Post Reply

[R&D][QUALCOMM] Using QDL, EHostDL and DIAG interfaces & features

OP SouL Shadow

13th January 2013, 04:56 PM   |  #11  
saketh91's Avatar
Senior Member
Flag New York
Thanks Meter: 75
 
487 posts
Join Date:Joined: Sep 2011
More
Quote:
Originally Posted by SouL Shadow

Yes. All you need is the image files from an update or ruu. Check your device's forum, I'm sure someone has posted full firmware zip's. Just grab the correct one and wait for instructions.
-SLS-

i don't know exactly which firmware version which i was on before bricking my phone.but i definitely flashed a rooted sense rom. however i have all zips of the roms which i probably should have installed.also will this tool apply for every device(8960) even my at&t htc one x?
18th January 2013, 03:55 PM   |  #12  
E:V:A's Avatar
Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,806
 
1,352 posts
Join Date:Joined: Dec 2011
Great work!

Quote:
Originally Posted by SouL Shadow

The PBL does not perform OEM signature checking on the hex file.

How do you know this? (Other sources have claimed the opposite...)

Quote:

...After upload the 'GO' command is used to transfer execution to the flash programmer (the hex file). The phone is supposed to acknowledge the 'GO' command before jumping to the new code. It appears that the 8960 firmware in use by HTC and Samsung has a bug and is not sending that acknowledgement. QPST waits for this acknowledgement before moving on to the next step.

a) This could be an effect of PBL signature check!
b) Even if not checked, they could easily have changed the acknowledgement string to anything else.
c) It could also be an effect of a blown Qfuse...
d) Are you saying that QPST is not connecting to your phone? (What QPST version are you using?)

Quote:

Using the perl script posted above by Darkspr1te, other ppl have shown that the 'GO' command DOES transfer execution to the flash programmer and have used it to write the firmware (msimage.mbn) to emmc flash, ...

What other people? Do they even have the same phone?
18th January 2013, 06:01 PM   |  #13  
SouL Shadow's Avatar
OP Senior Member
Flag Stratford, CT
Thanks Meter: 296
 
460 posts
Join Date:Joined: Jun 2010
More
Re: [R&D][QUALCOMM] Using QDL, EHostDL and DIAG interfaces & features
Quote:
Originally Posted by E:V:A

Great work!



How do you know this? (Other sources have claimed the opposite...)

Qualcomm docs only mention verifying the hex, they say nothing about signature checking. For all we know it's simply verifying the uncorrupted download.

The hex is built by qualcomm and distributed with *other* files to the oem's/licensee's. It only needs to be changed when the actual hardware changes. The msimage.mbn is the oem specific component. There is no oem signature on the hex, however there may be a qualcomm signature or some kind of checksum to ensure it's a valid file.

Quote:
Originally Posted by E:V:A

a) This could be an effect of PBL signature check!
b) Even if not checked, they could easily have changed the acknowledgement string to anything else.

The acknowledgment does not contain any text. It's just a simple ACK reply.

Quote:
Originally Posted by E:V:A

c) It could also be an effect of a blown Qfuse...
d) Are you saying that QPST is not connecting to your phone? (What QPST version are you using?)

QPST hangs waiting for a response from the 8960 phones (htc evita, jewel, and sgs3), but other ppl (I don't know/remember who) using the above mentioned script have uploaded the hex and been able to communicate with the flash programmer. They were even able to upload the msimage.mbm. Although the .mbn used was probably the wrong build because after writing to emmc it did not boot in to the sbl. Either due to wrong files or older versions of firmware (causing a rollback error).

Quote:
Originally Posted by E:V:A

What other people? Do they even have the same phone?

This post: http://forum.xda-developers.com/show...php?p=36578082
Note the code part where it mentions 'openmulti' that command is only in the streaming download protocol which is used exclusively by the flash programmer.


EDIT 2013-01-28:
After a discussion with Ralekdev on IRC and reexamination of posted test results, it seems that the mprg8960.hex is NOT being executed. Will need to check the stored error code to see excatly why. Ralekdev was able to show me evidence of possible signature checking in the PBL. Again, we'll need to check the stored error code to confirm if that is the case. While this is a set back for msm8960 devices, it doesn't diminish the need for a full featured, open source, Linux replacement for QPST/QXDM.

