• Table of contents
• Qualcomm Kernel
  • remote_spinlock
  • SMD (shared memory)
  • smem_log
  • rmnet (Remote Network)
  • bam (Bus Access Manager/Module)
  • IPA (Internet Packet Accelerator)
  • bam2bam
  • Android USB Gadget
  • IPC Router
  • IPC Logging
  • diag
    • diag forwarding
    • diag char
      • DIAG_IOCTL_COMMAND_REG
      • DIAG_IOCTL_COMMAND_DEREG
      • DIAG_IOCTL_GET_DELAYED_RSP_ID
      • DIAG_IOCTL_DCI_REG
      • DIAG_IOCTL_DCI_DEINIT
      • DIAG_IOCTL_DCI_SUPPORT
      • DIAG_IOCTL_DCI_HEALTH_STATS
      • DIAG_IOCTL_DCI_LOG_STATUS
      • DIAG_IOCTL_DCI_EVENT_STATUS
      • DIAG_IOCTL_DCI_CLEAR_LOGS
      • DIAG_IOCTL_DCI_CLEAR_EVENTS
      • DIAG_IOCTL_LSM_DEINIT
      • DIAG_IOCTL_SWITCH_LOGGING
      • DIAG_IOCTL_REMOTE_DEV
      • DIAG_IOCTL_VOTE_REAL_TIME
      • DIAG_IOCTL_GET_REAL_TIME
      • DIAG_IOCTL_PERIPHERAL_BUF_CONFIG
      • DIAG_IOCTL_PERIPHERAL_BUF_DRAIN
      • DIAG_IOCTL_REGISTER_CALLBACK
      • DIAG_IOCTL_HDLC_TOGGLE
  • IRSC (IPC Router Security Control)

Qualcomm Kernel¶

Random notes about the Qualcomm Kernel as used on the MDM9615 and MDM9x07. May also apply to other Qualcomm Linux based systems such as Android smartphones.

remote_spinlock¶

You probably know the regular spinlocks inside the linux kernel: They protect you from multiple processors entering the same critical section of code in the kernel. All but one processor core will be busy-waiting while the spinlock is held.

In the Qualcomm multi-CPU SoCs they have implemented a remote spinlock mechanism, in which e.g. the APPS processor can prevent the MODEM processor from entering a critical section (or rather, access critical shared data between the processors).

SMD (shared memory)¶

See Qualcomm_Linux_SMD

smem_log¶

This is some kidn of high speed shared memory based event log to which all processors can log events.

Userspace applications can use write() to /dev/smem_log to add log entries.

Qualcomm uses a proprietary minimal shim layer offering SMEM_LOG_EVENT and SMEM_LOG_EVENT6 macros
that can be used to write events with an event ID plus three data words or six data words, respectively.

The shared memory log can be read from linux userspace via debugfs, see the devices in /sys/kernel/debug/smem_log
and simply use cat on them. You will get lines like

MODM: 3982377401 000d0000: 00000001: 03000019 01000028 01000015 53505041 00000061 5f696d71
MODM: 3982378159      QCSI: 00000004: 00040029 00240015 00000003 00000001 0000002b 00000000
MODM: 3982378619 000d0000: 00000001: 03000019 0100002b 01000015 53505041 00000061 5f696d71
APPS: 3982397356      QCCI: 00000005: 0004001d 0024000e 00000003 00000003 00000019 00000000
APPS: 3982400571      QCCI: 00000005: 00040029 0024000e 00000003 00000003 00000019 00000000
MODM: 1841235211      QCSI: 00000004: 0004001e 0024001c 00000003 00000001 00000028 00000000
MODM: 1841236665 000d0000: 00000001: 03000019 01000028 0101001c 53505041 00000061 5f696d71
MODM: 1841241411      QCSI: 00000004: 0004002a 0024001c 00000003 00000001 0000002b 00000000
MODM: 1841242246 000d0000: 00000001: 03000019 0100002b 0100001c 53505041 00000061 5f696d71
MODM: 1841243796      QCSI: 00000004: 0004002b 00660019 00000003 00000001 0000002b 00000000
MODM: 1841244286 000d0000: 00000001: 03000019 0100002b 01000019 53505041 00000061 5f696d71
APPS: 1841255456      QCCI: 00000005: 0004001e 00240015 00000003 00000003 00000019 00000000
MODM: 1841255335 000d0000: 00000002: 0100ffff 0300ffff 07000014 53505041 0000016c 74646d73
MODM: 1841255828 000d0000: 00000702: 00000001 00000028 00000007
APPS: 1841261430      QCCI: 00000005: 0004002a 00240015 00000003 00000003 00000019 00000000

More information in smem_log.h

rmnet (Remote Network)¶

• consists of control channel and data channel
• data channel carries IP data
• control channel carries QMI messages

