Dragon863 / EchoCLI

A python command line tool for rooting your Amazon Echo dot 2nd generation
101 stars 13 forks source link

Almost worked #11

Closed Billybangleballs closed 1 year ago

Billybangleballs commented 1 year ago

python3 main.py

[23:14:43] INFO: Version: 1.0.0

1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit

Select an option: > 1

1: Root or restore
2: Calculate and set fos_flags
3: Exit

Select an option: > 1
[23:14:56] INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg
[23:14:56] INFO: To open the device, you will need a torx 8 screwdriver.
[23:14:56] Waiting for bootrom
[23:17:56] Found port = /dev/ttyACM0
[23:17:56] Handshake
[23:17:56] Disable watchdog
[23:17:56] handshake success!

 * * * Remove the short and press Enter * * *

[23:18:01] Init crypto engine
[23:18:01] Disable caches
[23:18:01] Disable bootrom range checks
[23:18:01] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[23:18:01] Send payload
[23:18:02] Let's rock
[23:18:02] Wait for the payload to come online...
[23:18:03] all good
[23:18:03] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[23:18:21] INFO: Fetching misc partition...
[23:18:21] SUCCESS: Dumped misc.bin from device.
[23:18:21] INFO: Detected that device is using slot B.
[23:18:21] INFO:
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[23:18:28] INFO: Backing up preloader...
[23:18:51] SUCCESS: Dumped preloader.bin from device.
[23:18:51] INFO: Clearing preloader header
[8 / 8]
[23:18:52] INFO: 6.x preloader detected, applying unlock patch
[23:18:52] INFO: Downgrading rpmb header
[23:18:52] INFO: rpmb downgrade ok
[23:18:53] INFO: Backing up lk_b...
[23:19:39] SUCCESS: Dumped lk_b.bin from device.
[23:19:39] SUCCESS: Modified Little Kernel! Flashing back to device now.
[23:19:39] INFO: Data is 1048576 and maximum size is not defined
[2048 / 2048]
[23:20:23] SUCCESS: Done! To finalise the process, return to the previous menu and use fos_flags to gain root via ADB.
Select an option: >
1: Root or restore
2: Calculate and set fos_flags
3: Exit
Select an option: > 2
[23:20:51] INFO: Please only use this option once you have run the rooting process. Press Ctrl+C if you wish to cancel
Do you want to use recommended options? (y/n) > y
[23:21:00] INFO: Setting fos_flags to 0xa3 using fastboot...
[23:21:00] INFO: Please replug your device now, holding the uber (dot) button. When you see a green LED ring, press enter to continue...
[Waiting for enter press...] >
sh: 1: fastboot: not found
[23:24:54] SUCCESS: Successfully set fos_flags! Rebooting...
sh: 1: fastboot: not found
Select an option: >
1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit
[23:30:18] FAIL: Invalid option: Exit. Please ensure option is an integer.
Select an option: > 1

1: Root or restore
2: Calculate and set fos_flags
3: Exit

Select an option: > 2
[23:31:22] INFO: Please only use this option once you have run the rooting process. Press Ctrl+C if you wish to cancel
Do you want to use recommended options? (y/n) > y
[23:31:27] INFO: Setting fos_flags to 0xa3 using fastboot...
[23:31:27] INFO: Please replug your device now, holding the uber (dot) button. When you see a green LED ring, press enter to continue...
[Waiting for enter press...] >
sh: 1: fastboot: not found
[23:32:36] SUCCESS: Successfully set fos_flags! Rebooting...
sh: 1: fastboot: not found
Select an option: >

My original problem was the usb lead, it seems to be a 'charge only' type lead. ;)

I replugged the device with my finger on the uber (dot) button, but a green light never appeared. I tried this twice, but still didn't manage a light of any colour...

Bedtime now anyway, will try and find time next week to continue.

viraniac commented 1 year ago

Good news is your device is rooted.

You have two separate issues there in your setup 1) You don't have fastboot installed. So assuming you are on debian or ubuntu or some derived variant, apt-get install android-tools or apt-get install android-tools-fastboot should do the job. Google on how to install fastboot for your specific distribution

2) As you have rooted your device, it will never boot on its own unless you restore or update it which obviously means no more root. To boot the device while keeping the rooted status, you have to use mtkclient as mentioned in the readme. This includes when trying to setup fos_flags.

