-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connection with Username/Password/Authentication Settings #62
Comments
Although I haven't got a running WWAN card yet, I will have the same things to configure. An ini file or commandline arguments would be great for those settings. |
Yeah, currently there's no interface to configure these settings AFAIK. We'd need to figure out how these actually get set. |
Any clues where to start looking how to set the password? I want to invest some time checking this one... |
I'm really not too sure! There's a reversing repo which is what this driver was originally written against I think, If it's possible to set these under windows, then it's probably going to be an undocumented RPC call. There's some discussion in #63 about the reversing repo too. Maybe setting these settings might be possible via AT also? 👀 |
Who originally figured out where to place I believe I can figure out where the APN auth options are, if only I could see what data is windows driver passing with auth options configured, when executing |
Given the commit logs, almost definitely @abrasive.
No idea if this was captured, but it was definitely reversed. (https://github.com/xmm7360/reversing). If you want to have a try at reversing xmm7360/reversing#3 this PR has all the XML & IDC dumps of abrasive's IDBs which you can import into IDA or Ghidra |
I loaded the IDB dumps in Ghidra, but this thing is overwhelming, and I can barely understand what am I doing... |
Tbh I feel the same (no ARM reversing experience here). I was preempted by other projects; might try again in the coming weeks. |
This is kinda why I've taken a bit of a back seat on this stuff :) Happy for people with experience with this to play around but I wasn't able to get the dumps loaded either. :/ |
I did all the reversing based on logs from the Windows driver. I ran a windows VM under a patched qemu - see the relevant stuff in the reversing repo. On the reversing front, look in the function |
@abrasive I've built patched qemu, it installs and runs, but I can't get to the point that I have functioning XMM7360 PCI device in Windoze. I've tried a loads of stuff; non-patched qemu, 3 different kernels, 3 different T14 BIOS revisions, 3 different Win10 releases, it won't budge :| The best thing I could get in Windoze is this in the Device Manager:
On the kernel(s) side I see this being logged, so I guess that's not the issue::
I've tried vfio-ing other PCI devices from the T14, such as Ethernet ports, and that works just fine, but XMM7360 just won't budge, damn it! @abrasive, in your README, I don't see any actual |
@sibradzic I'm sorry, it looks like I posted the wrong run script. This is the one I have on disk. It has a bunch of stuff (eg. license passthrough) that is unlikely to be useful to you, but it does have the device passthrough with all of the magic flags I'd forgotten it needs. My apologies for the incorrect doucmentation.
|
Can I assume that And |
@abrasive Thanks for the info. I tried the vfio flags you suggest in Do you still have your snooping setup available? If you do, I believe we could easily get the APN credentials from what resembles a |
Reading through the AT command guide from Fibrocom, there seems to be a way to set PAP, CHAP and authentication using an AT command AT+XGAUTH=? This proprietary command allows to enter the type of authentication for a user-name(using a password) Set command allows to enter the type of authentication for a user-name (using a password) for the specified PDP context. |
I tried to dig into this issue again. I installed Win10 as a qemu (v8.2.2) guest with direct access to the modem device (via vfio-pci). The device is recognized by the Windows (Lenovo) driver and it shows the firmware version and carrier. When Windows boots, there is some activity on the RPC channel (mostly related to FCC unlocking). However, first thing after login, the driver tries to flash a firmware update. After a while, it says "Firmware update failed" and will stop interacting with the modem device. So, no way for me to continue using the device and snooping RPC commands. @abrasive Do you remember facing similar problems when you did the PCI snooping? I tried all versions of the Windows driver that have been released since early 2019 and all of them tried to flash a firmware update, then failed and stopped doing anything afterwards. |
@tuxor1337 they have a somewhat weird design where it insists on flashing the modem depending on the SIM card provider. I think I let it run in native Windows before I got started. It should be possible to pass through the device in FW update mode, but might be fiddly. Does it flip into USB mode and enumerate on the host that way? Or does it come up as a PCI device with different ID, which would presumably need a rescan on the host? Possibly with a remove beforehand? |
