Introduction

I’m going to share some details of a small project I did for fun about half a year ago, since I don’t think anyone has done this before. The Meta Quest 2 is a VR headset running Android as its base OS. It features a Qualcomm Snapdragon XR2 SoC (in other words, a rebranded Snapdragon SM8150), 6GB LPDDR5 RAM and an Adreno 650 GPU, and it ships with Android 10.

Bootloader unlocking

This is the tricky part: unfortunately the Quest 2 has its bootloader locked, with no official way to unlock it. So how did Windows run on it? If your headset runs a really old firmware (the latest vulnerable version is 29.0.0.65.370.289987413 from May 9 2021), the bootloader can be unlocked using a buffer overflow exploit in fastboot: Bootloader exploit.

Unfortunately I don’t have a Quest 2 running this firmware, so I found a person on the internet who does and who has an unlocked bootloader; big thanks to him for testing the UEFI images.

UEFI bootloader

I used the Mu-Silicium project for porting UEFI to the Quest 2. The porting process wasn’t very difficult, since the Snapdragon 855 SoC is well supported in these kinds of projects and there are various XBL binary patches and ACPI tables from other devices to draw on.

I won’t go into much detail on how I ported everything. Simply put, I got all the information from official Quest 2 firmware downloaded from the internet: the device memory map, binaries, flashing definitions and other parameters were all extracted from a downloadable firmware package.

You can look through my repository here: https://github.com/arminask/Mu-Qcom

Loading an OS

Getting most things to work requires binary patches to different components. Other community members helped and patched the USB binary, allowing the Quest 2’s Type-C port to act in host mode and to provide PD (Power Delivery) to external devices.

With the USB patch done, we now have a way to boot an OS from USB. Installing full Windows would be a long process, because you would probably have to install it on the device storage, which requires patching the UFS binary; that is risky, since a wrong patch can damage the device, and I don’t want to be responsible for someone else’s broken hardware. That’s without even considering that you would have to create partitions for Windows to boot from, meaning editing the device’s GPT partition table. This is dangerous because no one has ever run this kind of custom firmware on this device, so it is undocumented and unexpected things can happen.

Another option is to run Windows PE (Windows Preinstallation Environment). WinPE is a small bootable operating system, basically a heavily stripped-down version of Windows; you can use the ADK tool from Microsoft to create a custom WinPE environment and include the functionality you want.
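As an added example that is not part of the original post, here is the kind of build script the ADK workflow involves: it creates a WinPE working set, mounts boot.wim, adds the optional components needed for PowerShell, commits the image and writes it to a USB drive. The arm64 architecture (a Snapdragon SoC is ARM64), the C:\WinPE_arm64 working directory and the F: drive letter are assumptions; the script expects to run from the ADK’s Deployment and Imaging Tools Environment prompt, which sets WinPERoot and puts copype, Dism and MakeWinPEMedia on the PATH.

```batch
@echo off
REM Added example, not code from the original post: build a custom WinPE image
REM with the Windows ADK (plus the WinPE add-on) and write it to a USB flash drive.
REM Run from the "Deployment and Imaging Tools Environment" prompt so that
REM copype, Dism and MakeWinPEMedia resolve and %WinPERoot% is defined.
REM ARCH, WORKDIR and USBDRIVE are assumptions; adjust them for your setup.
setlocal
set ARCH=arm64
set WORKDIR=C:\WinPE_arm64
set USBDRIVE=F:

REM 1. Create the working set (media folder, mount folder and boot.wim) for the architecture.
call copype %ARCH% %WORKDIR%
if errorlevel 1 goto :fail

REM 2. Mount boot.wim so optional components can be added to it.
Dism /Mount-Image /ImageFile:"%WORKDIR%\media\sources\boot.wim" /Index:1 /MountDir:"%WORKDIR%\mount"
if errorlevel 1 goto :fail

REM 3. Add optional components. PowerShell in WinPE depends on WMI, NetFx and
REM    Scripting, so the packages are added in that order, each followed by its
REM    en-us language pack.
set OCDIR=%WinPERoot%\%ARCH%\WinPE_OCs
for %%P in (WinPE-WMI WinPE-NetFx WinPE-Scripting WinPE-PowerShell) do (
    Dism /Add-Package /Image:"%WORKDIR%\mount" /PackagePath:"%OCDIR%\%%P.cab"
    if errorlevel 1 goto :fail
    Dism /Add-Package /Image:"%WORKDIR%\mount" /PackagePath:"%OCDIR%\en-us\%%P_en-us.cab"
    if errorlevel 1 goto :fail
)

REM 4. Commit the changes and unmount the image.
Dism /Unmount-Image /MountDir:"%WORKDIR%\mount" /Commit
if errorlevel 1 goto :fail

REM 5. Write bootable media. This formats the target drive and asks for
REM    confirmation first; double-check the drive letter before answering.
MakeWinPEMedia /UFD %WORKDIR% %USBDRIVE%
if errorlevel 1 goto :fail

echo WinPE media written to %USBDRIVE%
exit /b 0

:fail
echo Build failed; if boot.wim is still mounted, run:
echo   Dism /Unmount-Image /MountDir:"%WORKDIR%\mount" /Discard
exit /b 1
```

Extra drivers for the target hardware can be injected into the mounted image with Dism /Add-Driver before the unmount step; anything added this way ends up in boot.wim, so the drive written in step 5 carries the whole customised environment.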

After creating bootable WinPE media on a USB flash drive, it was connected to the Quest 2, and here are the results:


Conclusion

Overall this was a very fun project for me. I’m not planning on continuing it, because I don’t have access to a bootloader-unlocked Quest 2; this was more of a proof-of-concept project. This is possibly the first Meta Quest 2 VR headset ever to run Windows PE natively, and I think that’s very cool. Thanks for reading!