TWRP port for MC Smart

[ihrapsa]

Hey, I'm working on the MC3 (Monsieur Cuisine Smart) version but I'm having trouble porting a fully working twrp recovery file. I managed to create one, it boots into it but the touchscreen is 90deg rotated, partition table is messed up (showing 0MB everywhere) AND adb does not work (even though the log shows that MTP is enabled)

I was curious how you managed to port the twrp to the MCC.

Thank you!!

[EliasKotlyar]

hello @ihrapsa ,

I cannot tell you the exact process, as it has been 5 years. I remember that the TWRP is pretty easy to build as long as you have the Scatter-File. Most of informations (devices, partitions) can be found there. I would suggest starting with that. If you dont have the scatter file, you should get one using WWR-Tool. One important thing which i remember: To run correctly, the TWRP should be build with the exact same Android Version as on the device. With other Android Versions, the build went trough but it had a lot of bugs.

[ihrapsa]

hello @ihrapsa ,

I cannot tell you the exact process, as it has been 5 years. I remember that the TWRP is pretty easy to build as long as you have the Scatter-File. Most of informations (devices, partitions) can be found there. I would suggest starting with that. If you dont have the scatter file, you should get one using WWR-Tool. One important thing which i remember: To run correctly, the TWRP should be build with the exact same Android Version as on the device. With other Android Versions, the build went trough but it had a lot of bugs.

Hey, thanks for the quick reply! I do have a scatter file created thanks to your guide/links to WWR-Tool! I managed to get a partially working twrp by using an automated script from Hovatek (v1.4). The MC3 shows to be on Android 8.1 but only the 8.1 go version worked. I'm trying to learn how to manually port twrp but the guides online are everywhere and nowhere 😅 and this chip the MC3 is running on (MT8167) is pretty rare.

Any clue on why adb might not work once in twrp? I managed to get it in fastboot somehow and that works, but can't do much with that (need volume buttons to confirm bootloader unlock).

[EliasKotlyar]

You can try sending some key events using ADB. Something like "adb shell input keyevent 123" should work.

ADB needs working USB-Drivers, else it wont work. You might need to reconfigure them. I would suggest trying to different configurations on your device and compare the results. Usually try and error works best, as there is no perfect recipe available for every custom problem.

[ihrapsa]

I'm using linux and I have no issue using adb on my other android device. The dmesg log only shows the preloader connection and then disconnection messages, but once in twrp it stays disconnected. I just managed to fix the fstab issue, but the adb problem persists. Editing the prop.default file doesn't seem to have any effect.

This is the dmesg log when booting the device:

[16960.970017] usb 3-3: new high-speed USB device number 84 using xhci_hcd
[16961.118941] usb 3-3: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[16961.118956] usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[16961.118961] usb 3-3: Product: MT65xx Preloader
[16961.118964] usb 3-3: Manufacturer: MediaTek
[16961.141245] cdc_acm 3-3:1.0: Zero length descriptor references
[16961.141255] cdc_acm: probe of 3-3:1.0 failed with error -22
[16961.221523] cdc_acm 3-3:1.1: ttyACM0: USB ACM device
[16963.770238] usb 3-3: USB disconnect, device number 84

Here is the stock prop.default file unedited: prop.default.zip

I've tried adding/changing the following:

ro.secure=0
security.perf_harden=0
ro.adb.secure=0
ro.debuggable=1
persist.sys.usb.config=adb,mtp
sys.usb.config=adb,mtp

Tried also commenting some other lines related to "charge only function" but still no result.

Here is the prop.default file with the abot changes: edited_prop.default.zip

[majki09]

Hi @ihrapsa. I also have MC Smart and trying to do what @EliasKotlyar achieved on his MC Connect. The thing is we have different MTK processors in both devices. And this is only first difference. Anyway, I'm still trying.

Can you please share your scatter file for MTK8167? I have generated mine with WWR-Tool, but to be more safe I want to compare it with yours and, in the end we could choose one that is 100% correct and working. I've generated TWRP according to Hovatek's script, but when I want to flash it SPFT says that "PMT changed..." and tells me to format whole memory... Which I want to avoid, even if I have already dumped all 16GB. Also, if it would not be a problem, please share also your TWRP image.

