What device?
Under which conditions?
On Debian Linux wheezy (actually ARMv5, but any flavor would do)
What to expect?
- Use the modem — minimum goal
- Send and receive SMS
- Place and answer a call
- Establish a data connection
What were the pitfalls?
- The modem ships from China without an IMEI set, which prevents using it on most networks in the world.
- The modem does not appear as a modem to the operating system until it is forced to.
- The modem uses a non-standard, undocumented protocol.
- The Chinese software is buggy and freezes the computer, which makes reverse engineering hard.
1) Use the modem
By default, the modem starts by emulating a CD-ROM. This is quite usual for these devices.
Under Linux, the usual way to switch such a modem from CD-ROM mode to modem mode is the usb_modeswitch tool.
This modem, however, does not need that tool on wheezy; it needs a quirk on the usb_storage module (so that the mass-storage interface of VID 0x0685 / PID 0x8000 is ignored) plus the same VID/PID passed to usbserial (so that the serial interfaces get a driver).
Append these two lines to your /etc/modules:
usb_storage quirks=0685:8000:i
usbserial vendor=0x0685 product=0x8000
Once this is done (after a reboot, or an rmmod/modprobe sequence), the modem should be enumerated as five ttyUSB devices (check dmesg for their names).
The second TTY enumerated is the application TTY where you send AT commands. The last TTY is the data port where voice data is read and written (at least on my computer).
Update (06/2015): on Debian Jessie (Linux kernel 3.16), the usb_modeswitch tool is required in addition to the quirks above, because the VID/PID of this device is still not in the kernel.
2) Send and receive SMS
Before you can send an SMS with the usual AT+CMGS command, you must first write an IMEI to the modem, because it is not delivered with one. To check whether your modem has an IMEI set, type AT+CGSN in your terminal; if it returns ERROR, your modem has no IMEI.
You can choose any IMEI (it's a hack, remember), but you should not connect your modem to a public network with a fake IMEI. I reused the IMEI of an old phone that went to the trash, but be warned about this (and do not use the IMEI number from the article linked below).
BEWARE: the IMEI can only be written once, so DO NOT USE THE IMEI from that article: it will not work, and your device will become useless if you do.
To write your IMEI, follow this guide.
Once the IMEI is written, you can send and receive SMS (AT+CMGS no longer reports ERROR).
3) Place and answer a call
This modem does not follow the usual protocol for placing a call (the ATD command fails). Receiving a call works out of the box, and the voice data is sent to the last TTY. Capturing the stream and trying to figure out the format shows that it is µ-law encoded (8 bits per sample) at an 8 kHz sampling rate. Unlike Huawei modems (where you need to read 320 bytes every 20 ms), it does not seem to have any timing restriction on reads from the device.
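The decoder below is an added example, not code from the original post. It turns a capture of the voice TTY into a WAV file using the format identified above (8-bit G.711 µ-law, 8 kHz) and adds an RMS level check as a quick sanity test of that format guess. Two things it assumes that the post does not state: the bytes read from the data TTY are raw samples with no header or framing, one byte per sample, mono. The sample capture is constructed here (a µ-law-encoded sine tone) so that the block runs without the hardware; on the real device the bytes would come from the last ttyUSB port.

```python
"""Decode a capture of the modem's voice TTY (8-bit G.711 mu-law, 8 kHz) to WAV.

Added example, not the author's code. Assumptions beyond what the post states:
the bytes read from the data TTY are raw samples (no framing or header), one
byte per sample, mono. The mu-law formulas follow G.711 (same as the classic
Sun g711.c).
"""
import io
import math
import struct
import wave

RATE = 8000   # sampling rate observed above
BIAS = 0x84   # G.711 mu-law bias
CLIP = 32635  # largest magnitude the encoder can represent


def ulaw_decode(byte):
    """One mu-law byte -> signed 16-bit linear PCM sample."""
    u = ~byte & 0xFF                 # G.711 stores the code bit-inverted
    sign = u & 0x80
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    magnitude = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -magnitude if sign else magnitude


def ulaw_encode(sample):
    """Signed 16-bit linear -> mu-law byte. Only used here to build the
    constructed capture; on the real device the modem does the encoding."""
    sign = 0x80 if sample < 0 else 0
    magnitude = min(abs(sample), CLIP) + BIAS
    exponent = (magnitude >> 7).bit_length() - 1   # 0..7, position of the leading bit
    mantissa = (magnitude >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def decode_stream(raw):
    """Whole capture (bytes) -> list of signed 16-bit samples."""
    return [ulaw_decode(b) for b in raw]


def to_wav_bytes(samples, rate=RATE):
    """Wrap decoded samples in a mono 16-bit PCM WAV container."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def rms(samples):
    """Signal level of the decoded audio. Mu-law silence decodes to values near
    0 and speech to a few thousand, so an implausible level means the format
    guess (or the port) is wrong."""
    if not samples:
        return 0.0
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def constructed_capture(seconds=0.5, freq=440.0, amplitude=8000, rate=RATE):
    """CONSTRUCTED stand-in for bytes read from the data TTY: a mu-law sine tone."""
    n = int(seconds * rate)
    return bytes(
        ulaw_encode(int(amplitude * math.sin(2 * math.pi * freq * i / rate)))
        for i in range(n)
    )


if __name__ == "__main__":
    # On the real device: raw = open("/dev/ttyUSB4", "rb").read(...) (port name is an assumption)
    raw = constructed_capture()
    pcm = decode_stream(raw)
    with open("call.wav", "wb") as f:
        f.write(to_wav_bytes(pcm))
    print("%d samples, rms %.0f, wrote call.wav" % (len(pcm), rms(pcm)))
```

A-law would decode to garbage with this table, so if the written file sounds wrong, the encoding guess rather than the sample rate is the first thing to revisit.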
So first, let's try to figure out how the original, Windows-only software works with this modem. To do so, I booted a Windows 7 machine, plugged in the modem, then installed API Monitor, which is an excellent tool to figure out what a piece of software does.
Typically, you run the provided software under API Monitor (capturing all system and API calls, a bit like strace on Linux). Looking only at the COM port communication (the WriteFile / ReadFile calls), the software issues these commands:
AT+SYSSEL? -- Modem answers: ERROR
AT+CPIN? -- Query SIM PIN status
AT+CPIN="1234" -- Enter the SIM PIN
AT+ZSTART -- Start timer
AT+CSCA? -- Get the SMS service centre (SMSC) address
AT+ZPAS? -- Get bearer type (see below)
AT+ZDON? -- Get operator MCC and status
AT+CSQ -- Get quality of link
AT+COPS? -- Get connection status
AT+BEARTYPE? -- Get bearer type
AT+CGDCONT=1,"IP","whatever",,0,0 -- Set APN
AT+CLCK="SC",2 -- Query whether the SIM PIN lock is enabled
AT+CIMI -- Get IMSI
AT+CGSN -- Get IMEI
AT+ZSNT? -- Configuration of network selection mode, answers 0,1,0 (see below)
AT+CLCK="SC",2
AT+CSCA?
AT+CPBR=? -- Get the phonebook index range
AT+CLVL? -- Query loudspeaker volume level
AT+HELLOW -- 224? 192? 96? different number each time
AT+READCODE -- 113?
AT+HELLOW=101
AT+HELLOW=5
AT+CNMI=3,1,0,2,0 -- Set the notification on message arrival (see below)
AT+CMGF=0 -- SMS PDU mode
AT+CPMS="SM","SM","SM" -- Set message storage to the SIM
AT+CLVL=5 -- Loudspeaker volume level
ATD0123456789; -- Dial (voice call)
AT+CMGL=4 -- List all messages
AT+CPMS? -- Query message storage
AT+CPBR=1,250 -- Read phonebook entries 1 to 250
AT+ZSTOPT -- Stop timer
From the few documents I could find, this is the documentation for the unusual commands:
AT+ZSNT=<cm>,<net>,<pref>
  cm: 0 automatic, 1 GSM/GPRS only, 2 WCDMA/3G only
  net: 0 automatic network selection, 1 manual network selection
  pref: 0 automatic, 1 GSM preferred, 2 WCDMA preferred
  Read back as 0,1,0 => automatic mode, manual network selection, no preference
Set notification for messages: AT+CNMI=<mode>,<mt>,<bm>,<ds>,<bfr>
  mode: 3 = forward unsolicited result codes directly to the terminal
  mt: 1 = when an SMS-DELIVER is stored in ME/TA, its memory location is reported to the terminal with the unsolicited result code +CMTI: <mem>,<index>
  bm: 0 = no CBM indications are routed to the terminal; 2 = CBM indications are routed to the terminal
  ds: 2 = when an SMS-STATUS-REPORT is stored in ME/TA, it is indicated with +CDSI: <mem>,<index>
  bfr: 0 = the TA buffer of unsolicited result codes is flushed to the TE
Set operational mode:
  AT+ZSNT=0,0,0  Auto (default)
  AT+ZSNT=1,0,0  GPRS only
  AT+ZSNT=2,0,0  3G only
  AT+ZSNT=0,0,1  GPRS preferred
  AT+ZSNT=0,0,2  3G preferred
Query operational mode: AT+ZPAS?
  Response: <CR><LF>+ZPAS:<network>,<srv_domain><CR><LF>OK<CR><LF>
  <network>: the type of current network: No Service, Limited Service, GPRS, GSM, UMTS, EDGE, HSDPA
  <srv_domain>: service domain: CS_ONLY (CS domain service available), PS_ONLY (PS domain service available), CS_PS (CS and PS domain service available), CAMPED (camped in a cell)
  Example: AT+ZPAS? answers +ZPAS: "GPRS","CS_PS" followed by OK
If you issue the same commands from Linux, in the same order, some of them fail (up to ATD, which fails every time).
One sequence of commands is very important and, unfortunately, no documentation for it can be found on the Internet:
AT+HELLOW, then AT+READCODE, then AT+HELLOW=x
AT+READCODE seems to give a different code each time it is called (unless it has been verified, see below), and so does AT+HELLOW.
Without sending the right pair (HELLOW gives a number, you must answer with another number), the calling feature is disabled.
This handshake is strange because it has very little variation (and entropy): the challenge is a small number and the valid answer depends on nothing but that number, so it is vendor lock-in rather than authentication, and one observed (challenge, answer) pair is enough to break it. Rather than going to war with the binary (disassembling it, finding where this number is computed and working out the algorithm), a simpler approach is to run the capture many times and look for the pattern.
I could find the pattern on my system: typically the two values, when XOR'ed, give 101.
So if AT+HELLOW returned x, you must answer with y such that x ^ y = 101. Since XOR is its own inverse, y = x ^ 101. This is consistent with the capture above: 96 is one of the values HELLOW returned and AT+HELLOW=5 was sent, and 96 ^ 5 = 101.
I have no idea whether the returned code depends on the network, the IMEI or the IMSI, so your mileage may vary.
Once you have the mapping between the read code and the answer, you can place a call from your Linux serial terminal.
If you do so, AT+HELLOW=y answers "OK", and then you can dial.
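The exchange described in this section, as an added example that is not part of the original post: a small client that runs AT+HELLOW / AT+READCODE / AT+HELLOW=y with y = x ^ 101, plus the "run the capture many times" analysis as a function that recovers the XOR constant from captured pairs. The response format of AT+HELLOW is not given above, so the parser is written to accept any response whose body contains a decimal number; the FakeModem class is a constructed stand-in for the serial port (it implements only the behaviour described here) and the answers 133 and 165 for the captured challenges 224 and 192 are computed from the rule, not observed. Against the real device, a pyserial Serial object on the application TTY can be passed in instead, since only write() and readline() are used.

```python
"""AT+HELLOW / AT+READCODE / AT+HELLOW=y handshake as reverse-engineered above.

Added example, not the author's code. Assumed (not stated in the post): the
modem answers AT+HELLOW and AT+READCODE with one decimal number followed by
OK, so parse_number() takes the first integer in the response body; command
echo (ATE1) is skipped. FakeModem is a constructed stand-in for the serial
port so the exchange runs offline; on the real device pass e.g.
serial.Serial("/dev/ttyUSB1", 115200, timeout=1) (port name is an assumption).
"""
import re

XOR_KEY = 101  # constant found above: challenge ^ answer == 101 on the author's unit


def infer_xor_key(pairs):
    """The 'run the capture many times' analysis: given captured
    (challenge, answer) pairs, return the XOR constant if every pair agrees,
    otherwise None (the relation is then not a fixed XOR)."""
    keys = {x ^ y for x, y in pairs}
    return keys.pop() if len(keys) == 1 else None


def answer_for(challenge, key=XOR_KEY):
    """x ^ y == key  <=>  y == x ^ key, because XOR is its own inverse."""
    return challenge ^ key


def parse_number(lines):
    """First integer found in a response body, e.g. ['96'] -> 96."""
    for line in lines:
        m = re.search(r"-?\d+", line)
        if m:
            return int(m.group())
    raise ValueError("no number in response: %r" % (lines,))


def send_at(port, cmd, max_lines=32):
    """Write one AT command and collect the reply up to the final result code.
    Returns (result, body_lines); result is 'OK', 'ERROR' or 'TIMEOUT'."""
    port.write((cmd + "\r").encode())
    body = []
    for _ in range(max_lines):
        line = port.readline().decode(errors="replace").strip()
        if line in ("OK", "ERROR"):
            return line, body
        if line and line != cmd:          # skip blank lines and command echo
            body.append(line)
    return "TIMEOUT", body


def handshake(port, key=XOR_KEY):
    """Unlock calling. Returns (unlocked, challenge, answer)."""
    result, body = send_at(port, "AT+HELLOW")
    if result != "OK":
        raise RuntimeError("AT+HELLOW failed: %s" % result)
    x = parse_number(body)
    send_at(port, "AT+READCODE")   # issued as in the capture; its value is not needed for the answer
    y = answer_for(x, key)
    result, _ = send_at(port, "AT+HELLOW=%d" % y)
    return result == "OK", x, y


class FakeModem:
    """CONSTRUCTED stand-in for the application TTY implementing only what the
    post describes: HELLOW returns a fresh small number, HELLOW=y is accepted
    only when challenge ^ y == 101, and ATD works only after that."""

    def __init__(self, challenges, key=XOR_KEY):
        self._challenges = iter(challenges)
        self._key = key
        self._challenge = None
        self.unlocked = False
        self._rx = []                     # lines queued for readline()

    def _reply(self, *lines):
        self._rx.extend((l + "\r\n").encode() for l in lines)

    def write(self, data):
        cmd = data.decode().strip()
        if cmd == "AT+HELLOW":
            self._challenge = next(self._challenges)
            self._reply(str(self._challenge), "OK")
        elif cmd == "AT+READCODE":
            self._reply("113", "OK")      # value seen in the capture; its role is unknown
        elif cmd.startswith("AT+HELLOW="):
            y = int(cmd.split("=", 1)[1])
            self.unlocked = self._challenge is not None and (self._challenge ^ y) == self._key
            self._reply("OK" if self.unlocked else "ERROR")
        elif cmd.startswith("ATD"):
            self._reply("OK" if self.unlocked else "ERROR")
        else:
            self._reply("ERROR")

    def readline(self):
        return self._rx.pop(0) if self._rx else b""


if __name__ == "__main__":
    port = FakeModem([96, 224, 192])
    print("inferred key:", infer_xor_key([(224, 133), (192, 165), (96, 5)]))
    print("handshake:", handshake(port))
    print("ATD:", send_at(port, "ATD0123456789;")[0])
```

If infer_xor_key() returns None on your own captures, the relation on your unit is not a fixed XOR (see the remark above about the network, IMEI or IMSI possibly mattering) and the pairs need a closer look before the handshake() helper is of any use.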
4) Establish data connection
I have not tested this part, but I have read here that the modem behaves like any other modem for this feature (once you have sorted out the quirks), so the usual wvdial / NetworkManager tools should work.