EDL Exploit Makes Xiaomi + Nokia Devices That Much Easier to Root in Future

Article for Reference: https://www.xda-developers.com/exploit-qualcomm-edl-xiaomi-oneplus-nokia/

IDK how many places are really going to bring this up, but essentially there is a large bug in Xiaomi and Nokia devices that lets you take anything from the bootloader to the OS and do whatever you want with it with a combination of Fastboot and a deep flash cable. This is kinda cool and might allow for some fun stuff with these phones. If any of them are like the ASUS phones based on x86 we might end up with an HTC HD2 again.

Whitepaper on it: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/

Now if only LG would fuck up like this so my V20 can be rooted easier. Then I don’t have to rely on LGUP being a broken piece of shit :stuck_out_tongue:


:thinking: This could be very interesting. I might know what my next phone will be.


Irrelevant and insignificant, EDL has no advantages over ADB.

The point I am trying to make is; Don’t Buy a Locked Phone in the first place! …or one without 3rd party OS support.

The point isn’t any advantage or anything, the point is that there’s ring 1 and 0 access with little work needed.

And get a phone that’s bugged in the process! No thanks! I’d rather do it myself.

Cannot make any sense of this, there is no ring level classification on Android devices. There is a PIT, a bootloader, a ROM…

I think what you’re trying to say is; you’d rather buy a locked phone because an unlocked phone is “a phone that’s bugged”…


No I’m just paranoid about my personal security and prefer to do the work myself.

And now to cap this off, this exploit is now going to be partially used in the root process for ALL V20s except the H918. That’s why this is huge news.

From the V20 root XDA Thread:

I am going to go through this with a fine tooth comb before I risk my device, but after decompiling it, and giving it a quick cursory glance, it doesn’t look like ANY calls are made to the fusing functions on init.

If anyone was curious (I was) as to whether you could use a firehose to just write anything you wanted – nope. It checks the signature of the image being written, and if it doesn’t pass – no flash. Well, again, our engineering aboot is signed, or our phone wouldn’t boot.

So it looks like the full root procedure will be:

  • Have a FULLY charged phone
  • Dump TZ (just to make sure that you have a copy on hand) - tool will be provided
  • Wipe TZ to get into EDL mode (yes - this is the scary 9008 - doesn’t look like the phone even powers on mode) - tool will be provided
  • Use QFIL to flash TZ that you dumped, and engineering ABOOT
  • You will now have full fastboot so you can fastboot flash recovery twrp.img
  • Profit!

This will work on any model V20 except the H918. You guys can thank T-Mobile for deciding to use their own cert.
I will try to contact the person that provided me this firehose and see if they are willing to provide one for the H918.

Lastly, I will be testing this later tonight once I chew through this decompiled code a bit more…

– Brian

It’s not a matter of “Oh superior technology this and that” because that’s not a thing.
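The procedure quoted above (dump TZ, wipe it to drop into the 9008/EDL mode, reflash with QFIL) has two points where a host-side sanity check is worth having: confirming the phone actually enumerated as the Qualcomm 9008 loader when it "doesn't look like it even powers on", and confirming the TZ dump you are about to rely on is not empty or a uniform fill before the live copy gets wiped. The following is an added example written for this page; it is not code from the XDA thread, the V20 root tool, or the Aleph Security write-up. It assumes a Linux host with lsusb on PATH; the only USB IDs it recognises are the well-known Qualcomm QDLoader 9008 (05c6:9008) and Android fastboot (18d1:d00d) identifiers, anything else is reported as unknown rather than guessed, and the sample lsusb output is constructed.

```python
"""Host-side checks for the dump-TZ / wipe-TZ / EDL reflash procedure.

Added example for this page (not from the XDA post, the V20 tool or the
Aleph whitepaper). Assumes a Linux host with `lsusb` available.
"""
import hashlib
import re
import subprocess
import time

# Well-known USB vendor:product IDs. Anything not listed is 'unknown'.
USB_MODES = {
    (0x05C6, 0x9008): "edl",       # Qualcomm HS-USB QDLoader 9008 (Sahara/Firehose)
    (0x18D1, 0xD00D): "fastboot",  # Android fastboot
}

_LSUSB_ID_RE = re.compile(r"ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")

# Constructed sample lsusb output, one capture per phone state.
SAMPLE_LSUSB_EDL = (
    "Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub\n"
    "Bus 001 Device 005: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)\n"
)
SAMPLE_LSUSB_FASTBOOT = (
    "Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub\n"
    "Bus 001 Device 006: ID 18d1:d00d Google Inc.\n"
)
SAMPLE_LSUSB_NOTHING = (
    "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
)


def classify_lsusb(text):
    """Map every 'ID vvvv:pppp' occurrence in lsusb output to a mode name."""
    modes = []
    for match in _LSUSB_ID_RE.finditer(text):
        vid, pid = int(match.group(1), 16), int(match.group(2), 16)
        modes.append(USB_MODES.get((vid, pid), "unknown"))
    return modes


def device_mode(text):
    """Return 'edl', 'fastboot' or 'none' for a block of lsusb output.

    EDL wins over fastboot because a phone in 9008 mode is the state the
    wipe-TZ step is trying to reach; fastboot means the engineering aboot
    is already running.
    """
    modes = classify_lsusb(text)
    if "edl" in modes:
        return "edl"
    if "fastboot" in modes:
        return "fastboot"
    return "none"


def wait_for_mode(wanted, timeout=60.0, poll=1.0):
    """Poll `lsusb` until the phone enumerates in the wanted mode.

    Returns True on success, False on timeout. With the screen dark in
    9008 mode this is the only feedback the host gets.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        out = subprocess.run(["lsusb"], capture_output=True, text=True).stdout
        if device_mode(out) == wanted:
            return True
        time.sleep(poll)
    return False


def check_partition_dump(data, expected_size=None):
    """Sanity-check a dumped partition image before the live copy is wiped.

    Flags an empty dump, a size mismatch against the expected partition
    size (if known), and an all-0x00 / all-0xFF image, which usually means
    the dump read nothing. Records the SHA-256 so the reflash can be
    compared against it later.
    """
    problems = []
    if len(data) == 0:
        problems.append("empty")
    if expected_size is not None and len(data) != expected_size:
        problems.append("size mismatch")
    if data and (data.count(0x00) == len(data) or data.count(0xFF) == len(data)):
        problems.append("uniform fill (dump probably failed)")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "problems": problems,
    }


if __name__ == "__main__":
    print("sample EDL capture ->", device_mode(SAMPLE_LSUSB_EDL))
    print("bad dump ->", check_partition_dump(b"\x00" * 4096)["problems"])
```

Usage on the real procedure: run `check_partition_dump` on the TZ image straight after the dump step and refuse to continue if `problems` is non-empty; after the wipe, call `wait_for_mode("edl")` before starting QFIL, and `wait_for_mode("fastboot")` after flashing the engineering aboot before trying `fastboot flash recovery`. The hash recorded from the dump is what you compare against when you later read TZ back to confirm the reflash.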

@wendell Thoughts on what all has happened with the Xiaomi phones?