


Qualcomm Kernel » History » Revision 16

Revision 15 (laforge, 12/26/2016 06:55 PM) → Revision 16/22 (laforge, 12/26/2016 06:59 PM)


 h1. Qualcomm Kernel 

 Random notes about the Qualcomm Kernel as used on the MDM9615 and MDM9x07.    May also apply to other Qualcomm Linux based systems such as Android smartphones. 

 h2. diag 

 h3. diag forwarding 


 * the usb diag gadget handles diag packet read/write over usb 
 * issues events like USB_DIAG_READ_DONE 
 * picked up by diagfwd.c 
 ** can forward diag requests via SMD shared memory to other processors 

 h3. diag char 

 The kernel exports a /dev/diag char device which userspce processes can 
 use to register/listen for DIAG events from the system, or actually 
 register a DIAG 'subsystem' themselves which can then be controlled from 


 * ioctl()s for diag configuration 
 * supports several concurrent diag clients 
 * diag logging can be directed to USB/HSIC, character device and more 


 * DCI table is a routing table where pid/sockets can register for a 
   given DCI.    socket close/cleanup code releases all DCI routes for 
   that socket. 


 * Register a new DIAG command so it can be used from the outside world (QXDM) 
 * use 'struct diag_cmd_reg_entry_t' per command 
 * driver keeps a driver->cmd_reg_list of registered commands 


 * unregister debug command 












 * switch between USB and shared-memory diag 







 * doen't really do anything but checking arguments ?!? 


 enable or disable HDLC framing of /dev/diag 

 h2. IRSC (IPC Router Security Control) 


 h2. SMD (shared memory) 

 * SMD sub-systems: 
 ** Modem (assumed to be hexagon with modem firmware?) 
 ** Q6 (formerly known as LPASS == Low Power Audio SubSystem) 
 ** DSPS 
 ** WCNSS (Wireless Connectivity Sub System) aka 'riva' 
 ** RPM (Resource Power Manager) 
 * inter-processor-interrupts for various 'edges' 

 h3. core driver 

 * arch/arm/mach-msm/smd.c 

 h4. api 

 * smd_open() 
 * smd_close() 
 * smd_write*() 
 * smd_read*() 
 * smsm_*() 

 h3. smd_tty 

 Seems to expose tty devices (/dev/smdN) bound to SMD channels. 

 h3. smd_nmea 

 Exposes a tty device (/dev/nmea) bound to a SMD channel named "GPSNMEA". 

 h3. MSM IPC (Inter Process Communications) socket 

 Qualcomm implements a socket-based inter process communication on Linux.    It is implemented using a new address family, @AF_MSM_IPC@ (27). 

 The socket is used as datagram type socket (SOCK_DGRAM). 

 The socket address of a related socket consists of: 

 * the socket family (AF_MSM_IPC) 
 * a @struct msm_ipc_addr@, consisting of 
 ** a single address type byte 
 ** a port address (node_id, port_id) 
 ** a port name (service, instance) 

 * arch/arm/mach-msm/ipc_socket.c 


 h3. packet ports 

 * Some kind of packet oriented interface towards the SMD 
 * msm_smd_pkt.c contains driver 
 ** smdpkt0..7+smd22 devices, 2048 byte buffer 
 ** open/release/read/write/poll syscalls implemented 

 h3. available SMD devices 

 From an EC25: 
 Primary allocation table: 
 root@mdm9607-perf:~# cat /sys/kernel/debug/smd/ch 
  4|rpm_requests         |P|APPS |OPENED |0x00400|0x001E0|0x001E0|DCCiwRsB|0x00000 
   |                     | |RPM    |OPENED |0x00400|0x00118|0x00118|DCCiwrsB|0x00000 
  5|rpm_requests         |P|MDMSW| Access Restricted 
   |                     | |RPM    | Access Restricted 
  6|rpm_requests         |P|WCNSS| Access Restricted 
   |                     | |RPM    | Access Restricted 
  7|rpm_requests         |P|TZ     | Access Restricted 
   |                     | |RPM    | Access Restricted 
  8|rpm_requests         |P|ADSP | Access Restricted 
   |                     | |RPM    | Access Restricted 

