bkerler
commented
2 years ago Sure, very simple. Just run "mtk brute" in order to dump the brom and upload it here ;)
Open mouseos opened 2 years ago
bkerler
commented
2 years ago Sure, very simple. Just run "mtk brute" in order to dump the brom and upload it here ;)
mouseos
commented
2 years ago The result of running mtk brute is shown below.
C:\Users\yuuma\Downloads\??????\android\tool\mtk\mtkclient>python mtk brute MTK Flash/Exploit Client V1.54 (c) B.Kerler 2018-2021
Main - Kamakiri / DA Bruteforce run PLTools - Kamakiri2 Run Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb . For preloader mode, don't press any hw button and connect usb.
...........
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb . For preloader mode, don't press any hw button and connect usb.
...........
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb . For preloader mode, don't press any hw button and connect usb.
.......
mouseos
commented
2 years ago mtk brute does not work at all, but other commands such as mtk logs seem to work halfway.
`yuuma@yuuma-G3-3590:~$ mtk logs MTK Flash/Exploit Client V1.54 (c) B.Kerler 2018-2021
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.
...........
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.
......Port - Device detected :)
Preloader - CPU: MT8168()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8168
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x100
Preloader - ME_ID:
Main - Getting target logs...
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/mtkclient-1.55-py3.8.egg/mtkclient/Library/mtk_main.py", line 522, in cmd_log
logs = mtk.preloader.get_brom_log_new()
File "/usr/local/lib/python3.8/dist-packages/mtkclient-1.55-py3.8.egg/mtkclient/Library/mtk_preloader.py", line 487, in get_brom_log_new
length = self.rdword()
File "/usr/local/lib/python3.8/dist-packages/mtkclient-1.55-py3.8.egg/mtkclient/Library/usblib.py", line 464, in rdword
data = unpack(rev + "I" * count, value)
struct.error: unpack requires a buffer of 4 bytes
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/mtk", line 4, in
mouseos
commented
2 years ago Thinking that my settings might be bad, I tried using Re Live DVD V3. The results are as follows
$mtk brute Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.
........Port - Device detected :) Preloader - Get Target info Mtk - We're not in bootrom, trying to crash da... PLTools - Crashing da... Preloader Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001) Preloader Preloader - [LIB]: Error on uploading da data Preloader - Jumping to 0x0 Preloader - Status: Waiting for PreLoader VCOM, please connect mobile Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying...
bkerler
commented
2 years ago You need to enter boot rom. This is done by pressing vol up + down on powering up the phone or by shorting meta pin or by grounding emmc dat0 on boot. If you have a amazon device, this is very likely fused and won't work. The brute utility should be fixed now.
mouseos
commented
2 years ago Device name is tab-a05-bd. It is made by sanyo (panasonic),and it used for education in japan. I have tried several key combinations.
1,Volume up + down + power=preloader 2,Volume up + plug in USB=preloader 3,Volume down + plug in USB=preloader 4,plug in USB=preloader 5,Ground some point.=preloader 6,Volume up + power=recovery 7,Volume down + power=Normal boot
mouseos
commented
2 years ago I was able to locate what I thought was dat0 and successfully entered the boot rom. However, mtk brute fails. Here is the log.
MTK Flash/Exploit Client V1.54 (c) B.Kerler 2018-2021
Main - Kamakiri / DA Bruteforce run
PLTools - Kamakiri2 Run
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
...........
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
...........
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
.....Port - Device detected :)
Preloader - Get Target info
Preloader - BROM mode detected.
Kamakiri - Bruteforce, testing 0x9900...
Kamakiri - Bruteforce, testing 0x9900...
Kamakiri - Bruteforce, testing 0x9900...
(omitted)
Kamakiri - Bruteforce, testing 0xd298...
Kamakiri - Bruteforce, testing 0xd29c...
Kamakiri - Bruteforce, testing 0xd2a0...
Please dis- and reconnect device to brom mode to continue ...
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
(omitted)
Kamakiri - Bruteforce, testing 0xfffc...
Please dis- and reconnect device to brom mode to continue ...
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
(omitted)
Kamakiri - Bruteforce, testing 0xfffc...
Please dis- and reconnect device to brom mode to continue ...
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
(omitted)
Kamakiri - Bruteforce, testing 0xfffc...
Please dis- and reconnect device to brom mode to continue ...
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
(omitted)
Kamakiri - Bruteforce, testing 0xfffc...
Please dis- and reconnect device to brom mode to continue ...
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
(repeated indefinitely)uart connection is now available. Please let me know if there is anything I can do to help.
mouseos
commented
2 years ago UART log
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒Pll init start...
INFRA_BUS_DCM_CTRL 5F7FE0
mtcmos Start..
before: WDT_SWSYSRST = 0x8000
after: WDT_SWSYSRST = 0x9000
P[PWRAP] si_en_sel = 0, si_ck_sel = 0, si_sample_ctrl = 0, rdata = 96A9
[PWRAP] si_en_sel = 0, si_ck_sel = 1, si_sample_ctrl = 20, rdata = 5AA5, Pass
[PWRAP] InitSiStrobe (6, 6, DA65) Data Boundary Is Found !!
[PWRAP] SI Strobe Calibration For PMIC 0 Done, (40, 6)
[PWRAP] Read Test pass, return_value=0x0
[PWRAP] Write Test pass
[PWRAP] RECORD_CMD0: 0x5C2 (Last one command addr)
[PWRAP] RECORD_WDATA0:0x1 (Last one command wdata)
[PWRAP] RECORD_CMD1: 0x5B4 (Last second command addr)
[PWRAP] RECORD_WDATA1:0x2000 (Last second command wdata)
[PWRAP] RECORD_CMD2: 0x15AA (Last third command addr)
[PWRAP] RECORD_WDATA2:0x30 (Last third command wdata)
[PWRAP] init pass, ret=0.
[PMIC]Preloader Start
[PMIC]MT6357 CHIP Code = 0x57, mrv=1
[PMIC]POWER_HOLD :0x1
[PMIC]TOP_RST_STATUS[0x152]=0x4F
[PMIC]PONSTS[0xC]=0x0
[PMIC]POFFSTS[0xE]=0x400
[PMIC]PGSTATUS0[0x14]=0xFFFE
[PMIC]PSOCSTATUS[0x16]=0x0
[PMIC]BUCK_OC_SDN_STATUS[0x1434]=0x0
[PMIC]BUCK_OC_SDN_EN[0x1444]=0x49F
[PMIC]THERMALSTATUS[0x18]=0x0
[PMIC]STRUP_CON4[0xA1C]=0x0
[PMIC]TOP_RST_MISC[0x14C]=0x204
[PMIC]TOP_CLK_TRIM[0x38E]=0x6AC0
latch VPROC 987500 uV
latch VSRAM_PROC 900000 uV
latch VSRAM_OTHERS 1050000 uV
latch VCORE 800000 uV
latch VMODEM 500000 uV
[pmic_check_rst] AP Watchdog
[PMIC]just_rst = 0
No EFUSE SW Load
[PMIC]pmic_wdt_set Reg[0x14C]=0x225
[rt5738_driver_probe]
[rt5738_hw_component_detect] mt6691_vdd2(0) exist = 1, Chip ID = 0
mt6691_vdd2_hw_init
[0x0]=0xA5 [0x1]=0xA5 [0x2]=0x92 [0x3]=0x0 [0x4]=0x0 [0x5]=0x81 [0x6]=0x63
[rt5738_driver_probe] PL g_rt5738_0_hw_exist=1, g_rt5738_driver_ready=1
register vs1 OK
register vmodem OK
register vcore OK
register vproc OK
register vpa OK
register vsram_others OK
register vsram_proc OK
register vdram OK
register vfe28 OK
[PMIC]Init done
ac 0,usb 1
[PLFM] Init PMIC: OK(0)
[PLFM] chip_ver[1]
[BLDR] Build Time: 20201104-090402
clk_buf_dump_dts_log: PMIC_CLK_BUF?_STATUS=2 1 1 2 0 1 1
clk_buf_dump_dts_log: PMIC_CLK_BUF?_DRV_CURR=-1 -1 -1 -1 -1 -1 -1
clk_buf_dump_clkbuf_log DCXO_CW00/02/11/13/14/15/16/20/top_spi_con1=0x4E1D 3AEE 8000 98E9 82B5 A2AA 9455 11 1
clk_buf_dump_clkbuf_log DCXO_CW00/02/11/13/14/15/16/20/top_spi_con1=0x4E1D 3AEE 8000 98E9 82B5 A2AA 9455 11 0
clk_buf_init_pmic_wrap: DCXO_CONN_ADR0/WDATA0/ADR1/WDATA1=0x44A/0/44A/1
clk_buf_init_pmic_wrap: DCXO_NFC_ADR0/WDATA0/ADR1/WDATA1/EN=0x78C/100/78A/100/3
[RTC] enable_dcxo first con = 0x486, osc32con = 0xDE6E, sec = 0x202A
[RTC] get_frequency_meter: input=0x0, ouput=5
[RTC] get_frequency_meter: input=0x0, ouput=0
[RTC] get_frequency_meter: input=0x0, ouput=0
[RTC] get_frequency_meter: input=0x0, ouput=5
[RTC] get_frequency_meter: input=0x0, ouput=3984
[RTC] rtc_boot_check1 powerkey1 = 0xA357, powerkey2 = 0x67D2, without LPD
[RTC] bbpu = 0x1, con = 0x486, osc32con = 0xDE6E, sec = 0x202A, yea = 0xC502
[RTC] rtc_boot_check2 powerkey1 = 0xA357, powerkey2 = 0x67D2
[RTC] rtc_boot_check Writeif_unlock
[RTC]switch to dcxo
[RTC] EOSC_Cali: RG_FQMTR_CKSEL=0x42
[RTC] get_frequency_meter: input=0xF, ouput=810
[RTC] EOSC_Cali: val=0x32A
[RTC] get_frequency_meter: input=0x7, ouput=700
[RTC] EOSC_Cali: val=0x2BC
[RTC] get_frequency_meter: input=0xB, ouput=756
[RTC] EOSC_Cali: val=0x2F4
[RTC] get_frequency_meter: input=0xD, ouput=783
[RTC] EOSC_Cali: val=0x30F
[RTC] get_frequency_meter: input=0xE, ouput=797
[RTC] EOSC_Cali: val=0x31D
[RTC] get_frequency_meter: input=0xD, ouput=783
[RTC] get_frequency_meter: input=0xE, ouput=797
[RTC] EOSC cali val = 0xDE4E
[RTC] RTC_SPAR0=0x0
[RTC] XO_XMODE_M = 1 , XO_EN32K_M = 1
[RTC] 32k-less mode
[RTC] rtc_2sec_reboot_check 0x202A, without 2sec reboot, type 0x0
[RTC] rtc 2sec reboot is not enabled
[RTC] rtc_lpd_init RTC_CON=0x486
[PMIC] pmic_init_setting end. v180413
[MT6357] 1 6,61
[MT6357] 1 2,45
[MT6357] 1 1,48
[MT6357] get volt 5, 61, 900000
vsram_others = 900000 uV
[MT6357] get volt 3, 45, 800000
vproc = 800000 uV
[MT6357] get volt 6, 61, 900000
vsram_proc = 900000 uV
[MT6357] get volt 2, 45, 800000
vcore = 800000 uV
[MT6357] get volt 1, 48, 800000
vmodem = 800000 uV
[MT6357] 2 6,1
[MT6357] 2 5,1
[MT6357] 2 3,1
[MT6357] 2 2,1
[RGU] EMI_DCS_SUCCESS 0
[RGU] DVFSRC_SUCCESS 0
[RGU] MODE: 0x4
[RGU] STA: 0x40000000
[RGU] LENGTH: 0xFFE0
[RGU] INTERVAL: 0xFFF
[RGU] SWSYSRST: 0x9000
[RGU] LATCH_CTL: 0xB871
[RGU] NONRST_REG2: 0x80000004
[RGU] DEBUG_CTL: 0x200F1
[RGU] g_rgu_status: 2 (0x2)
[RGU] mtk_wdt_mode_config mode value=10, tmp:22000010
[RGU] rst from: lk
[RGU] bypass pwrkey: NOT set
[RGU] mtk_wdt_reset_deglitch_enable: MTK_WDT_RSTDEG_EN1(8000A357), MTK_WDT_RSTDEG_EN2(800067D2)
[RGU] rgu_update_reg: 0, bits: 0xC000, addr: 0x10007040, val: 0x200F1
[RGU] rgu_update_reg: 0, bits: 0x100, addr: 0x100070A0, val: 0x2FF
[RGU] rgu_update_reg: 1, bits: 0x200, addr: 0x100070A0, val: 0x2FF
[RGU] mtk_wdt_init: MTK_WDT_DEBUG_CTL(0x200F1)
[RGU] mtk_wdt_init: MTK_WDT_DEBUG_CTL2(0x2FF)
[RGU] mtk_wdt_init: MTK_WDT_LATCH_CTL(0xB871)
[RGU] mtk_wdt_init: MTK_WDT_REQ_MODE(370032), MTK_WDT_REQ_IRQ_EN(3B0030)
Enter mtk_kpd_gpio_set!
after set KP enable: KP_SEL = 0x0 !
[RTC] irqsta = 0x0, pdn1 = 0x2000, pdn2 = 0x201, spar0 = 0x80, spar1 = 0x800
[RTC] new_spare0 = 0x4000, new_spare1 = 0x5001, new_spare2 = 0x1, new_spare3 = 0x1
[RTC] bbpu = 0x1, con = 0x486, cali = 0x202A, osc32con = 0xDE6E
[RTC] RTC_REBOOT_BOOTLOADER
[PLFM] WDT SW reboot (BOOTLOADER)!
[PMIC]POWER_HOLD :0x1
[RTC]rtc_lpsd_solution
[RTC]1st RTC_AL_MASK= 0x10
[RTC]2nd RTC_AL_MASK= 0x7F
[RTC]rtc_bbpu_power_on done
[PLFM] Init Boot Device: OK(0)
EMI_MPU_CTRL=0 1st
EMI_MPU_CTRL=0 2nd
[RGU] rgu_update_reg: 0, bits: 0x400, addr: 0x10007040, val: 0x200F1
[RGU] WDT DDR reserve mode FAIL! 200F1
[RGU] DDR RESERVE Success 0
[RGU] rgu_update_reg: 0, bits: 0x200, addr: 0x10007040, val: 0x200F1
[RGU] rgu_update_reg: 0, bits: 0x100, addr: 0x10007040, val: 0x200F1
[GPT_PL] startsec:0000000000001C00, partattr:0023785C1D062024..
[dramc] init partition address is 0x0000000000380000
init_dram:1660: init_dram Starting
[MT6357] 2 8,0
[MT6357] 2 7,0
[set_dram_voltage]set dram voltage done!!!
[MT6357] 1 2,25
[dramc]wdt_dbg_signal[0]=0x333F
[dramc]wdt_dbg_signal[1]=0x333F
[dramc] read off[2] = 6 1024
[FAST_K] DramcSave_Time_For_Cal_Init SHU2, femmc_Ready=1
[FAST_K] Bypass_RDDQC 1, Bypass_RXWINDOW=1, Bypass_TXWINDOW=1
[CH0][RK0][1600][CBT] Best CA Vref 18, Window Min 57 at CA4, Window Sum 348
[CH0][RK1][1600][CBT] Best CA Vref 18, Window Min 58 at CA4, Window Sum 356
[CH0][RK0][1600][TX] Best Vref 13, Window Min 25 at DQ6, Window Sum 420
[CH0][RK0][1600][RX] Best Vref 30, Window Min 49 at DQ8, Window Sum 850
[CH0][RK1][1600][TX] Best Vref 15, Window Min 25 at DQ14, Window Sum 426
[CH1][RK0][1600][CBT] Best CA Vref 18, Window Min 56 at CA4, Window Sum 349
[CH1][RK1][1600][CBT] Best CA Vref 18, Window Min 56 at CA4, Window Sum 349
[CH1][RK0][1600][TX] Best Vref 13, Window Min 25 at DQ13, Window Sum 429
[CH1][RK0][1600][RX] Best Vref 29, Window Min 52 at DQ10, Window Sum 883
[CH1][RK1][1600][TX] Best Vref 8, Window Min 25 at DQ14, Window Sum 426 [FAST_K] Bypass saving calibration result to emmc
[MT6357] 1 2,37
[dramc] read off[1] = 4 1024
[FAST_K] DramcSave_Time_For_Cal_Init SHU1, femmc_Ready=1
[FAST_K] Bypass_RDDQC 0, Bypass_RXWINDOW=0, Bypass_TXWINDOW=0
[CH0][RK0][2666][CBT] Best CA Vref 18, Window Min 52 at CA4, Window Sum 331
[CH0][RK1][2666][CBT] Best CA Vref 16, Window Min 53 at CA4, Window Sum 337
[CH0][RK0][2666][TX] Best Vref 12, Window Min 25 at DQ12, Window Sum 427
[CH0][RK0][2666][RX] Best Vref 14, Window Min 33 at DQ7, Window Sum 563
[CH0][RK1][2666][TX] Best Vref 12, Window Min 21 at DQ14, Window Sum 393
[CH1][RK0][2666][CBT] Best CA Vref 18, Window Min 52 at CA4, Window Sum 340
[CH1][RK1][2666][CBT] Best CA Vref 16, Window Min 51 at CA4, Window Sum 333
[CH1][RK0][2666][TX] Best Vref 10, Window Min 24 at DQ14, Window Sum 429
[CH1][RK0][2666][RX] Best Vref 14, Window Min 34 at DQ4, Window Sum 591
[CH1][RK1][2666][TX] Best Vref 10, Window Min 21 at DQ6, Window Sum 403 [FAST_K] Bypass saving calibration result to emmc
[MT6357] 1 2,45
[dramc] read off[0] = 2 1024
[FAST_K] DramcSave_Time_For_Cal_Init SHU0, femmc_Ready=1
[FAST_K] Bypass_RDDQC 0, Bypass_RXWINDOW=0, Bypass_TXWINDOW=0
[CH0][RK0][3200][CBT] Best CA Vref 18, Window Min 51 at CA4, Window Sum 327
[CH0][RK1][3200][CBT] Best CA Vref 16, Window Min 52 at CA4, Window Sum 328
[CH0][RK0][3200][TX] Best Vref 12, Window Min 19 at DQ14, Window Sum 352
[CH0][RK0][3200][RX] Best Vref 14, Window Min 29 at DQ1, Window Sum 490
[CH0][RK1][3200][TX] Best Vref 14, Window Min 19 at DQ14, Window Sum 357
[CH1][RK0][3200][CBT] Best CA Vref 18, Window Min 51 at CA4, Window Sum 331
[CH1][RK1][3200][CBT] Best CA Vref 16, Window Min 51 at CA4, Window Sum 329
[CH1][RK0][3200][TX] Best Vref 12, Window Min 20 at DQ3, Window Sum 364
[CH1][RK0][3200][RX] Best Vref 14, Window Min 31 at DQ4, Window Sum 524
[CH1][RK1][3200][TX] Best Vref 10, Window Min 19 at DQ6, Window Sum 363 [FAST_K] Bypass saving calibration result to emmc
[dramc_run_time_config]
TX_TRACKING: ON
RX_TRACKING: ON
HW_GATING: ON
HW_GATING DBG: OFF
DUMMY_READ_FOR_TRACKING: ON
ZQCS_ENABLE_LP4: ON
LOWPOWER_GOLDEN_SETTINGS(DCM): ON
DUMMY_READ_FOR_DQS_GATING_RETRY: OFF
IMPEDANCE_TRACKING: ON
TEMP_SENSOR: ON
PER_BANK_REFRESH: ON
HW_SAVE_FOR_SR: ON
SET_CKE_2_RANK_INDEPENDENT_RUN_TIME: ON
CLK_FREE_FUN_FOR_DRAMC_PSEL: ON
PA_IMPROVEMENT_FOR_DRAMC_ACTIVE_POWER: ON
Read ODT Tracking: ON
DQS Precalculation for DVFS: ON
Step1: Set DVFS HW enable
Step2: Set jump ratio
Step1: Set DVFS HW enable
Step2: Set jump ratio
=========================
[switch_dramc_voltage_to_auto_mode]switch dram voltage to auto mode done!!!
