Lenovo ThinkPad Yoga 460 Convertible containing Sierra Wireless EM7455
Linux 6.0.0-kali6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1kali1 (2022-12-19) x86_64 GNU/Linux
kali-rolling
General |
General |
path |
/org/freedesktop/ModemManager1/Modem/0 |
device id |
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
Hardware |
Hardware |
manufacturer |
Sierra Wireless, Incorporated |
model |
Sierra Wireless EM7455 Qualcomm Snapdragon X7 LTE-A |
firmware revision |
SWI9X30C_02.20.03.00 |
carrier config |
default |
h/w revision |
EM7455 |
supported |
gsm-umts, lte |
current |
gsm-umts, lte |
equipment id |
xxxxxxxxxxxxx |
System |
System |
device |
/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2 |
drivers |
qcserial, cdc_mbim |
plugin |
sierra |
primary port |
cdc-wdm0 |
ports |
cdc-wdm0 (mbim), ttyUSB0 (qcdm), ttyUSB2 (at), wwan0 (net) |
Status |
Status |
lock |
sim-pin2 |
unlock retries |
sim-pin (3), sim-pin2 (3) |
state |
disabled |
power state |
low |
Modes |
Modes |
supported |
allowed: 3g; preferred: none |
|
allowed: 4g; preferred: none |
|
allowed: 3g, 4g; preferred: 4g |
|
allowed: 3g, 4g; preferred: 3g |
current |
allowed: 3g, 4g; preferred: 4g |
Bands |
Bands |
supported |
utran-1, utran-3, utran-4, utran-5, utran-8, utran-2, eutran-1, eutran-2, eutran-3, eutran-4, eutran-5, eutran-7, eutran-8, eutran-12, eutran-13, eutran-20, eutran-25, eutran-26, eutran-41 |
current |
utran-1, utran-3, utran-4, utran-5, utran-8, utran-2, eutran-1, eutran-2, eutran-3, eutran-4, eutran-5, eutran-7, eutran-8, eutran-12, eutran-13, eutran-20, eutran-25, eutran-26, eutran-41 |
IP |
IP |
supported |
ipv4, ipv6, ipv4v6 |
3GPP |
3GPP |
imei |
xxxxxxxxxxxxx |
enabled locks |
sim, fixed-dialing |
packet service state |
detached |
3GPP EPS |
3GPP EPS |
ue mode of operation |
csps-2 |
SIM |
SIM |
primary sim path |
/org/freedesktop/ModemManager1/SIM/0 |
sim path slot 1 |
/org/freedesktop/ModemManager1/SIM/0 (active) |
sim path slot 2 |
none |
$ ModemManager
ModemManager[3774]: <info> ModemManager (version 1.20.4) starting in system bus...
ModemManager[3774]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:1c.5/0000:03:00.0': not supported by any plugin
ModemManager[3774]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:1f.6': not supported by any plugin
ModemManager[3774]: <info> [cdc-wdm0/mbim] MBIM device is not QMI capable
ModemManager[3774]: <info> [device /sys/devices/pci0000:00/0000:00:14.0/usb1/1-2] creating modem with plugin 'sierra' and '5' ports
ModemManager[3774]: <warn> [plugin/sierra] could not grab port ttyUSB1: Cannot add port 'tty/ttyUSB1', unhandled port type
ModemManager[3774]: <info> [base-manager] modem for device '/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2' successfully created
ModemManager[3774]: <info> [modem0/cdc-wdm0/mbim] MBIM device is QMI capable
ModemManager[3774]: <info> [modem0] QMI-based capability and mode switching support enabled
ModemManager[3774]: <warn> [modem0/sim0] couldn't load list of emergency numbers: Failed to parse CRSM query result '+CRSM: 105,129,""'
ModemManager[3774]: <warn> [modem0] couldn't load initial EPS bearer settings: LTE attach status info is unsupported
ModemManager[3774]: <warn> [modem0] couldn't load 5GNR registration settings: 5GNR registration settings are unsupported
ModemManager[3774]: <info> [modem0] state changed (unknown -> disabled)
ModemManager[3774]: <info> [modem0] state changed (disabled -> enabling)
ModemManager[3774]: <warn> [modem0] Failure
ModemManager[3774]: <warn> [modem0] Failure
ModemManager[3774]: <warn> [modem0] couldn't enable interface: 'Invalid transition'
ModemManager[3774]: <info> [modem0] 3GPP registration state changed (unknown -> unknown)
ModemManager[3774]: <info> [modem0] state changed (enabling -> disabled)
Trying to enable with mmcli:
$ mmcli -m 0 -e
error: couldn't enable the modem: 'GDBus.Error:org.freedesktop.ModemManager1.Error.Core.Retry: Invalid transition'
According to the FCC Unlock script it needs two parameters but first is skipped, so we provide just a 0
as first parameter. However, it returns an error:
$ /etc/ModemManager/fcc-unlock.d/1199:9079 0 cdc-wdm0
error: couldn't set FCC authentication: QMI protocol error (26): 'NoEffect'
echo $?
1
This issue only persists since I upgraded kali after a fresh install. Before that the system asked for PIN and I most likely would have been able to setup a mobile broadband connection. However, I only tried that after the upgrade and always fail. I've learned that this is due to FCC Lock, but I can't unlock it. What I found during my research is that ModemManager handles FCC Lock differently since 1.18.xx version. Before that it would be working.
What I discoverred further is that the script from ModemManager obviously tries QMI while in fact it's MBIM device. So I removed the link which was referring to 1199 like this:
cd /usr/share/ModemManager/fcc-unlock.available.d
sudo unlink 1199:9079
Then I created a modified copy for some other modem, so 1199:9079 now is a file with the following content:
#!/bin/sh
# SPDX-License-Identifier: CC0-1.0
# 2021 Aleksander Morgado <aleksander@aleksander.es>
#
# Sierra Wireless FCC unlock mechanism
# HP 820 G1 (EM7355), 03f0:4e1d
# Dell DW5570 (MC8805), 413c:81a3
# Dell DW5808 (MC7355), 413c:81a8
# Lenovo-shipped EM7455, 1199:9079
#
# require program name and at least 2 arguments
[ $# -lt 2 ] && exit 1
# first argument is DBus path, not needed here
shift
# second and next arguments are control port names
for PORT in "$@"; do
# match port name
echo "$PORT" | grep -q cdc-wdm && {
CDC_WDM_PORT=$PORT
break
}
done
# fail if no cdc-wdm port exposed
[ -n "$CDC_WDM_PORT" ] || exit 2
# run qmicli operation
mbimcli --device-open-proxy --device="/dev/$CDC_WDM_PORT" --set-radio-state=on
exit $?
However, I can in fact unlock the SIM with the PIN, but an actual activation of the modem fails still:
$ sudo mbimcli -d /dev/cdc-wdm0 --device-open-proxy --enter-pin=pin1,XXXX -v
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] opening device...
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] read max control message size from descriptors file: 4096
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 88
<<<<<< data = 03:00:00:00:58:00:00:00:01:00:00:00...
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 88
<<<<<< type = command (0x00000003)
<<<<<< transaction = 1
<<<<<< Fragment header:
<<<<<< total = 1
<<<<<< current = 0
<<<<<< Contents:
<<<<<< service = 'proxy-control' (838cf7fb-8d0d-4d7f-871e-d71dbefbb39b)
<<<<<< cid = 'configuration' (0x00000001)
<<<<<< type = 'set' (0x00000001)
<<<<<< Fields:
<<<<<< DevicePath = '/dev/cdc-wdm0'
<<<<<< Timeout = '30'
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 48
>>>>>> data = 03:00:00:80:30:00:00:00:01:00:00:00...
