D-Link DWM-222 stick » History » Version 1

domi, 08/15/2018 07:08 PM

h1. D-Link DWM-222 stick

!{width:300px}dwm222_pic.jpg!

This stick is available from multiple operators and is quite cheap. If you want to get into Linux-based Qualcomm dongles that are easier to attach to your laptop than Quectel modems, it might be a way to go.
*WARNING!
The current version of the DWM-222 does NOT expose ADB, so accessing the underlying Linux is currently not possible! HOWEVER, there might be ways to enable this functionality, so keep reading, but BE AWARE BEFORE PURCHASING!*

It is just a D-Link branded version of cheaper dongles made in China. Some of them are WiFi access points with LTE backhaul using [[QCMAP]].
Examples of closely related devices:
* PTCL Charji Wingle R660
* (?)D-Link DWR 901 (unsure, FIXME)


h2. Hardware

!{width:500px}pcb_pic.jpg!

Opening the stick requires just removing the back cover (which reveals the standard size SIM slot and the microSD card reader), then unscrewing the 3 screws.
The stick is based on the Qualcomm MDM9225 chipset. Based on the firmware analysis, it is apparently closely related to the MDM9625.
There are two antenna connectors (U.FL) exposed on the PCB.

h2. Software

The dongle is a typical USB WWAN modem. It requires usb_modeswitch to change from mass_storage mode (which enables installation of the driver) to modem mode.
Mass storage mode USB id: *2001:ab00*
WWAN USB id: *2001:7e35*

After the switch you'll see 4 @ttyUSB@ devices appearing in @/dev@. For me these devices only started to work after telling the @option@ driver about the USB id of the device:
<pre>
echo "2001 7e35" > /sys/bus/usb-serial/drivers/option1/new_id
</pre>

The devices are:
<pre>
/dev/ttyUSB0  --> DIAG
/dev/ttyUSB1  --> AT commands
/dev/ttyUSB2
/dev/ttyUSB3
/dev/cdc-wdm0 --> QMI
</pre>

h3. Drivers

When the stick is in mass_storage mode, a Windows driver is available together with D-Link Connection Manager. It basically just switches the device to modem mode, and then provides a GUI to establish a connection.
Surprisingly, D-Link provides Linux support for the dongle. A page is dedicated to guiding you through the installation: https://eu.dlink.com/uk/en/support/faq/routers/mobile-routers/how-to-install-my-dwm-222-on-ubuntu
However, following the instructions is not recommended, because the 'driver' is just a collection of bash scripts that try to configure the PPP daemon. Interestingly, it has a complete collection of MCC, MNC, APN triples for all operators around the world. Based on the IMSI queried from the SIM card, it tries to find the right settings and feed them to pppd.

h2. Firmware

There are 2 firmware versions currently available for download: 2.0.1 and 2.0.8. https://eu.dlink.com/uk/en/products/dwm-222-4g-lte-usb-adapter#support
The dongle that I had came with an older version, 1.7.9. It doesn't really work for me, so I upgraded to 2.0.8:

h3. Upgrade process

The upgrade can only be done from Windows. The file provided is a self-extracting executable. Once extracted, the contents turned out to be quite interesting: a collection of executables and batch files, as well as MBN and yaffs2 images.
After tracing the upgrade process, I've roughly established its steps:

<pre>
Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots.
</pre>

Now comes the tricky part: the bat file tries to reboot the device into @fastboot@ mode using ADB shell. However, D-Link requested ADB to be turned off for the device, so the @fastboot@ part fails. Basically you'll end up with a device that has new DSP software, but the Android part is unchanged. Fortunately, the device stays operational after the failed update; only its LED is stuck on white instead of different colors/blinking.
So the complete upgrade cycle would look like this (based on reading the bat files):

<pre>
Start 1key.bat -> Installs drivers (ADB, QDLoader, Fastboot) -> Runs dl.exe -> Device goes into QDL mode -> MBN files are flashed -> Device reboots
-> ADB shell to reboot into fastboot mode -> Android images are flashed using fastboot (rootfs, usr) -> Device rebooted again, check if it is not stuck in bootloader -> Done.
</pre>

h3. Analyzing the firmware

Since it is just YAFFS2, it was easy to unpack the firmware and poke around in it. No encryption/signatures/etc. were in place.
It is, as suspected, Linux.

<pre>
# ls -lha
total 84K
drwxr-xr-x 20 root root 4,0K aug   10 14:58 .
drwxr-xr-x  5 root root 4,0K aug   10 15:30 ..
drwxr-xr-x  2 root root 4,0K aug   10 14:58 bin
drwxr-xr-x  2 root root 4,0K aug   10 14:58 boot
-rw-r--r--  1 root root   47 aug   10 14:58 build.prop
drwxr-xr-x  2 root root 4,0K aug   10 14:58 cache
drwxr-xr-x  2 root root 4,0K aug   10 14:58 dev
drwxr-xr-x 30 root root 4,0K aug   10 14:58 etc
drwxr-xr-x  3 root root 4,0K aug   10 14:58 home
drwxr-xr-x  5 root root 4,0K aug   10 14:58 lib
lrwxrwxrwx  1 root root   12 aug   10 14:58 linuxrc -> /bin/busybox
drwxr-xr-x 10 root root 4,0K aug   10 14:58 media
drwxr-xr-x  2 root root 4,0K aug   10 14:58 mnt
drwxr-xr-x  2 root root 4,0K aug   10 14:58 proc
drwxr-xr-x  2 root root 4,0K aug   10 14:58 sbin
lrwxrwxrwx  1 root root   11 aug   10 14:58 sdcard -> /media/card
drwxr-xr-x  3 root root 4,0K aug   10 14:58 share
drwxr-xr-x  2 root root 4,0K aug   10 14:58 sys
drwxr-xr-x  2 root root 4,0K aug   10 14:58 tmp
drwxr-xr-x  2 root root 4,0K aug   10 14:58 usr
drwxr-xr-x  8 root root 4,0K aug   10 14:58 var
drwxr-xr-x  3 root root 4,0K aug   10 14:58 WEBSERVER
drwxr-xr-x  5 root root 4,0K aug   10 14:58 www
</pre>

The WEBSERVER and www directories are there for the WiFi router versions, which use a web-based interface for settings.

I was mainly curious about ADB, so I followed the @/etc/init.d/usb@ script. It saves the USB device id of the device to a file, then based on the id it starts a bash script located in @/usr/bin/usb/compositions@.

<pre>
ls -lha bin/usb/compositions/
total 228K
drwxr-xr-x 2 root root 4,0K aug   10 14:58 .
drwxr-xr-x 3 root root 4,0K aug   10 14:28 ..
-rw-r--r-- 1 root root 3,8K aug   10 14:28 2033
-rw-r--r-- 1 root root 4,0K aug   10 14:28 2034
-rw-r--r-- 1 root root 4,4K aug   10 14:28 2037
-rw-r--r-- 1 root root 3,8K aug   10 14:28 3443
-rw-r--r-- 1 root root 4,4K aug   10 14:28 3444
-rw-r--r-- 1 root root 4,4K aug   10 14:28 4030
-rw-r--r-- 1 root root 3,8K aug   10 14:58 7e35
-rw-r--r-- 1 root root 4,6K aug   10 14:28 7e35A
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e37
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e38
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e39
-rw-r--r-- 1 root root 4,4K aug   10 14:28 7e3c
-rw-r--r-- 1 root root 3,8K aug   10 14:28 7e3d
-rw-r--r-- 1 root root 2,3K aug   10 14:28 9002
-rw-r--r-- 1 root root 2,2K aug   10 14:28 901C
-rw-r--r-- 1 root root 2,8K aug   10 14:28 901D
-rw-r--r-- 1 root root 3,4K aug   10 14:28 9021
-rw-r--r-- 1 root root 3,4K aug   10 14:28 9022
-rw-r--r-- 1 root root 2,7K aug   10 14:28 9024
-rw-r--r-- 1 root root 3,6K aug   10 14:28 9025
-rw-r--r-- 1 root root 3,5K aug   10 14:28 9026
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902A
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902B
-rw-r--r-- 1 root root 2,7K aug   10 14:28 902C
-rw-r--r-- 1 root root 2,8K aug   10 14:28 902D
-rw-r--r-- 1 root root 3,9K aug   10 14:28 902E
-rw-r--r-- 1 root root 3,3K aug   10 14:28 9043
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9046
-rw-r--r-- 1 root root 2,4K aug   10 14:28 9047
-rw-r--r-- 1 root root 3,5K aug   10 14:28 9049
-rw-r--r-- 1 root root 2,2K aug   10 14:28 904A
-rw-r--r-- 1 root root 3,6K aug   10 14:28 9056
-rw-r--r-- 1 root root 2,7K aug   10 14:28 9057
-rw-r--r-- 1 root root 2,9K aug   10 14:28 9059
-rw-r--r-- 1 root root 3,2K aug   10 14:28 905A
-rw-r--r-- 1 root root 3,0K aug   10 14:28 905B
-rw-r--r-- 1 root root 2,2K aug   10 14:28 9060
-rw-r--r-- 1 root root 3,2K aug   10 14:28 9063
-rw-r--r-- 1 root root 4,4K aug   10 14:28 9064
-rw-r--r-- 1 root root 4,0K aug   10 14:28 9067
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9083
-rw-r--r-- 1 root root 3,0K aug   10 14:28 9084
-rw-r--r-- 1 root root 3,1K aug   10 14:28 9085
-rw-r--r-- 1 root root  127 aug   10 14:28 empty
-rw-r--r-- 1 root root    2 aug   10 14:28 hsic_next
-rw-r--r-- 1 root root    5 aug   10 14:28 hsusb_next
</pre>

Looking into the file @7e35@ (the id of the D-Link device) reveals why ADB is missing: the Android USB Gadget is configured without ADB. The @DESCRIPTION@ comment still lists ADB, but none of the @functions@ lists contain @adb@:

<pre>
# cat bin/usb/compositions/7e35

#!/bin/sh
#
# Copyright (c) 2012, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived from
#       this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED.  IN NO
# EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)

echo "Switching to composition number 0x7e35"

if [ "$1" = "y" ]; then
	num="1"
else
	num="0"
fi

echo 0 > /sys/class/android_usb/android$num/enable
if [ "$2" = "y" ]; then
	echo 0xAB00 > /sys/class/android_usb/android$num/idProduct
	echo 0x2001 > /sys/class/android_usb/android$num/idVendor
	echo mass_storage > /sys/class/android_usb/android$num/functions
	echo 1 > /sys/class/android_usb/android$num/enable
else
	run_9x15() {
		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
		echo 0x2001 > /sys/class/android_usb/android$num/idVendor
		echo diag > /sys/class/android_usb/android0/f_diag/clients
		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
		echo SMD,BAM2BAM > /sys/class/android_usb/android0/f_rmnet/transports
		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
		echo 1 > /sys/class/android_usb/android$num/enable
	}

	run_9x25() {
		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
		echo 0x2001 > /sys/class/android_usb/android$num/idVendor
		echo diag > /sys/class/android_usb/android0/f_diag/clients
		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
		echo SMD,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
		echo 1 > /sys/class/android_usb/android$num/enable
	}

	run_9x25_v2() {
		echo 0x7e35 > /sys/class/android_usb/android$num/idProduct
		echo 0x2001 > /sys/class/android_usb/android$num/idVendor
		echo 0123456789ABCDEF > /sys/class/android_usb/android$num/iSerial
		echo diag > /sys/class/android_usb/android0/f_diag/clients
		echo smd,smd,tty > /sys/class/android_usb/android0/f_serial/transports
		echo QTI,BAM2BAM_IPA > /sys/class/android_usb/android0/f_rmnet/transports
		echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
		echo 1 > /sys/class/android_usb/android$num/enable
	}

	case `source /usr/bin/usb/target` in
		*9x15* )
			run_9x15 &
			;;
		*9x25* )
			case `cat /sys/devices/soc0/revision` in
				*1.0* )
					run_9x25 &
					;;
				*2.* )
					run_9x25_v2 &
					;;
				* )
					run_9x25 &
					;;
			esac
			;;
		* )
			run_9x15 &
			;;
	esac
fi

</pre>

Simply adding @adb@ to the @functions@ echos should be enough, based on the other script files.

So now the question arises: what kind of dongle would you need to buy that has ADB out of the box? I could tell you the USB device ids of such devices:

<pre>
grep -r adb .
./905A:	echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions
./905A:	echo diag,adb,usb_mbim:ecm_qc > /sys/class/android_usb/android$num/functions
./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9025:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9022:	echo diag,adb,rmnet > /sys/class/android_usb/android$num/functions
./9059:	echo rndis_qc,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions
./9059:	echo rndis,diag,adb:ecm_qc > /sys/class/android_usb/android$num/functions
./9064:	echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions
./9064:	echo diag,adb,serial,rmnet:ecm:usb_mbim > /sys/class/android_usb/android$num/functions
./9064:	echo diag,adb,serial,rmnet:ecm_qc:usb_mbim > /sys/class/android_usb/android$num/functions
./9046:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9046:	echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
./9024:	echo rndis_qc,adb > /sys/class/android_usb/android$num/functions
./9024:	echo rndis,adb > /sys/class/android_usb/android$num/functions
./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./9049:	echo diag,adb,serial,rmnet,mass_storage,qdss > /sys/class/android_usb/android$num/functions
./902D:	echo rndis_qc,diag,adb > /sys/class/android_usb/android$num/functions
./902D:	echo rndis,diag,adb > /sys/class/android_usb/android$num/functions
./901D:	echo diag,adb > /sys/class/android_usb/android$num/functions
./901D:	echo diag,adb > /sys/class/android_usb/android$num/functions
./9084:	echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions
./9084:	echo diag,qdss,adb,rmnet > /sys/class/android_usb/android$num/functions
./902B:	echo rndis_qc,adb,mass_storage > /sys/class/android_usb/android$num/functions
./902B:	echo rndis,adb,mass_storage > /sys/class/android_usb/android$num/functions
./9085:	echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions
./9085:	echo diag,adb,usb_mbim,gps > /sys/class/android_usb/android$num/functions
./2034:	echo rndis_qc,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./2034:	echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./2034:	echo rndis,diag,serial,adb,mass_storage > /sys/class/android_usb/android$num/functions
./9060:	echo diag,qdss,adb > /sys/class/android_usb/android$num/functions
./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
./9056:	echo diag,adb,serial,rmnet,mass_storage,audio > /sys/class/android_usb/android$num/functions
</pre>

It would be great to find out the actual vendors of these device IDs, so we can offer people ideas about what to buy.
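
The check done by hand above, generalized into an added example (not part of the original wiki page or of the firmware): a shell function that walks a @compositions@ directory from an unpacked rootfs, reports for each product id whether any @functions@ list enables @adb@, and flags scripts such as @7e35@ whose @DESCRIPTION@ header still advertises ADB. The function names and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit USB composition scripts from an unpacked rootfs.
# Output per script: <product id> <adb|no-adb> <ok|desc-claims-adb> <lists>

audit_compositions() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Every distinct value echoed into .../android<N>/functions
        funcs=$(sed -n 's|^[[:space:]]*echo \([^ ]*\) > /sys/class/android_usb/android[^/]*/functions.*|\1|p' "$f" |
            sort -u | tr '\n' ' ')
        funcs=${funcs% }
        [ -n "$funcs" ] || continue   # helper files (empty, hsusb_next, ...)

        # Lists are separated by ',' and ':'; match adb as a whole token
        if printf '%s\n' "$funcs" | tr ',: ' '\n\n\n' | grep -qx adb; then
            adb=adb
        else
            adb=no-adb
        fi

        # A header that advertises ADB while no list enables it shows that
        # adb was dropped from the composition (the 7e35 case above)
        note=ok
        if [ "$adb" = no-adb ] && grep -qi '^# DESCRIPTION:.*ADB' "$f"; then
            note=desc-claims-adb
        fi
        printf '%s %s %s %s\n' "$(basename "$f")" "$adb" "$note" "$funcs"
    done
}

# Constructed sample tree: 7e35 is abridged from the listing above, the 9025
# functions line is copied from the grep output, the rest is made up.
make_sample() {
    mkdir -p "$1"
    cat > "$1/7e35" <<'EOF'
# DESCRIPTION: DIAG + MODEM + AT + NMEA + QMI_RMNET + ADB + Mass Storage (Android)
    echo mass_storage > /sys/class/android_usb/android$num/functions
    echo diag,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
EOF
    cat > "$1/9025" <<'EOF'
# DESCRIPTION: constructed header for this sample
    echo diag,adb,serial,rmnet,mass_storage > /sys/class/android_usb/android$num/functions
EOF
    echo 9025 > "$1/hsusb_next"
}

# Demo run on the constructed tree; pass a real compositions dir to audit it.
if [ $# -gt 0 ]; then
    audit_compositions "$1"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && audit_compositions "$tmp"
    rm -rf "$tmp"
fi
```

Run against the unpacked image, the argument would be the @bin/usb/compositions@ directory shown in the listing above.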