Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 08-07-2011, 10:50 PM   #1
khmann
Enthusiast
khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.
 
Posts: 43
Karma: 1658
Join Date: Jul 2011
Device: b006
k3-CDMA

EDIT 10/18/11: This totally works. If you just want the "HOWTO", ignore these first two posts; I tend to babble online in web forums... kind of a "stream of consciousness" thing - and I like to get my Google keywords out there. Skip to the 3rd post for the nuts and bolts.
------------------------

OK... so for some reason I feel compelled to convert my Kindle 3 from AT&T GSM to Sprint CDMA. This is not about TOS (Theft of Service) which I absolutely do not condone, but better reception and the K2's embedded GPS.

So, I got a couple K2 CDMA cards... Novatel E727NV SPCS I believe is K2 US Wireless B002 - EVDO Rev0 and E727NV NW2 from Kindle DX is RevA. I have played with a number of GSM modems; these units are very unfriendly and Novatel provides no documentation. I gathered the following primarily through the Sprint SmartView software with the card in a WinXP. In my free time I might try to install a serial port sniffing shim and see how the Sprint software gathers this information, but I am wary of killing another card (see below)

I would like to caution against the idea that these units could be used in non-Kindle devices for arbitrary access... I had some success establishing a Kindle connection using AT commands, but made the mistake of clicking the "Connect" button to bring up a connection from Windows... "Connection Failed" and no longer performs with AT commands GSM operators often control access in M2M (Machine 2 Machine) environments using a service-specific APN to which SIM cards are granted access. In CDMA, authentication seems to be username/password paired to ESN, all stored in the radio. Either way, access is tied to a specific profile is likely monitored for abnormalities to "protect revenue". In GSM, they can nuke your SIM and blacklist your IMEI. The CDMA equiv would be to disable your username/password and blacklist the ESN. Mobile operators are very adept at network monitoring... subtle differences in PPP implementation, combined with a knowledge of "allowed applications" on the platform; where DNS should be going, TCP ports in use, and volume of data transferred, etc. can trigger an alarm resulting in a permanent block. Don't waste your money trying to steal...

Anyway, I gathered the following info:
Code:
Network Name	Sprint
System ID	4376

E727NV SPCS, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725
PCB: REV 2 17018322, 009-9

>ati
Manufacturer: NOVATEL WIRELESS INCORPORATED
Model: E727 SPRINT
Revision: m6801B-RAPTOR65_S_HYBRID-131 [Sep 05 2008 12:00:00]
ESN: 0x5B??????
+GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS

Device Description	Novatel Wireless Modem
Manufacturer		Novatel Wireless Incorporated
Modem Model		E727 SPRINT
Revision		131
ESN			5B??????		91/10??????
Firmware Version	131
User Name		shrek7?????@SPP0??.dl.sprintpcs.com
Phone Number		908???????
Home Carrier Name
Home Carrier ID		0
Prl version		50413
Imsi			908???????



E727NV WN2, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725
PCB: REV 2 17018322, 106-9

>ati
Manufacturer: NOVATEL WIRELESS INCORPORATED
Model: E727 SPRINT
Revision: m6801B-RAPTOR65_S_HYBRID-132 [Mar 25 2009 12:00:00]
ESN: 0x5B??????
+GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS

Device Description	Novatel Wireless Modem #2
Manufacturer		Novatel Wireless Incorporated
Modem Model		E727 SPRINT
Revision		132
ESN			5B??????		91/11??????
Technology		CDMA
Firmware Version	132
User Name		whnet2?????@SPP3??.dl.sprintpcs.com
Phone Number		586???????
Home Carrier Name
Home Carrier ID		0
Prl version		50428
Imsi			586???????


AT&V (under Windows driver)
&C: 2; &D: 2; &F: 0; E: 1; L: 0; M: 0; Q: 0; V: 1; X: 0; Z: 0; S0: 0;
S3: 13; S4: 10; S5: 8; S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95;
+FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6;
+CDR: 0; +CDS: 0,1,2048,6; +CFC: 0; +CFG: ""; +CMUX: C,2; +CQD: 10;
+CRC: 0; +CRM: 2; +CTA: 60; +CXT: 0; +EB: 1,0,30; +EFCS: 1; +ER: 0;
+ES: 3,0,2; +ESR: 1; +ETBM: 1,1,20; +ILRR: 0; +MA: ; +MR: 0; +MS: ;
+MV18R: 0; +MV18S: 0,0,0; +FAA: 0; +FAP: 0,0,0; +FBO: 0; +FBU: 0;
+FCQ: 1,0; +FCC: 0,1,0,0,0,0,0,0;  +FCR: 0; +FCT: 1E; +FEA: 0;
+FFC: 0,0,0,0; +FHS: 0; +FIE: 0; +FIP: 0; +FIS: 0,1,0,0,0,0,0,0;
+FLI: ""; +FLO: 1; +FLP: 0; +FMS: 0; +FNR: 0,0,0,0; +FNS: ""; +FPA: "";
+FPI: ""; +FPP: 0; +FPR: 8; +FPS: 1; +FPW: ""; +FRQ: 0,0; +FRY: 0;
+FSA: ""; +FSP: 0; +IOTA: 1; +OMADM: 1; +PRL: 1; +HFA: 0; +GPSNMEA: 1;
+GPSLOCATION: 1
looking at the Kindle WAN scripts, seems that connection setup is way more straightforward then the Anydata DTP-600W, which seems to require a firmware download. The 3.1 K3's 3G kernel module automatically detects the VID 1410, PID 8000 IDs, but makes no provision for selecting the correct modem type in PPP chat script.