• drivers/net/ethernet/msm/msm_rmnet_bam.c
  • ioctl() to set ethernet or rawip (RMNET_IOCTL_SET_LLP_ETHERNET, RMNET_IOCTL_SET_LLP_IP, RMNET_IOCTL_GET_LLP), initial boot time config is ETHERNET
  • use msm_bam_dmux_open() to attach
  • use RMNET_IOCTL_GET_EPID to get the BAM_DMUX endpoint id

bam (Bus Access Manager/Module)¶

• The Bus Access Manager/Module (BAM) can be
  considered as a distributed data mover (DM)
• some kind of DMA controller/engine
• A number of the on-chip devices have their own BAM DMA controller
  and use it to move data between system memory and peripherals or
  between two peripherals.

Files:

./drivers/dma/qcom_bam_dma.c
./drivers/net/ethernet/msm/msm_rmnet_bam.c
./drivers/platform/msm/sps/bam.c
./drivers/platform/msm/sps/sps_bam.c
./drivers/platform/msm/usb_bam.c

• channels (BAM_DMUX_)
  • RMNET_0...7
  • USB_RMNET_0
  • DATA_REV_RMNET_0..8
  • USB_DPL

seem to be be based on dmux ./drivers/soc/qcom/bam_dmux.c

IPA (Internet Packet Accelerator)¶

Internet Packet Accelerator (IPA) is a programmable protocol
processor HW block. It is designed to support generic HW processing
of UL/DL IP packets for various use cases independent of radio
technology.

See drivers/platform/msm/ipa/

http://www.sumobrain.com/patents/wipo/Accelerator/WO2013063791A1.pdf

bam2bam¶

maybe soem kind of direct connection between two peripherals by means of the BAM?

Android USB Gadget¶

see Android_USB_Gadget

IPC Router¶

IPC is a Qualcomm mechanism for Inter-Processor-Communications.

The IPC router binds to the the following SMD channels: RPCRPY_CNTL, IPCRTR

IPC Logging¶

see IPC_Logging

diag¶

Please see DIAG for more details on Qualcomm DIAG in the context of the modems we are documenting here.

diag forwarding¶

drivers/char/diag/diagfwd.[ch]
drivers/usb/gadget/f_diag.[ch]
drivers/usb/misc/diag_bridge.c

• the usb diag gadget handles diag packet read/write over usb
• issues events like USB_DIAG_READ_DONE
• picked up by diagfwd.c
  • can forward diag requests via SMD shared memory to other processors

diag char¶

The kernel exports a /dev/diag char device which userspce processes can
use to register/listen for DIAG events from the system, or actually
register a DIAG 'subsystem' themselves which can then be controlled from
QXDM.

drivers/char/diag/diagchar_core.c

• ioctl()s for diag configuration
• supports several concurrent diag clients
• diag logging can be directed to USB/HSIC, character device and more
  • {USB,CALLBACK,MEMORY_DEVICE,UART,NO_LOGGING}_MODE

drivers/char/diag/diag_dci.c

• DCI table is a routing table where pid/sockets can register for a
  given DCI. socket close/cleanup code releases all DCI routes for
  that socket.

DIAG_IOCTL_COMMAND_REG¶

• Register a new DIAG command so it can be used from the outside world (QXDM)
• use 'struct diag_cmd_reg_entry_t' per command
• driver keeps a driver->cmd_reg_list of registered commands

DIAG_IOCTL_COMMAND_DEREG¶

• unregister debug command

DIAG_IOCTL_GET_DELAYED_RSP_ID¶

DIAG_IOCTL_DCI_REG¶

DIAG_IOCTL_DCI_DEINIT¶

DIAG_IOCTL_DCI_SUPPORT¶

DIAG_IOCTL_DCI_HEALTH_STATS¶

DIAG_IOCTL_DCI_LOG_STATUS¶

DIAG_IOCTL_DCI_EVENT_STATUS¶

DIAG_IOCTL_DCI_CLEAR_LOGS¶

DIAG_IOCTL_DCI_CLEAR_EVENTS¶

DIAG_IOCTL_LSM_DEINIT¶

DIAG_IOCTL_SWITCH_LOGGING¶

• switch between USB and shared-memory diag *

DIAG_IOCTL_REMOTE_DEV¶

DIAG_IOCTL_VOTE_REAL_TIME¶

DIAG_IOCTL_GET_REAL_TIME¶

DIAG_IOCTL_PERIPHERAL_BUF_CONFIG¶

DIAG_IOCTL_PERIPHERAL_BUF_DRAIN¶

DIAG_IOCTL_REGISTER_CALLBACK¶

• doen't really do anything but checking arguments ?!?

DIAG_IOCTL_HDLC_TOGGLE¶

enable or disable HDLC framing of /dev/diag

IRSC (IPC Router Security Control)¶

FIXME