edl/README.md

# Qualcomm Sahara / Firehose Attack Client / Diag Tools
(c) B. Kerler 2018-2019

Why
===
- Because we'd like to flexible dump smartphones
- Because attacking firehose is kewl
- Because memory dumping helps to find issues :)
  
Installation
=============
- Get python >= 3.7 64-Bit

- Add "blacklist qcserial" as last line to /etc/modprobe.d/blacklist.conf
- Copy Drivers/51-edl.rules to /etc/udev/rules.d
- Copy Drivers/50-android.rules to /etc/udev/rules.d
- sudo apt install adb
- sudo apt install fastboot

Linux/Windows: 
- "python -m pip install pyusb pyserial"

Windows:
- Use Filter Installer to install libusb filter driver 
  on Qualcomm 9008 port otherwise we won't detect the device

Run EDL
=======
- "./edl.py -h" -> to see help with all options
- "./edl.py -printgpt 0 -memory ufs" -> to print gpt on lun 0 on device with ufs
- "./edl.py -printgpt 0 -memory emmc" -> to print gpt on device with emmc
- "./edl.py -rf 0 flash.bin -memory emmc" -> to dump whole flash on lun 0 for device with emmc
- "./edl.py -footer 0 footer.bin -memory emmc" -> to dump the crypto footer on lun 0 for Androids
- "./edl.py -w 0 boot boot.img -memory emmc" -> to write boot.img to the "boot" partition on lun 0 on the device with emmc flash
- "./edl.py -memory emmc -server" -> Run TCP/IP server, see tcpclient.py for an example client

Install EDL loaders
===============
- "mkdir examples"
- Copy all your loaders into the examples directory
- "./fhloaderparse.py examples" -> will autodetect and rename loader structure and copy them to the "Loaders" directory

Run Diag
========
Allows to send commands to the qc diag port
- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -info" -> Send cmd "00" and return info
- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -spc 303030303030" -> Send spc "303030303030"
- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -cmd 00" -> Send cmd "00" (hexstring)
- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvread 0x55" -> Display nvitem 0x55
- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvbackup backup.json" -> Backup all nvitems to a json structured file
- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efsread efs.bin" -> Dump the EFS Modem partition to file efs.bin
- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efslistdir /" -> Display / directory listing of EFS


Issues
======
- Secure loader with SDM660 on Xiaomi not yet supported
- EFS directory write and file read has to be added

Tested with
===========
- Oneplus 3T, Oneplus 6T, BQ X, BQ X5, BQ X2, Gigaset ME Pure, ZTE MF210

Published under MIT license
Additional license limitations: No use in commercial products without prior permit.

Enjoy !
New release, more stability, more features 2019-11-15 14:30:18 -05:00			`# Qualcomm Sahara / Firehose Attack Client / Diag Tools`
			`(c) B. Kerler 2018-2019`

			`Why`
			`===`
			`- Because we'd like to flexible dump smartphones`
			`- Because attacking firehose is kewl`
			`- Because memory dumping helps to find issues :)`

			`Installation`
			`=============`
			`- Get python >= 3.7 64-Bit`

			`- Add "blacklist qcserial" as last line to /etc/modprobe.d/blacklist.conf`
			`- Copy Drivers/51-edl.rules to /etc/udev/rules.d`
			`- Copy Drivers/50-android.rules to /etc/udev/rules.d`
			`- sudo apt install adb`
			`- sudo apt install fastboot`

			`Linux/Windows:`
			`- "python -m pip install pyusb pyserial"`

			`Windows:`
			`- Use Filter Installer to install libusb filter driver`
			`on Qualcomm 9008 port otherwise we won't detect the device`

			`Run EDL`
			`=======`
			`- "./edl.py -h" -> to see help with all options`
			`- "./edl.py -printgpt 0 -memory ufs" -> to print gpt on lun 0 on device with ufs`
			`- "./edl.py -printgpt 0 -memory emmc" -> to print gpt on device with emmc`
			`- "./edl.py -rf 0 flash.bin -memory emmc" -> to dump whole flash on lun 0 for device with emmc`
			`- "./edl.py -footer 0 footer.bin -memory emmc" -> to dump the crypto footer on lun 0 for Androids`
			`- "./edl.py -w 0 boot boot.img -memory emmc" -> to write boot.img to the "boot" partition on lun 0 on the device with emmc flash`
			`- "./edl.py -memory emmc -server" -> Run TCP/IP server, see tcpclient.py for an example client`

			`Install EDL loaders`
			`===============`
			`- "mkdir examples"`
			`- Copy all your loaders into the examples directory`
			`- "./fhloaderparse.py examples" -> will autodetect and rename loader structure and copy them to the "Loaders" directory`

			`Run Diag`
			`========`
			`Allows to send commands to the qc diag port`
			`- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -info" -> Send cmd "00" and return info`
			`- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -spc 303030303030" -> Send spc "303030303030"`
			`- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -cmd 00" -> Send cmd "00" (hexstring)`
			`- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvread 0x55" -> Display nvitem 0x55`
			`- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvbackup backup.json" -> Backup all nvitems to a json structured file`
			`- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efsread efs.bin" -> Dump the EFS Modem partition to file efs.bin`
			`- "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efslistdir /" -> Display / directory listing of EFS`


			`Issues`
			`======`
			`- Secure loader with SDM660 on Xiaomi not yet supported`
Update README.md 2019-11-15 14:39:00 -05:00			`- EFS directory write and file read has to be added`
New release, more stability, more features 2019-11-15 14:30:18 -05:00
			`Tested with`
			`===========`
			`- Oneplus 3T, Oneplus 6T, BQ X, BQ X5, BQ X2, Gigaset ME Pure, ZTE MF210`

			`Published under MIT license`
			`Additional license limitations: No use in commercial products without prior permit.`

			`Enjoy !`