Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
Find a file
2019-11-15 20:30:18 +01:00
Config New release, more stability, more features 2019-11-15 20:30:18 +01:00
Drivers New release, more stability, more features 2019-11-15 20:30:18 +01:00
Example New release, more stability, more features 2019-11-15 20:30:18 +01:00
Library New release, more stability, more features 2019-11-15 20:30:18 +01:00
Loaders Initial release 2018-11-21 08:21:59 +01:00
.gitignore Initial commit 2018-11-21 08:13:47 +01:00
diag.py New release, more stability, more features 2019-11-15 20:30:18 +01:00
edl.py New release, more stability, more features 2019-11-15 20:30:18 +01:00
fhloaderparse.py New release, more stability, more features 2019-11-15 20:30:18 +01:00
LICENSE Initial commit 2018-11-21 08:13:47 +01:00
README.md New release, more stability, more features 2019-11-15 20:30:18 +01:00
tcpclient.py New release, more stability, more features 2019-11-15 20:30:18 +01:00

Qualcomm Sahara / Firehose Attack Client / Diag Tools

(c) B. Kerler 2018-2019

Why

  • Because we'd like to flexible dump smartphones
  • Because attacking firehose is kewl
  • Because memory dumping helps to find issues :)

Installation

  • Get python >= 3.7 64-Bit

  • Add "blacklist qcserial" as last line to /etc/modprobe.d/blacklist.conf

  • Copy Drivers/51-edl.rules to /etc/udev/rules.d

  • Copy Drivers/50-android.rules to /etc/udev/rules.d

  • sudo apt install adb

  • sudo apt install fastboot

Linux/Windows:

  • "python -m pip install pyusb pyserial"

Windows:

  • Use Filter Installer to install libusb filter driver on Qualcomm 9008 port otherwise we won't detect the device

Run EDL

  • "./edl.py -h" -> to see help with all options
  • "./edl.py -printgpt 0 -memory ufs" -> to print gpt on lun 0 on device with ufs
  • "./edl.py -printgpt 0 -memory emmc" -> to print gpt on device with emmc
  • "./edl.py -rf 0 flash.bin -memory emmc" -> to dump whole flash on lun 0 for device with emmc
  • "./edl.py -footer 0 footer.bin -memory emmc" -> to dump the crypto footer on lun 0 for Androids
  • "./edl.py -w 0 boot boot.img -memory emmc" -> to write boot.img to the "boot" partition on lun 0 on the device with emmc flash
  • "./edl.py -memory emmc -server" -> Run TCP/IP server, see tcpclient.py for an example client

Install EDL loaders

  • "mkdir examples"
  • Copy all your loaders into the examples directory
  • "./fhloaderparse.py examples" -> will autodetect and rename loader structure and copy them to the "Loaders" directory

Run Diag

Allows to send commands to the qc diag port

  • "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -info" -> Send cmd "00" and return info
  • "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -spc 303030303030" -> Send spc "303030303030"
  • "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -cmd 00" -> Send cmd "00" (hexstring)
  • "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvread 0x55" -> Display nvitem 0x55
  • "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -nvbackup backup.json" -> Backup all nvitems to a json structured file
  • "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efsread efs.bin" -> Dump the EFS Modem partition to file efs.bin
  • "./diag.py -vid 0x1234 -pid 0x5678 -interface 0 -efslistdir /" -> Display / directory listing of EFS

Issues

  • Secure loader with SDM660 on Xiaomi not yet supported

Tested with

  • Oneplus 3T, Oneplus 6T, BQ X, BQ X5, BQ X2, Gigaset ME Pure, ZTE MF210

Published under MIT license Additional license limitations: No use in commercial products without prior permit.

Enjoy !