Unlocking the Qualcomm bootloader via a GBL exploit.
Qualcomm adds a GBL boot stage to its ABL in order to limit what OEMs can do.
GBL is loaded as a UEFI application.
It is stored in the efisp partition,
so you need to flash the EFI file into that partition.
Qualcomm uses its own verification scheme instead of UEFI Secure Boot.
But GBL itself is unsigned,
so an unsigned UEFI app can be loaded.
This way, arbitrary code execution is achieved.
With that, the lock state stored in RPMB can be overwritten,
because the ABL itself reads and writes devinfo through a dedicated function.
Before the milestone is reached, that function can be called to overwrite the lock state.
This is just a POC.
Please be careful when using it.
There are some TEE issues.
I will not be responsible for any corruption!
Statement on the GBL Vulnerability
First, I discovered the GBL vulnerability around January 15–17 (I don't recall the exact date) while unpacking the ABL. I did draw on Gus's idea that "GBL is only signed by Google"—but can a single sentence like that really justify accusing me of plagiarism? Gus mentioned this in a public group (with no additional access restrictions). At the time, I didn't have the time to implement it, so I put it off until February. To be clear, this vulnerability itself isn't particularly significant.
The delay to February was because I was collaborating with others on it. However, one of the collaborators dropped out midway, so we stepped back. Those collaborators had nothing to do with Littlenine or Mlgm, and there was no issue of borrowing ideas.
Around the end of February, I mentioned the vulnerability in my own KT group (a group I run) to stimulate discussion and encourage people to look into it—but the goal was to explore follow-up vulnerabilities. At that point, Littlenine approached me proactively to work on it, and we agreed that neither of us would disclose anything to others.
Then Littlenine turned around and forwarded my messages from the KT group to other people, and accused me of plagiarism—note that I hadn't even made anything public at that time.
Since he didn't keep his word, I had no choice but to release it in March (I heard the patch had been applied, but admittedly I misread the timing by a few days).
Throughout this whole process, I did discuss it in some groups to liven up the conversation, but there was never any plagiarism, let alone theft.
I now demand that Littlenine and Mlgm remove any content accusing me of being a thief. We can acknowledge that there may be a subtle timing overlap between our GBL findings and those of others, but that does not constitute plagiarism or theft.
I did ask about it in the Aloha discussion group, but I never received a clear answer.
Theft is a serious accusation. Making such a claim without sufficient evidence constitutes a potential infringement of my reputation rights. All of our files are our own.
In this process, I never attempted any private communication with Sunf or Mlgm themselves regarding the vulnerability. All conversations took place in public group chats and were meant purely for discussion—I asked about unlock-related vulnerabilities, but they never gave a definitive response.
If anyone wants evidence, feel free to message me privately.