Cellular Modem Information » Qualcomm Linux Modems by Quectel & Co

h1. D-Link DWM-222 stick

!{width:300px}dwm222_pic.jpg!

This stick is available at multiple operators and it is quite cheap. If you want to get into Linux-based Qualcomm dongles that are easier to attach to your laptop than Quectel modems it might be a way to go.

*WARNING!

Current version of the DWM-222 does NOT expose ADB, so accessing the underlying Linux is currently not possible! HOWEVER there might be ways to enable this functionality, so keep reading, but BE AWARE BEFORE PUCHASING!*

It is just a D-Link branded version of cheaper dongles made in China. Some of them are WiFi access points with LTE backhaul using [[QCMAP]].

Example of devices that are closely related:

* PTCL Charji Wingle R660

* (?)D-Link DWR 901 (unsure, FIXME)

h2. Hardware

!{width:500px}pcb_pic.jpg!

Opening the stick requires just removing the back cover (which reveals the standard size SIM slot and the microSD card reader), then unscrewing the 3 screws.

The stick is based on the Qualcomm MDM9225 chipset. It is closely related to the MDM9625 apparently (based on the firmware analysis).

There are two antenna connectors (U.FL) exposed on the PCB.

h2. Software

The dongle is a typical USB WWAN modem. It requires usb_modeswitch to change from mass_storage mode (enables installation of driver) to modem mode.

Mass storage mode USB id: *2001:ab00*

WWAN USB id: *2001:7e35*

After the switch you'll see 4 @ttyUSB@ devices appearing in @/dev@. For me these devices only started to work after telling the @option@ driver about the USB id of the device:

<pre>

echo "2001 7e35" > /sys/bus/usb-serial/drivers/option1/new_id

</pre>

The devices are:

<pre>

/dev/ttyUSB0  --> DIAG

/dev/ttyUSB1  --> AT commands

/dev/ttyUSB2

/dev/ttyUSB3

/dev/cdc-wdm0 --> QMI

</pre>

h3. Drivers

If in mass_storage mode there is a Windows driver available with D-Link Connection Manager. It basically just switches the device to modem mode, and then provides a GUI to establish a connection.

Surprisingly D-Link provides Linux support for the dongle. A page is dedicated to guide you through the installation. https://eu.dlink.com/uk/en/support/faq/routers/mobile-routers/how-to-install-my-dwm-222-on-ubuntu

However it is not recommended to follow the instructions, because the 'driver' is just a collection of bash scripts that tries to configure PPP daemon. Interestingly it has a complete collection of MCC, MNC, APN triples for all operators around the world. Based on the IMSI queried from the SIM card it tries to find the right settings and feed them to pppd.

h2. Firmware

There are 2 firmware versions available for download currently: 2.0.1 and 2.0.8. https://eu.dlink.com/uk/en/products/dwm-222-4g-lte-usb-adapter#support

The dongle that I had came with an older version, 1.7.9. It doesn't really work for me, so I upgraded to 2.0.8:

h3. Upgrade process

Upgrade can only be done from Windows. The file provided is a self-extracting executable. After extracting the contents it turned out to be quite interesting: a collection of executables and batch files, as well as MBN and yaffs2 images.

After tracing the upgrade process I've established its steps roughly:

<pre>

Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots.

</pre>

Now comes the tricky part: the bat files tries to reboot the device into @fastboot@ mode using ADB shell. However D-Link requested ADB to be turned off for the device, so the @fastboot@ part fails. Basically you'll end up with a device that has new DSP software, but the Android part is unchanged. Fortunately the device stays operational after the failed update, only its LED is stuck on white instead of different colors/blinking.

So the complete upgrade cycle would look like this (based on reading the bat files):

<pre>

Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots

-> ADB shell to reboot into fastboot mode -> Android images are flashed using fastboot (rootfs, usr) -> Device rebooted again, check if it is not stuck in bootloader -> Done.

</pre>

h3. Analyzing the firmware

Since it is just YAFFS2 it was easy to unpack the firmware and poke around it. No encryption/signatures/etc. was in place.

It is, as suspected, Linux.

