Skip to content

Instantly share code, notes, and snippets.

@joar

joar/fcc-unlock.c

Last active April 11, 2023 16:54
Show Gist options
  • Save joar/416f37fe81558f5be0d5131018eb7f2a to your computer and use it in GitHub Desktop.
Save joar/416f37fe81558f5be0d5131018eb7f2a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
fcc-unlock.c
#include <dlfcn.h>
#include <syslog.h>
#include <stdio.h>
#include <unistd.h>
typedef struct FCC_OPS FCC_OPS;
typedef void *HDMOVERMBIMTOSARHANDLE;
typedef int BOOL;
struct FCC_OPS {
int version;
int size;
int (*Init)(char *);
void (*UnInit)(void);
int (*GetIsMbimReady)(HDMOVERMBIMTOSARHANDLE, BOOL *);
int (*FccUnlock)(void);
};
FCC_OPS *fcc_ops;
#define MBIM_DEVICE_PATH "/dev/wwan0mbim0"
#define MBIM2SAR_SO_PATH "/home/joar/ghidra/r2/lenovo-wwan-dpr_3.snap.squashfs/usr/lib/mbim2sar.so"
static char * DEVICE_PATH = MBIM_DEVICE_PATH;
int main() {
void *dlHandle = dlopen(MBIM2SAR_SO_PATH, 1);
if (dlHandle == 0) {
dlclose(dlHandle);
fprintf(stderr, "dlopen(%s) failed\n", MBIM2SAR_SO_PATH);
return 1;
}
fcc_ops = dlsym(dlHandle, "fcc_ops");
if (fcc_ops == 0) {
dlclose(dlHandle);
fprintf(stderr, "dlsym(): could not get 'fcc_ops'\n");
return 1;
}
fcc_ops->Init(DEVICE_PATH);
int isReady;
int err = fcc_ops->GetIsMbimReady(0, &isReady);
for (int i = 0; (err != 0 && (i < 10)); i = i + 1) {
fprintf(stderr, "fcc_ops->GetIsMbimReady(): err=%d. Retrying in 10 seconds...\n", err);
sleep(10);
err = fcc_ops->GetIsMbimReady(0, &isReady);
}
if (err != 0) {
fprintf(stderr, "fcc_ops-GetISMbimReady() err=%d\n", err);
goto err_exit;
}
if (isReady == 0) {
fprintf(stderr, "fcc_ops->GetIsMbimReady(): never was\n");
goto err_exit;
}
err = fcc_ops->FccUnlock();
if (err != 0) {
fprintf(stderr, "fcc_ops->FccUnlock() err=%d\n", err);
fprintf(stderr, "FCC unlock failed\n");
goto err_exit;
}
printf("FCC unlock completed successfully\n");
fcc_ops->UnInit();
if (dlHandle != 0) {
dlclose(dlHandle);
dlHandle = 0;
}
return 0;
err_exit:
fcc_ops->UnInit();
if (dlHandle != 0) {
dlclose(dlHandle);
dlHandle = 0;
}
return 1;
}
Raw
fcc_unlock-output.console
$ sudo env VERBOSE=1 ./fcc_unlock_v2
[09-22_09:30:08:264] mbim_proxy_connect('mbim-proxy') = 5
[09-22_09:30:08:264] mbim_read_thread is created
[09-22_09:30:08:264] > 03:00:00:00:5A:00:00:00:01:00:00:00:01:00:00:00:00:00:00:00:83:8C:F7:FB:8D:0D:4D:7F:87:1E:D7:1D:BE:FB:B3:9B:01:00:00:00:01:00:00:00:2A:00:00:00:0C:00:00:00:1E:00:00:00:0F:00:00:00:2F:00:64:00:65:00:76:00:2F:00:77:00:77:00:61:00:6E:00:30:00:6D:00:62:00:69:00:6D:00:30:00:
[09-22_09:30:08:264] > Header:
[09-22_09:30:08:264] > MessageLength = 90
[09-22_09:30:08:264] > MessageType = MBIM_COMMAND_MSG (0x00000003)
[09-22_09:30:08:264] > TransactionId = 1
[09-22_09:30:08:264] > Contents:
