Skip to content

kasnria001/qualcomm_noavb_exploit_common

Repository files navigation

qualcomm_noavb_exploit_common

Unlocking Bootloader via noavb exploit (still in progress)

Update : Another way is discovered by other people. They reload the full uefi chain and then run unlock command without token verification. This method is from WOA-Project.

A vulnerability exists in Qualcomm ABL component.

https://git.codelinaro.org/clo/la/abl/tianocore/edk2/-/commit/07665c08352d0051a627d5b42ae0ad1487f29afc

By renaming/removing vbmeta_a partition from the GPT partition table,the boot process will fall into NOAVB path.

So we can load unsigned images including recovery,kernel,boot...

But the normal boot process always crashes.But we can boot into Recovery like TWRP.

And the milestone is never called.

So we can communicate with Keymaster TA and send unlock command.

https://git.codelinaro.org/clo/la/abl/tianocore/edk2/-/commit/c7af5ee0957aab91e2a8d45a1e48f6d532e04de1

For 8E or some other devices,pvmfw is added.So you can not boot into recovery because of some crashes about pvmfw.

So we need to erase pvmfw_a and pvmfw_b.

But in newer qualcomm devices,qseecom driver is removed.

Instead,we need smcinvoke to communicate.

We need to use libminkdescriptor.so.

However,we meet difficulties about getting the Physical Address of the buffer storing deviceinfo.

TA only accepts PA.

https://github.com/atlas4381/qualcomm_avb_exploit_poc

https://github.com/MSTAT-Lseng/qualcomm_avb_exploit_poc

About

Unlocking Bootloader via noavb exploit (still in progress)

Resources

License

Stars

41 stars

Watchers

3 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages