D-Link DWM-222 stick » History » Version 10

domi, 08/20/2018 11:18 AM

h1. D-Link DWM-222 stick

{{>toc}}

!{width:300px}dwm222_pic.jpg!

This stick is available from multiple operators and it is quite cheap. If you want to get into Linux-based Qualcomm dongles that are easier to attach to your laptop than Quectel modems (no messing around with mini-PCIe to USB adapters and whatnot), it might be a way to go.

*WARNING!
The current version of the DWM-222 does NOT expose ADB, so accessing the underlying Linux is currently not possible! HOWEVER, there might be ways to enable this functionality, so keep reading, but BE AWARE BEFORE PURCHASING!*

It is just a D-Link-branded version of cheaper dongles made in China. Some of them are WiFi access points with LTE backhaul using [[QCMAP]].

Examples of closely related devices:

* PTCL Charji Wingle R660
* (?) D-Link DWR 901 (unsure, FIXME)

h2. Hardware

!{width:500px}pcb_pic.jpg!

Opening the stick only requires removing the back cover (which reveals the standard-size SIM slot and the microSD card reader) and then unscrewing the 3 Phillips screws.
The stick is based on the Qualcomm MDM9225 chipset. Judging by the firmware analysis, it is apparently closely related to the MDM9625.

There are two antenna connectors (U.FL) exposed on the PCB.

h2. Software

The dongle is a typical USB WWAN modem. It requires usb_modeswitch to change from mass_storage mode (which enables installation of the driver) to modem mode.
Mass storage mode USB id: *2001:ab00*
WWAN USB id: *2001:7e35*

After the switch you'll see 4 @ttyUSB@ devices appearing in @/dev@. For me these devices only started to work after telling the @option@ driver about the USB id of the device:

<pre>
echo "2001 7e35" > /sys/bus/usb-serial/drivers/option1/new_id
</pre>

The devices are:

<pre>
/dev/ttyUSB0  --> DIAG
/dev/ttyUSB1  --> AT commands
/dev/ttyUSB2
/dev/ttyUSB3
/dev/cdc-wdm0 --> QMI
</pre>

h3. Drivers

In mass_storage mode, a Windows driver is available together with D-Link Connection Manager. It basically just switches the device to modem mode and then provides a GUI to establish a connection.

Surprisingly, D-Link provides Linux support for the dongle. A page is dedicated to guiding you through the installation: https://eu.dlink.com/uk/en/support/faq/routers/mobile-routers/how-to-install-my-dwm-222-on-ubuntu

However, following the instructions is not recommended, because the 'driver' is just a collection of bash scripts that try to configure the PPP daemon. Interestingly, it has a complete collection of MCC, MNC, APN triples for all operators around the world. Based on the IMSI queried from the SIM card, it tries to find the right settings and feed them to pppd.

h2. Firmware

There are 2 firmware versions currently available for download: 2.0.1 and 2.0.8. https://eu.dlink.com/uk/en/products/dwm-222-4g-lte-usb-adapter#support
The dongle that I had came with an older version, 1.7.9. It didn't really work for me, so I upgraded to 2.0.8.

h3. Upgrade process

The upgrade can only be done from Windows. The file provided is a self-extracting executable. Its extracted contents turned out to be quite interesting: a collection of executables and batch files, as well as MBN and YAFFS2 images.
After tracing the upgrade process I've roughly established its steps:

<pre>
Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots.
</pre>

Now comes the tricky part: the bat file tries to reboot the device into @fastboot@ mode using ADB shell. However, D-Link requested ADB to be turned off for the device, so the @fastboot@ part fails. Basically you'll end up with a device that has new DSP software, but the Android part is unchanged. Fortunately the device stays operational after the failed update; only its LED is stuck on white instead of showing different colors/blinking.
So the complete upgrade cycle would look like this (based on reading the bat files):

<pre>
Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots
-> ADB shell to reboot into fastboot mode -> Android images are flashed using fastboot (rootfs, usr) -> Device rebooted again, check if it is not stuck in bootloader -> Done.
</pre>

h3. Analyzing the firmware

Since it is just YAFFS2, it was easy to unpack the firmware and poke around in it. No encryption, signatures, etc. were in place.
It is, as suspected, Linux.
They supply 2 YAFFS2 images: one is the @rootfs@, the other is @/usr@.

File list of @rootfs@:

<pre>
# ls -lha
total 84K
drwxr-xr-x 20 root root 4,0K aug   10 14:58 .
drwxr-xr-x  5 root root 4,0K aug   10 15:30 ..
drwxr-xr-x  2 root root 4,0K aug   10 14:58 bin
drwxr-xr-x  2 root root 4,0K aug   10 14:58 boot
-rw-r--r--  1 root root   47 aug   10 14:58 build.prop
drwxr-xr-x  2 root root 4,0K aug   10 14:58 cache
drwxr-xr-x  2 root root 4,0K aug   10 14:58 dev
drwxr-xr-x 30 root root 4,0K aug   10 14:58 etc
drwxr-xr-x  3 root root 4,0K aug   10 14:58 home
drwxr-xr-x  5 root root 4,0K aug   10 14:58 lib
lrwxrwxrwx  1 root root   12 aug   10 14:58 linuxrc -> /bin/busybox
drwxr-xr-x 10 root root 4,0K aug   10 14:58 media
drwxr-xr-x  2 root root 4,0K aug   10 14:58 mnt
drwxr-xr-x  2 root root 4,0K aug   10 14:58 proc
drwxr-xr-x  2 root root 4,0K aug   10 14:58 sbin
lrwxrwxrwx  1 root root   11 aug   10 14:58 sdcard -> /media/card
drwxr-xr-x  3 root root 4,0K aug   10 14:58 share
drwxr-xr-x  2 root root 4,0K aug   10 14:58 sys
drwxr-xr-x  2 root root 4,0K aug   10 14:58 tmp
drwxr-xr-x  2 root root 4,0K aug   10 14:58 usr
drwxr-xr-x  8 root root 4,0K aug   10 14:58 var
drwxr-xr-x  3 root root 4,0K aug   10 14:58 WEBSERVER
drwxr-xr-x  5 root root 4,0K aug   10 14:58 www
</pre>

The @WEBSERVER@ and @www@ directories are there for the WiFi router versions, which use a web-based interface for settings.

I was mainly curious about ADB, so I followed the @/etc/init.d/usb@ script. It saves the USB device id of the device to a file, then, based on the id, it starts a bash script located in @/usr/bin/usb/compositions@:

<pre>
ls -lha bin/usb/compositions/
total 228K
drwxr-xr-x 2 root root 4,0K aug   10 14:58 .
drwxr-xr-x 3 root root 4,0K aug   10 14:28 ..
-rw-r--r-- 1 root root 3,8K aug   10 14:28 2033
-rw-r--r-- 1 root root 4,0K aug   10 14:28 2034
-rw-r--r-- 1 root root 4,4K aug   10 14:28 2037
-rw-r--r-- 1 root root 3,8K aug   10 14:28 3443
-rw-r--r-- 1 root root 4,4K aug   10 14:28 3444
-rw-r--r-- 1 root root 4,4K aug   10 14:28 4030
-rw-r--r-- 1 root root 3,8K aug   10 14:58 7e35
-rw-r--r-- 1 root root 4,6K aug   10 14:28 7e35A
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e37
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e38
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e39
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e3c
-rw-r--r-- 1 root root 3,8K aug   10 14:28 7e3d
-rw-r--r-- 1 root root 2,3K aug   10 14:28 9002
-rw-r--r-- 1 root root 2,2K aug   10 14:28 901C
-rw-r--r-- 1 root root 2,8K aug   10 14:28 901D
-rw-r--r-- 1 root root 3,4K aug   10 14:28 9021
-rw-r--r-- 1 root root 3,4K aug   10 14:28 9022
-rw-r--r-- 1 root root 2,7K aug   10 14:28 9024
-rw-r--r-- 1 root root 3,6K aug   10 14:28 9025
-rw-r--r-- 1 root root 3,5K aug   10 14:28 9026
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902A
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902B
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902C
-rw-r--r-- 1 root root 2,8K aug   10 14:28 902D
-rw-r--r-- 1 root root 3,9K aug   10 14:28 902E
-rw-r--r-- 1 root root 3,3K aug   10 14:28 9043
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9046
-rw-r--r-- 1 root root 2,4K aug   10 14:28 9047
-rw-r--r-- 1 root root 3,5K aug   10 14:28 9049
-rw-r--r-- 1 root root 2,2K aug   10 14:28 904A
-rw-r--r-- 1 root root 3,6K aug   10 14:28 9056
-rw-r--r-- 1 root root 2,7K aug   10 14:28 9057
-rw-r--r-- 1 root root 2,9K aug   10 14:28 9059
-rw-r--r-- 1 root root 3,2K aug   10 14:28 905A
-rw-r--r-- 1 root root 3,0K aug   10 14:28 905B
-rw-r--r-- 1 root root 2,2K aug   10 14:28 9060
-rw-r--r-- 1 root root 3,2K aug   10 14:28 9063
-rw-r--r-- 1 root root 4,4K aug   10 14:28 9064
-rw-r--r-- 1 root root 4,0K aug   10 14:28 9067
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9083
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9084
-rw-r--r-- 1 root root 3,1K aug   10 14:28 9085
-rw-r--r-- 1 root root  127 aug   10 14:28 empty
-rw-r--r-- 1 root root    2 aug   10 14:28 hsic_next
-rw-r--r-- 1 root root    5 aug   10 14:28 hsusb_next
</pre>

Looking into the file @7e35@ (the id of the D-Link device) reveals why ADB is missing: the Android USB Gadget is configured without ADB.

<pre>
# cat bin/usb/compositions/7e35

#!/bin/sh
#
# Copyright (c) 2012, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED.  IN NO
# EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)

echo "Switching to composition number 0x7e35"

if [ "$1" = "y" ]; then
	num="1"
else
	num="0"
fi

echo 0 > /sys/class/android_usb/android$num/enable
if [ "$2" = "y" ]; then
	echo 0xAB00 > /sys/class/android_usb/android$num/idProduct
	echo 0x2001 > /sys/class/android_usb/android$num/idVendor
	echo mass_storage > /sys/class/android_usb/android$num/functions
	echo 1 > /sys/class/android_usb/android$num/enable
else
	run_9x15() {
		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
		echo 0x2001 > /sys/class/android_usb/android$num/idVendor
		echo diag > /sys/class/android_usb/android0/f_diag/clients
		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
		echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports
		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
		echo 1 > /sys/class/android_usb/android$num/enable
	}

	run_9x25() {
		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
		echo 0x2001 > /sys/class/android_usb/android$num/idVendor
		echo diag > /sys/class/android_usb/android0/f_diag/clients
		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
		echo SMD,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
		echo 1 > /sys/class/android_usb/android$num/enable
	}

	run_9x25_v2() {
		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
		echo 0x2001 > /sys/class/android_usb/android$num/idVendor
		echo 0123456789ABCDEF > /sys/class/android_usb/android$num/iSerial
		echo diag > /sys/class/android_usb/android0/f_diag/clients
		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
		echo QTI,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
		echo 1 > /sys/class/android_usb/android$num/enable
	}

	case `source /usr/bin/usb/target` in
		*9x15* )
			run_9x15 &
			;;
		*9x25* )
			case `cat /sys/devices/soc0/revision` in
				*1.0* )
					run_9x25 &
					;;
				*2.* )
					run_9x25_v2 &
					;;
				* )
					run_9x25 &
					;;
			esac
			;;
		* )
			run_9x15 &
			;;
	esac
fi

</pre>

Simply adding @adb@ to the echos should be enough, based on the other script files. So I added the string @adb@ to the right places in the file and re-packed the @usr@ YAFFS2 image, only to find out that I could not get the device into fastboot mode... So if someone could find a way to put the dongle into fastboot mode, then simply installing a patched firmware file would enable ADB on the device.

So now the question arises: what kind of dongle would you need to buy that has ADB out of the box? I can tell you the USB device ids of such devices:

<pre>
grep -r adb .
./905A:	echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions
./905A:	echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions
./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9059:	echo rndis_qc,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions
./9059:	echo rndis,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions
./9064:	echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions
./9064:	echo diag,adb,serial,rmnet:ecm:usb_mbim > /sys/class/android_usb/android$num/functions
./9064:	echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions
./9046:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9046:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9024:	echo rndis_qc,adb > /sys/class/android_usb/android$num/functions
./9024:	echo rndis,adb > /sys/class/android_usb/android$num/functions
./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./902D:	echo rndis_qc,diag,adb > /sys/class/android_usb/android$num/functions
./902D:	echo rndis,diag,adb > /sys/class/android_usb/android$num/functions
./901D:	echo diag,adb > /sys/class/android_usb/android$num/functions
./901D:	echo diag,adb > /sys/class/android_usb/android$num/functions
./9084:	echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions
./9084:	echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions
./902B:	echo rndis_qc,adb,mass_storage > /sys/class/android_usb/android$num/functions
./902B:	echo rndis,adb,mass_storage > /sys/class/android_usb/android$num/functions
./9085:	echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions
./9085:	echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions
./2034:	echo rndis_qc,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./2034:	echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./2034:	echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./9060:	echo diag,qdss,adb > /sys/class/android_usb/android$num/functions
./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
</pre>

It would be great to find out the actual vendor of these, so we can tell people exactly what to buy. I'm assuming Chinese LTE dongles from eBay are prime candidates, but that's just a guess.

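
The check that the @grep -r adb@ above does by eye can be scripted when reviewing an unpacked image. This is an added example, not part of the original page or of the firmware: it parses the @functions@ lines of each composition script and flags files, like @7e35@, whose DESCRIPTION header advertises ADB that no echo line enables. The sample files are constructed from lines quoted on this page; the function names and the choice to treat both @,@ and @:@ as separators are assumptions of the example.

```python
import re
import tempfile
from pathlib import Path

# echo <list> > /sys/class/android_usb/android<N or $num>/functions
FUNCTIONS_RE = re.compile(
    r"^\s*echo\s+(\S+)\s*>\s*/sys/class/android_usb/android[^/\s]*/functions\s*$")
DESCRIPTION_RE = re.compile(r"^#\s*DESCRIPTION:\s*(.*)$")


def parse_composition(text):
    """Return (functions enabled by echo lines, DESCRIPTION header text)."""
    enabled, description = set(), ""
    for line in text.splitlines():
        m = DESCRIPTION_RE.match(line)
        if m:
            description = m.group(1).strip()
        m = FUNCTIONS_RE.match(line)
        if m:
            # Assumption: ',' and ':' both separate gadget function names.
            enabled.update(f for f in re.split(r"[,:]", m.group(1)) if f)
    return enabled, description


def audit(directory):
    """Map each composition file that sets functions to its debug exposure."""
    report = {}
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        enabled, description = parse_composition(path.read_text(errors="replace"))
        if not enabled:
            continue  # helper files with no functions line
        report[path.name] = {
            "functions": sorted(enabled),
            "adb": "adb" in enabled, "diag": "diag" in enabled,
            # Header advertises ADB but no echo line enables it (the 7e35 case).
            "stale_description": "ADB" in description.upper() and "adb" not in enabled,
        }
    return report

# Constructed sample files, reduced to lines of the kind quoted on this page.
FN = "/sys/class/android_usb/android$num/functions"
SAMPLES = {
    "7e35": "# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)\n"
            f"\techo diag,serial,rmnet,mass_storage > {FN}\n",
    "9025": f"\techo diag,adb,serial,rmnet,mass_storage > {FN}\n",
    "9059": f"\techo rndis_qc,diag,adb:ecm_qc > {FN}\n",
    "empty": "#!/bin/sh\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            Path(tmp, name).write_text(body)
        return audit(tmp)
```

Calling @audit()@ on the unpacked @bin/usb/compositions@ directory gives one entry per USB product id; the header comment alone is not a reliable indicator of what the gadget exposes.
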

UPDATE:
Starting to collect devices (based on Internet searches, so no warranty on these):

* Alcatel/Bell ASB TL131 - 05c6: *9025*
* Novatel USB620L (Enterprise mode?) - 1410: *9022*