# Qualcomm Flash Loader V1.0: Technical Reference

## 1. Overview

Qualcomm Flash Loader V1.0 (also known as QFL V1.0 or simply the Sahara / Firehose Loader) is a low-level boot and protocol utility embedded in the boot ROM (PBL, Primary Boot Loader) of Qualcomm Snapdragon SoCs. Its primary function is to initialize the device's storage interfaces (eMMC, UFS, NAND) and load a secondary programmable boot loader (SBL) or a full firmware image into RAM for flashing, recovery, or debugging.

### 1.1 Key Characteristics

- **ROM-based**: Resides in write-protected boot ROM.
- **Protocol-driven**: Uses a request-response protocol over USB (or UART).
- **Authentication**: Later versions (1.1+) introduced authenticated "Firehose" loaders; V1.0 is typically unauthenticated or minimally authenticated.
- **Emergency Download (EDL) Mode**: Activated by specific hardware sequences (e.g., holding volume keys while connecting USB, or shorting test points).

## 2. Architecture & Boot Flow

```
Power On
   │
   ▼
PBL (ROM) ──► Check boot signature (if secure boot enabled)
   │
   ├── Normal Boot: Load SBL from eMMC/UFS
   │
   └── EDL Mode: Activate Flash Loader V1.0
         │
         ▼
       Wait for host to send Hello/Handshake
         │
         ▼
       Receive and execute commands (read/write/erase)
```

### 2.1 Activation Methods

| Method | Description |
|--------|-------------|
| Forced EDL | Shorting test points (e.g., `FORCE_USB_BOOT`) on the PCB. |
| Software Reboot | `adb reboot edl` or `fastboot oem edl`. |
| Empty Boot Image | A corrupted boot partition triggers fallback to EDL. |

## 3. Communication Protocol

Flash Loader V1.0 uses a simple packet-based protocol over bulk USB endpoints (typically endpoint 1 OUT, endpoint 1 IN). Packets are little-endian.

### 3.1 Packet Structure (32-byte header + variable data)

| Offset | Size | Field | Description |
|--------|------|-------|-------------|
| 0 | 4 | Magic | Constant `0x84434D51` ("QDCM" in ASCII) |
| 4 | 4 | Command | Operation code (see table) |
| 8 | 4 | Length | Length of data payload |
| 12 | 4 | CRC32 | Checksum of data payload (or 0 if none) |
| 16 | 4 | Status | Response status (0 = success, non-zero = error) |
| 20 | 12 | Reserved | Set to 0 |

### 3.2 Supported Commands (V1.0)

| Command Name | Opcode | Description |
|--------------|--------|-------------|
| HELLO | 0x01 | Handshake; exchange protocol version. |
| READ | 0x02 | Read from storage (LBA-based). |
| WRITE | 0x03 | Write to storage. |
| ERASE | 0x04 | Erase sectors/blocks. |
| EXECUTE | 0x05 | Execute code in RAM (unsigned — security risk). |
| RESET | 0x06 | Reset device. |
| GET_INFO | 0x07 | Retrieve storage parameters (size, block count). |
| CLOSE | 0x08 | Exit loader gracefully. |

### 3.3 Example Command Flow (Write Operation)

```
Host                               Device (Flash Loader V1.0)
  |                                         |
  |--- HELLO ------------------------------>|
  |<--- ACK (status=0) ---------------------|
  |                                         |
  |--- WRITE (LBA, count) ----------------->|
  |<--- Ready (status=0) -------------------|
  |                                         |
  |--- Data packets ----------------------->|
  |<--- Write confirm ----------------------|
  |                                         |
  |--- CLOSE ------------------------------>|
  |<--- Reset ------------------------------|
```
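The packet layout in 3.1 and the write sequence in 3.3 are easier to reason about with a codec in hand. The following is an added example written for this page, not code from Qualcomm or from any of the tools named below. It packs and validates the 32-byte header exactly as the table above describes it (magic, opcode, length, CRC32 over the payload, status, 12 reserved bytes) and then drives the HELLO / WRITE / data / CLOSE exchange against a constructed in-memory stand-in for the device. The stand-in's conventions are assumptions for illustration only: the WRITE request carries a little-endian `(LBA, count)` pair, each data packet reuses the WRITE opcode with one sector of payload, and the ACK to HELLO carries a version string.

```python
import struct
import zlib
from typing import Dict, List, Optional, Tuple

# Header layout from section 3.1: 32 bytes, little-endian.
MAGIC = 0x84434D51
HEADER_FMT = "<IIIII12s"                   # magic, command, length, crc32, status, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32

# Opcodes from section 3.2.
HELLO, READ, WRITE, ERASE, EXECUTE, RESET, GET_INFO, CLOSE = range(1, 9)


def pack_packet(command: int, payload: bytes = b"", status: int = 0) -> bytes:
    """Build one packet: 32-byte header followed by the payload (CRC32 is 0 for an empty payload)."""
    header = struct.pack(HEADER_FMT, MAGIC, command, len(payload),
                         zlib.crc32(payload), status, bytes(12))
    return header + payload


def parse_packet(buf: bytes) -> Tuple[int, int, bytes, int]:
    """Validate one packet and return (command, status, payload, bytes_consumed)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    magic, command, length, crc, status, reserved = struct.unpack_from(HEADER_FMT, buf)
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    if reserved != bytes(12):
        raise ValueError("reserved field must be zero")
    payload = buf[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if zlib.crc32(payload) != crc:
        raise ValueError("CRC32 mismatch")
    return command, status, payload, HEADER_LEN + length


def is_valid(buf: bytes) -> bool:
    """True if the buffer parses as a well-formed packet."""
    try:
        parse_packet(buf)
        return True
    except ValueError:
        return False


class SimulatedLoader:
    """Constructed stand-in for the device side of the section 3.3 flow (not real firmware).
    Assumption: a WRITE request carries '<II' (LBA, sector count); each following data
    packet reuses the WRITE opcode with exactly one sector of payload."""

    def __init__(self, sector_size: int = 512):
        self.sector_size = sector_size
        self.storage: Dict[int, bytes] = {}              # lba -> sector contents
        self.pending: Optional[Tuple[int, int]] = None   # (next lba, sectors remaining)

    def handle(self, raw: bytes) -> bytes:
        command, _, payload, _ = parse_packet(raw)
        if command == HELLO:
            return pack_packet(HELLO, b"v1.0")           # ACK carrying the protocol version
        if command == WRITE and self.pending is None:
            lba, count = struct.unpack("<II", payload)
            self.pending = (lba, count)
            return pack_packet(WRITE)                    # Ready (status=0)
        if command == WRITE:
            lba, remaining = self.pending
            if len(payload) != self.sector_size:
                return pack_packet(WRITE, status=1)      # reject a malformed data packet
            self.storage[lba] = payload
            self.pending = (lba + 1, remaining - 1) if remaining > 1 else None
            return pack_packet(WRITE)                    # Write confirm
        if command == CLOSE:
            return pack_packet(RESET)                    # device resets after a graceful close
        return pack_packet(command, status=0xFFFFFFFF)   # anything else: generic error


def write_flow(device: SimulatedLoader, lba: int, data: bytes) -> List[Tuple[str, int, int]]:
    """Host side of the WRITE operation; returns a transcript of (direction, opcode, status)."""
    log: List[Tuple[str, int, int]] = []

    def exchange(pkt: bytes) -> None:
        cmd, status, _, _ = parse_packet(pkt)
        log.append(("host->dev", cmd, status))
        rcmd, rstatus, _, _ = parse_packet(device.handle(pkt))
        log.append(("dev->host", rcmd, rstatus))
        if rstatus != 0:
            raise RuntimeError(f"opcode 0x{cmd:02X} failed with status 0x{rstatus:08X}")

    sector = device.sector_size
    count = (len(data) + sector - 1) // sector
    exchange(pack_packet(HELLO))
    exchange(pack_packet(WRITE, struct.pack("<II", lba, count)))
    for i in range(count):                               # one data packet per sector, zero-padded
        exchange(pack_packet(WRITE, data[i * sector:(i + 1) * sector].ljust(sector, b"\x00")))
    exchange(pack_packet(CLOSE))
    return log


if __name__ == "__main__":
    dev = SimulatedLoader()
    for entry in write_flow(dev, lba=100, data=b"A" * 600):
        print(entry)
```

Running the script prints ten transcript entries ending with the device's RESET reply. The host-side `exchange` helper stops on the first non-zero status, which is the behaviour a flashing tool needs so that a rejected data packet does not silently leave the sector sequence out of step with the device.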

## 4. Security Model (V1.0 Weaknesses)

Unlike later versions (Firehose 2.0+), Flash Loader V1.0 has minimal security:

- No digital signature verification for the EXECUTE command, which allows arbitrary code injection.
- No authentication required to send commands; any USB host can issue READ/WRITE.
- Unencrypted data; all transfers are plaintext.

### 4.1 Implications

- **Unbricking**: Enables recovery from corrupted bootloaders.
- **Forensic acquisition**: Allows a full physical memory dump.
- **Vulnerability**: A malicious host can overwrite bootloaders or install rootkits.

## 5. Practical Usage & Tools

### 5.1 Qualcomm Official Tools

- QPST (Qualcomm Product Support Tool), which includes the QFIL (Flash Image Loader) utility.
- QDL (Qualcomm Downloader), a command-line interface.

### 5.2 Open Source / Reverse-Engineered Tools

| Tool | Description |
|------|-------------|
| edl.py (by bkerler) | Python library/CLI for the EDL protocol. |
| QCOM_FlashUtil | Multi-platform flasher. |
| qdl (LineageOS) | Minimal C implementation for Linux. |

### 5.3 Sample Session using edl.py

```bash
# Enter EDL mode (device must be connected)
adb reboot edl

# List connected devices
edl.py --list

# Read partition table
edl.py --print-gpt

# Read entire userdata partition
edl.py --read userdata userdata.img

# Flash a new boot image
edl.py --write boot boot.img

# Reset device after flashing
edl.py --reset
```

## 6. Identifying Flash Loader V1.0 on a Device

Check the USB descriptors after entering EDL mode:

```
Bus 001 Device 009: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
```
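The descriptor check above is easy to script across a fleet or a lab bench. The following is an added example, not code from this page or from any Qualcomm tool, that parses `lsusb`-style output and returns every device reporting the `05c6:9008` ID the page associates with EDL/QDL mode. The sample output embedded in the block is constructed; only the Qualcomm line is taken from the page, and the other two lines are ordinary hub and receiver entries included so the filter has something to ignore.

```python
import re
from typing import Dict, List

# Shape of one lsusb line, e.g.
#   Bus 001 Device 009: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
LSUSB_LINE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s?(.*)$")

QUALCOMM_VID = "05c6"
EDL_PID = "9008"   # the product ID the page shows for a device sitting in EDL / QDL mode

# Constructed sample output; the Qualcomm line is the one shown in section 6.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 009: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
Bus 002 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
not an lsusb line at all
"""


def parse_lsusb(output: str) -> List[Dict]:
    """Turn lsusb output into records; lines that do not match the expected shape are skipped."""
    devices: List[Dict] = []
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        bus, dev, vid, pid, description = m.groups()
        devices.append({"bus": int(bus), "device": int(dev),
                        "vid": vid.lower(), "pid": pid.lower(),
                        "description": description})
    return devices


def find_edl_devices(output: str) -> List[Dict]:
    """Return only the devices enumerating with the Qualcomm EDL identifier."""
    return [d for d in parse_lsusb(output)
            if d["vid"] == QUALCOMM_VID and d["pid"] == EDL_PID]


if __name__ == "__main__":
    for d in find_edl_devices(SAMPLE_LSUSB):
        print(f"EDL device on bus {d['bus']:03d} device {d['device']:03d}: {d['description']}")
```

On a live system, feed it the output of `lsusb` (for example via `subprocess.run(["lsusb"], capture_output=True, text=True).stdout`); a non-empty result means a device is waiting in the unauthenticated loader and should be accounted for.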