[Dram_Buffer] dram size: 0x0
[Dram_Buffer] dram_buf_t size: 0x180FC0
[Dram_Buffer] part_hdr_t size: 0x200
[Dram_Buffer] g_dram_buf start addr: 0x42000000
[Dram_Buffer] g_dram_buf->msdc_gpd_pool start addr: 0x42180E00
[Dram_Buffer] g_dram_buf->msdc_bd_pool start addr: 0x42180EC0
RAM_CONSOLE using DRAM
RAM_CONSOLE start: 0x54400000, size: 0x10000, sig: 0x43474244
RAM_CONSOLE preloader last status: 0x0 0x0 0x0
RAM_CONSOLE wdt status (0x2)=0x2
orig_dram_info[0] start: 0x0000000040000000, size: 0x0000000080000000
orig_dram_info[1] start: 0x00000000C0000000, size: 0x0000000080000000
CUSTOM_CONFIG_MAX_DRAM_SIZE: 0x0000000100000000
total_dram_size: 0x0000000100000000, max_dram_size: 0x0000000100000000
[GPT_PL]Parsing Primary GPT now...
[GPT_PL][0]name=proinfo, part_id=8, start_sect=0x400, nr_sects=0x1800
[GPT_PL][1]name=boot_para, part_id=8, start_sect=0x1C00, nr_sects=0x800
[GPT_PL][2]name=cam_vpu1, part_id=8, start_sect=0x2400, nr_sects=0x7800
[GPT_PL][3]name=cam_vpu2, part_id=8, start_sect=0x9C00, nr_sects=0x7800
[GPT_PL][4]name=cam_vpu3, part_id=8, start_sect=0x11400, nr_sects=0x7800
[GPT_PL][5]name=nvram, part_id=8, start_sect=0x18C00, nr_sects=0x2800
[GPT_PL][6]name=protect1, part_id=8, start_sect=0x1B400, nr_sects=0x5000
[GPT_PL][7]name=protect2, part_id=8, start_sect=0x20400, nr_sects=0x5000
[GPT_PL][8]name=persist, part_id=8, start_sect=0x25400, nr_sects=0x18000
[GPT_PL][9]name=nvcfg, part_id=8, start_sect=0x3D400, nr_sects=0x4000
[GPT_PL][10]name=seccfg, part_id=8, start_sect=0x41400, nr_sects=0x200
[GPT_PL][11]name=lk, part_id=8, start_sect=0x41600, nr_sects=0x800
[GPT_PL][12]name=lk2, part_id=8, start_sect=0x41E00, nr_sects=0x800
[GPT_PL][13]name=boot, part_id=8, start_sect=0x42600, nr_sects=0x8000
[GPT_PL][14]name=recovery, part_id=8, start_sect=0x4A600, nr_sects=0x8000
[GPT_PL][15]name=para, part_id=8, start_sect=0x52600, nr_sects=0x400
[GPT_PL][16]name=logo, part_id=8, start_sect=0x52A00, nr_sects=0x4000
[GPT_PL][17]name=dtbo, part_id=8, start_sect=0x56A00, nr_sects=0x4000
[GPT_PL][18]name=expdb, part_id=8, start_sect=0x5AA00, nr_sects=0x5000
[GPT_PL][19]name=frp, part_id=8, start_sect=0x5FA00, nr_sects=0x800
[GPT_PL][20]name=nvdata, part_id=8, start_sect=0x60200, nr_sects=0x10000
[GPT_PL][21]name=tee1, part_id=8, start_sect=0x70200, nr_sects=0x2800
[GPT_PL][22]name=tee2, part_id=8, start_sect=0x72A00, nr_sects=0x2800
[GPT_PL][23]name=kb, part_id=8, start_sect=0x75200, nr_sects=0x1000
[GPT_PL][24]name=dkb, part_id=8, start_sect=0x76200, nr_sects=0x1000
[GPT_PL][25]name=metadata, part_id=8, start_sect=0x77200, nr_sects=0x10000
[GPT_PL][26]name=vbmeta, part_id=8, start_sect=0x87200, nr_sects=0x5A00
[GPT_PL][27]name=system, part_id=8, start_sect=0x8CC00, nr_sects=0x2A2000
[GPT_PL][28]name=vendor, part_id=8, start_sect=0x32EC00, nr_sects=0xC8000
[GPT_PL][29]name=factory, part_id=8, start_sect=0x3F6C00, nr_sects=0x8000
[GPT_PL][30]name=cache, part_id=8, start_sect=0x3FEC00, nr_sects=0x200000
[GPT_PL][31]name=userdata, part_id=8, start_sect=0x5FEC00, nr_sects=0x17203DF
[GPT_PL][32]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][33]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][34]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][35]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][36]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][37]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][38]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][39]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][40]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][41]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][42]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][43]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][44]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][45]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][46]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][47]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][48]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][49]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][50]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][51]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][52]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][53]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][54]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][55]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][56]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][57]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][58]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][59]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][60]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][61]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][62]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][63]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][64]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][65]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][66]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][67]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][68]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][69]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][70]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][71]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][72]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][73]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][74]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][75]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][76]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][77]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][78]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][79]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][80]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][81]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][82]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][83]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][84]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][85]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][86]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][87]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][88]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][89]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][90]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][91]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][92]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][93]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][94]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][95]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][96]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][97]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][98]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][99]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][100]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][101]name=, part_id=8, start_sect=0x0, nr_sects=0x1
[GPT_PL][102]name=, part_id=8, start_
chr type: 1
[PLFM] USB cable in
[TOOL] USB enum timeout (Yes), handshake timeout(Yes)
[TOOL] Enumeration(Start)
HS is detected
[TOOL] Enumeration(End): OK 488ms
[TOOL] : usb listen timeout
[TOOL] <USB> cannot detect tools!
Device APC domain init setup:
Domain Setup Infra (0x33333333),(0x30333333),(0x32333333),(0x33333333)
Device APC: sec_init Infra MAS_SEC_0=0x20
[BLDR] check active part. of lk and lk2
[BLDR] lk active = 0, lk2 active = 0
[BLDR] Loading lk Partition...
[PART] partition name = lk
[LIB] S-CHIP
[SEC_POLICY] sboot_state = 0x1
[SEC_POLICY] lock_state = 0x4
[PART] img_auth_required = 1
[PART] partition hdr (1)
[PART] Image with part header
[PART] name : lk
[PART] addr : FFFFFFFFh mode : -1
[PART] size : 541612
[PART] magic: 58881688h
sbc_en = 1
sbc_en = 1
[SBC] cert verify, part = lk, img = lk...ok
[PART] part: lk img: lk cert vfy(135 ms)
[PART] load "lk" from 0x00000000082C0200 (dev) to 0x56000000 (mem) [SUCCESS]
[PART] load speed: 35260KB/s, 541612 bytes, 15ms
[PART] img vfy...[SBC] img auth ok
ok
[PART] part: lk img: lk vfy(43 ms)
[BLDR] check active part. of tee1 and tee2
[BLDR] tee1 active = 0, tee2 active = 0
[BLDR] Loading tee1 Partition...
