Sharif Muhaymin edited this page May 30, 2026 · 2 revisions

How QSLCL Works: Technical Deep Dive

Overview

QSLCL (Quantum Silicon Core Loader) executes at the silicon boundary - the layer below all operating system security. It targets low-level hardware interfaces (DFU, EDL, BROM, Preloader) that operate before Secure Boot locks down the device.

The Security Stack QSLCL Targets

QSLCL does NOT run in normal OS environments. It targets specific low-level modes where security is minimal by design.

┌─────────────────────────────────────────────────────────────────────┐
│  NORMAL OPERATING SYSTEM (iOS / Android / Linux)                    │
│  → Full security: Sandbox, SEP, KPP/KTRR, PAC, APRR, SELinux       │
│  → QSLCL CANNOT RUN HERE ❌                                          │
├─────────────────────────────────────────────────────────────────────┤
│  KERNEL SPACE                                                        │
│  → Signature enforcement, integrity checks, lockdown kernel         │
│  → QSLCL CANNOT LOAD HERE ❌                                         │
├─────────────────────────────────────────────────────────────────────┤
│  BOOTLOADER (iBoot, SBL, U-Boot, ABOOT)                             │
│  → Verified Boot, Chain of Trust, rollback protection               │
│  → Only signed vendor images allowed ❌                              │
├─────────────────────────────────────────────────────────────────────┤
│  LOW-LEVEL HARDWARE MODES ◄─── QSLCL TARGETS HERE ✅                 │
│  → DFU (Apple): USB Class 0xFE/0x01                                 │
│  → EDL (Qualcomm): Sahara / Firehose protocol                       │
│  → BROM (MediaTek): Preloader mode / 0xA0 handshake                 │
│  → Preloader (Unisoc/Spreadtrum): Engineering USB mode              │
│  → META / Diagnostic modes (Various vendors)                        │
│  → Serial UART boot modes (115200 baud)                             │
└─────────────────────────────────────────────────────────────────────┘

Why These Modes?

| Mode | Vendor | USB Class / Protocol | Security Level | Why QSLCL Works |
|---|---|---|---|---|
| DFU | Apple, Google, Samsung | 0xFE/0x01 (USB DFU Class) | Minimal | Factory restore protocol accepts arbitrary uploads |
| EDL | Qualcomm | Sahara protocol | Low | Emergency download mode trusts host |
| BROM | MediaTek | 0xA0 preloader handshake | Low | Boot ROM serial protocol |
| Preloader | Unisoc/Spreadtrum | USB CDC + vendor | Low | Factory flashing mode |
| META | Various | Vendor-specific | Low | Engineering diagnostic access |
| Serial | Any SoC | UART 115200 8N1 | Minimal | Raw byte stream, no authentication |

The Device Layers QSLCL Targets

Layer 1: USB Communication Layer

QSLCL uses standard USB bulk transfers - no vendor-specific tricks:

# QSLCL discovers endpoints dynamically (pyusb API; intf is a usb.core.Interface,
# handle is the opened usb.core.Device)
import usb.util
for ep in intf.endpoints():
    is_out = usb.util.endpoint_direction(ep.bEndpointAddress) == usb.util.ENDPOINT_OUT
    is_bulk = usb.util.endpoint_type(ep.bmAttributes) == usb.util.ENDPOINT_TYPE_BULK
    if is_out and is_bulk:
        handle.write(ep.bEndpointAddress, data)

This works on any USB device with bulk endpoints.

Layer 2: Protocol Adaptation Layer

QSLCL auto-detects which low-level mode the device is in:

| Detection Method | Mode Identified |
|---|---|
| USB Class 0xFE/0x01 | DFU Mode (Apple/Google/Samsung) |
| Sahara handshake response | Qualcomm EDL |
| 0xA0 preloader ping response | MediaTek BROM |
| Vendor-specific USB descriptors | Engineering/META modes |
| Serial port activity | UART boot mode |
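The same detection table is useful from the other side: a fleet or lab owner wants to know which attached devices are currently sitting in one of these pre-boot modes, because a device left in DFU/EDL/BROM exposes the unauthenticated load path this page describes. The following added example (not QSLCL's own code) does a passive inventory: it classifies a device purely from its USB descriptors, using the 0xFE/0x01 DFU class and the Qualcomm/MediaTek vendor IDs listed on this page, and never sends a Sahara or 0xA0 handshake. The sample descriptor records and their product IDs are constructed for illustration; `scan_with_pyusb` is an optional helper that builds the same records from real hardware when pyusb is installed.

```python
"""Passive inventory of attached USB devices that sit in a pre-boot
recovery mode (DFU / EDL / BROM). Added example, not QSLCL's own code.
The descriptor records below are constructed; the VIDs and the DFU class
come from the tables on this page."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DFU_CLASS, DFU_SUBCLASS = 0xFE, 0x01   # USB DFU class / subclass per the table

# Vendor IDs taken from the page's detection tables. Descriptor-only hints:
# the active handshakes are deliberately not attempted here.
VENDOR_MODES = {
    0x05C6: "Qualcomm EDL candidate (Sahara handshake not attempted)",
    0x0E8D: "MediaTek BROM/Preloader candidate (0xA0 ping not attempted)",
}


@dataclass
class UsbRecord:
    vid: int
    pid: int
    interfaces: List[Tuple[int, int]]  # (bInterfaceClass, bInterfaceSubClass)


def classify(rec: UsbRecord) -> Optional[str]:
    """Return a mode label if the descriptors match a low-level mode, else None."""
    if any(cls == DFU_CLASS and sub == DFU_SUBCLASS for cls, sub in rec.interfaces):
        return "DFU mode (USB class 0xFE/0x01)"
    return VENDOR_MODES.get(rec.vid)


def inventory(records: List[UsbRecord]) -> List[Tuple[str, str]]:
    """Keep only flagged devices, as (vid:pid, label) pairs."""
    return [(f"{r.vid:04x}:{r.pid:04x}", label)
            for r in records if (label := classify(r))]


def scan_with_pyusb() -> List[UsbRecord]:
    """Build UsbRecord objects from attached hardware (requires pyusb)."""
    import usb.core  # optional dependency; the constructed sample needs no hardware
    recs = []
    for dev in usb.core.find(find_all=True):
        ifaces = [(i.bInterfaceClass, i.bInterfaceSubClass) for cfg in dev for i in cfg]
        recs.append(UsbRecord(dev.idVendor, dev.idProduct, ifaces))
    return recs


# Constructed sample (placeholder product IDs): a DFU-class device with the
# Apple VID from the page, a device with the Qualcomm VID, and an ordinary
# HID-class device that should not be flagged.
SAMPLE = [
    UsbRecord(0x05AC, 0x0001, [(0xFE, 0x01)]),
    UsbRecord(0x05C6, 0x0002, [(0xFF, 0xFF)]),
    UsbRecord(0x1234, 0x0003, [(0x03, 0x01)]),
]

if __name__ == "__main__":
    for ident, label in inventory(SAMPLE):
        print(f"{ident}: {label}")
```

Run it as-is to see the two flagged sample devices; replace `SAMPLE` with `scan_with_pyusb()` to inventory a real host. A vendor-ID match is only a hint (the same VID is used by normal-mode devices), which is why the labels say "candidate" and why confirming the mode would require the handshakes in the table above.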

Layer 3: QSLCL Binary Upload

Once connected, QSLCL uploads qslcl.bin (72KB) into device RAM:

[QSLCL Host] ──USB/Serial──> [Device in DFU/EDL/BROM]
                              ↓
                    ┌─────────────────────┐
                    │  Device RAM          │
                    │  ┌───────────────┐   │
                    │  │ qslcl.bin     │   │
                    │  │ (72KB loader) │   │
                    │  └───────────────┘   │
                    └─────────────────────┘

Layer 4: RAM-Only Execution (Critical for A12+)

On Apple A12 and newer (A12, A13, A14, A15, A16, A17, A18):

  • No flash persistence is possible
  • Secure Boot is unbroken
  • QSLCL executes entirely from RAM
  • Everything resets on reboot - device returns to stock

This is intentional. QSLCL works with Apple's security model, not against it.

What QSLCL Does NOT Do

| Action | Supported? | Why |
|---|---|---|
| Persist after reboot (A12+) | ❌ No | Secure Boot prevents it |
| Write to iBoot/BootROM | ❌ No | Hardware protected |
| Bypass SEP | ❌ No | Not possible from DFU |
| Jailbreak iOS | ❌ No | Not the goal |
| Install permanent backdoors | ❌ No | RAM-only execution |

What QSLCL DOES Do

| Action | Supported? | How |
|---|---|---|
| Read memory | ✅ Yes | Via READ command |
| Write memory (RAM) | ✅ Yes | Via WRITE command |
| Disable watchdogs | ✅ Yes | Auto-detects offsets per SoC |
| Execute custom code in RAM | ✅ Yes | The entire loader |
| Encrypt communication (A18+) | ✅ Yes | ChaCha20/AES-GCM |
| USB4 v2.0 80Gbps | ✅ Yes | PAM4 encoding, 4-lane aggregation |

The Watchdog Problem QSLCL Solves

Modern SoCs have watchdogs that reboot the device if the OS doesn't respond. QSLCL auto-detects and disables them:

| SoC Family | Watchdog Offsets | Detection Method |
|---|---|---|
| Apple A-series | 0x20E00000, 0x20E01000+ | VID 0x05AC |
| Qualcomm | 0x02000000, 0x02000004+ | VID 0x05C6 |
| MediaTek | 0x10000000, 0x1C000000+ | VID 0x0E8D |
| Samsung Exynos | 0x10060000+ | VID 0x04E8 |
| Broadcom | 0x18000000+ | VID 0x14E4 |
| Rockchip | 0x20000000+ | VID 0x2207 |
| Allwinner | 0x01C20000+ | VID 0x1F3A |
| NVIDIA Tegra | 0x60005000+ | VID 0x10DE |

The A18+ Encryption Requirement

Starting with A18 devices, Apple requires DFU communication to be encrypted:

| Generation | Encryption Required | QSLCL Support |
|---|---|---|
| A12-A17 | ❌ No | N/A |
| A18+ | ✅ Yes (ChaCha20/AES-GCM) | --encrypt flag |

This was discovered through reverse engineering - it's not in public documentation.

Complete Device Layer Target Map

QSLCL TARGET LAYERS
│
├── USB Layer
│   ├── Bulk Endpoints (auto-discovered)
│   ├── Control Transfers (setup packets)
│   └── Isochronous (USB4 v2.0)
│
├── Protocol Layer  
│   ├── DFU Class 0xFE/0x01 (Apple, Google, Samsung)
│   ├── Sahara / Firehose (Qualcomm)
│   ├── 0xA0 Preloader (MediaTek)
│   └── Vendor-specific (META, diagnostic)
│
├── Hardware Layer
│   ├── Watchdog Registers (auto-disabled)
│   ├── Memory Controllers (read/write)
│   └── USB4 v2.0 Controllers (80Gbps)
│
└── Execution Layer
    ├── RAM-only (A12+)
    ├── Micro-VM bytecode (QSLCLVM5)
    └── Command handlers (28 commands)

Why This Works

The fundamental truth:

Security is a chain. Low-level modes (DFU/EDL/BROM) are the first links - they can't have strong security because they must work when everything else is broken.

QSLCL doesn't break security. It enters below it.

Supported SoCs (Complete List)

| Vendor | Modes | Detection | QSLCL Status |
|---|---|---|---|
| Apple | DFU (A12-A18+) | USB Class 0xFE/0x01 | ✅ Full |
| Qualcomm | EDL, Firehose | VID 0x05C6 + Sahara | ✅ Full |
| MediaTek | BROM, Preloader | VID 0x0E8D + 0xA0 | ✅ Full |
| Unisoc/Spreadtrum | Preloader | USB CDC + vendor | ✅ Full |
| Samsung | DFU, EUB | USB Class 0xFE/0x01 | ✅ Full |
| Broadcom | BCM Boot | VID 0x14E4 | ✅ Full |
| Rockchip | Mask ROM | VID 0x2207 | ✅ Full |
| Allwinner | FEL | VID 0x1F3A | ✅ Full |
| NVIDIA Tegra | RCM | VID 0x10DE | ✅ Full |
| Generic | USB/Serial | Endpoint discovery | ⚠️ Limited |

Technical Specifications

| Metric | Value |
|---|---|
| Binary size | 72KB (v0.7.3) |
| RAM usage | ~72KB |
| Commands | 28 |
| USB speed | Up to 80Gbps (USB4 v2.0) |
| Encryption | ChaCha20-Poly1305, AES-256-GCM |
| Watchdog support | 8+ SoC families |
| Platforms | Windows, Linux, macOS |

Source Code

  • Builder: build.py - Creates qslcl.bin
  • Controller: qslcl.py - Host tool
  • Modules: modules/ - Command implementations

Legal & Ethics

  • RAM-only execution (A12+) means no permanent changes
  • User must own the device or have explicit permission
  • Research, repair, and education are intended uses
  • Brick risk exists - you are warned

Built by Sharif, 19, Philippines

QSLCL: Executes at the silicon boundary
