bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Mtk Oppo a16s #1169

Closed Hertrix147 closed 11 hours ago

Hertrix147 commented 2 months ago

Hi, I was trying to root an Oppo A16s and ended up with the mobile not booting anymore (more like a corrupted flash), but when trying to do anything in mtkclient I always get this error:

.Port - Device detected :)
Preloader -     CPU:            MT6765/MT8768t(Helio P35/G35)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0x25
Preloader - Disabling Watchdog...
Preloader - HW code:            0x766
Preloader - Target config:      0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
Preloader -     Cmd 0xC8 blocked:   True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          AC3BE6B9AF513F3657DE236CC783B15D
Preloader - SOC_ID:         2CAC3CBCC1B478D3A3180B5FBA3E5A0A6A21A1F734CCE25BAB99C0F73364AA79
Preloader
Preloader - [LIB]: Auth file is required. Use --auth option.
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\Users\tazbe\Počítač\oppo\mtkclient\mtkclient\payloads\mt6765_payload.bin
Port - Device detected :)
DaHandler
DaHandler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DaHandler
DaHandler - [LIB]: Failed to dump preloader from ram, provide a valid one via --preloader option
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash
DAXFlash - [LIB]: Error jumping to DA: -1

AlexCoursi commented 2 months ago

Hello, I spent several days on my A16s. I can't bypass auth or unlock the bootloader with Linux or Windows. Which platform do you use? Which drivers?

Hertrix147 commented 2 months ago

> Hello, I spent several days on my A16s. I can't bypass auth or unlock the bootloader with Linux or Windows. Which platform do you use? Which drivers?

I used a lot of drivers for MediaTek devices, and with the bypass, the first time I had to make a testpoint.

AlexCoursi commented 2 months ago

Thanks. How do you do that? Do you need to open the phone?

Hertrix147 commented 2 months ago

> Thanks. How do you do that? Do you need to open the phone?

Yes, there are YouTube videos on the Oppo A16s testpoint.

AlexCoursi commented 2 months ago

The same on the A16 model? Do you need to solder? Or can you just touch for 5 seconds?

Hertrix147 commented 2 months ago

> The same on the A16 model? Do you need to solder? Or can you just touch for 5 seconds?

I tried to solder but don't recommend it. Just set the circuit board up so that you can have it connected by USB to the PC, and touch the testpoint and that CPU protection with something metallic.

AlexCoursi commented 2 months ago

I entered BROM mode (thank you for the test point!), and now I get the same error (even with a preloader):

Port - Device detected :)
Preloader -     CPU:            MT6765/MT8768t(Helio P35/G35)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0x25
Preloader - Disabling Watchdog...
Preloader - HW code:            0x766
Preloader - Target config:      0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
Preloader -     Cmd 0xC8 blocked:   True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          7438B1BAD202BAD332E725722503630D
Preloader - SOC_ID:         F914FAA09901A868A4F0A611A6E2C014EAAC3F49D965C9F840EA43EFE6F15AA7
Preloader
Preloader - [LIB]: Auth file is required. Use --auth option.
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/alex/Documents/mtkclient/mtkclient/payloads/mt6765_payload.bin
Port - Device detected :)
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - DA version anti-rollback patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash
DAXFlash - [LIB]: Error jumping to DA: -1

Does anyone have a solution?
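
An added example (not part of the thread and not mtkclient's own code): a small Python triage of the log posted above that collects the protection flags the preloader reported and finds the last step before the first error. The log excerpt is abridged from the post, and the 12-byte `<III` header format is an assumption used only to reproduce the error text.

```python
import re
import struct

# Abridged from the log in the post above (flag lines and the tail only).
LOG = """\
Preloader - Target config:      0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash - [LIB]: Error jumping to DA: -1
"""

LINE = re.compile(r"^(\w+) - (?:\[LIB\]: )?\s*(.*)$")
FLAG = re.compile(r"^(.+?):\s+(True|False)$")

def parse(log):
    """Split each line into (component, message); skip lines without ' - '."""
    return [m.groups() for m in map(LINE.match, log.splitlines()) if m]

def security_flags(log):
    """Collect the True/False protection flags the preloader reported."""
    flags = {}
    for _, msg in parse(log):
        m = FLAG.match(msg)
        if m:
            flags[m.group(1)] = m.group(2) == "True"
    return flags

def failure_point(log):
    """Return (last message before the first error, first error message)."""
    prev = None
    for comp, msg in parse(log):
        if "error" in msg.lower():
            return prev, f"{comp}: {msg}"
        prev = f"{comp}: {msg}"
    return prev, None

def short_read_message(received, fmt="<III"):
    """Text Python raises when a 12-byte header (assumed layout) is short."""
    try:
        struct.unpack(fmt, received)
    except struct.error as exc:
        return str(exc)
    return None
```

The reproduced text is identical to the `xread error` line, which shows that the read following `Jumping to 0x200000: ok.` did not return exactly 12 bytes.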

AlexCoursi commented 2 months ago

By the way, I think my phone is bricked. I can't turn it on; the screen is black, and there's no vibration. I can enter BROM mode, but I can't flash it with SP Flash Tool (I get an error after downloading the DA at 100%). I have to hold the Volume Up + Power buttons for 10 seconds, then the Power button for another 10 seconds before entering BROM mode by holding Volume Up + Volume Down + USB.

I think MTKClient is not working for this chipset (MT6765) or model (A16s - CPH2271).

Hertrix147 commented 2 months ago

I got a black screen too, but it responds when connected to the PC. mtkclient stops at "Jumping to 0x20000: ok", then the 12 bytes buffer error.

github-actions[bot] commented 1 week ago

Stale issue message