All of our extracted PBLs were 32-bit (run in aarch32), where the SBLs were either aarch32 or aarch64, in which the PBL is in charge of the transition. Comment Policy: We welcome relevant and respectable comments. The extracted platform-tools folder will contain ADB and other binaries youd need. (Nexus 6P required root with access to the sysfs context, see our vulnerability report for more details). Amandeep, for the CPH1901 (Oppo A7, right? GADGET 3: The next gadget calls R12 (that we control, using the previous gadget): GADGET 4: We set R12 to 080081AC, a gadget that copies TTBR0 to R0: This will return to GADGET 3, with R0 = TTBR0. Some fields worth noting include sbl_entry which is later set to the SBLs entry point, and pbl2sbl_data which contains parameters passed to the soon-to-be-jumped-to SBL (see next). In order to achieve a fast upload nevertheless, we used the following technique: for each poke we add another XML attribute, which encapsulates our data. Generally if the devices software is corrupted due to a wrong flash or any other software issue, it could be revived by flashing the firmware through Fastboot and Download modes. Later, our UART output can be fed into IDA, using another IDA Python script, to mark the execution path. Executing this chain, we managed to leak the TTBR0 register into a controlled memory address without crashing the device (by reconstructing the stack and returning to the original caller). Mar 22, 2021 View. For example, if the folder in the Documents directory, the command should be: Now, enable USB debugging on your Android device using the instructions. For some programmers our flashed data did not remain in memory. Research & Exploitation framework for, A couple of years ago, it is easy to unbrick a Xiaomi device through Emergency Download Mode (, Programming & Flashing. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose. While its best you use a firmware which includes a programmer file, you can (in severe cases) use the programmer file for a Qualcomm EDL mode varies across Qualcomm devices so. In order to tackle that, we abused the Firehose protocol in the following ways: Egg Hunting. Using the same mechanism, some devices (primarily Xiaomi ones) also allowed/allow to reboot into EDL from fastboot, either by issuing fastboot oem edl, or with a proprietary fastboot edl command (i.e with no oem). because virtually any firehose file will work there. Since the PBL is a ROM resident, EDL cannot be corrupted by software. elf -MemoryName ufs -SetActivePartition 1 -x rawprogram0 exe emmcdl Although, Tool Studio eMMC Download Tool is a very sophisticated Qualcomm Android device service tools, it is very simple to use and very fast at completing the task EMMCDL is a command-line utility that allows all kinds of manipulation in EDL > format. The routine that probes whether or not to go into EDL is pbl_sense_jtag_test_points_edl: By tracing through this code, we concluded that address 0xA606C contains the test points status (0x8000 <=> shortened). $ ./edl.py Qualcomm Sahara / Firehose Client V3.3 (c) B.Kerler 2018-2021. main - Trying with no loader given . For aarch64 - CurrentEL, for aarch32 - CPSR.M. Your phone should now reboot and enter EDL mode. A partial list of available programmers we managed to obtain is given below: In this 5-part blog post we discuss the security implications of the leaked programmers. It's already in the above archive. The first part presents some internals of the PBL, GitHub Stars program. Qualcomm Programmer eMMC UFS Firehose Download folder ArykTECH 349 subscribers Subscribe 40 Share 32K views 5 years ago In this video you will find complete list of available Qualcomm Programmer. The programmer implements the Firehose protocol which allows the host PC to send commands to write into the onboard storage (eMMC, UFS). CAT B35 loader found! At the beginning we naively implemented breakpoints for 2-byte Thumb instructions with 16-bit long invalid instructions (0xFFFF), however we soon realized it was problematic as they might actually result in valid 32-bit instructions, depending on the adjacent word. You must log in or register to reply here. Alcatel Onetouch Idol 3. Why and when would you need to use EDL Mode? Sorry for the false alarm. The routine sets the bootmode field in the PBL context. chargers). Hi, The source is pretty much verified. Preparation 1. main - Waiting for the device main - Device detected :) main - Mode detected: sahara Device is in EDL mode .. continuing. Tested on our Nexus 6P, trying to read from its PBL physical address (0xFC010000), instantly resulted in a system reboot. Luckily enough, for select chipsets, we soon encountered the PBL themselves: For example, the strings below are of the MSM8994 PBL (Nexus 6P): Please note that the PBL cannot be obtained by code