Exploit Targets Qualcomm’s EDL Mode, Affects Some Xiaomi, OnePlus, Nokia and other Devices

Devices with Qualcomm chipsets have a Primary Bootloader (PBL) which typically boots the Android system, but also houses an alternative boot mode known as EDL mode. EDL mode is Qualcomm’s Emergency Download Mode and allows an Original Equipment Manufacturer (OEM) to force flash software on a device. This cannot be modified (read-only mode) and has full control over the device’s storage. Many OEMs including OnePlus and Xiaomi have released tools (known as programmers) which utilize EDL mode and a protocol known as Firehose to unbrick a device, while other tools from companies such as Nokia have leaked. Firehose can utilize a number of commands to flash devices, along with the ability to examine the data within a device’s memory. Security researchers Roee Hay (@roeehay) and Noam Hadad from Aleph Research have discovered critical device vulnerabilities using this mode, which effectively grants an attacker full device access.

It’s important to note that this exploit requires physical access to the device, but it’s still incredibly dangerous and likely cannot be patched. The researchers utilized the level of access granted by EDL mode to bypass secure boot on a Nokia 6, defeating the chain of trust and gaining full code execution across every part of the boot sequence, including the Android OS itself. It is theorized to work the same way on other devices, and the researchers also managed to unlock and root multiple Xiaomi devices without any data loss.

What devices are affected by this exploit?

List of devices affected.

Exploiting an Android Phone

The Boot Sequence of a Typical Android Qualcomm Phone

It is important to first understand the boot sequence of a typical Android device before explaining how it can be exploited. The Software Bootloader (SBL) is a digitally signed bootloader which is checked for authenticity before being loaded into IMEM. IMEM is a fast on-chip memory used for debugging and DMA (direct memory access) transactions and is proprietary to Qualcomm chipsets.

Some devices have an eXtensible Bootloader (XBL) instead of an SBL, but the boot process is largely the same. The SBL or XBL then launches ABOOT, which implements fastboot. Following this, TrustZone (hardware-based security) is also loaded. TrustZone checks the authenticity of ABOOT by way of a hardware-based root certificate. The SBL (or XBL, in some cases) is designed to reject an incorrectly signed (or unsigned) ABOOT.

Once authenticated, ABOOT then checks /boot and /recovery for authenticity before launching the Linux kernel. Some system preparations are done, and then code execution is transferred over to the kernel. ABOOT is commonly known as the “Android Bootloader,” and when we unlock the bootloader of a device, we are disabling this authenticity check in ABOOT.

Boot sequence of a standard Android device visualised. // Source: Aleph Research

Accessing EDL Mode

While some devices have a simple hardware combination (or worse, a simple proprietary fastboot command present in many Xiaomi devices), others, such as Nokia devices, need to short pins known as “test points” present on the device’s main board. It also used to be possible, before the December 2017 security patch, to simply run “adb reboot edl” on many devices (including the Nexus 6 and 6P) and enter EDL mode. This has since been fixed.

Test points are shown in a drawn-on yellow box at the bottom of the device’s mainboard. // Source: Aleph Research

Other devices can also use what’s known as a “deep flash” cable, which is a special cable with certain pins shorted to tell the system to instead boot into EDL mode. Old Xiaomi devices can utilize this method, along with the Nokia 5 and Nokia 6. Other devices will also boot into EDL mode when they fail to verify the SBL.

A deep flash cable

Utilizing EDL Mode to Gain Full Access on a OnePlus 3/3T

EDL Mode can be utilized in a number of ways on a device, mostly for unbricking devices by force flashing them. As explained above, it should theoretically be safe for anybody to access this mode, as the worst-case scenario is that ABOOT will reject software that isn’t officially signed by the manufacturer. While this is true, it’s actually possible to gain complete control over a OnePlus 3 or 3T and its files in a proof-of-concept exploit shown by the researchers.

This will be done through two very dangerous commands which OnePlus left accessible in an older version of ABOOT (the Android bootloader), in order to unlock the device’s bootloader (without a warning being shown to the user on boot) and disable dm_verity. dm_verity is also known as verified boot and is part of a safe boot-up sequence on an Android device. The two commands are as follows.

fastboot oem disable_dm_verity
fastboot oem 4F500301/2

Observe the simple, four-step process below which utilises the Firehose protocol.

  1. First, boot the device into EDL mode. This can be done either through adb (on OxygenOS 5.0 or lower) or by using a simple hardware key combination.
  2. Download an old system image, older than OxygenOS 4.0.2.
  3. Flash aboot.bin through Firehose (remember that aboot.bin implements fastboot, as we mentioned earlier).
  4. You will now be able to disable secure boot and unlock the bootloader without wiping the device, simply by using the two fastboot commands above.

If you remember, OnePlus was previously found to have left two dangerous fastboot commands nearly a year ago, one which unlocked the bootloader and one which disabled secure boot. While it’s true that an attacker cannot install malicious software on the device directly, they can downgrade the device to older software that is vulnerable to attack. Simply by running the above fastboot commands, an attacker can then gain full access to the device.

And that’s it, the bootloader is unlocked, secure boot is switched off and there is absolutely no data loss. If an attacker wished to take this a step further, they could flash a malicious custom kernel which enables root access to the device which the user would never know about.
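Because the downgrade above leaves no visible trace on the device, a user or an IT team who manages such devices needs a quick way to spot a phone whose bootloader has been unlocked and whose dm-verity has been switched off. The following script is an added example, not code from the article or from Aleph Research: it parses the output of `adb shell getprop` and flags the properties that change when the bootloader is unlocked (`ro.boot.flash.locked`), when verified boot is no longer in the green state (`ro.boot.verifiedbootstate`), when dm-verity is not enforcing (`ro.boot.veritymode`), and when the security patch level predates the December 2017 fix for `adb reboot edl` mentioned earlier. The property names are standard Android and Qualcomm boot properties but their presence on any given device is an assumption, and the sample outputs are constructed. One caveat: these values are reported by the bootloader itself, so a deliberately tampered ABOOT can misreport them; the check catches a stock bootloader that has been unlocked, not one that has been replaced with a lying one.

```python
import re

# Constructed samples of `adb shell getprop` output (not captured from a real device).
# Property names are standard Android/Qualcomm boot properties; the values are made up.
SAMPLE_LOCKED = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.build.version.security_patch]: [2017-12-05]
"""

SAMPLE_UNLOCKED = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.build.version.security_patch]: [2017-03-05]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict; ignore anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess_boot_state(text):
    """Return a list of findings; an empty list means nothing looked off."""
    props = parse_getprop(text)
    findings = []
    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader reports unlocked")
    state = props.get("ro.boot.verifiedbootstate")
    if state is not None and state != "green":
        findings.append("verified boot state is %s (expected green)" % state)
    verity = props.get("ro.boot.veritymode")
    if verity is not None and verity != "enforcing":
        findings.append("dm-verity is %s (expected enforcing)" % verity)
    patch = props.get("ro.build.version.security_patch")
    # ISO dates compare correctly as strings (YYYY-MM-DD).
    if patch is not None and patch < "2017-12-01":
        findings.append(
            "security patch level %s predates the December 2017 fix for adb reboot edl" % patch
        )
    return findings


if __name__ == "__main__":
    # On a real device: adb shell getprop | python3 this_script.py
    for label, sample in (("locked", SAMPLE_LOCKED), ("unlocked", SAMPLE_UNLOCKED)):
        print(label, assess_boot_state(sample) or ["no findings"])
```

To run it against a real phone, pipe `adb shell getprop` into `assess_boot_state`; any non-empty result on a device that was never intentionally unlocked deserves a closer look.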

Firehose works through the Qualcomm Sahara protocol, which accepts an OEM-signed programmer and is how the above attack would be carried out. When connected to a device, it acts as an SBL over USB. Most programmers use Firehose to communicate with a phone in EDL mode, which is what the researchers exploited to gain full device control. The researchers also used this to unlock a Xiaomi device simply by flashing a modified image which unlocked the bootloader. They then flashed a custom kernel which gave root access and set SELinux to permissive mode, and also extracted the encrypted userdata image from the device.

It is unknown why OEMs release these programmers from Qualcomm. Nokia, LG, Motorola, and Google programmers leaked rather than being released, yet the researchers managed to break the entire chain of trust on the Nokia 6 and gain full device access through similar methods of exploitation. They are confident the attack can be ported to any device which supports these programmers. If possible, OEMs should make use of hardware qFuses which prevent software rollbacks: the fuse is blown when the device is rolled back, and the device can warn the user that this has taken place. Those interested can take a look at the full research paper below and can read the full Nokia exploitation too.
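The whole OnePlus 3/3T attack rests on one gap: the old aboot.bin is still genuinely OEM-signed, so signature checking alone accepts it, and nothing in the chain remembers that a newer version was already installed. The model below is an added example, not code from the article or from Qualcomm or OnePlus, of how a rollback fuse closes that gap. It models the widely used approach in which a fuse holds a monotonic minimum version per boot stage, raised whenever a newer signed image boots, and each stage refuses any image below it. Everything here is hypothetical: stage names, version numbers and image contents are constructed, and an HMAC over the image stands in for the OEM's asymmetric signature so that the example runs offline with the standard library.

```python
import hashlib
import hmac
import json

# Stand-in for the OEM's signing key. On a real device the verifier holds a
# public key whose hash is fused into the SoC; an HMAC secret is used here
# only so that the model runs offline with the standard library.
OEM_KEY = b"constructed-oem-signing-key"

STAGES = ("sbl", "aboot", "boot")  # order of the chain of trust


def _signed_body(name, version, payload):
    # Canonical bytes the signature covers: stage name, version and contents.
    return json.dumps(
        {"name": name, "version": version, "payload": payload.hex()}, sort_keys=True
    ).encode()


def sign_image(name, version, payload):
    """Produce an 'OEM-signed' image dict (constructed format, not Qualcomm's)."""
    sig = hmac.new(OEM_KEY, _signed_body(name, version, payload), hashlib.sha256).hexdigest()
    return {"name": name, "version": version, "payload": payload, "sig": sig}


def signature_valid(image):
    body = _signed_body(image["name"], image["version"], image["payload"])
    expected = hmac.new(OEM_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, image["sig"])


class Device:
    """Hypothetical device with one anti-rollback fuse value per boot stage."""

    def __init__(self, anti_rollback):
        self.anti_rollback = anti_rollback
        # Fuse value = lowest image version the stage will accept. Fuses are
        # one-time programmable, so this value only ever increases.
        self.fuses = {stage: 0 for stage in STAGES}

    def verify_stage(self, image):
        if not signature_valid(image):
            return "rejected: bad signature"
        stage = image["name"]
        if self.anti_rollback:
            if image["version"] < self.fuses[stage]:
                return "rejected: rollback below fused version %d" % self.fuses[stage]
            # Raise the fuse on upgrade so older signed images are refused later.
            self.fuses[stage] = max(self.fuses[stage], image["version"])
        return "ok"

    def boot(self, images):
        """Walk the chain in order; stop at the first stage that fails."""
        results = {}
        for stage in STAGES:
            results[stage] = self.verify_stage(images[stage])
            if results[stage] != "ok":
                break
        return results


def rollback_demo(anti_rollback):
    """Boot current firmware, then retry with a validly signed but older ABOOT."""
    current = {
        "sbl": sign_image("sbl", 5, b"sbl v5"),
        "aboot": sign_image("aboot", 5, b"aboot without the oem unlock commands"),
        "boot": sign_image("boot", 5, b"kernel v5"),
    }
    # The older ABOOT is still genuinely OEM-signed; only its version is lower.
    old_aboot = sign_image("aboot", 4, b"aboot with the dangerous oem commands")
    device = Device(anti_rollback)
    first = device.boot(current)
    second = device.boot({**current, "aboot": old_aboot})
    return first, second


if __name__ == "__main__":
    for flag in (False, True):
        first, second = rollback_demo(flag)
        print("anti_rollback=%s current=%s downgraded=%s" % (flag, first, second))
```

Without the fuse the downgraded ABOOT boots and the rest of the chain follows it, exactly as in the article; with the fuse the same image is refused at the ABOOT step and nothing after it runs. Note that the fuse does not make the signature check redundant: an unsigned image is rejected in both modes.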

Source: Aleph Research

OnePlus 3/3T Open Beta Update Fixes Bugs and the OnePlus 2 Receives a Security Update

OnePlus has just announced two new updates for three of their devices. Surprisingly, one of these updates is for the OnePlus 2 and the biggest thing to note here is that it has received a fix for the KRACK vulnerability that we previously reported on. The Open Beta for the OnePlus 3 and the OnePlus 3T also received a new update that focuses on bug fixes and some performance optimizations that the company has been working on lately.

As we mentioned in our previous report about the WPA2 vulnerability known as KRACK, this attack was possible on around 41% of all Android devices. The OnePlus 2 doesn’t generally receive OTA updates anymore but OnePlus did just announce a new update for it that brings its version of OxygenOS up to 3.6.1. This update has some general bug fixes and improvements to it but the big thing to note here is its security patch level has been brought up to October 2017 (which includes the patches for KRACK).

On the same day, the company also announced an update to their Oreo Open Beta program that is now available for the OnePlus 3 and the OnePlus 3T. This brings the Open Beta up to version 26 for the OnePlus 3 and to version 17 for the OnePlus 3T and both updates include the same changes since they have been unified. As you should expect in all beta updates, the first one released with a number of bugs and issues that this update aims to fix.

The User Feedback application is back with this update and the team also says it improves both WiFi and data connectivity. The performance of NFC is said to be improved as well and some people had reported the picture-in-picture mode was causing apps to crash but this should be less likely to happen now. There were reports of the device heating up under certain circumstances (which has been fixed), and the voicemail tab within the dialer application is now back.

You’ll find the full changelog (including known issues) down below.

OnePlus 2 OxygenOS 3.6.1 Changelog


  • Updated Android security patch level to October 2017
  • Fixed WPA2 security issue
  • General bug fixes and improvements

OnePlus 3/3T Open Beta 26/17 Changelog


  • User Feedback app is back
    • You can continue sending bug reports via the app again
  • Improved Wifi and Data connectivity
    • Please let us know if you see a change in the behavior of your network connections
  • Improved the performance of NFC
  • Improved stability of Picture in Picture
    • Apps that are supported by PiP are less likely to cause a reboot
  • Reduced likelihood of device heating up in certain circumstances
  • Fixed issue of missing voicemail tab in dialer
    • Sorry about that.. :oops:
  • Other general bug fixes
    • This includes things like the Notification dot issue, ambient display issues, random reboots, available storage calibration, and many other smaller issues.

Known issues:

  • Fingerprint actions may still be slower than you are used to
  • Performance and compatibility of 3rd party apps are still being optimized

Source: OnePlus

OnePlus collecting significant amounts of identifiable data

All smartphones collect analytics data. This data is important for the manufacturer to improve both software and hardware. However, this data is usually anonymous and hopefully limited in scope.

However, OnePlus was found to be collecting large amounts of data from the OnePlus 2 by Christopher Moore. By checking the network traffic, he found that the device was sending data to OnePlus that probably shouldn’t leave the phone.

The data included basic things like unexpected reboots, but also when the device was locked, unlocked, and when apps were opened. Then there was the identifiable info like the IMEI number, phone number, phone serial number, WiFi info, MAC addresses, and more.

While part of this data collection can be turned off (Settings > Advanced > Join user experience program), much of it cannot. The OnePlus Device Manager app is sending the data and can be disabled with ADB and no root (send the ADB command “pm uninstall -k --user 0 net.oneplus.odm”), but it’s unknown whether this could affect device functionality.

If you don’t like your data being collected to this extent, maybe OnePlus devices aren’t for you. It just seems excessive. Thankfully the data is encrypted so there isn’t a security risk, but your data is still stored somewhere and who knows for how long.

OxygenOS is Allegedly Data-mining Personally Identifiable Information for Analytics

While the OnePlus phones have a good reputation for their price and openness to development, the company itself has made some questionable decisions in the past with regards to how they handle user data. At the time, we discovered that OxygenOS would leak your device’s IMEI onto the network while your device checks for an update. Now, OnePlus is accused of collecting even more sensitive, personally identifiable information according to security researcher Christopher Moore.

During a Hack Challenge he was participating in last year, Moore decided to probe the internet traffic from his OnePlus 2. He discovered that his phone was sending HTTPS requests to the domain open.oneplus.net. He decrypted the data using the on-device key and was able to see all of the data being sent back to OnePlus’ AWS servers.

He then analyzed what information was being sent to this domain and found that OnePlus was collecting screen on, screen off, device unlock events, abnormal reboots, serial number, IMEI, phone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, and wireless network ESSID and BSSID.

But the data-mining doesn’t stop there, as Moore found that OxygenOS was also collecting time stamps of when he opened and closed applications and even which activities were being opened.

Moore did some digging and discovered that the code responsible for this data collection is part of the OnePlus Device Manager and the OnePlus Device Manager Provider, which is contained in the system application OPDeviceManager.apk.

If your device isn’t rooted, then you can run the following ADB command to disable this system application on your OnePlus device:

pm uninstall -k --user 0 net.oneplus.odm

A tutorial on how to set up ADB and run this command can be found here. Alternatively, if your device is rooted you can install this Magisk module.

All of this information is, again, sent over HTTPS so it can’t be intercepted by anyone else (provided you are on a secure network). Though, one wonders what OnePlus is doing with this kind of information. In a statement, OnePlus offered the following explanation behind the analytics they are collecting:

We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine tune our software according to user behavior. This transmission of usage activity can be turned off by navigating to ‘Settings’ -> ‘Advanced’ -> ‘Join user experience program’. The second stream is device information, which we collect to provide better after-sales support.

Keep in mind that this data-collection is only occurring on OxygenOS, so if you have a custom AOSP-based ROM installed such as LineageOS then your phone is safe from data-mining. For a more technical breakdown, we recommend you read the original blog post that Mr. Moore made linked below.

Source: Chris’s Security and Tech Blog

OnePlus 2 Receives Android 8.0 Oreo Unofficially via LineageOS 15

A lot of OnePlus 2 owners have felt burned due to the lack of OTA updates that OnePlus has pushed out. For a while, owners of these devices were told that the OnePlus 2 was eventually going to receive an official update to Android 7.0 Nougat. That unfortunately turned out not to be the case, which leaves the last official build of OxygenOS for the device based on Android 6.0 Marshmallow. Thankfully, the device still has quite the developer support on our forums, and developers have just released an early build of LineageOS 15 based on Android 8.0 Oreo for the device.

OnePlus promises they’ll have better long-term software support for the OnePlus 3 and the OnePlus 3T since they have organized their software development division. We’ll have to wait and see how that turns out, but users of those devices should take solace in the fact that the OnePlus custom development community has always been strong, so even if OnePlus is unable to continue providing support, members of the XDA forums will be there to fill the gaps. Though we don’t yet have official builds of LineageOS 15 for any device right now, community developers are building ROMs based on what’s already there in the gerrit for a number of devices.

The latest to get its first taste of Android Oreo via LineageOS 15 is the OnePlus 2, and this build is possible thanks to XDA Recognized Contributor Shreesha.Murthy (as well as the entire LineageOS team). This initial release was made available yesterday and it has already been updated to revision 3. As usual with these early builds, this is to be considered an alpha and there are some bugs you should be aware of. A lot of stuff does work though, including RIL, WiFi, Bluetooth, hotspot, fingerprint scanner, VoLTE, and the sensors (GPS etc.).

However, there are some things that currently do not work and are still being debugged at this time. As of writing this, that includes the camera, alert slider, offline gestures, and possibly more. With an early build like this, it’s impossible for one developer to know all of the bugs which are present. So if you come across any then please be sure to report it (and include logs) in the thread linked below.

Get Android Oreo (Unofficial) from our OnePlus 2 forum