OnePlus EDL triggering through ADB or Hardware Key Combination

Aleph Research Advisory





  1. OnePlus One

  2. OnePlus X

  3. OnePlus 2

  4. OnePlus 3

  5. OnePlus 3T

  6. OnePlus 5

Vulnerable Version

OxygenOS 5.0 and below

Technical Details

OxygenOS running in OnePlus devices allows rebooting into the Qualcomm Emergency Download (EDL) Mode through ADB, by issuing the adb reboot edl command, or by using a hardware key (Volume-UP) when the device is connected to USB. Since Firehose programmers of various OnePlus devices have been leaked, one could exploit them in order to downgrade critical partitions such as the Android Bootloader, which enables exploitation of old vulnerabilities.

Device SoC Programmer Tested SHA256
OnePlus 5 (cheeseburger) MSM8998 <embedded in an archive> yes 02ffdaa49cf25f7ff287cab82da0e4f943cabf6e6a4bfe31c3198d1c2cfa1185
OnePlus 3T MSM8996 prog_ufs_firehose_8996_lite.elf yes eef93d29e4edda26cce493b859e22161853439de7b2151a47dafe3068ee43abe
    prog_ufs_firehose_8996_ddr.elf yes a1b7eb81c61525d6819916847e02e9ae5031bf163d246895780bd0e3f786c7ee
OnePlus 3 MSM8996 prog_ufs_firehose_8996_lite.elf yes 97eff4d4111dd90523f6182e05650298b7ae803f0ec36f69a643c031399d8d13
    prog_ufs_firehose_8996_ddr.elf yes c34ec1fddfac05d8f63eed3ee90c8e6983fe2b0e4b2837b30d8619a29633649c
OnePlus 2 MSM8994 prog_emmc_firehose_8994_lite.mbn yes 63a47e46a664ccd1244a36535d10ca0b97b50b510bd481252f786177197c3c44
OnePlus X MSM8974 prog_emmc_firehose_8974.mbn yes 964b5c486b200aa6462733a682f9cead3ebfad555ce2ff3622fea8b279b006ee
OnePlus One MSM8974 prog_emmc_firehose_8974.mbn no 71c4f97535893ba7a3177320143ac94db4c6584544c01b61860aca80a477d4c9


  • 22-Jan-18
    : Public disclosure.
  • 01-Mar-17
    : Added as ALEPH-2017007.
  • 10-Feb-17
    : CVE-2017-5947 assigned.
  • 09-Feb-17
    : CVE ID requested.
  • 19-Jan-17
    : Reported.