D-Link DWM-222 stick¶
- Table of contents
- D-Link DWM-222 stick
This stick is available at multiple operators and it is quite cheap. If you want to get into Linux-based Qualcomm dongles that are easier to attach to your laptop than Quectel modems (no messing around with mini-PCIe to USB adapters and what not) it might be a way to go.
WARNING!
Current version of the DWM-222 does NOT expose ADB, so accessing the underlying Linux is currently not possible! HOWEVER there might be ways to enable this functionality, so keep reading, but BE AWARE BEFORE PUCHASING!
Example of devices that are closely related:
- PTCL Charji Wingle R660
- (?)D-Link DWR 901 (unsure, FIXME)
Hardware¶
Opening the stick requires just removing the back cover (which reveals the standard size SIM slot and the microSD card reader), then unscrewing the Philips 3 screws.
The stick is based on the Qualcomm MDM9225 chipset. It is closely related to the MDM9625 apparently (based on the firmware analysis).
There are two antenna connectors (U.FL) exposed on the PCB.
Software¶
The dongle is a typical USB WWAN modem. It requires usb_modeswitch to change from mass_storage mode (enables installation of driver) to modem mode.
Mass storage mode USB id: 2001:ab00
WWAN USB id: 2001:7e35
After the switch you'll see 4 ttyUSB devices appearing in /dev. For me these devices only started to work after telling the option driver about the USB id of the device:
echo "2001 7e35" > /sys/bus/usb-serial/drivers/option1/new_id
The devices are:
/dev/ttyUSB0 --> DIAG /dev/ttyUSB1 --> AT commands /dev/ttyUSB2 /dev/ttyUSB3 /dev/cdc-wdm0 --> QMI
Drivers¶
If in mass_storage mode there is a Windows driver available with D-Link Connection Manager. It basically just switches the device to modem mode, and then provides a GUI to establish a connection.
Surprisingly D-Link provides Linux support for the dongle. A page is dedicated to guide you through the installation. https://eu.dlink.com/uk/en/support/faq/routers/mobile-routers/how-to-install-my-dwm-222-on-ubuntu
However it is not recommended to follow the instructions, because the 'driver' is just a collection of bash scripts that tries to configure PPP daemon. Interestingly it has a complete collection of MCC, MNC, APN triples for all operators around the world. Based on the IMSI queried from the SIM card it tries to find the right settings and feed them to pppd.
Firmware¶
There are 2 firmware versions available for download currently: 2.0.1 and 2.0.8. https://eu.dlink.com/uk/en/products/dwm-222-4g-lte-usb-adapter#support
The dongle that I had came with an older version, 1.7.9. It didn't really work for me, so I upgraded to 2.0.8:
Upgrade process¶
Upgrade can only be done from Windows. The file provided is a self-extracting executable. After extracting the contents it turned out to be quite interesting: a collection of executables and batch files, as well as MBN and yaffs2 images.
After tracing the upgrade process I've established its steps roughly:
Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots.
Now comes the tricky part: the bat files tries to reboot the device into fastboot mode using ADB shell. However D-Link requested ADB to be turned off for the device, so the fastboot part fails. Basically you'll end up with a device that has new DSP software, but the Android part is unchanged. Fortunately the device stays operational after the failed update, only its LED is stuck on white instead of different colors/blinking.
So the complete upgrade cycle would look like this (based on reading the bat files):
Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots -> ADB shell to reboot into fastboot mode -> Android images are flashed using fastboot (rootfs, usr) -> Device rebooted again, check if it is not stuck in bootloader -> Done.
Analyzing the firmware¶
Since it is just YAFFS2 it was easy to unpack the firmware and poke around it. No encryption/signatures/etc. was in place.
It is, as suspected, Linux.
