bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

redmi 6a unlock succeeds but remains locked #110

Closed chandarakk closed 5 months ago

chandarakk commented 3 years ago

```
Microsoft Windows [Version 10.0.19042.1237]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Vuthy>cd C:\Users\Vuthy\Desktop\mtkclient-main

C:\Users\Vuthy\Desktop\mtkclient-main>python mtk xflash seccfg unlock
MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

...........

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

Port - Device detected :)
Preloader - CPU: MT6765(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 0F63E63CFDBF60902A47C817DE33BB22
Preloader - SOC_ID: 4690DA922D55E7663064F47A12F3A83635A445E2DA5D1FB4F459705972C42C2D
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\Users\Vuthy\Desktop\mtkclient-main\mtkclient\payloads\mt6765_payload.bin
Port - Device detected :)
Main - Device is protected.
Main - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.1824.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 150100514536334d
DAXFlash - Sending emi data ...
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: QE63MB
DAXFlash - EMMC CID: 150100514536334d420361ef073d554f
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x400000
DAXFlash - EMMC USER Size: 0x3a3e00000
DAXFlash - DA-CODE : 0x666D0
DAXFlash - DA Extensions successfully added
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.03 MB/s
xflashext - Successfully wrote seccfg.

C:\Users\Vuthy\Desktop\mtkclient-main>
```

here dump preloader

https://drive.google.com/file/d/1D4VpA5LnLNNwXMCMmV0e6PhTOJts_gtu/view?usp=sharing

bkerler commented 3 years ago

That means it worked successfully. Now you need to go to fastboot and unlock it.

chandarakk commented 3 years ago

> That means it worked successfully. Now you need to go to fastboot and unlock it.

how to ? fastboot oem unlock?

chandarakk commented 3 years ago

> That means it worked successfully. Now you need to go to fastboot and unlock it.

```
C:\Users\chand>fastboot devices
a534c6ad7d24    fastboot

C:\Users\chand>fastboot oem unlock
...
FAILED (status read failed (Too many links))
finished. total time: 19.404s

C:\Users\chand>
```

lpxx50117 commented 3 years ago

@bkerler I also tested the Redmi 6 (Helio P22), same as the Redmi 6a. It said success, but fastboot mode still cannot flash anything and says the phone is in locked status. If I use "fastboot oem unlock", the fastboot command gets stuck there and the phone reboots automatically with a "Too many links" error. The Redmi Pro and Redmi Note 4 (MTK) can be unlocked directly. Some of the tools on the Internet also cannot support these two devices, but some of the paid tools do.

bkerler commented 3 years ago

Some oppo devices have locked fastboot (shitty oppo patches). You need to replace it either with debug aboot or use the right magisk as stated in the readme together with a valid vbmeta file. On my redmi 6a unlocking works fine after I flash the appropriate files - magisk and empty vbmeta (not via fastboot, but using my mtkclient).

bkerler commented 3 years ago

for some devices, it's not "fastboot oem unlock" but "fastboot flashing unlock", btw.

bkerler commented 3 years ago

See more details here : https://source.android.com/devices/bootloader/locking_unlocking

chandarakk commented 3 years ago

> On my redmi 6a unlocking works fine after I flash the appropriate files - magisk and empty vbmeta (not via fastboot, but using my mtkclient).

Can you share your working magisk and empty vbmeta for your Redmi 6a that works fine?

lpxx50117 commented 3 years ago

> Some oppo devices have locked fastboot (shitty oppo patches). You need to replace it either with debug aboot or use the right magisk as stated in the readme together with a valid vbmeta file. On my redmi 6a unlocking works fine after I flash the appropriate files - magisk and empty vbmeta (not via fastboot, but using my mtkclient).

@bkerler I tested it on MIUI 9.6 (Android 8.1) and MIUI 10 (Android 9); both of them got "The system has been destroyed" and cannot boot. So which version are you testing?

chandarakk commented 3 years ago

> Some oppo devices have locked fastboot (shitty oppo patches). You need to replace it either with debug aboot or use the right magisk as stated in the readme together with a valid vbmeta file. On my redmi 6a unlocking works fine after I flash the appropriate files - magisk and empty vbmeta (not via fastboot, but using my mtkclient).

> @bkerler I tested it on MIUI 9.6 (Android 8.1) and MIUI 10 (Android 9); both of them got "The system has been destroyed" and cannot boot. So which version are you testing?

I noticed "the system has been destroyed" appears after you use mtkclient to unlock the bootloader, it remains locked, and then you try an unlock tool to redo the BL unlock, right?

bkerler commented 3 years ago

I've been using the official magisk and lineageos 17 on the redmi 6a, which works just fine.

cprogiopoulos commented 3 years ago

> Some oppo devices have locked fastboot (shitty oppo patches). You need to replace it either with debug aboot or use the right magisk as stated in the readme together with a valid vbmeta file. On my redmi 6a unlocking works fine after I flash the appropriate files - magisk and empty vbmeta (not via fastboot, but using my mtkclient).

I own an Oppo device. I have followed the instructions in the readme and I have managed to root my phone. But I do not have access to fastboot. Are there any instructions on how to work around this issue?

wulan17 commented 3 years ago

On the Redmi 6/6a the bootloader status is stored in devinfo, that's why it doesn't unlock.

long36708 commented 3 years ago

> On the Redmi 6/6a the bootloader status is stored in devinfo, that's why it doesn't unlock.

@bkerler it's the same as Redmi note 11 pro

cprogiopoulos commented 3 years ago

@wulan17 @long36708 is there a way to modify the devinfo to access fastboot?

Alephgsm commented 3 years ago

I also have this problem on the Redmi 6a. @bkerler, any solution for this?

bkerler commented 2 years ago

Can someone who is affected upload the devinfo partition ?

cprogiopoulos commented 2 years ago

@bkerler Kindly requesting info on how to pull and how to upload the devinfo partition.

Alephgsm commented 2 years ago

The devinfo length is 8,388,608 and every byte is 0x0, but I uploaded my Redmi 6a devinfo file here: devinfo.zip. Thanks.

ghost commented 2 years ago

@bkerler Bro, any plans of reverse engineering OPPO Deep Test? Some Chinese guy here has done it. Some work has been done here. ThankYou!

revenger2000 commented 2 years ago

The devinfo.img file from a Redmi 6A with a locked bootloader is empty; here is an example of this file: devinfo_BL_lock.zip. The devinfo.img file from a Redmi 6A with an official bootloader unlock has an unlock code located at the end of the file (you can see it with any hex editor), but it is too difficult: devinfo_BL_unlock.zip. Some paid tools, such as UnlockTool, can make a "permanent" bootloader unlock on the Redmi 6/6A. I don't know how these tools do it, but such an unlock has two attributes. First of all, a bootloader unlocked in this way cannot be locked again. And secondly, even if you format all internal memory (EMMC), the bootloader remains unlocked. This is most likely the only unofficial way to unlock the bootloader on these models. It would be very interesting to know how this is done. P.S. I tried to copy the unlock code from seccfg.img to devinfo.img and then flash the second file to the phone, but it was unsuccessful; the bootloader remained locked.

Alephgsm commented 2 years ago

@bkerler @revenger2000 So I think the locked-bootloader devinfo is empty, but this value exists in the unlocked-bootloader devinfo.

I flashed this file on my device and it cannot be unlocked (with the unlock bootloader operation and without it). I think these values are different on different devices.

Alephgsm commented 2 years ago

@bkerler Any news for this?

bkerler commented 2 years ago

In order to support that, an efuse needs to be set that could permanently brick devices. Thus I decided NOT to add this right now.

anymeofu commented 2 years ago

I faced the same problem, After doing all steps the phone Bootloader is still locked, no errors

Thegsmwork commented 2 years ago

Can you tell me how I should unlock the Redmi 6/6a bootloader?

revenger2000 commented 2 years ago

> In order to support that, an efuse needs to be set that could permanently brick devices. Thus I decided NOT to add this right now.

It has been six months since your post. Maybe it's time to add this feature to mtkclient?

jerinphilip commented 1 year ago

Hi, please find logs of a boot after an unlock here.

The phone (this is a Redmi 6) initially boots with:

```
[618] [SEC_POLICY] reached the end, use default policy
[619] [SEC_POLICY] sboot_state = 0x1
[619] [SEC_POLICY] lock_state = 0x3
[SBC] sbc_en = 1
[SBC] sbc_en = 1
[625] [SEC_POLICY] reached the end, use default policy
[631] [SBC] image dtbo auth init pass
[634] [SBC] img dtbo auth pass.
[634] [PROFILE] ::: lvl(2) dtbo vfy takes 16 ms
```

Then later the following happens:

```
[925] [secure] pl_flag=8d ,lk_flag=8d
[925] Serial #: "xxxxxxxxxxxx"
[926] RSA_padding_check_PKCS1_type_1 failed ret:-1
[926] token sig decrypt failed:-2
...
[933] [SEC_POLICY] sboot_state = 0x1
[933] [SEC_POLICY] lock_state = 0x4
[933] [avb] img_auth_required = 1
[934] avb_slot_verify.c[934] :[934] 637[934] : ERROR: [934] vbmeta[934] : Error verifying vbmeta image: [935] OK_NOT_SIGNED[935]
[935] [avb] boot/recovery vfy time = 6 ms
[935] mblock_create mblock start b9b70000 size: 6400000
[935] [avb] avb_ret = 3
[935] [LK] check_ota_result = 0
[935] [LK] ota-fail
[936] fb dump: 0xff000000, 0xff000000, 0xff000000, 0xff000000
dm-verity error

Android system on your device is corrupted.

Device will boot in %ds

[5937] boot state: red
[5938] fb dump: 0xff000000, 0xff000000, 0xff000000, 0xff000000
Red State

Your device has failed verification and may not

work properly.

Your device will shutdown in 5 seconds.
```

I don't really have any Android on my phone, I'm trying to boot PostmarketOS, but bootloader unlock is in the way. I have already flashed an empty vbmeta.img (via mtkclient).

> In order to support that, an efuse needs to be set that could permanently brick devices.

Could you provide the possibilities and some details on this method here? Thanks.
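The LK log jerinphilip posted above contains everything needed to see why the device still behaves as locked: SBC is fused on, the unlock token's RSA signature check fails right after the serial number is printed, `lock_state` moves from 0x3 to 0x4, AVB reports `avb_ret = 3` on the empty vbmeta, and the bootloader ends in red state. The script below is an added example, not code from the post or from mtkclient; it pulls those fields out of a serial log so the same triage can be repeated on other dumps. It assumes `avb_ret` follows libavb's `AvbSlotVerifyResult` enum (so 3 is `ERROR_VERIFICATION`), and it reports MediaTek's `lock_state` values verbatim because their meaning is not documented in this thread. `SAMPLE_LOG` is a trimmed copy of the posted log with the serial redacted as posted.

```python
"""Triage a MediaTek LK boot log for bootloader-lock and AVB state.

Added example, not code from the original post or from mtkclient. Pulls the
security-relevant lines out of a serial log: SEC_POLICY sboot_state and
lock_state, whether secure boot (SBC) is enabled, whether the unlock token's
signature check failed, the AVB verdict and the final boot state.

Assumptions: avb_ret is decoded with libavb's AvbSlotVerifyResult enum;
MediaTek's lock_state numbers are reported verbatim (meaning not documented
in the thread). SAMPLE_LOG is a trimmed copy of the log posted in the issue.
"""
import re

# libavb AvbSlotVerifyResult (avb_slot_verify.h), numeric order
AVB_SLOT_VERIFY_RESULT = {
    0: "OK",
    1: "ERROR_OOM",
    2: "ERROR_IO",
    3: "ERROR_VERIFICATION",
    4: "ERROR_ROLLBACK_INDEX",
    5: "ERROR_PUBLIC_KEY_REJECTED",
    6: "ERROR_UNSUPPORTED_VERSION",
    7: "ERROR_INVALID_METADATA",
    8: "ERROR_INVALID_ARGUMENT",
}

SAMPLE_LOG = """\
[618] [SEC_POLICY] reached the end, use default policy
[619] [SEC_POLICY] sboot_state = 0x1
[619] [SEC_POLICY] lock_state = 0x3
[SBC] sbc_en = 1
[631] [SBC] image dtbo auth init pass
[925] [secure] pl_flag=8d ,lk_flag=8d
[925] Serial #: "xxxxxxxxxxxx"
[926] RSA_padding_check_PKCS1_type_1 failed ret:-1
[926] token sig decrypt failed:-2
[933] [SEC_POLICY] sboot_state = 0x1
[933] [SEC_POLICY] lock_state = 0x4
[933] [avb] img_auth_required = 1
[935] [avb] avb_ret = 3
[935] [LK] ota-fail
dm-verity error
[5937] boot state: red
"""

PATTERNS = {
    "sboot_state": re.compile(r"\[SEC_POLICY\] sboot_state = (0x[0-9a-fA-F]+)"),
    "lock_state": re.compile(r"\[SEC_POLICY\] lock_state = (0x[0-9a-fA-F]+)"),
    "sbc_en": re.compile(r"\[SBC\] sbc_en = (\d+)"),
    "img_auth_required": re.compile(r"\[avb\] img_auth_required = (\d+)"),
    "avb_ret": re.compile(r"\[avb\] avb_ret = (\d+)"),
    "boot_state": re.compile(r"boot state: (\w+)"),
    "token_fail": re.compile(r"token sig decrypt failed:(-?\d+)"),
}


def parse_lk_log(text: str) -> dict:
    """Collect every match per field in log order, then summarise the final state."""
    found = {key: [] for key in PATTERNS}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                found[key].append(m.group(1))

    def last(key):
        return found[key][-1] if found[key] else None

    avb_ret = int(last("avb_ret")) if last("avb_ret") is not None else None
    return {
        "sbc_enabled": last("sbc_en") == "1",
        "sboot_states": found["sboot_state"],
        "lock_states": found["lock_state"],           # values printed over the boot, in order
        "token_fail_code": int(last("token_fail")) if last("token_fail") is not None else None,
        "img_auth_required": last("img_auth_required") == "1",
        "avb_ret": avb_ret,
        "avb_result": AVB_SLOT_VERIFY_RESULT.get(avb_ret, f"UNKNOWN({avb_ret})")
        if avb_ret is not None else None,
        "boot_state": last("boot_state"),
    }


def explain(summary: dict) -> list:
    """Turn the parsed fields into the findings a practitioner would check first."""
    findings = []
    if summary["sbc_enabled"]:
        findings.append("SBC (secure boot) is on: LK authenticates images, so an unsigned chain fails")
    if summary["token_fail_code"] is not None:
        findings.append(f"unlock token signature check failed (code {summary['token_fail_code']}): "
                        "LK did not accept the token")
    if summary["lock_states"]:
        findings.append("lock_state reported as " + " -> ".join(summary["lock_states"])
                        + " (MediaTek-specific values; compare with a known-unlocked log)")
    if summary["img_auth_required"] and summary["avb_result"] != "OK":
        findings.append(f"AVB verification required and returned {summary['avb_result']}")
    if summary["boot_state"] == "red":
        findings.append("boot state red: verification failed, LK will not boot this image")
    return findings


if __name__ == "__main__":
    for finding in explain(parse_lk_log(SAMPLE_LOG)):
        print("-", finding)
```

Feed it the full capture (for example from the UART the Preloader log above reports at 0x11002000) rather than the trimmed sample; the `lock_state` sequence and the token failure line are the two fields to compare between a phone that unlocks and one that does not.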

revenger2000 commented 1 year ago

> In order to support that, an efuse needs to be set that could permanently brick devices.

> Could you provide the possibilities and some details on this method here? Thanks.

You can unlock the bootloader on the Redmi 6 and 6A with Android Utility v116.00.1644 non-dongle edition. It is a free tool; search for it on Google.

jerinphilip commented 1 year ago

> The devinfo.img file from a Redmi 6A with a locked bootloader is empty; here is an example of this file: devinfo_BL_lock.zip. The devinfo.img file from a Redmi 6A with an official bootloader unlock has an unlock code located at the end of the file (you can see it with any hex editor), but it is too difficult: devinfo_BL_unlock.zip. Some paid tools, such as UnlockTool, can make a "permanent" bootloader unlock on the Redmi 6/6A. I don't know how these tools do it, but such an unlock has two attributes.

FWIW, my

```
fastboot stage token.bin
fastboot oem unlock
```

kept failing. I used RohitVerma882/termux-miunlock to get the official token, which also happened to be of the same length as the ones posted above. Following this information, I was able to simply write the token to devinfo to work around the failing fastboot and allow booting PostmarketOS.

I think my case was probably a bit extreme.

I am nonetheless curious how this locking mechanism works: assuming the token is a key of some sort, how would I be able to skip the read-only boot process with signature checks? Some additional information on the efuse methods, anyone?

StarkGang commented 1 year ago

> Android Utility v116.00.1644 non-dongle edition

could you explain more please?