FP3 custom rom development based on released source code

You should definitely not try it. A quick whois shows for qptsflash.com:
(Edit: you should at least be careful and aware that it does not come from an official source, see the next post)

Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama

Instead, if you do the very same for qualcomm.com, you get:

Registry Registrant ID:
Registrant Name: Host Master
Registrant Organization: Qualcomm Inc.
Registrant Street: 5775 Morehouse Drive,
Registrant City: San Diego
Registrant State/Province: CA

In other words, qptflash.com is hiding its identity (and qualcomm.com is not). This is far too suspicious.

3 Likes

These tools are usually not released by chipset vendors, at least not outside of a small group of qualified technicians. One of those sometimes leaks the tool, after which it ends up on some vague site on the net (packaged with or without malware). The tool for the MTK chipset in the FP1 also came from a shady source, if I recall correctly.
Rock / hard place.

2 Likes

This looks fishy. That tool, among a number of others, is listed on
https://androidmtk.com/download-qpst-flash-tool (scroll down to the section “Alternative Qualcomm Flash Tool”).

They all have different names, they all claim to be able to flash firmware for “any qualcomm chipset”, they all call it “download” when really they mean flashing a firmware onto the device, and they are all shady Windows programs from shady webpages with zero other content.

I downloaded one of those zip files. Automatic virus analysis failed because (what a surprise) the zip is password protected (with the password written on the webpage in cleartext), hindering automatic analysis.

I went to the trouble and unzipped it, extracted the files from the MSI installer and sent them to VirusTotal. No known malware was detected, but the heuristics went bonkers:

https://www.virustotal.com/gui/file/c8c5155db91e87434d38185e0baba7868476ccd71b190ef9354739f56d6157de/detection

TL;DR: don’t dare install and execute that stuff unless you do it on a virtual machine running on a RAM disk on a battery-powered Raspberry Pi in a sealed room with lead walls, and burn it afterwards. Connect your phone at your own risk, especially if it’s unlocked. If the malware is any good, it might actually install itself on your phone.

Edit: After snooping a bit more in the contents, it looks like there are some actual Qualcomm tools in there, but they are from 2015 and likely don’t support the newer chips like the 632, so don’t get your hopes up too high.

Edit 2: Since I didn’t want to upload every single file to VirusTotal for checking, I re-zipped the unpacked folder (without password). These are the results:
https://www.virustotal.com/gui/file/0841fc9e1624e376f5a50b5a3096b74d95bbba175dd8526e2ad2c2dae39d1370/detection

While nothing specific has been found, I have to say this does not look safe.

4 Likes

btw, if these “qualcomm downloader” tools were to work, then THIS here https://www.96boards.org/documentation/consumer/guides/qdl.md.html would work, too. Has anyone checked that?

Edit: This uses EDL mode; this page describes how EDL mode is engaged, if available.

Edit again: Neither adb nor aboot on the FP3 know anything about “edl”, which is likely because that’s specific to Qualcomm MSM-based chipsets (which have that emergency bootloader hardcoded in the main CPU - great for unbricking!)
Apparently there is even a special USB cable for these chipsets that shorts a pin to force-boot the phone into EDL mode - available from some forensic supply shops.

Probably won’t help us, as this is a USB2 cable and the FP3 is USB3/USB-C. It’s possible that something equivalent exists for the SDM6xx series, but since Qualcomm doesn’t release documentation and there is nothing in the wild… The MSM series had the advantage that there are dev boards openly sold and tools for download from Qualcomm, while for the newer SDM those are only available for OEMs.

It seems like Fairphone the company isn’t even the OEM. The more I learn about the firmware and the device itself, the more it looks like Fairphone outsourced parts of phone design and manufacturing to a company in the Far East, which did the actual hardware design. As such, the knowledge and NDAs are between that company and Qualcomm, while Fairphone is out of the loop and doesn’t even have that info about their own phone.

I don’t know that for certain, but there are indications, such as the Service Menu app (com.arima.servicemenu). It doesn’t include an “about” info anywhere, but this here might make sense:
http://www.arimacomm.com.tw/en/technology-1.php?index_id=2

Another bit of info is the info from customer support that Qualcomm NDA-related info is not known even to Fairphone employees. Which would totally make sense if Arima designed and certified the phone for Fairphone.

6 Likes

FP3 is actually USB2/USB-C

3 Likes

btw, must see easter egg:

adb pull /system/priv-app/ServiceMenu/ServiceMenu.apk
mkdir ServiceMenu
cd ServiceMenu
unzip ../ServiceMenu.apk
vlc res/raw/testvideo2.3gp

enjoy

also,
res/raw/test.mp3 : “I will be” from “Avril Lavigne”, Album “The best damn thing” 2007 (cut off after 27 sec)
res/raw/speaker.mp3: beautiful excerpt from “故乡的云” by “徐美澜” - as listed here

res/raw/test_sound.mp3 – actually a RIFF WAV file! 4.8 seconds of Spanish music
res/raw/test_sound1.mp3 – an actual audio test file - useful for testing mic and speakers

sm_compass_calibration_manual_icn

2 Likes

That again makes it more likely that there are hidden extra functions on the unused wires (serial, etc…).

1 Like

There is also a free and open source tool for EDL on GitHub:

But to properly use that we need a corresponding loader file, which I couldn’t find so far.

The FP3 can be switched to EDL mode by powering it off and then keeping both volume buttons pressed while connecting the cable (the screen will stay black).

It is then detected when running edl.py. It prints some device info and complains about a missing loader file. Then any further executions of edl.py result in “unknown sahara mode” until the phone is power cycled (press the power button very long, power off again and redo the volume keys + cable).

Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019.
__main__ - Trying with no loader given ...
__main__ - Waiting for the device
__main__ - Device detected :)
__main__ - Mode detected: sahara
Device is in EDL mode .. continuing.
Library.sahara -HWID: 0x000ba0e100000000
(MSM_ID:0x000ba0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH:
0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial: XXX
SBL Version: 0x00000000

Library.sahara - Couldn't find a loader for given hwid and pkhash :(

7 Likes

This edl prog is a good thing to dig into.

You don’t have any loader in the Loaders dir:

for (dirpath, dirnames, filenames) in os.walk("Loaders"):
    […]
return self.loaderdb
[…]
if self.hwidstr in self.loaderdb:
    […]
else:
    logger.error("Couldn't find a loader for given hwid and pkhash :(")
    exit(0)

Install EDL loaders:
mkdir examples
Copy all your loaders into the examples directory
./fhloaderparse.py examples → will autodetect and rename the loader structure and copy them to the “Loaders” directory
Or rename loaders manually as msmid_pkhash[8 bytes].bin

Here are more resources: Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
(They also reversed an msm-8953 loader)

3 Likes
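To tie the sahara output quoted above to the loader naming described in this post, here is a small added example (not code from edl.py or the thread): it splits the 64-bit HWID into MSM_ID / OEM_ID / MODEL_ID the way the log prints them, builds the expected loader filename from msmid and the first 8 bytes of the PK hash, and scans a Loaders directory for it. The exact filename format and the function names are assumptions; the log text is constructed from the output quoted in the thread.

```python
import os
import re
import tempfile

# Constructed sample, copied from the sahara output quoted in the thread.
SAHARA_LOG = """\
Library.sahara -HWID: 0x000ba0e100000000
(MSM_ID:0x000ba0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH:
0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
"""

def split_hwid(hwid):
    """Split the 64-bit HWID into MSM_ID (top 32 bits), OEM_ID and
    MODEL_ID (16 bits each), matching the breakdown edl.py prints."""
    return hwid >> 32, (hwid >> 16) & 0xFFFF, hwid & 0xFFFF

def parse_sahara(log):
    """Return (msm_id, oem_id, model_id, pk_hash_hex) from the log text."""
    hwid = int(re.search(r"HWID:\s*0x([0-9a-fA-F]+)", log).group(1), 16)
    pk = re.search(r"PK_HASH:\s*0x([0-9a-fA-F]{64})", log).group(1).lower()
    msm, oem, model = split_hwid(hwid)
    return msm, oem, model, pk

def loader_name(msm_id, pk_hash_hex):
    """Expected loader filename per the post: msmid (8 hex digits), '_',
    first 8 bytes of the PK hash (16 hex digits), '.bin'. Assumed format."""
    return f"{msm_id:08x}_{pk_hash_hex[:16]}.bin"

def find_loader(loaders_dir, msm_id, pk_hash_hex):
    """Return the path of a matching loader under loaders_dir, or None
    (the case the thread hits: no loader for this hwid/pkhash)."""
    wanted = loader_name(msm_id, pk_hash_hex)
    for dirpath, _dirnames, filenames in os.walk(loaders_dir):
        for fn in filenames:
            if fn.lower() == wanted:
                return os.path.join(dirpath, fn)
    return None

if __name__ == "__main__":
    msm, oem, model, pk = parse_sahara(SAHARA_LOG)
    print(f"MSM_ID 0x{msm:08x} OEM_ID 0x{oem:04x} MODEL_ID 0x{model:04x}")
    print("expected loader file:", loader_name(msm, pk))
    with tempfile.TemporaryDirectory() as empty_loaders_dir:
        print("found:", find_loader(empty_loaders_dir, msm, pk))
```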

I’ve uploaded the QPST files to a dynamic malware analysis sandbox to see the behavior, and to see if we could get the loaders to inspect them:
https://cuckoo.cert.ee/analysis/1494417/summary/
https://cuckoo.cert.ee/analysis/1494418/summary/

  • I didn’t find any loader, we need to go deeper;
  • The MSI didn’t work on the sandbox;
  • The exe looks suspicious. Some of the suspicious behaviors are because it is an installer.

2 Likes

Arima (our final assembly partner) in China.

Source

5 Likes

"The final assembly of our Fairphone 3 is done by our partner, Arima. The company’s headquarters are in Taiwan, with Fairphone production taking place at one of their manufacturing facilities in Suzhou, China."

Cool, that means I actually googled up the correct Arima. There are at least a dozen companies by that name, but this one matched best.
I guess this indeed means any technical questions regarding the phone’s insides need to be answered, at least indirectly, by Arima.

Maybe we should cut out the middleman and ask them nicely - directly. Does anyone here write or speak Mandarin (or Taiwanese)?

4 Likes

also related:

https://forum.xda-developers.com/showpost.php?p=49729779&postcount=7

More info about malware from fake 4.2.2 build (QPST.2.7.422.msi)
MSI package (QPST.2.7.422.msi) was embedded/tampered with qualcomm.exe which is a .NET based malware that logs your keystrokes and sends it to attacker’s server.

To make sure we speak of the same thing (as the original post only said “google for QPST” and unfortunately Google isn’t giving everyone the same search results):

QPST can be found at “qpsttool dot com” in quite many versions. The zip files there are

  • not password protected
  • include a single .exe which is supposedly an installer, as well as a driver package

some (older) versions can also be found on “qpstflash dot com”.

  • the zip files there are password protected (password is given on the webpage)
  • zip includes an msi installer and a setup.exe to supposedly run it
  • the msi can be manually extracted with a tool like “msiextract” to analyse the contents

As such, the same version of the tool from both sites differs; at least one of these sites is definitely distributing malware, no question about that. But that does not mean the other one is clean.

2 Likes

Hi all, finally, I’ve managed to capture some short uart/whatever transmissions from a booting phone on pin T.
Here is a snapshot:


The data is still raw samples as I recorded them with a Bitscope Micro. I hope to find time to work on postprocessing soon.

Here is the raw data and the analysis script (more to come):


Cheers, Michael

13 Likes

Noice!

If you have your phone already open: can you check if this pad traces to the top or the bottom module? (by just continuity-checking the connector pins)
Just to see if there is a chance of a hidden UART mode in the headphone jack or USB connector.

1 Like

Have you soldered anything? Maybe it is time to try the uart console, and if it is one, the built image.

1 Like

To continue with the EDL.


Some commands don’t need the loader. (example: -gpt) I don’t think we’ll have a lot without the loader…

The loader for the device is (probably) on the partition sdl1, which isn’t complete in the diff updates.

2 Likes

Hi, it is already closed but I will try next time. Good idea to check for connections elsewhere :)

1 Like

Hi, yes, I soldered thin wires onto the pads and then closed the device. Now I can measure without the need of four hands :) . Currently I can just measure an analog signal since I do not yet have UART hardware for 1.7v signals.

8 Likes

The weird thing about that signal is the inversion. Why is the binary part between 0 and -1.8V but then jumps to +1V? Is that an artefact of how it was measured? Which ground pin did you use?

1 Like