ZTE MF628

alvieboy · Post by **alvieboy** » 25 Jul 2008, 20:31

Just got a brand new MF628 and captured the modeswitch command from the windows driver. Using the MF628 to post.

Cheers,

Álvaro

Code: Select all

########################################################
# ZTE MF628 
#
# Captured with "usbmon". Has a micro SD slot.
#
# Contributor: Alvaro Lopes <alvieboy at alvie dot com>

DefaultVendor=0x19d2
DefaultProduct=0x2000

TargetVendor=0x19d2
TargetProduct=0x0015

MessageEndpoint=0x08
MessageContent="55534243f0408281000000000000061b000000030000000000000000000000"

alvieboy · Post by **alvieboy** » 26 Jul 2008, 18:56

Hi all (again),

The MF628 I have also includes a SD slot, however a modeswitch is also needed to access it.

Here's a simple script to do that. I think you cannot use the modem AND the SD card at same time. I'll investigate if I can switch to modem from SD mode (right now you'll have to replug the device).

Code: Select all

#!/bin/sh

usb_modeswitch -v 0x19d2 -p 0x2000 -m 8 \
-V 0x05c6 -P 2001 -n 1 -r 7 \
-M \
"55534243786574812000000080000a86010101180101010101000000000000"

vendis · Post by **vendis** » 17 Sep 2008, 09:06

I have a MF628+ and I cannot make it to switch, I was wondering if there are two models (628 and 628+) or if Im just doing something really wrong..

Any hints?

joke_dst · Post by **joke_dst** » 19 Sep 2008, 10:54

I tried it as well, with a MF628+ (Telia Sweden branded), didn't work. I tried a set of other codes as well (the MF622 and MF620).

When I have time I'm going to sniff it myself, but it'll have to wait a week ot two.

If anyone else feels like sniffing it, post the log here and I'll see what I can do.

(or mail it to me, jokedst at that gmail place)

joke_dst · Post by **joke_dst** » 09 Oct 2008, 13:19

Ok, I managed to get the MF628+ to switch, using this:

usb_modeswitch -v 0x19d2 -p 0x2000 -m 1 -M "5553424308403c862000000080000c85010101180101010101000000000000"

It goes from 0x19d2/0x2000 to 0x19d2/0x0031

I'm using a a branded modem from the operator "Telia" in Sweden.

jurrieovergoor · Post by **jurrieovergoor** » 14 Jul 2009, 20:48

Hello everyone,

I just bought a ZTE MF628 (at least, that's what is reads on the sticker on the back). It's supplied by KPN here in The Netherlands. I had some trouble flipping the device, but after some fiddling I came up with multiple ways. I thought I'd post them here for reference. The funny thing is... some flipping commands work almost instantly, while others take up to 60 seconds to make the device switch.

These work almost instantly (20 seconds max):

Code: Select all

sudo ./usb_modeswitch --default-vendor 0x19d2 --default-product 0x2000 --message-content 55534243f8f993882000000080000a85010101180101010101000000000000 
sudo ./usb_modeswitch --default-vendor 0x19d2 --default-product 0x2000 --message-content 5553424312345678000000000000061b000000030000000000000000000000 
sudo ./usb_modeswitch --default-vendor 0x19d2 --default-product 0x2000 --message-content 55534243123456782000000080000c85010101180101010101000000000000

These work in about 60 seconds:

Code: Select all

sudo ./usb_modeswitch --default-vendor 0x19d2 --default-product 0x2000 --detach-only
sudo ./usb_modeswitch --default-vendor 0x19d2 --default-product 0x2000 --message-content 55534243123456780000000000000600000000000000000000000000000000 
sudo ./usb_modeswitch --default-vendor 0x19d2 --default-product 0x2000 --message-content 55534243123456782000000080000a86010101180101010101000000000000

The device starts out with vendor 0x19d2 and product 0x2000. When flipped, it has vendor 0x19d2 (didn't change) and product 0x0015.

I use Ubuntu Jaunty (kernel 2.6.28-13) and usb_modeswitch 1.0.2-1.

With kind regards,

Jurrie

Post by **Josh** » 29 Jul 2009, 00:48

Sorry for the late answer!

This is a very valuable analysis: there are probably less differences between ZTE models than we thought. I suspect these commands all work on several different models.

Thanks indeed!

alvieboy · Post by **alvieboy** » 21 Aug 2009, 13:49

I use this one for a long time now and works perfectly:

DefaultVendor=0x19d2
DefaultProduct=0x2000
TargetVendor=0x19d2
TargetProduct=0x0015
MessageEndpoint=0x08
MessageContent="55534243f0408281000000000000061b000000030000000000000000000000"

I captured that message using a Windows XP VM and software that came with the modem.

ATI response (IMEI removed):

Manufacturer: ZTE INCORPORATED
Model: MF628
Revision: BD_TMNP671M5V1.0.0B04 BD_TMNP671M5V1.0.0B04 1 [Mar 07 2008 11:00:00]
IMEI: XXXXXXXXXXXXX
+GCAP: +CGSM,+DS,+ES

DNL-dirk · Post by **DNL-dirk** » 14 Sep 2009, 21:31

I have a ZTE MF 628 with a "Hi Vandaag Online" abonnement in the Netherlands.
When trying to get the response of usb_modeswitch that the others could supply the processing stops after
"OK, driver "usbfs" detached" (see below).
The program does not return (CTRL-C stops it) and nothing else happens.
Already the lsusb gives me less details than others apparently get (see also below).

Does anyone know what could be wrong?

My configurations: EEEPC 900A as well as Dell Inspiron 9400 with Ubunto 9.04 and usb_modeswitch 1.02 (see listing), Network manager WICD.

Thanks for any help.

One question came up when reading this thread and trying all the proposed codes/messages: Could it be that a user or system specific code is generated => each 628 has its own message to be sent? (sorry if this should be a stupid question - I know just about nothing about those modems and their protocols).

lsusb
...
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 005: ID 19d2:2000
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
...

usb_modeswitch -v 19d2 -p 2000 -W

* usb_modeswitch: tool for controlling "flip flop" mode USB devices
* Version 1.0.2 (C) Josua Dietze 2009
* Works with libusb 0.1.12 and probably other versions

Taking all parameters from the command line

DefaultVendor= 0x19d2
DefaultProduct= 0x2000
TargetVendor= not set
TargetProduct= not set
TargetClass= not set

DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
MessageEndpoint= not set
MessageContent= not set
NeedResponse=0
ResponseEndpoint= not set
Interface=0x00

InquireDevice enabled (default)
Success check disabled

usb_set_debug: Setting debugging level to 15 (on)
usb_os_find_busses: Found 001
usb_os_find_busses: Found 005
usb_os_find_busses: Found 004
usb_os_find_busses: Found 003
usb_os_find_busses: Found 002
usb_os_find_devices: Found 005 on 001
skipped 1 class/vendor specific interface descriptors
usb_os_find_devices: Found 004 on 001
skipped 1 class/vendor specific interface descriptors
skipped 1 class/vendor specific interface descriptors
usb_os_find_devices: Found 003 on 001
usb_os_find_devices: Found 002 on 001
usb_os_find_devices: Found 001 on 001
error obtaining child information: Inappropriate ioctl for device
error obtaining child information: Inappropriate ioctl for device
usb_os_find_devices: Found 001 on 005
usb_os_find_devices: Found 001 on 004
usb_os_find_devices: Found 005 on 003
usb_os_find_devices: Found 001 on 003
error obtaining child information: Inappropriate ioctl for device
usb_os_find_devices: Found 001 on 002

Looking for default devices ...
Found default devices (1)
Accessing device 005 on bus 003 ...
Using endpoints 0x08 (out) and 0x87 (in)
Inquiring device details; driver will be detached ...
Looking for active driver ...
OK, driver found ("usbfs")
OK, driver "usbfs" detached

*** here the program hangs

alvieboy · Post by **alvieboy** » 14 Sep 2009, 21:55

OK, driver found ("usbfs")
OK, driver "usbfs" detached

Now this is not usual. It should be tied to usb-storage, not usbfs.

Does it appear like a CDROM on your system before the switch ?

Can you also post a "lsusb -v" of the relevant parts (ie, your device only) ?

Álvaro

DNL-dirk · Post by **DNL-dirk** » 15 Sep 2009, 15:51

In my Pupeee Linux it had the symbol of a CD drive ... (but there I do not have lsusb).

Ubuntu: 9-04, Kernel 2.6.28-15, (WICD, usb_modeswitch installed)
When I insert it before booting then the system hangs somewhere during the boot (early). (Same in Windows XP, but this hangs at the very end of the boot process)
So I plug it in after booting. Then Ubuntu does not show it. No USB Stick nor CD drive ...

I am not sure whether it worked when I first attached it. Anyways now it does not work on both of my Ubuntu 9-04 computers.

Code: Select all

lsusb -v -s 003:003

Bus 003 Device 003: ID 19d2:2000  
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x19d2 
  idProduct          0x2000 
  bcdDevice            0.00
  iManufacturer           1 
  iProduct                2 
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           32
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk (Zip)
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x87  EP 7 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x08  EP 8 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
cannot read device status, Connection timed out (110)

****
Then another test:
"virgin" Ubuntu 8-04, Kernel 2.6.24-24

boot, then put Stick (with SD card) in USB =>
- first there is a CD drive symbol for a moment
- after a while a nautilus file listing opens (the manuals part, if I remember right)
- I close this (no unmount)
- by that time the CD drive symbol is replaced by a "Hi" symbol

Check with lsusb:

Code: Select all

Bus 002 Device 003: ID 19d2:2000  
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x19d2 
  idProduct          0x2000 
  bcdDevice            0.00
  iManufacturer           1 Qualcomm, Incorporated
  iProduct                2 USB ZTE Storage
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           32
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk (Zip)
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x87  EP 7 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x08  EP 8 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
Device Status:     0x0000
  (Bus Powered)

- Hi symbol gone (not sure when exactly that happened)
- surprisingly two file windows open (one for manuals, one for SD card) automatically
- I close them and unmount them

re-check with lsusb => new device with new ID:

Code: Select all

Bus 002 Device 005: ID 19d2:0015  
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x19d2 
  idProduct          0x0015 
  bcdDevice            0.00
  iManufacturer           1 Qualcomm, Incorporated
  iProduct                2 ZTE CDMA Technologies MSM
  iSerial                 3 Data Interface
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          108
    bNumInterfaces          4
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk (Zip)
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x87  EP 7 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x08  EP 8 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              3 Data Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0010  1x 16 bytes
        bInterval             128
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              3 Data Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              3 Data Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x86  EP 6 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x06  EP 6 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
Device Status:     0x0000
  (Bus Powered)

- note: "manuals" and SD card are still available in the file system but have no entry w.r.t. lsusb

last test: reboot 8-04 with 628 plugged in =>
- briefly "Hi" symbol, then gone
- two file windows open (one for manuals, one for SD card)
- lsusb: listed as 19d2-0015 !
So for some reason it is switched automatically to the right mode in Ubuntu 8-04 ?!

Long listing, hope this helps ...

ZTE MF628

SD interface

My MF628

MF 628, mostly no response