Patch uefi to enable Logfs on secboot off qcom devices

This post was last updated on the evening of November 15, 2025.

This post is written for devices whose UEFI firmware is closed-source but whose secure boot is off.

Introduction

Nowadays, many Qualcomm devices ship with a UEFI bootloader. Besides printing logs through the serial port, qcom also added a feature that writes logs into a FAT partition labeled logfs.
The logfs partition is 8 MB in size and is formatted as "FAT12". If the UEFI is compiled in "DEBUG" mode it generally contains files named UefiLogN.txt (0 <= N <= 4), like this:

~/mnt $ ls
UefiLog2.txt UefiLog3.txt

Sometimes you may also find UefiLogN.txt on retail devices such as Xiaomi or Nubia phones; Xiaomi devices even mount the logfs partition at /dev/logfs/ by default. A UefiLogN.txt file starts with:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.MXF.2.1-01933-LANAI-1.99912.4
S - IMAGE_VARIANT_STRING=SocLanaiLAA
S - OEM_IMAGE_VERSION_STRING=ip-10-195-203-54
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x221c8600 = 0x00000001
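The header above spells out the line grammar, and in practice the first thing to pull out of a dumped UefiLogN.txt is the Secure Boot state, the image version and the boot-stage markers. The parser below is an added example, not code from the original post or from Qualcomm: it implements that grammar (B/D lines with a microsecond timestamp and an optional fourth column, S lines as "NAME=value" or "Name: value" statistics). The S lines in SAMPLE_LOG are the ones shown above; the B/D lines are constructed.

```python
"""Parse UefiLogN.txt lines from the Qualcomm logfs partition.

Added example, not code from the original post. The line grammar follows the
header quoted in the post ("Log Type - Time(microsec) - Message - Optional
Info", types B = since power-on reset, D = delta, S = statistic). The S lines
in SAMPLE_LOG are the ones shown in the post; the B/D lines are constructed.
"""
import re

# Constructed sample log (S lines copied from the post, B/D lines made up).
SAMPLE_LOG = """\
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.MXF.2.1-01933-LANAI-1.99912.4
S - IMAGE_VARIANT_STRING=SocLanaiLAA
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x221c8600 = 0x00000001
B -       1200 - PBL, Start
D -        300 - pbl_patch_ver: 0
B -      25000 - SBL1, Start
D -       6000 - sbl1_hw_init - constructed optional info
B -     180000 - UEFI, Start
"""

TIMED_RE = re.compile(r"^([BD]) -\s*(\d+) - (.*)$")
STAT_RE = re.compile(r"^S - (.*)$")


def parse_line(line):
    """Return a dict for one log line, or None for header/blank/unknown lines."""
    line = line.rstrip("\r\n")
    m = TIMED_RE.match(line)
    if m:
        kind, micros, rest = m.groups()
        # A further " - " field, when present, is the "Optional Info" column.
        message, _, info = rest.partition(" - ")
        return {"type": kind, "time_us": int(micros),
                "message": message.strip(), "info": info.strip() or None}
    m = STAT_RE.match(line)
    if m:
        text = m.group(1).strip()
        # Statistics come as "NAME=value" or "Name: value"; split on whichever
        # separator appears first so "Boot Config @ 0x... = 0x..." keeps its key.
        seps = [i for i in (text.find("="), text.find(":")) if i >= 0]
        if not seps:
            return {"type": "S", "key": text, "value": ""}
        cut = min(seps)
        return {"type": "S", "key": text[:cut].strip(), "value": text[cut + 1:].strip()}
    return None


def parse_log(text):
    """Parse a whole UefiLogN.txt body into a list of records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Pull out what a practitioner checks first: secure boot state, build id,
    boot interface, the boot-stage (B) markers and the last absolute timestamp."""
    stats = {r["key"]: r["value"] for r in records if r["type"] == "S"}
    stages = [r for r in records if r["type"] == "B"]
    return {
        "secure_boot_off": stats.get("Secure Boot", "").lower() == "off",
        "image_version": stats.get("QC_IMAGE_VERSION_STRING"),
        "boot_interface": stats.get("Boot Interface"),
        "stages": [r["message"] for r in stages],
        "last_marker_us": max((r["time_us"] for r in stages), default=0),
    }


if __name__ == "__main__":
    import sys
    # Usage: python uefilog_parse.py /path/to/UefiLog0.txt  (falls back to the sample)
    if len(sys.argv) > 1:
        body = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        body = SAMPLE_LOG
    for k, v in summarize(parse_log(body)).items():
        print(f"{k}: {v}")
```

Run it against a file pulled from the mounted logfs partition; on the sample it reports secure boot off, the LANAI build string and the three constructed stage markers. Real logs carry many more B/D lines, which is exactly why having the S statistics keyed by name is convenient.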

The UefiLogN.txt file contains logs from PBL to ABL, which is very helpful when debugging XBL, UEFI or ABL, or when researching security holes. So what controls the switch that determines whether the log buffer is flushed to logfs or not?
The UEFI debug mode is a very important factor. Referring to the leaked XBL source code on GitHub:

ReadUefiPlatVar("EnableLogFsSyncInRetail");
...
if (RETAIL && IsLogfsDebugEnable())
    return INVALID_PARA;
...
mount("logfs")
...

MountFat(LogFS)
  => If Retail && IsRetailSyncEnabled
       Yes => Execute Mount
  => If uefivar EnableFileLogging == 1
       Yes => ULog flush to LogFS

From the above pseudocode we can see that the logfs mount only goes ahead when the RETAIL check passes: either the UEFI was not built with the RETAIL macro, or the config named EnableLogFsSyncInRetail in uefiplat.cfg is 1. Otherwise the mount_logfs function returns an invalid-parameter code directly. After the mount, the UEFI variable EnableFileLogging still has to be 1 for ULog to be flushed to LogFS.

So if a device is secboot-off and its UEFI firmware was compiled as RETAIL, we need to patch the UEFI to enable logfs log recording. One way is to replace the uefiplat.cfg that is compiled into the UEFI/XBL partition. The other is to patch the code and modify the RETAIL value above. The first way is very simple and easy to do with a UEFI modification tool like UEFITool, so on this page I'll only introduce the first one. If you are an expert in reverse engineering or want a challenge, the second one will suit you.

Prepare

The tested device is an OEM device powered by SM8550. On this platform qcom split the UEFI out of the xbl partition into a standalone partition. Dump the UEFI partition with the following commands:

adb shell
# reading the raw partition needs root (su) on most devices
cp /dev/block/by-name/uefi_a /sdcard/uefi_a
[CTRL-D]
adb pull /sdcard/uefi_a .

Download a tool that supports customizing UEFI binaries. Here I chose UEFITool version 0.25.0.
Clone qtestsign and install its pip dependencies.

Modify and replace

Drag uefi_a into UEFITool. Expand the UEFI tree and you can see uefiplat.cfg in a prominent place.
UEFI in UEFITool

Right-click the Raw Section under uefiplat.cfg, select Extract body and save it to a file with any name you want. Then open it with a text editor like Notepad or VS Code and replace the 0 with 1 after "EnableLogFsSyncInRetail = ".
Set EnableLogFsSyncInRetail to 1

Now save the file and close the editor. In the UEFITool window, right-click the Raw Section under uefiplat.cfg again and click Replace body. Select the file you just edited in the pop-up window.
Replace uefiplat.cfg and save

After that, click Save image file to save the result to a file and the modification is done. It's much simpler than patching binaries and replacing DXE drivers.
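Editing the extracted body by hand works, but before handing it back to UEFITool's Replace body it is worth checking that only the one value changed, that the key is set exactly once (a commented-out copy of the line must not be touched), and that the file size is unchanged. The script below is an added example, not code from the original post, UEFITool or Qualcomm; it assumes the "key = value" line layout with '#' comments, and SAMPLE_CFG is a constructed excerpt in which only the key names come from this post.

```python
"""Flip EnableLogFsSyncInRetail in an extracted uefiplat.cfg body.

Added example, not code from the original post, UEFITool or Qualcomm. It
scripts the "replace 0 with 1" edit so the result can be checked (exactly one
live key, nothing else changed, same size) before it goes back in with
UEFITool's Replace body. Assumed layout: "key = value" lines with '#' comments;
SAMPLE_CFG is a constructed excerpt, only the key names come from the post.
"""
import sys

KEY = b"EnableLogFsSyncInRetail"

# Constructed stand-in for the raw section body extracted from uefiplat.cfg.
SAMPLE_CFG = (
    b"#=========================================\r\n"
    b"# constructed uefiplat.cfg excerpt\r\n"
    b"[ConfigParameters]\r\n"
    b"#EnableLogFsSyncInRetail = 1   # commented out: must be ignored\r\n"
    b"EnableLogFsSyncInRetail = 0\r\n"
    b"EnableFileLogging = 1\r\n"
)


def _split_line(line):
    """Return (name, lead, value, tail, eol) for an active 'name = value' line,
    else None. lead/tail hold the whitespace and trailing comment around value."""
    body = line.rstrip(b"\r\n")
    eol = line[len(body):]
    if body.lstrip().startswith(b"#") or b"=" not in body:
        return None
    name, _, rest = body.partition(b"=")
    lead = rest[:len(rest) - len(rest.lstrip())]
    rest = rest.lstrip()
    value_part, hash_, comment = rest.partition(b"#")
    value = value_part.rstrip()
    tail = value_part[len(value):] + hash_ + comment
    return name.strip(), lead, value, tail, eol


def get_cfg_value(data, key):
    """Value of the first active `key = value` line, or None if absent."""
    for line in data.splitlines(keepends=True):
        parts = _split_line(line)
        if parts and parts[0] == key:
            return parts[2]
    return None


def set_cfg_value(data, key, new_value):
    """Return data with the value of key replaced; every other byte is kept.
    Raises ValueError unless exactly one active line sets the key."""
    out, hits = [], 0
    for line in data.splitlines(keepends=True):
        parts = _split_line(line)
        if parts is None or parts[0] != key:
            out.append(line)
            continue
        _, lead, _, tail, eol = parts
        hits += 1
        # keep "name =", the spacing, the trailing comment and the line ending
        out.append(line[:line.index(b"=") + 1] + lead + new_value + tail + eol)
    if hits != 1:
        raise ValueError(f"expected exactly one active {key!r} line, found {hits}")
    return b"".join(out)


def differing_bytes(a, b):
    """Count positions where a and b differ, plus any length difference."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def main(argv):
    """Usage: patch_uefiplat.py <extracted body>  -> writes <body>.patched"""
    src = argv[1]
    data = open(src, "rb").read()
    patched = set_cfg_value(data, KEY, b"1")
    print(f"{KEY.decode()}: {get_cfg_value(data, KEY)!r} -> {get_cfg_value(patched, KEY)!r}, "
          f"{differing_bytes(data, patched)} byte(s) changed, "
          f"size {len(data)} -> {len(patched)}")
    open(src + ".patched", "wb").write(patched)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv)
    else:  # no file given: show the effect on the constructed sample
        sys.stdout.write(set_cfg_value(SAMPLE_CFG, KEY, b"1").decode())
```

On the sample the report is "b'0' -> b'1', 1 byte(s) changed" with the size unchanged, which is the condition you want before doing Replace body; a count other than 1, or a ValueError about the key count, means the extracted body is not what you expected and should be looked at before anything is flashed.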

Sign

Qualcomm devices sign every image in the boot chain, and a test signature is still needed on an unfused / secboot-off device. To sign the image we just created we use qtestsign, a well-known tool for signing firmware for Qualcomm secboot-off devices.

SM8550 uses the version 7 signature. If you are signing firmware for other platforms, please check the version: most platforms below SM8450 use the v6 signature, and SM8450 up to the newest (SM8850) use the v7 signature.

python qtestsign/qtestsign.py -v7 uefi -o signed_patched_uefi.elf patched_uefi.rom

Sign with qtestsign

Flash the signed file to the uefi partition in fastboot mode:

fastboot flash uefi signed_patched_uefi.elf
fastboot reboot

Verify

Mount the logfs partition and the UEFI log files should be in it.

su
mkdir /dev/logfs_mnt
mount /dev/block/by-name/logfs /dev/logfs_mnt
ls /dev/logfs_mnt

Result:

UefiLog0.txt  UefiLog1.txt  UefiLog2.txt  UefiLog3.txt

Variable

If you did not get any result above, perhaps the EnableFileLogging variable is disabled on your device.
We can try editing ABL to enable this value.
The set-variable code is adapted from the open-source ABL:

UINT8 Value = 1;
Status = gRT->SetVariable (L"EnableFileLogging", &gQcomTokenSpaceGuid,
                           EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
                           sizeof (Value), &Value);

Add a Fastboot command to set this var value:

// FastbootLib/FastbootCmds.c
struct FastbootCmdDesc cmd_list[] = {
  ...
  {"oem set-gpu-preemption", CmdOemSetGpuPreemptionValue},
  {"oem device-info", CmdOemDevinfo},
  {"oem set-filelog", CmdSetFileLog},

#if HIBERNATION_SUPPORT_NO_AES
  {"oem golden-snapshot", CmdGoldenSnapshot},
#endif
};

Add a handler for the oem set-filelog command.

/* Handler for "fastboot oem set-filelog <0|1>": sets the EnableFileLogging
 * UEFI variable that controls whether ULog is flushed to LogFS.
 * Arg: the variable value, "0" or "1"
 */
VOID
CmdSetFileLog (CONST CHAR8 *Arg, VOID *Data, UINT32 Size)
{
  UINT8 Value = 0;
  EFI_STATUS Status = EFI_SUCCESS;

  if (!Arg) {
    FastbootFail ("Invalid Input Parameters");
    return;
  }

  /* Skip the spaces between the command name and the value. */
  while (*Arg == ' ') {
    Arg++;
  }

  /* Only a single digit (plus a possible trailing character) is accepted. */
  if (AsciiStrLen (Arg) >= 3) {
    FastbootFail ("Invalid value");
    return;
  }

  switch (Arg[0]) {
    case '0':
      Value = 0;
      break;
    case '1':
      Value = 1;
      break;
    default:
      /* Must return here: otherwise the variable is still written and an
       * OKAY response is sent after the FAIL. */
      FastbootFail ("Invalid value");
      return;
  }

  Status = gRT->SetVariable (L"EnableFileLogging", &gQcomTokenSpaceGuid,
                             EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
                             sizeof (Value),
                             &Value);

  if (EFI_ERROR (Status)) {
    FastbootFail ("Set variable failed");
    return;
  }

  FastbootOkay ("");
}

If patching ABL still does not work, replace QcomBDS.efi with one compiled in DEBUG mode.

END


https://kancy.life/2025/11/14/LogfsEnable/
Author: Kancy Joe
Published: November 14, 2025