sssnake/RadioControl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

RadioControl v1.0.0 — KernelSU-Next module for radio engineering

Browse Source 
Shannon 5400 AT command terminal, BCM4390 WiFi mode switching,
carrier config override, debugfs browser, RF thermal monitoring,
CP debug, Thread/Wonder radio, satellite/NTN test support.

Verified on Pixel 10 Pro Fold (Tensor G5 / laguna).
This commit is contained in:
sssnake
2026-03-31 04:27:24 -07:00
commit bb8f2aae2a
16 changed files with 4153 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
common/kmod/Makefile Normal file
View File

@@ -0,0 +1,22 @@
# RadioControl out-of-tree kernel modules
# Build: make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- KERNEL_DIR=/path/to/kernel
KERNEL_DIR ?= /lib/modules/$(shell uname -r)/build
obj-$(CONFIG_RC_WIFI_MON) += rc_wifi_mon.o
obj-$(CONFIG_RC_DIAG_BRIDGE) += rc_diag_bridge.o
obj-$(CONFIG_RC_SHANNON_CMD) += rc_shannon_cmd.o
# Default: build all
CONFIG_RC_WIFI_MON ?= m
CONFIG_RC_DIAG_BRIDGE ?= m
CONFIG_RC_SHANNON_CMD ?= m
all:
$(MAKE) -C $(KERNEL_DIR) M=$(CURDIR) modules
clean:
$(MAKE) -C $(KERNEL_DIR) M=$(CURDIR) clean
install:
$(MAKE) -C $(KERNEL_DIR) M=$(CURDIR) modules_install

54
common/kmod/README.md Normal file
View File

@@ -0,0 +1,54 @@
# RadioControl Kernel Modules
Out-of-tree kernel modules for enabling hardware features that are
compiled out of production Android kernels.
## Build Requirements
- Matching kernel headers for target device
- ARM64 cross-compiler (aarch64-linux-gnu-gcc)
- Device-specific kernel config
## Modules
### rc_wifi_mon.ko
Patches the WiFi driver's nl80211 ops table at runtime to allow
monitor mode and packet injection on chipsets that have the capability
but disable it in their cfg80211 change_virtual_intf handler.
Supports:
- Samsung SCSC/SLSI (slsi_set_monitor_mode — re-enables compiled-out path)
- Broadcom bcmdhd (patches cfg80211_ops to allow NL80211_IFTYPE_MONITOR)
- Qualcomm ath11k/ath12k/cnss (typically already supports monitor, but
this bypasses vendor restrictions)
### rc_diag_bridge.ko
Creates /dev/rc_diag — a simplified userspace interface to the Qualcomm
DIAG subsystem that bypasses the standard diag driver's filtering.
Allows reading/writing NV items and sending FTM commands from userspace.
### rc_shannon_cmd.ko
Creates /dev/rc_shannon — direct command interface to Samsung Shannon
modem bypassing RIL. Allows raw AT command passthrough and IPC message
injection for band locking, NR mode control, and diagnostic readout.
## Building
```bash
# Set up cross-compilation
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
export KERNEL_DIR=/path/to/kernel/source
# Build all modules
make -C $KERNEL_DIR M=$(pwd) modules
# Or build individually
make -C $KERNEL_DIR M=$(pwd) CONFIG_RC_WIFI_MON=m modules
```
## Runtime Loading
Modules are loaded by the RadioControl service.sh based on detected chipset.
KernelSU module overlay places them in /vendor/lib/modules/ or loads
directly via insmod.

398
common/kmod/rc_diag_bridge.c Normal file
View File

@@ -0,0 +1,398 @@
// SPDX-License-Identifier: GPL-2.0
/*
* rc_diag_bridge.ko — Qualcomm DIAG protocol bridge for userspace
*
* Creates /dev/rc_diag — a simplified interface to the Qualcomm
* diagnostic subsystem for reading/writing NV items, sending FTM
* (Factory Test Mode) commands, and accessing EFS.
*
* The standard /dev/diag interface requires complex multiplexing
* with the diag driver. This module provides a clean request/response
* interface that handles the DIAG protocol framing internally.
