bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0
2.72k stars 529 forks

mt6781 vivo v23e android 12(security patch june 1) Bypass SLA failed. #412

Closed Mujeebb closed 2 years ago

Mujeebb commented 2 years ago

```text
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.
...........
......Port - Device detected :)
Preloader - CPU: MT6781(Helio G96)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x1066
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5C9E6955D63C5E67BC9A3B3E3866E1DC
Preloader - SOC_ID: F5BA016F77BD53CAA8DC18B53C5AF13A61B9AF1135B59CFFBA57D57195A94845
PLTools - Loading payload from mt6781_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Traceback (most recent call last):
  File "C:\Users\ASUS\mtkclient\mtk", line 781, in <module>
    mtk = Main(args).run(parser)
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\mtk_main.py", line 554, in run
    self.cmd_payload(mtk=mtk, payloadfile=payloadfile)
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\mtk_main.py", line 616, in cmd_payload
    plt.runpayload(filename=payloadfile)
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\pltools.py", line 102, in runpayload
    if self.kama.payload(payload, addr, True, exploittype):
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\kamakiri.py", line 139, in payload
    if self.exploit2(payload, addr):
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\kamakiri.py", line 117, in exploit2
    ptr_send = unpack("<I", self.da_read(self.mtk.config.chipconfig.send_ptr[0][1], 4))[0] + 8
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\kamakiri.py", line 68, in da_read
    return self.da_read_write(address, length, None, check_result)
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\kamakiri.py", line 107, in da_read_write
    return self.mtk.preloader.brom_register_access(address - 0x40, length, data, check_result)
  File "C:\Users\ASUS\mtkclient\mtkclient\Library\mtk_preloader.py", line 578, in brom_register_access
    raise RuntimeError(self.eh.status(status))
RuntimeError: Unknown: 0x1a1d
```
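The security state that decides whether a BROM exploit has anything to work with is the handful of flags printed right after `Target config: 0xe5` in the log above. As an added example (not code from this issue or from mtkclient), the script below parses those `Preloader - key: value` pairs out of a run-together log, decodes the target-config word into the named flags, and checks the decode against what the tool printed. The bit masks are an assumption: they were chosen so that 0xe5 reproduces exactly the flags shown here, and should be verified against mtkclient's `mtk_preloader.py` before being relied on. The sample log string is constructed from the fields on this page.

```python
import re

# ASSUMED bit layout of the BROM "target config" word. The masks are not taken
# from mtkclient; they were chosen so that decoding 0xe5 reproduces the flags
# printed in the issue log (SBC/DAA on, SLA off, mem read/write auth on,
# cmd 0xC8 blocked). Check mtk_preloader.py before relying on them.
TARGET_CONFIG_BITS = (
    ("SBC enabled", 0x01),
    ("SLA enabled", 0x02),
    ("DAA enabled", 0x04),
    ("SWJTAG enabled", 0x06),   # assumption: overlaps SLA|DAA, consistent with the log
    ("EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT", 0x08),
    ("Root cert required", 0x10),
    ("Mem read auth", 0x20),
    ("Mem write auth", 0x40),
    ("Cmd 0xC8 blocked", 0x80),
)

# "Preloader - <key>: <value>" pairs. The key is not allowed to run into the
# next "Preloader - " prefix, which is what keeps a one-line log parseable.
FIELD_RE = re.compile(r"Preloader - ((?:(?!Preloader - ).)+?): (\S+)")

# Constructed sample: the security-relevant fields from the issue's log,
# deliberately left run together on one line the way the page shows them.
SAMPLE_LOG = (
    "Preloader - HW code: 0x1066 Preloader - Target config: 0xe5 "
    "Preloader - SBC enabled: True Preloader - SLA enabled: False "
    "Preloader - DAA enabled: True Preloader - SWJTAG enabled: True "
    "Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False "
    "Preloader - Root cert required: False Preloader - Mem read auth: True "
    "Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True "
    "Preloader - Get Target info Preloader - BROM mode detected."
)


def decode_target_config(value: int) -> dict:
    """Expand the target-config word into the named boolean flags."""
    return {name: bool(value & mask) for name, mask in TARGET_CONFIG_BITS}


def parse_preloader_log(text: str) -> dict:
    """Pull every 'Preloader - key: value' pair out of an mtkclient log."""
    return {key.strip(): val for key, val in FIELD_RE.findall(text)}


def check_log(text: str):
    """Decode the Target config word and diff it against the printed flags.

    Returns (config_word, decoded_flags, mismatches). An empty mismatches
    dict means the assumed bit layout agrees with what the tool reported.
    """
    fields = parse_preloader_log(text)
    cfg = int(fields["Target config"], 16)
    decoded = decode_target_config(cfg)
    reported = {name: fields[name] == "True"
                for name, _ in TARGET_CONFIG_BITS if name in fields}
    mismatches = {k: (decoded[k], reported[k])
                  for k in reported if decoded[k] != reported[k]}
    return cfg, decoded, mismatches


def brom_memory_gated(flags: dict) -> dict:
    """Report whether BROM memory reads/writes sit behind authentication."""
    return {"read": flags["Mem read auth"], "write": flags["Mem write auth"]}


if __name__ == "__main__":
    cfg, decoded, mismatches = check_log(SAMPLE_LOG)
    print(f"Target config 0x{cfg:02x}")
    for name, on in decoded.items():
        print(f"  {name}: {on}")
    print("mismatches vs. printed flags:", mismatches or "none")
    print("BROM memory access gated:", brom_memory_gated(decoded))
```

Run against the sample, the decode matches every flag the tool printed, and `brom_memory_gated` reports both read and write as authenticated, which is the state in which an unauthenticated BROM memory read of the kind the traceback attempts has nothing to fall back on.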

bkerler commented 2 years ago

Can you dump the brom?

Mujeebb commented 2 years ago

OK, I will try, then send you the log.

On Wed, Jul 6, 2022 at 4:49 AM Bjoern Kerler wrote:

> Can you dump the brom?

Mujeebb commented 2 years ago

```text
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.
......Port - Device detected :)
Preloader - CPU: MT6781(Helio G96)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x1066
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5C9E6955D63C5E67BC9A3B3E3866E1DC
Preloader - SOC_ID: F5BA016F77BD53CAA8DC18B53C5AF13A61B9AF1135B59CFFBA57D57195A94845
PLTools
PLTools - [LIB]: Unknown dumpbrom ptype: [amonet,kamakiri,hashimoto]
PLTools - Available ptypes are: amonet, kamakiri, kamakiri2, hashimoto
PLTools
PLTools - [LIB]: Error on dumping Bootrom.
```

bkerler commented 2 years ago

You need to use a testpoint, as they patched kamakiri.