 APPS <-> MDMSW Primary allocation table: 
  0|DS                   |S|APPS |OPENED |0x02000|0x00000|0x00000|dcCiwrsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00000|0x00000|dCciwrsb|0x00000 
  1|IPCRTR               |P|APPS |OPENED |0x02000|0x012E4|0x012E4|DCCiwrsB|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x011F8|0x011F8|DCCiwrsB|0x00000 
  2|SSM_RTR_MODEM_APPS |P|APPS |CLOSED |0x02000|0x00000|0x00000|dcciwrsb|0x00000 
   |                     | |MDMSW|OPENING|0x02000|0x00000|0x00000|DCCiwrSb|0x00000 
  3|DIAG_2_CMD           |P|APPS |OPENED |0x02000|0x00000|0x00000|DCCiwrsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00000|0x00000|DCCiwrsb|0x00000 
  4|DIAG_2               |P|APPS |OPENED |0x02000|0x00000|0x00000|DCCiwrsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00000|0x00000|DCCiwrsb|0x00000 
  5|DIAG_CNTL            |P|APPS |OPENED |0x02000|0x00062|0x00062|DCCiwrsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x007F5|0x007F5|DCCiwrsB|0x00000 
  6|DIAG_CMD             |P|APPS |OPENED |0x02000|0x00000|0x00000|DCCiwrsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00000|0x00000|DCCiwrsb|0x00000 
  7|DIAG                 |P|APPS |OPENED |0x02000|0x00000|0x00000|DCCiwrsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00026|0x00026|DCCiwrsB|0x00000 
  8|apr_audio_svc        |P|APPS |OPENED |0x02000|0x002F0|0x002F0|DCCiwrsB|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00248|0x00248|DCCiwrsB|0x00000 
  9|apr_apps2            |P|APPS |CLOSED |0x02000|0x00000|0x00000|dcciwrsb|0x00000 
   |                     | |MDMSW|OPENING|0x02000|0x00000|0x00000|DCCiwrSb|0x00000 
 10|DATA1                |P|APPS |OPENED |0x02000|0x00000|0x00000|DCCiwrsB|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00000|0x00000|dCciwrsb|0x00000 
 11|DATA2                |P|APPS |CLOSED |0x02000|0x00000|0x00000|dcciwrsb|0x00000 
   |                     | |MDMSW|OPENING|0x02000|0x00000|0x00000|dCciwrSb|0x00000 
 12|DATA3                |P|APPS |OPENED |0x02000|0x00000|0x00000|dcCiwrsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00000|0x00000|dCciwrsb|0x00000 
 13|DATA4                |P|APPS |OPENED |0x02000|0x00000|0x00000|DCCiwrsB|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00000|0x00000|dCciwrsb|0x00000 
 14|DATA11               |S|APPS |OPENED |0x02000|0x00089|0x00089|dcCiwRsb|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x0012B|0x0012B|dCciwrsB|0x00000 
 15|DATA40               |P|APPS |CLOSED |0x02000|0x00000|0x00000|dcciwrsb|0x00000 
   |                     | |MDMSW|OPENING|0x02000|0x00000|0x00000|dcciwrSb|0x00000 
 16|DATA5_CNTL           |P|APPS |CLOSED |0x00400|0x00000|0x00000|dcciwrsb|0x00000 
   |                     | |MDMSW|OPENING|0x00400|0x00000|0x00000|DCCiwrSb|0x00000 
 17|DATA40_CNTL          |P|APPS |OPENED |0x02000|0x00000|0x00000|DCCiwrsB|0x00000 
   |                     | |MDMSW|OPENED |0x02000|0x00100|0x00100|DCCiwrsB|0x00000 

 From an [[EC20]]: 

