Huawei HiSilicon access and manipulation  

mshibo
(@mshibo)
Junior Member

So, straight to the point.
In Qualcomm based devices, we can enter EDL mode and with the right firehose programmer, we can do so much in the device such as access the storage and flash custom binaries or inject some commands.
The question is, what can we do with Hisilicon based devices?
Hisilicon based devices have some boot mode that equals to EDL from Qualcomm and I believe that we can achieve so much from there but how it works and to make a real use of it.

Posted : 24/07/2019 2:50 pm
passcodeunlock
(@passcodeunlock)
Senior Member

First step would be to identify the eMMC generation. Generally CLK+GND shorting would get you in faulty mode for eMMC up to version 4.x. For 5.x generations CLK+DAT+GND might do the trick, but I've only read about this and I didn't experiment myself.

If anybody got some dummy HiSilicon based devices and gets results, please keep this post updated!

Posted : 25/07/2019 8:16 am
the_Grinch
(@the_grinch)
Active Member

First step would be to identify the eMMC generation. Generally CLK+GND shorting would get you in faulty mode for eMMC up to version 4.x. For 5.x generations CLK+DAT+GND might do the trick, but I've only read about this and I didn't experiment myself.

If anybody got some dummy HiSilicon based devices and gets results, please keep this post updated!

Any tips on how one could go about learning to short CLK+GND and other electronic theory based on mobile devices?

Posted : 25/07/2019 3:07 pm
passcodeunlock
(@passcodeunlock)
Senior Member

There are pretty many docs about JTAG and ISP techniques for forensic procedures. Those are the base. Decryption on-the-fly while acquisition is the next step, usually way harder than the first step )

Posted : 25/07/2019 8:52 pm
arcaine2
(@arcaine2)
Active Member

No need to look for eMMC faults most of the time, at least up to P20/Mate 20 series. Many HiSilicon based Huawei phones have testpoints to access their "service" mode, with the phone being recognized as "Huawei USB COM 1.0". This mode is often used for firmware downgrade or FRP bypass on "new bootloader" phones, where the process seems to push and execute an older bootloader version (they're unique per the CPU variant, not per the phone itself), then boot into fastboot mode and use an exploit to temporarily partially unlock the bootloader.

Posted : 26/07/2019 5:46 pm
passcodeunlock
(@passcodeunlock)
Senior Member

The "partially unlock the bootloader" leads to data wipe on the very first normal boot. Be sure you get everything in the "cracked" session, or your userdata is gone forever.

Posted : 28/07/2019 7:25 pm
arcaine2
(@arcaine2)
Active Member

The "partially unlock the bootloader" leads to data wipe on the very first normal boot. Be sure you get everything in the "cracked" session, or your userdata is gone forever.

As far as I tested - no, at least not on every device. The recent one I tested was P20 Lite that I needed to downgrade using testpoint method. It's an "exploit" used to write any signed Huawei firmware used by many flasher boxes. Even if flashing fails at some early stage, or in case you deselect userdata, phone will boot fine with data intact.

This doesn't allow to write any unsigned image, like custom recovery, custom boot image, at least as far as I tested. I haven't tried to enable "OEM Unlock" in settings and then using this method to write TWRP without actually unlocking bootloader.

Posted : 28/07/2019 7:54 pm
trewmte
(@trewmte)
Community Legend

So, straight to the point.
In Qualcomm based devices, we can enter EDL mode and with the right firehose programmer, we can do so much in the device such as access the storage and flash custom binaries or inject some commands.
The question is, what can we do with Hisilicon based devices?
Hisilicon based devices have some boot mode that equals to EDL from Qualcomm and I believe that we can achieve so much from there but how it works and to make a real use of it.

Cellebrite's UFED4PC/Touch has a profile using Search//Generic//Huawei Generic//Physical//xxxxxxxxx

Posted : 30/07/2019 8:17 am
passcodeunlock
(@passcodeunlock)
Senior Member

UFED4PC/Touch 2 isn't working with newer firmwares even if you match the Kirin version profile.

Posted : 30/07/2019 1:37 pm
trewmte
(@trewmte)
Community Legend

UFED4PC/Touch 2 isn't working with newer firmwares even if you match the Kirin version profile.

Ohh, that's interesting. I was reading from Cellebrite's own material ( https://www.cellebrite.com/en/blog/industry-first-access-to-huawei-devices-for-digital-evidence/ ). Thank you passcodeunlock for the heads up.

Posted : 30/07/2019 2:48 pm
passcodeunlock
(@passcodeunlock)
Senior Member

CAS is supporting a wider range of devices than they got implemented using bootloader in the UFED4PC/Touch 2. If anybody needs the service, please approach Cellebrite.

On the other hand, I got some solutions for physical dumping (decrypted filesystem dump) mostly any open Huawei device, up to the current date of this post (2019-07-30).

Posted : 30/07/2019 3:28 pm
bjornbroeckx
(@bjornbroeckx)
New Member

CAS is supporting a wider range of devices than they got implemented using bootloader in the UFED4PC/Touch 2. If anybody needs the service, please approach Cellebrite.

On the other hand, I got some solutions for physical dumping (decrypted filesystem dump) mostly any open Huawei device, up to the current date of this post (2019-07-30).

Hey @passcodeunlock, got a solution to access a P20 (EML-L29) for creating a physical dump?
Can't access the device and need data out of it.

Posted : 05/12/2019 9:09 am
tek3195
(@tek3195)
New Member

No need to look for eMMC faults most of the time, at least up to P20/Mate 20 series. Many HiSilicon based Huawei phones have testpoints to access their "service" mode, with the phone being recognized as "Huawei USB COM 1.0". This mode is often used for firmware downgrade or FRP bypass on "new bootloader" phones, where the process seems to push and execute an older bootloader version (they're unique per the CPU variant, not per the phone itself), then boot into fastboot mode and use an exploit to temporarily partially unlock the bootloader.

Hi, do you have a way of finding the correct test point for factory mode? I have a MediaPad M3 BTV-W09 I bought as a brick super cheap. I was thinking I would fix it with a fairly recently purchased SigmaKey Huawei Edition. Worked great on a few others but this one is not recognized by PC. I have searched a multitude of forums to no avail. I don't really know enough yet to find them on my own and haven't been able to find them anywhere yet. Another part of my question is the significance of the markings on the test points. I'm assuming they would indicate a numeric value as they have dots from 1 in the center and up to 9 with one dot surrounded by a circle of eight more. I never knew they had markings until a microscope went across them at just the right angle. I haven't read anything that had reference to any marks on the test point itself, although I've only been reading about test points for a little over a week and the internet is a huge place. May have been close to an answer several times and not even know it. Any help with finding a way into factory mode would be greatly appreciated. I have attached a link to a pic of the marks if wanted.

https://drive.google.com/file/d/1mHj54IDgSATDf_Tjzx3x1acgZDa_gJj0/view?usp=sharing

Posted : 08/01/2020 6:13 am