[GH-ISSUE #212] RM520n VID/PID switch. #68

New issue

Open

opened 2026-02-27 14:38:56 +03:00 by kerem · 5 comments

kerem commented 2026-02-27 14:38:56 +03:00

Owner

Copy link

Originally created by @reconnectrus on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/iamromulan/quectel-rgmii-toolkit/issues/212

Hello, i was reading through your issues @iamromulan @1alessandro1 and I saw discussion of changing the PCIe VID/PID on the RM520n

https://github.com/fwupd/fwupd/issues/8382#issuecomment-3239201651

Is this possible? I tried reading the rawdata partition and found only USB VID/PID configuration and also decompiled all the binaries of the sysfs and didn't find any strings relating to setting the PCIe VID/PID. But when flashing different firmware(HP to Generic or back), the vid/pid changes. Any help?

I can access both the PCIe EDL from Windows and Linux and the PBL EDL (usb) by shorting two pins.

Originally created by @reconnectrus on GitHub (Feb 12, 2026). Original GitHub issue: https://github.com/iamromulan/quectel-rgmii-toolkit/issues/212 Hello, i was reading through your issues @iamromulan @1alessandro1 and I saw discussion of changing the PCIe VID/PID on the RM520n https://github.com/fwupd/fwupd/issues/8382#issuecomment-3239201651 Is this possible? I tried reading the rawdata partition and found only USB VID/PID configuration and also decompiled all the binaries of the sysfs and didn't find any strings relating to setting the PCIe VID/PID. But when flashing different firmware(HP to Generic or back), the vid/pid changes. Any help? I can access both the PCIe EDL from Windows and Linux and the PBL EDL (usb) by shorting two pins.

kerem commented 2026-02-27 14:38:56 +03:00

Author

Owner

Copy link

@iamromulan commented on GitHub (Feb 12, 2026):

The PCIe endpoint initialization ( when mhi BHI appears) happens in SBL so it's probably in the sbl image.

How'd you read rawdata?

Also you might be interested in my qdl fork qfenix. Static binaries available under releases. Its still a work in progress but a lot of things are already working. Hadn't had a chance to fully test on PCIe modems yet though.
https://github.com/iamromulan/qfenix/releases

<!-- gh-comment-id:3891887564 --> @iamromulan commented on GitHub (Feb 12, 2026): The PCIe endpoint initialization ( when mhi BHI appears) happens in SBL so it's probably in the sbl image. How'd you read rawdata? Also you might be interested in my qdl fork qfenix. Static binaries available under releases. Its still a work in progress but a lot of things are already working. Hadn't had a chance to fully test on PCIe modems yet though. https://github.com/iamromulan/qfenix/releases

kerem commented 2026-02-27 14:38:56 +03:00

Author

Owner

Copy link

@reconnectrus commented on GitHub (Feb 12, 2026):

I made a little tool to dump rawdata with correct sizes and rawdata IDs.

#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <errno.h>

#define QUEC_DEVICE        "/proc/quec_rawdata"
#define QUEC_IOCTL_CMD     0x50001
#define QUEC_MAX_DATA      512
#define MAX_ITEM_ID        1024
#define MAX_CONSEC_FAIL    512

#pragma pack(push, 1)
struct quec_rawdata_req {
    uint32_t item;
    uint32_t length;              /* MUST be 32-bit for armhf */
    uint8_t  data[QUEC_MAX_DATA];
};
#pragma pack(pop)

static void hex_dump(const uint8_t *buf, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) {

        if (i % 16 == 0)
            printf("%04x: ", i);

        printf("%02x ", buf[i]);

        if ((i % 16 == 15) || (i == len - 1))
            printf("\n");
    }
}

int main(void)
{
    int fd;
    struct quec_rawdata_req req;
    int consecutive_fail = 0;

    fd = open(QUEC_DEVICE, O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    printf("Dumping %s\n\n", QUEC_DEVICE);

    for (uint32_t item = 0; item < MAX_ITEM_ID; item++) {

        memset(&req, 0, sizeof(req));
        req.item = item;

        if (ioctl(fd, QUEC_IOCTL_CMD, &req) == 0 &&
            req.length > 0 &&
            req.length <= QUEC_MAX_DATA)
        {
            printf("Item %u: %u bytes\n", item, req.length);
            hex_dump(req.data, req.length);
            printf("\n");

            consecutive_fail = 0;
        }
        else {
            consecutive_fail++;

            if (consecutive_fail >= MAX_CONSEC_FAIL) {
                printf("Stopping after %d consecutive failures\n",
                       MAX_CONSEC_FAIL);
                break;
            }
        }
    }

