Closed dsborets closed 3 years ago
Did you reboot or unplug the device before running SP Flash Tool? Can you please run the bypass utility twice in a row and post the output?
No, I didn't reboot or unplug the device. I keep it connected to the same USB port.
I can't run the bypass utility twice without a power cycle. BTW, is that expected?
The first-time output is the same as what I posted already; when I try to run it again it just outputs:
Waiting for device
With power cycle the outputs are the same.
Please also take into account that the bypass utility is not working correctly without these changes:
diff --git a/src/device.py b/src/device.py
index cd75939..a1a49c9 100644
--- a/src/device.py
+++ b/src/device.py
@@ -123,13 +123,16 @@ class Device:
self.echo(addr, 4)
self.echo(size, 4)
- self.check(self.dev.read(2), to_bytes(0, 2)) # arg check
+# self.check(self.dev.read(2), to_bytes(0, 2)) # arg check
+ assert from_bytes(self.dev.read(2), 2) <= 0xff
for _ in range(size):
data = from_bytes(self.dev.read(4), 4)
result.append(data)
- self.check(self.dev.read(2), to_bytes(0, 2)) # status
+# self.check(self.dev.read(2), to_bytes(0, 2)) # status
+
+ assert from_bytes(self.dev.read(2), 2) <= 0xff
# support scalar
if len(result) == 1:
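Review bot: replacing `self.check(self.dev.read(2), to_bytes(0, 2))` with `assert from_bytes(self.dev.read(2), 2) <= 0xff` at both the arg check and the status check turns a strict equality test into one that accepts any of 256 values, including the 0x0003 this device returns but also any genuine error status in that range, and `assert` is compiled out under `python -O`, so a real failure would later surface as a mis-parsed read rather than a clear error. Prefer keeping the `self.check` path and extending it to accept an explicit set of known-good statuses for this part (0x0000 and the observed 0x0003), raising on anything else with the raw value in the message; also delete the commented-out `self.check` lines instead of leaving `#` copies, and note in a comment why 0x0003 is expected here.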
Otherwise it's throwing an exception:
[2021-04-22 10:49:08.729440] Disabling protection
Traceback (most recent call last):
File "C:\bypass_utility\main.py", line 213, in <module>
main()
File "C:\bypass_utility\main.py", line 58, in main
result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
File "C:\bypass_utility\src\exploit.py", line 17, in exploit
device.read32(addr - (cnt - i) * 4, cnt - i + 1)
File "C:\bypass_utility\src\device.py", line 126, in read32
self.check(self.dev.read(2), to_bytes(0, 2)) # arg check
File "C:\bypass_utility\src\device.py", line 88, in check
raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0x0000 got 0x0003
Check this comment from the original issue https://github.com/MTK-bypass/bypass_utility/issues/25#issuecomment-815102264
No, on a second run, it should show that security is disabled and dump the brom.
It seems there may be an issue with the payload, though it's not clear what. @bkerler is looking into it. In the meantime can you try the attached payload? It WILL NOT disable security, but hopefully when running the utility the second time, it should not be stuck "Waiting for device".
I'll look into updating the code in order to allow the different response produced by your device.
Also can you maybe give some more details, what device this is?
Are you able to attach a serial console (UART) to it? mt8167_payload.zip
It's a noname Chinese smart speaker. The only test pads for communication I found are USB.
The new payload doesn't work either. It gets stuck on "Waiting for device" when running the utility for the second time. But it does say "Protection disabled" after the first run.
I also tried to run the utility a second time (main.py --serial-port=COM5)
with the new payload:
[2021-04-23 10:27:18.436998] Disabling watchdog timer
[2021-04-23 10:27:18.438996] Disabling protection
Traceback (most recent call last):
File "C:\bypass_utility\main.py", line 213, in <module>
main()
File "C:\bypass_utility\main.py", line 58, in main
result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
File "C:\bypass_utility\src\exploit.py", line 25, in exploit
raise RuntimeError("status is {}".format(status.hex()))
RuntimeError: status is 1d0c
It worked with the old payload and dumped the bootrom.
Ah yes, I forgot to mention that you need to supply --serial-port with the second run.
Can you please run the utility twice with the old payload (supplying --serial-port on the second run) and post the complete output.
>py -3 main.py --serial_port=COM5
[2021-04-23 11:01:59.084724] Device hw code: 0x8167
[2021-04-23 11:01:59.084724] Device hw sub code: 0x8a00
[2021-04-23 11:01:59.085723] Device hw version: 0xcb00
[2021-04-23 11:01:59.085723] Device sw version: 0x1
[2021-04-23 11:01:59.086722] Device secure boot: False
[2021-04-23 11:01:59.087721] Device serial link authorization: False
[2021-04-23 11:01:59.087721] Device download agent authorization: False
[2021-04-23 11:01:59.088720] Disabling watchdog timer
[2021-04-23 11:01:59.090718] Insecure device, sending payload using send_da
[2021-04-23 11:01:59.119691] Found send_dword, dumping bootrom to bootrom_8167.bin
but after that the device seems to have automatically rebooted into normal mode.
Update. When I keep pressing a button and run the utility a second time, I see that the original COM port (COM5 in my case) disappeared and a new port, MediaTek PreLoader USB VCOM Port (COM6), appeared. I also tried to run SP Flash Tool on that port: same error (C0010001).
Yes, running it twice is just to confirm the payload is working as expected. After the second run the device will reboot normally with security enabled. However it confirms that security is disabled successfully as can be seen from the output of the second run. So to use SP just run it once, make sure the device isn't rebooted or unplugged and use the default Download Agent.
Yeah, this is what I tried. Interesting situation now: SPFT doesn't show a COM port in the dropdown, so I cannot select any. In the Windows Device Manager I do see a COM port, MTK USB Port (COM5), and this utility can also work with this port (in the case of a second run). What could be wrong? I tried to re-run SPFT and reboot the PC; same thing. When I try to read back it shows me the same error, C0010001. It doesn't complain about an inability to open a port. In the bottom status bar I see UART: , 115200
SPFT log:
...
)((APCore::Connection::ConnectBROM,..\..\flashtool\Conn\Connection.cpp,103))(..\..\flashtool\UI\src\BackgroundWorker.cpp,107)
04/23/2021 13:01:59.820 FlashTool[4832][5400][D]: APCore::DLHandle::GetScatterInfo(): Scatter version(V1.1.2)(..\..\flashtool\Resource\Handle\DLHandle.cpp,133)
04/23/2021 13:01:59.827 FlashTool[4832][5400][D]: ISetting::set_stop_flag(): dummpy stop_flag(0x05926928) set.(d:\home\mtk14060\dailyautobuild\project\wcp2_cleanroom\da\download_agent_main\flashtool\setting\ISetting.h,45)
04/23/2021 13:01:59.828 FlashTool[4832][8580][D]: APCore::RBHandle::GetCount(): RB_GetCount(1)(..\..\flashtool\Resource\Handle\RBHandle.cpp,98)
04/23/2021 13:01:59.828 FlashTool[4832][8580][D]: APCore::Connection::ConnectBROM(): Connecting to BROM...(..\..\flashtool\Conn\Connection.cpp,75)
04/23/2021 13:02:03.633 FlashTool[4832][8580][D]: APCore::Connection::ConnectBROM(): Connect BROM failed: STATUS_ERR(-1073676287)(..\..\flashtool\Conn\Connection.cpp,102)
04/23/2021 13:02:03.633 FlashTool[4832][8580][D]: APCore::Connection::Disconnect(): Disconnect!(..\..\flashtool\Conn\Connection.cpp,186)
04/23/2021 13:02:03.692 FlashTool[4832][8580][D]: BackgroundWorker::run(): BROM Exception! ( ERROR : STATUS_ERR (0xC0010001)
[HINT]:
)((APCore::Connection::ConnectBROM,..\..\flashtool\Conn\Connection.cpp,103))(..\..\flashtool\UI\src\BackgroundWorker.cpp,107)
If you're on Windows, use USB mode, not UART, in SP Flash.
Ok, I moved forward while using USB mode. Thank you! But now when I tried to read back, I see:
BackgroundWorker::run(): BROM Exception! ( ERROR : STATUS_PRELOADER_INVALID (0xC0030004)
The Preloader file format is invalid!
[HINT]:
Please retry another official load.
Ok, it's no longer related to the bypass utility, but maybe you know what could be wrong?
Make sure you're using the correct scatter file and preloader for your device. As this is an issue with SP Flash configuration, I am closing this issue.
Ok, Thank you
@dsborets Did you ever find a solution? Currently working on the same platform, MT8167 (also a speaker), and getting the same issue with SPFT even with the scatter file and preloader from a valid factory image.
You're getting the STATUS_PRELOADER_INVALID? Does your preloader have the EMMC_BOOT header? Can you share preloader + scatter?
Yes on both counts. boot0.img from the factory image does have the EMMC_BOOT header:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Mediatek EMMC Flash Image Version 1
512 0x200 Mediatek Boot Header Version 1
532 0x214 Boot section Start 0x800 End 0x29200 Load-by-Bootrom
162976 0x27CA0 SHA256 hash constants, little endian
I did extract the boot section at the 0x4d4d4d magic and tried that as the preloader too (preloader_mt8167s_ref.bin).
mt8167s_som_scatter.txt preloader_mt8167s_ref.bin.zip boot0.img.zip
Yeah, it needs to be without the EMMC_BOOT header for SPFT. Your preloader_mt8167s_ref.bin does look fine though.
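The carve step described in the two posts above (strip the EMMC_BOOT/BRLYT wrapper from boot0.img and keep only the bootrom-loaded section that starts at the 0x4d4d4d01 "MMM\x01" magic) as an added example; this is not code from the thread, from bypass_utility or from SP Flash Tool. The identifier strings and the 0x0/0x200/0x214 offsets come from the binwalk output posted above; the field order assumed for the descriptor at 0x214 (magic, start, end, type as little-endian u32) is an assumption, which is why the code only trusts the descriptor when it points at the GFH magic and otherwise falls back to scanning for it, as the poster did by hand. The sample image is constructed, not a real dump.

```python
import struct
import sys

# Identifiers and offsets from the binwalk decode in the thread. The field layout of
# the descriptor at 0x214 is an ASSUMPTION: magic, start, end, type as little-endian u32.
EMMC_BOOT_ID = b"EMMC_BOOT"   # "Mediatek EMMC Flash Image" identifier at offset 0
BRLYT_ID = b"BRLYT"           # "Mediatek Boot Header" at offset 0x200
BL_DESCR_OFF = 0x214          # where binwalk reported "Boot section Start .. End .."
GFH_MAGIC = b"MMM\x01"        # 0x4d4d4d01: first bytes of a bare preloader (GFH header)


def parse_boot_section(img: bytes):
    """Return (start, end, bl_type) of the bootrom-loaded section described at 0x214.

    start/end are absolute offsets into the image, as binwalk prints them
    (Start 0x800 End 0x29200 for the boot0.img in the thread).
    """
    if not img.startswith(EMMC_BOOT_ID):
        raise ValueError("no EMMC_BOOT identifier at offset 0")
    if img[0x200:0x200 + len(BRLYT_ID)] != BRLYT_ID:
        raise ValueError("no BRLYT header at 0x200")
    _magic, start, end, bl_type = struct.unpack_from("<4sIII", img, BL_DESCR_OFF)
    if not (0x200 < start < end <= len(img)):
        raise ValueError(f"implausible boot section 0x{start:x}-0x{end:x}")
    return start, end, bl_type


def strip_emmc_boot(img: bytes) -> bytes:
    """Carve the bare preloader (what SPFT expects) out of an EMMC_BOOT-wrapped boot0.img.

    The descriptor is trusted only if the bytes it points at really begin with the
    GFH magic; otherwise scan for the magic. Already-bare input is returned unchanged.
    """
    if img.startswith(GFH_MAGIC):
        return img
    try:
        start, end, _ = parse_boot_section(img)
        if img[start:start + len(GFH_MAGIC)] == GFH_MAGIC:
            return img[start:end]
    except ValueError:
        pass
    idx = img.find(GFH_MAGIC)
    if idx < 0:
        raise ValueError("no GFH (MMM\\x01) preloader found in image")
    return img[idx:]           # no trustworthy end marker here: carve to end of image


# Constructed test image, not a real dump: headers at 0, 0x200 and 0x214, and a fake
# preloader at 0x800, mirroring the offsets binwalk reported in the thread.
SAMPLE_PRELOADER = GFH_MAGIC + b"\x00" * 0x34 + b"\xa5" * 0x100


def build_sample_image() -> bytes:
    start = 0x800
    end = start + len(SAMPLE_PRELOADER)
    img = bytearray(end)
    img[0:len(EMMC_BOOT_ID)] = EMMC_BOOT_ID
    img[0x200:0x200 + len(BRLYT_ID)] = BRLYT_ID
    struct.pack_into("<4sIII", img, BL_DESCR_OFF, b"BBBB", start, end, 1)
    img[start:end] = SAMPLE_PRELOADER
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            out = strip_emmc_boot(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(out)
        print(f"wrote {len(out):#x} bytes")
    else:
        print("self-test:", strip_emmc_boot(build_sample_image()) == SAMPLE_PRELOADER)
```

Run as `python strip_emmc_boot.py boot0.img preloader_raw.bin` and feed the output file to SPFT; if the descriptor layout on a real image differs from the assumed one, the fallback scan still produces a file that starts at the GFH magic, but its tail will include whatever padding follows the preloader.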
It's definitely sending me a little crazy :tired_face:
I have the brom dump and, having thrown it through Ghidra, it does match up with the 8167 payload for mtk-bypass perfectly (despite my initial 1AM blindness).
I have the full factory images, which I have flashed and which work fine, so the preloader from them has to be good. And the scatter file I made by hand from the partition-table.img from the factory images.
I don't have any real background with MTK devices prior to this one so am at a bit of a loss as to what to try next.
I guess you could try different versions of SPFT and different DAs. Also please send me the GPT.
Tried a couple of versions of SPFT (all 5.x, because I don't think 8167 is supported before that?) and tried a few different DAs from the Hovatek forum; no joy there either.
Here is the scatter my script produces; it is just for comparison and would need manual adjustment. scatter-new.zip
2 major differences: PRELOADER size is 0x400000 vs 0x40000, and pgpt size is 0x80000 vs 0x5000.
But I can't see how the pgpt size is correct, because both scatter files still have the next partition starting at 0x5000 (which would be right if pgpt is 0x0 on EMMC_USER).
Yeah, 0x80000 is probably wrong for pgpt
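The inconsistency the two posts above point at (a pgpt entry sized 0x80000 while the next partition in the same region starts at 0x5000) is exactly the kind of thing a quick consistency pass over the scatter catches before SPFT turns it into an obscure error. The following checker is an added example, not code from the thread or from any MTK tool; the scatter fragment is constructed (field names follow the MTK V1.1.x scatter layout: partition_name, linear_start_addr, partition_size, region), and the partition names and sizes are illustrative, not taken from the posted attachments.

```python
import re

# Constructed scatter fragment (not from the thread's attachments). It reproduces the
# suspicious case discussed above: pgpt sized 0x80000 while the next EMMC_USER
# partition starts at 0x5000. PRELOADER lives in its own region and must not be
# compared against EMMC_USER partitions.
SAMPLE_SCATTER = """\
- partition_index: SYS0
  partition_name: PRELOADER
  file_name: preloader_mt8167s_ref.bin
  is_download: true
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
- partition_index: SYS1
  partition_name: PGPT
  file_name: NONE
  is_download: false
  linear_start_addr: 0x0
  physical_start_addr: 0x0
  partition_size: 0x80000
  region: EMMC_USER
- partition_index: SYS2
  partition_name: PROINFO
  file_name: NONE
  is_download: false
  linear_start_addr: 0x5000
  physical_start_addr: 0x5000
  partition_size: 0x300000
  region: EMMC_USER
"""

# "key: value" lines; a leading "- " starts a new list entry.
LINE_RE = re.compile(r"^\s*(-\s*)?([A-Za-z_]\w*):\s*(.*?)\s*$")


def parse_scatter(text: str):
    """Split a scatter file into one dict per '- partition_index:' block.

    Header blocks (general/info) also start with '- ' but carry no partition_name,
    so they are dropped at the end.
    """
    entries, cur = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dash, key, val = m.groups()
        if dash:
            cur = {}
            entries.append(cur)
        if cur is not None:
            cur[key] = val
    return [e for e in entries if "partition_name" in e]


def find_overlaps(entries):
    """Return (region, name, next_name, end, next_start) for every partition whose
    start + size runs past the start of the next partition in the same region."""
    by_region = {}
    for e in entries:
        by_region.setdefault(e.get("region", "?"), []).append(e)
    problems = []
    for region, parts in by_region.items():
        parts.sort(key=lambda e: int(e["linear_start_addr"], 16))
        for a, b in zip(parts, parts[1:]):
            a_end = int(a["linear_start_addr"], 16) + int(a["partition_size"], 16)
            b_start = int(b["linear_start_addr"], 16)
            if a_end > b_start:
                problems.append((region, a["partition_name"], b["partition_name"], a_end, b_start))
    return problems


def check_scatter(text: str):
    return find_overlaps(parse_scatter(text))


if __name__ == "__main__":
    for region, a, b, a_end, b_start in check_scatter(SAMPLE_SCATTER):
        print(f"{region}: {a} ends at {a_end:#x} but {b} starts at {b_start:#x}")
```

Point it at a real scatter with `check_scatter(open("mt8167s_som_scatter.txt").read())`; the region grouping matters, because EMMC_BOOT_1 and EMMC_USER both start at linear address 0x0 and a naive sort over all entries would report the preloader as colliding with pgpt.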
Tried a 3rd PC and it works with everything I had: same drivers, SPFT, scatter and preloader.
Is it usual that SPFT is so finicky? It just feels like one of those things that should work, or not, rather than give obscure errors.
Anyway, clearly something with my setup...again.
Appreciate your help and fast replies :bow:
Help me, I am having the same error, idk why.
I disabled protection by using this utility and then tried to read back using SP Flash Tool (UART mode) but constantly get
ERROR: STATUS_ERR (0xC0010001)
According to this https://forum.hovatek.com/thread-439.html
Does it mean that the device is still protected even though this tool showed it was successfully disabled?