I agree for the signal.
It seems that the flashing program from qualcomm (hXXps://www.qpstflash.com/) (link changed as site is very suspect, see below) is able to do some backup. Someone has a computer with Wind*ws and can check it?
Nobody tried the treble option to have an AOSP with su?? (just be carrefull with the slots -what I wasn’t-, I can give the cmds)
Sure that the site isn’t scam? It has a couple of red flags, like no legal information, bad grammar, encrypted zip files and implausible claims.
I don’t know. Someone gave this link on another thread. Search for qualcomm qpst flash
You should definitely not try it. A quick whois shows for qptsflash.com:
(Edit: you should at least be careful and aware that it does not come from an official source, see the next post)
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
…
Instead, if you do the very same for qualcomm.com, you get:
Registry Registrant ID:
Registrant Name: Host Master
Registrant Organization: Qualcomm Inc.
Registrant Street: 5775 Morehouse Drive,
Registrant City: San Diego
Registrant State/Province: CA
…
In other terms, qptflash.com is hiding its identity (and qualcomm.com is not). This is far too quite suspicious.
These tools are usually not released by chipset vendors, at least not outside of a small group of qualified technicians. One of those sometimes leaks the tool, after which it ends up on some vague site on the net (packaged with or without malware). The tool for the MTK chipset in the FP1 also came from a shady source, if I recall correctly.
Rock / hard place.
This looks fishy. That tool, among a number of others are all listed on
https://androidmtk.com/download-qpst-flash-tool (scroll down to section “Alternative Qualcomm Flash Tool”
they all have different names, they all claim to be able to flash firmware for “any qualcomm chipset” - they all call it “download” when really they mean flashing a firmware onto the device, and they are all shady windows programs from shady webpages with zero other content.
I downloaded one of those zip files. automatic virus analysis failed because (what a surprise) the zip its password protected (with the password written on the webpage in cleartext) hindering automatic analysis
I went to the trouble and unzipped it, extracted the files from the msi installer and sent them to virustotal. No known malware was detected, but the heuristics went bonkers:
TL;DR don’t dare installing and executing that stuff unless you do it on a virtual machine running on a RAM disk on a battery powered raspberry in a sealed room with lead walls, and burn it afterwards. Connect your phone at your own risk, especially if its unlocked. If the malware is any good, it might actually install itself on your phone.
Edit: After snooping a bit more in the contents, it looks like there is some actual qualcomm tools in there, but they are from 2015 and likely don’t support the newer chips like the 632, so don’t get your hopes up too high.
Edit2: Since I didn’t want to upload every single file to virustotal for checking i re-zipped the unpacked folder (without password) these are the results:
https://www.virustotal.com/gui/file/0841fc9e1624e376f5a50b5a3096b74d95bbba175dd8526e2ad2c2dae39d1370/detection
while nothing specific has been found, I have to say, this does not look safe
btw if these “qualcomm downloader” tool were to work, then THIS here https://www.96boards.org/documentation/consumer/guides/qdl.md.html would work, too. has anyone checked that?
Edit: This uses edl modem this page describes how edl mode is engaged if available
Edit again: Neither adb nor aboot on the FP3 know anything about the “edl” which is likely because thats qcom msm based chipsets specific (which have that emergency bootloader hardcoded in the main cpu - great for unbricking!)
apparently there is even a special USB cable for these chipsets that shorts a pin to force boot the phone into edl mode - available from some forensic supply shops.
probably wont help us, as this is a USB2 cable and FP3 is USB3/USB-C - its possible that something equivalent exists for the SDM6xx series, but since qcom doesn’t release docu and there is nothing in the wild… the msm series had the advantage that there are dev boards openly sold and tools for download from qcom. while for the newer SDM those are only available for OEMs.
It seems like Fairphone the company isn’t even the OEM. The more I learn about the firmware and the device itself, it looks like Fairphone outsourced parts of phone design and manufacturing to a company in far east - which did the actual hardware design. As such the knowledge and NDA’s are between that company and qualcomm, while Fairphone is out of the loop and doesn’t even have that info about their own phone.
I don’t know that for certain, but there are indications, such as the Service Menu app, (com.arima.servicemenu) - it doesn’t include an “about” info anywhere, but this here might make sense:
http://www.arimacomm.com.tw/en/technology-1.php?index_id=2
another bit of info is the info from customer support that qualcomm NDA related info is not known to fairphone employees even. Which would totally make sense if Arima designed and certified the phone for Fairphone.
