HTC EDL Mode  
Somekindapie
(@somekindapie)
New Member

Hi All!

I'm new here, but was hoping for some advice!

I have an HTC Desire 610 (OP90200); this is locked with a pattern code. I need to bypass this, and the only option I have is to try an EDL dumper as it has a Qualcomm chipset. For the life of me I can't get it into EDL mode (I have a lovely EDL cable that doesn't assist). I'm advised that the bootloader is locked when I place it into recovery mode.

Anyone have any ideas?

As normal, Google and YouTube were next to useless!

Thanks in advance for the assistance!

Posted : 23/02/2020 10:09 am
Somekindapie
(@somekindapie)
New Member

FYI - I'm trying everything before trying to short the board, but any input on this side would also be helpful! lol

Posted : 23/02/2020 10:22 am
arcaine2
(@arcaine2)
Active Member

There are no firehose loaders for most HTC devices. What you should do instead is use XTC2Clip to switch the phone into S-OFF mode and then either create a full dump or boot into TWRP, dump pattern.key and crack it, or just delete it.

Posted : 23/02/2020 8:16 pm
mshibo
(@mshibo)
Junior Member

Yes, as Mr arcaine2 suggested, your best option with HTC devices is XTC2clip, which offers not only setting the S flag to OFF but also unlocking the BL for some devices without data loss.
After you accomplish that, you can just flash TWRP and continue as arcaine2 said.

Posted : 01/03/2020 10:45 pm
Somekindapie
(@somekindapie)
New Member

Thank you!!!

Posted : 09/03/2020 7:36 am
botnet
(@botnet)
New Member
Posted by: @arcaine2

There are no firehose loaders for most HTC devices. What you should do instead is use XTC2Clip to switch the phone into S-OFF mode and then either create a full dump or boot into TWRP, dump pattern.key and crack it, or just delete it.

Trying the above on an HTC10 (2PS620000), using XTC2Clip and PowerAdapter.

Am I understanding correctly that, to install TWRP, the bootloader must be unlocked? Doesn't this cause a data wipe?

This post was modified 1 month ago by botnet
Posted : 12/09/2020 8:48 pm
arcaine2
(@arcaine2)
Active Member
Posted by: @botnet
Posted by: @arcaine2

There are no firehose loaders for most HTC devices. What you should do instead is use XTC2Clip to switch the phone into S-OFF mode and then either create a full dump or boot into TWRP, dump pattern.key and crack it, or just delete it.

Trying the above on an HTC10 (2PS620000), using XTC2Clip and PowerAdapter.

Am I understanding correctly that, to install TWRP, the bootloader must be unlocked? Doesn't this cause a data wipe?

HTC 10 is factory encrypted so this method won't work.


In general, if you switch an HTC phone into S-OFF mode (security off), in most cases it allows you to write or boot unsigned images without actually unlocking the bootloader. Can't say about the HTC 10, but on older HTCs (up to and including the One M9) doing this (S-OFF) with XTC2Clip doesn't wipe the phone.

Posted : 14/09/2020 10:04 pm
botnet
(@botnet)
New Member

@arcaine2

My thinking for the HTC 10 is:

XTC2Clip S-OFF, flash TWRP, and once in TWRP use 'adb pull' to gather encrypted images of each partition. I'm hoping these can be loaded directly into Magnet or Cellebrite; if not, then possibly hashcat can crack them.

Could the above work?

Posted : 14/09/2020 10:34 pm
arcaine2
(@arcaine2)
Active Member

@botnet The HTC 10 uses FDE (Full Disk Encryption), so you won't see any encrypted files. The whole userdata partition won't be mounted in TWRP without a proper passcode and encryption support within TWRP. It's also hardware-backed encryption, so Axiom, UFED or Hashcat are unable to work with it directly. You need a decrypting method, essentially allowing the phone to boot and decrypt itself, with access to ADB and root. That's more or less what UFED does with their "decrypting Qualcomm" profiles, but HTC phones are poorly supported there.

Posted : 21/09/2020 9:35 pm
botnet
(@botnet)
New Member

@arcaine2

Thank you, yes you're right, the full disk is encrypted. I can't find any method to decrypt on the phone itself using forensic tools. However, I think I have an idea.

Here's where I'm at:

- XTC2Clip -> S-OFF: enables flashing TWRP
- TWRP installed: now I have full adb access
- adb pull /dev/block/mmcblk0: full encrypted dump of the device on my PC

Now the question is how to decrypt the dump. I understand the encryption key is a combination of the crypto footer (available in my dump) and the hardware SHK key.

This blog post details how to extract Qualcomm's KeyMaster Key.

So my thinking now is to wipe the phone, install the early vulnerable versions of the firmware, boot into the phone, and run laginimaineb's exploit to dump the SHK key.

And then I have the two pieces needed to brute-force the decryption passphrase.

Could it work?

Posted : 27/09/2020 10:28 am
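The point arcaine2 makes about hardware-backed encryption, and the "crypto footer plus hardware key" question in the post above, can be checked against the footer itself before any time is spent on a dump. The Python below is an added example written for this thread (it is not code from the forum, from Android's vold, or from any forensic tool): it parses Android's crypt_mnt_ftr structure (field layout taken from AOSP system/vold/cryptfs.h) out of a raw userdata image and reports the KDF type, because that single byte decides whether the dump contains everything the key derivation consumes or whether the derivation needs the KeyMaster key that never leaves the TEE. The footer location (last 16 KiB of the partition, the AOSP default), the constructed sample footer, and the function names are assumptions made here; a device like the HTC 10 may keep its footer in a separate partition, in which case the bytes have to be read from there instead.

```python
import struct

# Field layout of struct crypt_mnt_ftr from AOSP system/vold/cryptfs.h
# (little-endian, every field naturally aligned, 2348 bytes in total).
# Added illustration for this thread, not vold code.
CRYPT_MNT_MAGIC = 0xD0B5B1C4
CRYPT_FOOTER_OFFSET = 0x4000  # AOSP default: footer sits in the last 16 KiB of userdata (assumed here)
FOOTER_STRUCT = struct.Struct("<IHHIIIIQI64sI48s16sQQIBBBBQ32s2048sI32s32s")

KDF_NAMES = {
    1: "pbkdf2",
    2: "scrypt",
    3: "scrypt_keymaster_unpadded",
    4: "scrypt_keymaster_badly_padded",
    5: "scrypt_keymaster",
}
# KDFs 3-5 sign the scrypt output with a KeyMaster key held in the TEE, so the
# footer plus the image is not enough to run the derivation anywhere but on the device.
HARDWARE_BOUND_KDFS = {3, 4, 5}
CRYPT_TYPE_NAMES = {0: "password", 1: "default", 2: "pattern", 3: "pin"}
FLAG_NAMES = {
    0x01: "KEY_UNENCRYPTED", 0x02: "ENCRYPTION_IN_PROGRESS", 0x04: "INCONSISTENT_STATE",
    0x08: "DATA_CORRUPT", 0x10: "FORCE_ENCRYPTION", 0x20: "FORCE_COMPLETE",
}


def parse_footer(blob):
    """Decode a crypt_mnt_ftr and say whether its KDF is bound to device hardware."""
    if len(blob) < FOOTER_STRUCT.size:
        raise ValueError("buffer shorter than a crypt_mnt_ftr")
    (magic, major, minor, _ftr_size, flags, keysize, crypt_type, fs_size,
     failed_count, crypto_name, _spare, _master_key, _salt, _pd0, _pd1, _pd_size,
     kdf_type, n_factor, r_factor, p_factor, _enc_upto, _hash_first,
     _km_blob, km_blob_size, _scrypted_ik, _sha) = FOOTER_STRUCT.unpack_from(blob)
    if magic != CRYPT_MNT_MAGIC:
        raise ValueError("bad crypt_mnt_ftr magic: 0x%08x" % magic)
    return {
        "version": "%d.%d" % (major, minor),
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "key_bits": keysize * 8,
        "cipher": crypto_name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "crypt_type_name": CRYPT_TYPE_NAMES.get(crypt_type, "unknown(%d)" % crypt_type),
        "fs_size_bytes": fs_size * 512,          # fs_size is stored in 512-byte sectors
        "failed_decrypt_count": failed_count,
        "kdf_name": KDF_NAMES.get(kdf_type, "unknown(%d)" % kdf_type),
        "scrypt": {"N": 1 << n_factor, "r": 1 << r_factor, "p": 1 << p_factor},
        "keymaster_blob_size": km_blob_size,
        "hardware_bound": kdf_type in HARDWARE_BOUND_KDFS,
    }


def footer_from_userdata_image(image):
    """Read the footer from a raw userdata image at the assumed AOSP default location."""
    if len(image) < CRYPT_FOOTER_OFFSET:
        raise ValueError("image too small to hold a crypto footer")
    return parse_footer(image[len(image) - CRYPT_FOOTER_OFFSET:])


def build_sample_footer(kdf_type, keymaster_blob_size):
    """Constructed sample footer (not from any real device): a pattern-locked,
    AES-128 volume with scrypt parameters N=2^15, r=2^3, p=2^1."""
    return FOOTER_STRUCT.pack(
        CRYPT_MNT_MAGIC, 1, 3, FOOTER_STRUCT.size, 0, 16, 2, 0x3A00000, 0,
        b"aes-cbc-essiv:sha256".ljust(64, b"\0"), 0,
        bytes(48), b"\x11" * 16, 0, 0, 0,
        kdf_type, 15, 3, 1, 0, bytes(32),
        bytes(2048), keymaster_blob_size, bytes(32), bytes(32))


if __name__ == "__main__":
    # Constructed image: filler, then the footer in the last 16 KiB, as AOSP lays it out.
    sample = (bytes(4096) + build_sample_footer(5, 256)
              + bytes(CRYPT_FOOTER_OFFSET - FOOTER_STRUCT.size))
    info = footer_from_userdata_image(sample)
    for key, value in info.items():
        print("%-22s %s" % (key, value))
    print("needs device-side decrypt:", info["hardware_bound"])
```

If kdf_name comes back as one of the scrypt_keymaster variants, the derivation chain (scrypt of the passcode and salt, a KeyMaster signature with the device-bound key, scrypt again to reach the intermediate key that unwraps master_key) cannot be reproduced from the image alone, which is exactly why a desktop tool fed only the dump gets nowhere and a decrypt on the device itself, with ADB and root, is the route arcaine2 describes. Only a footer reporting pbkdf2 or plain scrypt carries everything the KDF needs in the dump.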
arcaine2
(@arcaine2)
Active Member

Not sure to be honest. It may, assuming the exploit to extract keymaster key will work on this device. Testing it on a spare device would be a good idea first.

Other than that, you could at this point try to create yourself a boot image with insecure adb running as root. This way, assuming it won't throw an encryption error, you would get a phone booted into Android with ADB enabled and running as root. You could also take a look at the "android universal" project (it's on GitHub), which would make a similar boot image, signed with a fake key, with adb enabled (with your key, so it's paired) and a hidden root shell.

Posted : 27/09/2020 9:57 pm