Open Shahi-Paneer opened 3 years ago
0x8176 is not supported.
You can try running in testmode (-t) to dump the bootrom.
I have a device with a similar chip, MT8168. Does it mean that the chip is not vulnerable or it is just a question of implementation?
$ sudo python3 main.py -t
[2021-07-14 08:49:21.703606] Waiting for device
[2021-07-14 08:49:31.685518] Found port = /dev/ttyACM0
[2021-07-14 08:49:31.794236] Can't find 0x8168 hw_code in config
[2021-07-14 08:49:31.794683] Device hw code: 0x8168
[2021-07-14 08:49:31.794733] Device hw sub code: 0x8a00
[2021-07-14 08:49:31.794769] Device hw version: 0xca01
[2021-07-14 08:49:31.794802] Device sw version: 0x100
[2021-07-14 08:49:31.794836] Device secure boot: True
[2021-07-14 08:49:31.794869] Device serial link authorization: False
[2021-07-14 08:49:31.794902] Device download agent authorization: False
[2021-07-14 08:49:31.794975] Found device in preloader mode, trying to crash...
[2021-07-14 08:49:31.796374] status is 2001
It just means you'll have to find another way to enter bootrom, since your device is currently in preloader and it cannot be crashed. So either find a button combination or a suitable testpoint for shorting (EMMC).
@chaosmaster Thanks for your reply. I will continue my investigations to enter into bootrom.
I got this now:
sudo python3 main.py -t
[2021-07-16 11:49:48.112624] Waiting for device
[2021-07-16 11:50:15.588105] Found port = /dev/ttyACM0
[2021-07-16 11:50:15.609776] Device hw code: 0x8168
[2021-07-16 11:50:15.609906] Device hw sub code: 0x8a00
[2021-07-16 11:50:15.609939] Device hw version: 0xca01
[2021-07-16 11:50:15.609964] Device sw version: 0x100
[2021-07-16 11:50:15.609996] Device secure boot: True
[2021-07-16 11:50:15.610017] Device serial link authorization: False
[2021-07-16 11:50:15.610046] Device download agent authorization: False
[2021-07-16 11:50:15.610069] Disabling watchdog timer
[2021-07-16 11:50:15.610649] Insecure device, sending payload using send_da
Traceback (most recent call last):
File "main.py", line 213, in <module>
main()
File "main.py", line 86, in main
result = device.read(4)
File "/home/samuel/Downloads/bypass_utility/src/device.py", line 117, in read
return self.dev.read(size)
File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 595, in read
raise SerialException(
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
PS: I have installed the prebuilt patches on an Ubuntu computer
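As an added example (not part of the original thread and not the utility's own code): a small parser for the timestamped log format shown above. It extracts the reported hardware identifiers and lists which of the three reported controls came back False. In the runs above, the tool printed "Insecure device" when both authorization flags were False. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample, following the shape of the log lines posted in this thread.
SAMPLE_LOG = """\
[2021-07-16 11:50:15.588105] Found port = /dev/ttyACM0
[2021-07-16 11:50:15.609776] Device hw code: 0x8168
[2021-07-16 11:50:15.609906] Device hw sub code: 0x8a00
[2021-07-16 11:50:15.609939] Device hw version: 0xca01
[2021-07-16 11:50:15.609964] Device sw version: 0x100
[2021-07-16 11:50:15.609996] Device secure boot: True
[2021-07-16 11:50:15.610017] Device serial link authorization: False
[2021-07-16 11:50:15.610046] Device download agent authorization: False
[2021-07-16 11:50:15.610069] Disabling watchdog timer
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
FIELD = re.compile(r"^Device (?P<key>[a-z ]+): (?P<val>\S+)$")
FLAGS = ("secure boot", "serial link authorization",
         "download agent authorization")


def parse_handshake(log_text):
    """Return (fields, notes) for one run of the timestamped log."""
    fields, notes = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # traceback lines and blanks carry no timestamp
        msg = m.group("msg")
        f = FIELD.match(msg)
        if f:
            key, val = f.group("key"), f.group("val")
            # Booleans are printed as True/False, identifiers as hex.
            fields[key] = (val == "True") if val in ("True", "False") else int(val, 16)
        elif msg.startswith("Found device in preloader mode"):
            notes.append("preloader")
        elif msg.startswith("Can't find"):
            notes.append("hw_code not in config")
    return fields, notes


def disabled_controls(fields):
    """List the reported boot-time controls that came back False."""
    return [name for name in FLAGS if fields.get(name) is False]
```
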
Can you try different USB-cables, connectors or different PC?
I have tried with another PC/cables and the fireISO, without success. I always got the same error message.
Did you do any modifications to the script? How did you enter bootrom mode?
@chaosmaster Thanks for your response. I am using the Volume Up button when powering up the device.
I am trying on another computer and I got the following:
python3.7.exe .\main.py -t
[2021-07-22 13:31:55.717213] Waiting for device
[2021-07-22 13:32:27.077467] Found port = COM9
[2021-07-22 13:32:27.180882] Can't find 0x8168 hw_code in config
[2021-07-22 13:32:27.182881] Device hw code: 0x8168
[2021-07-22 13:32:27.183881] Device hw sub code: 0x8a00
[2021-07-22 13:32:27.184883] Device hw version: 0xca01
[2021-07-22 13:32:27.185883] Device sw version: 0x100
[2021-07-22 13:32:27.186883] Device secure boot: True
[2021-07-22 13:32:27.187883] Device serial link authorization: False
[2021-07-22 13:32:27.187883] Device download agent authorization: False
[2021-07-22 13:32:27.188881] Disabling watchdog timer
[2021-07-22 13:32:27.191881] Insecure device, sending payload using send_da
[2021-07-22 13:32:27.975490] Payload did not reply
No more python error, but the payload has no effect on the MT8168.
That's interesting. You're sure the device is in bootrom-mode, not in preloader mode? PID: 0003
Please try the attached payloads: dump_payloads.zip
Also please try using the following payload_addresses:
--payload_address 0x1fd00
--payload_address 0x20000
--payload_address 0x20300
--payload_address 0xc0000
--payload_address 0xc0300
--payload_address 0xbfd00
Thanks for your fast reply. I tried both binaries with your provided addresses.
With generic_dump_payload.bin
--payload_address 0x1fd00 -> status is 1d12
--payload_address 0x20000
--payload_address 0x20300
--payload_address 0xc0000 --> status is 1d12
--payload_address 0xc0300 --> status is 1d12
--payload_address 0xbfd00
With generic_dump_send_data_payload.bin
--payload_address 0x1fd00 -> status is 1d12
--payload_address 0x20000
--payload_address 0x20300
--payload_address 0xc0000 --> status is 1d12
--payload_address 0xc0300 --> status is 1d12
--payload_address 0xbfd00
No reply for the other addresses.
python3.7.exe .\main.py -t -a 0xc0000 -p .\generic_dump_payload.bin
[2021-07-22 14:50:14.256259] Waiting for device
[2021-07-22 14:50:28.656300] Found port = COM9
[2021-07-22 14:50:28.727297] Can't find 0x8168 hw_code in config
[2021-07-22 14:50:28.728294] Device hw code: 0x8168
[2021-07-22 14:50:28.729296] Device hw sub code: 0x8a00
[2021-07-22 14:50:28.730300] Device hw version: 0xca01
[2021-07-22 14:50:28.730300] Device sw version: 0x100
[2021-07-22 14:50:28.731298] Device secure boot: True
[2021-07-22 14:50:28.731298] Device serial link authorization: False
[2021-07-22 14:50:28.732305] Device download agent authorization: False
[2021-07-22 14:50:28.732305] Disabling watchdog timer
[2021-07-22 14:50:28.735309] Insecure device, sending payload using send_da
Traceback (most recent call last):
File ".\main.py", line 213, in <module>
main()
File ".\main.py", line 83, in main
device.send_da(config.payload_address, len(payload), 0x100, payload)
File "C:\Users\Samuel\Desktop\bypass_utility-master\src\device.py", line 215, in send_da
raise RuntimeError("status is {}".format(status.hex()))
RuntimeError: status is 1d12
OK, here's one more payload to try: new-dump.zip
Also please try with the generic_reboot_payload.bin (it's included in the collection). It should make the device reboot instantly.
I have got the same results. Note that the device takes some time to reply "No reply" with two addresses.
With generic_dump_payload.bin
--payload_address 0x1fd00 -> status is 1d12
--payload_address 0x20000
--payload_address 0x20300 --> no reply but takes long time to answer
--payload_address 0xc0000 --> status is 1d12
--payload_address 0xc0300 --> status is 1d12
--payload_address 0xbfd00 --> no reply but takes long time to answer
With generic_reboot_payload.bin
--payload_address 0x1fd00 -> status is 1d12
--payload_address 0x20000
--payload_address 0x20300 --> no reply but takes long time to answer
--payload_address 0xc0000 --> status is 1d12
--payload_address 0xc0300 --> status is 1d12
--payload_address 0xbfd00 --> no reply but takes long time to answer
python3.7.exe .\main.py -t -a 0x1fd00 -p .\generic_dump_payload.bin
[2021-07-22 15:14:26.762471] Waiting for device
[2021-07-22 15:14:35.711592] Found port = COM9
[2021-07-22 15:14:35.774610] Can't find 0x8168 hw_code in config
[2021-07-22 15:14:35.775611] Device hw code: 0x8168
[2021-07-22 15:14:35.776615] Device hw sub code: 0x8a00
[2021-07-22 15:14:35.777615] Device hw version: 0xca01
[2021-07-22 15:14:35.777615] Device sw version: 0x100
[2021-07-22 15:14:35.778609] Device secure boot: True
[2021-07-22 15:14:35.778609] Device serial link authorization: False
[2021-07-22 15:14:35.779609] Device download agent authorization: False
[2021-07-22 15:14:35.779609] Disabling watchdog timer
[2021-07-22 15:14:35.782609] Insecure device, sending payload using send_da
Traceback (most recent call last):
File ".\main.py", line 213, in <module>
main()
File ".\main.py", line 83, in main
device.send_da(config.payload_address, len(payload), 0x100, payload)
File "C:\Users\Samuel\Desktop\bypass_utility-master\src\device.py", line 215, in send_da
raise RuntimeError("status is {}".format(status.hex()))
RuntimeError: status is 1d12
And device didn't reboot with generic_reboot_payload.bin ?
You can try running in forced testmode to try and bruteforce var_1.
You'll have to reconnect the device multiple times into bootrom mode in between tries:
./main.py -t -f
The device does not reboot
Can you tell, what device this is?
@chaosmaster Thanks for your help and your time. The device is not on the market yet ;-).
After my vacation, I will try with ./main.py -t -f.
I own a MT8168 Amazon Fire HD 8 (2020). Interestingly, the Preloader announces itself in dmesg as idVendor=1949, idProduct=0580, Product: MT65xx Preloader
I did not yet manage to enter bootrom with any key combination, and I also did not find any emmc shorting points I could use. The device seems to be quite locked down, fastboot quits every command with "the command you input is restricted on locked hw" while somebody told me the bootrom would be disabled (whatever that is supposed to mean).
Executing main.py -t results in test and gold not matching every time and throws "Unexpected output, expected {} got {}" with varying numbers. I tried all the different crash methods.
Any ideas how to go on from here?
The Preloader crashing seems to have some effect, though. After crashing the tablet becomes unresponsive and has to be reset by holding VolDown + Power for 15 sec
How can I fix the bypass tool error "can't find 0x989 hw_code in config"? Please reply if you have any answers. I accidentally bricked my phone after the flash vbmeta img (the disable verification thing) command while trying to flash a GSI. Thank you for responding.
0x8176 is not supported. You can try running in testmode (-t) to dump the bootrom.
how to do that, I desperately need help right
Hi there, when I try to unlock my device I get this error. I have tried doing this one on two separate machines and the error has remained the same.
I noticed when I install a device filter on my device in Device manager it shows a little yellow triangle around it and my device won't get detected by the utility. But if I right click and update drivers to the MTK Signed drivers it detects my device and I get the error above.
All help would be greatly appreciated as I'm trying to unbrick my device.
Thanks!