General EDL Flash Tool Leak


alate lee

Member
Sep 21, 2022
Although we can't flash the ROM ourselves from EDL mode, nor with MSM tools, and there is no customer service from Oppo or OnePlus, I have been working hard. For now I can't successfully crack or bypass it. Finally, I hope people will be able to bypass or crack it.
 

gonetask

Member
Jul 27, 2022
I got another tool for Realme devices to flash .OFP file in EDL 9008 Mode, can anyone check and say that it will work with OnePlus and Oppo devices with .OFP firmware, I have tested on Realme GT Series. It is working without issues.

Give it a try: NO Auth, No Password, Direct Flash. It might brick other devices... can anyone give details on this tool?

Tool Attached.
 

Attachment: Realme EDL.rar (3.7 MB)

Mr Hassan

Account currently disabled
Feb 14, 2016
I got another tool for Realme devices to flash .OFP file in EDL 9008 Mode, can anyone check and say that it will work with OnePlus and Oppo devices with .OFP firmware, I have tested on Realme GT Series. It is working without issues.

Give it a try: NO Auth, No Password, Direct Flash. It might brick other devices... can anyone give details on this tool?

Tool Attached.
Bro, but the ROM already has the loader.
The problem is it needs VIP (server-based) verification to start the flash; otherwise, in the same thread people have already bypassed the login.
So login is not the issue; you need to patch the loader or remove the server verification.
 

Ph0nysk1nk

Senior Member
Jul 28, 2016
I got another tool for Realme devices to flash .OFP file in EDL 9008 Mode, can anyone check and say that it will work with OnePlus and Oppo devices with .OFP firmware, I have tested on Realme GT Series. It is working without issues.

Give it a try: NO Auth, No Password, Direct Flash. It might brick other devices... can anyone give details on this tool?

Tool Attached.
This tool is for a specific phone.
 

dladz

Senior Member
Aug 24, 2010
Baffled as to where we're up to with this at the moment. It sounds like it's not working, obviously, but from what I can gather we've got a login, but there's a file missing or not present. Is that right? Is this fixable?

Would a bounty make more sense at this point? Get some wider exposure and attract the potential help that's needed? Although I'm disappointed in OnePlus, I do think that the 10 Pro is a device with massive potential.

What do you think?
 

Relsich

Member
Jun 13, 2022
Baffled as to where we're up to with this at the moment. It sounds like it's not working, obviously, but from what I can gather we've got a login, but there's a file missing or not present. Is that right? Is this fixable?

Would a bounty make more sense at this point? Get some wider exposure and attract the potential help that's needed? Although I'm disappointed in OnePlus, I do think that the 10 Pro is a device with massive potential.

What do you think?
Need to delete the authorization in the firehose file, which is encrypted in the OFP, and after deleting the authorization, encrypt it back into an OFP. Decrypting the OFP is possible, but encrypting it back is not yet possible.
 

hackslash

Recognized Contributor
Feb 20, 2015
Baffled as to where we're up to with this at the moment. It sounds like it's not working, obviously, but from what I can gather we've got a login, but there's a file missing or not present. Is that right? Is this fixable?

Would a bounty make more sense at this point? Get some wider exposure and attract the potential help that's needed? Although I'm disappointed in OnePlus, I do think that the 10 Pro is a device with massive potential.

What do you think?
Well, we had an account. I used it to snitch the authorization token. The token still works, since it successfully queries the OPPO API endpoints for the device list, etc. However, when the flash starts the tool calls the /sign endpoint to receive another signed token. Since we were unable to find anyone who could boot their device into EDL mode, we lost the chance to snitch that token.
 

hackslash

Recognized Contributor
Feb 20, 2015


And yes, the download works fine. Changing the Region information also changes the Package files available and other things.
However, I haven't checked if Signature Validation works with his tool. Only checked with OPLUS one, and it didn't.
 

evilhawk00

Senior Member
Feb 22, 2014

And yes, the download works fine. Changing the Region information also changes the Package files available and other things.
However, I haven't checked if Signature Validation works with his tool. Only checked with OPLUS one, and it didn't.
An idea came to my mind.

I've checked the after-sale package of the 10T, which can be downloaded from https://yun.daxiaamu.com/OnePlus_Roms/一加OnePlus Ace Pro/原厂包 氧OS 12.1 A.05/CPH2415GDPR_11_A.05_2022080401330000.zip?preview

If you extract the zip file you'll find that it's not an .ofp file but a zip file containing many little files. It is completely different from the previously known after-sale packages. Looking at the file name format plus the screenshot you've shown, I'm pretty sure the zip file is the same as the one that can be downloaded from the tool. The weirdest part is that I found no way to import the zip package into the tool because it's not even an .ofp file. ?????

Plus, looking at this https://www.droidwin.com/leaked-edl-flash-tool-for-oneplus-realme-oppo-is-here/ I'm pretty sure it can only import .ofp files because I found no way to import a zip file like that.

However, if I simply change the file type part of the file name from "firmware*.zip" to "firmware*.ofp", it can import the .ofp file. So my question is, why is it downloading non-encrypted .zip files?

I'm guessing:
What if the flash tool actually encrypts the downloaded zip file to .ofp after downloading? Maybe it encrypts the zip to .ofp, adds the token of the downloader to the .ofp file and signs the .ofp file with a VIP signature? So the .ofp can only be flashed by the downloader? Maybe there's some kind of watermarking technique applied to the .ofp file? The flash tool file is small, so it can be easily shared, but the .ofp file is big, so it is definitely the best place to put a watermark. Then during flashing, the flash tool reads the signature from the .ofp again and checks if the current user is the signer (creator) of the .ofp? People used an .ofp from somewhere else and imported it into the tool; maybe that's why it failed with "flash_sign_error". ????? I really think connecting to the server during flashing makes no sense because the user has already logged in to the account, so why bother again? IMO, putting a watermark on the .ofp file is enough to protect it from the flash tool hex-editing bypass. What if the .ofp has to be downloaded with the same login user token?

Above is my guess, because I still have no clue how to import a non-encrypted zip file. If this is the case, someone may need to flash the firmware downloaded by the tool, not just import external .ofp files.
 

EtherealRemnant

Senior Member
Sep 15, 2007
An idea came to my mind.

I've checked the after-sale package of the 10T, which can be downloaded from https://yun.daxiaamu.com/OnePlus_Roms/一加OnePlus Ace Pro/原厂包 氧OS 12.1 A.05/CPH2415GDPR_11_A.05_2022080401330000.zip?preview

If you extract the zip file you'll find that it's not an .ofp file but a zip file containing many little files. It is completely different from the previously known after-sale packages. Looking at the file name format plus the screenshot you've shown, I'm pretty sure the zip file is the same as the one that can be downloaded from the tool. The weirdest part is that I found no way to import the zip package into the tool because it's not even an .ofp file. ?????

Plus, looking at this https://www.droidwin.com/leaked-edl-flash-tool-for-oneplus-realme-oppo-is-here/ I'm pretty sure it can only import .ofp files because I found no way to import a zip file like that.

However, if I simply change the file type part of the file name from "firmware*.zip" to "firmware*.ofp", it can import the .ofp file. So my question is, why is it downloading non-encrypted .zip files?

I'm guessing:
What if the flash tool actually encrypts the downloaded zip file to .ofp after downloading? Maybe it encrypts the zip to .ofp, adds the token of the downloader to the .ofp file and signs the .ofp file with a VIP signature? So the .ofp can only be flashed by the downloader? Maybe there's some kind of watermarking technique applied to the .ofp file? The flash tool file is small, so it can be easily shared, but the .ofp file is big, so it is definitely the best place to put a watermark. Then during flashing, the flash tool reads the signature from the .ofp again and checks if the current user is the signer (creator) of the .ofp? People used an .ofp from somewhere else and imported it into the tool; maybe that's why it failed with "flash_sign_error". ????? I really think connecting to the server during flashing makes no sense because the user has already logged in to the account, so why bother again? IMO, putting a watermark on the .ofp file is enough to protect it from the flash tool hex-editing bypass. What if the .ofp has to be downloaded with the same login user token?

Above is my guess, because I still have no clue how to import a non-encrypted zip file. If this is the case, someone may need to flash the firmware downloaded by the tool, not just import external .ofp files.
That file is an OTA, not an MSM, that's why it has a smaller file size and isn't encrypted. There is no posted OOS MSM there.
 

Mr Hassan

Account currently disabled
Feb 14, 2016
No idea. If someone wants to try it out, setup Fiddler and Proxifier on your PC. I've posted the tokens in this thread. Use them to auto respond to login request.
Feel free to PM me too, but only if you can go to EDL mode and test it out.
Do you have the ID and password? I can manage a Chinese device, which is a 2220-something.
But only if it's totally secure, because the device is brand new without any issue.
I'll install anything you want.
If you have a user account then I'll try many times for you, but the terms & conditions on the device must be in the same state after all testing.
 

evilhawk00

Senior Member
Feb 22, 2014
That file is an OTA, not an MSM, that's why it has a smaller file size and isn't encrypted. There is no posted OOS MSM there.
At first I thought it was an OTA. But then I figured out it is the same file downloaded from the flash tool; it's the only available 10T file that can be downloaded from the flash tool. So I took a deep dig into the zip. I didn't see any updater-script or payload inside the zip. And I checked the directory /image inside the zip; there's even a firehose loader inside. Additionally, according to the screenshot, all the available 10 Pro zips in the flash tool's download list are in the same format, with no OFP available. It makes no sense for an EDL tool to download an OTA file. Even if it's an OTA file, there may be a way to convert it to an OFP. The file contents look very different compared to the old OxygenOS 11 OTA file.


This is the official A05 10T OTA link:

The official 10T A.05 OTA file is only 4.3 GB, but the one from the download tool, CPH2415GDPR_11_A.05_2022080401330000.zip, is 5.43 GB.
 

EtherealRemnant

Senior Member
Sep 15, 2007
At first I thought it was an OTA. But then I figured out it is the same file downloaded from the flash tool; it's the only available 10T file that can be downloaded from the flash tool. So I took a deep dig into the zip. I didn't see any updater-script or payload inside the zip. And I checked the directory /image inside the zip; there's even a firehose loader inside. Additionally, according to the screenshot, all the available 10 Pro zips in the flash tool's download list are in the same format, with no OFP available. It makes no sense for an EDL tool to download an OTA file. Even if it's an OTA file, there may be a way to convert it to an OFP. The file contents look very different compared to the old OxygenOS 11 OTA file.

This is the official A05 10T OTA link:

The official 10T A.05 OTA file is only 4.3 GB, but the one from the download tool, CPH2415GDPR_11_A.05_2022080401330000.zip, is 5.43 GB.
Interesting. I just went ahead and downloaded it on my phone (I'm not near my computer). I assumed like everything else it was only OTAs and MSMs that got posted there. This is indeed something I haven't seen before, complete with engineering files marked confidential.

It will be interesting if/when a 10T MSM leaks to see if that firehose is special or not.
 
Top Liked Posts

  • 3
    Hello, I've just got an MSM account from a guest. Did your phone get fixed, and can I test it?
    Yo guys, shout out to this man for helping me unbrick my phone. 5 months with no reply from OnePlus, and he just solved it in one night! Thanks a lot bro. 💯 @xuanhoang1811
  • 6
    ENOPTP000224
    M4Sl_j=zp_
    I don't know when it will expire
    3
    It's December and yet there are still no MSM tools to work around this. My phone has been dead for 5 months.
    3
    Maybe we should just give up, anyone that bought a OnePlus 10 Pro or 10T and wants the freedom of a ROM scene. OnePlus clearly doesn't want such a scene to exist, as all of their steps (locking it down, leaving devs in the dark, no outreach that acknowledges how serious the situation they shaped is, etc.) are indicative of that.

    Imagine creating such heavy security/anti-cracking technologies, that to this day no one has managed to fully reverse, understand and crack, just to stop the ROM development scene or at least heavily obstruct it. In essence it really is a fully aware, conscious attack against the scene. OnePlus hereby chooses to lose the loyalty of advanced users, even though in earlier years they had won their trust by profiling their brand as 'developer friendly, with active outreach and OSS promotion'. I wonder what motivates such a strategy... they don't want a ROM scene, for what? Maybe there is some next-level China spying/data collection **** going on, or the Chinese government may require them to implement that in the future? If people wipe out all traces of OxygenOS and install ROMs like LineageOS, taking back control of their devices (then just a piece of hardware that runs whatever they wish) to the fullest possible extent, they would no longer have the ability to keep collecting user data for commercial and/or nefarious purposes. Maybe they are not happy with being less in power to deploy such schemes, hence the attack against the development scene, and so much effort to high-tech lock it down. Really, a huge budget and high-level security developers/researchers/pentesting teams must have been allocated to lock it down as they did.

    My point is: OnePlus doesn't want us. How about we accept that, no longer want them, and leave. Sell our devices and pick a brand that's still development friendly and for which we can expect a newly released device to quickly be introduced within the ROM scene. I also don't want to be a user that's fully accustomed to all the performance, privacy and usability benefits custom ROMs offered me in the past, now stuck with the pile of ** that is OxygenOS, for an indefinite amount of time. Using it hurts my feelings more every day. It's also an insult to the powerful hardware of said device.

    Give up, move on. I am looking at Google Pixel, or maybe "Nothing" turns out to be as developer friendly as it seems to be looking to appear.
    3
    NOTE: for God's sake, or for anyone you love, if anyone shares an account this time, DO NOT CHANGE THE PASSWORD. If you think you'll change the password and use it only for yourself, OF COURSE NOT: THE ACCOUNT WILL BE BANNED IN 10 MINUTES.
    Now I have one account and I'm using it without changing it, but it's only for ENABLE ENGINEERING MODE for 24 HOURS.
    3
    We help each other, as we are in a similar situation, and not all Realme/Oppo/OnePlus devices have an active community; unfortunately on XDA you cannot publish a thread that may matter to other devices' owners.
    Hey, I am not a monster :) I don't mind mentioning problems/solutions that are common to both devices here. Nothing wrong with that. However, giving detailed instructions on how to fix device B, or complaining about device B while being in a thread/section dedicated to device A, is slightly too much if you ask me. Such discussions belong in the device's dedicated forum (or in the general section). Otherwise users can get misleading information.
  • 16
    Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share a login, but if you are able to bypass the login screen, the tool does not need to authenticate with the server to flash the device in EDL mode. Attached is a screenshot of the login screen and the file. The tool picks up the device in EDL mode and allows the user to select the OFP file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device).

    I wish you luck bypassing this login and fixing your phones.


    12
    This tool seems to be intended for use with mediatek devices.
    I wouldn't bet on it working with this phone, but here's how to bypass the login screen anyway.

    Open DownloadTool.exe with a hex editor
    Find '74 4b 8d 45 d4'
    Replace '74 4b' with '90 90'
    Save, launch, enter any username/password/code and click login.
    If you go to 'Software Package Management', you can specify a folder where your .ofp is located.
    7
    I have a bricked OnePlus 10 Pro which I can put into EDL mode via testpoints. PM me.
    6
    I almost figured out what is sent to the server during flashing. The flash tool sends the "chip ID", "account token", and "epoch timestamp" to the server API, which is server-domain/API/sign/, to query a signature for firehose, and encrypts the query parameters with a public key. This info can be found in MSM download tool 2.0.6.9.

    If anyone wants to see it themselves, simply get a debugger such as x64dbg with the ScyllaHide plugin enabled, follow the assembly instructions to get to the OEP, then dump the PE from memory and fix the import table to unpack it from VMProtect 3.x. After unpacking the file, use a decompiler to run a static PE analysis; IDA Pro or Ghidra can both do it. Search for "/API/sign/" in the defined strings; from that you can locate the auth function for the VIP signature. In that function you can find a public key used to encrypt the queries, and also two variables: one is "account token", the other is "Chip ID". Chip ID is unique for every device, which may be an issue.

    I haven't done a full analysis of the tool, not being sure if there's a timestamp protection on it. But I still strongly suggest that whoever is able to flash with auth remember to capture the signature for their device, so you might not need auth in future because your Chip ID is always yours.
    6
    I'm sorry for the late response. I was busy at work last week.
    Do you know who may have an example to go with? How long is the signature? There must be some form of checking within the msm tool to verify the signature is valid. Is it key based or algorithm based? If it's algorithm based, maybe we can use the validation function in the msm tool to figure out how it is checking and create valid signatures. Setting up a server locally to trick the device into thinking it's contacting OnePlus would be the easy part.

    Has anyone found examples of these logged signatures or know more about their calculation? HW serial based, HW ID based, device MAC based, IMEI based (unlikely)?

    Knowing what is sent to the server and what is received could also help. Does anyone have a full exchange of the https logs somewhere to go over?
    Yes, thanks to @hackslash, there's an example of the signature for ChipID b73e685e (for the API authserver_domain/api/tools/sign):

    Code:
    {"Data":{"response":{"encrypt":"ct5/f+RsW/3p2vhIp2EduoMJ8kfKk2iNbF+eTExuGsOicfvILFTKY/+qF0WxSEcREt3m7YSABbEwCRU4aWaJqoppx2du60hW6OhTYbaL+51JXr5byRQjqqhtwJ1VfFZ66U3EuZXidJVW6TjV1u09fgt5MT11zSwZzbpkrBg1UQruJi8wGrjtMnq0mbgno1H01QRnMY+GKN9UqZVrXGAdCRJm8T8Ysn5P1mnIOVwhuJZSkq6z7WH9RhyM1oJuURquvZEt/TP9vQda1/fNn0txtzu+ZWkuuou23zYulXhkmtDTp5D4LtdZ8VlAkakq8UowHv3tlW7lZMb52fY8QjF/zw==","message":"0000","status":"0","unlock":"","isAllowDegraded":false}},"ErrorCode":0,"Message":null}

    If you use Ghidra to do a static analysis of the unpacked downloadtool.exe (first use a debugger to unpack VMProtect 3.x) and locate the defined string "/api/tools/sign", you'll find a public key hardcoded in the tool to encrypt the HTTPS query to the server. All the transmissions are encrypted, but I don't even want to think about decrypting them because there's a ChipID problem.


    The signature can be fed to the tool, but it doesn't work for other devices. For example, here's the download tool log for the device with the correct ChipID:

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
    [COM51] Verify Data
    [COM51] Verify pass
    [COM51] Upload download result. chip id: b73e685e, result: -1, project: 20847
    [COM51] Upload download result failed.
    [COM51] Check the models and software
    [COM51] Start erase
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN1
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN5
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN4
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN2
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN0
    [COM51] Erasing the partition userdata
    [COM51] Download OCDT
    [COM51] brand is oplus, cdtdownloadstatus is 0, ufs = 1
    [COM51] Downloading ddr, zeros_5sectors.bin...
    ...

    And here's the download tool log for the device with the mismatched ChipID (using the obtained signature to feed another device):

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
    [COM51] Verify Data
    [COM51] FirehoseCheckRSP is ERROR, hr=1
    [COM51] Rsp:
     <?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <log value="ERROR: verify failed." /></data><?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <response value="NAK" rawmode="false" /></data>
    [COM51] Verify pass
    [COM51] Current download task end,elapsed time:7s.
    [COM51] Upload download result. chip id: b73e685e, result: 1, project: 20846
    [COM51] Upload download result failed.
    [COM51] Close the serial device
    [COM51] Download failed
    [COM51] Determine whether to upload the download info
    [COM51] compress file, retry time is 4
    [COM51] compress file success
    [COM51] start to upload
    [COM51] upload success
    [COM51] Stop timer
    End log...

    As you can see, the device only accepts signed packets, and the signature is somehow related to the ChipID. Anyone can simply use the hex-patched tool to try flashing their device; you'll see your ChipID in the log generated by the download tool.

    At this point, I think the only solution is that the user has to at least pay to flash their device once to capture the signature for their device. And here's the hardest point, a lot of sellers check for packet capture software during the session. Yes, this can be bypassed via a rootkit(If you don't know how to program a simple hooking rootkit with Microsoft Detours, you can simply find some rootkit source code from hackforums or buy some rootkit source code from the dark web hacker sellers, then modify the code and compile it yourself) I believe that most users will fail to capture their device signature for EDL after being detected by the remote tech due to the lack for specific knowledge. By the way, can the captured signature with the same ChipId be reused on the same device? Please be aware, this is still unconfirmed! But I think it is highly possible that it can work for the same device every time.


    But after seeing that @OppoTech123 is willing to help the community, I think maybe there's a chance that @OppoTech123 can help some developers capture their device signature to boost custom ROM development. But be aware that during the capture, the temporarily assigned token after logging in can also be captured; however, these tokens expire quickly. It doesn't expire for login but expires for querying signatures; not sure if it's related to OTP or if the account holder can log out from another place. Be sure to protect your credits if querying a signature charges the tech some credits.


    Is there a way to alter the ID on the device? Even if it's temporary?
    I don't think so. Maybe there's an internal Qualcomm development tool that can do that, but I definitely don't have it.
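The two download-tool logs and the sign-server reply quoted in the post above are easier to reason about once the signed fields are pulled out mechanically. The script below is an added example written for this thread; it is not code from the download tool, from OPPO/OnePlus or from any poster. It parses constructed excerpts of the two logs (the log text itself is copied from the post, trimmed to the relevant lines), records the ChipID, project and the old/new sw_name_sign values printed at the "Get sign data" step, and decides acceptance from the Firehose target's own reply (the NAK and the "ERROR: verify failed." log value) rather than from the tool's "Verify pass" line, which the second log shows is printed even after the NAK. It also parses the quoted /api/tools/sign JSON reply, checking only its status fields and that the encrypt value is well-formed base64; the blob is left opaque. The field names, regexes and the FlashRun record are my own naming, not the tool's.

```python
# Added example for this thread, not code from the download tool or its vendor:
# parse the download-tool log excerpts and the sign-server reply quoted above.
import base64
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts of the two logs quoted in the thread (same ChipID,
# different project/package), trimmed to the lines the parser needs.
LOG_OK = """\
[COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
[COM51] Verify pass
[COM51] Upload download result. chip id: b73e685e, result: -1, project: 20847
[COM51] Start erase
"""
LOG_FAIL = """\
[COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
[COM51] FirehoseCheckRSP is ERROR, hr=1
[COM51] Rsp:
 <?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: verify failed." /></data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" rawmode="false" /></data>
[COM51] Verify pass
[COM51] Upload download result. chip id: b73e685e, result: 1, project: 20846
[COM51] Download failed
"""
# The /api/tools/sign reply quoted in the thread, copied verbatim.
SIGN_RESPONSE = '{"Data":{"response":{"encrypt":"ct5/f+RsW/3p2vhIp2EduoMJ8kfKk2iNbF+eTExuGsOicfvILFTKY/+qF0WxSEcREt3m7YSABbEwCRU4aWaJqoppx2du60hW6OhTYbaL+51JXr5byRQjqqhtwJ1VfFZ66U3EuZXidJVW6TjV1u09fgt5MT11zSwZzbpkrBg1UQruJi8wGrjtMnq0mbgno1H01QRnMY+GKN9UqZVrXGAdCRJm8T8Ysn5P1mnIOVwhuJZSkq6z7WH9RhyM1oJuURquvZEt/TP9vQda1/fNn0txtzu+ZWkuuou23zYulXhkmtDTp5D4LtdZ8VlAkakq8UowHv3tlW7lZMb52fY8QjF/zw==","message":"0000","status":"0","unlock":"","isAllowDegraded":false}},"ErrorCode":0,"Message":null}'

@dataclass
class FlashRun:
    chip_id: str = ""
    project: str = ""
    old_sw_name_sign: str = ""
    new_sw_name_sign: str = ""
    result: Optional[int] = None
    verify_pass_printed: bool = False   # the tool's own "Verify pass" line
    nak: bool = False                   # target replied <response value="NAK">
    target_errors: List[str] = field(default_factory=list)
    download_failed: bool = False

TOOL_LINE = re.compile(r"^\[COM\d+\]\s?(?P<msg>.*)$")
CHIP_ID = re.compile(r"^ID:(?P<id>[0-9a-fA-F]+),")
SW_SIGN = re.compile(r"old_sw_name_sign:(?P<old>[0-9a-f]+), new_sw_name_sign:(?P<new>[0-9a-f]+)")
RESULT = re.compile(r"chip id: [0-9a-f]+, result: (?P<res>-?\d+), project: (?P<proj>\d+)")
XML_LOG = re.compile(r'<log value="(?P<txt>[^"]*)"')
XML_RSP = re.compile(r'<response value="(?P<val>[A-Z]+)"')

def parse_log(text: str) -> FlashRun:
    run = FlashRun()
    for raw in text.splitlines():
        line = raw.strip()
        m = TOOL_LINE.match(line)
        if m is None:
            # No [COMxx] prefix: raw XML echoed from the Firehose target; one
            # line may hold several XML documents (see LOG_FAIL).
            run.target_errors += [x.group("txt") for x in XML_LOG.finditer(line)
                                  if x.group("txt").startswith("ERROR")]
            run.nak |= any(x.group("val") == "NAK" for x in XML_RSP.finditer(line))
            continue
        msg = m.group("msg")
        if (c := CHIP_ID.match(msg)):
            run.chip_id = c.group("id").lower()
        elif (s := SW_SIGN.search(msg)):
            run.old_sw_name_sign, run.new_sw_name_sign = s.group("old"), s.group("new")
        elif (r := RESULT.search(msg)):
            run.result, run.project = int(r.group("res")), r.group("proj")
        elif msg.startswith("FirehoseCheckRSP is ERROR"):
            run.target_errors.append(msg)
        elif msg == "Verify pass":
            run.verify_pass_printed = True
        elif msg == "Download failed":
            run.download_failed = True
    return run

def target_accepted(run: FlashRun) -> bool:
    """Accepted only if the target never NAKed and logged no ERROR. The tool
    prints "Verify pass" in both logs, so that line is not evidence on its own."""
    return not run.nak and not run.target_errors

def compare_runs(a: FlashRun, b: FlashRun) -> dict:
    """Which of the fields printed at the 'Get sign data' step differ."""
    return {"chip_id_changed": a.chip_id != b.chip_id,
            "project_changed": a.project != b.project,
            "sw_name_sign_changed": a.new_sw_name_sign != b.new_sw_name_sign}

def parse_sign_response(body: str) -> dict:
    """Status fields of a sign-server reply and the decoded size of its blob."""
    doc = json.loads(body)
    resp = doc["Data"]["response"]
    blob = base64.b64decode(resp["encrypt"], validate=True)  # opaque; not decrypted
    return {"status": resp["status"], "error_code": doc["ErrorCode"],
            "message": resp["message"], "blob_len": len(blob)}
```

Run with `parse_log(LOG_OK)` and `parse_log(LOG_FAIL)`: both runs carry the same ChipID and the same old_sw_name_sign, and `compare_runs` reports that only the project and new_sw_name_sign changed between them, which is the visible difference that accompanies the target's NAK. `target_accepted` keys off the target's reply on purpose: a log reader that greps for "Verify pass" would call the second run a success.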