Turn off modem on Qualcomm
This is a similar question to https://redmine.replicant.us/boards/39/topics/13996 but focused on Qualcomm devices.
I am working on a project where I want to completely disable the modem on a Qualcomm device. With this nobody would be able to transmit exploits via broadband connection. Since the developers of Replicant have some insight into the RIL I would like to ask what your thoughts are on that and if you think that it might be possible (even though the modem has bad isolation).
Also I might need to do some work with RIL. Is there a good starting point somewhere to dive into the RIL code? (I might fix some bugs in Samsung-RIL along the way since I am using it myself).
RE: Turn off modem on Qualcomm - Added by Daniel Kulesz 7 months ago
It's not clear to me with you are doing a fresh build for the device or not. In the first case:
- wipe the relevant blobs after installation
In the latter case:
- remove the relevant repository from the manifest, if there is a dedicated repository just for the modem
- remove the relevant files from proprietary_files.txt, so they don't get pulled in during the build
You'll have to experiment though to see how the device behaves with these files missing.
RE: Turn off modem on Qualcomm - Added by Gu W 7 months ago
Thanks for the advice. I can definitely do that.
I want to have a fresh build. Something like a proof of concept that it's possible to run a Qualcomm smartphone without broadband. Through this the device should be as trustworthy as a device without the broadband chip.
RE: Turn off modem on Qualcomm - Added by Daniel Kulesz 7 months ago
Well, you can't know for sure since you have a proprietary bootloader and you don't know what it does...
Anyways, just try to remove the blobs or build without the modem, this should be the best you can do.
RE: Turn off modem on Qualcomm - Added by Wolfgang Wiedmeyer 4 months ago
You also have to consider the worst case: The radio image is preinstalled on a dedicated partition and may be loaded by the bootloader. If that is the case and if it's not possible to disable booting the modem, then you are probably out of options. You can't assume that the modem is not running, just because you removed blobs for the radio interface. You will need to investigate how exactly the modem is booted on your device. Reading logs and figuring out what the blobs do and how they work together are the first steps. Check what the kernel drivers for the modem do. Maybe there is also some documentation. Feel free to share your findings here!
Samsung-RIL won't help you with this, except if you want to write a RIL from scratch and use it as a reference. It's specifically for modems that use Samsung's IPC protocol. Qualcomm modems have their own protocols. I started working on support for the modem on the Galaxy S3 4G (i9305): QMI-RIL. It's a Qualcomm modem, but one that is connected over an USB-like connection. If the modem on your device uses shared memory, things are probably quite different. The enabled kernel drivers for the modem will give you hints.
RE: Turn off modem on Qualcomm - Added by Gu W 4 months ago
Thanks for your reply!
I am using a harpia phone and attached my logs and blobs. It has shared memory.
So I made a list of keywords that I searched for:
mss, modem, femto, pil, qmi, rmnet, kickstart, ks, ksbridge, qcks, ril, radio. After some digging I found
Qualcomm MSS QDSP6v5 Peripheral Image Loader¶
pil-qdsp6v5-mss is a peripheral image loader (PIL) driver. It is used for
loading QDSP6v5 (Hexagon) firmware images for modem subsystems into memory and
preparing the subsystem's processor to execute code. It's also responsible for
shutting down the processor when it's not needed.
Qualcomm Femtocell (FSM99XX) Peripheral Image Loader¶
pil-femto-modem.c is a peripheral image loader (PIL) driver. It is used for
loading firmware images on multiple modems resident on the FSM99XX platform.
I also found some other drivers related to the modem but will not post them here because this post is already too long. I then read the logs and tried to make sense of them:
Allocate memory for modem and dsp
01-01 01:02:58.031 0 0 I [ 0.000000,0] cma: Found modem_adsp_region@0, memory base 0x86800000, size 85 MiB, limit 0xffffffff 01-01 01:02:58.031 0 0 I [ 0.000000,0] cma: CMA: reserved 85 MiB at 0x86800000 for modem_adsp_mem
Allocate memory for Modem subsystem
01-01 01:02:58.032 0 0 I [ 0.125230,0] cma: Assigned CMA region at 0 to 4080000.qcom,mss device
Some Memory? info
01-01 01:02:58.038 0 0 I : [ 0.507533,0] mmi_unit_info (SMEM) for modem: version = 0x03, device = 'harpia', radio = 0x0, radio_str = 'APAC', system_rev = 0x81b0, system_serial = bla, machine = 'Qualcomm Technologies, Inc. MSM ', barcode = 'bla', baseband = '', carrier = 'reteu', pu_reason = 0x00004000
Register QMI in shared memory
01-01 01:02:58.039 0 0 I [ 0.651091,1] msm_sharedmem: sharedmem_register_qmi: qmi init successful
Initialize USB modem driver
01-01 01:02:58.039 0 0 I [ 0.657950,0] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
Mount the modem
01-01 01:02:58.048 0 0 I [ 2.968951,1] fs_mgr: __mount(source=/dev/block/bootdevice/by-name/modem,target=/firmware,type=ext4)=0
Load modem image and multi-boot agent
01-01 01:02:58.879 0 0 I : [ 3.877710,0] pil-q6v5-mss 4080000.qcom,mss: modem: loading from 0x86800000 to 0x8bd00000 01-01 01:02:58.886 0 0 I : [ 3.883739,2] pil-q6v5-mss 4080000.qcom,mss: MBA: loading from 0xa4300000 to 0xa4400000 01-01 01:02:58.939 0 0 I : [ 3.937772,0] pil-q6v5-mss 4080000.qcom,mss: MBA boot done 01-01 01:02:59.576 0 0 I : [ 4.572986,0] pil-q6v5-mss 4080000.qcom,mss: modem: Brought out of reset 01-01 01:02:59.683 0 0 I : [ 4.678610,0] pil-q6v5-mss 4080000.qcom,mss: Subsystem error monitoring/handling services are up 01-01 01:02:59.684 0 0 I : [ 4.678866,0] pil-q6v5-mss 4080000.qcom,mss: modem: Power/Clock ready interrupt received
01-01 01:02:59.812 0 0 I [ 4.805939,1] init: Starting service 'ril-daemon'... 01-01 01:02:59.812 0 0 I [ 4.807001,1] init: Starting service 'imsqmidaemon'... 01-01 01:02:59.906 0 0 I [ 4.902669,1] init: Starting service 'rild2-wrapper'... 01-01 01:03:00.096 0 0 I [ 5.079639,3] init: Starting service 'imsdatadaemon'...
