qtestsign is a simple, open-source tool to sign ELF Qualcomm firmware images using test keys. It implements the image format described in Secure Boot and Image Authentication - Technical Overview v1.0. It is not meant to provide any security, only to pack the images into a format accepted by the Qualcomm firmware loaders.
Note: Most Qualcomm devices have a certain root CA "burned" into fuses and refuse to boot firmware signed with other certificates. This tool works only for devices with disabled secure boot. Currently, it does not even generate an actual signature because it does not seem to be verified at least on MSM8916/APQ8016 devices with disabled secure boot.
qtestsign requires Python 3.7+ and cryptography 3.1+, a Python module used to generate new CA certificates. On many distributions this will likely be already installed by default (but perhaps outdated). Alternatively you can install it with pip:
$ pip install -r requirements.txt
Then, just use ./qtestsign.py --help
to figure out how the tool works. You need to specify the firmware type
and the ELF image to sign, e.g. for U-Boot:
$ ./qtestsign.py aboot u-boot
And the tool will produce u-boot-test-signed.mbn
, signed with automatically generated test certificates.
Note that this will also automatically strip the binary, so there is no need to do that manually first.
So far qtestsign is only tested to work for signing firmware for the MSM8916/APQ8016 SoC. It can successfully sign aboot/hyp/tz/rpm/sbl1 (tested by re-signing official firmware). It is likely that it works for many other SoCs that use the v1.0 image format.
This tool was created to sign (open-source) firmware for the DragonBoard 410c (APQ8016) and other MSM8916 devices, e.g.:
aboot
: LK (Little Kernel) bootloaderaboot
: U-Boot bootloaderhyp
: qhypstub, tfalkstubtz
: Trusted Firmware-ARM (TF-A)
qtestsign is licensed under the GNU General Public License, version 2. It is mostly based on the specification
of the v1.0 image format, but some implementation details (e.g. the exact hash segment header format) are adapted
from signlk. Unlike signlk it can also successfully sign other firmware types, like hyp
.