
Oneplus 10 Pro - unpack requires a buffer of 4 bytes in get_serial_num()

Open 0xBAADF0OD opened this issue 4 years ago • 9 comments

Macbook Pro, Intel, OSX 12.2.1
Python 3.8.9
edl 3.6.0 (git pulled 4/14/2022)
Multiple data cables / ports tried

Attempted with OnePlus loader from MSM, as well as no loader, same error.

Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Using loader 1.elf ...
main - Waiting for the device
......
main - Hint:   Press and hold vol up+dwn, connect usb. For some, only use vol up.
main - Xiaomi: Press and hold vol dwn + pwr, in fastboot mode connect usb.
        Run "./fastpwn oem edl".
main - Other:  Run "adb reboot edl".

...............
..............
..............
.........main - Device detected :)
sahara - Protocol version: 3.1
main - Mode detected: sahara
Traceback (most recent call last):
  File "/usr/local/bin/edl", line 4, in <module>
    __import__('pkg_resources').run_script('edlclient==3.60', 'edl')
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/site-packages/pkg_resources/__init__.py", line 665, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/site-packages/pkg_resources/__init__.py", line 1463, in run_script
    exec(code, namespace, namespace)
  File "/Library/Python/3.8/site-packages/edlclient-3.60-py3.8.egg/EGG-INFO/scripts/edl", line 380, in <module>
    base.run()
  File "/Library/Python/3.8/site-packages/edlclient-3.60-py3.8.egg/EGG-INFO/scripts/edl", line 328, in run
    sahara_info = self.sahara.cmd_info()
  File "/Library/Python/3.8/site-packages/edlclient-3.60-py3.8.egg/edlclient/Library/sahara.py", line 210, in cmd_info
    self.serial = self.cmdexec_get_serial_num()
  File "/Library/Python/3.8/site-packages/edlclient-3.60-py3.8.egg/edlclient/Library/sahara.py", line 174, in cmdexec_get_serial_num
    return unpack("<I", res)[0]
struct.error: unpack requires a buffer of 4 bytes

Update: The contents of res that cause the error are: 00000000: AE F5 45 31 32 04 00 00 ..E12...

0xBAADF0OD avatar Apr 14 '22 19:04 0xBAADF0OD
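The failure above comes from unpack("<I", res) being handed an 8-byte response when it demands exactly 4. The following is an added illustration, not code from the edl project or from any commenter: it reproduces the struct.error with the bytes from the hexdump and shows a tolerant parse that takes the first little-endian u32 as the serial and hands back the rest as opaque trailing data. The assumption that the serial is the first 4 bytes, and the name parse_serial_response, are mine.

```python
import struct
from binascii import hexlify

# Constructed from the hexdump in the issue: 8 bytes where the client expected 4.
RES_FROM_ISSUE = bytes.fromhex("AEF54531 32040000")


def strict_unpack(res: bytes) -> int:
    """The failing call from sahara.py: unpack() insists on exactly 4 bytes."""
    return struct.unpack("<I", res)[0]


def parse_serial_response(res: bytes) -> tuple[int, bytes]:
    """Tolerant variant (illustration only, not the project's fix).

    Assumes the serial is the first little-endian u32 of the response and
    treats anything after it as opaque trailing data that is returned to
    the caller instead of crashing the client.
    """
    if len(res) < 4:
        raise ValueError(
            f"serial response too short ({len(res)} bytes): "
            f"{hexlify(res, ' ').decode()}"
        )
    serial = struct.unpack_from("<I", res, 0)[0]
    return serial, res[4:]


def reproduces_struct_error(res: bytes) -> bool:
    """True when the strict call raises the error reported in the issue."""
    try:
        strict_unpack(res)
    except struct.error:
        return True
    return False


if __name__ == "__main__":
    print("strict unpack fails:", reproduces_struct_error(RES_FROM_ISSUE))
    serial, trailing = parse_serial_response(RES_FROM_ISSUE)
    print(f"serial=0x{serial:08X} trailing={hexlify(trailing, ' ').decode()}")
```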

Have you tried redownloading the package?

convolutionary avatar Apr 15 '22 15:04 convolutionary

Yes, I also tried in a debian vm, exact same results.

A few findings:

Protocol version 3.1 seems to be completely different (?); none of the other cmd_t or exec_cmd_t seem to work to get hwid, pkhash, etc.

Bypassing all of that and just trying to upload a loader appears to work, but the loader does not respond to the b"\x01QCOM fast download protocol host\x03\x23\x23\x23\x20" magic. Unsure if the loader is bad or the magic has changed.

0xBAADF0OD avatar Apr 15 '22 15:04 0xBAADF0OD

Just another note, I started looking at FTLibQCom.dll, the HELLO response seems to be 0x30. [image]

And reset_sahara_state_machine now appears to be 0x08. [image]

Compared to the old 0x02 for HELLO_RSP and 0x07 for RESET_REQ

0xBAADF0OD avatar Apr 18 '22 03:04 0xBAADF0OD

@0xBAADF0OD were you able to get the edl tool working with the OnePlus 10 Pro? I see there was a new loader uploaded for the phone 8 days ago, but I'm getting an unpack error as well.

freetink3r avatar Jun 24 '22 20:06 freetink3r

> @0xBAADF0OD were you able to get the edl tool working with the OnePlus 10 Pro? I see there was a new loader uploaded for the phone 8 days ago, but I'm getting an unpack error as well.

Unfortunately no, the loader existing doesn't change the fact that the protocol implemented in the project is not compatible with the new version, and until that's done it wouldn't work.

0xBAADF0OD avatar Jun 24 '22 21:06 0xBAADF0OD

Can you please use usbcap to record the communication and upload the pcap ? I'm aware of the new version and I'd like to add support.

bkerler avatar Jun 26 '22 10:06 bkerler

Hey @bkerler , sorry but afaik the community didn't get a user-accessible version of the MSM tool, so I wasn't able to run it or record a pcap, at least for the OnePlus 10 series. Maybe there is another phone on Sahara 3.x out there with a leaked unbrick tool.

0xBAADF0OD avatar Jun 26 '22 19:06 0xBAADF0OD

The serial number issue has been fixed with commit 5584cdc.

bkerler avatar Jun 28 '22 17:06 bkerler

The protocol 3.1 means that the protocol version is 3 and the min supported version is 1. So normally version 1 should still work. But OnePlus is now owned by Oppo, and Oppo usually uses VIP Programming, which means that every packet has to be signed before execution.

bkerler avatar Jun 28 '22 18:06 bkerler

> The protocol 3.1 means that the protocol version is 3 and the min supported version is 1. So normally version 1 should still work. But OnePlus is now owned by Oppo, and Oppo usually uses VIP Programming, which means that every packet has to be signed before execution.

[image] That's just the way it is, prog_firehose_ddr.elf from OnePlus 10 Pro.

P-D-A avatar Sep 07 '22 08:09 P-D-A

> Can you please use usbcap to record the communication and upload the pcap ? I'm aware of the new version and I'd like to add support.

@bkerler if helpful: https://drive.google.com/file/d/1cODW4L-OZUnHTkbKSrMIynQFO4rYu_6P/view?usp=sharing

hackslashX avatar Oct 06 '22 17:10 hackslashX

Yes, indeed very helpful. Thx !

bkerler avatar Oct 07 '22 12:10 bkerler