As one can see, the relevant tag that instructs the programmer to flash a new image is program. Interestingly, in the actual SBL of ugglite, this series of initialization callbacks looks as follows: Therefore, they only differ in the firehose_main callback! We managed to manifest an end-to-end attack against our Nokia 6 device running Snapdragon 425. It resets the MMU and some other system registers, in a function we named. We then present our exploit framework, firehorse, which implements a runtime debugger for firehose programmers (Part 4). Ok, thanks for the info, let's not hurry then, I'm still going to upload a batch of new firehoses tonight so that we can test them worldwide. imem is a fast on-chip memory used for debugging and DMA (direct memory access) transactions and is proprietary to Qualcomm chipsets. Anyway, peek and poke are the holy grail of primitives that attackers creatively gain by exploiting vulnerabilities. Note: The fastboot command mentioned above may sometimes return a FAILED (Status read failed (Too many links)) error message. To do this: On Windows: Open the platform-tools folder. Next, set the CROSS_COMPILE_32 and CROSS_COMPILE_64 environment vars as follows: Then call make and the payload for your specific device will be built. On Linux or macOS: Launch the Terminal and change its directory to the platform-tools folder using the cd command. Since we gained code execution in either EL3 or EL1, we can easily catch ARM exceptions. The first research question that we came up with was what exception (privilege) level we ran under: To answer our research question, we could read relevant registers. In order to achieve a fast upload nevertheless, we used the following technique: for each poke we add another XML attribute, which encapsulates our data. It contains the init binary, the first userspace process.
As for remediation, vendors with leaked programmers should use Qualcomm's Anti-Rollback mechanism, if applicable, in order to prevent them from being loaded by the Boot ROM (PBL). The problem is caused by customizations from OEMs. Our Boot ROM supports anti-rollback mechanism for the firehose image. Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot, Exploiting Qualcomm EDL Programmers (4): Runtime Debugger, Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction, Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting, Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals. Obtain and reverse-engineer the PBL of various Qualcomm-based chipsets. Obtain the RPM & Modem PBLs of Nexus 6P. Manifest an end-to-end attack against our Nokia 6 device running Snapdragon 425. Alcatel Onetouch Idol 3. Concretely, in the next chapters we will use and continue the research presented here, to develop:
We presented our research framework, firehorse, and showed how we extracted the PBL of various SoCs. In the previous part we explained how we gained code execution in the context of the Firehose programmer. I have made a working package for Nokia 8110 for flashing with cm2qlm module. Some SBLs may also reboot into EDL if they fail to verify the images they are in charge of loading. In order to tackle that, we abused the Firehose protocol in the following ways: Egg Hunting. You also wouldn't want your device to turn off while you're flashing the firmware, which could lead to unexpected results. Hopefully we will then be able to find a suitable page (i.e. one that is both writable and executable), or change (by poke) the access permissions of an existing one. There are several ways to coerce that device into EDL. Doing so will allow us to research the programmer at runtime. Luckily, by revisiting the binary of the first level page table, we noticed that it is followed by 32-bit long entries (from offset 0x20). The angler's programmer is a 64-bit one, so clearly the 32-bit entries do not belong here. If the author of the solution wants to disclose any information, we can do this as well and give him credits, but for now the origins remain a secret (to protect both us and him). Knowing the memory layout of the programmers, and the running exception level, we started peeking around. Additional license limitations: No use in commercial products without prior permit. Android phones and tablets equipped with a Qualcomm chipset contain a special boot mode which could be used to force-flash firmware files for the purpose of unbricking or restoring the stock ROM.
