- qc-linux-modems - lists.osmocom.org

D-Link DWN-222 modem and Windows 11 Cellular Connection Manager
by Anish 10 Aug '22

10 Aug '22

Good day OSMOCOM I see that you have done some tests on the DWM-222 modem/Qualcomm chipset. Do you know if this modem is detected by the Windows11 native cellular connection manager? D-Link DWM-222 stick - Qualcomm Linux Modems by Quectel & Co - Open Source Mobile Communications | | | | D-Link DWM-222 stick - Qualcomm Linux Modems by Quectel & Co - Open Sour... Redmine | | | Regards,Anish

1 0

Quectel SC20 / Yocto Linux
by Cyril HAENEL 25 Jan '21

25 Jan '21

3 4

DWM-222 rev A2
by Rogan Dawes 05 Aug '20

05 Aug '20

Hi folks, I have purchased a DLink DWM-222 with the intention of exploring the Linux OS running inside it, and if possible, compiling some additional USB gadgets to use with it. FWIW, the USB ID's are 2001:ac01 before modeswitch, and 2001:7e3d after switching. It creates ttyUSB[0-4] when switched, and the VID:PID added to the option driver. I was wondering if there had been any further developments in the exploration of the A1 hardware or firmware, in terms of gaining a shell on the device at all without soldering? Some initial probing has shown some 1.8v signals on some of the test points, so I will check those with a scope while booting to see if I can identify some waveforms, hopefully indicating a UART. I do have a FTDI UART with a voltage reference, so I am fairly confident that I can access those signals without damaging the device once identified. Unfortunately, the updated hardware has complete shields over the interesting bits, so I cannot identify chips, etc. I have also not been able to find firmware for the A2, the only firmware I could find was at ftp://ftp.d-link.co.za/DWM/dwm222/Firmware/, marked as A1. I'll check to see if they are compatible. And of course, will be copying the driver software from the embedded CDROM. Regards, Rogan

3 6

Platform ALT3800 as good target?
by Elias Devoldere 07 Feb '20

07 Feb '20

Hello, I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset. I was amazed when I got a U-Boot console after command at+cfun=1,1 and sending several random characters. I assume it's not news for seasoned wolves who hunt here. As a modem rookie I did not find a relevant link to this topic during Google's fast search. My questions. Is this behavior generally known? Can this be a one-piece property (I have only one piece)? Could it be useful for interesting research? Is there anyone who cares about it? I will try to extract parts of the memory using U-boot. Below you find pieces of the listing. Best, Elias # help help ? - alias for 'help' base - print or set address offset bdinfo - print Board Info structure boot - boot default, i.e., run 'bootcmd' bootd - boot default, i.e., run 'bootcmd' bootelf - Boot from an ELF image in memory bootfw - Load and boot FW from ELF image in memory bootm - boot application image from memory bootp - boot image via network using BOOTP/TFTP protocol bootvx - Boot vxWorks from an ELF image chpart - change active partition clocks - print clock configuration cmp - memory compare coninfo - print console devices and information cp - memory copy crc32 - checksum calculation create_bdinfo- Create Board info dhcp - boot image via network using DHCP/TFTP protocol dip - show the Boot mode configuration options echo - echo args to console editenv - edit environment variable env - environment handling commands exit - exit script false - do nothing, unsuccessfully fdt - flattened device tree utility commands fsinfo - print information about filesystems fsload - load binary file from a filesystem image fsloadbsp- load bsp binary files from a filesystem image fstest - testing filesystems go - start application at address '[*]addr' (possibly be indirect address) gpio - input/set/clear/toggle gpio pins help - print command description/usage i2c - I2C sub-system iminfo - print header information for application image imxtract- extract a part of a multi-image initfw - Init FW PLLs itest - return true/false on integer compare kermit_stat- Show statistics of the last Kermit session kermit_stat_print- print kermit statistics at the end of session loadb - load binary file over serial line (kermit mode) loads - load S-Record file over serial line loady - load binary file over serial line (ymodem mode) loop - infinite loop on address range loopw - infinite write loop on address range ls - list files in a directory (default /) md - memory display md5sum - compute MD5 message digest mdc - memory display cyclic mii - MII utility commands mm - memory modify (auto-incrementing address) mtdparts- define flash/nand partitions mtest - simple RAM read/write test mw - memory write (fill) mwc - memory write cyclic nand - NAND sub-system nandotp - NAND OTP sub-system nboot - boot from NAND device nfs - boot image via network using NFS protocol nm - memory modify (constant address) ping - send ICMP ECHO_REQUEST to network host printenv- print environment variables rarpboot- boot image via network using RARP/TFTP protocol reginfo - print register information reset - Perform RESET of the CPU reset_cause- print reset cause run - run commands in an environment variable saveenv - save environment variables to persistent storage setenv - set environment variables show_bdinfo- Show board info showvar - print local hushshell variables sleep - delay execution for some time source - run script from memory test - minimal test like /bin/sh tftpboot- boot image via network using TFTP protocol true - do nothing, successfully unlzo - decopress a lzo memory region unzip - unzip a memory region version - print monitor, compiler and linker version U-Boot 2012.10 (Aug 09 2018 - 10:17:38) mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3 GNU ld (GNU Binutils) 2.21 # baudrate=115200 boot_default=run flash_boot boot_nand_mtd=run nand_choose_rootfs; run flash_set_bootargs; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr} boot_nand_ramfs=run ram_set_bootargs; nboot kernel${boot_number}; bootm boot_number=2 boot_option=boot_default boot_tftp_ramfs=run ram_set_bootargs; ${tftpbootcmd} vmlinux.uboot; bootm ${loadaddr} bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo 'GUESS MODE - NO BOOT ALLOWED !!!'; fi bootdelay=6 bootm_low=0x82100000 bootm_size=0x6000000 cdc_connect_timeout=10 consoledev=ttyS0 dtb_addr=0x84000000 dtb_file=alt3802.dtb dtb_size=0x4000 env_check=if test ${env_saved} = 0; then setenv env_saved 1; saveenv; fi env_configured_size=0x4000 env_saved=1 erase_env_nand=nand erase.part env; nand erase.part backup_env eth_phy_mode=rmii ethact=usb_ether ethaddr=00:E0:0C:00:11:A0 fastboot=setenv loadaddr ${fastboot_loadaddr};run loadfw; if test $? -eq 0; then bootfw ${unziped_fwaddr} 1; fi; run loadotp; if run loadbsp;then run process_fw; fi; fastboot_loadaddr=0x82800000 fdt_high=0x83000000 fdtdbg=no flash_boot=run nand_choose_rootfs; run flash_set_bootargs; run