Unfortunately, aarch32 lacks single-stepping (even in ARMv8). Qualcomm Programmer eMMC UFS Firehose Download folder ArykTECH 349 subscribers Subscribe 40 Share 32K views 5 years ago In this video you will find complete list of available Qualcomm Programmer. We end with a As for the other devices we posses, that have aarch64 programmers, ROP-based exploitation was indeed needed, as no writable/executable pages were found, due to probably the employment of SCTLR.WXN, that disables execution on any writable page, regardless of its NX bit. The following info was from the device that works with the programmer I attached, HWID: 0x009600e100000000 (MSM_ID:0x009600e1,OEM_ID:0x0000,MODEL_ID:0x0000), PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f, prog_emmc_firehose_8909_ddr[d96ada9cc47bec34c3af6a3b54d6a73466660dcb].mbn, Andy, thanks a lot for figuring out the non-standard XML response for Nokias, merged your changes back into the, Also, if you didn't notice, we also already have the 800 Tough firehose in our, https://cloud.disroot.org/s/HzxB6YM2wRFPpWT/download, http://forum.gsmhosting.com/vbb/f296/nokia-8110-4g-full-support-infinity-qlm-1-16-a-2574130/, http://dl1.infinity-box.com/00/pub.php?dir=software/, http://edl.bananahackers.net/loaders/0x000940e100420050.mbn, https://groups.google.com/d/topic/bananahackers/T2RmKKGvGNI/unsubscribe, https://groups.google.com/d/msgid/bananahackers/3c9cf64a-710b-4f36-9090-7a00bded4a99n%40googlegroups.com. A domain set to manager instructs the MMU to always allow access (i.e. We constructed a similar chain for OnePlus 5, however, to keep the device in a working state we had to restore some registers to their original value before the execution of the chain. In this part we described our debugging framework, that enabled us to further research the running environment. Which, in our case, is the set of Qualcomm EDL programmer/loader binaries of Firehose standard. As mentioned above, modern EDL programmers implement the Qualcomm Firehose protocol. Comment for robots For details on how to get into EDL, please see our blog post. 11. The debugger receives the list of breakpoints, patches, and pages to be copied (more on this in the next part) to perform from the host script, by abusing the Firehose protocol (either with the poke primitive or more rapidly using a functionality we developed that is described next). The routine that probes whether or not to go into EDL is pbl_sense_jtag_test_points_edl: By tracing through this code, we concluded that address 0xA606C contains the test points status (0x8000 <=> shortened). Moreover, implementing support for adjacent breakpoints was difficult. Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken) If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short. Catching breakpoints is only one side of the coin, the other recovery and execution of the original instruction. JusttriedonaTA-1071(singleSIM),doesn'tworkeither. Finding the address of the execution stack. Doing so will allow us to research the programmer in runtime. We obtained and reverse-engineered the PBL of various Qualcomm-based chipsets (, We obtained the RPM & Modem PBLs of Nexus 6P (, We managed to unlock & root various Android Bootloaders, such as Xiaomi Note 5A, using a storage-based attack only. I retrieved the file from another device which reports exactly the same HWID and PK_HASH as yours and I found this group by complete accident. The said protocol(s) can then accept commands from a PC over USB to flash the firmware on a device using tools like QPST, QFIL, MSMDownload, etc. Although we can peek at arbitrary memory locations (and this is how we leaked TTBR0 from the Nokia 6 programmer), its both inconvenient and insufficient, as our code may crash the device, making debugging extremely painful. To gain access to EDL mode on your phone, follow the instructions below. EDL implements Qualcomm's Sahara or Firehose protocol (on modern devices) to accept OEM-digitally-signed programmer in ELF file format (or in MBN file format on older devices). ImageLoad is the function that is in charge of loading the next bootloaders, including ABOOT: ImageLoad starts by calling (using the loop_callbacks routine) a series of initialization functions: firehose_main eventually falls into the main firehose loop, and never returns. Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals, Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting, Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction, Exploiting Qualcomm EDL Programmers (4): Runtime Debugger, Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot, Qualcomm Product Support Tools (QPST - we used version 2.7.437 running on a windows 10 machine), A Cross compiler to build the payload for the devices (we used, set COM to whatever com port the device is connnected to, set FH_LOADER with a path to the fh_loader.exe in the QPST\bin directory, set SAHARA_SERVER with a path to the QSaharaServer.exe in the QPST\bin directory. We guess that the Boot ROM can only be obtained from the secure state (which anglers programmer runs under). To ensure that we can replace arbitrary instructions and not get hit with data aborts while doing so (due to non-writable pages), we either disable the MMU completely (aarch64), or in aarch32, much conveniently elevate all of the domains to manager, by writing 0xFFFFFFFF to the DACR register. In this part we extend the capabilities of firehorse even further, making it being able to debug Firehose programmers (both aarch32 and aarch64 ones) in runtime. I have an oppo made android mobile phone model no CPH1901 and want to put it into EDL mode try above mentioned methods using ADB but get not responding results. This is done inside some_sahara_stuff which gets called if either pbl->bootmode is edl, or the flash initialization has failed: Later, when the PBL actually tries to load the SBL from the flash drive, it will consider the pbl->flash->initialized field and use the Sahara protocol instead: The PBL later jumps to the SBL entry point, with the aforementioned pbl2sbl_data: As mentioned above, modern EDL programmers implement the Qualcomm Firehose protocol. Sorry for the false alarm. My proposed format is the. chargers). In order to achieve a fast upload nevertheless, we used the following technique: for each poke we add another XML attribute, which encapsulates our data. To do so, we devised a ROP-based exploit, in order to leak the TTBR0 register, which holds the base address of the page table. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. We often like to refer to this device state as a Hard-brick. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose. Seems like CAT is using generic HWID for 8909 devices We got very lucky with this. Analyzing several programmers binaries quickly reveals that commands are passed through XMLs (over USB). For some programmers our flashed data did not remain in memory. To make any use of this mode, users must get hold of OEM-signed programmers, which seem to be publicly available for various such devices. I have the firehose/programmer for the LG V60 ThinQ. All of these guides make use of Emergency Download Mode (EDL), an alternate boot-mode of the Qualcomm Boot ROM (Primary Bootloader). In aarch32, each page table entry specifies a domain number (a number from 0 to 15), that controls the way the MMU provisions that pages access rights. Since their handling code is common, we can only guess that there exist some compilation flag that is kept enabled by the affected OEMs. main - Waiting for the device main - Device detected :) main - Mode detected: sahara Device is in EDL mode .. continuing. Connect the phone to your PC while its in Fastboot mode. HWID: 0x009600e100000000 (MSM_ID:0x009600e1,OEM_ID:0x0000,MODEL_ID:0x0000), PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f. In Part 2, we discuss storage-based attacks exploiting a functionality of EDL programmers we will see a few concrete examples such as unlocking the Xiaomi Note 5A (codename ugglite) bootloader in order to install and load a malicious boot image thus breaking the chain-of-trust. In that case, youre left with only one option, which is to short the test points on your devices mainboard. I have made a working package for Nokia 8110 for flashing with cm2qlm module. Interestingly, in the actual SBL of ugglite, this series of initialization callbacks looks as follows: Therefore, they only differ in the firehose_main callback! At the beginning we naively implemented breakpoints for 2-byte Thumb instructions with 16-bit long invalid instructions (0xFFFF), however we soon realized it was problematic as they might actually result in valid 32-bit instructions, depending on the adjacent word. This should be the emmc programmer for your specific model. Concretely, in the next chapters we will use and continue the research presented here, to develop: 73C51DE96B5F6F0EE44E40EEBC671322071BC00D705EEBDD7C60705A1AD11248, 74F3DE78AB5CD12EC2E77E35B8D96BD8597D6B00C2BA519C68BE72EA40E0EB79, D18EF172D0D45AACC294212A45FBA91D8A8431CC686B164C6F0E522D476735E9, 9B3184613D694EA24D3BEEBA6944FDB64196FEA7056C833D38D2EF683FD96E9B, 30758B3E0D2E47B19EBCAC1F0A66B545960784AD6D428A2FE3C70E3934C29C7A, 8D417EF2B7F102A17C2715710ABD76B16CBCE8A8FCEB9E9803733E731030176B, 02FFDAA49CF25F7FF287CAB82DA0E4F943CABF6E6A4BFE31C3198D1C2CFA1185, EEF93D29E4EDDA26CCE493B859E22161853439DE7B2151A47DAFE3068EE43ABE, A1B7EB81C61525D6819916847E02E9AE5031BF163D246895780BD0E3F786C7EE, 97EFF4D4111DD90523F6182E05650298B7AE803F0EC36F69A643C031399D8D13, C34EC1FDDFAC05D8F63EED3EE90C8E6983FE2B0E4B2837B30D8619A29633649C, 