running in the platform OS. This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository. or from here, Make a subdirectory "newstuff", copy your edl loaders to this subdirectory, or sniff existing edl tools using Totalphase Beagle 480, set filter to filter({'inputs': False, 'usb3': False, 'chirps': False, 'dev': 26, 'usb2resets': False, 'sofs': False, 'ep': 1}), export to binary file as "sniffeddata.bin" and then use beagle_to_loader sniffeddata.bin. In aarch32, vector tables are pointed by the VBAR registers (one for each security state). A usuable feature of our host script is that it can be fed with a list of basic blocks. Save my name, email, and website in this browser for the next time I comment. Sorry, couldn't talk to Sahara, please reboot the device ! For instance, the following XML makes the programmer flash a new Secondary Bootloader (SBL) image (also transfered through USB). CVE-2017-13174. As we witnessed in Part 1, oddly enough Firehose programmers implement the peek and poke XML tags, which according to our correspondence with Qualcomm, are customizations set by OEMs QPSIIR-909. This device has an aarch32 leaked programmer. Android phones and tablets equipped with Qualcomm chipset contain a special boot mode which could be used force-flash firmware files for the purpose of unbricking or restoring the stock ROM. In this mode, the device identifies itself as Qualcomm HS-USB 9008 through USB. I must to tell you, I never, ever slow enough to comment on any site .but I was compelled to stop and say THANK YOU THANK YOU THANK . As mentioned above, modern EDL programmers implement the Qualcomm Firehose protocol. Luckily, by revisiting the binary of the first level page table, we noticed that it is followed by 32-bit long entires (from offset 0x20), The anglers programmer is a 64-bit one, so clearly the 32-bit entries do not belong here. Some of these powerful capabilities are covered extensively throughout the next parts. P.S. Exploiting Qualcomm EDL Programmers (4): Runtime Debugger. When in this mode, the device identifies itself as Qualcomm HS-USB QDLoader 9008 over a USB connection. Read our comment policy fully before posting a comment. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose. Many devices expose on their board whats known as Test Points, that if shortened during boot, cause the PBL to divert its execution towards EDL mode. It seems like EDL mode is only available for a split second and then turn off. In addition, rebooting into EDL by software is done by asserting the LSB of the 0x193D100 register (also known as tcsr-boot-misc-detect) Further, we will also guide you on how to enter EDL mode on supported Qualcomm Android devices using ADB, Fastboot, or by manually shorting the hardware test points. Qualcomm's EDL & Firehose demystified. EDL itself is a part of the Primary Bootloader (PBL) on Qualcomm Devices. As for remediation, vendors with leaked programmers should use Qualcomms Anti-Rollback mechanism, if applicable, in order to prevent them from being loaded by the Boot ROM (PBL), The problem is caused by customizations from OEMsOur Boot ROM supports anti-rollback mechanism for the firehose image., Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot, Exploiting Qualcomm EDL Programmers (4): Runtime Debugger, Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction, Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting, Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals, Obtain and reverse-engineer the PBL of various Qualcomm-based chipsets (, Obtain the RPM & Modem PBLs of Nexus 6P (, Manifest an end-to-end attack against our Nokia 6 device running Snapdragon 425 (. In this mode, the device identifies itself as Qualcomm HS-USB 9008 through USB. If youre familiar with flashing firmware or custom binaries (like TWRP, root, etc), youd know that it is required to boot the Android device into specific boot modes like Fastboot or Download Modes. By dumping that range using firehorse, we got the following results: We certainly have something here! After running our chain, we could upload to and execute our payload at any writable memory location. There are no posts matching your filters. A domain set to manager instructs the MMU to always allow access (i.e. Extract the downloaded ZIP file to an easily accessible location on your PC. The following info was from the device that works with the programmer I attached, HWID: 0x009600e100000000 (MSM_ID:0x009600e1,OEM_ID:0x0000,MODEL_ID:0x0000), PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f, prog_emmc_firehose_8909_ddr[d96ada9cc47bec34c3af6a3b54d6a73466660dcb].mbn, Andy, thanks a lot for figuring out the non-standard XML response for Nokias, merged your changes back into the, Also, if you didn't notice, we also already have the 800 Tough firehose in our, https://cloud.disroot.org/s/HzxB6YM2wRFPpWT/download, http://forum.gsmhosting.com/vbb/f296/nokia-8110-4g-full-support-infinity-qlm-1-16-a-2574130/, http://dl1.infinity-box.com/00/pub.php?dir=software/, http://edl.bananahackers.net/loaders/0x000940e100420050.mbn, https://groups.google.com/d/topic/bananahackers/T2RmKKGvGNI/unsubscribe, https://groups.google.com/d/msgid/bananahackers/3c9cf64a-710b-4f36-9090-7a00bded4a99n%40googlegroups.com. All of these guides make use of Emergency Download Mode (EDL), an alternate boot-mode of the Qualcomm Boot ROM (Primary Bootloader). The SBL initializes the DDR and loads digitally-signed images such as ABOOT (which implements the fastboot interface) & TrustZone, and again verifies their authenticity. Hopefully we will then be able to find a suitable page (i.e one that is both writable and executable), or change (by poke) the access permissions of an existing one. This could either be done via ADB, fastboot or by shorting the hardware test points if the former two dont work. Since their handling code is common, we can only guess that there exist some compilation flag that is kept enabled by the affected OEMs. initramfs is a cpio (gzipped) archive that gets loaded into rootfs (a RAM filesystem mounted at /) during the Linux kernel initialization. Qualcomm EMMC Prog Firehose files is a basic part of stock firmware for Qualcomm phones, It comes with .mbm extensions and stores the partition data, and verifies the memory partition size. EDL, is implemented by the Primary Bootloader (PBL), allows to escape from the unfortunate situation where the second stage bootloader (stored in flash) is damaged. To do so, we devised a ROP-based exploit, in order to leak the TTBR0 register, which holds the base address of the page table. Later, the PBL will actually skip the SBL image loading, and go into EDL mode. The next part is solely dedicated for our runtime debugger, which we implemented on top of the building blocks presented in this part. `. Improved streaming stuff, Qualcomm Sahara / Firehose Attack Client / Diag Tools. Unlike Fastboot, Download, and Recovery modes on Android, which reside in the Secondary Bootloader (SBL), PBL resides within the ROM and so it could not be corrupted due to software errors (again, like a wrong flash). GADGET 5: The next gadget copies R0 to [R4], which we can control using GADGET 2: We return from this gadget to the original caller. Butunfortunatelydoesn'tseemtowork. Check below on the provided lists, If you cannot find your Device Model name, Just comment me below on this Post and be patient while I check & look for a suitable emmc file for your devices. In the case of Qualcomm , these programmers are referred to as " firehose >" binaries. To boot your phone into EDL mode using the test point method, you will need to expose the devices mainboard and use a metal tweezer (or a conductive metal wire) to short the points, and then plug the device to your PC or to the wall charger over USB. In the Nokia 6 programmer (and maybe others as well), the result of the partition flashing process remains in the device memory, even after its complete. . By Roee Hay & Noam Hadad, Aleph Reseserch, HCL TechnologiesResearch & Exploitation framework for, spring boot crud example with mysql database javatpoint, giant ridecontrol dash 2 in 1 bedienungsanleitung, good and beautiful language arts level 3 answer key, 70048773907 navy removal scout 800 pink pill assasin expo van travel bothell punishment shred norelco district ditch required anyhow - Read online for free.. "/>. This list can be generated using the following IDA Python script: For example, here is the list of basic blocks generated for the pbl_sense_jtag_test_edl function discussed in Part 1: Then, one can call our breakpoints managers break_function or trace_function in order to break on a functions entry, or break on all basic blocks, effectively tracing its execution. ignore the access righs completely). Despite that, we can recover most breakpoints each time a breakpoint is hit, we simply reconstruct all of the others, losing only breakpoints that occur in succession. To implement breakpoints, we decided to abuse undefined instruction exceptions. 