Revision 1 (bcm61670, 12/30/2023 05:24 PM) → Revision 2/3 (bcm61670, 12/30/2023 05:24 PM)

 h1. Lenovo A6000 and other phones with leaked Qualcomm sources

 Modem source code has leaked for multiple phones. If a phone has a testing certificate, it allows us to run our own modem firmware on it.
 For now I am testing it on the Lenovo A6000, but it can be any other phone with an SoC like MSM8916, MSM8939 or MSM8974 and testing certificates.

 h3. How to check if a phone has a testing certificate?

 Look at the strings in the modem.mdt file. If it uses a testing certificate, it should contain strings like "General Use Test Key (for testing only)".
 Phones with other certificates that we can't use contain strings like "Sony Mobile Communications AB".
 Modem firmware is signed with a certificate, and if the signature doesn't match, the firmware can't be loaded.
 If the file contains the string "General Use Test Key (for testing only)", this means we can run our own firmware on the phone.
 The modem.mdt file can be found at /system/etc/firmware/modem.mdt or /firmware/image/modem.mdt; it may be somewhere else on other phones.
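
The check above as a small script, added here as an example and not part of the original wiki page: it lists the X.509 name strings (CN, O, OU) embedded in a modem.mdt and reports whether the test-key marker is present. It assumes the marker is stored as a short DER name attribute and falls back to a raw byte search; @sample_mdt@ builds constructed input, not real firmware.

```python
import sys

# Marker string quoted on this page; test-signed images should contain it.
TEST_KEY = "General Use Test Key (for testing only)"
# DER encodings of the X.509 name attribute OIDs 2.5.4.3 / .10 / .11
NAME_OIDS = {"0603550403": "CN", "060355040a": "O", "060355040b": "OU"}
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8, Printable, T61, IA5 strings

def name_attributes(blob):
    """Return (attribute, value) pairs for short-form DER name strings in blob."""
    found = []
    for oid_hex, label in NAME_OIDS.items():
        oid = bytes.fromhex(oid_hex)
        pos = blob.find(oid)
        while pos != -1:
            start = pos + len(oid) + 2  # skip string tag and one-byte length
            if start <= len(blob) and blob[start - 2] in STRING_TAGS:
                value = blob[start:start + blob[start - 1]]
                # Reject coincidental OID bytes: value must be complete, printable ASCII
                if (0 < len(value) == blob[start - 1] < 0x80 and value.isascii()
                        and value.decode().isprintable()):
                    found.append((label, value.decode()))
            pos = blob.find(oid, pos + 1)
    return found

def classify_mdt(blob):
    """Return (verdict, attributes); verdict is test-key, other-cert or no-cert-found."""
    attrs = name_attributes(blob)
    # Raw byte search is the fallback, equivalent to `strings | grep`.
    if any(TEST_KEY in v for _, v in attrs) or TEST_KEY.encode() in blob:
        return "test-key", attrs
    return ("other-cert" if attrs else "no-cert-found"), attrs

def sample_mdt(*pairs):
    """Constructed input: fake .mdt bytes followed by DER name attributes."""
    body = b"\x7fELF" + bytes(60)
    for oid_hex, text in pairs:
        atv = bytes.fromhex(oid_hex) + bytes([0x13, len(text)]) + text.encode()
        body += bytes([0x31, len(atv) + 2, 0x30, len(atv)]) + atv
    return body

if __name__ == "__main__":
    # With no argument, run on a constructed sample instead of a real modem.mdt
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else sample_mdt(("060355040b", TEST_KEY)))
    print(classify_mdt(data))
```

An @other-cert@ verdict prints the vendor strings found, which is the case the page describes as unusable.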

 h3. Files we need to build modem firmware 

 Toolchain: hexagon_tools_6.4.06.a.7z magnet:?xt=urn:btih:61e8b8a520181ade801c251e5ec9352e33a7bb8c&dn=qcom_msm8x26_modem&tr=udp://tracker.openbittorrent.com:80&tr=udp://tracker.opentrackr.org:1337/announce 
 MSM8916 modem source code: "msm8916_2014-12-03_amss_qrd" https://gitlab.com/qcom-sources15/msm8916_2014-12-03_amss_qrd/-/raw/master/modem_proc.zip?ref_type=heads 

 h3. Building modem firmware from leaked source code 

 To build the modem firmware we need to create a container with Debian buster, because newer versions of Debian don't have python2.7, which the Qualcomm tools require.
 <pre> 
 sudo debootstrap --arch=amd64 buster buster 
 sudo systemd-nspawn -D buster --machine buster 
 </pre> 
 Now we need to install the required packages and add a user.
 <pre> 
 apt install g++ git sudo wget make cmake python2.7 lib32z1 scons libxml-parser-perl p7zip-full python-pip gcc-multilib g++-multilib 
 adduser user 
 passwd 
 exit 
 </pre> 
 After that you need to log in to the user account and create directories for the toolchain and source code.
 <pre> 
 sudo systemd-nspawn -D buster --machine buster -b 
 </pre> 
 Log in to the user account:
 <pre> 
 mkdir -p Qualcomm/HEXAGON_Tools 
 mkdir -p dev/qcom/msm8916/modem_proc 
 mkdir Downloads 
 cd Downloads 
 </pre> 
 Put hexagon_tools_6.4.06.a.7z and modem_proc.zip in the Downloads directory.
 <pre> 
 7za x -y -o$HOME/Qualcomm/HEXAGON_Tools hexagon_tools_6.4.06.a.7z 
 7za x -y -o$HOME/dev/qcom/msm8916/modem_proc modem_proc.zip 
 cd $HOME/dev/qcom/msm8916/modem_proc 
 </pre> 
 If you are building modem firmware for the Lenovo A6000, you should replace a few files in the source code with these files: https://mega.nz/file/8O1glCTS#0RU919Tbe4eSyrXXHh3vUEXPMxk6SK9EV_Iks8o6e_E
 The configuration of the PA and RF switch, LTE bands and WCDMA bands can differ between phones, and some files need to be modified to get it working; otherwise you can have issues such as the phone not receiving or transmitting.
 Now we will prepare the source code for building.
 <pre> 
 find . -name '*.sh' -exec chmod -f 775 {} \; 
 find . -name '*.mk' -exec chmod -f 775 {} \; 
 find . -name '*.py' -exec chmod -f 775 {} \; 
 find . -name '*.pl' -exec chmod -f 775 {} \; 
 find . -name '*.lcs' -exec chmod -f 775 {} \; 
 find . -name '*.api' -exec chmod -f 775 {} \; 
 find . -name '*.xml' -exec chmod -f 775 {} \; 
 find . -name '*.scons' -exec chmod -f 775 {} \; 
 find . -name 'scons' -exec chmod -f 775 {} \; 
 find . -name 'SConscript' -exec chmod -f 775 {} \; 
 find . -name 'SConstruct' -exec chmod -f 775 {} \; 
 find . -name 'Makefile' -exec chmod -f 775 {} \; 
 find . -name 'makefile' -exec chmod -f 775 {} \; 
 find . -name 'qaic' -exec chmod -f 775 {} \; 
 find . -name 'doxygen' -exec chmod -f 775 {} \; 
 find . -name 'qdsp6-image-build' -exec chmod -f 775 {} \; 
 find . -name 'SleepSynth' -exec chmod -f 775 {} \; 
 find . -name 'crypto_cbc' -exec chmod -f 775 {} \; 
 find . -name 'crypto_ccm' -exec chmod -f 775 {} \; 
 cd build/ms/ 
 nano build.sh 
 </pre> 
 Change "#!/bin/sh" to "#!/bin/bash" 
 <pre> 
 nano setenv.sh 
 </pre> 
 In this file put: 
 <pre> 
 export ARMTOOLS=ARMCT5.05 
 export ARMROOT=$HOME/ARMCompiler5.05u2 
 export ARM_COMPILER_PATH=$ARMROOT/bin64 
 export ARMHOME=$ARMROOT 
 export ARMLIB=$ARMROOT/lib 
 export ARMINCLUDE=$ARMROOT/include 
 export ARMBIN=$ARMROOT/bin64 
 export ARMINC=$ARMINCLUDE 
 export ARMLMD_LICENSE_FILE=$ARMROOT/Community.lic 
 export HEXAGON_ROOT=$HOME/Qualcomm/HEXAGON_Tools 
 export HEXAGON_RTOS_RELEASE=6.4.06.a 
 export HEXAGON_Q6VERSION=v5 
 export HEXAGON_IMAGE_ENTRY=0x86800000 # If you are using different phone than lenovo A6000 you may need to change this value 
 export PYTHON_PATH=/usr/bin/python 
 export PYTHONPATH=/usr/bin/python 
 export MAKE_PATH=/usr/bin/make 
 export PATH=$MAKE_PATH:$ARM_COMPILER_PATH:$HEXAGON_ROOT/$HEXAGON_RTOS_RELEASE/qc/bin:$HEXAGON_ROOT/$HEXAGON_RTOS_RELEASE/gnu/bin:$PATH
 </pre> 
 <pre> 
 nano build_cfg.xml 
 </pre> 
 Change hexagon_rtos_release to 6.4.06.a 
 Change cflags to -Wno-error -Wno-tautological-constant-out-of-range-compare -Wno-medium -Wno-low -hexagon-predef-argset=modem-sw -mllvm -shrink-wrap-ext-wrapper-section=.wrap.func 
 <pre> 
 cd $HOME/dev/qcom/msm8916/modem_proc/core/kernel/qurt 
 HEXAGON_RTOS_RELEASE=6.4.06.a 
 WL_PREFIX="toolsver_whitelist \\= \\[" 
 find . -name 'target_tools.py' -exec sed -i "s/$WL_PREFIX/$WL_PREFIX\"$HEXAGON_RTOS_RELEASE\" ,/" {} \; 
 nano target_tools.py 
 </pre> 
 Now we need to replace a few lines in this file.
 Find: 
 <pre> 
           hexagon_root = os.path.join(default_root,toolsver) 
           if(version_compare(toolsver, '5.1.03') < 0): 
                   v55_workaround = "False" 
 </pre> 
 Replace it with: 
 <pre> 
           hexagon_root = os.path.join(default_root,toolsver) 
           v55_workaround = "False" 
 </pre> 
 <pre> 
 cd $HOME/dev/qcom/msm8916/modem_proc 
 nano build/bsp/mapss_b/build/mapss_b.scons 
 </pre> 
 In this file, add a few lines after:
 <pre> 
 elif hex_version[0] == '6': 
   if hex_version[1] == '2': 
     if len(hex_version) >= 3 and hex_version[2] >= '06': 
       legacy_mode = False 
 </pre> 
 After these lines add:
 <pre> 
   elif hex_version[1] == '4': 
     legacy_mode = False 
 </pre> 
 It should look like this: 
 <pre> 
 elif hex_version[0] == '6': 
   if hex_version[1] == '2': 
     if len(hex_version) >= 3 and hex_version[2] >= '06': 
       legacy_mode = False 
   elif hex_version[1] == '4': 
     legacy_mode = False 
 </pre> 
 <pre> 
 nano ./geran/gmac/src/gmacidleutil.c 
 </pre> 
 Find: 
 <pre> 
             if( (((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0) 
            && (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623)) 
 </pre> 
 Replace it with: 
 <pre> 
             if( /*(((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0) 
            &&*/ (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623)) 
 </pre> 
 <pre> 
 nano ./geran/gmac/src/gmacutil.c 
 </pre> 
 Find: 
 <pre> 
             if((((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0) 
            && (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623)) 
 </pre> 
 Replace it with: 
 <pre> 
             if(/*(((starting_time_fn - reception_fn_mod_42432) % 42432) >= 0) 
            &&*/ (((starting_time_fn - reception_fn_mod_42432) % 42432) <= 31623)) 
 </pre> 
 Now the source code is prepared for building and it should compile without errors.
 <pre> 
 cd $HOME/dev/qcom/msm8916/modem_proc/build/ms 
 ./build.sh 8916.genns BUILD_ID=EAAAANUZ -k 
 </pre> 
 The BUILD_ID / image variant can be different on other phones.
 If the build was successful you should see something like this:
 <pre> 
 ============================================================================== 
    SCons build summary 
 ============================================================================== 
 ** Build time... 
  Build start    : Sat Dec 30 15:51:11 2023 
  Build end      : Sat Dec 30 15:57:14 2023 
  Elapsed time : 0:06:03 
 #------------------------------------------------------------------------------- 
 # BUILD END: EAAAANUZ 
 #------------------------------------------------------------------------------- 
 Build EAAAANUZ: Start Time: Sat Dec 30 15:51:11 2023,    End Time: Sat Dec 30 15:57:16 2023 
 Build EAAAANUZ: Delta Time: 6 minutes, 5 seconds 
 #------------------------------------------------------------------------------- 
 #------------------------------------------------------------------------------- 
 Build 8916.genns returned code 0. 
 #------------------------------------------------------------------------------- 
 Overall Start Time: Sat Dec 30 15:51:11 2023,    Overall End Time: Sat Dec 30 15:57:16 2023 
 Overall Delta Time: 6 minutes, 5 seconds 
 #------------------------------------------------------------------------------- 
 </pre> 
 Now we need to convert the compiled firmware to files that the phone will load.
 <pre> 
 cd $HOME/dev/qcom/msm8916/modem_proc/build/ms/bin 
 wget https://github.com/remittor/qcom-mbn-tools/raw/master/pil-splitter.py
 BUILD_ID=EAAAANUZ 
 MBN_FILE=./$BUILD_ID/qdsp6sw.mbn 
 MBN_PREFIX=modem 
 python pil-splitter.py $MBN_FILE $MBN_PREFIX 
 </pre> 
 This script should create files like modem.mdt, modem.b00, modem.b01, ... 

 h3. Flash modem firmware to the phone

 Outside the container, go to the directory containing the files created by pil-splitter.py.
 <pre> 
 adb root 
 adb shell mount -oremount,rw /firmware 
 adb push modem.* /firmware/image/. 
 adb push EAAAANUZ/mba.mbn /firmware/image/mba.mbn 
 adb shell sync 
 adb reboot 
 </pre> 
 The Lenovo A6000 stores modem firmware on the /firmware partition in the directory /firmware/image/; other phones can have firmware in a different location.
 If everything was done correctly, your phone should now reboot with the new modem firmware and it will be able to connect to LTE/WCDMA/GSM networks.

 h3. Other phones that may work with leaked source code 

 |_. Phone |_. SOC |_. Image Variant |_. Image Version |_. Tested | 
 | Lenovo A6000 | MSM8916 | EAAAANUZ | MPSS.DPM.1.0.1.C1-00093 | Tested, working | 
 | LG G4c H525n | MSM8916 | EAAAANWZ | MPSS.DPM.2.0.C11-39832 | Not working, bluescreen https://imgur.com/a/jfoAVDq | 
 | ASUS ZE550KL | MSM8916 | EAAAANUZ | MPSS.DPM.2.0.2.c1.11-00021 | Not tested |