FP3 is actually USB2/USB-C
btw, must see easter egg:
adb pull /system/priv-app/ServiceMenu/ServiceMenu.apk
mkdir ServiceMenu
cd ServiceMenu
unzip ../ServiceMenu.apk
vlc res/raw/testvideo2.3gp
enjoy
also,
res/raw/test.mp3 : “I will be” from “Avril Lavigne”, Album “The best damn thing” 2007 (cut off after 27 sec)
res/raw/speaker.mp3: beautiful excerpt from “故乡的云” by “徐美澜” - as listed here
res/raw/test_sound.mp3 – actually a RIFF wav file! 4.8 seconds of spanish music
res/raw/test_sound1.mp3 – an actual audio test file - useful for testing mic and speakers
that again makes it more likely that there are hidden extra functions on the unused wires (serial, etc…)
There is also a free and open source tool for EDL on github:
But to properly use that we need a corresponding loader file which I couldn’t find so far.
The FP3 can be switched to EDL mode by powering it off and then keeping both volume buttons pressed while connecting the cable. (screen will stay black)
It is then detected when running edl.py. It prints some device info and complains about missing loader file. Then any further executions of edl.py result in “unknown sahara mode” until the phone is power cycled. (press the power button very long, power off again and redo the volume keys + cable)
Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019.
__main__ - Trying with no loader given ...
__main__ - Waiting for the device
__main__ - Device detected :)
__main__ - Mode detected: sahara
Device is in EDL mode .. continuing.
Library.sahara -HWID: 0x000ba0e100000000
(MSM_ID:0x000ba0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
PK_HASH:
0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial: XXX
SBL Version: 0x00000000
Library.sahara - Couldn't find a loader for given hwid and pkhash :(This edl prog is a good thing to dig into.
You don’t have any loader in the Loaders dir :
for (dirpath, dirnames, filenames) in os.walk(“Loaders”):
[…]
return self.loaderdb
[…]
if self.hwidstr in self.loaderdb:
[…]
else:
logger.error(“Couldn’t find a loader for given hwid and pkhash :(”)
exit(0)
Install EDL loaders
“mkdir examples”
Copy all your loaders into the examples directory
“./fhloaderparse.py examples” → will autodetect and rename loader structure and copy them to the “Loaders” directory
Or rename Loaders manually as msmid_pkhash[8 bytes].bin
Here is more ressources : Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
(They also reversed a msm-8953 loader)
I’ve uploaded the qpst files to a dynamic malware analysis to see the behavior, and to see if we could get the loaders to inspect it :
https://cuckoo.cert.ee/analysis/1494417/summary/
https://cuckoo.cert.ee/analysis/1494418/summary/
Arima (our final assembly partner) in China.
"The final assembly of our Fairphone 3 is done by our partner, Arima. The company’s headquarters are in Taiwan, with Fairphone production taking place at one of their manufacturing facilities in Suzhou, China."
Cool, that means I actually googled up the correct Arima. There’s at least a dozen companies by that name, but this one matched best.
I guess this indeed means any technical questions regarding the phones insides need to be answered - at least indirectly by Arima.
Maybe we should cut out the middleman and ask them nicely - directly. Does anyone here write or speak Mandarin (or Taiwanese)?
also related:
https://forum.xda-developers.com/showpost.php?p=49729779&postcount=7
More info about malware from fake 4.2.2 build (QPST.2.7.422.msi)
MSI package (QPST.2.7.422.msi) was embedded/tampered with qualcomm.exe which is a .NET based malware that logs your keystrokes and sends it to attacker’s server.
to make sure we speak of the same thing, (as the original post only said “google for QPST” and unfortunately google isn’t giving everyone the same search results.
QPST can be found at “qpsttool dot com” in quite many versions. the zip files there are
some (older) versions can also be found on “qpstflash dot com”.
as such the same version of the tool from both sites differ at least one of these sites is definitely distributing malware, no question about that. but that does not mean the other one is clean.
Hi all, finally, I’ve managed to capture some short uart/whatever transmissions from a booting phone on pin T.
Here is a snapshot:
Here is the raw data and the analysis script (more to come):
Cheers, Michael
Noice!
if you have your phone already open: can you check if this pad traces to the top or the bottom module? (by just continuity checking the connector pins)
just o see if there is a change of a hidden uart mode in the headphone jack or usb connector
Have you soldered anything? Maybe it is time to try the uart console, and if it is one, the built image.
To continue with the EDL.
Some commands don’t need the loader. (example: -gpt) I don’t think we’ll have a lot without the loader…
The loader for the device is (probably) on the partition sdl1. Which isn’t entire with the diff updates.