[09-22_09:30:08:264] > DeviceServiceId = 838cf7fb-8d0d-4d7f-871e-d71dbefbb39b (838cf7fb-8d0d-4d7f-871e-d71dbefbb39b)
[09-22_09:30:08:265] > CID = MBIM_CID_PROXY_CONTROL_CONFIGURATION (1)
[09-22_09:30:08:265] > CommandType = set (1)
[09-22_09:30:08:265] > InformationBufferLength = 42
[09-22_09:30:08:589] < 03:00:00:80:30:00:00:00:01:00:00:00:01:00:00:00:00:00:00:00:83:8C:F7:FB:8D:0D:4D:7F:87:1E:D7:1D:BE:FB:B3:9B:01:00:00:00:00:00:00:00:00:00:00:00:
[09-22_09:30:08:589] < Header:
[09-22_09:30:08:589] < MessageLength = 48
[09-22_09:30:08:589] < MessageType = MBIM_COMMAND_DONE (0x80000003)
[09-22_09:30:08:589] < TransactionId = 1
[09-22_09:30:08:589] < Contents:
[09-22_09:30:08:589] < DeviceServiceId = 838cf7fb-8d0d-4d7f-871e-d71dbefbb39b (838cf7fb-8d0d-4d7f-871e-d71dbefbb39b)
[09-22_09:30:08:589] < CID = MBIM_CID_PROXY_CONTROL_CONFIGURATION (1)
[09-22_09:30:08:589] < Status = 0
[09-22_09:30:08:589] < InformationBufferLength = 0
[09-22_09:30:08:589] GetIsMbimReady err=0, bValue=1
[09-22_09:30:08:589] mbim_device_service_subscribe_list_set(uuid=2d0c12c9-0e6a-495a-915c-8d174fe5d63c)
[09-22_09:30:08:589] > 03:00:00:00:64:00:00:00:02:00:00:00:01:00:00:00:00:00:00:00:A2:89:CC:33:BC:BB:8B:4F:B6:B0:13:3E:C2:AA:E6:DF:13:00:00:00:01:00:00:00:34:00:00:00:01:00:00:00:0C:00:00:00:28:00:00:00:2D:0C:12:C9:0E:6A:49:5A:91:5C:8D:17:4F:E5:D6:3C:05:00:00:00:01:00:00:00:02:00:00:00:03:00:00:00:04:00:00:00:05:00:00:00:
[09-22_09:30:08:589] > Header:
[09-22_09:30:08:589] > MessageLength = 100
[09-22_09:30:08:589] > MessageType = MBIM_COMMAND_MSG (0x00000003)
[09-22_09:30:08:589] > TransactionId = 2
[09-22_09:30:08:589] > Contents:
[09-22_09:30:08:590] > DeviceServiceId = UUID_BASIC_CONNECT (a289cc33-bcbb-8b4f-b6b0-133ec2aae6df)
[09-22_09:30:08:590] > CID = MBIM_CID_DEVICE_SERVICE_SUBSCRIBE_LIST (19)
[09-22_09:30:08:590] > CommandType = set (1)
[09-22_09:30:08:590] > InformationBufferLength = 52
[09-22_09:30:08:594] < 03:00:00:80:64:00:00:00:02:00:00:00:01:00:00:00:00:00:00:00:A2:89:CC:33:BC:BB:8B:4F:B6:B0:13:3E:C2:AA:E6:DF:13:00:00:00:00:00:00:00:34:00:00:00:01:00:00:00:0C:00:00:00:28:00:00:00:2D:0C:12:C9:0E:6A:49:5A:91:5C:8D:17:4F:E5:D6:3C:05:00:00:00:01:00:00:00:02:00:00:00:03:00:00:00:04:00:00:00:05:00:00:00:
[09-22_09:30:08:594] < Header:
[09-22_09:30:08:594] < MessageLength = 100
[09-22_09:30:08:594] < MessageType = MBIM_COMMAND_DONE (0x80000003)
[09-22_09:30:08:594] < TransactionId = 2
[09-22_09:30:08:594] < Contents:
[09-22_09:30:08:594] < DeviceServiceId = UUID_BASIC_CONNECT (a289cc33-bcbb-8b4f-b6b0-133ec2aae6df)
[09-22_09:30:08:594] < CID = MBIM_CID_DEVICE_SERVICE_SUBSCRIBE_LIST (19)
[09-22_09:30:08:594] < Status = 0
[09-22_09:30:08:594] < InformationBufferLength = 52
[09-22_09:30:08:594] FccUnlock
[09-22_09:30:08:594] SMBIOS 3.2.0 present.
[09-22_09:30:08:594] Table at 0x90CA4000.