-SLS-
Last edited by SouL Shadow; 28th January 2013 at 02:20 PM.
19th January 2013, 09:10 AM   |  #14  
E:V:A's Avatar
Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,806
 
1,352 posts
Join Date:Joined: Dec 2011
Quote:
Originally Posted by SouL Shadow

Qualcomm docs only mention verifying the hex, they say nothing about signature checking. For all we know it's simply verifying the uncorrupted download.

Well, you should never trust Qualcomm documentation! By the time they write the documentation, there have been many changes.
Probably what you say is correct, but I'm not conviced since I haven't checked the code. It was a few months ago I was looking at this. Perhaps the HEX not checked for signature, since it's just the downloader. (But this doesn't make sense, since this would break the SecureBoot3 chain of trust.) But whatever is downloaded IS signature checked.

Quote:

The acknowledgment does not contain any text. It's just a simple ACK reply.

Well, this is not how the Odin handshake looks like! There there is a short string, like "LOKE" / "ODIN" or something like that. (I don't remember it on top of my head.) So AFAIK, Odin is not working with these device, which would be an indication that they have changed the handshake. (What other kind of tools would the mobile operators use?)

Quote:

QPST hangs waiting for a response from the 8960 phones (htc evita, jewel, and sgs3), but other ppl (I don't know/remember who) using the above mentioned script have uploaded the hex and been able to communicate with the flash programmer. They were even able to upload the msimage.mbm. Although the .mbn used was probably the wrong build because after writing to emmc it did not boot in to the sbl. Either due to wrong files or older versions of firmware (causing a rollback error).

Exactly.
Last edited by E:V:A; 19th January 2013 at 08:29 PM.
19th January 2013, 08:23 PM   |  #15  
Junior Member
Thanks Meter: 0
 
2 posts
Join Date:Joined: Jan 2013
Is it possible to access the bootloader output via USB UART for htc 8960 devices? Seems like this might be useful to get PBL/SBL output for a bricked device.
19th January 2013, 08:56 PM   |  #16  
SouL Shadow's Avatar
OP Senior Member
Flag Stratford, CT
Thanks Meter: 296
 
460 posts
Join Date:Joined: Jun 2010
More
Re: [R&D][QUALCOMM] Using QDL, EHostDL and DIAG interfaces & features
Quote:
Originally Posted by E:V:A

Well, you should never trust Qualcomm documentation! By the time they write the documentation, there have been many changes.
Probably what you say is correct, but I'm not conviced since I haven't checked the code. It was a few months ago I was looking at this. Perhaps the HEX not checked for signature, since it's just the downloader. (But this doesn't make sense, since this would break the SecureBoot3 chain of trust.) But whatever is downloaded IS signature checked.

Take a look at the creation date on the hex files in the source archive. They were created in November 2011. But that build is from a later date (I don't have it in front of me, but I think it's from april 2012). That source archive is directly from qualcomm. Why is that important? Because it shows that even with most changes to the source, the hex files don't need to be rebuilt. Besides, the flash programmer is fairly limited in what it can do. It's purpose is to rewrite the bootloaders to blank or corrupted nand/nor/emmc flash. Once written the phone will shut down and attempt to boot normally. Secure Boot only covers the boot process from power on to hardware initialization, security environment setup and finally loading appsbl. Everything after that is up to the oem to do whatever they choose. Although, interestingly enough, team unlimited was able to create a custom hboot (htc's appsbl) which will load normally even with signature checking...

Quote:
Originally Posted by E:V:A

Well, this is not how the Odin handshake looks like! There there is a short string, like "HELLO" / "ODIN" or something like that. (I don't remember it on top of my head.) So AFAIK, Odin is not working with these device, which would be an indication that they have changed the handshake. (What other kind of tools would the mobile operators use?)

