MTK-bypass / exploits_collection


MT8176, Asus z500m #22

Closed lukadj996 closed 3 years ago

lukadj996 commented 3 years ago

Can someone tell me what I need to do to make a payload for this device? I have Asus z500m and somehow with SPFT using z300m DA I was able to readback full emmc content, but when I tried to flash system.img it was asking me for some authentication...

So this is what I have:
- full emmc content
- preloader.bin
- scatter file
- kernel-source for 13.6.10.15 (but my firmware is 13.6.10.16)

This is what I need: -to be able to flash sys, rec, boot, etc...

chaosmaster commented 3 years ago

Try running the utility in testmode (-t) to try and dump the bootrom.

lukadj996 commented 3 years ago

Thank you, I added -t but still no go. This is what I get:

[2021-05-16 10:09:59.554399] Waiting for device
[2021-05-16 10:10:08.402436] Found port = COM7
[2021-05-16 10:10:08.827438] Can't find 0x8176 hw_code in config

[2021-05-16 10:10:08.853436] Device hw code: 0x8176
[2021-05-16 10:10:08.857442] Device hw sub code: 0x8a00
[2021-05-16 10:10:08.878439] Device hw version: 0xcb00
[2021-05-16 10:10:08.882446] Device sw version: 0x101
[2021-05-16 10:10:08.887441] Device secure boot: True
[2021-05-16 10:10:08.891440] Device serial link authorization: False
[2021-05-16 10:10:08.895442] Device download agent authorization: True

[2021-05-16 10:10:08.901437] Found device in preloader mode, trying to crash...

[2021-05-16 10:10:08.968440] status is 2001

[2021-05-16 10:10:08.995202] Waiting for device

R0rt1z2 commented 3 years ago

Thank you, I added -t but still no go. This is what I get:

[2021-05-16 10:09:59.554399] Waiting for device
[2021-05-16 10:10:08.402436] Found port = COM7
[2021-05-16 10:10:08.827438] Can't find 0x8176 hw_code in config

[2021-05-16 10:10:08.853436] Device hw code: 0x8176
[2021-05-16 10:10:08.857442] Device hw sub code: 0x8a00
[2021-05-16 10:10:08.878439] Device hw version: 0xcb00
[2021-05-16 10:10:08.882446] Device sw version: 0x101
[2021-05-16 10:10:08.887441] Device secure boot: True
[2021-05-16 10:10:08.891440] Device serial link authorization: False
[2021-05-16 10:10:08.895442] Device download agent authorization: True

[2021-05-16 10:10:08.901437] Found device in preloader mode, trying to crash...

[2021-05-16 10:10:08.968440] status is 2001

[2021-05-16 10:10:08.995202] Waiting for device

Since the device was plugged in Preloader Mode, the tool is trying to crash PL in order to "reboot" to bootrom. However, the default crash method doesn't seem to be working (notice the 2001 status). You can try to trigger bootrom by pressing the volume + (try with - as well) key while you plug in the device and run the utility in test mode. If that doesn't work, try all the different crash modes with the --crash_mode option. If none of the crash methods work you'll need to open the device and short the eMMC.
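As an added illustration (not part of this thread or of the bypass_utility project), a small Python helper that summarises a pasted run like the one above: the device fields it reported, whether the device was found in preloader mode, and whether the crash attempt came back with a status instead of the device re-enumerating. The sample log is copied from the comment above; the message strings it matches are the ones visible in this issue.

```python
import re
from typing import Dict, List

# Sample run, copied from the log pasted earlier in this issue (not captured by me).
SAMPLE_LOG = """\
[2021-05-16 10:10:08.402436] Found port = COM7
[2021-05-16 10:10:08.827438] Can't find 0x8176 hw_code in config
[2021-05-16 10:10:08.853436] Device hw code: 0x8176
[2021-05-16 10:10:08.857442] Device hw sub code: 0x8a00
[2021-05-16 10:10:08.887441] Device secure boot: True
[2021-05-16 10:10:08.891440] Device serial link authorization: False
[2021-05-16 10:10:08.895442] Device download agent authorization: True
[2021-05-16 10:10:08.901437] Found device in preloader mode, trying to crash...
[2021-05-16 10:10:08.968440] status is 2001
[2021-05-16 10:10:08.995202] Waiting for device
"""

# "[timestamp] message" as printed by the utility
LINE_RE = re.compile(r"^\[[^\]]+\]\s+(?P<msg>.*)$")
# "Device <field>: <value>" lines, e.g. "Device secure boot: True"
FIELD_RE = re.compile(r"^Device (?P<key>[a-z ]+?): (?P<val>\S+)$")


def triage(log: str) -> Dict[str, object]:
    """Summarise one bypass_utility run: reported fields, mode, and why it stalled."""
    notes: List[str] = []
    info: Dict[str, object] = {"mode": None, "crash_status": None, "notes": notes}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        f = FIELD_RE.match(msg)
        if f:
            key = f.group("key").replace(" ", "_")      # "hw sub code" -> "hw_sub_code"
            val = f.group("val")
            info[key] = (val == "True") if val in ("True", "False") else val
        elif "hw_code in config" in msg:
            notes.append("no config entry for this hw_code, so no device-specific payload")
        elif "preloader mode" in msg:
            info["mode"] = "preloader"                  # tool must crash PL to reach bootrom
        elif msg.startswith("status is "):
            info["crash_status"] = msg.split()[-1]      # PL answered instead of crashing
    if info["mode"] == "preloader" and info["crash_status"] is not None:
        notes.append(f"crash attempt rejected with status {info['crash_status']}; "
                     "device did not re-enumerate in bootrom mode")
    return info
```

Run it on a pasted log before opening an issue; the two notes it produces for this run are exactly the two points the reply above makes.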

lukadj996 commented 3 years ago

I tested it with different crash_modes, and nothing, this is what I get:

for -t -m 1:

[2021-05-16 11:41:50.972966] Found device in preloader mode, trying to crash...

  Traceback (most recent call last):
    File "main.py", line 213, in <module>
      main()
    File "main.py", line 47, in main
      device = crash_preloader(device, config)
    File "main.py", line 200, in crash_preloader
      device.send_da(0, len(payload), 0x100, payload)
    File "F:\Asus zenpad 3s\SPFLASH_TOOL_ALL\bypass_auth\bypass_utility-v.1.4.2\src\device.py", line 223, in send_da
      raise RuntimeError("status is {}".format(status.hex()))
  RuntimeError: status is 2001

for -t -m 2:

[2021-05-16 11:43:18.855987] Found device in preloader mode, trying to crash...

  Traceback (most recent call last):
    File "main.py", line 213, in <module>
      main()
    File "main.py", line 47, in main
      device = crash_preloader(device, config)
    File "main.py", line 203, in crash_preloader
      device.read32(0)
    File "F:\Asus zenpad 3s\SPFLASH_TOOL_ALL\bypass_auth\bypass_utility-v.1.4.2\src\device.py", line 126, in read32
      assert from_bytes(self.dev.read(2), 2) <= 0xff
    File "F:\Asus zenpad 3s\SPFLASH_TOOL_ALL\bypass_auth\bypass_utility-v.1.4.2\src\common.py", line 17, in from_bytes
      return {
    File "F:\Asus zenpad 3s\SPFLASH_TOOL_ALL\bypass_auth\bypass_utility-v.1.4.2\src\common.py", line 19, in <lambda>
      2: lambda: struct.unpack(endian + 'H', value)[0],
  struct.error: unpack requires a buffer of 2 bytes

Tried different key combination plus plugging USB and with vol+ I get the same result, with vol- sometimes reboot to bootloader...

So if I open the device and somehow short emmc?? What does that mean in terms of flashing partitions? Do I need to short emmc every time I want to flash or just this one time? Plus how do I find correct pins to short (I am guessing emmc VDD to GND? ) but still it's some BGA chip it's very finicky.

chaosmaster commented 3 years ago

So if I open the device and somehow short emmc?? What does that mean in terms of flashing partitions? Do I need to short emmc every time I want to flash or just this one time?

You'd need to do that every time you need access to bootrom unless there is another method to reboot into bootrom for your device. If you have other means of flashing, such as unlocked fastboot or via preloader, then obviously you don't.

Plus how do I find correct pins to short (I am guessing emmc VDD to GND? ) but still it's some BGA chip it's very finicky.

You'd probably want to short either of CMD, CLK or DAT0 which may be accessible via testpoints, resistors or capacitors in the vicinity of the EMMC or the SOC itself. The goal is to make the bootrom fail to load the preloader from EMMC and fallback into dl-mode.

lukadj996 commented 3 years ago

Thank you very much for clearing things up for me, I think I will do a little research on how this exploit actually works.

In the meantime, I managed to find a special version of SPFT (v5.1532) that allowed me to flash my device so I don't really need to use this bootrom exploit but it would be nice if I could somehow contribute to this project and make it work. Or am I missing a point of this project, because obviously, this special SPFT is working just fine for this device...

Shahi-Paneer commented 2 years ago

Thank you very much for clearing things up for me, I think I will do a little research on how this exploit actually works.

In the meantime, I managed to find a special version of SPFT (v5.1532) that allowed me to flash my device so I don't really need to use this bootrom exploit but it would be nice if I could somehow contribute to this project and make it work. Or am I missing a point of this project, because obviously, this special SPFT is working just fine for this device...

Hey,

I have a Z500M that I'm trying to flash but am unable to do so, due to an Auth file being needed... would you happen to still have that special version of SPFT that allowed you to flash your device?

Kind regards,

Jaiden

lukadj996 commented 2 years ago

@Shahi-Paneer I really don't remember how and what to do, but I can send you this specific SPFT version, just give me some email

Shahi-Paneer commented 2 years ago

My email is jaiden@jshahi.ca … if you could send it that would be great. Also by any chance do you remember what you did after flashing the device… did you just boot it up normally or hold power + volume down?

Thanks,

Jaiden