[09-22_09:30:08:594] Handle 0x0030, DMI type 133, 5 bytes
[09-22_09:30:08:594] String 1
[09-22_09:30:08:594] KHOIHGIUCCHHII
[09-22_09:30:08:594] mbim_radio_state_query()
[09-22_09:30:08:594] > 03:00:00:00:30:00:00:00:03:00:00:00:01:00:00:00:00:00:00:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:11:01:00:00:00:00:00:00:00:00:00:00:00:
[09-22_09:30:08:594] > Header:
[09-22_09:30:08:594] > MessageLength = 48
[09-22_09:30:08:594] > MessageType = MBIM_COMMAND_MSG (0x00000003)
[09-22_09:30:08:594] > TransactionId = 3
[09-22_09:30:08:594] > Contents:
[09-22_09:30:08:594] > DeviceServiceId = 11223344-5566-7788-99aa-bbccddeeff11 (11223344-5566-7788-99aa-bbccddeeff11)
[09-22_09:30:08:594] > CID = Unknow (1)
[09-22_09:30:08:594] > CommandType = query (0)
[09-22_09:30:08:594] > InformationBufferLength = 0
[09-22_09:30:08:606] < 03:00:00:80:34:00:00:00:03:00:00:00:01:00:00:00:00:00:00:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:11:01:00:00:00:00:00:00:00:04:00:00:00:04:00:00:00:
[09-22_09:30:08:606] < Header:
[09-22_09:30:08:606] < MessageLength = 52
[09-22_09:30:08:606] < MessageType = MBIM_COMMAND_DONE (0x80000003)
[09-22_09:30:08:606] < TransactionId = 3
[09-22_09:30:08:606] < Contents:
[09-22_09:30:08:606] < DeviceServiceId = 11223344-5566-7788-99aa-bbccddeeff11 (11223344-5566-7788-99aa-bbccddeeff11)
[09-22_09:30:08:606] < CID = Unknow (1)
[09-22_09:30:08:606] < Status = 0
[09-22_09:30:08:606] < InformationBufferLength = 4
[09-22_09:30:08:606] HwRadioState: 4, SwRadioState: 0
[09-22_09:30:08:606] mbim_radio_state_set( 1 )
[09-22_09:30:08:606] > 03:00:00:00:34:00:00:00:04:00:00:00:01:00:00:00:00:00:00:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:11:01:00:00:00:01:00:00:00:04:00:00:00:01:00:00:00:
[09-22_09:30:08:606] > Header:
[09-22_09:30:08:606] > MessageLength = 52
[09-22_09:30:08:606] > MessageType = MBIM_COMMAND_MSG (0x00000003)
[09-22_09:30:08:606] > TransactionId = 4
[09-22_09:30:08:606] > Contents:
[09-22_09:30:08:606] > DeviceServiceId = 11223344-5566-7788-99aa-bbccddeeff11 (11223344-5566-7788-99aa-bbccddeeff11)
[09-22_09:30:08:606] > CID = Unknow (1)
[09-22_09:30:08:606] > CommandType = set (1)
[09-22_09:30:08:606] > InformationBufferLength = 4
[09-22_09:30:08:615] < 03:00:00:80:30:00:00:00:04:00:00:00:01:00:00:00:00:00:00:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:11:01:00:00:00:00:00:00:00:00:00:00:00:
[09-22_09:30:08:615] < Header:
[09-22_09:30:08:615] < MessageLength = 48
[09-22_09:30:08:615] < MessageType = MBIM_COMMAND_DONE (0x80000003)
[09-22_09:30:08:615] < TransactionId = 4
[09-22_09:30:08:615] < Contents:
[09-22_09:30:08:615] < DeviceServiceId = 11223344-5566-7788-99aa-bbccddeeff11 (11223344-5566-7788-99aa-bbccddeeff11)
[09-22_09:30:08:615] < CID = Unknow (1)
[09-22_09:30:08:615] < Status = 0
[09-22_09:30:08:615] < InformationBufferLength = 0
[09-22_09:30:08:615] mbim_radio_state_query()
[09-22_09:30:08:615] > 03:00:00:00:30:00:00:00:05:00:00:00:01:00:00:00:00:00:00:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:11:01:00:00:00:00:00:00:00:00:00:00:00:
[09-22_09:30:08:615] > Header:
[09-22_09:30:08:615] > MessageLength = 48
[09-22_09:30:08:615] > MessageType = MBIM_COMMAND_MSG (0x00000003)
[09-22_09:30:08:615] > TransactionId = 5
[09-22_09:30:08:615] > Contents:
[09-22_09:30:08:615] > DeviceServiceId = 11223344-5566-7788-99aa-bbccddeeff11 (11223344-5566-7788-99aa-bbccddeeff11)
[09-22_09:30:08:615] > CID = Unknow (1)
[09-22_09:30:08:615] > CommandType = query (0)
[09-22_09:30:08:615] > InformationBufferLength = 0
[09-22_09:30:08:627] < 03:00:00:80:34:00:00:00:05:00:00:00:01:00:00:00:00:00:00:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:11:01:00:00:00:00:00:00:00:04:00:00:00:01:00:00:00:
[09-22_09:30:08:627] < Header:
[09-22_09:30:08:627] < MessageLength = 52
[09-22_09:30:08:627] < MessageType = MBIM_COMMAND_DONE (0x80000003)
[09-22_09:30:08:627] < TransactionId = 5
[09-22_09:30:08:627] < Contents:
[09-22_09:30:08:627] < DeviceServiceId = 11223344-5566-7788-99aa-bbccddeeff11 (11223344-5566-7788-99aa-bbccddeeff11)
[09-22_09:30:08:627] < CID = Unknow (1)
[09-22_09:30:08:627] < Status = 0
[09-22_09:30:08:627] < InformationBufferLength = 4
[09-22_09:30:08:627] HwRadioState: 1, SwRadioState: 0
[09-22_09:30:08:627] FccUnlock err=0
FCC unlock completed successfully
[09-22_09:30:08:627] mbim_read_thread exit
[09-22_09:30:08:627] UnInit
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment