Untitled

3 Mobile Broadband Dongle - ZTE MF627 USB Modem

Hardware
========

Chip			Function
----			--------
MSM6246 		Main CPU
RTR6285 		3G Tranceiver with GPS
SAMSUNG K5D1258AC8-D075 Combination NAND flash and SDRAM, unknown size
7M5012 			Power amplifier (Quad-band GSM)
AVAGO ACPM-7381 	Power amplifier (UMTS 2100MHz)
PM6658 			Power controller

Operation
=========

Upon first connection the device appears as a USB storage CDROM device. This CD
contains the drivers for Windows and Linux. To switch the modem in to a normal
mode use usb_modeswitch package with the following config:

--- begin switch-zte.conf ---
########################################################
# ZTE MF628+ (tested version from Telia / Sweden)
#
# Contributor: Joakim Wennergren
#
# Also applies to MF627 (Tested 3 UK) JF

DefaultVendor=  0x19d2
DefaultProduct= 0x2000

TargetVendor=   0x19d2
TargetProduct=  0x0031

MessageEndpoint=0x01
MessageContent="55534243123456782000000080000c85010101180101010101000000000000"
--- end switch-zte.conf ---

Then: sudo usb_modeswitch -c switch-zte.conf

It also may be possible to get the same result by sending a SCSI eject command.

Now the modem will reregister on USB. You should see three USB serial devices
and the USB storage will still appear. You should have:

/dev/ttyUSB0 	Diagnostic port
/dev/ttyUSB1	NMEA port (not really NMEA)
/dev/ttyUSB2	Modem port

Ports 1 and 2 respond to AT commands, port 0 is silent. Port 1 is called the
NMEA port by Windows driver but does not seem to really do NMEA - maybe it can
be enabled?

You can permanently disable the CD autorun mode with the AT+ZCDRUN=8 command.
Other things you can do with that command:

AT+ZCDRUN=4 	Query autorun state: 1=Open/On 0=Close/Off
AT+ZCDRUN=8 	Close autorun state (CD mode off)
AT+ZCDRUN=9 	Open autorun state (CD mode on)

AT+ZCDRUN=E	Enter download mode
AT+ZCDRUN=F	Exit download mode

When "AT+ZCDRUN=8" both modem and CD appear on USB. When in download mode, CD
device will never appear.

Other values output some version strings:

AT+ZCDRUN=A	3Connect 1.1.0 BL 62:3Connect 1.1.0 BL 62
AT+ZCDRUN=B	3Connect Version 2.5.3(86 r66):3Connect Version 2.5.3(86 r66)
AT+ZCDRUN=C	3UK_PC_LinuxUIV1.0.0B10:3UK_PC_LinuxUIV1.0.0B09
AT+ZCDRUN=D	3UK_UK_P673A4V1.0.0B08

Flashing
========

Firstly, flashing did not work for me. It fails at "skip to armprg.bin"
armprg.bin looks like a second stage flash program to be uploaded and run on
the modem.

When you run the FlashUpdater.exe the firmware files are extracted to:
C:\Program Files\Windows Service\MF626newversion

And this is what you get:

    Size  Name			What
    ----  ----			----
      40  amsshd.mbn		?
13809070  amss.mbn		Main firmware (ARM LSB ELF)
   81064  armprg.bin		Second stage flash tool
12141568  efs.mbn		Software install CD ISO + header
      40  oemsblhd.mbn		?
  211420  oemsbl.mbn		?
     464  partition.mbn		?
    1337  qcsblhd_cfgdata.mbn	?
   45211  qcsbl.mbn		?
   61440  ResetUSB.dll		Used to force reenumeration of device

Disassembly
===========

The top of the case (with "3" printed on it) is attached to the green part by
two screws at the end nearest the USB connector. To open, go in by the memory
card slot and unclip the far end of the top casing. Go around and carefully
unclip all the clips but the top won't come off yet because of the screws.
The plastic SIM card punch-out is useful for this.

Now you have the top part-way off, look at the far end, and find the large black
clip holding the bottom black casing on. Lever it with a screw driver to open
up a crack and then unclip all around with the credit card.

Once the bottom case is off you will see the screws. Undo those and the top will
come off.

