Harald Welte
944ae2f1d7
add script to change EC20 USB composition
2016-12-28 18:09:42 +01:00
Harald Welte
dd4a64b881
atcop_test: Make example actually work
...
The reason it wasn't working so far is that the baseband firmware
appears have a compile-time white-list of AT commands for which the AT
command forwarding is permitted. Any other commands are rejected with
error 48 (invalid argument) :/
2016-12-25 22:36:44 +01:00
Harald Welte
cdc4f97ab5
qmuxd_wrapper: Fix stream_append()
...
we want to copy to the actual buffer... One ampersand less.
2016-12-25 22:00:00 +01:00
Harald Welte
897ac5238e
qmuxd_wrapper: reduce logging by adding a compile-time DEBUG option
2016-12-25 21:52:06 +01:00
Harald Welte
f44b9565bb
qmuxd_wrapper: Make hexdump buffer thread-local, to be on the safe side
2016-12-25 21:47:39 +01:00
Harald Welte
f8a57056b2
qmuxd_wrapper: Add some protocol decode logic; fix recv/read bugs
...
we need to actually first call libc's read/recv and then interpret the
data, rathe than interpretting the uninitialized buffer ;)
2016-12-25 21:46:33 +01:00
Harald Welte
daacff9106
qmuxd_wrapper: Reduce dlsym() load (don't call it again and again)
2016-12-25 18:13:11 +01:00
Harald Welte
86bd71c750
add .gitignore
2016-12-25 17:25:17 +01:00
Harald Welte
03c523884e
qmi_test: some more debug output so it can be correlated with qmuxd traces
2016-12-25 17:23:15 +01:00
Harald Welte
377d3cf830
add a LD_PRELOAD wrapper to trace client <-> qmuxd communications
2016-12-25 17:23:15 +01:00
Holger Hans Peter Freyther
bd82bb4fef
Add utility to build a delta file with a single insert
...
For hijacking build a complete delta for a single insert. Need to
externalize the parameters. It could work for multiple files too.
2016-12-18 12:30:26 +01:00
Holger Hans Peter Freyther
111d55b2c4
Add crashing example
...
bt
#0 0x000133f4 in RB_FileSystemUpdate ()
#1 0x0000bf60 in RB_ComponentDeltaOperation ()
#2 0x0000c574 in RB_ComponentDeltaUpdate ()
#3 0x0000cc08 in RB_DeltaTraverse ()
#4 0x0000ccc8 in RB_vRM_Update ()
│0x133c4 <RB_FileSystemUpdate+6864> b 0x12a1c <RB_FileSystemUpdate+4392> │
│0x133c8 <RB_FileSystemUpdate+6868> ldr r3, [pc, #-2616] ; 0x12998 <RB_FileSystemU│
│0x133cc <RB_FileSystemUpdate+6872> mov r0, r10 │
│0x133d0 <RB_FileSystemUpdate+6876> ldr r2, [r3, #1620 ] ; 0x654 │
│0x133d4 <RB_FileSystemUpdate+6880> ldr r3, [r5, #-20] ; 0xffffffec │
│0x133d8 <RB_FileSystemUpdate+6884> ldr r1, [pc, #-2648] ; 0x12988 <RB_FileSystemU│
│0x133dc <RB_FileSystemUpdate+6888> bic r3, r3, #-1073741824 ; 0xc0000000 │
│0x133e0 <RB_FileSystemUpdate+6892> cmp r3, r2 │
│0x133e4 <RB_FileSystemUpdate+6896> movcs r3, #0 │
│0x133e8 <RB_FileSystemUpdate+6900> movcc r3, #1 │
│0x133ec <RB_FileSystemUpdate+6904> bl 0x8e54 <RB_Trace> │
│0x133f0 <RB_FileSystemUpdate+6908> b 0x130a4 <RB_FileSystemUpdate+6064> │
>│0x133f4 <RB_FileSystemUpdate+6912> ldrb r2, [r3], #1
2016-12-17 19:15:24 +01:00
Holger Hans Peter Freyther
e680aea708
Further document the format and produce a rogue system update
...
* Truncate filesize to 20 bytes in hacked.toc (001b? IIRC)
* Add various 0x00 as well.. firsy 0x80... gets turned into the
compressed length but that fails.. needs to be bigger than 0x2000
to succeed.
* LZMA size and trailer overlap.. I was too lazy to add/deal with
padding so kept it short.. can be fixed...
* Modified path for /etc/rc2.d.. to extract new script
We seem lucky with file permissions.. that it is somehow executable
even if SetFileAttributes is not set...
2016-12-17 18:50:08 +01:00
Harald Welte
636fe4eab9
add general EC21/EC25 patch
...
This was introduced in commit 9a765881bf3dcd32847d7108cf48cb04a4ed993f
of mainline linux, but not everyone may be running 4.9-rc1 or later at
this point ;)
2016-12-17 18:34:20 +01:00
Harald Welte
a679b575f2
add kernel patches for better support of EC2x in linux
2016-12-17 18:31:55 +01:00
Harald Welte
27b3620fa5
remove qmi.txt it has moved to wiki
2016-12-17 12:35:56 +01:00
Holger Hans Peter Freyther
45d7e599ec
Figure out where the first lzma data will start...
...
Not sure what is inside these other bits...offsets? lengths? crc?
who knows..
2016-12-13 11:58:50 +01:00
Holger Hans Peter Freyther
bcdfcb62a9
Add some notes for lzma..
2016-12-12 01:32:43 +01:00
Holger Hans Peter Freyther
e556417966
dissect: Print the header of the actual update format
2016-12-11 23:32:37 +01:00
Holger Hans Peter Freyther
edb07ccd98
start to dissect the update header itself..
2016-12-11 23:11:28 +01:00
Holger Hans Peter Freyther
c5b91afaa9
ec20: Alignment is just 16bit.. needed for userdata.diff handling
2016-12-11 22:54:15 +01:00
Holger Hans Peter Freyther
fbd4dad04f
update: First discovery of information about the file format..
2016-12-11 22:40:08 +01:00
Harald Welte
5abefc8051
add patch to change IDL minor + tool versions of android_vendor_qulcomm_proprietary
2016-11-07 09:22:48 +01:00
Harald Welte
5a1a228d84
add (non-functional) example registering an AT command
2016-11-06 20:59:02 +01:00
Harald Welte
272f4318b5
initial import of qmi_test.c reading out the device IMEI
2016-11-06 19:23:17 +01:00