Hello Bjørn, hi all,

fascinating ;-)

I made some limited progress with analysing the binary's code. There are plenty of conditions for different firmware versions (some of which I have never seen in the wild). The most recent version computes some data from the IMEI, but I don't really understand (using static analysis only) what is actually sent to the modem.

Regards,
Thilo

Greetings from Hamburg
Thilo Ginkel

--
Thilo-Alexander Ginkel · Isestr. 6 · D-20144 Hamburg · Germany
E-Mail/Jabber: th...@ginkel.com · @thiloginkel
Phone: +49 (0)40 68895028 · Mobile/Signal: +49 (0)177 8033300

On Tue, May 10, 2022 at 11:00 AM Bjørn Mork <bj...@mork.no> wrote:
>
> More interesting stuff from that binary. The resource section contains
> 3 zip-files among other stuff. Two of these contain DPR_Table.txt files
> per device-id(?) and some binary blobs I don't recognise. Names might
> indicate NV entries?
>
>
> bjorn@miraculix:/tmp$ unzip -l resources/101.bin
> Archive:  resources/101.bin
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>         0  2020-05-04 16:27   TuneCode/
>         0  2020-05-04 16:27   TuneCode/tunecode_876D/
>      3752  2019-12-24 15:18   TuneCode/tunecode_876D/DPR_Table.txt
> ---------                     -------
>      3752                     3 files
> bjorn@miraculix:/tmp$ unzip -l resources/102.bin
> Archive:  resources/102.bin
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>         0  2021-03-08 17:14   TuneCode/
>         0  2021-03-08 17:15   TuneCode/tunecode_093D/
>      7462  2021-03-15 13:40   TuneCode/tunecode_093D/DPR_Table.txt
>         0  2021-03-08 17:16   TuneCode/tunecode_098C/
>      7462  2021-03-15 13:40   TuneCode/tunecode_098C/DPR_Table.txt
>         0  2020-05-29 19:02   TuneCode/tunecode_09C6/
>     36067  2020-04-22 16:11   TuneCode/tunecode_09C6/00029653
>       510  2020-04-30 10:40   TuneCode/tunecode_09C6/00029654
>      7403  2020-05-29 18:57   TuneCode/tunecode_09C6/DPR_Table.txt
>         0  2020-10-07 14:00   TuneCode/tunecode_0A3F/
>     40314  2020-10-12 18:38   TuneCode/tunecode_0A3F/00029653
>       510  2020-10-12 18:40   TuneCode/tunecode_0A3F/00029654
>      7443  2020-10-07 13:35   TuneCode/tunecode_0A3F/DPR_Table.txt
>         0  2021-02-04 10:22   TuneCode/tunecode_0A5B/
>     48254  2021-01-25 12:41   TuneCode/tunecode_0A5B/00029653
>       510  2021-01-25 12:36   TuneCode/tunecode_0A5B/00029654
>      7208  2021-02-26 15:46   TuneCode/tunecode_0A5B/DPR_Table.txt
>         0  2021-03-08 14:41   TuneCode/tunecode_0A69/
>     39619  2021-03-08 14:37   TuneCode/tunecode_0A69/00029653
>       510  2021-03-08 14:37   TuneCode/tunecode_0A69/00029654
>         0  2021-03-08 14:42   TuneCode/tunecode_0A6A/
>     39619  2021-03-08 14:37   TuneCode/tunecode_0A6A/00029653
>       510  2021-03-08 14:37   TuneCode/tunecode_0A6A/00029654
> ---------                     -------
>    243401                     23 files
>
>
> The DPR_table files contain lines with different system+band
> combinations followed by 8 numbers which look like they could be dB or
> dBm values. Sample data:
>
> LTE B39 24 24 24 24 24 24 24 24
> LTE B40 24 24 24 24 24 24 23 23
> LTE B41 27 27 27 24 27 27 22.5 22.5
> LTE B42 24 24 24 24 24 22.5 24 22.5
> LTE B48 22 22 22 22 21 20.5 22 20.5
> LTE B66 24 24 24 24 24 24 18 18
> SA N1 24 24 24 24 24 24 24 24
> SA N2 24 24 24 24 24 18 24 18
> SA N3 24 24 24 24 24 24 24 24
> SA N5 24 24 24 24 24 24 19.5 19.5
> SA N7 24 24 24 24 21.5 15 24 15
> SA N8 24 24 24 24 24 24 24 24
> SA N12 24 24 24 24 24 24 19 19
> SA N20 24 24 24 24 24 24 24 24
> SA N28 24 24 24 24 24 24 24 24
> SA N38 24 24 24 24 24 14 24 14
> SA N41 27 27 27 27 21.5 15 27 15
> SA N66 24 24 24 24 24 18 24 18
> SA N77 27 27 27 27 27 18.5 27 18.5
> SA N78 27 27 27 27 27 20.5 27 20.5
> SA N79 27 27 27 27 27 16 27 16
> ENDC B5 N2 24.5 24.5 24.5 24.5 24.5 24.5 18.5 18.5
> NSA N2 B5 24 24 24 24 24 18 24 18
> ENDC B12 N2 24.5 24.5 24.5 24.5 24.5 24.5 19.5 19.5
> NSA N2 B12 24 24 24 24 24 18 24 18
> ENDC B13 N2 24.5 24.5 24.5 24.5 24.5 24.5 21.5 21.5
> NSA N2 B13 24 24 24 24 24 18 24 18
> ENDC B7 N5 24 24 24 24 21.5 14 24 14
> NSA N5 B7 24 24 24 24 24 24 18.5 18.5
> ENDC B48 N5 22 22 22 22 21 19.5 22 19.5
> NSA N5 B48 24 24 24 24 24 24 18.5 18.5
>
>
> The last zip contains rtsar_config_fcc and rtsar_config_row data for a
> number of other(?) devices. Some of them in 2dB and 0dB variants.
> Interestingly enough, this seems to be made for another Foxconn customer
> and not intended for Lenovo devices at all. Doesn't look like there are
> similar resources for any Lenovo modem/PC. Talk about mess.
>
>
> bjorn@miraculix:/tmp$ unzip -l resources/106.bin
> Archive:  resources/106.bin
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>         0  2020-12-30 10:51   MipiTable_HP_TALISKER/
>         0  2020-12-30 10:55   MipiTable_HP_TALISKER/86F9/
>         0  2020-12-30 10:55   MipiTable_HP_TALISKER/86F9/2dB/
>      1612  2020-10-07 09:07   MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_fcc
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_fcc_md5.txt
>      1584  2020-10-07 09:07   MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_row
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_row_md5.txt
>         0  2020-12-30 10:55   MipiTable_HP_TALISKER/86FA/
>         0  2020-12-30 10:55   MipiTable_HP_TALISKER/86FA/2dB/
>      1612  2020-10-07 09:07   MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_fcc
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_fcc_md5.txt
>      1584  2020-10-07 09:07   MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_row
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_row_md5.txt
>         0  2020-12-30 10:55   MipiTable_HP_TALISKER/8709/
>         0  2020-12-30 10:55   MipiTable_HP_TALISKER/8709/2dB/
>      1612  2020-10-07 09:07   MipiTable_HP_TALISKER/8709/2dB/rtsar_config_fcc
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/8709/2dB/rtsar_config_fcc_md5.txt
>      1584  2020-10-07 09:07   MipiTable_HP_TALISKER/8709/2dB/rtsar_config_row
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/8709/2dB/rtsar_config_row_md5.txt
>         0  2020-12-30 10:56   MipiTable_HP_TALISKER/870A/
>         0  2020-12-30 10:56   MipiTable_HP_TALISKER/870A/2dB/
>      1612  2020-10-07 09:07   MipiTable_HP_TALISKER/870A/2dB/rtsar_config_fcc
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/870A/2dB/rtsar_config_fcc_md5.txt
>      1584  2020-10-07 09:07   MipiTable_HP_TALISKER/870A/2dB/rtsar_config_row
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/870A/2dB/rtsar_config_row_md5.txt
>         0  2020-12-30 10:57   MipiTable_HP_TALISKER/8716/
>         0  2020-12-30 10:57   MipiTable_HP_TALISKER/8716/0db/
>      1708  2020-10-09 12:14   MipiTable_HP_TALISKER/8716/0db/rtsar_config_fcc
>        32  2020-10-09 12:14   MipiTable_HP_TALISKER/8716/0db/rtsar_config_fcc_md5.txt
>      1680  2020-10-09 12:14   MipiTable_HP_TALISKER/8716/0db/rtsar_config_row
>        32  2020-10-09 12:14   MipiTable_HP_TALISKER/8716/0db/rtsar_config_row_md5.txt
>         0  2020-12-30 10:57   MipiTable_HP_TALISKER/8716/2db/
>      1708  2020-10-09 12:15   MipiTable_HP_TALISKER/8716/2db/rtsar_config_fcc
>        32  2020-10-09 12:15   MipiTable_HP_TALISKER/8716/2db/rtsar_config_fcc_md5.txt
>      1680  2020-10-09 12:15   MipiTable_HP_TALISKER/8716/2db/rtsar_config_row
>        32  2020-10-09 12:15   MipiTable_HP_TALISKER/8716/2db/rtsar_config_row_md5.txt
>       125  2020-12-10 13:34   MipiTable_HP_TALISKER/8716/MIPI_Table.txt
>         0  2020-12-30 13:51   MipiTable_HP_TALISKER/8720/
>         0  2020-12-31 15:23   MipiTable_HP_TALISKER/8720/2db/
>      1660  2020-06-11 09:51   MipiTable_HP_TALISKER/8720/2db/rtsar_config_fcc
>        32  2020-06-11 09:51   MipiTable_HP_TALISKER/8720/2db/rtsar_config_fcc_md5.txt
>      1632  2020-06-11 09:51   MipiTable_HP_TALISKER/8720/2db/rtsar_config_row
>        32  2020-06-11 09:51   MipiTable_HP_TALISKER/8720/2db/rtsar_config_row_md5.txt
>         0  2020-12-30 10:56   MipiTable_HP_TALISKER/87BA/
>         0  2020-12-30 10:56   MipiTable_HP_TALISKER/87BA/2dB/
>      1612  2020-10-07 09:07   MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_fcc
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_fcc_md5.txt
>      1584  2020-10-07 09:07   MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_row
>        32  2020-10-07 09:08   MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_row_md5.txt
>         0  2020-12-30 13:52   MipiTable_HP_TALISKER/87CD/
>         0  2020-12-30 13:53   MipiTable_HP_TALISKER/87CD/0db/
>      1636  2020-10-21 09:19   MipiTable_HP_TALISKER/87CD/0db/rtsar_config_fcc
>        32  2020-10-21 09:20   MipiTable_HP_TALISKER/87CD/0db/rtsar_config_fcc_md5.txt
>      1608  2020-10-21 09:19   MipiTable_HP_TALISKER/87CD/0db/rtsar_config_row
>        32  2020-10-21 09:20   MipiTable_HP_TALISKER/87CD/0db/rtsar_config_row_md5.txt
>         0  2020-12-30 13:53   MipiTable_HP_TALISKER/87CD/2db/
>      1636  2020-10-21 09:20   MipiTable_HP_TALISKER/87CD/2db/rtsar_config_fcc
>        32  2020-10-21 09:20   MipiTable_HP_TALISKER/87CD/2db/rtsar_config_fcc_md5.txt
>      1608  2020-10-21 09:20   MipiTable_HP_TALISKER/87CD/2db/rtsar_config_row
>        32  2020-10-21 09:20   MipiTable_HP_TALISKER/87CD/2db/rtsar_config_row_md5.txt
>         0  2020-12-30 13:54   MipiTable_HP_TALISKER/880D/
>         0  2020-12-31 15:25   MipiTable_HP_TALISKER/880D/2dB/
>      2024  2020-09-18 17:03   MipiTable_HP_TALISKER/880D/2dB/rtsar_config_fcc
>        32  2020-09-18 17:03   MipiTable_HP_TALISKER/880D/2dB/rtsar_config_fcc_md5.txt
>      1992  2020-09-18 17:03   MipiTable_HP_TALISKER/880D/2dB/rtsar_config_row
>        32  2020-09-18 17:03   MipiTable_HP_TALISKER/880D/2dB/rtsar_config_row_md5.txt
>         0  2020-12-30 10:54   MipiTable_HP_TALISKER/8846/
>         0  2020-12-30 10:54   MipiTable_HP_TALISKER/8846/0dB/
>     15282  2020-09-29 17:51   MipiTable_HP_TALISKER/8846/0dB/Cadillac 15 inch_Talisker_rtsar_0dB_20200917-LTE_WCDMA_0929.xlsx
>      2024  2020-09-29 13:48   MipiTable_HP_TALISKER/8846/0dB/rtsar_config_fcc
>        32  2020-09-29 13:49   MipiTable_HP_TALISKER/8846/0dB/rtsar_config_fcc_md5.txt
>      1992  2020-09-29 13:48   MipiTable_HP_TALISKER/8846/0dB/rtsar_config_row
>        32  2020-09-29 13:49   MipiTable_HP_TALISKER/8846/0dB/rtsar_config_row_md5.txt
>         0  2020-12-31 15:26   MipiTable_HP_TALISKER/8846/2dB/
>      2024  2020-09-29 17:39   MipiTable_HP_TALISKER/8846/2dB/rtsar_config_fcc
>        32  2020-09-29 17:39   MipiTable_HP_TALISKER/8846/2dB/rtsar_config_fcc_md5.txt
>      1992  2020-09-29 17:39   MipiTable_HP_TALISKER/8846/2dB/rtsar_config_row
>        32  2020-09-29 17:40   MipiTable_HP_TALISKER/8846/2dB/rtsar_config_row_md5.txt
>         0  2020-12-30 10:58   MipiTable_HP_TALISKER/8847/
>         0  2020-12-30 10:58   MipiTable_HP_TALISKER/8847/0db/
>      1660  2020-10-16 14:43   MipiTable_HP_TALISKER/8847/0db/rtsar_config_fcc
>        32  2020-10-16 14:43   MipiTable_HP_TALISKER/8847/0db/rtsar_config_fcc_md5.txt
>      1632  2020-10-16 14:43   MipiTable_HP_TALISKER/8847/0db/rtsar_config_row
>        32  2020-10-16 14:43   MipiTable_HP_TALISKER/8847/0db/rtsar_config_row_md5.txt
>         0  2020-12-30 10:58   MipiTable_HP_TALISKER/8847/2db/
>      1660  2020-10-16 14:44   MipiTable_HP_TALISKER/8847/2db/rtsar_config_fcc
>        32  2020-10-16 14:44   MipiTable_HP_TALISKER/8847/2db/rtsar_config_fcc_md5.txt
>      1632  2020-10-16 14:44   MipiTable_HP_TALISKER/8847/2db/rtsar_config_row
>        32  2020-10-16 14:44   MipiTable_HP_TALISKER/8847/2db/rtsar_config_row_md5.txt
>         0  2020-12-30 10:57   MipiTable_HP_TALISKER/8890/
>         0  2020-12-30 10:58   MipiTable_HP_TALISKER/8890/0db/
>      1708  2020-10-09 12:14   MipiTable_HP_TALISKER/8890/0db/rtsar_config_fcc
>        32  2020-10-09 12:14   MipiTable_HP_TALISKER/8890/0db/rtsar_config_fcc_md5.txt
>      1680  2020-10-09 12:14   MipiTable_HP_TALISKER/8890/0db/rtsar_config_row
>        32  2020-10-09 12:14   MipiTable_HP_TALISKER/8890/0db/rtsar_config_row_md5.txt
>         0  2020-12-30 10:57   MipiTable_HP_TALISKER/8890/2db/
>      1708  2020-10-09 12:15   MipiTable_HP_TALISKER/8890/2db/rtsar_config_fcc
>        32  2020-10-09 12:15   MipiTable_HP_TALISKER/8890/2db/rtsar_config_fcc_md5.txt
>      1680  2020-10-09 12:15   MipiTable_HP_TALISKER/8890/2db/rtsar_config_row
>        32  2020-10-09 12:15   MipiTable_HP_TALISKER/8890/2db/rtsar_config_row_md5.txt
>       125  2020-12-10 13:34   MipiTable_HP_TALISKER/8890/MIPI_Table.txt
> ---------                     -------
>     74564                     101 files
>
>
>
> I don't think that the Excel file necessarily was meant to be included
> regardless of HP or Lenovo. Very educational. It contains these 3
> sheets:
>
>
>
> 1. Header:
>
> "By default this workbook contains an MCC list worksheet. Any FCC supported
> MCC's should be added in that sheet.
> Note that, only one of the workbooks (rtsar_fcc/ rtsar_row) should contain
> the mcc_list."
>
>
>
> version                     12
> reserve_power_margin_db_10  0
> primary_max_power_dbm10     265
> num_dsi                     2
>
>
> 2. tech_records:
>
> DSI 1 2
> Tech Antenna Band Tx power at SAR design target (dBm10) Tx power at SAR design target (dBm10)
> LTE    0  120  230  230  LTE B1 @ ANT#5
> LTE    2  120  271  271  LTE B1 @ ANT#8
> LTE    0  121  284  284  LTE B2 @ ANT#5
> LTE    2  121  218  218  LTE B2 @ ANT#8
> LTE    0  122  230  230  LTE B3 @ ANT#5
> LTE    2  122  288  288  LTE B3 @ ANT#8
> LTE    0  123  281  281  LTE B4 @ ANT#5
> LTE    2  123  280  280  LTE B4 @ ANT#8 sportan w/o data
> LTE    0  124  275  275  LTE B5 @ ANT#5
> LTE    0  126  296  296  LTE B7 @ ANT#5
> LTE    2  126  193  193  LTE B7 @ ANT#8
> LTE    0  127  235  235  LTE B8 @ ANT#5
> LTE    0  131  290  290  LTE B12 @ ANT#5
> LTE    0  132  295  295  LTE B13 @ ANT#5
> LTE    0  133  296  296  LTE B14 @ ANT#5
> LTE    0  136  290  290  LTE B17 @ ANT#5
> LTE    0  137  280  280  LTE B18 @ ANT#5
> LTE    0  138  280  280  LTE B19 @ ANT#5
> LTE    0  139  235  235  LTE B20 @ ANT#5
> LTE    0  144  284  284  LTE B25 @ ANT#5
> LTE    2  144  280  280  LTE B25 @ ANT#8 add new
> LTE    0  145  275  275  LTE B26 @ ANT#5
> LTE    0  147  235  235  LTE B28 @ ANT#5
> LTE    0  149  299  299  LTE B30 @ ANT#5
> LTE    2  149  280  280  LTE B30 @ ANT#8 add new
> LTE    0  153  230  230  LTE B34 @ ANT#5
> LTE    2  153  280  280  LTE B34 @ ANT#8 add new
> LTE    0  157  296  296  LTE B38 @ ANT#5
> LTE    2  157  280  280  LTE B38 @ ANT#8 add new
> LTE    0  158  280  280  LTE B39 @ ANT#5
> LTE    2  158  280  280  LTE B39 @ ANT#8 add new
> LTE    0  159  230  230  LTE B40 @ ANT#5
> LTE    2  159  280  280  LTE B40 @ ANT#8 add new
> LTE    0  160  296  296  LTE B41 @ ANT#5
> LTE    2  160  280  280  LTE B41 @ ANT#8 add new
> LTE    2  161  233  233  LTE B42 @ ANT#8
> LTE    0  168  281  281  LTE B66 @ ANT#5
> LTE    2  168  203  203  LTE B66 @ ANT#8
> LTE    2  178  216  216  LTE B48 @ ANT#8
> LTE    0  179  280  280  LTE B71 @ ANT#5 not support
> NR5G   0  182  280  280  NR B1 @ ANT#5 sportan w/o data
> NR5G   2  182  274  274  NR B1 @ ANT#8
> NR5G   0  183  276  276  NR B2 @ ANT#5
> NR5G   2  183  207  207  NR B2 @ ANT#8
> NR5G   0  184  280  280  NR B3 @ ANT#5 sportan w/o data
> NR5G   2  184  322  322  NR B3 @ ANT#8
> NR5G   0  185  276  276  NR B5 @ ANT#5
> NR5G   0  186  280  280  NR B7 @ ANT#5 sportan w/o data
> NR5G   2  186  187  187  NR B7 @ ANT#8
> NR5G   0  187  230  230  NR B8 @ ANT#5
> NR5G   0  188  230  230  NR B20 @ ANT#5
> NR5G   0  189  230  230  NR B28 @ ANT#5
> NR5G   0  190  280  280  NR B38 @ ANT#5
> NR5G   2  190  208  208  NR B38 @ ANT#8
> NR5G   0  191  280  280  NR B41 @ ANT#5 add new
> NR5G   1  191  280  280  add new
> NR5G   2  191  208  208  NR B41 @ ANT#8
> NR5G   3  191  280  280  add new
> NR5G   0  194  281  281  NR B66 @ ANT#5
> NR5G   2  194  225  225  NR B66 @ ANT#8
> NR5G   0  196  280  280  NR B71 @ ANT#5 not support
> NR5G   2  200  230  230  NR B77 @ ANT#8
> NR5G   2  201  230  230  NR B78 @ ANT#8
> NR5G   2  202  280  280  NR B79 @ ANT#8
> NR5G   0  212  280  280  mmW n260 not support
> NR5G   0  213  280  280  mmW n260 not support
> NR5G   0  215  290  290  NR N12 @ ANT#5
> NR5G   0  216  280  280  NR N25 @ ANT#5 add new
> NR5G   2  216  280  280  NR N25 @ ANT#8 add new
> NR5G   0  219  280  280  NR N40 @ ANT#5 add new
> NR5G   2  219  280  280  NR N40 @ ANT#8 add new
> NR5G   2  222  280  280  NR N48 @ ANT#8 add new
> WCDMA  0   80  235  235  WCDMA B1 @ ANT#5
> WCDMA  0   81  284  284  WCDMA B2 @ ANT#5
> WCDMA  0   82  280  280  WCDMA B3 @ ANT#5
> WCDMA  0   83  281  281  WCDMA B4 @ ANT#5
> WCDMA  0   84  276  276  WCDMA B5 @ ANT#5
> WCDMA  0   85  280  280  WCDMA B6 @ ANT#5
> WCDMA  0   87  235  235  WCDMA B8 @ ANT#5
> WCDMA  0   88  280  280  WCDMA B9 @ ANT#5
> WCDMA  0   91  280  280  WCDMA B19 @ ANT#5
>
>
> 3. mcc_list:
>
> FCC supported MCC
> 310
> 311
> 312
> 313
> 314
> 316
> 1
> 466
>
>
>
> Well, not that useful info I guess. But this is part of the explanation
> why the Windows binaries are so bloated. Because they are. The above
> is only looking at resources. But there is no reason to believe the
> code is any different. You could probably strip away 99% of it, and
> still keep all the *intended* functionality.
>
> I don't think it's intentional, but all the mess helps obfuscate the
> real code in there. So the first step when trying to analyze this is to
> identify which parts are actually executed. No need to wade through the
> rest.
>
>
>
> Bjørn
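
Added example, not part of the thread and not code from the analysed binary: a Python parser for the DPR_Table.txt row layout quoted above (a system name, one or two band tokens, then 8 numbers) that rejects malformed rows and lists the rows whose 8 values differ. The sample rows are copied from the quoted excerpt; the thread does not say what the columns mean, so the spread is reported without interpretation, and the function names are illustrative.

```python
import re

# Rows copied from the DPR_Table.txt excerpt quoted in the thread.
SAMPLE = """\
LTE B41 27 27 27 24 27 27 22.5 22.5
SA N7 24 24 24 24 21.5 15 24 15
SA N8 24 24 24 24 24 24 24 24
ENDC B5 N2 24.5 24.5 24.5 24.5 24.5 24.5 18.5 18.5
NSA N2 B5 24 24 24 24 24 18 24 18
"""

N_VALUES = 8                    # every row in the excerpt ends in 8 numbers
BAND = re.compile(r"[BN]\d+")   # band tokens as they appear in the excerpt


def parse_dpr_table(text):
    """Map (system, band[, band]) -> list of 8 floats; ValueError on bad rows."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue            # tolerate blank lines
        if len(fields) < N_VALUES + 2:
            raise ValueError(f"line {lineno}: need system, band(s), {N_VALUES} values")
        # The key length varies (one band or two), so split from the right.
        key, raw = tuple(fields[:-N_VALUES]), fields[-N_VALUES:]
        if not all(BAND.fullmatch(b) for b in key[1:]):
            raise ValueError(f"line {lineno}: unexpected band token in {key}")
        try:
            values = [float(v) for v in raw]
        except ValueError:
            raise ValueError(f"line {lineno}: non-numeric value in {raw}") from None
        if key in table:
            raise ValueError(f"line {lineno}: duplicate entry {key}")
        table[key] = values
    return table


def column_spread(table):
    """Rows whose 8 values are not all equal, mapped to max - min of the row."""
    return {k: max(v) - min(v) for k, v in table.items() if max(v) != min(v)}


if __name__ == "__main__":
    for key, spread in column_spread(parse_dpr_table(SAMPLE)).items():
        print(" ".join(key), spread)
```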