Huawei HiSilicon access and manipulation

mshibo
Member

Huawei HiSilicon access and manipulation

Posted: Jul 24, 19 13:50

So, straight to the point.
In Qualcomm-based devices, we can enter EDL mode and, with the right firehose programmer, we can do a great deal with the device, such as access the storage and flash custom binaries or inject some commands.
The question is, what can we do with HiSilicon-based devices?
HiSilicon-based devices have a boot mode that is equivalent to Qualcomm's EDL, and I believe we can achieve a lot from there, but how does it work, and how can we make real use of it?
passcodeunlock
Senior Member

Re: Huawei HiSilicon access and manipulation

Posted: Jul 25, 19 07:16

The first step would be to identify the eMMC generation. Generally, CLK+GND shorting would get you into faulty mode for eMMC up to version 4.x. For the 5.x generations, CLK+DAT+GND might do the trick, but I've only read about this and haven't experimented myself.

If anybody has some dummy HiSilicon-based devices and gets results, please keep this post updated!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
the_Grinch
Senior Member

Re: Huawei HiSilicon access and manipulation

Posted: Jul 25, 19 14:07

- passcodeunlock
The first step would be to identify the eMMC generation. Generally, CLK+GND shorting would get you into faulty mode for eMMC up to version 4.x. For the 5.x generations, CLK+DAT+GND might do the trick, but I've only read about this and haven't experimented myself.

If anybody has some dummy HiSilicon-based devices and gets results, please keep this post updated!


Any tips on how one could go about learning to short CLK+GND and other electronics theory relating to mobile devices?
passcodeunlock
Senior Member

Re: Huawei HiSilicon access and manipulation

Posted: Jul 25, 19 19:52

There are plenty of docs about JTAG and ISP techniques for forensic procedures. Those are the base. Decryption on the fly during acquisition is the next step, usually much harder than the first step.
arcaine2
Senior Member

Re: Huawei HiSilicon access and manipulation

Posted: Jul 26, 19 16:46

No need to look for eMMC faults most of the time, at least up to the P20/Mate 20 series. Many HiSilicon-based Huawei phones have test points to access their "service" mode, with the phone being recognized as "Huawei USB COM 1.0". This mode is often used for firmware downgrade or FRP bypass on "new bootloader" phones, where the process seems to push and execute an older bootloader version (they're unique per CPU variant, not per phone), then boot into fastboot mode and use an exploit to temporarily and partially unlock the bootloader.
passcodeunlock
Senior Member

Re: Huawei HiSilicon access and manipulation

Posted: Jul 28, 19 18:25

The "partially unlock the bootloader" leads to data wipe on the very first normal boot. Be sure you get everything in the "cracked" session, or your userdata is gone forever.
arcaine2
Senior Member

Re: Huawei HiSilicon access and manipulation

Posted: Jul 28, 19 18:54

- passcodeunlock
The "partially unlock the bootloader" leads to data wipe on the very first normal boot. Be sure you get everything in the "cracked" session, or your userdata is gone forever.


As far as I tested, no, at least not on every device. The most recent one I tested was a P20 Lite that I needed to downgrade using the test point method. It's an "exploit" used to write any signed Huawei firmware, used by many flasher boxes. Even if flashing fails at some early stage, or in case you deselect userdata, the phone will boot fine with data intact.

This doesn't allow writing any unsigned image, like a custom recovery or custom boot image, at least as far as I tested. I haven't tried enabling "OEM Unlock" in settings and then using this method to write TWRP without actually unlocking the bootloader.