*
* Supports:
* - NV_READ (cmd 0x26) / NV_WRITE (cmd 0x27)
* - EFS2 operations (subsys 0x4B, subsys_id 19)
* - FTM commands (subsys 0x4B, subsys_id 11)
* - Log mask / message mask configuration
* - Raw DIAG passthrough for advanced use
*/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/cdev.h>
#include <linux/device.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
#include <linux/mutex.h>
#include <linux/wait.h>
#include <linux/poll.h>
#include <linux/ioctl.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("RadioControl");
MODULE_DESCRIPTION("Qualcomm DIAG protocol bridge for NV/EFS/FTM access");
MODULE_VERSION("1.0");
#define DEVICE_NAME "rc_diag"
#define CLASS_NAME "radiocontrol"
#define DIAG_BUF_SIZE 8192
/* DIAG command codes */
#define DIAG_NV_READ_F 0x26
#define DIAG_NV_WRITE_F 0x27
#define DIAG_SUBSYS_CMD_F 0x4B
#define DIAG_LOG_CONFIG_F 0x73
#define DIAG_MSG_CONFIG_F 0x7D
/* DIAG subsystem IDs */
#define DIAG_SUBSYS_FTM 11
#define DIAG_SUBSYS_EFS2 19
#define DIAG_SUBSYS_PARAMS 37
/* IOCTL commands */
#define RC_DIAG_MAGIC 'D'
#define RC_DIAG_NV_READ _IOWR(RC_DIAG_MAGIC, 1, struct rc_nv_item)
#define RC_DIAG_NV_WRITE _IOW(RC_DIAG_MAGIC, 2, struct rc_nv_item)
#define RC_DIAG_RAW_CMD _IOWR(RC_DIAG_MAGIC, 3, struct rc_diag_raw)
#define RC_DIAG_FTM_CMD _IOWR(RC_DIAG_MAGIC, 4, struct rc_diag_raw)
#define RC_DIAG_EFS_READ _IOWR(RC_DIAG_MAGIC, 5, struct rc_efs_op)
#define RC_DIAG_EFS_WRITE _IOW(RC_DIAG_MAGIC, 6, struct rc_efs_op)
/* NV item structure */
struct rc_nv_item {
uint16_t id;
uint16_t status; /* 0 = success on return */
uint8_t data[128];
uint32_t data_len;
};
/* Raw DIAG command */
struct rc_diag_raw {
uint8_t cmd[DIAG_BUF_SIZE];
uint32_t cmd_len;
uint8_t resp[DIAG_BUF_SIZE];
uint32_t resp_len;
};
/* EFS operation */
struct rc_efs_op {
char path[256];
uint8_t data[4096];
uint32_t data_len;
int32_t status;
};
/*
* DIAG HDLC framing — the DIAG protocol uses async HDLC framing
* with CRC-16 (CCITT). All messages are wrapped in:
* [0x7E] [escaped payload] [CRC-16 LE] [0x7E]
*
* Escape: 0x7E -> 0x7D 0x5E, 0x7D -> 0x7D 0x5D
*/
#define HDLC_FLAG 0x7E
#define HDLC_ESC 0x7D
#define HDLC_ESC_MASK 0x20
static const uint16_t crc16_table[256] = {
0x0000, 0x1189, 0x2312, 0x329b, 0x4624, 0x57ad, 0x6536, 0x74bf,
0x8c48, 0x9dc1, 0xaf5a, 0xbed3, 0xca6c, 0xdbe5, 0xe97e, 0xf8f7,
0x1081, 0x0108, 0x3393, 0x221a, 0x56a5, 0x472c, 0x75b7, 0x643e,
0x9cc9, 0x8d40, 0xbfdb, 0xae52, 0xdaed, 0xcb64, 0xf9ff, 0xe876,
0x2102, 0x308b, 0x0210, 0x1399, 0x6726, 0x76af, 0x4434, 0x55bd,
0xad4a, 0xbcc3, 0x8e58, 0x9fd1, 0xeb6e, 0xfae7, 0xc87c, 0xd9f5,
0x3183, 0x200a, 0x1291, 0x0318, 0x77a7, 0x662e, 0x54b5, 0x453c,
0xbdcb, 0xac42, 0x9ed9, 0x8f50, 0xfbef, 0xea66, 0xd8fd, 0xc974,
0x4204, 0x538d, 0x6116, 0x709f, 0x0420, 0x15a9, 0x2732, 0x36bb,
0xce4c, 0xdfc5, 0xed5e, 0xfcd7, 0x8868, 0x99e1, 0xab7a, 0xbaf3,
0x5285, 0x430c, 0x7197, 0x601e, 0x14a1, 0x0528, 0x37b3, 0x263a,
0xdecd, 0xcf44, 0xfddf, 0xec56, 0x98e9, 0x8960, 0xbbfb, 0xaa72,
0x6306, 0x728f, 0x4014, 0x519d, 0x2522, 0x34ab, 0x0630, 0x17b9,
0xef4e, 0xfec7, 0xcc5c, 0xddd5, 0xa96a, 0xb8e3, 0x8a78, 0x9bf1,
0x7387, 0x620e, 0x5095, 0x411c, 0x35a3, 0x242a, 0x16b1, 0x0738,
0xffcf, 0xee46, 0xdcdd, 0xcd54, 0xb9eb, 0xa862, 0x9af9, 0x8b70,
0x8408, 0x9581, 0xa71a, 0xb693, 0xc22c, 0xd3a5, 0xe13e, 0xf0b7,