Be aware that _all_ of this data is available to Amazon (regardless of how hacked up your device is), and should they choose to co-ordinate their server logs with Sprint they would immediately know what is going on. Hopefully they do not disapprove that I want to buy books on the beach where there is no ATT...

Last edited by khmann; 10-18-2011 at 10:31 PM.
khmann is offline   Reply With Quote
Old 08-09-2011, 10:42 PM   #2
khmann
Enthusiast
khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.
 
Posts: 43
Karma: 1658
Join Date: Jul 2011
Device: b006
blah blah blah... I talk to myself in webforum : ) k3-cdma works... stock K3 are able to detect and activate modem, bring up PPP connection, create route, etc. I have not tried to pass traffic; my unit is not in any position to communicate with Amazon right now... I'll try it on my GF's "unhacked" unit soon.

http://igor.chudov.com/manuals/AT_Co...lcomm_U300.pdf seems to mostly accurately reflect the Qualcomm commands.

modemcmd -v -c "AT\$QCMIPGETP", for example, spits out the EVDO profile like I got from the Sprint software. The following from my "non working" modem, included for example only...
Code:
[root@kindle root]# modemcmd -v -c "AT\$QCMIPGETP"
modemcmd 0.3.3 Copyright (C) 2008, 2009 Amazon Technologies, Inc.  All
rights reserved.
Profile:1 Enabled
NAI:shrek7?????@SPP0??.dl.sprintpcs.com
Home Addr:0.0.0.0
Primary HA:255.255.255.255
Secondary HA:68.28.18.18
MN-AAA SPI:1234
MN-HA SPI:1234
Rev Tun:1
MN-AAA SS:Set
MN-HA SS:Set
modemcmd -v -c "AT+CSS?" seems like the CDMA way to gather signal strength and connection status. Nonworking SPCS module gives me "?,Z,99999,0" which indicates "Mobile is not registered" or somesuch. With NV2 modem, registered, I see
[root@kindle root]# modemcmd -v -c "AT+CSS?"
1,PD,4376,6
OK

got NV2 to connect... the "wancontrol" script relies on variables in /var/local/wan/info to determine which modem module is in use. Remove /opt/wan/firstboot.done and /var/local/wan/info, reboot, and the file gets rebuilt. I neglected to save a copy of the stock file, but with the SPCS modem (which I can't get to connect… I wonder if it is not really a Kindle modem or the account is blacklisted)
Code:
WAN_INFO_VERSION=4
WAN_TYPE=1
WAN_PROVIDER=1
WAN_CARRIER=1
WAN_PEER=1
WAN_FW_VERSION=m6801B-RAPTOR65_S_HYBRID-131
WAN_INFO_UID=0101
With the NV2
Code:
WAN_INFO_VERSION=4
WAN_TYPE=1
WAN_PROVIDER=2
WAN_CARRIER=1
WAN_PEER=2
WAN_FW_VERSION=m6801B-RAPTOR65_S_HYBRID-132
WAN_INFO_UID=0201
peers are defined under /etc/ppp, I added -v to the chat line to make it more talkie.

For some reason I had to send an AT&F before "wancontrol pppstart" would work for me, but it might just be a software problem on my part - previously I was getting a failure "NO CARRIER".

syslog:
Code:
info 100731:002635 system: I wancontrol:pc:processing "pppstart"
notice 100731:002635 pppd[5425]: pppd 2.4.4 started by root, uid 0
info 100731:002636 chat[5429]: timeout set to 60 seconds
info 100731:002636 chat[5429]: abort on (BUSY)
info 100731:002636 chat[5429]: abort on (ERROR)
info 100731:002636 chat[5429]: abort on (NO ANSWER)
info 100731:002636 chat[5429]: abort on (NO CARRIER)
info 100731:002636 chat[5429]: send (ATZ^M)
info 100731:002636 chat[5429]: expect (OK)
info 100731:002636 chat[5429]: ^M
info 100731:002636 chat[5429]: OK
info 100731:002636 chat[5429]:  -- got it
info 100731:002636 chat[5429]: send (ATE0V1^M)
info 100731:002636 chat[5429]: expect (OK)
info 100731:002636 chat[5429]: ^M
info 100731:002636 chat[5429]: ATE0V1^M^M
info 100731:002636 chat[5429]: OK
info 100731:002636 chat[5429]:  -- got it
info 100731:002636 chat[5429]: send (ATD#777^M)
info 100731:002636 chat[5429]: expect (CONNECT)
info 100731:002636 chat[5429]: ^M
info 100731:002637 chat[5429]: ^M
info 100731:002637 chat[5429]: CONNECT
info 100731:002637 chat[5429]:  -- got it
info 100731:002637 chat[5429]: send (^M)
info 100731:002637 pppd[5425]: Serial connection established.
info 100731:002637 pppd[5425]: Using interface ppp0
notice 100731:002637 pppd[5425]: Connect: ppp0 <--> /dev/tts/USB0
info 100731:002638 PPP Deflate Compression module registered
It is interesting the Sprint seems to support compression; this would tend to make things faster and reduce wireless bandwidth usage. This has the side effect of making it IMMEDIATELY obvious if you attempt to connect using a Windows or Mac. According to the scripts, this compression is explicitly disabled for GSM.

