domi, 08/15/2018 07:17 PM


D-Link DWM-222 stick

This stick is available at multiple operators and it is quite cheap. If you want to get into Linux-based Qualcomm dongles that are easier to attach to your laptop than Quectel modems (no messing around with mini-PCIe to USB adapters and whatnot), it might be a way to go.

WARNING!
The current version of the DWM-222 does NOT expose ADB, so accessing the underlying Linux is currently not possible! HOWEVER, there might be ways to enable this functionality, so keep reading, but BE AWARE BEFORE PURCHASING!

It is just a D-Link branded version of cheaper dongles made in China. Some of them are WiFi access points with LTE backhaul using QCMAP.
Examples of devices that are closely related:
  • PTCL Charji Wingle R660
  • (?)D-Link DWR 901 (unsure, FIXME)

Hardware

Opening the stick requires just removing the back cover (which reveals the standard size SIM slot and the microSD card reader), then unscrewing the 3 screws.
The stick is based on the Qualcomm MDM9225 chipset. It is closely related to the MDM9625 apparently (based on the firmware analysis).
There are two antenna connectors (U.FL) exposed on the PCB.

Software

The dongle is a typical USB WWAN modem. It requires usb_modeswitch to change from mass_storage mode (enables installation of driver) to modem mode.
Mass storage mode USB id: 2001:ab00
WWAN USB id: 2001:7e35

After the switch you'll see 4 ttyUSB devices appearing in /dev. For me these devices only started to work after telling the option driver about the USB id of the device:

echo "2001 7e35" > /sys/bus/usb-serial/drivers/option1/new_id

The devices are:

/dev/ttyUSB0  --> DIAG
/dev/ttyUSB1  --> AT commands
/dev/ttyUSB2
/dev/ttyUSB3
/dev/cdc-wdm0 --> QMI

Drivers

When in mass_storage mode, there is a Windows driver available with D-Link Connection Manager. It basically just switches the device to modem mode, and then provides a GUI to establish a connection.
Surprisingly, D-Link provides Linux support for the dongle. A page is dedicated to guiding you through the installation: https://eu.dlink.com/uk/en/support/faq/routers/mobile-routers/how-to-install-my-dwm-222-on-ubuntu
However, it is not recommended to follow the instructions, because the 'driver' is just a collection of bash scripts that try to configure the PPP daemon. Interestingly, it has a complete collection of MCC, MNC, APN triples for all operators around the world. Based on the IMSI queried from the SIM card, it tries to find the right settings and feed them to pppd.

Firmware

There are 2 firmware versions available for download currently: 2.0.1 and 2.0.8. https://eu.dlink.com/uk/en/products/dwm-222-4g-lte-usb-adapter#support
The dongle that I had came with an older version, 1.7.9. It doesn't really work for me, so I upgraded to 2.0.8:

Upgrade process

Upgrade can only be done from Windows. The file provided is a self-extracting executable. After extracting the contents it turned out to be quite interesting: a collection of executables and batch files, as well as MBN and yaffs2 images.
After tracing the upgrade process I've established its steps roughly:

Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots.

Now comes the tricky part: the bat file tries to reboot the device into fastboot mode using ADB shell. However, D-Link requested ADB to be turned off for the device, so the fastboot part fails. Basically you'll end up with a device that has new DSP software, but the Android part is unchanged. Fortunately the device stays operational after the failed update, only its LED is stuck on white instead of different colors/blinking.
So the complete upgrade cycle would look like this (based on reading the bat files):

Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots
-> ADB shell to reboot into fastboot mode -> Android images are flashed using fastboot (rootfs, usr) -> Device rebooted again, check if it is not stuck in bootloader -> Done.

Analyzing the firmware

Since it is just YAFFS2 it was easy to unpack the firmware and poke around it. No encryption/signatures/etc. was in place.
It is, as suspected, Linux.
They supply 2 YAFFS2 images: one is the rootfs, the other is /usr

File list of rootfs

# ls -lha
total 84K
drwxr-xr-x 20 root root 4,0K aug   10 14:58 .
drwxr-xr-x  5 root root 4,0K aug   10 15:30 ..
drwxr-xr-x  2 root root 4,0K aug   10 14:58 bin
drwxr-xr-x  2 root root 4,0K aug   10 14:58 boot
-rw-r--r--  1 root root   47 aug   10 14:58 build.prop
drwxr-xr-x  2 root root 4,0K aug   10 14:58 cache
drwxr-xr-x  2 root root 4,0K aug   10 14:58 dev
drwxr-xr-x 30 root root 4,0K aug   10 14:58 etc
drwxr-xr-x  3 root root 4,0K aug   10 14:58 home
drwxr-xr-x  5 root root 4,0K aug   10 14:58 lib
lrwxrwxrwx  1 root root   12 aug   10 14:58 linuxrc -> /bin/busybox
drwxr-xr-x 10 root root 4,0K aug   10 14:58 media
drwxr-xr-x  2 root root 4,0K aug   10 14:58 mnt
drwxr-xr-x  2 root root 4,0K aug   10 14:58 proc
drwxr-xr-x  2 root root 4,0K aug   10 14:58 sbin
lrwxrwxrwx  1 root root   11 aug   10 14:58 sdcard -> /media/card
drwxr-xr-x  3 root root 4,0K aug   10 14:58 share
drwxr-xr-x  2 root root 4,0K aug   10 14:58 sys
drwxr-xr-x  2 root root 4,0K aug   10 14:58 tmp
drwxr-xr-x  2 root root 4,0K aug   10 14:58 usr
drwxr-xr-x  8 root root 4,0K aug   10 14:58 var
drwxr-xr-x  3 root root 4,0K aug   10 14:58 WEBSERVER
drwxr-xr-x  5 root root 4,0K aug   10 14:58 www

The WEBSERVER and www directories are there for the WiFi router versions, which use a web-based interface for settings.

I was mainly curious about ADB, so I followed the /etc/init.d/usb script. It saves the USB device id of the device to a file, then based on the id it starts a bash script located in /usr/bin/usb/compositions

ls -lha bin/usb/compositions/
total 228K
drwxr-xr-x 2 root root 4,0K aug   10 14:58 .
drwxr-xr-x 3 root root 4,0K aug   10 14:28 ..
-rw-r--r-- 1 root root 3,8K aug   10 14:28 2033
-rw-r--r-- 1 root root 4,0K aug   10 14:28 2034
-rw-r--r-- 1 root root 4,4K aug   10 14:28 2037
-rw-r--r-- 1 root root 3,8K aug   10 14:28 3443
-rw-r--r-- 1 root root 4,4K aug   10 14:28 3444
-rw-r--r-- 1 root root 4,4K aug   10 14:28 4030
-rw-r--r-- 1 root root 3,8K aug   10 14:58 7e35
-rw-r--r-- 1 root root 4,6K aug   10 14:28 7e35A
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e37
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e38
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e39
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e3c
-rw-r--r-- 1 root root 3,8K aug   10 14:28 7e3d
-rw-r--r-- 1 root root 2,3K aug   10 14:28 9002
-rw-r--r-- 1 root root 2,2K aug   10 14:28 901C
-rw-r--r-- 1 root root 2,8K aug   10 14:28 901D
-rw-r--r-- 1 root root 3,4K aug   10 14:28 9021
-rw-r--r-- 1 root root 3,4K aug   10 14:28 9022
-rw-r--r-- 1 root root 2,7K aug   10 14:28 9024
-rw-r--r-- 1 root root 3,6K aug   10 14:28 9025
-rw-r--r-- 1 root root 3,5K aug   10 14:28 9026
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902A
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902B
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902C
-rw-r--r-- 1 root root 2,8K aug   10 14:28 902D
-rw-r--r-- 1 root root 3,9K aug   10 14:28 902E
-rw-r--r-- 1 root root 3,3K aug   10 14:28 9043
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9046
-rw-r--r-- 1 root root 2,4K aug   10 14:28 9047
-rw-r--r-- 1 root root 3,5K aug   10 14:28 9049
-rw-r--r-- 1 root root 2,2K aug   10 14:28 904A
-rw-r--r-- 1 root root 3,6K aug   10 14:28 9056
-rw-r--r-- 1 root root 2,7K aug   10 14:28 9057
-rw-r--r-- 1 root root 2,9K aug   10 14:28 9059
-rw-r--r-- 1 root root 3,2K aug   10 14:28 905A
-rw-r--r-- 1 root root 3,0K aug   10 14:28 905B
-rw-r--r-- 1 root root 2,2K aug   10 14:28 9060
-rw-r--r-- 1 root root 3,2K aug   10 14:28 9063
-rw-r--r-- 1 root root 4,4K aug   10 14:28 9064
-rw-r--r-- 1 root root 4,0K aug   10 14:28 9067
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9083
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9084
-rw-r--r-- 1 root root 3,1K aug   10 14:28 9085
-rw-r--r-- 1 root root  127 aug   10 14:28 empty
-rw-r--r-- 1 root root    2 aug   10 14:28 hsic_next
-rw-r--r-- 1 root root    5 aug   10 14:28 hsusb_next

Looking into the file 7e35 (the id of the D-Link device) reveals why ADB is missing - the Android USB Gadget is configured without ADB:

# cat bin/usb/compositions/7e35

#!/bin/sh
#
# Copyright (c) 2012, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED.  IN NO
# EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)

echo "Switching to composition number 0x7e35" 

if [ "$1" = "y" ]; then
    num="1" 
else
    num="0" 
fi

echo 0 > /sys/class/android_usb/android$num/enable
if [ "$2" = "y" ]; then 
    echo 0xAB00 > /sys/class/android_usb/android$num/idProduct
    echo 0x2001 > /sys/class/android_usb/android$num/idVendor
    echo mass_storage > /sys/class/android_usb/android$num/functions
    echo 1 > /sys/class/android_usb/android$num/enable
else
    run_9x15() {
        echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
        echo 0x2001 > /sys/class/android_usb/android$num/idVendor
        echo diag > /sys/class/android_usb/android0/f_diag/clients
        echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
        echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports
        echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
         echo 1 > /sys/class/android_usb/android$num/enable
      }

    run_9x25() {
        echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
        echo 0x2001 > /sys/class/android_usb/android$num/idVendor
        echo diag > /sys/class/android_usb/android0/f_diag/clients
        echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
        echo SMD,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
        echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
         echo 1 > /sys/class/android_usb/android$num/enable
    }

    run_9x25_v2() {
        echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
        echo 0x2001 > /sys/class/android_usb/android$num/idVendor
        echo 0123456789ABCDEF > /sys/class/android_usb/android$num/iSerial
        echo diag > /sys/class/android_usb/android0/f_diag/clients
        echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
        echo QTI,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
        echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
         echo 1 > /sys/class/android_usb/android$num/enable
    }

    case `source /usr/bin/usb/target` in
        *9x15* )
            run_9x15 &
            ;;
        *9x25* )
            case `cat /sys/devices/soc0/revision` in
                *1.0* )
                    run_9x25 &
                    ;;
                *2.* )
                    run_9x25_v2 &
                    ;;
                * )
                    run_9x25 &
                    ;;
            esac
            ;;
        * )
            run_9x15 &
            ;;
      esac
fi

Simply adding adb to the echos should be enough, based on the other script files. So I added the string adb to the right places in the file and re-packed the usr YAFFS2 image, just to find out that I could not get it into fastboot mode... So if someone could find a way to put the dongle into fastboot mode, then simply installing a patched firmware file would enable ADB on the device.

So now the question arises: what kind of dongle would you need to buy that has ADB out of the box? I could tell you the USB device id of such devices:

grep -r adb .
./905A:    echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions
./905A:    echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions
./9025:    echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9025:    echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9025:    echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9022:    echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9022:    echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9022:    echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9059:    echo rndis_qc,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions
./9059:    echo rndis,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions
./9064:    echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions
./9064:    echo diag,adb,serial,rmnet:ecm:usb_mbim > /sys/class/android_usb/android$num/functions
./9064:    echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions
./9046:    echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9046:    echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9024:    echo rndis_qc,adb > /sys/class/android_usb/android$num/functions
./9024:    echo rndis,adb > /sys/class/android_usb/android$num/functions
./9049:    echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./9049:    echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./9049:    echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./902D:    echo rndis_qc,diag,adb > /sys/class/android_usb/android$num/functions
./902D:    echo rndis,diag,adb > /sys/class/android_usb/android$num/functions
./901D:    echo diag,adb > /sys/class/android_usb/android$num/functions
./901D:    echo diag,adb > /sys/class/android_usb/android$num/functions
./9084:    echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions
./9084:    echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions
./902B:    echo rndis_qc,adb,mass_storage > /sys/class/android_usb/android$num/functions
./902B:    echo rndis,adb,mass_storage > /sys/class/android_usb/android$num/functions
./9085:    echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions
./9085:    echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions
./2034:    echo rndis_qc,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./2034:    echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./2034:    echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./9060:    echo diag,qdss,adb > /sys/class/android_usb/android$num/functions
./9056:    echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
./9056:    echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
./9056:    echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions

It would be great to find out the actual vendor of these, so we can tell people exactly what to buy. I'm assuming Chinese LTE dongles from eBay are prime candidates, but that's just a guess.
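
An added example (not part of the original wiki page or of the firmware): a small shell audit that does what the grep above does, but only looks at the lines that actually write the gadget's functions list and matches adb as a whole entry, so the DESCRIPTION comment in 7e35, which still mentions ADB, does not count. The function names and the sample directory are constructed for illustration; the sample lines are copied from the listings on this page.

```shell
#!/bin/sh
# Added example: audit which USB compositions in an unpacked image enable adb.

# Print each distinct function list a composition script writes to .../functions.
list_functions() {
    awk '$1 == "echo" && $NF ~ /\/functions$/ && !seen[$2]++ { print $2 }' "$1"
}

# True when "adb" is a whole entry of some function list (not a comment or substring).
has_adb() {
    list_functions "$1" | tr ',:' '\n\n' | grep -qx 'adb'
}

# One line per composition: <id> TAB <adb|no-adb> TAB <distinct function lists>.
audit_compositions() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        lists=$(list_functions "$f" | paste -sd' ' -)
        [ -n "$lists" ] || continue          # helper files write no functions
        if has_adb "$f"; then state=adb; else state=no-adb; fi
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$state" "$lists"
    done
}

# Space-separated ids whose composition enables adb.
adb_ids() {
    audit_compositions "$1" | awk -F'\t' '$2 == "adb" { print $1 }' | paste -sd' ' -
}

# Constructed sample: three trimmed files built from lines shown on this page.
make_sample() {
    p='/sys/class/android_usb/android$num/functions'
    mkdir -p "$1"
    {
        echo '# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)'
        echo "    echo mass_storage > $p"
        echo "    echo diag,serial,rmnet,mass_storage > $p"
        echo "    echo diag,serial,rmnet,mass_storage > $p"
    } > "$1/7e35"
    echo "    echo diag,adb,serial,rmnet,mass_storage > $p" > "$1/9025"
    printf '    echo rndis_qc,adb > %s\n    echo rndis,adb > %s\n' "$p" "$p" > "$1/9024"
    echo '# constructed helper file, writes no functions' > "$1/empty"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_compositions "$demo"
rm -rf "$demo"
```

Pointed at the real bin/usb/compositions directory of an unpacked usr image, audit_compositions gives one line per product id, which makes it easy to compare a vendor's shipped composition against the others in the same image.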
