Hello, mtkclient won't unlock or read the flash of an MT8512-type device (Kobo Clara BW, package label is an MT8113, some logs say it is an MT8110). Without preloader DRAM most mtkclient functionality is inaccessible.
mtk.py will dump brom, sram and print efuses, but printgpt and flash read commands fail.
stage2.py succeeds with memread and reboot but doesn't read any of the emmc sections. It will also generate an unlocked seccfg.bin but can't write it.
I copied off mmcblk0, mmcblk0boot0, mmcblk0boot1 through the device's Linux. There's a 16 MB RPMB segment mmcblk0rpmb I can't copy this way. mmcblk0boot0 has header EMMC_BOOT and a few printf format strings like for a console. mmcblk0boot1 is empty. All the dumps I could get are available on request.
Have some logs printed to UART during various actions. uart_logs.zip
Some other command outputs below. GPT partition table via the device's Linux:
[root@spaBW ~]# fdisk -l
Found valid GPT with protective MBR; using GPT
Disk /dev/mmcblk0: 30597120 sectors, 2652M
Logical sector size: 512
Disk identifier (GUID): 5c863772-96ad-4a8c-9841-83c998f2f820
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 30597086
Number  Start (sector)    End (sector)  Size   Name
     1            1024            2047  512K   bl2
     2            2048            4095  1024K  UBOOT
     3           36864           38911  1024K  nvram
     4           38912          137215  48.0M  boot_a
     5          137216          145407  4096K  tee_a
     6          145408          147455  1024K  hwcfg
     7          147456          149503  1024K  ntxfw
     8          149504          169983  10.0M  waveform
     9          169984          268287  48.0M  vendor
    10          288768         2385919  1024M  system_a
    11         2385920         4483071  1024M  recovery
    12         4483072        30596991  12.4G  userdata
Disk /dev/mmcblk0boot1: 4 MB, 4194304 bytes, 8192 sectors
128 cylinders, 4 heads, 16 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/mmcblk0boot1 doesn't contain a valid partition table
Disk /dev/mmcblk0boot0: 4 MB, 4194304 bytes, 8192 sectors
128 cylinders, 4 heads, 16 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/mmcblk0boot0 doesn't contain a valid partition table
Result of trying to dump the preloader via mtkclient. Many mtk.py commands fail in a similar way:
# python3 mtk.py r preloader preloader.bin --parttype boot1
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
[...]
...Port - Device detected :)
Preloader - CPU: MT8512()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x111000
Preloader - CQ_DMA addr: 0x10214000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8512
Preloader - Target config: 0xe0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca02
Preloader - SW Ver: 0x100
Preloader - ME_ID: 0F0116AA8D765E0C4273306B005532BB
Preloader - SOC_ID: 0000000000000000000000000000000000000000000000000000000000000000
DaHandler - Device is unprotected.
DaHandler - Device is in BROM-Mode. Bypassing security.
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/user/Projects/kobo/mtkclient/mtkclient/payloads/mt8512_payload.bin
Port - Device detected :)
DaHandler
DaHandler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
Preloader
Preloader - [LIB]: Unknown: 0x1d08
DaHandler
DaHandler - [LIB]: Failed to dump preloader from ram, provide a valid one via --preloader option
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - No preloader given. Searching for preloader
DAXFlash
DAXFlash - [LIB]: No emmc info, can't parse existing preloaders.
[... many repetitions ...]
DAXFlash - [LIB]: No emmc info, can't parse existing preloaders.
DAXFlash
DAXFlash - [LIB]: No preloader given. Operation may fail due to missing dram setup.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash
DAXFlash - [LIB]: Stage was't executed. Maybe dram issue ?.
DAXFlash
DAXFlash - [LIB]: Error on booting to da (xflash)
Result of trying to use stage2:
# python3 ./mtk.py stage
[ ...]
Main - Uploading stage 1
PLTools - Loading payload from generic_stage1_payload.bin, 0x3e8 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/user/Projects/kobo/mtkclient/mtkclient/payloads/generic_stage1_payload.bin
Main - Successfully uploaded stage 1, sending stage 2
Main - Done sending stage2, size 0x4000.
Main - Done jumping stage2 at 00111000
Main - Successfully loaded stage2
# python3 ./stage2.py preloader
Stage2 - Reading preloader...
Stage2
Stage2 - [LIB]: Error on getting data
Traceback (most recent call last):
  File "/home/user/Projects/kobo/mtkclient/./stage2.py", line 731, in <module>
    main()
  File "/home/user/Projects/kobo/mtkclient/./stage2.py", line 621, in main
    st2.preloader(start, length, filename=filename)
  File "/home/user/Projects/kobo/mtkclient/./stage2.py", line 205, in preloader
    if len(buffer) != 0x4000:
       ^^^^^^^^^^^
TypeError: object of type 'NoneType' has no len()
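Added example, not part of the original post or of mtkclient: the fdisk listing above is enough to locate each partition inside the copied mmcblk0 image and to list the unallocated sector ranges between partitions, which a dump review should not skip. The function names and the paths passed to `carve` are assumptions; the sector values are copied from the post.

```python
import re
SECTOR, FIRST_USABLE, LAST_USABLE = 512, 34, 30597086  # values and rows below: fdisk output in the post
FDISK_ROWS = """
1 1024 2047 512K bl2
2 2048 4095 1024K UBOOT
3 36864 38911 1024K nvram
4 38912 137215 48.0M boot_a
5 137216 145407 4096K tee_a
6 145408 147455 1024K hwcfg
7 147456 149503 1024K ntxfw
8 149504 169983 10.0M waveform
9 169984 268287 48.0M vendor
10 288768 2385919 1024M system_a
11 2385920 4483071 1024M recovery
12 4483072 30596991 12.4G userdata
"""
ROW = re.compile(r"^ *\d+ +(\d+) +(\d+) +\S+ +(\S+) *$", re.M)

def parse_rows(text=FDISK_ROWS):
    """Return [(name, first_sector, last_sector)] ordered by first sector."""
    rows = [(m[3], int(m[1]), int(m[2])) for m in ROW.finditer(text)]
    return sorted(rows, key=lambda r: r[1])

def extent(name, parts):
    """Byte (offset, length) of one partition inside the mmcblk0 image."""
    start, end = next((s, e) for n, s, e in parts if n == name)
    return start * SECTOR, (end - start + 1) * SECTOR

def gaps(parts, first=FIRST_USABLE, last=LAST_USABLE):
    """Unallocated sector ranges; a reversed or overlapping extent raises."""
    out, cursor = [], first
    for name, start, end in parts:
        if start < cursor or end < start:
            raise ValueError(f"bad extent for {name}")
        if start > cursor:
            out.append((cursor, start - 1))
        cursor = end + 1
    return out + ([(cursor, last)] if cursor <= last else [])

def carve(image_path, name, out_path, parts):
    """Copy one partition out of the image in 1 MiB chunks (hypothetical helper)."""
    offset, remaining = extent(name, parts)
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(offset)
        while remaining and (chunk := src.read(min(remaining, 1 << 20))):
            dst.write(chunk)
            remaining -= len(chunk)
    if remaining:
        raise EOFError(f"image ends inside {name}")
```

`gaps(parse_rows())` reports four unallocated ranges for this table, including the 32768 sectors between UBOOT and nvram.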