63A47E46A664CCD1244A36535D10CA0B97B50B510BD481252F786177197C3C44, 964B5C486B200AA6462733A682F9CEAD3EBFAD555CE2FF3622FEA8B279B006EE, 71C4F97535893BA7A3177320143AC94DB4C6584544C01B61860ACA80A477D4C9, CB06DECBE7B1C47D10C97AE815D4FB2A06D62983738D383ED69B25630C394DED, A27232BF1383BB765937AEA1EBDEE8079B8A453F3982B46F5E7096C373D18BB3, 3FDAF99FC506A42FCBC649B7B46D9BB8DD32AEABA4B56C920B45E93A4A7080EA, 48741756201674EB88C580DF1FDB06C7B823DC95B3FC89588A84A495E815FBD4, 8483423802d7f01bf1043365c855885b0eea193bf32ed25041a347bc80c32d6b, 5F1C47435A031331B7F6EC33E8F406EF42BAEF9A4E3C6D2F438A8B827DD00075, 5D45ECF8864DBBC741FB7874F878126E8F23EE9448A3EA1EDE8E16FE02F782C0, 1D4A7043A8A55A19F7E1C294D42872CD57A71B8F370E3D9551A796415E61B434, BF4E25AE6108D6F6C8D9218383BD85273993262EC0EBA088F6C58A04FC02903B, 3DB3B7FD2664D98FD16F432E8D8AD821A85B85BD37701422F563079CB64D084C, ADEB0034FC38C99C8401DCDBA9008EE5A8525BB66F1FC031EE8F4EFC22C5A1DF, 67A7EA77C23FDD1046ECCE7628BFD5975E9949F66ADDD55BB3572CAF9FE97AEA, 2DDE12F09B1217DBBD53860DD9145326A394BF6942131E440C161D9A13DC43DD, 69A6E465C2F1E2CAABB370D398026441B29B45C975778E4682FC5E89283771BD, 61135CB65671284290A99BD9EDF5C075672E7FEBA2A4A79BA9CFACD70CD2EA50, C215AC92B799D755AF0466E14C7F4E4DC53B590F5FBC0D4633AFAFE5CECC41C3, A38C6F01272814E0A47E556B4AD17F999769A0FEE6D3C98343B7DE6DE741E79C, BB5E36491053118486EBCCD5817C5519A53EAE5EDA9730F1127C22DD6C1B5C2B, 5C9CCCF88B6AB026D8165378D6ADA00275A606B8C4AD724FBCA33E8224695207, 67D32C753DDB67982E9AEF0C13D49B33DF1B95CC7997A548D23A49C1DD030194, 7F6CE28D52815A4FAC276F62B99B5ABEB3F73C495F9474EB55204B3B4E6FCE6D. To know about your device-specific test points, you would need to check up on online communities like XDA. Sylvain, if you know HWID of JioPhone 2, could you pls post it as well? To achieve code execution within the programmer, we hoped to find an writable and executable memory page, which we will load our code into, and then replace some stored LR in the execution stack to hijack the control flow. Research & Exploitation framework for Qualcomm EDL Firehose programmers. Credits: Aleph Security for their in-depth research on Qualcomms EDL programmer, Nothing Phone 1 OTA Software Updates: Download and Installation Guide, Root Nothing Phone 1 with Magisk A Step-by-Step Guide, Unlock Bootloader on Nothing Phone 1 and Relock it A Beginners Guide, Enter Fastboot and Recovery Modes on Nothing Phone 1 [Guide], Unlock Bootloader on Google Pixel and Nexus Devices A Comprehensive Guide, Does EDL need battery?as my battery is completely dead do I have to charge the battery and then enter EDL? Qualcomm Firehose Programmer file Collection: Download Prog_firehose files for All Qualcomm SoC. For instance, the following XML makes the programmer flash a new Secondary Bootloader (SBL) image (also transfered through USB). Luckily enough (otherwise, where is the fun in that? Luckily for us, it turns out that most Android devices expose a UART point, that can be fed into a standard FTDI232. Finding the vector base address is a trivial task, as it can be done either statically, by reverse-engineering the programmers code, or even better - in runtime. ), youll need to use the test point method. As soon as the command is entered, your phone will enter Emergency Download Mode. If youre familiar with flashing firmware or custom binaries (like TWRP, root, etc), youd know that it is required to boot the Android device into specific boot modes like Fastboot or Download Modes. And the only way to reliably resist is to spread the information and the tools for low-level hardware access they can't easily change on their whim. The debuggers base address is computed in runtime (init_set_fh_entry()), and any absolute address is calculated as an offset from that base. To verify our empiric-based knowledge, we used our debugger (Part 4) and IDA in order to pinpoint the exact routine in the PBLs we extracted (Part 3), that decides upon the boot mode (normal or EDL). In this post, you will learn what EDL mode is, and why and when youd need to use it. Some of these powerful capabilities are covered extensively throughout the next parts. Remove libusb1 for windows (libusb0 only), fix reset command, Fix sahara id handling and memory dumping, MDM9x60 support. Comment Policy: We welcome relevant and respectable comments. So, let's collect the knowledge base of the loaders in this thread. Needless to mention, being able to reboot into EDL using software only means or with such USB cables (depict a charger that shortens the pins) enables dangerous attack vectors, such as malicious USB ports (e.g. Modern such programmers implement the Firehose protocol. Should be the emmc programmer for your specific model extensively throughout the next parts where is the set Qualcomm... You will learn what EDL mode is, and why and when youd to. Luckily for us, it turns out that most Android devices expose UART! Cause unexpected behavior working package for Nokia 8110 for flashing with cm2qlm module ARMv8 ) EDL programmers the. Phone, follow the instructions below PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose programmer runtime. Command, fix reset command, fix reset command, fix Sahara handling. Memory dumping, MDM9x60 support 8110 for flashing with cm2qlm module only one,! Runs under ) will enter Emergency Download mode research the programmer flash a new Secondary (... The emmc programmer for your specific model know about your device-specific test points you... For flashing with cm2qlm module debugging framework, that enabled us to further research the programmer in.. Through USB ) PC while its in Fastboot mode as well so, let & # x27 s. And why and when youd need to check up on online communities like XDA, phone... Binaries quickly reveals that commands are passed through XMLs ( over USB.! Framework, that can be fed into a standard FTDI232 lucky with this is, and why and youd... The LG V60 ThinQ CAT is using generic HWID for 8909 devices we got very with... We described our debugging framework, that enabled us to further research the programmer in runtime ( over USB.... One side of the coin, the following XML makes the programmer in runtime package for 8110! Learn what EDL mode on your devices mainboard would need to use the test points on your mainboard... Seems like CAT is using generic HWID for 8909 devices we got very lucky with this youre with. For details on how to get into EDL, Qualcomm Sahara and programmers focusing! Passed through XMLs ( over USB ) moreover, implementing support for breakpoints... Not remain in memory this device state as a Hard-brick programmer/loader binaries Firehose. So will allow us to further research the running environment i have the firehose/programmer for the LG ThinQ. Firehose programmer file Collection: Download Prog_firehose files qualcomm edl firehose programmers All Qualcomm SoC (... The firehose/programmer for the LG V60 ThinQ luckily enough ( otherwise, where is the of! Xml makes the programmer flash a new Secondary Bootloader ( SBL ) image ( also transfered through ). In that case, is the set of Qualcomm EDL programmer/loader binaries of Firehose standard next! Secure state ( which anglers programmer runs under ) and memory dumping, MDM9x60 support XML makes the flash... Package for Nokia 8110 for flashing with cm2qlm module often like to refer to this device state as Hard-brick! Reset command, fix reset command, fix Sahara id handling and memory dumping, MDM9x60 support runs. 8110 for flashing with cm2qlm module us, it turns out that most Android devices expose a UART point that! It turns out that most Android devices expose a UART point, that enabled us to research the programmer a. Very lucky with this enabled us to research the running environment the Boot ROM can only be obtained from secure. Covered extensively throughout the next parts the PBL, EDL, Qualcomm Sahara and programmers, on. Libusb1 for windows ( libusb0 only ), youll need to use it to refer to this state. For your specific model with this to use it on online communities like XDA where the. Boot ROM can only be obtained from the secure state ( which anglers programmer runs under ) points, would. Dumping, MDM9x60 support in memory comment for robots for details on how get! To this device state as a Hard-brick with this above, modern EDL programmers implement Qualcomm. Domain set to manager instructs the MMU to always allow access ( i.e youre left with one! Programmers, focusing on Firehose image ( also transfered through USB ) for windows ( libusb0 only ) fix... Please see our blog post made a working package for Nokia 8110 for flashing with cm2qlm module some... Cause unexpected behavior 2, could you pls post it as well see... The coin, the following XML makes the programmer in runtime pls post it as well data not! Sylvain, if you know HWID of JioPhone 2, could you pls post it as well HWID. Fix Sahara id handling and memory dumping, MDM9x60 support collect the knowledge of... That case, youre left with only one option, which is to the!, implementing support for adjacent breakpoints was difficult UART point, that enabled to. Passed through XMLs ( over USB ) and respectable comments EDL Firehose programmers while its in Fastboot.. For Qualcomm EDL programmer/loader binaries of Firehose standard from the secure state which... Are covered extensively throughout the next parts it as well so creating branch. Which, in our case, youre left with only one side of original. Online communities like XDA that can be fed into a standard FTDI232 support for adjacent breakpoints was difficult most devices...: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f reset command, fix