P1sec / QCSuper

QCSuper is a tool that communicates with Qualcomm-based phones and modems, allowing the capture of raw 2G/3G/4G radio frames, among other things.
GNU General Public License v3.0

Works with Huawei Nexus 6P (angler), but DIAG_VERNO_F is not supported #24

Open initbrain opened 5 years ago

initbrain commented 5 years ago

Using a rooted Nexus 6P (angler) running LineageOS 15.1 (Oreo 8.1) and a NetHunter kernel:

$ su -c './qcsuper.py --adb --wireshark-live --reassemble-sibs --decrypt-nas --include-ip-traffic'

[+] Enabled logging for: 1X (1), WCDMA (4), GSM (5), UMTS (7), DTV (10), APPS/LTE/WIMAX (11), TDSCDMA (13)

Trying the --info CLI argument with verbosity:

$ su -c './qcsuper.py -v --adb --info'
[>] Running adb command: /usr/bin/adb exec-out id
[<] Obtained result for running "/usr/bin/adb exec-out id": b'uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0\n'
[>] Running adb command: /usr/bin/adb exec-out "test -w /dev/diag; echo DIAG_NOT_WRITEABLE=$?; test -e /dev/diag; echo DIAG_NOT_EXISTS=$?; test -r /dev; echo DEV_NOT_READABLE=$?; su -c id"
[<] Obtained result for running "/usr/bin/adb exec-out "test -w /dev/diag; echo DIAG_NOT_WRITEABLE=$?; test -e /dev/diag; echo DIAG_NOT_EXISTS=$?; test -r /dev; echo DEV_NOT_READABLE=$?; su -c id"": b'DIAG_NOT_WRITEABLE=0\nDIAG_NOT_EXISTS=0\nDEV_NOT_READABLE=0\nuid=0(root) gid=0(root) groups=0(root) context=u:r:sudaemon:s0\r\n'
[>] Running adb command: /usr/bin/adb exec-out "test -e /dev/diag; echo DIAG_NOT_EXISTS=$?"
[<] Obtained result for running "/usr/bin/adb exec-out "test -e /dev/diag; echo DIAG_NOT_EXISTS=$?"": b'DIAG_NOT_EXISTS=0\n'
[>] Running adb command: /usr/bin/adb push /home/initbrain/Outils/qcsuper/inputs/adb_bridge/adb_bridge /data/local/tmp
[<] Obtained result for running "/usr/bin/adb push /home/initbrain/Outils/qcsuper/inputs/adb_bridge/adb_bridge /data/local/tmp": b'[100%] /data/local/tmp/adb_bridge\n/home/initbrain/Outils/qcsuper/inputs/adb_bridge/adb_bridge: 1 file pushed. 2.8 MB/s (11636 bytes in 0.004s)\n'
[>] Running adb command: /usr/bin/adb exec-out "killall -q adb_bridge; chmod 755 /data/local/tmp/adb_bridge"
[<] Obtained result for running "/usr/bin/adb exec-out "killall -q adb_bridge; chmod 755 /data/local/tmp/adb_bridge"": b'killall: adb_bridge: No such process\n'
[>] Running adb command: /usr/bin/adb forward tcp:43555 tcp:43555
[>] Sending request DIAG_LOG_CONFIG_F of length 7: b'\x00\x00\x00\x00\x00\x00\x00'
[<] Received response DIAG_LOG_CONFIG_F of length 11: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
[>] Sending request DIAG_EXT_MSG_CONFIG_F of length 7: b'\x05\x00\x00\x00\x00\x00\x00'
[<] Received response DIAG_EXT_MSG_CONFIG_F of length 7: b'\x05\x01\x00\x00\x00\x00\x00'

[>] Sending request DIAG_VERNO_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 1: b'\x00'
Error: error response received: DIAG_BAD_CMD_F with payload b'\x00', while the request was DIAG_VERNO_F with payload b''. Maybe this operation is not supported by your device.

Trying to circumvent this error:

$ sed -i 's/accept_error = False)/accept_error = True)  # DEBUG/' modules/info.py

$ su -c './qcsuper.py -v --adb --info'
[>] Running adb command: /usr/bin/adb exec-out id
[<] Obtained result for running "/usr/bin/adb exec-out id": b'uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0\n'
[>] Running adb command: /usr/bin/adb exec-out "test -w /dev/diag; echo DIAG_NOT_WRITEABLE=$?; test -e /dev/diag; echo DIAG_NOT_EXISTS=$?; test -r /dev; echo DEV_NOT_READABLE=$?; su -c id"
[<] Obtained result for running "/usr/bin/adb exec-out "test -w /dev/diag; echo DIAG_NOT_WRITEABLE=$?; test -e /dev/diag; echo DIAG_NOT_EXISTS=$?; test -r /dev; echo DEV_NOT_READABLE=$?; su -c id"": b'DIAG_NOT_WRITEABLE=0\nDIAG_NOT_EXISTS=0\nDEV_NOT_READABLE=0\nuid=0(root) gid=0(root) groups=0(root) context=u:r:sudaemon:s0\r\n'
[>] Running adb command: /usr/bin/adb exec-out "test -e /dev/diag; echo DIAG_NOT_EXISTS=$?"
[<] Obtained result for running "/usr/bin/adb exec-out "test -e /dev/diag; echo DIAG_NOT_EXISTS=$?"": b'DIAG_NOT_EXISTS=0\n'
[>] Running adb command: /usr/bin/adb push /home/initbrain/Outils/qcsuper/inputs/adb_bridge/adb_bridge /data/local/tmp
[<] Obtained result for running "/usr/bin/adb push /home/initbrain/Outils/qcsuper/inputs/adb_bridge/adb_bridge /data/local/tmp": b'[100%] /data/local/tmp/adb_bridge\n/home/initbrain/Outils/qcsuper/inputs/adb_bridge/adb_bridge: 1 file pushed. 4.1 MB/s (11636 bytes in 0.003s)\n'
[>] Running adb command: /usr/bin/adb exec-out "killall -q adb_bridge; chmod 755 /data/local/tmp/adb_bridge"
[<] Obtained result for running "/usr/bin/adb exec-out "killall -q adb_bridge; chmod 755 /data/local/tmp/adb_bridge"": b'killall: adb_bridge: No such process\n'
[>] Running adb command: /usr/bin/adb forward tcp:43555 tcp:43555
[>] Sending request DIAG_LOG_CONFIG_F of length 7: b'\x00\x00\x00\x00\x00\x00\x00'
[<] Received response DIAG_LOG_CONFIG_F of length 11: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
[>] Sending request DIAG_EXT_MSG_CONFIG_F of length 7: b'\x05\x00\x00\x00\x00\x00\x00'
[<] Received response DIAG_EXT_MSG_CONFIG_F of length 7: b'\x05\x01\x00\x00\x00\x00\x00'

[>] Sending request DIAG_VERNO_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 1: b'\x00'
[>] Sending request DIAG_EXT_BUILD_ID_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 1: b'|'
[>] Sending request DIAG_DIAG_VER_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 1: b'\x1c'
[>] Sending request DIAG_ESN_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 0: b''

$ sed -i 's/accept_error = True)  # DEBUG/accept_error = False)/' modules/info.py

Extract of raw information about the device:

$ adb shell

angler:/ $ getprop | grep -iE 'hardware|network|version|cpu|baseband|qualcomm|model|build'
[gsm.network.type]: [LTE]
[...]
[gsm.version.baseband]: [angler-03.88]
[gsm.version.ril-impl]: [Qualcomm RIL 1.0]
[...]
[ro.baseband]: [msm]
[ro.boot.baseband]: [msm]
[ro.boot.hardware]: [angler]
[...]
[ro.boot.hardware.revision]: [ANGLER-ROW-VN1]
[ro.boot.hardware.sku]: [H1512]
[ro.boot.secure_hardware]: [1]
[ro.bootimage.build.date]: [Fri Mar 22 10:41:56 UTC 2019]
[ro.bootimage.build.date.utc]: [1553251316]
[ro.bootimage.build.fingerprint]: [google/angler/angler:8.1.0/OPM7.181205.001/5080180:user/release-keys]
[ro.build.characteristics]: [nosdcard]
[ro.build.date]: [Fri Mar 22 10:41:56 UTC 2019]
[ro.build.date.utc]: [1553251316]
[ro.build.description]: [angler-user 8.1.0 OPM7.181205.001 5080180 release-keys]
[ro.build.display.id]: [lineage_angler-userdebug 8.1.0 OPM7.181205.001 51a828909b]
[ro.build.fingerprint]: [google/angler/angler:8.1.0/OPM7.181205.001/5080180:user/release-keys]
[ro.build.flavor]: [lineage_angler-userdebug]
[ro.build.host]: [lineage-runner]
[ro.build.id]: [OPM7.181205.001]
[ro.build.product]: [angler]
[ro.build.selinux]: [1]
[ro.build.tags]: [release-keys]
[ro.build.type]: [userdebug]
[ro.build.user]: [gitlab-runner]
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [51a828909b]
[ro.build.version.preview_sdk]: [0]
[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2019-03-05]
[ro.hardware]: [angler]
[ro.lineage.build.version]: [15.1]
[ro.lineage.build.version.plat.rev]: [0]
[ro.lineage.build.version.plat.sdk]: [9]
[ro.lineage.display.version]: [15.1-20190322-NIGHTLY-angler]
[ro.lineage.version]: [15.1-20190322-NIGHTLY-angler]
[ro.modversion]: [15.1-20190322-NIGHTLY-angler]
[...]
[ro.product.cpu.abi]: [arm64-v8a]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [arm64-v8a]
[ro.product.model]: [Nexus 6P]
[...]
[ro.vendor.build.date]: [Fri Oct 19 16:45:06 UTC 2018]
[ro.vendor.build.date.utc]: [1539967506]
[ro.vendor.build.fingerprint]: [google/angler/angler:8.1.0/OPM7.181205.001/5080180:user/release-keys]
[ro.vendor.product.model]: [Nexus 6P]
[...]

angler:/ $ cat /proc/cpuinfo
processor   : 0
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x0
CPU part    : 0xd03
CPU revision    : 2

processor   : 1
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x0
CPU part    : 0xd03
CPU revision    : 2

processor   : 2
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x0
CPU part    : 0xd03
CPU revision    : 2

processor   : 3
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x0
CPU part    : 0xd03
CPU revision    : 2

processor   : 4
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part    : 0xd07
CPU revision    : 1

processor   : 5
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part    : 0xd07
CPU revision    : 1

processor   : 6
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part    : 0xd07
CPU revision    : 1

processor   : 7
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part    : 0xd07
CPU revision    : 1

Hardware    : Qualcomm Technologies, Inc MSM8994

PS: regarding the absence of the latest security patches, this is due to the fact that it is no longer my main smartphone ;)

Anyway, I can't tell you how much I appreciate your work. Thank you for sharing with the community <3
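
Added example, not part of the original report and not QCSuper's own code: a Python triage script that pairs the Diag requests and responses printed by a `-v` run like the one above and lists the commands the baseband answered with DIAG_BAD_CMD_F. The sample lines are copied from the second run in the report; treating a response whose name differs from the request as a rejection is an assumption of this example.

```python
import ast
import re

# Lines copied from the second verbose run in the report above.
SAMPLE_LOG = r"""
[>] Running adb command: /usr/bin/adb forward tcp:43555 tcp:43555
[>] Sending request DIAG_EXT_MSG_CONFIG_F of length 7: b'\x05\x00\x00\x00\x00\x00\x00'
[<] Received response DIAG_EXT_MSG_CONFIG_F of length 7: b'\x05\x01\x00\x00\x00\x00\x00'
[>] Sending request DIAG_VERNO_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 1: b'\x00'
[>] Sending request DIAG_EXT_BUILD_ID_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 1: b'|'
[>] Sending request DIAG_DIAG_VER_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 1: b'\x1c'
[>] Sending request DIAG_ESN_F of length 0: b''
[<] Received response DIAG_BAD_CMD_F of length 0: b''
"""

# Matches the "-v" request/response lines in the form they have on this page.
LINE_RE = re.compile(r"^\[([<>])\] (?:Sending request|Received response) "
                     r"(\w+) of length (\d+): (b['\"].*['\"])$")

def parse_exchanges(log_text):
    """Pair each logged Diag request with the response that follows it."""
    exchanges, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # adb commands, banners, blank lines
        direction, name, length, literal = m.groups()
        payload = ast.literal_eval(literal)  # parses the bytes literal, runs no code
        if len(payload) != int(length):
            raise ValueError(f"logged length disagrees with payload: {line!r}")
        if direction == ">":
            pending = name
        elif pending is not None:
            # Assumption: an accepted request is answered under its own name.
            exchanges.append({"request": pending, "response": name,
                              "payload": payload, "rejected": name != pending})
            pending = None
    return exchanges

def unsupported_requests(exchanges):
    """Requests the device answered with DIAG_BAD_CMD_F."""
    return [e["request"] for e in exchanges if e["response"] == "DIAG_BAD_CMD_F"]

if __name__ == "__main__":
    for e in parse_exchanges(SAMPLE_LOG):
        status = "REJECTED" if e["rejected"] else "ok"
        print(f'{e["request"]:<24} -> {e["response"]:<24} {status} {e["payload"]!r}')
```
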

ohmg1401 commented 1 year ago

I got the same error with a Huawei G620s!!! Any help is appreciated.

It is QUALCOMM and rooted.

theopoon commented 3 months ago

Reporting the same error on a Nexus 6P, stock, rooted.

angler:/ $ getprop | grep -iE 'hardware|network|version|cpu|baseband|qualcomm|model|build'
[gsm.version.ril-impl]: [Qualcomm RIL 1.0]
[ro.bootimage.build.date]: [Tue May 8 19:17:49 UTC 2018]
[ro.build.date]: [Tue May 8 19:17:49 UTC 2018]
[ro.build.description]: [angler-user 8.1.0 OPM6.171019.030.B1 4768815 release-keys]
[ro.product.model]: [Nexus 6P]
[ro.vendor.build.date]: [Tue May 8 19:17:49 UTC 2018]
[ro.vendor.product.model]: [Nexus 6P]

Please consider removing Nexus 6P support from the documentation.