This is a much better experience than the previous Qualcomm debug experience, which was a hand-rolled set of read/write/execute primitives exposed over USB. It was hilariously undersecured, allowing a few of us to continually get root on various Qualcomm models.
In seriousness, these debug ports are seriously lacking in most mobile chipsets. MediaTek still has the old-style approach in many of their devices, requiring some incantations which expose serial over USB, but not in the way you think -- it's serial over USB pins!
I've done tonnes of work with mobile chipsets and security and this seems like they've finally started down the road to making this functionality accessible. Don't be surprised if you don't see this supported out of the box in most places, though. Most OEMs will certainly disable this once they've adapted their bootloaders to it. The big G doesn't like debuggability in end user devices.
It will be really interesting to see what production devices this is enabled on - It mentions the OnePlus 6 at least which has it fused out but is still accessible.
Edit: How are they reading the eFuses on a production OnePlus 6? Do they have a Qualcomm-signed EL3 EDL loader?
It seems to exist as qcom,msm-eud in the device tree of a (unfortunately production) SM4350 device I have along with an eud_enable_reg. Time to recompile the kernel with `/dev/mem`.
heya, author of the blog post here. the op6 happens to work but it's limited to debugging in el1, if you do manage to trap in el2 all the registers read 0
the reason this works at all on this production device is because oneplus screwed up and shipped a "debug profile" in production. this is a vendor signed elf (flashed to the dpdb partition or something like that) containing configuration to enable certain debugging features.
the one we already know about is crashdump mode, the op6 will crashdump when you trigger an XPU violation or some kinds of bus abort, then you can dump the entire RAM and you dont even need to authenticate (no firehose just run bkerlers edl.py)
this has come in handy for mainline development a few times heh
but it seems that this profile also enables EUD which is super nice, that said i didnt manage to get breakpoints working at all yet....
Oh hey, really cool article. Do you know if I'm correct in my attempt at enabling EUD? Also I was unsure how you determined that it was disabled in the OnePlus 6? I thought only EL3 can read qfuses in general?
And you mean the apdp partition, right? That's a weird ELF file, contains almost nothing obvious (test key sig? DEBUG mention) and doesn't seem to be any executable code which I guess makes sense, but I wonder why they made it an ELF. Is there any info on interpreting these profiles?
So that profile gives you the unauthenticated ramdump as well? Seems to be a common theme with OnePlus, messing up security features.
The Debug Policy apdp partition is flashed with an ELF “mbn” file. It is possible that sections are encrypted. At the very least it is likely signed. From a security perspective, hopefully the vendor signed with a prod key and not a test key.
In my experience, it is possible read to the fuses with a TrustZone TA, at least on a non-secure device.
So just to get this straight, Qualcomm has a piece of custom silicon, as a peripheral controlled by registers, that when enabled reroutes the ARMs USB pins through it (adding a USB hub in the middle), and on that hub it adds a SWD programmer and a serial port that connect back to the ARM core's IOs? Amazing!
Different topic, but I was crazy impressed to see Qualcomm's dedication on getting USB audio offload going, having the audio device forward data to the USB host controller, for it to send it to the USB audio device.
> This feature offers major power savings on embedded devices where a USB audio stream can continue to flow while the rest of the system is sleeping, something that devices running on battery power really care about.
How many shipping devices use USB for audio? I was under the impression that most phones/tablets/laptops support usb audio, but it is a niche/power user feature, and not the way the main device speakers are connected.
Do these same systems have bluetooth audio offload so the system can sleep for multiple minutes while a song is playing via bluetooth? (which seems to be a far more common usecase)
On some SoCs we could get to the ETM port and it was even parallel (what a nice waste of pins ;)), little down-clocking and you can get a full program trace out, i.e. with a Lauterbach. Can debug application together with the OS and all drivers down to single assembler instruction level.
12 comments
[ 5.4 ms ] story [ 42.8 ms ] threadIn seriousness, these debug ports are seriously lacking in most mobile chipsets. MediaTek still has the old-style approach in many of their devices, requiring some incantations which expose serial over USB, but not in the way you think -- it's serial over USB pins!
I've done tonnes of work with mobile chipsets and security and this seems like they've finally started down the road to making this functionality accessible. Don't be surprised if you don't see this supported out of the box in most places, though. Most OEMs will certainly disable this once they've adapted their bootloaders to it. The big G doesn't like debuggability in end user devices.
Edit: How are they reading the eFuses on a production OnePlus 6? Do they have a Qualcomm-signed EL3 EDL loader?
It seems to exist as qcom,msm-eud in the device tree of a (unfortunately production) SM4350 device I have along with an eud_enable_reg. Time to recompile the kernel with `/dev/mem`.
the reason this works at all on this production device is because oneplus screwed up and shipped a "debug profile" in production. this is a vendor signed elf (flashed to the dpdb partition or something like that) containing configuration to enable certain debugging features.
the one we already know about is crashdump mode, the op6 will crashdump when you trigger an XPU violation or some kinds of bus abort, then you can dump the entire RAM and you dont even need to authenticate (no firehose just run bkerlers edl.py)
this has come in handy for mainline development a few times heh
but it seems that this profile also enables EUD which is super nice, that said i didnt manage to get breakpoints working at all yet....
And you mean the apdp partition, right? That's a weird ELF file, contains almost nothing obvious (test key sig? DEBUG mention) and doesn't seem to be any executable code which I guess makes sense, but I wonder why they made it an ELF. Is there any info on interpreting these profiles?
So that profile gives you the unauthenticated ramdump as well? Seems to be a common theme with OnePlus, messing up security features.
In my experience, it is possible read to the fuses with a TrustZone TA, at least on a non-secure device.
Feels like a weird thing to spend so much effort optimizing but neat as heck to see. https://www.phoronix.com/news/Linux-6.16-USB-Audio-Offload
How many shipping devices use USB for audio? I was under the impression that most phones/tablets/laptops support usb audio, but it is a niche/power user feature, and not the way the main device speakers are connected.
Do these same systems have bluetooth audio offload so the system can sleep for multiple minutes while a song is playing via bluetooth? (which seems to be a far more common usecase)