rss-bridge 2023-07-09T18:06:49+00:00

P4wnP1-LTE

I’ve written a couple of blog posts in the past in which I explain how to use Marcus Mengs’ truly excellent P4wnP1. The most common deployment scenario involves a Raspberry Pi Zero W, or possibly a FriendlyArm NanoPi R1S. The downside of these platforms is that you need to be in fairly close physical proximity in order to access the WiFi interface, or even closer to access Bluetooth. The NanoPi R1S can support an LTE modem, to give you much bigger range, but the downside to that is that it looks pretty clunky.


In this post, I’m going to show you how to install and use P4wnP1 on the LTE modem itself, skipping the NanoPi R1S completely.

Wait, what!? Is this a trick? How on earth can you install software on an LTE modem? Good question!

About six years ago, the Osmocom folks posted about how some Qualcomm modems are actually just running Linux under the hood. There are a bunch of modems that fall into this category, which you can find here. Having just created USaBUSe, I immediately saw the potential for running USaBUSe on such a platform – it had the USB gadget capability, and a long range network interface. Just PERFECT! I immediately purchased a D-Link DWM-222 modem, which is on that list. But it languished, as I was unable to get to the ADB shell immediately, and then other projects came along pushing it down the stack.

Then last year, Hackaday posted this article, about how a hacker named HandsomeYingyan had figured out that a particular LTE modem was running Linux, and was able to build his own distribution for it. His github repo was in Chinese, and another hacker named extrowerk had gone to the trouble of running it through Google Translate, and making notes on how to actually use it for the rest of us. Seeing this, I immediately went searching for a suitable vendor on AliExpress, and added one to my shopping cart. But personal hacking budgets intervened (I’ve never been good at asking SensePost to pay for my toys, but I am getting better – I submitted this claim at least!), and it languished there until about two months ago when I finally pulled the trigger. Two months later, thanks to the vagaries of the South African Post Office, it finally arrived.

Having opened it up, I found it labeled as “FY_UZ801_V3.2”, which appeared to be a newer revision of one of the “known-working” variants. Good news! It’s actually quite a capable little device. Quad core, 512MB RAM, 4GB flash, WiFi and Bluetooth (Bluetooth not yet working), and of course, USB gadget enabled with an LTE interface. Just check that the GSM frequency bands on the modem you choose match up to what is available in your area.

I lost no time in following extrowerk’s instructions, and soon had Debian installed and running successfully on my modem! Whoop! Note: When flashing the “base” files, you want to be in the base/ directory, and run ./flash.sh, rather than base/flash.sh, as many of the required files are not found otherwise. Note2: Be smarter than me, and take a backup of the modem’s firmware using this comment’s advice, before gaily wiping everything out!

I was soon logged on using adb shell, and exploring the new playground I found myself in. First things first, let’s get it online using the WiFi interface. After setting your TERM variable to something suitable like TERM=xterm, you can run nmtui and select your AP.

It is a very limited installation of Debian; many necessities you would expect are not installed, such as vi (OK, or nano!). Worse, the /etc/apt/sources.list contains references to some Chinese mirrors that were not responding when I tried to run apt update. Without an editor, how are you supposed to fix this? My approach was the following:

cat > /etc/apt/sources.list <<EOF
deb http://deb.debian.org/debian bullseye main contrib non-free
deb-src http://deb.debian.org/debian bullseye main contrib non-free

deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free

deb http://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian bullseye-backports main contrib non-free

deb http://security.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://security.debian.org/debian-security/ bullseye-security main contrib non-free
EOF

Now you can run apt update and install your preferred editor and other niceties.

One of my first priorities was to get the LTE interface working, as this was the whole point of the device. And this is where my struggles began …

After way too much frustration wondering why the modem was reporting “NotReady”, I realised that I probably had the wrong firmware loaded for the LTE peripheral. And in my haste to get Debian installed, I had merrily blown away the entire firmware for the whole modem, including that for the LTE peripheral!

Note: There are two things that could quite reasonably be called an “LTE modem”. One is the entire device, with a USB connector sticking out of it. The other is the actual LTE peripheral. Both of these have firmware which is required to make them functional. One is a Linux operating system, and the other is a program for the Hexagon Digital Signal Processor chip. The LTE peripheral’s firmware just happens to be a file in the “entire device” firmware. So I’ll call it the LTE peripheral firmware, clumsy as it is.

Fortunately, I then found another person ddscentral who had built their own version of the kernel, but had also made the LTE peripheral firmware available to download.

ddscentral even hacked the bootloader to enter fastboot mode when the reset button is pressed while applying power. This means that you can’t brick the device by making the Linux distribution unbootable, which would prevent you from successfully invoking adb bootloader. If it won’t boot, just hold the button while plugging it in to the host, and it will show up in fastboot devices. Magic! Just follow the instructions at the link above, and all should be good. With that done, I was able to get an LTE peripheral that recognised the modem, and my Vodacom SIM card, but I was still unable to get online.

After a lot of hair pulling, I finally figured out that there are some built-in profiles in the LTE peripheral firmware that do not have the correct APN set. Running qmicli -d /dev/wwan0qmi0 -p --wds-get-profile-list=3gpp showed 3 profiles, two with an empty APN, and one with "m2m". None of which will work for Vodacom in South Africa. I made sure that the APN setting in the NetworkManager interface definition was correctly set to "internet", but that still did not work. After much going around, I discovered that the following script run at startup would do the trick.

#!/bin/sh

# wait for the modem to enumerate to the host OS
while [ ! -e /dev/wwan0qmi0 ] ; do
    sleep 5
done

# set the APN on each of the three built-in 3gpp profiles
for i in 1 2 3 ; do
    /usr/bin/qmicli -d /dev/wwan0qmi0 -p --wds-modify-profile="3gpp,$i,apn=internet,pdp-type=ipv4v6"
done 2>&1 | tee /tmp/qmicli.log

This was run in the background from /etc/rc.local, after enabling the rc-local systemd unit, and creating /etc/rc.local as an executable shell script.
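The script above rewrites all three profiles unconditionally on every boot. The variant below, which is an added example and not part of the original post or the P4wnP1 project, first parses the output of --wds-get-profile-list=3gpp and only touches the profiles whose APN is wrong, so that the rc.local log records exactly what was changed. The sample profile listing inside sample_profile_list is constructed to match the three profiles described above (two empty APNs and one "m2m"); the exact layout of qmicli's listing ("[n] 3gpp ..." followed by an indented "APN: '...'" line) is an assumption about the libqmi output format, and the parser only relies on those two line shapes. The function and variable names (profiles_needing_apn, apply_apn_fix) are my own.

```shell
#!/bin/sh
# Idempotent APN fix for the UZ801's built-in 3gpp profiles (added example).
# Usage on the device:  /usr/local/sbin/apnfix.sh apply internet [/dev/wwan0qmi0]

# Constructed sample of a qmicli --wds-get-profile-list=3gpp listing, in the
# assumed libqmi layout, mirroring the three profiles found on the device.
sample_profile_list() {
  cat <<'EOF'
[/dev/wwan0qmi0] Profile list retrieved:
    [1] 3gpp -
        APN: ''
        PDP type: 'ipv4'
    [2] 3gpp -
        APN: ''
        PDP type: 'ipv4'
    [3] 3gpp -
        APN: 'm2m'
        PDP type: 'ipv4v6'
EOF
}

# Read a profile listing on stdin and print, one per line, the index of every
# 3gpp profile whose APN is not $1. Unrelated lines (the "[/dev/...]" header,
# PDP type, etc.) are ignored, so extra fields in the listing do no harm.
profiles_needing_apn() {
  awk -v want="$1" -v q="'" '
    /^[ \t]*\[[0-9]+\][ \t]*3gpp/ {
      line = $0
      sub(/^[ \t]*\[/, "", line); sub(/\].*$/, "", line)
      idx = line            # remember the index until its APN line arrives
      next
    }
    idx != "" && /^[ \t]*APN:/ {
      a = index($0, q)      # text between the first pair of single quotes
      rest = substr($0, a + 1)
      b = index(rest, q)
      apn = substr(rest, 1, b - 1)
      if (apn != want) print idx
      idx = ""
    }'
}

# Wait for the QMI node, then rewrite only the profiles that need it.
# Only runs when invoked with "apply"; defining the functions has no side effects.
apply_apn_fix() {
  want="$1"
  dev="${2:-/dev/wwan0qmi0}"
  while [ ! -e "$dev" ]; do sleep 5; done
  qmicli -d "$dev" -p --wds-get-profile-list=3gpp \
    | profiles_needing_apn "$want" \
    | while read -r idx; do
        echo "profile $idx: setting apn=$want"
        qmicli -d "$dev" -p --wds-modify-profile="3gpp,$idx,apn=$want,pdp-type=ipv4v6"
      done
}

case "${1:-}" in
  apply) apply_apn_fix "${2:-internet}" "${3:-}" ;;
esac
```

Invoked from rc.local as apnfix.sh apply internet &, it behaves like the original script on first boot, but subsequent boots log nothing and issue no modify commands, which makes a later regression (a firmware reflash wiping the profiles again) easy to spot in /tmp/qmicli.log.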

[...]
