Research & Exploitation framework for Qualcomm EDL Firehose programmers with dynamic custom target configuration
Project description
firehorse
By Roee Hay (@roeehay) & Noam Hadad, Aleph Reseserch, HCL Technologies
Research & Exploitation framework for Qualcomm EDL Firehose programmers.
Blog posts:
- Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
- Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting
- Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction
- Exploiting Qualcomm EDL Programmers (4): Runtime Debugger
- Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot
Installation
Option 1: Install from PyPI (Recommended)
pip install firehorse
Option 2: Install from Source
git clone https://github.com/alephsecurity/firehorse.git
cd firehorse
pip install -e .
Usage
Prerequisites
To use this tool you'll need:
- Qualcomm Product Support Tools (QPST - we used version 2.7.437 running on a windows 10 machine)
- A Cross compiler to build the payload for the devices (we used arm-eabi-4.6 toolchain for aarch32 and aarch64-linux-android-4.8 toolchain for aarch64, both running on ubuntu 16.04 machine)
- Acquire the relevant programmers and copy them to the firehorse/target/device directory
Building the payloads
First, edit the Makefile in the device directory - set the device variable to whatever device you want (nokia6, angler, ugglite, mido and cheeseburger are currently supported).
Next, set the CROSS_COMPILE_32 and CROSS_COMPILE_64 enviroment vars as follows:
export CROSS_COMPILE_32=<path-to-arm-eabi-4.6-toolchain>/bin/arm-eabi-
export CROSS_COMPILE_64=<path-to-aarch64-linux-android-4.8-toolchain>/bin/aarch64-linux-android-
Then call make and the payload for your specific device will be built
Configure the tool
Before we start, we need to configure some stuff. The tool now requires command line arguments for configuration:
🆕 Custom Target Configuration (NEW)
This enhanced version includes a dynamic custom target configuration system that allows you to create fully customizable target definitions using environment variables.
Quick Start:
# Use default custom target
firehorse -t custom -c COM17 --fh-loader "path/to/fh_loader.exe" --sahara-server "path/to/QSaharaServer.exe" target magic
# Configure custom device via environment variables
export FIREHORSE_CUSTOM_NAME="my_device"
export FIREHORSE_CUSTOM_ARCH=32
export FIREHORSE_CUSTOM_PROGRAMMER_PATH="target/mydevice/prog.elf"
firehorse -t my_device -c COM17 --fh-loader "path/to/fh_loader.exe" --sahara-server "path/to/QSaharaServer.exe" target magic
Key Features:
- ✅ All 26 Target parameters customizable via environment variables
- ✅ No need to create separate target files
- ✅ Rapid prototyping and testing
- ✅ Backward compatible with existing targets
- ✅ Cross-platform support (Windows/Linux/macOS)
Platform Examples:
# Windows (CMD)
set FIREHORSE_CUSTOM_NAME=my_device
set FIREHORSE_CUSTOM_ARCH=32
firehorse -t my_device -c COM17 --fh-loader "path/fh_loader.exe" --sahara-server "path/QSaharaServer.exe" target magic
# Windows (PowerShell)
$env:FIREHORSE_CUSTOM_NAME="my_device"
$env:FIREHORSE_CUSTOM_ARCH="32"
firehorse -t my_device -c COM17 --fh-loader "path/fh_loader.exe" --sahara-server "path/QSaharaServer.exe" target magic
# Linux/macOS
export FIREHORSE_CUSTOM_NAME="my_device"
export FIREHORSE_CUSTOM_ARCH=32
firehorse -t my_device -c COM17 --fh-loader "path/fh_loader.exe" --sahara-server "path/QSaharaServer.exe" target magic
For complete documentation, see:
- README_CUSTOM_TARGET.md - Comprehensive guide
- CUSTOM_TARGET_USAGE.md - Direct command usage examples
Required Arguments:
-c COM: COM port where the device is connected--fh-loader PATH: Path to fh_loader.exe in QPST\bin directory--sahara-server PATH: Path to QSaharaServer.exe in QPST\bin directory-t TARGET_NAME: Target device name
Example Configuration:
firehorse -c COM17 \
--fh-loader "C:\Program Files (x86)\Qualcomm\QPST437\bin\fh_loader.exe" \
--sahara-server "C:\Program Files (x86)\Qualcomm\QPST437\bin\QSaharaServer.exe" \
-t nokia6 target magic
Usage examples
firehorse -s -c COM17 \
--fh-loader "C:\Program Files (x86)\Qualcomm\QPST437\bin\fh_loader.exe" \
--sahara-server "C:\Program Files (x86)\Qualcomm\QPST437\bin\QSaharaServer.exe" \
-t nokia6 target magic
firehorse -c COM17 \
--fh-loader "C:\Program Files (x86)\Qualcomm\QPST437\bin\fh_loader.exe" \
--sahara-server "C:\Program Files (x86)\Qualcomm\QPST437\bin\QSaharaServer.exe" \
-t nokia6 fw hello
firehorse -c COM17 \
--fh-loader "C:\Program Files (x86)\Qualcomm\QPST437\bin\fh_loader.exe" \
--sahara-server "C:\Program Files (x86)\Qualcomm\QPST437\bin\QSaharaServer.exe" \
-t nokia6 fw peek 0x100000 0x10
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file firehorse-1.0.0-py3-none-any.whl.
File metadata
- Download URL: firehorse-1.0.0-py3-none-any.whl
- Upload date:
- Size: 39.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9ab9da163f451ccc36571c7d2eb48e7fe22f18bdc82284609c7ee3992b5fb8cb
|
|
| MD5 |
021dd30110d1a923fbe3b4bede01417f
|
|
| BLAKE2b-256 |
64a23df189749d1bc8e718859f7802468ebf2e591f45e50de2a9042c7fa32ecb
|