So open a new terminal and run mtkclient as mentioned in the readme, keep the dot button pressed and plug the device. Don't leave the dot button until the ring becomes green. Then go back to EchoCLI and choose to setup fos_flags

viraniac commented 1 year ago

@Dragon863 You need to update that readme, I am tired of answering the same thing.

Dragon863 commented 1 year ago

@viraniac I've only just had a chance to read through everything on this thread, thank you SO much for everything. I will definitely update the readme, but unfortunately I'm not in not in a great location to push commits from, I should be able to make the changes on next Monday.

viraniac commented 1 year ago

@Billybangleballs once you get past setting fos_flags and getting into a rooted adb shell, could you please share the output of

strings /dev/block/platform/bootdevice/by-name/userdata | grep http | grep biscuit | sort -u

Billybangleballs commented 1 year ago

@viraniac I will indeed, but it will not be for a few days, as I have a lot to do atm.

Billybangleballs commented 1 year ago

@viraniac I installed android-tools, but I have no clue what to do with them. fastboot requires parameters, as does adb.

I have not managed to build mtkclient as yet, it requires 'unavailable' packages to be present before it will compile. ERROR: Could not find a version that satisfies the requirement shiboken6>=6.4.0.1 ERROR: No matching distribution found for shiboken6>=6.4.0.1

viraniac commented 1 year ago

I installed android-tools, but I have no clue what to do with them.

For setting fos_flags, nothing you have to do with android tools, just they need to be installed on the system. Once you enable fos_flags, you should be able to connect to the device using adb shell to get into a rooted prompt. Then its upto you what you want to do on the echo dot

I have not managed to build mtkclient as yet, it requires 'unavailable' packages to be present before it will compile. ERROR: Could not find a version that satisfies the requirement shiboken6>=6.4.0.1 ERROR: No matching distribution found for shiboken6>=6.4.0.1

Well there is too little information to help you with that. you can try installing the equivalent packages from your distributions package repository. For example apt-get install shiboken2

Billybangleballs commented 1 year ago

I borrowed a computer to run mtkclient on.


[18:17:17]: Kamakiri / DA Run
[18:17:17]: Trying kamakiri2..
[18:17:18]: Done sending payload...
[18:17:18]: Successfully sent payload: /opt/mtkclient/mtkclient/payloads/mt8163_payload.bin
[18:17:18]: Device is protected.
[18:17:18]: Device is in BROM mode. Trying to dump preloader.
[18:17:18]: Uploading legacy da...
[18:17:18]: Uploading legacy stage 1 from MTK_AllInOne_DA_5.2152.bin
[18:17:19]: Got loader sync !
[18:17:19]: Reading nand info
[18:17:19]: NAND_INFO: 0xbc4
[18:17:19]: Reading emmc info
[18:17:19]: EMMC_INFO: 0x0
[18:17:19]: ACK: 0402a1
[18:17:19]: Setting stage 2 config ...
[18:17:19]: DRAM config needed for : 150100464a3235414202e6619040349b
[18:17:19]: Reading dram nand info ...
[18:17:19]: EMI Config not accepted :(```

It has really improved things. A whole new fail for me to not understand.

I still have no green lights, or  fos_flags or fastboots...

Has anyone managed to follow the instructions with success?
viraniac commented 1 year ago

Device is in BROM mode. Trying to dump preloader.

what command did you use? you were suppose to run the following command as mentioned in the readme

mtk plstage --preloader=preloader_no_hdr.bin
Billybangleballs commented 1 year ago

You say these things like you understand what is happening, unfortunately not everyone (me) is that clued up. I wish there was a step by step set of instructions that actually made sense to me and more importantly, just worked. ;)

$ python mtk plstage --preloader=preloader_no_hdr.bin
MTK Flash/Exploit Client V1.57 (c) B.Kerler 2018-2022

Mtk
Mtk - [LIB]: Failed to patch preloader security
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

...........
Port - Device detected :)
Preloader -     CPU:            MT8163()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212c00
Preloader -     Var1:           0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:            0x8163
Preloader - Target config:      0x5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xcb00
Preloader -     SW Ver:         0x1
Preloader - ME_ID:          7BFA006445C2F06AFE6B40D6E95AF701
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /opt/mtkclient/mtkclient/payloads/mt8163_payload.bin
Port - Device detected :)
Main - Connected to device, loading
Main - Using custom preloader : preloader_no_hdr.bin
Mtk - Valid preloader detected.
Mtk
Mtk - [LIB]: Failed to patch preloader security
Main - Sent preloader to 0x201000, length 0x22408
Preloader - Jumping to 0x201000
Preloader - Jumping to 0x201000: ok.
Main - PL Jumped to daaddr 0x201000.
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Port - Device detected :)
Preloader -     CPU:            MT8163()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212c00
Preloader -     Var1:           0xb1
Preloader - Disabling Watchdog...
Traceback (most recent call last):
  File "/opt/mtkclient/mtk", line 740, in <module>
    mtk = Main(args).run()
  File "/opt/mtkclient/mtkclient/Library/mtk_main.py", line 448, in run
    res = mtk.preloader.init()
  File "/opt/mtkclient/mtkclient/Library/mtk_preloader.py", line 192, in init
    self.setreg_disablewatchdogtimer(self.config.hwcode)  # D4
  File "/opt/mtkclient/mtkclient/Library/mtk_preloader.py", line 379, in setreg_disablewatchdogtimer
    res = self.write32(addr, value)
  File "/opt/mtkclient/mtkclient/Library/mtk_preloader.py", line 282, in write32
    return self.write(addr, dwords, 32)
  File "/opt/mtkclient/mtkclient/Library/mtk_preloader.py", line 260, in write
    if status > 0xFF:
TypeError: '>' not supported between instances of 'list' and 'int'
viraniac commented 1 year ago

You say these things like you understand what is happening, unfortunately not everyone (me) is that clued up.

I do and I understand that you probably don't. But trust me I am not trying to be rude, just am not a native english speaker. Also I am not getting paid to do this, I am doing it because I want to help you. Documentation written by developers generally are not that good. There can be a wide gap between what the developer considers to be common knowledge, what a common person understands. But then the project is opensource and same things were answered to other users. None of those users came back to update the documentation. Writing or updating documentation is the most boring job for a developer and even if its done, it will still have gap with a common person understanding. Whats needed is for a common person to raise a pull request with the updated documentation.

So lets ride this out and may be in return of getting your device unlocked, may be you can open a PR with the README updated to how you see it should have been.

File "/opt/mtkclient/mtkclient/Library/mtk_preloader.py", line 260, in write if status > 0xFF:

This is interesting. The line number reported here is different than what I see on mtkclient repository

Could you please make sure you are using the updated version of the same. Either do a git clone, or use the download zip option present in the green code dropdown.

Billybangleballs commented 1 year ago

There is a problem. I have borrowed a computer, which I do not have access to the underlying operating system to. I downloaded the https://www.androidfilehost.com/?fid=15664248565197184488 which is linked to on the page https://github.com/bkerler/mtkclient So I have a 'live' os with mtkclient on a thumb drive, that I can run on this borrowed computer without breaking anything. Once they issue an updated version of this 'live' os, I will be sure to download it.

I have five computers, all of which use less power than a normal light bulb because they have an arm cpu. Like all the phones and amazon echos. What I don't have is a pc or a mac, or other power hungry, last century, type computer. This is why I have had to borrow one. I'm also very old and have my original sinclair spectrum, and my first ibm pc with cassette tape interface, stashed under my bed in case I need them. I think the whole project should start with a 'hardware requirements' list. I saw the write up on hackaday and dived right in, not realising that I would need extra hardware above my amazon dot and my raspberry pi4. I am really grateful for the assistance you have provided, but I wish you would assume zero knowledge on my part when dispensing your help. You are obviously way ahead of me in your comprehension of these new fangled android things, because I don't even have a telephone.

So has anyone got as far as the green lights, using the documentation and software in this repository? Is there a way of rewinding what I have already done, so that Alexa can tell me she is having trouble connecting to the Internet? Then I could start again and follow the instructions to the letter and see if my result changes.