However, the OEM hash is exactly the same as the TA-1059. Not all Qualcomm devices support booting into EDL via ADB or Fastboot as shown above. This is known as the EDL or Deep Flashing USB cable. One possible explanation for their existence is that they are old entries from the APPS PBL (which indeed sets TTBR0 to 0xFE800000). In order to further understand the memory layout of our devices, we dumped and parsed their page tables. Finally, enter the following command in PowerShell to boot your phone into EDL mode. Some encoding was needed too. Seems like CAT is using a generic HWID for 8909 devices. We got very lucky with this. Therefore we can simply load arbitrary code in such pages and force the execution towards that code; for Nokia 6, ROP was not needed after all! To start working with a specific device in EDL, you need a programmer. Since the PBL is ROM resident, EDL cannot be corrupted by software. In this post, you will learn what EDL mode is, and why and when you'd need to use it. For most devices the relevant UART points have already been documented online by fellow researchers/engineers. The next part is solely dedicated to our runtime debugger, which we implemented on top of the building blocks presented in this part. GADGET 2: Similarly to the aarch32 case, we copy the original stack s.t. Sylvain, if you know the HWID of JioPhone 2, could you please post it as well? Remove libusb1 for windows (libusb0 only), fix reset command, Fix sahara id handling and memory dumping, MDM9x60 support. 1. The extracted platform-tools folder will contain ADB and other binaries you'd need. I'm working on running a standalone firehose programmer elf binary within Docker (for research purposes). I have the container building and it has all the tools I need to get started (readelf, gdb, strings) and all the aarch64 emulation that should be needed to run the programmer. It's often named something like prog_*storage.
Unfortunately, aarch32 lacks single-stepping (even in ARMv8). Of course, the credits go to the respective source. If emmc flash is used, remove the battery, short DAT0 with gnd, connect the battery, then remove the short. The last gadget will return to the original caller, and the device will keep processing Firehose commands. First, edit the Makefile in the device directory: set the device variable to whatever device you want (nokia6, angler, ugglite, mido and cheeseburger are currently supported). emmc Programs File. I can't get it running, but I'm not sure why. EDL implements Qualcomm's Sahara or Firehose protocol (on modern devices) to accept an OEM-digitally-signed programmer in ELF file format (or in MBN file format on older devices). EDL is implemented by the PBL. Connect the device to your PC using a USB cable. Must be easily downloadable (no turbobits/dfiles and other adware), preferably a direct link; 2. You will need to open the ufs die and short the clk line on boot; some boards have special test points for that. A working 8110 4G firehose found, should be compatible with any version. Later, in Part 5, we will see that this debugging functionality is essential for breaking Nokia 6's Secure Boot, allowing us to trace and place live patches in every part of its bootloader chain. Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction. So, let's collect the knowledge base of the loaders in this thread. Which, in our case, is the set of Qualcomm EDL programmer/loader binaries of the Firehose standard. To have a better understanding, please take a look at the figures below. So, as long as your Android device could boot into the EDL mode, there's a chance you can flash the firmware file to recover and unbrick it. The source is pretty much verified. Improved streaming stuff, Qualcomm Sahara / Firehose Attack Client / Diag Tools.
As an example, the figures below show these EDL test points on two different OEM devices: Redmi Note 5A (on the left) and Nokia 6 (on the right). If your device is semi-bricked and entered the usb pid 0x900E, there are several options. An open source tool (for Linux) that implements the Qualcomm Sahara and Firehose protocols has been developed by Linaro, and can be used to program (or unbrick) MSM based devices, such as Dragonboard 410c or Dragonboard 820c. Or from here: make a subdirectory "newstuff", copy your edl loaders to this subdirectory, or sniff existing edl tools using Totalphase Beagle 480, set filter to filter({'inputs': False, 'usb3': False, 'chirps': False, 'dev': 26, 'usb2resets': False, 'sofs': False, 'ep': 1}), export to binary file as "sniffeddata.bin" and then use beagle_to_loader sniffeddata.bin. How to Enter EDL Mode on Qualcomm Android Devices, Method 3: By Shorting Hardware Test Points, Learn how to flash firmware files on Qualcomm Android devices using QPST Tool. Looking to work with some programmers on getting some development going on this. Some devices have an XBL (eXtensible Bootloader) instead of an SBL. This method has a small price to pay. (For debugging during our ROP chain development, we used gadgets that either reboot the device, or cause infinite loops, in order to indicate that our gadgets were indeed executed.) For Nokia 6, we used the following ROP chain: GADGET 1: We increase the stack with 0x118 bytes. Research & Exploitation framework for Qualcomm EDL Firehose programmers, By Roee Hay (@roeehay) & Noam Hadad, Aleph Research, HCL Technologies.