Code:
notice 100731:002638 pppd[5425]: local  IP address xxx.xxx.xxx.xxx
notice 100731:002638 pppd[5425]: remote IP address xxx.xxx.69.241
notice 100731:002639 lipc-get-prop[5471]: I lipc:gip:prop=shouldRoute,
source=com.lab126.wan:Get int property
info 100731:002639 system: I ip-up:def:PPP interface up ppp0
/dev/tts/USB0 230400 xxx.xxx.xxx.xxx xxx.xxx.69.241

[root@kindle root]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
xx.xx.69.241    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
207.171.165.149 xx.xx.69.241    255.255.255.255 UGH       0 0          0 ppp0
207.171.165.150 xx.xx.69.241    255.255.255.255 UGH       0 0          0 ppp0
10.xx.xx.0      0.0.0.0         255.255.255.0   U         0 0          0 wlan0
0.0.0.0         10.xx.xx.1      0.0.0.0         UG        0 0          0 wlan0
We see here that specific, static routes to Amazon get created; perhaps these are because of DNS. A default route was not created, probably because my wifi was active.

Last edited by khmann; 08-09-2011 at 11:07 PM.
khmann is offline   Reply With Quote
Old 10-19-2011, 02:34 PM   #3
khmann
Enthusiast
khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.
 
Posts: 43
Karma: 1658
Join Date: Jul 2011
Device: b006
k3cdma works almost out of the box. Nothing above matters. Clean install of OS3.1 with just a jailbreak, /usr/sbin/wand is responsible to activate the 3G, but stock k3 doesn't include the modules - check "Kindle Update" on isohunt. Put the modules in, reboot, golden.
Attached Thumbnails
Click image for larger version

Name:	_k3cdma1.jpg
Views:	485
Size:	58.9 KB
ID:	77980  

Last edited by khmann; 10-19-2011 at 11:46 PM.
khmann is offline   Reply With Quote
Old 10-19-2011, 10:40 PM   #4
p373
Junior Member
p373 began at the beginning.
 
Posts: 2
Karma: 10
Join Date: Oct 2011
Device: gnu
Quote:
Originally Posted by khmann View Post
k3cdma works. Put the modules in, reboot, golden.
Your words don't make any sense. Pay $50 extra for working 3G Kindle then void warranty and spend extra $20 for unsupported 3G card from ebay?! Wow, really?
Attached Files
File Type: bz2 wanpatch.tar.bz2 (141.1 KB, 237 views)

Last edited by p373; 10-20-2011 at 07:51 PM. Reason: attached wan script
p373 is offline   Reply With Quote
Old 10-19-2011, 11:30 PM   #5
khmann
Enthusiast
khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.khmann once ate a cherry pie in a record 7 seconds.
 
Posts: 43
Karma: 1658
Join Date: Jul 2011
Device: b006
true, something like that. My girlfriend laughed at me also.

1. GPS works, not really useful
2. Significantly better coverage in my place
3. IMSI better than ereader ; )
4. Easier to retrofit to non-3G kindles because only 4 USB wires needed, no SIM holder...

/usr/sbin/wand ac317b1e9aa1ead67923165b88ec590e

At startup a generic USB serial kernel module is loaded, wand examines the port and determines modem type. wand loads wan library with management functions (connect, signal strength. statistics. diagnostics, etc.). These are /usr/lib/... since they are linked against wand they are only useful on working Kindle.

libwan_module.0101.so -> libdmd_module.so.0.1 71472bc04847870de52ec9a78b530ea9
libwan_module.0201.so -> libe725_module.so.0.1 5bfc465b12c668882fa9e924565ee042
libwan_module.0302.so -> libe860_module.so.0.1 debd142629865f88db4e9fdd23516aac
libwan_module.0303.so -> libdtp_module.so.0.1 ce7b7b42bcb870a63ce222f0f52cc9cc
libwan_module.0403.so -> libdtp_module.so

0403 is the AnyData module in the latest K3 3G, and the only library included "anymore".
khmann is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump


All times are GMT -4. The time now is 12:36 AM.


MobileRead.com is a privately owned, operated and funded community.