k3CDMA

khmann · 08-07-2011, 10:50 PM

EDIT 10/18/11: This totally works. If you just want the "HOWTO", ignore these first two posts; I tend to babble online in web forums... kind of a "stream of consciousness" thing - and I like to get my Google keywords out there. Skip to the 3rd post for the nuts and bolts.
------------------------

OK... so for some reason I feel compelled to convert my Kindle 3 from AT&T GSM to Sprint CDMA. This is not about TOS (Theft of Service) which I absolutely do not condone, but better reception and the K2's embedded GPS.

So, I got a couple K2 CDMA cards... Novatel E727NV SPCS I believe is K2 US Wireless B002 - EVDO Rev0 and E727NV NW2 from Kindle DX is RevA. I have played with a number of GSM modems; these units are very unfriendly and Novatel provides no documentation. I gathered the following primarily through the Sprint SmartView software with the card in a WinXP. In my free time I might try to install a serial port sniffing shim and see how the Sprint software gathers this information, but I am wary of killing another card (see below)

I would like to caution against the idea that these units could be used in non-Kindle devices for arbitrary access... I had some success establishing a Kindle connection using AT commands, but made the mistake of clicking the "Connect" button to bring up a connection from Windows... "Connection Failed" and no longer performs with AT commands

GSM operators often control access in M2M (Machine 2 Machine) environments using a service-specific APN to which SIM cards are granted access. In CDMA, authentication seems to be username/password paired to ESN, all stored in the radio. Either way, access is tied to a specific profile is likely monitored for abnormalities to "protect revenue". In GSM, they can nuke your SIM and blacklist your IMEI. The CDMA equiv would be to disable your username/password and blacklist the ESN. Mobile operators are very adept at network monitoring... subtle differences in PPP implementation, combined with a knowledge of "allowed applications" on the platform; where DNS should be going, TCP ports in use, and volume of data transferred, etc. can trigger an alarm resulting in a permanent block. Don't waste your money trying to steal...

Anyway, I gathered the following info:

Code:

Network Name	Sprint
System ID	4376

E727NV SPCS, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725
PCB: REV 2 17018322, 009-9

>ati
Manufacturer: NOVATEL WIRELESS INCORPORATED
Model: E727 SPRINT
Revision: m6801B-RAPTOR65_S_HYBRID-131 [Sep 05 2008 12:00:00]
ESN: 0x5B??????
+GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS

Device Description	Novatel Wireless Modem
Manufacturer		Novatel Wireless Incorporated
Modem Model		E727 SPRINT
Revision		131
ESN			5B??????		91/10??????
Firmware Version	131
User Name		shrek7?????@SPP0??.dl.sprintpcs.com
Phone Number		908???????
Home Carrier Name
Home Carrier ID		0
Prl version		50413
Imsi			908???????



E727NV WN2, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725
PCB: REV 2 17018322, 106-9

>ati
Manufacturer: NOVATEL WIRELESS INCORPORATED
Model: E727 SPRINT
Revision: m6801B-RAPTOR65_S_HYBRID-132 [Mar 25 2009 12:00:00]
ESN: 0x5B??????
+GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS

Device Description	Novatel Wireless Modem #2
Manufacturer		Novatel Wireless Incorporated
Modem Model		E727 SPRINT
Revision		132
ESN			5B??????		91/11??????
Technology		CDMA
Firmware Version	132
User Name		whnet2?????@SPP3??.dl.sprintpcs.com
Phone Number		586???????
Home Carrier Name
Home Carrier ID		0
Prl version		50428
Imsi			586???????


