sarunelis
Seems command E0 (E8) is modified; after unsuccessful data validation it clears (fills with 0x44) the 0x100A00 buffer :(
ROM:0000F21E FF F7 CB FB    BL   comdl_get_data_sendcks_sub_E9B8
ROM:0000F222 49 48          LDR  R0, =EXPL_unk_100A00
ROM:0000F224 01 21          MOVS R1, #1
ROM:0000F226 F7 F7 55 FB    BL   Validate_E0_sub_68D4
ROM:0000F22A 04 46          MOV...
It's OK and has nothing to do with the BROM exploit. Maybe you have not understood the full picture of the BBK flashing process: after DA is loaded, DA needs extra authentication with the BBK server...
https://github.com/daynix/UsbDk
AGM G2 firehose for sure will not work on FP5 because of a different HWID: 0x001970e100430000 on AGM G2 and 0x001970e100420002 on FP5. Even the PK HASH is the same.
Must be the same: SoC ID, including OEM and Model IDs, **and** PK_HASH
And even more, RollBack (RB) in SW_ID must be higher or the same. But unfortunately SW_ID is not readable by Sahara.
https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/secure-boot-image-authentication_11.30.16.pdf
No, you are wrong, just try it in practice and you will see. **"The fields contained in HW_ID must match those provisioned in eFuse for the signature to be valid."**
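An added example, not code from the thread or from any Qualcomm tool: it decodes the two 64-bit HW_IDs quoted above into the fields the posts name (SoC/MSM ID, OEM ID, Model ID) and applies the stated acceptance rules for a firehose programmer, namely that all HW_ID fields and the PK_HASH must match and that the anti-rollback version carried in SW_ID must be higher or the same. The field widths (32/16/16 bits for HW_ID, 32/32 bits for SW_ID) are taken from the linked Qualcomm secure-boot document; the PK hash bytes, the fused minimum version and the SW_ID image type value are constructed sample values.

```python
# Added example (not from the forum thread): decode Qualcomm HW_ID / SW_ID and
# check whether a firehose programmer would pass the device's HW_ID, PK_HASH
# and anti-rollback checks. Field layout follows Qualcomm's secure-boot
# document; sample hashes and version numbers below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class HwId:
    msm_id: int    # SoC / JTAG ID, upper 32 bits
    oem_id: int    # OEM ID, bits 16..31
    model_id: int  # Model ID, lower 16 bits


@dataclass(frozen=True)
class SwId:
    version: int     # anti-rollback version, upper 32 bits
    image_type: int  # image type (SW_TYPE), lower 32 bits


def parse_hw_id(value: int) -> HwId:
    """Split a 64-bit HW_ID, as reported by Sahara, into its three fields."""
    if not 0 <= value < (1 << 64):
        raise ValueError("HW_ID must be a 64-bit value")
    return HwId(msm_id=(value >> 32) & 0xFFFFFFFF,
                oem_id=(value >> 16) & 0xFFFF,
                model_id=value & 0xFFFF)


def parse_sw_id(value: int) -> SwId:
    """Split a 64-bit SW_ID (from the signing certificate) into version and type."""
    if not 0 <= value < (1 << 64):
        raise ValueError("SW_ID must be a 64-bit value")
    return SwId(version=(value >> 32) & 0xFFFFFFFF,
                image_type=value & 0xFFFFFFFF)


def programmer_rejection_reasons(device_hw_id: int, device_pk_hash: bytes,
                                 device_min_version: int,
                                 prog_hw_id: int, prog_pk_hash: bytes,
                                 prog_sw_id: int) -> list[str]:
    """Return the reasons the device would reject this programmer.

    An empty list means every check discussed in the thread passes:
    MSM_ID, OEM_ID and MODEL_ID match, PK_HASH matches, and the
    anti-rollback version in SW_ID is >= the version the device enforces.
    """
    dev, prog = parse_hw_id(device_hw_id), parse_hw_id(prog_hw_id)
    sw = parse_sw_id(prog_sw_id)
    reasons = []
    if dev.msm_id != prog.msm_id:
        reasons.append(f"MSM_ID mismatch: device {dev.msm_id:#010x}, "
                       f"programmer {prog.msm_id:#010x}")
    if dev.oem_id != prog.oem_id:
        reasons.append(f"OEM_ID mismatch: device {dev.oem_id:#06x}, "
                       f"programmer {prog.oem_id:#06x}")
    if dev.model_id != prog.model_id:
        reasons.append(f"MODEL_ID mismatch: device {dev.model_id:#06x}, "
                       f"programmer {prog.model_id:#06x}")
    if device_pk_hash != prog_pk_hash:
        reasons.append("PK_HASH mismatch: programmer signed under a different root")
    if sw.version < device_min_version:
        reasons.append(f"anti-rollback: programmer version {sw.version} "
                       f"< fused minimum {device_min_version}")
    return reasons


if __name__ == "__main__":
    # HW_IDs quoted in the thread; the hash and versions are constructed samples.
    FP5_HWID = 0x001970e100420002
    AGM_G2_HWID = 0x001970e100430000
    SAMPLE_PK_HASH = bytes.fromhex("aa" * 32)
    sample_sw_id = (1 << 32) | 0x3  # version 1, constructed image type 3
    print("FP5   :", parse_hw_id(FP5_HWID))
    print("AGM G2:", parse_hw_id(AGM_G2_HWID))
    for r in programmer_rejection_reasons(FP5_HWID, SAMPLE_PK_HASH, 1,
                                          AGM_G2_HWID, SAMPLE_PK_HASH,
                                          sample_sw_id):
        print("reject:", r)
```

Run as a script it shows that both IDs share MSM_ID 0x001970e1 but differ in OEM_ID (0x0043 vs 0x0042) and MODEL_ID (0x0000 vs 0x0002), which is why an identical PK_HASH alone is not enough for the AGM G2 programmer to be accepted on the FP5.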
Yes, from CERT version 6.5 they hide the HW IDs; you can only see them in firehose/xbl, for example IMAGE_VARIANT_STRING: SocLanaiLAA for SM8650, and now Qualcomm uses Elliptic Curve certification, not RSA anymore.