<pre>

# ls -lha

total 84K

drwxr-xr-x 20 root root 4,0K aug   10 14:58 .

drwxr-xr-x  5 root root 4,0K aug   10 15:30 ..

drwxr-xr-x  2 root root 4,0K aug   10 14:58 bin

drwxr-xr-x  2 root root 4,0K aug   10 14:58 boot

-rw-r--r--  1 root root   47 aug   10 14:58 build.prop

drwxr-xr-x  2 root root 4,0K aug   10 14:58 cache

drwxr-xr-x  2 root root 4,0K aug   10 14:58 dev

drwxr-xr-x 30 root root 4,0K aug   10 14:58 etc

drwxr-xr-x  3 root root 4,0K aug   10 14:58 home

drwxr-xr-x  5 root root 4,0K aug   10 14:58 lib

lrwxrwxrwx  1 root root   12 aug   10 14:58 linuxrc -> /bin/busybox

drwxr-xr-x 10 root root 4,0K aug   10 14:58 media

drwxr-xr-x  2 root root 4,0K aug   10 14:58 mnt

drwxr-xr-x  2 root root 4,0K aug   10 14:58 proc

drwxr-xr-x  2 root root 4,0K aug   10 14:58 sbin

lrwxrwxrwx  1 root root   11 aug   10 14:58 sdcard -> /media/card

drwxr-xr-x  3 root root 4,0K aug   10 14:58 share

drwxr-xr-x  2 root root 4,0K aug   10 14:58 sys

drwxr-xr-x  2 root root 4,0K aug   10 14:58 tmp

drwxr-xr-x  2 root root 4,0K aug   10 14:58 usr

drwxr-xr-x  8 root root 4,0K aug   10 14:58 var

drwxr-xr-x  3 root root 4,0K aug   10 14:58 WEBSERVER

drwxr-xr-x  5 root root 4,0K aug   10 14:58 www

</pre>

The WEBSERVER and www directory are there for the WiFi router versions which use a web-based interface for settings.

I was mainly curious about ADB, so I followed the @/etc/init.d/usb@ script. It saves the USB device id of the device to a file, then based on the id it starts a bash script located in @/usr/bin/usb/compositions@

<pre>

ls -lha bin/usb/compositions/

total 228K

drwxr-xr-x 2 root root 4,0K aug   10 14:58 .

drwxr-xr-x 3 root root 4,0K aug   10 14:28 ..

-rw-r--r-- 1 root root 3,8K aug   10 14:28 2033

-rw-r--r-- 1 root root 4,0K aug   10 14:28 2034

-rw-r--r-- 1 root root 4,4K aug   10 14:28 2037

-rw-r--r-- 1 root root 3,8K aug   10 14:28 3443

-rw-r--r-- 1 root root 4,4K aug   10 14:28 3444

-rw-r--r-- 1 root root 4,4K aug   10 14:28 4030

-rw-r--r-- 1 root root 3,8K aug   10 14:58 7e35

-rw-r--r-- 1 root root 4,6K aug   10 14:28 7e35A

-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e37

-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e38

-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e39

-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e3c

-rw-r--r-- 1 root root 3,8K aug   10 14:28 7e3d

-rw-r--r-- 1 root root 2,3K aug   10 14:28 9002

-rw-r--r-- 1 root root 2,2K aug   10 14:28 901C

-rw-r--r-- 1 root root 2,8K aug   10 14:28 901D

-rw-r--r-- 1 root root 3,4K aug   10 14:28 9021

-rw-r--r-- 1 root root 3,4K aug   10 14:28 9022

-rw-r--r-- 1 root root 2,7K aug   10 14:28 9024

-rw-r--r-- 1 root root 3,6K aug   10 14:28 9025

-rw-r--r-- 1 root root 3,5K aug   10 14:28 9026

-rw-r--r-- 1 root root 2,7K aug   10 14:28 902A

-rw-r--r-- 1 root root 2,7K aug   10 14:28 902B

-rw-r--r-- 1 root root 2,7K aug   10 14:28 902C

-rw-r--r-- 1 root root 2,8K aug   10 14:28 902D

-rw-r--r-- 1 root root 3,9K aug   10 14:28 902E

-rw-r--r-- 1 root root 3,3K aug   10 14:28 9043

-rw-r--r-- 1 root root 3,0K aug   10 14:28 9046

-rw-r--r-- 1 root root 2,4K aug   10 14:28 9047

-rw-r--r-- 1 root root 3,5K aug   10 14:28 9049

-rw-r--r-- 1 root root 2,2K aug   10 14:28 904A

-rw-r--r-- 1 root root 3,6K aug   10 14:28 9056

-rw-r--r-- 1 root root 2,7K aug   10 14:28 9057

-rw-r--r-- 1 root root 2,9K aug   10 14:28 9059

-rw-r--r-- 1 root root 3,2K aug   10 14:28 905A

-rw-r--r-- 1 root root 3,0K aug   10 14:28 905B

-rw-r--r-- 1 root root 2,2K aug   10 14:28 9060

-rw-r--r-- 1 root root 3,2K aug   10 14:28 9063

-rw-r--r-- 1 root root 4,4K aug   10 14:28 9064

-rw-r--r-- 1 root root 4,0K aug   10 14:28 9067

-rw-r--r-- 1 root root 3,0K aug   10 14:28 9083

-rw-r--r-- 1 root root 3,0K aug   10 14:28 9084

-rw-r--r-- 1 root root 3,1K aug   10 14:28 9085

-rw-r--r-- 1 root root  127 aug   10 14:28 empty

-rw-r--r-- 1 root root    2 aug   10 14:28 hsic_next

-rw-r--r-- 1 root root    5 aug   10 14:28 hsusb_next

</pre>

Looking into the file @7e35@ (the id of the D-Link device) reveals why ADB is missing - the Android USB Gadget is configured without ADB:

<pre>

# cat bin/usb/compositions/7e35

#!/bin/sh

#

# Copyright (c) 2012, The Linux Foundation. All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are met:

#     * Redistributions of source code must retain the above copyright

#       notice, this list of conditions and the following disclaimer.

#     * Redistributions in binary form must reproduce the above copyright

#       notice, this list of conditions and the following disclaimer in the

#       documentation and/or other materials provided with the distribution.

#     * Neither the name of The Linux Foundation nor the names of its

#       contributors may be used to endorse or promote products derived from

#       this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,

# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,

# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED.  IN NO

# EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,

# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND

# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)

echo "Switching to composition number 0x7e35"

if [ "$1" = "y" ]; then

	num="1"

else

	num="0"

fi

echo 0 > /sys/class/android_usb/android$num/enable

if [ "$2" = "y" ]; then 

	echo 0xAB00 > /sys/class/android_usb/android$num/idProduct

	echo 0x2001 > /sys/class/android_usb/android$num/idVendor

	echo mass_storage > /sys/class/android_usb/android$num/functions

	echo 1 > /sys/class/android_usb/android$num/enable

else

	run_9x15() {

		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct

		echo 0x2001 > /sys/class/android_usb/android$num/idVendor

		echo diag > /sys/class/android_usb/android0/f_diag/clients

		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports

		echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports

		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

 		echo 1 > /sys/class/android_usb/android$num/enable

  	}

	run_9x25() {

		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct

		echo 0x2001 > /sys/class/android_usb/android$num/idVendor

		echo diag > /sys/class/android_usb/android0/f_diag/clients

		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports

		echo SMD,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports

		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

 		echo 1 > /sys/class/android_usb/android$num/enable

	}

	run_9x25_v2() {

		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct

		echo 0x2001 > /sys/class/android_usb/android$num/idVendor

		echo 0123456789ABCDEF > /sys/class/android_usb/android$num/iSerial

		echo diag > /sys/class/android_usb/android0/f_diag/clients

		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports

		echo QTI,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports

		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

 		echo 1 > /sys/class/android_usb/android$num/enable

	}

	case `source /usr/bin/usb/target` in

		*9x15* )

			run_9x15 &

			;;

		*9x25* )

			case `cat /sys/devices/soc0/revision` in

				*1.0* )

					run_9x25 &

					;;

				*2.* )

					run_9x25_v2 &

					;;

				* )

					run_9x25 &

					;;

			esac

			;;

		* )

			run_9x15 &

			;;

  	esac

fi

</pre>

Simple adding @adb@ to the echos should be enough, based on the other script files.

So now the question arises: what kind of dongle would you need to buy that has ADB out of the box? I could tell you the USB device id of such devices:

<pre>

grep -r adb .

./905A:	echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions

./905A:	echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions

./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions

./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions

./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions

./9059:	echo rndis_qc,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions

./9059:	echo rndis,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions

./9064:	echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions

./9064:	echo diag,adb,serial,rmnet:ecm:usb_mbim > /sys/class/android_usb/android$num/functions

./9064:	echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions

./9046:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

./9046:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions

./9024:	echo rndis_qc,adb > /sys/class/android_usb/android$num/functions

./9024:	echo rndis,adb > /sys/class/android_usb/android$num/functions

./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions

./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions

./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions

./902D:	echo rndis_qc,diag,adb > /sys/class/android_usb/android$num/functions

./902D:	echo rndis,diag,adb > /sys/class/android_usb/android$num/functions

./901D:	echo diag,adb > /sys/class/android_usb/android$num/functions

./901D:	echo diag,adb > /sys/class/android_usb/android$num/functions

./9084:	echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions

./9084:	echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions

./902B:	echo rndis_qc,adb,mass_storage > /sys/class/android_usb/android$num/functions

./902B:	echo rndis,adb,mass_storage > /sys/class/android_usb/android$num/functions

./9085:	echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions

./9085:	echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions

./2034:	echo rndis_qc,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions

./2034:	echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions

./2034:	echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions

./9060:	echo diag,qdss,adb > /sys/class/android_usb/android$num/functions

./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions

./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions

./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions

</pre>

It would be great to find out the actual vendor of these device IDs, so we can offer people ideas what to buy.