They supply 2 YAFFS2 images: one is the rootfs, the other is /usr
File list of rootfs
# ls -lha total 84K drwxr-xr-x 20 root root 4,0K aug 10 14:58 . drwxr-xr-x 5 root root 4,0K aug 10 15:30 .. drwxr-xr-x 2 root root 4,0K aug 10 14:58 bin drwxr-xr-x 2 root root 4,0K aug 10 14:58 boot -rw-r--r-- 1 root root 47 aug 10 14:58 build.prop drwxr-xr-x 2 root root 4,0K aug 10 14:58 cache drwxr-xr-x 2 root root 4,0K aug 10 14:58 dev drwxr-xr-x 30 root root 4,0K aug 10 14:58 etc drwxr-xr-x 3 root root 4,0K aug 10 14:58 home drwxr-xr-x 5 root root 4,0K aug 10 14:58 lib lrwxrwxrwx 1 root root 12 aug 10 14:58 linuxrc -> /bin/busybox drwxr-xr-x 10 root root 4,0K aug 10 14:58 media drwxr-xr-x 2 root root 4,0K aug 10 14:58 mnt drwxr-xr-x 2 root root 4,0K aug 10 14:58 proc drwxr-xr-x 2 root root 4,0K aug 10 14:58 sbin lrwxrwxrwx 1 root root 11 aug 10 14:58 sdcard -> /media/card drwxr-xr-x 3 root root 4,0K aug 10 14:58 share drwxr-xr-x 2 root root 4,0K aug 10 14:58 sys drwxr-xr-x 2 root root 4,0K aug 10 14:58 tmp drwxr-xr-x 2 root root 4,0K aug 10 14:58 usr drwxr-xr-x 8 root root 4,0K aug 10 14:58 var drwxr-xr-x 3 root root 4,0K aug 10 14:58 WEBSERVER drwxr-xr-x 5 root root 4,0K aug 10 14:58 www
The WEBSERVER and www directory are there for the WiFi router versions which use a web-based interface for settings.
I was mainly curious about ADB, so I followed the /etc/init.d/usb script. It saves the USB device id of the device to a file, then based on the id it starts a bash script located in /usr/bin/usb/compositions
ls -lha bin/usb/compositions/ total 228K drwxr-xr-x 2 root root 4,0K aug 10 14:58 . drwxr-xr-x 3 root root 4,0K aug 10 14:28 .. -rw-r--r-- 1 root root 3,8K aug 10 14:28 2033 -rw-r--r-- 1 root root 4,0K aug 10 14:28 2034 -rw-r--r-- 1 root root 4,4K aug 10 14:28 2037 -rw-r--r-- 1 root root 3,8K aug 10 14:28 3443 -rw-r--r-- 1 root root 4,4K aug 10 14:28 3444 -rw-r--r-- 1 root root 4,4K aug 10 14:28 4030 -rw-r--r-- 1 root root 3,8K aug 10 14:58 7e35 -rw-r--r-- 1 root root 4,6K aug 10 14:28 7e35A -rw-r--r-- 1 root root 4,4K aug 10 14:28 7e37 -rw-r--r-- 1 root root 4,4K aug 10 14:28 7e38 -rw-r--r-- 1 root root 4,4K aug 10 14:28 7e39 -rw-r--r-- 1 root root 4,4K aug 10 14:28 7e3c -rw-r--r-- 1 root root 3,8K aug 10 14:28 7e3d -rw-r--r-- 1 root root 2,3K aug 10 14:28 9002 -rw-r--r-- 1 root root 2,2K aug 10 14:28 901C -rw-r--r-- 1 root root 2,8K aug 10 14:28 901D -rw-r--r-- 1 root root 3,4K aug 10 14:28 9021 -rw-r--r-- 1 root root 3,4K aug 10 14:28 9022 -rw-r--r-- 1 root root 2,7K aug 10 14:28 9024 -rw-r--r-- 1 root root 3,6K aug 10 14:28 9025 -rw-r--r-- 1 root root 3,5K aug 10 14:28 9026 -rw-r--r-- 1 root root 2,7K aug 10 14:28 902A -rw-r--r-- 1 root root 2,7K aug 10 14:28 902B -rw-r--r-- 1 root root 2,7K aug 10 14:28 902C -rw-r--r-- 1 root root 2,8K aug 10 14:28 902D -rw-r--r-- 1 root root 3,9K aug 10 14:28 902E -rw-r--r-- 1 root root 3,3K aug 10 14:28 9043 -rw-r--r-- 1 root root 3,0K aug 10 14:28 9046 -rw-r--r-- 1 root root 2,4K aug 10 14:28 9047 -rw-r--r-- 1 root root 3,5K aug 10 14:28 9049 -rw-r--r-- 1 root root 2,2K aug 10 14:28 904A -rw-r--r-- 1 root root 3,6K aug 10 14:28 9056 -rw-r--r-- 1 root root 2,7K aug 10 14:28 9057 -rw-r--r-- 1 root root 2,9K aug 10 14:28 9059 -rw-r--r-- 1 root root 3,2K aug 10 14:28 905A -rw-r--r-- 1 root root 3,0K aug 10 14:28 905B -rw-r--r-- 1 root root 2,2K aug 10 14:28 9060 -rw-r--r-- 1 root root 3,2K aug 10 14:28 9063 -rw-r--r-- 1 root root 4,4K aug 10 14:28 9064 -rw-r--r-- 1 root root 4,0K aug 10 14:28 9067 -rw-r--r-- 1 root root 3,0K aug 10 14:28 9083 -rw-r--r-- 1 root root 3,0K aug 10 14:28 9084 -rw-r--r-- 1 root root 3,1K aug 10 14:28 9085 -rw-r--r-- 1 root root 127 aug 10 14:28 empty -rw-r--r-- 1 root root 2 aug 10 14:28 hsic_next -rw-r--r-- 1 root root 5 aug 10 14:28 hsusb_next
Looking into the file 7e35 (the id of the D-Link device) reveals why ADB is missing - the Android USB Gadget is configured without ADB:
# cat bin/usb/compositions/7e35
#!/bin/sh
#
# Copyright (c) 2012, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO
# EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)
echo "Switching to composition number 0x7e35"
if [ "$1" = "y" ]; then
num="1"
else
num="0"
fi
echo 0 > /sys/class/android_usb/android$num/enable
if [ "$2" = "y" ]; then
echo 0xAB00 > /sys/class/android_usb/android$num/idProduct
echo 0x2001 > /sys/class/android_usb/android$num/idVendor
echo mass_storage > /sys/class/android_usb/android$num/functions
echo 1 > /sys/class/android_usb/android$num/enable
else
run_9x15() {
echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
echo 0x2001 > /sys/class/android_usb/android$num/idVendor
echo diag > /sys/class/android_usb/android0/f_diag/clients
echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports
echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
echo 1 > /sys/class/android_usb/android$num/enable
}
run_9x25() {
echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
echo 0x2001 > /sys/class/android_usb/android$num/idVendor
echo diag > /sys/class/android_usb/android0/f_diag/clients
echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
echo SMD,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
echo 1 > /sys/class/android_usb/android$num/enable
}
run_9x25_v2() {
echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
echo 0x2001 > /sys/class/android_usb/android$num/idVendor
echo 0123456789ABCDEF > /sys/class/android_usb/android$num/iSerial
echo diag > /sys/class/android_usb/android0/f_diag/clients
echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
echo QTI,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
echo 1 > /sys/class/android_usb/android$num/enable
}
case `source /usr/bin/usb/target` in
*9x15* )
run_9x15 &
;;
*9x25* )
case `cat /sys/devices/soc0/revision` in
*1.0* )
run_9x25 &
;;
*2.* )
run_9x25_v2 &
;;
* )
run_9x25 &
;;
esac
;;
* )
run_9x15 &
;;
esac
fi
Simple adding adb to the echos should be enough, based on the other script files. So I added the string adb to the right places in the file, re-packed the usr YAFFS2 image just to find out that because I could not get it into fastboot mode...so if someone could find a way to put the dongle into fastboot mode then simply installing a patched firmware file would enable ADB on the device.
So now the question arises: what kind of dongle would you need to buy that has ADB out of the box? I could tell you the USB device id of such devices:
grep -r adb . ./905A: echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions ./905A: echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions ./9025: echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions ./9025: echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions ./9025: echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions ./9022: echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions ./9022: echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions ./9022: echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions ./9059: echo rndis_qc,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions ./9059: echo rndis,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions ./9064: echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions ./9064: echo diag,adb,serial,rmnet:ecm:usb_mbim > /sys/class/android_usb/android$num/functions ./9064: echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions ./9046: echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions ./9046: echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions ./9024: echo rndis_qc,adb > /sys/class/android_usb/android$num/functions ./9024: echo rndis,adb > /sys/class/android_usb/android$num/functions ./9049: echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions ./9049: echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions ./9049: echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions ./902D: echo rndis_qc,diag,adb > /sys/class/android_usb/android$num/functions ./902D: echo rndis,diag,adb > /sys/class/android_usb/android$num/functions ./901D: echo diag,adb > /sys/class/android_usb/android$num/functions ./901D: echo diag,adb > /sys/class/android_usb/android$num/functions ./9084: echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions ./9084: echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions ./902B: echo rndis_qc,adb,mass_storage > /sys/class/android_usb/android$num/functions ./902B: echo rndis,adb,mass_storage > /sys/class/android_usb/android$num/functions ./9085: echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions ./9085: echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions ./2034: echo rndis_qc,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions ./2034: echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions ./2034: echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions ./9060: echo diag,qdss,adb > /sys/class/android_usb/android$num/functions ./9056: echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions ./9056: echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions ./9056: echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
It would be great to find out the actual vendor of these, so we can tell people exactly what to buy. I'm assuming Chinese LTE dongles from eBay are prime candidates, but that's just a guess.
UPDATE:Starting to collect devices (based on Internet searches, so no warranty on these):
- Alcatel/Bell ASB TL131 - 05c6: 9025
- Novatel USB620L (Enterprise mode?) - 1410: 9022
Updated by domi about 5 years ago · 10 revisions
