AT+ECM for connection management, QNCM rx_framing and le16 length prefixed IP tx_framing

Bjørn Mork bjorn at mork.no
Sat Mar 22 08:54:32 PDT 2014 

Hello,

This is a followup on the info Julio posted to linux-usb about the
Olivetti Olicard 500 modem.

I took a preliminary look at the Windows USB capture Julio provided,
believing that I would see a QMI device or something else I already
knew.  Unfortunately I did not.  So I'm turning here before putting too
much work into a needless driver, in case any of you have seen something
like this before...

This is what I found:

-  Windows seems to configure the device using normal GSM AT commands
  (+COPS, +CPIN, +CGDCONT etc) on one of the serial interfaces
- Connection is established using a special "AT+ECM" command (Olivetti
  vendor specific?  I've never seen this before), still on the serial
  interface:
   AT+ECM=0,1,"timbrasil.br",4,0,"tim","tim"
- Windows verifies success by sending "AT+ECM=0,?" and receiving either
   +ECM: 0
   OK  
  or
   +ECM: 1
   OK  

- Frames from host to modem are sent as raw IP, prefixed with a length
  matching the IP packet length in 16bit little endian. Sample packet
  with a DHCP request:

                                       48 01 45 00 01   .......J...H.E..
0020  48 00 05 00 00 80 11 39 a1 00 00 00 00 ff ff ff   H......9........
0030  ff 00 44 00 43 01 34 f2 98 01 01 06 00 f6 f3 2a   ..D.C.4........*
0040  e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 00 a0 c6 00 00 31 00 00 00 00 00   ..........1.....
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 63 82 53 63 35 01 01 3d 07 01 00   .....c.Sc5..=...
0130  a0 c6 00 00 31 0c 0e 45 37 32 43 34 31 33 38 31   ....1..E72C41381
0140  35 44 36 31 41 3c 08 4d 53 46 54 20 35 2e 30 37   5D61A<.MSFT 5.07
0150  0c 01 0f 03 06 2c 2e 2f 1f 21 79 f9 2b ff 00 00   .....,./.!y.+...
0160  00 00 00 00 00                                    .....


- Frames from modem to host are in something resembling NCM, but with
  'QNCM' as header signature andre 'QNDP' as NDP signature.  The NDPs
  contain raw IP packets, just like MBIM, not ethernet packets like NCM.
  There are also a variable number of trailing bytes, which are not
  accounted for in the NCM headers. Might be just padding?  Sample frame
  with a single DHCP reply:

                                       51 4e 43 4d 0c   .......p...QNCM.
0020  00 02 00 70 01 0c 00 51 4e 44 50 10 00 00 00 1c   ...p...QNDP.....
0030  00 42 01 00 00 00 00 45 00 01 42 00 01 00 00 ff   .B.....E..B.....
0040  11 6b 85 b1 a4 75 ee b1 a4 75 ed 00 43 00 44 01   .k...u...u..C.D.
0050  2e 91 a2 02 01 06 00 f6 f3 2a e1 00 00 00 00 00   .........*......
0060  00 00 00 b1 a4 75 ed b1 a4 75 ee 00 00 00 00 00   .....u...u......
0070  a0 c6 00 00 31 00 00 00 00 00 00 00 00 00 00 00   ....1...........
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63   ...............c
0140  82 53 63 35 01 02 0c 0e 45 37 32 43 34 31 33 38   .Sc5....E72C4138
0150  31 35 44 36 31 41 01 04 ff ff ff fc 03 04 b1 a4   15D61A..........
0160  75 ee 06 08 bd 28 e0 50 bd 28 c6 50 33 04 00 00   u....(.P.(.P3...
0170  1c 20 36 04 b1 a4 75 ee ff 00 00 00 00 00 00 00   . 6...u.........
0180  00 00 00 00 00 00 00 00 ba 00 ba                  ...........



Anyone seen anything like this before?

making a driver for it should not be too hard, but I wonder if that is
the best action.  This seems very proprietary and specific to a single
vendor/modem family.  And I wonder if this modem maybe speaks QMI and
can be configured for an already known framing that way.  Better have
that checked out first I guess.

Comments are appreciated.



Bjørn

More information about the ModemManager-devel mailing list