AT&V (under Windows driver)
&C: 2; &D: 2; &F: 0; E: 1; L: 0; M: 0; Q: 0; V: 1; X: 0; Z: 0; S0: 0;
S3: 13; S4: 10; S5: 8; S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95;
+FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6;
+CDR: 0; +CDS: 0,1,2048,6; +CFC: 0; +CFG: ""; +CMUX: C,2; +CQD: 10;
+CRC: 0; +CRM: 2; +CTA: 60; +CXT: 0; +EB: 1,0,30; +EFCS: 1; +ER: 0;
+ES: 3,0,2; +ESR: 1; +ETBM: 1,1,20; +ILRR: 0; +MA: ; +MR: 0; +MS: ;
+MV18R: 0; +MV18S: 0,0,0; +FAA: 0; +FAP: 0,0,0; +FBO: 0; +FBU: 0;
+FCQ: 1,0; +FCC: 0,1,0,0,0,0,0,0;  +FCR: 0; +FCT: 1E; +FEA: 0;
+FFC: 0,0,0,0; +FHS: 0; +FIE: 0; +FIP: 0; +FIS: 0,1,0,0,0,0,0,0;
+FLI: ""; +FLO: 1; +FLP: 0; +FMS: 0; +FNR: 0,0,0,0; +FNS: ""; +FPA: "";
+FPI: ""; +FPP: 0; +FPR: 8; +FPS: 1; +FPW: ""; +FRQ: 0,0; +FRY: 0;
+FSA: ""; +FSP: 0; +IOTA: 1; +OMADM: 1; +PRL: 1; +HFA: 0; +GPSNMEA: 1;
+GPSLOCATION: 1

looking at the Kindle WAN scripts, seems that connection setup is way more straightforward then the Anydata DTP-600W, which seems to require a firmware download. The 3.1 K3's 3G kernel module automatically detects the VID 1410, PID 8000 IDs, but makes no provision for selecting the correct modem type in PPP chat script.

Be aware that _all_ of this data is available to Amazon (regardless of how hacked up your device is), and should they choose to co-ordinate their server logs with Sprint they would immediately know what is going on. Hopefully they do not disapprove that I want to buy books on the beach where there is no ATT...

khmann · 08-09-2011, 10:42 PM

blah blah blah... I talk to myself in webforum : ) k3-cdma works... stock K3 are able to detect and activate modem, bring up PPP connection, create route, etc. I have not tried to pass traffic; my unit is not in any position to communicate with Amazon right now... I'll try it on my GF's "unhacked" unit soon.

http://igor.chudov.com/manuals/AT_Co...lcomm_U300.pdf seems to mostly accurately reflect the Qualcomm commands.

modemcmd -v -c "AT\$QCMIPGETP", for example, spits out the EVDO profile like I got from the Sprint software. The following from my "non working" modem, included for example only...

Code:

[root@kindle root]# modemcmd -v -c "AT\$QCMIPGETP"
modemcmd 0.3.3 Copyright (C) 2008, 2009 Amazon Technologies, Inc.  All
rights reserved.
Profile:1 Enabled
NAI:shrek7?????@SPP0??.dl.sprintpcs.com
Home Addr:0.0.0.0
Primary HA:255.255.255.255
Secondary HA:68.28.18.18
MN-AAA SPI:1234
MN-HA SPI:1234
Rev Tun:1
MN-AAA SS:Set
MN-HA SS:Set

modemcmd -v -c "AT+CSS?" seems like the CDMA way to gather signal strength and connection status. Nonworking SPCS module gives me "?,Z,99999,0" which indicates "Mobile is not registered" or somesuch. With NV2 modem, registered, I see
[root@kindle root]# modemcmd -v -c "AT+CSS?"
1,PD,4376,6
OK

got NV2 to connect... the "wancontrol" script relies on variables in /var/local/wan/info to determine which modem module is in use. Remove /opt/wan/firstboot.done and /var/local/wan/info, reboot, and the file gets rebuilt. I neglected to save a copy of the stock file, but with the SPCS modem (which I can't get to connect… I wonder if it is not really a Kindle modem or the account is blacklisted)

Code:

WAN_INFO_VERSION=4
WAN_TYPE=1
WAN_PROVIDER=1
WAN_CARRIER=1
WAN_PEER=1
WAN_FW_VERSION=m6801B-RAPTOR65_S_HYBRID-131
WAN_INFO_UID=0101

With the NV2

Code:

WAN_INFO_VERSION=4
WAN_TYPE=1
WAN_PROVIDER=2
WAN_CARRIER=1
WAN_PEER=2
WAN_FW_VERSION=m6801B-RAPTOR65_S_HYBRID-132
WAN_INFO_UID=0201

peers are defined under /etc/ppp, I added -v to the chat line to make it more talkie.

