Open sundaqiang opened 3 years ago
I can't find any info on MT6835, also please provide a log of the utility
I'm sorry, the model is MT6853, which is used in the Realme Q2 Pro. I can provide more information and support, such as TeamViewer.
[2021-02-09 19:41:20.028892] Device hw code: 0x996
[2021-02-09 19:41:20.029890] Device hw sub code: 0x8a00
[2021-02-09 19:41:20.029890] Device hw version: 0xca00
[2021-02-09 19:41:20.029890] Device sw version: 0x0
[2021-02-09 19:41:20.030890] Device secure boot: True
[2021-02-09 19:41:20.031889] Device serial link authorization: False
[2021-02-09 19:41:20.032889] Device download agent authorization: True
[2021-02-09 19:41:20.034889] Disabling watchdog timer
[2021-02-09 19:41:20.035888] Disabling protection
[2021-02-09 19:41:21.065907] Test mode, testing 0x1...
[2021-02-09 19:41:21.068908] Waiting for bootrom
[2021-02-09 19:41:27.790375] Found port = COM3
[2021-02-09 19:41:28.812503] Test mode, testing 0x2...
MT6853 / HW_CODE 0x996 is not (yet) supported. You can try to dump brom using testmode. Testmode will test all values for var_1 one after the other. You can also first try manually testing the known values from other devices: https://github.com/MTK-bypass/exploits_collection/blob/master/default_config.json5
main.py --testmode --var_1 = <value>
main.py -t -v 1
This instruction has been tested from 1 to ff with no success. That's why I'm here to ask whether there are other solutions.
If all values from 0x01 to 0xFF have been tested, there is also the possibility that it uses a different payload_address (-a | --payload_address), or that it isn't vulnerable (which is unlikely).
Unfortunately, without having a bootrom-dump you'll just have to keep trying.
So now I need to test payload_address and var_1. What is the most appropriate increment for payload_address (+=16)? What is the maximum value of VAR_1 (0x30)?
There really is no way to tell; look at the values that have been used so far by other devices. Maximum value for var_1 is 0xB4 (so far).
Also make sure libusb is set up correctly. Do you have another MTK device that you could use to verify the setup is working correctly?
Do you mean try this paragraph ([Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: \xc1\xac\xb5\xbd\xcf\xb5\xcd\xb3\xc9\xcf\xb5\xc4\xc9\xe8\xb1\xb8\xc3\xbb\xd3\xd0\xb7\xa2\xbb\xd3\xd7\xf7\xd3\xc3\xa1\xa3\r\n\n')?
[Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error:Devices connected to the system are not functioning.'
This error message also appears on my friend's computer. It is an X7 Pro, the CPU model is MT6889.
[2021-02-08 00:20:51.290245] Device hw code: 0x816
[2021-02-08 00:20:51.292241] Device hw sub code: 0x8a00
[2021-02-08 00:20:51.293237] Device hw version: 0xca00
[2021-02-08 00:20:51.294235] Device sw version: 0x0
[2021-02-08 00:20:51.295232] Device secure boot: True
[2021-02-08 00:20:51.296229] Device serial link authorization: False
[2021-02-08 00:20:51.297226] Device download agent authorization: True
MT6889 / 0x816 is also unsupported. Do you have access to any supported device, to confirm your setup is correct?
"0x326": { // mt6755
"payload": "mt6755_payload.bin"
},
python3 main.py -t -v 8
[2021-02-11 16:31:49.878808] Waiting for bootrom
[2021-02-11 16:32:00.623838] Found port = COM3
[2021-02-11 16:32:00.723366] Device hw code: 0x326
[2021-02-11 16:32:00.724863] Device hw sub code: 0x8a00
[2021-02-11 16:32:00.727858] Device hw version: 0xcb00
[2021-02-11 16:32:00.728358] Device sw version: 0x1
[2021-02-11 16:32:00.728869] Device secure boot: True
[2021-02-11 16:32:00.729855] Device serial link authorization: True
[2021-02-11 16:32:00.730354] Device download agent authorization: True
[2021-02-11 16:32:00.731356] Disabling watchdog timer
[2021-02-11 16:32:00.733362] Disabling protection
[2021-02-11 16:32:17.784525] Test mode, payload_address..0x100a10 watchdog..0x10007000 var1..0x9
[2021-02-11 16:32:17.786011] Waiting for bootrom
[2021-02-11 16:32:32.011467] Found port = COM3
[2021-02-11 16:32:34.034898] Test mode, payload_address..0x100a10 watchdog..0x10007000 var1..0xa
[2021-02-11 16:32:34.036387] Waiting for bootrom
[2021-02-11 16:33:13.457209] Found port = COM3
[2021-02-11 16:33:20.396929] Test mode, payload_address..0x100a10 watchdog..0x10007000 var1..0xb
[2021-02-11 16:33:20.399420] Waiting for bootrom
[2021-02-11 16:33:21.475050] Found port = COM3
[2021-02-11 16:33:38.500275] Test mode, payload_address..0x100a10 watchdog..0x10007000 var1..0xc
[2021-02-11 16:33:38.501747] Waiting for bootrom
It looks like you changed the payload_address; 0x100A00 should be the default for 0x326. If this one doesn't give the error, I am not sure what else to try. You could try on Linux with the kernel patch.
Sorry, I did change the payload_address and did not correct it back. It seems to be the case with every new model I have ([Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error:Devices connected to the system are not functioning.')! I'm trying Linux with the kernel patch!
Just a little info, the libusb-error you're getting when decoded with GBK reads:
连到系统上的设备没有发挥作用。
Google translates that to:
The equipment connected to the system is not functioning.
Is your OS in chinese, or is this message possibly coming from the device?
Yes, my operating system is in Chinese! The device is Oppo's Realme, and the manufacturer does put some weird restrictions on it!
I see, let me know if using linux behaves differently. If you want to use debian, I have uploaded patched kernel-packages ready to install here: http://www.mediafire.com/folder/4aasetrfedl4t/kamakiri-kernels
Libusb worked fine on my computer, and I'll retest it in a Linux environment later! If not successful, I'll use other brands (millet) MT6853 or MT6853 for testing!
If you find other devices with MT6853 that have security disabled, that would be perfect, since they could be used to dump brom and figure out var_1.
In the case of the Debian test, it looks like Oppo is limiting something!
python3.9 main.py -t -v 0
[2021-02-12 21:21:43.308852] Waiting for device
[2021-02-12 21:21:47.427605] Found port = /dev/ttyACM0
[2021-02-12 21:21:47.471907] Device hw code: 0x996
[2021-02-12 21:21:47.472079] Device hw sub code: 0x8a00
[2021-02-12 21:21:47.472167] Device hw version: 0xca00
[2021-02-12 21:21:47.472241] Device sw version: 0x0
[2021-02-12 21:21:47.472289] Device secure boot: True
[2021-02-12 21:21:47.472356] Device serial link authorization: False
[2021-02-12 21:21:47.472440] Device download agent authorization: True
[2021-02-12 21:21:47.472527] Disabling watchdog timer
[2021-02-12 21:21:47.474130] Disabling protection
[Errno 32] Pipe error
[2021-02-12 21:21:48.505814] Test mode, testing 0x1...
[2021-02-12 21:21:48.506048] Waiting for device
[2021-02-12 21:21:56.256513] Found port = /dev/ttyACM0
[Errno 32] Pipe error
[2021-02-12 21:21:57.286097] Test mode, testing 0x2...
[2021-02-12 21:21:57.286516] Waiting for device
[2021-02-12 21:22:05.879545] Found port = /dev/ttyACM0
[Errno 32] Pipe error
[2021-02-12 21:22:06.935502] Test mode, testing 0x3...
[2021-02-12 21:22:06.935692] Waiting for device
Pipe error or Operation timed out is expected when var_1 is incorrect. Is the kernel patched?
If this error is normal, I'll keep testing! The kernel is patched!
I have to find another brand of MT6853 to try it out!
Very unfortunate. Let's hope you find a device with security disabled so we can get a bootrom-dump.
I also encountered the error of “sending control message failed” on Xiaomi MT6853
RedMi Note9 5G?
yes
This is embarrassing! I was going to buy it and try it on!
I have a Samsung A32 5G, same chip, no idea how to test this but I'm willing!!! (Bootloader locked 5G)
Found this which might be helpful? https://androidfilehost.com/?fid=17248734326145723274
I would be interested in helping with this too. I'm now the proud owner of a bricked Redmi Note 9T (which is the global version of the Redmi Note 9 5G). I've had a go with the tool; here's my output from test mode, which is basically the same as other attempts:
python main.py -t -v 0
[2021-05-24 12:08:58.138556] Waiting for device
[2021-05-24 12:09:02.089725] Found port = COM3
[2021-05-24 12:09:02.152197] Device hw code: 0x996
[2021-05-24 12:09:02.167805] Device hw sub code: 0x8a00
[2021-05-24 12:09:02.167805] Device hw version: 0xca00
[2021-05-24 12:09:02.167805] Device sw version: 0x0
[2021-05-24 12:09:02.167805] Device secure boot: True
[2021-05-24 12:09:02.167805] Device serial link authorization: True
[2021-05-24 12:09:02.183429] Device download agent authorization: True
[2021-05-24 12:09:02.183429] Disabling watchdog timer
[2021-05-24 12:09:02.183429] Disabling protection
[Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: A device attached to the system is not functioning.\r\n\n'
[2021-05-24 12:09:03.277516] Test mode, testing 0x1...
[2021-05-24 12:09:03.277516] Waiting for device
[2021-05-24 12:09:16.048212] Found port = COM3
[Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: A device attached to the system is not functioning.\r\n\n'
[2021-05-24 12:09:16.335811] Test mode, testing 0x2...
[2021-05-24 12:09:16.335811] Waiting for device
[2021-05-24 12:09:18.060070] Found port = COM3
[Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: A device attached to the system is not functioning.\r\n\n'
[2021-05-24 12:09:19.143053] Test mode, testing 0x3...
[2021-05-24 12:09:19.143053] Waiting for device
[2021-05-24 12:09:26.317893] Found port = COM3
[Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: A device attached to the system is not functioning.\r\n\n'
[2021-05-24 12:09:27.393683] Test mode, testing 0x4...
[2021-05-24 12:09:27.393683] Waiting for device
[2021-05-24 12:09:34.807363] Found port = COM3
[Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: A device attached to the system is not functioning.\r\n\n'
[2021-05-24 12:09:35.932830] Test mode, testing 0x5...
[2021-05-24 12:09:35.932830] Waiting for device
Looks like the "[Errno None]" is the Windows equivalent of the "[Errno 32] Pipe Error" which you get on Linux. I tried your kernel-patched version of FireISO too @chaosmaster and it's basically the same output (but with Errno 32s instead). I'm pretty sure my libusb is set up properly.
I could run through the full set of 0x01 to 0xFF to try and find var_1 (which in test mode should then dump the brom?), but it looks like that's already been done by @sundaqiang and didn't work?
@GarnetSunset, I don't think the ROM and scatter files help, as the brom is written into the firmware of the MT6853 chip itself. It looks like the only solution at the moment is to find someone with a phone that isn't already locked down. Which I think means when the tool is run we want to see "Device serial link authorization: False" and "Device download agent authorization: False", but can someone confirm please?
Yes, having a device with security disabled would be ideal to dump the bootrom. At this point it's hard to say if the device is even vulnerable or not.
Same situation, my device is a realme Q2 mt6853.
Hey there! I have a rooted/bootloader unlocked A32 5G, anything I can do to help?
@GarnetSunset unfortunately that may not be enough as it won't get us the boot rom off the MT6853 chip. What would be of interest is to find out if Samsung locked down the chip or not.
Have a go at installing/running the tool, and paste the output here on the issue. What we're looking for is someone who has:
Device serial link authorization: False
Device download agent authorization: False
Instructions are on the front page: https://github.com/MTK-bypass/bypass_utility There's also a write-up on the xda site: https://www.xda-developers.com/bypass-mediatek-sp-flash-tool-authentication-requirement/
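The posts above ask the same two questions of every pasted log: what hw code does the device report, and are "serial link authorization" (SLA) and "download agent authorization" (DAA) both False? The following is an added example, not part of bypass_utility or any code posted in this thread: a small parser that pulls those fields out of the utility's output (tolerating logs that were run together onto a single line, as several of the pastes here were), counts the "[Errno 32] Pipe error" / "[Errno None] libusb0-dll" transfer failures that were noted to be equivalent, and decodes the mojibake in the Windows libusb error using the GBK code page, as the earlier reply did by hand. The field names and the error byte string come from the logs quoted in this issue; treating GBK as the system ANSI code page is an assumption that holds for a Chinese-locale Windows install.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the bypass_utility output pasted in this thread.
# Extraction often runs every entry onto one line, so the parser must not depend on newlines.
SAMPLE_LOG = (
    "[2021-05-24 12:09:02.152197] Device hw code: 0x996 "
    "[2021-05-24 12:09:02.167805] Device hw sub code: 0x8a00 "
    "[2021-05-24 12:09:02.167805] Device hw version: 0xca00 "
    "[2021-05-24 12:09:02.167805] Device sw version: 0x0 "
    "[2021-05-24 12:09:02.167805] Device secure boot: True "
    "[2021-05-24 12:09:02.167805] Device serial link authorization: True "
    "[2021-05-24 12:09:02.183429] Device download agent authorization: True "
    "[2021-05-24 12:09:02.183429] Disabling watchdog timer "
    "[2021-05-24 12:09:02.183429] Disabling protection "
    "[Errno 32] Pipe error "
    "[2021-05-24 12:09:03.277516] Test mode, testing 0x1..."
)

# The raw libusb0 error bytes quoted above, as Python displayed them on a Chinese Windows install.
LIBUSB_ERR = (
    b"libusb0-dll:err [control_msg] sending control message failed, win error: "
    b"\xc1\xac\xb5\xbd\xcf\xb5\xcd\xb3\xc9\xcf\xb5\xc4\xc9\xe8\xb1\xb8\xc3\xbb\xd3\xd0"
    b"\xb7\xa2\xbb\xd3\xd7\xf7\xd3\xc3\xa1\xa3\r\n\n"
)

FIELD_RE = re.compile(
    r"\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+\] Device "
    r"(hw code|hw sub code|hw version|sw version|secure boot|"
    r"serial link authorization|download agent authorization): (\S+)"
)
# Linux and Windows spellings of the same failed control transfer.
XFER_ERR_RE = re.compile(r"\[Errno 32\] Pipe error|\[Errno None\] b'libusb0-dll:err")


def _hex(v: str) -> int:
    return int(v, 16)


def _flag(v: str) -> bool:
    if v not in ("True", "False"):
        raise ValueError(f"unexpected flag value {v!r}")
    return v == "True"


# log field name -> (attribute on BromInfo, converter)
FIELDS = {
    "hw code": ("hw_code", _hex),
    "hw sub code": ("hw_sub_code", _hex),
    "hw version": ("hw_version", _hex),
    "sw version": ("sw_version", _hex),
    "secure boot": ("secure_boot", _flag),
    "serial link authorization": ("sla", _flag),
    "download agent authorization": ("daa", _flag),
}


@dataclass
class BromInfo:
    hw_code: Optional[int] = None
    hw_sub_code: Optional[int] = None
    hw_version: Optional[int] = None
    sw_version: Optional[int] = None
    secure_boot: Optional[bool] = None
    sla: Optional[bool] = None
    daa: Optional[bool] = None
    transfer_errors: int = 0

    @property
    def security_disabled(self) -> bool:
        """The state the thread is looking for: both SLA and DAA reported False."""
        return self.sla is False and self.daa is False


def parse_brom_log(text: str) -> BromInfo:
    """Extract the BROM handshake fields from bypass_utility output, newline-split or not."""
    info = BromInfo()
    for m in FIELD_RE.finditer(text):
        attr, conv = FIELDS[m.group(1)]
        setattr(info, attr, conv(m.group(2)))
    info.transfer_errors = len(XFER_ERR_RE.findall(text))
    return info


def decode_libusb_error(raw: bytes, encoding: str = "gbk") -> str:
    """libusb0 appends the Win32 error text in the system ANSI code page, which is why a
    Chinese-locale machine shows \\xc1\\xac... instead of readable text. Assumes GBK."""
    _, sep, msg = raw.partition(b"win error: ")
    return (msg if sep else raw).decode(encoding, errors="replace").strip()


def summarize(info: BromInfo) -> str:
    hw = f"0x{info.hw_code:x}" if info.hw_code is not None else "unknown"
    state = ("SLA and DAA disabled: candidate for a bootrom dump"
             if info.security_disabled
             else "SLA/DAA enforced: BROM accepts only a signed DA")
    return (f"hw code {hw}, secure boot {info.secure_boot}, {state}, "
            f"{info.transfer_errors} transfer error(s)")


if __name__ == "__main__":
    print(summarize(parse_brom_log(SAMPLE_LOG)))
    print(decode_libusb_error(LIBUSB_ERR))
```

Paste a log into `parse_brom_log` and `summarize` gives the one-line answer the maintainers keep asking for; a device that reports both authorization flags False is the kind the thread is hunting for, anything else is a locked-down unit like the Realme, Redmi and Samsung pastes above.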
I've attached the DA file for this chip here (it's for MT6853 and MT6873). Not sure it's of use for this specific exploit, but will verify us through Secure Boot. MTK_AllInOne_DA.zip
I have a Realme X7 5G stuck in a bootloop. At the bottom right it says "RECOVERY MODE" and it continuously switches OFF and ON. Couldn't bypass BROM in any way. SP tool says wrong scatter every time. Please, please help, anyone.
It is now confirmed that the vulnerability was fixed in MT6853, unfortunately: chaosmaster/bypass_payloads/issues/7
I am logged in to the original download software and can use a realme Q2 (MT6583), anything I can do to help?
download: https://drive.google.com/file/d/1ksZBNZJVJDUOAsSv-aafeCbnAzVaXPVn/view?usp=sharing
Note: The account may expire or be cancelled soon, please try to detect usb data/dump the certificate as soon as possible.
This is a Wireshark USB flashing dump and updating log file. https://drive.google.com/file/d/1tJyypd0L6yGFTj1JCGPR6RKu6oe8KgsF/view?usp=sharing
log https://drive.google.com/file/d/1mgHCT5cgxpo-7qPtX3UAfa-XjDLs2jU7/view?usp=sharing
MT6853 is now supported, please try.
MT6853 - SM-A32 5G
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
DAXFlash
DAXFlash - [LIB]: Error on sending parameter: Read parttbl failed (0xc0040007)
xflashext
xflashext - [LIB]: Error on writing seccfg config to flash.
@chaosmaster
Hi,
I'm getting "Status 7024" on "Device hw code: 0x996".
This is Vivo V21 5g on MT6853.
Attached the log. Are you able to help? bypass_utility.log
I have an MT6833. I dunno if bootrom protection (SLA and DAA) is there at all. Can someone tell me how to verify the same? I was able to install a patched Magisk boot image; does that mean SLA and DAA are disabled?
The .ofp has a .Auth file after unpacking. Is this step unnecessary? But sp_flash_tool_v5.2052 gives a download error?