Huawei HiSilicon access and manipulation

13 Posts
7 Users
0 Likes
3,126 Views
(@mshibo)
Posts: 34
Eminent Member
Topic starter
 

So, straight to the point.
In Qualcomm based devices, we can enter EDL mode and with the right firehose programmer, we can do so much in the device, such as access the storage and flash custom binaries or inject some commands.
The question is, what can we do with Hisilicon based devices?
Hisilicon based devices have some boot mode that is equivalent to EDL from Qualcomm, and I believe that we can achieve so much from there, but how does it work and how do we make real use of it?

 
Posted : 24/07/2019 1:50 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

First step would be to identify the eMMC generation. Generally CLK+GND shorting would get you in faulty mode for eMMC up to version 4.x. For 5.x generations CLK+DAT+GND might do the trick, but I've only read about this and I didn't experiment myself.

If anybody got some dummy HiSilicon based devices and gets results, please keep this post updated!

 
Posted : 25/07/2019 7:16 am
(@the_grinch)
Posts: 136
Estimable Member
 

First step would be to identify the eMMC generation. Generally CLK+GND shorting would get you in faulty mode for eMMC up to version 4.x. For 5.x generations CLK+DAT+GND might do the trick, but I've only read about this and I didn't experiment myself.

If anybody got some dummy HiSilicon based devices and gets results, please keep this post updated!

Any tips on how one could go about learning to short CLK+GND and other electronic theory based on mobile devices?

 
Posted : 25/07/2019 2:07 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

There are pretty many docs about JTAG and ISP techniques for forensic procedures. Those are the base. Decryption on-the-fly during acquisition is the next step, usually way harder than the first step )

 
Posted : 25/07/2019 7:52 pm
(@arcaine2)
Posts: 235
Estimable Member
 

No need to look for eMMC faults most of the time, at least up to the P20/Mate 20 series. Many HiSilicon based Huawei phones have testpoints to access their "service" mode, with the phone being recognized as "Huawei USB COM 1.0". This mode is often used for firmware downgrade or FRP bypass on "new bootloader" phones, where the process seems to push and execute an older bootloader version (they're unique per CPU variant, not per phone), then boot into fastboot mode and use an exploit to temporarily partially unlock the bootloader.

 
Posted : 26/07/2019 4:46 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

The "partially unlock the bootloader" leads to data wipe on the very first normal boot. Be sure you get everything in the "cracked" session, or your userdata is gone forever.

 
Posted : 28/07/2019 6:25 pm
(@arcaine2)
Posts: 235
Estimable Member
 

The "partially unlock the bootloader" leads to data wipe on the very first normal boot. Be sure you get everything in the "cracked" session, or your userdata is gone forever.

As far as I tested - no, at least not on every device. The recent one I tested was a P20 Lite that I needed to downgrade using the testpoint method. It's an "exploit" used to write any signed Huawei firmware, used by many flasher boxes. Even if flashing fails at some early stage, or in case you deselect userdata, the phone will boot fine with data intact.

This doesn't allow writing any unsigned image, like a custom recovery or custom boot image, at least as far as I tested. I haven't tried to enable "OEM Unlock" in settings and then use this method to write TWRP without actually unlocking the bootloader.

 
Posted : 28/07/2019 6:54 pm
(@trewmte)
Posts: 1877
Noble Member
 

So, straight to the point.
In Qualcomm based devices, we can enter EDL mode and with the right firehose programmer, we can do so much in the device such as access the storage and flash custom binaries or inject some commands.
The question is, what can we do with Hisilicon based devices?
Hisilicon based devices have some boot mode that equals to EDL from Qualcomm and I believe that we can achieve so much from there but how it works and to make a real use of it.

Cellebrite's UFED4PC/Touch has a profile using Search//Generic//Huawei Generic//Physical//xxxxxxxxx

 
Posted : 30/07/2019 7:17 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

UFED4PC/Touch 2 isn't working with newer firmwares even if you match the Kirin version profile.

 
Posted : 30/07/2019 12:37 pm
(@trewmte)
Posts: 1877
Noble Member
 

UFED4PC/Touch 2 isn't working with newer firmwares even if you match the Kirin version profile.

Ohh, that's interesting. I was reading from Cellebrite's own material ( https://www.cellebrite.com/en/blog/industry-first-access-to-huawei-devices-for-digital-evidence/ ). Thank you, passcodeunlock, for the heads up.

 
Posted : 30/07/2019 1:48 pm