Lenovo T99W175 / Foxconn SDX55 update on LVFS breaks FCC unlock

Thilo-Alexander Ginkel thilo at ginkel.com
Mon May 9 18:21:13 UTC 2022


Hello again,

quick update if anyone wants to have a look before I find time to do so:
The unlock is most probably in SIMService.exe, which contains the magic
string "KHOIHGIUCCHHII" that is checked for in DMI and also used by the
unlocking Snap...

Regards,
Thilo

On Mon, May 9, 2022 at 8:13 PM Thilo-Alexander Ginkel <thilo at ginkel.com>
wrote:

> Hi Bjørn,
>
> thanks for your reply! I don't think that the lenovo-wwan-dpr snap
> implements the OTP unlocking mechanism.
>
> Lenovo also just posted in their forum [1] that the new firmware
> deliberately broke the unlock used by ModemManager. So that was
> probably my last Lenovo laptop...
>
> With regards to reversing the OTP mechanism: I made some first
> attempts at decompiling / diffing the Windows driver using Ghidra, but
> have to admit that I am not very experienced doing so and am somewhat
> lost as to which driver file actually implements the unlocking.
>
> Thanks,
> Thilo
>
> [1]
> https://forums.lenovo.com/t5/Other-Linux-Discussions/Finally-X55-5G-modem-works-under-linux/m-p/5082236?page=11#5639046
>
>
> On Sun, May 1, 2022 at 6:31 PM Bjørn Mork <bjorn at mork.no> wrote:
> >
> > Bjørn Mork <bjorn at mork.no> writes:
> >
> > > Wrt the implementation: Any protocol depending on closed binaries is
> > > broken by design, without exception.  It doesn't matter whether you use
> > > a "secret" algorithm or just store keys inside the binary. Anything that
> > > was compiled can be decompiled.  Sure it can be obfuscated to make that
> > > harder.  We all love a challenge :-)
> >
> > And just let me prove that fact without even modifying one byte of the
> > code:
> >
> >  root@miraculix:/tmp# cat /sys/class/dmi/id/product_family
> >  ThinkPad X1 Carbon 4th
> >  root@miraculix:/tmp# echo ThinkEdge > /tmp/product_family
> >  root@miraculix:/tmp# mount --bind /tmp/product_family /sys/class/dmi/id/product_family
> >  root@miraculix:/tmp# cat /sys/class/dmi/id/product_family
> >  ThinkEdge
> >
> > And what do you think?  There goes the machine check....
> >
> >  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app started
> >  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: get_product(): DT
> >  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: MACHINE = [4] --- THINKEDGE_SE30 = [4]
> >  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app exited
> >
> > This doesn't work for me of course, only having the original EM7455
> > modem.  But I do note that the log output changed from -1 to 4, whatever
> > that means.  Previously:
> >
> >  May  1 18:21:01 miraculix DPR_Fcc_unlock_service: MACHINE = [-1] --- THINKEDGE_SE30 = [4]
> >
> > Something to try out on your X1E4, maybe?
> >
> >
> > Bjørn
>
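
The bind mount quoted above shows why a value read from /sys/class/dmi/id is not a trustworthy machine identity. As an added example (not code from this thread, from ModemManager or from Lenovo), the following Python parses /proc/self/mountinfo to report any mount that shadows the DMI attributes; the function names are hypothetical and the sample dump is constructed.

```python
import re

# /sys/class/dmi/id is a symlink to /sys/devices/virtual/dmi/id; mountinfo
# records the resolved path, so both spellings are checked.
DMI_DIRS = ("/sys/class/dmi/id", "/sys/devices/virtual/dmi/id")

def unescape(field):
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield (mount_point, fstype, root) for each mountinfo line."""
    for line in text.splitlines():
        fields = line.split(" ")
        try:
            sep = fields.index("-", 6)  # optional fields end at a lone "-"
            yield unescape(fields[4]), fields[sep + 1], unescape(fields[3])
        except (ValueError, IndexError):
            continue  # malformed or truncated line

def shadows_dmi(mount_point, fstype):
    for dmi in DMI_DIRS:
        # Anything mounted on the DMI directory or on a file inside it.
        if mount_point == dmi or mount_point.startswith(dmi + "/"):
            return True
        # A non-sysfs filesystem mounted on a parent directory hides it too.
        if (mount_point != "/" and dmi.startswith(mount_point + "/")
                and fstype != "sysfs"):
            return True
    return False

def dmi_overmounts(text):
    return [m for m in parse_mountinfo(text) if shadows_dmi(m[0], m[1])]

# Constructed sample: the last line is what a bind mount of a tmpfs file
# over product_family looks like in mountinfo.
SAMPLE = """\
28 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
31 28 0:27 / /tmp rw,nosuid,nodev shared:12 - tmpfs tmpfs rw
412 22 0:27 /product_family /sys/devices/virtual/dmi/id/product_family rw,nosuid,nodev shared:12 - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as fh:
            live = fh.read()
    except OSError:
        live = SAMPLE  # fall back to the constructed dump off Linux
    for hit in dmi_overmounts(live):
        print("DMI path shadowed by mount:", hit)
```

A check like this only sees the mount namespace it runs in, and whoever holds root can defeat it as well, so it supports auditing rather than making DMI values trustworthy.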