General EDL Flash Tool Leak


hackslash

An idea came to my mind.

I've checked the after-sale package of 10T, which can be downloaded from https://yun.daxiaamu.com/OnePlus_Roms/一加OnePlus Ace Pro/原厂包 氧OS 12.1 A.05/CPH2415GDPR_11_A.05_2022080401330000.zip?preview

If you extract the zip file you'll even find out it's not a .ofp file but a zip file containing many little files. It is completely different from the previous known after-sale packages. Looking at the file name format plus the screenshot you've shown, I'm pretty sure the zip file is the same as the one that can be downloaded from the tool. The weirdest part is that I found no way to import the zip package to the tool because it's not even a .ofp file. ?????

Plus, looking at this https://www.droidwin.com/leaked-edl-flash-tool-for-oneplus-realme-oppo-is-here/ I'm pretty sure it can only import .ofp file because I found no way to import a zip file like that.

However, if I simply change the file type part of the file name from "firmware*.zip" to "firmware*.ofp", it can import the .ofp file. So my question is, why is it downloading non-encrypted .zip files?

I'm guessing:
What if the flash tool actually encrypts the downloaded zip file to .ofp after downloading? Maybe it encrypts the zip to .ofp and adds the token of the downloader to the .ofp file and signs the .ofp file as a VIP signature? So the .ofp can only be flashed by the downloader? Maybe there's some kind of watermarking technique applied to the .ofp file? The flash tool file size is small so it can be easily shared but the .ofp file size is big, so it is definitely the best place to put a watermark. Then during flashing, the flash tool reads the signature from the .ofp again and checks if the current user is the signer (creator) of the .ofp? People used the .ofp from somewhere else and imported it to the tool, maybe that's why it failed with "flash_sign_error". ????? I really think connecting to the server during flashing makes no sense because the user has already logged in to the account, so why bother again? IMO, putting a watermark on the .ofp file is enough to protect it from the flash tool hex-editing bypass. What if the .ofp has to be downloaded by the same login user token?



Above is my guess, because I still have no clue how to import a non-encrypted zip file. If this is the case, someone may need to flash the firmware downloaded by the tool, not just import external .ofp files.
This will need further analysis. I'll download the OP10 Pro files directly from the tool. Afaik, the files are hosted on Amazon S3 service. Let's see if those files are any different :)
 


evilhawk00

Interesting. I just went ahead and downloaded it on my phone (I'm not near my computer). I assumed like everything else it was only OTAs and MSMs that got posted there. This is indeed something I haven't seen before, complete with engineering files marked confidential.

It will be interesting if/when a 10T MSM leaks to see if that firehose is special or not.
Though I'm not an expert on the firehose, I'm even more sure that the non-encrypted zip file is a non-encrypted MSM firmware package. (I think it is the base file used to create a .ofp)

I found these articles (all written in Mandarin; here are the links with Google Translate):
https://lixiaogang03-github-io.translate.goog/2020/10/20/刷机工具/?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-TW&_x_tr_pto=wapp
https://www-twblogs-net.translate.g...-TW&_x_tr_tl=en&_x_tr_hl=zh-TW&_x_tr_pto=wapp
These articles introduce how to use the QPST flash tool (which can be downloaded from https://createpoint.qti.qualcomm.com/to) to flash a "flat build".

Most of the files mentioned in the article can also be found in the 10T firmware package, such as:
/IMAGES/prog_firehose_ddr.elf
/IMAGES/qupv3fw.elf
/IMAGES/rawprogram0.xml
/IMAGES/patch0.xml

So I still think it is possible that the error "flash_sign_error" can be an error that occurred during grabbing some signature from the .ofp file. If they really host a server to respond to some sort of VIP signature queries during flashing, then why do they put non-encrypted files there? They can simply release a single .ofp file, and let the client query that "always same" signature. What I mean is that they can also use the "user token" as an encryption seed(password) and write the VIP signature directly on the .ofp file, during the process of converting .zip to .ofp, maybe the VIP signature is also encrypted and appended to the output file.

Update: It turns out that my guess was wrong, the tool doesn't create a .ofp file. Eventually, I found a way to load the Non-encrypted 10T firmware package by hosting the package on the localhost Apache server and redirecting the traffic to localhost. So there's no need to really download the file again, it takes less than 1 minute to copy the file.

The tool simply unzips all the files into a single directory and creates some metadata pointing to the directory so the tool can recognize it. Then it triggers an integrity checking screen before flashing. (Importing a .ofp doesn't trigger an integrity checking screen.) And no data was transferred during the unzip process.


The previous known failure was confirmed by the community when using a .ofp file. The result with the Non-encrypted zip firmware is still unknown, and I think it is still worth a try on 10T, 10Pro, or 9RT because the algorithm of the .ofp file is still unknown and this tool seems to only use Non-encrypted zip firmware. This tool is unified for OPPO devices and OnePlus devices, if there's a success it would be great news for all the devices on the device list.

And my journey with the tool has to stop here because I don't own a 10T, 10Pro, or 9RT.
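As an added illustration of the "integrity checking" step evilhawk00 describes for the unencrypted zip package (this is example code written for this page, not code from the leaked tool or from anyone in the thread): a pre-flash check that reads IMAGES/rawprogram0.xml, confirms every image it programs is present, flags raw images larger than the partition span they target, and hashes each image so a package can be compared against a known-good copy. The directory layout follows the 10T package listed above; the sample package inside the script is constructed.

```python
# Added example (not code from the leaked tool or from anyone in the thread):
# read IMAGES/rawprogram0.xml from a zip laid out like the 10T package above
# and, before anything would be flashed, check that every image it programs is
# present, that non-sparse images fit their partition span, and record a
# SHA-256 per image so the package can be compared against a known-good copy.
# Attribute names are the standard rawprogram ones; the sample is constructed.
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

IMAGES_DIR = "IMAGES/"  # layout of the package discussed in the thread


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_package(zip_bytes):
    """Return {'images': [...], 'problems': [...]} for a package given as bytes."""
    report = {"images": [], "problems": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        xml_name = IMAGES_DIR + "rawprogram0.xml"
        if xml_name not in names:
            report["problems"].append("rawprogram0.xml missing from package")
            return report
        root = ET.fromstring(zf.read(xml_name))
        for prog in root.iter("program"):
            filename = prog.get("filename", "").strip()
            label = prog.get("label", "?")
            if not filename:
                continue  # partition defined but nothing to program
            path = IMAGES_DIR + filename
            if path not in names:
                report["problems"].append(f"{label}: {filename} not in package")
                continue
            data = zf.read(path)
            report["images"].append({"label": label, "file": filename,
                                     "size": len(data), "sha256": sha256_hex(data)})
            # sparse images expand on the device, so only raw images get a size check
            if prog.get("sparse", "false").lower() == "true":
                continue
            capacity = (int(prog.get("SECTOR_SIZE_IN_BYTES", "4096"))
                        * int(prog.get("num_partition_sectors", "0")))
            if capacity and len(data) > capacity:
                report["problems"].append(
                    f"{label}: {filename} is {len(data)} bytes, partition holds {capacity}")
    return report


# Constructed sample: one good image, one oversized, one missing, one sparse,
# and one placeholder entry with no image.
SAMPLE_XML = """<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="4096" filename="abl.elf" label="abl"
           num_partition_sectors="256" physical_partition_number="0" start_sector="6"/>
  <program SECTOR_SIZE_IN_BYTES="4096" filename="xbl.elf" label="xbl"
           num_partition_sectors="1" physical_partition_number="1" start_sector="6"/>
  <program SECTOR_SIZE_IN_BYTES="4096" filename="NON-HLOS.bin" label="modem"
           num_partition_sectors="64" physical_partition_number="0" start_sector="300"/>
  <program SECTOR_SIZE_IN_BYTES="4096" filename="system.img" label="system"
           num_partition_sectors="1" physical_partition_number="0" sparse="true" start_sector="400"/>
  <program SECTOR_SIZE_IN_BYTES="4096" filename="" label="userdata"
           num_partition_sectors="0" physical_partition_number="0" start_sector="500"/>
</data>
"""


def build_sample_package():
    """Pack the constructed XML and images into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(IMAGES_DIR + "rawprogram0.xml", SAMPLE_XML)
        zf.writestr(IMAGES_DIR + "abl.elf", b"A" * 2048)     # fits 256 sectors
        zf.writestr(IMAGES_DIR + "xbl.elf", b"X" * 8192)     # 1 sector: too large
        zf.writestr(IMAGES_DIR + "system.img", b"S" * 8192)  # sparse: not checked
    return buf.getvalue()


if __name__ == "__main__":
    result = check_package(build_sample_package())
    print(len(result["images"]), "images hashed;", "problems:", result["problems"])
```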
 

alate lee

Thanks. The thread is not only about the 10RT or 9RT etc.; we are the ones trapped, since OnePlus/OPPO encrypt their program files and download loaders, OEM-lock the devices, and rely on online server verification of the .ofp file, permitting only customer service to fix our phones. It's not free, and there's no premium way to do it, from the 8 series onward.
If we can use EDL to flash our phones without the online customer server, it's beneficial for everyone. Now we should unite to freely recover our phones via EDL mode, without OEM authorization and waiting.
 

dladz

Sounds like MSM is no go, it is what it is... Oppo did their job well....


I'll be honest though, of all the ROMs I've ever flashed on OnePlus devices.. which is a lot..

I've never once required any MSM tool to save my device, it's either been stock recovery, a new ROM, TWRP or if I've really really needed it if RMA'd the device..

Do we really need MSM? Would the work everyone has put in to get MSM working have been better spent getting TWRP functional? Testing is only booting as is actual use, and it could offer a recovery avenue as well as a flashing method.

Not all phones have a method from my experience; a tonne of HTC devices didn't and they were my favourite devices.
 

evilhawk00

Can't say it is no go currently, the result is still unknown. There are some OPPO backend APIs still working great until now with token setup, and another firmware format that is not encrypted .ofp was discovered (Non-encrypted MSM zip pack). The community only confirmed the failure with the hex edited binary when flashing .ofp firmware, but the following solution is still open for testing:
  • Flashing the Non-encrypted MSM zip pack with the token obtained.

And the above option can be tested on 9RT, 10 pro, 10T, Nord series, or even other newest OPPO devices that use the latest Sahara protocol because the tool is unified for OPPO and OnePlus devices, all those devices on the list may have a chance. The result is still unknown. The only problem is that people who own those devices haven't stood out for trying other solutions. I only have 8T, I don't own those devices so I can not test them. @hackslash was finding people to try for 10 pro.
 

dladz


Point I was making is do we actually need it?? From past experience I don't think we do, I never have... Sending the device back for RMA isn't going to kill me or anyone else.

I've watched this and other threads since their inception and it appears every angle has been covered, time will tell I guess.

I'm sure there is someone out there with a bricked device if we're only waiting on someone to test.
 

centifanto

I agree with this. I have only ever had to use MSM once when I absent mindedly locked the bootloader with a patched boot.img due to late night not thinking. Other than that, I have had no need. I remember the good ole days of the OG Moto Droid, flashing multiple broken ROMs in a single night just via stock recovery before there was ever TWRP. Never had a magic flashing tool like MSM. Maybe the difference is now the devices are more temperamental with their boot sequence, but as I have mentioned in other threads, I think the current OOS/COS flavors are great and so I don't have any desire to tinker around with custom ROMs. I do sympathize with the few that might want that, but I think that is going to be less and less of an option with the direction that Android is heading.
 

hackslash

It's honestly just fun.
I really don't have any other reason for why I'm doing it xD
 

hackslash

The zip files downloaded from the Flash Tool are unique. It doesn't send a sign request to the server, unlike other OFP files which do require a sign request before flashing. Instead it sends a unique device model request which is failing for some reason. I'll share the endpoints soon, hopefully.
 

mxz55

@OppoTech123 thanks a lot, but can you also publish tools for OnePlus 10T ?

kernel sources for that phone got released early, and lack of flash tool access for developers is the main thing holding back ROMs to get going faster than with most newly released OnePlus devices. Please man :)

It's not often that someone arrives on XDA that has the ability to give the finger to OnePlus/Oppo's anti development stance that it has employed for the last few years (against its roots of being known as dev friendly brand), to bring some hope.
 

evilhawk00

There's no OnePlus reseller in my region, I received my device from overseas, and I'm the one who can not send it for RMA :(
Sending back to CHINA requires paying high customs duty of 40% so maybe I would just buy a new phone. And this is the reason I still stick with OnePlus 8T, lol.

I don't know much about OPPO's RMA but I know that if you f*ked up your SAMSUNG and sent it to RMA and they can't immediately fix it by a single flashing, they will treat it as man-made damage and refuse to fix it for free. I once f*ked up the partition of my SAMSUNG device but I wasn't able to find the default partition table of the device, so I sent it back and the employee just asked me to replace the motherboard (300 USD), and it is not free because it is man-made damage, so I refused. A few months later, I fixed my device by finding a leaked .pit file with the Odin flash tool, lol.


Anyway, I was just messing with this tool for fun.
 

evilhawk00

The tool is unified for all OnePlus devices and OPPO devices, it is the thing you want. If the community finds a way to use it, it can be used on Oneplus 10T for sure. OPPO uses the same tool for all their devices from now on.
 

mxz55

Considering some of the posts here about a lack of 10 Pro / 10T owners' cooperation.. what do you think the chances are if I sent you my 10T overseas?

I mean it looks like you're a decent reverse engineer and you said the road ends for you as you don't own a relevant device - if you really want to invest time and effort into hacking the leaked EDL tool further, feel free to PM me and we can arrange the sending of my device (at my risk for everything, including bricks). I am really like 'bleh' if I have to keep using ColorOS on it, it's my worst nightmare, so I would go back to buying a second hand 9 Pro for running LineageOS in the meanwhile before 10T gets some ROMs facilitated by having tools available.

I'm constantly asking for devs to step in with getting development going, but if, more than 'begging', I can make a meaningful contribution to the community in achieving this then I'll go with it.

* Note: If you don't think that you are the right person to accept this challenge, I would be interested in hearing the best candidates next (only reputable users that are known for device development/contributions to community efforts to reverse or crack vendor tools)
 

alate lee

When I use Fiddler AutoResponder or break a request from the leaked flash tool, I can't log in to the tool, and I found an HTTPS request that gets the country, ahead of the login request, and it is not a cloud verify request.
 

I'm going to find a way to root an oppo device. If I can skip the login, is it possible to use this tool to flash a magisk patched image?

Thank you
NO... that is not what the EDL mode is for. EDL is short for Emergency Download, and it is used for recovering your device from a catastrophic failure such as a bootloop without the ability to enter the normal recovery or bootloader modes. It is designed to be a method for "Deep - Low level flashing", or think of it as kind of an alternative method of jump-starting your car, when you don't have a spare battery or another car to use. EDL is only capable of that... It does not allow you to pick and choose the exact files you wish to load, and from what you're describing, it sounds like you simply need a way to load a patched boot.img. Look in one of the top posts of this forum, and you will find the links and steps to root the 10 Pro.
Man honestly I don't have any truly awesome suggestions... Currently with the state of things, safety of your devices is priority 1. Because as you said, 1 misstep can take you from functional to disabled and needing repair! Then there is no "free"... I'm happy you rescued your device.

One thing is I heard about something called a "deep sleep cable"... Another member brought his phone back from the dead, AND said through the cable and something called QuadComs... He unbricked his phone with no MSM tool. And his phone was DEAD... UNRESPONSIVE.

Obviously I need more data before I can make specific claims, but he is reliable so I tend to believe it was as good/easy as he made it sound!
would this tool work on xiaomi/redmi/poco phones?
Yes... I believe.. as long as the device has a Qualcomm chipset, then yes, that's what EDL is built for.... If it's a MTK device, you would use SpFlash tool...
so, sounds promising, hopefully it's legit and would get out to the public.
btw what's your phone? I found out that you're trying to root it.
also you might be interested in patching firehose files; that alone would solve everything
Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share a login, but if you are able to bypass the login screen the tool does not need to authenticate with the server to flash a device in EDL mode. Attached is a screenshot of the login screen and the file. The tool picks up the device in EDL mode and allows the user to select the OFP file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device).

I wish you luck bypassing this login and fixing your phones.
But, doesn't OPPO actually approve of the selling of MSM accounts/flashes?

Remember, OPPO tech said OPPO makes him buy credits from OPPO to use MSM. Unrelated, but I was thinking it was designed as a second revenue source, since their devices/sub brands can be really cheap.
Ok .. just putting this out there... I MAY have pulled together a script that will automate the whole flash process .. including the auth, and sign verifications... But I truly do not know if it is going to be device specific, or if I can fandangle a slightly wider base from the data. Now 1st. Don't start asking me to drop the code into public chat. I worked my butt off and bricked my own devices SEVERAL times in order to test/work out the kinks ... (Proxifier/Fiddler were not friendly and butted heads a lot, so alternate avenues were taken) but before I could compile the whole script and run in one sweep, the Oppo account I was using expired. (Temp accounts ARE device specific). If you want ANY further development on this, I NEED someone to DM me an active Oppo acct. I don't care if you want to change the password 24hrs after you give me the info .. that's completely fine. If everything works properly, 24 hrs is about 23 hrs too much! But I need an ACTIVE, WORKING account that I can login to the msmtool, or the miflash server with, (preferred MSM so I don't gotta rewrite anything). And if I can perform a successful EDL unbrick without any errors, then I can strip parts of the Online MSM tool.exe, and with luck, force the Frankenstein'd version I pieced together to package back up into a simple "Click, Select, Start, Wait, Celebrate" exe file. With everything that you need, all put into portable container mode, and require no installation. (Or at bare minimum you can run it all inside a windows sandbox, cuz that's what I've been doing, so there's 0 chance of any persistent tracker left behind after each flash, and at the same time you can feel safe running it, cuz in a sandbox it can't harm you!).

So again... If anyone still cares, and has any resources to obtain a login/pw that works, DM me, and WAIT FOR ME TO REPLY before you send the login, so you know exactly WHEN I got it, and you can change whatever .... Let's say .... 6-12 hrs after you grant me access!

Otherwise it seems like this topic has died and no one cares anymore... Which really doesn't bother me, cuz after this bunch of Diseased Unicorn Poo 💩 that Oppo/OnePlus pulled with literally going from "Developer Friendly" to "We'll eat your soul before we allow consumer modifications!" 👹 I am officially done with this company, and I truly hope a good 20% of their customer base feels the same, because the only way they will reverse their ignorant position, rivaling Apple IOS level lunacy, is if their yearly bonus checks are a few zeros short, and sales drop. (Shouldn't be a problem because T-Mobile just loosened the reins and allowed Verizon to begin pre-ordering the 10R for next year... So NA will at least have 2 major carriers .... But I don't think it will help sales ... Verizon is the Hitler Regime of Bootloader and device unlocking... They might go as far as to request an official Red/Black design with little bands around the top! Lol.

Anyways ... Login/pw ... Oppo account... DM....

Let's see if I can rain on the MSMTool Mafia's day just a lil bit. This tool should be provided FREE ... We're at over 1 year since release, and NO PUBLIC MASS CONSUMER UNBRICK, yet they throw the FW around on the main website, with official tags and signatures .... And even then .. one wrong action, and you're doing the "1-Ploo-Salloop!" (Infinite boot loop!) ... So if you can brick, using the files THEY provide, without knowing your current device setup!, They need to provide a method out! (And yes this can happen, because if you had previously done ANY modifications, such as rooting, forgetting to unhide the magisk app, disable modules, or making any alterations to your initrc file, or had successfully swapped regions, then tried to flash the STOCK rollback, in order to bring your device back to factory spec, YOU WILL BOOTLOOP!)

((I have further details regarding what is one factor causing this to happen... It's the Baseband/Modem/Build.prop versioning that is putting your device out of spec. Each different Rollback/Upgrade package specifies an EXACT build # and patch date that each region has a slightly different variation of, and while you THINK you're fooling your device, You are ABSOLUTELY NOT! Part of the downloaded FW verification that happens before your phone reboots to complete the changes is a quick matchup of some key files which your phone FAILS to notify you about when they do not match the requested info... And therefore those files are NOT replaced by your phone during the update/rollback.... So for anyone who knows Android.... This is a very big NO NO... you cannot update parts of a boot script... Parts of the system ... Parts of the recovery partition, but not also make the Android security patch, Kernel, modem, and other pertinent variables match their new counterparts. WHY? Can you use Android 13's Kernel, to run Android 12's security requirements, load 12's lower boot.img, but keep 13's modem, and flip a coin as to which recovery part will stay, then smash that all together under a security patch that is lower than your device was on! This is exactly what creates the "unresponsive device" brick. Cuz NOTHING is the right version necessary for secure boot and trust zone to approve/verify each other. Aka BRICK.

Ok rant over....

login/pw active Oppo acct.. DM..

Ty
This tool seems to be intended for use with mediatek devices.
I wouldn't bet on it working with this phone, but here's how to bypass the login screen anyway.

Open DownloadTool.exe with a hex editor
Find '74 4b 8d 45 d4'
Replace '74 4b' with '90 90'
Save, launch, enter any username/password/code and click login.
If you go to 'Software Package Management', you can specify a folder where your .ofp is located.
hello, I've just got an MSM account from a guest. Did your phone get fixed, and can I test it?
yoo guys shout out to this man for helping me unbrick my phone. 5 months no reply from oneplus, he just solved it in one night only! thanks a lot bro. 💯 @xuanhoang1811
I have a bricked OnePlus 10 Pro which I can put into EDL mode via testpoints. PM me.