Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-11-14 Thread Aleksander Morgado
On Tue, Nov 7, 2023 at 12:46 AM Thilo-Alexander Ginkel  wrote:
>
> Problem solved. Just submitted a MR [1] for the unlock script.
>
> Thanks,
> Thilo
>
> [1] 
> https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/merge_requests/1091
>
>

Thanks!

You made a lot of people happy, you wouldn't guess.

-- 
Aleksander


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-11-06 Thread Thilo-Alexander Ginkel
Problem solved. Just submitted a MR [1] for the unlock script.

Thanks,
Thilo

[1]
https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/merge_requests/1091


On Sun, Nov 5, 2023 at 12:02 AM Thilo-Alexander Ginkel 
wrote:

> Hello again,
>
> I got a prototype working that successfully unlocks my modem via
> /dev/wwan0at0. Currently I have that device name hardcoded. Is there a way
> to infer it from the mbim device name?
>
> Thanks,
> Thilo
>


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-11-04 Thread Thilo-Alexander Ginkel
Hello again,

I got a prototype working that successfully unlocks my modem via
/dev/wwan0at0. Currently I have that device name hardcoded. Is there a way
to infer it from the mbim device name?

Thanks,
Thilo


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-22 Thread Aleksander Morgado
On Wed, Sep 13, 2023 at 12:54 PM Thilo-Alexander Ginkel
 wrote:
>
> On Tue, Sep 12, 2023 at 1:31 PM Bjørn Mork  wrote:
>>
>> > Turns out the challenge needs to be requested via --set-fcc-lock=0,0.
>>
>> Right.  Makes sense.
>>
>> > Still, I can't get a valid unlock.
>>
>> And those challenge input values are correct?  The firmware isn't
>> expecting something other than 0,0?
>
>
> I patched the Linux kernel's WWAN driver to add logging of the data sent 
> to/from the modem and as it turns out the MBIM code path isn't even used by 
> the official tool (although both the firmware and the unlock tool implement 
> it). Instead AT commands are being used.
>
> Will this work for ModemManager's firmware unlock? So far all scripts I have 
> seen seem to rely on the MBIM device.
>

We can make this work if needed, yes. The main issue is that we don't
have an "AT proxy" as we do with QMI or MBIM, so it would require some
sync with MM to ensure we're not touching the AT port at the same
time.


-- 
Aleksander


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-13 Thread Thilo-Alexander Ginkel
On Tue, Sep 12, 2023 at 1:31 PM Bjørn Mork  wrote:

> > Turns out the challenge needs to be requested via --set-fcc-lock=0,0.
>
> Right.  Makes sense.
>
> > Still, I can't get a valid unlock.
>
> And those challenge input values are correct?  The firmware isn't
> expecting something other than 0,0?
>

I patched the Linux kernel's WWAN driver to add logging of the data sent
to/from the modem and as it turns out the MBIM code path isn't even used by
the official tool (although both the firmware and the unlock tool implement
it). Instead AT commands are being used.

Will this work for ModemManager's firmware unlock? So far all scripts I
have seen seem to rely on the MBIM device.

Thanks,
Thilo


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-12 Thread Bjørn Mork
Thilo-Alexander Ginkel  writes:

> Turns out the challenge needs to be requested via --set-fcc-lock=0,0.

Right.  Makes sense.

> Still, I can't get a valid unlock.

And those challenge input values are correct?  The firmware isn't
expecting something other than 0,0?

>> Is this problem the same with the official Lenovo unlock tool and
>> scripts?
>>
>
> Good question. The official beta tool does not even support my laptop model
> - but I can convince it to run by bind-mounting a supported laptop's string
> to /sys/class/dmi/id/product_family.
>
> Is there a way to capture the official tool's communication? AFAICS it is
> using libmbim (?) for the modem communication by calling
> mbim_message_intel_mutual_authentication_fcc_lock_set_new.
>
> Knowing a valid response for a given challenge would help validating the
> hashing algorithm.