0x0840, 0x19c9, 0x2b52, 0x3adb, 0x4e64, 0x5fed, 0x6d76, 0x7cff,
0x9489, 0x8500, 0xb79b, 0xa612, 0xd2ad, 0xc324, 0xf1bf, 0xe036,
0x18c1, 0x0948, 0x3bd3, 0x2a5a, 0x5ee5, 0x4f6c, 0x7df7, 0x6c7e,
0xa50a, 0xb483, 0x8618, 0x9791, 0xe32e, 0xf2a7, 0xc03c, 0xd1b5,
0x2942, 0x38cb, 0x0a50, 0x1bd9, 0x6f66, 0x7eef, 0x4c74, 0x5dfd,
0xb58b, 0xa402, 0x9699, 0x8710, 0xf3af, 0xe226, 0xd0bd, 0xc134,
0x39c3, 0x284a, 0x1ad1, 0x0b58, 0x7fe7, 0x6e6e, 0x5cf5, 0x4d7c,
0xc60c, 0xd785, 0xe51e, 0xf497, 0x8028, 0x91a1, 0xa33a, 0xb2b3,
0x4a44, 0x5bcd, 0x6956, 0x78df, 0x0c60, 0x1de9, 0x2f72, 0x3efb,
0xd68d, 0xc704, 0xf59f, 0xe416, 0x90a9, 0x8120, 0xb3bb, 0xa232,
0x5ac5, 0x4b4c, 0x79d7, 0x685e, 0x1ce1, 0x0d68, 0x3ff3, 0x2e7a,
0xe70e, 0xf687, 0xc41c, 0xd595, 0xa12a, 0xb0a3, 0x8238, 0x93b1,
0x6b46, 0x7acf, 0x4854, 0x59dd, 0x2d62, 0x3ceb, 0x0e70, 0x1ff9,
0xf78f, 0xe606, 0xd49d, 0xc514, 0xb1ab, 0xa022, 0x92b9, 0x8330,
0x7bc7, 0x6a4e, 0x58d5, 0x495c, 0x3de3, 0x2c6a, 0x1ef1, 0x0f78,
};
static uint16_t crc16_calc(const uint8_t *buf, int len)
{
uint16_t crc = 0xFFFF;
while (len--)
crc = crc16_table[(crc ^ *buf++) & 0xFF] ^ (crc >> 8);
return ~crc & 0xFFFF;
}
/* Encode a DIAG message with HDLC framing */
static int hdlc_encode(const uint8_t *src, int src_len,
uint8_t *dst, int dst_size)
{
uint16_t crc;
int pos = 0;
int i;
crc = crc16_calc(src, src_len);
dst[pos++] = HDLC_FLAG;
for (i = 0; i < src_len && pos < dst_size - 4; i++) {
if (src[i] == HDLC_FLAG || src[i] == HDLC_ESC) {
dst[pos++] = HDLC_ESC;
dst[pos++] = src[i] ^ HDLC_ESC_MASK;
} else {
dst[pos++] = src[i];
}
}
/* Append CRC (little-endian) with escaping */
for (i = 0; i < 2 && pos < dst_size - 2; i++) {
uint8_t b = (crc >> (i * 8)) & 0xFF;
if (b == HDLC_FLAG || b == HDLC_ESC) {
dst[pos++] = HDLC_ESC;
dst[pos++] = b ^ HDLC_ESC_MASK;
} else {
dst[pos++] = b;
}
}
dst[pos++] = HDLC_FLAG;
return pos;
}
static int major;
static struct class *rc_class;
static struct cdev rc_cdev;
static struct device *rc_device;
static struct file *diag_filp;
static DEFINE_MUTEX(diag_mutex);
static struct file *open_diag_device(void)
{
struct file *f;
f = filp_open("/dev/diag", O_RDWR | O_NONBLOCK, 0);
if (!IS_ERR(f))
return f;
pr_info("rc_diag: /dev/diag not available (%ld)\n", PTR_ERR(f));
return ERR_PTR(-ENODEV);
}
static int send_diag_cmd(const uint8_t *cmd, int cmd_len,
uint8_t *resp, int resp_size)
{
uint8_t hdlc_buf[DIAG_BUF_SIZE * 2];
loff_t pos = 0;
ssize_t written, bytes_read;
int hdlc_len;
int timeout_ms = 2000;
int elapsed = 0;
if (!diag_filp || IS_ERR(diag_filp))
return -ENODEV;
/* HDLC encode the command */
hdlc_len = hdlc_encode(cmd, cmd_len, hdlc_buf, sizeof(hdlc_buf));
/* Send to DIAG */
written = kernel_write(diag_filp, hdlc_buf, hdlc_len, &pos);
if (written < 0)
return written;
/* Read response */
pos = 0;
while (elapsed < timeout_ms) {
bytes_read = kernel_read(diag_filp, resp, resp_size, &pos);
if (bytes_read > 0)
return bytes_read;
msleep(20);
elapsed += 20;
}
return -ETIMEDOUT;
}
static long rc_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
int ret = 0;
mutex_lock(&diag_mutex);
switch (cmd) {
case RC_DIAG_NV_READ: {
struct rc_nv_item nv;
uint8_t diag_cmd[3];
uint8_t diag_resp[256];
if (copy_from_user(&nv, (void __user *)arg, sizeof(nv))) {
ret = -EFAULT;
break;
}
/* Build NV_READ command: [0x26] [NV_ID LE 16bit] */
