EDL Utility

The EDL Utility is a Win32 utility for accessing the Qualcomm Emergency Download interface on Qualcomm processors.

Usage: edl [flags] [output] [start-sector] [sector-count] /l loader file /p partition name or number /g print GPT partition table, sort: N(umber), A(lpha), D(isk order), S(ize) /r read /e erase /w write /t truncate reading of partitions to active size /z reboot /m eMMC memory (default) /n NAND memory /u UFS memory [lun] /s start block /c count of blocks /b block size override /v verbose

Note: The usage has changed and now requires an explicit /r to read blocks from the device.

Qualcomm processors support two different protocols, "Sahara" and "Firehose". Sahara is supported in ROM and is always present. Firehose is implemented in downloadable loaders in ELF format.

EDL Mode

The usual procedure is to first get your device in EDL mode, i.e. where it is presenting USB VID/PID 05c6/9008. This can be achieved by:

Windows Drivers

Everything under Windows needs some kind of driver. Zadig is a simple generic driver generator. Do NOT use any Windows drivers from Qualcomm. They will try to present your device as a serial port.

Loaders

Next, you must use the Sahara protocol to load a loader for the Firehose protocol. Loaders are specific to processor, device manufacturer and possibly flash memory type. To decide which one you need you need to collect basic info:

C:\>edl.exe /l Found EDL 9008 HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000 Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09

Loaders may be found (thank you!) at https://github.com/bkerler/Loaders/. These files often use .bin or .mbn as the extension despite it actually being a normal ELF file. The file names are based on the 16 hexit HWID and the first 16 hexits of the Hash. As the filenames tend to be cumbersome, you might rename them something short and mnemonic.

C:\>edl.exe /lpoke3.bin Found EDL 9008 Sending poke3.bin 100% Ok Waiting for Firehose... Ok

From this point on the processor is using the Firehose protocol and you need not (can not) reload the loader unless you reboot.

A device might be using eMMC storage (older devices), NAND storage or UFS storage (newer devices). The /u flag must be used for all operation in Firehose on devices with UFS.

Specifying Blocks

The flags /u (LUN), /p (partition), /s (start block), /c (count of blocks) and /b (block size) are used to specify the range of operation. If the partition is specified then the start block is relative to the start of the partition. If partition is not specified, then the start block is absolute. Zero is the default for both start block and count of blocks. Partition operations often do not specify either start block or count of blocks. Operations on raw devices (i.e. not a partition) require an explicit /s and /c to prevent accidents like edl /e.

StartCountPartition
UnspecifiedSpecified
00Whole deviceWhole partition
0+Start of deviceStart of partition
++Middle of deviceMiddle of partition
+0End of deviceEnd of partition
0End of deviceEnd of partition
+Part of end of devicePart of end of partition

Operations

The major operations are /r (read), /e (erase), /w (write). The erase and write operations can be combined which yields the non-optimized operations of full erase and (possibly) partial write (depending on the size of the input file). Be very careful when you specify /e (erase), /w (write) as not specifying a partition means the whole device!

Truncation

Partitions are sized for the maximum anticipated size of the contents. Often the fraction of a partition that is actively being used is as low as 20%. (There are often many partitons with all zeroes in them also.) There is no particular need to transfer a whole partition when 20% will do. Of course, if you still want to transfer another 50MB of zeroes, just don't use the /t flag. Also note that some images have signing or other (sometimes) necessary things after the end of the normal image.

Currently the EDL utility has the capability to recognize the actual size of:

Android images are naturally aligned to pagesize (normally 4096 bytes) but ELF files can be any size. Therefore, when they are read, even when truncated, they are rounded up to the current device blocksize (normally 512 or 4096 bytes). This simplifies matters when/if they are written back to the device.

Examples

Show usage:

C:\>edl.exe /?

Query basic info:

C:\>edl.exe /l

Load a loader (needs to be done only once after a fresh start):

C:\>edl.exe /lmy_loader.bin

List the partitions:

C:\>edl.exe /g

Download the MBR of a UFS LUN:

C:\>edl.exe /r /u3 mbr.img /s0 /c1

Download the boot partition (and truncate to its actual size):

C:\>edl.exe /r /pboot_a boota.img /t

Erase the the last 4096 bytes of /vendor (removes FEC correction):

C:\>edl.exe /e /pvendor /s-8

Flash the recovery partition:

C:\>edl.exe /w /precovery rec.img

Reboot to normal system:

C:\>edl.exe /z

Download edl.exe, the EDL utiliy.

See also: QcomView – a utility for analyzing Qualcomm xbl/abl/Firehose loaders

Updated January 24, 2023