@abrasive Thanks for the quick response! Unfortunately, I currently don't have a native Windows for testing. Maybe I will install Win10 to some external drive and boot from there. Unfortunately, I don't have spare external media, currently :) I found that, when in USB mode, the device will show up under a particular xhci controller on the host. Fortunately, I don't really need that xhci controller (apart from the modem in flash mode, it controls my webcam and fingerprint reader). So, I use vfio to pass through the whole xhci controller AND the modem in PCI mode. That means that my qemu host is really completely agnostic of the modem device the whole time while qemu is running, and everything is directly accessible from the Win10 guest. Still, for some reason, the firmware update fails. |
@tuxor1337 you might have to use sysfs to remove the PCI device and then rescan the bus while the Windows side is waiting for the device to come back in FW update mode? Alternatively, not sure if you can get away with this, but you might be able to pass the parent bus of the card through to Windows and have the hotplugging handling run on the Windows side. Figure out which root port is handling it with |
@abrasive Removing the PCI device through sysfs (while qemu is running with vfio-pci) permanently removes the device for the Win10 guest - even after rescanning the bus and after vfio-pci binds to it again. For the alternative: Unfortunately, vfio-pci cannot bind to PCI root ports. I can unbind the |
@tuxor1337 I suspect removing and re-adding to the guest would involve using the qemu console, but I guess I'm more curious about what Windows needs to see for it to know it's in FW update mode. When you rescan, does it come up with the same PCI ID & subsystem ID when it's in FW update mode? |
@abrasive The output of That's why I am using vfio-pci to pass over the diff -su normal/lspci.txt fwupd/lspci.txt
Files normal/lspci.txt and fwupd/lspci.txt are identical
diff -su normal/lshw.txt fwupd/lshw.txt
--- normal/lshw.txt 2024-07-04 08:48:40.448839530 +0200
+++ fwupd/lshw.txt 2024-07-04 08:50:24.383382277 +0200
@@ -178,7 +178,15 @@
version: 1.08
capabilities: usb-2.01 usb
configuration: driver=usbhid maxpower=96mA speed=12Mbit/s
- *-usb:1
+ *-usb:1 UNCLAIMED
+ description: Communication device
+ vendor: Intel Corp. [8087]
+ physical id: 7
+ bus info: usb@1:7
+ version: 0.00
+ capabilities: usb-2.10
+ configuration: maxpower=500mA speed=480Mbit/s
+ *-usb:2
description: Video
product: Integrated Camera [4F2:B67C]
vendor: Chicony Electronics Co.,Ltd. [4F2]
@@ -188,7 +196,7 @@
serial: 6726
capabilities: usb-2.01
configuration: driver=uvcvideo maxpower=500mA speed=480Mbit/s
- *-usb:2 UNCLAIMED
+ *-usb:3 UNCLAIMED
description: Generic USB device
product: Prometheus MIS Touch Fingerprint Reader [6CB:BD]
vendor: Synaptics, Inc. [6CB]
diff -su normal/lsusb.txt fwupd/lsusb.txt
--- normal/lsusb.txt 2024-07-04 08:48:40.543839599 +0200
+++ fwupd/lsusb.txt 2024-07-04 08:50:24.462382403 +0200
@@ -4,6 +4,9 @@
|__ Port 006: Dev 002, If 0, Class=Human Interface Device, Driver=usbhid, 12M
ID 2386:4328 Raydium Corporation Touch System
/sys/bus/usb/devices/1-6 /dev/bus/usb/001/002
+ |__ Port 007: Dev 006, If 0, Class=CDC Data, Driver=[none], 480M
+ ID 8087:07f5 Intel Corp.
+ /sys/bus/usb/devices/1-7 /dev/bus/usb/001/006
|__ Port 008: Dev 003, If 0, Class=Video, Driver=uvcvideo, 480M
ID 04f2:b67c Chicony Electronics Co., Ltd
/sys/bus/usb/devices/1-8 /dev/bus/usb/001/003 |
I located some config and log files in From the From the |
I was finally able to run the driver on a native Windows (I installed Win10 to a 32 GB USB pen drive that I got from a friend). On that native Win10 setup, the modem works very well. The modem firmware is now up to date and, in the Win10 guest under qemu, the driver will not make any attempts at updating the firmware. So far, so good. However, the Win10 qemu-guest is not able to FCC unlock the card. This is really fascinating because I have no idea what might cause this. I snoop the RPC commands and see that it executes the well-known init sequence (as expected!):
After that, the driver requests an unlock challenge ( How is it possible that the driver acts so weird when inside a qemu guest? I double-checked that it is the exact same version that is used in the native Win10 installation. However: I found that permanently disabling the FCC lock with |
I have been able to reverse engineer where to put the information about APN cert type (none, PAP or CHAP), APN user, and APN password. It's part of my merge request for ModemManager, see here: https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/merge_requests/1200 |
Fantastic! Well done and thank you :) |
So, does it mean I can now bring the connection up and later, when done, shut it down gracefully? |
Yes, connecting and disconnecting is now both part of the merge request. |
So sweet. Thank you so much. I shall test it shortly on my DELL laptop. |
Hello!
Thanks for great work!
It seems the script is working well but I have an issue that my sim card requires additional APN setting like id, password, cert type (CHAP), APN protocol, APN type.
Can I give those settings in .ini and run the script?
Thanks!
The text was updated successfully, but these errors were encountered: