Down the rabbit hole (uncovering the modem blackbox)
#1
A couple of months ago I started poking the modem, right after reading Lukasz's comments (https://www.pine64.org/2020/01/24/settin...nceptions/), because, you know, if we're going to have an open phone, let's at least get it as open as possible. With all the work others have done with the kernel, Crust, cameras etc., nobody had touched the modem. And I'm a bit of a masochist, and way out of my league, but I thought I might as well try and get as far as I could, so I might at least be able to ease the way for others to open this up a bit.

Megi found a way to unlock adb, so I started playing. My first findings?

The bootloader is locked. You can actually flash whatever you want, but when you try to boot it, it will refuse to do so and you will get a bricked modem. Fortunately, Pine's hardware team left test points to start the modem in Qualcomm EDL/QDL mode, and you can use them to reflash the entire thing.

So here we go to unlock the bootloader. There are traces of Quectel's source code everywhere on the net, but funnily enough all the source code released officially on their site is broken. So I picked up the pieces and started putting it together.

First things first, what can we do with the bootloader lock?
- The bootloader is Qualcomm's standard LK
- The signature check is done in LK, and LK is itself signed, and the PBL checks it before allowing it to boot
- They used Qualcomm's test keys for signing it!
- There is some source code for the LK bootloader from Quectel's AG35 modem out there

So, after getting the necessary Qualcomm bits, decomposing some factory images to understand how sectools profiled the image, and patching the NAND driver in LK so it can actually start and look for partitions... we're in!

The bootloader source code is here: https://github.com/biktorgj/quectel_lk
I added two small things to it: support for rebooting the modem into fastboot mode using GPIOs, and support for booting to recovery from fastboot, which wasn't available before.

Step 1 completed, bootloader unlocked. Now let's dive into step 2: booting something else.
Now that we've got the device freed, we can begin checking out the rest of the stuff. Need to set the expectations first:
1. Not going to rewrite the ADSP code. I know nothing of how the Hexagon DSP works. There's code out there for it, but no toolchains. Even if I could compile it, it probably wouldn't boot, since all that code is tailored to the specific implementation in hardware; there's calibration, there is custom code bundled into the ADSP firmware by the vendor, etc. We could spend years disassembling that thing without getting anywhere, so let's focus on what's achievable.
2. Even if there are numerous leaks of Qualcomm's application-level daemons (atfwd, qmi_qmux etc.), we can't use that source. It's proprietary, and using it will probably get either me or Pine or both a C&D letter from Qualcomm's lawyers, and I don't want that for any of us.
3. What can we do then? We can get our kernel running in the modem's ACPU, and we can have our own userspace, so let's get on to it.

The kernel:
The kernel shipped with the modem is version 3.18.20. The latest update leaves it at 3.18.48. The kernel is heavily patched, sometimes with some reasoning (MSM HS serial driver), sometimes to fuck with their customers (lock the entire modem if you try to read some of the partitions), and sometimes just because (hijack the init process to pass an argument to one of the kernel modules).
I managed to get a 3.18.140 CAF-based kernel up and running. I had to backport the audio and serial drivers, and all the dts board files (the closed binaries expect some pins to have specific names).
You can find the source here: https://github.com/Biktorgj/quectel_eg25_kernel/
Currently the kernel boots, and given the correct userspace it is capable of making phone calls (audio doesn't work though) and establishing data connections (that actually works). I haven't checked power management, but thermal throttling seems to be working and the modem doesn't get hot at all if left alone.

The userspace:
The userspace is based on OpenEmbedded. It is basically Qualcomm's old OpenEmbedded distro with some packages added on top by Quectel. The problem with this is that you need an old Linux distro to build it, and packages, even if built from source, are old. I also didn't manage to actually build it, but didn't pay much attention to it.
I'm trying to make the work easy to replicate, so I'm using Yocto for the userspace. Currently using version 3.1. I've forked the meta-qcom layer to patch in support for the mdm9607, and slowly added bits and pieces for everything I could.
You can find the repo here: https://github.com/Biktorgj/pinephone_modem_sdk
Once downloaded, running 'init.sh' will download Yocto, the bootloader, and all the layers and dependencies, and set up a lot of things for you. You will still have to install the packages required by Yocto to build an image, but if you have all of Yocto's dependencies installed, you will be able to run 'make root_fs' or 'make recovery_fs' and get a bootable image you can play with. Check the README in the repository to see what you can do (remember to first flash an unlocked bootloader or you will brick your modem and will have to jump-start it with the test points: https://github.com/Biktorgj/quectel_eg25_recovery).

