Qualcomm Download Mode 9006


arcaine2 (Senior Member)
Posted: Jun 11, 18 17:14

- Thomass30

arcaine2, the problem isn't getting physical dump itself. All I want is to test the method of using Qualcomm Download Mode 9006.


I get it, and I've been trying the same last year. That documentation is not universal, and each brand often changes the combination or often disables it completely. I can tell you that Snapdragon-based Alcatel phones can often be booted into 9006 mode by keeping both volume buttons pressed when connected to PC, and to 9008 mode with vol+. Lumia devices with unlocked bootloader also have working 9006 mode. Some Chinese brands have it, like ZTE or Lenovo, LYF etc. Major brands have this locked. I've only seen some damaged LG devices that were stuck in MMC Storage due to corrupted bootloader.
 
  

Thomass30 (Senior Member)
Posted: Jun 11, 18 18:00

Thanks arcaine2, it could be useful.

I know that LG uses something called LG Download Mode (LAF).

But I was surprised about Samsung - I've just read this on the Elcomsoft blog:

"Many smartphones equipped with Qualcomm chip sets (except Samsung and LG) are equipped with a so-called Emergency Download Mode"
....
"Samsung does not use the Qualcomm EDL mode even in its Qualcomm-equipped handsets (such as those Galaxy Sx models sold in the United States). Instead, Samsung implemented its own proprietary programming protocol called Odin. Odin can be used to read the (encrypted) content of the device. It can be also used to write data on the device"

So my testing model - Galaxy S4 is useless at this point :)
 
  

arcaine2 (Senior Member)
Posted: Jun 11, 18 18:24

Yes, LG has LAF mode (download mode) which allows dumping data. LAF mode is also being limited with each firmware version and phones that came with 7.0 (like Q6) have some useful commands cut out.

"Many smartphones equipped with Qualcomm chip sets (except Samsung and LG) are equipped with a so-called Emergency Download Mode" - this is not entirely true. Both Samsung and LG have EDL mode. They do not have a simple key combination, and the so-called EDL cable doesn't force this mode either for most models, but it does work on G357, for example. In general, you can always reach it using a test point (described by @passcodeunlock), as this is a mode implemented by the CPU itself. What's missing are the correct loaders to utilize this mode to dump data. I haven't seen anything public for Samsung. You can find loaders for some LG devices at least up to G6/Q6 series as this method was used to remove FRP by Octoplus.
 
  

passcodeunlock (Senior Member)
Posted: Jun 11, 18 20:09

Don't rely on unknown loaders :) The vendor service software is always right!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

arcaine2 (Senior Member)
Posted: Jun 11, 18 21:22

I'm thinking about firehose/sahara loaders. You can't always get vendor firmware with those, especially not for Samsung or LG devices as they're for internal use only ;)
 
  

legija (Newbie)
Posted: Sep 26, 18 18:56

- arcaine2
To actually make a dump from this mode a correct loader is required, nowhere to be found publicly.

Available since the model was released; sadly it's DMSS streaming download and it's very slow.

But, since these phones even now come up for extraction, I may put up those loaders for the rest of the "public".

drive.google.com/file/...sp=sharing

This will work only with i9505, not with the US/CA counterparts.
I have also some other S4 models loaders, can provide on request.

On how to use it, simplest way I can think of now is:

1. Enter EDL by shorting CMD or CLK to GND
2. QPST->emmcswdownload ->qfuses -> select hex file ->send image
3. Close QPST from taskbar to release port
4. RIFF JTAG Manager -> USB TAB -> set "Streaming download protocol" (other irrelevant as phone is booted)
5. Click "Check Memory" - tick auto fullflash, click read memory.

Edit:

I had one working board here, and after testing, this method won't work, for the simple reason that reading is not compiled into the loader. So it's just good for writes, and building and uploading msimage didn't result in success; the phone didn't enter 9006 mass storage mode.
 
  

aslez (Newbie)
Posted: Mar 08, 19 17:14

So we have an LG Rebel 4 from Tracfone (same as LG Aristo 2, LG Aristo 2 Plus, LG Phoenix 4, etc. all the x210 models and x212).
We found the test point to short to get the phone into 9008 mode.
We cannot find any programmer (mbn/firehose) publicly, but there are FRP unlocks and various code unlock exploits for the various other models.
Any idea how to get one of these into 9006 mode? I created an 8917_msimage.mbn but cannot flash it without a programmer (hex or firehose). I don't see a JTAG interface anywhere even though we do have a test point.


Motherboard photos: slickdeals.net/f/12870...t125854501
9008 test point (see area circled in the next post #229)

Any help would be appreciated in locating the JTAG port, or giving ideas on how to either flash or download the current image.  
 
