edl
edl copied to clipboard
bkerler
Help with sdx65 modem (quectel)
CONTEXT:
Hi, so i am working with an second hand isp modem (5g nr CPE). I was able to get edl mode on this via shorting usb_boot to 1.8v....also managed to get firmware from the modem manufacturer (* not from the isp, but rather the manufacturer of the modem; quectel). It contained
Files : firehose.zip
PROBLEM:
I have tried your tool with specifying both the .mbn and the .elf file; both resulting in different sort of error. Now, from the uart boot logs, the device seems to have secure boot on but also has device_unlocked= 1 , unlock_critical= 1 , and it says
VB: DeviceInit: Device is unlocked! Skipping verification! so i am guessing the bootloader is unlocked ?!?
Full boot log from uart: https://hst.sh/ijayabetak.yaml
HWID: 0x001610e100000000 (MSM_ID:0x001610e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected: "olympic"
PK_HASH: 0xf82748229437ec51dfed5864eb080349047e02ed5a8ac83e68653abb1d615a78
Serial: 0xa1b785f0
debug mode edl using partition_complete_p4K_b256K.mbn : https://hst.sh/usanosobul.sql
debug mode edl using prog_firehose_lite.elf : https://hst.sh/tibokexufu.sql
What i want to know is whether the device is accepting my loader and then failing , or does it not even take upload? ik the logs says that it uploaded but, i thought better ask the devs. Is there any hope for this device, i really dont wanna throw this away.
THANK YOU :)
The prog_firehose_lite.elf you posted in firehose.zip is not the right one for your device.
f82748229437ec51 dfed5864eb080349 047e02ed5a8ac83e 68653abb1d615a78 <-- device
959b8d0549ef41be fabc24f51efe84fe e366ac169ab04a0d b30c799b324fd798 <-- Firehose
The Firehose is signed as Qualcomm test. I have no idea who signed your device.
The prog_firehose_lite.elf you posted in firehose.zip is not the right one for your device.
f82748229437ec51 dfed5864eb080349 047e02ed5a8ac83e 68653abb1d615a78 <-- device 959b8d0549ef41be fabc24f51efe84fe e366ac169ab04a0d b30c799b324fd798 <-- FirehoseThe Firehose is signed as Qualcomm test. I have no idea who signed your device.
The manufacturer of this module was quectel, the one who developed the board was LUXSHARE and Neolync. The firmware partitions are signed by an indian isp. Put simply.. its a mess..
So no hope now ? The root console is password locked and the edl was my only viable option left.
You need to get this into fastboot. You can try with buttons while booting. You can try typing to the UART during boot.
BootMode:0, BootReason:0
Fastboot=0, Recovery:0
Try space, backspace, delete, arrow keys.
I have tried every combination of button pressed and powerup. it just doesnt want to go into either fastboot , recovery or anything else. I am thinking there isnt a way to get this into fastboot and they disabled it. As the gpio button on the board calls a reboot action script. keeping the button pressed during power up (yes i have tried every variation like keeping the button pressed and then powering it on, pressing the button just after powerup,etc) does not trigger any special mode.
For now there seems to be no way for this thing to go into fastboot or recovery mode, guess the manufacturer believes edl was all they gonna need. now either i guess the root pass or get the signed loader by some miracle or find some fishy exploit in the webUI, all of which are by no means easy.
Any further insights would be helpful.
JST XH-4?
It's a debug uart port connected directly to the module.
What is the "switch" on the 5 pin?
couldn't figure out honestly, those 5 lead to the realtek bt chipset used in the board.