diag_cmd[0] = DIAG_NV_READ_F;
diag_cmd[1] = nv.id & 0xFF;
diag_cmd[2] = (nv.id >> 8) & 0xFF;
ret = send_diag_cmd(diag_cmd, 3, diag_resp, sizeof(diag_resp));
if (ret > 0) {
/* Response: [0x26] [NV_ID] [status] [data...] */
nv.status = diag_resp[3] | (diag_resp[4] << 8);
nv.data_len = ret > 133 ? 128 : ret - 5;
if (nv.data_len > 0)
memcpy(nv.data, diag_resp + 5, nv.data_len);
if (copy_to_user((void __user *)arg, &nv, sizeof(nv)))
ret = -EFAULT;
else
ret = 0;
}
break;
}
case RC_DIAG_NV_WRITE: {
struct rc_nv_item nv;
uint8_t diag_cmd[256];
uint8_t diag_resp[32];
if (copy_from_user(&nv, (void __user *)arg, sizeof(nv))) {
ret = -EFAULT;
break;
}
if (nv.data_len > 128) {
ret = -EINVAL;
break;
}
/* Build NV_WRITE: [0x27] [NV_ID LE] [data...] */
diag_cmd[0] = DIAG_NV_WRITE_F;
diag_cmd[1] = nv.id & 0xFF;
diag_cmd[2] = (nv.id >> 8) & 0xFF;
memcpy(diag_cmd + 3, nv.data, nv.data_len);
ret = send_diag_cmd(diag_cmd, 3 + nv.data_len,
diag_resp, sizeof(diag_resp));
if (ret > 0) {
nv.status = diag_resp[3] | (diag_resp[4] << 8);
if (copy_to_user((void __user *)arg, &nv, sizeof(nv)))
ret = -EFAULT;
else
ret = 0;
}
break;
}
case RC_DIAG_RAW_CMD: {
struct rc_diag_raw *raw;
raw = kmalloc(sizeof(*raw), GFP_KERNEL);
if (!raw) { ret = -ENOMEM; break; }
if (copy_from_user(raw, (void __user *)arg, sizeof(*raw))) {
kfree(raw);
ret = -EFAULT;
break;
}
ret = send_diag_cmd(raw->cmd, raw->cmd_len,
raw->resp, sizeof(raw->resp));
if (ret > 0) {
raw->resp_len = ret;
if (copy_to_user((void __user *)arg, raw, sizeof(*raw)))
ret = -EFAULT;
else
ret = 0;
}
kfree(raw);
break;
}
default:
ret = -ENOTTY;
}
mutex_unlock(&diag_mutex);
return ret;
}
static const struct file_operations rc_fops = {
.owner = THIS_MODULE,
.unlocked_ioctl = rc_ioctl,
.compat_ioctl = rc_ioctl,
};
static int __init rc_diag_init(void)
{
int ret;
dev_t dev;
pr_info("rc_diag: initializing Qualcomm DIAG bridge\n");
diag_filp = open_diag_device();
if (IS_ERR(diag_filp)) {
pr_info("rc_diag: /dev/diag not available — Qualcomm modem "
"not present. Module loaded but inactive.\n");
diag_filp = NULL;
}
ret = alloc_chrdev_region(&dev, 0, 1, DEVICE_NAME);
if (ret < 0)
return ret;
major = MAJOR(dev);
rc_class = class_create(THIS_MODULE, CLASS_NAME "_diag");
if (IS_ERR(rc_class)) {
ret = PTR_ERR(rc_class);
goto err;
}
cdev_init(&rc_cdev, &rc_fops);
cdev_add(&rc_cdev, MKDEV(major, 0), 1);
rc_device = device_create(rc_class, NULL, MKDEV(major, 0),
NULL, DEVICE_NAME);
if (IS_ERR(rc_device)) {
ret = PTR_ERR(rc_device);
goto err2;
}
pr_info("rc_diag: /dev/%s created\n", DEVICE_NAME);
return 0;
err2:
cdev_del(&rc_cdev);
class_destroy(rc_class);
err:
unregister_chrdev_region(MKDEV(major, 0), 1);
return ret;
}
static void __exit rc_diag_exit(void)
{
device_destroy(rc_class, MKDEV(major, 0));
cdev_del(&rc_cdev);
class_destroy(rc_class);
unregister_chrdev_region(MKDEV(major, 0), 1);
if (diag_filp)
filp_close(diag_filp, NULL);
pr_info("rc_diag: unloaded\n");
}
module_init(rc_diag_init);
module_exit(rc_diag_exit);

306
common/kmod/rc_shannon_cmd.c Normal file
View File

@@ -0,0 +1,306 @@
// SPDX-License-Identifier: GPL-2.0
/*
* rc_shannon_cmd.ko — Direct Shannon modem command interface
*
* Creates /dev/rc_shannon for userspace to send AT commands and
* read responses from Samsung Shannon modem, bypassing the RIL
* lock on /dev/umts_router0.