I've just scratched the surface of what can be done with the modem, but hopefully this will help others to get started quickly and get us an even more open phone. Feel free to fork everything, and any fix is welcome.
#2
Very interesting - thank you for all your efforts.

Not knowing any technical detail about Quectel, could you please explain to me what the relation of this company and their products is to Qualcomm? It somehow looks as if Quectel cooperates with them?
#3
(10-12-2020, 01:40 AM)LinAdmin2 Wrote: Very interesting - thank you for all your efforts.

Not knowing any technical detail about Quectel, could you please explain to me what the relation of this company and their products is to Qualcomm? It somehow looks as if Quectel cooperates with them?

Quectel is a modem manufacturer. They have a wide catalog of 3G/4G modems for different product categories. Some of them, like Pinephone's modem, use Qualcomm chipsets, and others are based on Mediatek SoCs.

Qualcomm provides source code for their chipsets, and OEMs build their stuff on top of it.
#4
Wow! I'm speechless. So much work.

Thank you!

I mean - now I can think of buying pinephone. I've been waiting for that.
#5
A masochist is always a requirement in an initiative to gather these pieces. Thanks for doing this and describing the bootloader. It redefines the trusted domain, allowing inspection, hacking and development of the userspace in a transparent manner. Agreed, there's no need to delve into the Hexagon ADSP and other DSPs, but opening the userspace allows us to note any quirks and create seamless compensation.
#6
Interesting findings, thanks a lot!

Just out of curiosity: Did you hear about other projects that tried to achieve something similar? Or is the PinePhone the first piece of hardware where a FOSS enthusiast succeeded in disassembling and modifying the modem's firmware?
#7
(10-12-2020, 01:25 AM)biktorgj Wrote: A couple of months ago I started poking the modem, right after reading Lukasz's comments (https://www.pine64.org/2020/01/24/settin...nceptions/), because, you know, if we're going to have an open phone, let's at least get it as open as possible. With all the work others have done with the kernel, Crust, cameras etc., nobody had touched the modem. And I'm a bit of a masochist, and way out of my league, but I thought I might as well try and get as far as I could, so I might at least be able to ease the way for others to open this up a bit.

Megi found a way to unlock adb, so I started playing. My first findings?

The bootloader is locked. You can actually flash whatever you want, but when you try to boot it, it will refuse to do so and you will get a bricked modem. Fortunately, Pine's hardware team left test points to start the modem in Qualcomm EDL/QDL mode, and you can use them to reflash the entire thing.

So here we go to unlock the bootloader. There are traces of Quectel's source code everywhere on the net, but funnily enough all the source code released officially on their site is broken. So I picked up the pieces and started putting it together.

First things first, what can we do with the bootloader lock?
- The bootloader is Qualcomm's standard LK
- The signature check is done in LK, and LK is itself signed, and the PBL checks it before allowing it to boot
- They used Qualcomm's test keys for signing it!
- There is some source code for the LK bootloader from Quectel's AG35 modem out there

So, after getting the necessary Qualcomm bits, decomposing some factory images to understand how sectools profiled the image, and patching the NAND driver in LK so it can actually start and look for partitions... we're in!

The bootloader source code is here: https://github.com/biktorgj/quectel_lk
I added two small things to it: support for rebooting the modem into fastboot mode using GPIOs, and support for booting to recovery from fastboot, which wasn't available before.

Step 1 completed, bootloader unlocked. Now let's dive into step 2: booting something else.
Now that we've got the device freed, we can begin checking out the rest of the stuff. Need to set the expectations first:
1. Not going to rewrite the ADSP code. I know nothing of how the Hexagon DSP works. There's code out there for it, but no toolchains. Even if I could compile it, it probably wouldn't boot, since all that code is tailored to the specific implementation in hardware; there's calibration, there is custom code bundled into the ADSP firmware by the vendor, etc. We could spend years disassembling that thing without getting anywhere, so let's focus on what's achievable.
2. Even if there are numerous leaks of Qualcomm's application-level daemons (atfwd, qmi_qmux etc.), we can't use that source. It's proprietary, and using it will probably get either me or Pine or both a C&D letter from Qualcomm's lawyers, and I don't want that for any of us.
3. What can we do then? We can get our kernel running in the modem's ACPU, and we can have our own userspace, so let's get on to it.

The kernel:
The kernel shipped with the modem is version 3.18.20. The latest update leaves it at 3.18.48. The kernel is heavily patched, sometimes with some reasoning (MSM HS serial driver), sometimes to fuck with their customers (lock the entire modem if you try to read some of the partitions), and sometimes just because (hijack the init process to pass an argument to one of the kernel modules).
I managed to get a 3.18.140 CAF-based kernel up and running. I had to backport the audio and serial drivers, and all the dts board files (the closed binaries expect some pins to have specific names).
You can find the source here: https://github.com/Biktorgj/quectel_eg25_kernel/
Currently the kernel boots, and given the correct userspace it is capable of making phone calls (audio doesn't work though) and establishing data connections (that actually works). I haven't checked power management, but thermal throttling seems to be working and the modem doesn't get hot at all if left alone.

The userspace:
The userspace is based on OpenEmbedded. It is basically Qualcomm's old OpenEmbedded distro with some packages added on top by Quectel. The problem with this is that you need an old Linux distro to build it, and packages, even if built from source, are old. I also didn't manage to actually build it, but didn't pay much attention to it.
I'm trying to make the work easy to replicate, so I'm using Yocto for the userspace. Currently using version 3.1. I've forked the meta-qcom layer to patch in support for the mdm9607, and slowly added bits and pieces for everything I could.
You can find the repo here: https://github.com/Biktorgj/pinephone_modem_sdk
Once downloaded, running 'init.sh' will download Yocto, the bootloader, and all the layers and dependencies, and set up a lot of things for you. You will still have to install the packages required by Yocto to build an image, but if you have all of Yocto's dependencies installed, you will be able to run 'make root_fs' or 'make recovery_fs' and get a bootable image you can play with. Check the README in the repository to see what you can do (remember to first flash an unlocked bootloader or you will brick your modem and will have to jump-start it with the test points: https://github.com/Biktorgj/quectel_eg25_recovery).

I've just scratched the surface of what can be done with the modem, but hopefully this will help others to get started quickly and get us an even more open phone. Feel free to fork everything, and any fix is welcome.

This is fantastic work. I may have to fiddle with it.

I do hope Quectel doesn't rectify the test key usage, locking us out. I'm hoping the Pine production/community is too small for them to bother.
#8
(10-12-2020, 08:42 PM)SwordfishII Wrote: I do hope Quectel doesn't rectify the test key usage, locking us out. I'm hoping the Pine production/community is too small for them to bother.
The actions of Quectel will _not_ depend on the size of the Pine production/community.
#9
(10-13-2020, 05:20 AM)LinAdmin2 Wrote:
(10-12-2020, 08:42 PM)SwordfishII Wrote: I do hope Quectel doesn't rectify the test key usage, locking us out. I'm hoping the Pine production/community is too small for them to bother.
The actions of Quectel will _not_ depend on the size of the Pine production/community.

I have you on ignore. Don't respond to me. I suggest you ignore me as well.
#10
(10-13-2020, 07:43 AM)SwordfishII Wrote:
(10-13-2020, 05:20 AM)LinAdmin2 Wrote:
(10-12-2020, 08:42 PM)SwordfishII Wrote: I do hope Quectel doesn't rectify the test key usage, locking us out. I'm hoping the Pine production/community is too small for them to bother.
The actions of Quectel will _not_ depend on the size of the Pine production/community.

I have you on ignore. Don't respond to me. I suggest you ignore me as well.
That kind of 'ignoring' me seems not to have been successful.
Do as you like, but please stop making me silly suggestions.