# Qualcomm Sahara / Firehose Attack Client / Diag Tools
(c) B. Kerler 2018-2021

## Why

- Because we'd like to flexibly dump smartphones
- Because attacking firehose is kewl
- Because memory dumping helps to find issues :)

## Installation

- Get python >= 3.7 64-Bit

Linux/Windows:
```bash
# udev rules so the EDL (9008) and ADB devices are accessible without root
sudo cp Drivers/51-edl.rules /etc/udev/rules.d
sudo cp Drivers/50-android.rules /etc/udev/rules.d
sudo apt install adb fastboot python3-dev python3-pip
sudo apt install liblzma-dev
# ModemManager grabs the Qualcomm diag/EDL serial port and interferes, so remove it
sudo apt purge ModemManager
python3 -m pip install -r requirements.txt
```

Mac:
```bash
brew install libusb
sudo python3 -m pip install -r requirements.txt
```

Windows:
- Boot the device into 9008 mode, install Qualcomm_Diag_QD_Loader_2016_driver.exe from Drivers\Windows
- Use Zadig 2.5 or higher, list all devices, select the QUSB_BULK device and replace the driver with the libusb >= 1.2.6.0 one (this will replace the original driver)
- Get the latest Zadig release [here](https://zadig.akeo.ie/)

## Convert EDL loaders for automatic usage
- Make a subdirectory "newstuff" and copy your edl loaders into it
- ```./Loaders/fhloaderparse.py newstuff Loaders```
- or sniff existing edl tools using a Totalphase Beagle 480: set the filter to ```filter({'inputs': False, 'usb3': False, 'chirps': False, 'dev': 26, 'usb2resets': False, 'sofs': False, 'ep': 1})```, export to a binary file as "sniffeddata.bin" and then use ```beagle_to_loader.py sniffeddata.bin```

## Run EDL (examples)
### Generic

- ```./edl.py -h``` -> to see help with all options
- ```./edl.py server --memory=ufs --tcpport=1340``` -> Run a TCP/IP server on port 1340, see tcpclient.py for an example client
- ```./edl.py xml run.xml``` -> To send an xml file run.xml via firehose
- ```./edl.py reset``` -> To reboot the phone
- ```./edl.py rawxml <xmlstring>``` -> To send your own xml string, example:
```./edl.py rawxml "<?xml version=\"1.0\" encoding=\"UTF-8\" ?><data><response value=\"ACK\" /></data>"```
- ```./edl.py [anycommand] --debugmode``` -> enables verbose output. Only do that if REALLY needed as it will print out everything happening!
### For EMMC Flash

- ```./edl.py printgpt``` -> to print the gpt on a device with emmc
- ```./edl.py rf flash.bin``` -> to dump the whole flash of a device with emmc
- ```./edl.py rl dumps --skip=userdata --genxml``` -> to dump all partitions to the directory dumps on a device with emmc, skipping the userdata partition, and write rawprogram0.xml
- ```./edl.py rs 0 15 data.bin``` -> to dump 15 sectors starting at sector 0 to the file data.bin on a device with emmc
- ```./edl.py rs 0 15 data.bin --skipresponse``` -> to dump 15 sectors starting at sector 0 to the file data.bin on a device with emmc, ignoring a missing ACK from the phone
- ```./edl.py r boot_a boot.img``` -> to dump the partition "boot_a" to the filename boot.img on a device with emmc
- ```./edl.py r boot_a,boot_b boot_a.img,boot_b.img``` -> to dump multiple partitions to multiple filenames
- ```./edl.py footer footer.bin``` -> to dump the crypto footer on Androids with emmc flash
- ```./edl.py w boot_a boot.img``` -> to write boot.img to the "boot_a" partition on lun 0 of a device with emmc flash
- ```./edl.py w gpt gpt.img``` -> to write the gpt partition table from gpt.img to the first sector of a device with emmc flash
- ```./edl.py wl dumps``` -> to write all files from the "dumps" folder to the corresponding partitions in flash
- ```./edl.py wf dump.bin``` -> to write the raw image dump.bin to flash
- ```./edl.py e misc``` -> to erase the partition misc on emmc flash
- ```./edl.py gpt . --genxml``` -> dump gpt_main0.bin/gpt_backup0.bin and write rawpartition0.xml to the current directory (".")
### For UFS Flash

- ```./edl.py printgpt --memory=ufs --lun=0``` -> to print the gpt on lun 0
- ```./edl.py printgpt --memory=ufs``` -> to print the gpt of all luns
- ```./edl.py rf lun0.bin --memory=ufs --lun=0``` -> to dump the whole lun 0
- ```./edl.py rf flash.bin --memory=ufs``` -> to dump all luns as lun0_flash.bin, lun1_flash.bin, ...
- ```./edl.py rl dumps --memory=ufs --lun=0 --skip=userdata,vendor_a``` -> to dump all partitions from lun0 to the directory dumps on a device with ufs, skipping the userdata and vendor_a partitions
- ```./edl.py rl dumps --memory=ufs --genxml``` -> to dump all partitions from all luns to the directory dumps and write rawprogram[lun].xml
- ```./edl.py rs 0 15 data.bin --memory=ufs --lun=0``` -> to dump 15 sectors starting at sector 0 of lun 0 to the file data.bin
- ```./edl.py r boot_a boot.img --memory=ufs --lun=4``` -> to dump the partition "boot_a" from lun 4 to the filename boot.img
- ```./edl.py r boot_a boot.img --memory=ufs``` -> to dump the partition "boot_a" to the filename boot.img using lun autodetection
- ```./edl.py r boot_a,boot_b boot_a.img,boot_b.img --memory=ufs``` -> to dump multiple partitions to multiple filenames
- ```./edl.py footer footer.bin --memory=ufs``` -> to dump the crypto footer
- ```./edl.py w boot boot.img --memory=ufs --lun=4``` -> to write boot.img to the "boot" partition on lun 4 of a device with ufs flash
- ```./edl.py w gpt gpt.img --memory=ufs --lun=4``` -> to write the gpt partition table from gpt.img to lun 4 of a device with ufs flash
- ```./edl.py wl dumps --memory=ufs --lun=0``` -> to write all files from the "dumps" folder to the corresponding partitions on flash lun 0
- ```./edl.py wl dumps --memory=ufs``` -> to write all files from the "dumps" folder to the corresponding partitions in flash, trying to autodetect the lun
- ```./edl.py wf dump.bin --memory=ufs --lun=0``` -> to write the raw image dump.bin to flash lun 0
- ```./edl.py e misc --memory=ufs --lun=0``` -> to erase the partition misc on lun 0
- ```./edl.py gpt . --genxml --memory=ufs``` -> dump gpt_main[lun].bin/gpt_backup[lun].bin and write rawpartition[lun].xml to the current directory (".")
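Both the emmc and the ufs `gpt` commands above leave a raw gpt_main[lun].bin on disk. The parser below is an added example (not the edl project's own code) that reads such a dump and verifies both GPT CRCs before trusting the partition entries, which is the check you want before generating a rawprogram xml from it. It assumes 512-byte sectors and a standard layout (header at LBA 1, 128 entries of 128 bytes); pass sector_size=4096 for a UFS lun dump.

```python
# Added example, not part of the edl project: parse and integrity-check a GPT
# dump such as the gpt_main0.bin written by `./edl.py gpt .` (512-byte sectors assumed).
import struct, uuid, zlib

GPT_HDR = "<8sIIII4Q16sQIII"  # 92-byte GPT header (UEFI spec layout)
GPT_ENTRY = "<16s16sQQQ72s"   # 128-byte partition entry


def parse_gpt(blob, sector_size=512):
    """Return the used partition entries of a GPT dump; raise if a CRC fails."""
    hdr = blob[sector_size:sector_size + 92]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first, _last, _disk_guid,
     entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(GPT_HDR, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    # the header CRC covers header_size bytes with the CRC field itself zeroed
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch (truncated or corrupted dump)")
    start = entries_lba * sector_size
    table = blob[start:start + n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        entry = table[i * entry_size:i * entry_size + 128]
        type_guid, _uid, first, last, attrs, name = struct.unpack(GPT_ENTRY, entry)
        if type_guid == bytes(16):  # unused slot
            continue
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "first_lba": first, "last_lba": last,
                      "sectors": last - first + 1, "attrs": attrs,
                      "type": str(uuid.UUID(bytes_le=type_guid))})
    return parts


def build_sample_gpt(layout, sector_size=512):
    """Constructed sample dump: header at LBA 1, 128 entries at LBA 2 and the
    partitions packed back to back from LBA 34 (sector 0 is left zero)."""
    entries, lba = b"", 34
    for name, sectors in layout:
        entries += struct.pack(GPT_ENTRY, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                               lba, lba + sectors - 1, 0, name.encode("utf-16-le"))
        lba += sectors
    entries = entries.ljust(128 * 128, b"\0")
    hdr = struct.pack(GPT_HDR, b"EFI PART", 0x10000, 92, 0, 0, 1, lba + 33, 34, lba - 1,
                      uuid.uuid4().bytes_le, 2, 128, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    return bytes(sector_size) + hdr.ljust(sector_size, b"\0") + entries
```

To use it on a real dump, read gpt_main0.bin into a bytes object and call parse_gpt on it; a ValueError means the dump should be re-read before anything is flashed back from it.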
### For devices with peek/poke command

- ```./edl.py peek 0x200000 0x10 mem.bin``` -> To dump 0x10 bytes of memory from offset 0x200000 to the file mem.bin
- ```./edl.py peekhex 0x200000 0x10``` -> To dump 0x10 bytes of memory from offset 0x200000 as a hex string
- ```./edl.py peekqword 0x200000``` -> To display the qword (8 bytes) at memory offset 0x200000
- ```./edl.py pokeqword 0x200000 0x400000``` -> To write the qword value 0x400000 to memory offset 0x200000
- ```./edl.py poke 0x200000 mem.bin``` -> To write the binary file mem.bin to memory offset 0x200000
- ```./edl.py secureboot``` -> To display the secureboot fuses (only on EL3 loaders)
- ```./edl.py pbl pbl.bin``` -> To dump the pbl (only on EL3 loaders)
- ```./edl.py qfp qfp.bin``` -> To dump the qfprom fuses (only on EL3 loaders)

### For generic unlocking
- ```./edl.py modules oemunlock enable``` -> Unlocks OEM if the partition "config" exists; fastboot oem unlock is still needed afterwards

#### Dump memory (0x900E mode)
- ```./edl.py memorydump```
### Streaming mode (credits to forth32)

#### Sierra Wireless Modem
- Send AT!BOOTHOLD and AT!QPSTDLOAD to the modem port or use the ```modem/boottodownload.py``` script
- Send AT!ENTERCND="A710" and then AT!EROPTION=0 for memory dump
- ```./edl.py --vid 1199 --pid 9070 --loader=loaders/NPRG9x35p.bin printgpt``` -> To show the partition table
#### Netgear MR1100
- run ```modem/boottodownload.py```, the device will enter download mode (0x900E pid)
- ```./edl.py printgpt --loader=Loaders/qualcomm/patched/mdm9x5x/NPRG9x55p.bin```, the device will reboot to 0x9008
- now use ./edl.py regularly, e.g. ```./edl.py printgpt``` (do not use the loader option)

#### ZTE MF920V, Quectel, Telit, etc. Modems
- run ```modem/enableadb.sh```, or send "AT+ZCDRUN=E" to the at port, or send it via ```./modem/diag.py -sahara```
- ```adb reboot edl```
- ```./edl.py printgpt``` -> To show the partition table

### QFIL in linux console (credits to LyuOnLine):
- For flashing full image:
```
./edl.py qfil rawprogram0.xml patch0.xml image_dir
```

## Install EDL loaders

- ```mkdir examples```
- Copy all your loaders into the examples directory
- ```./fhloaderparse.py examples Loaders``` -> will autodetect the loader structure, rename the loaders and copy them to the "Loaders" directory
- Or rename the loaders manually as "msmid_pkhash[8 bytes].bin" and put them into the Loaders directory

## Run Diag port tools (examples)

For the Oneplus 6T, enter *#801#* on the dialpad, set Engineer Mode and Serial to on and try:

- ```./modem/diag.py -vid 0x05c6 -pid 0x676c -interface 0 -info```

### Usage
- ```./modem/diag.py -vid 0x1234 -pid 0x5678 -interface 0 -info``` -> Send cmd "00" and return info
- ```./modem/diag.py -vid 0x1234 -pid 0x5678 -interface 0 -spc 303030303030``` -> Send spc "303030303030"
- ```./modem/diag.py -vid 0x1234 -pid 0x5678 -interface 0 -cmd 00``` -> Send cmd "00" (hexstring)
- ```./modem/diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvread 0x55``` -> Display nvitem 0x55
- ```./modem/diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvbackup backup.json``` -> Backup all nvitems to a json structured file
- ```./modem/diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efsread efs.bin``` -> Dump the EFS modem partition to the file efs.bin
- ```./modem/diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efslistdir /``` -> Display the directory listing of / in EFS

## Issues

- Secure loader with SDM660 on Xiaomi not yet supported (EDL authentication)
- VIP Programming not supported (Contributions are welcome!)
- EFS directory write and file read have to be added (Contributions are welcome!)

## Loaders
https://github.com/bkerler/Loaders
## Tested with

- Oneplus 3T/5/6T/7T/8/8t/N10/N100 (Read-Only), BQ X, BQ X5, BQ X2, Gigaset ME Pure, ZTE MF210, ZTE MF920V, Sierra Wireless EM7455, Netgear MR1100-10EUS, Netgear MR5100

Published under MIT license
Additional license limitations: No use in commercial products without prior permit.
Enjoy!