Qualcomm’s Signed Firehose Images and Why They’re Dangerous

Published on September 2nd, 2016
by Dylanger Daly

Hey Guys,

I’ve been noticing quite a lot of ‘Unlocking without bootloader’ threads on the XDA Forums, I think this is quite a bad Security Risk and I’ll explain why.

Woah, what is this, firehose?

Usually when you think of unlocking the bootloader, the first thing that comes to mind is fastboot right? The old oem unlock and it wipes all userdata then you can load any software/ROM you want. The crucial part being it wipes userdata before allowing you to load unsigned firmware onto the device.

A signed firehose however. Allows you to do the same, but not wipe anything.

The firehose image allows you to replace any partition on your device, so just think this through for a moment, anyone, any Government, any Private Organisation, with a signed firehose image can say, replace recovery with TWRP (An open source recovery usually used to load custom ROMs onto devices) and use dd to copy your entire flash content/user data.

Do People Need Qualcomm EMMC Debugging Tools?

No, the answer is no, at least not for newer model phones. If someone has damaged their device, this is the specific reason customer support exists, if you have an issue with your device, most vendors will be happy to exchange the device.

Signed diagnostic tools should only be provided to OEM Engineers, there’s literally no need for people to have these sort of tools as they potentially compromise every other phone.

I prefer repair it myself and by that learn a bit more about android and hardware.
manu7irl – XDA Forums

I have a problem with this statement, these signed tools compromise literally every phone in the line. Lets take the ZTE Axon 7 for example, ZTE’s flagship device (2016), a signed copy of firehose has already been leaked on the forums.

Just because some people want to ‘learn a bit more about android and hardware.’ should not come at the expense of crippling the entire Security Protections of Android’s Ecosystem.

However, the only reason for customer accessible signed firehose images is for hardware hacking, a market OnePlus has fully realised with the release of the OnePlus One (Developer Accessible Phone).

Until vendors start supporting Customer Singable firmware, signed firehose images should not be in the wild as they put millions of people at risk.

So, what can be done?

Awareness from OEMs, these tools can’t be frivolously thrown around the internet due to the risks outlined above, if these tools are not available to anyone, it makes us all safer and that’s a step in the right direction if you ask me.


Dylanger Daly

If its Security, I'm there. I mainly work in the Security Research Field, most of my focus is Mobile Security, anything from the hardware to TrustZone to the Modem. Bypassing checks one NOP at a time.

You've reached the end!

back to top