EM7565 band numbers are off by one in "Get LTE Cphy CA Info"

This was reported on the libqmi-devel list, and I don’t have an EM7565 myself yet. So I cannot verify it on the Sierra Wireless QMI SDK. Apologies for that. But the actual issue is completely unrelated to host software. I hope you can investigate the issue. Reproducing it using the QMI SDK should be easy for anyone with the hardware.

The problem is that the band numbers in the “Phy CA Agg SCell Info” and “Phy CA Agg PCell Info” TLVs (0x12 and 0x13) are off by one. Example (for those not fluent in libqmi debug info: the line with 'data =' contains the complete QMI response packet as colon-separated ASCII hex):

[04 Dec 2017, 07:30:57] [Debug] [/dev/cdc-wdm0] received message...
<<<<<< RAW:
<<<<<<   length = 91
<<<<<<   data   =
01:5A:00:80:03:01:02:01:00:AC:00:4E:00:02:04:00:00:00:00:00:10:08:00:05:00:4C:0C:02:00:00:00:11:04:00:05:00:00:00:12:0E:00:04:00:86:0B:05:00:00:00:7F:00:02:00:00:00:13:0A:00:05:00:4C:0C:05:00:00:00:7F:00:14:01:00:01:15:10:00:01:04:00:86:0B:05:00:00:00:7F:00:02:00:00:00:01

[04 Dec 2017, 07:30:57] [Debug] [/dev/cdc-wdm0] received generic response
(translated)...
<<<<<< QMUX:
<<<<<<   length  = 90
<<<<<<   flags   = 0x80
<<<<<<   service = "nas"
<<<<<<   client  = 1
<<<<<< QMI:
<<<<<<   flags       = "response"
<<<<<<   transaction = 1
<<<<<<   tlv_length  = 78
<<<<<<   message     = "Get LTE Cphy CA Info" (0x00AC)
<<<<<< TLV:
<<<<<<   type       = "Result" (0x02)
<<<<<<   length     = 4
<<<<<<   value      = 00:00:00:00
<<<<<<   translated = SUCCESS
<<<<<< TLV:
<<<<<<   type   = 0x10
<<<<<<   length = 8
<<<<<<   value  = 05:00:4C:0C:02:00:00:00
<<<<<< TLV:
<<<<<<   type       = "DL Bandwidth" (0x11)
<<<<<<   length     = 4
<<<<<<   value      = 05:00:00:00
<<<<<<   translated = 20
<<<<<< TLV:
<<<<<<   type       = "Phy CA Agg SCell Info" (0x12)
<<<<<<   length     = 14
<<<<<<   value      = 04:00:86:0B:05:00:00:00:7F:00:02:00:00:00
<<<<<<   translated = [ physical_cell_id = '4' rx_channel = '2950'
dl_bandwidth = '20' lte_band = 'eutran-8' state = 'activated' ]
<<<<<< TLV:
<<<<<<   type       = "Phy CA Agg PCell Info" (0x13)
<<<<<<   length     = 10
<<<<<<   value      = 05:00:4C:0C:05:00:00:00:7F:00
<<<<<<   translated = [ physical_cell_id = '5' rx_channel = '3148'
dl_bandwidth = '20' lte_band = 'eutran-8' ]
<<<<<< TLV:
<<<<<<   type       = "SCell index" (0x14)
<<<<<<   length     = 1
<<<<<<   value      = 01
<<<<<<   translated = 1
<<<<<< TLV:
<<<<<<   type   = 0x15
<<<<<<   length = 16
<<<<<<   value  = 01:04:00:86:0B:05:00:00:00:7F:00:02:00:00:00:01

Notice that the band values are 0x007F, which maps to EUTRAN-8 as shown by the libqmi debug output. This is obviously incorrect, and does not match the given channel numbers.

Here is a similar example from an EM7455 to illustrate what those TLVs really should have looked like. You see the same channels, but here the band numbers are 0x007E which is correct:

[04 Dec 2017, 07:13:58] [Debug] [/dev/cdc-wdm0] received message...
<<<<<< RAW:
<<<<<<   length = 61
<<<<<<   data   =
01:3C:00:80:03:03:02:01:00:AC:00:30:00:02:04:00:00:00:00:00:11:04:00:05:00:00:00:12:0E:00:04:00:86:0B:05:00:00:00:7E:00:02:00:00:00:13:0A:00:05:00:4C:0C:05:00:00:00:7E:00:14:01:00:01

[04 Dec 2017, 07:13:58] [Debug] [/dev/cdc-wdm0] received generic response
(translated)...
<<<<<< QMUX:
<<<<<<   length  = 60
<<<<<<   flags   = 0x80
<<<<<<   service = "nas"
<<<<<<   client  = 3
<<<<<< QMI:
<<<<<<   flags       = "response"
<<<<<<   transaction = 1
<<<<<<   tlv_length  = 48
<<<<<<   message     = "Get LTE Cphy CA Info" (0x00AC)
<<<<<< TLV:
<<<<<<   type       = "Result" (0x02)
<<<<<<   length     = 4
<<<<<<   value      = 00:00:00:00
<<<<<<   translated = SUCCESS
<<<<<< TLV:
<<<<<<   type       = "DL Bandwidth" (0x11)
<<<<<<   length     = 4
<<<<<<   value      = 05:00:00:00
<<<<<<   translated = 20
<<<<<< TLV:
<<<<<<   type       = "Phy CA Agg SCell Info" (0x12)
<<<<<<   length     = 14
<<<<<<   value      = 04:00:86:0B:05:00:00:00:7E:00:02:00:00:00
<<<<<<   translated = [ physical_cell_id = '4' rx_channel = '2950'
dl_bandwidth = '20' lte_band = 'eutran-7' state = 'activated' ]
<<<<<< TLV:
<<<<<<   type       = "Phy CA Agg PCell Info" (0x13)
<<<<<<   length     = 10
<<<<<<   value      = 05:00:4C:0C:05:00:00:00:7E:00
<<<<<<   translated = [ physical_cell_id = '5' rx_channel = '3148'
dl_bandwidth = '20' lte_band = 'eutran-7' ]
<<<<<< TLV:
<<<<<<   type       = "SCell index" (0x14)
<<<<<<   length     = 1
<<<<<<   value      = 01
<<<<<<   translated = 1

I guess this is something for Qualcomm. Could you please report the issue to them if you are able to reproduce? This will make a mess of any software trying to use these values.

Hi,

libqmi is not supported but it will be validated against our own QMI client and its APIs so if there is an issue against this then it will be corrected.

Regards

Matt

Just got an EM7565. So now I can reproduce this using the GobiNet driver (version S2.30N2.48) and the QMI SDK (version SLQS04.00.11). And as expected, the result is still the same: The firmware is off-by-one in the band values returned by SLQSNASGetLTECPHYCaInfo().

For simplest possible testing, I just added this function to the Connection_Manager sample app:

static void CAtest()
{
	nasGetLTECphyCa ca;
	PhyCaAggPcellInfo *p;
	ULONG   res;

	res = SLQSNASGetLTECPHYCaInfo(&ca);
	p = &ca.sPhyCaAggPcellInfo;

	if( eQCWWAN_ERR_NONE == res )
	{
		fprintf(stderr, "pci=%d, freq=%d, dl_bw_value=%d, iLTEbandValue=%d, TlvPresent=%d\n",
			p->pci, p->freq, p->dl_bw_value, p->iLTEbandValue, p->TlvPresent);
	}
}

Example output from the EM7565 is:

pci=261, freq=3050, dl_bw_value=5, iLTEbandValue=127, TlvPresent=1

and according to the SDK docs, the band values are coded as:

..
126 - LTE E-UTRA Operating Band 7
127 - LTE E-UTRA Operating Band 8
128 - LTE E-UTRA Operating Band 9
..

so the result from the firmware is obviously bogus. Channel 3050 is correct, but this channel is in band 7.

For some reason, the AT commands still report correct values:

at!gstatus?
!GSTATUS: 
Current Time:  6542             Temperature: 28
Reset Counter: 1                Mode:        ONLINE         
System mode:   LTE              PS state:    Attached     
LTE band:      B7               LTE bw:      20 MHz  
LTE Rx chan:   3050             LTE Tx chan: 21050
LTE SSC1 state:INACTIVE         LTE SSC1 band: B3     
LTE SSC1 bw  : Unknown          LTE SSC1 chan: 1450
LTE SSC2 state:NOT ASSIGNED
LTE SSC3 state:NOT ASSIGNED
LTE SSC4 state:NOT ASSIGNED
EMM state:     Registered       Normal Service 
RRC state:     RRC Connected  
IMS reg state: No Srv  

PCC RxM RSSI:  -63              PCC RxM RSRP:  -90
PCC RxD RSSI:  -64              PCC RxD RSRP:  -90
SCC1 RxM RSSI: -86              SCC1 RxM RSRP: -122
SCC1 RxD RSSI: -80              SCC1 RxD RSRP: -115
Tx Power:      --               TAC:         78bf (30911)
RSRQ (dB):     -6.5             Cell ID:     01058802 (17139714)
SINR (dB):     23.2


OK
at!lteinfo?
!LTEINFO: 
Serving:   EARFCN MCC MNC   TAC      CID Bd D U SNR PCI  RSRQ   RSRP   RSSI RXLV
             3050 242  01 30911 01058802  7 5 5  16 261  -6.6  -91.1  -64.4 --

IntraFreq:                                          PCI  RSRQ   RSRP   RSSI RXLV
                                                    261  -6.6  -91.1  -64.4 --

InterFreq: EARFCN ThresholdLow ThresholdHi Priority PCI  RSRQ   RSRP   RSSI RXLV
             1450            0           0        0   0   0.0    0.0    0.0   0
             1450            0           0        0   0   0.0    0.0    0.0   0
             1450            0           0        0   0   0.0    0.0    0.0   0
             1450            0           0        0   0   0.0    0.0    0.0   0
             1450            0           0        0   0   0.0    0.0    0.0   0
             1450            0           0        0   0   0.0    0.0    0.0   0
             1450            0           0        0   0   0.0    0.0    0.0   0

GSM:       ThreshL ThreshH Prio NCC ARFCN 1900 valid BSIC RSSI RXLV

WCDMA:     UARFCN ThreshL ThreshH Prio PSC   RSCP  ECN0 RXLV

CDMA 1x:   Chan BC Offset Phase Str

CDMA HRPD: Chan BC Offset Phase Str


OK
ati
Manufacturer: Sierra Wireless, Incorporated
Model: EM7565
Revision: SWI9X50C_01.00.02.00 6ff48a jenkins 2017/09/29 05:54:26
MEID: 359260080xxxxx
IMEI: 359260080xxxxx5
IMEI SV:  2
FSN: UF7424865xxxxx
+GCAP: +CGSM


OK

BTW, there is an error in the docs of the PhyCaAggPcellInfo struct in the SDK: It doesn’t document the iLTEbandValue field, but instead documents a ‘scell_state’ field which does not exist in this struct. Obvious copy-and-paste error when copying the PhyCaAggScellInfo struct docs…
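The cross-check described in the posts above, as an added example that is not code from the thread, libqmi or the Sierra SDK: it parses the two 'data =' dumps, walks the TLVs, and compares the band code in TLV 0x12/0x13 against the band implied by the channel number. The function names are hypothetical, the EARFCN ranges are the 3GPP TS 36.101 downlink ranges, and only the three band codes quoted from the SDK docs (126 to 128) are mapped.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* "data =" lines copied from the two debug logs in the thread. */
static const char EM7565_LOG[] = "01:5A:00:80:03:01:02:01:00:AC:00:4E:00:02:04:00:00:00:00:00:10:08:00:05:00:4C:0C:02:00:00:00:11:04:00:05:00:00:00:12:0E:00:04:00:86:0B:05:00:00:00:7F:00:02:00:00:00:13:0A:00:05:00:4C:0C:05:00:00:00:7F:00:14:01:00:01:15:10:00:01:04:00:86:0B:05:00:00:00:7F:00:02:00:00:00:01";
static const char EM7455_LOG[] = "01:3C:00:80:03:03:02:01:00:AC:00:30:00:02:04:00:00:00:00:00:11:04:00:05:00:00:00:12:0E:00:04:00:86:0B:05:00:00:00:7E:00:02:00:00:00:13:0A:00:05:00:4C:0C:05:00:00:00:7E:00:14:01:00:01";

/* Downlink EARFCN ranges (3GPP TS 36.101) for bands 7, 8 and 9. */
static int band_from_earfcn(unsigned earfcn) {
    if (earfcn >= 2750 && earfcn <= 3449) return 7;
    if (earfcn >= 3450 && earfcn <= 3799) return 8;
    if (earfcn >= 3800 && earfcn <= 4149) return 9;
    return -1;
}

/* 1 = band code agrees with the channel, 0 = mismatch, -1 = outside these tables.
   Only the codes quoted from the SDK docs are mapped: 126..128 -> band 7..9. */
int band_consistent(unsigned earfcn, unsigned code) {
    int expect = band_from_earfcn(earfcn);
    if (expect < 0 || code < 126 || code > 128) return -1;
    return expect == (int)code - 119;
}

static unsigned le16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Parse a colon-separated hex dump, skip the 13-byte QMUX+QMI header, and check
   TLV 0x12 or 0x13 (value: u16 pci, u16 earfcn, u32 dl_bw, u16 band, ...). */
int check_log_line(const char *hex, uint8_t type) {
    uint8_t msg[512];
    size_t len = 0, off = 13;
    while (len < sizeof msg) {
        char *end;
        unsigned long b = strtoul(hex, &end, 16);
        if (end == hex || b > 0xFF) break;      /* not a hex byte */
        msg[len++] = (uint8_t)b;
        if (*end != ':') break;                 /* end of dump */
        hex = end + 1;
    }
    while (off + 3 <= len) {
        size_t l = le16(msg + off + 1);
        if (off + 3 + l > len) return -1;       /* truncated TLV */
        if (msg[off] == type)
            return l < 10 ? -1 : band_consistent(le16(msg + off + 5), le16(msg + off + 11));
        off += 3 + l;
    }
    return -1;                                  /* TLV not present */
}

int main(void) {
    printf("EM7565 PCell %d, EM7455 PCell %d\n", check_log_line(EM7565_LOG, 0x13), check_log_line(EM7455_LOG, 0x13));
    return 0;
}
```

A return of 0 flags a response whose band code contradicts its own channel number, which host software can use to distrust the band field and derive the band from the EARFCN instead.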