This talk


Cellular Modems in M2M


Device requirements

Our requirements for a good modem

Qualcomm DIAG protocol


Selecting a device



An unexpected surprise

Firmware update, hints of Linux

GPL compliance

Hardware based analysis


Serial Console


Retro-fitting Serial Console to mPCIe module


GPL compliance

I tried instruction above to build yaffs2 for MDM9615, so I downloaded source M9615AAAARNLZA1611161.xml but during compilation I faced some libs that are missing such as libQMI and acdb-loader..
— Tonino Perazzi


GPL compliance

  1. Asking for the complete and corresponding source

    • The source code of Qflash tool in Linux is attached, […]
  2. Asking again for the complete and corresponding source

We never been in legal dispute and we always make sure to understand IPR ahead of using technology belonging to third party.
— Quectel


GPL compliance

  1. Asking for the complete and corresponding source

    We appreciate the efforts that your client had put into the open source project netfilter/iptable. However, […] your client does not have the right to empower the copyright. We think software netfilter/iptable is built on the code operating system GUN/Linux, thus subject to GPL terms, where FSF requires that each author of code incorporated in FSF projects either provide copyright assignment to FSF or disclaim copyright. Therefore, It seems that your client does not have the copyright on netfilter/iptable.

    As one of the leading providers of wireless solution, Quectel is always respectful IPR. We would like to compliant with GPL and do some necessary statements,including a disclaimer or appropriate notices. Under the terms of GPL, we would like to dedicate Kernel code of EC25x to free software community.
    — Quectel

GPL compliance

  1. Asking for the complete and corresponding source

    Many thanks for your detailed explanations GPL/LGPL license terms and the practical methods. I will carefully study your suggestions again and find a proper way to open GLP/LGPL licensed software. Basically, we will simply provide a tarball of open source for download at this time. And release the git repositories in next step.
    — Quectel
  2. Asking for the complete and corresponding source

    We are always willing to achieve GPL compliance.
    — Quectel
  3. Asking for the complete and corresponding source

    So we need some time to know of all things and construct the Open Source projects. Within a short time, we cannot construct a perfect web site to present Open Source things now. However, we will continue to do like that.
    — Quectel

GPL compliance

  1. Your tarball is missing some files

We have issued all GPL licensed source code. We have no the xt_dscp file in the project, and nor Qulacomm. It must be caused by your compilation environment. If you have more question or problem during the development with Quectel module, please add my Skype ID (XXXXX), I will continue to support you on Skype.
The email will not discuss the compiling issue any more.
— Quectel

GPL compliance


MDM 9615 HW and SW

Qualcomm Hardware

MDM 9615 HW Overview

How to access the system?

MDM 9615 AP SW Overview


The software stack seems to be called Qualcomm LE

Qualcomm Linux kernel overview

Qualcomm Linux kernel subsystems

Some of the Qualcomm-specific kernel sub-systems


Shared Memory Device


Inter Processor Communications


Remote Network


Bus Access Manager


Internet Packet Accelerator


DIAG Forwarding


Socket family for Qualcomm IPC

Qualcomm LE System Architecture


DIAG in Qualcomm LE


QMI in Qualcomm LE

every rmnet data device has associated QMI control


Tools for analysis

We created some tools to help our analysis

Userspace programs

We found a bunch of proprietary Linux userspace programs


Implements Android Debug Bridge


Implement Quectel-Specific AT Commands


?; various ASoC related bits




Mobile Broadband IF Model (translates MBIM to QMI)


runs linux-base WiFi AP/router with LTE backhaul


reads GPS NMEA from /dev/nmea and writes it to /dev/ttyGS0

Funny bits + pieces

Funny AT commands

How many processes does it take to reboot a system?

read_count = read(pipe_fd,buf,MAX_BUF-1);
/* if read REBOOT_STR, then call reboot */
if(strncmp(buf,REBOOT_STR,strlen(REBOOT_STR)) == 0) {
    debug_printf("going for reboot\n");
    printf("reboot-daemon: initiating reboot\n");

C programs that look like shell scripts

echo "nau8814-aif1" > /sys/devices/platform/soc-audio.0/tx_dai_name
cp -f /cache/usb/qcfg_usbcfg /etc/; cp -f /cache/usb/usb /etc/init.d/
echo 90 >/sys/kernel/debug/pm8xxx-pwm-dbg/0/duty-cycle
pkill -f "/bin/sh /usr/bin/"
ps ef | grep "quec_bridge /dev/nmea /dev/ttyGS0" | grep -v grep
cd /cache/ufs;ls

Firmware upgrade

recovery and applypatch

// Look for an RSA signature embedded in the .ZIP file comment given
// the path to the zip.  Verify it matches one of the given public
// keys.

Qualcomm EC20 firmware upgrade


RedBend (delta update) software


Firmware upgrade overview


$ strings atfwd_daemon | egrep  "wget|QCMAP|fota|update.z"

... QCMAP_ConnectionManager /etc/mobileap_cfg.xml n n fotanet
/usr/bin/wget -T 20 -t 3 %s -O %s
mv %s %s && mkdir -p /cache/fota && echo %s > %s
rm -rf /cache/fota /cache/recovery /cache/
Start download fota for

Recommendation to modem vendors

Status and Outlook

Unrelated Announcement