bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Weird Situation, Can't flash anything #201

Closed ghost closed 3 months ago

ghost commented 2 years ago

Hey, I got a really bad TCL phone. It is Treble compatible, so I can flash /system, but the weird thing is, I can only flash the system partition; anything else is blocked, and I get a message from fastboot that only the system partition can be flashed. The bootloader is already unlocked. I doubt that TCL used some special RO chip in this generic phone. I tried flashing the boot.img patched with Magisk; at first I thought Magisk wasn't working, but then I dumped the boot partition and it was the same as the stock one, so mtkclient didn't really flash it. I even tried to flash a modified lk.bin, same thing, no result.

Is it possible that even in BROM mode it is impossible to flash anything? I have no idea what might be happening here, so I ask for help.

bkerler commented 2 years ago

Seems your preloader is blocking writes to some partitions. You will need to patch your preloader.

ghost commented 2 years ago

Seems your preloader is blocking writes to some partitions. You will need to patch your preloader.

With the payload? I'm not sure what you mean by patching the preloader.

bkerler commented 2 years ago

When you flash using mtkclient, what error do you get? Can you try to run with --debugmode?

ghost commented 2 years ago

I don't get any error message.

ghost commented 2 years ago

When you flash using mtkclient, what error do you get? Can you try to run with --debugmode?

I tested printgpt with --debugmode: listout.txt

ghost commented 2 years ago

I don't know if it is a placebo effect or something. The first time I flashed the patched boot I rebooted the phone normally, with the power key (the reset command does not work). Flashing it now, it does not work; I don't know if I'm not waiting long enough to reboot or if flashing the patched boot now makes the phone go directly to download mode.

Theories: I have 2 boot partitions, boot and boot2; if one is broken the second one boots. As I have flashed both, the phone does not reboot. I have 2 lk partitions, so I might have flashed one while the other one boots.

The flashing of the image might work; the phone just does not boot it because of some verification.

bkerler commented 2 years ago

Does it use legacy or xflash mode? Yesterday I confirmed that xflash flashing works fine. Sometimes padding might be the issue; make sure you flash the same size as the flash partition if you are unsure.

ghost commented 2 years ago

Quite impossible, as the patched boot image is smaller because Magisk removes the unused space: the original image is 24 MB, the patched image is 7 MB. I don't know if it is legacy or xflash; I know I don't need a custom kernel or the LiveDVD thing to run it.

bkerler commented 2 years ago

Just fill the end with zeros so that the 7 MB file has the same size as the partition (24 MB), then try to flash; it should work.
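
The padding step above, written out as an added example (this is not mtkclient code and not something bkerler posted). It takes the partition size in bytes as reported by printgpt, refuses to truncate an image that is larger than its partition, pads with zero bytes as suggested, and also includes the check the reporter did by hand: dump the partition back after flashing and confirm it starts with the image you wrote. File names and the sample bytes are hypothetical.

```python
import sys


def pad_to_partition(image: bytes, part_size: int, fill: bytes = b"\0") -> bytes:
    """Return `image` padded with `fill` bytes up to exactly `part_size` bytes.

    An image larger than its partition is refused rather than truncated:
    silently cutting a boot image produces an unbootable partition.
    """
    if len(fill) != 1:
        raise ValueError("fill must be exactly one byte")
    if len(image) > part_size:
        raise ValueError(
            f"image is {len(image)} bytes but the partition is only {part_size} bytes"
        )
    return image + fill * (part_size - len(image))


def matches_dump(image: bytes, dump: bytes, fill: bytes = b"\0") -> bool:
    """True if a partition dump starts with `image` and the rest is only `fill`.

    This is the post-flash check: read the partition back (e.g. with
    mtkclient's read command) and compare against what was written.
    """
    if len(dump) < len(image):
        return False
    if dump[: len(image)] != image:
        return False
    tail = dump[len(image):]
    return tail == fill * len(tail)


def pad_file(src: str, dst: str, part_size: int) -> int:
    """Pad file `src` into `dst`; returns the number of bytes written."""
    with open(src, "rb") as f:
        data = f.read()
    out = pad_to_partition(data, part_size)
    with open(dst, "wb") as f:
        f.write(out)
    return len(out)


if __name__ == "__main__":
    # Usage (hypothetical paths): python pad.py boot_patched.img boot_padded.img 25165824
    if len(sys.argv) != 4:
        sys.exit("usage: pad.py <image> <output> <partition size in bytes>")
    print(pad_file(sys.argv[1], sys.argv[2], int(sys.argv[3])))
```

The partition size to pass is the byte length of the target partition from printgpt, not the size of the stock image file; the two are normally equal for a full dump but the partition is the authority. Zero fill matches the advice in this thread; some flash tools use 0xFF, so the `fill` argument is there to match whatever the stock dump shows after the image.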

bkerler commented 2 years ago

But be aware that Magisk has issues on some MTK devices and will fail to boot. Then you need to reflash stock boot and stock vbmeta and wipe metadata and userdata, otherwise the device won't boot due to a dm-verity failure.

ghost commented 2 years ago

I'm not sure how to add zeros to the end of the file. Also, my phone does not have vbmeta, and I don't think it has dm-verity; if it has, I disabled it long ago. If just adding zeroes would solve it, then I don't know why the patched lk.bin didn't work.

ghost commented 2 years ago

OK, I tried adding 000000 at the end of the file with a hex editor until the file had the same size as the original boot. I tried fastboot boot boot_patched.img but got nothing. Should I try flashing it? And are you sure this is safe?

ghost commented 2 years ago

At the end of the boot file (before the 0000000...) there's this line: "JRD_MD5_MARK_b96bee10681c7dd98fd3aa1bd1c5048d". This doesn't exist in the patched boot, as far as I have seen.

ghost commented 2 years ago

This JRD thing doesn't seem to be related. I think it's a mystery why this doesn't work.

bkerler commented 2 years ago

I think the JRD MD5 is related; it could be an additional MD5 hash over the whole boot image. Padding isn't an issue, just confirmed that.
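
A way to test that hypothesis on the stock dump, as an added example (not mtkclient code and not posted by anyone in this thread). It locates the JRD_MD5_MARK trailer, computes MD5 over the bytes that precede it, and reports whether the embedded digest matches. Which region the vendor actually hashes is unknown, so the check tries two candidates, everything before the marker and the same with trailing zero padding stripped; if neither matches, the hash covers something else and the trailer is not simply "MD5 of the image". The sample image built by `build_sample_image` is constructed for the demonstration and is not a real dump.

```python
import hashlib
import re
import sys

# Trailer as seen on the reporter's stock boot dump: "JRD_MD5_MARK_" followed by
# 32 hex characters. Assumption: the hex string is an MD5 digest.
MARK_RE = re.compile(rb"JRD_MD5_MARK_([0-9a-fA-F]{32})")


def find_jrd_mark(img: bytes):
    """Return (offset, lowercase hex digest) of the first trailer, or None."""
    m = MARK_RE.search(img)
    if m is None:
        return None
    return m.start(), m.group(1).decode().lower()


def check_jrd_md5(img: bytes) -> dict:
    """Compare the embedded digest against MD5 of candidate regions.

    Candidate regions (assumption, the real scheme is not documented here):
      before_marker        - every byte up to the start of the trailer
      before_marker_rstrip - the same region with trailing zero bytes removed
    """
    found = find_jrd_mark(img)
    if found is None:
        return {"present": False, "match": None, "matched_region": None}
    offset, embedded = found
    head = img[:offset]
    candidates = {
        "before_marker": hashlib.md5(head).hexdigest(),
        "before_marker_rstrip": hashlib.md5(head.rstrip(b"\0")).hexdigest(),
    }
    matched = [name for name, digest in candidates.items() if digest == embedded]
    return {
        "present": True,
        "offset": offset,
        "embedded": embedded,
        "candidates": candidates,
        "match": bool(matched),
        "matched_region": matched[0] if matched else None,
    }


def build_sample_image(payload: bytes, part_size: int) -> bytes:
    """Constructed sample (not a real dump): payload, trailer over payload, zero fill."""
    trailer = b"JRD_MD5_MARK_" + hashlib.md5(payload).hexdigest().encode()
    body = payload + trailer
    if len(body) > part_size:
        raise ValueError("payload plus trailer does not fit in the partition")
    return body + b"\0" * (part_size - len(body))


if __name__ == "__main__":
    # Usage (hypothetical path): python jrdcheck.py boot_stock.bin
    with open(sys.argv[1], "rb") as f:
        print(check_jrd_md5(f.read()))
```

If the stock dump reports a match for one of the regions, a patched image would need the trailer recomputed over the same region after patching before it could pass whatever checks it; if it reports no match, the digest is over a different region or a different input altogether and this trailer alone does not explain the behaviour.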

ghost commented 2 years ago

Any idea of a solution?

ghost commented 2 years ago

Using the GUI I got this from the debug page. I generated keys too:

```
[11:11:22]: Status: Waiting for PreLoader VCOM, please connect mobile
[11:12:24]:     CPU:            MT6739/MT6731()
[11:12:24]:     HW version:     0x0
[11:12:24]:     WDT:            0x10007000
[11:12:24]:     Uart:           0x11002000
[11:12:24]:     Brom payload addr:  0x100a00
[11:12:24]:     DA payload addr:    0x201000
[11:12:24]:     CQ_DMA addr:        0x10212000
[11:12:24]:     Var1:           0xb4
[11:12:24]: Disabling Watchdog...
[11:12:24]: HW code:            0x699
[11:12:24]: Target config:      0xe7
[11:12:24]:     SBC enabled:        True
[11:12:24]:     SLA enabled:        True
[11:12:24]:     DAA enabled:        True
[11:12:24]:     SWJTAG enabled:     True
[11:12:24]:     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
[11:12:24]:     Root cert required: False
[11:12:24]:     Mem read auth:      True
[11:12:24]:     Mem write auth:     True
[11:12:24]:     Cmd 0xC8 blocked:   True
[11:12:24]: Get Target info
[11:12:24]: BROM mode detected.
[11:12:24]:     HW subcode:     0x8a00
[11:12:24]:     HW Ver:         0xcb00
[11:12:24]:     SW Ver:         0x2
[11:12:24]: ME_ID:          E294B237E786623643B7BEAFA3AEF2EB
[11:12:24]: SOC_ID:         C344C2F5BA09B78E620D227290FE63FF33776B238B061AF2581932A99919A166
[11:12:26]: Loading payload from mt6739_payload.bin, 0x264 bytes
[11:12:26]: Kamakiri / DA Run
[11:12:26]: Trying kamakiri2..
[11:12:26]: Done sending payload...
[11:12:26]: Successfully sent payload: /home/danilo/git/mtkclient/mtkclient/payloads/mt6739_payload.bin
[11:12:26]: Device is protected.
[11:12:26]: Device is in BROM mode. Trying to dump preloader.
[11:12:27]: Jumping to 0x200000
[11:12:27]: Jumping to 0x200000: ok.
[11:12:57]: Generating keys
[11:12:58]: Keys generated!
```

ghost commented 2 years ago

(screenshot: 2022-01-02_759x202_scrot) At the flash page I get "Read, write and erase boot2". Does it mean I am using boot?

bkerler commented 2 years ago

Boot2 is a special partition and has nothing to do with the boot image. If you wipe or overwrite boot2 your device will be very much bricked, as it contains serials, DRM keys, etc. device config.

bkerler commented 2 years ago

If boot fails after writing, it means that the lk does some additional verification.

ghost commented 2 years ago

Well, these partitions are the same; I don't know where the verification is.

```
9f35ff14b1896418e369f051a6966d8439badf3e6d9f80c4112a494a156f1d36  lk2.bin
9f35ff14b1896418e369f051a6966d8439badf3e6d9f80c4112a494a156f1d36  lk.bin
b4834959bc889fed1abf3c45d5da0e384134386a4b2786cc5dbb9fe8fa853bbb  gz1.bin
b4834959bc889fed1abf3c45d5da0e384134386a4b2786cc5dbb9fe8fa853bbb  gz2.bin
c60f464c7d2dd194a40c5bb5a15f33d042eaeecb590cdd73a9c192c8243e62f5  boot2.bin
c60f464c7d2dd194a40c5bb5a15f33d042eaeecb590cdd73a9c192c8243e62f5  boot.bin
3f9117180051eddfe0a95c39d5f1824674ac48336bba6745b278c1a7104b688a  recovery1.bin
3f9117180051eddfe0a95c39d5f1824674ac48336bba6745b278c1a7104b688a  recovery.bin
15dae9a0797c1dea9473117fa8432bc05a68b5e7cc1173e8d70ce87a69796529  loader_ext1.bin
15dae9a0797c1dea9473117fa8432bc05a68b5e7cc1173e8d70ce87a69796529  loader_ext2.bin
```

ghost commented 2 years ago

https://source.android.com/security/verifiedboot/avb

"AVB's key features include ... a common footer format for signing partitions ..." Maybe the MD5 thing?

ghost commented 2 years ago

I found these posts about scripts to patch lk to disable verification. I wonder if it's possible to make something like that work on my phone: https://pythonrepo.com/repo/R0rt1z2-amazon-tethered-unlock-python-miscellaneous https://pythonawesome.com/a-python-script-to-disable-lk-verification-in-amazon-preloader-images-and-boot-recovery-image-verification-in-amazon-lk-images/

ghost commented 2 years ago

I flashed the patched boot.bin with 0000000... at the end to have the same size as the stock one and still got nothing.