After having analyzed the Samsung stick firmware, it was time to make something useful out of it. When first plugged into a Linux machine, it appears as a USB mass storage device.
With the help of usb_modeswitch, it is possible to activate the ttyUSB device, as well as the control device. Here is the output of lsusb before the switch:
# lsusb
Bus 001 Device 038: ID 04e8:689a Samsung Electronics Co., Ltd LTE Storage Driver [CMC2xx]
Bus 002 Device 002: ID 05ca:18c2 Ricoh Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
The command line for usb_modeswitch would be:
usb_modeswitch -W -v 0x04e8 -p 0x689a -I -M '55534243785634120100000080000601000000000000000000000000000000'
Here is an output log:
# usb_modeswitch -W -v 0x04e8 -p 0x689a -I -M '55534243785634120100000080000601000000000000000000000000000000'
Taking all parameters from the command line
* usb_modeswitch: handle USB devices with multiple modes
* Version 1.2.3 (C) Josua Dietze 2012
* Based on libusb0 (0.1.12 and above)
! PLEASE REPORT NEW CONFIGURATIONS !
DefaultVendor= 0x04e8
DefaultProduct= 0x689a
TargetVendor= not set
TargetProduct= not set
TargetClass= not set
TargetProductList=""
DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
MessageEndpoint= not set
MessageContent="55534243785634120100000080000601000000000000000000000000000000"
NeedResponse=0
ResponseEndpoint= not set
InquireDevice disabled
Success check disabled
System integration mode disabled
usb_set_debug: Setting debugging level to 15 (on)
usb_os_find_busses: Found 006
usb_os_find_busses: Found 005
usb_os_find_busses: Found 004
usb_os_find_busses: Found 003
usb_os_find_busses: Found 002
usb_os_find_busses: Found 001
usb_os_find_devices: Found 001 on 006
skipping descriptor 0x30
skipped 1 class/vendor specific endpoint descriptors
usb_os_find_devices: Found 001 on 005
usb_os_find_devices: Found 001 on 004
usb_os_find_devices: Found 001 on 003
usb_os_find_devices: Found 002 on 002
skipping descriptor 0xB
skipped 1 class/vendor specific endpoint descriptors
skipped 5 class/vendor specific interface descriptors
skipping descriptor 0x25
skipped 1 class/vendor specific endpoint descriptors
skipped 18 class/vendor specific interface descriptors
usb_os_find_devices: Found 001 on 002
error obtaining child information: Inappropriate ioctl for device
usb_os_find_devices: Found 038 on 001
usb_os_find_devices: Found 001 on 001
error obtaining child information: Inappropriate ioctl for device
Looking for default devices ...
searching devices, found USB ID 1d6b:0003
searching devices, found USB ID 1d6b:0002
searching devices, found USB ID 1d6b:0001
searching devices, found USB ID 1d6b:0001
searching devices, found USB ID 05ca:18c2
searching devices, found USB ID 1d6b:0002
searching devices, found USB ID 04e8:689a
found matching vendor ID
found matching product ID
adding device
searching devices, found USB ID 1d6b:0002
Found device in default mode, class or configuration (1)
Accessing device 038 on bus 001 ...
Getting the current device configuration ...
USB error: error sending control message: Connection timed out
Error getting the current configuration (error -110). Assuming configuration 1.
Using first interface: 0x00
Using endpoints 0x06 (out) and 0x85 (in)
USB description data (for identification)
-------------------------
Manufacturer: not provided
Product: not provided
Serial No.: not provided
-------------------------
Looking for active driver ...
OK, driver found ("usb-storage")
OK, driver "usb-storage" detached
Setting up communication with interface 0
Using endpoint 0x06 for message sending ...
Trying to send message 1 to endpoint 0x06 ...
OK, message successfully sent
Resetting response endpoint 0x85
USB error: could not clear/halt ep 133: Connection timed out
Could not reset endpoint (probably harmless): -110
Resetting message endpoint 0x06
-> Run lsusb to note any changes. Bye.
So after that, a new lsusb would show us:
# lsusb
Bus 001 Device 040: ID 04e8:6889 Samsung Electronics Co., Ltd GT-B3730 Composite LTE device (Commercial)
Bus 002 Device 002: ID 05ca:18c2 Ricoh Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
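The MessageContent passed with -M above is not an opaque magic string: it is a 31-byte USB Mass Storage Bulk-Only Transport Command Block Wrapper (CBW) wrapping a 6-byte SCSI command descriptor block, and it is what makes the stick drop its storage personality and re-enumerate as 04e8:6889 in the second lsusb. The decoder below is an added example, not code from the post or from usb_modeswitch; the struct, the helper names and the constant SAMSUNG_SWITCH_MSG are mine, the field layout is the one from the Bulk-Only Transport specification.

```c
/* Decoder for the usb_modeswitch MessageContent used above. Added example;
 * not code from the post or from usb_modeswitch. The message is a USB Mass
 * Storage Bulk-Only Transport Command Block Wrapper (CBW): 31 bytes, little
 * endian, wrapping a SCSI command descriptor block (CDB). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CBW_LEN       31
#define CBW_SIGNATURE 0x43425355u   /* "USBC" read as a little-endian u32 */

/* The exact -M argument from the usb_modeswitch command line above. */
static const char *const SAMSUNG_SWITCH_MSG =
    "55534243785634120100000080000601000000000000000000000000000000";

struct cbw {
    uint32_t signature;   /* dCBWSignature, must be "USBC" */
    uint32_t tag;         /* dCBWTag, echoed by the device in its status (CSW) */
    uint32_t data_len;    /* dCBWDataTransferLength, bytes expected on the data stage */
    uint8_t  flags;       /* bmCBWFlags, bit 7 set = data flows device-to-host */
    uint8_t  lun;         /* bCBWLUN, low 4 bits */
    uint8_t  cb_len;      /* bCBWCBLength, valid bytes in cb[] (1..16) */
    uint8_t  cb[16];      /* CBWCB, the SCSI CDB; cb[0] is the opcode */
};

static int nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict hex decode: returns byte count, or -1 on odd length, bad digit or overflow. */
static int hex_decode(const char *hex, uint8_t *out, size_t out_cap) {
    size_t n = strlen(hex);
    if (n % 2 || n / 2 > out_cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a hex-encoded CBW. Returns 0 on success; -1 if the blob is not a
 * well-formed CBW (wrong length, wrong signature, or CB length out of range). */
int cbw_parse(const char *hex, struct cbw *c) {
    uint8_t raw[CBW_LEN];
    if (hex_decode(hex, raw, sizeof raw) != CBW_LEN) return -1;
    c->signature = le32(raw);
    c->tag       = le32(raw + 4);
    c->data_len  = le32(raw + 8);
    c->flags     = raw[12];
    c->lun       = raw[13] & 0x0f;
    c->cb_len    = raw[14];
    memcpy(c->cb, raw + 15, sizeof c->cb);
    if (c->signature != CBW_SIGNATURE) return -1;
    if (c->cb_len < 1 || c->cb_len > 16) return -1;
    return 0;
}

int main(void) {
    struct cbw c;
    if (cbw_parse(SAMSUNG_SWITCH_MSG, &c) != 0) {
        fprintf(stderr, "not a well-formed CBW\n");
        return 1;
    }
    printf("tag=0x%08x data_len=%u flags=0x%02x (%s) lun=%u cb_len=%u\n",
           c.tag, c.data_len, c.flags, (c.flags & 0x80) ? "IN" : "OUT", c.lun, c.cb_len);
    printf("CDB:");
    for (int i = 0; i < c.cb_len; i++) printf(" %02x", c.cb[i]);
    printf("  (opcode 0x%02x)\n", c.cb[0]);
    return 0;
}
```

Decoded, the message is a CBW with tag 0x12345678, a one-byte device-to-host data stage, LUN 0 and a 6-byte CDB whose opcode is 0x01 (REZERO UNIT in the SCSI block command set). The stick's firmware keys its mode switch on that command arriving over the mass-storage interface, which is why usb_modeswitch first detaches usb-storage, then pushes the CBW to the bulk-out endpoint 0x06 and treats the timeout on the bulk-in endpoint 0x85 as harmless: the device is already re-enumerating.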
Modifying the Linux driver
To get the stick supported, we need to modify the Linux driver that already exists for it (kalmia):
https://github.com/mkotsbak/linux-2.6/blob/Samsung_kalmia_driver-3.0/drivers/net/usb/kalmia.c
The new kalmia.c is available HERE (special thanks to Xavier Martin for this).
Here is the Makefile that let me compile it out of tree against the running kernel:
# out-of-tree module build; recipe lines must be indented with a tab
obj-m += kalmia.o

all:
	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Once the module is loaded, two new devices are present.
The /dev/c2xx device gives us all the debug packets, including NAS and RRC, so we can look at them with Wireshark.
To do that, we need a Wireshark dissector: packet-c2xx.c
As seen in the following picture, the dissector takes a packet that we named c2xx.
This packet is composed of a header, an HDLC flag, and a frame.
Packets containing NAS are then visible.
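As an added example of the frame stage of that dissection (not the post's packet-c2xx.c), the helper below pulls successive HDLC frames out of a c2xx-style buffer. It assumes standard HDLC byte stuffing, 0x7E as the flag and 0x7D as an escape whose following byte is XORed with 0x20; the post only says the packet carries a header, an HDLC flag and a frame, so that is an assumption. The sample buffer and its two-byte header are constructed for illustration.

```c
/* HDLC frame extraction for a c2xx-style buffer. Added example, not the
 * post's packet-c2xx.c dissector. ASSUMPTION: the inner frame uses standard
 * HDLC byte stuffing (0x7E flag, 0x7D escape, escaped byte XOR 0x20); the
 * post only says the packet is header + HDLC flag + frame. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDLC_FLAG   0x7e
#define HDLC_ESCAPE 0x7d
#define HDLC_XOR    0x20

/* Constructed sample: a hypothetical 2-byte header, then two frames.
 * Frame 1 payload 07 7E 7D 42 is stuffed on the wire as 07 7D 5E 7D 5D 42. */
const uint8_t C2XX_SAMPLE[] = {
    0x10, 0x00,
    0x7e, 0x07, 0x7d, 0x5e, 0x7d, 0x5d, 0x42, 0x7e,
    0x7e, 0x0a, 0x0b, 0x7e
};

/* Extract the next flag-delimited frame at or after *off, unstuffing it into out.
 * Returns the payload length, 0 when no complete frame remains, or -1 on
 * malformed input (escape as last byte, or payload larger than out_cap).
 * On success *off is left on the closing flag, so a single flag shared by
 * two back-to-back frames also opens the next one. */
int hdlc_next_frame(const uint8_t *buf, size_t len, size_t *off,
                    uint8_t *out, size_t out_cap) {
    size_t i = *off, n = 0;
    while (i < len && buf[i] != HDLC_FLAG) i++;  /* skip header or inter-frame bytes */
    while (i < len && buf[i] == HDLC_FLAG) i++;  /* back-to-back flags are one delimiter */
    while (i < len) {
        uint8_t b = buf[i++];
        if (b == HDLC_FLAG) { *off = i - 1; return (int)n; }  /* closing flag: frame done */
        if (b == HDLC_ESCAPE) {
            if (i >= len) return -1;                          /* dangling escape */
            b = buf[i++] ^ HDLC_XOR;
        }
        if (n >= out_cap) return -1;                          /* would overflow caller's buffer */
        out[n++] = b;
    }
    *off = i;
    return 0;  /* buffer ended before a closing flag: wait for more data */
}

int main(void) {
    uint8_t frame[64];
    size_t off = 0;
    int n, k = 0;
    while ((n = hdlc_next_frame(C2XX_SAMPLE, sizeof C2XX_SAMPLE, &off, frame, sizeof frame)) > 0) {
        printf("frame %d (%d bytes):", ++k, n);
        for (int i = 0; i < n; i++) printf(" %02x", frame[i]);
        printf("\n");
    }
    if (n < 0) fprintf(stderr, "malformed HDLC data\n");
    return n < 0;
}
```

The two failure modes a dissector has to handle are visible in the return codes: 0 means the capture was cut mid-frame (reassembly needed), -1 means the escape sequence itself is broken and the bytes should be shown as malformed rather than decoded. Whatever the real header layout is, the unstuffed payload is what a NAS or RRC sub-dissector would be handed.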