common/kmod/README.md

# RadioControl Kernel Modules

Out-of-tree kernel modules for enabling hardware features that are
compiled out of production Android kernels.

Target: Pixel 10 Pro Fold (rango), Tensor G5, kernel 6.6.102

## Build Requirements

- Matching kernel headers for target device (kernel 6.6.x)
- ARM64 cross-compiler (aarch64-linux-gnu-gcc)
- Device-specific kernel config (CONFIG_KPROBES=y, CONFIG_MODULES=y)

## Modules

### rc_wifi_mon.ko
Patches the WiFi driver's nl80211 ops table at runtime to allow
monitor mode and packet injection on chipsets that have the capability
but disable it in their cfg80211 change_virtual_intf handler.

Features:
- Uses kprobes-based kallsyms lookup (works on kernel 5.7+)
- Patches wiphy->interface_modes bitmask for monitor + OCB
- Driver-specific firmware iovars for BCM4390 (monitor, promisc, allmulti)
- SCSC/SLSI MIB patching for Maxwell firmware monitor enable
- sysfs status at /sys/kernel/rc_wifi_mon/status
- Clean restore on module unload

Supports:
- Broadcom bcmdhd4390 (BCM4390, primary target)
- Samsung SCSC/SLSI (Exynos WiFi)
- Qualcomm ath11k/ath12k/cnss

### rc_shannon_cmd.ko
Creates /dev/rc_shannon — direct command interface to Samsung Shannon
modem bypassing RIL. Allows raw AT command passthrough and IPC message
injection for band locking, NR mode control, and diagnostic readout.

Features:
- Auto-detects modem path (umts_atc0, nr_atc0, umts_router)
- URC (unsolicited result code) buffering with ring buffer (64 entries)
- Structured ioctl interface (RC_SHANNON_AT_CMD) with configurable timeout
- Simple read/write interface for basic use
- Statistics tracking (cmds sent, bytes tx/rx)
- Modem connectivity test on load
- Kernel 6.4+ class_create compatibility

### rc_diag_bridge.ko
Creates /dev/rc_diag — a simplified userspace interface to the Qualcomm
DIAG subsystem. Handles HDLC framing internally.

Features:
- NV item read/write (DIAG_NV_READ_F / DIAG_NV_WRITE_F)
- FTM commands (Factory Test Mode) via subsystem dispatch
- EFS2 file operations (open, read, write, stat, unlink)
- Full HDLC encode/decode with CRC-16 CCITT validation
- Modem version query
- Raw DIAG passthrough for advanced use
- Graceful inactive mode when no Qualcomm modem present

Note: This module is for Qualcomm-baseband devices. On Tensor G5 with
Shannon 5400, use rc_shannon_cmd instead. rc_diag_bridge will load but
remain inactive.

## Shared Header

`rc_ioctl.h` contains all ioctl definitions for both modules. Include
this from userspace C code to use the structured command interfaces.

## Building

```bash
# Set up cross-compilation
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
export KERNEL_DIR=/path/to/kernel/source

# Build all modules
make

# Build a single module
make MOD=rc_wifi_mon

# Package .ko files for the module zip
make package

# Clean
make clean
```

## Runtime Loading

Modules are loaded by RadioControl's service.sh based on detected chipset.
The service automatically:
1. Detects SoC type (Tensor/Exynos/Qualcomm)
2. Loads the appropriate modules (rc_wifi_mon + rc_shannon_cmd for Tensor)
3. Skips rc_diag_bridge on non-Qualcomm devices
4. Verifies module load via /proc/modules
RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00			`# RadioControl Kernel Modules`

			`Out-of-tree kernel modules for enabling hardware features that are`
			`compiled out of production Android kernels.`

v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`Target: Pixel 10 Pro Fold (rango), Tensor G5, kernel 6.6.102`

RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00			`## Build Requirements`

v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`- Matching kernel headers for target device (kernel 6.6.x)`
RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00			`- ARM64 cross-compiler (aarch64-linux-gnu-gcc)`
v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`- Device-specific kernel config (CONFIG_KPROBES=y, CONFIG_MODULES=y)`
RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00
			`## Modules`

			`### rc_wifi_mon.ko`
			`Patches the WiFi driver's nl80211 ops table at runtime to allow`
			`monitor mode and packet injection on chipsets that have the capability`
			`but disable it in their cfg80211 change_virtual_intf handler.`

v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`Features:`
			`- Uses kprobes-based kallsyms lookup (works on kernel 5.7+)`
			`- Patches wiphy->interface_modes bitmask for monitor + OCB`
			`- Driver-specific firmware iovars for BCM4390 (monitor, promisc, allmulti)`
			`- SCSC/SLSI MIB patching for Maxwell firmware monitor enable`
			`- sysfs status at /sys/kernel/rc_wifi_mon/status`
			`- Clean restore on module unload`
RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00
v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`Supports:`
			`- Broadcom bcmdhd4390 (BCM4390, primary target)`
			`- Samsung SCSC/SLSI (Exynos WiFi)`
			`- Qualcomm ath11k/ath12k/cnss`
RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00
			`### rc_shannon_cmd.ko`
			`Creates /dev/rc_shannon — direct command interface to Samsung Shannon`
			`modem bypassing RIL. Allows raw AT command passthrough and IPC message`
			`injection for band locking, NR mode control, and diagnostic readout.`

v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`Features:`
			`- Auto-detects modem path (umts_atc0, nr_atc0, umts_router)`
			`- URC (unsolicited result code) buffering with ring buffer (64 entries)`
			`- Structured ioctl interface (RC_SHANNON_AT_CMD) with configurable timeout`
			`- Simple read/write interface for basic use`
			`- Statistics tracking (cmds sent, bytes tx/rx)`
			`- Modem connectivity test on load`
			`- Kernel 6.4+ class_create compatibility`

			`### rc_diag_bridge.ko`
			`Creates /dev/rc_diag — a simplified userspace interface to the Qualcomm`
			`DIAG subsystem. Handles HDLC framing internally.`

			`Features:`
			`- NV item read/write (DIAG_NV_READ_F / DIAG_NV_WRITE_F)`
			`- FTM commands (Factory Test Mode) via subsystem dispatch`
			`- EFS2 file operations (open, read, write, stat, unlink)`
			`- Full HDLC encode/decode with CRC-16 CCITT validation`
			`- Modem version query`
			`- Raw DIAG passthrough for advanced use`
			`- Graceful inactive mode when no Qualcomm modem present`

			`Note: This module is for Qualcomm-baseband devices. On Tensor G5 with`
			`Shannon 5400, use rc_shannon_cmd instead. rc_diag_bridge will load but`
			`remain inactive.`

			`## Shared Header`

			`rc_ioctl.h` contains all ioctl definitions for both modules. Include
			`this from userspace C code to use the structured command interfaces.`

RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00			`## Building`

			```bash
			`# Set up cross-compilation`
			`export ARCH=arm64`
			`export CROSS_COMPILE=aarch64-linux-gnu-`
			`export KERNEL_DIR=/path/to/kernel/source`

			`# Build all modules`
v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`make`

			`# Build a single module`
			`make MOD=rc_wifi_mon`

			`# Package .ko files for the module zip`
			`make package`
RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00
v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`# Clean`
			`make clean`
RadioControl v1.0.0 — KernelSU-Next module for radio engineering Shannon 5400 AT command terminal, BCM4390 WiFi mode switching, carrier config override, debugfs browser, RF thermal monitoring, CP debug, Thread/Wonder radio, satellite/NTN test support. Verified on Pixel 10 Pro Fold (Tensor G5 / laguna). 2026-03-31 04:27:24 -07:00			```

			`## Runtime Loading`

v1.1.0: Complete kernel modules, fix WebUI bugs Kernel modules fully implemented for kernel 6.6/Tensor G5: - rc_wifi_mon: kprobes kallsyms, bcmdhd iovar monitor/promisc/allmulti, sysfs status at /sys/kernel/rc_wifi_mon/, clean unpatch on unload - rc_shannon_cmd: ioctl interface (AT_CMD, GET_URC, SET_TIMEOUT, GET_STATUS, FLUSH), URC ring buffer (64 entries), modem probe on init - rc_diag_bridge: HDLC decode with CRC-16 validation, FTM ioctl, EFS read/write/stat/unlink, version query, subsystem dispatch - rc_ioctl.h: shared userspace header for all ioctl definitions - All modules handle class_create() API change in kernel 6.4+ WebUI fixes: - Fix malformed WiFi firmware JSON output - Add vonr/vt/apn/nradv to carrier config read endpoint - Fix carrier toggle state loading in frontend - Fix redundant replace in kmod toggle logic Makefile: single-module build (MOD=), make package target uninstall.sh: unload kernel modules before cleanup 2026-03-31 20:25:44 -07:00			`Modules are loaded by RadioControl's service.sh based on detected chipset.`
			`The service automatically:`
			`1. Detects SoC type (Tensor/Exynos/Qualcomm)`
			`2. Loads the appropriate modules (rc_wifi_mon + rc_shannon_cmd for Tensor)`
			`3. Skips rc_diag_bridge on non-Qualcomm devices`
			`4. Verifies module load via /proc/modules`