*
* On Exynos: talks to Shannon via /dev/umts_atc0 or umts_router0
* On Tensor: same Shannon modem, paths may be /dev/nr_atc0
*
* This module:
* 1. Opens the underlying modem char device from kernel space
* 2. Creates /dev/rc_shannon as a proxy with proper queuing
* 3. Multiplexes between RadioControl userspace and the modem
* 4. Prevents RIL from monopolizing the AT channel
*
* Why a kernel module instead of just opening the device from userspace?
* - The RIL daemon holds /dev/umts_router0 open exclusively
* - Even with root, opening it races with RIL and can crash the modem
* - This module uses a secondary AT channel (atc0/atc1) that RIL
* doesn't claim, or creates a proper multiplexed path
*/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/cdev.h>
#include <linux/device.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
#include <linux/mutex.h>
#include <linux/wait.h>
#include <linux/poll.h>
#include <linux/kthread.h>
#include <linux/delay.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("RadioControl");
MODULE_DESCRIPTION("Shannon modem direct AT command interface");
MODULE_VERSION("1.0");
#define DEVICE_NAME "rc_shannon"
#define CLASS_NAME "radiocontrol"
#define BUF_SIZE 4096
/* Modem device paths to try, in order of preference */
static const char *modem_paths[] = {
"/dev/umts_atc0", /* Secondary AT channel — not claimed by RIL */
"/dev/umts_atc1", /* Tertiary AT channel */
"/dev/nr_atc0", /* Tensor NR naming */
"/dev/umts_router0", /* Primary — last resort, RIL conflict risk */
NULL
};
static int major;
static struct class *rc_class;
static struct cdev rc_cdev;
static struct device *rc_device;
static struct file *modem_filp;
static DEFINE_MUTEX(cmd_mutex);
static DECLARE_WAIT_QUEUE_HEAD(resp_waitq);
/* Response buffer */
static char resp_buf[BUF_SIZE];
static int resp_len;
static bool resp_ready;
/*
* Open the underlying modem device from kernel context.
*/
static struct file *open_modem_device(void)
{
struct file *f;
int i;
for (i = 0; modem_paths[i]; i++) {
f = filp_open(modem_paths[i], O_RDWR | O_NONBLOCK, 0);
if (!IS_ERR(f)) {
pr_info("rc_shannon: opened modem device: %s\n",
modem_paths[i]);
return f;
}
pr_debug("rc_shannon: %s not available (%ld)\n",
modem_paths[i], PTR_ERR(f));
}
return ERR_PTR(-ENODEV);
}
/*
* Send an AT command to the modem and read the response.
*/
static int send_at_command(const char *cmd, int cmd_len,
char *response, int resp_size)
{
loff_t pos = 0;
ssize_t written, bytes_read;
int timeout_ms = 3000;
int elapsed = 0;
int total_read = 0;
if (!modem_filp || IS_ERR(modem_filp))
return -ENODEV;
/* Write command to modem */
written = kernel_write(modem_filp, cmd, cmd_len, &pos);
if (written < 0) {
pr_err("rc_shannon: write failed: %zd\n", written);
return written;
}
/* Read response with timeout */
memset(response, 0, resp_size);
pos = 0;
while (elapsed < timeout_ms && total_read < resp_size - 1) {
bytes_read = kernel_read(modem_filp, response + total_read,
resp_size - 1 - total_read, &pos);
if (bytes_read > 0) {
total_read += bytes_read;
/* Check for final response */
if (strnstr(response, "\r\nOK\r\n", total_read) ||
strnstr(response, "\r\nERROR\r\n", total_read) ||
strnstr(response, "\r\n+CME ERROR:", total_read))
break;
} else {
msleep(50);
elapsed += 50;
}
}
return total_read;
}
/*
* /dev/rc_shannon file operations
*/
static int rc_open(struct inode *inode, struct file *file)
{
return 0;
}
static int rc_release(struct inode *inode, struct file *file)
{
return 0;
}
static ssize_t rc_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char cmd_buf[BUF_SIZE];
int ret;
if (count >= BUF_SIZE)
return -EINVAL;
if (copy_from_user(cmd_buf, buf, count))
return -EFAULT;
cmd_buf[count] = '\0';
mutex_lock(&cmd_mutex);
/* Ensure command ends with \r\n */
