Revision 6 (domi, 08/15/2018 07:19 PM) → Revision 7/10 (domi, 08/15/2018 07:24 PM)

h1. D-Link DWM-222 stick 



 !{width:300px}dwm222_pic.jpg! 



 This stick is available at multiple operators and it is quite cheap. If you want to get into Linux-based Qualcomm dongles that are easier to attach to your laptop than Quectel modems (no messing around with mini-PCIe to USB adapters and what not) it might be a way to go. 

 *WARNING! 
 Current version of the DWM-222 does NOT expose ADB, so accessing the underlying Linux is currently not possible! HOWEVER there might be ways to enable this functionality, so keep reading, but BE AWARE BEFORE PURCHASING!* 

 It is just a D-Link branded version of cheaper dongles made in China. Some of them are WiFi access points with LTE backhaul using [[QCMAP]]. 
 Example of devices that are closely related: 
 * PTCL Charji Wingle R660 
 * (?)D-Link DWR 901 (unsure, FIXME) 




h2. Hardware


 !{width:500px}pcb_pic.jpg! 


 Opening the stick requires just removing the back cover (which reveals the standard size SIM slot and the microSD card reader), then unscrewing the 3 Phillips screws. 
 The stick is based on the Qualcomm MDM9225 chipset. It is closely related to the MDM9625 apparently (based on the firmware analysis). 
 There are two antenna connectors (U.FL) exposed on the PCB. 

h2. Software

 The dongle is a typical USB WWAN modem. It requires usb_modeswitch to change from mass_storage mode (enables installation of driver) to modem mode. 
 Mass storage mode USB id: *2001:ab00* 
 WWAN USB id: *2001:7e35* 

 After the switch you'll see 4 @ttyUSB@ devices appearing in @/dev@. For me these devices only started to work after telling the @option@ driver about the USB id of the device: 
 <pre> 
 echo "2001 7e35" > /sys/bus/usb-serial/drivers/option1/new_id 
 </pre> 

 The devices are: 
 <pre> 
 /dev/ttyUSB0    --> DIAG 
 /dev/ttyUSB1    --> AT commands 
 /dev/ttyUSB2 
 /dev/ttyUSB3 
 /dev/cdc-wdm0 --> QMI 
 </pre> 

h3. Drivers

 When the stick is in mass_storage mode, a Windows driver is available together with D-Link Connection Manager. It basically just switches the device to modem mode, and then provides a GUI to establish a connection. 
 Surprisingly, D-Link provides Linux support for the dongle. A page is dedicated to guiding you through the installation: https://eu.dlink.com/uk/en/support/faq/routers/mobile-routers/how-to-install-my-dwm-222-on-ubuntu 
 However, it is not recommended to follow the instructions, because the 'driver' is just a collection of bash scripts that try to configure the PPP daemon. Interestingly, it has a complete collection of MCC, MNC, APN triples for all operators around the world. Based on the IMSI queried from the SIM card, it tries to find the right settings and feed them to pppd. 

h2. Firmware

 There are 2 firmware versions available for download currently: 2.0.1 and 2.0.8. https://eu.dlink.com/uk/en/products/dwm-222-4g-lte-usb-adapter#support 
 The dongle that I had came with an older version, 1.7.9. It didn't really work for me, so I upgraded to 2.0.8: 

h3. Upgrade process

 Upgrade can only be done from Windows. The file provided is a self-extracting executable. After extracting the contents it turned out to be quite interesting: a collection of executables and batch files, as well as MBN and yaffs2 images. 
 After tracing the upgrade process I've established its steps roughly: 

 <pre> 
 Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots. 
 </pre> 

 Now comes the tricky part: the bat file tries to reboot the device into @fastboot@ mode using ADB shell. However, D-Link requested ADB to be turned off for the device, so the @fastboot@ part fails. Basically you'll end up with a device that has new DSP software, but the Android part is unchanged. Fortunately the device stays operational after the failed update, only its LED is stuck on white instead of different colors/blinking. 
 So the complete upgrade cycle would look like this (based on reading the bat files): 

 <pre> 
 Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots 
 -> ADB shell to reboot into fastboot mode -> Android images are flashed using fastboot (rootfs, usr) -> Device rebooted again, check if it is not stuck in bootloader -> Done. 
 </pre> 

h3. Analyzing the firmware

 Since it is just YAFFS2 it was easy to unpack the firmware and poke around it. No encryption/signatures/etc. was in place. 
 It is, as suspected, Linux. 
 They supply 2 YAFFS2 images: one is the @rootfs@, the other is @/usr@ 

 File list of @rootfs@ 

 <pre> 
 # ls -lha 
 total 84K 
 drwxr-xr-x 20 root root 4,0K aug     10 14:58 . 
 drwxr-xr-x    5 root root 4,0K aug     10 15:30 .. 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 bin 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 boot 
 -rw-r--r--    1 root root     47 aug     10 14:58 build.prop 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 cache 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 dev 
 drwxr-xr-x 30 root root 4,0K aug     10 14:58 etc 
 drwxr-xr-x    3 root root 4,0K aug     10 14:58 home 
 drwxr-xr-x    5 root root 4,0K aug     10 14:58 lib 
 lrwxrwxrwx    1 root root     12 aug     10 14:58 linuxrc -> /bin/busybox 
 drwxr-xr-x 10 root root 4,0K aug     10 14:58 media 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 mnt 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 proc 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 sbin 
 lrwxrwxrwx    1 root root     11 aug     10 14:58 sdcard -> /media/card 
 drwxr-xr-x    3 root root 4,0K aug     10 14:58 share 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 sys 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 tmp 
 drwxr-xr-x    2 root root 4,0K aug     10 14:58 usr 
 drwxr-xr-x    8 root root 4,0K aug     10 14:58 var 
 drwxr-xr-x    3 root root 4,0K aug     10 14:58 WEBSERVER 
 drwxr-xr-x    5 root root 4,0K aug     10 14:58 www 
 </pre> 

 The @WEBSERVER@ and @www@ directories are there for the WiFi router versions, which use a web-based interface for settings. 

 I was mainly curious about ADB, so I followed the @/etc/init.d/usb@ script. It saves the USB device id of the device to a file, then based on the id it starts a bash script located in @/usr/bin/usb/compositions@ 

 <pre> 
 ls -lha bin/usb/compositions/ 
 total 228K 
 drwxr-xr-x 2 root root 4,0K aug     10 14:58 . 
 drwxr-xr-x 3 root root 4,0K aug     10 14:28 .. 
 -rw-r--r-- 1 root root 3,8K aug     10 14:28 2033 
 -rw-r--r-- 1 root root 4,0K aug     10 14:28 2034 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 2037 
 -rw-r--r-- 1 root root 3,8K aug     10 14:28 3443 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 3444 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 4030 
 -rw-r--r-- 1 root root 3,8K aug     10 14:58 7e35 
 -rw-r--r-- 1 root root 4,6K aug     10 14:28 7e35A 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 7e37 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 7e38 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 7e39 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 7e3c 
 -rw-r--r-- 1 root root 3,8K aug     10 14:28 7e3d 
 -rw-r--r-- 1 root root 2,3K aug     10 14:28 9002 
 -rw-r--r-- 1 root root 2,2K aug     10 14:28 901C 
 -rw-r--r-- 1 root root 2,8K aug     10 14:28 901D 
 -rw-r--r-- 1 root root 3,4K aug     10 14:28 9021 
 -rw-r--r-- 1 root root 3,4K aug     10 14:28 9022 
 -rw-r--r-- 1 root root 2,7K aug     10 14:28 9024 
 -rw-r--r-- 1 root root 3,6K aug     10 14:28 9025 
 -rw-r--r-- 1 root root 3,5K aug     10 14:28 9026 
 -rw-r--r-- 1 root root 2,7K aug     10 14:28 902A 
 -rw-r--r-- 1 root root 2,7K aug     10 14:28 902B 
 -rw-r--r-- 1 root root 2,7K aug     10 14:28 902C 
 -rw-r--r-- 1 root root 2,8K aug     10 14:28 902D 
 -rw-r--r-- 1 root root 3,9K aug     10 14:28 902E 
 -rw-r--r-- 1 root root 3,3K aug     10 14:28 9043 
 -rw-r--r-- 1 root root 3,0K aug     10 14:28 9046 
 -rw-r--r-- 1 root root 2,4K aug     10 14:28 9047 
 -rw-r--r-- 1 root root 3,5K aug     10 14:28 9049 
 -rw-r--r-- 1 root root 2,2K aug     10 14:28 904A 
 -rw-r--r-- 1 root root 3,6K aug     10 14:28 9056 
 -rw-r--r-- 1 root root 2,7K aug     10 14:28 9057 
 -rw-r--r-- 1 root root 2,9K aug     10 14:28 9059 
 -rw-r--r-- 1 root root 3,2K aug     10 14:28 905A 
 -rw-r--r-- 1 root root 3,0K aug     10 14:28 905B 
 -rw-r--r-- 1 root root 2,2K aug     10 14:28 9060 
 -rw-r--r-- 1 root root 3,2K aug     10 14:28 9063 
 -rw-r--r-- 1 root root 4,4K aug     10 14:28 9064 
 -rw-r--r-- 1 root root 4,0K aug     10 14:28 9067 
 -rw-r--r-- 1 root root 3,0K aug     10 14:28 9083 
 -rw-r--r-- 1 root root 3,0K aug     10 14:28 9084 
 -rw-r--r-- 1 root root 3,1K aug     10 14:28 9085 
 -rw-r--r-- 1 root root    127 aug     10 14:28 empty 
 -rw-r--r-- 1 root root      2 aug     10 14:28 hsic_next 
 -rw-r--r-- 1 root root      5 aug     10 14:28 hsusb_next 
 </pre> 

 Looking into the file @7e35@ (the id of the D-Link device) reveals why ADB is missing - the Android USB Gadget is configured without ADB: 

 <pre> 
 # cat bin/usb/compositions/7e35 

 #!/bin/sh 
 # 
 # Copyright (c) 2012, The Linux Foundation. All rights reserved. 
 # 
 # Redistribution and use in source and binary forms, with or without 
 # modification, are permitted provided that the following conditions are met: 
 #       * Redistributions of source code must retain the above copyright 
 #         notice, this list of conditions and the following disclaimer. 
 #       * Redistributions in binary form must reproduce the above copyright 
 #         notice, this list of conditions and the following disclaimer in the 
 #         documentation and/or other materials provided with the distribution. 
 #       * Neither the name of The Linux Foundation nor the names of its 
 #         contributors may be used to endorse or promote products derived from 
 #         this software without specific prior written permission. 
 # 
 # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, 
 # FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED.    IN NO 
 # EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
 # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
 # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
 # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
 # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

 # DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android) 

 echo "Switching to composition number 0x7e35" 

 if [ "$1" = "y" ]; then 
	 num="1" 
 else 
	 num="0" 
 fi 

 echo 0 > /sys/class/android_usb/android$num/enable 
 if [ "$2" = "y" ]; then  
	 echo 0xAB00 > /sys/class/android_usb/android$num/idProduct 
	 echo 0x2001 > /sys/class/android_usb/android$num/idVendor 
	 echo mass_storage > /sys/class/android_usb/android$num/functions 
	 echo 1 > /sys/class/android_usb/android$num/enable 
 else 
	 run_9x15() { 
		 echo 0x7e35 > /sys/class/android_usb/android$num/idProduct 
		 echo 0x2001 > /sys/class/android_usb/android$num/idVendor 
		 echo diag > /sys/class/android_usb/android0/f_diag/clients 
		 echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports 
		 echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports 
		 echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 		 echo 1 > /sys/class/android_usb/android$num/enable 
  	 } 

	 run_9x25() { 
		 echo 0x7e35 > /sys/class/android_usb/android$num/idProduct 
		 echo 0x2001 > /sys/class/android_usb/android$num/idVendor 
		 echo diag > /sys/class/android_usb/android0/f_diag/clients 
		 echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports 
		 echo SMD,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports 
		 echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 		 echo 1 > /sys/class/android_usb/android$num/enable 
	 } 

	 run_9x25_v2() { 
		 echo 0x7e35 > /sys/class/android_usb/android$num/idProduct 
		 echo 0x2001 > /sys/class/android_usb/android$num/idVendor 
		 echo 0123456789ABCDEF > /sys/class/android_usb/android$num/iSerial 
		 echo diag > /sys/class/android_usb/android0/f_diag/clients 
		 echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports 
		 echo QTI,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports 
		 echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 		 echo 1 > /sys/class/android_usb/android$num/enable 
	 } 

	 case `source /usr/bin/usb/target` in 
		 *9x15* ) 
			 run_9x15 & 
			 ;; 
		 *9x25* ) 
			 case `cat /sys/devices/soc0/revision` in 
				 *1.0* ) 
					 run_9x25 & 
					 ;; 
				 *2.* ) 
					 run_9x25_v2 & 
					 ;; 
				 * ) 
					 run_9x25 & 
					 ;; 
			 esac 
			 ;; 
		 * ) 
			 run_9x15 & 
			 ;; 
  	 esac 
 fi 

 </pre> 

 Simply adding @adb@ to the echo lines should be enough, based on the other script files. So I added the string @adb@ to the right places in the file and re-packed the @usr@ YAFFS2 image, just to find out that I could not get it into fastboot mode... So if someone could find a way to put the dongle into fastboot mode, then simply installing a patched firmware file would enable ADB on the device. 

 So now the question arises: what kind of dongle would you need to buy that has ADB out of the box? I could tell you the USB device id of such devices: 

 <pre> 
 grep -r adb . 
 ./905A: 	 echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions 
 ./905A: 	 echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions 
 ./9025: 	 echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 ./9025: 	 echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 ./9025: 	 echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 ./9022: 	 echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions 
 ./9022: 	 echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions 
 ./9022: 	 echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions 
 ./9059: 	 echo rndis_qc,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions 
 ./9059: 	 echo rndis,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions 
 ./9064: 	 echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions 
 ./9064: 	 echo diag,adb,serial,rmnet:ecm:usb_mbim > /sys/class/android_usb/android$num/functions 
 ./9064: 	 echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions 
 ./9046: 	 echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 ./9046: 	 echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions 
 ./9024: 	 echo rndis_qc,adb > /sys/class/android_usb/android$num/functions 
 ./9024: 	 echo rndis,adb > /sys/class/android_usb/android$num/functions 
 ./9049: 	 echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions 
 ./9049: 	 echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions 
 ./9049: 	 echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions 
 ./902D: 	 echo rndis_qc,diag,adb > /sys/class/android_usb/android$num/functions 
 ./902D: 	 echo rndis,diag,adb > /sys/class/android_usb/android$num/functions 
 ./901D: 	 echo diag,adb > /sys/class/android_usb/android$num/functions 
 ./901D: 	 echo diag,adb > /sys/class/android_usb/android$num/functions 
 ./9084: 	 echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions 
 ./9084: 	 echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions 
 ./902B: 	 echo rndis_qc,adb,mass_storage > /sys/class/android_usb/android$num/functions 
 ./902B: 	 echo rndis,adb,mass_storage > /sys/class/android_usb/android$num/functions 
 ./9085: 	 echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions 
 ./9085: 	 echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions 
 ./2034: 	 echo rndis_qc,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions 
 ./2034: 	 echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions 
 ./2034: 	 echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions 
 ./9060: 	 echo diag,qdss,adb > /sys/class/android_usb/android$num/functions 
 ./9056: 	 echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions 
 ./9056: 	 echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions 
 ./9056: 	 echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions 
 </pre> 

 It would be great to find out the actual vendor of these, so we can tell people exactly what to buy. I'm assuming Chinese LTE dongles from eBay are prime candidates, but that's just a guess.
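
 When auditing an unpacked image like this one for exposed debug interfaces, the raw grep output repeats identical lines and only covers @adb@. The script below is an added example, not part of the original page or of the firmware: it summarises, per product id, which debug-capable functions each composition script enables. The helper names and the sample files are constructed, and treating @adb@, @diag@ and @qdss@ as the debug-capable set is an assumption of the example.

```shell
#!/bin/sh
# Added example: report which USB functions each composition script enables.
# Assumes one script per product id, each writing its function list to
# /sys/class/android_usb/android$num/functions, as in the files shown above.

# list_functions DIR -> "<pid> <function list>", one line per distinct list
list_functions() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        pid=$(basename "$f")
        awk -v pid="$pid" '$1 == "echo" && $3 == ">" &&
            $4 ~ "^/sys/class/android_usb/[^/]+/functions$" { print pid, $2 }' "$f" |
            sort -u
    done
}

# debug_functions LIST -> debug-capable functions in LIST (adb, diag, qdss), or "-"
debug_functions() {
    found=""
    for fn in $(printf '%s\n' "$1" | tr ',:' '  '); do
        case $fn in
            adb|diag|qdss)
                case " $found " in
                    *" $fn "*) ;;
                    *) found="${found:+$found }$fn" ;;
                esac ;;
        esac
    done
    printf '%s\n' "${found:--}"
}

# audit_compositions DIR -> "<pid> TAB <debug functions> TAB <function list>"
audit_compositions() {
    list_functions "$1" | while read -r pid funcs; do
        printf '%s\t%s\t%s\n' "$pid" "$(debug_functions "$funcs")" "$funcs"
    done
}

# adb_enabled_ids DIR -> product ids with at least one composition exposing adb
adb_enabled_ids() {
    audit_compositions "$1" | awk -F '\t' '$2 ~ /(^| )adb( |$)/ { print $1 }' | sort -u
}

# make_sample DIR: constructed sample input modelled on the listings above
make_sample() {
    mkdir -p "$1"
    target='/sys/class/android_usb/android$num/functions'
    printf '\techo mass_storage > %s\n\techo diag,serial,rmnet,mass_storage > %s\n' "$target" "$target" > "$1/7e35"
    printf '\techo diag,adb,serial,rmnet,mass_storage > %s\n' "$target" "$target" "$target" > "$1/9025"
    printf '\techo rndis_qc,adb > %s\n\techo rndis,adb > %s\n' "$target" "$target" > "$1/9024"
}

# Usage: sh audit.sh /path/to/unpacked/usr/bin/usb/compositions
[ "$#" -eq 0 ] || audit_compositions "$1"
```

 Run against the unpacked @usr@ image, the second column shows at a glance which compositions would expose a debug interface over USB; @make_sample@ creates a small constructed directory for trying it out.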