Success - use testpoints to access EDL on a stubborn KaiOS phone (Alcatel A405DL and possibly others)


Victor Chukalovskiy

Oct 23, 2020, 11:15:29 AM
to comp.mobile.nokia.8110
Hi folks, wanted to share a quick write-up on accessing EDL where button combinations / USB cable don't work.

@IvanHC perhaps this could be useful at the bananahackers page since "access EDL mode" is not always simple.

I have here a Canadian carrier-branded Alcatel Go Flip2 A405DL. It's not exactly the same as the US unlocked A405DL, so none of the other methods worked for EDL. And for me EDL was required to do "userdata" partition read / write with CAT B35 firehose like others have successfully done before.

I highly suspect this method will work for most Qualcomm chipsets that support EDL... as long as the manufacturer wired the EDL pin somewhere on the board. I'm sure most of them have it since this undocumented feature helps should "forensics" be needed.

TL;DR version of the method: remove back cover, find ground, keep shorting different test-points to the ground until you find the one that triggers EDL mode. There is a slight risk of damaging the phone.


Detailed steps:

1) Remove the battery and rear cover of the phone, exposing various test points. Connect the phone to the computer with a USB cable. Run a repetitive probe of the USB devices list. In Linux it can be an infinite bash loop: "while true; do lsusb; sleep 1; done"

2) Find a ground point, which is any large piece of metal, e.g. SIM card socket, SD card socket, RF shielding etc. Prepare two probes shorted to each other or a stiff thin wire. A multimeter with leads connected to its 10A socket is the best option, as it also allows you to see when you short some wrong pins.

3) The phone will be rebooting on its own while plugged into USB (if yours doesn't then you need to boot it by hand each time you try a new test-point). Go ahead and short different test-points to the ground one-by-one and observe boot behavior. Depending on which test point you short to the ground you can see:

    a) Multimeter shows nothing, "lsusb" shows nothing, phone keeps rebooting - move to the next test-point
    b) Multimeter shows nothing, "lsusb" shows nothing, phone does not boot - move to the next test point
    c) Multimeter shows current of a few 100s of mA, phone does not boot - remove your leads ASAP, as you are shorting a power line and risk damaging the phone. Move to the next test-point
    d) Multimeter shows nothing, "lsusb" starts showing device ID "05c6:9008" - congratulations you are in EDL mode
    ....   
    z) something else happens and your phone no longer boots - sorry, for the next KaiOS phone you may want something that supports apps side-loading

4) Once you determine correct test-point for edl, you may want to drill a small hole in the back cover around the same place so you can keep it accessible with cover on the phone.

5) Once you know how to get into edl, use a matching firehose, edl.py to read / write "userdata" partition. This is well-documented in other posts.

Pictures illustrating EDL testpoints on A405DL (no cover and modified cover):







Cheers!
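
The `lsusb` polling from steps 1 and 3 as a script (an added example, not part of the original post): rather than a scrolling device list, it logs only changes in USB state with a timestamp, so the moment case (d) occurs is easy to spot while your eyes are on the probes. The function names and the sample `lsusb` lines are constructed for this example; 05c6 is Qualcomm's USB vendor ID.

```shell
#!/bin/sh
# Added example: watch lsusb for the EDL device ID named in the post.
EDL_ID="05c6:9008"     # ID from step 3, case (d)
QC_VENDOR="05c6"       # Qualcomm USB vendor ID

# Constructed sample lsusb snapshot (not captured from a real phone).
SAMPLE_EDL='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 014: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)'

# usb_state: read one lsusb snapshot on stdin and print one of
#   edl            - a device with EDL_ID is enumerated (case d)
#   qualcomm-other - a Qualcomm device is present, but not in EDL mode
#   none           - no Qualcomm device visible (cases a, b, c)
usb_state() {
    snapshot=$(cat)
    if printf '%s\n' "$snapshot" | grep -qi "ID ${EDL_ID}"; then
        echo "edl"
    elif printf '%s\n' "$snapshot" | grep -qi "ID ${QC_VENDOR}:"; then
        echo "qualcomm-other"
    else
        echo "none"
    fi
}

# watch_edl: poll once per second, print a line only when the state changes,
# and ring the terminal bell when EDL mode appears.
watch_edl() {
    prev=""
    while true; do
        cur=$(lsusb 2>/dev/null | usb_state)
        if [ "$cur" != "$prev" ]; then
            printf '%s state=%s\n' "$(date +%T)" "$cur"
            if [ "$cur" = "edl" ]; then printf '\a'; fi
            prev=$cur
        fi
        sleep 1
    done
}

# Start polling only when invoked as: sh script.sh watch
if [ "${1:-}" = "watch" ]; then watch_edl; fi
```
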

Ivan Alex HC

Oct 23, 2020, 12:36:43 PM
to comp.mobile.nokia.8110
Thank you, I've uploaded the guide right now https://sites.google.com/view/bananahackers/development/edl