Re: Novatel Wireless power cycle

[Dan Williams <dcbw redhat com>]

On Thu, 2012-10-11 at 08:45 -0400, David Pfeffer wrote:
> Hi all,
> 
> 
> I noticed in the modemmanager Novatel plugin code there's nothing
> there to power cycle the modem on disable/enable. This is a problem
> for me since I've found that one modem in particular, the MC760, it'll
> sometimes get into this state where the radio always tells the modem
> there's No Carrier until you power cycle it.
> 
> 
> I don't know about the GSM devices, but I've been developing for a
> little while now with the CDMA devices. There's definitely a way to do
> it. Using strace and the NovaCore SDK (which I have obtained from
> Novatel's software development department and without signing an NDA),
> I've found that the following goes out over the QCDM port when you
> turn the radio off in the SDK:
> 
> 
> write(4, "K\17\0\0\273`~", 7)           = 7
> write(4, "K\372\7\0\7\377\377\0\0\344o~", 12) = 12
> write(4, "K\17\0\0\273`~", 7)           = 7
> write(4, ")\1\0001@~", 6)               = 6
> write(4, "K\17\0\0\273`~", 7)           = 7
> write(4, "K\17\0\0\273`~", 7)           = 7

They break down like this:

K = DIAG_CMD_SUBSYS
\17 (decimal 15) = DIAG_SUBSYS_CM (call manager)
\0\0 = DIAG_SUBSYS_CM_STATE_INFO

K = DIAG_CMD_SUBSYS
\372 (decimal 250) = DIAG_SUBSYS_RESERVED_OEM_0
\7\0 (0x7) = DIAG_SUBSYS_NW_CONTROL_MODEM_SNAPSHOT
\7 = DIAG_SUBSYS_NW_CONTROL_MODEM_SNAPSHOT_TECH_CDMA_EVDO
\377\377\0\0 = snapshot mask

) = DIAG_CMD_CONTROL
\1 = DM_CONTROL_MODE_OFFLINE

So basically it's querying the generic modem state using the Call
Manager subsystem (see DMCmdSubsysCMStateInfoRsp in libqcdm), and then
it's asking for the Novatel-specific subsystem state (see
DMCmdSubsysNwSnapshotRsp and DMCmdSubsysNwSnapshotCdma in libqcdm) and
then it's telling the modem to go offline.  I'll assume at some point it
tells the modem to go back online too :)

> However, I have no idea what this means -- I can't find any
> documentation to speak of for QCDM so its just opaque binary to me.

Because there isn't unless you sign NDAs with Qualcomm, and then you
can't do anything open-source with it.  So we've basically reverse
engineered some stuff we need for ModemManager:

http://cgit.freedesktop.org/ModemManager/ModemManager/tree/libqcdm

and perhaps more specifically:

http://cgit.freedesktop.org/ModemManager/ModemManager/tree/libqcdm/src/dm-commands.h

The actual C API that clients of libqcdm should use is commands.h
though, since the rest of the stuff is pretty low-level and the
internals might change around if we discover something new later, which
is why the commands.h uses the QcdmResult structure instead of hardcoded
returned parameters.

> If someone is willing to assist me with the QCDM portion or give me
> some pointers, I'd be happy to reverse engineer power off, power on,
> and reset, and contribute a patch back. Again this is just for CDMA
> -- 

The CONTROL command works for both GSM and CDMA devices actually.  I'm
just missing the define for "online" so if you can capture that, that
would be great.  I'm pretty sure it'll be something like:

write(4, ")\0\0001@~", 6) or write(4, ")\3\0001@~", 6)

there are a bunch of modes though, but I'm guessing that "online" is
mode 0.

> the NovaCore SDK does support GSM devices but I don't own one. If
> someone else has one, I can send you the NovaCore SDK to reverse
> engineer this for GSM modems.

What license is the NovaCore SDK distributed under?  That has a great
deal to do with whether or not it can just be sent around.  If you've
obtained it under a method compatible with the license (ie, directly
from Novatel) that's probably fine, but downloading it off some Chinese
site may not be.  Also note that even though the EULA or license may
prohibit reverse engineering (almost all software EULAs do), it's
actually completely legal for the purpose of interoperability, which is
what we're doing here with libqcdm.  But it still depends on how you got
it...

I typically use a Windows connection manager and sniff the USB packets,
since all the connection managers are legally obtainable via the carrier
or manufacturers websites, or even in the firmware on the dongles
themselves.  Helps keep the legal things clearer.

Dan