Today I will share you all Qualcomm EMMC Filehose Programmer file for Certain Devices.. emmc Programs File download for all Qualcomm Chipsets Devices. Seems like CAT is using generic HWID for 8909 devices We got very lucky with this. The rest of our devices with an aarch32 programmer (Xiaomi Note 5A and Xiaomi Note 4) also had an WX page available, hence code execution on them was immediate as well. In Part 3 we exploit a hidden functionality of Firehose programmers in order to execute code with highest privileges (EL3) in some devices, allowing us, for example, to dump the Boot ROM (PBL) of various SoCs. January 22, 2018 * QPSIIR-909. because virtually any firehose file will work there. ), this should not be as easy, as we expected the programmer to employ non-executable pages in order to protect against such a trivial exploit. firehorse. I dont think the mother board is receiving power as the battery is dead. For example, on OnePlus 5: Now that we can conveniently receive output from the device, were finally ready for our runtime research. I have an oppo made android mobile phone model no CPH1901 and want to put it into EDL mode try above mentioned methods using ADB but get not responding results. After that select the programmer file prog_emmc_firehose_8917_ddrMBN. Now, boot your phone into Fastboot mode by using the buttons combination. I don't think I've ever had a Qualcomm EDL cable work on a single LG phone I have ever had over the past decade. As an example, the figures below show these EDL test points on two different OEM devices Redmi Note 5A (on the left) and Nokia 6 (on the right). Digging into the programmers code (Xiaomi Note 5A ugglite aarch32 programmer in this case) shows that its actually an extended SBL of some sort. The only thing we need to take care of is copying the original stack and relocating absolute stack address. EDL is implemented by the PBL. you can check other tutorialshere to help. Despite that, we can recover most breakpoints each time a breakpoint is hit, we simply reconstruct all of the others, losing only breakpoints that occur in succession. Some SBLs may also reboot into EDL if they fail to verify that images they are in charge of loading. As for remediation, vendors with leaked programmers should use Qualcomms Anti-Rollback mechanism, if applicable, in order to prevent them from being loaded by the Boot ROM (PBL), The problem is caused by customizations from OEMsOur Boot ROM supports anti-rollback mechanism for the firehose image., Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot, Exploiting Qualcomm EDL Programmers (4): Runtime Debugger, Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction, Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting, Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals, Obtain and reverse-engineer the PBL of various Qualcomm-based chipsets (, Obtain the RPM & Modem PBLs of Nexus 6P (, Manifest an end-to-end attack against our Nokia 6 device running Snapdragon 425 (. To implement breakpoints, we decided to abuse undefined instruction exceptions. Could anyone please test the attached firehose on 8110 4G (TA-1059 or TA-1048) or 2720 Flip? ignore the access righs completely). So breakpoints are simply placed by replacing instructions with undefined ones which cause the undefined instruction handler, that we hooked, to be executed. There are no posts matching your filters. Analyzing their handlers reveals the peek and poke tags expect the following format: Adding this to our research tool, allowed us to easily explore susceptible devices. EDL implements Qualcomms Sahara or Firehose protocol (on modern devices) to accept OEM-digitally-signed programmer in ELF file format (or in MBN file format on older devices). However discovering the point on undocumented devices is an easy task. A usuable feature of our host script is that it can be fed with a list of basic blocks. For example, if the folder in the Documents directory, the command should be: Now, enable USB debugging on your Android device using the instructions. ), EFS directory write and file read has to be added (Contributions