Billybangleballs commented 1 year ago

To anyone like me attempting this project, the first thing you need is a DATA cable to the Echo Dot. The one it comes with is POWER only, and you can spend all day trying to short out a capacitor and still get nowhere. You also require a PC or a MAC because mtkclient is not available on modern low power hardware.

viraniac commented 1 year ago

I'm also very old and have my original sinclair spectrum, and my first ibm pc with cassette tape interface, stashed under my bed in case I need them.

Thats so cool.

I would need extra hardware above my amazon dot and my raspberry pi4.

I think you should be able to install mtkclient on rpi4 as well. IIRC last time you tried you had issues installing dependencies for mtkclient on your pi4.

Could you please try using pip install --no-binary -r requirements.txt to install the dependencies?

Is there a way of rewinding what I have already done, so that Alexa can tell me she is having trouble connecting to the Internet?

You can use the restore option i.e. run EchoCli then press 1 to choose rooting tools, press 1 again and then when prompted enter restore instead of root. That will bring back your echo dot assuming the files that were backed up is present in EchoCli directory. I am saying this as I think you have done this on multiple computers. So I am not sure which computer has your files. You can run git status and if it shows files in some backup directory then thats where you can run restore

viraniac commented 1 year ago

So has anyone got as far as the green lights, using the documentation and software in this repository?

Yeah, one user found a lot of bugs, raised PRs to fix them and also had his echo rooted. Can't tell about others as I am not aware about how many people actually tried this tool

Billybangleballs commented 1 year ago

That didn't work either ;)

:~/mtkclient $ pip install --no-binary -r requirements.txt
Traceback (most recent call last):
  File "/usr/bin/pip", line 33, in <module>
    sys.exit(load_entry_point('pip==20.3.4', 'console_scripts', 'pip')())
  File "/usr/lib/python3/dist-packages/pip/_internal/cli/main.py", line 75, in main
    return command.main(cmd_args)
  File "/usr/lib/python3/dist-packages/pip/_internal/cli/base_command.py", line 116, in main
    return self._main(args)
  File "/usr/lib/python3/dist-packages/pip/_internal/cli/base_command.py", line 130, in _main
    options, args = self.parse_args(args)
  File "/usr/lib/python3/dist-packages/pip/_internal/cli/base_command.py", line 110, in parse_args
    return self.parser.parse_args(args)
  File "/usr/lib/python3.9/optparse.py", line 1387, in parse_args
    stop = self._process_args(largs, rargs, values)
  File "/usr/lib/python3.9/optparse.py", line 1427, in _process_args
    self._process_long_opt(rargs, values)
  File "/usr/lib/python3.9/optparse.py", line 1501, in _process_long_opt
    option.process(opt, value, values, self)
  File "/usr/lib/python3.9/optparse.py", line 784, in process
    return self.take_action(
  File "/usr/lib/python3.9/optparse.py", line 805, in take_action
    self.callback(self, opt, value, parser, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/pip/_internal/cli/cmdoptions.py", line 456, in _handle_no_binary
    FormatControl.handle_mutual_excludes(
  File "/usr/lib/python3/dist-packages/pip/_internal/models/format_control.py", line 55, in handle_mutual_excludes
    raise CommandError(
pip._internal.exceptions.CommandError: --no-binary / --only-binary option requires 1 argument.
viraniac commented 1 year ago

ok, let me give that a try and come back to you

viraniac commented 1 year ago

Alright, Tried on vim1s (arm cortex a35). The command is still running, but you should be able to install dependencies using

pip install --no-binary ":all:" -r requirements.txt

if it complains about system being externally managed run

pip install --no-binary ":all:" --break-system-packages -r requirements.txt

It can take a lot of time as it has to compile a lot of c code.

viraniac commented 1 year ago

It failed for shiboken6, let me find an alternative for that

viraniac commented 1 year ago

Steps to make mtkclient working on Arm 1) Edit requirements.txt file and remove shiboken6 and pyside6. I can;t find shiboken6 used anywhere and pyside6 is only used for generating translations for documentation from some shell scripts. 2) Run pip install -r requirements.txt or pip install --break-system-packages -r requirements.txt depending on whether first command complains about it being externally managed or not

Nothing to do any more. Now you can run mtkcient from where you cloned it.

Billybangleballs commented 1 year ago

You are correct, it ran with the missing requirements, but it was less successful than the 'live' version in the results obtained. Anyway I have more things to play with now, but it is already bedtime. I will take this up again at a later date.

