EDL, or Emergency Download Mode (a.k.a. QDLoader 9008), is a feature of devices with Qualcomm processors that allows low-level access to the chipset for device analysis, repair or re-flashing.
By default, a Qualcomm chipset goes into EDL mode on many boot failures (to allow repair). Forensic examiners can use this behavior by intentionally introducing faults into the boot process to trigger EDL and obtain a physical extraction of a device. Extraction using EDL is generally easier and faster than most ISP, JTAG or Chip-off procedures, which are advanced methods of extracting data from mobile devices.
Not every Qualcomm processor, or older phone running a Qualcomm processor, can be placed (forced) into EDL mode.
EDL is typically identifiable as a USB device with hardware IDs VID/PID [05C6/9008], observable in the device properties on Windows or with lsusb on Linux. On Windows machines with the right driver installed, you may detect a “Qualcomm HS-USB QDLoader 9008” device or similar in the Device Manager. In the absence of a matching driver, the device may appear as “QHSUSB_Bulk”.
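An added example (not from the original article or any vendor tool): a shell helper that confirms a device has enumerated in EDL mode by matching the VID/PID above in lsusb output, and waits for it to appear. The function names and the sample lsusb lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed helper names (not from the article): edl_devices, wait_for_edl.
EDL_ID="05c6:9008"   # VID:PID from the article, lower-case as lsusb prints it

# Constructed sample lsusb output: a root hub, a device with the same vendor ID
# but a different product ID (must NOT match), and one device in EDL mode.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 05c6:0001 constructed non-EDL device
Bus 001 Device 007: ID 05c6:9008 constructed EDL-mode device'

# Read lsusb output on stdin; print "bus/device" for each device in EDL mode.
edl_devices() {
    awk -v id="$EDL_ID" '
        # Expected line shape: Bus 001 Device 007: ID 05c6:9008 <description>
        $1 == "Bus" && $3 == "Device" && $5 == "ID" && tolower($6) == id {
            sub(/:$/, "", $4)      # strip the colon after the device number
            print $2 "/" $4
        }'
}

# Poll lsusb once per second until an EDL device enumerates or the timeout
# (seconds, default 30) expires. Prints the match and returns 0 on success;
# returns 1 if nothing with the EDL VID:PID appeared in time.
wait_for_edl() {
    remaining="${1:-30}"
    while [ "$remaining" -gt 0 ]; do
        found=$(lsusb 2>/dev/null | edl_devices)
        if [ -n "$found" ]; then
            echo "$found"
            return 0
        fi
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}

# Demonstration on the constructed sample (prints 001/007).
printf '%s\n' "$SAMPLE_LSUSB" | edl_devices
```

Recording the bus/device pair before starting an extraction also documents which physical port the exhibit was attached to.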
Known Software Techniques to Enter EDL
Key combinations: Manufacturers can choose any button combination that makes sense on their device. The most common option to try from a powered-off state is to hold Vol Up + Vol Down while connecting USB, although other combinations may apply (Vol Up, Vol Up + Vol Down + Power, etc.). Some vendors have added early boot menus that allow the user to explicitly enter a mode (recovery, fastboot, download).
ADB: A nearly ubiquitous method to enter EDL resides in a command available from an authorized ADB session (you can simply try: adb reboot edl). This is mostly interesting and useful for obtaining a physical extraction of an unlocked device. This is what UFED attempts when trying ‘Generic Qualcomm ADB’.
fastboot: An alternative vendor-specific method exists from the fastboot mode, which is sometimes reachable by other key combinations (usually Vol Down + Power). Try fastboot oem edl or sending the reboot:edl command using a custom fastboot client.
FTM: Some vendors have implemented the FTM mode (hold Vol Down while connecting the USB) which in fact exposes an ADB interface. UFED can usually detect this mode and continue to extract normally using ‘Generic Qualcomm ADB’.
Known Hardware Techniques to enter EDL
EDL Cable: Some devices will detect a special cable that will signal the device to enter EDL. Such cables can be obtained in various stores, and will be supplied by Cellebrite to all customers.
Test points: Some vendors have added test points that, when shorted to ground, will put a device into EDL. Depending on the board, they may be easily reachable, even without significant disassembly.
eMMC faults: The advanced examiner (skilled with ISP/Chip-Off techniques) can use any non-destructive method to introduce faults into the reading of the eMMC chip on boot. Given a pinout chart for the specific board, you may temporarily short any one of the CMD, CLK or D0 lines to ground during power-on. Shorting the power lines is not recommended, although accurately timed VCC glitching may achieve similar results, as found in experiments at Cellebrite labs.
UFED supports dozens of confirmed and tested devices, but may support hundreds more in a generic fashion. Extended generic support is provided (but not strictly limited) to these chipsets: MSM8909, MSM8916, MSM8936, MSM8939, MSM8952.
- Shahar Tal’s “Practical Guide for Qualcomm EDL Physical Extractions”.
- Mastering EDL Mode By Scott Lorenz – Chief Forensic Analyst at Centex Technologies