bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

MT8127 - Unlocking Huawei MediaPad T3 7 - Unknown lockstate or no lockstate #1078

Closed psolyca closed 3 weeks ago

psolyca commented 3 months ago

I'm trying to unlock this device but have the same error no matter what I try on different computers, with or without LiveCD (updated repo).


```
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
........

Port - Device detected :)
Preloader -     CPU:            MT8127/MT3367()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x8127
Preloader - Target config:      0x5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca04
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          40469DD35A8A1CB40DEAB82C715B4A5E
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt8127_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /opt/mtkclient/mtkclient/payloads/mt8127_payload.bin
Port - Device detected :)
DaHandler
DaHandler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
Successfully extracted preloader for this device to: preloader_huawei8127_tb_m.bin
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt
LegacyExt - [LIB]: Legacy address check not patched.
LegacyExt
LegacyExt - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028d
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 45010053454d30384722f8c71e0f849f
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ... EMI-Version 0x10
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 1396
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x40000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DeviceClass - [Errno 2] Entity not found
DALegacy - Connected to stage2 with higher speed
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x40000000
randomid = 0xC7729F1FF69153AB3DEEE3B399DBEDA3

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x200000
m_emmc_boot2_size = 0x200000
m_emmc_rpmb_size = 0x200000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x1d2000000
m_emmc_cid = 454d3038450100531e0f849f4722f8c7
m_emmc_fwver = 2200000000000000

DaHandler
DaHandler - [LIB]: Unknown lockstate or no lockstate
```

[seccfg.zip](https://github.com/user-attachments/files/15994412/seccfg.zip)

bkerler commented 3 months ago

Your seccfg is empty, thus it won't work

psolyca commented 3 months ago

Cooool So is it usual or bad command to get it? Is there some protection or something?

R0rt1z2 commented 2 months ago

> Cooool So is it usual or bad command to get it? Is there some protection or something?

Definitely not usual. Huawei probably uses something else to store the lock state of the device.

Considering the device uses MTK, you could give a try to this method, which seems to edit proinfo.

psolyca commented 2 months ago

Thanks I will have a try. It's just that there is no TWRP for my board...

github-actions[bot] commented 4 weeks ago

Stale issue message