RabbitHoleEscapeR1 / r1_escape


This is how I unbricked my Rabbit from "Your Device has been unlocked and can't be trusted..." endless loop #26

Open spgohome opened 3 months ago

spgohome commented 3 months ago

I finally managed to bring my bricked Rabbit R1 back to life.

It was stuck on the "Your Device has been unlocked and can't be trusted..." endless loop. Could not do anything and I mean ANYTHING! The reset button was not working either :-(

First you will need to download boot.img and vendor.img from https://firmburrow.rabbitu.de/rabbitude/dumps/src/commit/a966826ff9d5236d05f1eeae456dae70e2a4ffbc

And of course, the R1 Escape package from https://github.com/RabbitHoleEscapeR1/r1_escape

Download/install the required drivers

In the r1.ps1, remove these 3 lines

fastboot flashing unlock
fastboot -w
fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
#fastboot reboot-fastboot <--
fastboot flash system system.img <--
fastboot reboot <--

Now, run r1.ps1 in Windows PowerShell as Admin (ignore the errors/warnings but follow the unplug/plug prompts). You may have to quit the procedure and retry because it changes some rights and paths that you need access to.

(venv) PS D:\work\rabbit\r1_escape-main> .\r1.ps1
WARNING: 'choco' was found at 'C:\ProgramData\chocoportable\bin\choco.exe'.
WARNING: An existing Chocolatey installation was detected. Installation will not continue. This script will not overwrite existing installations.
If there is no Chocolatey installation at 'C:\ProgramData\chocoportable', delete the folder and attempt the installation again.

Please use choco upgrade chocolatey to handle upgrades of Chocolatey itself.
If the existing installation is not functional or a prior installation did not complete, follow these steps:

Once installation is completed, the backup folder is no longer needed and can be deleted.
Error: [Errno 13] Permission denied: 'D:\work\rabbit\r1_escape-main\venv\Scripts\python.exe'
fatal: destination path 'mtkclient' already exists and is not an empty directory.
Requirement already satisfied: wheel>=0.37.1 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 1)) (0.43.0)
Requirement already satisfied: pyusb>=1.2.1 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 2)) (1.2.1)
Requirement already satisfied: pycryptodome>=3.15.0 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 3)) (3.20.0)
Requirement already satisfied: pycryptodomex in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 4)) (3.20.0)
Requirement already satisfied: colorama>=0.4.4 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 5)) (0.4.6)
Requirement already satisfied: shiboken6>=6.4.0.1 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 6)) (6.7.2)
Requirement already satisfied: pyside6>=6.4.0.1 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 7)) (6.7.2)
Requirement already satisfied: mock>=4.0.3 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 8)) (5.1.0)
Requirement already satisfied: pyserial>=3.5 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 9)) (3.5)
Requirement already satisfied: flake8 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 10)) (7.1.0)
Requirement already satisfied: keystone-engine in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 11)) (0.9.2)
Requirement already satisfied: capstone in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 12)) (5.0.1)
Requirement already satisfied: unicorn in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 13)) (2.0.1.post1)
Requirement already satisfied: fusepy in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from -r requirements.txt (line 14)) (3.0.1)
Requirement already satisfied: PySide6-Essentials==6.7.2 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from pyside6>=6.4.0.1->-r requirements.txt (line 7)) (6.7.2)
Requirement already satisfied: PySide6-Addons==6.7.2 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from pyside6>=6.4.0.1->-r requirements.txt (line 7)) (6.7.2)
Requirement already satisfied: mccabe<0.8.0,>=0.7.0 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from flake8->-r requirements.txt (line 10)) (0.7.0)
Requirement already satisfied: pycodestyle<2.13.0,>=2.12.0 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from flake8->-r requirements.txt (line 10)) (2.12.0)
Requirement already satisfied: pyflakes<3.3.0,>=3.2.0 in d:\work\rabbit\r1_escape-main\venv\lib\site-packages (from flake8->-r requirements.txt (line 10)) (3.2.0)

[notice] A new release of pip is available: 24.0 -> 24.1
[notice] To update, run: python.exe -m pip install --upgrade pip
[*] Power off the device, press ENTER, and then plug the device in:

MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

If you get this, you're in business :-)

.........DeviceClass - Warning !
Port - Device detected :)
Port - Handshake successful.
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5A69113B2F46C127579824B6B0CBCDA7
Preloader - SOC_ID: 15252E7D5A0AFFCD46CB8B1F0CBC4F7E9A11139F2F4C43EB5230CA2EDC17FCA3
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode.
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
xflashext - DA version anti-rollback patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: DV6DAB
DAXFlash - EMMC CID: 15010044563644414202d6cb6a79496d
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x1000000
DAXFlash - EMMC USER Size: 0x1d1ec00000
DAXFlash - HW-CODE : 0x766
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
DA_handler - Requesting available partitions ....
Traceback (most recent call last):
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtk", line 946, in <module>
    mtk = Main(args).run(parser)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\mtk_main.py", line 655, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 657, in handle_da_cmds
    self.da_read(partitionname=partitionname, parttype=parttype, filename=filename)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 184, in da_read
    gpttable = self.mtk.daloader.get_partition_data(parttype=parttype)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\mtk_daloader.py", line 260, in get_partition_data
    data, guid_gpt = self.da.partition.get_gpt(self.mtk.config.gpt_settings, parttype)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\partition.py", line 111, in get_gpt
    data = self.readflash(addr=0, length=sectors * self.config.pagesize, filename="",
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\xflash\xflash_lib.py", line 797, in readflash
    if self.cmd_read_data(addr=addr, size=length, storage=storage, parttype=parttype):
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\xflash\xflash_lib.py", line 775, in cmd_read_data
    param = pack("<IIQQ", storage, parttype, addr, size)
struct.error: 'Q' format requires 0 <= number <= 18446744073709551615
Exception calling "ReadAllBytes" with "1" argument(s): "Could not find file 'D:\work\rabbit\r1_escape-main\mtkclient\frp.bin'."
At D:\work\rabbit\r1_escape-main\r1.ps1:50 char:1

Cannot index into a null array.
At D:\work\rabbit\r1_escape-main\r1.ps1:51 char:5

[*] Unplug the device, press ENTER, and then plug the device in:

MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

.....DeviceClass - Warning !
Port - Device detected :)
Port - Handshake successful.
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5A69113B2F46C127579824B6B0CBCDA7
Preloader - SOC_ID: 15252E7D5A0AFFCD46CB8B1F0CBC4F7E9A11139F2F4C43EB5230CA2EDC17FCA3
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode.
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
xflashext - DA version anti-rollback patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: DV6DAB
DAXFlash - EMMC CID: 15010044563644414202d6cb6a79496d
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x1000000
DAXFlash - EMMC USER Size: 0x1d1ec00000
DAXFlash - HW-CODE : 0x766
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
Traceback (most recent call last):
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtk", line 946, in <module>
    mtk = Main(args).run(parser)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\mtk_main.py", line 655, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 705, in handle_da_cmds
    self.da_write(parttype=parttype, filenames=filenames, partitions=partitions)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 352, in da_write
    res = self.mtk.daloader.detect_partition(partition, parttype)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\mtk_daloader.py", line 244, in detect_partition
    data, guid_gpt = self.da.partition.get_gpt(self.mtk.config.gpt_settings, parttype)
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\partition.py", line 111, in get_gpt
    data = self.readflash(addr=0, length=sectors * self.config.pagesize, filename="",
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\xflash\xflash_lib.py", line 797, in readflash
    if self.cmd_read_data(addr=addr, size=length, storage=storage, parttype=parttype):
  File "D:\work\rabbit\r1_escape-main\mtkclient\mtkclient\Library\DA\xflash\xflash_lib.py", line 775, in cmd_read_data
    param = pack("<IIQQ", storage, parttype, addr, size)
struct.error: 'Q' format requires 0 <= number <= 18446744073709551615

[*] Unplug the device, press ENTER, and then plug the device in:

[*] Waiting for fastboot...
(bootloader) Start unlock flow

OKAY [ 3.044s]
Finished. Total time: 3.045s
Erasing 'userdata' OKAY [ 0.348s]
mke2fs 1.46.6 (1-Feb-2023)
Creating filesystem with 28164344 4k blocks and 7045120 inodes
Filesystem UUID: 99f9617a-3178-11ef-bd90-913dac7ebb3a
Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done

Warning: skip copying userdata image avb footer due to sparse image.
Sending 'userdata' (544 KB) OKAY [ 0.020s]
Writing 'userdata' OKAY [ 0.070s]
wipe task partition not found: cache
Erasing 'metadata' OKAY [ 0.009s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.647s
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta_a' (4 KB) OKAY [ 0.005s]
Writing 'vbmeta_a' OKAY [ 0.003s]
Finished. Total time: 0.025s

Now for the fun part, make sure you see the device. Some of the steps are probably not necessary....but that's what worked for me.

(venv) PS D:\work\rabbit\r1_escape-main> fastboot devices
919109A5P1600512124D fastboot <-- good

(venv) PS D:\work\rabbit\r1_escape-main> fastboot reboot bootloader
"This should show that you are in Fastboot mode>>"
Rebooting into bootloader OKAY [ 0.000s]
Finished. Total time: 0.002s
(venv) PS D:\work\rabbit\r1_escape-main> python mtkbootcmd.py FASTBOOT
Listening for ports!
Found COM4 with description: PreLoader USB VCOM (Android) (COM4) HWID: USB VID:PID=0E8D:2000 SER= LOCATION=1-14.1.4:x.2
Got port: COM4
Initializing port COM4
b'FASTBOOT' cmd sent
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flashing unlock
(bootloader) Start unlock flow

OKAY [ 3.044s]
Finished. Total time: 3.045s
(venv) PS D:\work\rabbit\r1_escape-main> fastboot -w
Erasing 'userdata' OKAY [ 0.346s]
mke2fs 1.46.6 (1-Feb-2023)
Creating filesystem with 28164344 4k blocks and 7045120 inodes
Filesystem UUID: 46e53968-3179-11ef-8588-89c5f773d0a1
Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done

Warning: skip copying userdata image avb footer due to sparse image.
Sending 'userdata' (544 KB) OKAY [ 0.019s]
Writing 'userdata' OKAY [ 0.070s]
wipe task partition not found: cache
Erasing 'metadata' OKAY [ 0.008s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.638s
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta_a' (4 KB) OKAY [ 0.006s]
Writing 'vbmeta_a' OKAY [ 0.003s]
Finished. Total time: 0.017s
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash --disable-verity --disable-verification boot boot.img
"I think this was THE thing that allowed me to reboot in Fastbootd mode..."
Sending 'boot_a' (32768 KB) OKAY [ 0.906s]
Writing 'boot_a' OKAY [ 0.430s]

(venv) PS D:\work\rabbit\r1_escape-main> fastboot reboot-fastboot
Rebooting into fastboot OKAY [ 0.002s]
< waiting for any device >
Finished. Total time: 32.289s

Now you should be in Fastbootd mode (Fastboot info on top with options to Power off/Reboot/Reboot in recovery...). Do not touch anything there.

(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash boot boot.img
Sending 'boot_a' (32768 KB) OKAY [ 1.281s]
Writing 'boot_a' OKAY [ 0.317s]
Finished. Total time: 1.617s <-- good
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash vendor vendor.img
Resizing 'vendor_a' OKAY [ 0.010s]
Sending sparse 'vendor_a' 1/2 (242568 KB) OKAY [ 8.824s]
Writing 'vendor_a' OKAY [ 1.892s]
Sending sparse 'vendor_a' 2/2 (117428 KB) OKAY [ 5.750s]
Writing 'vendor_a' OKAY [ 1.018s]
Finished. Total time: 17.814s <-- good
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash system system.img
Resizing 'system_a' OKAY [ 0.008s]
Sending sparse 'system_a' 1/13 (262112 KB) OKAY [ 12.788s]
Writing 'system_a' OKAY [ 2.048s]
Sending sparse 'system_a' 2/13 (262116 KB) OKAY [ 10.931s]
Writing 'system_a' OKAY [ 2.045s]
Sending sparse 'system_a' 3/13 (262108 KB) OKAY [ 9.575s]
Writing 'system_a' OKAY [ 1.979s]
Sending sparse 'system_a' 4/13 (262124 KB) OKAY [ 10.220s]
Writing 'system_a' OKAY [ 2.022s]
Sending sparse 'system_a' 5/13 (262128 KB) OKAY [ 12.366s]
Writing 'system_a' OKAY [ 2.048s]
Sending sparse 'system_a' 6/13 (262128 KB) OKAY [ 10.318s]
Writing 'system_a' OKAY [ 2.001s]
Sending sparse 'system_a' 7/13 (262128 KB) OKAY [ 12.584s]
Writing 'system_a' OKAY [ 2.007s]
Sending sparse 'system_a' 8/13 (262124 KB) OKAY [ 9.506s]
Writing 'system_a' OKAY [ 1.990s]
Sending sparse 'system_a' 9/13 (262120 KB) OKAY [ 11.579s]
Writing 'system_a' OKAY [ 1.995s]
Sending sparse 'system_a' 10/13 (262124 KB) OKAY [ 11.818s]
Writing 'system_a' OKAY [ 1.923s]
Sending sparse 'system_a' 11/13 (262084 KB) OKAY [ 13.278s]
Writing 'system_a' OKAY [ 1.955s]
Sending sparse 'system_a' 12/13 (262140 KB) OKAY [ 13.165s]
Writing 'system_a' OKAY [ 1.965s]
Sending sparse 'system_a' 13/13 (103396 KB) OKAY [ 5.019s]
Writing 'system_a' OKAY [ 1.270s]
Finished. Total time: 171.083s <-- good

(venv) PS D:\work\rabbit\r1_escape-main> fastboot reboot
Rebooting OKAY [ 0.001s]

Now it should be loading/running Android 13

This saved my bricked Rabbit.

Good luck!
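What the `fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img` step in the post above changes, as an added example that is not part of the original post or of r1_escape: a checker that reads the flags word of a vbmeta image and reports whether verified boot has been switched off in it. The header layout (`AVB0` magic, 256-byte header, big-endian flags word at offset 120) comes from the Android Verified Boot format, not from this page, and the sample header is constructed.

```python
import struct

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256
FLAGS_OFFSET = 120                  # 32-bit big-endian flags word in the vbmeta header
FLAG_HASHTREE_DISABLED = 0x01       # set by fastboot's --disable-verity
FLAG_VERIFICATION_DISABLED = 0x02   # set by fastboot's --disable-verification


def make_sample_header(flags=0):
    """Build a constructed, otherwise empty vbmeta header (illustration only)."""
    header = bytearray(HEADER_SIZE)
    header[0:4] = AVB_MAGIC
    struct.pack_into(">II", header, 4, 1, 0)        # required libavb version 1.0
    struct.pack_into(">I", header, FLAGS_OFFSET, flags)
    return bytes(header)


def fastboot_rewrite(image, disable_verity, disable_verification):
    """Mirror the host-side edit behind 'Rewriting vbmeta struct at offset: 0'.

    fastboot ORs the bits into the low byte of the big-endian flags word
    (byte 123) before sending the image; nothing else in the image changes.
    """
    data = bytearray(image)
    if disable_verity:
        data[FLAGS_OFFSET + 3] |= FLAG_HASHTREE_DISABLED
    if disable_verification:
        data[FLAGS_OFFSET + 3] |= FLAG_VERIFICATION_DISABLED
    return bytes(data)


def read_vbmeta_flags(image):
    """Return the verified-boot state recorded in a vbmeta image."""
    if len(image) < HEADER_SIZE:
        raise ValueError("image is shorter than a vbmeta header")
    if image[:4] != AVB_MAGIC:
        raise ValueError("not a vbmeta image (AVB0 magic missing)")
    (flags,) = struct.unpack_from(">I", image, FLAGS_OFFSET)
    return {
        "raw": flags,
        "verity_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
    }


if __name__ == "__main__":
    stock = make_sample_header(0)
    flashed = fastboot_rewrite(stock, disable_verity=True, disable_verification=True)
    for name, image in (("stock", stock), ("as flashed", flashed)):
        print(name, read_vbmeta_flags(image))
```

Run against a dump of the vbmeta partition, the same `read_vbmeta_flags` call shows whether a device still enforces dm-verity and vbmeta verification or has had both turned off.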

spgohome commented 3 months ago

And I forgot to mention that besides installing the drivers, you have to follow these also:

Run Set-ExecutionPolicy unrestricted
Search for "Manage app execution aliases", scroll down till you see 2 entries called "App Installer" - python/python3.exe, disable these.

Before running .\r1.ps1

handyfreak commented 3 months ago

IMPORTANT: Use the system.img from XDA (3,16GB) NOT from the dumps!!

Thanks!!! This also worked for me after an unsuccessful unlock with a verity issue bootloop.

Now it's unlocked, and working!

spgohome commented 3 months ago

Glad I could help!!!

Now your Rabbit just escaped :-)

spgohome commented 3 months ago

I assume your camera is also working?

handyfreak commented 3 months ago

No, it's not. Actually I'm trying to activate adb again, to read out the ID to get it certified. Then I was planning to root it, and set the cam manually.

Or do you have a solution? BT, Wifi, cell works fine.

spgohome commented 3 months ago

Even by flashing boot.img/vendor.img from the dumps? Because that's the only thing that made my camera app stop crashing. Confirmed by others also. According to some, there was some kind of mismatch between the original flashed boot/vendor. Maybe you should redo the whole thing all over again...?

So you have BT working, Camera not working. And by "cell working", can you make phone calls? Me, I have BT not working, Camera working, Wifi working, phone call...not working

This is very weird!!! I hope it's not a device manufacturer issue...

And for the Android ID, check my other post (listed at the end) https://github.com/RabbitHoleEscapeR1/r1_escape/issues/19

Took me a while to get the right sequences, but it worked

Good luck

cottonbarbie commented 3 months ago

Trying to run the "fastboot -w" and receiving "fastboot: error: Cannot generate image for userdata"

how should i proceed?

spgohome commented 3 months ago

Yes...got the same thing. Keep on typing the rest

cottonbarbie commented 3 months ago

I kept going , but during the "fastboot reboot-fastboot" i get another error for "failed to boot into userspace fastboot; one or more components might be unbootable"

not looking too good

Edit: also get the issue during this phase where the Rabbit just keeps rebooting over and over but never into fastbootd

only way to get it out of boot loop after that command is to run ".\r1.ps1" again and start over.. not sure what to do

cottonbarbie commented 3 months ago

So looks like my big issue is getting into Fastbootd mode to be able to flash everything

spgohome commented 3 months ago

Hum...let me try the whole process again tomorrow.... As far as I know, these steps worked very fine, at least for me... Today I've installed things... I shouldn't have (I have 2 Rabbits...one for testing(#1), one for keeping(#2))... And again I've bricked my #1 Rabbit...shame on me :-)

If I get my Rabbit(#1) Up and running again tomorrow with the same steps, I'll let you know.

Keep you posted.

Good night!

cottonbarbie commented 3 months ago

Thank you! let me know if you find a trick to kick it into Fastbootd mode during the fastboot boot loop.

Goodnight!

spgohome commented 3 months ago

If you cannot get into the Fastbootd boot mode...My suggestion is to retry the whole thing. No Fastbootd..no flashing possible!

Again, as I said before, I will retry the whole process/steps tomorrow with my "again" bricked device. I think I'm beginning to like the challenge :-) At least my #2 is still working :-)

spgohome commented 3 months ago

Hi cottonbarbie, First thing, did you manage to redo the whole thing again...did it work? If not: do you have access to ADB while your device is in the fastboot loop (don't think so, but I have to ask)

cottonbarbie commented 3 months ago

I have redone it many times, and still no luck getting to fastbootd mode. So far it is recognized in device manager as "MediaTek PreLoader USB VCOM"... when I get it loaded into fastboot it's recognized as "Android ADB interface."

so it seems like the drivers are fine. but whenever I follow your instructions, I get to "fastboot reboot-fastboot" and I fall back into a bootloop on the rabbit screen, and it keeps connecting & disconnecting from my computer

rttgnck commented 3 months ago

For those who fall back after fastboot reboot fastboot, try checking your active slot with "fastboot getvar all". I've seen the device switch slots after being manually changed with the fastboot reboot. It is possible the slot is being switched, I have found "fastboot set_active a_or_b" and then a "fastboot reboot" let it stick. Although it seems maybe "fastboot reboot fastboot" later forced a slot switch again. Either way, it's possible the slot is being switched and booting on the other boot image that was not flashed and won't boot the new system img.

cottonbarbie commented 3 months ago

(bootloader) off-mode-charge: 1
(bootloader) warranty: no
(bootloader) unlocked: yes
(bootloader) secure: no
(bootloader) kernel: lk
(bootloader) product: k65v1_64_bsp
(bootloader) is-userspace: no
(bootloader) slot-retry-count:b: 7
(bootloader) slot-retry-count:a: 7
(bootloader) slot-unbootable:b: no
(bootloader) slot-unbootable:a: no
(bootloader) slot-successful:b: no
(bootloader) slot-successful:a: yes
(bootloader) slot-count: 2
(bootloader) current-slot: a

here is a little snippet. looks like I'm still in slot a, and still no luck with getting into fastbootd mode :(
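The slot check suggested above, as an added example that is not part of the thread or of r1_escape: a parser for `fastboot getvar all` output that reports the A/B slot state and flags the case where the active slot is not the one the images were written to. `SAMPLE` is the output posted in this comment; `parse_getvar`, `slot_report` and the `flashed_slot` parameter are names made up for this sketch.

```python
import re

# "fastboot getvar all" output as posted in this thread, one variable per line.
SAMPLE = """\
(bootloader) off-mode-charge: 1
(bootloader) warranty: no
(bootloader) unlocked: yes
(bootloader) secure: no
(bootloader) kernel: lk
(bootloader) product: k65v1_64_bsp
(bootloader) is-userspace: no
(bootloader) slot-retry-count:b: 7
(bootloader) slot-retry-count:a: 7
(bootloader) slot-unbootable:b: no
(bootloader) slot-unbootable:a: no
(bootloader) slot-successful:b: no
(bootloader) slot-successful:a: yes
(bootloader) slot-count: 2
(bootloader) current-slot: a
"""

# A variable name may carry one ":<argument>" suffix, e.g. "slot-retry-count:b".
VAR_LINE = re.compile(r"^\(bootloader\)\s+([\w.-]+(?::[\w-]+)?):\s*(.*)$")


def parse_getvar(text):
    """Turn getvar output into {name: value}; non-variable lines are skipped."""
    variables = {}
    for raw in text.splitlines():
        match = VAR_LINE.match(raw.strip())
        if match:
            variables[match.group(1)] = match.group(2).strip()
    return variables


def slot_report(variables, flashed_slot):
    """Summarise slot state; flashed_slot is the slot the images were written to."""
    current = variables.get("current-slot", "")
    names = sorted(k.split(":", 1)[1] for k in variables
                   if k.startswith("slot-unbootable:"))
    slots = {
        n: {
            "unbootable": variables.get(f"slot-unbootable:{n}") == "yes",
            "successful": variables.get(f"slot-successful:{n}") == "yes",
            "retries": int(variables.get(f"slot-retry-count:{n}", "0")),
        }
        for n in names
    }
    warnings = []
    if current != flashed_slot:
        warnings.append(
            f"active slot is {current!r} but images were flashed to {flashed_slot!r}")
    state = slots.get(current)
    if state is None:
        warnings.append(f"no slot variables reported for active slot {current!r}")
    else:
        if state["unbootable"]:
            warnings.append(f"active slot {current!r} is marked unbootable")
        if state["retries"] == 0:
            warnings.append(f"active slot {current!r} has no boot retries left")
    userspace = variables.get("is-userspace") == "yes"
    if not userspace:
        warnings.append("is-userspace is not 'yes': bootloader fastboot, not fastbootd")
    return {"current": current, "userspace": userspace,
            "slots": slots, "warnings": warnings}


if __name__ == "__main__":
    report = slot_report(parse_getvar(SAMPLE), flashed_slot="a")
    print("current slot:", report["current"])
    for name, state in report["slots"].items():
        print(f"  slot {name}: {state}")
    for warning in report["warnings"]:
        print("  !", warning)
```

On the posted output the only finding is that the device is in bootloader fastboot rather than fastbootd; the slot-mismatch warning fires when `current-slot` differs from the slot named in the `Writing 'boot_a'` style lines of the flash log.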

cottonbarbie commented 3 months ago

NEED HELP. JUST GOT TO FASTBOOTD SCREEN.

not sure how. But, cannot run fastboot commands and device is listed in "other devices" under r1 and says no compatible drivers. what do i do???

cottonbarbie commented 3 months ago

> NEED HELP. JUST GOT TO FASTBOOTD SCREEN.
>
> not sure how. But, cannot run fastboot commands and device is listed in "other devices" under r1 and says no compatible drivers. what do i do???

i installed the google drivers to the r1 slot, and it worked to allow me to push the boot.img and system.img into slot b.

booted from slot b. AND IT WORKED! thank goodness

cottonbarbie commented 3 months ago

any info on the "This device isnt play protect certified"?

spgohome commented 3 months ago

Yeah!!!!!!!!!!!!!!!!!! Getting into fastbootd, whatever how, is really THE key to make all the rest work. So glad you've made your Rabbit... "Escaped". Don't let it run too far :-)

Thanks rttgnck for the tip! Really!!!

Next I'm sure you will get bugged with "your device is not certified...sh..." Check my instructions there: https://github.com/RabbitHoleEscapeR1/r1_escape/issues/19 Took me a while to figure out the right sequences..but it's working!

Just read your last reply...before I've had the chance to finish writing mine...you're too fast for me...check above. Let me know if that works for you...:-)

Good luck

spgohome commented 3 months ago

And rttgnck, this switching between a and b...is that normal or a "bug"?

When I flashed boot,vendor,system they all went into a and reboot went right into a.

A bit weird!

spgohome commented 3 months ago

So cottonbarbie, please let me know you've unbricked your device and got the ID working...that will make my day :-)

rttgnck commented 3 months ago

> And rttgnck, this switching between a and b...is that normal or a "bug"?
>
> When I flashed boot,vendor,system they all went into a and reboot went right into a.
>
> A bit weird!

Not sure. Just what I've noticed.

cottonbarbie commented 3 months ago

> So cottonbarbie, please let me know you've unbricked your device and got the ID working...that will make my day :-)

having issues getting "adb devices" to show my device. still working that one through so I can get the ID and I'll drop a whole walkthrough on what I did!

spgohome commented 3 months ago

BTW, if you want an easier way to see your screen and type WiFi psw or anything else... Use this: adb shell wm density 180. Otherwise, the keyboard will take all the place and you won't be able to see what you are typing...

spgohome commented 3 months ago

Did you reboot the device? Takes a little time for ADB to kick back on

spgohome commented 3 months ago

But, from where you are right now, getting the Android ID is the last piece you're gonna need to get Android Play Store working and download anything you want. I've already downloaded a lot of stuff and EVERYTHING is working A1!

I really like this "pocket" size device. Gemini...WOW! Super fast

cottonbarbie commented 3 months ago

cant seem to get the device to be seen by adb though, device is listing in Portable Devices in the device manager, so its being read by the PC but not by ADB

spgohome commented 3 months ago

Did you install this: https://sourceforge.net/projects/quickadb/ and/or maybe this (I did the installation manually): https://www.thecustomdroid.com/mediatek-preloader-usb-vcom-drivers/

Rabbit should be listed like this in your Device Manager

If not...ADB won't work unless someone else has a better solution...

cottonbarbie commented 3 months ago

Seems like i found a way!

https://www.xda-developers.com/how-to-fix-device-not-certified-by-google-error/

Use this to download the mirror apk to find your GSF id and Android ID, enter that into the website for google registering (https://www.google.com/android/uncertified) and then restart the device. and boom bam, good to go

cottonbarbie commented 3 months ago

thank you all for your help!! you've been amazing

spgohome commented 3 months ago

VERY glad I/we(big thanks for rttgnck) could be of any help!

Enjoy your new Android Rabbit..but don't let it run away...just kidding...:-) Just one more thing...is your camera app working? BT? Phone calls? Mine, camera app working, BT...nahhh, Phone calls...nahhh!

Take care. Good night!

cottonbarbie commented 3 months ago

> VERY glad I/we(big thanks for rttgnck) could be of any help!
>
> Enjoy your new Android Rabbit..but don't let it run away...just kidding...:-)
>
> Just one more thing...is your camera app working? BT? Phone calls?
>
> Mine, camera app working, BT...nahhh, Phone calls...nahhh!
>
> Take care. Good night!

Camera is working, but won't rotate forward or back (not sure how to fix that)

Can't check phone calls since I don't have a SIM card, but maybe one day

I'll check Bluetooth tomorrow!

Goodnight!

spgohome commented 3 months ago

I'll get back to you about the rotating camera thing tomorrow, very easy to fix...but now I'm very tired...take care. BT...I don't think it will work unless you are one of the lucky ones with the right hardware(?). For some it worked, for some it won't

Good night

spgohome commented 3 months ago

Just access the quick tiles menu, look for a tile named "Privacy" and drag it near the top. Reopen the quick tiles menu, click on Privacy, should get the camera moving rear/front/privacy

cottonbarbie commented 3 months ago

> Just access the quick tiles menu, look for a tile named "Privacy" and drag it near the top.
>
> Reopen the quick tiles menu, click on Privacy, should get the camera moving rear/front/privacy

Actually much easier than I thought! Got it set up, thank you!

jonmarkwilcox commented 3 months ago

So it looks like the camera fix bricked my r1 too. Does anyone know how to unbrick it on Linux?

WillSink commented 3 months ago

[image: IMG_2195]

I am at a complete loss and really could use some guidance. I hit almost every snag described here and then I thought I was cooking but now my rabbit is stuck on the =>FASTBOOT mode... screen.

I am not sure if I am taking steps forwards or backwards. At different times, it's shown it's in fastboot mode. I am getting an error saying "fastboot: error: Cannot generate image for userdata"

I don't know if these are two different errors or the same. I have been on these forums for a while and spent hours on this now. Happy to tip someone who can walk me through it! Thank you!

[image: Screenshot 2024-06-30 182510]

cottonbarbie commented 3 months ago

I had the same issue with userdata. Just keep pressing along. Next you should be "fastboot reboot" and should kick you into fastbootd mode.

Once you're in fastbootd mode, you're almost home free.

jaguarnac commented 3 months ago

> Just access the quick tiles menu, look for a tile named "Privacy" and drag it near the top. Reopen the quick tiles menu, click on Privacy, should get the camera moving rear/front/privacy

Thanks for the tip!

I had a hard time locating the tile. Before dragging it to the top, it had different text, something about camera positioning. After moving it to the top of the tiles, it changed to "Privacy". For anyone else in a similar situation, look for a tile with an android icon with ambiguous text :)

SHMAUS-Carter commented 3 months ago

I'm tempted to try the camera fix as well but don't want a brick. I backed up my post-OTA partitions, all of them. But I'm not sure if it is safe to restore boot.img and vendor.img from them using fastboot. Currently Wi-Fi is working, camera doesn't.

Anton33455 commented 2 months ago

Didn't work for me, I am still where I started. Same error msg.

```
DAXFlash - EMMC USER Size: 0x1d1ec00000
DAXFlash - HW-CODE : 0x766
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x800 of 0x800, ) 0.08 MB/s
Wrote frp.bin to sector 44096 with sector count 2048.
[*] Unplug the device, press ENTER, and then plug the device in:

[*] Waiting for fastboot...
(bootloader) Start unlock flow

OKAY [ 3.033s]
Finished. Total time: 3.035s
Erasing 'userdata' OKAY [ 0.317s]
CreateProcess failed: The system cannot find the file specified. (2)
fastboot: error: Cannot generate image for userdata
Rebooting into fastboot OKAY [ 0.002s]
< waiting for any device >
```

and device is boot looping with the same error.

WillSink commented 2 months ago

I feel like I am soooo close!! I think I am having the issue with the slots. I can start it in fastboot mode.

> NEED HELP. JUST GOT TO FASTBOOTD SCREEN. not sure how. But, cannot run fastboot commands and device is listed in "other devices" under r1 and says no compatible drivers. what do i do???
>
> i installed the google drivers to the r1 slot, and it worked to allow me to push the boot.img and system.img into slot b.
>
> booted from slot b. AND IT WORKED! thank goodness

How did you do this? I think this is the step I am stuck on. How did you install the google drivers to the R1 slot? and then push the others to slot b? Any help is greatly appreciated. I keep getting two steps forward and one back. THANK YOU!

cottonbarbie commented 2 months ago

I did 'fastboot set_active b'

This brought me to fastbootd mode.. (You might have to go to Device Manager to update the driver with the usb_google drivers)

And then ran through the steps again to push the Boot, vendor and System img's.

Then 'fastboot reboot' to start it up

P.s. using 'fastboot reboot fastboot' swaps it back to the default slot

cyb3rzest commented 1 month ago

After trying your script, my device went into ==> Fastboot Mode

Now I am unable to do anything, nor am I able to flash the r1 backup.zip from @jadentha

Kindly help

spgohome commented 1 month ago

If you are in Fastboot mode it's good.

Did you try the following steps also?

Now for the fun part, make sure you see the device. Some of the steps are probably not necessary....but that's what worked for me.

```
(venv) PS D:\work\rabbit\r1_escape-main> fastboot devices
919109A5P1600512124D fastboot <-- good

(venv) PS D:\work\rabbit\r1_escape-main> fastboot reboot bootloader "This should show that you are in Fastboot mode>>"
Rebooting into bootloader OKAY [ 0.000s]
Finished. Total time: 0.002s
(venv) PS D:\work\rabbit\r1_escape-main> python mtkbootcmd.py FASTBOOT
Listening for ports!
Found COM4 with description: PreLoader USB VCOM (Android) (COM4) HWID: USB VID:PID=0E8D:2000 SER= LOCATION=1-14.1.4:x.2
Got port: COM4
Initializing port COM4
b'FASTBOOT' cmd sent
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flashing unlock
(bootloader) Start unlock flow

OKAY [ 3.044s]
Finished. Total time: 3.045s
(venv) PS D:\work\rabbit\r1_escape-main> fastboot -w
Erasing 'userdata' OKAY [ 0.346s]
mke2fs 1.46.6 (1-Feb-2023)
Creating filesystem with 28164344 4k blocks and 7045120 inodes
Filesystem UUID: 46e53968-3179-11ef-8588-89c5f773d0a1
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done

Warning: skip copying userdata image avb footer due to sparse image.
Sending 'userdata' (544 KB) OKAY [ 0.019s]
Writing 'userdata' OKAY [ 0.070s]
wipe task partition not found: cache
Erasing 'metadata' OKAY [ 0.008s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.638s
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
Rewriting vbmeta struct at offset: 0
Sending 'vbmeta_a' (4 KB) OKAY [ 0.006s]
Writing 'vbmeta_a' OKAY [ 0.003s]
Finished. Total time: 0.017s
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash --disable-verity --disable-verification boot boot.img "I think this was THE thing that allowed me to reboot in Fastbootd mode..."
Sending 'boot_a' (32768 KB) OKAY [ 0.906s]
Writing 'boot_a' OKAY [ 0.430s]

(venv) PS D:\work\rabbit\r1_escape-main> fastboot reboot-fastboot
Rebooting into fastboot OKAY [ 0.002s]
< waiting for any device >
Finished. Total time: 32.289s
```

Now you should be in Fastbootd mode (Fastboot info on top with options to Power off/Reboot/Reboot in recovery...). Do not touch anything there

```
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash boot boot.img
Sending 'boot_a' (32768 KB) OKAY [ 1.281s]
Writing 'boot_a' OKAY [ 0.317s]
Finished. Total time: 1.617s <-- good
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash vendor vendor.img
Resizing 'vendor_a' OKAY [ 0.010s]
Sending sparse 'vendor_a' 1/2 (242568 KB) OKAY [ 8.824s]
Writing 'vendor_a' OKAY [ 1.892s]
Sending sparse 'vendor_a' 2/2 (117428 KB) OKAY [ 5.750s]
Writing 'vendor_a' OKAY [ 1.018s]
Finished. Total time: 17.814s <-- good
(venv) PS D:\work\rabbit\r1_escape-main> fastboot flash system system.img
Resizing 'system_a' OKAY [ 0.008s]
Sending sparse 'system_a' 1/13 (262112 KB) OKAY [ 12.788s]
Writing 'system_a' OKAY [ 2.048s]
Sending sparse 'system_a' 2/13 (262116 KB) OKAY [ 10.931s]
Writing 'system_a' OKAY [ 2.045s]
Sending sparse 'system_a' 3/13 (262108 KB) OKAY [ 9.575s]
Writing 'system_a' OKAY [ 1.979s]
Sending sparse 'system_a' 4/13 (262124 KB) OKAY [ 10.220s]
Writing 'system_a' OKAY [ 2.022s]
Sending sparse 'system_a' 5/13 (262128 KB) OKAY [ 12.366s]
Writing 'system_a' OKAY [ 2.048s]
Sending sparse 'system_a' 6/13 (262128 KB) OKAY [ 10.318s]
Writing 'system_a' OKAY [ 2.001s]
Sending sparse 'system_a' 7/13 (262128 KB) OKAY [ 12.584s]
Writing 'system_a' OKAY [ 2.007s]
Sending sparse 'system_a' 8/13 (262124 KB) OKAY [ 9.506s]
Writing 'system_a' OKAY [ 1.990s]
Sending sparse 'system_a' 9/13 (262120 KB) OKAY [ 11.579s]
Writing 'system_a' OKAY [ 1.995s]
Sending sparse 'system_a' 10/13 (262124 KB) OKAY [ 11.818s]
Writing 'system_a' OKAY [ 1.923s]
Sending sparse 'system_a' 11/13 (262084 KB) OKAY [ 13.278s]
Writing 'system_a' OKAY [ 1.955s]
Sending sparse 'system_a' 12/13 (262140 KB) OKAY [ 13.165s]
Writing 'system_a' OKAY [ 1.965s]
Sending sparse 'system_a' 13/13 (103396 KB) OKAY [ 5.019s]
Writing 'system_a' OKAY [ 1.270s]
Finished. Total time: 171.083s <-- good

(venv) PS D:\work\rabbit\r1_escape-main> fastboot reboot
Rebooting OKAY [ 0.001s]
```

Now it should be loading/running Android 13
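
An added example, not part of this thread or of the r1_escape project: a small Python check that reads a saved fastboot transcript and reports which partitions were actually written, which slot suffixes they went to, and any error lines buried between steps (such as the `Cannot generate image for userdata` failure posted earlier). The sample transcript is constructed, and the function name `audit` and the "mixed slots" heuristic are assumptions of this example.

```python
import re

# Constructed sample in the shape of the fastboot output posted in this thread.
SAMPLE = """\
Erasing 'userdata' OKAY [ 0.317s]
CreateProcess failed: The system cannot find the file specified. (2)
fastboot: error: Cannot generate image for userdata
Sending 'boot_a' (32768 KB) OKAY [ 0.906s]
Writing 'boot_a' OKAY [ 0.430s]
Sending sparse 'vendor_b' 1/2 (242568 KB) OKAY [ 8.824s]
Writing 'vendor_b' OKAY [ 1.892s]
"""

# One fastboot step line: action, quoted target, then OKAY or FAILED.
STEP = re.compile(
    r"^(Erasing|Resizing|Sending(?: sparse)?|Writing) '([^']+)'.*?\b(OKAY|FAILED)\b")
# Errors printed on their own line, between steps.
ERROR = re.compile(r"^(fastboot: error: |CreateProcess failed: )")


def audit(transcript):
    """Summarise a fastboot transcript: partitions written, slots, errors."""
    written, slots, errors = [], set(), []
    for raw in transcript.splitlines():
        line = raw.strip()
        step = STEP.match(line)
        if step:
            action, target, status = step.groups()
            if status == "FAILED":
                errors.append(line)
            elif action == "Writing" and target not in written:
                written.append(target)
                suffix = re.search(r"_([ab])$", target)
                if suffix:
                    slots.add(suffix.group(1))
        elif ERROR.match(line):
            errors.append(line)
    # Assumption of this example: writes to both slots in one run are suspicious,
    # because the slot that boots may not hold all of the flashed images.
    return {"written": written, "slots": sorted(slots),
            "mixed_slots": len(slots) > 1, "errors": errors}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
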

cyb3rzest commented 1 month ago

It's not going into fastboot mode... it's just before that... as if it went to fastboot, then using the fastboot command I could have flashed its system.

But, when I ran fastboot devices or adb devices, it shows no devices and when using script, it's stuck on waiting for devices

cyb3rzest commented 1 month ago

After the part below, on my rabbit... in the bottom left corner, it shows only => FASTBOOT mode

```
(venv) PS D:\work\rabbit\r1_escape-main> python mtkbootcmd.py FASTBOOT
Listening for ports!
Found COM4 with description: PreLoader USB VCOM (Android) (COM4) HWID: USB VID:PID=0E8D:2000 SER= LOCATION=1-14.1.4:x.2
Got port: COM4
Initializing port COM4
b'FASTBOOT' cmd sent
```

cyb3rzest commented 1 month ago

[image: 20240806_100340]

See, stuck at this point. No matter how I try. @spgohome