Add sahara v3 firehose support device list #95

Open
soralis0912 opened this issue Apr 27, 2024 · 7 comments

@soralis0912
Contributor

Sahara v3 does not show the PKHASH, so the --loader option is needed.
But now the filename is the difficulty.

So I think we should add a supported device list file.

@soralis0912
Contributor Author

Like this format:

filename,manufacturer,devicename,pkhash

@RenateUSB

If you can pull one of the system files (xbl, abl, cmnlib, modem...) off your device (or an update) you can get the PK hash that way.

@RenateUSB

I think it's worse than that, possibly.
I think that the format for Secure Boot files has changed and that they are now compressed/encrypted.
I'm looking at a Motorola Firehose loader and it's nothing like the ones we know.
It's in ELF format, but the giveaway is the CPU field is zero and it's a 32 bit ELF.

32 bit ELF
CPU:    AT&T WE 32100

@RenateUSB

RenateUSB commented Sep 6, 2024

Ok, it's simply 5 stacked ELF files.
The signing isn't even the same as the normal single ELFs.
The 4 ELFs on the end use an incompatible Version 7 header for the signing.
Two are signed by Qualcomm, two are signed by the OEM.
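
Added example, not part of the original thread and not code from the project or from qcomview: a triage sketch in Python that reads the ELF class and CPU (`e_machine`) fields mentioned above and lists every offset in a file that holds a plausible ELF header. The magic-byte scan is a heuristic, and the sample bytes and their layout are constructed for illustration; the thread does not specify how the real loaders are laid out.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (subset).
MACHINES = {0: "None", 1: "AT&T WE 32100", 40: "ARM", 183: "AArch64"}


def parse_elf_header(data, off=0):
    """Return identifying header fields for an ELF at `off`, or None if implausible."""
    ident = data[off:off + 16]
    if len(data) < off + 20 or ident[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_version = ident[4], ident[5], ident[6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return None  # magic bytes that occur by chance inside other data
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, off + 16)
    return {
        "offset": off,
        "bits": 32 if ei_class == 1 else 64,
        "machine": e_machine,
        "machine_name": MACHINES.get(e_machine, "unknown (%d)" % e_machine),
    }


def find_elf_images(data):
    """Heuristic scan: every offset that holds a plausible ELF header."""
    images, pos = [], data.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf_header(data, pos)
        if hdr:
            images.append(hdr)
        pos = data.find(ELF_MAGIC, pos + 1)
    return images


def make_sample_elf(ei_class, machine, pad):
    """Constructed sample: e_ident + e_type + e_machine, then zero padding."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1]) + bytes(9)
    return ident + struct.pack("<HH", 2, machine) + bytes(pad)


# Constructed container (hypothetical layout): a 32-bit image, a 64-bit image,
# a stray magic string, then another 64-bit image.
SAMPLE = (make_sample_elf(1, 1, 44) + make_sample_elf(2, 183, 44)
          + b"\x7fELFjunk" + make_sample_elf(2, 183, 12))

if __name__ == "__main__":
    for img in find_elf_images(SAMPLE):
        print("0x%04x  %d-bit  %s" % (img["offset"], img["bits"], img["machine_name"]))
```

An unexpected class or CPU value in the first header, or more than one header hit, is a cue to inspect the file with a tool that understands the container before trusting any hash taken from it.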

@hoplik

hoplik commented Nov 2, 2024

Hi, all! RenateUSB respect!
You're right, as always, Hawkeye! These new programmers come with version number 7 (address 1004). These are five elf files assembled into one elf. There are 18-30 certificates and choosing the hash of one root of them will not solve the problem completely, because the file name can be generated, but it is not possible to request a hash from the device. It is necessary to understand the specification of the Sahara v3.0 protocol and the operation of the device according to it.
Here I tried to disassemble the fifth elf to get the device tree. Apparently, these are the first steps towards a new algorithm for analyzing programmers.
https://4pda.to/forum/index.php?showtopic=643084&view=findpost&p=128019877
A couple of pages earlier there is a link to a new programmer for analysis from Huawei Mate. And here's another one I recently got together with the guys from India for Motorola.
https://xdaforums.com/t/moto-g-stylus-xt2315-5g-firehose.4699293/

@RenateUSB

Oh, qcomview.exe has handled the "stacked" ELFs for a while now. I just uploaded the latest version.