We can join efforts to hack MC Smart if you don't mind.

@EliasKotlyar do you want to have also "Smart" variant in this repo or you want us to have separate repo for Smart?

Thanks!

[ihrapsa]

Hi, @majki09! Here are the scatter file and the partially working twrp image:

MT8167_Android_scatter_MC3_jonah1024.txt twrp_MC3_no_adb.zip

Make sure you back up the boot partition before flashing the twrp recovery image on it!!! I've currently reached a dead end so any help from more experienced people would really be apreciated.

Jonah

[depau]

Hi! Using @ihrapsa's TWRP I was able to root the device. While ADB doesn't work, it's entirely possible to flash the cache partition from the bootloader, then using TWRP copy the files from there to /sdcard. You can then access the settings by following these instructions, go to storage then tap files to open the file manager and install any app.

I recommend installing this app first (it adds a floating back button, which is very handy) - download it on another device and extract the APK from there, then this one to make it easier to upload files over wi-fi, and Kitsune Mask (magisk fork) to install magisk, as well as a launcher of your choice.

To install Magisk I pushed the app and the boot.img file to the device, I patched it on the device, then I downloaded the patched boot image using the HTTP server app and flashed it with SPFlashTool.

I'm trying to find a way to enable the system UI via a magisk module.

[depau]

I haven't managed to enable the system navbar since anything I try makes the system bootloop. However, this app seems to work very well! I also haven't managed to enable ADB, but SSH in Termux+root works just as well.

So these are my full steps, which require a Linux system in order to mount an ext4 filesystem:

1. Download the scatter file and TWRP from https://github.com/EliasKotlyar/Monsieur-Cuisine-Connect-Hack/issues/38#issuecomment-1605329093
2. Using SPFlashTool v5, backup all partitions; to do that:
   1. Open the scatter file in a text editor to be able to copy the parameters
   2. In the SPFlashTool in the download tab, select the scatter file
   3. Go to the "Readback" tab
   4. For each of (at least) the following partitions listed in the scatter file: boot, recovery, cache (optional but also recommended to backup: system, vendor, lk, lk2, nvram)
      1. Press "Add"
      2. Save as the filename as reported in the scatter file in the file_name field, or the partition name if not specified
      3. Enter the value of linear_start_addr as the start address and the value of partition_size in the length field
   5. Connect the USB cable with the bot powered off; press "Read Back" and power it on; it should start dumping the partitions
3. Create a backup of cache.img in case you need it later: cp cache.img cache.img.bak
4. Using another Android device, download the following apps and send them over to your PC using, for instance, SuperBeam:
   • Nav bar: https://play.google.com/store/apps/details?id=nu.nav.bar
   • HTTP server (recommended): https://play.google.com/store/apps/details?id=slowscript.httpfileserver
5. Additionally download:
   • Magisk: https://github.com/HuskyDG/magisk-files
   • Lawnchair or another launcher of choice: https://lawnchair.app/
   • F-Droid (recommended): https://f-droid.org/
   • F-Droid privileged extension for Magisk (recommended): https://github.com/entr0pia/Fdroid-Priv/releases
6. Mount the cache partition: sudo mount cache.img /mnt
7. Copy all the downloaded apps, as well as boot.img to /mnt
8. sudo umount /mnt
9. In SPFlashTool, flash the cache partition as well as TWRP
   1. Go back to the Download tab
   2. Double click boot and select the TWRP image, after extracting the ZIP
   3. Double click cache and select cache.img
   4. Hit download and power-cycle the bot
10. When done, power cycle the bot to boot into TWRP. You'll know it's working if the Monsieur Cuisine logo shows up for ~1s, then the screen goes black for some time. It will take a roughly minute to start. If it doesn't start within two minutes, try power cycling or reflashing TWRP.
11. When TWRP starts, the screen will appear rotated 90° (portrait, sideways) but the touch screen will work in the normal orientation (landscape). It's gonna be fun
12. Figure out how to unlock the screen; select Advanced > File manager > Cache
13. Select each file and copy it to /sdcard
14. In SPFlashTool, uncheck cache, then double click boot and select the boot.img you backed up. Hit "Download".
15. In TWRP, go back home and tap Reboot > System
16. The tool should flash back the original kernel; when done, power cycle and wait for it to boot.
17. Follow these instructions to open the settings app
18. Go to "Storage" then press "Files"; the file manager should open
19. Install the "Nav Bar" app first, open it and configure it. If you get stuck before the navbar is functional, power cycle
20. Install all the other apps. It's safe (and recommended) to set the launcher as the default home app if the system asks you.
21. Open Kitsune Mask Manager and click Install. Enable the checkbox to keep AVB/dm-verity, then choose the "select and patch file" method and open the boot.img you copied earlier.
22. When done it should create a new file in the Downloads folder. Use the HTTP server app to download it to your computer.
23. In SPFlashTool, double click boot and select the file you just downloaded. Power cycle the device to flash it and, after a few reboots, Magisk should be installed and root should be available. You can use F-Droid to install other apps, and the Aurora Store (available in F-Droid) to install Play Store apps.