2021. Did a quick search and found the location of the test points on the Redmi 7A (Click to view the image). Rahul, most (if not all) Xiaomi phones would need the third method to get into EDL mode. Install normal QC 9008 Serial Port driver (or use default Windows COM Port one, make sure no exclamation is seen), Test on device connect using "UsbDkController -n" if you see a device with pid 0x9008, Copy all your loaders into the examples directory, Or rename Loaders manually as "msmid_pkhash[8 bytes].bin" and put them into the Loaders directory, Send AT!BOOTHOLD and AT!QPSTDLOAD to modem port or use, Send AT!ENTERCND="A710" and then AT!EROPTION=0 for memory dump, Secure loader with SDM660 on Xiaomi not yet supported (EDL authentification), VIP Programming not supported (Contributions are welcome ! To make any use of this mode, users must get hold of OEM-signed programmers, which seem to be publicly available for various such devices. Concretely, in the next chapters we will use and continue the research presented here, to develop: 73C51DE96B5F6F0EE44E40EEBC671322071BC00D705EEBDD7C60705A1AD11248, 74F3DE78AB5CD12EC2E77E35B8D96BD8597D6B00C2BA519C68BE72EA40E0EB79, D18EF172D0D45AACC294212A45FBA91D8A8431CC686B164C6F0E522D476735E9, 9B3184613D694EA24D3BEEBA6944FDB64196FEA7056C833D38D2EF683FD96E9B, 30758B3E0D2E47B19EBCAC1F0A66B545960784AD6D428A2FE3C70E3934C29C7A, 8D417EF2B7F102A17C2715710ABD76B16CBCE8A8FCEB9E9803733E731030176B, 02FFDAA49CF25F7FF287CAB82DA0E4F943CABF6E6A4BFE31C3198D1C2CFA1185, EEF93D29E4EDDA26CCE493B859E22161853439DE7B2151A47DAFE3068EE43ABE, A1B7EB81C61525D6819916847E02E9AE5031BF163D246895780BD0E3F786C7EE, 97EFF4D4111DD90523F6182E05650298B7AE803F0EC36F69A643C031399D8D13, C34EC1FDDFAC05D8F63EED3EE90C8E6983FE2B0E4B2837B30D8619A29633649C, 63A47E46A664CCD1244A36535D10CA0B97B50B510BD481252F786177197C3C44, 964B5C486B200AA6462733A682F9CEAD3EBFAD555CE2FF3622FEA8B279B006EE, 71C4F97535893BA7A3177320143AC94DB4C6584544C01B61860ACA80A477D4C9, CB06DECBE7B1C47D10C97AE815D4FB2A06D62983738D383ED69B25630C394DED, A27232BF1383BB765937AEA1EBDEE8079B8A453F3982B46F5E7096C373D18BB3, 3FDAF99FC506A42FCBC649B7B46D9BB8DD32AEABA4B56C920B45E93A4A7080EA, 48741756201674EB88C580DF1FDB06C7B823DC95B3FC89588A84A495E815FBD4, 8483423802d7f01bf1043365c855885b0eea193bf32ed25041a347bc80c32d6b, 5F1C47435A031331B7F6EC33E8F406EF42BAEF9A4E3C6D2F438A8B827DD00075, 5D45ECF8864DBBC741FB7874F878126E8F23EE9448A3EA1EDE8E16FE02F782C0, 1D4A7043A8A55A19F7E1C294D42872CD57A71B8F370E3D9551A796415E61B434, BF4E25AE6108D6F6C8D9218383BD85273993262EC0EBA088F6C58A04FC02903B, 3DB3B7FD2664D98FD16F432E8D8AD821A85B85BD37701422F563079CB64D084C, ADEB0034FC38C99C8401DCDBA9008EE5A8525BB66F1FC031EE8F4EFC22C5A1DF, 67A7EA77C23FDD1046ECCE7628BFD5975E9949F66ADDD55BB3572CAF9FE97AEA, 2DDE12F09B1217DBBD53860DD9145326A394BF6942131E440C161D9A13DC43DD, 69A6E465C2F1E2CAABB370D398026441B29B45C975778E4682FC5E89283771BD, 61135CB65671284290A99BD9EDF5C075672E7FEBA2A4A79BA9CFACD70CD2EA50, C215AC92B799D755AF0466E14C7F4E4DC53B590F5FBC0D4633AFAFE5CECC41C3, A38C6F01272814E0A47E556B4AD17F999769A0FEE6D3C98343B7DE6DE741E79C, BB5E36491053118486EBCCD5817C5519A53EAE5EDA9730F1127C22DD6C1B5C2B, 5C9CCCF88B6AB026D8165378D6ADA00275A606B8C4AD724FBCA33E8224695207, 67D32C753DDB67982E9AEF0C13D49B33DF1B95CC7997A548D23A49C1DD030194, 7F6CE28D52815A4FAC276F62B99B5ABEB3F73C495F9474EB55204B3B4E6FCE6D. But newer Schok Classic phones seem to have a fused loader. EDL mode is entered by plugging the cable while having * and # pressed at the same time. In the previous part we explained how we gained code execution in the context of the Firehose programmer. Meaninganyworkingloader,willworkonbothofthem(andhopefullyfortheotheronesaswell). Once your Qualcomm Android device has entered EDL mode, you can connect it to the PC and use tools like QPST or QFIL to flash firmware files to unbrick or restore stock ROM. (Part 3) <-- . Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction. Credits: Aleph Security for their in-depth research on Qualcomms EDL programmer, Nothing Phone 1 OTA Software Updates: Download and Installation Guide, Root Nothing Phone 1 with Magisk A Step-by-Step Guide, Unlock Bootloader on Nothing Phone 1 and Relock it A Beginners Guide, Enter Fastboot and Recovery Modes on Nothing Phone 1 [Guide], Unlock Bootloader on Google Pixel and Nexus Devices A Comprehensive Guide, Does EDL need battery?as my battery is completely dead do I have to charge the battery and then enter EDL? Special care was also needed for Thumb. (a=>{let b=document.getElementById(a.i),c=document.getElementById(a.w);b&&c&&(b.value="",c.style.display="none")})({"w":"a9f0b246da1895c7e","i":"a752a3f59ea684a35"}); Website#a752a3f59ea684a35735e6e1{display:none}. This should be the emmc programmer for your specific model. In the previous part we explained how we gained code execution in the context of the Firehose programmer. If your device is semi bricked and entered the usb pid 0x900E, there are several options (Later we discovered that this was not necessary because we also statically found that address in the PBL & Programmer binaries.) So follow me on social media: All Qualcomm Prog eMMC Firehose Programmer file Download, Today I will share you all Qualcomm EMMC Filehose Programmer file for Certain Devices, emmc Programs File download for all Qualcomm Chipsets Devices. There are several ways to coerce that device into EDL. sahara - ----- HWID: 0x0005f0e100000000 (MSM_ID:0x0005f0e1,OEM_ID:0x0000,MODEL_ID:0x0000) CPU detected: "MSM8996Pro" PK_HASH . After that select the programmer file prog_emmc_firehose_8917_ddrMBN. MSM-based devices contain a special mode of operation - Emergency Download Mode (EDL). This cleared up so much fog and miasma..;-). firehorse. For such devices, it can be dumped straight from memory (sadly, it will not let us debug crashes): In order for our code to write to the UART interface, we simply call one of the programmers already available routines. XDA Developers was founded by developers, for developers. So, thanks to anonymous Israeli volunteers, we now have a working firehose loader for all Nokia 2720 Flip variants. Could you share the procedure for using CM2QLM (including the software if possible) with file loader for Nokia 8110 4G TA-1059 as my device is bricked and can't enter recovery mode, but edl mode is available but showing the following error kali@kali:~/Desktop/edl-master$ python3 edl.py -loader 0x000940e100420050.mbn. We describe the Qualcomm EDL (Firehose) and Sahara Protocols. Some SBLs may also reboot into EDL if they fail to verify that images they are in charge of loading. Modern such programmers implement the Firehose protocol. Analyzing their handlers reveals the peek and poke tags expect the following format: Adding this to our research tool, allowed us to easily explore susceptible devices. I have the firehose/programmer for the LG V60 ThinQ. Our first target device was Nokia 6, that includes an MSM8937 SoC. Next, set the CROSS_COMPILE_32 and CROSS_COMPILE_64 enviroment vars as follows: Then call make and the payload for your specific device will be built. Ok, let's forget about 2720 for now. The signed certificates have a root certificate anchored in hardware. GADGET 2: We get control of R4-R12,LR using the following gadget: Controlling LR allows us to set the address of the next gadget - 0x0801064B. Which, in our case, is the set of Qualcomm EDL programmer/loader binaries of Firehose standard. Debuggers that choose this approach (and not for example, emulate the original instruction while leaving the breakpoint intact), must conduct a single-step in order to place the breakpoint once again. Its main routine is as follows: pbl2sbl_data is the data passed from the PBL to the SBL at the very end of the pbl_jmp_to_sbl function. emmc Programs File. My proposed format is the. However, we soon realized that there were many corner cases with that approach, such as setting breakpoints on instructions that cross their basic block boundary that could cause invalid breakpoints to be hit. Doing so will allow us to research the programmer in runtime. In this part we extend the capabilities of firehorse even further, making it . Thank you for this!! Looking to work with some programmers on getting some development going on this. For Nokia 6 (aarch32), for example, we get the following UART log, that indicates we are in EL3: The Nexus 6P (angler) aarch64 programmer also runs in EL3: OnePlus 5s programmer, on the other hand, runs in EL1: We can see that the most recent programmer has the least privilege level, a good sign from Qualcomm. please provide me with the package including the procedure please I need to unbrick my Nokia 8110-4g. The said protocol(s) can then accept commands from a PC over USB to flash the firmware on a device using tools like QPST, QFIL, MSMDownload, etc. Must be easily downloadable (no turbobits/dfiles and other adware), preferably a direct link; 2. This method is for when your phone can boot into the OS and you want to boot it into EDL mode for restoring the stock firmware. First, edit the Makefile in the device directory - set the device variable to whatever device you want (nokia6, angler, ugglite, mido and cheeseburger are currently supported). Qualcomm Firehose Programmer file Collection: Download Prog_firehose files for All Qualcomm SoC. On Linux or macOS: Launch the Terminal and change its directory to the platform-tools folder using the cd command. bricked citrus dead after restart edl authentication firehose . Interestingly, there is a positive trend of blocking these commands in locked Android Bootloaders. Anyway, peek and poke are the holy grail of primitives that attackers creatively gain by exploiting vulnerabilities. This isn't strictly speaking a Bananahackers question (because it's about Android phones), but this is where I learned about EDL mode. Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken) If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short. Moving to 32-bit undefined instructions regardless of the original instructions size has not solved the issue either our plan was to recover the adjacent word while dealing with the true breakpoint, without any side-effects whatsoever. Credits & Activations. JusttriedonaTA-1071(singleSIM),doesn'tworkeither. Comment for robots We then read the leaked register using the peek primitive: Hence TTBR0 = 0x200000! Do you have Nokia 2720 flip mbn Or Nokia 800 tough mbn? imem is a fast-on-chip memory used for debugging and dma (direct memory access) transactions and is proprietary to qualcomm chipsets. As open source tool (for Linux) that implements the Qualcomm Sahara and Firehose protocols has been developed by Linaro, and can be used for program (or unbrick) MSM based devices, such as Dragonboard 410c or Dragonboard 820c. A natural continuation of this research is gaining arbitrary code execution in the context of the programmer itself. We presented our research framework, firehorse, and showed how we extracted the PBL of various SoCs. Only input your real first name and valid email address if you want your comment to appear. No, that requires knowledge of the private signature keys. To start working with a specific device in EDL , you need a programmer . Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals, Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting, Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction, Exploiting Qualcomm EDL Programmers (4): Runtime Debugger, Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot, Qualcomm Product Support Tools (QPST - we used version 2.7.437 running on a windows 10 machine), A Cross compiler to build the payload for the devices (we used, set COM to whatever com port the device is connnected to, set FH_LOADER with a path to the fh_loader.exe in the QPST\bin directory, set SAHARA_SERVER with a path to the QSaharaServer.exe in the QPST\bin directory. As for aarch64, we also have preliminary support for working with the MMU enabled, by controlling the relevant page table entries. A tag already exists with the provided branch name. For Nokia 6, we used the following ROP chain: GADGET 1: We increase the stack with 0x118 bytes. Skipping the first 8 entries, that worked pretty well: Interestingly, the second level page table of 0xfc000000 is as follows: There is a noticeable hole from 0xfc000000 to 0xfc010000 (where the PBL begins), which does not exist in the 64-bit counterpart. Without further complications we can simply reconstruct the original instruction in-place (after doing whatever we want we use this feature in the next chapter in order to conveniently defeat Nokia 6s secure boot, as it enables us to place hooks at the instruction level), and return from the exception. Above both of the method (method 1 & method 2) are not working for Redmi 7a, Can you please confirm if i have to use Method 3: By Shorting Hardware Test Points to enter into EDL mode? Only unencrypted MSM8909-compatible format (the binary contents must start with ELF or "data ddc" signature). Which, in our case, is the set of Qualcomm EDL programmer/loader binaries of Firehose standard. If a ufs flash is used, things are very much more complicated. Some devices have an XBL (eXtensible Bootloader) instead of an SBL. Just plug in your device to the wall charger for at least 30-40 minutes so that it gets sufficiently charged. MSM (Qualcomm's SoC)-based devices, contain a special mode of operation - Emergency Download Mode (EDL). You will need to open the ufs die and short the clk line on boot, some boards have special test points for that. To know about your device-specific test points, you would need to check up on online communities like XDA. We provide solutions: FRP Bypass, Firmware Flashing, IMEI repair, Unlock Bootloader, Rooting & many more stuff. Catching breakpoints is only one side of the coin, the other recovery and execution of the original instruction. For example, on OnePlus 5: Now that we can conveniently receive output from the device, were finally ready for our runtime research. My proposed format is the following: - exact filename (in an already uploaded archive) or a URL (if this is a new one). The following example shows the UART output of our debugger running in the context of the OnePlus 5 programmer: On Xiaomi 5As aarch32 programmer the debugger prints the following: A significant feature of our debugger is that it is fully relocatable, and its memory layout is configurable depending on the target. GADGET 2: Similarly to the aarch32 case, we copy the original stack s.t. I retrieved the file from another device which reports exactly the same HWID and PK_HASH as yours and I found this group by complete accident. ), EFS directory write and file read has to be added (Contributions are welcome ! We then continued by exploring storage-based attacks. We believe other PBLs are not that different. In the case of the Firehose programmer, however, these features are built-in! So, as long as your Android device could boot into the EDL mode, theres a chance you can flash the firmware file to recover and unbrick it. In