General EDL Flash Tool Leak


ibbu37

Member
Sep 7, 2022
But no, I haven't faced that where it doesn't boot to EDL mode.
Today, in new OnePlus devices after the merger with Oppo, they have created this mess while getting the device into a locked state, and the only way they can get into EDL is by short points. But earlier OnePlus devices never went through this brick state, so it's business.
 
May 12, 2014
Galliano
Who's got a 10 Pro here that's in EDL mode lol. Though, worrying that OPPO tech didn't post a flash-complete pic.
I have a OnePlus 10 Pro 5G that, when I accidentally hit "install to inactive slot" in Magisk Manager, went into EDL mode when it rebooted, and I don't know how to get it out. I've tried holding all buttons and nothing, but I have one in EDL mode so please send the tool.
 

alinc93

Member
Jun 23, 2016
OnePlus 8 Pro
OnePlus 10 Pro
Waiting for good news. In addition, please, whoever has a bricked phone, please contact me. I think we could use the new EDL method to bring the phone back up...

Looks promising:
(attached image: 2022-10-04_01-27.png)
 

alinc93

Member
Jun 23, 2016
OnePlus 8 Pro
OnePlus 10 Pro
Mmm... Let us know if it works. But I'm pretty confident these tools were tried in the past.
I'll use my OP8Pro as a mirror for requests/responses.
The tool is useful, but it lacks support for the 10 Pro, which I hope to make possible.
It detects the phone and interacts with it, but my phone's completely bricked (partitions & sectors are gone).
 

mark332

Senior Member
Jul 2, 2017
Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share the login, but if you are able to bypass the login screen, the tool does not need to authenticate with the server to flash a device in EDL mode. Attached is a screenshot of the login screen and the file. The tool picks up the device in EDL mode and allows the user to select the OFP file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device).

I wish you luck bypassing this login and fixing your phones.


'Leak', it's a joke. Just bypassing the login screen using a hex editor doesn't mean it allows flashing. The MSM Download Tool always included with every OFP file requires 2-step authentication: first using login and second using signature. You can bypass login just by replacing some word using a hex editor, but you can't bypass the signature, which is processed via server.
Firehose files are already available for 7T, 6T, 8 Pro; that's why the repacked version of the MSM tool is working.
And for the last time I am telling you, it's all processed via Firehose/Sahara protocol using the official QPST binary. My tool already supports GT Master Edition, Nord N20 5G, OnePlus 9, CE2 Lite, 9 Pro, GT Neo 2, GT Neo 3T,
Realme X2, X2, X3 SuperZoom, Reno10x Zoom, Q3s, Q3t, Q5 Pro, Reno 6 Pro Plus 5G, K9s, 9 5G SE, and many more from Oppo, Realme, OnePlus, and everything is processed via Firehose protocol. That's all,
so search firehose instead of leak or BLA, BLA, BLA.
 
Waiting for good news. In addition, please, whoever has a bricked phone, please contact me. I think we could use the new EDL method to bring the phone back up...

You can also use the Qualcomm flasher from the Qualcomm website. You have to make a profile, but they give all three USB drivers for phones, which means they're certified; they're not made by anyone else, so you don't have to shut off secure driver flags.
 

Top Liked Posts

  • I am not trying to be impolite, but we are in the OnePlus 10 Pro section and not the Realme one. Why do we have discussions regarding Realme and other devices here?
  • I am not trying to be impolite, but we are in the OnePlus 10 Pro section and not the Realme one. Why do we have discussions regarding Realme and other devices here?
    Sorry if I offended you by talking about Realme. The only reason I've done that is because both brands are under the same umbrella, BBK, and it seems that both brands are taking the same path regarding the user experience policy, which is not allowing the user to actually own their devices.
  • Sorry if I offended you by talking about Realme. The only reason I've done that is because both brands are under the same umbrella, BBK, and it seems that both brands are taking the same path regarding the user experience policy, which is not allowing the user to actually own their devices.
    No need to be sorry. I don't feel offended. I understand your intentions.
  • I am not trying to be impolite, but we are in the OnePlus 10 Pro section and not the Realme one. Why do we have discussions regarding Realme and other devices here?
    We help each other, as we are in a similar situation, and not all Realme/Oppo/OnePlus devices have an active community. Unfortunately, on XDA you cannot publish a thread that may matter to other devices' owners.
  • We help each other, as we are in a similar situation, and not all Realme/Oppo/OnePlus devices have an active community. Unfortunately, on XDA you cannot publish a thread that may matter to other devices' owners.
    Hey, I am not a monster :) I don't mind mentioning problems/solutions that are common for both devices here. Nothing wrong about that. However, giving detailed instructions on how to fix device B, or complaining about device B while being in a thread/section dedicated to device A, is slightly too much if you ask me. Such discussions belong to the device's dedicated forum (or in the general section). Otherwise users can get misleading information.
  • ENOPTP000224
    M4Sl_j=zp_
    I don't know how long until it expires.
  • Well, my device isn't under warranty anymore, plus its bootloader is unlocked, so even if I sent it to them, they won't fix it under warranty.
    AFAIK having an unlocked bootloader has never been a problem with OnePlus assistance. However, I wouldn't be surprised if they changed their policy about this considering what they did with the MSM Tool.
  • 100% does not matter, dude, your device is still under warranty.
    Thank you. Maybe I'll try contacting them to see if they could flash my device online, but sending my device to them isn't a good choice; I'd rather send my phone to a closer unauthorized repair shop than send it to an Oppo/Realme shop that is 100 km away.

    Also, it seems that this thread has reached a dead point. I've read the first 10 pages and reached nothing (I wish I had been there when that MSM account was available). I hope that flashing a bricked phone will be easier in the future, as there is no valid reason for making it that hard; it's so stupid that Qualcomm included EDL mode in their processors and didn't provide a universal EDL tool for us.
  • If you need to, just contact them. I'm in the UK; I get my phone back in about 4-5 days.

    Not the end of the world... Screw paying for it.
  • This tool seems to be intended for use with MediaTek devices.
    I wouldn't bet on it working with this phone, but here's how to bypass the login screen anyway.

    Open DownloadTool.exe with a hex editor
    Find '74 4b 8d 45 d4'
    Replace '74 4b' with '90 90'
    Save, launch, enter any username/password/code and click login.
    If you go to 'Software Package Management', you can specify a folder where your .ofp is located.
  • I have a bricked OnePlus 10 Pro which I can put into EDL mode via testpoints. PM me.
    (attached image: Screenshot_2022-09-27-01-30-39-519_com.miui.gallery.jpg)
  • I almost figured out what is sent to the server during flashing. The flash tool sends "chip ID", "account token", and "Epoch timestamp" to the server API at server-domain/API/sign/ to query a signature for firehose, and encrypts the query parameters with a public key. This info can be found in MSM download tool 2.0.6.9.

    If anyone wants to see it for themselves, simply get a debugger such as x64dbg with the ScyllaHide plugin enabled, follow the assembly instructions to get to the OEP, then dump the PE from memory and fix the import table to unpack it from VMProtect 3.x. After unpacking the file, use a decompiler to run a PE static analysis; IDA Pro or Ghidra can both do it. Search for "/API/sign/" in the defined strings; from that you can locate the auth function for the VIP signature. In that function, you can find a public key used to encrypt the queries, and also two variables: one is "account token", the other one is "Chip ID". Chip ID is unique for every device, which may be an issue.

    I haven't done a full analysis of the tool, not being sure if there's a timestamp protection on it. But I still strongly suggest that whoever is able to flash with auth remember to capture the signature for their device, so you might not need auth in future because your Chip ID is always yours.
  • I'm sorry for the late response. I was busy at work last week.
    Do you know who may have an example to go with? How long is the signature? There must be some form of checking within the MSM tool to verify the signature is valid. Is it key based or algorithm based? If it's algorithm based, maybe we can use the validation function in the MSM tool to figure out how it is checking and create valid signatures. Setting up a server locally to trick the device into thinking it's contacting OnePlus would be the easy part.

    Has anyone found examples of these logged signatures or know more about their calculation? HW serial based, HW ID based, device MAC based, IMEI based (unlikely)?

    Knowing what is sent to the server and what is received could also help. Does anyone have a full exchange of the https logs somewhere to go over?
    Yes, thanks to @hackslash, there's an example of the signature for ChipID b73e685e (for the API authserver_domain/api/tools/sign):

    Code:
    {"Data":{"response":{"encrypt":"ct5/f+RsW/3p2vhIp2EduoMJ8kfKk2iNbF+eTExuGsOicfvILFTKY/+qF0WxSEcREt3m7YSABbEwCRU4aWaJqoppx2du60hW6OhTYbaL+51JXr5byRQjqqhtwJ1VfFZ66U3EuZXidJVW6TjV1u09fgt5MT11zSwZzbpkrBg1UQruJi8wGrjtMnq0mbgno1H01QRnMY+GKN9UqZVrXGAdCRJm8T8Ysn5P1mnIOVwhuJZSkq6z7WH9RhyM1oJuURquvZEt/TP9vQda1/fNn0txtzu+ZWkuuou23zYulXhkmtDTp5D4LtdZ8VlAkakq8UowHv3tlW7lZMb52fY8QjF/zw==","message":"0000","status":"0","unlock":"","isAllowDegraded":false}},"ErrorCode":0,"Message":null}

    If you use Ghidra to do a static analysis of the unpacked downloadtool.exe (first use a debugger to unpack VMProtect 3.x) and locate the defined string "/api/tools/sign", you'll find a public key hardcoded in the tool to encrypt the HTTPS query to the server. All the transmissions are encrypted, but I don't even want to think about decrypting them because there's the ChipID problem.


    The signature can be fed to the tool, but it doesn't work for other devices. For example, here's the download tool log for the device with the correct ChipID:

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
    [COM51] Verify Data
    [COM51] Verify pass
    [COM51] Upload download result. chip id: b73e685e, result: -1, project: 20847
    [COM51] Upload download result failed.
    [COM51] Check the models and software
    [COM51] Start erase
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN1
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN5
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN4
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN2
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN0
    [COM51] Erasing the partition userdata
    [COM51] Download OCDT
    [COM51] brand is oplus, cdtdownloadstatus is 0, ufs = 1
    [COM51] Downloading ddr, zeros_5sectors.bin...
    ...

    And here's the download tool log for a device with a mismatched ChipID (feeding the obtained signature to another device):

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
    [COM51] Verify Data
    [COM51] FirehoseCheckRSP is ERROR, hr=1
    [COM51] Rsp:
     <?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <log value="ERROR: verify failed." /></data><?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <response value="NAK" rawmode="false" /></data>
    [COM51] Verify pass
    [COM51] Current download task end,elapsed time:7s.
    [COM51] Upload download result. chip id: b73e685e, result: 1, project: 20846
    [COM51] Upload download result failed.
    [COM51] Close the serial device
    [COM51] Download failed
    [COM51] Determine whether to upload the download info
    [COM51] compress file, retry time is 4
    [COM51] compress file success
    [COM51] start to upload
    [COM51] upload success
    [COM51] Stop timer
    End log...

    As you can see, the device only accepts signed packets, and the signature is somehow related to ChipID. Anyone can simply use the hex-patched tool to try flashing their device; you'll see your ChipID in the log generated by the download tool.

    At this point, I think the only solution is that the user has to at least pay to flash their device once to capture the signature for their device. And here's the hardest point: a lot of sellers check for packet capture software during the session. Yes, this can be bypassed via a rootkit (if you don't know how to program a simple hooking rootkit with Microsoft Detours, you can simply find some rootkit source code from hackforums or buy some rootkit source code from the dark web hacker sellers, then modify the code and compile it yourself). I believe that most users will fail to capture their device signature for EDL after being detected by the remote tech, due to the lack of specific knowledge. By the way, can the captured signature with the same ChipId be reused on the same device? Please be aware, this is still unconfirmed! But I think it is highly possible that it can work for the same device every time.

    But after seeing that @OppoTech123 is willing to help the community, I think maybe there's a chance that @OppoTech123 can help some developers capture their device signature to boost custom ROM development. But be aware that during the capture, the temporarily assigned token after logging in can also be captured; however, these tokens expire in a short time. It doesn't expire for login but expires for querying signatures; not sure if it's related to OTP or if the account holder can log out from another place. Be sure to protect your credits if querying a signature charges the tech some credits.


    Is there a way to alter the ID on the device? Even if it's temporary?
    I don't think so. Maybe there's an internal Qualcomm development tool that can do that, but I definitely don't have it.
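As an added example (not code from the thread or from any of the tools it discusses), this Python parser reads the two download-tool logs quoted above and reports why the Firehose verify stage accepted or NAKed the signed data: it pairs the chip ID and project number with the old/new sw_name_sign hashes and flags the NAK response that the tool logs just before a misleading "Verify pass" line. The sample logs are excerpts of the two logs posted above.

```python
# Classify the outcome of a Qualcomm EDL download-tool log (added example).
# The verify stage binds the signed data to a chip ID and a software-name hash;
# when the hashes differ the programmer answers NAK even though the tool still
# prints "Verify pass", so the real verdict has to be read from the NAK/failure lines.
import re
from dataclasses import dataclass

CHIP_RE = re.compile(r"\bID:([0-9a-f]+), B:")
PROJECT_RE = re.compile(r"ChainedTableOfDigests_(\d+)_")
SIGNS_RE = re.compile(r"old_sw_name_sign:([0-9a-f]+), new_sw_name_sign:([0-9a-f]+)")

@dataclass
class EdlVerify:
    chip_id: str = ""
    project: str = ""
    old_sign: str = ""
    new_sign: str = ""
    nak: bool = False      # programmer replied <response value="NAK">
    failed: bool = False   # tool logged "Download failed"

    def verdict(self) -> str:
        if self.nak or self.failed:
            return "REJECTED: programmer NAKed the signed data (sw_name_sign hashes differ)"
        if self.old_sign and self.old_sign == self.new_sign:
            return "ACCEPTED: signed data verified, erase/flash stage reached"
        return "UNKNOWN: verify stage not reached in this log"

def analyze_edl_log(text: str) -> EdlVerify:
    r = EdlVerify()
    for line in text.splitlines():
        if m := CHIP_RE.search(line):
            r.chip_id = m.group(1)
        elif m := PROJECT_RE.search(line):
            r.project = m.group(1)
        elif m := SIGNS_RE.search(line):
            r.old_sign, r.new_sign = m.groups()
        elif 'response value="NAK"' in line:
            r.nak = True
        elif line.rstrip().endswith("Download failed"):
            r.failed = True
    return r

# Excerpts of the two logs posted in the thread (matching and mismatching device).
GOOD_LOG = """[COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
[COM51] Verify pass
[COM51] Erasing the partition BackupGPT"""

BAD_LOG = """[COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
[COM51] FirehoseCheckRSP is ERROR, hr=1
<response value="NAK" rawmode="false" /></data>
[COM51] Verify pass
[COM51] Download failed"""
```

Running `analyze_edl_log(BAD_LOG).verdict()` yields the REJECTED verdict despite the "Verify pass" line, which is the detail a reader of these logs most easily misses.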