[depau]

About ADB: it doesn't look like it wants to work over USB. However, using this magisk module + a patch, you can permanently enable it over Wi-Fi: https://github.com/Mygod/debuggable.prop

This is my patched module: debuggable-prop.zip

This enables using scrcpy among all other things.

[ihrapsa]

Wow, this is great 😮 ! Thank you very much for the thorough guide. I'll definitely get back to this soon.

[baldarn]

@depau great work! whit this mod, is the original software running?

If everything is working fine, I would like to write an integration for home assistant and get info of the robot ;)

[depau]

@baldarn yes: https://youtu.be/w7_CfsKm3gA

If everything is working fine, I would like to write an integration for home assistant and get info of the robot ;)

Let me know if you do! If you could make it compatible with other platforms as well, such as publishing the info to an MQTT broker using a sane structure such as what the Homie convention recommends, that'd be great!

---

By the way, an update: an acquaintance of mine tried this on his MCS and found his robot has a locked bootloader. You can figure it out with https://github.com/bkerler/mtkclient/ by running python mtk gettargetconfig.

Mine looks like this, secure boot (SBC) and download agent authentication (DAA) are not enabled therefore the bootloader is unlocked:

Port - Device detected :)
Preloader -   CPU:      MT8167/MT8516/MT8362()
Preloader -   HW version:    0x0
Preloader -   WDT:      0x10007000
Preloader -   Uart:      0x11005000
Preloader -   Brom payload addr:  0x100a00
Preloader -   DA payload addr:  0x201000
Preloader -   CQ_DMA addr:    0x10212c00
Preloader -   Var1:      0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:      0x8167
Preloader - Target config:    0x0
Preloader -   SBC enabled:    False
Preloader -   SLA enabled:    False
Preloader -   DAA enabled:    False
Preloader -   SWJTAG enabled:    False
Preloader -   EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -   Root cert required:  False
Preloader -   Mem read auth:    False
Preloader -   Mem write auth:    False
Preloader -   Cmd 0xC8 blocked:  False
Preloader - Get Target info
Preloader -   HW subcode:    0x8a00
Preloader -   HW Ver:      0xcb00
Preloader -   SW Ver:      0x1
Main - Getting target info...
Preloader - Target config:    0x0
Preloader -   SBC enabled:    False
Preloader -   SLA enabled:    False
Preloader -   DAA enabled:    False
Preloader -   SWJTAG enabled:    False
Preloader -   EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -   Root cert required:  False
Preloader -   Mem read auth:    False
Preloader -   Mem write auth:    False
Preloader -   Cmd 0xC8 blocked:  False

It should be possible to bypass it via https://github.com/MTK-bypass/bypass_utility/ + the Live ISO from mtkclient but he hasn't tried yet.