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] received message (translated)...
>>>>>> Header:
>>>>>> length = 48
>>>>>> type = command-done (0x80000003)
>>>>>> transaction = 1
>>>>>> Fragment header:
>>>>>> total = 1
>>>>>> current = 0
>>>>>> Contents:
>>>>>> status error = 'None' (0x00000000)
>>>>>> service = 'proxy-control' (838cf7fb-8d0d-4d7f-871e-d71dbefbb39b)
>>>>>> cid = 'configuration' (0x00000001)
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 16
<<<<<< data = 01:00:00:00:10:00:00:00:02:00:00:00...
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 16
<<<<<< type = open (0x00000001)
<<<<<< transaction = 2
<<<<<< Contents:
<<<<<< max control transfer = 4096
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 16
>>>>>> data = 01:00:00:80:10:00:00:00:02:00:00:00...
[14 Feb 2023, 14:50:28] [Debug] MBIM Device at '/dev/cdc-wdm0' ready
[14 Feb 2023, 14:50:28] [Debug] Asynchronously entering PIN...
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 80
<<<<<< data = 03:00:00:00:50:00:00:00:03:00:00:00...
[14 Feb 2023, 14:50:28] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 80
<<<<<< type = command (0x00000003)
<<<<<< transaction = 3
<<<<<< Fragment header:
<<<<<< total = 1
<<<<<< current = 0
<<<<<< Contents:
<<<<<< service = 'basic-connect' (a289cc33-bcbb-8b4f-b6b0-133ec2aae6df)
<<<<<< cid = 'pin' (0x00000004)
<<<<<< type = 'set' (0x00000001)
<<<<<< Fields:
<<<<<< PinType = 'pin1'
<<<<<< PinOperation = 'enter'
<<<<<< Pin = 'XXXX'
<<<<<< NewPin = '(null)'
[14 Feb 2023, 14:50:31] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 60
>>>>>> data = 03:00:00:80:3C:00:00:00:03:00:00:00...
[14 Feb 2023, 14:50:31] [Debug] [/dev/cdc-wdm0] received message (translated)...
>>>>>> Header:
>>>>>> length = 60
>>>>>> type = command-done (0x80000003)
>>>>>> transaction = 3
>>>>>> Fragment header:
>>>>>> total = 1
>>>>>> current = 0
>>>>>> Contents:
>>>>>> status error = 'None' (0x00000000)
>>>>>> service = 'basic-connect' (a289cc33-bcbb-8b4f-b6b0-133ec2aae6df)
>>>>>> cid = 'pin' (0x00000004)
>>>>>> Fields:
>>>>>> PinType = 'unknown'
>>>>>> PinState = 'unlocked'
>>>>>> RemainingAttempts = '0'
[/dev/cdc-wdm0] PIN operation successful
[/dev/cdc-wdm0] PIN info:
PIN state: 'unlocked'
[14 Feb 2023, 14:50:31] [Debug] [/dev/cdc-wdm0] closing device...
[14 Feb 2023, 14:50:31] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 12
<<<<<< data = 02:00:00:00:0C:00:00:00:04:00:00:00...
[14 Feb 2023, 14:50:31] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 12
<<<<<< type = close (0x00000002)
<<<<<< transaction = 4
[14 Feb 2023, 14:50:31] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 16
>>>>>> data = 02:00:00:80:10:00:00:00:04:00:00:00...