 /sys/kernel/debug/smd # cat ch  
 ch00:     OPENED(0000/0000) dcCiwrsb <->     OPENED(0000/0000) dCciwrsB :    2000 
 ch04:     OPENED(27336/27336) DCCiwrsB <->     OPENED(6552/6552) DCCiwrsB :    8000 
 ch05:     OPENED(0000/0000) DCCiwrsb <->     OPENED(12568/12568) DCCiwrsB : 10000 
 ch06:     OPENED(1872/1872) DCCiwrsB <->     OPENED(0216/0216) DCCiwrsB :    2000 
 ch07:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :    2000 
 ch08:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :     400 
 ch09:     OPENED(0952/0952) DCCiwrsb <->     OPENED(0438/0438) DCCiwrsB :     400 
 ch10:     OPENED(0000/0000) DCCiwrsb <->     OPENED(0000/0000) DCCiwrsb :    2000 
 ch11:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :    2000 
 ch12:     OPENED(0000/0000) DCCiwrsb <->     OPENED(0000/0000) DCCiwrsb :    2000 
 ch13:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :    2000 
 ch14:     OPENED(0480/0480) DCCiwrsB <->     OPENED(0376/0376) DCCiwrsB :     400 
 ch15:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :    2000 
 ch16:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :    2000 
 ch17:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :     400 
 ch18:     OPENED(0000/0000) DCCiwrsb <->     OPENED(0000/0000) DCCiwrsb :    2000 
 ch19:     OPENED(0952/0952) DCCiwrsb <->     OPENED(0370/0370) DCCiwrsB :     400 
 ch20:     OPENED(0021/0021) DCCiwrsb <->     OPENED(0078/0078) DCCiwrsB :    2000 
 ch21:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) DCCiwrSb :    2000 
 ch22:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) dCciwrSb :    2000 
 ch23:     OPENED(0000/0000) dcCiwrsb <->     OPENED(0000/0000) dCciwrsB :    2000 
 ch24:     OPENED(0000/0000) DCCiwrsb <->     OPENED(0000/0000) dCciwrsb :    2000 
 ch25:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) dCciwrSb :    2000 
 ch26:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) dCciwrSb :    2000 
 ch27:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) dcciwrSb :    2000 
 ch28:     OPENED(0000/0000) DCCiwrsb <->     OPENED(0000/0000) DCCiwrsB :    2000 
 ch29:     CLOSED(0000/0000) dcciwrsb <->    OPENING(0000/0000) dcciwrSb :    2000 
 ch30:     OPENED(0295/0295) DCCiwrsB <->     OPENED(0563/0563) DCCiwrsB :     400 
 ch31:     OPENED(0237/0237) DCCiwrsB <->     OPENED(0415/0415) DCCiwrsB :     400 
 ch32:     OPENED(0237/0237) DCCiwrsB <->     OPENED(0415/0415) DCCiwrsB :     400 
 ch33:     OPENED(0237/0237) DCCiwrsB <->     OPENED(0415/0415) DCCiwrsB :     400 
 ch34:     OPENED(0000/0000) DCCiwrsb <->     OPENED(0000/0000) dCciwrsb :    2000 

 /sys/kernel/debug/smd # cat tbl 
 name=DS cid=0 ch type=0 xfer type=1 ref_count=2 
 name= cid=0 ch type=0 xfer type=0 ref_count=0 
 name= cid=0 ch type=0 xfer type=0 ref_count=0 
 name= cid=0 ch type=0 xfer type=0 ref_count=0 
 name=MSGR_SMD_P1 cid=4 ch type=11 xfer type=2 ref_count=2 
 name=MSGR_SMD_P0 cid=5 ch type=11 xfer type=2 ref_count=2 
 name=IPCRTR cid=6 ch type=1 xfer type=2 ref_count=1 
 name=IPCRTR cid=7 ch type=2 xfer type=2 ref_count=1 
 name=sys_mon cid=8 ch type=1 xfer type=2 ref_count=1 
 name=DIAG_CNTL cid=9 ch type=1 xfer type=2 ref_count=2 
 name=DIAG cid=10 ch type=1 xfer type=2 ref_count=2 
 name=apr_audio_svc cid=11 ch type=1 xfer type=2 ref_count=1 
 name=apr_voice_svc cid=12 ch type=2 xfer type=2 ref_count=2 
 name=apr_apps2 cid=13 ch type=1 xfer type=2 ref_count=1 
 name=RPCRPY_CNTL cid=14 ch type=0 xfer type=2 ref_count=2 
 name=IPCROUTER cid=15 ch type=0 xfer type=0 ref_count=1 
 name=SSM_RTR cid=16 ch type=0 xfer type=2 ref_count=1 
 name=sys_mon cid=17 ch type=0 xfer type=2 ref_count=1 
 name=DIAG_2 cid=18 ch type=0 xfer type=2 ref_count=2 
 name=DIAG_CNTL cid=19 ch type=0 xfer type=2 ref_count=2 
 name=DIAG cid=20 ch type=0 xfer type=2 ref_count=2 
 name=apr_voice_svc cid=21 ch type=0 xfer type=2 ref_count=1 
 name=DATA1 cid=22 ch type=0 xfer type=2 ref_count=2 
 name=DATA2 cid=23 ch type=0 xfer type=2 ref_count=2 
 name=DATA3 cid=24 ch type=0 xfer type=2 ref_count=2 
 name=DATA4 cid=25 ch type=0 xfer type=2 ref_count=2 
 name=DATA11 cid=26 ch type=0 xfer type=1 ref_count=2 
 name=DATA40 cid=27 ch type=0 xfer type=2 ref_count=2 
 name=DATA40_CNTL cid=28 ch type=0 xfer type=2 ref_count=2 
 name=DATA8 cid=29 ch type=0 xfer type=2 ref_count=2 
 name=DATA5_CNTL cid=30 ch type=0 xfer type=2 ref_count=2 
 name=DATA6_CNTL cid=31 ch type=0 xfer type=2 ref_count=2 
 name=DATA7_CNTL cid=32 ch type=0 xfer type=2 ref_count=2 
 name=DATA8_CNTL cid=33 ch type=0 xfer type=2 ref_count=2 
 name=GPSNMEA cid=34 ch type=0 xfer type=2 ref_count=2 

 h2. smem_log 

 This is some kidn of high speed shared memory based event log to which all processors can log events. 

 Userspace applications can use write() to @/dev/smem_log@ to add log entries. 

 Qualcomm uses a proprietary minimal shim layer offering SMEM_LOG_EVENT and SMEM_LOG_EVENT6 macros 
 that can be used to write events with an event ID plus three data words or six data words, respectively. 

 The shared memory log can be read from linux userspace via debugfs, see the devices in @/sys/kernel/debug/smem_log@ 
 and simply use @cat@ on them. You will get lines like 
 MODM: 3982377401 000d0000: 00000001: 03000019 01000028 01000015 53505041 00000061 5f696d71 
 MODM: 3982378159        QCSI: 00000004: 00040029 00240015 00000003 00000001 0000002b 00000000 
 MODM: 3982378619 000d0000: 00000001: 03000019 0100002b 01000015 53505041 00000061 5f696d71 
 APPS: 3982397356        QCCI: 00000005: 0004001d 0024000e 00000003 00000003 00000019 00000000 
 APPS: 3982400571        QCCI: 00000005: 00040029 0024000e 00000003 00000003 00000019 00000000 
 MODM: 1841235211        QCSI: 00000004: 0004001e 0024001c 00000003 00000001 00000028 00000000 
 MODM: 1841236665 000d0000: 00000001: 03000019 01000028 0101001c 53505041 00000061 5f696d71 
 MODM: 1841241411        QCSI: 00000004: 0004002a 0024001c 00000003 00000001 0000002b 00000000 
 MODM: 1841242246 000d0000: 00000001: 03000019 0100002b 0100001c 53505041 00000061 5f696d71 
 MODM: 1841243796        QCSI: 00000004: 0004002b 00660019 00000003 00000001 0000002b 00000000 
 MODM: 1841244286 000d0000: 00000001: 03000019 0100002b 01000019 53505041 00000061 5f696d71 
 APPS: 1841255456        QCCI: 00000005: 0004001e 00240015 00000003 00000003 00000019 00000000 
 MODM: 1841255335 000d0000: 00000002: 0100ffff 0300ffff 07000014 53505041 0000016c 74646d73 
 MODM: 1841255828 000d0000: 00000702: 00000001 00000028 00000007 
 APPS: 1841261430        QCCI: 00000005: 0004002a 00240015 00000003 00000003 00000019 00000000 

 More information in @smem_log.h@ 

 h2. rmnet 

 "remote network" ? 
 * consists of control channel and data channel 
 * data channel carries IP data 
 * control channel carries QMI messages 

 * drivers/net/ethernet/msm/msm_rmnet_bam.c 
 ** ioctl() to set ethernet or rawip (RMNET_IOCTL_SET_LLP_ETHERNET, RMNET_IOCTL_SET_LLP_IP, RMNET_IOCTL_GET_LLP), initial boot time config is ETHERNET 
 ** use msm_bam_dmux_open() to attach 
 ** use RMNET_IOCTL_GET_EPID to get the BAM_DMUX endpoint id 

 h2. bam (Bus Access Manager/Module) 

 * The Bus Access Manager/Module (BAM) can be 
   considered as a distributed data mover (DM) 
 * some kind of DMA controller/engine 
 * A number of the on-chip devices have their own BAM DMA controller 
   and use it to move data between system memory and peripherals or 
   between two peripherals. 


 * channels (BAM_DMUX_) 
 ** RMNET_0...7 
 ** USB_RMNET_0 
 ** DATA_REV_RMNET_0..8 
 ** USB_DPL 

 seem to be be based on dmux ./drivers/soc/qcom/bam_dmux.c 

 h2. IPA (Internet Packet Accelerator) 

 Internet Packet Accelerator (IPA) is a programmable protocol 
 processor HW block. It is designed to support generic HW processing 
 of UL/DL IP packets for various use cases independent of radio 

 See drivers/platform/msm/ipa/ 

 h2. bam2bam 

 maybe soem kind of direct connection between two peripherals by means of the BAM? 

 h2. Android USB Gadget 

 see [[Android_USB_Gadget]] 

 h2. IPC Logging 

 see [[IPC_Logging]]
Add picture from clipboard (Maximum size: 48.8 MB)