@viraniac Thanks very much for your valuable assistance.

:~/EchoCLI $ python ../mtkclient/mtk plstage --preloader=preloader_no_hdr.bin
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

..........DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
....

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
.....

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

^CTraceback (most recent call last):
  File "/home/wonko/EchoCLI/../mtkclient/mtk", line 855, in <module>
    mtk = Main(args).run(parser)
  File "/home/wonko/mtkclient/mtkclient/Library/mtk_main.py", line 471, in run
    if mtk.preloader.init():
  File "/home/wonko/mtkclient/mtkclient/Library/mtk_preloader.py", line 153, in init
    res = self.mtk.port.handshake(maxtries=maxtries)
  File "/home/wonko/mtkclient/mtkclient/Library/Port.py", line 99, in handshake
    time.sleep(0.3)
KeyboardInterrupt
viraniac commented 1 year ago

try running with sudo

Billybangleballs commented 1 year ago

That improved things, but I must go to bed now. I'll take another look tomorrow if I get time.

:~/EchoCLI $ sudo python3 ../mtkclient/mtk plstage --preloader=preloader_no_hdr.bin
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

.Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8163
Preloader - Target config:              0x5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      7BFA006445C2F06AFE6B40D6E95AF701
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/wonko/mtkclient/mtkclient/payloads/mt8163_payload.bin
Port - Device detected :)
Main - Connected to device, loading
Main - Using custom preloader : preloader_no_hdr.bin
Mtk - Valid preloader detected.
Mtk - Patched "Patched loader msg" in preloader
Main - Sent preloader to 0x201000, length 0x22408
Preloader - Jumping to 0x201000
Preloader - Jumping to 0x201000: ok.
Main - PL Jumped to daaddr 0x201000.
Main - Keep pressed power button to boot.
:~/EchoCLI $
viraniac commented 1 year ago

Thats exactly the output you were looking for. Your echo dot would now have been booted completely. If you had kept the dot button pressed while running this command and even after its finished, echo dot will eventually turn its ring to green. Once that happens, you can let go of the dot button. You can then set fos_flags using EchoCli > Option1 > Option2> probably just go ahead with default combination. Once that is done, you will be able to connect to echo dot and will be greeted by a root shell by running adb shell

Billybangleballs commented 1 year ago

Well I held that button until my finger went numb and it didn't boot, nor did I get a green light. I then tried to undo all that had been done, to see if I could get it back to the way it was. So I figured out which computer held the dump backups and ran EchoCLI, but this time selected restore. A few seconds later I had a working Echo Dot again. :) I am going to start from scratch at the weekend and work through the readme files, to make sure I do everything as documented, this time I hope to get a root shell.

One comment I do have, is the menuing system in EchoCLI, 'Select an option:', should immediately follow the list of options every time, and not require scrolling back 4 or 5 pages looking for the list of options you have to select from sometimes.

Until the weekend ;)

viraniac commented 1 year ago

Well I held that button until my finger went numb and it didn't boot, nor did I get a green light.

did you ran mtk command while you were keeping it pressed?

viraniac commented 1 year ago

Also next time when you will try rooting again, could you please share the output of EchoCli?

Dragon863 commented 1 year ago

@Billybangleballs did you make any progress on this issue? I have also updated the menus with your suggested improvement, thank you for the suggestion

Billybangleballs commented 1 year ago

@Dragon863 I've not had time Daniel, I'll see if I can find time to try it this evening or tomorrow.

Billybangleballs commented 1 year ago

I started afresh, and after almost getting there last week, I had 'restored' it to working normally. This week, it refuses to play ball, my suspicion is that the restored echo dot is somehow different now, because it complains of a wrong handshake response.

I tried several times with identical results.

[11:18:02] INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg
[11:18:02] INFO: To open the device, you will need a torx 8 screwdriver.
[11:18:02] Waiting for bootrom
[11:18:12] Found port = /dev/ttyACM0
[11:18:12] Handshake
[11:18:12] Disable watchdog
[11:18:17] wrong handshake response, probably in preloader
[11:18:17] Waiting for bootrom

Additionally, the echo dot no is no longer working normally and I cannot 'restore' it.

