Huawei ME906

The Huawei ME906 is yet another MDM9x15-based cellular modem that runs Linux on its Cortex-A5 processor, based on Qualcomm_Linux (LE). There are several variants (ME906A, ME906C, ME906J, ME906E, ME906V). There is also an ME906S-158, which is not a Qualcomm-based device.

USB configuration

The ME906V exposes the following USB configurations:

Configuration 1

Interface  Name                                   Description
0          Huawei Mobile Connect - Modem          AT Commands
1          Huawei Mobile Connect - Application    DIAG
2          Huawei Mobile Connect - Pcui
3          HUAWEI Mobile Connect - Network Card   qmi-wwan
4          Huawei Mobile Connect - Gps
5          Huawei Mobile Connect - Serial B

Configuration 2

Interface  Name                                   Description
0          CDC Ethernet Control Model (ECM)
1          CDC Ethernet Data
2          Huawei Mobile Connect - Modem
3          HUAWEI Mobile Connect - Application
4          HUAWEI Mobile Connect - Pcui
5          Huawei Mobile Connect - Gps
6          Huawei Mobile Connect - Serial B

Configuration 3

Interface  Name                                   Description
0          HUAWEI Mobile Connect - Network Card
2          Huawei Mobile Connect - Gps

Initialization on the Linux side:

from the scripts in /usr/bin/usb/ (combining multiple scripts, with variables expanded)

echo "hsusb" > /sys/devices/platform/usb_bam/enable
echo 0 > /sys/class/android_usb/android0/enable
echo 0x1573 > /sys/class/android_usb/android0/idProduct
echo 0x12D1 > /sys/class/android_usb/android0/idVendor
echo diag > /sys/class/android_usb/android0/f_diag/clients
echo smd,tty > /sys/class/android_usb/android0/f_serial/transports
echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports
echo "pcui,diag,modem,ccid,rmnet,gps:usb_mbim,gps" > /sys/class/android_usb/android0/functions
echo 0 > /sys/class/android_usb/android0/mbim_name
echo 0 > /sys/module/restart/parameters/download_mode
echo 1 > /sys/class/android_usb/android0/remote_wakeup
echo 1 > /sys/class/android_usb/android0/enable

AT Command interface

Unless otherwise noted, this was done using a modem with the following firmware version:

ATI
Manufacturer: Huawei Technologies Co., Ltd.
Model: ME906V
Revision: 11.234.44.03.00
root@9615-cdp:/# cat /build.prop
ro.build.version.release=AU_LINUX_BASE_KIWI_TARGET_ALL.03.00.032
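The ATI exchange above follows the usual V.250 framing (information lines, then a final result code). The following parser is an added example, not part of this wiki page or the modem's firmware; it works offline on a constructed response built from the ATI output shown above, so you can check that a modem reports the documented firmware before relying on the rest of this page.

```python
# Added example: parse the ATI response of the ME906V into fields and a final result code.
# Constructed sample data; to use a real port, read the bytes from the AT command tty instead.

FINAL_CODES = ("OK", "ERROR", "NO CARRIER")


def parse_at_response(raw: bytes, command: str = "ATI"):
    """Split a raw AT response into (fields, final_code).

    - drops the echoed command line if the modem echoes (ATE1)
    - collects 'Key: Value' information lines into a dict
    - returns the final result code ('OK', 'ERROR', '+CME ERROR: n', ...)
    Raises ValueError when no final result code was seen (truncated read).
    """
    fields = {}
    final = None
    for line in raw.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        if not line or line == command:
            continue
        if line in FINAL_CODES or line.startswith(("+CME ERROR", "+CMS ERROR")):
            final = line
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if final is None:
        raise ValueError("no final result code in AT response")
    return fields, final


# Constructed sample: the ATI output shown on this page, with CR/LF framing.
SAMPLE_ATI = (
    b"ATI\r\r\n"
    b"Manufacturer: Huawei Technologies Co., Ltd.\r\n"
    b"Model: ME906V\r\n"
    b"Revision: 11.234.44.03.00\r\n"
    b"\r\nOK\r\n"
)

# Firmware revision this page was written against.
DOCUMENTED_REVISION = "11.234.44.03.00"


def modem_identity(raw: bytes = SAMPLE_ATI):
    """Return (model, revision) from an ATI response, or None on an error result."""
    fields, final = parse_at_response(raw, "ATI")
    if final != "OK":
        return None
    return fields.get("Model"), fields.get("Revision")


def is_documented_firmware(raw: bytes = SAMPLE_ATI) -> bool:
    """True when the modem reports exactly the firmware revision documented here."""
    ident = modem_identity(raw)
    return ident is not None and ident == ("ME906V", DOCUMENTED_REVISION)
```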

Interesting non-standard commands

The following commands appear to be non-standard and implemented in the device:

+ES
+ESA
+CMOD
+CEMODE
+CVHU
+CECALL
+HUAWEI
^TBAT
^TCHRENABLE
^TCHRINFO
^APBATLVL
^SETMODE
$QCSIMSTAT
$QCPBMPREF
$CREG
$CCLK
$QCCNMI
*CNTI
$QCCLR
$QCDMR
$QCDNSP
$QCDNSS
$QCTER
$QCSLOT
$QCSIMAPP
$QCPINSTAT
$QCPDPP
$QCPDPLT
$QCPWRDN
$QCDGEN
$QCPDPCFGE
$BREW
$QCANTE
$QCRPW
$QCSQ
$CSQ
$QCSYSMODE
$QCCTM
$QCBANDPREF
^DSCI
$QCVOLT
$QCHWREV
$QCBOOTVER
$ECALL
$QCDEFPROF
$QCMRUE
$QCMRUC
$QCAPNE
$QCPDPIMSCFGE
$QCCLAC
$QCRMCALL
$QCDRX

AT commands in atfwd_daemon

+HUAWEI
^PSTANDBY
^TBAT
^TCHRENABLE
^TCHRINFO
^APBATLVL
^SETMODE

AT^SETMODE

This can be used to switch between different USB Product IDs.

  • AT^SETMODE=0 is for the normal 1573 product ID
  • AT^SETMODE=1 is for the 157E product ID

Unfortunately, neither of the two contains adb by default :(

Serial Console

Like all (or at least most) MDM9x15 targets, there is a 1.8V serial console available on ttyHSL0.

TODO: Describe soldering of serial console pads.

Once you have connected to the serial console, you should be able to observe a boot log like the one in the attached bootlog.txt.

Keeping modem from suspend

It seems that the Linux system suspends after only a few seconds of inactivity. To keep it awake, write any character to one of the serial devices. For example, the following one-liner will work (assuming /dev/ttyUSB5 is one of the AT command ports of the modem):

while [ -f /etc/passwd ]; do echo "AT" > /dev/ttyUSB5; sleep 1; done

Linux on Cortex-A5

processes

see attached ps.txt

rmnet

2: hw_rmnet: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 3a:1c:af:e4:29:03 brd ff:ff:ff:ff:ff:ff
3: hw_rmnet2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 56:f5:0f:cf:4c:cd brd ff:ff:ff:ff:ff:ff
4: rmnet0: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 
5: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 
6: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 
7: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 
8: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 
9: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 
10: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 
11: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000
    link/[530] 

Miscellaneous

https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf