search

bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0
2.56k stars 510 forks source link

DAA_SIG_VERIFY_FAILED (0x7024) on MT6765/MT8768t(Helio P35/G35) #1161

Closed maumaghr closed 1 month ago

maumaghr commented 1 month ago

I try to unlock bootloader, when i execute this command

python mtk.py e metadata,userdata,md_udc

this happen:

Couldn't detect the device. Is it connected ? Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? Couldn't detect the device. Is it connected ? CONFIGURATION 1: 500 mA ================================== bLength : 0x9 (9 bytes) bDescriptorType : 0x2 Configuration wTotalLength : 0x46 (70 bytes) bNumInterfaces : 0x2 bConfigurationValue : 0x1 iConfiguration : 0x3 USB CDC ACM for preloader bmAttributes : 0xc0 Self Powered bMaxPower : 0xfa (500 mA) INTERFACE 1: CDC Data ================================== bLength : 0x9 (9 bytes) bDescriptorType : 0x4 Interface bInterfaceNumber : 0x1 bAlternateSetting : 0x0 bNumEndpoints : 0x2 bInterfaceClass : 0xa CDC Data bInterfaceSubClass : 0x0 bInterfaceProtocol : 0x0 iInterface : 0x4 CDC ACM Data Interface ENDPOINT 0x1: Bulk OUT =============================== bLength : 0x8 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x1 OUT bmAttributes : 0x2 Bulk wMaxPacketSize : 0x200 (512 bytes) bInterval : 0x0 ENDPOINT 0x81: Bulk IN =============================== bLength : 0x8 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x81 IN bmAttributes : 0x2 Bulk wMaxPacketSize : 0x200 (512 bytes) bInterval : 0x0 INTERFACE 0: CDC Communication ========================= bLength : 0x9 (9 bytes) bDescriptorType : 0x4 Interface bInterfaceNumber : 0x0 bAlternateSetting : 0x0 bNumEndpoints : 0x1 bInterfaceClass : 0x2 CDC Communication bInterfaceSubClass : 0x2 bInterfaceProtocol : 0x1 iInterface : 0x5 CDC ACM Communication Interface ENDPOINT 0x83: Interrupt IN ========================== bLength : 0x8 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x83 IN bmAttributes : 0x3 Interrupt wMaxPacketSize : 0x40 (64 bytes) bInterval : 0x10 Detaching kernel driver CONFIGURATION 1: 500 mA ================================== bLength : 0x9 (9 bytes) bDescriptorType : 0x2 Configuration wTotalLength : 0x46 (70 bytes) bNumInterfaces : 0x2 bConfigurationValue : 0x1 iConfiguration : 0x3 USB CDC ACM for preloader bmAttributes : 0xc0 Self Powered bMaxPower : 0xfa (500 mA) INTERFACE 1: CDC Data ================================== bLength : 0x9 (9 bytes) bDescriptorType : 0x4 Interface bInterfaceNumber : 0x1 bAlternateSetting : 0x0 bNumEndpoints : 0x2 bInterfaceClass : 0xa CDC Data bInterfaceSubClass : 0x0 bInterfaceProtocol : 0x0 iInterface : 0x4 CDC ACM Data Interface ENDPOINT 0x1: Bulk OUT =============================== bLength : 0x8 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x1 OUT bmAttributes : 0x2 Bulk wMaxPacketSize : 0x200 (512 bytes) bInterval : 0x0 ENDPOINT 0x81: Bulk IN =============================== bLength : 0x8 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x81 IN bmAttributes : 0x2 Bulk wMaxPacketSize : 0x200 (512 bytes) bInterval : 0x0 INTERFACE 0: CDC Communication ========================= bLength : 0x9 (9 bytes) bDescriptorType : 0x4 Interface bInterfaceNumber : 0x0 bAlternateSetting : 0x0 bNumEndpoints : 0x1 bInterfaceClass : 0x2 CDC Communication bInterfaceSubClass : 0x2 bInterfaceProtocol : 0x1 iInterface : 0x5 CDC ACM Communication Interface ENDPOINT 0x83: Interrupt IN ========================== bLength : 0x8 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x83 IN bmAttributes : 0x3 Interrupt wMaxPacketSize : 0x40 (64 bytes) bInterval : 0x10 Device detected :) Device detected :) TX:fd echo:0x1 RX:fd rdword:0x4 RX:07660000 CPU: MT6765/MT8768t(Helio P35/G35) HW version: 0x0 WDT: 0x10007000 Uart: 0x11002000 Brom payload addr: 0x100a00 DA payload addr: 0x201000 CQ_DMA addr: 0x10212000 Var1: 0x25 Disabling Watchdog... TX:d4 echo:0x1 RX:d4 TX:10007000 echo:0x4 RX:10007000 TX:00000001 echo:0x4 RX:00000001 rword:0x2 RX:0000 TX:22000064 echo:0x4 RX:22000064 rword:0x2 RX:0000 HW code: 0x766 TX:d8 echo:0x1 RX:d8 rbyte:0x6 RX:000000050000 Target config: 0x5 SBC enabled: True SLA enabled: False DAA enabled: True SWJTAG enabled: True EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Root cert required: False Mem read auth: False Mem write auth: False Cmd 0xC8 blocked: False Get Target info TX:fe get_blver:0x1 RX:03 TX:ff get_bromver:0x1 RX:ff TX:fc mtk_cmd:0x1 RX:fc mtk_cmd:0x8 RX:8a00ca0000000000 HW subcode: 0x8a00 HW Ver: 0xca00 SW Ver: 0x0 TX:fe get_meid:0x1 RX:03 TX:e1 get_meid:0x1 RX:e1 get_meid:0x4 RX:00000010 get_meid:0x10 RX:6dae9e881e6f107248cb1fdb549859fb get_meid:0x2 RX:0000 ME_ID: 6DAE9E881E6F107248CB1FDB549859FB TX:fe get_socid:0x1 RX:03 TX:e7 get_socid:0x1 RX:e7 get_socid:0x4 RX:00000020 get_socid:0x20 RX:a0e51b02bb20fa2eab47af7a289e842c2626819755d8a44fac43d0dc315d8f24 get_socid:0x2 RX:0000 SOC_ID: A0E51B02BB20FA2EAB47AF7A289E842C2626819755D8A44FAC43D0DC315D8F24 We're not in bootrom, trying to crash da... Crashing da... TX:d7 echo:0x1 RX:d7 TX:00000000 echo:0x4 RX:00000000 TX:00000118 echo:0x4 RX:00000118 TX:00000000 echo:0x4 RX:00000000 rword:0x2 RX:0000 TX:00019fe510ff2fe10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 TX:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 TX:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 TX:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 TX:000000000000000000000000000000000000000000000000 TX: rword:0x2 RX:faa0 rword:0x2 RX:7024 upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024) Error on uploading da data Jumping to 0x0 TX:d5 USBError(5, 'Input/Output Error') Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

bkerler commented 1 month ago

Pretty simple: You are in preloader and not BROM mode.