Dumping of Xiaomi X04G Mi Smart Clock fails with newest mtkclient

[z3ntu]

This device: https://github.com/Informatic/xiaomi-x04g-research

With mtkclient master (commit f338168) this is the log and it just hangs at the end:

``` sudo _venv/bin/python mtk.py rl dump za 17 aug 2024 20:16:44 CEST MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024 Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode Port - Hint: Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset. ........... Port - Device detected :) Preloader - CPU: MT8167/MT8516/MT8362() Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11005000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212c00 Preloader - Var1: 0xcc Preloader - Disabling Watchdog... Preloader - HW code: 0x8167 Preloader - Target config: 0xe5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xcb00 Preloader - SW Ver: 0x1 Preloader - ME_ID: EBFE181A3208261CF03E25B6A05E343A Preloader - SOC_ID: 0000000000000000000000000000000000000000000000000000000000000000 Preloader Preloader - [LIB]: Auth file is required. Use --auth option. DaHandler - Device is protected. DaHandler - Device is in BROM-Mode. Bypassing security. DaHandler - Preloader is not supplied. Acquiring it through BROM exploit. PLTools - Loading payload from mt8167_payload.bin, 0x264 bytes Exploitation - Kamakiri Run Exploitation - Done sending payload... PLTools - Successfully sent payload: /home/luca/tools/mtkclient/mtkclient/payloads/mt8167_payload.bin Port - Device detected :) DaHandler DaHandler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram. Successfully extracted preloader for this device to: preloader_mico_x04g.bin DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin XFlashExt - Patching da1 ... Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "hash_check" in preloader Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "get_vfy_policy" in preloader XFlashExt - Patching da2 ... XFlashExt - Security check patched XFlashExt - SBC patched to be disabled XFlashExt - Register read/write not allowed patched DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - Sending emi data ... DAXFlash - DRAM setup passed. DAXFlash - Sending emi data succeeded. DAXFlash - Uploading stage 2... DAXFlash - Upload data was accepted. Jumping to stage 2... DAXFlash - Boot to succeeded. DAXFlash - Successfully uploaded stage 2 DAXFlash - DA SLA is disabled DAXFlash - EMMC FWVer: 0x0 DAXFlash - EMMC ID: 4FTE4R DAXFlash - EMMC CID: 15010034465445345201f2aa8f6f47f5 DAXFlash - EMMC Boot1 Size: 0x400000 DAXFlash - EMMC Boot2 Size: 0x400000 DAXFlash - EMMC GP1 Size: 0x0 DAXFlash - EMMC GP2 Size: 0x0 DAXFlash - EMMC GP3 Size: 0x0 DAXFlash - EMMC GP4 Size: 0x0 DAXFlash - EMMC RPMB Size: 0x80000 DAXFlash - EMMC USER Size: 0xe9000000 DAXFlash - HW-CODE : 0x8167 DAXFlash - HWSUB-CODE : 0x8A00 DAXFlash - HW-VERSION : 0xCB00 DAXFlash - SW-VERSION : 0x1 DAXFlash - CHIP-EVOLUTION : 0x0 DAXFlash - DA-VERSION : 1.0 DAXFlash - Reconnecting to stage2 with higher speed DeviceClass - [Errno 2] Entity not found DAXFlash - Connected to stage2 with higher speed DAXFlash - Extensions were accepted. Jumping to extensions... DAXFlash - Boot to succeeded. ```

With mtkclient 1.63 (semi-random version, didn't bisect it)

``` MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023 Preloader - Status: Waiting for PreLoader VCOM, please connect mobile Port - Hint: Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset. ........... Port - Device detected :) Preloader - CPU: MT8167/MT8516/MT8362() Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11005000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212c00 Preloader - Var1: 0xcc Preloader - Disabling Watchdog... Preloader - HW code: 0x8167 Preloader - Target config: 0xe5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xcb00 Preloader - SW Ver: 0x1 Preloader - ME_ID: EBFE181A3208261CF03E25B6A05E343A Preloader - SOC_ID: 0000000000000000000000000000000000000000000000000000000000000000 PLTools - Loading payload from mt8167_payload.bin, 0x264 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: /home/luca/tools/mtkclient/mtkclient/payloads/mt8167_payload.bin Port - Device detected :) DA_handler - Device is protected. DA_handler - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2228.bin xflashext - Patching da1 ... Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "hash_check" in preloader xflashext xflashext - [LIB]: Error on patching da1 version check... Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "get_vfy_policy" in preloader xflashext - Patching da2 ... DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - Sending emi data ... DAXFlash - DRAM setup passed. DAXFlash - Sending emi data succeeded. DAXFlash - Uploading stage 2... DAXFlash - Upload data was accepted. Jumping to stage 2... DAXFlash - Successfully uploaded stage 2 DAXFlash - EMMC FWVer: 0x0 DAXFlash - EMMC ID: 4FTE4R DAXFlash - EMMC CID: 15010034465445345201f2aa8f6f47f5 DAXFlash - EMMC Boot1 Size: 0x400000 DAXFlash - EMMC Boot2 Size: 0x400000 DAXFlash - EMMC GP1 Size: 0x0 DAXFlash - EMMC GP2 Size: 0x0 DAXFlash - EMMC GP3 Size: 0x0 DAXFlash - EMMC GP4 Size: 0x0 DAXFlash - EMMC RPMB Size: 0x80000 DAXFlash - EMMC USER Size: 0xe9000000 DAXFlash - HW-CODE : 0x8167 DAXFlash - HWSUB-CODE : 0x8A00 DAXFlash - HW-VERSION : 0xCB00 DAXFlash - SW-VERSION : 0x1 DAXFlash - CHIP-EVOLUTION : 0x0 DAXFlash - DA-VERSION : 1.0 DAXFlash - Reconnecting to stage2 with higher speed DeviceClass - [Errno 2] Entity not found DAXFlash - Connected to stage2 with higher speed DAXFlash - Extensions were accepted. Jumping to extensions... DAXFlash - DA Extensions successfully added DA_handler - Dumping partition proinfo with sector count 6144 as dump/proinfo.bin. Progress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x1800 of 0x1800, ) 3.56 MB/s DA_handler - Dumped partition proinfo as dump/proinfo.bin. DA_handler - Dumping partition nvram with sector count 10240 as dump/nvram.bin. Progress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x2800 of 0x2800, ) 3.68 MB/s6 MB/s ``` and much more like this, where it works

CC @gelbpunkt

[cabe1214]

Just came here to say that this solved the problem on my side! I used version 1.63 as well and could make it run

[bkerler]

Duplicate of #1152

[Gelbpunkt]

Thanks, as of 57c0ea0165240829bb4ad36bb4ff6f230e8dd954 mtkclient works fine with x04g again.