Huawei ME906 » History » Version 11
laforge, 01/15/2017 09:50 PM
| 1 | 10 | laforge | {{>toc}} |
|---|---|---|---|
| 2 | |||
| 3 | 11 | laforge | h1. Huawei ME906 |
| 4 | 1 | laforge | |
| 5 | 11 | laforge | The Huawei ME906 is yet another MDM9x15 based cellular modem that uses Linux on its Cortex-A5 processor, based on [[Qualcomm_Linux]] (LE). There are several variants (ME906A, ME906C, ME906J, ME906E, ME906V). There also is a ME906S-158, which is *not* a Qualcomm based device. |
| 6 | 2 | laforge | |
| 7 | h2. USB configuration |
||
| 8 | |||
| 9 | The ME906v has different USB configurations: |
||
| 10 | |||
| 11 | h3. Configuration 1 |
||
| 12 | |||
| 13 | |Interface|Name|Description| |
||
| 14 | |0|Huawei Mobile Connect - Modem|AT Commands| |
||
| 15 | |1|Huawei Mobile Connect - Application|DIAG| |
||
| 16 | |2|Huawei Mobile Connect - Pcui|| |
||
| 17 | |3|HUAWEI Mobile Connect - Network Card|qmi-wwan| |
||
| 18 | |4|Huawei Mobile Connect - Gps|| |
||
| 19 | |5|Huawei Mobile Connect - Serial B|| |
||
| 20 | |||
| 21 | h3. Configuration 2 |
||
| 22 | |||
| 23 | |Interface|Name|Description| |
||
| 24 | |0|CDC Ethernet Control Model (ECM)|| |
||
| 25 | |1|CDC Ethernet Data|| |
||
| 26 | |2|Huawei Mobile Connect - Modem|| |
||
| 27 | |3|HUAWEI Mobile Connect - Application|| |
||
| 28 | |4|HUAWEI Mobile Connect - Pcui|| |
||
| 29 | |5|Huawei Mobile Connect - Gps|| |
||
| 30 | |6|Huawei Mobile Connect - Serial B|| |
||
| 31 | |||
| 32 | h3. Configuration 3 |
||
| 33 | |||
| 34 | |Interface|Name|Description| |
||
| 35 | |0|HUAWEI Mobile Connect - Network Card|| |
||
| 36 | 1 | laforge | |2|Huawei Mobile Connect - Gps|| |
| 37 | 4 | laforge | |
| 38 | h3. Initialization on Linux side: |
||
| 39 | |||
| 40 | from /usr/bin/usb/ (combining multipel scripts, expanding variables) |
||
| 41 | |||
| 42 | <pre> |
||
| 43 | echo "hsusb" > /sys/devices/platform/usb_bam/enable |
||
| 44 | echo 0 > /sys/class/android_usb/android0/enable |
||
| 45 | echo 0x1573 > /sys/class/android_usb/android0/idProduct |
||
| 46 | echo 0x12D1 > /sys/class/android_usb/android0/idVendor |
||
| 47 | echo diag > /sys/class/android_usb/android0/f_diag/clients |
||
| 48 | echo smd,tty > /sys/class/android_usb/android0/f_serial/transports |
||
| 49 | echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports |
||
| 50 | echo "pcui,diag,modem,ccid,rmnet,gps:usb_mbim,gps" > /sys/class/android_usb/android0/functions |
||
| 51 | echo 0 > /sys/class/android_usb/android0/mbim_name |
||
| 52 | echo 0 > /sys/module/restart/parameters/download_mode |
||
| 53 | echo 1 > /sys/class/android_usb/android0/remote_wakeup |
||
| 54 | echo 1 > /sys/class/android_usb/android0/enable |
||
| 55 | </pre> |
||
| 56 | 2 | laforge | |
| 57 | h2. AT Command interface |
||
| 58 | |||
| 59 | Unless otherwise noted, this was done using a modem with the following firmware version: |
||
| 60 | |||
| 61 | <pre> |
||
| 62 | ATI |
||
| 63 | Manufacturer: Huawei Technologies Co., Ltd. |
||
| 64 | Model: ME906V |
||
| 65 | Revision: 11.234.44.03.00 |
||
| 66 | </pre> |
||
| 67 | |||
| 68 | 3 | laforge | <pre> |
| 69 | root@9615-cdp:/# cat /build.prop |
||
| 70 | ro.build.version.release=AU_LINUX_BASE_KIWI_TARGET_ALL.03.00.032 |
||
| 71 | </pre> |
||
| 72 | |||
| 73 | 2 | laforge | h3. Interesting non-standard commands |
| 74 | |||
| 75 | The following commands appear to be non-standard and implemented in the device: |
||
| 76 | |||
| 77 | <pre> |
||
| 78 | +ES |
||
| 79 | +ESA |
||
| 80 | +CMOD |
||
| 81 | +CEMODE |
||
| 82 | +CVHU |
||
| 83 | +CECALL |
||
| 84 | +HUAWEI |
||
| 85 | ^TBAT |
||
| 86 | ^TCHRENABLE |
||
| 87 | ^TCHRINFO |
||
| 88 | ^APBATLVL |
||
| 89 | ^SETMODE |
||
| 90 | $QCSIMSTAT |
||
| 91 | $QCPBMPREF |
||
| 92 | $CREG |
||
| 93 | $CCLK |
||
| 94 | $QCCNMI |
