General EDL Flash Tool Leak


hackslash

Recognized Contributor
Feb 20, 2015
1,286
1,564
24
Islamabad
Redmi K20 Pro
OnePlus 10 Pro
An idea came to my mind.

I've checked the after-sale package of 10T, which can be downloaded from https://yun.daxiaamu.com/OnePlus_Roms/一加OnePlus Ace Pro/原厂包 氧OS 12.1 A.05/CPH2415GDPR_11_A.05_2022080401330000.zip?preview

If you extract the zip file you'll even find out it's not a .ofp file but a zip file containing many little files. It is completely different from the previous known after-sale packages. Looking at the file name format plus the screenshot you've shown, I'm pretty sure the zip file is the same as the one that can be downloaded from the tool. The weirdest part is that I found no way to import the zip package to the tool because it's not even a .ofp file. ?????

Plus, looking at this https://www.droidwin.com/leaked-edl-flash-tool-for-oneplus-realme-oppo-is-here/ I'm pretty sure it can only import .ofp file because I found no way to import a zip file like that.

However, if I simply change the file type part of the file name from "firmware*.zip" to "firmware*.ofp", it can import the .ofp file. So my question is, why is it downloading non-encrypted .zip files?

I'm guessing:
What if the flash tool actually encrypts the downloaded zip file to .ofp after downloading? Maybe it encrypts the zip to .ofp and adds the token of the downloader to the .ofp file and signs the .ofp file as a VIP signature? So the .ofp can only be flashed by the downloader? Maybe there's some kind of watermark technique applied to the .ofp file? The flash tool file size is small so it can be easily shared but the .ofp file size is big, so it is definitely the best place to put a watermark. Then during flashing, the flash tool reads the signature from the .ofp again and checks if the current user is the signer (creator) of the .ofp? People used the .ofp from somewhere else and imported it to the tool, maybe that's why it failed with "flash_sign_error". ????? I really think connecting to the server during flashing makes no sense because the user has already logged in to the account, so why bother again? IMO, putting a watermark on the .ofp file is enough to protect it from the flash tool hex-editing bypass. What if the .ofp has to be downloaded by the same login user token?



Above is my guess, because I still have no clue how to import a non-encrypted zip file. If this is the case, someone may need to flash the firmware downloaded by the tool, not just import external .ofp files.
This will need further analysis. I'll download the OP10 Pro files directly from the tool. AFAIK, the files are hosted on the Amazon S3 service. Let's see if those files are any different :)
 

Relsich

Member
Jun 13, 2022
8
2
OnePlus 9RT
  • Like
Reactions: Ph0nysk1nk

evilhawk00

Senior Member
Feb 22, 2014
138
134
Taipei
play.google.com
OnePlus 8T
Interesting. I just went ahead and downloaded it on my phone (I'm not near my computer). I assumed like everything else it was only OTAs and MSMs that got posted there. This is indeed something I haven't seen before, complete with engineering files marked confidential.

It will be interesting if/when a 10T MSM leaks to see if that firehose is special or not.
Though I'm not an expert on the firehose, I'm even more sure that the non-encrypted zip file is a non-encrypted MSM firmware package. (I think it is the base file used to create a .ofp)

I found these articles (all written in Mandarin, here are the links with Google Translate):
https://lixiaogang03-github-io.translate.goog/2020/10/20/刷机工具/?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-TW&_x_tr_pto=wapp
https://www-twblogs-net.translate.g...-TW&_x_tr_tl=en&_x_tr_hl=zh-TW&_x_tr_pto=wapp
These articles introduce how to use the QPST flash tool (which can be downloaded from https://createpoint.qti.qualcomm.com/to) to flash a "flat build".

Most of the files mentioned in the article can also be found in the 10T firmware package, such as:
/IMAGES/prog_firehose_ddr.elf
/IMAGES/qupv3fw.elf
/IMAGES/rawprogram0.xml
/IMAGES/patch0.xml

So I still think it is possible that the error "flash_sign_error" can be an error that occurred during grabbing some signature from the .ofp file. If they really host a server to respond to some sort of VIP signature queries during flashing, then why do they put non-encrypted files there? They can simply release a single .ofp file, and let the client query that "always same" signature. What I mean is that they can also use the "user token" as an encryption seed (password) and write the VIP signature directly on the .ofp file; during the process of converting .zip to .ofp, maybe the VIP signature is also encrypted and appended to the output file.

Update: It turns out that my guess was wrong, the tool doesn't create a .ofp file. Eventually, I found a way to load the Non-encrypted 10T firmware package by hosting the package on the localhost Apache server and redirecting the traffic to localhost. So there's no need to really download the file again, it takes less than 1 minute to copy the file.

The tool simply unzips all the files into a single directory and creates some metadata that points to the directory so the tool can recognize it. Then it triggers an integrity checking screen before flashing. (Importing a .ofp doesn't trigger an integrity checking screen.) And no data was transferred during the unzip process.


The previous known failure was confirmed by the community when using a .ofp file. The result with the Non-encrypted zip firmware is still unknown, and I think it is still worth a try on 10T, 10Pro, or 9RT because the algorithm of the .ofp file is still unknown and this tool seems to only use Non-encrypted zip firmware. This tool is unified for OPPO devices and OnePlus devices, if there's a success it would be great news for all the devices on the device list.

And my journey with the tool has to stop here because I don't own a 10T, 10Pro, or 9RT.
 
  • Like
  • Love
Reactions: Prant and dladz

alate lee

Member
Sep 21, 2022
9
6
Thanks, the thread is not only for 10RT or 9RT etc. We are the trapped ones, since OnePlus or OPPO encrypt their program file or download loader, OEM lock, and rely on online server verification of the .ofp file and only permit customer service to fix our phones; it's not free, and not premium either, from the 8 series onward.
If we can use EDL to flash our phones without the online customer server, it's beneficial for everyone. Now we should unite for our own free recovery of our phones by EDL mode without OEM authorization and waiting.
 

dladz

Senior Member
Aug 24, 2010
14,962
5,298
Liverpool
Huawei Watch 2
OnePlus 10 Pro
Sounds like MSM is no go, it is what it is... Oppo did their job well....


I'll be honest though, of all the ROMs I've ever flashed on OnePlus devices.. which is a lot..

I've never once required any MSM tool to save my device, it's either been stock recovery, a new ROM, TWRP or if I've really really needed it if RMA'd the device..

Do we really need MSM? Would the work everyone has put in to get MSM working have been better spent getting TWRP functional? Testing is only booting as is actual use and it could offer a recovery avenue as well as a flashing method.

Not all phones have a method from my experience, a tonne of HTC devices didn't and they were my favourite devices.
 
  • Like
Reactions: centifanto

evilhawk00

Senior Member
Feb 22, 2014
138
134
Taipei
play.google.com
OnePlus 8T
Sounds like MSM is no go, it is what it is... Oppo did their job well....


I'll be honest though, of all the ROMs I've ever flashed on OnePlus devices.. which is a lot..

I've never once required any MSM tool to save my device, it's either been stock recovery, a new ROM, TWRP or if I've really really needed it if RMA'd the device..

Do we really need MSM? Would the work everyone has put in to get MSM working have been better spent getting TWRP functional? Testing is only booting as is actual use and it could offer a recovery avenue as well as a flashing method.

Not all phones have a method from my experience, a tonne of HTC devices didn't and they were my favourite devices.
Can't say it is no go currently, the result is still unknown. There are some OPPO backend APIs still working great until now with token setup, and another firmware format that is not encrypted .ofp was discovered (Non-encrypted MSM zip pack). The community only confirmed the failure with the hex edited binary when flashing .ofp firmware, but the following solution is still open for testing:
  • Flashing the Non-encrypted MSM zip pack with the token obtained.

And the above option can be tested on 9RT, 10 pro, 10T, Nord series, or even other newest OPPO devices that use the latest Sahara protocol because the tool is unified for OPPO and OnePlus devices, all those devices on the list may have a chance. The result is still unknown. The only problem is that people who own those devices haven't stood out for trying other solutions. I only have 8T, I don't own those devices so I can not test them. @hackslash was finding people to try for 10 pro.
 
  • Like
Reactions: Prant and metrixx02

dladz

Senior Member
Aug 24, 2010
14,962
5,298
Liverpool
Huawei Watch 2
OnePlus 10 Pro
Can't say it is no go currently, the result is still unknown. There are some OPPO backend APIs still working great until now with token setup, and another firmware format that is not encrypted .ofp was discovered (Non-encrypted MSM zip pack). The community only confirmed the failure with the hex edited binary when flashing .ofp firmware, but the following solution is still open for testing:
  • Flashing the Non-encrypted MSM zip pack with the token obtained.

And the above option can be tested on 9RT, 10 pro, 10T, Nord series, or even other newest OPPO devices that use the latest Sahara protocol because the tool is unified for OPPO and OnePlus devices, all those devices on the list may have a chance. The result is still unknown. The only problem is that people who own those devices haven't stood out for trying other solutions. I only have 8T, I don't own those devices so I can not test them. @hackslash was finding people to try for 10 pro.

Point I was making is do we actually need it?? From past experience I don't think we do, I never have... Sending the device back for RMA isn't going to kill me or anyone else.

I've watched this and other threads since their inception and it appears every angle has been covered, time will tell I guess.

I'm sure there is someone out there with a bricked device if we're only waiting on someone to test.
 
  • Like
Reactions: centifanto

centifanto

Senior Member
Sep 1, 2022
80
45
OnePlus 9
OnePlus 10 Pro
Sounds like MSM is no go, it is what it is... Oppo did their job well....


I'll be honest though, of all the ROMs I've ever flashed on OnePlus devices.. which is a lot..

I've never once required any MSM tool to save my device, it's either been stock recovery, a new ROM, TWRP or if I've really really needed it if RMA'd the device..

Do we really need MSM? Would the work everyone has put in to get MSM working have been better spent getting TWRP functional? Testing is only booting as is actual use and it could offer a recovery avenue as well as a flashing method.

Not all phones have a method from my experience, a tonne of HTC devices didn't and they were my favourite devices.
I agree with this. I have only ever had to use MSM once when I absent mindedly locked the bootloader with a patched boot.img due to late night not thinking. Other than that, I have had no need. I remember the good ole days of the OG Moto Droid, flashing multiple broken ROMs in a single night just via stock recovery before there was ever TWRP. Never had a magic flashing tool like MSM. Maybe the difference is now the devices are more temperamental with their boot sequence, but as I have mentioned in other threads, I think the current OOS/COS flavors are great and so I don't have any desire to tinker around with custom ROMs. I do sympathize with the few that might want that, but I think that is going to be less and less of an option with the direction that Android is heading.
 
  • Like
Reactions: dladz

hackslash

Recognized Contributor
Feb 20, 2015
1,286
1,564
24
Islamabad
Redmi K20 Pro
OnePlus 10 Pro
Point I was making is do we actually need it?? From past experience I don't think we do, I never have... Sending the device back for RMA isn't going to kill me or anyone else.

I've watched this and other threads since their inception and it appears every angle has been covered, time will tell I guess.

I'm sure there is someone out there with a bricked device if we're only waiting on someone to test.
It's honestly just fun.
I really don't have any other reason for why I'm doing it xD
 
  • Like
Reactions: Prant and dladz

hackslash

Recognized Contributor
Feb 20, 2015
1,286
1,564
24
Islamabad
Redmi K20 Pro
OnePlus 10 Pro
Can't say it is no go currently, the result is still unknown. There are some OPPO backend APIs still working great until now with token setup, and another firmware format that is not encrypted .ofp was discovered (Non-encrypted MSM zip pack). The community only confirmed the failure with the hex edited binary when flashing .ofp firmware, but the following solution is still open for testing:
  • Flashing the Non-encrypted MSM zip pack with the token obtained.

And the above option can be tested on 9RT, 10 pro, 10T, Nord series, or even other newest OPPO devices that use the latest Sahara protocol because the tool is unified for OPPO and OnePlus devices, all those devices on the list may have a chance. The result is still unknown. The only problem is that people who own those devices haven't stood out for trying other solutions. I only have 8T, I don't own those devices so I can not test them. @hackslash was finding people to try for 10 pro.
The zip files downloaded from the Flash Tool are unique. It doesn't send a sign request to the server, unlike other OFP files which do require a sign request before flashing. Instead it sends a unique device model request which is failing for some reason. I'll share the endpoints soon, hopefully.
 

mxz55

Member
Nov 5, 2017
45
56
The Netherlands
@OppoTech123 thanks a lot, but can you also publish tools for OnePlus 10T ?

kernel sources for that phone got released early, and lack of flash tool access for developers is the main thing holding back ROMs to get going faster than with most newly released OnePlus devices. Please man :)

It's not often that someone arrives on XDA that has the ability to give the finger to OnePlus/Oppo's anti development stance that it has employed for the last few years (against its roots of being known as dev friendly brand), to bring some hope.
 

evilhawk00

Senior Member
Feb 22, 2014
138
134
Taipei
play.google.com
OnePlus 8T
Point I was making is do we actually need it?? From past experience I don't think we do, I never have... Sending the device back for RMA isn't going to kill me or anyone else.

I've watched this and other threads since their inception and it appears every angle has been covered, time will tell I guess.

I'm sure there is someone out there with a bricked device if we're only waiting on someone to test.
There's no OnePlus reseller in my region, I received my device from overseas, and I'm the one who can not send an RMA :(
Sending it back to CHINA requires paying a high customs duty of 40%, so maybe I would just buy a new phone. And this is the reason I still stick with the OnePlus 8T, lol.

I don't know much about OPPO's RMA but I know that if you f*ked up your SAMSUNG and sent it to RMA and they can't immediately fix it with a single flashing, they will treat it as man-made damage and refuse to fix it for free. I once f*ked up the partition of my SAMSUNG device but I wasn't able to know the default partition table of the device, so I sent it back and the employee just asked me to replace the motherboard (300 USD), and it is not free because it is man-made damage, so I refused. A few months later, I fixed my device by finding a leaked .pit file with the Odin flash tool, lol.


Anyway, I was just messing with this tool for fun.
 
  • Like
Reactions: metrixx02 and dladz

evilhawk00

Senior Member
Feb 22, 2014
138
134
Taipei
play.google.com
OnePlus 8T
@OppoTech123 thanks a lot, but can you also publish tools for OnePlus 10T ?

kernel sources for that phone got released early, and lack of flash tool access for developers is the main thing holding back ROMs to get going faster than with most newly released OnePlus devices. Please man :)

It's not often that someone arrives on XDA that has the ability to give the finger to OnePlus/Oppo's anti development stance that it has employed for the last few years (against its roots of being known as dev friendly brand), to bring some hope.
The tool is unified for all OnePlus devices and OPPO devices, it is the thing you want. If the community finds a way to use it, it can be used on Oneplus 10T for sure. OPPO uses the same tool for all their devices from now on.
 
  • Like
Reactions: mxz55

mxz55

Member
Nov 5, 2017
45
56
The Netherlands
The tool is unified for all OnePlus devices and OPPO devices, it is the thing you want. If the community finds a way to use it, it can be used on Oneplus 10T for sure. OPPO uses the same tool for all their devices from now on.
Considering some of the posts here about a lack of 10 Pro / 10T owners' cooperation.. what do you think the chances are if I sent you my 10T overseas?

I mean it looks like you're a decent reverse engineer and you said the road ends for you as you don't own a relevant device - if you really want to invest time and effort into hacking the leaked EDL tool further, feel free to PM me and we can arrange the sending of my device (at my risk for everything, including bricks). I am really like 'bleh' if I have to keep using ColorOS on it, it's my worst nightmare, so I would go back to buying a second hand 9 Pro for running LineageOS in the meanwhile before 10T gets some ROMs facilitated by having tools available.

I'm constantly asking for devs to step in with getting development going, but if more than 'begging' I can make a meaningful contribution to the community in achieving this then I'll go with it.

* Note: If you don't think that you are the right person to accept this challenge, I would be interested in hearing the best candidates next (only reputable users that are known for device development/contributions to community efforts to reverse or crack vendor tools)
 

alate lee

Member
Sep 21, 2022
9
6
When I use the Fiddler AutoResponder or break the request from the leaked flash tool, I can't log in to the tool, and I found an HTTPS request that gets the country on the request ahead of the login request and not the cloud verify request.
 

Top Liked Posts

  • 1
    OK... so apparently I am targeted for punishment when I ask a question to the person who is in the comments ABOVE my question... as well as several other patrons in this same thread who ALL mentioned "Pay someone to flash it for you".... but I am the only one singled out. I do apologize for language, but after the 1st warnings were given, I deliberately put asterisks where swear words were to belong. But apparently even referencing a word by using "*****" is somehow not acceptable. But no worries, I just wanted to use this message to thank everyone who tried to help me with this. No it is not fixed, but I also don't like being unjustly targeted and humiliated in public for things that several other commenters PRIOR to my question did not get called out for. So with that I am stepping away from XDA. Again thanks to the ppl who tried to help.

    I will step away and will go seek assistance elsewhere, and hopefully be treated with the same level of respect that I had shown all here for the 6-7+ years I have been a contributing member.

    With that note, please moderators delete my account as I will not be a member where I am not welcome.

    Take care all!
    1
    OK... so apparently I am targeted for punishment when I ask a question to the person who is in the comments ABOVE my question... as well as several other patrons in this same thread who ALL mentioned "Pay someone to flash it for you".... but I am the only one singled out. I do apologize for language, but after the 1st warnings were given, I deliberately put asterisks where swear words were to belong. But apparently even referencing a word by using "*****" is somehow not acceptable. But no worries, I just wanted to use this message to thank everyone who tried to help me with this. No it is not fixed, but I also don't like being unjustly targeted and humiliated in public for things that several other commenters PRIOR to my question did not get called out for. So with that I am stepping away from XDA. Again thanks to the ppl who tried to help.

    I will step away and will go seek assistance elsewhere, and hopefully be treated with the same level of respect that I had shown all here for the 6-7+ years I have been a contributing member.

    With that note, please moderators delete my account as I will not be a member where I am not welcome.

    Take care all!
    Going back to your original point... MSM tools just don't work here... You can try logging into any of them but they're not going to work... With your set up issue, just send the device back to OnePlus

    You won't find better help anywhere else over XDA (I've looked)

    You're also not being isolated, you've sworn and the way you type is pretty condescending and patronising, lots of capitals like the person you're talking to is an idiot.

    As for your account, you can delete it by going to your account details and removing it from there.

    Although I don't know why you'd want to delete it?
  • 6
    I don't know how long it will expire
    3
    Well, my device isn't under warranty anymore, plus its bootloader is unlocked, so even if I sent it to them, they won't fix it under warranty
    AFAIK having an unlocked bootloader has never been a problem with OnePlus assistance. However, I wouldn't be surprised if they changed their policy about this considering what they did with the MSM Tool.
    3
    100% does not matter dude, your device is still under warranty.
    Thank you, maybe I'll try contacting them to see if they could flash my device online, but sending my device to them isn't a good choice, I'd rather send my phone to a closer unauthorized repair shop than send it to the oppo/realme shop that is 100KM away.

    Also it seems that this thread has reached a dead point, I've read the first 10 pages and I reached nothing (I wish I was there when that MSM account was available). I hope that flashing a bricked phone would be easier in the future, as there is no valid reason for making it that hard; it's so stupid that Qualcomm did include EDL mode in their processors and didn't provide a universal EDL tool for us.
    2
    Thank you, maybe I'll try contacting them to see if they could flash my device online, but sending my device to them isn't a good choice, I'd rather send my phone to a closer unauthorized repair shop than send it to the oppo/realme shop that is 100KM away.

    Also it seems that this thread has reached a dead point, I've read the first 10 pages and I reached nothing (I wish I was there when that MSM account was available). I hope that flashing a bricked phone would be easier in the future, as there is no valid reason for making it that hard; it's so stupid that Qualcomm did include EDL mode in their processors and didn't provide a universal EDL tool for us.
    If you need to just contact them. I'm in the UK, I get my phone back in about 4-5 days.

    Not the end of the world... Screw paying for it
    2
    100% does not matter dude, your device is still under warranty.


    Well, my device isn't under warranty anymore, plus its bootloader is unlocked, so even if I sent it to them, they won't fix it under warranty
  • 16
    Hello all, I am here to leak the OPPO tech tool that allows the OnePlus 10 Pro to be flashed. Sadly I cannot share a login, but if you are able to bypass the login screen the tool does not need to authenticate with the server to flash a device in EDL mode. Attached is a screenshot of the login screen and the file. The tool picks up the device in EDL mode and allows the user to select the OFP file associated with the device (please note you must have this downloaded externally, ideally from the MSM tool for your device)

    I wish you luck bypassing this login and fixing your phones.


    12
    This tool seems to be intended for use with mediatek devices.
    I wouldn't bet on it working with this phone, but here's how to bypass the login screen anyway.

    Open DownloadTool.exe with a hex editor
    Find '74 4b 8d 45 d4'
    Replace '74 4b' with '90 90'
    Save, launch, enter any username/password/code and click login.
    If you go to 'Software Package Management', you can specify a folder where your .ofp is located.
    7
    I have a bricked OnePlus 10 Pro which I can put into EDL mode via testpoints. PM me.
    6
    I almost figured out what is sent to the server during flashing. The flash tool sends "chip ID", "account token", and "Epoch timestamp" to server API which is server-domain/API/sign/ to query a signature for firehose and encrypt the query parameters with a public key. This info can be found in MSM download tool 2.0.6.9.

    If anyone wants to see it themselves, simply get a debugger, such as x64dbg with the ScyllaHide plugin enabled, follow the assembly instructions to get to the OEP, then dump the PE from memory and fix the import table to unpack it from VMProtect 3.x. After unpacking the file, use a decompiler to run a PE static analysis; IDA Pro or Ghidra can both do it. Search for "/API/sign/" in the defined strings; from that you can locate the auth function for the VIP signature. In that function, you can find a public key used to encrypt the queries, and also two variables, one is "account token", the other one is "Chip ID". Chip ID is unique for every device, which may be an issue.

    I haven't done a full analysis of the tool, so I'm not sure if there's a timestamp protection on it. But I still strongly suggest that whoever is able to flash with auth remember to capture the signature for your device, so you might not need an auth in future because your Chip ID is always yours.
    6
    I'm sorry for the late response. I was busy at work last week.
    Do you know who may have an example to go with? How long is the signature? There must be some form of checking within the msm tool to verify the signature is valid. Is it key based or algorithm based? If it's algorithm based, maybe we can use the validation function in the msm tool to figure out how it is checking and create valid signatures. Setting up a server locally to trick the device into thinking it's contacting OnePlus would be the easy part.

    Has anyone found examples of these logged signatures or know more about their calculation? HW serial based, HW ID based, device MAC based, IMEI based (unlikely)?

    Knowing what is sent to the server and what is received could also help. Does anyone have a full exchange of the https logs somewhere to go over?
    Yes, thanks to @hackslash, there's an example of the signature for ChipID: b73e685e (for the API authserver_domain/api/tools/sign)

    Code:
    {"Data":{"response":{"encrypt":"ct5/f+RsW/3p2vhIp2EduoMJ8kfKk2iNbF+eTExuGsOicfvILFTKY/+qF0WxSEcREt3m7YSABbEwCRU4aWaJqoppx2du60hW6OhTYbaL+51JXr5byRQjqqhtwJ1VfFZ66U3EuZXidJVW6TjV1u09fgt5MT11zSwZzbpkrBg1UQruJi8wGrjtMnq0mbgno1H01QRnMY+GKN9UqZVrXGAdCRJm8T8Ysn5P1mnIOVwhuJZSkq6z7WH9RhyM1oJuURquvZEt/TP9vQda1/fNn0txtzu+ZWkuuou23zYulXhkmtDTp5D4LtdZ8VlAkakq8UowHv3tlW7lZMb52fY8QjF/zw==","message":"0000","status":"0","unlock":"","isAllowDegraded":false}},"ErrorCode":0,"Message":null}

    If you use Ghidra to do a static analysis with the unpacked downloadtool.exe (first use a debugger to unpack VMProtect 3.x), locate the defined string data "/api/tools/sign", you'll find a public key hardcoded in the tool to encrypt the HTTPS query to the server. All the transmissions are encrypted, but I don't even want to think about decrypting them because there's a ChipID problem.


    The signature can be fed to the tool, but it doesn't work for other devices. For example, here's the download tool log for the device with the correct ChipID:

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
    [COM51] Verify Data
    [COM51] Verify pass
    [COM51] Upload download result. chip id: b73e685e, result: -1, project: 20847
    [COM51] Upload download result failed.
    [COM51] Check the models and software
    [COM51] Start erase
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN1
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN5
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN4
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN2
    [COM51] Erasing the partition BackupGPT
    [COM51] Erasing the partition PrimaryGPT/LUN0
    [COM51] Erasing the partition userdata
    [COM51] Download OCDT
    [COM51] brand is oplus, cdtdownloadstatus is 0, ufs = 1
    [COM51] Downloading ddr, zeros_5sectors.bin...
    ...

    And here's the download tool log for the device with a mismatched ChipID (using the obtained signature to feed another device):

    Code:
    ...
    [COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
    [COM51] Attempting to send a Sahara message for communication
    [COM51] Downloading Firehose protocol file via Sahara protocol
    [COM51] Sahara communication succeeded
    [COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
    [COM51] Trying to handshake via Firehose communication
    [COM51] Configure the settings of Firehose communication data transmission
    [COM51] Get sign data
    [COM51] ID:b73e685e, B:enable
    [COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
    [COM51] Verify Data
    [COM51] FirehoseCheckRSP is ERROR, hr=1
    [COM51] Rsp:
     <?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <log value="ERROR: verify failed." /></data><?xml version="1.0" encoding="UTF-8" ?>
    <data>
    <response value="NAK" rawmode="false" /></data>
    [COM51] Verify pass
    [COM51] Current download task end,elapsed time:7s.
    [COM51] Upload download result. chip id: b73e685e, result: 1, project: 20846
    [COM51] Upload download result failed.
    [COM51] Close the serial device
    [COM51] Download failed
    [COM51] Determine whether to upload the download info
    [COM51] compress file, retry time is 4
    [COM51] compress file success
    [COM51] start to upload
    [COM51] upload success
    [COM51] Stop timer
    End log...

    As you can see, the device only accepts signed packets, and the signature is somehow related to the ChipID. Anyone can simply use the hex-patched tool to try flashing their device; you'll see your ChipID in the log generated by the download tool.

    At this point, I think the only solution is that the user has to at least pay to flash their device once to capture the signature for their device. And here's the hardest point, a lot of sellers check for packet capture software during the session. Yes, this can be bypassed via a rootkit (if you don't know how to program a simple hooking rootkit with Microsoft Detours, you can simply find some rootkit source code from hackforums or buy some rootkit source code from the dark web hacker sellers, then modify the code and compile it yourself). I believe that most users will fail to capture their device signature for EDL after being detected by the remote tech due to the lack of specific knowledge. By the way, can the captured signature with the same ChipId be reused on the same device? Please be aware, this is still unconfirmed! But I think it is highly possible that it can work for the same device every time.


    But after seeing that @OppoTech123 is willing to help the community, I think maybe there's a chance that @OppoTech123 can help some developers to capture their device signature to boost the custom ROM development. But be aware that during the capture, the temporarily assigned token after logging in can also be captured; however, these tokens expire in a short time. It doesn't expire for login but expires for querying signatures, not sure if it's related to OTP or if the account holder can log out from another place; be sure to protect your credits if querying a signature charges the tech some credits.


    Is there a way to alter the ID on the device? Even if it's temporary?
    I don't think so. Maybe there's an internal Qualcomm development tool that can do that, but I definitely don't have it.
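Added here as an illustration, not code from the thread or from the OPPO tool: a small parser for the download-tool log format quoted above, run over the sign-check section of the two logs (matching ChipID, and a signature captured for a different project). It pulls out the ChipID, the project id from the ChainedTableOfDigests filename and the old/new sw_name_sign values, and derives the outcome from the device's Firehose reply (the `<log value="ERROR: ...">` / NAK lines) rather than from the tool's own "Verify pass" line, which the tool prints in both logs. The log excerpts are trimmed copies of the ones in the post; field names in the dataclass are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the sign-check section of the two download-tool logs quoted
# in the post above, trimmed to the lines the parser cares about.
LOG_MATCH = """\
[COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
[COM51] Sahara communication succeeded
[COM51] filename=ChainedTableOfDigests_20847_persist_no_userdata_yes
[COM51] Get sign data
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3
[COM51] Verify Data
[COM51] Verify pass
[COM51] Upload download result. chip id: b73e685e, result: -1, project: 20847
[COM51] Start erase
"""

LOG_MISMATCH = """\
[COM51] Set Sahara file ok sahara file: prog_firehose_ddr.elf.
[COM51] Sahara communication succeeded
[COM51] filename=ChainedTableOfDigests_20846_persist_no_userdata_yes
[COM51] Get sign data
[COM51] ID:b73e685e, B:enable
[COM51] old_sw_name_sign:261fe06798cff432e5512eaa5339f797f2f213eaa739ddeea7f0985a048fe9e3, new_sw_name_sign:9d975a304cf3d7d1f9f7ed402297996d7c457aea71fd0a5c2dc6278b68cde27c
[COM51] Verify Data
[COM51] FirehoseCheckRSP is ERROR, hr=1
[COM51] Rsp:
 <?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: verify failed." /></data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" rawmode="false" /></data>
[COM51] Verify pass
[COM51] Upload download result. chip id: b73e685e, result: 1, project: 20846
[COM51] Download failed
"""

RE_PORT = re.compile(r"^\[(COM\d+)\] ")
RE_SAHARA = re.compile(r"Set Sahara file ok sahara file: (\S+)")
RE_DIGESTS = re.compile(r"filename=ChainedTableOfDigests_(\d+)_")
RE_CHIP = re.compile(r"\bID:([0-9a-fA-F]+), B:(\w+)")
RE_SIGNS = re.compile(r"old_sw_name_sign:([0-9a-f]{64}), new_sw_name_sign:([0-9a-f]{64})")
RE_UPLOAD = re.compile(r"Upload download result\. chip id: (\w+), result: (-?\d+), project: (\d+)")
RE_FH_ERROR = re.compile(r'<log value="ERROR: ([^"]*)"')  # Firehose XML log inside the tool log
RE_FH_NAK = re.compile(r'<response value="NAK"')


@dataclass
class FlashSession:
    port: Optional[str] = None
    sahara_file: Optional[str] = None
    package_project: Optional[str] = None   # project id embedded in the digest-table filename
    chip_id: Optional[str] = None
    old_sign: Optional[str] = None
    new_sign: Optional[str] = None
    result_code: Optional[int] = None
    result_project: Optional[str] = None
    firehose_errors: List[str] = field(default_factory=list)
    device_nak: bool = False
    tool_said_verify_pass: bool = False      # the tool's own line; not trusted for the verdict
    download_failed: bool = False
    erase_started: bool = False

    @property
    def sign_matches(self) -> bool:
        return self.old_sign is not None and self.old_sign == self.new_sign


def parse_flash_log(text: str) -> FlashSession:
    """Extract the sign-check fields from one download-tool session log."""
    s = FlashSession()
    for line in text.splitlines():
        m = RE_PORT.match(line)
        if m and s.port is None:
            s.port = m.group(1)
        if m := RE_SAHARA.search(line):
            s.sahara_file = m.group(1).rstrip(".")   # log line ends with a trailing period
        if m := RE_DIGESTS.search(line):
            s.package_project = m.group(1)
        if m := RE_CHIP.search(line):
            s.chip_id = m.group(1).lower()
        if m := RE_SIGNS.search(line):
            s.old_sign, s.new_sign = m.group(1), m.group(2)
        if m := RE_UPLOAD.search(line):
            s.result_code, s.result_project = int(m.group(2)), m.group(3)
        s.firehose_errors.extend(RE_FH_ERROR.findall(line))
        s.device_nak |= bool(RE_FH_NAK.search(line))
        s.tool_said_verify_pass |= line.endswith("Verify pass")
        s.download_failed |= line.endswith("Download failed")
        s.erase_started |= line.endswith("Start erase")
    return s


def diagnose(s: FlashSession) -> str:
    """Verdict based on what the device answered, not on the tool's 'Verify pass' line."""
    if s.device_nak or s.firehose_errors:
        return "failed: device rejected the signed data (" + ("; ".join(s.firehose_errors) or "NAK") + ")"
    if s.download_failed:
        return "failed: tool reported 'Download failed'"
    if s.erase_started and s.sign_matches:
        return "proceeded: signature accepted by device, flash started"
    return "inconclusive: no verify result found in log"


if __name__ == "__main__":
    for name, text in (("matching", LOG_MATCH), ("mismatched", LOG_MISMATCH)):
        s = parse_flash_log(text)
        print(f"{name}: chip={s.chip_id} project={s.package_project} "
              f"sign_matches={s.sign_matches} tool_verify_pass={s.tool_said_verify_pass} -> {diagnose(s)}")
```

Note that both excerpts contain "Verify pass", so a check that only greps for that string would misreport the mismatched session.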