I sincerely hope you succeed. If I see any way I can help out, I'll try my
best to do it.

Enrico


On Mon, 9 May 2022, Thilo-Alexander Ginkel wrote:

Date: Mon, 9 May 2022 20:13:43
From: Thilo-Alexander Ginkel <th...@ginkel.com>
To: Bjørn Mork <bj...@mork.no>
Cc: "ModemManager (development)" <modemmanager-devel@lists.freedesktop.org>,
    Aleksander Morgado <aleksan...@aleksander.es>
Subject: Re: Lenovo T99W175 / Foxconn SDX55 update on LVFS breaks FCC unlock

Hi Bjørn,

thanks for your reply! I don't think that the lenovo-wwan-dpr snap
implements the OTP unlocking mechanism.

Lenovo also just posted in their forum [1] that the new firmware
deliberately broke the unlock used by ModemManager. So that was
probably my last Lenovo laptop...

With regards to reversing the OTP mechanism: I made some first
attempts at decompiling / diffing the Windows driver using Ghidra, but
have to admit that I am not very experienced doing so and am somewhat
lost as to which driver file actually implements the unlocking.

Thanks,
Thilo

[1] https://forums.lenovo.com/t5/Other-Linux-Discussions/Finally-X55-5G-modem-works-under-linux/m-p/5082236?page=11#5639046


On Sun, May 1, 2022 at 6:31 PM Bjørn Mork <bj...@mork.no> wrote:

Bjørn Mork <bj...@mork.no> writes:

Wrt the implementation: Any protocol depending on closed binaries is
broken by design, without exception.  It doesn't matter whether you use
a "secret" algorithm or just store keys inside the binary. Anything that
was compiled can be decompiled.  Sure it can be obfuscated to make that
harder.  We all love a challenge :-)

And just let me prove that fact without even modifying one byte of the
code:

 root@miraculix:/tmp# cat /sys/class/dmi/id/product_family
 ThinkPad X1 Carbon 4th
 root@miraculix:/tmp# echo ThinkEdge > /tmp/product_family
 root@miraculix:/tmp# mount --bind /tmp/product_family /sys/class/dmi/id/product_family
 root@miraculix:/tmp# cat /sys/class/dmi/id/product_family
 ThinkEdge

And what do you think?  There goes the machine check....

 May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app started
 May  1 18:24:59 miraculix DPR_Fcc_unlock_service: get_product(): DT
 May  1 18:24:59 miraculix DPR_Fcc_unlock_service: MACHINE = [4] --- THINKEDGE_SE30 = [4]
 May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app exited

This doesn't work for me of course, only having the original EM7455
modem.  But I do note that the log output changed from -1 to 4, whatever
that means.  Previously:

 May  1 18:21:01 miraculix DPR_Fcc_unlock_service: MACHINE = [-1] --- THINKEDGE_SE30 = [4]

Something to try out on your X1E4, maybe?


Bjørn
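
The bind mount shown in Bjørn's message leaves a record in the mount table, so anything that relies on DMI strings can check for it. The following is an added example, not part of the thread and not code from ModemManager or Lenovo: it parses text in /proc/self/mountinfo format and reports mounts that shadow the DMI id files. The function names and the sample lines are constructed for illustration.

```python
# Added example: detect mounts that shadow the DMI identity files in sysfs.
# /sys/class/dmi/id is a symlink to the second path; both spellings are checked.
DMI_DIRS = ("/sys/class/dmi/id", "/sys/devices/virtual/dmi/id")

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
28 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
31 22 0:7 / /sys/kernel/security rw,nosuid,nodev,noexec shared:8 - securityfs securityfs rw
512 22 0:35 /product_family /sys/devices/virtual/dmi/id/product_family rw shared:18 - tmpfs tmpfs rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def _covers(path, base):
    # True when path is base itself or lies below it.
    return path == base or path.startswith(base + "/")

def dmi_overmounts(mountinfo_text):
    """Return (mount_point, root, fstype) for every mount that shadows DMI data."""
    hits = []
    for line in mountinfo_text.splitlines():
        left, sep, right = line.partition(" - ")
        fields, fs = left.split(), right.split()
        if not sep or len(fields) < 5 or not fs:
            continue  # not a mountinfo record
        root, mount_point, fstype = _unescape(fields[3]), _unescape(fields[4]), fs[0]
        # Anything mounted on or below the DMI directory replaces what sysfs exports.
        below = any(_covers(mount_point, d) for d in DMI_DIRS)
        # A non-sysfs mount on a parent directory hides the DMI files as well.
        above = fstype != "sysfs" and any(_covers(d, mount_point) for d in DMI_DIRS)
        if below or above:
            hits.append((mount_point, root, fstype))
    return hits

def scan_host(path="/proc/self/mountinfo"):
    # Same check against the live mount table of the calling process.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dmi_overmounts(fh.read())

if __name__ == "__main__":
    for hit in dmi_overmounts(SAMPLE_MOUNTINFO):
        print("DMI data shadowed by mount:", hit)
```

The check only sees mounts in the mount namespace of the process that runs it, and root on the same machine can interfere with it too, which is the point the message makes about such machine checks.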
