Qualcomm Download Mode 9006

(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

Hello,
I'm trying to test the method of getting a physical dump via Qualcomm Download Mode 9006.

I have a test model of the Samsung Galaxy S4 i9505 with a Qualcomm Snapdragon 600 processor, so I assume it will qualify for my test.
I downloaded eMMC RAW Tool in order to image the device.

I have installed the Qualcomm drivers on Win10: https://imgur.com/a/vdh4Zni

And here is my problem.
I was trying to switch the S4 i9505 into Qualcomm Download Mode 9006 by pressing and holding the volume down key and connecting the device to the computer via USB, and all I get is that my device goes into Download Mode: https://imgur.com/a/GChbXvk

Then when I start eMMC RAW Tool I don't see any device.
https://imgur.com/a/reEzybA

Does Qualcomm Download Mode 9006 look the same as the Download mode in the link above, or am I doing something wrong?

What should I do in order to get a physical dump using the Qualcomm Download Mode 9006 feature?

 
Posted : 08/06/2018 8:19 pm
(@the_grinch)
Posts: 136
Estimable Member
 

Might be wrong, but if you're attempting to get the device into EDL mode you'd need the proper cable. My experience has been to use the EDL cable and that puts the device in the proper mode (screen remains blank) and then you might be able to use this tool.

 
Posted : 08/06/2018 11:28 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Depending on the device the EDL mode might be available by running "fastboot reboot edl".

If the software way is not available, there could be EDL hardware pins which you need to short, and the device goes into EDL mode at the next startup.

If EDL pins aren't available, you can try using an EDL cable.

If nothing above works, short the eMMC CLK or DAT pins with GND; this will always work, since the manufacturers implement emergency mode for cases of hardware failure. Be sure you remove the short before you connect the device for physical acquisition at the next run.

 
Posted : 09/06/2018 6:51 am
(@arcaine2)
Posts: 235
Estimable Member
 

Samsung phones in general have the software way to enter EDL mode blocked. An EDL cable works for some (like G357) but not for the i9505 as far as I tried. There are no testpoints on the board, so the only way is shorting the CLK pin with ground, and this will put the phone in 9008 mode. To actually make a dump from this mode a correct loader is required, nowhere to be found publicly. As far as I know, reaching 9006 (MMC Storage) mode on Samsung is out of the question, at least directly. It may be possible to switch from 9008 to 9006 if you had a correct, signed loader.

If your phone is semi-working you can always flash TWRP and make a physical eMMC dump that way.

 
Posted : 09/06/2018 10:29 am
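
Added illustration (not part of any post in this thread): the modes discussed above enumerate with different USB IDs, which is why an imaging tool waiting for 9006 shows no device while the phone sits in Samsung's own Download Mode. The vendor/product IDs are commonly reported values and the sample lines are constructed; neither comes from the thread.

```python
import re

# Assumption: commonly reported USB IDs, not values given in the thread.
QUALCOMM_VID, SAMSUNG_VID = 0x05C6, 0x04E8
MODES = {
    (QUALCOMM_VID, 0x9006): "Qualcomm MMC Storage (9006): eMMC exposed as a disk",
    (QUALCOMM_VID, 0x9008): "Qualcomm EDL (9008): a signed loader is needed to read",
    (SAMSUNG_VID, 0x685D): "Samsung Download Mode (Odin): not a Qualcomm mode",
}

# Windows PnP instance ID, e.g. USB\VID_05C6&PID_9008\...
_WIN = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
# Linux lsusb line, e.g. "Bus 001 Device 007: ID 05c6:9006 ..."
_LSUSB = re.compile(r"\bID\s+([0-9a-f]{4}):([0-9a-f]{4})\b", re.I)


def parse_usb_id(line):
    """Return (vid, pid) as integers, or None if the line carries no USB ID."""
    m = _WIN.search(line) or _LSUSB.search(line)
    if m is None:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def classify(line):
    """Name the mode a connected handset is in, from one enumeration line."""
    ids = parse_usb_id(line)
    if ids is None:
        return "unparsed"
    if ids in MODES:
        return MODES[ids]
    if ids[0] == QUALCOMM_VID:
        return "Qualcomm device in another mode (PID %04X)" % ids[1]
    return "other device"


def imaging_ready(line):
    """True only for 9006, where a raw imaging tool can see the storage."""
    return parse_usb_id(line) == (QUALCOMM_VID, 0x9006)


# Constructed sample lines (Windows Device Manager and lsusb styles).
SAMPLES = [
    r"USB\VID_04E8&PID_685D\5&2f1c9a0&0&2",
    "Bus 001 Device 009: ID 05c6:9008 Qualcomm, Inc. (QDL mode)",
    r"USB\VID_05C6&PID_9006\6&1b3d7e2&0&1",
    "Bus 001 Device 004: ID 05c6:f000 Qualcomm, Inc.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):58} imaging_ready={imaging_ready(s)}")
```
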
(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

Thanks for the answers.

arcaine2, the problem isn't getting the physical dump itself. All I want is to test the method of using Qualcomm Download Mode 9006.

Miki, I would rather not disassemble the phone right now; I thought there was some easier way.

I was reading the Mobile Forensics – Advanced Investigative Strategies book and there was a section about entering Qualcomm Download Mode 9006. It said:

"Switch your device into Qualcomm Download Mode 9006. To do this, you may attempt the following sequence:
1. Switch the device off (wait while it shuts down completely).
2. Press and hold the hardware volume down key.
3. While holding the key, connect the device to your computer via a USB cable.
4. Wait until the device displays Download mode or Updating firmware 0%.
5. Release the key and wait while the drivers are installed."

This is why I thought I could use a standard USB cable.

 
Posted : 10/06/2018 6:42 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

You just read an outdated manual, it happens sometimes - or most of the time.

For shorting CLK+GND you don't need to totally dismantle the device. I won't post them here, but there are semi-public resources for TAP for this device. It's enough to short those…

In forensics always use the easiest method possible, which at this point is flashing a custom recovery and creating a dd image of the userdata (not encrypted by default) partition to an SD card.

Use the EDL method when nothing else works - right before chip-off.

Somebody (who has time for it) should write and publish a suggested workflow for acquiring mobile devices.

 
Posted : 10/06/2018 8:52 pm
(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

Yes, I know, I always try the simplest possible method.
I just want to try this Qualcomm 9006 method in future cases when any other method fails.

 
Posted : 10/06/2018 9:47 pm
(@arcaine2)
Posts: 235
Estimable Member
 

"arcaine2, the problem isn't getting the physical dump itself. All I want is to test the method of using Qualcomm Download Mode 9006."

I get it, and I've been trying the same last year. That documentation is not universal, and each brand often changes the combination or often disables it completely. I can tell you that Snapdragon-based Alcatel phones can often be booted into 9006 mode by keeping both volume buttons pressed when connected to a PC, and into 9008 mode with vol+. Lumia devices with an unlocked bootloader also have a working 9006 mode. Some Chinese brands have it, like ZTE or Lenovo, LYF etc. Major brands have this locked. I've only seen some damaged LG devices that were stuck in MMC Storage due to a corrupted bootloader.

 
Posted : 11/06/2018 5:14 pm
(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

Thanks arcaine2, it could be useful.

I know that LG uses something called LG Download Mode (LAF).

But I was surprised about Samsung - I've just read this on the Elcomsoft blog:

"Many smartphones equipped with Qualcomm chip sets (except Samsung and LG) are equipped with a so-called Emergency Download Mode"
….
"Samsung does not use the Qualcomm EDL mode even in its Qualcomm-equipped handsets (such as those Galaxy Sx models sold in the United States). Instead, Samsung implemented its own proprietary programming protocol called Odin. Odin can be used to read the (encrypted) content of the device. It can be also used to write data on the device"

So my test model - the Galaxy S4 - is useless at this point.

 
Posted : 11/06/2018 6:00 pm
(@arcaine2)
Posts: 235
Estimable Member
 

Yes, LG has LAF mode (download mode) which allows dumping data. LAF mode is also being limited with each firmware version and phones that came with 7.0 (like Q6) have some useful commands cut out.

"Many smartphones equipped with Qualcomm chip sets (except Samsung and LG) are equipped with a so-called Emergency Download Mode" - this is not entirely true. Both Samsung and LG have EDL mode. They do not have a simple key combination, and the so-called EDL cable doesn't force this mode either for most models, but it does work on the G357, for example. In general, you can always reach it using a testpoint (described by @passcodeunlock), as this is a mode implemented by the CPU itself. What's missing are the correct loaders to utilize this mode to dump data. I haven't seen anything public for Samsung. You can find loaders for some LG devices at least up to the G6/Q6 series, as this method was used to remove FRP by Octoplus.

 
Posted : 11/06/2018 6:24 pm