bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Cannot send DA on Redmi Note 13 [MT6833], though connected #1034

Closed xqneko closed 3 months ago

xqneko commented 3 months ago

Here's the output of mtkclient running run.example. Please help. If further information is needed, please let me know. Thank you so much!

.....Port - Device detected :)
Preloader -     CPU:                    MT6833(Dimensity 700 5G k6833)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212000
Preloader -     Var1:                   0x73
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x989
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      04E6335BCAAF41C2D534EDEE45E2AC44
Preloader - SOC_ID:                     B27AAF364C9E46267CCBC680337B132AAE51FF86F07CD0AD0FF03BF98C8B044F
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6833_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: D:\tools\mtkclient\mtkclient\payloads\mt6833_payload.bin
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
xflashext - DA version anti-rollback patched
Preloader
Preloader - [LIB]: Error on DA_Send cmd
DAXFlash
DAXFlash - [LIB]: Error on sending DA.
pewterbrass commented 3 months ago

I have the same issue on a Redmi Note 13R 5G.

The ACK is received correctly, but then no response. The offsets in the payload are correct, I've checked.

It seems the device stops responding right after the ACK. Maybe something is wrong with the handshake?

pewterbrass commented 3 months ago

I found the issue. There was a regression with the following commit:

https://github.com/bkerler/mtkclient/commit/9e54803fb5b6cb34842bcf95aaeb5d4a2e7df5ea

Specifically, run_handshake was mistakenly replaced with handshake.

Fixing that will make it work again, I verified it.

Ping @bkerler @AgentFabulous

bkerler commented 3 months ago

thx @pewterbrass. I just wrote a patch, can you test it?

pewterbrass commented 3 months ago

@bkerler This is exactly what I tested yesterday, and all works fine now. The payload got stuck at the handshake and the DA seemed to stop responding before this, since calling handshake only runs run_handshake once, and this is already done just at the start of execution.
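
The failure mode described in this thread (a once-per-session `handshake` guard replacing an unconditional `run_handshake`, so the link is never re-synced after the payload is sent and the device stops answering after the ACK) can be reproduced in a small model. The code below is an added illustration, not mtkclient's code: `FakeBromPort`, `Tool` and `send_da_flow` are constructed, and the assumption that sending the payload invalidates the previous sync is a modelling assumption, not a statement about the real BROM protocol.

```python
# Added illustration (not mtkclient's code): a once-only handshake wrapper
# silently skips the re-sync a flow needs after the exploit payload is sent.


class FakeBromPort:
    """Constructed model of a BROM-mode serial port.

    Assumption for this model: after a payload is sent, the port expects a
    fresh sync sequence before it will accept a DA; without one, the DA_Send
    command is simply never answered (the 'no response after ACK' symptom).
    """

    def __init__(self) -> None:
        self.synced = False
        self.payload_sent = False

    def run_handshake(self) -> None:
        # Unconditionally perform the sync sequence with the device.
        self.synced = True

    def send_payload(self) -> None:
        self.payload_sent = True
        self.synced = False  # modelling assumption: payload resets link state

    def send_da(self) -> str:
        if not self.synced:
            raise TimeoutError("no response after ACK")
        return "ACK"


class Tool:
    """Host-side wrapper with both a guarded and an unguarded handshake."""

    def __init__(self, port: FakeBromPort) -> None:
        self.port = port
        self.handshake_done = False

    def handshake(self) -> bool:
        # Guarded wrapper: runs the real handshake at most once per session.
        # Returns True only when a handshake was actually performed.
        if self.handshake_done:
            return False
        self.port.run_handshake()
        self.handshake_done = True
        return True

    def run_handshake(self) -> bool:
        # Unguarded: always performs the sync, even if one was done earlier.
        self.port.run_handshake()
        self.handshake_done = True
        return True


def send_da_flow(regressed: bool) -> str:
    """Drive the modelled flow: initial sync, payload, re-sync, DA send.

    regressed=True uses the guarded handshake() after the payload (the
    regression); regressed=False uses run_handshake() (the fix).
    """
    port = FakeBromPort()
    tool = Tool(port)

    tool.handshake()       # initial sync at the start of the session
    port.send_payload()    # link state is lost (model assumption)

    if regressed:
        resynced = tool.handshake()      # no-op: handshake_done is already True
    else:
        resynced = tool.run_handshake()  # forces a fresh sync

    try:
        return f"resynced={resynced} da={port.send_da()}"
    except TimeoutError as exc:
        return f"resynced={resynced} Error on DA_Send cmd: {exc}"


if __name__ == "__main__":
    print("regressed:", send_da_flow(True))
    print("fixed:    ", send_da_flow(False))
```

The point of the model is the regression test it suggests: any step that must re-establish the link after an action that disturbs it should call the unconditional sync routine, and a test that drives the full sequence (initial sync, payload, DA send) catches a guarded wrapper being substituted for it, whereas a test of the handshake in isolation does not.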

AgentFabulous commented 3 months ago

My bad, it’s fixed as of https://github.com/bkerler/mtkclient/commit/54cd6583523e6983bcb53034ca6d25365c472b3c

bkerler commented 3 months ago

Ok, then I assume we can close the issue now.