    close(fd);
    return 0;
}

Or you can just dd /dev/mtd3

<!-- gh-comment-id:3892613092 --> @reconnectrus commented on GitHub (Feb 12, 2026): I made a little tool to dump rawdata with correct sizes and rawdata IDs. ```#include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <errno.h> #define QUEC_DEVICE "/proc/quec_rawdata" #define QUEC_IOCTL_CMD 0x50001 #define QUEC_MAX_DATA 512 #define MAX_ITEM_ID 1024 #define MAX_CONSEC_FAIL 512 #pragma pack(push, 1) struct quec_rawdata_req { uint32_t item; uint32_t length; /* MUST be 32-bit for armhf */ uint8_t data[QUEC_MAX_DATA]; }; #pragma pack(pop) static void hex_dump(const uint8_t *buf, uint32_t len) { for (uint32_t i = 0; i < len; i++) { if (i % 16 == 0) printf("%04x: ", i); printf("%02x ", buf[i]); if ((i % 16 == 15) || (i == len - 1)) printf("\n"); } } int main(void) { int fd; struct quec_rawdata_req req; int consecutive_fail = 0; fd = open(QUEC_DEVICE, O_RDONLY); if (fd < 0) { perror("open"); return 1; } printf("Dumping %s\n\n", QUEC_DEVICE); for (uint32_t item = 0; item < MAX_ITEM_ID; item++) { memset(&req, 0, sizeof(req)); req.item = item; if (ioctl(fd, QUEC_IOCTL_CMD, &req) == 0 && req.length > 0 && req.length <= QUEC_MAX_DATA) { printf("Item %u: %u bytes\n", item, req.length); hex_dump(req.data, req.length); printf("\n"); consecutive_fail = 0; } else { consecutive_fail++; if (consecutive_fail >= MAX_CONSEC_FAIL) { printf("Stopping after %d consecutive failures\n", MAX_CONSEC_FAIL); break; } } } close(fd); return 0; } ``` Or you can just dd /dev/mtd3

kerem commented 2026-02-27 14:38:56 +03:00

Author

Owner

Copy link

@1alessandro1 commented on GitHub (Feb 13, 2026):

#include <stdio.h> was missing

I would also check a python equivalent for those who don't want to deal with cross compiling and have the rawdata.bin file dumped from 9008.

Just in case
arm-linux-gnueabihf-gcc -static rawdata_tool.c -o rawdata_tool

<!-- gh-comment-id:3894300503 --> @1alessandro1 commented on GitHub (Feb 13, 2026): `#include <stdio.h>` was missing I would also check a python equivalent for those who don't want to deal with cross compiling and have the rawdata.bin file dumped from 9008. Just in case `arm-linux-gnueabihf-gcc -static rawdata_tool.c -o rawdata_tool`

kerem commented 2026-02-27 14:38:56 +03:00

Author

Owner

Copy link

@reconnectrus commented on GitHub (Feb 13, 2026):

@1alessandro1 This needs to be ran on the device itself with adb.
You could also just dd /dev/mtd3
But I haven't figured out how to dump it in EDL 9008 mode because I'm not sure the RM520N firehose programmer(prog-firehose-lite) supports reading from the flash.

<!-- gh-comment-id:3895360564 --> @reconnectrus commented on GitHub (Feb 13, 2026): @1alessandro1 This needs to be ran on the device itself with adb. You could also just dd /dev/mtd3 But I haven't figured out how to dump it in EDL 9008 mode because I'm not sure the RM520N firehose programmer(prog-firehose-lite) supports reading from the flash.

kerem commented 2026-02-27 14:38:56 +03:00

Author

Owner

Copy link

@iamromulan commented on GitHub (Feb 13, 2026):

@1alessandro1 This needs to be ran on the device itself with adb.
You could also just dd /dev/mtd3
But I haven't figured out how to dump it in EDL 9008 mode because I'm not sure the RM520N firehose programmer(prog-firehose-lite) supports reading from the flash.

Can either use dd save to usrdata as rawdata.bin then ADB pull your rawdata.bin

Or

Use my new tool qfenix. Yep the 520 programer works for reading :)

Usage for my tool would be:
cd to dir with programer
(sudo) qfenix read -s nand rawdata -o ./

Or if you want it all:
(sudo) qfenix readall -s nand -o ./

As an added bonus if you want to generate a read and erase+program XML for the entirety of the modules flash:
(sudo) qfenix printgpt -s nand --make-xml=read --make-xml=program

<!-- gh-comment-id:3897361348 --> @iamromulan commented on GitHub (Feb 13, 2026): > @1alessandro1 This needs to be ran on the device itself with adb. > You could also just dd /dev/mtd3 > But I haven't figured out how to dump it in EDL 9008 mode because I'm not sure the RM520N firehose programmer(prog-firehose-lite) supports reading from the flash. > Can either use dd save to usrdata as rawdata.bin then ADB pull your rawdata.bin Or Use my new tool qfenix. Yep the 520 programer works for reading :) Usage for my tool would be: cd to dir with programer (sudo) `qfenix read -s nand rawdata -o ./` Or if you want it all: (sudo) `qfenix readall -s nand -o ./` As an added bonus if you want to generate a read and erase+program XML for the entirety of the modules flash: (sudo) `qfenix printgpt -s nand --make-xml=read --make-xml=program`

kerem referenced this issue 2026-02-27 14:39:06 +03:00

[PR #68] [MERGED] Hot fix and band locking improvement and 502 support #111

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

development-SDXLEMUR

SDXPINN

development-SDXPINN

SDXLEMUR

overhaul-SDXLEMUR

No results found.

Labels

Clear labels   

pull-request

Mirrored from GitHub Pull Request

No labels

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/quectel-rgmii-toolkit#68

No description provided.