NasiGorengBurung
commented
1 month ago Do you saw "this device is unlocked" during booting phone
Closed Ryssiaczrk closed 1 month ago
NasiGorengBurung
commented
1 month ago Do you saw "this device is unlocked" during booting phone
bkerler
commented
1 month ago this does only unlock the MTK critical lock, not vendor specific locks.
Ryssiaczrk
commented
1 month ago can you please help how to find the vendor specific lock?
I ran: "python mtk.py e metadata,userdata,md_udc python mtk.py da seccfg unlock" like a good boy, then ..........Preloader Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m Port - Device detected :) Preloader - CPU: MT6765/MT8768t(Helio P35/G35) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0x25 Preloader - Disabling Watchdog... Preloader - HW code: 0x766 Preloader - Target config: 0x5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: False Preloader - Mem write auth: False Preloader - Cmd 0xC8 blocked: False Preloader - Get Target info Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca00 Preloader - SW Ver: 0x0 Preloader - ME_ID: C9DC7C5E8794B496347A1E5E36F95BC4 Preloader - SOC_ID: 2E0BAC905FF68B865C83413D07D032AE75172F99507B934FB25AEAB0C99B4F8F Mtk - We're not in bootrom, trying to crash da... Exploitation - Crashing da... Preloader Preloader - [LIB]: ←[31mupload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)←[0m Preloader Preloader - [LIB]: ←[31mError on uploading da data←[0m Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode DeviceClass DeviceClass - [LIB]: ←[31mCouldn't get device configuration.←[0m Port - Device detected :) Preloader - CPU: MT6765/MT8768t(Helio P35/G35) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0x25 Preloader - Disabling Watchdog... Preloader - HW code: 0x766 Preloader - Target config: 0xe5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca00 Preloader - SW Ver: 0x0 Preloader - ME_ID: C9DC7C5E8794B496347A1E5E36F95BC4 Preloader - SOC_ID: 2E0BAC905FF68B865C83413D07D032AE75172F99507B934FB25AEAB0C99B4F8F Preloader Preloader - [LIB]: ←[33mAuth file is required. Use --auth option.←[0m PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes Exploitation - Kamakiri Run Exploitation - Done sending payload... PLTools - Successfully sent payload: C:\Users\Rysiu\Desktop\mtkclient-main\mtkclient\payloads\mt6765_payload.bin Port - Device detected :) DaHandler - Device was protected. Successfully bypassed security. DaHandler - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin XFlashExt - Patching da1 ... Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "hash_check" in preloader Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "get_vfy_policy" in preloader XFlashExt - Patching da2 ... XFlashExt - Security check patched XFlashExt - DA version anti-rollback patched XFlashExt - SBC patched to be disabled XFlashExt - Register read/write not allowed patched DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - Sending emi data ... DAXFlash - DRAM setup passed. DAXFlash - Sending emi data succeeded. DAXFlash - Uploading stage 2... DAXFlash - Upload data was accepted. Jumping to stage 2... DAXFlash - Boot to succeeded. DAXFlash - Successfully uploaded stage 2 DAXFlash - DA SLA is disabled DAXFlash - EMMC FWVer: 0x0 DAXFlash - EMMC ID: G1J9S9 DAXFlash - EMMC CID: 13014e47314a395339101535e18b884f DAXFlash - EMMC Boot1 Size: 0x400000 DAXFlash - EMMC Boot2 Size: 0x400000 DAXFlash - EMMC GP1 Size: 0x0 DAXFlash - EMMC GP2 Size: 0x0 DAXFlash - EMMC GP3 Size: 0x0 DAXFlash - EMMC GP4 Size: 0x0 DAXFlash - EMMC RPMB Size: 0x1000000 DAXFlash - EMMC USER Size: 0x1d1f000000 DAXFlash - HW-CODE : 0x766 DAXFlash - HWSUB-CODE : 0x8A00 DAXFlash - HW-VERSION : 0xCA00 DAXFlash - SW-VERSION : 0x0 DAXFlash - CHIP-EVOLUTION : 0x0 DAXFlash - DA-VERSION : 1.0 DAXFlash - Extensions were accepted. Jumping to extensions... DAXFlash - Boot to succeeded. DAXFlash - DA Extensions successfully added XFlashExt - Detected V4 Lockstate Sej - HACC init Sej - HACC run Sej - HACC terminate Sej - HACC init Sej - HACC run Sej - HACC terminate Sej - HACC init Sej - HACC run Sej - HACC terminate Sej - HACC init Sej - HACC run Sej - HACC terminate Progress: |██████████| 100.0% Write (0x1/0x1, ) 0.02 MB/s DaHandler - Successfully wrote seccfg.
C:\Users\Rysiu\Desktop\mtkclient-main>
my eyes saw a "Successfully", shit did not go "Successfully" the bootloader is still locked, the phone is a OPPO A54s (Mediatek MT6765G Helio G35) is it just not possible to unlock the bootloader on this phone?