Devices with Qualcomm chipsets have a Primary Bootloader (PBL) which typically boots the Android system, but also houses an alternative boot mode known as EDL mode. EDL mode is Qualcomm’s Emergency Download Mode and allows an Original Equipment Manufacturer (OEM) to force flash software on a device. It cannot be modified (it is read-only) and has full control over the device’s storage. Many OEMs including OnePlus and Xiaomi have released tools (known as programmers) which utilize EDL mode and a protocol known as Firehose to unbrick a device, while tools from other companies such as Nokia have leaked. Firehose offers a number of commands to flash devices, along with the ability to examine the data within a device’s memory. Security researchers Roee Hay (@roeehay) and Noam Hadad from Aleph Research have discovered critical device vulnerabilities using this mode, which effectively grant an attacker full device access.
It’s important to note that this exploit requires physical access to the device, but it’s still incredibly dangerous and likely cannot be patched. The researchers used the level of access granted by EDL mode to bypass secure boot on a Nokia 6, defeating the chain of trust and gaining full code execution across every part of the boot sequence, including the Android OS itself. It is theorized to work the same way on other devices, and the researchers also managed to unlock and root multiple Xiaomi devices without any data loss.
What devices are affected by this exploit?
First, the devices which are affected:
List of devices affected.
Exploiting an Android Phone
The Boot Sequence of a Typical Android Qualcomm Phone
It is important to first understand the boot sequence of a typical Android device before explaining how it can be exploited. The Software Bootloader (SBL) is a digitally signed bootloader which is checked for authenticity before being loaded into IMEM. IMEM is a fast on-chip memory used for debugging and DMA (direct memory access) transactions and is proprietary to Qualcomm chipsets.
Some devices have an eXtensible Bootloader (XBL) instead of an SBL, but the boot process is largely the same. The SBL or XBL then launches ABOOT, which implements fastboot. Following this, TrustZone (hardware-based security) is also loaded. TrustZone checks the authenticity of ABOOT by way of a hardware-based root certificate. The SBL (or XBL, in some cases) is designed to reject an incorrectly signed (or unsigned) ABOOT.
Once authenticated, ABOOT then checks /boot and /recovery for authenticity before launching the Linux kernel. Some system preparations are done, and then code execution is transferred over to the kernel. ABOOT is commonly known as the “Android Bootloader,” and when we unlock the bootloader of a device, we are disabling this authenticity check in ABOOT.
Boot sequence of a standard Android device visualised. // Source: Aleph Research
Accessing EDL Mode
While some devices have a simple hardware key combination (or worse, a simple proprietary fastboot command present in many Xiaomi devices), others, such as Nokia devices, need to short pins known as “test points” present on the device’s main board. It also used to be possible, before the December 2017 security patch, to simply run “adb reboot edl” on many devices (including the Nexus 6 and 6P) and enter EDL mode. This has since been fixed.
Test points are shown in a drawn-on yellow box at the bottom of the device’s mainboard. // Source: Aleph Research
Other devices can also use what’s known as a “deep flash” cable, which is a special cable with certain pins shorted to tell the system to instead boot into EDL mode. Old Xiaomi devices can utilize this method, along with the Nokia 5 and Nokia 6. Other devices will also boot into EDL mode when they fail to verify the SBL.
A deep flash cable
Utilizing EDL Mode to Gain Full Access on a OnePlus 3/3T
EDL mode can be utilized in a number of ways on a device, mostly for unbricking devices by force flashing them. As explained above, it should theoretically be safe for anybody to access this mode, as the worst-case scenario is that ABOOT will reject software that isn’t officially signed by the manufacturer. While this is true, it’s actually possible to gain complete control over a OnePlus 3 or 3T and its files, in a proof-of-concept exploit demonstrated by the researchers.
This is done through two very dangerous commands which OnePlus left accessible in an older version of ABOOT (the Android bootloader). They unlock the device’s bootloader (without a warning being shown to the user on boot) and disable dm_verity. dm_verity is also known as verified boot and is part of a safe boot-up sequence on an Android device. The two commands are as follows.
fastboot oem disable_dm_verity
fastboot oem 4F500301 (or 4F500302)
The simple, four-step process below utilizes the Firehose protocol.
- First, boot the device into EDL mode. This can be done either through adb on OxygenOS 5.0 or lower, or by using a simple hardware key combination.
- Download an old system image (OxygenOS below 4.0.2).
- Flash aboot.bin through Firehose (remember that aboot.bin implements fastboot, as mentioned earlier).
- You will now be able to disable secure boot and unlock the bootloader without wiping the device, simply by using the two fastboot commands above.
If you remember, OnePlus was previously found, nearly a year ago, to have left two dangerous fastboot commands in place: one which unlocked the bootloader and one which disabled secure boot. While it’s true that an attacker cannot install unsigned malicious software on the device directly, they can downgrade the device to older software that is vulnerable to attack. Simply by running the above fastboot commands, an attacker can then have full access to the device.
And that’s it, the bootloader is unlocked, secure boot is switched off and there is absolutely no data loss. If an attacker wished to take this a step further, they could flash a malicious custom kernel which enables root access to the device which the user would never know about.
Firehose works through the Qualcomm Sahara protocol, which accepts an OEM-signed programmer and is how the above attack would be carried out. When connected to a device, the programmer acts as an SBL over USB. Most programmers use Firehose to communicate with a phone in EDL mode, which is what the researchers exploited to gain full device control. The researchers also used this to unlock a Xiaomi device simply by flashing a modified image which unlocked the bootloader. They then flashed a custom kernel which gave root access and set SELinux to permissive mode, and also extracted the encrypted userdata image from the device.
It is unknown why OEMs release these programmers from Qualcomm. Nokia, LG, Motorola, and Google programmers leaked rather than being released, yet the researchers managed to break the entire chain of trust on the Nokia 6 and gain full device access through similar methods of exploitation. They are confident the attack can be ported to any device which supports these programmers. If possible, OEMs should make use of hardware qFuses which prevent software rollbacks: the fuses blow when the device is rolled back, so the device can warn the user that a rollback has taken place. Those interested can take a look at the full research paper below and can read the full Nokia exploitation too.
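To make the rollback point concrete, here is an added example (not from the article or from Aleph Research) that models the boot chain described above as a toy verifier: each stage’s OEM signature is checked, and optionally its version is compared against a per-stage anti-rollback fuse value, so that a validly signed but older aboot.bin is rejected. The signing key, image format, stage versions and fuse values are all constructed for the example, and HMAC stands in for the real RSA signature so it runs offline with the standard library.

```python
import hashlib
import hmac

# Constructed stand-in for the OEM signing key. A real Qualcomm chain uses RSA
# certificates rooted in hardware fuses; HMAC is used only so this runs offline.
OEM_KEY = b"constructed-oem-signing-key"


def sign_image(name: str, version: int, payload: bytes) -> dict:
    """Build a 'signed image': stage name, anti-rollback version and a tag
    over both. This image format is constructed for the example."""
    body = f"{name}:{version}:".encode() + payload
    return {"name": name, "version": version, "payload": payload,
            "sig": hmac.new(OEM_KEY, body, hashlib.sha256).digest()}


def signature_valid(img: dict) -> bool:
    """Recompute the tag over name, version and payload; constant-time compare."""
    body = f"{img['name']}:{img['version']}:".encode() + img["payload"]
    expected = hmac.new(OEM_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, img["sig"])


def verify_chain(images: list, fuses: dict, enforce_rollback: bool) -> list:
    """Walk the stages in order (SBL -> ABOOT -> boot, as in the article).
    Each stage must carry a valid OEM signature; with enforce_rollback, its
    version must also be >= the minimum burned into the fuse for that stage.
    Returns the stages accepted before the chain stopped."""
    accepted = []
    for img in images:
        if not signature_valid(img):
            break  # unsigned or tampered stage: rejected, like a bad ABOOT
        if enforce_rollback and img["version"] < fuses.get(img["name"], 0):
            break  # validly signed but older than the fuse allows: a downgrade
        accepted.append(img["name"])
    return accepted


# Constructed sample data: fuses say every stage must be at least version 2.
FUSES = {"sbl": 2, "aboot": 2, "boot": 2}
CURRENT = [sign_image("sbl", 2, b"sbl v2"),
           sign_image("aboot", 2, b"aboot v2"),
           sign_image("boot", 2, b"boot v2")]
# The article's attack: same SBL, but an older, still validly signed aboot.bin.
DOWNGRADED = [CURRENT[0], sign_image("aboot", 1, b"aboot v1"), CURRENT[2]]
# An unsigned modification: payload changed without a matching tag.
TAMPERED = [CURRENT[0], dict(CURRENT[1], payload=b"aboot v2 patched"), CURRENT[2]]

if __name__ == "__main__":
    print("current, rollback enforced:  ", verify_chain(CURRENT, FUSES, True))
    print("downgrade, signature only:   ", verify_chain(DOWNGRADED, FUSES, False))
    print("downgrade, rollback enforced:", verify_chain(DOWNGRADED, FUSES, True))
    print("tampered:                    ", verify_chain(TAMPERED, FUSES, True))
```

With signature checking alone the downgraded chain is accepted all the way through, which is exactly the gap the article’s attack relies on; with the fuse check the chain stops at the old ABOOT.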
Source: Aleph Research