Test Points
===========

With the case off you should see some test points near the USB connector:

A B C D E F G H I
O O O O O O O O O
    J  K L  M
    o  o o  o
        N
        o
    O P Q R S
    o o o o o
   \_________/
    |       |
    | || || |
    |_______|

Readings:
--------
A GND
B 0v
C 0v
D 2.53v
E 2.53v
F 2.53v
G 0v
H 2.6v - resets device if shorted/pulled low
I GND

J 4.8v
K 0v
L 0v
M 0v

N GND

O 3.88v
P 3.88v
Q 0v
R 0v
S 0.22v

AT Commands
===========

AT+CLAC outputs this list:

&C
&D
&E
&F
&S
&V
&W
E
I
L
M
Q
V
X
Z
T
P
\Q
\S
\V
%V
D
A
H
O
S0
S2
S3
S4
S5
S6
S7
S8
S9
S10
S11
S30
S103
S104
+FCLASS
+ICF
+IFC
+IPR
+GMI
+GMM
+GMR
+GCAP
+GSN
+DR
+DS
+WS46
+CBST
+CRLP
+CV120
+CHSN
+CSSN
+CREG
+CGREG
+CFUN
+GCAP
+CSCS
+CSTA
+CR
+CEER
+CRC
+CMEE
+CGDCONT
+CGDSCONT
+CGTFT
+CGEQREQ
+CGEQMIN
+CGQREQ
+CGQMIN
+CGEREP
+CGPADDR
+CGDATA
+CGCLASS
+CGSMS
+CSMS
+CMGF
+CSAS
+CRES
+CSCA
+CSMP
+CSDH
+CSCB
+FDD
+FAR
+FCL
+FIT
+ES
+ESA
+CMOD
+CVHU
+CSQ
+ZRSSI
+CBC
+CPAS
+CPIN
+CMEC
+CKPD
+CGATT
+CGACT
+CGCMOD
+CPBS
+CPBR
+ZCPBR
+ZUSIM
+CPBF
+CPBW
+ZCPBW
+CPMS
+CNMI
+CMGL
+CMGR
+CMGS
+CMSS
+CMGW
+CMGD
+CMGC
+CNMA
+CMMS
+CHUP
+CCFC
+CCUG
+COPS
+CLCK
+CPWD
+CUSD
+CAOC
+CACM
+CAMM
+CPUC
+CCWA
+CHLD
+CIMI
+CGMI
+CGMM
+CGMR
+CGSN
+CNUM
+CSIM
+CRSM
+CCLK
+CLVL
+CMUT
+CLCC
+COPN
+CPOL
+CPLS
+CTZR
+CTZU
+CLAC
+CLIP
+COLP
+CDIP
+CTFR
+CLIR
$QCSIMSTAT
$QCCNMI
$QCCLR
$QCDMG
$QCDMR
$QCDNSP
$QCDNSS
$QCTER
$QCSLOT
$QCPINSTAT
$QCPDPP
$QCPDPLT
$QCPWRDN
$QCDGEN
$BREW
$QCSYSMODE

Grepping the firmware amms.mbn shows these commands:

+ZDON
+ZSNT
+ZPINPUK
+ZBANDI
+ZSTOPT
+ZSTART
+ZPAS
+ZSMSD
+ZNVR
+ZINFO
+ZDIAG
+ZCDRUN
+ZVN
+ZOPRT
+ZCIN
+ZSPD
+ZPCB
+ZSNT
+ZRST
+CLVL
+CMUT
+VTS
+ZDET
+CMVL
+ZECC
+ZSTM
+ZSELI
+ZSELM
{o
+ZBK
up
+ZINPR
+ZINKR
Wr
+ZDISTR
+ZSEC
+ZNCK
(0,1)
SM
DC
FD
LD
MC
ME
RC
EN
ON
(3)
(72,73,74,96,97,98)
IP
PPP
IPV6
("IP","PPP","IPV6")
&+
+CSQ
+ZRSSI
+CBC
+CPAS
+CPIN
`*
X*
+CMEC
x@
+CKPD
P+
D+
+CGATT
,*
 D
+CGACT
8*
#D
+CGCMOD
[,D
+CPBS
t<
+CPBR
+ZCPBR
+ZUSIM
+CPBF
+CPBW
+ZCPBW
+CPMS
x<
+CNMI
+CMGL
+CMGR
+CMGS
+CMSS
+CMGW
+CMGD
+CMGC
+CNMA
+CMMS
+FTS
l=
+FRS
p=
+FTH
t=
+FRH
x=
+FTM
|=
+FRM
p(
+CHUP
{C
+CCFC
"!
p*
+CCUG