Lenovo/X1C FM350-GL FCC Unlock
I own a X1C Gen 10 with the FM350-GL and was able to reverse engineer the unlock mechanism using the Lenovo beta "non-US" unlock utility. It's a convoluted hash scheme using a challenge code from the modem along with an entry in the DMI tables. Here's the quick 'n dirty python script that implements this.
#!/usr/bin/python
import hashlib
import sys
import subprocess
challenge_str = subprocess.check_output("/usr/bin/mbimcli --device-open-proxy --device=/dev/wwan0mbim0 --set-fcc-lock 0,0", shell=True).decode('utf-8').split(':')
if (len(challenge_str) == 2 and challenge_str[1].strip() == 'unlocked'):
print("Modem already unlocked!")
sys.exit(0)
if (len(challenge_str) < 3):
print("Invalid response from mbimbcli: {}".format(challenge_str))
sys.exit(1)
challenge = int(challenge_str[2].strip(), 10).to_bytes(4, byteorder='little')
dmi_val = subprocess.check_output('/usr/sbin/dmidecode -H 0x0034', shell=True).decode('utf-8').split(':')
if (len(dmi_val) < 3):
print("Invalid response from dmidecode: {}".format(dmi_val))
sys.exit(1)
devcode = bytes(dmi_val[2].strip(), 'utf-8')
m = hashlib.sha256()
m.update(devcode)
devcode_hash = m.digest()[:4]
m = hashlib.sha256()
m.update(challenge)
m.update(devcode_hash)
resp = str(int.from_bytes(m.digest()[:4], byteorder='little'))
result = subprocess.check_output("/usr/bin/mbimcli --device-open-proxy --device=/dev/wwan0mbim0 --set-fcc-lock 1,{}".format(resp), shell=True).decode('utf-8').split(':')[1].strip()
if (result != 'unlocked'):
print("Modem didn't unlock!")
sys.exit(1)
sys.exit(0)
I would love to get this into the tree, but admittedly by bash skills aren't super good, so I'm putting it here so others can benefit and perhaps someone can do that bash translation
Edited by Evan Anderson