
Download Mode Commands #1

Open
giantpune opened this issue Aug 30, 2012 · 4 comments
Comments

@giantpune

Hi,
I was trying to contact you and I didn't know of any other way except to create an issue here, sorry about that. I own a Qualcomm Snapdragon based phone and in the bootloader is support for their diag/download mode. I have been working on reverse engineering their protocol lately and I see that it is listed as something you are/were working on.

I think it might help both of us if we work together or at least share notes on this. Where I am now, I have my bootloader disassembled in IDA and have found the section that implements the download mode. There is a switch statement that handles about 25 different commands. Using code written with libusb, I am able to talk with the phone myself and send these commands and get back responses.

I have not finished disassembling this binary, and I am fairly certain there are commands that allow writing/erasing the internal ROM, so I have not sent any of the commands that look like they might do that. Would you mind sharing what you know about this download mode?

giantpuneatgmaildotcom

@tmzt
Owner

tmzt commented Aug 30, 2012

Well, there are other groups working on Qualcomm downloader research. If you want to add the data to the msmb wiki I can give you access. Basically msmb became moboot which is a replacement bootloader for the Touchpad.

@giantpune
Author

Yeah, if you could point me to the wiki, that would be great. It looks like you guys are farther along than I am in that you actually have a functional bootloader. If it turns out that I have some stuff that you don't, I would rather run it by somebody before adding it to the wiki. I am using a phone from LG and you are using a thinkpad. I think there are manufacturer-specific commands as well as different commands for different versions of the download mode protocol. I would want to avoid putting wrong information up there if I can help it.

@tmzt
Owner

tmzt commented Aug 30, 2012

We were looking for undocumented stuff to recover the device if the entire flash was wiped, hoping that we could fall back on the ROM loader. This was actually for other devices, such as the HTC G2, more than the TP. We are looking for information on QDL and the ROM loader.

@giantpune
Author

Here's some of what I have from looking at the osbl.mbn bootloader for the LG Optimus Elite. The download mode protocol used in the bootloader works almost identically to the diag implementation they added to the Android kernel. They create several USB endpoints. At a very low level, you send in a USB request on one endpoint, then you form a diag request and send it to the phone with the second endpoint. Then your second one will return and finally your first request will return carrying the phone's response. The requests are HDLC format with the first byte being 0x7e, then a command ID byte followed by a variable-length set of command parameters, then a CRC16 of the packet and a 0x7e terminator.

There is a switch statement in the code for the download mode that checks the command code and dispatches the request packet out to several other functions based on what command it is. On the Optimus Elite, there are 25 commands handled in this switch statement that do stuff like allowing you to write to memory, dump memory, reboot the phone, send an unlock code, execute an address, and a handful of other ones I haven't figured out yet. The unlock code is a bit stupid as it is hardcoded into the binary at compile time (not hidden away in some secure on-die storage). If the manufacturer left it as all 0xffffffff... then the phone will always be unlocked. Otherwise, you can get that code just by looking at the binary. It looks like about half of the commands in this function need you to first unlock the phone before they will work.

After that big switch statement, there is another similar function that checks for 18 different commands. The phone needs to be unlocked before any of these extra 18 commands will be accessible. I just started looking at them tonight, so I can't say what most of them do. There is one that returns you a list of hardcoded addresses which look like memory ranges. One of them performs a CRC30 on a user-readable/writable memory range. There's one or two more that let you write and read RAM. One of them looks like it pokes some hardware registers and then resets the processor, so it may be for booting a kernel from memory.

Of the commands in both the first and second functions that I haven't figured out yet, several of them look like they are for reading and writing to flash memory. I'm just not really gung-ho about testing those ones out like I have been with the other ones. As far as keys and signed stuff is concerned, there are several places where they are decrypting stuff with more hardcoded keys. It looks like symmetric crypto stuff, so one could probably use those keys and encrypt their own data and replace what the phone is using.
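Added example (not code from this issue, nor from the msmb/moboot project): a Python framer and parser for the packet layout the comment above describes, namely a command ID byte, a variable-length set of parameters, a CRC16 and a 0x7e terminator. The comment does not give the CRC parameters or the escaping rules, so the example assumes the usual HDLC conventions: CRC-16/X-25 (reflected polynomial 0x1021, init 0xFFFF, final complement, appended little-endian) and 0x7d byte stuffing with XOR 0x20 for any 0x7e or 0x7d inside the frame; the parser also tolerates the leading 0x7e the comment mentions. The command numbers in SAFE_COMMANDS are placeholders, not the Optimus Elite's real command IDs; the allowlist is there to enforce the rule the poster follows of not sending commands that look like flash writes until they are understood.

```python
"""HDLC-style framing for a diag/download-mode command channel.

Assumed conventions (not stated in the issue): CRC-16/X-25 over the
unescaped command byte + parameters, appended little-endian, then
0x7d byte stuffing, then a 0x7e terminator.
"""
import struct

FLAG = 0x7E      # frame delimiter; the comment describes it both leading and trailing
ESC = 0x7D       # escape marker: the following byte was XORed with ESC_XOR
ESC_XOR = 0x20


def _crc_table(poly=0x8408):
    """Byte-wise table for the reflected CRC-16 polynomial 0x1021 (0x8408 reversed)."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _crc_table()


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: init 0xFFFF, reflected, final complement. Check value for b'123456789' is 0x906E."""
    crc = 0xFFFF
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return (~crc) & 0xFFFF


def escape(raw: bytes) -> bytes:
    """Byte-stuff 0x7e and 0x7d so they cannot be mistaken for framing bytes."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC):
            out += bytes((ESC, b ^ ESC_XOR))
        else:
            out.append(b)
    return bytes(out)


def unescape(stuffed: bytes) -> bytes:
    """Reverse escape(); a lone 0x7d at the end of the frame is malformed."""
    out = bytearray()
    it = iter(stuffed)
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("dangling escape byte at end of frame")
            out.append(nxt ^ ESC_XOR)
        else:
            out.append(b)
    return bytes(out)


def build_frame(cmd: int, params: bytes = b"") -> bytes:
    """[cmd][params][crc16 LE], escaped, plus the 0x7e terminator."""
    body = bytes((cmd,)) + bytes(params)
    return escape(body + struct.pack("<H", crc16_x25(body))) + bytes((FLAG,))


def parse_frame(frame: bytes):
    """Return (cmd, params) from a frame coming back from the device.

    Raises ValueError for a missing terminator, a stray 0x7e, a truncated
    frame or a CRC mismatch, so a caller never acts on corrupt data.
    """
    if not frame or frame[-1] != FLAG:
        raise ValueError("missing 0x7e terminator")
    stuffed = frame[:-1].lstrip(bytes((FLAG,)))   # tolerate a leading flag byte
    if FLAG in stuffed:
        raise ValueError("unescaped 0x7e inside frame")
    raw = unescape(stuffed)
    if len(raw) < 3:
        raise ValueError("frame too short for command byte + crc16")
    body, (crc_recv,) = raw[:-2], struct.unpack("<H", raw[-2:])
    crc_calc = crc16_x25(body)
    if crc_calc != crc_recv:
        raise ValueError(f"crc mismatch: got {crc_recv:#06x}, expected {crc_calc:#06x}")
    return body[0], body[1:]


def frame_is_valid(frame: bytes) -> bool:
    """True if parse_frame() accepts the frame."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Placeholder command numbers (an assumption, not the Optimus Elite's real IDs):
# only commands already read out of the disassembly and judged read-only or
# otherwise harmless are cleared for sending.
SAFE_COMMANDS = frozenset({0x0C, 0x12})


def build_frame_checked(cmd: int, params: bytes = b"") -> bytes:
    """Refuse to frame any command that has not been cleared as safe to send."""
    if cmd not in SAFE_COMMANDS:
        raise PermissionError(f"command {cmd:#04x} is not on the cleared list")
    return build_frame(cmd, params)


if __name__ == "__main__":
    # Constructed exchange: a request with no parameters, and a constructed
    # reply whose parameters contain both bytes that need stuffing.
    request = build_frame_checked(0x0C)
    reply = build_frame(0x0C, b"\x7e\x7d\x00\x01")
    print(request.hex(" "))
    print(reply.hex(" "), parse_frame(reply))
```

Sending the framed request with libusb is left to the caller; the point of the split between build_frame() and build_frame_checked() is that the transport code only ever sees frames that passed the allowlist, so a typo in a command number cannot turn a memory-dump session into a flash erase.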
