[clfdev]

heya, author of the blog post here. the op6 happens to work but it's limited to debugging in el1, if you do manage to trap in el2 all the registers read 0

the reason this works at all on this production device is because oneplus screwed up and shipped a "debug profile" in production. this is a vendor signed elf (flashed to the dpdb partition or something like that) containing configuration to enable certain debugging features.

the one we already know about is crashdump mode, the op6 will crashdump when you trigger an XPU violation or some kinds of bus abort, then you can dump the entire RAM and you dont even need to authenticate (no firehose just run bkerlers edl.py)

this has come in handy for mainline development a few times heh

but it seems that this profile also enables EUD which is super nice, that said i didnt manage to get breakpoints working at all yet....

[tripdout]

Oh hey, really cool article. Do you know if I'm correct in my attempt at enabling EUD? Also I was unsure how you determined that it was disabled in the OnePlus 6? I thought only EL3 can read qfuses in general?

And you mean the apdp partition, right? That's a weird ELF file, contains almost nothing obvious (test key sig? DEBUG mention) and doesn't seem to be any executable code which I guess makes sense, but I wonder why they made it an ELF. Is there any info on interpreting these profiles?

So that profile gives you the unauthenticated ramdump as well? Seems to be a common theme with OnePlus, messing up security features.

[ARob109]

The Debug Policy apdp partition is flashed with an ELF “mbn” file. It is possible that sections are encrypted. At the very least it is likely signed. From a security perspective, hopefully the vendor signed with a prod key and not a test key.

In my experience, it is possible read to the fuses with a TrustZone TA, at least on a non-secure device.