fastboot; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr} flash_set_bootargs=setenv bootargs $ip root=${root} rw rootfstype=jffs2 console=$consoledev,$kernel_baudrate $othbootargs $kernellog gatewayip=0.0.0.0 hostname=alt3800 initrd_high=0x83000000 ipaddr=10.0.0.1 kernel_baudrate=115200 kernel_file=uImage kernellog=quiet load_fw=run load_phy_fw; run load_lte_fw load_lte_fw=${tftpbootcmd} $lte_fw; setenv fw_type LTE; bootelf load_phy_fw=${tftpbootcmd} $phy_fw; setenv fw_type PHY; bootelf loadaddr=0x80100000 loadbsp=chpart nvm; fsloadbsp 1 ${ramFilesShAddr} band_list bandbp file_list bspfilesbp loadfw= nand read.jffs2 ${loadaddr} modem_fw${boot_number}; unlzo ${loadaddr} ${unziped_fwaddr}; loadotp=nandotp read ${ramOtpShAddr} spl 20 lte_fw=PS100_RealPHY.elf mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage) nand128_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage) nand128_scheme2_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),53m(rootfs1),4m(kernel2),256k(dtb2),53m(rootfs2),4m(modem_fw1),4m(modem_fw2) nand256_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),40m(rootfs1),4m(kernel2),256k(dtb2),40m(rootfs2),4m(modem_fw1),4m(modem_fw2),10m(ua),-(tstorage) nand_choose_rootfs=if test 1 = ${boot_number}; then setenv root /dev/mtdblock8;else setenv root /dev/mtdblock11; fi nand_erasesize=20000 nand_oobsize=40 nand_uboot_file=u-boot.bin nand_uboot_spl_file=u-boot-spl.bin.alt3800 nand_writesize=800 nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc nchelp=echo On the host side run the script: ./netconsole $ipaddr $ncinport ncinport=6665 ncip=10.0.0.10 ncmux=run nchelp; setenv stdout ${stdout},nc; setenv stdin ${stdin},nc; setenv stderr ${stderr},nc ncoutport=6665 netdev=eth0 netmask=255.255.0.0 nvm_file=nvm.jffs2.img phy_dbgstreamer=0 phy_fw=Lte.out phy_sniffer=0 preboot=run env_check; if test -n $prebootcmd; then echo; echo Running pre-boot command; run prebootcmd;fi; process_fw=initfw; bootfw ${unziped_fwaddr} 0 ramFilesShAddr=0xA030004c ramOtpShAddr=0xA0300000 ram_set_bootargs=setenv bootargs $ip root=/dev/ram rw console=$consoledev,$kernel_baudrate $othbootargs $kernellog rootfs_file=rootfs.jffs2.img ser=setenv stdin serial;setenv stdout serial;setenv stderr serial serverip=10.0.0.10 set_ip=setenv ip ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off stderr=serial,usbtty stdin=serial,usbtty stdout=serial,usbtty testdramaddress=no testdramcache=yes testdramcount=1 testdramdata=no testdramsize=0x08000000 testdramstart=0x80100000 testdramwalk=no tftpbootcmd=tftpboot toggle_boot_number=if test 1 = ${boot_number}; then set boot_number 2; else set boot_number 1; fi; saveenv unziped_fwaddr=0x83000000 update_all=run update_all_nand update_all_nand=run update_kernel_nand update_dtb_nand update_rootfs_nand update_dtb=run update_dtb_nand update_dtb_nand=if ${tftpbootcmd} ${dtb_file}; then nand erase.part dtb${boot_number}; nand write ${loadaddr} dtb${boot_number} ${filesize}; fi update_kernel=run update_kernel_nand update_kernel_nand=if ${tftpbootcmd} ${kernel_file}; then nand erase.part kernel${boot_number}; nand write ${loadaddr} kernel${boot_number} ${filesize}; fi update_linux=${tftpbootcmd} uImage update_multi_img=run update_multi_img_nand update_multi_img_nand=setenv kernel_file vmlinux.uboot; run update_kernel_nand update_nvm=run update_nvm_nand update_nvm_nand=if ${tftpbootcmd} ${nvm_file}; then nand erase.part nvm; nand write ${loadaddr} nvm ${filesize}; fi update_ramdisk=${tftpbootcmd} $ramdiskaddr ramdisk.gz.uboot update_rootfs=run update_rootfs_nand update_rootfs_nand=if ${tftpbootcmd} ${rootfs_file}; then nand erase.part rootfs${boot_number}; nand write ${loadaddr} rootfs${boot_number} ${filesize}; fi update_uboot=run update_uboot_nand update_uboot_nand=run update_uboot_nand_spl update_uboot_nand_non_spl erase_env_nand update_uboot_nand_non_spl=if ${tftpbootcmd} ${nand_uboot_file}; then nand erase.part uboot1; nand write ${loadaddr} uboot1 ${filesize}; nand erase.part uboot2; nand write ${loadaddr} uboot2 ${filesize}; fi update_uboot_nand_spl=if ${tftpbootcmd} ${nand_uboot_spl_file}; then nand erase.part spl; nand write ${loadaddr} spl ${filesize}; fi usbphymode=0 usbtty=cdc_acm ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38) Environment size: 6184/16379 bytes mtdparts device nand0 <alt3800_nfc>, # parts = 15 #: name size offset mask_flags 0: spl 0x00080000 0x00000000 0 1: uboot1 0x000c0000 0x00080000 0 2: uboot2 0x000c0000 0x00140000 0 3: env 0x00040000 0x00200000 0 4: backup_env 0x00040000 0x00240000 0 5: nvm 0x00300000 0x00280000 0 6: kernel1 0x00300000 0x00580000 0 7: dtb1 0x00040000 0x00880000 0 8: rootfs1 0x02500000 0x008c0000 0 9: kernel2 0x00300000 0x02dc0000 0 10: dtb2 0x00040000 0x030c0000 0 11: rootfs2 0x02500000 0x03100000 0 12: modem_fw1 0x00400000 0x05600000 0 13: modem_fw2 0x00400000 0x05a00000 0 14: tstorage 0x02200000 0x05e00000 0 active partition: nand0,0 - (spl) 0x00080000 @ 0x00000000 defaults: mtdids : nand0=alt3800_nfc mtdparts: uninitialized

