Hacking HSDPA’s modem from DealExtreme

What device?

This one

Under which conditions?

On Debian Linux wheezy (actually ARMv5, but any flavor would do)

What to expect?

  1. Use the modem — minimum goal
  2. Send and receive SMS
  3. Place and answer a call
  4. Establish data connection

What were the pitfalls?

  • The modem comes from China without an IMEI set. This prevents using it in most countries in the world.
  • The modem does not appear as a modem to the operating system until it’s forced to do so.
  • The modem uses a non-standard, undocumented protocol.
  • The Chinese software is buggy and freezes the computer, which makes it hard to reverse engineer.

1) Use the modem

By default, the modem starts by emulating a CDROM. It’s quite usual for these devices.

Under Linux, the “usual” way to switch the modem from CDROM mode to normal mode is the “usb_modeswitch” tool.

However, this modem does not require such a tool, only a quirk when loading the usb_serial and usb_storage modules.

You need to append this to your /etc/modules

usb_storage quirks=0685:8000:i
usbserial vendor=0x0685 product=0x8000

When this is done (after a reboot or a sequence of rmmod & modprobe), the modem should be enumerated as 5 USB TTYs (check your dmesg for the TTYs’ names).

The second TTY enumerated is the application TTY where you can send commands. The last TTY is the data port where you’ll read voice data and write it (at least on my computer).

Update (06/2015): Using the tool usb_modeswitch is required for Debian Jessie (with Linux kernel 3.16) in addition to the quirks above, because the VID/PID for this device is still not in the kernel.

2) Send and receive SMS

Before you can send an SMS with the usual AT+CMGS command, you must first write an IMEI to the modem, because it is not delivered with one (to check whether your modem has an IMEI set, type AT+CGSN in your terminal; if it returns ERROR, your modem has no IMEI).

You can choose any IMEI (it’s a hack, remember), but you should not connect your modem to a public network with a fake IMEI. I reused an IMEI from an old phone that went to the trash, but be warned about this (and do not use the IMEI number from the article below).

BEWARE: You can only write the IMEI once, so DO NOT USE THE IMEI from this article: it’ll not work, and your device will become useless if you do.

To write your IMEI follow this guide.

Once the IMEI is written, you can send and receive SMS (no more ERROR reported for the AT+CMGS command).

3) Place and answer a call

This modem does not follow the usual protocol for placing a call (the ATD command fails). Receiving a call works out of the box, and the voice data is sent to the last TTY. By capturing the stream and trying to figure out the format, it turns out to be µ-law encoded (8 bits) at an 8 kHz sampling rate. Unlike Huawei modems (where you need to read 320 bytes every 20 ms), it does not seem to have any timing restriction on reading from the device.
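The stream format described above, as an added example that is not code from the original post: a G.711 µ-law decoder that turns bytes read from the data TTY into a 16-bit WAV file. The TTY path is an assumption (substitute the last TTY dmesg reports), and the demo bytes are constructed, not captured from the device.

```python
import wave

SAMPLE_RATE = 8000          # 8 kHz, one mu-law byte per sample
DATA_TTY = "/dev/ttyUSB4"   # assumption: the last of the five enumerated TTYs


def ulaw_byte_to_pcm16(b: int) -> int:
    """Decode one G.711 mu-law byte to a signed 16-bit linear sample."""
    b = ~b & 0xFF                       # mu-law bytes are transmitted inverted
    sign = b & 0x80
    exponent = (b >> 4) & 0x07
    mantissa = b & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def ulaw_to_pcm16(data: bytes) -> list:
    """Decode a whole buffer of mu-law bytes."""
    return [ulaw_byte_to_pcm16(b) for b in data]


def pcm16_to_wav(samples: list, path: str) -> int:
    """Write samples as a mono 16-bit PCM WAV file; returns the frame count."""
    frames = b"".join(s.to_bytes(2, "little", signed=True) for s in samples)
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(frames)
    return len(samples)


def capture_call(path: str = "call.wav", seconds: float = 10.0, tty: str = DATA_TTY) -> int:
    """Read `seconds` of mu-law audio from the data TTY and save it as WAV.

    The TTY should be put in raw mode first (stty -F <tty> raw) so the line
    discipline does not alter the bytes.
    """
    wanted = int(SAMPLE_RATE * seconds)
    buf = bytearray()
    with open(tty, "rb", buffering=0) as f:
        while len(buf) < wanted:
            chunk = f.read(wanted - len(buf))
            if not chunk:               # device closed, e.g. the call ended
                break
            buf.extend(chunk)
    return pcm16_to_wav(ulaw_to_pcm16(bytes(buf)), path)


if __name__ == "__main__":
    # Constructed input: four bytes of silence, then the two extreme codes.
    demo = b"\xff" * 4 + b"\x00\x80"
    print(pcm16_to_wav(ulaw_to_pcm16(demo), "demo.wav"), "frames written")
```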

So, first let’s try to figure out how the original, Windows-only software works with this modem. In order to do so, I booted a Windows 7 machine, plugged in the modem, then installed API Monitor, which is an excellent tool to figure out what a piece of software does.

Typically, you run the provided software under API Monitor (capturing all system and API calls, a bit like strace on Linux). After analysis of the COM port communication only (via WriteFile / ReadFile examination), the software issues these commands:

AT+SYSSEL?  -- Modem answers: ERROR 
AT+CPIN?
AT+CPIN="1234"
AT+ZSTART -- Start timer
AT+CSCA? -- Get SMS Carrier
AT+ZPAS? -- Get beartype
AT+ZDON? -- Get operator MCC and status
AT+CSQ -- Get quality of link
AT+COPS? -- Get connection status
AT+BEARTYPE? -- Get beartype
AT+CGDCONT=1,"IP","whatever",,0,0 -- Set APN
AT+CLCK="SC",2
AT+CIMI -- Get IMSI
AT+CGSN -- Get IMEI
AT+ZSNT? -- Configuration of network selection mode 0,1,0 ?
AT+CLCK="SC",2
AT+CSCA? -- Get SMS Carrier
AT+CPBR=? -- Get phonebook entry
AT+CLVL?
AT+HELLOW -- 224? 192 ? 96? different number each time
AT+READCODE -- 113 ?
AT+HELLOW=101
AT+HELLOW=5
AT+CNMI=3,1,0,2,0 -- Set the notification on message arrival (see below)
AT+CMGF=0
AT+CPMS="SM","SM","SM" -- Set message storage in SIM
AT+CLVL=5 -- Loudspeaker volume level
ATD0123456789;
AT+CMGL=4
AT+CPMS?
AT+CPBR=1,250
AT+ZSTOPT -- Stop timer

From the few documents I could find, here is the documentation for the unusual commands:

ZSNT = cm,net,pref
net: 0 Automatic, 1 manual
cm,net,pref: 0 Automatic
 1 GSM preferred
 2 WCDMA preferred
Read: 0,1,0 => Manual network, UMTS preferred
Set notification for messages:
AT+CNMI=mode,mt,bm,ds,bfr
mode: 3 to use the current terminal
mt: 1 if SMS-DELIVER is stored into ME/TA, indication of the mem locations is routed to the terminal using unsolicited result code:
+CMTI: <mem>, <index>
bm: 0 No CBM indications are routed to terminal
 2 CBM indications are routed to term
ds: 2 if SMS-STATUS-REPORT is stored in ME/TA, indi... :
+CDSI: <mem>, <index>
bfr: 0 TA buffer of unsolicited result code is flushed to TE
Set Operational Mode
AT+ZSNT=0,0,0 (Auto) - Default
AT+ZSNT=1,0,0 GPRS Only
AT+ZSNT=2,0,0 3G Only
AT+ZSNT=0,0,1 GPRS Preferred
AT+ZSNT=0,0,2 3G Preferred
Query Operational Mode
AT+ZPAS?
<CR><LF>+ZPAS:<network>,<srv_domain><CR><LF>OK<CR><LF>
<network>: the type of current network
No Service
Limited Service
GPRS
GSM
UMTS
EDGE
HSDPA
<srv_domain>: service domain
CS_ONLY: CS domain service available.
PS_ONLY: PS domain service available.
CS_PS: CS&PS domain service available.
CAMPED: camped in a cell.
example
Command: AT+ZPAS?
Response: +ZPAS: "GPRS","CS_PS"
OK

If you issue the same commands via Linux, in the same order, some of the commands fail (up to ATD, which fails every time).

One sequence of commands is very important, and, unfortunately, no documentation can be found on it on the Internet:

AT+HELLOW then AT+READCODE then AT+HELLOW=x

AT+READCODE seems to give a different code each time it is called (unless it’s verified, see below), and so does AT+HELLOW.

Without sending the right pair (HELLOW gives a number, you must answer with another number), the calling feature is disabled.

This handshake is strange because it seems to have very low variation (and entropy). Without entering a nuclear war with the binary (understand: disassemble it, find the place where this number is computed and work out the algorithm), a simpler solution is to run the capture numerous times and find the pattern of the algorithm.

I could find the pattern on my system: typically the two values, when XORed, give 101.

So if AT+HELLOW returned x, you must answer with y such that x ^ y = 101. Since XOR is its own inverse, you can compute y as y = x ^ 101.

I’ve no idea if the returned code depends on the network, the IMEI or IMSI. So your mileage may vary.

Once you know how to derive the answer from the read code, you can place a call from your Linux serial terminal.

If you do so, AT+HELLOW=x results in “OK”, and then you can dial.
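The handshake above, as an added example that is not code from the original post: a small client that replays AT+HELLOW / AT+READCODE / AT+HELLOW=y with y = x ^ 101, plus a constructed stand-in modem so it runs offline. The reply format “+HELLOW: <n>” and the use of the first integer in the reply are assumptions (the post does not show the raw response); the client works with any object exposing write()/readline(), such as a pyserial Serial on the application TTY.

```python
import re

HELLOW_KEY = 101  # constant observed by the post's author: x ^ y == 101


def hellow_answer(x: int) -> int:
    """Answer for challenge x; XOR is its own inverse, so y = x ^ 101."""
    return x ^ HELLOW_KEY


def at(port, cmd: str, max_lines: int = 8) -> list:
    """Send one AT command, collect reply lines until OK or ERROR."""
    port.write((cmd + "\r").encode())
    lines = []
    for _ in range(max_lines):
        line = port.readline().decode(errors="replace").strip()
        if line:
            lines.append(line)
        if line in ("OK", "ERROR"):
            break
    return lines


def unlock_dialing(port) -> bool:
    """Replay the captured sequence; True when the modem accepts the answer."""
    nums = [int(n) for l in at(port, "AT+HELLOW") for n in re.findall(r"\d+", l)]
    if not nums:                        # assumption: the challenge is the first integer
        return False
    at(port, "AT+READCODE")             # read and discard, as the Windows tool does
    reply = at(port, "AT+HELLOW=%d" % hellow_answer(nums[0]))
    return bool(reply) and reply[-1] == "OK"


class FakeModem:
    """Constructed stand-in modelled on the post: HELLOW yields a number,
    HELLOW=y is OK only if x ^ y == 101, and ATD fails until that happens."""

    def __init__(self, challenge: int = 96):
        self.challenge, self.unlocked, self.out = challenge, False, []

    def write(self, data: bytes) -> None:
        cmd = data.decode().strip()
        if cmd == "AT+HELLOW":
            self.out += ["+HELLOW: %d" % self.challenge, "OK"]
        elif cmd.startswith("AT+HELLOW="):
            self.unlocked = int(cmd[10:]) ^ self.challenge == HELLOW_KEY
            self.out.append("OK" if self.unlocked else "ERROR")
        elif cmd == "AT+READCODE":
            self.out += ["+READCODE: 113", "OK"]
        elif cmd.startswith("ATD"):
            self.out.append("OK" if self.unlocked else "ERROR")
        else:
            self.out.append("OK")

    def readline(self) -> bytes:
        return (self.out.pop(0) + "\r\n").encode() if self.out else b""
```

Against the real device, pass e.g. serial.Serial("/dev/ttyUSB1", 115200, timeout=1) (pyserial, path assumed) instead of FakeModem().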

4) Establish data connection

I’ve not tested this part, but I’ve read here that the modem behaves like any other modem for this feature (once you’ve sorted out the quirks), so the usual wvdial / NetworkManager tools should work.


One thought on “Hacking HSDPA’s modem from DealExtreme”

  1. Thank you for another informative web site. The place else may I get that kind of
    information written in such an ideal approach? I have an undertaking that I am
    simply now running on, and I’ve been on the glance
    out for such information.
