Question OnePlus 10 Pro - QDLoader HS-USB - EDL Test Point [9008] MSM

Search This thread

MsuatafaKhatab

Senior Member
Sep 15, 2013
552
23
Xiaomi Poco F3
OnePlus 10 Pro
Hello
The test point on this phone was shared by me for the first time on the internet. But there is no software available to install it. So my phone is still dead.

9008 usb Requirements to establish a connection:
- Disconnect the battery
- Plug your cable into the phone
- Connect the other end of the cable to the computer when short-circuiting the marked area.
- If the drivers are installed, the connection will be successful.

View attachment 5649009

View attachment 5684793

Thanks bro , you saved my day
 
  • Like
Reactions: Metromas
No valid MSM application, could flash via fastboot or recovery but not when in EDL, so if you're stuck in crashdump mode then you're screwed, for now at least.

RMA would be your only option.
So I've been working on this problem for a while with my OnePlus 8 pro I got Qualcomm licenses so if you use the qualcomm package manager it has more than just the normal set of drivers and a flash tool for Qualcomm devices however you need to know your devices information and a lot of it actually get this thing to pick your phone up if it doesn't even turn on I haven't got my phone to flash however I have got it to get picked up finally My phone will not turn on does not vibrate has no boot modes of any kind but when I plug it into him my computer I can get it to read, The only problem I'm facing right now is the MSM tool isn't picking it up because it's saying that if ice is not able to be used in that mode but the Qualcomm flasher doesn't pick it up just yet but I haven't messed with it all that much if I have time to if you want to message me I can take a couple screenshots of my setup on my computer I just got my OnePlus 10 t. Anyways My whole point with this is according to Qualcomm No matter how bad you brick a device including to the point where it won't boot they will still be able to reflash it The problem is you need the correct info which I'm slowly but surely getting off the phone cuz I never made a backup like an idiot but it literally has a USB analyzer two different types of flashers three USB drivers packages which have Qualcomm drivers I've never seen One that even says ADB testing interface and it is signed and that was the one that actually got my phone to get picked up so I think I'm almost there but I haven't had time to work on it in a week or so and by the way you can make a free employee license with them and you can get the licenses however they will expire in like 3 years for most of them and you do have to have some type of experience.
 

dladz

Senior Member
Aug 24, 2010
14,985
5,340
Liverpool
Huawei Watch 2
OnePlus 10 Pro
So I've been working on this problem for a while with my OnePlus 8 pro I got Qualcomm licenses so if you use the qualcomm package manager it has more than just the normal set of drivers and a flash tool for Qualcomm devices however you need to know your devices information and a lot of it actually get this thing to pick your phone up if it doesn't even turn on I haven't got my phone to flash however I have got it to get picked up finally My phone will not turn on does not vibrate has no boot modes of any kind but when I plug it into him my computer I can get it to read, The only problem I'm facing right now is the MSM tool isn't picking it up because it's saying that if ice is not able to be used in that mode but the Qualcomm flasher doesn't pick it up just yet but I haven't messed with it all that much if I have time to if you want to message me I can take a couple screenshots of my setup on my computer I just got my OnePlus 10 t. Anyways My whole point with this is according to Qualcomm No matter how bad you brick a device including to the point where it won't boot they will still be able to reflash it The problem is you need the correct info which I'm slowly but surely getting off the phone cuz I never made a backup like an idiot but it literally has a USB analyzer two different types of flashers three USB drivers packages which have Qualcomm drivers I've never seen One that even says ADB testing interface and it is signed and that was the one that actually got my phone to get picked up so I think I'm almost there but I haven't had time to work on it in a week or so and by the way you can make a free employee license with them and you can get the licenses however they will expire in like 3 years for most of them and you do have to have some type of experience.
Sorry buddy, no idea why I posted that here.

😔 My bad man, wasn't directed at you..
 
Last edited:
  • Sad
Reactions: Metromas

beatbreakee

Senior Member
Aug 10, 2015
276
344
Frisco
Samsung Galaxy S10
It just seems to me that qfil would be able to do the same thing but I really don't know
You are 100% correct that QFIL COULD do it... But the problem is that there are 2 different versions of the Firehose programmer.... One is an Elf file, and that one is what comes in all these fw bundles we can access. This one is the one that requires "VIP authentication" in order for it to allow the flash to proceed. BUT there is also a 2nd Firehose programmer, and although everyone refers to them as "patched" loaders, they are not really patched by some hacker so to say... They are in fact patched by Qualcomm as programmers for Offline flashing of a device. This was confirmed to me by a Qualcomm tech who revealed too much during a chat. The Firehose I'm talking about is not an Elf, but a hex/bin file ... It is able to be used not with QFIL, but instead the "software download" feature in qpst. It's just very rare that we can get our hands on one of these firehoses.

On a side note it was also explained that "The msmtool is not designed nor controlled by Oppo/BBK, and instead it is a created tool made by Qualcomm for flashing devices on certain chipsets. It's just a lucky ordeal that BBK manufactures most of the devices with those chipsets...". But Realme, Xiaomi, Redmi, Oppo, OnePlus, and some other devices ALL have at least one device that uses an MSM tool, and all of those companies were not originally Shenzhen corps...