are welcome ! Your device needs to have a usb pid of 0x9008 in order to make the edl tool work. Needless to mention, being able to reboot into EDL using software only means or with such USB cables (depict a charger that shortens the pins) enables dangerous attack vectors, such as malicious USB ports (e.g. In this mode, the device identifies itself as Qualcomm HS-USB 9008 through USB. Rebooting into EDL can also happen from the Platform OS itself, if implemented, and if adb access is allowed, by running adb reboot edl. You signed in with another tab or window. So, let's collect the knowledge base of the loaders in this thread. The first part presents some internals of the PBL, GitHub Stars program. very, very useful! This error is often a false-positive and can be ignored as your device will still enter EDL. Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken) If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short. Then select Open PowerShell window here or Open command window here from the contextual menu. Amandeep, for the CPH1901 (Oppo A7, right? As one can see, there are such pages already available for us to abuse. https://alephsecurity.com/2018/01/22/qualcomm-edl-1/, https://github.com/alephsecurity/firehorse, [TOOL] Sahara & Firehose Test (Alcatel Flasher oncoming ), [ROM/FIRMWARE][6045X] Android 6.0 Marshmallow for Alcatel Onetouch Idol 3 5.5, [6039] - ***GUIDE*** - How to return the fastboot commands on already upgraded device, [ROM] 6045Y-DCZ - 6.0.1 stock, root, debloat - 2.2 (2016-08-09), [ROM][6045X][7.1.2][Resurrection Remix][5.8.5][Nougat][UNOFFICIAL][FINAL] IDOL 3 5.5, How to fix - cannot boot into system after /vendor changed file system (ext2, ext4), Junsun V1 Pro MTK8259 4GB + 64GB Android 10 headunit, Junsun V1 Pro (MTK8259/MTK8257) - firmware. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Later, the PBL will actually skip the SBL image loading, and go into EDL mode. Just plug in your device to the wall charger for at least 30-40 minutes so that it gets sufficiently charged. In this part we extend the capabilities of firehorse even further, making it being able to debug Firehose programmers (both aarch32 and aarch64 ones) in runtime. The following info was from the device that works with the programmer I attached, HWID: 0x009600e100000000 (MSM_ID:0x009600e1,OEM_ID:0x0000,MODEL_ID:0x0000), PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f, prog_emmc_firehose_8909_ddr[d96ada9cc47bec34c3af6a3b54d6a73466660dcb].mbn, Andy, thanks a lot for figuring out the non-standard XML response for Nokias, merged your changes back into the, Also, if you didn't notice, we also already have the 800 Tough firehose in our, https://cloud.disroot.org/s/HzxB6YM2wRFPpWT/download, http://forum.gsmhosting.com/vbb/f296/nokia-8110-4g-full-support-infinity-qlm-1-16-a-2574130/, http://dl1.infinity-box.com/00/pub.php?dir=software/, http://edl.bananahackers.net/loaders/0x000940e100420050.mbn, https://groups.google.com/d/topic/bananahackers/T2RmKKGvGNI/unsubscribe, https://groups.google.com/d/msgid/bananahackers/3c9cf64a-710b-4f36-9090-7a00bded4a99n%40googlegroups.com. Anyway, peek and poke are the holy grail of primitives that attackers creatively gain by exploiting vulnerabilities. This cleared up so much fog and miasma..;-). Qualcomm's EDL & Firehose demystified. You can use it for multi-purpose on your Qualcomm powered phone such as Remove Screen lock, Flash Firmware, Remove FRP, Repair IMEI, also fix any type of error by the help of QPST/Qfil tool or any other third party repair tool, So, download basic firmware file or Prog EMMC MBN File from below. Later, in Part 5, we will see that this debugging functionality is essential for breaking Nokia 6s Secure Boot, allowing us to trace and place live patches in every part of its bootloader chain. After running our chain, we could upload to and execute our payload at any writable memory location. Receive the freshest Android & development news right in your inbox! Interestingly, in the actual SBL of ugglite, this series of initialization callbacks looks as follows: Therefore, they only differ in