bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

[Meizu M5s / MT6753] Attempt to unlock bootloader causes brick/bootloop #1098

Open DouglasMartins1999 opened 2 months ago

DouglasMartins1999 commented 2 months ago

I'm trying to unlock my Meizu M5s' bootloader (M612H vendor model - with MT6753), but whenever I run python mtk.py da seccfg unlock I get the error SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong. After that, the device won't boot or goes into a bootloop. MTKClient functions like flash, dump, printgpt work perfectly. Looking at issue #634, perhaps it's also the case that this seccfg structure is not yet supported.

MTKClient execution logs - running on Debian 12, Kernel 6.5.0 (no patches), Python 3.11.2, from master branch, commit f9b5b:

MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...Port - Device detected :)
Preloader -     CPU:            MT6753()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10212000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10217c00
Preloader -     Var1:           0x28
Preloader - Disabling Watchdog...
Preloader - HW code:            0x337
Preloader - Target config:      0x7
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        True
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Mtk - We're not in bootrom, trying to crash da...
Exploitation - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
DeviceClass - USBError(19, 'No such device (it may have been disconnected)')
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Port - Device detected :)
Preloader -     CPU:            MT6753()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10212000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10217c00
Preloader -     Var1:           0x28
Preloader - Disabling Watchdog...
Preloader - HW code:            0x337
Preloader - Target config:      0x7
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        True
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          78E10A7C4FAD5D76438D8FB7312959CD
Preloader
Preloader - [LIB]: Auth file is required. Use --auth option.
PLTools - Loading payload from mt6753_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/douglas/Documentos/Projects/Containers/Meizu/mtkclient/mtkclient/payloads/mt6753_payload.bin
Port - Device detected :)
DaHandler - Device was protected. Successfully bypassed security.
DaHandler - Device is in BROM mode. Trying to dump preloader.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt - Legacy DA2 is patched.
LegacyExt - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04029b
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 520001154d423158f984074251e79cd3
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ... EMI-Version 0x14
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: D2B3
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0xc0000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DeviceClass - [Errno 2] Entity not found
DALegacy - Connected to stage2 with higher speed
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0xc0000000
randomid = 0x892367C19A171C5EA3CB65EBB8EA34DD

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x747c00000
m_emmc_cid = 5831424d15010052d39c1451420784f9
m_emmc_fwver = 0700000000000000

LegacyExt - Detected V3 Lockstate
Sej - HACC init
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej - HACC run
Sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xD of 0xD, ) 98.24 MB/s
DaHandler - Successfully wrote seccfg.

If it helps, there is a stock preloader copy and seccfg dump:

Any help is welcome! Thanks
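One way to triage a log like the one above before trusting what the tool wrote, as an added example that is not part of mtkclient or of this issue: it pulls the target-config flags, the lockstate version, the DA signature failure and the SEJ warning out of the output and flags a seccfg write that happened while the SEJ result was unreliable. The log excerpt is constructed from the lines in this report, and the "risky" rule is my assumption, not a check mtkclient performs.

```python
import re

# Constructed excerpt modelled on the mtkclient log in the issue above.
SAMPLE_LOG = """\
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        True
Preloader -     DAA enabled:        True
Preloader -     Root cert required: False
Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001)
DaHandler - Device was protected. Successfully bypassed security.
LegacyExt - Detected V3 Lockstate
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
DaHandler - Successfully wrote seccfg.
"""

# "Preloader -     SBC enabled:        True" style lines from the target config dump.
FLAG_RE = re.compile(r"^Preloader -\s+(\w+) enabled:\s+(True|False)")
LOCK_RE = re.compile(r"Detected (V\d+) Lockstate")


def triage(log: str) -> dict:
    """Extract the security-relevant facts from an mtkclient run."""
    info = {"flags": {}, "lockstate": None, "sej_warning": False,
            "da_sig_fail": False, "seccfg_written": False, "risky": False}
    for line in log.splitlines():
        m = FLAG_RE.match(line)
        if m:
            info["flags"][m.group(1)] = m.group(2) == "True"
        m = LOCK_RE.search(line)
        if m:
            info["lockstate"] = m.group(1)
        if "SEJ Legacy Hardware seems not to be configured correctly" in line:
            info["sej_warning"] = True
        if "DA_IMAGE_SIG_VERIFY_FAIL" in line:
            info["da_sig_fail"] = True
        if "Successfully wrote seccfg" in line:
            info["seccfg_written"] = True
    # Assumed rule: the SEJ warning says the seccfg contents the tool computed may be
    # wrong, and writing them anyway is exactly what preceded the bootloop in this report.
    info["risky"] = info["sej_warning"] and info["seccfg_written"]
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("secure boot flags:", result["flags"], "lockstate:", result["lockstate"])
    print("seccfg write risky:", result["risky"])
```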

bkerler commented 1 month ago

This sounds like your device is in red state, which means unlocking isn't supported or you need to mod additional files such as boot and vbmeta (at least these).