Lenovo A6000 Other phones with leaked qualcomm sources » History » Version 2
bcm61670, 12/30/2023 05:24 PM

h1. Lenovo A6000 and other phones with leaked Qualcomm sources

Modem source code has leaked for several phones. If a phone uses a testing certificate, we can run our own modem firmware on it.
For now I am testing this on a Lenovo A6000, but it can be any other phone with an SoC like MSM8916, MSM8939 or MSM8974 and testing certificates.

h3. How to check if a phone has a testing certificate?

Look at the strings in the modem.mdt file. If it uses a testing certificate, it should contain strings like "General Use Test Key (for testing only)".
Phones with other certificates that we can't use contain strings like "Sony Mobile Communications AB".
The modem firmware is signed with a certificate, and if the signature doesn't match, the firmware can't be loaded.
If the file contains the string "General Use Test Key (for testing only)", this means we can run our own firmware on the phone.
The modem.mdt file can be found at /system/etc/firmware/modem.mdt or /firmware/image/modem.mdt; it may be somewhere else on other phones.
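
The string check described above, extended to every @*.mdt@ file in an unpacked firmware tree so it can serve as an audit step. This is an added example, not part of the original page; the function names, verdict labels and the sample-file helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an unpacked firmware tree
# for images that carry the test-certificate string named above.

TEST_KEY_MARKER='General Use Test Key (for testing only)'

# Printable ASCII runs of 8+ characters, one per line: a portable stand-in
# for strings(1), which is not always installed.
mdt_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{8,}'
}

# Echo "test-key" when the marker is present, "no-test-marker" otherwise.
# Echoes "unreadable" and returns 2 when the file cannot be read.
classify_mdt() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    if mdt_strings "$1" | grep -qF "$TEST_KEY_MARKER"; then
        echo "test-key"
    else
        echo "no-test-marker"
    fi
}

# Print "<verdict> <path>" for every *.mdt under directory $1.
# Returns 1 when at least one image carries the test-key marker.
audit_firmware_tree() {
    report=$(find "$1" -type f -name '*.mdt' | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(classify_mdt "$f")" "$f"
    done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    ! printf '%s\n' "$report" | grep -q '^test-key '
}

# Constructed sample: ELF magic, NUL padding, then the given certificate
# string. Only used to try the functions without a real firmware image.
make_sample_mdt() {
    printf '\177ELF\0\0\0\0\0\0\0\0%s\0\0\0\0' "$2" > "$1"
}
```

Point @audit_firmware_tree@ at a directory holding pulled copies of /firmware/image or /system/etc/firmware; an exit status of 1 means at least one image contains the test-key string.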

h3. Files we need to build modem firmware

Toolchain: hexagon_tools_6.4.06.a.7z magnet:?xt=urn:btih:61e8b8a520181ade801c251e5ec9352e33a7bb8c&dn=qcom_msm8x26_modem&tr=udp://tracker.openbittorrent.com:80&tr=udp://tracker.opentrackr.org:1337/announce
MSM8916 modem source code: "msm8916_2014-12-03_amss_qrd" https://gitlab.com/qcom-sources15/msm8916_2014-12-03_amss_qrd/-/raw/master/modem_proc.zip?ref_type=heads

h3. Building modem firmware from leaked source code

To build the modem firmware we need to create a container with Debian buster, because the Qualcomm tools use python2.7 and newer versions of Debian no longer provide it.
<pre>
# Create a Debian buster root filesystem in ./buster and open a root shell in it
sudo debootstrap --arch=amd64 buster buster
sudo systemd-nspawn -D buster --machine buster
</pre>
Now we need to install the required packages and add a user.
<pre>
apt install g++ git sudo wget make cmake python2.7 lib32z1 scons libxml-parser-perl p7zip-full python-pip gcc-multilib g++-multilib
adduser user
# Run as root without arguments, this sets the root password
passwd
exit
</pre>
After that you need to log in to the user account and create directories for the toolchain and the source code.
<pre>
# -b boots the container so that it shows a login prompt
sudo systemd-nspawn -D buster --machine buster -b
</pre>
Log in to the user account.
<pre>
mkdir -p Qualcomm/HEXAGON_Tools
mkdir -p dev/qcom/msm8916/modem_proc
mkdir Downloads
cd Downloads
</pre>
Put hexagon_tools_6.4.06.a.7z and modem_proc.zip in the Downloads directory.
<pre>
# Unpack the toolchain and the modem sources into the directories created above
7za x -y -o$HOME/Qualcomm/HEXAGON_Tools hexagon_tools_6.4.06.a.7z
7za x -y -o$HOME/dev/qcom/msm8916/modem_proc modem_proc.zip
cd $HOME/dev/qcom/msm8916/modem_proc
</pre>
If you are building modem firmware for the Lenovo A6000, you should replace a few files in the source code with these files: https://mega.nz/file/8O1glCTS#0RU919Tbe4eSyrXXHh3vUEXPMxk6SK9EV_Iks8o6e_E
The configuration of the PA and RF switch, LTE bands and WCDMA bands can differ between phones, and some files need to be modified to get it working; otherwise you can run into issues such as the phone not receiving or transmitting.
Now we will prepare the source code for building.
<pre>
# Make the build scripts and helper tools executable
find . -name '*.sh' -exec chmod -f 775 {} \;
find . -name '*.mk' -exec chmod -f 775 {} \;
find . -name '*.py' -exec chmod -f 775 {} \;
find . -name '*.pl' -exec chmod -f 775 {} \;
find . -name '*.lcs' -exec chmod -f 775 {} \;
find . -name '*.api' -exec chmod -f 775 {} \;
find . -name '*.xml' -exec chmod -f 775 {} \;
find . -name '*.scons' -exec chmod -f 775 {} \;
find . -name 'scons' -exec chmod -f 775 {} \;
find . -name 'SConscript' -exec chmod -f 775 {} \;
find . -name 'SConstruct' -exec chmod -f 775 {} \;
find . -name 'Makefile' -exec chmod -f 775 {} \;
find . -name 'makefile' -exec chmod -f 775 {} \;
find . -name 'qaic' -exec chmod -f 775 {} \;
find . -name 'doxygen' -exec chmod -f 775 {} \;
find . -name 'qdsp6-image-build' -exec chmod -f 775 {} \;
find . -name 'SleepSynth' -exec chmod -f 775 {} \;
find . -name 'crypto_cbc' -exec chmod -f 775 {} \;
find . -name 'crypto_ccm' -exec chmod -f 775 {} \;
cd build/ms/
nano build.sh
</pre>
Change "#!/bin/sh" to "#!/bin/bash".
<pre>
nano setenv.sh
</pre>
In this file put:
<pre>
export ARMTOOLS=ARMCT5.05
export ARMROOT=$HOME/ARMCompiler5.05u2
export ARM_COMPILER_PATH=$ARMROOT/bin64
export ARMHOME=$ARMROOT
export ARMLIB=$ARMROOT/lib
export ARMINCLUDE=$ARMROOT/include
export ARMBIN=$ARMROOT/bin64
export ARMINC=$ARMINCLUDE
export ARMLMD_LICENSE_FILE=$ARMROOT/Community.lic
export HEXAGON_ROOT=$HOME/Qualcomm/HEXAGON_Tools
export HEXAGON_RTOS_RELEASE=6.4.06.a
export HEXAGON_Q6VERSION=v5
export HEXAGON_IMAGE_ENTRY=0x86800000 # If you are using a different phone than the Lenovo A6000, you may need to change this value
export PYTHON_PATH=/usr/bin/python
export PYTHONPATH=/usr/bin/python
export MAKE_PATH=/usr/bin/make
export PATH=$MAKE_PATH:$ARM_COMPILER_PATH:$HEXAGON_ROOT/$HEXAGON_RTOS_RELEASE/qc/bin:$HEXAGON_ROOT/$HEXAGON_RTOS_RELEASE/gnu/bin:$PATH:$PYTHONPATH
</pre>
<pre>
nano build_cfg.xml
</pre>
Change hexagon_rtos_release to 6.4.06.a
Change cflags to -Wno-error -Wno-tautological-constant-out-of-range-compare -Wno-medium -Wno-low -hexagon-predef-argset=modem-sw -mllvm -shrink-wrap-ext-wrapper-section=.wrap.func
<pre>
cd $HOME/dev/qcom/msm8916/modem_proc/core/kernel/qurt
HEXAGON_RTOS_RELEASE=6.4.06.a
# Add the toolchain version to the toolsver_whitelist list in every target_tools.py
WL_PREFIX="toolsver_whitelist \\= \\["
find . -name 'target_tools.py' -exec sed -i "s/$WL_PREFIX/$WL_PREFIX\"$HEXAGON_RTOS_RELEASE\" ,/" {} \;
nano target_tools.py
</pre>
Now we need to replace a few lines in this file.
Find:
<pre>
hexagon_root = os.path.join(default_root,toolsver)
if(version_compare(toolsver, '5.1.03') < 0):
    v55_workaround = "False"
</pre>
Replace it with:
<pre>
hexagon_root = os.path.join(default_root,toolsver)
v55_workaround = "False"
</pre>
<pre>
cd $HOME/dev/qcom/msm8916/modem_proc
nano build/bsp/mapss_b/build/mapss_b.scons
</pre>
In this file, find these lines:
<pre>
elif hex_version[0] == '6':
    if hex_version[1] == '2':
        if len(hex_version) >= 3 and hex_version[2] >= '06':
            legacy_mode = False
</pre>
After these lines add (at the same indentation level as the "if hex_version[1] == '2':" line):
<pre>
    elif hex_version[1] == '4':
        legacy_mode = False
</pre>
It should look like this:
<pre>
elif hex_version[0] == '6':
    if hex_version[1] == '2':
        if len(hex_version) >= 3 and hex_version[2] >= '06':
            legacy_mode = False
    elif hex_version[1] == '4':
        legacy_mode = False
</pre>
<pre>
nano ./geran/gmac/src/gmacidleutil.c
</pre>
Find:
<pre>
if( (((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
    && (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))
</pre>
Replace it with:
<pre>
if( /*(((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
    &&*/ (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))
</pre>
<pre>
nano ./geran/gmac/src/gmacutil.c
</pre>
Find:
<pre>
if((((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
    && (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))
</pre>
Replace it with:
<pre>
if(/*(((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
    &&*/ (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))
</pre>
The source code is now prepared for building and should compile without errors.
<pre>
cd $HOME/dev/qcom/msm8916/modem_proc/build/ms
./build.sh 8916.genns BUILD_ID=EAAAANUZ -k
</pre>
The BUILD_ID / image variant can be different on other phones.
If the build was successful you should see something like this:
<pre>
==============================================================================
SCons build summary
==============================================================================
** Build time...
Build start : Sat Dec 30 15:51:11 2023
Build end : Sat Dec 30 15:57:14 2023
Elapsed time : 0:06:03
#-------------------------------------------------------------------------------
# BUILD END: EAAAANUZ
#-------------------------------------------------------------------------------
Build EAAAANUZ: Start Time: Sat Dec 30 15:51:11 2023, End Time: Sat Dec 30 15:57:16 2023
Build EAAAANUZ: Delta Time: 6 minutes, 5 seconds
#-------------------------------------------------------------------------------
#-------------------------------------------------------------------------------
Build 8916.genns returned code 0.
#-------------------------------------------------------------------------------
Overall Start Time: Sat Dec 30 15:51:11 2023, Overall End Time: Sat Dec 30 15:57:16 2023
Overall Delta Time: 6 minutes, 5 seconds
#-------------------------------------------------------------------------------
</pre>
Now we need to convert the compiled firmware into the files that the phone will load.
<pre>
cd $HOME/dev/qcom/msm8916/modem_proc/build/ms/bin
wget http://github.com/remittor/qcom-mbn-tools/raw/master/pil-splitter.py
BUILD_ID=EAAAANUZ
MBN_FILE=./$BUILD_ID/qdsp6sw.mbn
MBN_PREFIX=modem
# Split the single .mbn image into modem.mdt and the modem.bNN segment files
python pil-splitter.py $MBN_FILE $MBN_PREFIX
</pre>
This script should create files like modem.mdt, modem.b00, modem.b01, ...

h3. Flash modem firmware to phone

Outside the container, go to the directory that contains the files created by pil-splitter.py.
<pre>
adb root
# Remount the firmware partition read-write, then copy the new images over
adb shell mount -oremount,rw /firmware
adb push modem.* /firmware/image/.
adb push EAAAANUZ/mba.mbn /firmware/image/mba.mbn
adb shell sync
adb reboot
</pre>
The Lenovo A6000 stores modem firmware on the /firmware partition in the directory /firmware/image/; other phones can have the firmware in a different location.
If everything was done correctly, your phone should now reboot with the new modem firmware and it will be able to connect to LTE/WCDMA/GSM networks.

h3. Other phones that may work with leaked source code

|_. Phone |_. SOC |_. Image Variant |_. Image Version |_. Tested |
| Lenovo A6000 | MSM8916 | EAAAANUZ | MPSS.DPM.1.0.1.C1-00093 | Tested, working |
| LG G4c H525n | MSM8916 | EAAAANWZ | MPSS.DPM.2.0.C11-39832 | Not working, bluescreen https://imgur.com/a/jfoAVDq |
| ASUS ZE550KL | MSM8916 | EAAAANUZ | MPSS.DPM.2.0.2.c1.11-00021 | Not tested |