If you can get the tool to use the proxy then you could simply inspect
the proxy logs, I guess.  See
https://modemmanager.org/docs/modemmanager/debugging/#qmi-proxy-or-mbim-proxy-debug-logs

Or you could hack the driver to printk the messages.


Bjørn


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-11 Thread Thilo-Alexander Ginkel
On Mon, Sep 11, 2023 at 2:45 PM Bjørn Mork  wrote:

> > By coincidence I spotted [2]. Could that be related? Both modems are
> > manufactured by Fibocom.
>
> Not sure.  You're not using the proxy, are you?
>

Not that I am aware of...


> But you could also try with the proxy.  Some USB devices aren't
> expecting clients to come and go while the MBM session is open.
> I have no idea if that's relevant to PCI, but worth testing.
>
> > P.S.: The challenge always being zero is also somewhat suspicious - I
> > haven't been able to perform a successful unlock so far.
>
> Yes. Something is obviously missing here.  Maybe the firmware expects
> this only at a certain point in the session (like immediately after
> OPEN)?  Or maybe we're decoding it wrong?  Did you look at the debug
> dump?  Or maybe the firmware wants some request parameter it doesn't
> get?
>

Turns out the challenge needs to be requested via --set-fcc-lock=0,0.
Still, I can't get a valid unlock.


> Is this problem the same with the official Lenovo unlock tool and
> scripts?
>

Good question. The official beta tool does not even support my laptop model
- but I can convince it to run by bind-mounting a supported laptop's string
to /sys/class/dmi/id/product_family.

Is there a way to capture the official tool's communication? AFAICS it is
using libmbim (?) for the modem communication by calling
mbim_message_intel_mutual_authentication_fcc_lock_set_new.

Knowing a valid response for a given challenge would help validating the
hashing algorithm.

Thanks,
Thilo


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-11 Thread Bjørn Mork
Thilo-Alexander Ginkel  writes:

> By coincidence I spotted [2]. Could that be related? Both modems are
> manufactured by Fibocom.

Not sure.  You're not using the proxy, are you?

But you could also try with the proxy.  Some USB devices aren't
expecting clients to come and go while the MBM session is open.
I have no idea if that's relevant to PCI, but worth testing.

> P.S.: The challenge always being zero is also somewhat suspicious - I
> haven't been able to perform a successful unlock so far.

Yes. Something is obviously missing here.  Maybe the firmware expects
this only at a certain point in the session (like immediately after
OPEN)?  Or maybe we're decoding it wrong?  Did you look at the debug
dump?  Or maybe the firmware wants some request parameter it doesn't
get?

Is this problem the same with the official Lenovo unlock tool and
scripts?


Bjørn


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-11 Thread Thilo-Alexander Ginkel
Just noticed that I did not reply to the list... Next try...

On Thu, Sep 7, 2023 at 10:46 AM Bjørn Mork  wrote:

> Nice!  And I assume you have some ideas on how to compute the sha256
> hash?  Blind guessing would be very hard
>

I hope so (keeping fingers crossed) ;-)


> > Is there a way to try this procedure through mbimcli? I am currently
> > running libmbim 1.28.4-1.
>
> I guess you need the "Intel Mutual Authentication" service for that,
> which looks like it will be in libmbim 1.30
>
> I.e. you need to build a current development version of libmbim to test
> it for now.
>

I built the current dev version and applied a Linux kernel patch [1] on top
of 6.5.2 that is supposed to improve handling for the FM350-GL's T7xx
chipset, but I am still seeing pretty unreliable behavior communicating
with the modem:

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
[10 Sep 2023, 20:23:35] -Warning ** [/dev/wwan0mbim0] error reading from
the IOChannel: 'Input/output error'
error: operation failed: Transaction timed out

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0
error: couldn't close device: Transaction timed out

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
error: operation failed: Transaction timed out

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
FCC lock status: locked
Challenge: 0

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
[10 Sep 2023, 20:36:39] -Warning ** [/dev/wwan0mbim0] error reading from
the IOChannel: 'Input/output error'
error: operation failed: Transaction timed out

