bkerler / edl

Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
GNU General Public License v3.0
1.64k stars 381 forks source link

loader for msm8216 #525

Open Minha-D opened 7 months ago

Minha-D commented 7 months ago

Please Can any one provide loader for following : 22:43:59: Sahara protocol completed

Received S/N CPU - 11AB51FC HWID - 007070E100000000 OEM_PK_HASH (64) - 996C7888282743ACED72ACC73D3228DBF4938C291AC05931A79E45BC0BCE268A SBL SW Ver. - 00000001

ElectroBoy404NotFound commented 7 months ago

Which mobile is it? What CPU does it use?

Minha-D commented 7 months ago

Which mobile is it? What CPU does it use?

Samsung Galaxy grand prime. Snapdragon 410

RenateUSB commented 7 months ago

I don't see that hash anywhere, but a Snapdragon 410 is a bit older. Might it not have Secure Boot enabled? Many of the qualcomm/factory/msm???? seem to support the MSM8216 If you have a partition like xbl/abl/cmnlib or something, post it so we can check the hashing on that.

Minha-D commented 6 months ago

I don't see that hash anywhere, but a Snapdragon 410 is a bit older. Might it not have Secure Boot enabled? Many of the qualcomm/factory/msm???? seem to support the MSM8216 If you have a partition like xbl/abl/cmnlib or something, post it so we can check the hashing on that.

I have tried loaders from qualcomm/factory/msmxxxx none of them support MSM_ID:0x007070E1. And I have checked it's factory firmware there is no partition image as xbl/abl/cmnlib. But it has sbl.img

RenateUSB commented 6 months ago

Many of the loaders refer to MSM8216. Post the sbl.img, please.

Minha-D commented 6 months ago

Sorry it's not sbl.img. it's sbl1.mbn Here is the file sbl1.zip

RenateUSB commented 6 months ago

That sbl1.mbn is actually an ELF file and signed by Samsung so:

d282db63 7345f047 7b6026de 54061686 c6db4dfe 6ff2a4ff 54d142cf e67f97bd

There are actually 18 certificates in this file! I have no idea why that is. The last one (root) has the PK hash above, but none of the other 17 are 996C7...

Maybe this device does not have Secure Boot enabled? OTOH, it could be enforcing the HW_ID. I don't know.

Minha-D commented 6 months ago

That sbl1.mbn is actually an ELF file and signed by Samsung so:

d282db63 7345f047 7b6026de 54061686 c6db4dfe 6ff2a4ff 54d142cf e67f97bd

There are actually 18 certificates in this file! I have no idea why that is. The last one (root) has the PK hash above, but none of the other 17 are 996C7...

Maybe this device does not have Secure Boot enabled? OTOH, it could be enforcing the HW_ID. I don't know.

It might be enforcing HW_ID. And this device might have secure boot enabled, because when i used "lk2nd" secondary bootloader by postmarketOS to boot Linux in thik device it said secure boot enabled. I have found loaders for (0x007050E1) which is for msm8916 and also found loaders for (0x007060E1) but couldn't found any for msm8216 hw_id:(0x007070E1).

Minha-D commented 6 months ago

@RenateUSB Could you check this partitions partitions.zip

RenateUSB commented 6 months ago

emmc_appsboot.mbn is a 32 bit ELF file signed with 18 Samsung certs. The other two are some sort of raw binary data files.

Minha-D commented 6 months ago

@RenateUSB thanks for your help. I have a tz.img , I think which is trust zone. Can it help?

RenateUSB commented 6 months ago

The emmc_appsboot.mbn has the same hash as the sbl1 and different from what Sahara said. So, either your device is not Secure Boot or else there are more PK hashes than what Sahara quoted. I do not have any faith that this EDL client prints out all the PK hashes when there are multiples.

In any case, it's pointless to check the other ~40 other partitions with ELF files for hashes.

Minha-D commented 6 months ago

@RenateUSB thanks for your help

RenateUSB commented 6 months ago

If you run that with full debug you can see when the PK hash comes over. You can see that it's 32 bytes (64 hexits, 256 bits), but there are usually 3 copies sent (96 bytes). We don't know if these 3 copies are the same or empty.