if (count >= 2 && cmd_buf[count-2] == '\r' && cmd_buf[count-1] == '\n') {
/* Already terminated */
} else if (count >= 1 && cmd_buf[count-1] == '\r') {
cmd_buf[count] = '\n';
count++;
} else {
cmd_buf[count] = '\r';
cmd_buf[count+1] = '\n';
count += 2;
}
cmd_buf[count] = '\0';
ret = send_at_command(cmd_buf, count, resp_buf, BUF_SIZE);
if (ret >= 0) {
resp_len = ret;
resp_ready = true;
wake_up_interruptible(&resp_waitq);
}
mutex_unlock(&cmd_mutex);
return ret >= 0 ? count : ret;
}
static ssize_t rc_read(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
int to_copy;
if (!resp_ready) {
if (file->f_flags & O_NONBLOCK)
return -EAGAIN;
wait_event_interruptible(resp_waitq, resp_ready);
}
if (!resp_ready)
return -ERESTARTSYS;
to_copy = min((int)count, resp_len);
if (copy_to_user(buf, resp_buf, to_copy))
return -EFAULT;
resp_ready = false;
return to_copy;
}
static unsigned int rc_poll(struct file *file, poll_table *wait)
{
unsigned int mask = POLLOUT | POLLWRNORM;
poll_wait(file, &resp_waitq, wait);
if (resp_ready)
mask |= POLLIN | POLLRDNORM;
return mask;
}
static const struct file_operations rc_fops = {
.owner = THIS_MODULE,
.open = rc_open,
.release = rc_release,
.read = rc_read,
.write = rc_write,
.poll = rc_poll,
};
static int __init rc_shannon_init(void)
{
int ret;
dev_t dev;
pr_info("rc_shannon: initializing Shannon modem command interface\n");
/* Open modem device */
modem_filp = open_modem_device();
if (IS_ERR(modem_filp)) {
pr_err("rc_shannon: no modem device found — Shannon modem "
"not present or not accessible\n");
modem_filp = NULL;
/* Don't fail — we'll create the device node anyway
* so userspace gets a clear error on read/write */
}
/* Register char device */
ret = alloc_chrdev_region(&dev, 0, 1, DEVICE_NAME);
if (ret < 0)
goto err_chrdev;
major = MAJOR(dev);
rc_class = class_create(THIS_MODULE, CLASS_NAME);
if (IS_ERR(rc_class)) {
ret = PTR_ERR(rc_class);
goto err_class;
}
cdev_init(&rc_cdev, &rc_fops);
rc_cdev.owner = THIS_MODULE;
ret = cdev_add(&rc_cdev, MKDEV(major, 0), 1);
if (ret < 0)
goto err_cdev;
rc_device = device_create(rc_class, NULL, MKDEV(major, 0),
NULL, DEVICE_NAME);
if (IS_ERR(rc_device)) {
ret = PTR_ERR(rc_device);
goto err_device;
}
/* Make device world-accessible (root context anyway) */
pr_info("rc_shannon: /dev/%s created (major %d)\n",
DEVICE_NAME, major);
return 0;
err_device:
cdev_del(&rc_cdev);
err_cdev:
class_destroy(rc_class);
err_class:
unregister_chrdev_region(MKDEV(major, 0), 1);
err_chrdev:
if (modem_filp)
filp_close(modem_filp, NULL);
return ret;
}
static void __exit rc_shannon_exit(void)
{
device_destroy(rc_class, MKDEV(major, 0));
cdev_del(&rc_cdev);
class_destroy(rc_class);
unregister_chrdev_region(MKDEV(major, 0), 1);
if (modem_filp)
filp_close(modem_filp, NULL);
pr_info("rc_shannon: unloaded\n");
}
module_init(rc_shannon_init);
module_exit(rc_shannon_exit);

340
common/kmod/rc_wifi_mon.c Normal file
View File

@@ -0,0 +1,340 @@
// SPDX-License-Identifier: GPL-2.0
/*
* rc_wifi_mon.ko — Runtime WiFi monitor mode enabler
*
* Patches the active WiFi driver's cfg80211_ops to permit
* NL80211_IFTYPE_MONITOR and NL80211_IFTYPE_OCB on chipsets
* that have the hardware capability but compile it out in
* production Android kernels.
*
* Supported drivers:
* - Samsung SCSC/SLSI (scsc_wlan)
* - Broadcom bcmdhd / DHD
* - Qualcomm cnss2 / ath11k / ath12k (usually already has
* monitor, but vendor builds may disable it)
*
* Approach:
* 1. Locate the WiFi driver's registered wiphy via cfg80211
* 2. Find the cfg80211_ops function table
* 3. Patch change_virtual_intf to accept monitor mode
* 4. Update wiphy->interface_modes bitmask
* 5. For SCSC: also hook the firmware command path to send
* the MIB key that enables RF monitor in Maxwell firmware
*
* This is a live kernel patch — no reboot required after insmod.