[rabbitITA]

Hello, just registered to reply here, trying hack of my MC Smart Trying readback with sp flashtool give me immediately STATUS_BROM_CMD_SEND_DA_FAIL Using bypass utility give me this

C:\Users\Rabbit\Desktop\MC3>cd bypass_utility-v.1.4.2

C:\Users\Rabbit\Desktop\MC3\bypass_utility-v.1.4.2>python main.py
[2024-02-24 17:49:47.488854] Waiting for device
[2024-02-24 17:49:53.772678] Found port = COM9

[2024-02-24 17:49:54.087555] Device hw code: 0x8167
[2024-02-24 17:49:54.087555] Device hw sub code: 0x8a00
[2024-02-24 17:49:54.087555] Device hw version: 0xcb00
[2024-02-24 17:49:54.087555] Device sw version: 0x1
[2024-02-24 17:49:54.087555] Device secure boot: True
[2024-02-24 17:49:54.087555] Device serial link authorization: False
[2024-02-24 17:49:54.087555] Device download agent authorization: True

[2024-02-24 17:49:54.087555] Found device in preloader mode, trying to crash...

[2024-02-24 17:49:54.092150] status is 2001

[2024-02-24 17:49:54.113497] Waiting for device

Stuck there even with previous bypass utility version (1.4.1) Secure Boot is active I wanna try mtkclient live ISO but can't find it, unless is "Re LiveDVD" from https://github.com/mfdl/mtkclient-1 Should I try this?

With "Android Utility" I have this log

Waiting for mtk usb device... ok
BootMode : Preloader[COM9]
DriverDesc : MediaTek PreLoader USB VCOM (Android)
DriverPath : usb\vid_0e8d&pid_2000\5&1eb22a&0&2
DriverSRV : wdm_usb
DriverVersion : 3.0.1511.0
DriverDate : 7-22-2022
DriverCFG : oem6.inf
DriverOEM : MediaTek Inc.
Connecting to BootROM......
● Chipset 0x8167
● Info 8A00_CB00_0001_
Force preloader to BootROM(0)...crash succeed!
Waiting for mtk brom usb device... 

Stuck there

Let's try to hack this :)

[depau]

@rabbitITA

The ISO is here: https://github.com/bkerler/mtkclient/blob/f9fe6ca65c93c2eb05adef7787069103c0d79763/README.md#use-re-livedvd-everything-ready-to-go-based-on-ubuntu

But as far as I understand it should work out of the box on Windows. I'm not sure though, so it's worth to give it a shot.

You can try mtkclient as well, you want to do this then use SPFlashTool 5 without disconnecting the robot.

If the first step works but SPFlashTool doesn't work, you can try going to option and setting the connection mode to UART (the COM port on Linux will be something like /dev/ttyUSB0, you can see it if you monitor the kernel log with sudo dmesg -w while you power on the robot)

I haven't tested any of this though - as I said my robot came fully unlocked from the factory.

[depau]

Is this the "Android Utility" you talk about? https://bypassfrpfiles.com/2021/05/mtk-secure-boot-disable-tool/

[rabbitITA]

I should try what you just write and will report, probably sunday as it's my free day without wife and son. Downloaded mtkclient (Windows - Python) but not tried yet Yes the Android Utility I used is the one you linked

[rabbitITA]

Even with the ISO I can't even pass the 1st passage. I had little time so couldn't even save logs or try something. Will retry soon or remain locked

[lauris-nl]

I'm stuck at step 18 Go to "Storage" then press "Files"; the file manager should open

I don't see no files button to press :-(

[lauris-nl]

From the “Further test” screen you can access Android settings by clicking on the version number in the bottom right corner for about 2 seconds, from which you can enable developer mode

[rabbitITA]

So you managed to flash TWRP I'm still stuck probably because of locked bootloader

[rabbitITA]

I found a way to access google web settings, but still need testing, here are the passages: Open a recipe Share with twitter Register Privacy informative Scroll down until the end Click on "Download X app" on the bottom left Download for Android. Will open play store "web" Login google account, top right icon, under big X button Reclick the same icon, that now have your profile image Manage your google account On the left of this icon you may click on the "9 squares icon" that allow access to google services, included Drive and almost everything else I can see files and try to download them, but seems not working. Download files doesn't work at all, and opening some pages will lead to an error that can be solved only by resetting or closing browser app. After Google login, if you power off then on the MCS when still in browser mode, login will be still active. If you close the browser, login data will be lost. I've run out of ideas about how to hack this.