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
error: operation failed: Transaction timed out
error: couldn't close device: Transaction timed out

$ sudo mbimcli -d /dev/wwan0mbim0 --query-fcc-lock
error: operation failed: Transaction timed out

dmesg error log (for some of the above errors):

[ 8012.377611] mtk_t7xx :08:00.0: Port AT is not opened, drop packets
[ 8012.377632] mtk_t7xx :08:00.0: Port AT is not opened, drop packets
[ 8012.390960] mtk_t7xx :08:00.0: Port AT is not opened, drop packets
[ 8012.409126] mtk_t7xx :08:00.0: Port AT is not opened, drop packets
[ 8257.303095] mtk_t7xx :08:00.0: Port AT is not opened, drop packets
[ 8257.313695] mtk_t7xx :08:00.0: Port AT is not opened, drop packets
[ 8265.620529] mtk_t7xx :08:00.0: Port AT is not opened, drop packets
[ 8265.622356] mtk_t7xx :08:00.0: Port AT is not opened, drop packets

By coincidence I spotted [2]. Could that be related? Both modems are
manufactured by Fibocom.

Regards,
Thilo

P.S.: The challenge always being zero is also somewhat suspicious - I
haven't been able to perform a successful unlock so far.

[1]
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/patch/?id=ba2274dcfda859b8a27193e68ad37bfe4da28ddc
[2]
https://gitlab.freedesktop.org/mobile-broadband/libmbim/-/merge_requests/184


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-07 Thread Bjørn Mork
Thilo-Alexander Ginkel  writes:

> meanwhile I have an idea how the FCC unlock for the FM350-GL works:
>
> 1. Retrieve radio state (only continue iff locked [== 0])
> 2. Get challenge from modem
> via mbim_message_intel_mutual_authentication_fcc_lock_set_new
> 3. Compute a SHA256 hash
> 4. Unlock the modem
> using mbim_message_intel_mutual_authentication_fcc_lock_set_new
> 5. Validate radio state == 1
>
> There is also a dev code from DMI that probably influences the hash
> computation.

Nice!  And I assume you have some ideas on how to compute the sha256
hash?  Blind guessing would be very hard

> Is there a way to try this procedure through mbimcli? I am currently
> running libmbim 1.28.4-1.

I guess you need the "Intel Mutual Authentication" service for that,
which looks like it will be in libmbim 1.30

I.e. you need to build a current development version of libmbim to test
it for now.


Bjørn


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2023-09-07 Thread Thilo-Alexander Ginkel
Hello everyone,

meanwhile I have an idea how the FCC unlock for the FM350-GL works:

1. Retrieve radio state (only continue iff locked [== 0])
2. Get challenge from modem
via mbim_message_intel_mutual_authentication_fcc_lock_set_new
3. Compute a SHA256 hash
4. Unlock the modem
using mbim_message_intel_mutual_authentication_fcc_lock_set_new
5. Validate radio state == 1

There is also a dev code from DMI that probably influences the hash
computation.

Is there a way to try this procedure through mbimcli? I am currently
running libmbim 1.28.4-1.

Thanks,
Thilo

On Mon, Oct 17, 2022 at 5:52 PM Bjørn Mork  wrote:

> Aleksander Morgado  writes:
>
> > See also
> https://gitlab.freedesktop.org/mobile-broadband/libmbim/-/merge_requests/157
>
> Nice.  That will make it much easier to experiment with this.
>
> I found that UUID in the Windows code earlier, but Google didn't turn up
> much.  Only relevant hit was this:
> https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/258
>
> which makes sense, assuming that the L860 and FM350 use the same
> methods.
>
> The log shows that the L860 supports CID 1 on this service, as expected:
>
>             Service: 'unknown'
>                UUID: [f85d46ef-ab26-4081-9868-4d183c0a3aec]:
>         DSS payload: 2
>   Max DSS instances: 1
>                CIDs: 1
>
>
> None of this helps with the hard part, of course.  Let's hope Lenovo
> comes up with something reasonable this time.
>
>
> Bjørn
>


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2022-10-17 Thread Bjørn Mork
Aleksander Morgado  writes:

> See also 
> https://gitlab.freedesktop.org/mobile-broadband/libmbim/-/merge_requests/157

Nice.  That will make it much easier to experiment with this.

I found that UUID in the Windows code earlier, but Google didn't turn up
much.  Only relevant hit was this:
https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/258

which makes sense, assuming that the L860 and FM350 use the same
methods.

The log shows that the L860 supports CID 1 on this service, as expected:

            Service: 'unknown'
               UUID: [f85d46ef-ab26-4081-9868-4d183c0a3aec]:
        DSS payload: 2
  Max DSS instances: 1
               CIDs: 1


None of this helps with the hard part, of course.  Let's hope Lenovo
comes up with something reasonable this time.


Bjørn


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2022-10-17 Thread Aleksander Morgado
Hey

> >
> > as Lenovo couldn't fix my ThinkPad X1E4 (featuring an SDX55) I got a P1G5
> > as a replacement, that, however, comes with a FM350-GL as WWAN modem. I
> > guess we need to play the FCC unlock game again (as it does not work out of
> > the box), but first wanted to ask if anyone has any experience with this
> > kind of modem under Linux and their FCC unlock procedure.
>
> No experience unfortunately.  But looking at strings in
> DRIVERS/WAN/20221110.15030030/WwanNet/IntelWWANModemAuthenticator.exe
> I see stuff like
>
> DoFccUnlock
> %s cancel...
> %s: MBIM interface is not available, retry: %d
> %s: Reach the max retry times
> %s: QueryCommand FAILED
> %s: Get challenge value from Modem FAILED!
> %s: Send finial hash value to Modem FAILED!
> DO result: %d
> %s: No need
> Set_INTEL_FCC_MBIM_Extension
> %s: ulResponseLength is INVILED
> Query_INTEL_FCC_MBIM_Extension
> %s: QueryCommand FAILED hr: 0x%X
> aVERSION: %ls
>
>
>
> I guess you know the way from there :-)
>

See also 
https://gitlab.freedesktop.org/mobile-broadband/libmbim/-/merge_requests/157

-- 
Aleksander


Re: FM350-GL (installed in ThinkPad P1 Gen 5)

2022-10-11 Thread Bjørn Mork
Thilo-Alexander Ginkel  writes:

> Hi there,
>
> as Lenovo couldn't fix my ThinkPad X1E4 (featuring an SDX55) I got a P1G5
> as a replacement, that, however, comes with a FM350-GL as WWAN modem. I
> guess we need to play the FCC unlock game again (as it does not work out of
> the box), but first wanted to ask if anyone has any experience with this
> kind of modem under Linux and their FCC unlock procedure.

No experience unfortunately.  But looking at strings in
DRIVERS/WAN/20221110.15030030/WwanNet/IntelWWANModemAuthenticator.exe
I see stuff like

DoFccUnlock
%s cancel...
%s: MBIM interface is not available, retry: %d
%s: Reach the max retry times
%s: QueryCommand FAILED
%s: Get challenge value from Modem FAILED!
%s: Send finial hash value to Modem FAILED!
DO result: %d
%s: No need
Set_INTEL_FCC_MBIM_Extension
%s: ulResponseLength is INVILED
Query_INTEL_FCC_MBIM_Extension
%s: QueryCommand FAILED hr: 0x%X
aVERSION: %ls



I guess you know the way from there :-)



Bjørn


FM350-GL (installed in ThinkPad P1 Gen 5)

2022-08-25 Thread Thilo-Alexander Ginkel
Hi there,

as Lenovo couldn't fix my ThinkPad X1E4 (featuring an SDX55) I got a P1G5
as a replacement, that, however, comes with a FM350-GL as WWAN modem. I
guess we need to play the FCC unlock game again (as it does not work out of
the box), but first wanted to ask if anyone has any experience with this
kind of modem under Linux and their FCC unlock procedure.

Thanks,
Thilo