13 KiB
Executable File
Qualcomm Sahara / Firehose Attack Client / Diag Tools
(c) B. Kerler 2018-2024 Licensed under GPLv3 license.
Be aware that if you use anything from this repository in any (including) compiled form, you need to opensource your code as well !
Violating against the GPLv3 license will enforce me to stop developing these opensource tools.
Why
- Because we'd like to flexible dump smartphones
- Because attacking firehose is kewl
- Because memory dumping helps to find issues :)
QC Sahara V3 additional information for newer QC devices
- For newer qc phones, loader autodetection doesn't work anymore as the sahara loader doesn't offer a way to read the pkhash anymore
- Thus, for Sahara V3, you need to give a valid loader via --loader option !
Use LiveDVD (everything ready to go, based on Ubuntu):
User: user, Password:user (based on Ubuntu 22.04 LTS)
Installation
Grab files and install
git clone https://github.com/bkerler/edl
cd edl
git submodule update --init --recursive
pip3 install -r requirements.txt
Linux (Debian/Ubuntu/Mint/etc):
# Debian/Ubuntu/Mint/etc
sudo apt install adb fastboot python3-dev python3-pip liblzma-dev git
sudo apt purge modemmanager
# Fedora/CentOS/etc
sudo dnf install adb fastboot python3-devel python3-pip xz-devel git
# Arch/Manjaro/etc
sudo pacman -S android-tools python python-pip git xz
sudo pacman -R modemmanager
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
sudo apt purge ModemManager
git clone https://github.com/bkerler/edl.git
cd edl
git submodule update --init --recursive
chmod +x ./install-linux-edl-drivers.sh
bash ./install-linux-edl-drivers.sh
python3 setup.py build
sudo python3 setup.py install
If you have SELinux enabled, you may need to set it to permissive mode temporarily to prevent permission issues. SELinux is commonly used by RedHat-like distros (for example, RHEL, Fedora, and CentOS). You can set it to permissive run-time until next boot with sudo setenforce 0
.
macOS:
brew install libusb git
git clone https://github.com/bkerler/edl.git
cd edl
git submodule update --init --recursive
python3 setup.py build
sudo python3 setup.py install
Windows:
Install python + git
- Install python 3.9 and git
- If you install python from microsoft store, "python setup.py install" will fail, but that step isn't required.
- WIN+R
cmd
Get latest UsbDk 64-Bit
- Install normal QC 9008 Serial Port driver (or use default Windows COM Port one, make sure no exclamation is seen)
- Get usbdk installer (.msi) from here and install it
- Test on device connect using "UsbDkController -n" if you see a device with pid 0x9008
- Works fine under Windows 10 and 11 :D
Using serial port instead of usb
With Port autodetection
edl --serial
or Port name
edl --portname \\.\COM1
Get Loaders
You should get these automatically if you do a git submodule update --init --recursive
or from here
Convert own EDL loaders for automatic usage
-
Make a subdirectory "newstuff", copy your edl loaders to this subdirectory
-
fhloaderparse newstuff Loaders
-
or sniff existing edl tools using Totalphase Beagle 480, set filter to
filter({'inputs': False, 'usb3': False, 'chirps': False, 'dev': 26, 'usb2resets': False, 'sofs': False, 'ep': 1})
, export to binary file as "sniffeddata.bin" and then usebeagle_to_loader sniffeddata.bin
Install EDL loaders
mkdir examples
- Copy all your loaders into the examples directory
fhloaderparse examples Loaders
-> will autodetect and rename loader structure and copy them to the "Loaders" directory- Or rename Loaders manually as "msmid_pkhash[8 bytes].bin" and put them into the Loaders directory
Run EDL (examples)
Your device needs to have a usb pid of 0x9008 in order to make the edl tool work. If your device is semi bricked and entered the usb pid 0x900E, there are several options to get back the 0x9008 mode :
-
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
-
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
-
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
-
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
Generic
edl -h
-> to see help with all optionsedl server --memory=ufs --tcpport=1340
-> Run TCP/IP server on port 1340, see tcpclient.py for an example clientedl xml run.xml
-> To send a xml file run.xml via firehoseedl reset
-> To reboot the phoneedl rawxml <xmlstring>
-> To send own xml string, example :edl rawxml "<?xml version=\"1.0\" encoding=\"UTF-8\" ?><data><response value=\"ACK\" /></data>
edl [anycommand] --debugmode
-> enables Verbose. Do that only when REALLY needed as it will print out everything happening!
For EMMC Flash
edl printgpt
-> to print gpt on device with emmcedl rf flash.bin
-> to dump whole flash for device with emmcedl rl dumps --skip=userdata --genxml
-> to dump all partitions to directory dumps for device with emmc and skipping userdata partition, write rawprogram0.xmledl rs 0 15 data.bin
-> to dump 15 sectors from starting sector 0 to file data.bin for device with emmcedl rs 0 15 data.bin --skipresponse
-> to dump 15 sectors from starting sector 0 to file data.bin for device with emmc, ignores missing ACK from phonesedl r boot_a boot.img
-> to dump the partition "boot_a" to the filename boot.img for device with emmcedl r boot_a,boot_b boot_a.img,boot_b.img
-> to dump multiple partitions to multiple filenamesedl footer footer.bin
-> to dump the crypto footer for Androids with emmc flashedl w boot_a boot.img
-> to write boot.img to the "boot" partition on lun 0 on the device with emmc flashedl w gpt gpt.img
-> to write gpt partition table from gpt.img to the first sector on the device with emmc flashedl wl dumps
-> to write all files from "dumps" folder to according partitions to flashedl wf dump.bin
-> to write the rawimage dump.bin to flashedl e misc
-> to erase the partition misc on emmc flashedl gpt . --genxml
-> dump gpt_main0.bin/gpt_backup0.bin and write rawprogram0.xml to current directory (".")
For UFS Flash
edl printgpt --memory=ufs --lun=0
-> to print gpt on lun 0edl printgpt --memory=ufs
-> to print gpt of all lunedl rf lun0.bin --memory=ufs --lun=0
-> to dump whole lun 0edl rf flash.bin --memory=ufs
-> to dump all luns as lun0_flash.bin, lun1_flash.bin, ...edl rl dumps --memory=ufs --lun=0 --skip=userdata,vendor_a
-> to dump all partitions from lun0 to directory dumps for device with ufs and skip userdata and vendor_a partitionedl rl dumps --memory=ufs --genxml
-> to dump all partitions from all lun to directory dumps and write rawprogram[lun].xmledl rs 0 15 data.bin --memory=ufs --lun=0
-> to dump 15 sectors from starting sector 0 from lun 0 to file data.binedl r boot_a boot.img --memory=ufs --lun=4
-> to dump the partition "boot_a" from lun 4 to the filename boot.imgedl r boot_a boot.img --memory=ufs
-> to dump the partition "boot_a" to the filename boot.img using lun autodetectionedl r boot_a,boot_b boot_a.img,boot_b.img --memory=ufs
-> to dump multiple partitions to multiple filenamesedl footer footer.bin --memory=ufs
-> to dump the crypto footeredl w boot boot.img --memory=ufs --lun=4
-> to write boot.img to the "boot" partition on lun 4 on the device with ufs flashedl w gpt gpt.img --memory=ufs --lun=4
-> to write gpt partition table from gpt.img to the lun 4 on the device with ufs flashedl wl dumps --memory=ufs --lun=0
-> to write all files from "dumps" folder to according partitions to flash lun 0edl wl dumps --memory=ufs
-> to write all files from "dumps" folder to according partitions to flash and try to autodetect lunedl wf dump.bin --memory=ufs --lun=0
-> to write the rawimage dump.bin to flash lun 0edl e misc --memory=ufs --lun=0
-> to erase the partition misc on lun 0edl gpt . --genxml --memory=ufs
-> dump gpt_main[lun].bin/gpt_backup[lun].bin and write rawprogram[lun].xml to current directory (".")
QFIL emulation (credits to LyuOnLine):
- For flashing full image:
edl qfil rawprogram0.xml patch0.xml image_dir
For devices with peek/poke command
edl peek 0x200000 0x10 mem.bin
-> To dump 0x10 bytes from offset 0x200000 to file mem.bin from memoryedl peekhex 0x200000 0x10
-> To dump 0x10 bytes from offset 0x200000 as hex string from memoryedl peekqword 0x200000
-> To display a qword (8-bytes) at offset 0x200000 from memoryedl pokeqword 0x200000 0x400000
-> To write the q-word value 0x400000 to offset 0x200000 in memoryedl poke 0x200000 mem.bin
-> To write the binary file mem.bin to offset 0x200000 in memoryedl secureboot
-> To display secureboot fuses (only on EL3 loaders)edl pbl pbl.bin
-> To dump pbl (only on EL3 loaders)edl qfp qfp.bin
-> To dump qfprom fuses (only on EL3 loaders)
For generic unlocking
edl modules oemunlock enable
-> Unlocks OEM if partition "config" exists, fastboot oem unlock is still needed afterwards
Dump memory (0x900E mode)
edl memorydump
Streaming mode (credits to forth32)
Enter streaming mode
Sierra Wireless Modem
- Send AT!BOOTHOLD and AT!QPSTDLOAD to modem port or use
modem/boottodwnload.py
script - Send AT!ENTERCND="A710" and then AT!EROPTION=0 for memory dump
edl --vid 1199 --pid 9070 --loader=loaders/NPRG9x35p.bin printgpt
-> To show the partition table
Netgear MR1100
- run
boottodownload
, device will enter download mode (0x900E pid) edl printgpt --loader=Loaders/qualcomm/patched/mdm9x5x/NPRG9x55p.bin
, device will reboot to 0x9008- now use edl regulary such as
edl printgpt
(do not use loader option)
ZTE MF920V, Quectel, Telit, etc.. Modem
- run
enableadb
, or send to at port "AT+ZCDRUN=E", or send viaqc_diag -sahara
adb reboot edl
edl printgpt
-> To show the partition table
Run Diag port tools (examples)
For Oneplus 6T, enter #801# on dialpad, set Engineer Mode and Serial to on and try :
qc_diag -vid 0x05c6 -pid 0x676c -interface 0 -info
Usage
qc_diag -vid 0x1234 -pid 0x5678 -interface 0 -info
-> Send cmd "00" and return infoqc_diag -vid 0x1234 -pid 0x5678 -interface 0 -spc 303030303030
-> Send spc "303030303030"qc_diag -vid 0x1234 -pid 0x5678 -interface 0 -cmd 00
-> Send cmd "00" (hexstring)qc_diag -vid 0x1234 -pid 0x5678 -interface 0 -nvread 0x55
-> Display nvitem 0x55qc_diag -vid 0x1234 -pid 0x5678 -interface 0 -nvbackup backup.json
-> Backup all nvitems to a json structured fileqc_diag -vid 0x1234 -pid 0x5678 -interface 0 -efsread efs.bin
-> Dump the EFS Modem partition to file efs.binqc_diag -vid 0x1234 -pid 0x5678 -interface 0 -efslistdir /
-> Display / directory listing of EFS
Issues
- Secure loader with SDM660 on Xiaomi not yet supported (EDL authentification)
- VIP Programming not supported (Contributions are welcome !)
- EFS directory write and file read has to be added (Contributions are welcome !)
Tested with
- Oneplus 3T/5/6T/7T/8/8t/9/Nord CE/N10/N100 (Read-Only), BQ X, BQ X5, BQ X2, Gigaset ME Pure, ZTE MF210, ZTE MF920V, Sierra Wireless EM7455, Netgear MR1100-10EUS, Netgear MR5100
- SIMCOM SIM8905E
Published under GPLv3 license Additional license limitations: No use in commercial products without prior permit.
Enjoy !