bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

MT6765 Brute Success #1097

Closed DavidBuchanan314 closed 1 month ago

DavidBuchanan314 commented 1 month ago

mtk dumppreloader worked as-is

mtk dumpbrom failed with the following backtrace:

Exploitation - [LIB]: Error on opening brom_MT6765_MT8768t_766.bin for writing: unsupported operand type(s) for -: 'NoneType' and 'int'
Traceback (most recent call last):
  File "/home/david/repos/mtkclient/mtk.py", line 980, in <module>
    mtk = Main(args).run(parser)
  File "/home/david/repos/mtkclient/mtkclient/Library/mtk_main.py", line 423, in run
    plt.run_dump_brom(filename, self.args.ptype)
  File "/home/david/repos/mtkclient/mtkclient/Library/pltools.py", line 141, in run_dump_brom
    if self.exploit.dump_brom(filename):
  File "/home/david/repos/mtkclient/mtkclient/Library/Exploit/kamakiri2.py", line 163, in dump_brom
    raise e
  File "/home/david/repos/mtkclient/mtkclient/Library/Exploit/kamakiri2.py", line 158, in dump_brom
    wf.write(self.newbrute(dump_ptr, True))
  File "/home/david/repos/mtkclient/mtkclient/Library/Exploit/kamakiri2.py", line 124, in newbrute
    self.kamakiri2(dump_ptr - 6 + (4 - i))
TypeError: unsupported operand type(s) for -: 'NoneType' and 'int'

(note, I patched kamakiri2.py to add in a raise e to actually get the backtrace instead of just logging the error)

So, I tried mtk brute, which succeeded with Found 0xc28c, dumping bootrom to brom_766.bin (attached)

brom_766.bin.zip

Reset816 commented 1 month ago

same for me

Reset816 commented 1 month ago

and similar to https://github.com/bkerler/mtkclient/issues/947

Reset816 commented 1 month ago

It seems that the issue is caused by the self.da_write(ptr_send, 4, pack("<I", payloadaddr), False) line in the exploit() function of kamakiri2.py.
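The backtrace in the opening post and the diagnosis above point at the same failure mode: a pointer that a brute-force search could not locate comes back as None and is only noticed several frames later, when `dump_ptr - 6 + (4 - i)` raises a TypeError instead of a message naming the real cause. The following is an added illustration, not mtkclient's code and not its real brute or dump routines: the memory image, the pointer value searched for, the search function and the address 0xC28C it is placed at are all constructed for the example, and only the shape of the failing offset expression is taken from the backtrace.

```python
"""
Simulated brute search for a bootrom pointer, followed by the offset loop
that consumes it, in an unguarded and a guarded variant.

Added example; not mtkclient code. Everything below (image layout, pointer
value, search routine, candidate-address formula) is constructed for
illustration, except the shape of the expression dump_ptr - 6 + (4 - i).
"""
from struct import pack

# Hypothetical 4-byte value the brute step scans for (an address of some
# send routine) and the offset at which the constructed image stores it.
PTR_SEND_VALUE = 0x00201234
FOUND_AT = 0xC28C


def build_image(include_ptr: bool) -> bytes:
    """Constructed 64 KiB 'bootrom' image; the pointer is present only on request."""
    img = bytearray(0x10000)
    # Filler in front of the pointer slot so a scan has to skip non-zero bytes.
    img[0xC280:0xC28C] = b"\xff" * 12
    if include_ptr:
        img[FOUND_AT:FOUND_AT + 4] = pack("<I", PTR_SEND_VALUE)
    return bytes(img)


def brute_find_ptr(image: bytes, needle: int, align: int = 4):
    """Return the first aligned offset holding `needle`, or None if absent.
    The None return is what the unguarded caller below trips over."""
    pattern = pack("<I", needle)
    for off in range(0, len(image) - 3, align):
        if image[off:off + 4] == pattern:
            return off
    return None


def candidate_addresses_unguarded(dump_ptr, tries: int = 4):
    """Same shape as the failing expression in the backtrace: with
    dump_ptr None this raises TypeError far from the search that produced it."""
    return [dump_ptr - 6 + (4 - i) for i in range(tries)]


def candidate_addresses_guarded(dump_ptr, tries: int = 4):
    """Validate the pointer before arithmetic so the error names the cause."""
    if dump_ptr is None:
        raise RuntimeError("brute search found no pointer; cannot dump bootrom")
    if dump_ptr - 6 < 0:
        raise ValueError(f"pointer {dump_ptr:#x} too low for the offset search")
    return [dump_ptr - 6 + (4 - i) for i in range(tries)]


def run_dump(image: bytes, guarded: bool):
    """Search the image, then derive the candidate addresses from the result."""
    ptr = brute_find_ptr(image, PTR_SEND_VALUE)
    fn = candidate_addresses_guarded if guarded else candidate_addresses_unguarded
    return fn(ptr)


def dump_error_kind(image: bytes, guarded: bool) -> str:
    """Report how run_dump ended: 'ok', 'TypeError' or 'RuntimeError'."""
    try:
        run_dump(image, guarded)
        return "ok"
    except (TypeError, RuntimeError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(f"found pointer at {brute_find_ptr(build_image(True), PTR_SEND_VALUE):#x}")
    print("candidates:", [hex(a) for a in run_dump(build_image(True), guarded=True)])
    print("missing pointer, unguarded:", dump_error_kind(build_image(False), False))
    print("missing pointer, guarded:  ", dump_error_kind(build_image(False), True))
```

With the pointer present both variants produce the same four candidate addresses below 0xC28C; with it absent the unguarded loop fails with the TypeError seen in the backtrace, while the guarded one reports that the search itself came up empty, which is the check a caller of a brute-force search needs before doing pointer arithmetic on its result.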

bkerler commented 1 month ago

Fixed by commit 586d86e