This info throws a slight curve ball into the mix with breaking the authentication algorithm... Cuz if it's designed by Qualcomm I can 100% guarantee that it is an unbreakable algorithm! Qualcomm unfortunately has 100's of millions of dollars invested into the research and design of their security! Remember they design chips for a huge number of companies across many spectrums, so cracking their code would literally upend several of their major buyers.... Let's hope that is not the reality, cuz if it is we are in for some super disappointment.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    It just seems to me that qfil would be able to do the same thing but I really don't know
    You are 100% correct that QFIL COULD do it... But the problem is that there are 2 different versions of the Firehose programmer.... One is an Elf file, and that one is what comes in all these fw bundles we can access. This one is the one that requires "VIP authentication" in order for it to allow the flash to proceed. BUT there is also a 2nd Firehose programmer, and although everyone refers to them as "patched" loaders, they are not really patched by some hacker so to say... They are in fact patched by Qualcomm as programmers for Offline flashing of a device. This was confirmed to me by a Qualcomm tech who revealed too much during a chat. The Firehose I'm talking about is not an Elf, but a hex/bin file ... It is able to be used not with QFIL, but instead the "software download" feature in qpst. It's just very rare that we can get our hands on one of these firehoses.

    On a side note it was also explained that "The msmtool is not designed nor controlled by Oppo/BBK, and instead it is a created tool made by Qualcomm for flashing devices on certain chipsets. It's just a lucky ordeal that BBK manufactures most of the devices with those chipsets...". But Realme, Xiaomi, Redmi, Oppo, OnePlus, and some other devices ALL have at least one device that uses an MSM tool, and all of those companies were not originally Shenzhen corps...

    This info throws a slight curve ball into the mix with breaking the authentication algorithm... Cuz if it's designed by Qualcomm I can 100% guarantee that it is an unbreakable algorithm! Qualcomm unfortunately has 100's of millions of dollars invested into the research and design of their security! Remember they design chips for a huge number of companies across many spectrums, so cracking their code would literally upend several of their major buyers.... Let's hope that is not the reality, cuz if it is we are in for some super disappointment.
  • 6
    Best way to extract would be to c$ into the computer you'll be using over the network from a secondary machine.

    Whitelist a keylogger (there are tonnes of them out there) make sure to test this first.

    Start the keylogger and c$ into the target machine from the second device.

    Once OnePlus has the files copied for use by the tech, using the remote computer, pull the files they've used and then finish the call.

    You'll then have the files on the secondary device and the log in details from the keylogger.

    It's not hard, just ridiculous anyone has to do this.

    I was resigned to the fact that this device wasn't going to get any love at all and nothing has changed on that front.

    I genuinely hope that im wrong, but I'm doubting it. Could very well spark the end of OnePlus, sick and tired of OEMs turning their backs on the very people who made them popular in the first place.
    5
    Unfortunately, all options require log in except company option (although those seem to check network you're on and I'm assuming some type of hardware key as it fails with a network issue error when trying that option). Also, MSM is encrypted so it's not a straightforward method to decompile and crack it. Unfortunately, that leads me to believe we're more likely to get credentials and hope OnePlus just doesn't care enough to delete the credentials from their database than to crack the program itself.
    AFAIK, there's no need to crack the EXE. All you need is a one-time Oneplus password(if you're able to get one) and a transparent proxy. Once you capture the network data via log-in the first time, you can create an EXE to set up a localhost server and respond to the MSM Tool with the data captured during the last login via windivert. Launching a MITM attack is the answer. If the communication is encrypted by SSL, the encryption can be forced removed by SSL-Strip. Once we see what the client and server are talking about, then we encrypt the data again with our self-generated Root CA certificate and we add our self-generated Root CA certificate to the trusted certificate storge.
    3
    Mod Edit: Quoted Post Deleted

    You're referring to the MSM tool and a techs log in? If you're a OnePlus tech you're going to get fired, if you're not then what exactly are you selling??? It's a free tool, you've just keylogger stolen the details, nothing more.. trying to make money off people ?? That's shocking behaviour, genuinely awful..
    2
    Got a random reply from OnePlus stating that "There's nothing that can be done" and I must send them the device.

    Don't get why they are conveniently forgetting about Msm tool. Are they not supposed to remote flash phones anymore?
    2
    It just seems to me that qfil would be able to do the same thing but I really don't know
    You are 100% correct that QFIL COULD do it... But the problem is that there are 2 different versions of the Firehose programmer.... One is an Elf file, and that one is what comes in all these fw bundles we can access. This one is the one that requires "VIP authentication" in order for it to allow the flash to proceed. BUT there is also a 2nd Firehose programmer, and although everyone refers to them as "patched" loaders, they are not really patched by some hacker so to say... They are in fact patched by Qualcomm as programmers for Offline flashing of a device. This was confirmed to me by a Qualcomm tech who revealed too much during a chat. The Firehose I'm talking about is not an Elf, but a hex/bin file ... It is able to be used not with QFIL, but instead the "software download" feature in qpst. It's just very rare that we can get our hands on one of these firehoses.

    On a side note it was also explained that "The msmtool is not designed nor controlled by Oppo/BBK, and instead it is a created tool made by Qualcomm for flashing devices on certain chipsets. It's just a lucky ordeal that BBK manufactures most of the devices with those chipsets...". But Realme, Xiaomi, Redmi, Oppo, OnePlus, and some other devices ALL have at least one device that uses an MSM tool, and all of those companies were not originally Shenzhen corps...

    This info throws a slight curve ball into the mix with breaking the authentication algorithm... Cuz if it's designed by Qualcomm I can 100% guarantee that it is an unbreakable algorithm! Qualcomm unfortunately has 100's of millions of dollars invested into the research and design of their security! Remember they design chips for a huge number of companies across many spectrums, so cracking their code would literally upend several of their major buyers.... Let's hope that is not the reality, cuz if it is we are in for some super disappointment.