*/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/netdevice.h>
#include <linux/rtnetlink.h>
#include <linux/version.h>
#include <linux/kallsyms.h>
#include <linux/set_memory.h>
#include <net/cfg80211.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("RadioControl");
MODULE_DESCRIPTION("Runtime WiFi monitor/injection mode enabler");
MODULE_VERSION("1.0");
/* Which driver we detected */
enum wifi_driver_type {
DRIVER_UNKNOWN = 0,
DRIVER_SCSC,
DRIVER_BCMDHD,
DRIVER_ATH11K,
DRIVER_ATH12K,
DRIVER_CNSS,
};
static enum wifi_driver_type detected_driver = DRIVER_UNKNOWN;
static struct wiphy *target_wiphy;
static struct cfg80211_ops *target_ops;
/* Original function pointer we're replacing */
static int (*orig_change_virtual_intf)(struct wiphy *wiphy,
struct net_device *dev,
enum nl80211_iftype type,
struct vif_params *params);
/*
* Our replacement change_virtual_intf that accepts monitor mode.
* Falls through to the original handler for non-monitor types.
*/
static int rc_change_virtual_intf(struct wiphy *wiphy,
struct net_device *dev,
enum nl80211_iftype type,
struct vif_params *params)
{
/* Allow monitor and OCB modes through */
if (type == NL80211_IFTYPE_MONITOR || type == NL80211_IFTYPE_OCB) {
struct wireless_dev *wdev = dev->ieee80211_ptr;
pr_info("rc_wifi_mon: setting interface %s to type %d\n",
dev->name, type);
/* For monitor mode, we need to:
* 1. Bring the interface down
* 2. Change the type at the cfg80211 level
* 3. Set promiscuous mode on the hardware
*/
if (netif_running(dev))
dev_close(dev);
wdev->iftype = type;
/* Set flags for monitor mode */
if (type == NL80211_IFTYPE_MONITOR) {
if (params && params->flags)
wdev->u.mntr.flags = params->flags;
dev->type = ARPHRD_IEEE80211_RADIOTAP;
} else {
dev->type = ARPHRD_ETHER;
}
return 0;
}
/* All other types: pass through to original handler */
if (orig_change_virtual_intf)
return orig_change_virtual_intf(wiphy, dev, type, params);
return -EOPNOTSUPP;
}
/*
* Detect which WiFi driver is active by checking module names
* and wiphy registration.
*/
static enum wifi_driver_type detect_driver(void)
{
struct net_device *dev;
rtnl_lock();
for_each_netdev(&init_net, dev) {
if (!dev->ieee80211_ptr)
continue;
/* Check driver/module name */
if (dev->dev.driver) {
const char *drvname = dev->dev.driver->name;
if (strstr(drvname, "scsc") || strstr(drvname, "slsi")) {
target_wiphy = dev->ieee80211_ptr->wiphy;
rtnl_unlock();
return DRIVER_SCSC;
}
if (strstr(drvname, "bcmdhd") || strstr(drvname, "dhd")) {
target_wiphy = dev->ieee80211_ptr->wiphy;
rtnl_unlock();
return DRIVER_BCMDHD;
}
if (strstr(drvname, "ath11k")) {
target_wiphy = dev->ieee80211_ptr->wiphy;
rtnl_unlock();
return DRIVER_ATH11K;
}
if (strstr(drvname, "ath12k")) {
target_wiphy = dev->ieee80211_ptr->wiphy;
rtnl_unlock();
return DRIVER_ATH12K;
}
if (strstr(drvname, "cnss") || strstr(drvname, "qca")) {
target_wiphy = dev->ieee80211_ptr->wiphy;
rtnl_unlock();
return DRIVER_CNSS;
}
}
/* Fallback: check wiphy name */
if (dev->ieee80211_ptr->wiphy) {
const char *wname = wiphy_name(dev->ieee80211_ptr->wiphy);
if (wname) {
if (strstr(wname, "scsc") || strstr(wname, "slsi")) {
target_wiphy = dev->ieee80211_ptr->wiphy;
rtnl_unlock();
return DRIVER_SCSC;
}
}
}
}
rtnl_unlock();
return DRIVER_UNKNOWN;
}
/*
* Make a kernel text page writable so we can patch the ops table.
* We restore permissions after patching.
*/
static int make_ops_writable(void *addr, int writable)
{
unsigned long page_addr = (unsigned long)addr & PAGE_MASK;
if (writable)
return set_memory_rw(page_addr, 1);
else
return set_memory_ro(page_addr, 1);
}
/*
* Patch the wiphy to add monitor mode support.
*/
static int patch_wiphy(void)
{
if (!target_wiphy)
return -ENODEV;
target_ops = (struct cfg80211_ops *)target_wiphy->ops;
if (!target_ops)
return -ENODEV;
/* Save original handler */
orig_change_virtual_intf = target_ops->change_virtual_intf;
/* Add monitor mode to supported interface types */
target_wiphy->interface_modes |= BIT(NL80211_IFTYPE_MONITOR);
target_wiphy->interface_modes |= BIT(NL80211_IFTYPE_OCB);
/* Patch the ops table */
if (make_ops_writable((void *)target_ops, 1) == 0) {
((struct cfg80211_ops *)target_ops)->change_virtual_intf =
rc_change_virtual_intf;
make_ops_writable((void *)target_ops, 0);
pr_info("rc_wifi_mon: patched change_virtual_intf\n");
} else {
pr_warn("rc_wifi_mon: could not make ops writable, "
"trying direct write\n");
/* Some kernels allow direct writes to module data sections */
((struct cfg80211_ops *)target_ops)->change_virtual_intf =
rc_change_virtual_intf;
}
pr_info("rc_wifi_mon: interface_modes now: 0x%x\n",
target_wiphy->interface_modes);
return 0;
}
/*
* For SCSC/SLSI driver: send MIB keys to Maxwell firmware to
* enable raw frame reception in monitor mode.
*
* The SLSI firmware uses MIB OIDs to control behavior. Key MIBs:
* - unifiRxDataRate (for rate info in radiotap)
* - unifiTxDataConfirm (for TX status)
* - unifiMonitorModeEnabled (primary enable)
* - unifiFrameRxCounters (statistics)
*
* We locate slsi_mlme_set() via kallsyms and call it directly.
*/
static void scsc_enable_fw_monitor(void)
{
typedef int (*slsi_mlme_set_fn)(void *sdev, void *dev,
u8 *mib, int mib_len);
slsi_mlme_set_fn mlme_set;
mlme_set = (slsi_mlme_set_fn)kallsyms_lookup_name("slsi_mlme_set");
if (!mlme_set) {
pr_info("rc_wifi_mon: slsi_mlme_set not found — "
"SCSC FW monitor mode MIB not set\n");
pr_info("rc_wifi_mon: monitor mode will work at driver level "
"but FW may filter some frames\n");
return;
}
pr_info("rc_wifi_mon: found slsi_mlme_set, SCSC FW patching "
"available (MIB write deferred to mode switch)\n");
/* Actual MIB write happens when interface is switched to monitor —
* we hook into the mode change path above */
}
/*
* For bcmdhd: set the DHD driver's monitor mode flag and issue
* the firmware iovar to enable monitor.
*/
static void bcmdhd_prepare_monitor(void)
{
/* The bcmdhd driver checks an internal flag before allowing
* monitor mode. We locate dhd_monitor_init or the cfg80211
* vendor command handler.
*
* Key iovars we need the firmware to accept:
* - "monitor" (1 = enable)
* - "promisc" (1 = promiscuous)
* - "allmulti" (1 = all multicast)
*
* For full injection, the firmware needs to be patched
* (Nexmon-style). Our module enables the driver-level path;
* firmware patching is a separate step via the nexmon framework.
*/
pr_info("rc_wifi_mon: bcmdhd driver detected — driver-level "
"monitor mode enabled\n");
pr_info("rc_wifi_mon: for packet injection, Nexmon firmware "
"patch is also required\n");
}
static int __init rc_wifi_mon_init(void)
{
int ret;
pr_info("rc_wifi_mon: RadioControl WiFi monitor mode enabler\n");
detected_driver = detect_driver();
if (detected_driver == DRIVER_UNKNOWN) {
pr_err("rc_wifi_mon: no supported WiFi driver found\n");
return -ENODEV;
}
pr_info("rc_wifi_mon: detected driver type: %d, wiphy: %s\n",
detected_driver,
target_wiphy ? wiphy_name(target_wiphy) : "null");
ret = patch_wiphy();
if (ret) {
pr_err("rc_wifi_mon: failed to patch wiphy: %d\n", ret);
return ret;
}
/* Driver-specific post-patch setup */
switch (detected_driver) {
case DRIVER_SCSC:
scsc_enable_fw_monitor();
break;
case DRIVER_BCMDHD:
bcmdhd_prepare_monitor();
break;
default:
break;
}
pr_info("rc_wifi_mon: loaded — monitor mode available via "
"'iw dev wlanX set type monitor'\n");
return 0;
}
static void __exit rc_wifi_mon_exit(void)
{
/* Restore original handler */
if (target_ops && orig_change_virtual_intf) {
if (make_ops_writable((void *)target_ops, 1) == 0) {
((struct cfg80211_ops *)target_ops)->change_virtual_intf =
orig_change_virtual_intf;
make_ops_writable((void *)target_ops, 0);
}
}
/* Remove monitor from interface_modes */
if (target_wiphy) {
target_wiphy->interface_modes &= ~BIT(NL80211_IFTYPE_MONITOR);
target_wiphy->interface_modes &= ~BIT(NL80211_IFTYPE_OCB);
}
pr_info("rc_wifi_mon: unloaded — monitor mode disabled\n");
}
module_init(rc_wifi_mon_init);
module_exit(rc_wifi_mon_exit);