For some reason I had to send an AT&F before "wancontrol pppstart" would work for me, but it might just be a software problem on my part - previously I was getting a failure "NO CARRIER".

syslog:

Code:

info 100731:002635 system: I wancontrol:pc:processing "pppstart"
notice 100731:002635 pppd[5425]: pppd 2.4.4 started by root, uid 0
info 100731:002636 chat[5429]: timeout set to 60 seconds
info 100731:002636 chat[5429]: abort on (BUSY)
info 100731:002636 chat[5429]: abort on (ERROR)
info 100731:002636 chat[5429]: abort on (NO ANSWER)
info 100731:002636 chat[5429]: abort on (NO CARRIER)
info 100731:002636 chat[5429]: send (ATZ^M)
info 100731:002636 chat[5429]: expect (OK)
info 100731:002636 chat[5429]: ^M
info 100731:002636 chat[5429]: OK
info 100731:002636 chat[5429]:  -- got it
info 100731:002636 chat[5429]: send (ATE0V1^M)
info 100731:002636 chat[5429]: expect (OK)
info 100731:002636 chat[5429]: ^M
info 100731:002636 chat[5429]: ATE0V1^M^M
info 100731:002636 chat[5429]: OK
info 100731:002636 chat[5429]:  -- got it
info 100731:002636 chat[5429]: send (ATD#777^M)
info 100731:002636 chat[5429]: expect (CONNECT)
info 100731:002636 chat[5429]: ^M
info 100731:002637 chat[5429]: ^M
info 100731:002637 chat[5429]: CONNECT
info 100731:002637 chat[5429]:  -- got it
info 100731:002637 chat[5429]: send (^M)
info 100731:002637 pppd[5425]: Serial connection established.
info 100731:002637 pppd[5425]: Using interface ppp0
notice 100731:002637 pppd[5425]: Connect: ppp0 <--> /dev/tts/USB0
info 100731:002638 PPP Deflate Compression module registered

It is interesting the Sprint seems to support compression; this would tend to make things faster and reduce wireless bandwidth usage. This has the side effect of making it IMMEDIATELY obvious if you attempt to connect using a Windows or Mac. According to the scripts, this compression is explicitly disabled for GSM.

Code:

notice 100731:002638 pppd[5425]: local  IP address xxx.xxx.xxx.xxx
notice 100731:002638 pppd[5425]: remote IP address xxx.xxx.69.241
notice 100731:002639 lipc-get-prop[5471]: I lipc:gip:prop=shouldRoute,
source=com.lab126.wan:Get int property
info 100731:002639 system: I ip-up:def:PPP interface up ppp0
/dev/tts/USB0 230400 xxx.xxx.xxx.xxx xxx.xxx.69.241

[root@kindle root]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
xx.xx.69.241    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
207.171.165.149 xx.xx.69.241    255.255.255.255 UGH       0 0          0 ppp0
207.171.165.150 xx.xx.69.241    255.255.255.255 UGH       0 0          0 ppp0
10.xx.xx.0      0.0.0.0         255.255.255.0   U         0 0          0 wlan0
0.0.0.0         10.xx.xx.1      0.0.0.0         UG        0 0          0 wlan0

We see here that specific, static routes to Amazon get created; perhaps these are because of DNS. A default route was not created, probably because my wifi was active.

khmann · 10-19-2011, 02:34 PM

k3cdma works almost out of the box. Nothing above matters. Clean install of OS3.1 with just a jailbreak, /usr/sbin/wand is responsible to activate the 3G, but stock k3 doesn't include the modules - check "Kindle Update" on isohunt. Put the modules in, reboot, golden.

p373 · 10-19-2011, 10:40 PM

Quote:

Originally Posted by khmann

k3cdma works. Put the modules in, reboot, golden.

Your words don't make any sense. Pay $50 extra for working 3G Kindle then void warranty and spend extra $20 for unsupported 3G card from ebay?! Wow, really?

khmann · 10-19-2011, 11:30 PM

true, something like that. My girlfriend laughed at me also.

1. GPS works, not really useful
2. Significantly better coverage in my place
3. IMSI better than ereader ; )
4. Easier to retrofit to non-3G kindles because only 4 USB wires needed, no SIM holder...

