bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

[MT6797] Latest mtkclient cannot dump preloader, but the old version can #1033

Closed mouzei closed 3 months ago

mouzei commented 3 months ago

Cannot dump preloader: https://github.com/bkerler/mtkclient/commit/27982d47ba4f05fef219a388718554072a9e550b

Version that can be used normally: https://github.com/bkerler/mtkclient/commit/8e46df657c5dbed0d657ac0643da06b1151a5797

output:

```
.....Port - Device detected :)
Preloader - CPU: MT6797/MT6767(Helio X23/X25/X27)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x279
Preloader - Target config: 0x7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x0
Preloader - ME_ID: xxx
DA_handler - Device is protected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6797_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\Users\Administrator\Desktop\mtkclient-main\mtkclient\payloads\mt6797_payload.bin
DA_handler DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DA_handler DA_handler - [LIB]: Failed to dump preloader from ram, provide a valid one via --preloader option
Traceback (most recent call last):
  File "C:\Users\Administrator\Desktop\mtkclient-main\mtk", line 943, in
    mtk = Main(args).run(parser)
  File "C:\Users\Administrator\Desktop\mtkclient-main\mtkclient\Library\mtk_main.py", line 653, in run
    mtk = da_handler.configure_da(mtk, preloader)
  File "C:\Users\Administrator\Desktop\mtkclient-main\mtkclient\Library\DA\mtk_da_handler.py", line 149, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
  File "C:\Users\Administrator\Desktop\mtkclient-main\mtkclient\Library\DA\mtk_daloader.py", line 295, in upload_da
    return self.da.upload_da()
  File "C:\Users\Administrator\Desktop\mtkclient-main\mtkclient\Library\DA\xflash\xflash_lib.py", line 1107, in upload_da
    self.kamakiri_pl.initbrom()
  File "C:\Users\Administrator\Desktop\mtkclient-main\mtkclient\Library\Exploit\kamakiri_pl.py", line 22, in initbrom
    getVal = self.mtk.port.cdc.device.ctrl_transfer(bmRequestType=0xa1,
  File "D:\xxx\python\lib\site-packages\usb\core.py", line 1082, in ctrl_transfer
    ret = self._ctx.backend.ctrl_transfer(
  File "D:\xxx\python\lib\site-packages\usb\backend\libusb1.py", line 893, in ctrl_transfer
    ret = _check(self.lib.libusb_control_transfer(
  File "D:\xxx\python\lib\site-packages\usb\backend\libusb1.py", line 602, in _check
    raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 10060] Operation timed out
```

mouzei commented 3 months ago

The problem starts from https://github.com/bkerler/mtkclient/tree/9e54803fb5b6cb34842bcf95aaeb5d4a2e7df5ea

pewterbrass commented 3 months ago

> The problem starts from https://github.com/bkerler/mtkclient/tree/9e54803fb5b6cb34842bcf95aaeb5d4a2e7df5ea

I found the issue, thanks for pinpointing the erroneous commit. Let's hope the devs can fix it soon.

This is a duplicate of #1034. I've written some info there if you want to patch it yourself.

mouzei commented 3 months ago

> The problem starts from https://github.com/bkerler/mtkclient/tree/9e54803fb5b6cb34842bcf95aaeb5d4a2e7df5ea
>
> I found the issue, thanks for pinpointing the erroneous commit. Let's hope the devs can fix it soon.
>
> This is a duplicate of #1034. I've written some info there if you want to patch it yourself.

I changed `if mtk.serialportname: mtk.port.serial_handshake() else: mtk.port.handshake()` into `mtk.port.run_handshake()` in `mtkclient/Library/mtk_class.py`, then it can run normally.

bkerler commented 3 months ago

it's fixed by now.

Yangp0626 commented 3 months ago

The latest version still has this issue, but the old version works. I am using a mobile phone with an MTK6771 CPU.

```
DA_handler - Device is protected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6771_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\Users\y\Downloads\mtkclient-main\mtkclient-main\mtkclient\payloads\mt6771_payload.bin
Port - Device detected :)
DA_handler DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DA_handler DA_handler - [LIB]: Failed to dump preloader from ram, provide a valid one via --preloader option
Traceback (most recent call last):
  File "C:\Users\y\Downloads\mtkclient-main\mtkclient-main\mtk", line 946, in
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\y\Downloads\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_main.py", line 653, in run
    mtk = da_handler.configure_da(mtk, preloader)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\y\Downloads\mtkclient-main\mtkclient-main\mtkclient\Library\DA\mtk_da_handler.py", line 149, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\y\Downloads\mtkclient-main\mtkclient-main\mtkclient\Library\DA\mtk_daloader.py", line 295, in upload_da
    return self.da.upload_da()
           ^^^^^^^^^^^^^^^^^^^
  File "C:\Users\y\Downloads\mtkclient-main\mtkclient-main\mtkclient\Library\DA\xflash\xflash_lib.py", line 1116, in upload_da
    self.kamakiri_pl.initbrom()
  File "C:\Users\y\Downloads\mtkclient-main\mtkclient-main\mtkclient\Library\Exploit\kamakiri_pl.py", line 22, in initbrom
    getVal = self.mtk.port.cdc.device.ctrl_transfer(bmRequestType=0xa1,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\y\AppData\Local\Programs\Python\Python312\Lib\site-packages\usb\core.py", line 1082, in ctrl_transfer
    ret = self._ctx.backend.ctrl_transfer(
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\y\AppData\Local\Programs\Python\Python312\Lib\site-packages\usb\backend\libusb1.py", line 893, in ctrl_transfer
    ret = _check(self.lib.libusb_control_transfer(
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\y\AppData\Local\Programs\Python\Python312\Lib\site-packages\usb\backend\libusb1.py", line 602, in _check
    raise USBTimeoutError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBTimeoutError: [Errno 10060] Operation timed out
```

bkerler commented 3 months ago

@Yangp0626 please create a new issue and refer to mt6771 as it is a different issue.