I then tried to figure out what the executable blobs do, but since there are so many of them I basically just googled them:
bin/ims_rtp_daemon: Something with VoLTE?
bin/imsdatadaemon: WiFi calling? https://forum.xda-developers.com/nexus-6/general/tmobile-nexus-6-news-t3036135/page37
bin/imsqmidaemon: Something withe VoLET? https://forum.xda-developers.com/redmi-2/development/rom-lineageos-14-1-t3529286/page35
They also use their own
bin/imscmservice: Process is started when property sys.ims.DATA_DAEMON_STATUS = 1 https://forum.xda-developers.com/android/software-hacking/developing-epdg-p-s-scsf-problem-t3419111
bin/netmgrd: Seems to be needed for RIL to properly work. Something with SIM card and radio https://forum.xda-developers.com/general/security/android-ports-t3593343
bin/qmuxd: QMI multiplex daemon acts as a proxy between the shared memory device and various userspace processes accessing QMI services. https://projects.osmocom.org/projects/quectel-modems/wiki/QMI
vendor/app/ims/ims.apk: something with VoLTE https://forum.xda-developers.com/redmi-note-3/themes/mod-remove-stubborn-device-hd-capable-t3520457
vendor/app/imssettings/imssettings.apk: something with wifi calling and VoLTE https://forum.xda-developers.com/galaxy-s6/development/rom-dennxisbaseromstable-t3517112/page7 and https://forum.xda-developers.com/tmobile-galaxy-s5/development/mavrick-s6-port-g925tbased-ka-s6-t3160514/page4
priv-app/qcrilmsgtunnel/qcrilmsgtunnel.apk: Qualcomm Radio Interface Layer Message Tunnel. Removing it seems to cause no problems for users. Part of the phone app https://stackoverflow.com/questions/19894112/android-logcat-full-of-qcrilmsgtunnelsocket
bin/rmt_storage: Shared Memory. Allows permanent changes of the system. https://android.stackexchange.com/questions/24099/rmt-storage-keeps-polling-and-spam-logcat https://forum.xda-developers.com/oneplus-one/general/guide-unlock-aditional-bands-qualcomm-t2877031
First of all. Do you think this is roughly correct? Also, I am a bit unsure what to do with these findings. Looks like
pil-qdsp6v5-mss are the main drivers responsible for booting the modem. However, I did not find something like
kickstart. Maybe removing them and the blobs will do the trick?
PS: Here is a useful list with abbreviations that I stumbles upon and had to search for. Maybe someone knows what to fill in the missing abbreviations?:
aDSP = Application Digital signal processing
APAC = Asia Pacific?
CDC = Communication Device Class
CIFS = Common Internet File System (Version of SMB)
CM = Control Model?
CMA = Contiguous Memory Allocator
DMA = Direct memory access
EFS = embedded file system
fs_mgr = Androids fstab manager?
HLOS = High-Level Operating Systems
HSIC = High-Speed Inter-Chip
IMS = IP Multimedia Subsystem
MBA = Multi-Boot Agent
MSM = Mobile Station Modem
MSS = Modem Subsystem
NITZ = Network Identity and Time Zone
qdsp6v5 = Qualcomm Hexagon Microarchitecture for a digital signal processor
QMI = Qualcomm MSM Interface
RFSA = Remote File System Access
SMB = Server Message Block
SMEM = Shared Memory
SMD = Shared Memory Device
TZ = TrustZone
UIO = Userspace I/O
WCM = Wireless Control Module?
WWAN = wireless wide area network
Peripheral processor = BP
RE: Turn off modem on Qualcomm - Added by Daniel Kulesz 3 months ago
Well, I think one more thing you could try if you are brave is to wipe the whole radio partition (make a backup first). You can find it by inspecting /proc/partitions. However, if the bootloader really loads something from there on startup you might end up with a hard brick from which you can only recover by direct access to the flash chip via JTAG/external flasher.
RE: Turn off modem on Qualcomm - Added by Gu W 2 months ago
Thanks for the advice. Interesting idea. However, I do not think I am brave enough just yet.