Lenovo A6000 and other phones with leaked Qualcomm sources

There are multiple phones whose modem source code has leaked. If a phone has a testing certificate, we can run our own modem firmware on it.
For now I am testing it on the Lenovo A6000, but it can be any other phone with an SoC like MSM8916, MSM8939 or MSM8974 and testing certificates.

How to check if phone has testing certificate?

Look at the strings in the modem.mdt file. If it uses a testing certificate, it should contain strings like "General Use Test Key (for testing only)".
Phones with other certificates, which we can't use, contain strings like "Sony Mobile Communications AB".
The modem firmware is signed with a certificate, and if the signature doesn't match, the firmware can't be loaded.
If the file contains the string General Use Test Key (for testing only), this means we can run our firmware on the phone.
The file modem.mdt can be found in /system/etc/firmware/modem.mdt or /firmware/image/modem.mdt; it may be somewhere else on other phones.
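
The string check described above, written as a small audit script that can be run over a directory of firmware files copied off a phone. This is an added example, not part of the original page; the function names are chosen for this example and the sample files are constructed. A result of "other-cert" only means the test-key string was not found.

```sh
#!/bin/sh
# Added example (not from the original page): classify modem .mdt images by
# the signing-certificate string the page says to look for.
TEST_KEY_MARKER='General Use Test Key (for testing only)'

# Print "test-key", "other-cert" or "unreadable" for one .mdt file.
classify_mdt() {
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo unreadable
    elif grep -aqF "$TEST_KEY_MARKER" "$1"; then
        # -a: scan the binary as text, -F: literal match, -q: exit status only
        echo test-key
    else
        echo other-cert
    fi
}

# Print "<verdict><TAB><path>" for every *.mdt below a directory, e.g. a copy
# of /system/etc/firmware or /firmware/image pulled from the phone.
audit_firmware_dir() {
    find "$1" -type f -name '*.mdt' | sort | while IFS= read -r mdt; do
        printf '%s\t%s\n' "$(classify_mdt "$mdt")" "$mdt"
    done
}

# Constructed sample images: a few binary bytes around a certificate string.
# These are not real firmware; they only exercise the scan.
make_samples() {
    mkdir -p "$1/a" "$1/b"
    printf '\177ELF\001\002\003%s\004\005' "$TEST_KEY_MARKER" > "$1/a/modem.mdt"
    printf '\177ELF\001\002\003Sony Mobile Communications AB\004' > "$1/b/modem.mdt"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_firmware_dir "$demo_dir"
rm -rf "$demo_dir"
```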

Files we need to build modem firmware

Toolchain: hexagon_tools_6.4.06.a.7z magnet:?xt=urn:btih:61e8b8a520181ade801c251e5ec9352e33a7bb8c&dn=qcom_msm8x26_modem&tr=udp://tracker.openbittorrent.com:80&tr=udp://tracker.opentrackr.org:1337/announce
MSM8916 modem source code: "msm8916_2014-12-03_amss_qrd" https://gitlab.com/qcom-sources15/msm8916_2014-12-03_amss_qrd/-/raw/master/modem_proc.zip?ref_type=heads

Building modem firmware from leaked source code

To build the modem firmware we need to create a container with Debian buster, because newer versions of Debian don't have python2.7, which the Qualcomm tools require.

sudo debootstrap --arch=amd64 buster buster
sudo systemd-nspawn -D buster --machine buster

Now we need to install the required packages and add a user.
apt install g++ git sudo wget make cmake python2.7 lib32z1 scons libxml-parser-perl p7zip-full python-pip gcc-multilib g++-multilib
adduser user
passwd
exit

After that you need to log in to the user account and create directories for the toolchain and source code.
sudo systemd-nspawn -D buster --machine buster -b

Log in to the user account
mkdir -p Qualcomm/HEXAGON_Tools
mkdir -p dev/qcom/msm8916/modem_proc
mkdir Downloads
cd Downloads

Put hexagon_tools_6.4.06.a.7z and modem_proc.zip in the Downloads directory.
7za x -y -o$HOME/Qualcomm/HEXAGON_Tools hexagon_tools_6.4.06.a.7z
7za x -y -o$HOME/dev/qcom/msm8916/modem_proc modem_proc.zip
cd $HOME/dev/qcom/msm8916/modem_proc

If you are building modem firmware for the Lenovo A6000, you should replace a few files in the source code with these files: https://mega.nz/file/8O1glCTS#0RU919Tbe4eSyrXXHh3vUEXPMxk6SK9EV_Iks8o6e_E
The configuration of the PA and RF switch, LTE bands and WCDMA bands can differ between phones, and some files need to be modified to get it working; otherwise you can have issues such as the phone not receiving or transmitting.
Now we will prepare the source code for building.
find . -name '*.sh' -exec chmod -f 775 {} \;
find . -name '*.mk' -exec chmod -f 775 {} \;
find . -name '*.py' -exec chmod -f 775 {} \;
find . -name '*.pl' -exec chmod -f 775 {} \;
find . -name '*.lcs' -exec chmod -f 775 {} \;
find . -name '*.api' -exec chmod -f 775 {} \;
find . -name '*.xml' -exec chmod -f 775 {} \;
find . -name '*.scons' -exec chmod -f 775 {} \;
find . -name 'scons' -exec chmod -f 775 {} \;
find . -name 'SConscript' -exec chmod -f 775 {} \;
find . -name 'SConstruct' -exec chmod -f 775 {} \;
find . -name 'Makefile' -exec chmod -f 775 {} \;
find . -name 'makefile' -exec chmod -f 775 {} \;
find . -name 'qaic' -exec chmod -f 775 {} \;
find . -name 'doxygen' -exec chmod -f 775 {} \;
find . -name 'qdsp6-image-build' -exec chmod -f 775 {} \;
find . -name 'SleepSynth' -exec chmod -f 775 {} \;
find . -name 'crypto_cbc' -exec chmod -f 775 {} \;
find . -name 'crypto_ccm' -exec chmod -f 775 {} \;
cd build/ms/
nano build.sh

Change "#!/bin/sh" to "#!/bin/bash"
nano setenv.sh

In this file put:
export ARMTOOLS=ARMCT5.05
export ARMROOT=$HOME/ARMCompiler5.05u2
export ARM_COMPILER_PATH=$ARMROOT/bin64
export ARMHOME=$ARMROOT
export ARMLIB=$ARMROOT/lib
export ARMINCLUDE=$ARMROOT/include
export ARMBIN=$ARMROOT/bin64
export ARMINC=$ARMINCLUDE
export ARMLMD_LICENSE_FILE=$ARMROOT/Community.lic
export HEXAGON_ROOT=$HOME/Qualcomm/HEXAGON_Tools
export HEXAGON_RTOS_RELEASE=6.4.06.a
export HEXAGON_Q6VERSION=v5
export HEXAGON_IMAGE_ENTRY=0x86800000 # If you are using a different phone than the Lenovo A6000, you may need to change this value
export PYTHON_PATH=/usr/bin/python
export PYTHONPATH=/usr/bin/python
export MAKE_PATH=/usr/bin/make
export PATH=$MAKE_PATH:$ARM_COMPILER_PATH:$HEXAGON_ROOT/$HEXAGON_RTOS_RELEASE/qc/bin:$HEXAGON_ROOT/$HEXAGON_RTOS_RELEASE/gnu/bin:$PATH:$PYTHONPATH

nano build_cfg.xml

Change hexagon_rtos_release to 6.4.06.a
Change cflags to -Wno-error -Wno-tautological-constant-out-of-range-compare -Wno-medium -Wno-low -hexagon-predef-argset=modem-sw -mllvm -shrink-wrap-ext-wrapper-section=.wrap.func
cd $HOME/dev/qcom/msm8916/modem_proc/core/kernel/qurt
HEXAGON_RTOS_RELEASE=6.4.06.a
WL_PREFIX="toolsver_whitelist \\= \\[" 
find . -name 'target_tools.py' -exec sed -i "s/$WL_PREFIX/$WL_PREFIX\"$HEXAGON_RTOS_RELEASE\" ,/" {} \;
nano target_tools.py

Now we need to replace a few lines in this file.
Find:
          hexagon_root = os.path.join(default_root,toolsver)
          if(version_compare(toolsver, '5.1.03') < 0):
                  v55_workaround = "False" 

Replace it with:
          hexagon_root = os.path.join(default_root,toolsver)
          v55_workaround = "False" 

cd $HOME/dev/qcom/msm8916/modem_proc
nano build/bsp/mapss_b/build/mapss_b.scons

In this file, add a few lines after:
elif hex_version[0] == '6':
  if hex_version[1] == '2':
    if len(hex_version) >= 3 and hex_version[2] >= '06':
      legacy_mode = False

After these lines add:
  elif hex_version[1] == '4':
    legacy_mode = False

It should look like this:
elif hex_version[0] == '6':
  if hex_version[1] == '2':
    if len(hex_version) >= 3 and hex_version[2] >= '06':
      legacy_mode = False
  elif hex_version[1] == '4':
    legacy_mode = False

nano ./geran/gmac/src/gmacidleutil.c

Find:
            if( (((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
           && (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))

Replace it with:
            if( /*(((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
           &&*/ (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))

nano ./geran/gmac/src/gmacutil.c

Find:
            if((((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
           && (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))

Replace it with:
            if(/*(((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0)
           &&*/ (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623))

Now the source code is prepared for building and it should compile without errors.
cd $HOME/dev/qcom/msm8916/modem_proc/build/ms
./build.sh 8916.genns BUILD_ID=EAAAANUZ -k

The BUILD_ID / Image variant can be different on other phones.
If the build was successful you should see something like this:
==============================================================================
   SCons build summary
==============================================================================
** Build time...
 Build start  : Sat Dec 30 15:51:11 2023
 Build end    : Sat Dec 30 15:57:14 2023
 Elapsed time : 0:06:03
#-------------------------------------------------------------------------------
# BUILD END: EAAAANUZ
#-------------------------------------------------------------------------------
Build EAAAANUZ: Start Time: Sat Dec 30 15:51:11 2023,  End Time: Sat Dec 30 15:57:16 2023
Build EAAAANUZ: Delta Time: 6 minutes, 5 seconds
#-------------------------------------------------------------------------------
#-------------------------------------------------------------------------------
Build 8916.genns returned code 0.
#-------------------------------------------------------------------------------
Overall Start Time: Sat Dec 30 15:51:11 2023,  Overall End Time: Sat Dec 30 15:57:16 2023
Overall Delta Time: 6 minutes, 5 seconds
#-------------------------------------------------------------------------------

Now we need to convert the compiled firmware into the files that the phone will load.
cd $HOME/dev/qcom/msm8916/modem_proc/build/ms/bin
wget http://github.com/remittor/qcom-mbn-tools/raw/master/pil-splitter.py
BUILD_ID=EAAAANUZ
MBN_FILE=./$BUILD_ID/qdsp6sw.mbn
MBN_PREFIX=modem
python pil-splitter.py $MBN_FILE $MBN_PREFIX

This script should create files like modem.mdt, modem.b00, modem.b01, ...

Flash modem firmware to phone

Outside the container, go to the directory containing the files created by pil-splitter.py

adb root
adb shell mount -oremount,rw /firmware
adb push modem.* /firmware/image/.
adb push EAAAANUZ/mba.mbn /firmware/image/mba.mbn
adb shell sync
adb reboot

The Lenovo A6000 stores modem firmware on the /firmware partition in the directory /firmware/image/; other phones can have firmware in a different location.
If everything was done correctly, your phone should now reboot with the new modem firmware and be able to connect to an LTE/WCDMA/GSM network.

Other phones that may work with leaked source code

Phone         SOC      Image Variant  Image Version               Tested
Lenovo A6000  MSM8916  EAAAANUZ       MPSS.DPM.1.0.1.C1-00093     Tested, working
LG G4c H525n  MSM8916  EAAAANWZ       MPSS.DPM.2.0.C11-39832      Not working, bluescreen https://imgur.com/a/jfoAVDq
ASUS ZE550KL  MSM8916  EAAAANUZ       MPSS.DPM.2.0.2.c1.11-00021  Not tested
Updated by laforge 4 months ago · 3 revisions