3 6

Diag output structure of Qualcomm modems
by morteza ali Ahmadi 09 Dec '19

09 Dec '19

Hi friends... Sorry to disturb you... I have a Qualcomm Quectel EC25 modem which I can send AT-Commands to this module with reciving the response. I store this modem diag bytes using a python opensource app (qcsuper <https://github.com/P1sec/QCSuper>) with a little code manipulation. Here is a sample diag bytes: 21 00 00 0A 08 01 01 00 00 50 1C 00 04 00 03 03 FF FF 00 FF 11 90 02 00 00 10 00 00 00 EF 1F AA 4C 0B 1E 03 00 00 11 90 02 00 00 00 00 08 01 02 63 ... 02 00 B2 00 4F 00 C0 *7E* 01 00 D2 00 FD 00 C0 8E 00 00 C5 00 C5 01 C0 7E 01 00 BA 00 ... 00 00 00 00 14 *7E* 01 00 50 81 01 00 40 7D 01 00 2C ... 8D 00 00 48 8C 00 00 *7E* 00 00 00 7D 00 00 00 78 00 00 QCSuper can also run Wireshark automatically to dissect RRC Signaling messages. I had an experience with Qualcomm Snapdragon mobile phone and after receiving the bytes I could dissect them using a specific structure. Some of the patterns of this structures were indicated in a python-c++ opensource app (mobile-insight <https://github.com/mobile-insight/mobileinsight-core>) e.g. the frames in the diag bytes starts with *98 00* and timestamp and frame type with a specific size follow it. Also *7E* is indicated the end of the frame. Now, I want to know is there a similar structure in this modem diag outputs to allow for dissecting? Can you offer me a suitable document or app like mobile-insight? I saw a project in Osmocom as osmo-qcdiag. <https://github.com/osmocom/libosmocore> Can I use that to get this structure? I hope you help me... Thank you very much -- *When there is much light, The shadow is deep...*

2 1

EC25 password for the Debug uart interface
by Florian Eckert 07 Feb '19

07 Feb '19

Hello, I am working on a EC25-1 which has problem with the USB communication with a dwc2 usb host controller [1]. To find the problem my next step was to connect to the EC25 debug UART on pin 11/12. But the system needs a root password! The one you have on your wiki does not work anymore [2]. I think I have the same version "msm LNX.LE.5.0.1-57031-9x40 mdm9607-perf /dev/ttyHSL0" Do you have another password for this interface or where did you get this information from? Thanks for help Flo [1] https://www.spinics.net/lists/linux-usb/msg176613.html [2] https://osmocom.org/projects/quectel-modems/wiki/EC25_Linux#root-password

