
HTC EDL Mode

11 Posts
4 Users
0 Likes
4,128 Views
(@somekindapie)
Posts: 6
Active Member
Topic starter
 

Hi All!

I'm new here, but was hoping for some advice!

I have an HTC Desire 610 (OP90200), which is locked with a pattern code. I need to bypass this, and the only option I have is to try an EDL dumper as it has a Qualcomm chipset. For the life of me I can't get it into EDL mode (I have a lovely EDL cable that doesn't assist). I'm advised that the bootloader is locked when I place it into recovery mode.

Anyone have any ideas?

As normal, Google and YouTube were next to useless!

Thanks in advance for the assistance!

 
Posted : 23/02/2020 10:09 am
(@somekindapie)
Posts: 6
Active Member
Topic starter
 

FYI - I'm trying everything before trying to short the board, but any input on this side would also be helpful! lol

 
Posted : 23/02/2020 10:22 am
(@arcaine2)
Posts: 235
Estimable Member
 

There are no firehose loaders for most HTC devices. What you should do instead is use XTC2Clip to switch the phone into S-OFF mode and then either create a full dump or boot into TWRP, dump pattern.key and crack it, or just delete it.

 
Posted : 23/02/2020 8:16 pm
(@mshibo)
Posts: 34
Eminent Member
 

Yes, as Mr arcaine2 suggested, your best option with HTC devices is XTC2Clip, which offers not only setting the S flag to OFF but also unlocking the bootloader on some devices without data loss.
After you accomplish that, you can just flash TWRP and continue as arcaine2 said.

 
Posted : 01/03/2020 10:45 pm
(@somekindapie)
Posts: 6
Active Member
Topic starter
 

Thank you!!!

 
Posted : 09/03/2020 7:36 am
(@botnet)
Posts: 3
New Member
 
Posted by: @arcaine2

There are no firehose loaders for most HTC devices. What you should do instead is use XTC2Clip to switch the phone into S-OFF mode and then either create a full dump or boot into TWRP, dump pattern.key and crack it, or just delete it.

Trying the above on an HTC10 (2PS620000), using XTC2Clip and PowerAdapter. 

Am I understanding correctly that, to install TWRP, the bootloader must be unlocked? Doesn't this cause a data wipe?

This post was modified 4 years ago by botnet
 
Posted : 12/09/2020 7:48 pm
(@arcaine2)
Posts: 235
Estimable Member
 
Posted by: @botnet
Posted by: @arcaine2

There are no firehose loaders for most HTC devices. What you should do instead is use XTC2Clip to switch the phone into S-OFF mode and then either create a full dump or boot into TWRP, dump pattern.key and crack it, or just delete it.

Trying the above on an HTC10 (2PS620000), using XTC2Clip and PowerAdapter. 

Am I understanding correctly that, to install TWRP, the bootloader must be unlocked? Doesn't this cause a data wipe?

HTC 10 is factory encrypted so this method won't work.

In general, if you switch an HTC phone into S-OFF mode (security off), in most cases it allows you to write or boot unsigned images without actually unlocking the bootloader. Can't say about the HTC 10, but on older HTC phones (up to and including the One M9) doing this (S-OFF) with XTC2Clip doesn't wipe the phone.

 
Posted : 14/09/2020 9:04 pm
(@botnet)
Posts: 3
New Member
 

@arcaine2

My thinking for the HTC 10 is:

XTC2Clip S-OFF, flash TWRP, and once in TWRP use 'adb pull' to gather encrypted images of each partition. I'm hoping these can be loaded directly into Magnet or Cellebrite; if not, then possibly hashcat can crack them.

Could the above work?

Posted : 14/09/2020 9:34 pm
(@arcaine2)
Posts: 235
Estimable Member
 

@botnet The HTC 10 uses FDE (Full Disk Encryption), so you won't see any encrypted files. The whole userdata partition won't be mounted in TWRP without a proper passcode and encryption support within TWRP. It's also hw-backed encryption, so Axiom, UFED or hashcat are unable to work with it directly. You need a decrypting method, essentially allowing the phone to boot and decrypt itself with access to ADB and root. That's more or less what UFED does with their "decrypting Qualcomm" profiles, but HTC phones are poorly supported there.

 
Posted : 21/09/2020 8:35 pm
(@botnet)
Posts: 3
New Member
 

@arcaine2

Thank you, yes you're right, the full disk is encrypted. I can't find any method to decrypt on the phone itself using forensic tools. However, I think I have an idea.

Here's where I'm at:

- XTC2Clip -> S-OFF: enables flashing TWRP
- TWRP installed: now I have full adb access
- adb pull /dev/block/mmcblk0: full encrypted dump of the device on my PC

Now the question is how to decrypt the dump. I understand the encryption key is a combination of the crypto footer (available in my dump) and the hardware SHK key.

This blog post details how to extract Qualcomm's KeyMaster key.

So my thinking now is to wipe the phone, install the early vulnerable versions of firmware, boot into the phone, and run laginimaineb's exploit to dump the SHK key.

And then I have the two pieces needed to brute-force the decryption passphrase.

Could it work?

Posted : 27/09/2020 9:28 am
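The exchange above turns on one detail of the crypto footer: which KDF it records. The footer is a `crypt_mnt_ftr` structure (public in Android's `system/vold/cryptfs.h`) stored in the last 16 KiB of the userdata partition; its `kdf_type` field says whether the passcode is stretched with plain PBKDF2/scrypt or with a keymaster-bound scrypt variant. In the latter case the footer plus a passcode guess is not enough to reproduce the key, which is why a dump of this kind cannot be attacked offline and why arcaine2 says the phone has to decrypt itself. The following parser is an added example written for this thread, not code from XTC2Clip, TWRP or any forensic tool; the field layout follows cryptfs.h, the footer bytes fed to it are constructed in the script, and the `footer_from_userdata_image` and `key_is_hardware_bound` helpers are names chosen here.

```python
# Added example: parse the Android FDE crypto footer (struct crypt_mnt_ftr from
# system/vold/cryptfs.h) found in the last 16 KiB of a raw userdata image and
# report whether the key-derivation function is bound to the device's keymaster.
# The footer bytes used in the demo are constructed below, not taken from a device.
import struct

CRYPT_MNT_MAGIC = 0xD0B5B1C4
CRYPT_FOOTER_OFFSET = 0x4000      # footer starts 16 KiB before the end of userdata

KDF_NAMES = {
    1: "pbkdf2",
    2: "scrypt",
    3: "scrypt+keymaster (unpadded)",
    4: "scrypt+keymaster (badly padded)",
    5: "scrypt+keymaster",
}
HW_BOUND_KDFS = {3, 4, 5}         # these mix in a keymaster signature the dump does not hold
CRYPT_TYPES = {0: "password", 1: "default (no user credential)", 2: "pattern", 3: "pin"}
FLAG_NAMES = {0x1: "KEY_UNENCRYPTED", 0x2: "ENCRYPTION_IN_PROGRESS",
              0x4: "INCONSISTENT_STATE", 0x8: "DATA_CORRUPT",
              0x10: "FORCE_ENCRYPTION", 0x20: "FORCE_COMPLETE"}

# Fixed-size prefix of crypt_mnt_ftr up to the scrypt cost factors (192 bytes, little-endian).
_FTR = struct.Struct("<IHHIIIIQI64sI48s16sQQIBBBB")


def parse_footer(buf: bytes) -> dict:
    """Decode the fixed header of a crypt_mnt_ftr; raises ValueError on a bad magic."""
    if len(buf) < _FTR.size:
        raise ValueError("buffer shorter than crypt_mnt_ftr header")
    (magic, major, minor, ftr_size, flags, keysize, crypt_type, fs_size,
     failed, cipher_name, _spare2, enc_master_key, salt, _pd_off0, _pd_off1,
     _pd_size, kdf_type, n_factor, r_factor, p_factor) = _FTR.unpack_from(buf)
    if magic != CRYPT_MNT_MAGIC:
        raise ValueError("bad crypt_mnt_ftr magic 0x%08x" % magic)
    return {
        "version": (major, minor),
        "ftr_size": ftr_size,
        "flags": [label for bit, label in FLAG_NAMES.items() if flags & bit],
        "keysize": keysize,
        "crypt_type": CRYPT_TYPES.get(crypt_type, "unknown(%d)" % crypt_type),
        "fs_size_sectors": fs_size,
        "failed_decrypt_count": failed,
        "cipher": cipher_name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "encrypted_master_key": enc_master_key[:keysize],  # still wrapped by the KDF output
        "salt": salt,
        "kdf": KDF_NAMES.get(kdf_type, "unknown(%d)" % kdf_type),
        "kdf_type": kdf_type,
        "scrypt": {"N": 1 << n_factor, "r": 1 << r_factor, "p": 1 << p_factor},
    }


def footer_from_userdata_image(image: bytes) -> dict:
    """Pull the footer out of a raw userdata dump that uses footer mode."""
    if len(image) < CRYPT_FOOTER_OFFSET:
        raise ValueError("image too small to hold a crypto footer")
    return parse_footer(image[-CRYPT_FOOTER_OFFSET:])


def key_is_hardware_bound(ftr: dict) -> bool:
    """True when the KDF needs the device's keymaster: footer + passcode alone cannot
    reproduce the key, so the dump is not attackable offline."""
    return ftr["kdf_type"] in HW_BOUND_KDFS


def build_sample_footer(kdf_type: int, crypt_type: int = 2) -> bytes:
    """Construct a synthetic 16 KiB footer (demo data, not from any device)."""
    hdr = _FTR.pack(
        CRYPT_MNT_MAGIC, 1, 3, 0x1000, 0x10, 16, crypt_type, 1 << 26,
        0, b"aes-cbc-essiv:sha256".ljust(64, b"\0"), 0,
        bytes(range(48)), bytes(range(16)), 0, 0, 0,
        kdf_type, 15, 3, 1,
    )
    return hdr.ljust(CRYPT_FOOTER_OFFSET, b"\0")


if __name__ == "__main__":
    image = bytes(4096) + build_sample_footer(kdf_type=5)   # tiny stand-in for userdata
    ftr = footer_from_userdata_image(image)
    for key, value in ftr.items():
        if key != "encrypted_master_key":
            print("%-22s %s" % (key, value))
    print("hardware-bound KDF:", key_is_hardware_bound(ftr))
```

Running the script against a real `mmcblk0`-style dump would mean slicing out the userdata partition first (the footer is relative to the end of that partition, not the whole eMMC). The value worth reading is `kdf`: a `pbkdf2` or `scrypt` entry belongs to the pre-keymaster generation of devices, while any `scrypt+keymaster` entry is the case arcaine2 describes, where the device's own keymaster is part of the derivation and the footer on its own settles nothing.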