[14 Feb 2023, 14:50:31] [Debug] [/dev/cdc-wdm0] channel destroyed
[14 Feb 2023, 14:50:31] [Debug] Device closed
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] opening device...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] read max control message size from descriptors file: 4096
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 88
<<<<<< data = 03:00:00:00:58:00:00:00:01:00:00:00...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 88
<<<<<< type = command (0x00000003)
<<<<<< transaction = 1
<<<<<< Fragment header:
<<<<<< total = 1
<<<<<< current = 0
<<<<<< Contents:
<<<<<< service = 'proxy-control' (838cf7fb-8d0d-4d7f-871e-d71dbefbb39b)
<<<<<< cid = 'configuration' (0x00000001)
<<<<<< type = 'set' (0x00000001)
<<<<<< Fields:
<<<<<< DevicePath = '/dev/cdc-wdm0'
<<<<<< Timeout = '30'
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 48
>>>>>> data = 03:00:00:80:30:00:00:00:01:00:00:00...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] received message (translated)...
>>>>>> Header:
>>>>>> length = 48
>>>>>> type = command-done (0x80000003)
>>>>>> transaction = 1
>>>>>> Fragment header:
>>>>>> total = 1
>>>>>> current = 0
>>>>>> Contents:
>>>>>> status error = 'None' (0x00000000)
>>>>>> service = 'proxy-control' (838cf7fb-8d0d-4d7f-871e-d71dbefbb39b)
>>>>>> cid = 'configuration' (0x00000001)
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 16
<<<<<< data = 01:00:00:00:10:00:00:00:02:00:00:00...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 16
<<<<<< type = open (0x00000001)
<<<<<< transaction = 2
<<<<<< Contents:
<<<<<< max control transfer = 4096
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 16
>>>>>> data = 01:00:00:80:10:00:00:00:02:00:00:00...
$ sudo mbimcli -d /dev/cdc-wdm0 --device-open-proxy --set-radio-state=on -v
[14 Feb 2023, 14:52:35] [Debug] MBIM Device at '/dev/cdc-wdm0' ready
[14 Feb 2023, 14:52:35] [Debug] Asynchronously setting radio state to on...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 52
<<<<<< data = 03:00:00:00:34:00:00:00:03:00:00:00...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 52
<<<<<< type = command (0x00000003)
<<<<<< transaction = 3
<<<<<< Fragment header:
<<<<<< total = 1
<<<<<< current = 0
<<<<<< Contents:
<<<<<< service = 'basic-connect' (a289cc33-bcbb-8b4f-b6b0-133ec2aae6df)
<<<<<< cid = 'radio-state' (0x00000003)
<<<<<< type = 'set' (0x00000001)
<<<<<< Fields:
<<<<<< RadioState = 'on'
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 56
>>>>>> data = 03:00:00:80:38:00:00:00:03:00:00:00...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] received message (translated)...
>>>>>> Header:
>>>>>> length = 56
>>>>>> type = command-done (0x80000003)
>>>>>> transaction = 3
>>>>>> Fragment header:
>>>>>> total = 1
>>>>>> current = 0
>>>>>> Contents:
>>>>>> status error = 'Failure' (0x00000002)
>>>>>> service = 'basic-connect' (a289cc33-bcbb-8b4f-b6b0-133ec2aae6df)
>>>>>> cid = 'radio-state' (0x00000003)
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] closing device...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message...
<<<<<< RAW:
<<<<<< length = 12
<<<<<< data = 02:00:00:00:0C:00:00:00:04:00:00:00...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] sent message (translated)...
<<<<<< Header:
<<<<<< length = 12
<<<<<< type = close (0x00000002)
<<<<<< transaction = 4
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] received message...
>>>>>> RAW:
>>>>>> length = 16
>>>>>> data = 02:00:00:80:10:00:00:00:04:00:00:00...
[14 Feb 2023, 14:52:35] [Debug] [/dev/cdc-wdm0] channel destroyed
[14 Feb 2023, 14:52:35] [Debug] Device closed
error: operation failed: Failure
I'm not an expert there. Just tried to troubleshoot as far as I can and this is it for now. Somehow since an upgrade of ModemManager and even after linking the scripts as described (even as there's an obvious error in my opinion) it does not work. Not even does it ask me for the PIN automatically, which it did before the upgrade of kali.
So, any ideas? If that's not a bug with ModemManager, what else could it be?