I don't think we're in odin anymore toto!
PBL, the good bootloader of the east suddenly appears to tell us that someone dropped a brick on secure boot. Now all these little pdf's are singing, telling us to follow the HDLC road. Along the way we'll meet some interesting new people. There's QDL who lacks a brain. The Hex-man with no heart. And Streaming Download, a protocol in need of a little courage. Together we can follow the HDLC road to reach the great wizard of qualcomm and use the ruby .mbn file to return us to odin. That's when we'll awake to find Auntie ( a || h )boot and uncle recovery. Adb is there and fastboot and android too!

(don't ask, I don't know either ...)

And back in reality:

I've never used odin (in fact the first time I even heard of it was reading the Verizon SGS3 unlocking thread, which is how I discovered your thread, which lead me to here), but it's my understanding that it is a Samsung only feature that is integrated on the appsbl level, providing similar functionality to HTC's RUU mechanism. Although odin appears to be much more advanced. I've seen numerous samsung users with qualcomm hardware mention how they were stuck in qdl mode and no longer able to access odin to recover.

Now if you'll excuse me, I suddenly have the urge to listen to Dark Side of the Moon...

-SLS-
The Following User Says Thank You to SouL Shadow For This Useful Post: [ View ]
19th January 2013, 10:43 PM   |  #17  
SouL Shadow's Avatar
OP Senior Member
Flag Stratford, CT
Thanks Meter: 296
 
460 posts
Join Date:Joined: Jun 2010
More
Re: [R&D][QUALCOMM] Using QDL, EHostDL and DIAG interfaces & features
Quote:
Originally Posted by withRandomPrecision

Is it possible to access the bootloader output via USB UART for htc 8960 devices? Seems like this might be useful to get PBL/SBL output for a bricked device.

Sort of. Only JTAG can access full output. Error and other diagnostic info can be read from memory using the DMSS Download Protocol or through the DIAG interface.

Under Linux all communication is done via usb serial converter kernel module qcserial and device node /dev/ttyUSBn where n = your device number reported by the kernel dmesg. This goes for any modern qualcomm device using a usb port. Older products used a proprietary serial wiring (outlined in the DMSS Serial Data ICD document 80-V1294-1) to access these same protocols.

The pbl/sbl's all share the same qdl code base. They will transmit a "magic" string over usb, waiting only a programmed amount of time for a connection.

If you mount debugfs
Code:
mount -t debugfs none_debugfs /sys/kernel/debug
and load a kernel module usbmon
Code:
modprobe usbmon
then you can access raw usb streams, either per bus or for the entire computer. There's a raw text interface at /sys/kernel/debug/usb/usbmon
There's also raw binary interface through /dev/usbmon[N]

Also, see the kernel source docs:
<kernel source>/Documentation/usb/usbmon.txt

On a bricked phone qcserial will recognise the device and a ttyUSB will become available OR if sbl3 was successfully loaded usb mass storage will provide the enumerated emmc partitions (although using them is still a work in progress, I have an idea how to properly do it. Will post details once I can test it).

To utilize the qdl usb serial interface you need to use the DMMS Download Protocol outlined in document 80-39912-1 Revision E.


On a working phone there is a usb serial interface available as well. However the qcserial kernel module is not programmed with the oem's vid/pid, so it doesn't load. I've been able to connect to it via generic serial converter:
Code:
modprobe usbserial vender=0x<vid> product=<pid>
Then disconnect and reconnect the usb cable to the phone. dmesg will show the new ttyUSB device.
Unfortunately I haven't been able to actually do anything with it yet. On a working phone it should connect you to the modem which you can use AT commands to interact with. There is also an AT command to switch to DIAG mode. From DIAG more you would use the DMSS Serial Data protocol (doc 80-V1294-1 Revision YP), another HDLC based protocol, to interact.


I have a large number of doc's covering all the above mentioned items and much more (just over 100 pdf's). Unfortunately they are all watermarked with the actual username who had access. If someone has or can point me to a program that can remove said watermarks then I would happily share all of them.