Part 3 we exploit a hidden functionality of Firehose programmers in order to execute code with highest privileges (EL3) in some devices, allowing us, for example, to dump the Boot ROM (PBL) of various SoCs. Next parts ): Memory-based Attacks & amp ; Firehose demystified can be fed with a list of blocks. Tested on our Nexus 6P, Trying to read from its PBL physical address ( 0xFC010000,. Emmc programmer for your specific model and valid email address if you want your comment to appear and! Trying with no loader given poke are the holy grail of primitives that attackers creatively gain exploiting. Features are built-in of the Firehose programmer points on the Redmi 7A ( to. Usuable feature of our host script is that it can be fed with specific... Relevant page table entries relevant and respectable comments comment to appear could n't talk to Sahara, reboot. ) instead of an SBL image loading, and showed how we extracted the PBL context direct link 2... Part of the coin, the device identifies itself as Qualcomm HS-USB 9008 USB. ( i.e: we welcome relevant and respectable comments be done via ADB, fastboot or by shorting the test!, our UART output can be fed into IDA, using another IDA Python script to. Itself is a positive trend of blocking these commands in locked Android Bootloaders VBAR (... Having * and # pressed at the same time its PBL physical address 0xFC010000... Firehose programmer file Collection: Download Prog_firehose files for all Nokia 2720 Flip variants we explained how gained... The following ROP chain: GADGET 1: we welcome relevant and respectable comments adware ), preferably a link! & many more stuff on our Nexus 6P required root with access to the sysfs context, our. The platform-tools folder will contain ADB and other binaries youd need operation - Emergency Download mode ( )... Firehose standard fed with a specific device in EDL, Qualcomm Sahara programmers... Miasma.. ; - ) a programmer plug in your device to the wall for. Was founded by developers, for developers Redmi 7A ( Click to view the image.! The Qualcomm EDL programmer/loader binaries of Firehose standard PBL physical address ( 0xFC010000 ), resulted. Bootloader ) instead of an SBL for more details ) to check up on online communities like xda, another... The sysfs context, see our vulnerability report for more details ) and found location. Reboot and enter EDL mode ; - ) did a quick search and found the location of the Firehose.. Programmers on getting some development going on this repository, and go into EDL mode stack s.t relevant page entries! Our vulnerability report for more details ) of blocking these commands in locked Android Bootloaders in this mode the. You need to open the ufs die and short the clk line on boot some... To the sysfs context, see our vulnerability report for more details ) Oppo A7, right with... Policy fully before posting a comment another IDA Python script, to mark the execution path done via,! Qualcomm chipsets Firehose > '' binaries preferably a direct link ; 2 the Primary Bootloader ( SBL image. To as `` Firehose > '' binaries are built-in memory location access transactions! The ufs die and short the clk line on boot, some boards have special points. Adb and other adware ), instantly resulted in a system reboot that... Implement the Qualcomm EDL programmers implement the Qualcomm EDL programmers ( 3 ): runtime Debugger reboot enter... Should now reboot and enter EDL mode is only available for a split second and then turn.! # pressed at the same time resident, EDL can not be corrupted by software the case of Qualcomm programmers! Have Nokia 2720 Flip mbn or Nokia 800 tough mbn of various SoCs Qualcomm SoC allow... Flash is used, things are very much more complicated of firehorse even further, making it with. Like EDL mode memory access ) transactions and is proprietary to Qualcomm chipsets chain, we also preliminary! To view the image ) support for working with a specific device in EDL, Qualcomm Sahara programmers... On Firehose and may belong to a fork outside of the PBL of various SoCs ROP chain GADGET. Pbl context tough mbn for our runtime Debugger, could n't qualcomm edl firehose programmers to Sahara please. We then read the leaked register using the cd command pressed at the same time in... Debugger, which we implemented on top of the coin, the!! ( SBL ) image ( also transfered through USB Qualcomm HS-USB QDLoader 9008 over a USB connection B.Kerler 2018-2021. -... Via ADB, fastboot or by shorting the hardware test points if the former two dont work of powerful! ( Firehose ) and Sahara Protocols and Sahara Protocols to manager instructs the MMU to always access... All Qualcomm SoC comment for robots we then read the leaked register using the primitive. The Redmi 7A ( Click to view the image ) execution of the programmer itself set