3 3

Quectel EC25-J Dial up failure
by Mashkur Ahmad 07 Feb '19

07 Feb '19

Hi All, i found the problem to start the qmi dial up, can someone help me out. sudo qmi-network /dev/cdc-wdm0 start Loading profile at /etc/qmi-network.conf... APN: isp.docomoiot.net APN user: unset APN password: unset qmi-proxy: yes Checking data format with 'qmicli -d /dev/cdc-wdm0 --wda-get-data-format --device-open-proxy'... [07 Feb 2019, 09:52:49] -Warning ** [/dev/cdc-wdm0] requested auto mode but no MBIM QMUX support available Device link layer protocol retrieved: raw-ip Getting expected data format with 'qmicli -d /dev/cdc-wdm0 --get-expected-data-format'... [07 Feb 2019, 09:52:49] -Warning ** [/dev/cdc-wdm0] requested auto mode but no MBIM QMUX support available Expected link layer protocol retrieved: 802-3 Updating kernel link layer protocol with 'qmicli -d /dev/cdc-wdm0 --set-expected-data-format=raw-ip'... [07 Feb 2019, 09:52:49] -Warning ** [/dev/cdc-wdm0] requested auto mode but no MBIM QMUX support available error: cannot set expected data format: Expected data format not updated properly to 'raw-ip': got '802-3' instead Error updating kernel link layer protocol Starting network with 'qmicli -d /dev/cdc-wdm0 --wds-start-network=apn=' isp.docomoiot.net' --client-no-release-cid --device-open-proxy'... [07 Feb 2019, 09:52:49] -Warning ** [/dev/cdc-wdm0] requested auto mode but no MBIM QMUX support available error: couldn't start network: QMI protocol error (26): 'NoEffect' Saving state at /tmp/qmi-network-state-cdc-wdm0... (CID: 20) error: network start failed, no packet data handle [07 Feb 2019, 09:52:49] -Warning ** [/dev/cdc-wdm0] requested auto mode but no MBIM QMUX support available Clearing state at /tmp/qmi-network-state-cdc-wdm0... Thanks Mashur Khadmi

1 0

Addme
by Mashkur Ahmad 07 Feb '19

07 Feb '19

Hi Addme

1 0

Adding some info to the wiki pages
by Tomcsányi, Domonkos 15 Aug '18

15 Aug '18

Hi all, I've been looking into Qualcomm based devices mainly for collecting radio traces using Holger's diag-parser tool. I'd like to add the information I was able to collect to the Wiki pages (one new device, and some info on the Sierra EM7455 found in Thinkpads mainly). I've already registered an account in redmine, I'd like to know what's the next step to get to contributing. Thank you! Regards, Domi

2 2

RFC: new type for NAS/EPS in gsmtap.h and question
by Shinjo Park 27 Nov '17

27 Nov '17

Hi list, While I was experimenting with osmo-qcdiag and other LTE stuff, I want to add NAS/EPS as a new payload type for gsmtap.h. Unlike GSM and UMTS, LTE introduced separate layer for encryption of NAS and RRC. As a result, while NAS messages are piggybacked to LTE RRC, but after NAS security had been activated only encrypted NAS messages are available at RRC layer. This is reflected into the baseband diagnostics of various makers: Qualcomm provides separate diagnostic item for LTE NAS (both encrypted and plain) and RRC. Separate payload type for LTE RRC and LTE NAS will solve this issue. I can submit a patch if this looks positive. Also, I have a question regarding ARFCN field. Currently (in version 2) ARFCN is a 16-bit integer, with 2-bit of flags (PCS band, uplink) therefore making 14-bits available for raw value. This causes some problem in LTE: 1) EARFCNs for uplink are starting from 18000, which is larger than 2^14 2) There are EARFCNs even larger than 2^16 (Bands 65+, LTE-U frequencies) 3) No separate indicator for ARFCNs used by UMTS/LTE-TDD network Also in UMTS, there are overlapping UARFCNs between bands, which necessitates a separate field for band indicator. Changes regarding these will break the GSMTAP header structure, therefore I want to discuss about how these could be addressed. Best Regards, Shinjo -- Shinjo Park <pshinjo(a)sec.t-labs.tu-berlin.de> Security in Telecommunications <sec.t-labs.tu-berlin.de> TU Berlin / Telekom Innovation Laboratories Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany Phone: +49 30 8353 58272

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

qc-linux-modems