/usr/sbin/wand ac317b1e9aa1ead67923165b88ec590e

At startup a generic USB serial kernel module is loaded, wand examines the port and determines modem type. wand loads wan library with management functions (connect, signal strength. statistics. diagnostics, etc.). These are /usr/lib/... since they are linked against wand they are only useful on working Kindle.

libwan_module.0101.so -> libdmd_module.so.0.1 71472bc04847870de52ec9a78b530ea9
libwan_module.0201.so -> libe725_module.so.0.1 5bfc465b12c668882fa9e924565ee042
libwan_module.0302.so -> libe860_module.so.0.1 debd142629865f88db4e9fdd23516aac
libwan_module.0303.so -> libdtp_module.so.0.1 ce7b7b42bcb870a63ce222f0f52cc9cc
libwan_module.0403.so -> libdtp_module.so

0403 is the AnyData module in the latest K3 3G, and the only library included "anymore".

08-07-2011, 10:50 PM	#1
khmann Enthusiast Posts: 43 Karma: 1658 Join Date: Jul 2011 Device: b006	k3-CDMA EDIT 10/18/11: This totally works. If you just want the "HOWTO", ignore these first two posts; I tend to babble online in web forums... kind of a "stream of consciousness" thing - and I like to get my Google keywords out there. Skip to the 3rd post for the nuts and bolts. ------------------------ OK... so for some reason I feel compelled to convert my Kindle 3 from AT&T GSM to Sprint CDMA. This is not about TOS (Theft of Service) which I absolutely do not condone, but better reception and the K2's embedded GPS. So, I got a couple K2 CDMA cards... Novatel E727NV SPCS I believe is K2 US Wireless B002 - EVDO Rev0 and E727NV NW2 from Kindle DX is RevA. I have played with a number of GSM modems; these units are very unfriendly and Novatel provides no documentation. I gathered the following primarily through the Sprint SmartView software with the card in a WinXP. In my free time I might try to install a serial port sniffing shim and see how the Sprint software gathers this information, but I am wary of killing another card (see below) I would like to caution against the idea that these units could be used in non-Kindle devices for arbitrary access... I had some success establishing a Kindle connection using AT commands, but made the mistake of clicking the "Connect" button to bring up a connection from Windows... "Connection Failed" and no longer performs with AT commands GSM operators often control access in M2M (Machine 2 Machine) environments using a service-specific APN to which SIM cards are granted access. In CDMA, authentication seems to be username/password paired to ESN, all stored in the radio. Either way, access is tied to a specific profile is likely monitored for abnormalities to "protect revenue". In GSM, they can nuke your SIM and blacklist your IMEI. The CDMA equiv would be to disable your username/password and blacklist the ESN. Mobile operators are very adept at network monitoring... subtle differences in PPP implementation, combined with a knowledge of "allowed applications" on the platform; where DNS should be going, TCP ports in use, and volume of data transferred, etc. can trigger an alarm resulting in a permanent block. Don't waste your money trying to steal... Anyway, I gathered the following info: Code: Network Name Sprint System ID 4376 E727NV SPCS, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725 PCB: REV 2 17018322, 009-9 >ati Manufacturer: NOVATEL WIRELESS INCORPORATED Model: E727 SPRINT Revision: m6801B-RAPTOR65_S_HYBRID-131 [Sep 05 2008 12:00:00] ESN: 0x5B?????? +GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS Device Description Novatel Wireless Modem Manufacturer Novatel Wireless Incorporated Modem Model E727 SPRINT Revision 131 ESN 5B?????? 91/10?????? Firmware Version 131 User Name shrek7?????@SPP0??.dl.sprintpcs.com Phone Number 908??????? Home Carrier Name Home Carrier ID 0 Prl version 50413 Imsi 908??????? E727NV WN2, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725 PCB: REV 2 17018322, 106-9 >ati Manufacturer: NOVATEL WIRELESS INCORPORATED Model: E727 SPRINT Revision: m6801B-RAPTOR65_S_HYBRID-132 [Mar 25 2009 12:00:00] ESN: 0x5B?????? +GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS Device Description Novatel Wireless Modem #2 Manufacturer Novatel Wireless Incorporated Modem Model E727 SPRINT Revision 132 ESN 5B?????? 91/11?????? Technology CDMA Firmware Version 132 User Name whnet2?????@SPP3??.dl.sprintpcs.com Phone Number 586??????? Home Carrier Name Home Carrier ID 0 Prl version 50428 Imsi 586??????? AT&V (under Windows driver) &C: 2; &D: 2; &F: 0; E: 1; L: 0; M: 0; Q: 0; V: 1; X: 0; Z: 0; S0: 0; S3: 13; S4: 10; S5: 8; S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95; +FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6; +CDR: 0; +CDS: 0,1,2048,6; +CFC: 0; +CFG: ""; +CMUX: C,2; +CQD: 10; +CRC: 0; +CRM: 2; +CTA: 60; +CXT: 0; +EB: 1,0,30; +EFCS: 1; +ER: 0; +ES: 3,0,2; +ESR: 1; +ETBM: 1,1,20; +ILRR: 0; +MA: ; +MR: 0; +MS: ; +MV18R: 0; +MV18S: 0,0,0; +FAA: 0; +FAP: 0,0,0; +FBO: 0; +FBU: 0; +FCQ: 1,0; +FCC: 0,1,0,0,0,0,0,0; +FCR: 0; +FCT: 1E; +FEA: 0; +FFC: 0,0,0,0; +FHS: 0; +FIE: 0; +FIP: 0; +FIS: 0,1,0,0,0,0,0,0; +FLI: ""; +FLO: 1; +FLP: 0; +FMS: 0; +FNR: 0,0,0,0; +FNS: ""; +FPA: ""; +FPI: ""; +FPP: 0; +FPR: 8; +FPS: 1; +FPW: ""; +FRQ: 0,0; +FRY: 0; +FSA: ""; +FSP: 0; +IOTA: 1; +OMADM: 1; +PRL: 1; +HFA: 0; +GPSNMEA: 1; +GPSLOCATION: 1 looking at the Kindle WAN scripts, seems that connection setup is way more straightforward then the Anydata DTP-600W, which seems to require a firmware download. The 3.1 K3's 3G kernel module automatically detects the VID 1410, PID 8000 IDs, but makes no provision for selecting the correct modem type in PPP chat script. Be aware that _all_ of this data is available to Amazon (regardless of how hacked up your device is), and should they choose to co-ordinate their server logs with Sprint they would immediately know what is going on. Hopefully they do not disapprove that I want to buy books on the beach where there is no ATT... Last edited by khmann; 10-18-2011 at 10:31 PM.

