I hate the modern smartphone form factor, because of issues that I have with my hands. Touch gestures and touchscreen typing are incredibly frustrating for me, so I try to avoid them. In looking at modern flip phones out of curiosity, I discovered that many modern flip phones use a rebadged variant of a decade old 64-bit Qualcomm SoC, one that is decently well supported by mainline Linux (though not this particular variant). I fell down a bit of a rabbit hole and came out the other side with information that people might find useful.
Many thanks to the KaiOS “Bananahackers” community for having a surprisingly solid base of documentation for how small of a niche KaiOS is. It was really appreciated as a little taste of how viable running custom code on these devices is, without getting too bogged down in KaiOS itself. I haven’t dug around much in KaiOS because that is not my end goal; I would like to get Linux running on these. I don’t even care about the cellular hardware, I just want a portable low-power computer, but in the end their work on rooting & sideloading apps onto these devices is the basis for what I hope to do.
EDL mode is generally activated by holding both volume buttons while powering on the phone. Any non-obvious exceptions to that will be noted.
Consumer Cellular “Iris Flip” SH3320CR (Rebadged generic hardware)
Started out here. The KaiOS Bananahackers wiki page for this device contains a good collection of info - most immediately useful, you can activate an ADB interface by dialing *#*#9527#*#*. The page says that it shows up as “unauthorized”, but I saw no such thing. In an attempt to get more of a foothold, I tried the documented FirefoxOS/KaiOS debugging tools, but I was not able to get any of the tools to connect to it - I tried multiple computers running different vintages/forks of Firefox on different OSes and wasn’t able to get anything to connect. This doesn’t seem to be a problem limited to me, though; other people seem to have these issues with KaiOS 3 devices as well.
I found a working EDL loader, it is fortunately very obviously labeled as “prog_emmc_firehose_QM215.mbn”, though it is not in the main archive for EDL loaders for bkerler’s EDL utility, it’s in a secondary one, here. The most recent version of EDL as of this post works fine for storage reading/writing. Recovery mode and fastboot are accessible via volume up/down as is discussed on that page, though fastboot isn’t good for much, since they seem to have stripped out most potentially interesting or useful commands from the bootloader.
I’ve also seen this phone available in an unbranded generic context, both on Alibaba and on Amazon, where they have a SIM slot rather than being bound to eSIM. It’s definitely the same ‘SH3320’ phone, because you can see that on a sticker on the inside in the Alibaba listing. I would imagine the prog_emmc_firehose_QM215.mbn loader will work on these. It’d kinda rock to do a group buy of these branded for PostmarketOS, but I need to get over the hump of actually getting PMOS running on there in the first place. It’s quite a bit cheaper to just buy one of these Consumer Cellular ones, but I imagine that the generic version is a little bit more ‘unlocked’, so I may want to get one for just what’s on the eMMC.
TCL “Flip 3” T435S (and other T435)
This one is pretty well locked down, and I had to spend a pretty good amount of time scouring the internet for sketchy bullshit in order to get a foothold. Fortunately, I got there in the end, with no viruses to speak of. Ground basics: I have only been able to access EDL mode and recovery mode (hold vol-up while booting), though the recovery is edited to be significantly cut down in functionality so as to be basically useless except for factory resetting KaiOS. Good place to stash a custom boot-chain? I haven’t been able to access fastboot at all - basically, the only way in is EDL.
TCL seems to be pretty thorough regarding signing their Qualcomm EDL loaders differently across different phone models (or whatever makes a loader work). I’ll spare you the dead ends in the journey; I located a working EDL loader for the TCL Flip 3 and successfully dumped the eMMC. It ultimately came from this ’tcl_da-auth-firehose.zip’ archive, which seems to stem from this individual and their reddit post. I later determined that this collection of files was made for some version of TCL’s “TPST” (TCL Product Service Tool) utility, which doesn’t seem to be freely available, but can be found online. The utility itself is not useful in my context, though; it’s the support files that we’re more concerned with - there’s all kinds of goodies for tons of different models of phone in this archive, not just limited to Qualcomm.
The core problem is, the format which this software uses for Qualcomm device EDL loaders is different from the ‘raw ELF loader’ format that open source Qualcomm EDL utilities use - they package them into DLLs, for whatever reason. Not sure what the rest of the DLL is, but it’s got the expected ‘raw ELF’ EDL loader embedded as a resource. I found references to the good old ‘extract it like an archive’ trick being able to extract the loader, but I was getting it in many pieces when I tried. The installer I was able to find for the TCL TPST utility also didn’t include any loaders, and though I had one example packaged into a separate MSI installer that successfully installed itself into the utility and which confirmed that this software indeed used this EDL-loader-in-DLL format, I wasn’t able to get it to load the DLLs by manually dropping them into the directory where the MSI had placed those files. I was hoping it’d maybe extract them for me in some way, but that was a dead end. What worked in the end was manually opening the DLL in Ghidra, finding a resource section in the DLL with an ELF header that was approximately the right size to be an EDL loader (~512 KB, it may vary), and exporting that as a raw file from Ghidra.
- Open a new project in Ghidra and import the ‘ModelDownloader.dll’ file. The default settings are fine.
- Under ‘Symbol Tree’, find ‘Labels’, expand it, and look for a label of “Rsrc_BIN_66_409”. If this doesn’t exist, click on ‘.rsrc’ under Program Trees and scroll down until you see the first “Rsrc_BIN” section, which should have a size of approximately 0x60000-0x80000 bytes.
- Select that resource section, right click, click “Extract and Import”. The default settings are fine.
- File -> Export, choose “Original File”. If you must give it a specific extension, .elf, .mbn and .bin should all work. It doesn’t matter much. This is our target file.
I am nearly certain this extraction can be automated, because the loaders are located at quite a consistent location in the DLL, with all the ones I’ve seen having the exact same “Rsrc_BIN_66_409” label in Ghidra. I’ve only looked at a few, so I included some more general directions on finding the loader in case it differs between files. I don’t know how to automate this, since disassembly tools are pretty foreign to me, so I’m going to stop here for now and upload what I’ve got for my devices, since I’ve got what I need and more. I may come back to this later, since TCL makes many cheap carrier-locked devices where EDL may be the best or only way in, in terms of rooting or running an alternative OS. Or we can say that it’s “an exercise left to the reader”.
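Since the post leaves automating the extraction as an exercise, here is one way to do it in Python. This is an added example, not code from the post or from any TCL tool: it scans a DLL (or any blob) for the ELF magic, sizes each hit from the image’s own program and section header tables, and runs a tiny `strings` pass so the “Attestation Cert” marker the post mentions can be spotted. The function names, the end-of-image heuristic and the constructed sample blob are this example’s own assumptions; only the ELF header layout and the marker string come from elsewhere.

```python
"""Carve embedded ELF images (such as a Firehose EDL loader) out of a binary
blob, e.g. a vendor tool DLL. Added example, not code from the original post
or any vendor tool; function names, the size heuristic and the sample blob
are this example's own assumptions."""
import struct

ELF_MAGIC = b"\x7fELF"


def elf_image_size(blob, off):
    """Byte length of the ELF image at blob[off], or None if not a parseable
    ELF header. Heuristic (assumption): the image ends at the furthest byte
    referenced by the ELF header, the phdr/shdr tables or any segment's
    file-backed bytes. Qualcomm MBN loaders usually have phdrs only."""
    if blob[off:off + 4] != ELF_MAGIC or len(blob) - off < 64:
        return None
    ei_class, ei_data = blob[off + 4], blob[off + 5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        return None
    if ei_class == 1:       # ELF32: e_phoff..e_shnum start at byte 28
        hdr = struct.unpack_from(endian + "IIIHHHHH", blob, off + 28)
        ph_fmt, ph_off_idx, ph_filesz_idx = endian + "IIIIIIII", 1, 4
    elif ei_class == 2:     # ELF64: e_phoff..e_shnum start at byte 32
        hdr = struct.unpack_from(endian + "QQIHHHHH", blob, off + 32)
        ph_fmt, ph_off_idx, ph_filesz_idx = endian + "IIQQQQQQ", 2, 5
    else:
        return None
    e_phoff, e_shoff, _flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum = hdr
    if e_phnum > 1024:      # sanity cap: a real loader has a handful of segments
        return None
    end = e_ehsize
    if e_phnum:
        end = max(end, e_phoff + e_phnum * e_phentsize)
    if e_shoff and e_shnum:
        end = max(end, e_shoff + e_shnum * e_shentsize)
    ph_size = struct.calcsize(ph_fmt)
    for i in range(e_phnum):
        ph_at = off + e_phoff + i * e_phentsize
        if ph_at + ph_size > len(blob):
            break
        ph = struct.unpack_from(ph_fmt, blob, ph_at)
        end = max(end, ph[ph_off_idx] + ph[ph_filesz_idx])
    return min(end, len(blob) - off)    # never run past the container's end


def carve_elf_images(blob, min_size=0):
    """Return [(offset, size)] for each ELF image in blob at least min_size
    bytes long. For a real DLL pass e.g. 0x10000 to skip stray magic hits."""
    hits = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        size = elf_image_size(blob, pos)
        if size is not None and size >= min_size:
            hits.append((pos, size))
            pos = blob.find(ELF_MAGIC, pos + size)   # skip the image's own body
        else:
            pos = blob.find(ELF_MAGIC, pos + 1)
    return hits


def printable_strings(data, min_len=8):
    """Yield runs of printable ASCII at least min_len long (a tiny `strings`)."""
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7f:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


def build_sample_blob():
    """Constructed stand-in for a vendor DLL: junk, then a small ELF32 LE
    image with one PT_LOAD segment carrying the marker string, then junk."""
    payload = b"\x00" * 0x40 + b"Gflip7_VZW Attestation Cert\x00" + b"\x00" * 0x20
    ehsize, phentsize = 52, 32
    seg_off = ehsize + phentsize                        # segment data follows phdr
    ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9  # ELF32, little-endian, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 0x28, 1, 0, ehsize, 0, 0,    # ET_EXEC, ARM, phoff
                               ehsize, phentsize, 1, 0, 0, 0)  # 1 phdr, no shdrs
    phdr = struct.pack("<IIIIIIII", 1, seg_off, 0, 0,
                       len(payload), len(payload), 5, 4)       # PT_LOAD, R+X
    return b"MZ" + b"\x90" * 0x200 + ehdr + phdr + payload + b"PADDING" * 64


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_blob()
    for off, size in carve_elf_images(blob, min_size=0x10000 if path else 0):
        image = blob[off:off + size]
        certs = [s for s in printable_strings(image) if "Attestation Cert" in s]
        print(f"ELF at 0x{off:x}, {size} bytes, cert strings: {certs}")
        if path:   # write each carved image next to the input file
            with open(f"{path}.elf_{off:x}.bin", "wb") as out:
                out.write(image)
```

Run it with no arguments to see it work on the built-in sample, or with a DLL path to carve every sizeable ELF out of it. One check worth doing on a real file: compare the carved length with the size Ghidra reports for the resource. If the heuristic comes up much shorter than the ~0x60000-0x80000 the post observed, the image probably references data past its last segment, and exporting the whole resource from Ghidra as described above is the safer route.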
Though having this loader got me further than before using bkerler’s EDL utility, I was not able to get the eMMC dumped at this point; I got dumped out with a Python error message of TypeError: a bytes-like object is required, not 'str' in firehose.py. Fortunately, the error led me immediately to this issue, which is exactly how my issue presented itself. This led to me trying out a fork of the EDL utility that is meant to work around issues with KaiOS devices, along with one minor patch to work around another problem, as recommended by this comment, and that worked. This fork of EDL is pretty ancient and doesn’t act the same, so be careful and use the help prompt. :) (P.S.: “agrecascino”, if you’re reading this, hit me up. Discord, Mastodon, e-mail, whatever. We’re trying to do the same thing, let’s compare notes. I was almost going to start cyber-stalking you for that loader file, if opening the files in Ghidra didn’t help me get what I needed.)
Here are the loader files I managed to extract for this phone. The unsuffixed “T435” is the one that worked for me, with the Verizon-compatible T435S version of the TCL Flip 3. If you look inside the loader with a tool like strings, you can see the string “Gflip7_VZW Attestation Cert”, so I assume that these loaders are signed not just by specific model, but by carrier. I’ve included the ones that don’t work for me but are labeled as other T435 variants, you might need to use those if yours is a Tracfone one, for example, as they are considered different hardware with different board IDs.
There is also a bonus in here for the intrepid - a potential EDL loader for the TCL “Flip 4 5G” T440W, which is a newer KaiOS 4.0 5G-compatible flip phone with a mildly respectable but low-end modern Qualcomm SoC. If you have one, try to dump the EMMC with this loader and report back - I’d love to hear. I’d love to add these to the ‘canonical’ EDL loaders repository knowing that they actually work.
For the purposes of search engines, the name of these loaders, using the usual scheme from bkerler’s EDL loader repository, would be:
001060e10042006d_e9ee614fcc592b18_fhprg_peek.bin (T435) - works with Verizon network locked variant
001060e10042006f_3bafcb3d71529e2a_fhprg_peek.bin (T435WS) - Tracfone?
001060e100420070_5e7249c40c100b12_fhprg_peek.bin (T435X) - EU model?
0000000000420071_b43d6b7d3b1e5362_fhprg.bin (T440W)
Information on Blu “Flex” B300V coming soon, maybe - watch this space
–
I wish I had a working Linux installation to show all of this stuff off with. I wanted to wait until I had a port of weeknd-toolbox running on one of these, since that is actually useful and a practical example of lk2nd and Linux running on a QM215 flip phone, but a lot of this lower-level work is contextualization for other hardware, so it’s been a bit slow going, as I’m going back and filling in blanks on some of my other back-burner hardware while I’m exploring these. Still, though, this is useful enough information that I wanted to get it on the open internet, since other people may be able to make something from it. From what I gather, this information & TCL vendor utility dataset might be usable to root a whole new batch of KaiOS and Android phones, including KaiOS 3 phones which are usually more locked down. Have fun, hopefully more to come :)