
242 points denysvitali | 8 comments
1. tripdout No.44427076
It will be really interesting to see what production devices this is enabled on; it mentions the OnePlus 6 at least, which has it fused out but is still accessible.

Edit: How are they reading the eFuses on a production OnePlus 6? Do they have a Qualcomm-signed EL3 EDL loader?

It seems to exist as qcom,msm-eud in the device tree of a (unfortunately production) SM4350 device I have along with an eud_enable_reg. Time to recompile the kernel with `/dev/mem`.

replies(4): >>44427931 >>44428623 >>44450259 >>44455350
2. zorgmonkey No.44427931
Yeah, EDL loaders for a bunch of production devices exist here [0]; also more on various XDA Forum posts for stuff like unbricking guides. It is worth noting for people who don't

[0]: https://github.com/bkerler/Loaders

replies(2): >>44428173 >>44432422
3. tripdout No.44428173
But reading QFUSES specifically requires an EL3 loader ("edl qfp qfp.bin -> To dump qfprom fuses (only on EL3 loaders)"), and I don't believe most device programmers (especially ones as relatively new as the OnePlus 6) run under that privilege level.
4. tripdout No.44428623
Well, no luck.

In the device tree I see (snippet):

    qcom,msm-eud@1628000 {
        compatible = "qcom,msm-eud";
        interrupt-names = "eud_irq";
        interrupts = <0x00 0xbd 0x04>;
        reg = <0x1628000 0x2000 0x162a000 0x1000 0x3e5018 0x04>;
        reg-names = "eud_base", "eud_mode_mgr2", "eud_tcsr_check_reg";
        qcom,secure-eud-en;
        qcom,eud-tcsr-check-enable;
        status = "ok";
    };

    qusb@162b000 {
        compatible = "qcom,qusb2phy-v2";
        reg = <0x162b000 0x400 0x1b40268 0x04 0x162f014 0x04 0x162a000 0x04>;
        reg-names = "qusb_phy_base", "efuse_addr", "refgen_north_bg_reg_addr", "eud_enable_reg";
        qcom,efuse-bit-pos = <0x19>;
        qcom,efuse-num-bits = <0x03>;

but `devmem 0x162A000 4 0x1` causes the system to lock up and I see the following in ramoops:

    [  433.720232] msm_watchdog f410000.qcom,wdt: Causing a QCOM Apps Watchdog bite!
    [  433.727381] msm_watchdog f410000.qcom,wdt: Wdog - STS: 0xb01a6, CTL: 0x3, BARK TIME: 0x57fdf, BITE TIME: 0x6ffd6

I'm not at all sure of the interpretation of this, but the reading at the efuse_addr (so I guess certain ones can be read from EL0?) is 0x0e000000, which has bits 25-27 set, and QFPROM fuses seem to have a blown value of 1 according to Qualcomm docs, so it might be fused out?
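An added example (not code from the thread, the blog post, or any Qualcomm or OnePlus driver) that decodes the efuse field exactly as the device tree above describes it: the `efuse_addr` register at 0x1b40268, a field starting at bit 0x19 (25) that is 0x03 bits wide, applied to the 0x0e000000 readback reported in the post. Note that these two properties sit in the `qusb@162b000` PHY node, not in the `qcom,msm-eud` node, so as far as the DT shows the field is a PHY parameter rather than an EUD fuse. The `read_phys_u32` helper does a page-aligned, read-only mmap of `/dev/mem`, which is the safe counterpart of the `devmem` write above; it deliberately does not write `eud_enable_reg`. One caveat from my memory of the downstream EUD driver, stated as an assumption: `qcom,secure-eud-en` makes that driver ask the secure world to flip the enable instead of writing the register from EL1, which would be consistent with the direct write ending in an XPU violation and the watchdog bite seen in ramoops. Function names, the CLI and the sample value are this example's own.

```c
/* Added example, not from the thread or any vendor driver.
 * Decodes a QFPROM bit field as described by the qusb@162b000 node
 * (reg "efuse_addr", qcom,efuse-bit-pos, qcom,efuse-num-bits) and
 * reads one 32-bit MMIO register through a read-only /dev/mem map.
 * Addresses and the 0x0e000000 sample come from the post; the helper
 * names and the CLI are assumptions made for this example. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Values copied from the qusb@162b000 node in the post. */
#define EFUSE_ADDR      0x1b40268u
#define EFUSE_BIT_POS   0x19u   /* 25 */
#define EFUSE_NUM_BITS  0x03u

/* Bit mask for an nbits-wide field (nbits in 1..32). */
static uint32_t field_mask(unsigned nbits)
{
    return (nbits >= 32) ? 0xffffffffu : ((1u << nbits) - 1u);
}

/* Extract the nbits-wide field that starts at bit position pos. */
uint32_t extract_fuse_field(uint32_t reg, unsigned pos, unsigned nbits)
{
    return (reg >> pos) & field_mask(nbits);
}

/* 1 if every bit of the DT-described field reads as 1 (fuse blown
 * per the "blown value of 1" convention the post cites), else 0. */
int fuse_field_all_blown(uint32_t reg, unsigned pos, unsigned nbits)
{
    return extract_fuse_field(reg, pos, nbits) == field_mask(nbits);
}

/* Read one 32-bit register at physical address phys via /dev/mem.
 * Returns 0 on success, -1 on failure (not root, no /dev/mem, or
 * CONFIG_STRICT_DEVMEM refusing the range). The mapping is read-only
 * and page-aligned, so nothing is written to the register window. */
int read_phys_u32(uintptr_t phys, uint32_t *out)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    uintptr_t base = phys & ~((uintptr_t)page - 1);
    uintptr_t off  = phys - base;

    int fd = open("/dev/mem", O_RDONLY | O_SYNC);
    if (fd < 0)
        return -1;
    void *map = mmap(NULL, (size_t)page, PROT_READ, MAP_SHARED, fd, (off_t)base);
    close(fd);
    if (map == MAP_FAILED)
        return -1;

    *out = *(volatile uint32_t *)((char *)map + off);
    munmap(map, (size_t)page);
    return 0;
}

int main(int argc, char **argv)
{
    /* With no argument, decode the constructed sample the post reported;
     * with any argument, read the live register (needs root on target). */
    uint32_t raw = 0x0e000000u;
    if (argc > 1 && read_phys_u32(EFUSE_ADDR, &raw) != 0) {
        perror("read_phys_u32");
        return 1;
    }
    printf("efuse_addr 0x%08x readback 0x%08x -> field[bit %u, %u wide] = %u%s\n",
           EFUSE_ADDR, raw, EFUSE_BIT_POS, EFUSE_NUM_BITS,
           extract_fuse_field(raw, EFUSE_BIT_POS, EFUSE_NUM_BITS),
           fuse_field_all_blown(raw, EFUSE_BIT_POS, EFUSE_NUM_BITS)
               ? " (all bits blown)" : "");
    return 0;
}
```

Run without arguments to decode the sample value offline; run with any argument as root on the device to read the live register. A widening check (reading 4 bits instead of 3) shows bit 28 is clear, so the "all ones" result is specific to the 3-bit field the DT declares.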
5. 71bw No.44432422
A better resource is https://www.temblast.com/ref/loaders.htm
6. nlitsme No.44450259
I know it works on the Quectel RM520 module.
7. clfdev No.44455350
Heya, author of the blog post here. The OP6 happens to work, but it's limited to debugging in EL1; if you do manage to trap in EL2, all the registers read 0.

The reason this works at all on this production device is because OnePlus screwed up and shipped a "debug profile" in production. This is a vendor-signed ELF (flashed to the dpdb partition or something like that) containing configuration to enable certain debugging features.

The one we already know about is crashdump mode: the OP6 will crashdump when you trigger an XPU violation or some kinds of bus abort, then you can dump the entire RAM and you don't even need to authenticate (no Firehose, just run bkerler's edl.py).

This has come in handy for mainline development a few times, heh.

But it seems that this profile also enables EUD, which is super nice. That said, I didn't manage to get breakpoints working at all yet....

replies(1): >>44468417
8. tripdout No.44468417
Oh hey, really cool article. Do you know if I'm correct in my attempt at enabling EUD? Also, I was unsure how you determined that it was disabled in the OnePlus 6? I thought only EL3 can read qfuses in general?

And you mean the apdp partition, right? That's a weird ELF file; it contains almost nothing obvious (test key sig? DEBUG mention) and doesn't seem to hold any executable code, which I guess makes sense, but I wonder why they made it an ELF. Is there any info on interpreting these profiles?

So that profile gives you the unauthenticated ramdump as well? Seems to be a common theme with OnePlus, messing up security features.