Lenovo T99W175 / Foxconn SDX55 update on LVFS breaks FCC unlock

Enrico Mioso mrkiko.rs at gmail.com
Mon May 9 19:49:54 UTC 2022


I sincerely hope you succeed. If I see any way I can help out, I'll try my best to do it.

Enrico


On Mon, 9 May 2022, Thilo-Alexander Ginkel wrote:

> Date: Mon, 9 May 2022 20:13:43
> From: Thilo-Alexander Ginkel <thilo at ginkel.com>
> To: Bjørn Mork <bjorn at mork.no>
> Cc: "ModemManager (development)" <modemmanager-devel at lists.freedesktop.org>,
>     Aleksander Morgado <aleksander at aleksander.es>
> Subject: Re: Lenovo T99W175 / Foxconn SDX55 update on LVFS breaks FCC unlock
> 
> Hi Bjørn,
>
> thanks for your reply! I don't think that the lenovo-wwan-dpr snap
> implements the OTP unlocking mechanism.
>
> Lenovo also just posted in their forum [1] that the new firmware
> deliberately broke the unlock used by ModemManager. So that was
> probably my last Lenovo laptop...
>
> With regards to reversing the OTP mechanism: I made some first
> attempts at decompiling / diffing the Windows driver using Ghidra, but
> have to admit that I am not very experienced doing so and am somewhat
> lost as to which driver file actually implements the unlocking.
>
> Thanks,
> Thilo
>
> [1] https://forums.lenovo.com/t5/Other-Linux-Discussions/Finally-X55-5G-modem-works-under-linux/m-p/5082236?page=11#5639046
>
>
> On Sun, May 1, 2022 at 6:31 PM Bjørn Mork <bjorn at mork.no> wrote:
>>
>> Bjørn Mork <bjorn at mork.no> writes:
>>
>>> Wrt the implementation: Any protocol depending on closed binaries is
>>> broken by design, without exception.  It doesn't matter whether you use
>>> a "secret" algorithm or just store keys inside the binary. Anything that
>>> was compiled can be decompiled.  Sure it can be obfuscated to make that
>>> harder.  We all love a challenge :-)
>>
>> And just let me prove that fact without even modifying one byte of the
>> code:
>>
>>  root@miraculix:/tmp# cat /sys/class/dmi/id/product_family
>>  ThinkPad X1 Carbon 4th
>>  root@miraculix:/tmp# echo ThinkEdge > /tmp/product_family
>>  root@miraculix:/tmp# mount --bind /tmp/product_family /sys/class/dmi/id/product_family
>>  root@miraculix:/tmp# cat /sys/class/dmi/id/product_family
>>  ThinkEdge
>>
>> And what do you think?  There goes the machine check....
>>
>>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app started
>>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: get_product(): DT
>>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: MACHINE = [4] --- THINKEDGE_SE30 = [4]
>>  May  1 18:24:59 miraculix DPR_Fcc_unlock_service: main(): FCC unlock app exited
>>
>> This doesn't work for me of course, only having the original EM7455
>> modem.  But I do note that the log output changed from -1 to 4, whatever
>> that means.  Previously:
>>
>>  May  1 18:21:01 miraculix DPR_Fcc_unlock_service: MACHINE = [-1] --- THINKEDGE_SE30 = [4]
>>
>> Something to try out on your X1E4, maybe?
>>
>>
>> Bjørn
>
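
The quoted session shows a machine check that trusts /sys/class/dmi/id/product_family being satisfied by a bind mount. As an added example (not part of the original thread, and not code from ModemManager or Lenovo), the sketch below parses /proc/self/mountinfo and reports any mount that shadows a DMI id file; the function name and the sample mountinfo lines are constructed for illustration.

```python
import re

# Directories exposing DMI/SMBIOS identity strings. /sys/class/dmi/id is a
# symlink, so mounts made through it are listed under the resolved path.
DMI_DIRS = ("/sys/devices/virtual/dmi/id", "/sys/class/dmi/id")

# Constructed sample: the third line is what the bind mount from the quoted
# session would look like when /tmp is a tmpfs.
SAMPLE = """\
22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
31 28 0:27 / /tmp rw,nosuid,nodev shared:15 - tmpfs tmpfs rw
412 22 0:27 /product_family /sys/devices/virtual/dmi/id/product_family rw,nosuid,nodev shared:15 - tmpfs tmpfs rw
"""


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def find_dmi_overmounts(mountinfo_text):
    """Return (mount_point, fs_type, root) for each mount on or below a DMI
    id directory, i.e. anything hiding the real sysfs attribute."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue  # not a mountinfo record
        sep = fields.index("-")  # separator after the optional fields
        if sep < 6 or len(fields) < sep + 2:
            continue  # truncated record
        root, mount_point = _unescape(fields[3]), _unescape(fields[4])
        fs_type = fields[sep + 1]
        if any(mount_point == d or mount_point.startswith(d + "/")
               for d in DMI_DIRS):
            hits.append((mount_point, fs_type, root))
    return hits


if __name__ == "__main__":
    # On a live system, inspect the caller's own mount namespace.
    with open("/proc/self/mountinfo") as fh:
        for mount_point, fs_type, root in find_dmi_overmounts(fh.read()):
            print(f"overmounted: {mount_point} ({fs_type}, root={root})")
```

This only sees mounts in the caller's own mount namespace, so it flags the overmount from the session above but does not make the DMI strings a trustworthy input for an authorization decision.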

