Dragon863 / EchoCLI

A python command line tool for rooting your Amazon Echo dot 2nd generation

Can't debrick - DAA_Security_Error (0x7017) #22

Open ESurge opened 2 months ago

ESurge commented 2 months ago

Hi there, great project!

I've been successful at rooting my Echo and currently it's not bricked. However, I wanted to see if I could run the de-brick in case I do something dumb. Maybe trying to de-brick without being bricked is the problem?

Here's where I'm stuck:

ArgHandler - O:Var1: 0x0
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

........Port - Device detected :)
Preloader - CPU: MT8163()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0xb1
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8163
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Preloader - ME_ID: 07752144D4C0F6EA6638D8B0E735EAD0
Preloader
Preloader - [LIB]: Auth file is required. Use --auth option.
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
DaHandler - Using supplied preloader. Skipping exploitation!
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt - Legacy DA2 is patched.
LegacyExt - Legacy DA2 CMD F0 is patched.
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_Security_Error (0x7017)
Preloader
Preloader - [LIB]: Error on uploading da data

---------
I've looked at other issues on this repo, as well as on the mtkclient repo. I've tried USB 2.0/3.0 ports.

I've also tried flashing the OTA package's preloader.img (renamed to preloader.bin) using the EchoCLI restore function. Afterwards, I ran the `mtkclient wl` command without luck.

---------
Lastly, I've tried using the Re LiveDVD v4 iso from the mtkclient repo. This got me a bit further in the process, but resulted in a different error (same command as above, but paths are slightly different):

MTK Flash/Exploit Client V1.57 (c) B.Kerler 2018-2022

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

........... Port - Device detected :)
Preloader - CPU: MT8163()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0xb1
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8163
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Preloader - ME_ID: 07752144D4C0F6EA6638D8B0E735EAD0
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /opt/mtkclient/mtkclient/payloads/mt8163_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.2152.bin
legacyext - Legacy DA2 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 0402a1
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 00000000000000000000000000000000
DALegacy - Uploading stage 2...
DeviceClass
DeviceClass - [LIB]: USB Overflow
DALegacy
DALegacy - [LIB]: Error on sending brom stage 2 :

---------
My Echo Dot Gen 2 uname is:

Linux localhost 3.18.19-gbc74824-dirty #1 SMP PREEMPT Sat Jun 15 01:55:52 UTC 2024 armv7l


OS version is `Fire OS 6.5.6.3 (NS6563/5295)` based on output of the `adb shell` command:

grep version.name /system/*.prop

---------
Please let me know if any additional information is required.

Any help/pointers would be appreciated!

Dragon863 commented 2 months ago

I've never seen this before - maybe an OTA update has fixed the vulnerability in the preloader that mtkclient uses? You are on quite a new version of FireOS. I'd have to do some investigation to see exactly what's causing the issue, and unfortunately I'm away at the moment so I can't currently help you, but thanks for all the info! My initial thoughts are that downgrading the preloader might fix this, but it is possible that anti-rollback would make that problematic.

ESurge commented 2 months ago

I'm not too worried about the debrick but it's definitely something that might happen to others. Thanks again for the project!


Kind of unrelated but interesting: So something strange has happened. I decided to give another go at the rollback of preloader from the 6.5.5.9 archive listed in the debrick instructions. After restoring, the Echo loaded up normally as expected.

Here's where it gets weird. mtkclient was giving me the Disable Watchdog issue like #23 and I was having issues at the handshake point when attempting to re-root. I didn't have this issue yesterday, and now suddenly it's happening?

I decided to do a factory wipe, and restored my account on the Echo. Afterwards, I attempted to root again; nope, stuck at disable watchdog, wrong handshake.

Ok, I lost root, great. However, I still had ADB on the Echo for some reason (non-root access).

I was determined to not give up, and I changed my ground source. I have a soldered enameled wire with a DuPont connector sticking out of the Echo for easier bootrom triggering. Also, I'm using an OTG cable to give dedicated power to the Echo. Yesterday I was sourcing ground from the power cable, but today I was sourcing ground from the same cable plugged into the Echo. This shouldn't have made a difference, but suddenly the handshake/disable watchdog went through and the rooting process was successful.

Unfortunately the debrick still doesn't process but at least I'm back to being rooted. :)

Dragon863 commented 2 months ago

That's at least better news. I wonder if an even older preloader would work? I've not touched this project for a while but I think I falsely assumed that this wasn't patchable. I don't have access to a computer or an echo for at least a week so I'm afraid I can't test anything, but when I get back fixing the debrick is a priority. That is very interesting about the ground source changing the behavior; I've never seen that before. I still use an open echo to create the short, mostly because I don't trust my soldering skills enough! If you did want to try with an even older preloader (the last I used was 6.5.5.5), previous issues should include some OTA links.

ESurge commented 2 months ago

I'll give it a shot and update here on how it goes.

ESurge commented 2 months ago

No dice. I tried 6.5.5.5, 6.5.5.8, 6.5.5.9, 6.5.6.3 (current version), and even tried risking going up to 6.5.6.4.

Afterwards, I had a crazy thought: Why not try letting the Echo update to the newest 6.5.6.4? The Echo has been waiting for an update. So I turned off the cloudfront domain block and prompted to start the update.

A few minutes later, error updating. A reboot, and a second attempt; error again.

The Echo is non-rooted when trying all of this. It looks like my Echo can't be updated in the regular way either.

Dragon863 commented 2 months ago

Is this even with the stock preloader? If so, I have no idea what would be preventing an update. Maybe a factory reset first would help?

ESurge commented 2 months ago

So I rooted, and restored again (just in case). Proceeded with a factory reset (holding the Vol - and Mute buttons for 20 seconds), and set up the device in my account once again.

After all that, I tried to update 2 more times. It worked the 2nd (4th) time.

Good news is, I can still root this version (6.5.6.4).

Semi-bad news, the mtk wl process still returns a DAA_Security_Error when attempting to debrick.

Dragon863 commented 2 months ago

Hi @ESurge ! Sorry for the delayed response. I've just been informed that the issue stems from mtkclient changing the default exploit, you simply need to switch it back by adding --ptype=kamakiri2 to the mtkclient command. Let me know how it goes!

ESurge commented 2 months ago

I fresh cloned MTKClient and checked that the python pip requirements were installed.

I'm running Python 3.10.10 on Windows and Python 3.10.14 on Ubuntu.

Once things were ready to go, I added the --ptype=kamakiri2 parameter and ran mtk wl.

I don't get a DAA_Security_Error error anymore, but instead, I get a [LIB]: USB Overflow error on Ubuntu, and a USBError(5, 'Input/Output Error') on Windows. Both occur after Successfully uploaded stage 2. I tried changing from USB 2.0 to USB 3.0, and I tried with the devices rooted, and also non-rooted by shorting the emmc just enough to start the mtk wl but not long enough that mtkclient doesn't detect the emmc. Additionally, I've tried different computers and different USB cables.

Note: The USB Overflow error now occurs without --ptype=kamakiri2 added as well.

Here is the log:

C:\Echo\OTA_6564>python c:\echo\mtkclient\mtk.py wl . --ptype=kamakiri2 --preloader=c:\echo\mtkclient\mtkclient\Loader\Preloader\preloader_biscuit.bin
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

ArgHandler - O:Var1:            0x0
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

...Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8163
Preloader - Target config:              0x5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      07752144D4C0F6EA6638D8B0E735EAD0
Preloader
Preloader - [LIB]: Auth file is required. Use --auth option.
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\Echo\mtkclient\mtkclient\payloads\mt8163_payload.bin
Port - Device detected :)
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt - Legacy DA2 is patched.
LegacyExt - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 0402a1
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : fe014e50314a39344d1292f280f8843f
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ... EMI-Version 0x10
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 1371
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x20000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DeviceClass - USBError(5, 'Input/Output Error')
Traceback (most recent call last):
  File "C:\Echo\mtkclient\mtk.py", line 1016, in <module>
    main()
  File "C:\Echo\mtkclient\mtk.py", line 1012, in main
    mtk = Main(args).run(parser)
  File "C:\Echo\mtkclient\mtkclient\Library\mtk_main.py", line 662, in run
    mtk = da_handler.configure_da(mtk, preloader)
  File "C:\Echo\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 161, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
  File "C:\Echo\mtkclient\mtkclient\Library\DA\mtk_daloader.py", line 297, in upload_da
    return self.da.upload_da()
  File "C:\Echo\mtkclient\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 755, in upload_da
    if self.upload_da1():
  File "C:\Echo\mtkclient\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 613, in upload_da1
    if self.read_flash_info():
  File "C:\Echo\mtkclient\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 524, in read_flash_info
    pi = PassInfo(self.usbread(0xA))
  File "C:\Echo\mtkclient\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 37, in __init__
    self.ack = sh.bytes()
  File "C:\Echo\mtkclient\mtkclient\Library\utils.py", line 280, in bytes
    return dat[0]
IndexError: index out of range

Side note: I found a used Echo Dot Gen 2, and it was on 5.5.4.8. I managed to update it to 6.5.5.5 (4315) which wasn't listed on the OTA URLs in the XDA thread. The next queued update is the latest 6.5.6.4 so I won't be updating anymore.

The OTA package for 6.5.5.5 is structured differently than the 6.5.5.9 package as described in the debrick instructions. I attempted to do the debrick on this device anyways using the OTA 6.5.5.9 files and I get blocked at the same spot as described above.

Speculation: With the 6.5.5.5 package being a "newer" version, this one is listed as 6.5.5.5 (4315). The two other versions, listed in the XDA thread, are 4310, and 4313. I can't help but wonder if they've blocked the debricking with this "new" version as well. Of course, I can't confirm anything as I haven't had a successful debrick ever.

Dragon863 commented 2 months ago

Thanks for all the info. Honestly I can't imagine Amazon would have intentionally blocked debricking only, and mtkclient's outputs with device info match exactly with working outputs from about a year ago (DAA has always been enabled, but mtkclient used to find no problems with bypassing it). I don't think we can rule out a breaking change in mtkclient, so when I get a chance I'll try to clone an older version and see if that helps. If that doesn't work, then you could well be right about 6.5.5.5, in which case I'll test downgrading the preloader to see if that helps.
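The last comment's triage method (compare the device-info block against a known-good log, then look at how far the DA upload got before it died) can be done mechanically. The script below is an added example written for this page; it is not part of EchoCLI or mtkclient. It parses the `Module - Key: Value` lines mtkclient prints, decodes the `Target config` word, records the last progress marker reached and the first error line, and diffs the device-identity fields of two runs. The two log excerpts are constructed from the output quoted in this issue (values copied, most lines trimmed). The SBC/SLA/DAA bit masks are an assumption that is consistent with config `0x5` printing SBC=True, SLA=False, DAA=True in these logs; the other flags are deliberately not decoded.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed excerpts modelled on the mtkclient output quoted in this issue.
# Field values are copied from those logs; most lines are trimmed for brevity.
LOG_DAA_FAIL = """\
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader - HW code:                    0x8163
Preloader - Target config:              0x5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - [LIB]: Auth file is required. Use --auth option.
DaHandler - Device is protected.
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
Preloader - [LIB]: upload_data failed with error: DAA_Security_Error (0x7017)
"""

LOG_USB_FAIL = """\
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader - HW code:                    0x8163
Preloader - Target config:              0x5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
PLTools - Successfully sent payload: mt8163_payload.bin
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
DALegacy - Got loader sync !
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DeviceClass - USBError(5, 'Input/Output Error')
"""

# "Module - Key:   Value" lines; "[LIB]:" diagnostics are excluded on purpose.
FIELD_RE = re.compile(r"^(?P<src>[A-Za-z_]+) - (?P<key>[^:\[]+?):\s+(?P<val>\S.*?)\s*$")

# Progress markers in the order they appear in the logs quoted in this thread.
STAGES = [
    ("Device detected", "port"),
    ("BROM mode detected", "brom"),
    ("Successfully sent payload", "payload"),
    ("Uploading legacy stage 1", "da1_upload"),
    ("Got loader sync", "da1_running"),
    ("Uploading stage 2", "da2_upload"),
    ("Successfully uploaded stage 2", "da2_uploaded"),
]

# Assumed bit layout of the "Target config" word (consistent with 0x5 above).
TARGET_CONFIG_BITS = {"SBC": 0x1, "SLA": 0x2, "DAA": 0x4}

# Fields that identify the device/firmware and should not change between runs.
DEVICE_KEYS = ("CPU", "HW code", "Target config", "HW subcode", "HW Ver", "SW Ver",
               "SBC enabled", "SLA enabled", "DAA enabled")


def parse_fields(log: str) -> Dict[str, str]:
    """Collect key/value fields from a mtkclient log (last occurrence wins)."""
    fields: Dict[str, str] = {}
    for line in log.splitlines():
        m = FIELD_RE.match(line.lstrip(" ."))  # drop the "......" connect dots
        if m:
            fields[m.group("key").strip()] = m.group("val")
    return fields


def decode_target_config(fields: Dict[str, str]) -> Dict[str, bool]:
    cfg = int(fields["Target config"], 16)
    return {name: bool(cfg & mask) for name, mask in TARGET_CONFIG_BITS.items()}


def flags_consistent(fields: Dict[str, str]) -> bool:
    """Cross-check the printed SBC/SLA/DAA flags against the raw config word."""
    decoded = decode_target_config(fields)
    return all(fields.get(f"{n} enabled") == str(v) for n, v in decoded.items())


def failure_point(log: str) -> Tuple[str, Optional[str]]:
    """Return (last stage reached, first error line) for a session log."""
    stage, error = "none", None
    for line in log.splitlines():
        for marker, name in STAGES:
            if marker in line:
                stage = name
        if error is None and ("[LIB]:" in line or "USBError(" in line) and "error" in line.lower():
            error = line.split(" - ", 1)[-1]
    return stage, error


def classify_error(error: Optional[str]) -> str:
    if not error:
        return "none"
    if "DAA_Security_Error" in error:
        return "daa_security"   # DA rejected by the device: a security check
    if "USB" in error:
        return "usb"            # transport problem after the DA was accepted
    return "other"


def diff_fields(a: Dict[str, str], b: Dict[str, str], keys=None) -> Dict[str, tuple]:
    keys = keys or sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for name, log in (("DAA run", LOG_DAA_FAIL), ("USB run", LOG_USB_FAIL)):
        f = parse_fields(log)
        stage, err = failure_point(log)
        print(name, decode_target_config(f), flags_consistent(f), stage, classify_error(err))
    print("device-field differences:", diff_fields(parse_fields(LOG_DAA_FAIL), parse_fields(LOG_USB_FAIL), DEVICE_KEYS))
```

Run against the two excerpts, the device-identity diff is empty (the same point the last comment makes), while the failure stage moves from `da1_upload` with a `daa_security` error to `da2_uploaded` with a `usb` error after the `--ptype=kamakiri2` change, which separates a security rejection by the device from a transport failure on the host side.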