bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Can't unlock mt6737 tablet. #1218

Open halt-spesn opened 2 hours ago

halt-spesn commented 2 hours ago

I'm trying to unlock a lenovo-tb7304i. I've done this earlier, tried to port LineageOS, then abandoned it. Now I flashed stock firmware on the tablet and am trying to unlock, but I'm getting this:

```
....Port - Device detected :)
Preloader - CPU: MT6737M/MT6735G()
Preloader - HW version: 0x0
Preloader - WDT: 0x10212000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10217c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x335
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x0
Mtk - We're not in bootrom, trying to crash da...
Exploitation - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
Port - Device detected :)
Preloader - CPU: MT6737M/MT6735G()
Preloader - HW version: 0x0
Preloader - WDT: 0x10212000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10217c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x335
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 6D722AF8F0702E2A88BA943F19969E7E
Preloader
Preloader - [LIB]: Auth file is required. Use --auth option.
PLTools - Loading payload from mt6737_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/hallt/trash/mtkclient-main/mtkclient/payloads/mt6737_payload.bin
Port - Device detected :)
DaHandler - Device was protected. Successfully bypassed security.
DaHandler - Device is in BROM mode. Trying to dump preloader.
Successfully extracted preloader for this device to: preloader_hq8735b_tb_n.bin
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt - Legacy DA2 is patched.
LegacyExt - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04029b
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 484a0190613447414a09a532593aeb94
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ... EMI-Version 0x14
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 5740
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x80000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DeviceClass - [Errno 2] Entity not found
DALegacy - Connected to stage2 with higher speed
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x80000000
randomid = 0x5FA5627D657C704FA7F185ACD97E1517

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x3ab400000
m_emmc_cid = 4147346190014a4894eba55932a5094a
m_emmc_fwver = a500000000000000

LegacyExt - Detected V3 Lockstate
Sej - HACC init
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
Sej - HACC run
Sej - HACC terminate
Traceback (most recent call last):
  File "/home/hallt/trash/mtkclient-main/./mtk.py", line 1021, in
    main()
  File "/home/hallt/trash/mtkclient-main/./mtk.py", line 1017, in main
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/hallt/trash/mtkclient-main/mtkclient/Library/mtk_main.py", line 684, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/mtk_da_handler.py", line 877, in handle_da_cmds
    v = mtk.daloader.seccfg(args.flag)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/mtk_daloader.py", line 394, in seccfg
    return self.lft.seccfg(lockflag)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/legacy/extension/legacy.py", line 196, in seccfg
    if self.legacy.writeflash(addr=partition.sector * self.mtk.daloader.daconfig.pagesize,
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 951, in writeflash
    return self.sdmmc_write_data(addr=addr, length=length, filename=filename, offset=offset, parttype=parttype,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 853, in sdmmc_write_data
    fh = open(filename, "rb")
         ^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: ''
hallt@localhost ~/t/mtkclient-main [1]> ./mtk.py da seccfg unlock
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

LegacyExt - Detected V3 Lockstate
Sej - HACC init
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
Sej - HACC run
Sej - HACC terminate
SecCfgV3
SecCfgV3 - [LIB]: Unknown V3 seccfg encryption !
DaHandler
DaHandler - [LIB]: Device has is either already unlocked or algo is unknown. Aborting.
hallt@localhost ~/t/mtkclient-main>
```

With earlier versions of mtkclient I'm getting this:

```
legacyext - Detected V3 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xD of 0xD, ) 47.37 MB/s
DA_handler - Successfully wrote seccfg.
```

But the device is falling to red state and refuses to boot. Any ideas?

ferouzkassim commented 1 hour ago

But which unlock is it? If it's bootloader unlock, it's clear the tool hasn't surpassed the stage where it gets access to the seccfg partition responsible for bootloader unlock. Consider getting an auth file to enable full booting of the device first. Also, prior knowledge of device properties and names would help us tackle the issue more.

On Sat, 21 Sept 2024, 16:04 HALt, @.***> wrote:


halt-spesn commented 1 hour ago

> But which unlock is it? If it's bootloader unlock, it's clear the tool hasn't surpassed the stage where it gets access to the seccfg partition responsible for bootloader unlock. Consider getting an auth file to enable full booting of the device first. Also, prior knowledge of device properties and names would help us tackle the issue more.

I tried to use --auth with a .auth file when unlocking the bootloader; it didn't help.