Turn off modem on Qualcomm

Added by Gu W 7 months ago

This is a similar question to https://redmine.replicant.us/boards/39/topics/13996 but focused on Qualcomm devices.

I am working on a project where I want to completely disable the modem on a Qualcomm device. With this nobody would be able to transmit exploits via broadband connection. Since the developers of Replicant have some insight into the RIL I would like to ask what your thoughts are on that and if you think that it might be possible (even though the modem has bad isolation).

Also I might need to do some work with RIL. Is there a good starting point somewhere to dive into the RIL code? (I might fix some bugs in Samsung-RIL along the way since I am using it myself).


Replies (7)

RE: Turn off modem on Qualcomm - Added by Daniel Kulesz 7 months ago

It's not clear to me whether you are doing a fresh build for the device or not. In the first case:

- wipe the relevant blobs after installation

In the latter case:

- remove the relevant repository from the manifest, if there is a dedicated repository just for the modem
- remove the relevant files from proprietary_files.txt, so they don't get pulled in during the build

You'll have to experiment though to see how the device behaves with these files missing.

RE: Turn off modem on Qualcomm - Added by Gu W 7 months ago

Thanks for the advice. I can definitely do that.
I want to have a fresh build. Something like a proof of concept that it's possible to run a Qualcomm smartphone without broadband. Through this the device should be as trustworthy as a device without the broadband chip.

RE: Turn off modem on Qualcomm - Added by Daniel Kulesz 7 months ago

Well, you can't know for sure since you have a proprietary bootloader and you don't know what it does...

Anyways, just try to remove the blobs or build without the modem, this should be the best you can do.

RE: Turn off modem on Qualcomm - Added by Wolfgang Wiedmeyer 4 months ago

You also have to consider the worst case: The radio image is preinstalled on a dedicated partition and may be loaded by the bootloader. If that is the case and if it's not possible to disable booting the modem, then you are probably out of options. You can't assume that the modem is not running, just because you removed blobs for the radio interface. You will need to investigate how exactly the modem is booted on your device. Reading logs and figuring out what the blobs do and how they work together are the first steps. Check what the kernel drivers for the modem do. Maybe there is also some documentation. Feel free to share your findings here!

Samsung-RIL won't help you with this, except if you want to write a RIL from scratch and use it as a reference. It's specifically for modems that use Samsung's IPC protocol. Qualcomm modems have their own protocols. I started working on support for the modem on the Galaxy S3 4G (i9305): QMI-RIL. It's a Qualcomm modem, but one that is connected over an USB-like connection. If the modem on your device uses shared memory, things are probably quite different. The enabled kernel drivers for the modem will give you hints.

RE: Turn off modem on Qualcomm - Added by Gu W 4 months ago

Thanks for your reply!

I am using a harpia phone and attached my logs and blobs. It has shared memory.

So I made a list of keywords that I searched for: mss, modem, femto, pil, qmi, rmnet, kickstart, ks, ksbridge, qcks, ril, radio. After some digging I found

Qualcomm MSS QDSP6v5 Peripheral Image Loader

pil-qdsp6v5-mss is a peripheral image loader (PIL) driver. It is used for
loading QDSP6v5 (Hexagon) firmware images for modem subsystems into memory and
preparing the subsystem's processor to execute code. It's also responsible for
shutting down the processor when it's not needed.

(lineage/kernel/motorola/msm8916/Documentation/devicetree/bindings/pil/pil-q6v5-mss.txt)

Qualcomm Femtocell (FSM99XX) Peripheral Image Loader

pil-femto-modem.c is a peripheral image loader (PIL) driver. It is used for
loading firmware images on multiple modems resident on the FSM99XX platform.

(lineage/kernel/motorola/msm8916/Documentation/devicetree/bindings/pil/pil-femto-modem.txt)

I also found some other drivers related to the modem but will not post them here because this post is already too long. I then read the logs and tried to make sense of them:

Allocate memory for modem and dsp

01-01 01:02:58.031     0     0 I [    0.000000,0] cma: Found modem_adsp_region@0, memory base 0x86800000, size 85 MiB, limit 0xffffffff
01-01 01:02:58.031     0     0 I [    0.000000,0] cma: CMA: reserved 85 MiB at 0x86800000 for modem_adsp_mem

Allocate memory for Modem subsystem

01-01 01:02:58.032     0     0 I [    0.125230,0] cma: Assigned CMA region at 0 to 4080000.qcom,mss device

Some Memory? info

01-01 01:02:58.038     0     0 I         : [    0.507533,0] mmi_unit_info (SMEM) for modem: version = 0x03, device = 'harpia', radio = 0x0, radio_str = 'APAC', system_rev = 0x81b0, system_serial = bla, machine = 'Qualcomm Technologies, Inc. MSM ', barcode = 'bla', baseband = '', carrier = 'reteu', pu_reason = 0x00004000

Register QMI in shared memory

01-01 01:02:58.039     0     0 I [    0.651091,1] msm_sharedmem: sharedmem_register_qmi: qmi init successful

Initialize USB modem driver

01-01 01:02:58.039     0     0 I [    0.657950,0] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters

Mount the modem

01-01 01:02:58.048     0     0 I [    2.968951,1] fs_mgr: __mount(source=/dev/block/bootdevice/by-name/modem,target=/firmware,type=ext4)=0

Load modem image and multi-boot agent

01-01 01:02:58.879     0     0 I         : [    3.877710,0] pil-q6v5-mss 4080000.qcom,mss: modem: loading from 0x86800000 to 0x8bd00000
01-01 01:02:58.886     0     0 I         : [    3.883739,2] pil-q6v5-mss 4080000.qcom,mss: MBA: loading from 0xa4300000 to 0xa4400000
01-01 01:02:58.939     0     0 I         : [    3.937772,0] pil-q6v5-mss 4080000.qcom,mss: MBA boot done
01-01 01:02:59.576     0     0 I         : [    4.572986,0] pil-q6v5-mss 4080000.qcom,mss: modem: Brought out of reset
01-01 01:02:59.683     0     0 I         : [    4.678610,0] pil-q6v5-mss 4080000.qcom,mss: Subsystem error monitoring/handling services are up
01-01 01:02:59.684     0     0 I         : [    4.678866,0] pil-q6v5-mss 4080000.qcom,mss: modem: Power/Clock ready interrupt received

Start Daemons

01-01 01:02:59.812     0     0 I [    4.805939,1] init: Starting service 'ril-daemon'...
01-01 01:02:59.812     0     0 I [    4.807001,1] init: Starting service 'imsqmidaemon'...
01-01 01:02:59.906     0     0 I [    4.902669,1] init: Starting service 'rild2-wrapper'...
01-01 01:03:00.096     0     0 I [    5.079639,3] init: Starting service 'imsdatadaemon'...

I then tried to figure out what the executable blobs do, but since there are so many of them I basically just googled them:

Daemons

bin/ims_rtp_daemon: Something with VoLTE?

bin/imsdatadaemon: WiFi calling? https://forum.xda-developers.com/nexus-6/general/tmobile-nexus-6-news-t3036135/page37

bin/imsqmidaemon: Something with VoLTE? https://forum.xda-developers.com/redmi-2/development/rom-lineageos-14-1-t3529286/page35

They also use their own rild vendor/motorola/msm8916-common/proprietary/bin/

bin/imscmservice: Process is started when property sys.ims.DATA_DAEMON_STATUS = 1 https://forum.xda-developers.com/android/software-hacking/developing-epdg-p-s-scsf-problem-t3419111

bin/netmgrd: Seems to be needed for RIL to properly work. Something with SIM card and radio https://forum.xda-developers.com/general/security/android-ports-t3593343

bin/qmuxd: QMI multiplex daemon acts as a proxy between the shared memory device and various userspace processes accessing QMI services. https://projects.osmocom.org/projects/quectel-modems/wiki/QMI

Apps

vendor/app/ims/ims.apk: something with VoLTE https://forum.xda-developers.com/redmi-note-3/themes/mod-remove-stubborn-device-hd-capable-t3520457

vendor/app/imssettings/imssettings.apk: something with wifi calling and VoLTE https://forum.xda-developers.com/galaxy-s6/development/rom-dennxisbaseromstable-t3517112/page7 and https://forum.xda-developers.com/tmobile-galaxy-s5/development/mavrick-s6-port-g925tbased-ka-s6-t3160514/page4

priv-app/qcrilmsgtunnel/qcrilmsgtunnel.apk: Qualcomm Radio Interface Layer Message Tunnel. Removing it seems to cause no problems for users. Part of the phone app https://stackoverflow.com/questions/19894112/android-logcat-full-of-qcrilmsgtunnelsocket

bin/irsc_util

bin/radish: IPv6 Tethering? https://forum.xda-developers.com/galaxy-s-i9000/i9001-development/gt-i9001-cyanogenmod-12-0-adc-team-t2971987/page30

bin/rmt_storage: Shared Memory. Allows permanent changes of the system. https://android.stackexchange.com/questions/24099/rmt-storage-keeps-polling-and-spam-logcat https://forum.xda-developers.com/oneplus-one/general/guide-unlock-aditional-bands-qualcomm-t2877031

bin/qmi_motext_hook

First of all, do you think this is roughly correct? Also, I am a bit unsure what to do with these findings. Looks like pil-femto-modem and pil-qdsp6v5-mss are the main drivers responsible for booting the modem. However, I did not find something like kickstart. Maybe removing them and the blobs will do the trick?

PS: Here is a useful list with abbreviations that I stumbled upon and had to search for. Maybe someone knows what to fill in for the missing abbreviations?
aDSP = Application Digital signal processing
APAC = Asia Pacific?
APSS
CDC = Communication Device Class
CIFS = Common Internet File System (Version of SMB)
CM = Control Model?
CMA = Contiguous Memory Allocator
DMA = Direct memory access
EFS = embedded file system
fs_mgr = Android's fstab manager?
HLOS = High-Level Operating Systems
HSIC = High-Speed Inter-Chip
IMS = IP Multimedia Subsystem
LA
MBA = Multi-Boot Agent
MPSS
MMI
MSM = Mobile Station Modem
MSS = Modem Subsystem
NITZ = Network Identity and Time Zone
qdsp6v5 = Qualcomm Hexagon Microarchitecture for a digital signal processor
QMI = Qualcomm MSM Interface
RFSA = Remote File System Access
SMB = Server Message Block
SMEM = Shared Memory
SMD = Shared Memory Device
TZ = TrustZone
UIO = Userspace I/O
WCM = Wireless Control Module?
WWAN = wireless wide area network
Peripheral processor = BP

Attachments: logcat_all.txt (1.79 MB), dumpsys.txt (1.75 MB), blobs.txt (3.7 KB)
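Two parts of this thread lend themselves to a small script: Daniel's suggestion to drop the modem-related entries from proprietary_files.txt before building, and the log reading in the post above, which is really a check of whether the modem subsystem was brought up at all. The example below is added here and is not code from the thread, from Replicant or from LineageOS. It reuses the keyword list from the post (with "ims" added, since the IMS daemons and apps listed above are not caught by the original keywords) plus a hand-maintained set of daemon names from the post that contain no keyword at all. The proprietary_files.txt sample is constructed; it assumes the common extract-utils syntax of one path per line, optional `src:dst` renames and optional `|sha1` pins. The logcat sample is made of the lines quoted in the post. The point of the second function is Wolfgang's warning: after removing blobs, the log line "Brought out of reset" from pil-q6v5-mss is the evidence that the modem still booted.

```python
"""Added example (not from the thread): classify modem blobs in a proprietary_files.txt
and read a logcat dump for the modem boot sequence described in the post."""
import re

# Keyword list from the post, treated as case-insensitive substrings. "ims" is added
# here (assumption, not in the original list) to catch the IMS/VoLTE blobs named above.
MODEM_KEYWORDS = ["mss", "modem", "femto", "pil", "qmi", "rmnet", "kickstart",
                  "ks", "ksbridge", "qcks", "ril", "radio", "ims"]

# Daemons named in the post whose file names contain none of the keywords.
EXTRA_MODEM_BLOBS = {"bin/qmuxd", "bin/netmgrd", "bin/rmt_storage",
                     "bin/irsc_util", "bin/radish"}

# Constructed sample; paths are the ones named in the thread plus two unrelated blobs.
SAMPLE_PROPRIETARY_FILES = """\
# Modem / IMS
bin/qmuxd
bin/netmgrd
bin/imsqmidaemon
bin/rmt_storage
vendor/app/ims/ims.apk
priv-app/qcrilmsgtunnel/qcrilmsgtunnel.apk
# Graphics / thermal (unrelated)
vendor/lib/egl/libGLESv2_adreno.so
bin/thermal-engine
"""

# Lines copied from the logcat excerpt in the post.
SAMPLE_LOGCAT = """\
01-01 01:02:58.031     0     0 I [    0.000000,0] cma: CMA: reserved 85 MiB at 0x86800000 for modem_adsp_mem
01-01 01:02:58.032     0     0 I [    0.125230,0] cma: Assigned CMA region at 0 to 4080000.qcom,mss device
01-01 01:02:58.879     0     0 I         : [    3.877710,0] pil-q6v5-mss 4080000.qcom,mss: modem: loading from 0x86800000 to 0x8bd00000
01-01 01:02:58.886     0     0 I         : [    3.883739,2] pil-q6v5-mss 4080000.qcom,mss: MBA: loading from 0xa4300000 to 0xa4400000
01-01 01:02:58.939     0     0 I         : [    3.937772,0] pil-q6v5-mss 4080000.qcom,mss: MBA boot done
01-01 01:02:59.576     0     0 I         : [    4.572986,0] pil-q6v5-mss 4080000.qcom,mss: modem: Brought out of reset
01-01 01:02:59.812     0     0 I [    4.805939,1] init: Starting service 'ril-daemon'...
01-01 01:02:59.812     0     0 I [    4.807001,1] init: Starting service 'imsqmidaemon'...
01-01 01:02:59.906     0     0 I [    4.902669,1] init: Starting service 'rild2-wrapper'...
01-01 01:03:00.096     0     0 I [    5.079639,3] init: Starting service 'imsdatadaemon'...
"""


def classify_blobs(text, keywords=MODEM_KEYWORDS, extra=EXTRA_MODEM_BLOBS):
    """Split a proprietary_files.txt into (keep, drop). An entry is dropped when a
    keyword is a substring of its path or it is in the hand-maintained extra set;
    each dropped entry carries the reason so the list can be reviewed by hand."""
    keep, drop = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Strip an optional "|sha1" pin and take the source side of "src:dst".
        path = line.split("|", 1)[0].split(":", 1)[0]
        hits = [k for k in keywords if k in path.lower()]
        if hits or path in extra:
            drop.append((path, hits or ["listed manually"]))
        else:
            keep.append(path)
    return keep, drop


# Kernel timestamp "[ secs,cpu]" followed by the message; works for both line shapes above.
KMSG_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+),\d+\]\s*(?P<msg>.*)$")

MODEM_EVENTS = [
    ("cma_reserved", re.compile(r"cma: CMA: reserved .* for modem_adsp_mem")),
    ("pil_load",     re.compile(r"pil-q6v5-mss .*modem: loading from")),
    ("mba_boot",     re.compile(r"pil-q6v5-mss .*MBA boot done")),
    ("out_of_reset", re.compile(r"pil-q6v5-mss .*modem: Brought out of reset")),
]
SERVICE_RE = re.compile(r"init: Starting service '(?P<svc>[^']+)'")
RADIO_SERVICE_HINTS = ("ril", "qmi", "ims", "netmgr", "qmux")


def modem_boot_status(logcat_text):
    """Return the modem boot timeline found in a logcat dump. modem_running is True
    only if PIL reports the modem core brought out of reset; radio_services lists
    init services whose names look modem-related, with their kernel timestamps."""
    events, started = [], []
    for line in logcat_text.splitlines():
        m = KMSG_RE.search(line)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        for name, pat in MODEM_EVENTS:
            if pat.search(msg):
                events.append((ts, name))
        svc = SERVICE_RE.search(msg)
        if svc and any(h in svc.group("svc") for h in RADIO_SERVICE_HINTS):
            started.append((ts, svc.group("svc")))
    return {
        "modem_running": any(n == "out_of_reset" for _, n in events),
        "events": events,
        "radio_services": started,
    }


if __name__ == "__main__":
    keep, drop = classify_blobs(SAMPLE_PROPRIETARY_FILES)
    for path, why in drop:
        print("drop", path, "because", ", ".join(why))
    status = modem_boot_status(SAMPLE_LOGCAT)
    print("modem running:", status["modem_running"])
    for ts, what in status["events"] + status["radio_services"]:
        print(f"{ts:9.6f}  {what}")
```

Run it against a full `adb logcat -b all` dump (or the kernel log alone) after a build with the blobs removed: if "out_of_reset" is still present, PIL or the bootloader booted the modem image from its own partition regardless of the userspace blobs, which is the case Wolfgang describes, and the daemons list then shows whether anything in userspace is still talking to it. The blob classifier is deliberately a substring match, so review the drop list by hand; short keywords such as "ks" can hit unrelated names.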

RE: Turn off modem on Qualcomm - Added by Daniel Kulesz 3 months ago

Well, I think one more thing you could try if you are brave is to wipe the whole radio partition (make a backup first). You can find it by inspecting /proc/partitions. However, if the bootloader really loads something from there on startup you might end up with a hard brick from which you can only recover by direct access to the flash chip via JTAG/external flasher.

RE: Turn off modem on Qualcomm - Added by Gu W 2 months ago

Thanks for the advice. Interesting idea. However, I do not think I am brave enough just yet.
