
My Goal: Extract my phone's stock firmware (specifically the boot/recovery image) during an OTA update from the manufacturer.

Why I Want To: I've been trying to get root access or flash a custom recovery on another phone I recently got. It's a UMX Model U693CL phone provided through Assurance Wireless (Obama-Phone). I've done almost all the troubleshooting and researching within my skill set to figure this out. After no luck with calling the company to find out how/where to download the firmware and finding nothing available on the internet, I've hit a dead end.

Steps I've Taken:

Called Assurance Wireless asking for stock firmware downloads or where to get them...no help. Despite this phone being shipped with bootloader unlocked...they seem very eager to prevent the end-user from utilizing the feature.

Searched personally online to see if anyone has done this before, as well as any forums for Android development...XDA does have threads, however they're regarding the previous UMX model U683CL phone (I have the U693CL).

I've done some of my own troubleshooting and "trial and error" investigating using ADB/Fastboot via my laptop and a secondary Android.

I did read online about using recovery software on a PC to extract firmware... However, the programs mentioned seem to have a high affinity for malicious clones and/or seem too outdated. The most common ones mentioned are "QPST" or some sort of "Qualcomm Recovery Software". After having to restore my laptop multiple times from getting viruses for downloading/installing a few of those programs, I switched my approach.

What I'm REALLY asking:

I'm not asking you to solve this for me. I use these situations as a way to learn. While I do know SOME things, I do like to keep a beginner's mindset/attitude. When you stop learning, you stop growing...the worst attitude to have is one where you've got nothing left to learn.

That said I'd like to first have these questions answered:

  1. While I know packets can be monitored/intercepted/injected/etc...is it possible to do the same for a file that's being uploaded/downloaded?

  2. In that case, could I simply replicate an equivalent MITM attack scenario and adjust some things? For example, identify the file and either "redirect" to be downloaded elsewhere? Or if I proxy traffic through another device...can I "duplicate" the download onto the device hosting the proxy traffic while still sending everything to the original device? And if so...can it be detected? Or noticed?

  3. Do OTA updates actually send the file directly to the device like I'm pulling a file from my Google Drive? Is there encryption involved or tunneling used to prevent someone from altering anything during transit?

  4. Maybe I'm complicating this and overthinking...is there software already that allows me to extract the stock firmware via USB on a PC? Outside of the Qualcomm programs I mentioned, I'm not familiar with any software that's universal. Unfortunately this phone has little support from my research...

I know I could have gotten the same results using 1/4 of the words... I'm hoping to come across as someone who appreciates "the journey" asking for expertise/knowledge and not someone who's lazy and just cares about the result. Thanks #nuc13us

2 Answers


In short what you are trying to do is not possible. Even if you were able to capture an OTA update, you are not getting the entire firmware and you certainly won't be able to get what you need which is boot and recovery partition data. This might be achievable on the new A/B partitioning where OTA updates are downloaded to an "empty" partition but I haven't personally tested this.

QPST (Qualcomm Product Support Tool) is legitimate if you download it from qpsttool.com. Within QPST is QFIL, and it's QFIL that is used to flash firmware onto Qualcomm devices. This phone is Treble compatible, so a stock GSI ROM should work to get recovery.img and boot.img. However, to get TWRP recovery you'll need to port in a version from a similar device using the same or similar specs: SoC=MSM8937 | CPU=QM215 | GPU=Adreno 308. Currently, there are no official or unofficial TWRP recoveries available.

To get GSI firmware [or any other firmware] onto this phone you'll use QFIL within QPST. Plug in the correct EDL programmer (likely prog_emmc_firehose_8937_lite.mbn or prog_emmc_firehose 8937_alc.mbn) and suitable firmware, and that's pretty much it.

If you successfully flashed firmware onto the phone with custom recovery, then you have root access; otherwise, if you flashed firmware with stock recovery, you need to use Magisk Manager to patch boot.img for root. With root you can start flashing different TWRP recoveries that you ported in, and you'll use su commands in adb shell to do this.

Follow the discussion on XDA to add to, or follow for current information as there are not too many developers actively working on rooting this phone.

Androiderz

Some relevant key points (not following your question numbering):

First, you need to determine which type of OTA is implemented in your phone: A/B or non-A/B, because the process and corresponding software are different for these 2 ways. So the next research steps should follow a certain OTA type. By the way, key source files are available through the AOSP repository. However, the app that delivers update.zip from server to phone is usually developed by the OEM.

The recovery image is optional for the A/B (seamless updates) type of Android FW.

Unlike A/B devices that repurpose /boot as the recovery partition, non-A/B devices must keep the /recovery partition separate as they don't have the fallback slot partition (for example, from boot_a to boot_b). 2

Second, OTA can arrive in the form of a full or delta image. Delta is applied on top of the FW the device currently stores on flash.

Third, update.zip includes images only for partitions that the OEM configured for a particular update. This means it may even never include images for boot and recovery if the OEM doesn't have reasons to update them.

For further suggestions, please clarify the OTA type implemented in your phone.

LVitya
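As an added illustration of the second answer's first and third points (this is example code, not from either answerer), the script below inspects an update.zip without flashing it: it tells A/B packages (payload.bin) from non-A/B ones (update-binary) by the AOSP file names and lists which partition images a non-A/B package actually carries, so you can see whether boot or recovery is even present. The sample zips are constructed in memory; a real A/B payload.bin would need its protobuf manifest parsed to list partitions, which is not done here.

```python
import io
import zipfile

# File names that identify the two OTA package layouts (AOSP conventions).
AB_MARKERS = {"payload.bin", "payload_properties.txt"}
NON_AB_MARKERS = {
    "META-INF/com/google/android/update-binary",
    "META-INF/com/google/android/updater-script",
}
# Partition images in non-A/B packages: raw images, block-based
# images (system.new.dat[.br] + transfer.list) and delta patches.
IMAGE_SUFFIXES = (".img", ".img.p", ".new.dat", ".new.dat.br",
                  ".transfer.list", ".patch.dat")


def classify_ota(zip_bytes: bytes) -> dict:
    """Return the package type and the partition images it carries."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
    if AB_MARKERS & names:
        kind = "A/B (payload.bin)"
    elif NON_AB_MARKERS & names:
        kind = "non-A/B (update-binary)"
    else:
        kind = "unknown"
    images = sorted(n for n in names if n.endswith(IMAGE_SUFFIXES))
    # Partition name is the basename before its first dot,
    # e.g. "system.new.dat.br" -> "system", "boot.img" -> "boot".
    partitions = sorted({n.rsplit("/", 1)[-1].split(".", 1)[0]
                         for n in images})
    return {"type": kind, "images": images, "partitions": partitions,
            "has_boot": "boot" in partitions,
            "has_recovery": "recovery" in partitions}


def build_sample_zip(entries) -> bytes:
    """Construct a fake update.zip in memory (sample data, not a real OTA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: a non-A/B package that updates system and boot only
# (no recovery, as the answer warns), and an A/B package.
NON_AB_SAMPLE = build_sample_zip([
    "META-INF/com/google/android/update-binary",
    "META-INF/com/google/android/updater-script",
    "system.new.dat.br", "system.transfer.list", "boot.img",
])
AB_SAMPLE = build_sample_zip(
    ["payload.bin", "payload_properties.txt", "META-INF/com/android/metadata"])
```

Run it against a real package with `classify_ota(open("update.zip", "rb").read())`; an empty partition list for an A/B package only means the images live inside payload.bin.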