MTK-bypass / bypass_utility

MIT License

MT6765 Secure boot not being disabled #97

Closed sandorex closed 1 year ago

sandorex commented 1 year ago

It says it disabled protection, but it still asks for verified partitions and can't flash using SP Flash Tool

[2022-12-24 11:20:42.189062] Waiting for device
[2022-12-24 11:20:42.691073] Found device = 0e8d:0003

[2022-12-24 11:20:42.916074] Device hw code: 0x766
[2022-12-24 11:20:42.917074] Device hw sub code: 0x8a00
[2022-12-24 11:20:42.918073] Device hw version: 0xca00
[2022-12-24 11:20:42.918073] Device sw version: 0x0
[2022-12-24 11:20:42.918073] Device secure boot: True
[2022-12-24 11:20:42.919087] Device serial link authorization: False
[2022-12-24 11:20:42.919087] Device download agent authorization: True

[2022-12-24 11:20:42.919087] Disabling watchdog timer
[2022-12-24 11:20:42.920074] Disabling protection
[2022-12-24 11:20:43.078073] Protection disabled

Here's the bootrom that I extracted while fiddling with the device, if that helps at all: bootrom_766.zip, preloader_ot8.zip

sandorex commented 1 year ago

Running test mode gives this

PS > python main.py -t
[2022-12-24 11:31:31.022762] Waiting for device
[2022-12-24 11:31:44.582554] Found device = 0e8d:2000

[2022-12-24 11:31:53.955695] Device hw code: 0x766
[2022-12-24 11:31:53.955695] Device hw sub code: 0x8a00
[2022-12-24 11:31:53.955695] Device hw version: 0xca00
[2022-12-24 11:31:53.956700] Device sw version: 0x0
[2022-12-24 11:31:53.956700] Device secure boot: True
[2022-12-24 11:31:53.956700] Device serial link authorization: False
[2022-12-24 11:31:53.956700] Device download agent authorization: True

[2022-12-24 11:31:53.957697] Found device in preloader mode, trying to crash...

[2022-12-24 11:31:53.958695] status is 7024

[2022-12-24 11:31:54.959344] Waiting for device
[2022-12-24 11:31:54.959344] Found device = 0e8d:0003

[2022-12-24 11:31:55.185883] Device hw code: 0x766
[2022-12-24 11:31:55.185883] Device hw sub code: 0x8a00
[2022-12-24 11:31:55.186888] Device hw version: 0xca00
[2022-12-24 11:31:55.186888] Device sw version: 0x0
[2022-12-24 11:31:55.186888] Device secure boot: True
[2022-12-24 11:31:55.186888] Device serial link authorization: False
[2022-12-24 11:31:55.186888] Device download agent authorization: True

[2022-12-24 11:31:55.186888] Disabling watchdog timer
[2022-12-24 11:31:55.187887] Test mode, testing 0x9900...

Please reconnect device in bootrom mode

[2022-12-24 11:32:41.844683] Waiting for device

javashin commented 1 year ago

> It says it disabled protection, but it still asks for verified partitions and can't flash using SP Flash Tool
>
> [2022-12-24 11:20:42.189062] Waiting for device
> [2022-12-24 11:20:42.691073] Found device = 0e8d:0003
>
> [2022-12-24 11:20:42.916074] Device hw code: 0x766
> [2022-12-24 11:20:42.917074] Device hw sub code: 0x8a00
> [2022-12-24 11:20:42.918073] Device hw version: 0xca00
> [2022-12-24 11:20:42.918073] Device sw version: 0x0
> [2022-12-24 11:20:42.918073] Device secure boot: True
> [2022-12-24 11:20:42.919087] Device serial link authorization: False
> [2022-12-24 11:20:42.919087] Device download agent authorization: True
>
> [2022-12-24 11:20:42.919087] Disabling watchdog timer
> [2022-12-24 11:20:42.920074] Disabling protection
> [2022-12-24 11:20:43.078073] Protection disabled
>
> Here's the bootrom that I extracted while fiddling with the device, if that helps at all: bootrom_766.zip, preloader_ot8.zip

After this, don't disconnect the tablet.

Then select UART and point to the COM number of the tablet in SP Flash Tool, not USB.

Also try the same ^ after using mtkclient "mtk payload" without disconnecting, and then go to SP Flash Tool and select UART.

javashin commented 1 year ago

https://www.youtube.com/watch?v=0ii9cLxhTQA

Check out this video and tell me if it works. I bricked my Galaxy Tab A7 Lite too, but I'm not able to restore it. I flashed the A11 bootloader with the rest of the A12 stock ROM by mistake in Odin.

sandorex commented 1 year ago

Did not help, same. I've been able to flash things using mtkclient, but it's like it did not help, and I don't know if it actually flashed it or not, as it still won't do anything but preloader / BROM mode looping.

javashin commented 1 year ago

Same, looks like we are out of luck. I'm ozmage on XDA. I was happy making a new kernel for my SM-T220, now dead after the bootloader fiasco.

javashin commented 1 year ago

[root@igloo bypass_utility]# ./main.py
[2022-12-25 20:34:36.983914] Waiting for device
[2022-12-25 20:34:59.700534] Found device = 0e8d:2000

[2022-12-25 20:35:00.023700] Device hw code: 0x766
[2022-12-25 20:35:00.023969] Device hw sub code: 0x8a00
[2022-12-25 20:35:00.024102] Device hw version: 0xca00
[2022-12-25 20:35:00.024229] Device sw version: 0x0
[2022-12-25 20:35:00.024360] Device secure boot: True
[2022-12-25 20:35:00.024484] Device serial link authorization: False
[2022-12-25 20:35:00.024611] Device download agent authorization: True

[2022-12-25 20:35:00.024771] Found device in preloader mode, trying to crash...

[2022-12-25 20:35:00.026882] status is 7024

[2022-12-25 20:35:01.987212] Waiting for device
[2022-12-25 20:35:01.989150] Found device = 0e8d:0003

[2022-12-25 20:35:02.302421] Device hw code: 0x766
[2022-12-25 20:35:02.302661] Device hw sub code: 0x8a00
[2022-12-25 20:35:02.302788] Device hw version: 0xca00
[2022-12-25 20:35:02.302909] Device sw version: 0x0
[2022-12-25 20:35:02.303116] Device secure boot: True
[2022-12-25 20:35:02.303258] Device serial link authorization: False
[2022-12-25 20:35:02.303398] Device download agent authorization: True

[2022-12-25 20:35:02.303555] Disabling watchdog timer
[2022-12-25 20:35:02.305023] Disabling protection
[2022-12-25 20:35:02.330996] Protection disabled

PROGRESS

[root@igloo mtkclient]# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 006: ID 5986:0367 Acer, Inc Integrated Camera
Bus 001 Device 005: ID 8087:07dc Intel Corp. Bluetooth wireless interface
Bus 001 Device 004: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 001 Device 003: ID 0bda:0177 Realtek Semiconductor Corp. USB2.0-CRW
Bus 001 Device 002: ID 10c4:8108 Silicon Labs USB OPTICAL MOUSE
Bus 001 Device 008: ID 0e8d:0003 MediaTek Inc. MT6227 phone
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

FINALLY Bus 001 Device 008: ID 0e8d:0003 MediaTek Inc. MT6227 phone and not preloader
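
An added example, not part of the thread or of the bypass_utility project: a small parser that splits the tool's output, as pasted in the comments above, into one record per USB enumeration, so the preloader (0e8d:2000) and bootrom (0e8d:0003) handshakes and the "Protection disabled" result can be compared between reports. The ID-to-mode mapping is read off this thread's logs; the names `parse_sessions` and `summarize` and the sample text are constructed for illustration.

```python
import re

# USB IDs as seen in this thread's logs: 0e8d:2000 is followed by "Found device
# in preloader mode"; 0e8d:0003 is the port that appears after the crash step.
MODES = {"0e8d:2000": "preloader", "0e8d:0003": "bootrom"}
ENTRY = re.compile(r"\[([\d\-: .]+)\] ([^\[]*)")  # tolerates run-together lines
FIELD = re.compile(r"Device ([\w ]+): (\S+)")

# Constructed sample in the format of the logs pasted in this thread.
SAMPLE = """\
[2022-12-25 20:34:59.700534] Found device = 0e8d:2000
[2022-12-25 20:35:00.023700] Device hw code: 0x766
[2022-12-25 20:35:00.024360] Device secure boot: True
[2022-12-25 20:35:00.024484] Device serial link authorization: False
[2022-12-25 20:35:00.024611] Device download agent authorization: True
[2022-12-25 20:35:00.024771] Found device in preloader mode, trying to crash...
[2022-12-25 20:35:01.989150] Found device = 0e8d:0003
[2022-12-25 20:35:02.303116] Device secure boot: True
[2022-12-25 20:35:02.303258] Device serial link authorization: False
[2022-12-25 20:35:02.303398] Device download agent authorization: True
[2022-12-25 20:35:02.330996] Protection disabled
"""

def parse_sessions(text):
    """Return one record per 'Found device = ...' enumeration in the log."""
    sessions = []
    for _ts, msg in ENTRY.findall(text):
        msg = msg.strip()
        if msg.startswith("Found device = "):
            usb_id = msg.split("= ", 1)[1]
            sessions.append({"usb_id": usb_id, "mode": MODES.get(usb_id, "unknown"),
                             "fields": {}, "protection_disabled": False})
        elif sessions and FIELD.fullmatch(msg):
            key, val = FIELD.fullmatch(msg).groups()
            sessions[-1]["fields"][key] = val
        elif sessions and msg == "Protection disabled":
            sessions[-1]["protection_disabled"] = True
    return sessions

def summarize(text):
    """One line per enumeration, for comparing reports side by side."""
    return [f"{s['usb_id']} ({s['mode']}): secure_boot={s['fields'].get('secure boot')} "
            f"sla={s['fields'].get('serial link authorization')} "
            f"daa={s['fields'].get('download agent authorization')} "
            f"protection_disabled={s['protection_disabled']}"
            for s in parse_sessions(text)]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The flags in each record are the ones logged at handshake, which in these logs comes before the "Disabling protection" step.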

javashin commented 1 year ago

OMG (screenshot: Screenshot_2022-12-25_20-45-01)

javashin commented 1 year ago

Connecting to BROM...
BROM connected
Downloading & Connecting to DA...
connect DA end stage: 2, enable DRAM in 1st DA: 0
DA Connected
executing DADownloadAll...
Stage: SGPT
Stage: PGPT
Stage: [0] WRITE TO PARTITION [ preloader ]
Stage: [9] WRITE TO PARTITION [ grd_fw ]
Stage: [15] WRITE TO PARTITION [ vbmeta ]
Stage: [36] WRITE TO PARTITION [ param ]
Stage: [37] WRITE TO PARTITION [ up_param ]
Stage: [43] WRITE TO PARTITION [ efuse ]
Stage: [47] WRITE TO PARTITION [ prism ]
Stage: [48] WRITE TO PARTITION [ optics ]
Stage: [49] WRITE TO PARTITION [ cache ]
Stage: [50] WRITE TO PARTITION [ omr ]
download speed: 26.85MB/s.
Download Succeeded.
Disconnect!

But still broken. I think I have to re-flash the whole ROM.

sandorex commented 1 year ago

Where did you get the stock ROM? I always got them from samfw. Also, how did you make the Android scatter? I used the MTK Utility. I'm trying to see if something is causing problems.

javashin commented 1 year ago

Yes to all, but now the bootloader is locked; the same happens as with you. I have lost the only window to flash the whole ROM and wasted it flashing only those partitions, but the parts that cannot be flashed in SP Flash Tool can be in mtkclient; I don't know if that is true yet.

javashin commented 1 year ago

> Connecting to BROM...
> BROM connected
> Downloading & Connecting to DA...
> connect DA end stage: 2, enable DRAM in 1st DA: 0
> DA Connected
> executing DADownloadAll...
> Stage: SGPT
> Stage: PGPT
> Stage: [0] WRITE TO PARTITION [ preloader ]
> Stage: [9] WRITE TO PARTITION [ grd_fw ]
> Stage: [15] WRITE TO PARTITION [ vbmeta ]
> Stage: [36] WRITE TO PARTITION [ param ]
> Stage: [37] WRITE TO PARTITION [ up_param ]
> Stage: [43] WRITE TO PARTITION [ efuse ]
> Stage: [47] WRITE TO PARTITION [ prism ]
> Stage: [48] WRITE TO PARTITION [ optics ]
> Stage: [49] WRITE TO PARTITION [ cache ]
> Stage: [50] WRITE TO PARTITION [ omr ]
> download speed: 26.85MB/s.
> Download Succeeded.
> Disconnect!
>
> But still broken. I think I have to re-flash the whole ROM.

None of this can be flashed anymore.

sandorex commented 1 year ago

Can't get to download mode either, right? 'Cause I fucked that up; if I had just restored everything using Odin I would not have bricked it.

javashin commented 1 year ago

> Can't get to download mode either, right? 'Cause I fucked that up; if I had just restored everything using Odin I would not have bricked it.

I recommend you use Linux. With battery put on, download mode can be accessed; here the bypass tool does the job, then SELECT UART and the COM port number. But SP Flash Tool cannot flash those partitions anymore; others like boot, recovery, vbmeta etc. can be flashed.

sandorex commented 1 year ago

If you can get to download mode then just run Odin and reflash everything, and you've probably fixed it. I'll try using a Linux machine later.

javashin commented 1 year ago

> If you can get to download mode then just run Odin and reflash everything, and you've probably fixed it. I'll try using a Linux machine later.

No way to get into download Odin mode.

I flashed fully. This util works for real, but my tab is still dead. I'm changing FW now to retry this process. CHECK >

https://gist.github.com/javashin/e3d3d38f1ed96d9df3423469b0fc36cd#file-gistfile1-txt

sandorex commented 1 year ago

Ah you gave me false hope 😞

javashin commented 1 year ago

> Ah you gave me false hope 😞

FIXED, making a guide soon

javashin commented 1 year ago

> > Ah you gave me false hope 😞
>
> FIXED, making a guide soon

Yours is SM-T220, right? Have you clicked on Format All or Format on the SP Flash Tool tab? If you did, then you broke sec_efs, keydata and keyrefuge. If you have not, can you please make a dump of those three? First run bypass_utility main.py, then disconnect, and then use mtkclient:

mtk r sec_efs,keydata,keyrefuge sec_efs.img,keydata.img,keyrefuge.img

Then zip or rar them and send them to me here or to my email javashin1986@gmail.com. Then I'm going to give you step by step what you need to do to bring up Odin mode. You help me, I help you .....

Do one dump of efs too:

mtk r efs efs.img

NVDATA & NVCFG too:

mtk r nvdata nvdata.img
mtk r nvcfg nvcfg.img

And don't worry thinking these partitions are going to have critical info or whatever, because you're not giving any, no IMEI or anything else, 'cuz our device is Wi-Fi only :)

Why I need them is because they are empty after format and re-partition. Make sure you never do that if you want to make your tablet fully working again.

javashin commented 1 year ago

Restored And Installed A13 (screenshot: Screenshot_20221213_061622_Settings)

sandorex commented 1 year ago

Pretty sure I formatted all of the partitions at least once

sandorex commented 1 year ago

I'm closing this as the issue is not caused by the bypass utility