open C api)

AT+QCFG=„us­bcfg“

• handled by quectel-manager (see ql_mgmt_cl­ient_open C api)

AT+QCFG=„us­bnet“

• handled by quectel-manager (see ql_mgmt_cl­ient_open C api)

AT+QCFG=„p­cmclk“

• reads/writes /sys/devices/soc:q­com,msm-sec-auxpcm/ena­ble_clk
• sets some params on alsa hw:0,0 device

AT+QCFG=„t­one/incomin­g“,<val>

• reads/writes DWORD val to /data/quec/con­f/ringtype­.conf

AT+QCFG=„s­leepind/le­vel“,<val>

• echo val > /sys/devices/soc:q­uec,quectel-power-manager/sle­ep_polarity
• echo val > /data/quec/con­f/sleepind­.txt

AT+QCFG=„w­akeupin/le­vel“,<val>

• echo val > /data/quec/con­f/wakeupin­.txt

AT+QCFG=„t­hermal/modem“, „thermal/li­mit_rates“, „thermal/txpwr­lmt“

• modifies /data/quec_ther­mal_threshold (37B binary file)
• modifies /data/quec_ther­m_cfg
  • format enable=%d,sen­sor=%d,tem­pthreshold=%d,du­ration=%d,tri­g_cnt=%d,clr_cnt=%d

AT+QCFG=„c­odec/powsa­ve“

• echo val > /sys/devices/78b60­00.i2c/i2c-2/2–001b/alc5616_pow­_save_cfg

AT+QCFG=„q­cautoconnec­t“,<val>

• sed -i ‚/<AutoCon­nect>[01]</<­AutoConnec­t>‘$val'</g' /data/mobi­leap_cfg.xml

AT+QCFG=„f­tm/mbim“

• opens /data/quec/us­b/ftm_mbim and drops the fd, doesn't close it?
• kinda weird

AT+QCFG=„m­ulti_ip_pac­kage“

• configures /sys/devices/vir­tual/andro­id_usb/andro­id0/multi_pac­kage_enabled
• and some other related sysfs files

AT+QCFG=„d­bgctl“

• echo 1 > /etc/dbgctl
• or rm /etc/dbgctl
• of course it fails, since /etc is read-only fs

AT+QCFG=„b­ootup“,<op>

• 1 = start, 0 = stop, 2 = check if service (/etc/init.d) is running

AT+QCFG=„us­bmode“

• echo %d > /data/usb/qu­ec_usbmode_check
• cat /sys/devices/vir­tual/andro­id_usb/andro­id0/state (CONFIGURED / other)
• cat /sys/devices/vir­tual/andro­id_usb/andro­id0/usb_sle­ep (0/1)