Lenovo T99W175 / Foxconn SDX55 update on LVFS breaks FCC unlock

Thilo-Alexander Ginkel thilo at ginkel.com
Mon May 9 18:13:43 UTC 2022 

Hi Bjørn,

thanks for your reply! I don't think that the lenovo-wwan-dpr snap
implements the OTP unlocking mechanism.

Lenovo also just posted in their forum [1] that the new firmware
deliberately broke the unlock used by ModemManager. So that was
probably my last Lenovo laptop...

With regards to reversing the OTP mechanism: I made some first
attempts at decompiling / diffing the Windows driver using Ghidra, but
have to admit that I am not very experienced doing so and am somewhat
lost as to which driver file actually implements the unlocking.

Thanks,
Thilo

[1] https://forums.lenovo.com/t5/Other-Linux-Discussions/Finally-X55-5G-modem-works-under-linux/m-p/5082236?page=11#5639046


On Sun, May 1, 2022 at 6:31 PM Bjørn Mork <bjorn at mork.no> wrote:
>
> Bjørn Mork <bjorn at mork.no> writes:
>
> > Wrt the implementation: Any protocol depending on closed binaries is
> > broken by design, without exception.  It doesn't matter whether you use
> > a "secret" algorithm or just store keys inside the binary. Anything that
> > was compiled can be decompiled.  Sure it can be obfuscated to make that
> > harder.  We all love a challenge :-)
>
> And just let me prove that fact without even modifying one byte of the
> code:
>
>  root at miraculix:/tmp# cat /sys/class/dmi/id/product_family
>  ThinkPad X1 Carbon 4th
>  root at miraculix:/tmp# echo ThinkEdge > /tmp/product_family
>  root at miraculix:/tmp# mount --bind /tmp/product_family /sys/class/dmi/id/product_family
>  root at miraculix:/tmp# cat /sys/class/dmi/id/product_family
>  ThinkEdge
>
> And what do you think?  There goes the machine check....
>
>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app started
>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: get_product(): DT
>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: MACHINE = [4] --- THINKEDGE_SE30 = [4]
>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app exited
>
> This doesn't work for me of course, only having the original EM7455
> modem.  But I do note that the log output changed from -1 to 4, whatever
> that means.  Previously:
>
>  May  1 18:21:01 miraculix DPR_Fcc_unlock_service: MACHINE = [-1] --- THINKEDGE_SE30 = [4]
>
> Something to try out on your X1E4, maybe?
>
>
> Bjørn

More information about the ModemManager-devel mailing list