@ynezz
Last active May 4, 2023 10:23
quectel ec25-e notes
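/*
 * Written by igem, 2020 ;)
 *
 * gcc qadbkey-unlock.c -o qadbkey-unlock -lcrypt
 *
 */
#include <crypt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int ac, char* av[])
{
    if (ac != 2) {
        printf("Usage: qadbkey-unlock <serial>\nUse AT+QADBKEY? to get the serial number.\n");
        exit(1);
    }

    /* MD5-crypt setting string with the serial as salt: "$1$<serial>$" */
    char salt[128];
    snprintf(salt, sizeof salt, "$1$%s$", av[1]);

    char *code = crypt("SH_adb_quectel", salt);
    /* crypt() returns NULL on failure; the offsets below need at least 12 + 16 characters */
    if (code == NULL || strlen(code) < 12 + 16) {
        fprintf(stderr, "crypt() failed or returned an unexpected result\n");
        exit(1);
    }

    /* Skip the 12-character "$1$<serial>$" prefix (this assumes an 8-character
     * serial) and keep the first 16 characters of the hash. */
    code += 12;
    code[16] = 0;

    printf("AT+QADBKEY=\"%s\"\n", code);
    printf("AT+QCFG=\"usbcfg\",0x2C7C,0x125,1,1,1,1,1,1,0\n\n");
    printf("To disable ADB, run: (beware that modem will not be able to enter sleep with ADB enabled!!)\n");
    printf("AT+QCFG=\"usbcfg\",0x2C7C,0x125,1,1,1,1,1,0,0\n");
    return 0;
}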

Source https://xnux.eu/devices/feature/modem-pp.html#toc-unlock-adb-access

Unlock ADB access

It's possible to access the Linux side of the modem via adb, or reboot the modem to fastboot mode and boot your own kernel. The modem is rooted by default, and you can install and run your own software inside the modem. It's possible to communicate between the A64 and the modem's ARM CPU via a USB serial port (ttyGS0 on the modem side and ttyUSB1 on the A64).

It's also possible to create your own URCs up to 128B in size by sending them as a datagram message to UNIX socket /tmp/.urc_sock. See urc.c.

To install your own program on the modem persistently, you need to remount the modem's root filesystem read-write and install your program somewhere in /usr/bin. Add your startup script to /etc/init.d.

To get adb access to the modem:

  • Get adb key via AT+QADBKEY?
  • Enter the adb key to the unlocker utility
  • Follow the instructions from the qadbkey-unlock
  • adb shell should get you a root shell on the modem
    • in case the root shell is password protected, disable the root password
      $ adb pull /etc/shadow
      $ sed -i 's/root:\(.*\.\)\:\(.*\)$/root::\2/' shadow
      $ adb push shadow /etc/shadow
  • adb pull and adb push can be used to copy files to/from the modem
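
A check for the state the sed step above leaves behind: the following C program is an added example, not part of the original gist, that scans the contents of a pulled shadow file for accounts with an empty password field. The function names and the sample lines (including the placeholder hash) are constructed for illustration.

```c
/* Added example (not from the gist): audit shadow(5) text for empty password fields. */
#include <stdio.h>
#include <string.h>

/* Constructed sample input; the hash is a made-up placeholder. */
static const char SAMPLE[] =
    "root::18000:0:99999:7:::\n"
    "daemon:*:18000:0:99999:7:::\n"
    "user:$1$abcdefgh$0123456789abcdefghijk.:18000:0:99999:7:::\n"
    "broken-line\n";

/* Classify one line of the form name:password:...
 * Returns 1 = empty password field (login without a password),
 *         2 = locked ('!' or '*' prefix), 0 = hash present,
 *        -1 = malformed (missing name or password field). */
int shadow_field_state(const char *line, size_t len)
{
    const char *p = memchr(line, ':', len);
    if (!p || p == line)
        return -1;
    const char *hash = p + 1;
    const char *end = memchr(hash, ':', len - (size_t)(hash - line));
    if (!end)
        return -1;
    if (end == hash)
        return 1;
    return (*hash == '!' || *hash == '*') ? 2 : 0;
}

/* Walk the text line by line; print and count passwordless accounts. */
int count_passwordless(const char *text)
{
    int n = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (shadow_field_state(text, len) == 1) {
            printf("passwordless: %.*s\n", (int)strcspn(text, ":"), text);
            n++;
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return n;
}

int main(void)
{
    return count_passwordless(SAMPLE) ? 1 : 0; /* non-zero exit when any is found */
}
```

Running the same check on the edited file before `adb push` confirms that only the root entry changed.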
/*
 * Written by Ondrej Jirman <megous@megous.com>
 */
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

int main(int ac, char* av[])
{
    /* UNIX datagram socket on which the modem accepts URC messages */
    struct sockaddr_un addr = {
        .sun_family = AF_UNIX,
        .sun_path = "/tmp/.urc_sock",
    };
    int fd;

    if (ac < 2) {
        printf("Usage: %s <urc>\n", av[0]);
        printf("Example %s '+MYURC: hello world'\n", av[0]);
        return 1;
    }

    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }

    /* Send the URC text as a single datagram */
    ssize_t ret = sendto(fd, av[1], strlen(av[1]), 0, (const struct sockaddr*)&addr, sizeof(struct sockaddr_un));
    if (ret < 0) {
        perror("sendto");
        close(fd);
        return 1;
    }

    close(fd);
    return 0;
}