The EDL, emergency download mode, approach remains one of the successful physical approaches.
The challenges that investigators typically face is the data protection on Android devices makes it difficult to access. For this reason, it is almost impossible to develop a single method of extraction and decryption from an Android device. Of course, in many cases data extraction is possible, but often the data is still encrypted.
There has been a lot of buzz about EDL mode from forensic software companies as well as investigators. Let’s take a look at what EDL is and how it can be used in mobile forensics.
What is EDL?
SoC (System on Chip) mobile phone manufacturers usually provide special modes designed for debugging, diagnostics, or recovery. In this instance, Qualcomm-based devices have an EDL (Emergency Download) mode.
In this built in testing interface it is possible to obtain access to low level memory read-write functions. This access applies to both ROM and RAM.
The approach supports the following chipsets (with certain limitations for each): MSM8909, MSM8916, MSM8917, MSM8929, MSM8936,MSM8937, MSM8939, MSM8940, MSM8952, MSM8953, MSM8974, MSM8976, MSM8992,MSM8994, MSM8996, MSM8x10, MSM8x26
To place a device into EDL mode there is not a one-size fits all approach.
With several ways to switch the device into emergency download (EDL) mode, investigators often have to search for the various methods because EDL mode may be different for each device.
The two EDL modes used are the software approach and the hardware approach.
- Software approaches
- Key combination method
- Hardware approaches
- EDL cable
- Shorting the pins
ADB (Android Debug Bridge)
If the device is unlocked and adb mode is on, you can issue the command “adb reboot edl” from a command line.
Switch the device to fastboot mode by holding Power and Vol- at the same time (the key combination can be different for each device) and run the command “fastboot oem edl”.
Key combination method
The key combination mode depends on the device model. You need to turn the device off, and plug the USB cable into the PC, but not the device.
Push and hold Vol- and Vol+ at the same time and, while holding them, plug the other end of the USB cable into the device.
Hold the keys for 3-5 seconds, and the device should enter into EDL mode. Additionally, holding down the “#” button and connecting the device via USB is enough to switch many Qualcomm push-button phones to EDL mode.
This method works on many KaiOS Qualcomm devices, including Jio Phone 1.
Shorting the pins
This method, also known as “shorting test points”, requires technical experience, and often phone disassembly.
To switch the phone to EDL, metal tweezers for mobile phone repair or a piece of wire are often used to short/connect the test points.
This is not advised unless the investigator has electrical component assembly/disassembly experience.
It is possible to find advice on shorting test points on the internet. To do so, type the following into the search field:
<device name>, test points, testpoint, 9008, EDL
Extraction in EDL Mode
After putting the device in EDL mode, a special programmer has to be uploaded to the device.
Only after uploading it into the device RAM, will it be possible to start extracting data using the Firehose protocol.
Most Qualcomm-based devices check the programmer’s electronic signature. That’s why a file for another device, even if it is based on the same processor, typically will be of little use.
Some forensic software manufacturers typically don’t share these files with software providers. Offering the most up-to-date profiles in Oxygen Forensic® Detective, we now have over 500 files for different Qualcomm devices.
Common Questions about the EDL Method
If I found a programmer for model X myself, would it be of use?
The good news is that programmers depend only on the device model, and, if such a file is found, investigators can use it in any software that offers support for extraction via EDL mode. This is one of the reasons Oxygen Forensic® Detective allows an investigator to upload any programmer file.
Does this mean that all forensic software tools offer the same solution and the only difference between them is in the set of those programmers?
In most cases, when the software manufacturer claims they support EDL extraction, it only means that the software can upload the corresponding programmer into the device and use it to extract a physical dump. This functionality does not cover other tricks and exploits discussed below.
What if there is no programmer available?
Some Qualcomm SoCs have a critical vulnerability in the PBL (Primary Boot Loader) that allows an unsigned programmer to be loaded into the device. Oxygen Forensic® Detective uses a specially designed exploit that is based on this vulnerability.
Our software offers the ability to upload to the devices with MSM8909, MSM8916, MSM8939, and MSM8952 chipsets a corresponding generic programmer and start the extraction.
Is a unique one-for-all exploit for EDL extraction possible?
Most of the solutions, claiming support or simply the possibility of it, rely on the above mentioned vulnerability. This is evidenced by the list of processors for which EDL mode is supported, regardless of the presence of the programmer.
What if the phone is encrypted?
The memory of the most modern devices is encrypted, and an encrypted dump is often useless by itself.
Starting with Android 7.0, device memory is encrypted by default, using a hardware key, when SoC allows it.
Qualcomm was one of the first to include hardware key encryption in its SoCs, and since 2014 all Qualcomm SoCs for Android devices support it.
On some devices that have not passed Google certification, an outdated encryption scheme without a hardware key can be used, but those are mainly no name devices from Chinese manufactures. Thus, the vast majority of modern Qualcomm devices are encrypted using a hardware key.
To decrypt the data, a hardware key and password from the device lock screen (if one has been set) are needed.
Currently, two fundamentally different approaches are used to decrypt data from these devices. However, both approaches are based on the same vulnerability that bypasses the integrity checks when booting Qualcomm-based devices.
The first option involves modification of the bootloader (a function which loads the Android OS), so that the device switches on seemingly normal, but with the extra communication ability (e.g. root-privileged, adb on). Since the system is fully loaded, the user partition is mounted in decrypted form as dm-0. In this instance, the decryption is performed automatically by the operating system itself. This is a universal approach, but it does not work if ‘Secure startup’ mode is enabled.
If this mode is on, entering the lock screen password is needed to boot the system. If it is unknown, there will be no passing through the locked screen and the system will not load. If the files do not load, the files will not be decrypted and transferred.
It is worth mentioning that the initial approach covered still operates if the device is password-protected, but Secure Startup mode is off. The reasoning behind this is, if Secure startup is off, the phrase ‘default_password’ is used as the default password, allowing the system to fully boot and mount the dm-0 before the user password is entered.
If Secure startup is on, the user-created password is used for encryption and the system does not boot unless it’s entered. Utilizing Secure startup still remains at the discretion of the user and some manufacturers for some reason hide it in the settings, and complicate the procedure of switching it on in various ways.
The EDL, emergency download, the approach remains one of the successful physical approaches. At Oxygen Forensics we want to help investigators by providing them with the tools to be able to access difficult Android devices and extract data.
Interested in what Oxygen Forensic® Detective can do for your investigations using the EDL mode? Contact us for a free demo trial.