||
| 95 | *CNTI |
||
| 96 | $QCCLR |
||
| 97 | $QCDMR |
||
| 98 | $QCDNSP |
||
| 99 | $QCDNSS |
||
| 100 | $QCTER |
||
| 101 | $QCSLOT |
||
| 102 | $QCSIMAPP |
||
| 103 | $QCPINSTAT |
||
| 104 | $QCPDPP |
||
| 105 | $QCPDPLT |
||
| 106 | $QCPWRDN |
||
| 107 | $QCDGEN |
||
| 108 | $QCPDPCFGE |
||
| 109 | $BREW |
||
| 110 | $QCANTE |
||
| 111 | $QCRPW |
||
| 112 | $QCSQ |
||
| 113 | $CSQ |
||
| 114 | $QCSYSMODE |
||
| 115 | $QCCTM |
||
| 116 | $QCBANDPREF |
||
| 117 | ^DSCI |
||
| 118 | $QCVOLT |
||
| 119 | $QCHWREV |
||
| 120 | $QCBOOTVER |
||
| 121 | $ECALL |
||
| 122 | $QCDEFPROF |
||
| 123 | $QCMRUE |
||
| 124 | $QCMRUC |
||
| 125 | $QCAPNE |
||
| 126 | $QCPDPIMSCFGE |
||
| 127 | $QCCLAC |
||
| 128 | $QCRMCALL |
||
| 129 | $QCDRX |
||
| 130 | </pre> |
||
| 131 | 5 | laforge | |
| 132 | 6 | laforge | h3. AT commands in atfwd_daemon |
| 133 | |||
| 134 | <pre> |
||
| 135 | +HUAWEI |
||
| 136 | ^PSTANDBY |
||
| 137 | ^TBAT |
||
| 138 | ^TCHRENABLE |
||
| 139 | ^TCHRINFO |
||
| 140 | ^APBATLVL |
||
| 141 | ^SETMODE |
||
| 142 | </pre> |
||
| 143 | |||
| 144 | 8 | laforge | h4. AT^SETMODE |
| 145 | |||
| 146 | This can be used to switch between different USB Product IDs. |
||
| 147 | |||
| 148 | * @AT^SETMODE=0@ is for the normal 1573 product ID |
||
| 149 | * @AT^SETMODE=1@ is for the 157E product ID |
||
| 150 | |||
| 151 | Unfortunately none of the two contain adb by default :( |
||
| 152 | 6 | laforge | |
| 153 | 5 | laforge | h2. Serial Console |
| 154 | |||
| 155 | Like all/most MDM9x15 targets, there is an 1.8V serial console available on ttyHSL0. |
||
| 156 | |||
| 157 | TODO: Describe soldering of serial console pads. |
||
| 158 | |||
| 159 | Once you have connected to the serial console, you should be able to observe the boot log like in the attached @bootlog.txt@ |
||
| 160 | |||
| 161 | h3. Keeping modem from suspend |
||
| 162 | |||
| 163 | It seems like the Linux system is suspended after very few seconds of inactivity. To keep it alive, you can write any character to any of the serial devices. For example, the following one-liner script will work (assuming /dev/ttyUSB5 is one of the AT command ports of the modem): |
||
| 164 | <pre> |
||
| 165 | while [ -f /etc/passwd ]; do echo "AT" > /dev/ttyUSB5; sleep 1; done |
||
| 166 | </pre> |
||
| 167 | 7 | laforge | |
| 168 | h2. Linux on Cortex-A5 |
||
| 169 | |||
| 170 | h3. processes |
||
| 171 | |||
| 172 | see attached @ps.txt@ |
||
| 173 | |||
| 174 | h3. rmnet |
||
| 175 | |||
| 176 | <pre> |
||
| 177 | 2: hw_rmnet: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 |
||
| 178 | link/ether 3a:1c:af:e4:29:03 brd ff:ff:ff:ff:ff:ff |
||
| 179 | 3: hw_rmnet2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 |
||
| 180 | link/ether 56:f5:0f:cf:4c:cd brd ff:ff:ff:ff:ff:ff |
||
| 181 | 4: rmnet0: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 182 | link/[530] |
||
| 183 | 5: rmnet1: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 184 | link/[530] |
||
| 185 | 6: rmnet2: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 186 | link/[530] |
||
| 187 | 7: rmnet3: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 188 | link/[530] |
||
| 189 | 8: rmnet4: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 190 | link/[530] |
||
| 191 | 9: rmnet5: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 192 | link/[530] |
||
| 193 | 10: rmnet6: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 194 | link/[530] |
||
| 195 | 11: rmnet7: <> mtu 2000 qdisc noop state DOWN qlen 1000 |
||
| 196 | link/[530] |
||
| 197 | </pre> |
||
| 198 | 10 | laforge | |
| 199 | h2. Miscellanous |
||
| 200 | |||
| 201 | https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mickey-Shkatov-Jesse-Michael-Scared-poopless-LTE-and-your-laptop-UPDATED.pdf |
