bkerler / edl

Unofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
GNU General Public License v3.0

Is this an edl loader for 001970E1 / QCM6490? #477

Open codiflow opened 11 months ago

codiflow commented 11 months ago

While looking for an edl loader which can be used to unbrick a Fairphone 5 / AGM G2 Guardian I stumbled upon these files: https://privatebin.io/?4695438c4fd49b2c#7D5sKyfxzNb8TiBrjL2Dqf5QomXyFebi31mFJs4nHQVG (there's a tar.gz attached)

The origin of the files seems to be here: https://xdaforums.com/t/agm-g2-guardian-5g-unlocked-qualcomm-qcm6490-long-range-thermal-monocular-android-12-108mp-7000-mah.4571873/page-5

Unfortunately none of the three files was working with my FP5 – but as I'm not really into this "edl thing" I thought maybe some of you are able to see if those files are real loaders and what device they are for.

While I tried to use them with a FP5 I always got this error:

Qualcomm Sahara / Firehose Client V3.62 (c) B.Kerler 2018-2023.
main - Using loader /home/USER/FP5/EDL/prog_firehose_lite_001970E1.elf ...
main - Waiting for the device
main - Device detected :)
sahara - Protocol version: 2, Version supported: 1
main - Mode detected: sahara
sahara - 
Version 0x2
------------------------
HWID:              0x001970e100420002 (MSM_ID:0x001970e1,OEM_ID:0x0042,MODEL_ID:0x0002)
CPU detected:      "qcm6490"
PK_HASH:           0x<REDACTED>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Serial:            0x<REDACTED>

sahara - Protocol version: 2, Version supported: 1
sahara - Uploading loader /home/USER/FP5/EDL/prog_firehose_lite_001970E1.elf ...
sahara - 64-Bit mode detected.
sahara - Firehose mode detected, uploading...
DeviceClass - USBError(5, 'Input/Output Error')
sahara

sahara - [LIB]: Unknown response received on uploading loader.

Maybe someone of you has a hint? The USB cable is fine – I tried the whole process with an OP3 and it was all fine 😎

RenateUSB commented 11 months ago

You don't need to redact the PK_HASH. There is nothing secret about it. Also, it's probably 4352b3bfeac440ca b3fc0a181be897f5 7ceed6cfe7729d61 752add407fa6e1be e86fe4a27eaed96a 83f9972f707af1d8

sarunelis commented 11 months ago

The AGM G2 firehose for sure will not work on the FP5 because of a different HWID: 0x001970e100430000 on the AGM G2 and 0x001970e100420002 on the FP5, even though the PK_HASH is the same.

RenateUSB commented 11 months ago

The Qualcomm SoCs are the same. The OEMs are different, but the fact that they are using the same PK_HASH indicates that they are not dissimilar.

sarunelis commented 11 months ago

They must be the same: SoC ID, including the OEM and Model IDs, and PK_HASH.

sarunelis commented 11 months ago

And even more, the RollBack (RB) version in SW_ID must be higher or the same. But unfortunately SW_ID is not readable via Sahara.

sarunelis commented 11 months ago

https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/secure-boot-image-authentication_11.30.16.pdf

RenateUSB commented 11 months ago

OEM and model are just footnotes as far as Sahara and Firehose are concerned. Authentication for Secure Boot only cares about PK_HASH and certs.

sarunelis commented 11 months ago

No, you are wrong, just try it in practice and you will see. "The fields contained in HW_ID must match those provisioned in eFuse for the signature to be valid."

RenateUSB commented 11 months ago

Yup, you are right. It's just most of the loaders I've run into haven't had those fields set in the last cert. Heck, in Sahara 3.1 you can't even read HW_ID.

sarunelis commented 11 months ago

Yes, from CERT version 6.5 they hide the HW IDs; you can only see them in firehose/xbl, for example IMAGE_VARIANT_STRING: SocLanaiLAA for SM8650. And now Qualcomm uses Elliptic Curve certificates, not RSA anymore.

yssreddy1961 commented 11 months ago

While using edl with a OnePlus 10T (India) I am getting "firehose - [LIB]: ERROR: VIP img authentication failed with smc_status = 0xfffffffe, rsp_0 = 0x40000b". When is the edl program getting VIP authentication in Sahara protocol version 3? I am ready to do any testing regarding this.

bkerler commented 11 months ago

> No, you are wrong, just try it in practice and you will see. "The fields contained in HW_ID must match those provisioned in eFuse for the signature to be valid."

Actually there are devices that aren't fused. For these, the OEM ID doesn't really matter as long as the firehose loader supports it. Not everything that's in the documentation is right, btw. With Sahara 3 a lot of things have changed in a very bad and user-unfriendly way.

yssreddy1961 commented 11 months ago

[Screenshot attached: Screenshot_2023-12-21_11-59-02]

codiflow commented 10 months ago

Just for the record, and because the FP5 got bricked AGAIN by a faulty flashing process, I share the full hashes here – hopefully the elf file will be publicly available soon so people can unbrick their phone without sending this piece of hardware to a repair center... What a waste of resources :/

Fairphone 5 (FP5)

HWID:              0x001970e100420002 (MSM_ID:0x001970e1,OEM_ID:0x0042,MODEL_ID:0x0002)
CPU detected:      "qcm6490"
PK_HASH:           0xefb7ddf8b67771822fdc8d94ab20ae6df17c466f25e6ed33bc8c5e52edfb28574bc420db7b42654fd755f92c74860a8f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

RenateUSB commented 10 months ago

@codiflow Thanks for the hash. It's incompatible with the 3 loaders you had in your first post.

prog_firehose_lite.elf - Qualcomm factory signed
d9357db88795b5a8 afaebfd9ab08a569 cc8e519f6c689723 759f4e6915ca3466 e98b5a3282678bdf 63673d8517bb0c5b

prog_firehose_ddr_001970E1.elf - Hisense signed
4352b3bfeac440ca b3fc0a181be897f5 7ceed6cfe7729d61 752add407fa6e1be e86fe4a27eaed96a 83f9972f707af1d8

prog_firehose_lite_001970E1.elf - Hisense signed
4352b3bfeac440ca b3fc0a181be897f5 7ceed6cfe7729d61 752add407fa6e1be e86fe4a27eaed96a 83f9972f707af1d8

Your hash
efb7ddf8b6777182 2fdc8d94ab20ae6d f17c466f25e6ed33 bc8c5e52edfb2857 4bc420db7b42654f d755f92c74860a8f

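As an added example (not code from the edl project or from anyone in this thread), here are the compatibility checks that sarunelis and RenateUSB argue about above, written out in Python: split the 64-bit HWID from the Sahara hello into MSM_ID/OEM_ID/MODEL_ID, pull HW_ID/OEM_ID/MODEL_ID out of a signing certificate's OU strings, and compare the device PK_HASH with the hash of the loader's root certificate. Assumptions: the OU strings follow the "<index> <value> <name>" layout from the Qualcomm secure-boot document linked above (02 = HW_ID, 04 = OEM_ID, 06 = MODEL_ID), the 48-byte PK_HASH printed for this SoC is SHA-384 over the root certificate DER, and the `fused=False` case models bkerler's remark about unfused devices. The HWIDs are the ones quoted in the thread; the certificate bytes, the OU strings and all function names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

PK_HASH_BYTES = 48  # the QCM6490 hello above prints a 48-byte (SHA-384-sized) PK_HASH


@dataclass(frozen=True)
class HwId:
    """The 64-bit HWID word as edl prints it: MSM_ID[63:32] | OEM_ID[31:16] | MODEL_ID[15:0]."""
    msm_id: int
    oem_id: int
    model_id: int

    @classmethod
    def from_hex(cls, text: str) -> "HwId":
        word = int(text, 16)  # accepts both "0x..." and bare hex
        return cls((word >> 32) & 0xFFFFFFFF, (word >> 16) & 0xFFFF, word & 0xFFFF)


def normalize_pk_hash(printed: str, nbytes: int = PK_HASH_BYTES) -> str:
    """Drop the '0x' prefix and the zero padding edl appends after the real hash."""
    digits = printed.lower().removeprefix("0x")
    body, pad = digits[: 2 * nbytes], digits[2 * nbytes:]
    if len(body) != 2 * nbytes or set(pad) - {"0"}:
        raise ValueError(f"PK_HASH is not a zero-padded {nbytes}-byte value")
    return body


def parse_ou_fields(ou_values: Iterable[str]) -> dict:
    """Map OU name -> value for strings such as '02 001970E100430000 HW_ID'."""
    fields = {}
    for ou in ou_values:
        parts = ou.split()
        if len(parts) != 3:
            raise ValueError(f"unexpected OU layout: {ou!r}")
        _index, value, name = parts
        fields[name] = value
    return fields


def root_pk_hash(root_cert_der: bytes) -> str:
    # Assumption: PK_HASH is SHA-384 over the DER of the root certificate in the loader's chain.
    return hashlib.sha384(root_cert_der).hexdigest()


def check_loader(device_hwid: str, device_pk_hash: str, cert_ou: Iterable[str],
                 root_cert_der: bytes, fused: bool = True) -> list:
    """Return the reasons a signed loader would be refused; an empty list means no mismatch found.

    fused=False models bkerler's remark above: on an unfused device the OEM/MODEL part of
    HW_ID is not enforced, so only the SoC part (MSM_ID) and the PK_HASH are compared.
    """
    reasons = []
    dev = HwId.from_hex(device_hwid)
    ou = parse_ou_fields(cert_ou)

    if normalize_pk_hash(device_pk_hash) != root_pk_hash(root_cert_der):
        reasons.append("PK_HASH: the loader's root certificate is not the one fused into the device")

    if "HW_ID" in ou:  # absent from CERT 6.5+ chains, which hide the HW IDs (see above)
        cert = HwId.from_hex(ou["HW_ID"])
        if cert.msm_id != dev.msm_id:
            reasons.append(f"HW_ID: MSM_ID 0x{cert.msm_id:08x} != device 0x{dev.msm_id:08x}")
        if fused and (cert.oem_id, cert.model_id) != (dev.oem_id, dev.model_id):
            reasons.append(f"HW_ID: OEM/MODEL 0x{cert.oem_id:04x}/0x{cert.model_id:04x} "
                           f"!= device 0x{dev.oem_id:04x}/0x{dev.model_id:04x}")
    if fused:
        for name, expected in (("OEM_ID", dev.oem_id), ("MODEL_ID", dev.model_id)):
            if name in ou and int(ou[name], 16) != expected:
                reasons.append(f"{name}: cert 0x{int(ou[name], 16):04x} != device 0x{expected:04x}")
    return reasons


# Constructed sample inputs: the HWIDs are the ones quoted in this thread; the root
# certificate bytes (and therefore the hash) are placeholders, not a real Qualcomm/OEM cert.
ROOT_DER = b"\x30\x82\x01\x00" + b"constructed root certificate placeholder"
FP5_HWID = "0x001970e100420002"
FP5_PK_HASH = "0x" + root_pk_hash(ROOT_DER) + "0" * 288  # zero-padded the way edl prints it
AGM_G2_CERT_OU = ["02 001970E100430000 HW_ID", "04 0043 OEM_ID", "06 0000 MODEL_ID"]
FP5_CERT_OU = ["02 001970E100420002 HW_ID", "04 0042 OEM_ID", "06 0002 MODEL_ID"]

if __name__ == "__main__":
    for label, ou in (("AGM G2 loader on FP5", AGM_G2_CERT_OU), ("FP5 loader on FP5", FP5_CERT_OU)):
        print(label, "->", check_loader(FP5_HWID, FP5_PK_HASH, ou, ROOT_DER) or ["compatible"])
```

With a fused FP5 the AGM G2 certificate fails on OEM/MODEL three ways (inside HW_ID and in the separate OEM_ID and MODEL_ID fields) even though the PK_HASH matches, which is the situation sarunelis describes; with `fused=False` the same certificate passes, which is bkerler's point. A chain that omits the HW_ID field can only be checked on PK_HASH here, matching the "hidden HW IDs" remark for newer certificate versions.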
andreas5232 commented 8 months ago

I've also been running into a bricked FP5 recently. Unfortunately I couldn't find any matching EDL/QFIL file on the internet by now. FP3 seems to work without firehose signatures, FP4 seems to require signatures and there also doesn't seem to be any public EDL files.

Just found this curated list: http://www.temblast.com/ref/loaders.htm

As there have been several cases with bricked Fairphone 5 devices during the last weeks it would be awesome to have an option to recover them by ourselves.

codiflow commented 8 months ago

I can say that currently (and as long as we don't get the EDL loader) there's NO other way to unbrick a FP5 apart from sending it back to the Fairphone repair center in France and let them swap / unbrick the phone.

maximus-sallam commented 7 months ago

> @codiflow Thanks for the hash. It's incompatible with the 3 loaders you had in your first post.
>
> prog_firehose_lite.elf - Qualcomm factory signed
> d9357db88795b5a8 afaebfd9ab08a569 cc8e519f6c689723 759f4e6915ca3466 e98b5a3282678bdf 63673d8517bb0c5b
>
> prog_firehose_ddr_001970E1.elf - Hisense signed
> 4352b3bfeac440ca b3fc0a181be897f5 7ceed6cfe7729d61 752add407fa6e1be e86fe4a27eaed96a 83f9972f707af1d8
>
> prog_firehose_lite_001970E1.elf - Hisense signed
> 4352b3bfeac440ca b3fc0a181be897f5 7ceed6cfe7729d61 752add407fa6e1be e86fe4a27eaed96a 83f9972f707af1d8
>
> Your hash
> efb7ddf8b6777182 2fdc8d94ab20ae6d f17c466f25e6ed33 bc8c5e52edfb2857 4bc420db7b42654f d755f92c74860a8f

How are you calculating these hashes?

RenateUSB commented 7 months ago

> How are you calculating these hashes?

http://www.temblast.com/qcomview.htm