-SLS-
The Following User Says Thank You to SouL Shadow For This Useful Post: [ View ]
23rd January 2013, 05:55 PM   |  #18  
E:V:A's Avatar
Recognized Developer
Flag -∇ϕ
Thanks Meter: 1,806
 
1,352 posts
Join Date:Joined: Dec 2011
Quote:
Originally Posted by SouL Shadow

... Unfortunately they are all watermarked with the actual username who had access. If someone has or can point me to a program that can remove said watermarks then I would happily share all of them.

Did you actually try to google that?

http://www.slideshare.net/linsu39/5-...-pdf-watermark
http://download.cnet.com/We-PDF-Wate...-75593137.html

http://online2pdf.com/
http://www.freepdfconvert.com/#
http://foxyutils.com/splitpdf/
Last edited by the_scotsman; 28th September 2013 at 03:22 AM.
23rd January 2013, 07:40 PM   |  #19  
SouL Shadow's Avatar
OP Senior Member
Flag Stratford, CT
Thanks Meter: 296
 
460 posts
Join Date:Joined: Jun 2010
More
Re: [R&D][QUALCOMM] Using QDL, EHostDL and DIAG interfaces & features
Hah, yes I did. These pdf's are encrypted so most tools want a password to edit them. Looking for a Linux command line utility so I can strip about 100 pdf's. Found pdftk but it requires a password to work on encrypted pdf's. I was able to convert an encrypted pdf to a non-encrypted pdf using the pdftocairo tool... but that changes the raw pdf data so finding the watermark data is more difficult. Now I'm searching for a pdf editor since my linux distro didn't come with one. Unfortunately I've spent half my day off working on this when I could have been programming.

EDIT:
found qpdf on sourceforge!
qpdf + grep + sed = fully automated bash script to clean all the pdf's

EDIT2:
I now have a working script to remove the watermarks. Found a few bugs while cleaning my document archive. I will post it as soon as I can work them out.

-SLS-
Last edited by the_scotsman; 28th September 2013 at 03:23 AM.
The Following User Says Thank You to SouL Shadow For This Useful Post: [ View ]
25th January 2013, 08:54 AM   |  #20  
viperbjk's Avatar
Recognized Developer
Flag Munich
Thanks Meter: 45
 
10
391 posts
Join Date:Joined: Nov 2007
More
Wink
Quote:
Originally Posted by E:V:A

Well, you should never trust Qualcomm documentation! By the time they write the documentation, there have been many changes.
Probably what you say is correct, but I'm not conviced since I haven't checked the code. It was a few months ago I was looking at this. Perhaps the HEX not checked for signature, since it's just the downloader. (But this doesn't make sense, since this would break the SecureBoot3 chain of trust.) But whatever is downloaded IS signature checked.

Well, this is not how the Odin handshake looks like! There there is a short string, like "LOKE" / "ODIN" or something like that. (I don't remember it on top of my head.) So AFAIK, Odin is not working with these device, which would be an indication that they have changed the handshake. (What other kind of tools would the mobile operators use?)

Exactly.

Absolutely correct. The download code itself has a mechanism to verify if it is valid. Some vendors check the download code before being executed if they are signed correctly, others leave the downloader as it is, but check the md5 signature within the downloader. However we managed to exploit the md5 verification to rewrite the msm7x bootloader to let us read full flash connected to radio. Not sure if they changed a lot regarding the msm89xx chipsets, but I'm going to have a look at that again, if needed. Regarding the flashing process, the flashed files are signed and checked for validity after uploading, rsa keys are in both amss and oemsbl.

Odin Protocol mainly belongs to samsung's own cpu/bootloader and has nothing to do with the qualcomm msm's/qsd's/qsc's.

What we speak of is the such called "QC Download Mode". Using the tty interface being in QC DM Mode you can just send the "3A" command to enter the "QC Download mode". For some mobiles, even if you have access to the radio download mode (qc) you cannot flash and repair the flash that belongs to the PDA part (most seen for those OMAP / MSM combinations). It's just because both cpu's use their own flash module for their firmware parts (means the flash isn't routed to both cpus, thus technically impossible).

WBR

The Following 2 Users Say Thank You to viperbjk For This Useful Post: [ View ]
Post Reply Subscribe to Thread

Tags
qdl, qualcomm, r&d
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes