On Android, the RIL (Radio Interface Layer) is a good way to get information about the radio modem states.

States (in 3G networks: IDLE, FACH, DCH) are interesting because they greatly affect the phone's battery life. Researchers use them to characterize the energy consumption of mobile phones, for example.

The Samsung Galaxy S2/S3 offer a good level of access thanks to embedded software reachable with the classic keypad combo (*#*#197328640*#*#), but this is a combination of Java software (SamsungServiceApp) and support in the RIL libraries and daemon, which in the end talks to the modem, in this case an Infineon chip.

Recently a new piece of software emerged – xgoldmon – that attempts to do the same thing through the USB port. This is possible because the Galaxy family has a software switch that gives access to the modem through the USB port, much as Qualcomm does with its QXDM software suite.

I was curious whether the Galaxy Nexus could do the same, as it is 1) made by Samsung and 2) running the same radio chip (X-Gold).

Apparently the following command changes the USB port behavior:

echo MODEM > /sys/devices/tuna_otg/usb_sel

The Galaxy Nexus is then recognized as a Comneon device – with seven /dev/ttyACMX devices on Linux 🙂. Now the main issue is to bring this to life in xgoldmon (still unsure if messages are sent through these interfaces). Rebooting restores the original device state.

UPDATE (19/02/03): got the Galaxy Nexus working with xgoldmon. Once the Galaxy Nexus is configured to expose the ttyACM ports on Linux, just activate tracing by sending AT+TRACE=1 to /dev/ttyACM0.

You should obtain :


+TRACE: description START
at+trace=[<mode>],[<speed>],["<unit>=<umode>[,<unit>=<umode>[;…]]]",["<method>"],[PowerSavingCountdown]

0:        sets all units OFF [param <unit> will be ignored !]
1:        sets all units ON  [param <unit> will be ignored !]
no param: 3rd param. <units> configures trace-units
-> trace? will then display 128 as <mode>
<speed>: (115200,230400,460800,921600,1843200,3000000,3250000,6000000)

ap: apoxi
st: stack
db: debug
pr: printf
bt: bluetooth
lt: LLT
li: LwIP
gt: GATE

0: unit-trace OFF
1: unit-trace ON

"BTM":  byte stuffing trace method
"DTM":  direct trace method
"EBTM": extended byte stuffing trace method
<PowerSavingCountdown in msecs>: (0-30000)

at+trace=,115200,"st=1,pr=1,bt=1,ap=0,db=1,lt=0,li=0"
at+trace=,,"lt=1,db=1,ga=0"
at+trace=,,,"EBTM"

+TRACE: description END
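
The help text above defines which values each at+trace parameter accepts. The following added example (not part of the original post or of xgoldmon) builds a command line from that syntax and refuses anything the help text does not list, so a typo is caught before it is written to the modem port. The helper name build_trace_cmd is hypothetical, and the code assumes the quoted parameters use plain double quotes and that units are comma-separated as in the help's own examples.

```python
# Added example: values below are copied from the +TRACE help text on this page.
SPEEDS = {115200, 230400, 460800, 921600, 1843200, 3000000, 3250000, 6000000}
UNITS = ("ap", "st", "db", "pr", "bt", "lt", "li", "gt")
METHODS = ("BTM", "DTM", "EBTM")


def build_trace_cmd(mode=None, speed=None, units=None, method=None, countdown=None):
    """Build an at+trace= line; raise ValueError for anything the help text does not list.

    build_trace_cmd is a hypothetical helper name, not part of xgoldmon.
    """
    if mode is not None and mode not in (0, 1):
        raise ValueError(f"<mode> must be 0 or 1, got {mode!r}")
    if mode is not None and units:
        # Help text: with <mode> 0 or 1, "param <unit> will be ignored".
        raise ValueError("<unit> settings are ignored when <mode> is given")
    if speed is not None and speed not in SPEEDS:
        raise ValueError(f"unsupported <speed> {speed!r}")
    for unit, umode in (units or {}).items():
        if unit not in UNITS:
            raise ValueError(f"unknown trace unit {unit!r}")
        if umode not in (0, 1):
            raise ValueError(f"<umode> for {unit} must be 0 or 1")
    if method is not None and method not in METHODS:
        raise ValueError(f"unknown <method> {method!r}")
    if countdown is not None and not 0 <= countdown <= 30000:
        raise ValueError("PowerSavingCountdown must be 0-30000 ms")

    # Units keep the order in which the caller listed them.
    unit_str = ",".join(f"{u}={m}" for u, m in (units or {}).items())
    fields = [
        "" if mode is None else str(mode),
        "" if speed is None else str(speed),
        f'"{unit_str}"' if unit_str else "",
        f'"{method}"' if method else "",
        "" if countdown is None else str(countdown),
    ]
    while fields and fields[-1] == "":  # drop trailing empty parameters
        fields.pop()
    return "at+trace=" + ",".join(fields)


if __name__ == "__main__":
    print(build_trace_cmd(mode=1))  # the command used in this post
    print(build_trace_cmd(speed=115200, units={"st": 1, "pr": 1, "db": 1}))
    print(build_trace_cmd(method="EBTM"))
```

The unit name ga from the help's second example is rejected here, because it does not appear in the unit list the same help text prints.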


You can then enable the debug mode :



Then xgoldmon should parse the messages on port /dev/ttyACM1.

user@hostname:~/xgoldmon$ ./xgoldmon -t s2 -l /dev/ttyACM1
LOG:>>URC Type : SIGNALSTRENGTH >< SIM ID : 0>< count of processors : 4

UPDATE (21/02/2013): With the latest versions of xgoldmon, bboscom and Wireshark, we can get a good trace in Wireshark.