the firehose_main callback! TA-1048, TA-1059 or something else? We could have not dumped everything because then we would risk in device hangs, reboots, etc, since some locations are not of the RAM. If you have any questions regarding this Qualcomms special boot mode or face any problems booting your Android device into it, then please let us know. the Egg). But if not, then there are a couple of known ways/methods to boot your phone into EDL. The extracted platform-tools folder will contain ADB and other binaries youd need. One possible explanation for their existence is that they are old entries from the APPS PBL (which indeed sets TTBR0 to 0xFE800000). As for the other devices we posses, that have aarch64 programmers, ROP-based exploitation was indeed needed, as no writable/executable pages were found, due to probably the employment of SCTLR.WXN, that disables execution on any writable page, regardless of its NX bit. An abstract overview of the boot process of Qualcomm MSM devices is as follows: The PBL kicks-in from ROM after the device is powered-on. Our next goal was to be able to use these primitives in order to execute code within the programmer itself. Some of these powerful capabilities are covered extensively throughout the next parts. Save my name, email, and website in this browser for the next time I comment. I have made a working package for Nokia 8110 for flashing with cm2qlm module. Finding the address of the execution stack. To exploit that, we first flash our data on some bogus / backup partition, and then upload a small, Egg Hunter, that searches the relevant memory for our previously uploaded data (i.e. initramfs is a cpio (gzipped) archive that gets loaded into rootfs (a RAM filesystem mounted at /) during the Linux kernel initialization. In order to further understand the memory layout of our devices, we dumped and parsed their page tables. Luckily enough, for select chipsets, we soon encountered the PBL themselves: For example, the strings below are of the MSM8994 PBL (Nexus 6P): Please note that the PBL cannot be obtained by code running in the platform OS. In addition, OnePlus 5s programmers runs in EL1, so we used SCTLR_EL1 instead of the EL3 counterpart. (Later we discovered that this was not necessary because we also statically found that address in the PBL & Programmer binaries.) Interestingly, there is a positive trend of blocking these commands in locked Android Bootloaders. This isn't strictly speaking a Bananahackers question (because it's about Android phones), but this is where I learned about EDL mode. Some encoding was needed too. I know that some of them must work at least for one 8110 version. Looking to work with some programmers on getting some development going on this. Individual loaders must have .mbn or .bin extension, archives should be preferably zip or 7z, no rar; 3. Butunfortunatelydoesn'tseemtowork. The figure on the left shows a typical boot process of an Android device, wherein the Primary Bootloader triggers the Secondary Bootloader, which in turn boots the complete Android system. Knowing the memory-layout of the programmers, and the running exception level, we started peeking around. (For debugging during our ROP chain development, we used gadgets that either reboot the device, or cause infinite loops, in order to indicate that our gadgets were indeed executed). Many devices expose on their board whats known as Test Points, that if shortened during boot, cause the PBL to divert its execution towards EDL mode. A working 8110 4G firehose found, should be compatible with any version. Without which, booting into modes like Fastboot or Download modes wouldnt be possible. Please take a look at the image posted on this website, it illustrates the correct EDL test points for the Oppo A7. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose. Let me start with my own current collection for today -. - HWID (if known) - exact filename (in an already uploaded archive) or a URL (if this is a new one) Requirements to the files: 1. In order to tackle that, we abused the Firehose protocol in the following ways: Egg Hunting. This should be the emmc programmer for your specific model. (, We managed to manifest an end-to-end attack against our Nokia 6 device running Snapdragon 425 (, It resets the MMU and some other system registers, in a function we named. By dumping that range using firehorse, we got the following results: We certainly have something here! This method has a small price to pay. In that case, youre left with only one option, which is to short the test points on your devices mainboard. For aarch64 - CurrentEL, for aarch32 - CPSR.M. Android phones and tablets equipped with Qualcomm chipset contain a special boot mode which could be used force-flash firmware files for the purpose of unbricking or restoring the stock ROM. Luckily for us, it turns out that most Android devices expose a UART point, that can be fed into a standard FTDI232. To ensure that we can replace arbitrary instructions and not get hit with data aborts while doing so (due to non-writable pages), we either disable the MMU completely (aarch64), or in aarch32, much conveniently elevate all of the domains to manager, by writing 0xFFFFFFFF to the DACR register. It seems the RPM PBL is in the 0xfc000000-0xfc0040000 range, where the MODEM PBL is in the 0xfc004000-0xfc010000 range. Berbagai Masalah Vivo Y51L. There are several ways to coerce that device into EDL. Must be easily downloadable (no turbobits/dfiles and other adware), preferably a direct link; 2. Research & Exploitation framework for Qualcomm EDL Firehose programmers. Comment for robots to get back the 0x9008 mode : Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken). To start working with a specific device in, comment installer mycanal sur smart tv hisense, fire emblem fates fanfiction oc x female corrin, universal crossword puzzle answers today giant, bosch ebike diagnostic software free download, insert or update on table violates foreign key constraint postgresql, how to delete hacked fb account permanently, vsdbg must be running with root permissions, amazon engineering maintains a large number of logs of operations, a uniform thin rod of mass m and length l is supported horizontally by two supports one at each end, at least one other status code is required to identify the missing or invalid information, intel wifi 6 ax201 not working code 10 windows 11, pre release material computer science 2022, my absolute boyfriend ep 1 eng sub bilibili, thompson center hawken replacement barrels, write the definition of a method printgrade, tamilblasters movie download isaimini 2022, internal parts of computer and their functions pdf, describe a time when you missed a deadline or personal commitment retail, harry potter calls in all debts fanfiction, break up with her before she breaks up with you, a value of type const char cannot be assigned to lpcwstr, vs code initialize repository not working, snohomish county superior court law clerks, mega tv online grtis futebol ao vivo download, macmillan english practice book 3 answers pdf, chance of miscarriage after heartbeat but bleeding, import failed due to missing dependencies, explain with suitable example phases of data analytics life cycle, when coding for laboratory procedures and neither automated nor manual are indicated, high school marching band competitions 2022, australian shepherd puppies for sale western cape, what is com samsung android vtcamerasettings, distorted celebrity faces quiz with answers, cannot display the folder microsoftoutlook cannot access the specified folder location shared inbox, third conditional exercises with answers pdf, smith and wesson antique revolvers serial numbers, livewell instafold folding mobility scooter review, refresh token expiration time best practice, amd ryzen 7 5700g with wraith stealth cooler, what will be your main source of funding for your studies ucas, exam az 900 topic 1 question 89 discussion examtopics, renault diagnostic software free download, biofreeze pain relief roll on 3 oz roll on, phantom forces ban appeal 1000 characters, 2003 dodge ram 1500 blend door actuator location, tucker and dale vs evil full movie download, there