Identifying EDL (Firehose) loaders


Renate

Recognized Contributor / Inactive Recognized Dev
Maybe you already have a loader for Qualcomm "Emergency DownLoad" (EDL) mode.
Maybe you're looking for one.
You know what? A single loader is for more than one device. But it gets hairy with signing and manufacturers and stuff.

So, I've got a beta release utility here. It can (in most cases) identify which model Qualcomm processors a "Firehose" loader is designed for.
First, it's currently a Windows release.
Second, it doesn't work with the older .mbn style loader (since they don't include that information).

So, just go to My EDL page and go to the bottom and download qcomview.exe
Code:
C:\>qcomview.exe poke3.bin
APQ8096
APQ8098
MDM9250
MDM9255
MDM9350
MDM9650
MDM9655
MSM8996
MSM8997
MSM8998
QDF2432
SDA630
SDA636
SDA658
SDA660
SDM636
SDM658
SDM660
You can see the SDM 636 (which is the actual processor on a Poke3).
Obviously, you have to select your own loader.

I've scanned through 200 loaders and I recognize all the processors.
If you see a "???" please quote it.

Edit: Maybe you're saying, "That ain't nothing but a "string" script!" Eh, mostly, but it is more clever and it sorts things.
 

Renate

Recognized Contributor / Inactive Recognized Dev
It would be useful if you add a way to check if xbl and programmer are compatible...
It would be.
On your device you already have a ton of ELF images that have compatible signing.
The problem is, the certs are not identical since the lowest level (farthest away from the root authority) has things like dates and annotations and the bit fields are not the same.
I've not yet figured out how to generate from an ELF file the 256 bit "Hash" that EDL gets out of the device.


To those who don't know yet, I've added more things to this utility. It can check the regular hashes in the ELF files. If your device is not SecureBoot this can be handy if you want to patch. The hashes on the program segments in an ELF file are always checked; the signing is only checked if SecureBoot is on. So, if your SecureBoot is off, you can patch a file, run qcomview /h whatever.elf. As of now it won't correct wrong hashes but you can simply hexedit in the big-endian values and then double-check with the same command.
Code:
C:\>qcomview /h xbl
64 bit ELF, SHA384
 0  00000000  000003f8  8a46a864b9bec352 69b1dadfcac64bfa a388f7bea37d855e 50f55170277c043c 87c862e23709fd96 34bb545ac49a3d64  OK
 1  00001000  00001cd8
 2  0005cd10  00002ab0  3d2e7c505458e1e7 9070b1957a8f2520 3bbcf288674548f1 7db146a86b314499 5890e1432dbac635 2bad53bfd2960908  OK
 3  0005f7c0  00000d64  ac556708059a1315 41e774e34310b89f 3c3f13183b43fda9 9e3a34bd0899da4b bb43c1080a43925f fd8d6a2ecd864e29  OK
 4  00076d70  00000000
 5  0005cd10  00000000
 6  00003000  0004cd04  a81ab8ec59e2dfb1 f2f98e3ac0a9a396 1cd9f0dfb5a5daa5 2cda2f52d4df97c8 bc398b24528fd10f cd47ced08596f61c  OK
 7  0004fd10  00000000
 8  0004fd10  0000d000  e7d03abb34361774 e030039e096b3e25 64519024c5c15666 efecbd8006deaaae b87884e2bdab52cb e06a4a7a4873e1c5  OK
 9  0005cd10  00000000
10  00060530  00016838  2ca0423b6e745b5f c69544b947556ff1 9d04792c579d2f53 d480d2fa738cac82 1674ddaab8078071 648cc10f384ec25a  OK
11  00376d70  00022000  18bdbbdeac3e92c0 6f3e5f06f5aa91ae d0daa757a375bab6 5e90d4e2a52d8e95 2255d80c76637316 b24736223e0a0bd2  OK
12  0005cd10  00000000
13  00398d70  00048ded  794528234b46757a 3017481198fa8fd6 c9578e6565ec301a f0ab28fbe105c460 c7cc855f93576767 29302c26357a00bb  OK
14  003e8490  00000000
15  003e1b60  0000692d  1354b9b55447ffb8 54ea17d1d9f1ea88 c84bd1045a6bd106 3b38df93fa049fa9 c1b245dc6106098a 0450a75bf7e5ce3f  OK
16  00076d70  00300000  7341f2cde09d6a5f 53bcb90714f779a5 53c3ffeeff1824e5 437464f4bfcc545f 6719370d5d6c656d df96e81382315405  OK
For you Motorola users running into "range restricted" you can dump the ranges by:
Code:
C:\>qcomview /r motog.bin
 Addr   LUN     Start     Count
------  ---  --------  --------
008220   0          0        32
008238   0         -5         5
008250   1          0        32
008268   1         -5         5
008280   2          0        32
008298   2         -5         5
0082b0   3          0        32
0082c8   3         -5         5
0082e0   4          0        32
0082f8   4         -5         5
008310   5          0        32
008328   5         -5         5
008340   1          0      2048
008358   2          0      2048
008370   3          0      2356
008388   5          0      2356
0083a0   0       2080       512

0083b8   0          0       256
0083d0   0        -33        33
0083e8   0     131072    284992
008400   0     416064      2048
008418   1          1         1
The UFS table is on top, followed by the eMMC table.
 
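The per-segment hash check described in the post above, as an added example (not part of the original thread and not qcomview's own code). It assumes a little-endian ELF64 in which segment 0 covers the ELF and program headers, segment 1 is the hash segment, and the digests sit in one contiguous array with an entry per program header; `segments`, `check_segment_hashes` and `build_sample` are names made up here, and the sample image is constructed.

```python
import hashlib
import struct

# ELF64 program header: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
PHDR64 = struct.Struct("<IIQQQQQQ")

def segments(image):
    """(file offset, file size) of every program header in a little-endian ELF64."""
    if image[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian 64-bit ELF")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    phdrs = (PHDR64.unpack_from(image, e_phoff + i * e_phentsize) for i in range(e_phnum))
    return [(ph[2], ph[5]) for ph in phdrs]

def check_segment_hashes(image, algo="sha384"):
    """Rows of (index, offset, size, status); status is 'OK', 'BAD' or '' (not hashed)."""
    segs = segments(image)
    dlen = hashlib.new(algo).digest_size
    digest = lambda off, size: hashlib.new(algo, image[off:off + size]).digest()
    # Assumption: segment 1 is the hash segment; locate the table by the digest of segment 0,
    # which avoids depending on the layout of whatever header precedes the table.
    h_off, h_size = segs[1]
    table = image[h_off:h_off + h_size]
    start = table.find(digest(*segs[0]))
    if start < 0:
        raise ValueError("digest of segment 0 not found in segment 1")
    rows = []
    for i, (off, size) in enumerate(segs):
        stored = table[start + i * dlen:start + (i + 1) * dlen]
        status = "" if size == 0 or i == 1 else ("OK" if stored == digest(off, size) else "BAD")
        rows.append((i, off, size, status))
    return rows

def build_sample(algo="sha384"):
    """Constructed 4-segment test image (not a real loader): headers, hash segment, data, empty."""
    dlen = hashlib.new(algo).digest_size
    data = b"constructed segment payload" * 8
    segs = [(0, 64 + 4 * 56), (0x200, 40 + 4 * dlen), (0x400, len(data)), (0x400, 0)]
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 183, 1, 0, 64, 0, 0, 64, 56, 4, 0, 0, 0)
    img = bytearray(0x400) + data
    img[:64 + 4 * 56] = ehdr + b"".join(PHDR64.pack(1, 0, o, 0, 0, s, s, 0) for o, s in segs)
    hashes = [hashlib.new(algo, bytes(img[o:o + s])).digest() if s and i != 1 else bytes(dlen)
              for i, (o, s) in enumerate(segs)]
    img[0x200 + 40:0x200 + 40 + 4 * dlen] = b"".join(hashes)  # 40 placeholder bytes, then table
    return bytes(img)
```

If segment 0 itself has been modified, its digest no longer appears in the hash segment and the function raises instead of guessing where the table starts.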

Renate

Recognized Contributor / Inactive Recognized Dev
It would be useful if you add a way to check if xbl and programmer are compatible (by comparing cert hashes?).
I've just added SHA256 fingerprint of the root CA to qcomview.
Code:
C:\>qcomview /f loader.bin
5adc6039 dcb297d4 0c55df73 1580248d a9e18b31 ccc43b45 36795313 f82fd430
If SecureBoot is enabled xbl/abl/Firehose must all have the same fingerprint.
(This also goes for the other two dozen ELF files in flash.)

For most devices this SHA256 will be the same that your EDL client prints out as "Hash".
There appears to sometimes be (on newer devices?) a discrepancy between root CA fingerprint and EDL "Hash".
Possibly the EDL "Hash" is the encrypted version?
In any case, all the fingerprints should agree.
 