[PART] partition name = tee1
[LIB] S-CHIP
[SEC_POLICY] sboot_state = 0x1
[SEC_POLICY] lock_state = 0x4
[PART] img_auth_required = 1
[PART] partition hdr (1)
[PART] Image with part header
[PART] name : atf
[PART] addr : FFFFFFFFh mode : 0
[PART] size : 123392
[PART] magic: 58881688h
sbc_en = 1
sbc_en = 1
[SBC] cert verify, part = tee1, img = atf...ok
[PART] part: tee1 img: atf cert vfy(132 ms)
[PART] load "tee1" from 0x000000000E040200 (dev) to 0x54601000 (mem) [SUCCESS]
[PART] load speed: 30125KB/s, 123392 bytes, 4ms
[PART] img vfy...[SBC] img auth ok
ok
[PART] part: tee1 img: atf vfy(10 ms)
[BLDR_MTEE] sha256 takes 0 (ms) for 122816 bytes
[BLDR_MTEE] rsa2048 takes 57 (ms)
[BLDR_MTEE] verify pkcs#1 pss takes 0 (ms)
[BLDR_MTEE] aes128cbc takes 1 (ms) for 122816
[PART] partition name = tee1
[LIB] S-CHIP
[SEC_POLICY] sboot_state = 0x1
[SEC_POLICY] lock_state = 0x4
[PART] img_auth_required = 1
[PART] partition hdr (1)
[PART] Image with part header
[PART] name : tee
[PART] addr : 600000h mode : 0
[PART] size : 2440192
[PART] magic: 58881688h
sbc_en = 1
sbc_en = 1
[SBC] cert verify, part = tee1, img = tee...ok
[PART] part: tee1 img: tee cert vfy(146 ms)
mblock[0].start: 0x0000000040000000, sz: 0x000000003FFC0000, limit: 0x0000000100000000, max_addr: 0x0000000000000000, target: -1, reserved_addr: 0x000000007F980000,reserved_size: 0x0000000000640000
mblock_reserve dbg[0]: 1, 1, 1, 1
mblock[1].start: 0x0000000080000000, sz: 0x0000000040000000, limit: 0x0000000100000000, max_addr: 0x000000007FFC0000, target: 0, reserved_addr: 0x00000000BF9C0000,reserved_size: 0x0000000000640000
mblock_reserve dbg[1]: 1, 1, 1, 1
mblock[2].start: 0x00000000C0000000, sz: 0x0000000080000000, limit: 0x0000000100000000, max_addr: 0x00000000C0000000, target: 1, reserved_addr: 0x00000000FF9C0000,reserved_size: 0x0000000000640000
mblock_reserve dbg[2]: 1, 1, 1, 1
mblock[2]: 00000000C0000000, 000000003F9C0000 from mblock
mblock[3]: 0000000100000000, 0000000040000000 from mblock
mblock_reserve: 00000000FF9C0000 - 0000000100000000 from mblock 2
mblock_reserve[0].start: 0x0000000040000000, sz: 0x000000003FFC0000
mblock_reserve[1].start: 0x0000000080000000, sz: 0x0000000040000000
mblock_reserve[2].start: 0x00000000C0000000, sz: 0x000000003F9C0000
mblock_reserve[3].start: 0x0000000100000000, sz: 0x0000000040000000
mblock_reserve-R[0].start: 0x000000007FFC0000, sz: 0x0000000000040000 map:1 name:log_store
mblock_reserve-R[1].start: 0x00000000FF9C0000, sz: 0x0000000000640000 map:0 name:tee
[PART] load "tee1" from 0x000000000E05F470 (dev) to 0xFFA00000 (mem) [SUCCESS]
[PART] load speed: 41806KB/s, 2440192 bytes, 57ms
[PART] img vfy...[SBC] img auth ok
ok
[PART] part: tee1 img: tee vfy(189 ms)
[BLDR_MTEE] sha256 takes 12 (ms) for 2439616 bytes
[BLDR_MTEE] rsa2048 takes 57 (ms)
[BLDR_MTEE] verify pkcs#1 pss takes 0 (ms)
[BLDR_MTEE] aes128cbc takes 14 (ms) for 2439616
[TZ_INIT] TEE start entry : 0xFFA00000
[TZ_INIT] MEID : 0xC5, 0xFE, 0xD2, 0xA8
[TZ_INIT] MEID : 0xEE, 0xD9, 0x5D, 0x10
[TZ_INIT] MEID : 0xE7, 0x2C, 0xC1, 0xD6
[TZ_INIT] MEID : 0x47, 0x65, 0xFB, 0xD8
[BLDR] bldr load tee part ret=0x0, addr=0x54601000
[BLDR] part_load_raw_part ret=0x0
[BLDR] part_load_images ret=0x0
[BLDR] - wdt_rpmb_program_mode MTK_WDT_NONRST_REG2: 60000004
[PICACHU]start_picachu
[PICACHU] dram_rank_size[0] = 0x0000000080000000
[PICACHU] dram_rank_size[1] = 0x0000000080000000
[PICACHU] before modify dram_size = 0x0000000100000000
[PICACHU] CFG_DRAM_ADDR = 0x40000000
[PICACHU] after modify dram_size = 0x00000000BF000000
[PICACHU] pi_dram_log_addr max address = 0xFF000000
mblock[0].start: 0x0000000040000000, sz: 0x000000003FFC0000, limit: 0x00000000FF000000, max_addr: 0x0000000000000000, target: -1, reserved_addr: 0x000000007FE00000,reserved_size: 0x0000000000100000
mblock_reserve dbg[0]: 1, 1, 1, 1
mblock[1].start: 0x0000000080000000, sz: 0x0000000040000000, limit: 0x00000000FF000000, max_addr: 0x000000007FFC0000, target: 0, reserved_addr: 0x00000000BFF00000,reserved_size: 0x0000000000100000
mblock_reserve dbg[1]: 1, 1, 1, 1
mblock[2].start: 0x00000000C0000000, sz: 0x000000003F9C0000, limit: 0x00000000FF000000, max_addr: 0x00000000C0000000, target: 1, reserved_addr: 0x00000000FEF00000,reserved_size: 0x0000000000100000
mblock_reserve dbg[2]: 1, 1, 1, 1
mblock[3].start: 0x0000000100000000, sz: 0x0000000040000000, limit: 0x00000000FF000000, max_addr: 0x00000000FF9C0000, target: 2, reserved_addr: 0x00000000FEF00000,reserved_size: 0x0000000000100000
mblock_reserve dbg[3]: 1, 0, 1, 1
mblock[2]: 00000000C0000000, 000000003EF00000 from mblock
mblock[3]: 00000000FF000000, 00000000009C0000 from mblock
mblock_reserve: 00000000FEF00000 - 00000000FF000000 from mblock 2
mblock_reserve[0].start: 0x0000000040000000, sz: 0x000000003FFC0000
mblock_reserve[1].start: 0x0000000080000000, sz: 0x0000000040000000
mblock_reserve[2].start: 0x00000000C0000000, sz: 0x000000003EF00000
mblock_reserve[3].start: 0x00000000FF000000, sz: 0x00000000009C0000
mblock_reserve[4].start: 0x0000000100000000, sz: 0x0000000040000000
mblock_reserve-R[0].start: 0x000000007FFC0000, sz: 0x0000000000040000 map:1 name:log_store
mblock_reserve-R[1].start: 0x00000000FF9C0000, sz: 0x0000000000640000 map:0 name:tee
mblock_reserve-R[2].start: 0x00000000FEF00000, sz: 0x0000000000100000 map:0 name:PICACHU
[pmic_get_auxadc_value] reg_val = 0x60F2, adc_result = 4089
[DOE_ENV] No doconfig setting
[DOE_ENV]read_env_area fail, ret = -1
[DOE_ENV]get_env PICACHU_DOE
[PICACHU] L Freq: 2001
[PLFM],64S3,boot_opt=0x0
[PLFM],32N2,boot_opt=0x6
[PLFM],64N2,boot_opt=0x4
lastpc[0][0] = 0
lastpc[0][1] = 0
lastpc[0][2] = 0
lastpc[0][3] = 0
lastpc[0][4] = 0
lastpc[0][5] = 0
lastpc[0][6] = 0
lastpc[0][7] = 0
lastpc[1][0] = 0
lastpc[1][1] = 0
lastpc[1][2] = 0
lastpc[1][3] = 0
lastpc[1][4] = 0
lastpc[1][5] = 0
lastpc[1][6] = 0
lastpc[1][7] = 0
lastpc[2][0] = 0
lastpc[2][1] = 0
lastpc[2][2] = 0
lastpc[2][3] = 0
lastpc[2][4] = 0
lastpc[2][5] = 0
lastpc[2][6] = 0
lastpc[2][7] = 0
lastpc[3][0] = 0
lastpc[3][1] = 0
lastpc[3][2] = 0
lastpc[3][3] = 0
lastpc[3][4] = 0
lastpc[3][5] = 0
lastpc[3][6] = 0
lastpc[3][7] = 0
[PLFM] boot to LK by ATAG.
PL_VERSION = 0.1.00
[mt_charger_type_detection] Got data !!, 1
emmc ocr = 0xC0FF8080
emmc cid: 0x15010041 0x4A544434 0x5206436A 0xBCE0A76F
emmc csd: 0xD0270132 0xF5903FF 0xF6DBFFEF 0x8E40400D
RAM_CONSOLE. wdt_status 0x2, fiq_step 0x0, exp_type 0x0
BOOT_REASON: 14
BOOT_MODE: 0
META_COM TYPE: 0
META_COM ID: 0
META_COM PORT: 285224960
LOG_COM PORT: 285220864
LOG_COM BAUD: 921600
LOG_COM EN: 1
LOG_COM SWITCH: 1
MEM_NUM: 2
MEM_SIZE: 0x3FFC0000
MEM_SIZE: 0x40000000
mblock num: 0x5
mblock start: 0x0000000040000000
mblock size: 0x000000003FFC0000
mblock rank: 0x0
mblock start: 0x0000000080000000
mblock size: 0x0000000040000000
mblock rank: 0x0
mblock start: 0x00000000C0000000
mblock size: 0x000000003EF00000
mblock rank: 0x1
mblock start: 0x00000000FF000000
mblock size: 0x00000000009C0000
mblock rank: 0x1
orig_dram num: 0x2
orig_dram start: 0x0000000040000000
orig_dram size: 0x0000000080000000
orig_dram start: 0x00000000C0000000
orig_dram size: 0x0000000080000000
orig_dram start: 0x0000000000000000
orig_dram size: 0x0000000000000000
orig_dram start: 0x0000000000000000
orig_dram size: 0x0000000000000000
lca start: 0x0000000000000000
lca size: 0x0000000000000000
tee start: 0x00000000FF9C0000
tee size: 0x0000000000040000
MD_INFO: 0x0
MD_INFO: 0x0
MD_INFO: 0xFF
MD_INFO: 0xFF
BOOT_TIME: 5888
DA_INFO: 0xFFFFFFFF
DA_INFO: 0xFFFFFFFF
DA_INFO: 0xFFFFFFFF
DA_INFO: 0xFFFFFFFF
DA_INFO: 0xFFFFFFFF
SEC_INFO: 0xFFFFFFFF
SEC_INFO: 0xFFFFFFFF
PART_NUM: 3
PART_INFO: 0x42058A24
EFLAG: 0
DDR_RESERVE: 0
DDR_RESERVE: 0
DDR_RESERVE: 0
DRAM_BUF: 1576896
SMC: 0x0
SMC: 0x6
SMC: 0x4
SRAM satrt: 0x111D00
SRAM size: 0x300
PLAT_DBG_INFO key: 0x0
PLAT_DBG_INFO base: 0x0
PLAT_DBG_INFO size: 0x0
PLAT_DBG_INFO key: 0x0
PLAT_DBG_INFO base: 0x0
PLAT_DBG_INFO size: 0x0
PLAT_DBG_INFO key: 0xDB45
PLAT_DBG_INFO base: 0x111E0C
PLAT_DBG_INFO size: 0x10
[TZ_INIT] hwuid[0] : 0xA8D2FEC5
[TZ_INIT] hwuid[1] : 0x105DD9EE
[TZ_INIT] hwuid[2] : 0xD6C12CE7
[TZ_INIT] hwuid[3] : 0xD8FB6547
[TZ_INIT] HRID[0] : 0xA2A0D71F
[TZ_INIT] HRID[1] : 0x804C73ED
[TZ_INIT] atf_log_port : 0x11002000
[TZ_INIT] atf_log_baudrate : 0xE1000
[TZ_INIT] atf_irq_num : 281
[TZ_INIT] ATF log buffer start : 0xFF9C0000
[TZ_INIT] ATF log buffer size : 0x40000
[TZ_INIT] ATF aee buffer start : 0xFF9FC000
[TZ_INIT] ATF aee buffer size : 0x4000
Device APC: sec_postinit Infra MAS_SEC_0=0x0
[BLDR] Others, jump to ATF
[BLDR] jump to 0x56000000
[BLDR] <0x56000000>=0xEA000007
[BLDR] <0x56000004>=0xEA007FC7
RAM_CONSOLE. wdt_status 0x2, fiq_step 0x0, exp_type 0x0
[TZ_SEC_CFG] SRAMROM Secure Addr 0x10011C00
[TZ_SEC_CFG] SRAMROM Secure Addr 1 0x30000
[TZ_SEC_CFG] SRAMROM Secure Addr 2 0x38000
[TZ_SEC_CFG] SRAMROM Secure Control 2 0xB680000
[TZ_SEC_CFG] SRAMROM Secure Control 5 0xB690000
[TZ_SEC_CFG] SRAMROM Secure Control 6 0xB690000
[TZ_SEC_CFG] SRAMROM Secure Control 0xC0000B69
MPU [LOCK
[TZ_EMI_MPU] MPU [0xFFA00000-0xFFFFFFFF]
[TZ_INIT] set secure memory protection : 0xFFA00000, 0xFFFFFFFF (OPT)
MPU [LOCK
[TZ_EMI_MPU] MPU [0x54600000-0x5462FFFF]
[TZ_INIT] set secure memory protection : 0x54600000, 0x5462FFFF
[TZ_INIT] Jump to ATF, then 0xFFA00000 and 0x56000000
INFO: [ATF](0)[6.025173]log_enable:1
INFO: [ATF](0)[6.025613]atf_log_port:0x11002000
INFO: [ATF](0)[6.026173]BOOT_REASON: 14
INFO: [ATF](0)[6.026647]IS_ABNORMAL_BOOT: 0
INFO: [ATF](0)[6.027164]CPUxGPT reg(0)
INFO: [ATF](0)[6.027627][systimer] CNTCR_REG(0x505)
INFO: [ATF](0)[6.028230]Secondary bootloader is AArch32
INFO: [ATF](0)[6.028876]bl31_plat_arch_setup()
INFO: [ATF](0)[6.029425]mmap atf buffer : 0xff9c0000, 0x40000
[ATF](0)[6.030582]mmap:
[ATF](0)[6.030841] VA:0x10f000 PA:0x10f000 size:0x2000 attr:0x8 granularity:0x40000000
[ATF](0)[6.031832] VA:0x11d000 PA:0x11d000 size:0x1000 attr:0x18 granularity:0x40000000
[ATF](0)[6.032833] VA:0xc000000 PA:0xc000000 size:0x600000 attr:0x8 granularity:0x40000000
[ATF](0)[6.033867] VA:0x10006000 PA:0x10006000 size:0x100000 attr:0x8 granularity:0x40000000
[ATF](0)[6.034922] VA:0x10000000 PA:0x10000000 size:0x400000 attr:0x8 granularity:0x40000000
[ATF](0)[6.035978] VA:0x10400000 PA:0x10400000 size:0x50000 attr:0x8 granularity:0x40000000
[ATF](0)[6.037023] VA:0x10480000 PA:0x10480000 size:0x10000 attr:0x8 granularity:0x40000000
[ATF](0)[6.038067] VA:0x11000000 PA:0x11000000 size:0x4000000 attr:0x8 granularity:0x40000000
[ATF](0)[6.039133] VA:0x54601000 PA:0x54601000 size:0x1c000 attr 0x5f900000, sz: 0x206c0000
[206] mblock_reserve [4].start: 0x80000000, sz: 0x40000000
[206] mblock_reserve [5].start: 0xc0000000, sz: 0x3ef00000
[207] mblock_reserve [6].start: 0xff000000, sz: 0x9c0000
[208] mblock_reserve [7].start: 0x100000000, sz: 0x40000000
[208] mblock_reserve-R[0].start: 0x7ffc0000, sz: 0x40000 map:1 name:log_store
[209] mblock_reserve-R[1].start: 0xff9c0000, sz: 0x640000 map:0 name:tee
[210] mblock_reserve-R[2].start: 0xfef00000, sz: 0x100000 map:0 name:PICACHU
[211] mblock_reserve-R[3].start: 0x56000000, sz: 0x400000 map:0 name:lk_addr_mb
[212] mblock_reserve-R[4].start: 0x56900000, sz: 0x9000000 map:0 name:scratch_addr_mb
[213] mblock_reserve-R[5].start: 0x54000000, sz: 0x80000 map:0 name:dtb_kernel_addr_mb
[214] mblock[0].start: 0x40000000, sz: 0x14000000, limit: 0x4c880000, max_addr: 0x0, target: -1, reserved_addr: 0x40080000,reserved_size: 0xc800000
[215] mblock_reserve dbg[0]: 1, 1, 1, 1
[216] mblock[1].start: 0x54080000, sz: 0x1f80000, limit: 0x4c880000, max_addr: 0x54000000, target: 0, reserved_addr: 0x40080000,reserved_size: 0xc800000
[217] mblock_reserve dbg[1]: 1, 0, 1, 1
[218] mblock[2].start: 0x56400000, sz: 0x500000, limit: 0x4c880000, max_addr: 0x54000000, target: 0, reserved_addr: 0x40080000,reserved_size: 0xc800000
[219] mblock_reserve dbg[2]: 1, 0, 1, 1
[220] mblock[3].start: 0x5f900000, sz: 0x206c0000, limit: 0x4c880000, max_addr: 0x54000000, target: 0, reserved_addr: 0x40080000,reserved_size: 0xc800000
[222] mblock_reserve dbg[3]: 1, 0, 1, 1
[222] mblock[4].start: 0x80000000, sz: 0x40000000, limit: 0x4c880000, max_addr: 0x54000000, target: 0, reserved_addr: 0x40080000,reserved_size: 0xc800000
[224] mblock_reserve dbg[4]: 1, 0, 1, 1
[224] mblock[5].start: 0xc0000000, sz: 0x3ef00000, limit: 0x4c880000, max_addr: 0x54000000, target: 0, reserved_addr: 0x40080000,reserved_size: 0xc800000
[226] mblock_reserve dbg[5]: 1, 0, 1, 1
[226] mblock[6].start: 0xff000000, sz: 0x9c0000, limit: 0x4c880000, max_addr: 0x54000000, target: 0, reserved_addr: 0x40080000,reserved_size: 0xc800000
[228] mblock_reserve dbg[6]: 1, 0, 1, 1
[228] mblock[7].start: 0x100000000, sz: 0x40000000, limit: 0x4c880000, max_addr: 0x54000000, target: 0, reserved_addr: 0x40080000,reserved_size: 0xc800000
[230] mblock_reserve dbg[7]: 1, 0, 1, 1
[230] mblock[0]: 40000000, 80000 from mblock
mblock[1]: 4c880000, 7780000 from mblock
[231] mblock_reserve: 40080000 - 4c880000 from mblock 0
[232] mblock_reserve [0].start: 0x40000000, sz: 0x80000
[233] mblock_reserve [1].start: 0x4c880000, sz: 0x7780000
[233] mblock_reserve [2].start: 0x54080000, sz: 0x1f80000
[234] mblock_reserve [3].start: 0x56400000, sz: 0x500000
[235] mblock_reserve [4].start: 0x5f900000, sz: 0x206c0000
[235] mblock_reserve [5].start: 0x80000000, sz: 0x40000000
[236] mblock_reserve [6].start: 0xc0000000, sz: 0x3ef00000
[237] mblock_reserve [7].start: 0xff000000, sz: 0x9c0000
[237] mblock_reserve [8].start: 0x100000000, sz: 0x40000000
[238] mblock_reserve-R[0].start: 0x7ffc0000, sz: 0x40000 map:1 name:log_store
[239] mblock_reserve-R[1].start: 0xff9c0000, sz: 0x640000 map:0 name:tee
[240] mblock_reserve-R[2].start: 0xfef00000, sz: 0x100000 map:0 name:PICACHU
[240] mblock_reserve-R[3].start: 0x56000000, sz: 0x400000 map:0 name:lk_addr_mb
[241] mblock_reserve-R[4].start: 0x56900000, sz: 0x9000000 map:0 name:scratch_addr_mb
[242] mblock_reserve-R[5].start: 0x54000000, sz: 0x80000 map:0 name:dtb_kernel_addr_mb
[243] mblock_reserve-R[6].start: 0x40080000, sz: 0xc800000 map:0 name:kernel_addr_mb
[244] mblock[0].start: 0x40000000, sz: 0x80000, limit: 0x56000000, max_addr: 0x0, target: -1, reserved_addr: 0x3f080000,reserved_size: 0x1000000
[246] mblock_reserve dbg[0]: 1, 0, 1, 1
[246] mblock[1].start: 0x4c880000, sz: 0x7780000, limit: 0x56000000, max_addr: 0x0, target: -1, reserved_addr: 0x53000000,reserved_size: 0x1000000
[248] mblock_reserve
[595] config color dirty = 0
[595] config ccorr dirty = 0
[595] config aal dirty = 0
[596] config gamma dirty = 0
[596] config dither dirty = 0
[596] disp_dither_bypass(bypass = 1)[597] config color dirty = 0
[597] config ccorr dirty = 0
[597] config aal dirty = 0
[598] config gamma dirty = 0
[598] config dither dirty = 0
[598] disp_dither_bypass(bypass = 1)[599] [lk logo: mt_disp_fill_rect 289]
[599] [lk logo: init_fb_screen 59]
[600] mt_get_logo_db_addr: 0x5e900000
[600] [lk logo: init_fb_screen 77]MTK_LCM_PHYSICAL_ROTATION = 270
[601] [lk logo: sync_anim_version 42]
[601] [lk logo: init_fb_screen 100]pinfo[0]=0x0000002a, pinfo[1]=0x00189e3a, pinfo[2]=176
[602] [lk logo: init_fb_screen 102]define ANIMATION_NEW:show new animation with capacity num
[603] [lk logo: init_fb_screen 103]CAPACITY_LEFT =172, CAPACITY_TOP =330
[604] [lk logo: init_fb_screen 104]LCM_HEIGHT=307, LCM_WIDTH=546
[605] [show_logo_common: fill_rect_with_color_by_32bit 388]
[675] fb dump: 0x00000000, 0x00000000, 0x00000000, 0x00000000
[677] ovl start done idx = 0, addr = 0x1400b00c
[677] ovl start done addr0 = 0x1000
[678] ovl start done addr1 = 0x0
[678] ovl start done addr2 = 0x1400b00c
[679] ovl start done addr3 = 0x1400b00c
[679] ovl start done addr4 = 0x1400b00c
[680] s_mt65xx_gd.gdfIndex=3[680] mt_get_logo_db_addr_pa: 0x5e900000
[680] [PART_LK][get_part] logo
[681] [PART_LK][get_part] logo
[681]
=========================================
[682] [LK_BOOT] logo magic number : 0x58881688
[682] [LK_BOOT] logo name : logo
[683] [LK_BOOT] logo size : 1613370
[683] =========================================
SMART RESET: FALSE
rst from: lk
kedump mini start
kedump: current time: [2010/1/1 0:5:36]
kedump: ddr reserve mode disabled
kedump: ddr reserve mode failed
[692] mblock[0].start: 0x40000000, sz: 0x80000, limit: 0xc0000000, max_addr: 0x0, target: -1, reserved_addr: 0x40000000,reserved_size: 0x80000
[693] mblock_reserve dbg[0]: 1, 1, 1, 1
[694] mblock[1].start: 0x4c880000, sz: 0x7780000, limit: 0xc0000000, max_addr: 0x40080000, target: 0, reserved_addr: 0x53f80000,reserved_size: 0x80000
[695] mblock_reserve dbg[1]: 1, 1, 1, 1
[696] mblock[2].start: 0x54080000, sz: 0xf80000, limit: 0xc0000000, max_addr: 0x54000000, target: 1, reserved_addr: 0x54f80000,reserved_size: 0x80000
[698] mblock_reserve dbg[2]: 1, 1, 1, 1
[698] mblock[3].start: 0x56400000, sz: 0x500000, limit: 0xc0000000, max_addr: 0x55000000, target: 2, reserved_addr: 0x56880000,reserved_size: 0x80000
[700] mblock_reserve dbg[3]: 1, 1, 1, 1
[700] mblock[4].start: 0x5f900000, sz: 0x1c1e0000, limit: 0xc0000000, max_addr: 0x56900000, target: 3, reserved_addr: 0x7ba60000,reserved_size: 0x80000
[702] mblock_reserve dbg[4]: 1, 1, 1, 1
[702] mblock[5].start: 0x7da00000, sz: 0x25c0000, limit: 0xc0000000, max_addr: 0x7bae0000, target: 4, reserved_addr: 0x7ff40000,reserved_size: 0x80000
[704] mblock_reserve dbg[5]: 1, 1, 1, 1
[704] mblock[6].start: 0x80000000, sz: 0x40000000, limit: 0xc0000000, max_addr: 0x7ffc0000, target: 5, reserved_addr: 0xbff80000,reserved_size: 0x80000
[706] mblock_reserve dbg[6]: 1, 1, 1, 1
[706] mblock[7].start: 0xc0000000, sz: 0x3ef00000, limit: 0xc0000000, max_addr: 0xc0000000, target: 6, reserved_addr: 0xbff80000,reserved_size: 0x80000
[708] mblock_reserve dbg[7]: 1, 0, 1, 1
[709] mblock[8].start: 0xff000000, sz: 0x9c0000, limit: 0xc0000000, max_addr: 0xc0000000, target: 6, reserved_addr: 0xbff80000,reserved_size: 0x80000
[710] mblock_reserve dbg[8]: 1, 0, 1, 1
[711] mblock[9].start: 0x100000000, sz: 0x40000000, limit: 0xc0000000, max_addr: 0xc0000000, target: 6, reserved_addr: 0xbff80000,reserved_size: 0x80000
[712] mblock_reserve dbg[9]: 1, 0, 1, 1
[713] mblock_reserve: bff80000 - c0000000 from mblock 6
[713] mblock_reserve [0].start: 0x40000000, sz: 0x80000
[714] mblock_reserve [1].start: 0x4c880000, sz: 0x7780000
[715] mblock_reserve [2].start: 0x54080000, sz: 0xf80000
[715] mblock_reserve [3].start: 0x56400000, sz: 0x500000
[716] mblock_reserve [4].start: 0x5f900000, sz: 0x1c1e0000
[717] mblock_reserve [5].start: 0x7da00000, sz: 0x25c0000
[717] mblock_reserve [6].start: 0x80000000, sz: 0x3ff80000
[718] mblock_reserve [7].start: 0xc0000000, sz: 0x3ef00000
[719] mblock_reserve [8].start: 0xff000000, sz: 0x9c0000
[719] mblock_reserve [9].start: 0x100000000, sz: 0x40000000
[720] mblock_reserve-R[0].start: 0x7ffc0000, sz: 0x40000 map:1 name:log_store
[721] mblock_reserve-R[1].start: 0xff9c0000, sz: 0x640000 map:0 name:tee
[721] mblock_reserve-R[2].start: 0xfef00000, sz: 0x100000 map:0 name:PICACHU
[722] mblock_reserve-R[3].start: 0x56000000, sz: 0x400000 map:0 name:lk_addr_mb
[723] mblock_reserve-R[4].start: 0x56900000, sz: 0x9000000 map:0 name:scratch_addr_mb
[724] mblock_reserve-R[5].start: 0x54000000, sz: 0x80000 map:0 name:dtb_kernel_addr_mb
[725] mblock_reserve-R[6].start: 0x40080000, sz: 0xc800000 map:0 name:kernel_addr_mb
[726] mblock_reserve-R[7].start: 0x55000000, sz: 0x1000000 map:0 name:ramdisk_addr_mb
[727] mblock_reserve-R[8].start: 0x7bae0000, sz: 0x1f20000 map:0 name:platform_init
[728] mbl
[901] [lc709203f_init]
[902] [lc709203f_check_power_on] lc709203f_get_ic_power_mode [0x1]
[903] [lc709203f_check_power_on] lc709203f_get_thermistor_b [0xd34]
[905] [lc709203f_check_power_on] lc709203f_get_adjustment_pack_appli [0xb4]
[906] [lc709203f_check_power_on] 1
[910] [mt65xx_bat_init] g_capacity_status=[82]
[910] [lc709203f_init]
[911] [lc709203f_check_power_on] lc709203f_get_ic_power_mode [0x1]
[913] [lc709203f_check_power_on] lc709203f_get_thermistor_b [0xd34]
[914] [lc709203f_check_power_on] lc709203f_get_adjustment_pack_appli [0xb4]
[915] [lc709203f_check_power_on] 1
[916] mtk detect key function key = 0
[917] [LEDS]LK: mt65xx_backlight_on:level = 63
[917] [LEDS]LK: lcd-backlight level is 63
[918] cust->mode is 6
[918] cust->mode E cust_data= 0x56017bfd; level =63
[919] [LEDS]LK: mt65xx_leds_brightness_set is done
[919] fb dump: 0x00000000, 0x00000000, 0x00000000, 0x00000000
[LK_ENV]get_env MTK_DEVICE_ID
[922] [PART_LK][get_part] proinfo
[922] [LK_BOOT] Load 'proinfo' partition to 0x560A6788 (19 bytes in 0 ms)
[923] Serial #: "0L0V041811"
[924] [USB] ep0_urb: 0x560b3cc4
[928] Part Info.(1blk=512B):
[928] [0x0000000000080000-0x000000000037ffff] ( 6144 blocks): "proinfo"
[929] [0x0000000000380000-0x000000000047ffff] ( 2048 blocks): "boot_para"
[930] [0x0000000000480000-0x000000000137ffff] ( 30720 blocks): "cam_vpu1"
[931] [0x0000000001380000-0x000000000227ffff] ( 30720 blocks): "cam_vpu2"
[932] [0x0000000002280000-0x000000000317ffff] ( 30720 blocks): "cam_vpu3"
[933] [0x0000000003180000-0x000000000367ffff] ( 10240 blocks): "nvram"
[933] [0x0000000003680000-0x000000000407ffff] ( 20480 blocks): "protect1"
[934] [0x0000000004080000-0x0000000004a7ffff] ( 20480 blocks): "protect2"
[935] [0x0000000004a80000-0x0000000007a7ffff] ( 98304 blocks): "persist"
[936] [0x0000000007a80000-0x000000000827ffff] ( 16384 blocks): "nvcfg"
[937] [0x0000000008280000-0x00000000082bffff] ( 512 blocks): "seccfg"
[938] [0x00000000082c0000-0x00000000083bffff] ( 2048 blocks): "lk"
[938] [0x00000000083c0000-0x00000000084bffff] ( 2048 blocks): "lk2"
[939] [0x00000000084c0000-0x00000000094bffff] ( 32768 blocks): "boot"
[940] [0x00000000094c0000-0x000000000a4bffff] ( 32768 blocks): "recovery"
[941] [0x000000000a4c0000-0x000000000a53ffff] ( 1024 blocks): "para"
[942] [0x000000000a540000-0x000000000ad3ffff] ( 16384 blocks): "logo"
[942] [0x000000000ad40000-0x000000000b53ffff] ( 16384 blocks): "dtbo"
[943] [0x000000000b540000-0x000000000bf3ffff] ( 20480 blocks): "expdb"
[944] [0x000000000bf40000-0x000000000c03ffff] ( 2048 blocks): "frp"
[945] [0x000000000c040000-0x000000000e03ffff] ( 65536 blocks): "nvdata"
[946] [0x000000000e040000-0x000000000e53ffff] ( 10240 blocks): "tee1"
[946] [0x000000000e540000-0x000000000ea3ffff] ( 10240 blocks): "tee2"
[947] [0x000000000ea40000-0x000000000ec3ffff] ( 4096 blocks): "kb"
[948] [0x000000000ec40000-0x000000000ee3ffff] ( 4096 blocks): "dkb"
[949] [0x000000000ee40000-0x0000000010e3ffff] ( 65536 blocks): "metadata"
[950] [0x0000000010e40000-0x000000001197ffff] ( 23040 blocks): "vbmeta"
[950] [0x0000000011980000-0x0000000065d7ffff] ( 2760704 blocks): "system"
[951] [0x0000000065d80000-0x000000007ed7ffff] ( 819200 blocks): "vendor"
[952] [0x000000007ed80000-0x000000007fd7ffff] ( 32768 blocks): "factory"
[953] [0x000000007fd80000-0x00000000bfd7ffff] ( 2097152 blocks): "cache"
[954] [0x00000000bfd80000-0x00000003a3dfbdff] (24249311 blocks): "userdata"
[954]
[955] fastboot_init()
[955] [ccci] using default loading method
[LK_ENV]get_env off-mode-charge
[959] [[PART_LK]] map partition lk(from lk2) with lk
[1454] fastboot: processing commands
I just bought a mt8168 tablet and support should arrive soon.
google-mirror
commented
2 years ago uart connection is now available. Please let me know if there is anything I can do to help.
how can you connect to uart port?
mouseos
commented
2 years ago The following URL has a description of my TAB-A05-BD uart. It is at the bottom of the page. https://wiki3.jp/SmileTabLabo/page/12
This location is not helpful as it varies from device to device.
ihtarlik
commented
1 year ago Running under Windows 11 Pro, I tried brute and it scanned the addresses to no avail. Most other tasks (like get partition info) result in this:
MTK Flash/Exploit Client V1.6.1 (c) B.Kerler 2018-2023
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.
...........
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.
...........
Port - Device detected :)
Preloader - CPU: MT8168/MT6357()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8168
Preloader - Target config: 0xe1
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb01
Preloader - SW Ver: 0x100
Preloader - ME_ID: 1C19DBF65F7ABE6F4A201F2CF6748555
Preloader - SOC_ID: 0000000000000000000000000000000000000000000000000000000000000000
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt8168_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Traceback (most recent call last):
File "C:\Users\higouser\Documents\mtkclient\mtk", line 814, in
ihtarlik
commented
1 year ago I got some more info from the log.txt that was generated during my efforts:
CONFIGURATION 1: 500 mA ================================== bLength : 0x9 (9 bytes) bDescriptorType : 0x2 Configuration wTotalLength : 0x43 (67 bytes) bNumInterfaces : 0x2 bConfigurationValue : 0x1 iConfiguration : 0x3 Error Accessing String bmAttributes : 0xc0 Self Powered bMaxPower : 0xfa (500 mA) INTERFACE 0: CDC Data ================================== bLength : 0x9 (9 bytes) bDescriptorType : 0x4 Interface bInterfaceNumber : 0x0 bAlternateSetting : 0x0 bNumEndpoints : 0x2 bInterfaceClass : 0xa CDC Data bInterfaceSubClass : 0x0 bInterfaceProtocol : 0x0 iInterface : 0x4 Error Accessing String ENDPOINT 0x1: Bulk OUT =============================== bLength : 0x7 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x1 OUT bmAttributes : 0x2 Bulk wMaxPacketSize : 0x200 (512 bytes) bInterval : 0x0 ENDPOINT 0x81: Bulk IN =============================== bLength : 0x7 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x81 IN bmAttributes : 0x2 Bulk wMaxPacketSize : 0x200 (512 bytes) bInterval : 0x0 INTERFACE 1: CDC Communication ========================= bLength : 0x9 (9 bytes) bDescriptorType : 0x4 Interface bInterfaceNumber : 0x1 bAlternateSetting : 0x0 bNumEndpoints : 0x1 bInterfaceClass : 0x2 CDC Communication bInterfaceSubClass : 0x2 bInterfaceProtocol : 0x1 iInterface : 0x5 Error Accessing String ENDPOINT 0x83: Interrupt IN ========================== bLength : 0x7 (7 bytes) bDescriptorType : 0x5 Endpoint bEndpointAddress : 0x83 IN bmAttributes : 0x3 Interrupt wMaxPacketSize : 0x40 (64 bytes) bInterval : 0x10
mouseos
commented
1 year ago I checked soc on board.The soc was mt8365v but mtkclient returns "mt8168".
s1204IT
commented
11 months ago @bkerler
The soc was mt8365v
mouseos
commented
11 months ago This device (TAB-A05-BD) is powered by mt8365v. But it is recognized as mt8168. I think something is wrong because of that.
s1204IT
commented
11 months ago For accurate inspection, we'll send you the latest logs.