Dragon863 commented 1 year ago

I'm not sure if I'm understanding correctly, but I don't see why it would go from working normally to not functioning without you rooting it. If you restored the echo, it would be back in an unmodified state and would boot without a computer, the output you are showing is the usual result if you have not shorted the flash chip and are trying to root it from that unmodified state. At what point did it stop working normally?

Billybangleballs commented 1 year ago

It did boot without a computer after I restored it, now, after attempting to root it and getting "wrong handshake", it will not boot at all. (Update: it now appears to be booting normally again. I will attempt to root it again.)

Billybangleballs commented 1 year ago

I tried again with a different pi, this time I got this far.


wonko@pitwo:~/EchoCLI $ python main.py
[13:38:53] INFO: Version: 1.0.0

1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit

Select an option: > 1

1: Root or restore
2: Calculate and set fos_flags
3: Exit

Select an option: > 1
[13:39:12] INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg
[13:39:12] INFO: To open the device, you will need a torx 8 screwdriver.
[13:39:12] Waiting for bootrom
[13:39:22] Found port = /dev/ttyACM0
[13:39:22] Handshake
[13:39:22] Disable watchdog
[13:39:22] handshake success!

 * * * Remove the short and press Enter * * *

[13:39:25] Init crypto engine
[13:39:25] Disable caches
[13:39:25] Disable bootrom range checks
[13:39:25] Load payload from brom-payload/build/payload.bin = 0x48A0 bytes
[13:39:25] Send payload
[13:39:32] Let's rock
[13:39:32] Wait for the payload to come online...
[13:39:32] all good
[13:39:32] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[13:39:40] INFO: Fetching misc partition...
[13:39:40] SUCCESS: Dumped misc.bin from device.
[13:39:40] INFO: Detected that device is using slot B.
[13:39:41] INFO:
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[13:39:49] INFO: Backing up preloader...
[13:40:20] SUCCESS: Dumped preloader.bin from device.
[13:40:20] INFO: Clearing preloader header
[8 / 8]
[13:40:21] INFO: 6.x preloader detected, applying unlock patch
[13:40:21] INFO: Downgrading rpmb header
[13:40:22] INFO: rpmb downgrade ok
[13:40:22] INFO: Backing up lk_b...
[13:41:26] SUCCESS: Dumped lk_b.bin from device.
[13:41:26] SUCCESS: Modified Little Kernel! Flashing back to device now.
[13:41:26] INFO: Data is 1048576 and maximum size is not defined
[2048 / 2048]
[13:42:15] SUCCESS: Done! To finalise the process, return to the previous menu and use fos_flags to gain root via ADB.
Select an option: >
1: Root or restore
2: Calculate and set fos_flags
3: Exit
[13:42:35] FAIL: Invalid option: Exit. Please ensure option is an integer.
Select an option: > 2
[13:42:42] INFO: Please only use this option once you have run the rooting process. Press Ctrl+C if you wish to cancel
Do you want to use recommended options? (y/n) > y
[13:42:46] INFO: Setting fos_flags to 0xa3 using fastboot...
[13:42:46] INFO: Please replug your device now and run the mtkclient command in the README in another terminal whilst holding the uber (dot) button. When you see a green LED ring, press enter to continue...
[Waiting for enter press...] >

I then ran python ../mtkclient/mtk plstage --preloader=preloader_no_hdr.bin and it all went pear shaped again.

root@pitwo:/home/wonko/mtkclient# python mtk plstage --preloader=preloader_no_hdr.bin
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8163
Preloader - Target config:              0x5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      7BFA006445C2F06AFE6B40D6E95AF701
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/wonko/mtkclient/mtkclient/payloads/mt8163_payload.bin
Port - Device detected :)
Main - Connected to device, loading
Main - Using custom preloader : preloader_no_hdr.bin
Mtk - Valid preloader detected.
Mtk - Patched "Patched loader msg" in preloader
Main - Sent preloader to 0x201000, length 0x22408
Preloader - Jumping to 0x201000
Preloader - Jumping to 0x201000: ok.
Main - PL Jumped to daaddr 0x201000.
Main - Keep pressed power button to boot.
root@pitwo:/home/wonko/mtkclient#

For some reason mtk doesn't work unless I run it as root.

sh: 1: fastboot: not found
[14:06:40] SUCCESS: Successfully set fos_flags, your device is now rooted! Your echo will shut down, and you will be able to boot it using the mtkclient command in the README
sh: 1: fastboot: not found

1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit

Select an option: >

No green light. What the readme says, and reality diverge at this point, and it is where I got to last week. I am missing an important, undocumented step somewhere.

Dragon863 commented 1 year ago

The process you described seems correct, and there shouldn't be any extra steps. When you held the dot/uber button whilst running the mtkclient command, what happened? The output of your mtkclient command is what I would have expected. Did you get a light of any colour (there should be a blue ring if it doesn't go green)? I'm also confused by the sh: 1: fastboot: not found message, do you definitely have android-tools installed on that computer?

Billybangleballs commented 1 year ago

do you definitely have android-tools installed on that computer? I do now, although I cannot find the bit where it says to install android tools in the readme. I tried to restart the process after I had installed android tools, and although the mtk command ran OK, the EchoCLI didn't see what it needed.

root@pitwo:/home/wonko/mtkclient# python mtk plstage --preloader=preloader_no_hdr.bin
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

.Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8163
Preloader - Target config:              0x5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      7BFA006445C2F06AFE6B40D6E95AF701
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/wonko/mtkclient/mtkclient/payloads/mt8163_payload.bin
Port - Device detected :)
Main - Connected to device, loading
Main - Using custom preloader : preloader_no_hdr.bin
Mtk - Valid preloader detected.
Mtk - Patched "Patched loader msg" in preloader
Main - Sent preloader to 0x201000, length 0x22408
Preloader - Jumping to 0x201000
Preloader - Jumping to 0x201000: ok.
Main - PL Jumped to daaddr 0x201000.
Main - Keep pressed power button to boot.
root@pitwo:/home/wonko/mtkclient#
wonko@pitwo:~/EchoCLI $ python main.py
[14:17:54] INFO: Version: 1.0.0

1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit

Select an option: > 1

1: Root or restore
2: Calculate and set fos_flags
3: Exit

Select an option: > 2
[14:18:03] INFO: Please only use this option once you have run the rooting process. Press Ctrl+C if you wish to cancel
Do you want to use recommended options? (y/n) > y
[14:18:06] INFO: Setting fos_flags to 0xa3 using fastboot...
[14:18:06] INFO: Please replug your device now and run the mtkclient command in the README in another terminal whilst holding the uber (dot) button. When you see a green LED ring, press enter to continue...
[Waiting for enter press...] >
< waiting for any device >
Dragon863 commented 1 year ago

Sorry to ask the same question, but what do you see after running the mtkclient command? Does the LED ring turn on?

Billybangleballs commented 1 year ago

No, the led ring does not turn on

Dragon863 commented 1 year ago

If the echo works correctly when restored but won't boot with mtkclient, my best guess is that this is an issue with how the LK is being patched, and I'm afraid I can't give you an exact answer without the UART output. Would you mind taking a look at the patcher @viraniac ? I had a read through your modified code and I couldn't see any potential issues, and considering that it has worked for someone else I don't see why it wouldn't work, but I might be missing something. Could it be the modified preloader that is the problem?

Billybangleballs commented 1 year ago

I have just bought another echo dot off ebay, so I can have two to compare.

Also, I found the bit of menu that was confusing. After "SUCCESS: Done! To finalise the process, return to the previous menu and use fos_flags to gain root via ADB.", it then says, "Select an option: >" , but the only way to see the options is to scroll up and look for them, and none of the options are, "return to the previous menu", when you've scrolled back to find them.

I'm going to 'restore' when I've had tea, and see if I can get Alexa back!

I think you should have a step by step for idiots like me, so then there is no excuse for not having adb and fastboot installed for when they are needed. It's probably obvious when you play android hacking everyday, but some of us are just n00bs and need it spelling out blow by blow.

Thanks for your time.

viraniac commented 1 year ago

@Billybangleballs Would you be able to share a video of you booting echodot with mtkclient while keeping the dot button pressed? Make sure your screen and echo dot is visible

viraniac commented 1 year ago

@Dragon863 Probably you can create a video tutorial showing all the steps and post on youtube.

Billybangleballs commented 1 year ago

@viraniac I have no way of making videos, but there are no leds, my finger never leaves the 'uber' button, and the output of mtk is documented above.

viraniac commented 1 year ago

@Billybangleballs I asked for the video to see when you press the button and how long you keep it pressed while running mtkclient. Sadly we have reached a point where atleast I can not help you further without seeing the process that you are following with my own eyes.

Do you or someone in your family have a mobile with a camera? if yes, then they can help record a video while you try to boot the echo dot gen2. You don't need to be in the frame. All we need to see is screen, echo dot and your finger pressing the uber button

Dragon863 commented 1 year ago

@Dragon863 Probably you can create a video tutorial showing all the steps and post on youtube.

Thanks for the suggestion, but I'd rather not make a video. I will probably make a separate markdown guide on this repository to walk people through the process and link it in the readme. It might not be today that I upload it, but I will try to get one out soon.

@Billybangleballs sorry for the confusion on adb and fastboot, I completely forgot to mention that in the readme. I'm quite new to a lot of this myself, so having people give feedback is very useful to me. I will try to improve the menu as you said.

viraniac commented 1 year ago

@Dragon863 BTW, Do you remember from our conversation on xda about potential of untethered exploit for echo dot and how it was not possible because of boot image header verification? I mentioned then that firetvstick 3rd gen also does the same yet still it got cracked and if we can get the source code for it we will be able to probably crack echo dot.

Well, I was able to get hold of Chaosmaster and he has uploaded the source code for the same. You can try porting it to Echo dot. I am busy with some other things at the moment, and might not be able to give this a try for couple of weeks myself.

Dragon863 commented 1 year ago

That is great news, thank you! I will take a look. I'm quite busy myself, but I really appreciate that, and I'll definitely try to look at porting it

Billybangleballs commented 1 year ago

@viraniac I run python mtk plstage --preloader=preloader_no_hdr.bin

MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Then I press the button before I replug the echo dot. The mtkclient sees the echo dot and outputs

Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8163
Preloader - Target config:              0x5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      7BFA006445C2F06AFE6B40D6E95AF701
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/wonko/mtkclient/mtkclient/payloads/mt8163_payload.bin
Port - Device detected :)
Main - Connected to device, loading
Main - Using custom preloader : preloader_no_hdr.bin
Mtk - Valid preloader detected.
Mtk - Patched "Patched loader msg" in preloader
Main - Sent preloader to 0x201000, length 0x22408
Preloader - Jumping to 0x201000
Preloader - Jumping to 0x201000: ok.
Main - PL Jumped to daaddr 0x201000.
Main - Keep pressed power button to boot.

At this point I am still pressing the button, and no lights appear of any colour. Eventually I get bored of holding the button, but I'm pretty sure if something was going to happen, it had plenty of time in which to happen.

I wish I could make a video for you, but I don't have a mobile phone, or any phone for that matter. I live alone and keep all of my gold under my bed, rather than spend it on a telephone that would only get calls from scammers and telemarketers. ;)

Billybangleballs commented 1 year ago

@viraniac It occurs to me that mtkclient might actually need PySide6 and shiboken6 to work correctly. I am working on the assumption that you know what you are doing, because I certainly don't have a clue, I'm just following instructions.

Dragon863 commented 1 year ago

Those requirements are only for running mtk_gui, a separate part of mtkclient that we don't require here as we are using the command line part.

Billybangleballs commented 1 year ago

@Dragon863 I defer to your greater knowledge on this matter.

[13:39:12] Waiting for bootrom
[13:39:22] Found port = /dev/ttyACM0
[13:39:22] Handshake
[13:39:22] Disable watchdog
[13:39:22] handshake success!
[13:39:25] Init crypto engine
[13:39:25] Disable caches
[13:39:25] Disable bootrom range checks
[13:39:25] Load payload from brom-payload/build/payload.bin = 0x48A0 bytes
[13:39:25] Send payload
[13:39:32] Let's rock
[13:39:32] Wait for the payload to come online...
[13:39:32] all good
[13:39:32] Check GPT

You can have more verbose logging if that will help.

Also,

cd lk-payload
make
cd ..

cd microloader
make
cd ..

cd brom-payload
make
cd ..

in EchoCLI/internal/amonet/setup.sh

I only have a brom-payload, the other make targets are nowhere to be found.