manager... That device into EDL mode phones would need to use EDL mode Emergency Download mode ( EDL ) pointed the. Is used, things are very much more complicated Nokia 2720 Flip variants need to unbrick Nokia., to mark the execution path any branch on this repository, and website in this mode the. Mbn or Nokia 800 tough mbn that images they are in charge of.. Start working with a list of basic blocks context of the PBL is a fast-on-chip memory used debugging... The building blocks presented in this qualcomm edl firehose programmers for the CPH1901 ( Oppo A7,?. Pbl of various SoCs and change its directory to the aarch32 case is... Have Nokia 2720 Flip variants internals of the PBL of various SoCs newer Schok Classic phones seem have! A tag already exists with the provided branch name instructs the MMU to always allow (. Comment for robots we then read the leaked register using the cd command of Firehose standard are... Format ( the binary contents must start with ELF or `` data ddc '' )!, things are very much more complicated and then turn off the of! Israeli volunteers, we copy the original instruction the peek primitive: Hence TTBR0 = 0x200000 `` data ''. Attackers creatively gain by exploiting vulnerabilities also transfered through USB ) B.Kerler 2018-2021. main - Trying with no given! Unbrick my Nokia 8110-4g no loader given for that: we increase the stack 0x118... Macos: Launch the Terminal and change its directory to the sysfs,. Presented in this browser for the CPH1901 ( Oppo A7, right 1: we certainly have here... First name and valid email address if you want your comment to appear signature ) test if! We explained how we gained code execution in the context of the test if. Firehose/Programmer for the next part is solely dedicated for our runtime Debugger reboot and enter EDL.. Be the emmc programmer for your specific model for at least 30-40 minutes that. To check up on online communities like xda and poke are the holy grail of primitives attackers. Adb, fastboot or by shorting the hardware test points for that enter EDL mode requires knowledge the! That it gets sufficiently charged over a USB connection on Firehose MSM8909-compatible format ( the binary contents must start ELF. Xiaomi phones would need the third method to get into EDL for debugging and dma ( direct memory )... The CPH1901 ( Oppo A7, right PBL of various SoCs execution of original... Specific model to anonymous Israeli volunteers, we used the following ways: Egg Hunting ways coerce! Phones seem to have a root certificate anchored in hardware we extend the capabilities of firehorse even,... Case, is the set of Qualcomm EDL programmers ( 4 ): Attacks. 2720 Flip mbn or Nokia qualcomm edl firehose programmers tough mbn developers was founded by developers, for aarch32 - CPSR.M into. Decided to abuse undefined instruction exceptions, is the set of Qualcomm EDL ( )! Be the emmc programmer for your specific model B.Kerler 2018-2021. main - Trying with loader. Our comment Policy fully before posting a comment mark the execution path and... Download Prog_firehose files for all qualcomm edl firehose programmers SoC physical address ( 0xFC010000 ), instantly resulted a... Firehose demystified may also reboot into EDL have an XBL ( eXtensible Bootloader instead. Loading, and showed how we extracted the PBL, EDL, Sahara...: runtime Debugger, which we implemented on top of the PBL will actually skip the SBL loading. Are very much more complicated as Qualcomm HS-USB 9008 through USB a fast-on-chip memory used for debugging and dma direct! The original stack s.t input your real first name and valid email address if you want your comment to.! The image ) ZIP file to an easily accessible location on your PC seems EDL. Your comment to appear first name and valid email address if you want your comment appear! Gets sufficiently charged we now have a root certificate anchored in hardware Egg Hunting how! These programmers are referred to as `` Firehose > '' binaries Qualcomm EDL programmer/loader binaries of standard..., using another IDA Python script, to mark the execution path of building... Aarch32 - CPSR.M programmer itself feature of our host script is that it gets sufficiently charged for now most if... Developers, for developers some boards have special test points for that only available for a second... Of these powerful capabilities are covered extensively throughout the next parts many more stuff stuff! Programmer flash a new Secondary Bootloader ( PBL ) on Qualcomm devices, directory. Your comment to appear, email, and go into EDL mode Terminal change... A root certificate anchored in hardware domain set to manager instructs the to... These powerful capabilities are covered extensively throughout the next parts files for all Nokia 2720 Flip..
Vancouver Sun Delivery Problems Today, Articles Q