It will be really interesting to see what production devices this is enabled on - It mentions the OnePlus 6 at least which has it fused out but is still accessible.
Edit: How are they reading the eFuses on a production OnePlus 6? Do they have a Qualcomm-signed EL3 EDL loader?
It seems to exist as qcom,msm-eud in the device tree of a (unfortunately production) SM4350 device I have along with an eud_enable_reg. Time to recompile the kernel with `/dev/mem`.
I'm not at all sure on the interpretation of this, but the reading at the efuse_addr (so I guess certain ones can be read from EL0?) is 0x0e000000 which has bits 25-27 set and QFPROM fuses seem to have a blown value of 1 according to Qualcomm docs, so it might be fused out?
heya, author of the blog post here. the op6 happens to work but it's limited to debugging in el1, if you do manage to trap in el2 all the registers read 0
the reason this works at all on this production device is because oneplus screwed up and shipped a "debug profile" in production. this is a vendor signed elf (flashed to the dpdb partition or something like that) containing configuration to enable certain debugging features.
the one we already know about is crashdump mode, the op6 will crashdump when you trigger an XPU violation or some kinds of bus abort, then you can dump the entire RAM and you dont even need to authenticate (no firehose just run bkerlers edl.py)
this has come in handy for mainline development a few times heh
but it seems that this profile also enables EUD which is super nice, that said i didnt manage to get breakpoints working at all yet....
Oh hey, really cool article. Do you know if I'm correct in my attempt at enabling EUD? Also I was unsure how you determined that it was disabled in the OnePlus 6? I thought only EL3 can read qfuses in general?
And you mean the apdp partition, right? That's a weird ELF file, contains almost nothing obvious (test key sig? DEBUG mention) and doesn't seem to be any executable code which I guess makes sense, but I wonder why they made it an ELF. Is there any info on interpreting these profiles?
So that profile gives you the unauthenticated ramdump as well? Seems to be a common theme with OnePlus, messing up security features.
The Debug Policy apdp partition is flashed with an ELF “mbn” file. It is possible that sections are encrypted. At the very least it is likely signed. From a security perspective, hopefully the vendor signed with a prod key and not a test key.
In my experience, it is possible read to the fuses with a TrustZone TA, at least on a non-secure device.
yeah EDL loaders for a bunch of production devices exist here [0] also more on various XDA Forum posts for stuff like unbricking guides. It is worth noting for people who don't
But reading QFUSES specifically requires an EL3 loader "edl qfp qfp.bin -> To dump qfprom fuses (only on EL3 loaders)" and I don't believe most devices programmers (especially as relatively new as the OnePlus 6) run under that privilege level.
Edit: How are they reading the eFuses on a production OnePlus 6? Do they have a Qualcomm-signed EL3 EDL loader?
It seems to exist as qcom,msm-eud in the device tree of a (unfortunately production) SM4350 device I have along with an eud_enable_reg. Time to recompile the kernel with `/dev/mem`.