Project

General

Profile

Sierra Wireless Modems » History » Version 4

Version 3 (domi, 08/15/2018 08:22 PM) → Version 4/5 (laforge, 10/11/2019 12:21 PM)

h1. Sierra Wireless Modems

Sierra Wireless also seems to offer a number of modems that run on MDM9615 or its successors, with Linux inside the module.

h2. List of related modems

* EM7455
* many others suspected, FIXME.

h2. Getting access to the Linux system

Sierra Wireless uses a bitmapped NVRAM variable to tell the system which functions to enable. One of these functions is 'adb'. They also implement an AT command to set this variable, but you cannot enable 'adb' there anymore (or maybe you can, using some other password?).

This AT command help text is taken from an old memory dump:

<pre>
#AT!USBCOMP=<Config Index>,<Config Type>,<Interface bitmask>
# <Config Index> - configuration index to which the composition applies, should be 1
# <Config Type> - 1:Generic, 2:USBIF-MBIM, 3:RNDIS
# config type 2/3 should only be used for specific Sierra PIDs: 68B1, 9068
# customized VID/PID should use config type 1
# <Interface bitmask> - DIAG - 0x00000001,
# ADB - 0x00000002,
# NMEA - 0x00000004,
# MODEM - 0x00000008,
# RMNET0 - 0x00000100,
# RMNET1 - 0x00000400,
# RMNET2 - 0x00000800,
# MBIM - 0x00001000,
# RNDIS - 0x00004000,
# AUDIO - 0x00010000,
# ECM - 0x00080000,
# UBIST - 0x00200000
</pre>

There are other ways to set this and other variables, so the AT comand interpreter restriction is not a show stopper. Note that there are invalid gadget combinations, so you can softbrick the modem by changing this variable.



h2. Enable DIAG and AT interface - EM7455

Based on my testing done with the EM7455 (found in Lenovo ThinkPads for example) you cannot use AT commands, because the AT serial port is not exposed. To enable the DIAG interface as well as the AT shell you can try to use the script attachment:swi_usbcomp.pl, "swi_usbcomp.pl" attached, created by Bjørn Mork. It is capable of showing the USB configurations available, and also changing the configuration.

Example output - querying the available configurations (the * denotes the active configuration):

<pre>
./swi_usbcomp.pl
Running in MBIM mode (driver=cdc_mbim)
MBIM OPEN succeeded
QMI msg '0x0021' returned status = 1
MBIM QMI support verified
supports 33 QMI subsystems:
0x00 (1.5) 'QMI_CTL' - Control service
0x01 (1.67) 'QMI_WDS' - Wireless data service
0x02 (1.14) 'QMI_DMS' - Device management service
0x03 (1.25) 'QMI_NAS' - Network access service
0x04 (1.6) 'QMI_QOS' - Quality of service, err, service
0x05 (1.10) 'QMI_WMS' - Wireless messaging service
0x07 (1.3) 'QMI_AUTH' - Authentication service
0x08 (1.2) 'QMI_AT' - AT command processor service
0x09 (2.1) 'QMI_VOICE' - Voice service
0x0a (2.24) 'QMI_CAT2' - Card application toolkit service (new)
0x0b (1.45) 'QMI_UIM' - UIM service
0x0c (1.4) 'QMI_PBM' - Phonebook service
0x0f (1.0) 'QMI_TEST' - Test service
0x10 (2.0) 'QMI_LOC' - Location service
0x11 (1.0) 'QMI_SAR' - Specific absorption rate service
0x17 (1.0) 'QMI_TS' - Thermal sensors service
0x18 (1.0) 'QMI_TMD' - Thermal mitigation device service
0x1a (1.16) 'QMI_WDA' - Wireless data administrative service
0x1d (1.1) 'QMI_CSVT' - Circuit switched videotelephony service
0x22 (1.0) 'QMI_COEX' - Coexistence service
0x24 (1.0) 'QMI_PDC' - Persistent device configuration service
0x29 (1.0) 'QMI_RFRPE' - RF radiated performance enhancement service
0x2a (1.0) 'QMI_DSD' - Data system determination service
0x2b (1.0) 'QMI_SSCTL' - Subsystem control service
0x2e (1.0) 'unknown' -
0x30 (1.0) 'unknown' -
0x31 (1.0) 'unknown' -
0x36 (1.0) 'unknown' -
0xe1 (1.0) 'QMI_RMS' - Remote management service
0xf0 (1.0) 'unknown' -
0xf3 (1.0) 'unknown' -
0xf5 (1.0) 'unknown' -
0xf6 (1.0) 'unknown' -
QMI msg '0x0022' returned status = 1
Got QMI DMS client ID '3'
QMI msg '0x555b' returned status = 1
Current USB composition: 9
USB compositions:
0 - HIP DM NMEA AT MDM1 MDM2 MDM3 MS NOT SUPPORTED
1 - HIP DM NMEA AT MDM1 MS NOT SUPPORTED
2 - HIP DM NMEA AT NIC1 MS NOT SUPPORTED
3 - HIP DM NMEA AT MDM1 NIC1 MS NOT SUPPORTED
4 - HIP DM NMEA AT NIC1 NIC2 NIC3 MS NOT SUPPORTED
5 - HIP DM NMEA AT ECM1 MS NOT SUPPORTED
6 - DM NMEA AT QMI SUPPORTED
7 - DM NMEA AT RMNET1 RMNET2 RMNET3 NOT SUPPORTED
8 - DM NMEA AT MBIM SUPPORTED
* 9 - MBIM SUPPORTED
10 - NMEA MBIM NOT SUPPORTED
11 - DM MBIM NOT SUPPORTED
12 - DM NMEA MBIM NOT SUPPORTED
13 - Config1: comp6 Config2: comp8 NOT SUPPORTED
14 - Config1: comp6 Config2: comp9 NOT SUPPORTED
15 - Config1: comp6 Config2: comp10 NOT SUPPORTED
16 - Config1: comp6 Config2: comp11 NOT SUPPORTED
17 - Config1: comp6 Config2: comp12 NOT SUPPORTED
18 - Config1: comp7 Config2: comp8 NOT SUPPORTED
19 - Config1: comp7 Config2: comp9 NOT SUPPORTED
20 - Config1: comp7 Config2: comp10 NOT SUPPORTED
21 - Config1: comp7 Config2: comp11 NOT SUPPORTED
22 - Config1: comp7 Config2: comp12 NOT SUPPORTED
QMI msg '0x0023' returned status = 1
</pre>

Changing the configuration is simple:

<pre>
./swi_usbcomp.pl –usbcomp=8
./swi_usbcomp.pl –reset
</pre>

As you can see ADB cannot be enabled for EM7455 using swi_usbcomp.pl, but at least DIAG and AT shell can be made accessible.
Add picture from clipboard (Maximum size: 48.8 MB)