Lenovo T99W175 / Foxconn SDX55 update on LVFS breaks FCC unlock
Thilo-Alexander Ginkel
thilo at ginkel.com
Thu May 12 21:08:57 UTC 2022
Hello Bjørn, hi all,
fascinating ;-) I made some limited progress with analysing the
binary's code. There are plenty of conditions for different firmware
versions (some of which I have never seen in the wild). The most
recent version computes some data from the IMEI, but I don't really
understand (using static analysis only) what is actually sent to the
modem.
Regards,
Thilo
Best regards from Hamburg
Thilo Ginkel
--
Thilo-Alexander Ginkel · Isestr. 6 · D-20144 Hamburg · Germany
E-Mail/Jabber: thilo at ginkel.com · @thiloginkel
Phone: +49 (0)40 68895028 · Mobile/Signal: +49 (0)177 8033300
On Tue, May 10, 2022 at 11:00 AM Bjørn Mork <bjorn at mork.no> wrote:
>
> More interesting stuff from that binary. The resource section contains
> 3 zip-files among other stuff. Two of these contain DPR_Table.txt files
> per device-id(?) and some binary blobs I don't recognise. Names might
> indicate NV entries?
>
>
> bjorn at miraculix:/tmp$ unzip -l resources/101.bin
> Archive: resources/101.bin
> Length Date Time Name
> --------- ---------- ----- ----
> 0 2020-05-04 16:27 TuneCode/
> 0 2020-05-04 16:27 TuneCode/tunecode_876D/
> 3752 2019-12-24 15:18 TuneCode/tunecode_876D/DPR_Table.txt
> --------- -------
> 3752 3 files
> bjorn at miraculix:/tmp$ unzip -l resources/102.bin
> Archive: resources/102.bin
> Length Date Time Name
> --------- ---------- ----- ----
> 0 2021-03-08 17:14 TuneCode/
> 0 2021-03-08 17:15 TuneCode/tunecode_093D/
> 7462 2021-03-15 13:40 TuneCode/tunecode_093D/DPR_Table.txt
> 0 2021-03-08 17:16 TuneCode/tunecode_098C/
> 7462 2021-03-15 13:40 TuneCode/tunecode_098C/DPR_Table.txt
> 0 2020-05-29 19:02 TuneCode/tunecode_09C6/
> 36067 2020-04-22 16:11 TuneCode/tunecode_09C6/00029653
> 510 2020-04-30 10:40 TuneCode/tunecode_09C6/00029654
> 7403 2020-05-29 18:57 TuneCode/tunecode_09C6/DPR_Table.txt
> 0 2020-10-07 14:00 TuneCode/tunecode_0A3F/
> 40314 2020-10-12 18:38 TuneCode/tunecode_0A3F/00029653
> 510 2020-10-12 18:40 TuneCode/tunecode_0A3F/00029654
> 7443 2020-10-07 13:35 TuneCode/tunecode_0A3F/DPR_Table.txt
> 0 2021-02-04 10:22 TuneCode/tunecode_0A5B/
> 48254 2021-01-25 12:41 TuneCode/tunecode_0A5B/00029653
> 510 2021-01-25 12:36 TuneCode/tunecode_0A5B/00029654
> 7208 2021-02-26 15:46 TuneCode/tunecode_0A5B/DPR_Table.txt
> 0 2021-03-08 14:41 TuneCode/tunecode_0A69/
> 39619 2021-03-08 14:37 TuneCode/tunecode_0A69/00029653
> 510 2021-03-08 14:37 TuneCode/tunecode_0A69/00029654
> 0 2021-03-08 14:42 TuneCode/tunecode_0A6A/
> 39619 2021-03-08 14:37 TuneCode/tunecode_0A6A/00029653
> 510 2021-03-08 14:37 TuneCode/tunecode_0A6A/00029654
> --------- -------
> 243401 23 files
>
>
> The DPR_table files contain lines with different system+band
> combinations followed by 8 numbers which look like they could be dB or
> dBm values. Sample data:
>
> LTE B39 24 24 24 24 24 24 24 24
> LTE B40 24 24 24 24 24 24 23 23
> LTE B41 27 27 27 24 27 27 22.5 22.5
> LTE B42 24 24 24 24 24 22.5 24 22.5
> LTE B48 22 22 22 22 21 20.5 22 20.5
> LTE B66 24 24 24 24 24 24 18 18
> SA N1 24 24 24 24 24 24 24 24
> SA N2 24 24 24 24 24 18 24 18
> SA N3 24 24 24 24 24 24 24 24
> SA N5 24 24 24 24 24 24 19.5 19.5
> SA N7 24 24 24 24 21.5 15 24 15
> SA N8 24 24 24 24 24 24 24 24
> SA N12 24 24 24 24 24 24 19 19
> SA N20 24 24 24 24 24 24 24 24
> SA N28 24 24 24 24 24 24 24 24
> SA N38 24 24 24 24 24 14 24 14
> SA N41 27 27 27 27 21.5 15 27 15
> SA N66 24 24 24 24 24 18 24 18
> SA N77 27 27 27 27 27 18.5 27 18.5
> SA N78 27 27 27 27 27 20.5 27 20.5
> SA N79 27 27 27 27 27 16 27 16
> ENDC B5 N2 24.5 24.5 24.5 24.5 24.5 24.5 18.5 18.5
> NSA N2 B5 24 24 24 24 24 18 24 18
> ENDC B12 N2 24.5 24.5 24.5 24.5 24.5 24.5 19.5 19.5
> NSA N2 B12 24 24 24 24 24 18 24 18
> ENDC B13 N2 24.5 24.5 24.5 24.5 24.5 24.5 21.5 21.5
> NSA N2 B13 24 24 24 24 24 18 24 18
> ENDC B7 N5 24 24 24 24 21.5 14 24 14
> NSA N5 B7 24 24 24 24 24 24 18.5 18.5
> ENDC B48 N5 22 22 22 22 21 19.5 22 19.5
> NSA N5 B48 24 24 24 24 24 24 18.5 18.5
>
>
> The last zip contains rtsar_config_fcc and rtsar_config_row data for a
> number of other(?) devices. Some of them in 2dB and 0dB variants.
> Interestingly enough, this seems to be made for another Foxconn customer
> and not intended for Lenovo devices at all. Doesn't look like there are
> similar resources for any Lenovo modem/PC. Talk about mess.
>
>
> bjorn at miraculix:/tmp$ unzip -l resources/106.bin
> Archive: resources/106.bin
> Length Date Time Name
> --------- ---------- ----- ----
> 0 2020-12-30 10:51 MipiTable_HP_TALISKER/
> 0 2020-12-30 10:55 MipiTable_HP_TALISKER/86F9/
> 0 2020-12-30 10:55 MipiTable_HP_TALISKER/86F9/2dB/
> 1612 2020-10-07 09:07 MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_fcc
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_fcc_md5.txt
> 1584 2020-10-07 09:07 MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_row
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/86F9/2dB/rtsar_config_row_md5.txt
> 0 2020-12-30 10:55 MipiTable_HP_TALISKER/86FA/
> 0 2020-12-30 10:55 MipiTable_HP_TALISKER/86FA/2dB/
> 1612 2020-10-07 09:07 MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_fcc
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_fcc_md5.txt
> 1584 2020-10-07 09:07 MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_row
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/86FA/2dB/rtsar_config_row_md5.txt
> 0 2020-12-30 10:55 MipiTable_HP_TALISKER/8709/
> 0 2020-12-30 10:55 MipiTable_HP_TALISKER/8709/2dB/
> 1612 2020-10-07 09:07 MipiTable_HP_TALISKER/8709/2dB/rtsar_config_fcc
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/8709/2dB/rtsar_config_fcc_md5.txt
> 1584 2020-10-07 09:07 MipiTable_HP_TALISKER/8709/2dB/rtsar_config_row
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/8709/2dB/rtsar_config_row_md5.txt
> 0 2020-12-30 10:56 MipiTable_HP_TALISKER/870A/
> 0 2020-12-30 10:56 MipiTable_HP_TALISKER/870A/2dB/
> 1612 2020-10-07 09:07 MipiTable_HP_TALISKER/870A/2dB/rtsar_config_fcc
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/870A/2dB/rtsar_config_fcc_md5.txt
> 1584 2020-10-07 09:07 MipiTable_HP_TALISKER/870A/2dB/rtsar_config_row
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/870A/2dB/rtsar_config_row_md5.txt
> 0 2020-12-30 10:57 MipiTable_HP_TALISKER/8716/
> 0 2020-12-30 10:57 MipiTable_HP_TALISKER/8716/0db/
> 1708 2020-10-09 12:14 MipiTable_HP_TALISKER/8716/0db/rtsar_config_fcc
> 32 2020-10-09 12:14 MipiTable_HP_TALISKER/8716/0db/rtsar_config_fcc_md5.txt
> 1680 2020-10-09 12:14 MipiTable_HP_TALISKER/8716/0db/rtsar_config_row
> 32 2020-10-09 12:14 MipiTable_HP_TALISKER/8716/0db/rtsar_config_row_md5.txt
> 0 2020-12-30 10:57 MipiTable_HP_TALISKER/8716/2db/
> 1708 2020-10-09 12:15 MipiTable_HP_TALISKER/8716/2db/rtsar_config_fcc
> 32 2020-10-09 12:15 MipiTable_HP_TALISKER/8716/2db/rtsar_config_fcc_md5.txt
> 1680 2020-10-09 12:15 MipiTable_HP_TALISKER/8716/2db/rtsar_config_row
> 32 2020-10-09 12:15 MipiTable_HP_TALISKER/8716/2db/rtsar_config_row_md5.txt
> 125 2020-12-10 13:34 MipiTable_HP_TALISKER/8716/MIPI_Table.txt
> 0 2020-12-30 13:51 MipiTable_HP_TALISKER/8720/
> 0 2020-12-31 15:23 MipiTable_HP_TALISKER/8720/2db/
> 1660 2020-06-11 09:51 MipiTable_HP_TALISKER/8720/2db/rtsar_config_fcc
> 32 2020-06-11 09:51 MipiTable_HP_TALISKER/8720/2db/rtsar_config_fcc_md5.txt
> 1632 2020-06-11 09:51 MipiTable_HP_TALISKER/8720/2db/rtsar_config_row
> 32 2020-06-11 09:51 MipiTable_HP_TALISKER/8720/2db/rtsar_config_row_md5.txt
> 0 2020-12-30 10:56 MipiTable_HP_TALISKER/87BA/
> 0 2020-12-30 10:56 MipiTable_HP_TALISKER/87BA/2dB/
> 1612 2020-10-07 09:07 MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_fcc
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_fcc_md5.txt
> 1584 2020-10-07 09:07 MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_row
> 32 2020-10-07 09:08 MipiTable_HP_TALISKER/87BA/2dB/rtsar_config_row_md5.txt
> 0 2020-12-30 13:52 MipiTable_HP_TALISKER/87CD/
> 0 2020-12-30 13:53 MipiTable_HP_TALISKER/87CD/0db/
> 1636 2020-10-21 09:19 MipiTable_HP_TALISKER/87CD/0db/rtsar_config_fcc
> 32 2020-10-21 09:20 MipiTable_HP_TALISKER/87CD/0db/rtsar_config_fcc_md5.txt
> 1608 2020-10-21 09:19 MipiTable_HP_TALISKER/87CD/0db/rtsar_config_row
> 32 2020-10-21 09:20 MipiTable_HP_TALISKER/87CD/0db/rtsar_config_row_md5.txt
> 0 2020-12-30 13:53 MipiTable_HP_TALISKER/87CD/2db/
> 1636 2020-10-21 09:20 MipiTable_HP_TALISKER/87CD/2db/rtsar_config_fcc
> 32 2020-10-21 09:20 MipiTable_HP_TALISKER/87CD/2db/rtsar_config_fcc_md5.txt
> 1608 2020-10-21 09:20 MipiTable_HP_TALISKER/87CD/2db/rtsar_config_row
> 32 2020-10-21 09:20 MipiTable_HP_TALISKER/87CD/2db/rtsar_config_row_md5.txt
> 0 2020-12-30 13:54 MipiTable_HP_TALISKER/880D/
> 0 2020-12-31 15:25 MipiTable_HP_TALISKER/880D/2dB/
> 2024 2020-09-18 17:03 MipiTable_HP_TALISKER/880D/2dB/rtsar_config_fcc
> 32 2020-09-18 17:03 MipiTable_HP_TALISKER/880D/2dB/rtsar_config_fcc_md5.txt
> 1992 2020-09-18 17:03 MipiTable_HP_TALISKER/880D/2dB/rtsar_config_row
> 32 2020-09-18 17:03 MipiTable_HP_TALISKER/880D/2dB/rtsar_config_row_md5.txt
> 0 2020-12-30 10:54 MipiTable_HP_TALISKER/8846/
> 0 2020-12-30 10:54 MipiTable_HP_TALISKER/8846/0dB/
> 15282 2020-09-29 17:51 MipiTable_HP_TALISKER/8846/0dB/Cadillac 15 inch_Talisker_rtsar_0dB_20200917-LTE_WCDMA_0929.xlsx
> 2024 2020-09-29 13:48 MipiTable_HP_TALISKER/8846/0dB/rtsar_config_fcc
> 32 2020-09-29 13:49 MipiTable_HP_TALISKER/8846/0dB/rtsar_config_fcc_md5.txt
> 1992 2020-09-29 13:48 MipiTable_HP_TALISKER/8846/0dB/rtsar_config_row
> 32 2020-09-29 13:49 MipiTable_HP_TALISKER/8846/0dB/rtsar_config_row_md5.txt
> 0 2020-12-31 15:26 MipiTable_HP_TALISKER/8846/2dB/
> 2024 2020-09-29 17:39 MipiTable_HP_TALISKER/8846/2dB/rtsar_config_fcc
> 32 2020-09-29 17:39 MipiTable_HP_TALISKER/8846/2dB/rtsar_config_fcc_md5.txt
> 1992 2020-09-29 17:39 MipiTable_HP_TALISKER/8846/2dB/rtsar_config_row
> 32 2020-09-29 17:40 MipiTable_HP_TALISKER/8846/2dB/rtsar_config_row_md5.txt
> 0 2020-12-30 10:58 MipiTable_HP_TALISKER/8847/
> 0 2020-12-30 10:58 MipiTable_HP_TALISKER/8847/0db/
> 1660 2020-10-16 14:43 MipiTable_HP_TALISKER/8847/0db/rtsar_config_fcc
> 32 2020-10-16 14:43 MipiTable_HP_TALISKER/8847/0db/rtsar_config_fcc_md5.txt
> 1632 2020-10-16 14:43 MipiTable_HP_TALISKER/8847/0db/rtsar_config_row
> 32 2020-10-16 14:43 MipiTable_HP_TALISKER/8847/0db/rtsar_config_row_md5.txt
> 0 2020-12-30 10:58 MipiTable_HP_TALISKER/8847/2db/
> 1660 2020-10-16 14:44 MipiTable_HP_TALISKER/8847/2db/rtsar_config_fcc
> 32 2020-10-16 14:44 MipiTable_HP_TALISKER/8847/2db/rtsar_config_fcc_md5.txt
> 1632 2020-10-16 14:44 MipiTable_HP_TALISKER/8847/2db/rtsar_config_row
> 32 2020-10-16 14:44 MipiTable_HP_TALISKER/8847/2db/rtsar_config_row_md5.txt
> 0 2020-12-30 10:57 MipiTable_HP_TALISKER/8890/
> 0 2020-12-30 10:58 MipiTable_HP_TALISKER/8890/0db/
> 1708 2020-10-09 12:14 MipiTable_HP_TALISKER/8890/0db/rtsar_config_fcc
> 32 2020-10-09 12:14 MipiTable_HP_TALISKER/8890/0db/rtsar_config_fcc_md5.txt
> 1680 2020-10-09 12:14 MipiTable_HP_TALISKER/8890/0db/rtsar_config_row
> 32 2020-10-09 12:14 MipiTable_HP_TALISKER/8890/0db/rtsar_config_row_md5.txt
> 0 2020-12-30 10:57 MipiTable_HP_TALISKER/8890/2db/
> 1708 2020-10-09 12:15 MipiTable_HP_TALISKER/8890/2db/rtsar_config_fcc
> 32 2020-10-09 12:15 MipiTable_HP_TALISKER/8890/2db/rtsar_config_fcc_md5.txt
> 1680 2020-10-09 12:15 MipiTable_HP_TALISKER/8890/2db/rtsar_config_row
> 32 2020-10-09 12:15 MipiTable_HP_TALISKER/8890/2db/rtsar_config_row_md5.txt
> 125 2020-12-10 13:34 MipiTable_HP_TALISKER/8890/MIPI_Table.txt
> --------- -------
> 74564 101 files
>
>
>
> I don't think that the Excel file necessarily was meant to be included
> regardless of HP or Lenovo. Very educational. It contains these 3
> sheets:
>
>
>
> 1. Header:
>
> "By default this workbook contains an MCC list worksheet. Any FCC supported MCC's should be added in that sheet.
> Note that, only one of the workbooks (rtsar_fcc/ rtsar_row) should contain the mcc_list."
>
>
>
> version 12
> reserve_power_margin_db_10 0
> primary_max_power_dbm10 265
> num_dsi 2
>
>
> 2. tech_records:
>
> DSI 1 2
> Tech Antenna Band Tx power at SAR design target (dBm10) Tx power at SAR design target (dBm10)
> LTE 0 120 230 230 LTE B1 @ ANT#5
> LTE 2 120 271 271 LTE B1 @ ANT#8
> LTE 0 121 284 284 LTE B2 @ ANT#5
> LTE 2 121 218 218 LTE B2 @ ANT#8
> LTE 0 122 230 230 LTE B3 @ ANT#5
> LTE 2 122 288 288 LTE B3 @ ANT#8
> LTE 0 123 281 281 LTE B4 @ ANT#5
> LTE 2 123 280 280 LTE B4 @ ANT#8 sportan w/o data
> LTE 0 124 275 275 LTE B5 @ ANT#5
> LTE 0 126 296 296 LTE B7 @ ANT#5
> LTE 2 126 193 193 LTE B7 @ ANT#8
> LTE 0 127 235 235 LTE B8 @ ANT#5
> LTE 0 131 290 290 LTE B12 @ ANT#5
> LTE 0 132 295 295 LTE B13 @ ANT#5
> LTE 0 133 296 296 LTE B14 @ ANT#5
> LTE 0 136 290 290 LTE B17 @ ANT#5
> LTE 0 137 280 280 LTE B18 @ ANT#5
> LTE 0 138 280 280 LTE B19 @ ANT#5
> LTE 0 139 235 235 LTE B20 @ ANT#5
> LTE 0 144 284 284 LTE B25 @ ANT#5
> LTE 2 144 280 280 LTE B25 @ ANT#8 add new
> LTE 0 145 275 275 LTE B26 @ ANT#5
> LTE 0 147 235 235 LTE B28 @ ANT#5
> LTE 0 149 299 299 LTE B30 @ ANT#5
> LTE 2 149 280 280 LTE B30 @ ANT#8 add new
> LTE 0 153 230 230 LTE B34 @ ANT#5
> LTE 2 153 280 280 LTE B34 @ ANT#8 add new
> LTE 0 157 296 296 LTE B38 @ ANT#5
> LTE 2 157 280 280 LTE B38 @ ANT#8 add new
> LTE 0 158 280 280 LTE B39 @ ANT#5
> LTE 2 158 280 280 LTE B39 @ ANT#8 add new
> LTE 0 159 230 230 LTE B40 @ ANT#5
> LTE 2 159 280 280 LTE B40 @ ANT#8 add new
> LTE 0 160 296 296 LTE B41 @ ANT#5
> LTE 2 160 280 280 LTE B41 @ ANT#8 add new
> LTE 2 161 233 233 LTE B42 @ ANT#8
> LTE 0 168 281 281 LTE B66 @ ANT#5
> LTE 2 168 203 203 LTE B66 @ ANT#8
> LTE 2 178 216 216 LTE B48 @ ANT#8
> LTE 0 179 280 280 LTE B71 @ ANT#5 not support
> NR5G 0 182 280 280 NR B1 @ ANT#5 sportan w/o data
> NR5G 2 182 274 274 NR B1 @ ANT#8
> NR5G 0 183 276 276 NR B2 @ ANT#5
> NR5G 2 183 207 207 NR B2 @ ANT#8
> NR5G 0 184 280 280 NR B3 @ ANT#5 sportan w/o data
> NR5G 2 184 322 322 NR B3 @ ANT#8
> NR5G 0 185 276 276 NR B5 @ ANT#5
> NR5G 0 186 280 280 NR B7 @ ANT#5 sportan w/o data
> NR5G 2 186 187 187 NR B7 @ ANT#8
> NR5G 0 187 230 230 NR B8 @ ANT#5
> NR5G 0 188 230 230 NR B20 @ ANT#5
> NR5G 0 189 230 230 NR B28 @ ANT#5
> NR5G 0 190 280 280 NR B38 @ ANT#5
> NR5G 2 190 208 208 NR B38 @ ANT#8
> NR5G 0 191 280 280 NR B41 @ ANT#5 add new
> NR5G 1 191 280 280 add new
> NR5G 2 191 208 208 NR B41 @ ANT#8
> NR5G 3 191 280 280 add new
> NR5G 0 194 281 281 NR B66 @ ANT#5
> NR5G 2 194 225 225 NR B66 @ ANT#8
> NR5G 0 196 280 280 NR B71 @ ANT#5 not support
> NR5G 2 200 230 230 NR B77 @ ANT#8
> NR5G 2 201 230 230 NR B78 @ ANT#8
> NR5G 2 202 280 280 NR B79 @ ANT#8
> NR5G 0 212 280 280 mmW n260 not support
> NR5G 0 213 280 280 mmW n260 not support
> NR5G 0 215 290 290 NR N12 @ ANT#5
> NR5G 0 216 280 280 NR N25 @ ANT#5 add new
> NR5G 2 216 280 280 NR N25 @ ANT#8 add new
> NR5G 0 219 280 280 NR N40 @ ANT#5 add new
> NR5G 2 219 280 280 NR N40 @ ANT#8 add new
> NR5G 2 222 280 280 NR N48 @ ANT#8 add new
> WCDMA 0 80 235 235 WCDMA B1 @ ANT#5
> WCDMA 0 81 284 284 WCDMA B2 @ ANT#5
> WCDMA 0 82 280 280 WCDMA B3 @ ANT#5
> WCDMA 0 83 281 281 WCDMA B4 @ ANT#5
> WCDMA 0 84 276 276 WCDMA B5 @ ANT#5
> WCDMA 0 85 280 280 WCDMA B6 @ ANT#5
> WCDMA 0 87 235 235 WCDMA B8 @ ANT#5
> WCDMA 0 88 280 280 WCDMA B9 @ ANT#5
> WCDMA 0 91 280 280 WCDMA B19 @ ANT#5
>
>
> 3. mcc_list:
>
> FCC supported MCC
> 310
> 311
> 312
> 313
> 314
> 316
> 1
> 466
>
>
>
> Well, not that useful info I guess. But this is part of the explanation
> why the Windows binaries are so bloated. Because they are. The above
> is only looking at resources. But there is no reason to believe the
> code is any different. You could probably strip away 99% of it, and
> still keep all the *intended* functionality.
>
> I don't think it's intentional, but all the mess helps obfuscate the
> real code in there. So the first step when trying to analyze this is to
> identify which parts are actually executed. No need to wade through the
> rest.
>
>
>
> Bjørn
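Added example, not part of the original thread or of the vendor tooling: a small Python parser for the DPR_Table.txt row shape shown in the quoted excerpt (a system name, one or two band tokens, then eight numbers), useful for comparing the tables across the tunecode_* directories. The names `DprRow`, `parse_dpr_table` and `backoff` are hypothetical, and the parser assumes the real files contain only rows of the shape quoted above.

```python
from dataclasses import dataclass

# Constructed sample: four rows copied from the DPR_Table.txt excerpt quoted above.
SAMPLE = """\
LTE B41 27 27 27 24 27 27 22.5 22.5
SA N7 24 24 24 24 21.5 15 24 15
ENDC B5 N2 24.5 24.5 24.5 24.5 24.5 24.5 18.5 18.5
NSA N2 B5 24 24 24 24 24 18 24 18
"""

N_VALUES = 8  # every row in the excerpt ends with eight numeric columns


@dataclass(frozen=True)
class DprRow:
    system: str    # LTE, SA, ENDC or NSA in the excerpt
    bands: tuple   # one band token, or two for ENDC/NSA combinations
    values: tuple  # eight floats; the post guesses the unit is dB or dBm


def parse_dpr_table(text):
    """Parse DPR_Table-style rows; raise ValueError on anything malformed."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) < N_VALUES + 2:
            raise ValueError(f"line {lineno}: too few fields")
        # Split from the right: the band count varies, the value count does not.
        head, tail = fields[:-N_VALUES], fields[-N_VALUES:]
        try:
            values = tuple(float(v) for v in tail)
        except ValueError:
            raise ValueError(f"line {lineno}: non-numeric value") from None
        bands = tuple(head[1:])
        if not all(b[0] in "BN" and b[1:].isdigit() for b in bands):
            raise ValueError(f"line {lineno}: unexpected band token")
        rows.append(DprRow(head[0], bands, values))
    return rows


def backoff(row):
    """Spread between the highest and lowest column of one row."""
    return max(row.values) - min(row.values)
```

Sorting parsed rows by `backoff` shows which band combinations carry the largest per-column reductions, which makes differences between two device tables easy to spot.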