Commit Graph

25 Commits

Author SHA1 Message Date
Harald Welte 944ae2f1d7 add script to change EC20 USB composition 2016-12-28 18:09:42 +01:00
Harald Welte dd4a64b881 atcop_test: Make example actually work
The reason it wasn't working so far is that the baseband firmware
appears to have a compile-time white-list of AT commands for which the AT
command forwarding is permitted.  Any other commands are rejected with
error 48 (invalid argument) :/
2016-12-25 22:36:44 +01:00
Harald Welte cdc4f97ab5 qmuxd_wrapper: Fix stream_append()
we want to copy to the actual buffer... One ampersand less.
2016-12-25 22:00:00 +01:00
Harald Welte 897ac5238e qmuxd_wrapper: reduce logging by adding a compile-time DEBUG option 2016-12-25 21:52:06 +01:00
Harald Welte f44b9565bb qmuxd_wrapper: Make hexdump buffer thread-local, to be on the safe side 2016-12-25 21:47:39 +01:00
Harald Welte f8a57056b2 qmuxd_wrapper: Add some protocol decode logic; fix recv/read bugs
we need to actually first call libc's read/recv and then interpret the
data, rather than interpreting the uninitialized buffer ;)
2016-12-25 21:46:33 +01:00
Harald Welte daacff9106 qmuxd_wrapper: Reduce dlsym() load (don't call it again and again) 2016-12-25 18:13:11 +01:00
Harald Welte 86bd71c750 add .gitignore 2016-12-25 17:25:17 +01:00
Harald Welte 03c523884e qmi_test: some more debug output so it can be correlated with qmuxd traces 2016-12-25 17:23:15 +01:00
Harald Welte 377d3cf830 add a LD_PRELOAD wrapper to trace client <-> qmuxd communications 2016-12-25 17:23:15 +01:00
Holger Hans Peter Freyther bd82bb4fef Add utility to build a delta file with a single insert
For hijacking build a complete delta for a single insert. Need to
externalize the parameters. It could work for multiple files too.
2016-12-18 12:30:26 +01:00
Holger Hans Peter Freyther 111d55b2c4 Add crashing example
bt
 #0  0x000133f4 in RB_FileSystemUpdate ()
 #1  0x0000bf60 in RB_ComponentDeltaOperation ()
 #2  0x0000c574 in RB_ComponentDeltaUpdate ()
 #3  0x0000cc08 in RB_DeltaTraverse ()
 #4  0x0000ccc8 in RB_vRM_Update ()

   │0x133c4 <RB_FileSystemUpdate+6864>      b      0x12a1c <RB_FileSystemUpdate+4392>               │
   │0x133c8 <RB_FileSystemUpdate+6868>      ldr    r3, [pc, #-2616]        ; 0x12998 <RB_FileSystemU│
   │0x133cc <RB_FileSystemUpdate+6872>      mov    r0, r10                                          │
   │0x133d0 <RB_FileSystemUpdate+6876>      ldr    r2, [r3, #1620] ; 0x654                          │
   │0x133d4 <RB_FileSystemUpdate+6880>      ldr    r3, [r5, #-20]  ; 0xffffffec                     │
   │0x133d8 <RB_FileSystemUpdate+6884>      ldr    r1, [pc, #-2648]        ; 0x12988 <RB_FileSystemU│
   │0x133dc <RB_FileSystemUpdate+6888>      bic    r3, r3, #-1073741824    ; 0xc0000000             │
   │0x133e0 <RB_FileSystemUpdate+6892>      cmp    r3, r2                                           │
   │0x133e4 <RB_FileSystemUpdate+6896>      movcs  r3, #0                                           │
   │0x133e8 <RB_FileSystemUpdate+6900>      movcc  r3, #1                                           │
   │0x133ec <RB_FileSystemUpdate+6904>      bl     0x8e54 <RB_Trace>                                │
   │0x133f0 <RB_FileSystemUpdate+6908>      b      0x130a4 <RB_FileSystemUpdate+6064>               │
  >│0x133f4 <RB_FileSystemUpdate+6912>      ldrb   r2, [r3], #1
2016-12-17 19:15:24 +01:00
Holger Hans Peter Freyther e680aea708 Further document the format and produce a rogue system update
* Truncate filesize to 20 bytes in hacked.toc (001b? IIRC)
* Add various 0x00 as well.. first 0x80... gets turned into the
compressed length but that fails.. needs to be bigger than 0x2000
to succeed.
* LZMA size and trailer overlap.. I was too lazy to add/deal with
padding so kept it short.. can be fixed...
* Modified path for /etc/rc2.d.. to extract new script

We seem lucky with file permissions.. that it is somehow executable
even if SetFileAttributes is not set...
2016-12-17 18:50:08 +01:00
Harald Welte 636fe4eab9 add general EC21/EC25 patch
This was introduced in commit 9a765881bf3dcd32847d7108cf48cb04a4ed993f
of mainline linux, but not everyone may be running 4.9-rc1 or later at
this point ;)
2016-12-17 18:34:20 +01:00
Harald Welte a679b575f2 add kernel patches for better support of EC2x in linux 2016-12-17 18:31:55 +01:00
Harald Welte 27b3620fa5 remove qmi.txt it has moved to wiki 2016-12-17 12:35:56 +01:00
Holger Hans Peter Freyther 45d7e599ec Figure out where the first lzma data will start...
Not sure what is inside these other bits...offsets? lengths? crc?
who knows..
2016-12-13 11:58:50 +01:00
Holger Hans Peter Freyther bcdfcb62a9 Add some notes for lzma.. 2016-12-12 01:32:43 +01:00
Holger Hans Peter Freyther e556417966 dissect: Print the header of the actual update format 2016-12-11 23:32:37 +01:00
Holger Hans Peter Freyther edb07ccd98 start to dissect the update header itself.. 2016-12-11 23:11:28 +01:00
Holger Hans Peter Freyther c5b91afaa9 ec20: Alignment is just 16bit.. needed for userdata.diff handling 2016-12-11 22:54:15 +01:00
Holger Hans Peter Freyther fbd4dad04f update: First discovery of information about the file format.. 2016-12-11 22:40:08 +01:00
Harald Welte 5abefc8051 add patch to change IDL minor + tool versions of android_vendor_qulcomm_proprietary 2016-11-07 09:22:48 +01:00
Harald Welte 5a1a228d84 add (non-functional) example registering an AT command 2016-11-06 20:59:02 +01:00
Harald Welte 272f4318b5 initial import of qmi_test.c reading out the device IMEI 2016-11-06 19:23:17 +01:00