Re: Novatel Wireless power cycle



I've obtained it directly from a software engineer at Novatel named
Ali Taheri; also included on the email was Charles Wang. I was never
asked to sign anything. The SDK is closed source (distributed as a
shared object) but can be easily captured using strace. I can
definitely get you the sequence for power on as well; I just hadn't
bothered yet.

On Thu, Oct 11, 2012 at 5:23 PM, Dan Williams <dcbw redhat com> wrote:
>
> On Thu, 2012-10-11 at 16:20 -0500, Dan Williams wrote:
> > On Thu, 2012-10-11 at 08:45 -0400, David Pfeffer wrote:
> > > Hi all,
> > >
> > >
> > > I noticed in the modemmanager Novatel plugin code there's nothing
> > > there to power cycle the modem on disable/enable. This is a problem
> > > for me since I've found that one modem in particular, the MC760, it'll
> > > sometimes get into this state where the radio always tells the modem
> > > there's No Carrier until you power cycle it.
> > >
> > >
> > > I don't know about the GSM devices, but I've been developing for a
> > > little while now with the CDMA devices. There's definitely a way to do
> > > it. Using strace and the NovaCore SDK (which I have obtained from
> > > Novatel's software development department and without signing an NDA),
> > > I've found that the following goes out over the QCDM port when you
> > > turn the radio off in the SDK:
> > >
> > >
> > > write(4, "K\17\0\0\273`~", 7)           = 7
> > > write(4, "K\372\7\0\7\377\377\0\0\344o~", 12) = 12
> > > write(4, "K\17\0\0\273`~", 7)           = 7
> > > write(4, ")\1\0001@~", 6)               = 6
> > > write(4, "K\17\0\0\273`~", 7)           = 7
> > > write(4, "K\17\0\0\273`~", 7)           = 7
> >
> > They break down like this:
> >
> > K = DIAG_CMD_SUBSYS
> > \17 (decimal 15) = DIAG_SUBSYS_CM (call manager)
> > \0\0 = DIAG_SUBSYS_CM_STATE_INFO
> >
> > K = DIAG_CMD_SUBSYS
> > \372 (decimal 250) = DIAG_SUBSYS_RESERVED_OEM_0
> > \7\0 (0x7) = DIAG_SUBSYS_NW_CONTROL_MODEM_SNAPSHOT
> > \7 = DIAG_SUBSYS_NW_CONTROL_MODEM_SNAPSHOT_TECH_CDMA_EVDO
> > \377\377\0\0 = snapshot mask
> >
> > ) = DIAG_CMD_CONTROL
> > \1 = DM_CONTROL_MODE_OFFLINE
>
> Forgot to mention the last 3 bytes in all of these are the CRC-16 and
> 0x7E.  The DM/DIAG packet format is <cmdcode><stuff><crc-16><0x7E>.  And
> of course everything before the 0x7E is HDLC encoded so that 0x7E never
> appears in the body, and thus you can use it as the frame marker.
>
> Dan
>
> > So basically it's querying the generic modem state using the Call
> > Manager subsystem (see DMCmdSubsysCMStateInfoRsp in libqcdm), and then
> > it's asking for the Novatel-specific subsystem state (see
> > DMCmdSubsysNwSnapshotRsp and DMCmdSubsysNwSnapshotCdma in libqcdm) and
> > then it's telling the modem to go offline.  I'll assume at some point it
> > tells the modem to go back online too :)
> >
> > > However, I have no idea what this means -- I can't find any
> > > documentation to speak of for QCDM so it's just opaque binary to me.
> >
> > Because there isn't unless you sign NDAs with Qualcomm, and then you
> > can't do anything open-source with it.  So we've basically reverse
> > engineered some stuff we need for ModemManager:
> >
> > http://cgit.freedesktop.org/ModemManager/ModemManager/tree/libqcdm
> >
> > and perhaps more specifically:
> >
> > http://cgit.freedesktop.org/ModemManager/ModemManager/tree/libqcdm/src/dm-commands.h
> >
> > The actual C API that clients of libqcdm should use is commands.h
> > though, since the rest of the stuff is pretty low-level and the
> > internals might change around if we discover something new later, which
> > is why the commands.h uses the QcdmResult structure instead of hardcoded
> > returned parameters.
> >
> > > If someone is willing to assist me with the QCDM portion or give me
> > > some pointers, I'd be happy to reverse engineer power off, power on,
> > > and reset, and contribute a patch back. Again this is just for CDMA
> > > --
> >
> > The CONTROL command works for both GSM and CDMA devices actually.  I'm
> > just missing the define for "online" so if you can capture that, that
> > would be great.  I'm pretty sure it'll be something like:
> >
> > write(4, ")\0\0001@~", 6) or write(4, ")\3\0001@~", 6)
> >
> > there are a bunch of modes though, but I'm guessing that "online" is
> > mode 0.
> >
> > > the NovaCore SDK does support GSM devices but I don't own one. If
> > > someone else has one, I can send you the NovaCore SDK to reverse
> > > engineer this for GSM modems.
> >
> > What license is the NovaCore SDK distributed under?  That has a great
> > deal to do with whether or not it can just be sent around.  If you've
> > obtained it under a method compatible with the license (ie, directly
> > from Novatel) that's probably fine, but downloading it off some Chinese
> > site may not be.  Also note that even though the EULA or license may
> > prohibit reverse engineering (almost all software EULAs do), it's
> > actually completely legal for the purpose of interoperability, which is
> > what we're doing here with libqcdm.  But it still depends on how you got
> > it...
> >
> > I typically use a Windows connection manager and sniff the USB packets,
> > since all the connection managers are legally obtainable via the carrier
> > or manufacturers' websites, or even in the firmware on the dongles
> > themselves.  Helps keep the legal things clearer.
> >
> > Dan
> >
>
>
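
The framing described in the quoted reply (<cmdcode><stuff><crc-16><0x7E>, HDLC-escaped), checked against the strace capture in this thread. This is an added example, not part of the original messages and not libqcdm's code. It assumes the CRC-16 variant with reflected polynomial 0x8408 (sent low byte first) and 0x7D / XOR 0x20 escaping, which reproduces the CRC bytes of all three distinct captured frames; the function names are illustrative.

```python
import re

# Distinct frames from the strace capture quoted in this thread, as raw text.
CAPTURED = [r"K\17\0\0\273`~", r"K\372\7\0\7\377\377\0\0\344o~", r")\1\0001@~"]
# Non-octal escapes that strace prints inside string arguments.
_SIMPLE = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, '"': 34, "\\": 92}

def strace_bytes(text):
    """Convert a strace C-style string (octal and simple escapes) to bytes."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 8) if tok[0] in "01234567" else _SIMPLE[tok])
    return re.sub(r"\\([0-7]{1,3}|.)", repl, text).encode("latin-1")

def crc16(data):
    """CRC-16 (assumed variant): reflected poly 0x8408, init and final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def decode(frame):
    """Check the 0x7E marker, undo escaping, verify the CRC, return the body."""
    if not frame.endswith(b"\x7e") or 0x7E in frame[:-1]:
        raise ValueError("expected exactly one frame ending in 0x7E")
    raw, it = bytearray(), iter(frame[:-1])
    for byte in it:
        if byte == 0x7D:                 # escape byte: the next one is XOR 0x20
            byte = next(it, None)
            if byte is None:
                raise ValueError("dangling escape byte")
            byte ^= 0x20
        raw.append(byte)
    body, crc = bytes(raw[:-2]), int.from_bytes(raw[-2:], "little")
    if len(raw) < 3 or crc16(body) != crc:
        raise ValueError("short frame or CRC mismatch")
    return body

def encode(body):
    """Append the CRC, escape 0x7D/0x7E, and terminate with the frame marker."""
    out = bytearray()
    for byte in body + crc16(body).to_bytes(2, "little"):
        out += bytes([0x7D, byte ^ 0x20]) if byte in (0x7D, 0x7E) else bytes([byte])
    return bytes(out) + b"\x7e"

if __name__ == "__main__":
    for text in CAPTURED:
        print(decode(strace_bytes(text)).hex(" "))
```

Because the CRC covers the whole body, changing any byte of a captured frame requires recomputing the two CRC bytes, which `encode` does.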

