Later, our UART output can be fed into IDA, using another IDA Python script, to mark the execution path.

When in this mode, the device identifies itself as "Qualcomm HS-USB QDLoader 9008" over the USB connection.

While the reason for their public availability is unknown, our best guess is that

To know about your device-specific test points, you would need to check online communities such as XDA.

- HWID (if known)
- exact filename (in an already uploaded archive) or a URL (if this is a new one)
Requirements to the files:

Some of them will get our coverage throughout this series of blog posts.

The following info was from the device that works with the programmer I attached:
HWID: 0x009600e100000000 (MSM_ID:0x009600e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
prog_emmc_firehose_8909_ddr[d96ada9cc47bec34c3af6a3b54d6a73466660dcb].mbn

Andy, thanks a lot for figuring out the non-standard XML response for Nokias, merged your changes back into the. Also, if you didn't notice, we already have the 800 Tough firehose in our.
https://cloud.disroot.org/s/HzxB6YM2wRFPpWT/download
http://forum.gsmhosting.com/vbb/f296/nokia-8110-4g-full-support-infinity-qlm-1-16-a-2574130/
http://dl1.infinity-box.com/00/pub.php?dir=software/
http://edl.bananahackers.net/loaders/0x000940e100420050.mbn

The current exception level is read from CurrentEL on aarch64 and from CPSR.M on aarch32.

sahara -----
HWID: 0x0005f0e100000000 (MSM_ID:0x0005f0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected: "MSM8996Pro"
PK_HASH
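The HWID and PK_HASH lines above are what the Sahara client prints before a programmer is sent, and the thread's whole purpose is matching such a device to a loader file. The following is an added example (written for this page, not code from the Sahara client or from the thread) that decodes the 64-bit HWID into MSM_ID/OEM_ID/MODEL_ID exactly as the client renders it, pulls both values out of a pasted banner, and then picks a loader: an exact HWID match first, then a "generic" loader with OEM_ID and MODEL_ID zero for the same MSM_ID (the situation described for CAT's 8909 devices), never a loader whose recorded PK_HASH differs from the device's, since the PBL only accepts programmers signed by the OEM key whose hash is fused into the chip. The catalogue and the sample banner are constructed from the two loader names on this page; the 0x0042/0x0050 OEM/MODEL values in the banner are invented for the demonstration.

```python
import re

# Constructed regexes for the two lines the Sahara client prints (see the thread above).
HWID_RE = re.compile(r"HWID:\s*(0x[0-9a-fA-F]{16})")
PK_HASH_RE = re.compile(r"PK_HASH:\s*(0x[0-9a-fA-F]{64})")


def split_hwid(hwid):
    """Return (MSM_ID, OEM_ID, MODEL_ID) of a 64-bit HWID given as int or hex string.
    Layout follows the client's own rendering: bits 63..32 MSM_ID, 31..16 OEM_ID, 15..0 MODEL_ID."""
    value = int(hwid, 16) if isinstance(hwid, str) else hwid
    return value >> 32, (value >> 16) & 0xFFFF, value & 0xFFFF


def format_hwid(hwid):
    """Render a HWID the way the client does, e.g. 0x009600e100000000 (MSM_ID:0x009600e1,...)."""
    value = int(hwid, 16) if isinstance(hwid, str) else hwid
    msm, oem, model = split_hwid(value)
    return "0x%016x (MSM_ID:0x%08x,OEM_ID:0x%04x,MODEL_ID:0x%04x)" % (value, msm, oem, model)


def parse_sahara_banner(text):
    """Pull (hwid, pk_hash) out of pasted client output; either is None when absent."""
    hw = HWID_RE.search(text)
    pk = PK_HASH_RE.search(text)
    return (hw.group(1).lower() if hw else None, pk.group(1).lower() if pk else None)


def select_loader(hwid, pk_hash, catalog):
    """Pick a programmer for a device. Returns (entry, reason) or (None, None).

    reason is "exact" (same HWID), "generic" (same MSM_ID, OEM/MODEL zero) or
    "unverified" (either side's PK_HASH unknown). A loader whose PK_HASH is known
    and differs from the device's is skipped: the PBL would refuse it anyway.
    """
    hwid = hwid.lower()
    device_pk = (pk_hash or "").lower() or None
    msm, _, _ = split_hwid(hwid)
    generic = "0x%08x00000000" % msm
    ranked = []
    for entry in catalog:
        loader_hwid = entry["hwid"].lower()
        loader_pk = (entry.get("pk_hash") or "").lower() or None
        if loader_hwid not in (hwid, generic):
            continue
        if loader_pk is not None and device_pk is not None and loader_pk != device_pk:
            continue  # signed for another OEM key
        reason = "exact" if loader_hwid == hwid else "generic"
        if loader_pk is None or device_pk is None:
            reason = "unverified"
        rank = {"exact": 0, "generic": 1, "unverified": 2}[reason]
        ranked.append((rank, entry, reason))
    if not ranked:
        return None, None
    ranked.sort(key=lambda r: r[0])
    return ranked[0][1], ranked[0][2]


# Constructed catalogue from the two loaders named on this page (PK_HASH of the second is unknown).
CATALOG = [
    {"name": "prog_emmc_firehose_8909_ddr[d96ada9cc47bec34c3af6a3b54d6a73466660dcb].mbn",
     "hwid": "0x009600e100000000",
     "pk_hash": "0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f"},
    {"name": "0x000940e100420050.mbn", "hwid": "0x000940e100420050", "pk_hash": None},
]

# Constructed banner: an 8909 device whose OEM/MODEL ids are not zero (values invented).
SAMPLE_BANNER = """sahara -----
HWID: 0x009600e100420050 (MSM_ID:0x009600e1,OEM_ID:0x0042,MODEL_ID:0x0050)
PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
"""

if __name__ == "__main__":
    hw, pk = parse_sahara_banner(SAMPLE_BANNER)
    print(format_hwid(hw))
    print(select_loader(hw, pk, CATALOG))
```

The "generic" fallback is the interesting branch: it is only safe because the PK_HASH is compared as well, so a loader for a different OEM that happens to share the MSM_ID is never offered.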
We obtained and reverse-engineered the PBL of various Qualcomm-based chipsets. We obtained the RPM & Modem PBLs of Nexus 6P. We managed to unlock & root various Android bootloaders, such as Xiaomi Note 5A, using a storage-based attack only.

If it is in a bootloop or cannot enter the OS, move to the second method.

In the case of the Firehose programmer, however, these features are built-in!

Further updates on this thread will also be reflected at the special.

The figure on the right shows the boot process when EDL mode is executed.

Among the tested devices: Oneplus 3T/5/6T/7T/8/8t/9/Nord CE/N10/N100 (Read-Only), BQ X, BQ X5, BQ X2, Gigaset ME Pure, ZTE MF210, ZTE MF920V, Sierra Wireless EM7455, Netgear MR1100-10EUS, Netgear MR5100.

Skipping the first 8 entries, that worked pretty well. Interestingly, in the second-level page table of 0xfc000000 there is a noticeable hole from 0xfc000000 to 0xfc010000 (where the PBL begins), which does not exist in the 64-bit counterpart.

Its 16-bit (Thumb) encoding is XXDE, i.e. the bytes XX DE in little-endian order.

You also wouldn't want your device to turn off while you're flashing the firmware, which could lead to unexpected results.

But EDL mode is a good choice; you should be able to wipe data and FRP.

This special mode of operation is also commonly used by power users to unbrick their devices.

No, that requires knowledge of the private signature keys.

For most devices the relevant UART points have already been documented online by fellow researchers/engineers.

Programmers are pieces of low-level software containing raw flash read/write functionality that allows for reflashing, similar to Samsung's Odin mode or LG's flash.

EDL mode is entered by plugging in the cable while holding * and # pressed at the same time.
In the next part we display the cherry on top: a complete Secure Boot exploit against the Nokia 6 (MSM8937).

(For debugging during our ROP chain development, we used gadgets that either reboot the device or cause infinite loops, in order to indicate that our gadgets were indeed executed.)

For example, on OnePlus 5:

Now that we can conveniently receive output from the device, we're finally ready for our runtime research.

Finding the address of the execution stack.

Of course, the credits go to the respective source.

My proposed format is the following:
- exact filename (in an already uploaded archive) or a URL (if this is a new one).

We have finally solved the problem by reading through the ARM Architecture Reference Manual, finding that there is an actual instruction that is guaranteed to be permanently undefined (i.e. to raise an undefined instruction exception), regardless of the following word.

To make any use of this mode, users must get hold of OEM-signed programmers, which seem to be publicly available for various such devices.

Do you have a Nokia 2720 Flip mbn or a Nokia 800 Tough mbn?

MSM-based devices contain a special mode of operation - Emergency Download Mode (EDL).

To ensure that we can replace arbitrary instructions and not get hit with data aborts while doing so (due to non-writable pages), we either disable the MMU completely (aarch64) or, on aarch32, more conveniently elevate all of the domains to manager by writing 0xFFFFFFFF to the DACR register.

Android phones and tablets equipped with a Qualcomm chipset contain a special boot mode which can be used to force-flash firmware files for the purpose of unbricking or restoring the stock

Just tried on a TA-1071 (single SIM), doesn't work either.

We reported this kind of exposure to some vendors, including OnePlus (CVE-2017-5947) and Google (Nexus 6/6P devices, CVE-2017-13174).
One possible explanation for their existence is that they are old entries from the APPS PBL (which indeed sets TTBR0 to 0xFE800000).

MSM (Qualcomm's SoC)-based devices contain a special mode of operation - Emergency Download Mode (EDL).

Individual loaders must have the .mbn or .bin extension; archives should preferably be zip or 7z, no rar.

Which, in our case, is the set of Qualcomm EDL programmer/loader binaries of the Firehose standard.

This file can be used to remove the screen lock on supported Qualcomm devices and to bypass the FRP Google account lock on Qualcomm devices.

Seems like CAT is using a generic HWID for 8909 devices. We got very lucky with this.

EDL is implemented by the PBL.

Research & Exploitation framework for

A couple of years ago it was easy to unbrick a Xiaomi device through Emergency Download Mode (EDL).

Programming & Flashing.

Analyzing several programmers' binaries quickly reveals that commands are passed through XMLs (over USB).

Improved streaming stuff. Qualcomm Sahara / Firehose Attack Client / Diag Tools.

Qualcomm eMMC Firehose programmer files (prog_emmc_firehose_*.mbn) are part of the stock firmware package for Qualcomm phones. They come with the .mbn extension and, once loaded over EDL, provide the raw read/write access to the flash partitions that a flash tool needs.

But if not, then there are a couple of known ways/methods to boot your phone into EDL.
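Since Firehose commands are XML documents sent over the USB bulk endpoints and the programmer answers with XML as well, the exchange is easy to show concretely. The block below is an added example (not code from firehorse, from the Sahara/Firehose client, or from the blog series): it serialises the standard `configure` and `read` commands inside the `<data>` wrapper, and it parses a reply transfer into `<log>` entries and the final `<response value="ACK|NAK" rawmode="...">`, including the case where the programmer packs several XML documents into one transfer. The attribute names are those of the standard Firehose commands; the sample replies are constructed. The parser also keeps a regex fallback for replies that are not well-formed XML, a generic robustness measure and not a description of the Nokia-specific quirk mentioned in the thread, which the page does not detail.

```python
import re
import xml.etree.ElementTree as ET

# Every host command is one XML document: <?xml ...?><data><cmd attr="..."/></data>.
# The programmer replies with zero or more <log value="..."/> documents followed by
# <response value="ACK"|"NAK" rawmode="true"|"false"/>. rawmode="true" after a read
# means the requested sectors follow as raw bytes, terminated by another response.


def build_firehose_cmd(tag, **attrs):
    """Wrap one Firehose command in the <data> envelope and return it as bytes."""
    root = ET.Element("data")
    ET.SubElement(root, tag, {k: str(v) for k, v in attrs.items()})
    return b'<?xml version="1.0" ?>' + ET.tostring(root)


def configure_cmd(memory="eMMC", max_payload=1048576):
    """The <configure> handshake sent right after the programmer starts."""
    return build_firehose_cmd("configure", MemoryName=memory, Verbose=0, AlwaysValidate=0,
                              MaxPayloadSizeToTargetInBytes=max_payload, ZLPAwareHost=1,
                              SkipStorageInit=0)


def read_cmd(start_sector, num_sectors, sector_size=512, lun=0):
    """A <read> of num_sectors sectors from physical partition (LUN) lun."""
    return build_firehose_cmd("read", SECTOR_SIZE_IN_BYTES=sector_size,
                              num_partition_sectors=num_sectors,
                              physical_partition_number=lun, start_sector=start_sector)


_XML_SPLIT = re.compile(rb"(?=<\?xml)")
_VALUE_ATTR = re.compile(rb'<(response|log)\b[^>]*?\bvalue="([^"]*)"')


def parse_firehose_reply(raw):
    """Split one USB transfer into its XML documents and summarise them.

    Returns {"status": "ACK"|"NAK"|None, "rawmode": bool, "logs": [str, ...], "attrs": {...}}.
    """
    result = {"status": None, "rawmode": False, "logs": [], "attrs": {}}
    for doc in filter(None, _XML_SPLIT.split(raw)):
        try:
            root = ET.fromstring(doc)
            elems = [(e.tag, dict(e.attrib)) for e in root]
        except ET.ParseError:
            # Not well-formed (stray bytes, unescaped characters): salvage the value
            # attributes with a regex rather than dropping the whole reply.
            elems = [(m.group(1).decode(), {"value": m.group(2).decode()})
                     for m in _VALUE_ATTR.finditer(doc)]
        for tag, attrib in elems:
            if tag == "log":
                result["logs"].append(attrib.get("value", ""))
            elif tag == "response":
                result["status"] = attrib.get("value")
                result["rawmode"] = attrib.get("rawmode", "false").lower() == "true"
                result["attrs"] = attrib
    return result


# Constructed reply transfers, in the shape programmers actually produce.
SAMPLE_READ_REPLY = (
    b'<?xml version="1.0" encoding="UTF-8" ?><data><log value="start 0, num 1" /></data>'
    b'<?xml version="1.0" encoding="UTF-8" ?><data><response value="ACK" rawmode="true" /></data>'
)
SAMPLE_NAK_REPLY = b'<?xml version="1.0" ?><data><response value="NAK" rawmode="false" /></data>'

if __name__ == "__main__":
    print(configure_cmd().decode())
    print(read_cmd(0, 1).decode())
    print(parse_firehose_reply(SAMPLE_READ_REPLY))
```

A real client would send `configure_cmd()`, then `read_cmd(...)`, and on `rawmode` being true read exactly `num_sectors * sector_size` bytes from the endpoint before expecting the closing response.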
As for remediation, vendors with leaked programmers should use Qualcomm's Anti-Rollback mechanism, if applicable, in order to prevent them from being loaded by the Boot ROM (PBL). Qualcomm's statement on this: "The problem is caused by customizations from OEMs. Our Boot ROM supports anti-rollback mechanism for the firehose image."

Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting
Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction
Exploiting Qualcomm EDL Programmers (4): Runtime Debugger
Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot

Obtain and reverse-engineer the PBL of various Qualcomm-based chipsets. Obtain the RPM & Modem PBLs of Nexus 6P. Manifest an end-to-end attack against our Nokia 6 device running Snapdragon 425.

This is done inside some_sahara_stuff, which gets called if either pbl->bootmode is edl or the flash initialization has failed. Later, when the PBL actually tries to load the SBL from the flash drive, it will consider the pbl->flash->initialized field and use the Sahara protocol instead. The PBL later jumps to the SBL entry point with the aforementioned pbl2sbl_data. As mentioned above, modern EDL programmers implement the Qualcomm Firehose protocol.

In fact, that's one of the very common mistakes that users make when their device is bricked.

Rebooting into EDL can also happen from the platform OS itself, if implemented and if adb access is allowed, by running adb reboot edl. This could either be done via ADB, fastboot or by shorting the hardware test points if the former two don't work.

Remove libusb1 for windows (libusb0 only), fix reset command. Fix sahara id handling and memory dumping. MDM9x60 support.
At this stage of the research we did not have much understanding of the memory layout of the programmers, and since poking an unmapped arbitrary address resulted in a crash (either an infinite loop or a reboot), we had to find a more intelligent way to deduce the memory layout of the programmer.

ALEPH-2017029.

On Linux or macOS: launch the Terminal and change its directory to the platform-tools folder using the cd command.

Google has patched CVE-2017-13174 in the December 2017 Security Bulletin.

Special care was also needed for Thumb.

Looking to work with some programmers on getting some development going on this.

r"C:\Program Files (x86)\Qualcomm\QPST437\bin\fh_loader.exe", r"C:\Program Files (x86)\Qualcomm\QPST437\bin\QSaharaServer.exe".

So, let's collect the knowledge base of the loaders in this thread.

This isn't strictly speaking a Bananahackers question (because it's about Android phones), but this is where I learned about EDL mode.

We end with a

The rest of our devices with an aarch32 programmer (Xiaomi Note 5A and Xiaomi Note 4) also had a WX page available, hence code execution on them was immediate as well.

You can upload your own or analyze the files already uploaded to the thread, and let everyone know which model has which fitting firehose loader.

Usage. Prerequisites. To use this tool you'll need:

Peeking at this address gives the following. Our research tool, firehorse, can then walk through the page tables: APX=0, AP=0x3, NX=0x0 means a writable and executable (WX) page.
We then read the leaked register using the peek primitive. Hence TTBR0 = 0x200000!

In this mode the PBL speaks the Sahara protocol to receive a programmer, which then runs in place of the secondary bootloader and accepts Firehose commands for flashing.

This feature is used by our Nokia 6 exploit, since we need to relocate the debugger during the SBL to ABOOT transition.

Amandeep, for the CPH1901 (Oppo A7, right?

Executing this chain, we managed to leak the TTBR0 register into a controlled memory address without crashing the device (by reconstructing the stack and returning to the original caller).

We must be at any moment prepared for organized resistance against the pressure from anyone trying to take away what's ours.

In this part we described our debugging framework, which enabled us to further research the running environment.

Here is the Jiophone 2 firehose programmer.

https://alephsecurity.com/2018/01/22/qualcomm-edl-1/
https://github.com/alephsecurity/firehorse

Finally, enter the adb reboot edl command in the PowerShell window to boot your phone into EDL mode. If you see a prompt on the device's screen to allow USB debugging, press Allow.

ignore the access rights completely.
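Once TTBR0 is known and a peek primitive exists, the page-table walk that firehorse performs (the APX/AP/NX decode that flagged the WX page, and the hole below 0xfc010000 in the 0xfc000000 second-level table) can be reproduced for the aarch32 short-descriptor format. The block below is an added example written for this page, not firehorse's own code: `walk_short_descriptor` takes a `read(addr, n)` callable standing in for the peek primitive and enumerates sections, supersections, large pages and small pages with their PL1 permissions under the classic 3-bit AP encoding (SCTLR.AFE=0), `find_wx` reports writable-and-executable regions, and `lookup` answers whether an address is mapped at all. The backing memory is constructed: a 16 KiB first-level table at the leaked TTBR0 value 0x200000, one coarse table covering 0xfc000000 whose first sixteen entries are left as fault entries, and a handful of pages with chosen permissions; none of the physical addresses other than TTBR0 come from the page.

```python
import struct
from dataclasses import dataclass


@dataclass
class Region:
    va: int
    pa: int
    size: int
    r: bool
    w: bool
    x: bool


def pl1_perms(ap, apx, xn):
    """Privileged-mode permissions under the classic 3-bit AP encoding (SCTLR.AFE=0):
    AP==0 -> no access; APX=0 -> read/write; APX=1 -> read-only. XN clears execute."""
    readable = ap != 0
    writable = apx == 0 and ap != 0
    return readable, writable, xn == 0


def walk_short_descriptor(read, ttbr0):
    """Enumerate every mapped region under an ARMv7 short-descriptor first-level table."""
    regions = []
    for i in range(4096):
        d = struct.unpack("<I", read(ttbr0 + i * 4, 4))[0]
        va = i << 20
        kind = d & 3
        if kind == 0:
            continue                                   # fault entry: nothing mapped here
        if kind == 1:                                  # coarse page table: 256 x 4 KiB
            l2 = d & 0xFFFFFC00
            for j in range(256):
                e = struct.unpack("<I", read(l2 + j * 4, 4))[0]
                if e & 3 == 0:
                    continue
                if e & 2:                              # small page: XN is bit 0
                    pa, size, xn = e & 0xFFFFF000, 0x1000, e & 1
                else:                                  # large page: replicated 16x, XN bit 15
                    if j % 16:
                        continue
                    pa, size, xn = e & 0xFFFF0000, 0x10000, (e >> 15) & 1
                ap, apx = (e >> 4) & 3, (e >> 9) & 1
                regions.append(Region(va + (j << 12), pa, size, *pl1_perms(ap, apx, xn)))
        else:                                          # section (1 MiB) or supersection (16 MiB)
            if d & (1 << 18):
                if i % 16:
                    continue
                pa, size = d & 0xFF000000, 0x1000000
            else:
                pa, size = d & 0xFFF00000, 0x100000
            ap, apx, xn = (d >> 10) & 3, (d >> 15) & 1, (d >> 4) & 1
            regions.append(Region(va, pa, size, *pl1_perms(ap, apx, xn)))
    return regions


def lookup(regions, va):
    """Region containing va, or None if the address is unmapped (a peek there would crash)."""
    for r in regions:
        if r.va <= va < r.va + r.size:
            return r
    return None


def find_wx(regions):
    return [(r.va, r.size) for r in regions if r.w and r.x]


def build_sample_tables():
    """Constructed physical memory holding an L1 table at TTBR0 and one L2 table."""
    ttbr0, l2_base = 0x200000, 0x204000           # TTBR0 is the value leaked in the text
    mem = bytearray(0x8000)                        # backs physical 0x200000..0x208000

    def put(addr, val):
        struct.pack_into("<I", mem, addr - ttbr0, val)

    # VA 0x00000000: 1 MiB section -> PA 0x08000000, AP=3/APX=0 (RW), XN=1 (data).
    put(ttbr0 + 0 * 4, 0x08000000 | (3 << 10) | (1 << 4) | 0b10)
    # VA 0xfc000000: coarse page table; entries 0..15 stay fault entries (the hole below the PBL).
    put(ttbr0 + 0xfc0 * 4, l2_base | 0b01)
    for j in range(16, 32):                        # 0xfc010000..: identity-mapped, RO + X
        put(l2_base + j * 4, (0xfc000000 + (j << 12)) | (1 << 9) | (1 << 4) | 0b10)
    put(l2_base + 0x80 * 4, 0x00280000 | (3 << 4) | 0b11)   # RW, XN: plain data page
    put(l2_base + 0x90 * 4, 0x00290000 | (3 << 4) | 0b10)   # RW + X: the WX page to find

    def read(addr, n):                             # stand-in for the peek primitive
        off = addr - ttbr0
        if 0 <= off and off + n <= len(mem):
            return bytes(mem[off:off + n])
        return b"\0" * n                           # outside the sample: read as fault entries

    return read, ttbr0


if __name__ == "__main__":
    read, ttbr0 = build_sample_tables()
    regs = walk_short_descriptor(read, ttbr0)
    for r in regs:
        print("VA %08x -> PA %08x size %7x %s%s%s" % (r.va, r.pa, r.size,
              "r" if r.r else "-", "w" if r.w else "-", "x" if r.x else "-"))
    print("WX regions:", [hex(va) for va, _ in find_wx(regs)])
```

On a real target the walk is exactly the same, with `read` issuing peeks against the programmer; because every address it touches is taken from a descriptor, the walk itself never pokes an unmapped address.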
The last gadget will return to the original caller, and the device will keep processing Firehose commands.

In the previous part we explained how we gained code execution in the context of the Firehose programmer.

For some programmers our flashed data did not remain in memory.

A natural continuation of this research is gaining arbitrary code execution in the context of the programmer itself.

I've discovered a few that are unfused (Orbic Journey, Coolpad Snap, and Schok Classic).

In this post, you will learn what EDL mode is, and why and when you'd need to use it.

I'm using the Qualcomm Sahara/Firehose client on Linux.

The init function is in charge of the following. This struct contains the following fields (the shown symbols are of course our own estimates).