is a temporary problem please try again your card was not charged gumroad, outbound message in salesforce process builder, veeam unable to install backup agent the network path was not found, word module 3 sam end of module project 2, zigbee2mqtt home assistant 502 bad gateway, range rover evoque auxiliary battery location, fill in the missing words in sentences worksheets, low income senior apartments in macomb county, npm failed with return code 134 azure devops, alice and bob each created one problem for hackerrank, questions to ask a startup founder in an interview, certified recovery specialist practice test, mcgraw hill reading wonders 5th grade pdf, bt 1500 chemistry analyzer service manual, postdoctoral fellowship in south korea 2022, va high risk prostate cancer camp lejeune water contamination, waterfront homes for sale lake martin al zillow, nursing associate course for international students, time of happiness full movie with english subtitles download, microsoft teams administrator interview questions and answers, operation fortune full movie download mp4moviez, driveway finance corporation phone number, war for the planet of the apes full movie in tamil download hd filmywap, source taleworlds mountandblade view object reference not set to an instance of an object, sliquid intimate lubricant h20 glycerine free original. P.S. EDL implements Qualcomm's Sahara or Firehose protocol (on modern devices) to accept OEM-digitally-signed programmer in ELF file format (or in MBN file format on older devices). Without further complications we can simply reconstruct the original instruction in-place (after doing whatever we want we use this feature in the next chapter in order to conveniently defeat Nokia 6s secure boot, as it enables us to place hooks at the instruction level), and return from the exception. please tell me the solution. Some times, flashing the wrong file can also potentially corrupt the Android bootloader itself. By Roee Hay & Noam Hadad. Kindly please update whether it works as I'm on the same boat albeit with a different device (it's a projector with a battery based on android). To boot your phone into EDL mode using the test point method, you will need to expose the devices mainboard and use a metal tweezer (or a conductive metal wire) to short the points, and then plug the device to your PC or to the wall charger over USB. You are using an out of date browser. You do not have permission to delete messages in this group, Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message. Other devices, such as the OnePlus family, test a hardware key combination upon boot to achieve a similar behavior. Connect the phone to your PC while its in Fastboot mode. Its 16-bit encoding is XXDE. or from here, Make a subdirectory "newstuff", copy your edl loaders to this subdirectory, or sniff existing edl tools using Totalphase Beagle 480, set filter to filter({'inputs': False, 'usb3': False, 'chirps': False, 'dev': 26, 'usb2resets': False, 'sofs': False, 'ep': 1}), export to binary file as "sniffeddata.bin" and then use beagle_to_loader sniffeddata.bin. Since the PBL is a ROM resident, EDL cannot be corrupted by software. Some of them will get our coverage throughout this series of blog posts. Luckily enough (otherwise, where is the fun in that? A partial list of available programmers we managed to obtain is given below: In this 5-part blog post we discuss the security implications of the leaked programmers. While its best you use a firmware which includes a programmer file, you can (in severe cases) use the programmer file for a Qualcomm EDL mode varies across Qualcomm devices so. It can be found online fairly easily though. Research & Exploitation of Qualcomm EDL Firehose Programmers: From PBL (Boot ROM) Extraction, Research & Analysis to Secure Boot Bypass in Nokia 6. . Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction Exploiting Qualcomm EDL Programmers (4): Runtime Debugger Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot Usage Prerequisites To use this tool you'll need: bricked citrus dead after restart edl authentication firehose . sahara - ----- HWID: 0x0005f0e100000000 (MSM_ID:0x0005f0e1,OEM_ID:0x0000,MODEL_ID:0x0000) CPU detected: "MSM8996Pro" PK_HASH . Nokia 6/5 and old Xiaomi SBLs), and reboot into EDL if these pins are shortened. The routine sets the bootmode field in the PBL context. The source is pretty much verified. You can Download and Use this file to remove Screen lock on Qualcomm Supports Devices, and Bypass FRP Google account on all Qualcomm Devices, Qualcomm Prog eMMC Firehose Programmer file Download, Lava V62 Benco FRP File Download (Bypass Google) by SPD Research Tool Latest Free, DarkRa1n iCloud Bypass Tool iOS 16 iOS 15 Download Free Latest, VNROM FILE Ramdisk Tool Download Windows Latest Version Free, Mina Ramdisk Bypass Tool V1.3 Download Latest Version for MAC Free, GSM Gaster Tool V4.0 Download Latest Passcode, Hello Screen Disable Device, OMH Mi Blu Relock Fixer Tool V1 Download Latest Version Free, iOS Factory Reset Tool V1 Download latest version Free, CICADA iTools V4.1 Download Latest Version Setup Free, Oppo A11s No Auth Loader Firehose File Download Free, Motorola G Stylus 5G EDL Firehose Programmer File Download Free. As mentioned above, modern EDL programmers implement the Qualcomm Firehose protocol. We guess that the Boot ROM can only be obtained from the secure state (which anglers programmer runs under). Loading the programmer with IDA, quickly revealed that our obtained Firehose programmers also support the peek and poke tags, with the following format: These allow for arbitrary code execution in the context of the programmer, as demonstrated in our blog post. When in this mode, the device identifies itself as Qualcomm HS-USB QDLoader 9008 over a USB connection. At this stage of the research, we did not have much understanding of the memory layout of the programmers, and due to the fact that poking an unmapped arbitrary address resulted in a crash (either infinite loop or a reboot), we had to discover a more intelligent way in order to deduce the such memory layout of the programmer. Here is the Jiophone 2 firehose programmer. Onetouch Idol 3 Android Development . Thats it! emmc Programs File. As open source tool (for Linux) that implements the Qualcomm Sahara and Firehose protocols has been developed by Linaro, and can be used for program (or unbrick) MSM based devices, such as Dragonboard 410c or Dragonboard 820c. ABOOT prepares the kernel command line and initramfs parameters for the Linux kernel in the Device Tree Blob (DTB), and then transfers execution to the Android (Linux) kernel. Later, our UART output can be fed into IDA, using another IDA Python script, to mark the execution path. MSM-based devices contain a special mode of operation - Emergency Download Mode (EDL). MSM (Qualcomms SoC)-based devices, contain a special mode of operation - Emergency Download Mode (EDL). Extract the downloaded ZIP file to an easily accessible location on your PC. noidodroid Senior Member. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose. Qualcomm Firehose Programmer file Collection: Download Prog_firehose files for All Qualcomm SoC. You signed in with another tab or window. Phones from Xiaomi and Nokia are more susceptible to this method. Apr 1, 2019 350 106 Innernetz www.noidodroid.com . The EDL mode itself implements the Qualcomm Sahara protocol, which accepts an OEM-digitally-signed programmer (an ELF binary in recent devices, MBN in older ones) over USB, that acts as an SBL. Which version of 8110 do you have? Triedonboth,8110&2720. We showed that such code, may get executed with the highest possible privileges in ARM processors, and can dump Boot ROMs of various such SoCs. In addition, rebooting into EDL by software is done by asserting the LSB of the 0x193D100 register (also known as tcsr-boot-misc-detect) Your phone should now reboot and enter EDL mode. Therefore, this kind of attack requires the following: Finding the memory location of the execution stack is relatively easy, as this is set in the reset interrupt handler of the programmer: Next, we dumped the stack and searched for saved LR candidates for replacement: We chose 0x0802049b the programmer has a main-loop that waits for incoming XMLs through USB (handle_input from Part 1), so our replaced LR value is the return location to that loop from the XML command parser : Poking the corresponding stack location (0x805cfdc) with an arbitrary address should hijack the execution flow. Home EMMC Files All Qualcomm Prog eMMC Firehose Programmer file Download. GADGET 3: The next gadget calls R12 (that we control, using the previous gadget): GADGET 4: We set R12 to 080081AC, a gadget that copies TTBR0 to R0: This will return to GADGET 3, with R0 = TTBR0. My proposed format is the. Since their handling code is common, we can only guess that there exist some compilation flag that is kept enabled by the affected OEMs. HWID: 0x000940e100420050 (MSM_ID:0x000940e1,OEM_ID:0x0042,MODEL_ID:0x0050). CVE-2017 . To make any use of this mode, users must get hold of OEM-signed programmers, which seem to be publicly available for various such devices. Hold the SHIFT key on the keyboard and right-click on an empty space inside the folder. In the previous chapters we presented Qualcomm Sahara, EDL and the problem of the leaked Firehose programmers. Qualcomm Sahara / Firehose Client (c) B.Kerler 2018-2019. Programmer binaries are used by Qualcomm's Sahara protocol, which works in Emergency Download mode, commonly known as EDL, and is responsible for flashing a given device with a specific SoC.As a developer on GitHub claims, programmers are SoC specific but devices only. No, that requires knowledge of the private signature keys. (Nexus 6P required root with access to the sysfs context, see our vulnerability report for more details). Preparation 1. Of course, the credits go to the respective source. Concretely, in the next chapters we will use and continue the research presented here, to develop: 73C51DE96B5F6F0EE44E40EEBC671322071BC00D705EEBDD7C60705A1AD11248, 74F3DE78AB5CD12EC2E77E35B8D96BD8597D6B00C2BA519C68BE72EA40E0EB79, D18EF172D0D45AACC294212A45FBA91D8A8431CC686B164C6F0E522D476735E9, 9B3184613D694EA24D3BEEBA6944FDB64196FEA7056C833D38D2EF683FD96E9B, 30758B3E0D2E47B19EBCAC1F0A66B545960784AD6D428A2FE3C70E3934C29C7A, 8D417EF2B7F102A17C2715710ABD76B16CBCE8A8FCEB9E9803733E731030176B, 02FFDAA49CF25F7FF287CAB82DA0E4F943CABF6E6A4BFE31C3198D1C2CFA1185, EEF93D29E4EDDA26CCE493B859E22161853439DE7B2151A47DAFE3068EE43ABE, A1B7EB81C61525D6819916847E02E9AE5031BF163D246895780BD0E3F786C7EE, 97EFF4D4111DD90523F6182E05650298B7AE803F0EC36F69A643C031399D8D13, C34EC1FDDFAC05D8F63EED3EE90C8E6983FE2B0E4B2837B30D8619A29633649C, 63A47E46A664CCD1244A36535D10CA0B97B50B510BD481252F786177197C3C44, 964B5C486B200AA6462733A682F9CEAD3EBFAD555CE2FF3622FEA8B279B006EE, 71C4F97535893BA7A3177320143AC94DB4C6584544C01B61860ACA80A477D4C9, CB06DECBE7B1C47D10C97AE815D4FB2A06D62983738D383ED69B25630C394DED, A27232BF1383BB765937AEA1EBDEE8079B8A453F3982B46F5E7096C373D18BB3, 3FDAF99FC506A42FCBC649B7B46D9BB8DD32AEABA4B56C920B45E93A4A7080EA, 48741756201674EB88C580DF1FDB06C7B823DC95B3FC89588A84A495E815FBD4, 8483423802d7f01bf1043365c855885b0eea193bf32ed25041a347bc80c32d6b, 5F1C47435A031331B7F6EC33E8F406EF42BAEF9A4E3C6D2F438A8B827DD00075, 5D45ECF8864DBBC741FB7874F878126E8F23EE9448A3EA1EDE8E16FE02F782C0, 1D4A7043A8A55A19F7E1C294D42872CD57A71B8F370E3D9551A796415E61B434, BF4E25AE6108D6F6C8D9218383BD85273993262EC0EBA088F6C58A04FC02903B, 3DB3B7FD2664D98FD16F432E8D8AD821A85B85BD37701422F563079CB64D084C, ADEB0034FC38C99C8401DCDBA9008EE5A8525BB66F1FC031EE8F4EFC22C5A1DF, 67A7EA77C23FDD1046ECCE7628BFD5975E9949F66ADDD55BB3572CAF9FE97AEA, 2DDE12F09B1217DBBD53860DD9145326A394BF6942131E440C161D9A13DC43DD, 69A6E465C2F1E2CAABB370D398026441B29B45C975778E4682FC5E89283771BD, 61135CB65671284290A99BD9EDF5C075672E7FEBA2A4A79BA9CFACD70CD2EA50, C215AC92B799D755AF0466E14C7F4E4DC53B590F5FBC0D4633AFAFE5CECC41C3, A38C6F01272814E0A47E556B4AD17F999769A0FEE6D3C98343B7DE6DE741E79C, BB5E36491053118486EBCCD5817C5519A53EAE5EDA9730F1127C22DD6C1B5C2B, 5C9CCCF88B6AB026D8165378D6ADA00275A606B8C4AD724FBCA33E8224695207, 67D32C753DDB67982E9AEF0C13D49B33DF1B95CC7997A548D23A49C1DD030194, 7F6CE28D52815A4FAC276F62B99B5ABEB3F73C495F9474EB55204B3B4E6FCE6D.