[LEDE-DEV] Open and secure firmware for Quectel 4G modems [Was: Re: Quectel EC20 QMI autoconnect issues [Was: Re: [LEDE-DEV, 3/3, v3] uqmi: Prevent 'POLICY MISMATCH' error.]]

Bjørn Mork bjorn at mork.no
Mon Jan 9 01:01:18 PST 2017

Petr Štetiar <ynezz at true.cz> writes:
> Bjørn Mork <bjorn at mork.no> [2017-01-08 23:10:20]:
>> The output above comes from the Sierra Wireless EM7455 originally delivered
>> as part of my Lenovo X1 Carbon, running bog standard firmware.
> Oops. How did you get into the shell of your modem? Is it a root shell also?

Sierra Wireless uses a bitmapped NVRAM variable to tell the system
which functions to enable. One of these functions is 'adb'. They also
implement an AT command to set this variable, but you cannot enable
'adb' there anymore (or maybe you can, using some other password?).

This AT command help text is taken from an old memory dump:

#AT!USBCOMP=<Config Index>,<Config Type>,<Interface bitmask>
#  <Config Index>      - configuration index to which the composition applies, should be 1
#  <Config Type>       - 1:Generic, 2:USBIF-MBIM, 3:RNDIS
#                        config type 2/3 should only be used for specific Sierra PIDs: 68B1, 9068
#                        customized VID/PID should use config type 1
#  <Interface bitmask> - DIAG     - 0x00000001,
#                        ADB      - 0x00000002,
#                        NMEA     - 0x00000004,
#                        MODEM    - 0x00000008,
#                        RMNET0   - 0x00000100,
#                        RMNET1   - 0x00000400,
#                        RMNET2   - 0x00000800,
#                        MBIM     - 0x00001000,
#                        RNDIS    - 0x00004000,
#                        AUDIO    - 0x00010000,
#                        ECM      - 0x00080000,
#                        UBIST    - 0x00200000

There are other ways to set this and other variables, so the AT command
interpreter restriction is not a show stopper.  Note that there are
invalid gadget combinations, so you can softbrick the modem by changing
this variable.

Anyway, this is not Android and you don't have the Android user
separation. Everything runs as root by default, including adbd. If you
enable the adb gadget, then you have a root shell.
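An added example, not part of Bjørn's post or of any Sierra Wireless tool: a small audit script that decodes the AT!USBCOMP interface bitmask using the bit values from the help text quoted above and flags whether the ADB bit (and therefore a root shell over USB, as the post explains) is enabled in the composition. The command line format follows the help text; the colon-separated reply form the parser also accepts, and the sample lines below, are constructed assumptions. The post warns that some gadget combinations are invalid and can softbrick the modem, so the mask returned by `without_adb` is for review, not for blind application.

```python
"""Decode and audit a Sierra Wireless AT!USBCOMP interface bitmask.

Added example, not from the mailing-list post or from Sierra Wireless.
Bit values are copied from the AT!USBCOMP help text quoted in the post;
the reply format '!USBCOMP: <idx>,<type>,<mask>' is an assumption.
"""
import re

# Interface bit values exactly as listed in the quoted AT!USBCOMP help text.
INTERFACE_BITS = {
    0x00000001: "DIAG",
    0x00000002: "ADB",
    0x00000004: "NMEA",
    0x00000008: "MODEM",
    0x00000100: "RMNET0",
    0x00000400: "RMNET1",
    0x00000800: "RMNET2",
    0x00001000: "MBIM",
    0x00004000: "RNDIS",
    0x00010000: "AUDIO",
    0x00080000: "ECM",
    0x00200000: "UBIST",
}
ADB_BIT = 0x00000002

# <Config Type> values from the same help text.
CONFIG_TYPES = {1: "Generic", 2: "USBIF-MBIM", 3: "RNDIS"}

# Union of all documented bits, used to spot undocumented ones.
KNOWN_MASK = 0
for _bit in INTERFACE_BITS:
    KNOWN_MASK |= _bit

# Accepts both the set form 'AT!USBCOMP=1,1,0000010D' (from the help text)
# and an assumed reply form '!USBCOMP: 1,1,0000010D'.
_USBCOMP_RE = re.compile(
    r"!USBCOMP\s*[=:]\s*(\d+)\s*,\s*(\d+)\s*,\s*(?:0x)?([0-9A-Fa-f]+)"
)


def parse_usbcomp(line):
    """Return (config_index, config_type, mask) from one AT!USBCOMP line."""
    m = _USBCOMP_RE.search(line)
    if not m:
        raise ValueError("not an AT!USBCOMP line: %r" % line)
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16)


def decode_interfaces(mask):
    """Names of the documented interfaces whose bit is set, lowest bit first."""
    return [name for bit, name in sorted(INTERFACE_BITS.items()) if mask & bit]


def audit_usbcomp(line):
    """Summarise a composition line; 'adb_enabled' is the finding that matters,
    because on this firmware adbd runs as root (see the post above)."""
    idx, ctype, mask = parse_usbcomp(line)
    interfaces = decode_interfaces(mask)
    return {
        "config_index": idx,
        "config_type": CONFIG_TYPES.get(ctype, "unknown(%d)" % ctype),
        "mask": mask,
        "interfaces": interfaces,
        "unknown_bits": mask & ~KNOWN_MASK,   # bits not in the help text
        "adb_enabled": "ADB" in interfaces,
    }


def without_adb(mask):
    """The same mask with only the ADB bit cleared, for operator review."""
    return mask & ~ADB_BIT


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real modem.
    for sample in ("AT!USBCOMP=1,1,0000010D", "!USBCOMP: 1,3,0000400F"):
        report = audit_usbcomp(sample)
        print(sample, "->", ", ".join(report["interfaces"]),
              "| ADB enabled:", report["adb_enabled"])
        if report["adb_enabled"]:
            print("  review: mask without ADB would be 0x%08X"
                  % without_adb(report["mask"]))
```

Run it as a script to see the two constructed samples decoded, or import it and feed `audit_usbcomp` the lines you collected from your own modem's AT port.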
