[GH-ISSUE #212] RM520n VID/PID switch. #68

Open
opened 2026-02-27 14:38:56 +03:00 by kerem · 5 comments

Originally created by @reconnectrus on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/iamromulan/quectel-rgmii-toolkit/issues/212

Hello, I was reading through your issues @iamromulan @1alessandro1 and I saw discussion of changing the PCIe VID/PID on the RM520n

https://github.com/fwupd/fwupd/issues/8382#issuecomment-3239201651

Is this possible? I tried reading the rawdata partition and found only USB VID/PID configuration and also decompiled all the binaries of the sysfs and didn't find any strings relating to setting the PCIe VID/PID. But when flashing different firmware (HP to Generic or back), the VID/PID changes. Any help?

I can access both the PCIe EDL from Windows and Linux and the PBL EDL (usb) by shorting two pins.


@iamromulan commented on GitHub (Feb 12, 2026):

The PCIe endpoint initialization (when mhi BHI appears) happens in SBL so it's probably in the sbl image.

How'd you read rawdata?

Also you might be interested in my qdl fork qfenix. Static binaries available under releases. It's still a work in progress but a lot of things are already working. Hadn't had a chance to fully test on PCIe modems yet though.
https://github.com/iamromulan/qfenix/releases


@reconnectrus commented on GitHub (Feb 12, 2026):

I made a little tool to dump rawdata with correct sizes and rawdata IDs.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <errno.h>

#define QUEC_DEVICE        "/proc/quec_rawdata"
#define QUEC_IOCTL_CMD     0x50001
#define QUEC_MAX_DATA      512
#define MAX_ITEM_ID        1024
#define MAX_CONSEC_FAIL    512

/* Request buffer passed to the ioctl: item ID in, length and data out. */
#pragma pack(push, 1)
struct quec_rawdata_req {
    uint32_t item;
    uint32_t length;              /* MUST be 32-bit for armhf */
    uint8_t  data[QUEC_MAX_DATA];
};
#pragma pack(pop)

/* Print len bytes of buf as hex, 16 bytes per line with an offset prefix. */
static void hex_dump(const uint8_t *buf, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) {
        if (i % 16 == 0)
            printf("%04x: ", i);

        printf("%02x ", buf[i]);

        if ((i % 16 == 15) || (i == len - 1))
            printf("\n");
    }
}

int main(void)
{
    int fd;
    struct quec_rawdata_req req;
    int consecutive_fail = 0;

    fd = open(QUEC_DEVICE, O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    printf("Dumping %s\n\n", QUEC_DEVICE);

    /* Probe every item ID; print only those that return a sane length. */
    for (uint32_t item = 0; item < MAX_ITEM_ID; item++) {
        memset(&req, 0, sizeof(req));
        req.item = item;

        if (ioctl(fd, QUEC_IOCTL_CMD, &req) == 0 &&
            req.length > 0 &&
            req.length <= QUEC_MAX_DATA)
        {
            printf("Item %u: %u bytes\n", item, req.length);
            hex_dump(req.data, req.length);
            printf("\n");

            consecutive_fail = 0;
        }
        else {
            consecutive_fail++;

            if (consecutive_fail >= MAX_CONSEC_FAIL) {
                printf("Stopping after %d consecutive failures\n",
                       MAX_CONSEC_FAIL);
                break;
            }
        }
    }

    close(fd);
    return 0;
}
```

Or you can just dd /dev/mtd3


@1alessandro1 commented on GitHub (Feb 13, 2026):

`#include <stdio.h>` was missing

I would also check a Python equivalent for those who don't want to deal with cross compiling and have the rawdata.bin file dumped from 9008.

Just in case
`arm-linux-gnueabihf-gcc -static rawdata_tool.c -o rawdata_tool`
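
An added example, not part of the original thread or of any project mentioned in it: a Python port of the C dump loop above, using the same device path, ioctl number and packed request layout. It assumes a Python 3.8+ interpreter is available on the module itself, which the thread does not state; `dump_items`, `parse_response` and `hex_dump` are names chosen for this example.

```python
import fcntl
import struct

QUEC_DEVICE = "/proc/quec_rawdata"
QUEC_IOCTL_CMD = 0x50001
QUEC_MAX_DATA = 512
# Same packed layout as struct quec_rawdata_req: u32 item, u32 length, data[512]
REQ = struct.Struct("<II%ds" % QUEC_MAX_DATA)


def parse_response(buf):
    """Return the item payload if the reported length is usable, else None."""
    _item, length, data = REQ.unpack(bytes(buf))
    if 0 < length <= QUEC_MAX_DATA:
        return data[:length]
    return None


def dump_items(do_ioctl, max_item=1024, max_consec_fail=512):
    """Probe item IDs; do_ioctl(buf) fills buf in place or raises OSError."""
    found, fails = {}, 0
    for item in range(max_item):
        buf = bytearray(REQ.pack(item, 0, b""))  # zeroed request, item set
        try:
            do_ioctl(buf)
            payload = parse_response(buf)
        except OSError:
            payload = None
        if payload is None:
            fails += 1
            if fails >= max_consec_fail:  # same stop rule as the C tool
                break
            continue
        fails = 0
        found[item] = payload
    return found


def hex_dump(data):
    """Format bytes as offset-prefixed hex, 16 bytes per line."""
    return "\n".join(
        "%04x: %s" % (off, data[off:off + 16].hex(" "))
        for off in range(0, len(data), 16))


if __name__ == "__main__":
    with open(QUEC_DEVICE, "rb") as dev:
        items = dump_items(lambda b: fcntl.ioctl(dev, QUEC_IOCTL_CMD, b))
    for item, payload in items.items():
        print("Item %d: %d bytes\n%s\n" % (item, len(payload), hex_dump(payload)))
```
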


@reconnectrus commented on GitHub (Feb 13, 2026):

@1alessandro1 This needs to be run on the device itself with adb.
You could also just dd /dev/mtd3
But I haven't figured out how to dump it in EDL 9008 mode because I'm not sure the RM520N firehose programmer (prog-firehose-lite) supports reading from the flash.


@iamromulan commented on GitHub (Feb 13, 2026):

> @1alessandro1 This needs to be run on the device itself with adb.
> You could also just dd /dev/mtd3
> But I haven't figured out how to dump it in EDL 9008 mode because I'm not sure the RM520N firehose programmer (prog-firehose-lite) supports reading from the flash.

Can either use dd save to usrdata as rawdata.bin then ADB pull your rawdata.bin

Or

Use my new tool qfenix. Yep the 520 programmer works for reading :)

Usage for my tool would be:
cd to dir with programmer
(sudo) `qfenix read -s nand rawdata -o ./`

Or if you want it all:
(sudo) `qfenix readall -s nand -o ./`

As an added bonus if you want to generate a read and erase+program XML for the entirety of the module's flash:
(sudo) `qfenix printgpt -s nand --make-xml=read --make-xml=program`