Host details
W:\Documents\MTKClient\exec: .\mtk gettargetcnfig
exec: .\mtk r --ptype kamakiri factory factory.img
exec: .\mtk dumpbrom --ptype kamakiri
exec: .\mtk payload --payload .\mtkclient\payloads\da_x.bin --ptype kamakiri
exec: .\mtk payload --payload .\mtkclient\payloads\da_x.bin (Use Kamakiri2)
@bkerler
If you need it, We can share the preloader.img and lk.bin of each build.
falk0069
commented
2 months ago I'm seeking information on the mt8168 chip support. I read on issue-426 and issue-772 that it is supported on unfused devices. What does this mean and how would one check this? I also see links to issue-758 talking about support for newer V6. Does this apply to the mt8168 chip? Would it be specific to fused devices? Sorry for all the newbie questions.
hopez13
commented
2 months ago if your chipset uses older v5 protocol mtkclient works flawlessly will work if your chipset is newer and uses v6 protocol (XML) it will only work if following three are false: Preloader - SBC enabled: False Preloader - SLA enabled: False Preloader - DAA enabled: False
ghost
commented
1 month ago This device does not work with mtkclient but I'll post the log just in case. mtkclient 2.0.1 mtk dumpbrom log (TAB-A05-BD)
You cannot use sp flash tools at all. This is a completely useless log. Just in case, I've attached the log for (read back). ↓
Port - Device detected :)
DeviceClass
DeviceClass - [LIB]: [95mTX:fd[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:fd[0m
DeviceClass
DeviceClass - [LIB]: [95mrdword:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:81680000[0m
Preloader - CPU: MT8168/MT6357()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
DeviceClass
DeviceClass - [LIB]: [95mTX:d4[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:d4[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:10007000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:10007000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mrword:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0001[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:22000064[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:22000064[0m
DeviceClass
DeviceClass - [LIB]: [95mrword:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0001[0m
Preloader - HW code: 0x8168
DeviceClass
DeviceClass - [LIB]: [95mTX:d8[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:d8[0m
DeviceClass
DeviceClass - [LIB]: [95mrbyte:0x6[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:000000e50000[0m
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
DeviceClass
DeviceClass - [LIB]: [95mTX:fe[0m
DeviceClass
DeviceClass - [LIB]: [95mget_blver:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:fe[0m
Preloader - BROM mode detected.
DeviceClass
DeviceClass - [LIB]: [95mTX:ff[0m
DeviceClass
DeviceClass - [LIB]: [95mget_bromver:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:05[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:fc[0m
DeviceClass
DeviceClass - [LIB]: [95mmtk_cmd:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:fc[0m
DeviceClass
DeviceClass - [LIB]: [95mmtk_cmd:0x8[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:8a00ca0101000000[0m
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x100
DeviceClass
DeviceClass - [LIB]: [95mTX:fe[0m
DeviceClass
DeviceClass - [LIB]: [95mget_meid:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:fe[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:e1[0m
DeviceClass
DeviceClass - [LIB]: [95mget_meid:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:e1[0m
DeviceClass
DeviceClass - [LIB]: [95mget_meid:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000010[0m
DeviceClass
DeviceClass - [LIB]: [95mget_meid:0x10[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:898fd84a6ddaa331048dd49f43c5e626[0m
DeviceClass
DeviceClass - [LIB]: [95mget_meid:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
Preloader - ME_ID: 898FD84A6DDAA331048DD49F43C5E626
DeviceClass
DeviceClass - [LIB]: [95mTX:fe[0m
DeviceClass
DeviceClass - [LIB]: [95mget_socid:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:fe[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:e7[0m
DeviceClass
DeviceClass - [LIB]: [95mget_socid:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:e7[0m
DeviceClass
DeviceClass - [LIB]: [95mget_socid:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000020[0m
DeviceClass
DeviceClass - [LIB]: [95mget_socid:0x20[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000000000000000000000000000000000000000000000000000000000000000[0m
DeviceClass
DeviceClass - [LIB]: [95mget_socid:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
Preloader - SOC_ID: 0000000000000000000000000000000000000000000000000000000000000000
Preloader
Preloader - [LIB]: [33mAuth file is required. Use --auth option.[0m
PLTools - Kamakiri / DA Run
PLTools - Loading payload from generic_dump_payload.bin, 0xf4 bytes
Exploitation - Kamakiri Run
DeviceClass
DeviceClass - [LIB]: [95mTX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:d1[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:d1[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:10007050[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:10007050[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mrword:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mrdword:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mread:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:000137f4[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:000137f4[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000004[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000004[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:78301000[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:d1[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:d1[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:10007050[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:10007050[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mrword:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mrdword:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mread:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:001009c0[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:001009c0[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:000000f4[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:000000f4[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:1d1a[0m
Exploitation
Exploitation - [LIB]: [31mError on sending payload.[0m
PLTools - Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\generic_dump_payload.bin
DeviceClass
DeviceClass - [LIB]: [95mTX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:da[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00[0m
DeviceClass
DeviceClass - [LIB]: [95mbrom_register_access:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:d1[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x1[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:d1[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:10007050[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:10007050[0m
DeviceClass
DeviceClass - [LIB]: [95mTX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mecho:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000001[0m
DeviceClass
DeviceClass - [LIB]: [95mrword:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
DeviceClass
DeviceClass - [LIB]: [95mrdword:0x4[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:00000000[0m
DeviceClass
DeviceClass - [LIB]: [95mread:0x2[0m
DeviceClass
DeviceClass - [LIB]: [95mRX:0000[0m
Exploitation
Exploitation - [LIB]: [31mError on opening brom_MT8168_MT6357_8168.bin for writing: unsupported operand type(s) for -: 'NoneType' and 'int'[0mAfter executing the command, the process stops and stops working. PLTools - Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\mt8168_payload.bin ↑At this time, I unplugged the USB.
mtkclient 2.0.1 log(TAB-A05-BD)
Port - Device detected :)
Preloader - CPU: MT8168/MT6357()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8168
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x100
Preloader - ME_ID: 898FD84A6DDAA331048DD49F43C5E626
Preloader - SOC_ID: 0000000000000000000000000000000000000000000000000000000000000000
Preloader
Preloader - [LIB]: [33mAuth file is required. Use --auth option.[0m
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt8168_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation
Exploitation - [LIB]: [31mError on sending payload.[0m
PLTools - Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\mt8168_payload.bin
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DeviceClass - USBError(5, 'Input/Output Error')
Preloader
Preloader - [LIB]: [31mError on DA_Send cmd[0m
DAXFlash
DAXFlash - [LIB]: [31mError on sending DA.[0m
TAB-A05-BD_brute_debugmode_log.txt.zip
It doesn't have any particular meaning (TAB-A05-BD) Paste the --debugmode log of mtk brute.
I have attached the execution log of mtk stage
ghost
commented
1 month ago TAB-A05-BD This is the log when running mtk plstage. I'll paste it
ghost
commented
1 month ago @bkerler In AndroidUtility's meta mode "Para" can be read and written normally, so Save the pcap I made it into a zip.
https://mega.nz/file/ZWsjQRgD#Ax0mDNonrqXtt69Drj5KbFO1lnTHU8nwboF7qJoHmeU
I have a big question. mt8168(TAB-A05-BD) SBC ture SLA false DAA ture This device is clearly protected mtkclient and sp flash tools are not available.
Why can I read and write "para" from the meta mode of "AndroidUtility"? "AndroidUtility" can only dump "mmcblk0". I don't understand how it works... It's clearly a protected device.
write.pcapng para start binary 34AA7
Read.pcapng para start binary 357B7
mouseos
commented
1 month ago I myself have long wondered. Why can AndroidUtility break security features that are not possible with mtkclient?
ghost
commented
1 month ago @bkerler Sorry if I offended you with my question... Should I delete the question I posted?
bkerler
commented
1 month ago Meta mode isn't integrated, but it is on my todo. Currently mostly busy with researching newer mtk chipset which are a pain.
ghost
commented
1 month ago Meta mode isn't integrated, but it is on my todo. Currently mostly busy with researching newer mtk chipset which are a pain.
I understand Thank you for taking the time out of your busy schedule to reply.<(`・ω・´)
I would like to see support for mt8168 added. If there is anything I can do to help, I will. Thank you very much.