Armageddon421's Hackingblog

Tag: Modem

LTE USB-Stick Samsung GT-B3740 on Ubuntu!

by on Jun.05, 2011, under Projects, quickhack

Yesterday, Onny from project-insanity.org got himself a Vodafone contract for the new LTE-Mobile-Broadband-Connection that came with a Samsung GT-B3740 USB modem. It works on Windows, it works on Mac,…

So now we come to the interesting part: Can we get it to work on Linux?

We got this driver, which is written for the B3730, did everything the README file told us to, and hoped it would work with our device… It didn't. So we tried to find out why. Our first guess was that the chatscript was not initializing the modem correctly. It turned out we were right. After analyzing the USB traffic on Windows, we were able to reconstruct the AT commands that are sent to the modem to initialize it and establish the connection. We sketched it on paper. Here are the pictures of it in case someone needs them for debugging. The right column shows the replies that the modem sends back.

After having created the corresponding chatscript and executed it, the light turned first blue, then green and it magically connected. Executing dhclient sets everything else up.

This is what our working chatscript looks like:


ABORT 'TIME OUT' ABORT 'ERROR'
'' ATE1
'OK' AT+CSCS="UCS2"
'OK' AT+CMGF=0
'OK' AT+CHANGEALLPATH?
'OK' AT+VERSNAME=1,0
'OK' AT+VERSNAME=1,1
'OK' AT+CMEE=2
'OK' AT+CGREG=2
'OK' AT+CFUN=5
'OK' AT+CPIN?
'OK' AT+CNUM
'OK' AT+MODESELECT=2
'OK' AT+CSQ?
'OK' AT+COPSNAME
'OK' AT+CSQ?
'OK' AT+CGACT?
'OK' AT+CSQ?
'OK' AT+CSQ?
'OK' AT+CSQ?
'OK' AT+CSQ?
'OK' AT+CSQ?
'OK' AT+CSQ?
'OK' AT+CGDCONT=1,"IP","web.vodafone.de"
'OK' AT+CGATT=1

'CGACT:1,1'

For the more inexperienced folks, I have tried to put together a little tutorial.


git clone https://github.com/mkotsbak/Samsung-GT-B3730-linux-driver.git
cd Samsung-GT-B3730-linux-driver
sh build.sh
cd option
sh build.sh
cd ..

sudo vim /etc/usb_modeswitch.d/04e8:689a
        #make sure the line "NoDriverLoading=1" has no "#" in front of it
        #also make sure that there is no file "04e8:6889" in that folder

vim chatscript.txt
#replace the content of this file with the chatscript from above


#this was the basic setup, it only has to be done once.
#from here, you can make yourself a script because
#this has to be at least executed after each reboot

sudo modprobe option    #load the default option driver to get the dependencies
sudo rmmod option        #unload it again
sudo insmod ./option/option.ko    #load the custom option module
sudo modprobe usbnet
sudo insmod ./kalmia.ko    #load the driver module for the modem

sh chat.sh    #this initializes and connects the modem using our chatscript.txt!
sudo ifconfig wwan0 up    #bring the ethernet device up
sudo dhclient wwan0        #get an ip, gateway and dns

#finally, you have to monitor the connection to prevent the serial
#buffer on the modem from overflowing

sudo minicom -o -D /dev/ttyUSB0    #just leave this open while you are connected

Voila! It should work!

You might have to adjust some values, for example /dev/ttyUSB1 instead of USB0 if you already have another USB-to-serial device. This has to be changed in the chat.sh script and the minicom command.

If you have problems, you could also try disabling the Ubuntu network-manager and killing the modem-manager by doing:


sudo /etc/init.d/network-manager stop
sudo killall modem-manager

Also remember that you might have to install minicom and usb-modeswitch.

Finally, a picture of me doing an Ubuntu upgrade from 10.10 to 11.04.

I hope I could help you out!

Have a nice connection! See ya!

Edit:

In case you have usb-modeswitch installed and the file in /etc/usb_modeswitch.d/ is still empty or missing, you may create it with the following content:



#######################################################
# Samsung GT-B3730

DefaultVendor= 0x04e8
DefaultProduct=0x689a

TargetVendor=  0x04e8
TargetProduct= 0x6889

MessageContent="55534243785634120100000080000601000000000000000000000000000000"

CheckSuccess=20

NoDriverLoading=1

Update:

Onny from Project-Insanity.org got the new driver version running on Arch Linux x64, Kernel 2.6.39, using the following method:


git clone https://github.com/mkotsbak/Samsung-GT-B3730-linux-driver.git
cd Samsung-GT-B3730-linux-driver
wget https://raw.github.com/mkotsbak/linux-2.6/Samsung_kalmia_driver-3.0/drivers/net/usb/kalmia.c
wget -O option/option.c "http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.38.y.git;a=blob_plain;f=drivers/usb/serial/option.c;hb=HEAD"
sh build.sh && sh option/build.sh
if ! grep -q NoDriver /etc/usb_modeswitch.conf; then echo "NoDriverLoading=1" | sudo tee -a /etc/usb_modeswitch.conf; fi
sudo modprobe option && sudo rmmod option    #to get module deps
sudo insmod ./option/option.ko
sudo modprobe usbnet
sudo insmod ./kalmia.ko
wget -O chatscript.txt http://onny.project-insanity.org/files/chatscript_vodafone.txt
sudo sh chat.sh
sudo dhcpcd wwan0
minicom -o -D /dev/ttyUSB0


Stats from the “Alice Modem 1111”

by on Jan.24, 2011, under quickhack

This weekend a friend of mine asked me if I could make his fileserver display some interesting stats. One of those stats would be the internet traffic. The problem was the crappy modem/router thing from Alice that he has to use. The web interface offers very sparse information and has no traffic monitor.

Running nmap revealed that the modem has a telnet interface.


Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-24 10:18 CET
Interesting ports on alicebox.localdomain (192.168.1.1):
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
2800/tcp open unknown
8008/tcp open http

I tried connecting, and then came the next problem: it asked for a login and password. I found out that they are not the same as for the web interface, so I googled. The login would be “admin” and the password would consist of “Alice” + the last 6 Bytes of the MAC in hex + “123”, for example “AliceFFFFFF123”.

Then I was confronted with a strange shell that let me press “?” to display the available commands.


Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

Alice Modem 1111
Alice Software Version : 4.19

Login: admin
Password: **************

Login successful

-->
agent            Get a file from a remote host
bridge           Configure layer 2 bridge.
bridgevlan       VLAN transport configuration
classifier       Packet classifier configuration commands
console          Console access
dhcpclient       DHCP client configuration commands
dhcprelay        DHCP relay Configuration
dhcpserver       DHCP server configuration commands
dnsrelay         DNS relay configuration
ethernet         Commands to configure ethernet transports
firewall         Firewall configuration commands
help             Top level CLI help
imdebug          Directly access the information model
ip               Configure IP router
l2filter         Packet filter configuration commands
nat              NAT configuration commands
port             Physical port configuration commands
pppoa            PPP over ATM configuration
pppoe            PPP over Ethernet Configuration
security         Security configuration commands not specific to NAT or firewall
sntpclient       Simple Network Time Protocol Client commands
stop
system           System administration commands
transports       Transport configuration commands
upnp             UPnP configuration commands
user             User commands
-->

After toying around a bit, I found what I needed:

--> port ethernet show

Version = 1.01
RxNoBuffer = 121
TxNoBuffer = 0
PortClassEthernet = true
Disable = false
PromiscuousEnable = true
RxBroadcastEnable = true
RxMulticastEnable = true
RxMulticastAllEnable = true
RxUnicastEnable = true
RxAddressEnable = false
RxPassBad = false
FullDuplexEnable = true
CrcEnable = false
PadShortDataEnable = false
Loopback = false
HaltImmediately = true
MAC = 00:85:a0:01:01:00
RxOK = 4657743
TxOK = 6663192
MaxFilterEntries = 21
TxIntTx = 6663192
Tx10Stat = 0
TxPar = 0
TxHalted = 0
TxSQErr = 0
TxMCast = 7788
TxBCast = 2018
TxVLAN = 0
TxMACC = 0
TxPause = 0
TxExcessiveCollisions = 0
TxLateCollisions = 0
TxUnderrun = 0
TxCarrierLoss = 0
TxDeferred = 0
TxAfterOneCollision = 0
TxAfterMoreCollision = 0
TxCollisions = 0
TxExcessiveDeferrals = 0
RxIntRx = 0
RxMIIErrors = 0
RxPar = 0
RxHalted = 0
RxMulticastPackets = 62675
RxBroadcastPackets = 693755
RxVLAN1Frames = 0
RxPAUSE = 0
RxCRCErrors = 0
RxErrorAlign = 0
RxOverlongPackets = 0
RxOverruns = 112852
RxControlFrames = 0
RxShortPackets = 749
txOKBytes = 211726529
rxOKBytes = 541541832

txUCastPkts = 6653390
rxUCastPkts = 4012768
PhyMode = MII
resetDefaults = false
portSnmpIfIndex = 0
portSnmpIfType = 0

All I had to do now was automate this process. The finished Python script, using pexpect to simulate the interaction and rrdtool to store and graph the data, looked like this:

#!/usr/bin/python

import pexpect, sys, os

os.linesep = "\r"  #telnet expects \r instead of \n, pexpect takes its line ending from os.linesep

#Connect and simulate interaction
#encoding makes c.before a text string, so the split below also works on Python 3
c = pexpect.spawn("telnet 192.168.1.1 23", encoding="utf-8")
c.expect("Login: ")
c.sendline("admin")
c.expect("Password: ")
c.sendline("AliceFFFFFF123")
c.expect("--> ")
c.sendline("port ethernet show")
c.expect("--> ")
res = c.before
c.close()

#Find the required values
tx = rx = None
lines = res.split("\r\n")
for line in lines:
	if line.startswith("txOKBytes"):
		tx = line.split("= ")[1].strip()
	if line.startswith("rxOKBytes"):
		rx = line.split("= ")[1].strip()

#Stop if the modem did not report both counters
if tx is None or rx is None:
	sys.exit("txOKBytes/rxOKBytes not found in modem output")

#Update RRD
pexpect.run("rrdtool update /home/ave/rrd/database/internet.rrd N:%s:%s" % (tx,rx))
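
A stricter version of the value extraction above, as an added example that is not part of the original script: it parses the "port ethernet show" reply into a dictionary and only builds the rrdtool update argument list when both byte counters are plain integers, so the modem's reply is treated as untrusted input. The function names and the trimmed sample reply are constructed for illustration.

```python
import re

# Constructed sample: a trimmed "port ethernet show" reply as it arrives over
# telnet, including the echoed command and CRLF line endings.
SAMPLE = (
    "port ethernet show\r\n\r\n"
    "Version = 1.01\r\n"
    "MAC = 00:85:a0:01:01:00\r\n"
    "RxOK = 4657743\r\n"
    "txOKBytes = 211726529\r\n"
    "rxOKBytes = 541541832\r\n"
    "\r\n"
    "txUCastPkts = 6653390\r\n"
)

# One "Key = Value" pair per line; anything else (echo, blank lines) is skipped.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=\s*(.*?)\s*$")
# Counters are unsigned decimal integers; the length cap is an assumption.
COUNTER_RE = re.compile(r"[0-9]{1,20}")


def parse_port_stats(text):
    """Return {key: value} for every 'Key = Value' line in the reply."""
    stats = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            stats[match.group(1)] = match.group(2)
    return stats


def rrd_update_argv(text, rrd_path, keys=("txOKBytes", "rxOKBytes")):
    """Build the argv list for 'rrdtool update', or raise ValueError.

    Every requested counter must be present and purely numeric, so nothing
    in the device's reply can add options or extra arguments to the call.
    """
    stats = parse_port_stats(text)
    values = []
    for key in keys:
        value = stats.get(key)
        if value is None or not COUNTER_RE.fullmatch(value):
            raise ValueError("missing or non-numeric counter: %s" % key)
        values.append(value)
    # Hand this list to subprocess.run() as-is; no shell is involved.
    return ["rrdtool", "update", rrd_path, "N:" + ":".join(values)]
```
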

The finished output of rrdtool looks like this:

Later I added a second graph that shows the number of devices in the LAN that respond to ping probes. It’s as simple as

#!/bin/bash

res=`nmap -sP 192.168.1.50-253 | wc -l`   #nmap the LAN, count the lines
num=$(($res - 3))                         #subtract nmap's static status lines
rrdtool update /home/ave/rrd/database/devices.rrd N:$num     #update RRD

I hope I could give some of you an example of how to approach such a problem. Comment if you did something similar or want to do it!