10-19-2011, 02:34 PM	#3
khmann Enthusiast Posts: 43 Karma: 1658 Join Date: Jul 2011 Device: b006	k3cdma works almost out of the box. Nothing above matters. Clean install of OS3.1 with just a jailbreak, /usr/sbin/wand is responsible to activate the 3G, but stock k3 doesn't include the modules - check "Kindle Update" on isohunt. Put the modules in, reboot, golden. Attached Thumbnails Last edited by khmann; 10-19-2011 at 11:46 PM.

10-19-2011, 11:30 PM	#5
khmann Enthusiast Posts: 43 Karma: 1658 Join Date: Jul 2011 Device: b006	true, something like that. My girlfriend laughed at me also. 1. GPS works, not really useful 2. Significantly better coverage in my place 3. IMSI better than ereader ; ) 4. Easier to retrofit to non-3G kindles because only 4 USB wires needed, no SIM holder... /usr/sbin/wand ac317b1e9aa1ead67923165b88ec590e At startup a generic USB serial kernel module is loaded, wand examines the port and determines modem type. wand loads wan library with management functions (connect, signal strength. statistics. diagnostics, etc.). These are /usr/lib/... since they are linked against wand they are only useful on working Kindle. libwan_module.0101.so -> libdmd_module.so.0.1 71472bc04847870de52ec9a78b530ea9 libwan_module.0201.so -> libe725_module.so.0.1 5bfc465b12c668882fa9e924565ee042 libwan_module.0302.so -> libe860_module.so.0.1 debd142629865f88db4e9fdd23516aac libwan_module.0303.so -> libdtp_module.so.0.1 ce7b7b42bcb870a63ce222f0f52cc9cc libwan_module.0403.so -> libdtp_module.so 0403 is the AnyData module in the latest K3 3G, and the only library included "anymore".