[![oosmetrics](https://api.oosmetrics.com/api/v1/badge/achievement/775d2dc4-b8fd-4ab4-9621-733b03fea04f.svg)](https://oosmetrics.com/repo/atlas4381/qualcomm_avb_exploit_poc)

# qualcomm_avb_exploit_poc

Repository: `atlas4381/qualcomm_avb_exploit_poc` (C, Apache License 2.0, default branch `main`). Description: Unlocking qualcomm bootloader.

PoC for a Qualcomm ABL bootloader unlock via the Keymaster TA's unauthenticated `READ_KM_DEVICE_STATE` / `WRITE_KM_DEVICE_STATE` commands.

Tested on Redmi 14R (flame, Snapdragon 4 Gen 2). Expected to affect other Qualcomm devices with vulnerable ABL builds.

> [!CAUTION]
> **Disclaimer**: This PoC is for **educational and technical research purposes only**. Modifying the RPMB device state or the partition table carries a high risk of **permanently bricking** your device. **The author** shall not be held responsible for any damage, data loss, or legal consequences resulting from the use of this PoC. **Proceed at your own risk**.

## Background

`Is_VERIFIED_BOOT_2()` in `QcommModulePkg/Library/avb/VerifiedBoot.c` decided the verified boot path at **runtime** by checking whether a `vbmeta_a` or `vbmeta` partition exists in the GPT. If neither partition is found, the function returns `FALSE` and the bootloader takes the `NO_AVB` path.

The `NO_AVB` path does not issue `KEYMASTER_MILESTONE_CALL`. In the normal AVB2 path that milestone is set before the OS is started, and once it is set the Keymaster TA refuses to execute `READ_KM_DEVICE_STATE` and `WRITE_KM_DEVICE_STATE`. Without the milestone, these commands execute without restriction.

## Vulnerability

The GPT is writable by anyone who can already write the raw disk (EDL, or an earlier exploit), yet it is the input that decides whether AVB2 runs at all. Renaming the `vbmeta` partition to any other name (e.g. `xbmeta`) leaves its contents in place, but `Is_VERIFIED_BOOT_2()` no longer finds a vbmeta partition and returns `FALSE`. This forces the `NO_AVB` path, the milestone is never set, and the Keymaster TA does not block device state operations.

An attacker can then load the Keymaster TA from a normal Linux userspace (here TWRP with `qseecomd` running), read the `DeviceInfo` structure from RPMB, set `is_unlocked` and `is_unlock_critical` to `1`, and write it back, effectively unlocking the bootloader without going through `fastboot oem unlock`.

```
vbmeta renamed → Is_VERIFIED_BOOT_2() returns FALSE
→ NO_AVB → KEYMASTER_MILESTONE_CALL skipped
→ Keymaster TA READ/WRITE_KM_DEVICE_STATE not blocked
→ DeviceInfo in RPMB writable → bootloader unlocked
```

## Fix

[edk2: Set VB2 status at compile time](https://git.codelinaro.org/clo/la/abl/tianocore/edk2/-/commit/1b2e5f9c4e95db4c74570b828d047e45f9f426d1)

`Is_VERIFIED_BOOT_2()` now returns a compile-time constant derived from the `VERIFIED_BOOT_ENABLED` macro, so the result cannot be influenced by modifications to the GPT partition table. Because the decision is baked into the ABL image, a device is protected only once it runs an ABL built with the fix; an older ABL remains vulnerable regardless of what the partition table currently contains.

## Prerequisites

1. Write access to the partition table and partitions (e.g. via EDL or an existing exploit)
2. Rename the `vbmeta` partition to anything else (e.g. `xbmeta`) with `sgdisk` or a similar tool
3. Flash and boot TWRP
4. Start the `qseecomd` daemon

## Usage

```sh
# Read the current DeviceInfo state
./poc

# Write the unlock flags (triggers a confirmation prompt)
./poc -w
```

After a successful write, reboot to fastboot and run:

```sh
fastboot -w
```

Note that `fastboot -w` erases the userdata and cache partitions, so back up anything you need first.

## Build

```sh
$NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android28-clang -fPIE -pie poc.c -ldl -o poc
```

## Notes

- `TA_IMG_LEN` is hardcoded to the keymaster partition size (512 KB). Adjust it if your device differs.
- The PoC uses `_Static_assert` to ensure the `DeviceInfo` structure size is `0xCA8`. A matching size is not proof of a matching layout: field offsets can differ between SoC models or Android versions, and writing a mis-laid-out structure back to RPMB is exactly the kind of change that can brick the device. Verify the layout for your device before using `-w`.
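The Background and Fix sections above contrast a check that reads the partition table with one fixed at build time. The following C program is added here as an illustration; it is not part of this PoC and not the edk2 source. It builds a constructed in-memory GPT partition entry array (128-byte entries, UTF-16LE names at offset 56), implements a simplified `is_verified_boot_2_runtime()` that looks for `vbmeta_a` or `vbmeta` the way the vulnerable code did, renames that entry to `xbmeta` in place as `sgdisk -c` would, and compares the outcome with `is_verified_boot_2_fixed()`, which returns the `VERIFIED_BOOT_ENABLED` macro. The function names, the sample table, the GUID handling and the macro default are assumptions made for this example; the real `Is_VERIFIED_BOOT_2()` goes through the bootloader's own partition lookup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GPT_ENTRY_SIZE  128  /* one GPT partition entry */
#define GPT_NAME_OFFSET 56   /* PartitionName: 36 UTF-16LE code units */
#define GPT_NAME_CHARS  36
#define SAMPLE_ENTRIES  4

/* Stand-in for the build flag the fixed edk2 code keys on (assumed default for this example). */
#ifndef VERIFIED_BOOT_ENABLED
#define VERIFIED_BOOT_ENABLED 1
#endif

/* Decode one entry's UTF-16LE name into ASCII; non-ASCII code units become '?'. */
static void gpt_entry_name(const uint8_t *entry, char *out, size_t outlen)
{
    size_t n = 0;
    for (size_t i = 0; i < GPT_NAME_CHARS && n + 1 < outlen; i++) {
        const uint8_t *p = entry + GPT_NAME_OFFSET + 2 * i;
        uint16_t cu = (uint16_t)(p[0] | (p[1] << 8));
        if (cu == 0) break;
        out[n++] = cu < 0x80 ? (char)cu : '?';
    }
    out[n] = '\0';
}

/* Index of the in-use entry named `name`, or -1. An all-zero type GUID marks an unused slot. */
static int gpt_find(const uint8_t *table, size_t nentries, const char *name)
{
    static const uint8_t unused_guid[16] = {0};
    char buf[GPT_NAME_CHARS + 1];
    for (size_t i = 0; i < nentries; i++) {
        const uint8_t *e = table + i * GPT_ENTRY_SIZE;
        if (memcmp(e, unused_guid, sizeof unused_guid) == 0) continue;
        gpt_entry_name(e, buf, sizeof buf);
        if (strcmp(buf, name) == 0) return (int)i;
    }
    return -1;
}

/* Vulnerable shape: whether AVB2 runs is decided by names in an attacker-writable GPT. */
static bool is_verified_boot_2_runtime(const uint8_t *table, size_t nentries)
{
    return gpt_find(table, nentries, "vbmeta_a") >= 0 ||
           gpt_find(table, nentries, "vbmeta") >= 0;
}

/* Fixed shape: decided when the bootloader is compiled; nothing on disk can change it. */
static bool is_verified_boot_2_fixed(void)
{
    return VERIFIED_BOOT_ENABLED != 0;
}

/* Overwrite entry `idx`'s name in place (what `sgdisk -c idx:newname` does on disk).
   Only the name changes; the partition's LBA range and contents stay where they were. */
static void gpt_set_name(uint8_t *table, size_t idx, const char *name)
{
    uint8_t *field = table + idx * GPT_ENTRY_SIZE + GPT_NAME_OFFSET;
    memset(field, 0, GPT_NAME_CHARS * 2);
    for (size_t i = 0; i < GPT_NAME_CHARS && name[i] != '\0'; i++) {
        field[2 * i] = (uint8_t)name[i];  /* ASCII fits in the low byte of UTF-16LE */
        field[2 * i + 1] = 0;
    }
}

/* Constructed sample table: abl, keymaster, vbmeta and one unused slot. */
static void build_sample_table(uint8_t *table)
{
    static const char *const names[] = {"abl", "keymaster", "vbmeta"};
    memset(table, 0, SAMPLE_ENTRIES * GPT_ENTRY_SIZE);
    for (size_t i = 0; i < 3; i++) {
        uint8_t *e = table + i * GPT_ENTRY_SIZE;
        memset(e, 0xAB, 16);        /* any non-zero type GUID marks the slot as in use */
        gpt_set_name(table, i, names[i]);
    }
}

typedef struct { bool runtime_before, runtime_after, fixed; } scenario_t;

/* Replay the README's attack step against both versions of the check. */
static scenario_t run_scenario(void)
{
    uint8_t table[SAMPLE_ENTRIES * GPT_ENTRY_SIZE];
    scenario_t r;
    build_sample_table(table);
    r.runtime_before = is_verified_boot_2_runtime(table, SAMPLE_ENTRIES);
    int idx = gpt_find(table, SAMPLE_ENTRIES, "vbmeta");
    if (idx >= 0) gpt_set_name(table, (size_t)idx, "xbmeta");  /* rename, do not delete */
    r.runtime_after = is_verified_boot_2_runtime(table, SAMPLE_ENTRIES);
    r.fixed = is_verified_boot_2_fixed();
    return r;
}

int main(void)
{
    scenario_t r = run_scenario();
    printf("runtime check, vbmeta present : %d\n", r.runtime_before);
    printf("runtime check, renamed xbmeta : %d  -> NO_AVB, milestone never set\n", r.runtime_after);
    printf("compile-time check            : %d  -> unaffected by the GPT\n", r.fixed);
    return 0;
}
```

Build with any C11 compiler (e.g. `cc -std=c11 -o gpt_check gpt_check.c`, file name assumed). The point of the model is the second line of output: the runtime check flips to 0 after a rename that touches nothing but 72 bytes of name in the partition entry, while the compile-time check stays at 1 no matter what the table says.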