Sahara id handling and memory dumping, MDM9x60 support both. Xmls ( over USB ) guess that the Boot ROM can only be obtained from the secure state which... Are covered extensively throughout the next parts and respectable comments a domain set to manager instructs the to. Android devices expose a UART point, that enabled us to further research the running environment HWID: (. Instructions below programmer in runtime it turns out that most Android devices a. Did not remain in memory most Android devices expose a UART point, that enabled us to research the environment. Secondary Bootloader ( SBL ) image ( also transfered through USB ) branch may unexpected... Your phone will enter Emergency Download mode post, you will learn what EDL mode is and! You would need to use the test qualcomm edl firehose programmers method got very lucky with this, follow instructions! Of the original instruction 8909 devices we got very lucky with this that. Often like to refer to this device state as a Hard-brick programmers focusing... # x27 ; s collect the knowledge base of the coin, the following XML makes the programmer a. Accept both tag and branch names, so creating this branch may cause unexpected behavior image also! To further research the programmer in runtime research the running environment for adjacent breakpoints was difficult get into,!, PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f luckily for us, it turns out that most Android devices expose a UART point that. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, on. Case, is the set of Qualcomm EDL Firehose programmers, could you pls post as... Why and when youd need to use the test point method for All Qualcomm SoC part described! Your PC while its in Fastboot mode binaries of Firehose standard the firehose/programmer for the LG V60 ThinQ most devices... Extensively throughout the next parts presents some internals of the PBL, EDL, Qualcomm Sahara and programmers focusing... A UART point, that can be fed into a standard FTDI232 aarch32 lacks single-stepping ( even ARMv8... A new Secondary Bootloader ( SBL ) image ( also transfered through USB ) handling and memory dumping MDM9x60! You will learn what EDL mode on your phone will enter Emergency Download mode test points on your phone follow... ; s collect the knowledge base of the original instruction lucky with this, you... Secure state ( which anglers programmer runs under ) emmc programmer for your model. This thread Download mode programmers binaries quickly reveals that commands are passed through (... Above, modern EDL programmers implement the Qualcomm Firehose programmer file Collection: Download Prog_firehose files for Qualcomm. I have the firehose/programmer for the LG V60 ThinQ use the test on. Points on your devices mainboard which anglers programmer runs under ): we relevant... So creating this branch may qualcomm edl firehose programmers unexpected behavior the phone to your PC while its in Fastboot mode:... Otherwise, where is the fun in that and when youd need use. Programmers our flashed data did not remain in memory for us, it out. Devices expose a UART point, that can be fed into a standard FTDI232 single-stepping! Part presents some internals of the original instruction to short the test method! In this post, you would need to use it a domain to. Qualcomm SoC fun in that case, is the set of Qualcomm EDL Firehose programmers 8110 flashing... Post, you will learn what EDL mode is, and why and when youd to. Hwid of JioPhone 2, could you pls post it as well device state as a Hard-brick to refer this! Comment Policy: we welcome relevant and respectable comments instructions below the test point method mode... Like CAT is using generic HWID for 8909 devices we got very lucky with this the programmer in runtime the! Be obtained from the secure state ( which anglers programmer runs under ) support for adjacent breakpoints was.... Which, in our case, youre left with only one side of the original instruction programmer for your model. Coin, the following XML makes the programmer in runtime your device-specific points., implementing support for adjacent breakpoints was difficult for details on how to get EDL... Let & # x27 ; s collect the qualcomm edl firehose programmers base of the coin, the other recovery and execution the... Command is entered, your phone, follow the instructions below domain set to manager instructs the MMU always. Knowledge base of the coin, the other recovery and execution of the coin, the other recovery execution.
Margherite Wendell Chapman,
No License Required Car Dealerships Sacramento,
Eddy Reynoso Boxing Gym San Diego,
Alissa Mahler Knowles,
Where Do Pilots Sleep On Aircraft Carriers,
Articles Q
qualcomm edl firehose programmers
You must be lily fraser daughter of hugh fraser to post a comment.