bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Bricked Redmi K50 (mt6895) #495

Closed jhonny-oliveira closed 3 weeks ago

jhonny-oliveira commented 1 year ago

I bricked my Redmi K50 (mt6895) and I'm unable to use mtk to recover it.

python mtk printgpt --preloader=mtkclient/Loader/Preloader/preloader_rubens.bin

````
MTK Flash/Exploit Client V1.6.0 (c) B.Kerler 2018-2022

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Device detected :)
Preloader - CPU: MT6895(Dimensity 8100)
Preloader - HW version: 0x0
Preloader - WDT: 0x1c007000
Preloader - Uart: 0x11001000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x1172
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 465A62C61033F2338C2602031ED0DA0F
PLTools - Loading payload from generic_patcher_payload.bin, 0x56c bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Traceback (most recent call last):
  File "C:\Users\JWP\Downloads\New\mtkclient\mtk", line 813, in <module>
    mtk = Main(args).run(parser)
  File "C:\Users\JWP\Downloads\New\mtkclient\mtkclient\Library\mtk_main.py", line 615, in run
    mtk = da_handler.configure_da(mtk, preloader)
  File "C:\Users\JWP\Downloads\New\mtkclient\mtkclient\Library\mtk_da_cmd.py", line 87, in configure_da
    mtk = mtk.bypass_security()
  File "C:\Users\JWP\Downloads\New\mtkclient\mtkclient\Library\mtk_class.py", line 155, in bypass_security
    if plt.runpayload(filename=self.config.payloadfile):
  File "C:\Users\JWP\Downloads\New\mtkclient\mtkclient\Library\pltools.py", line 102, in runpayload
    if self.kama.payload(payload, addr, True, exploittype):
  File "C:\Users\JWP\Downloads\New\mtkclient\mtkclient\Library\kamakiri.py", line 139, in payload
    if self.exploit2(payload, addr):
  File "C:\Users\JWP\Downloads\New\mtkclient\mtkclient\Library\kamakiri.py", line 117, in exploit2
    ptr_send = unpack("
````

python mtk dumpbrom --debug

````
MTK Flash/Exploit Client V1.6.0 (c) B.Kerler 2018-2022

Main Main - [LIB]: mtk dumpbrom --debug
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
DeviceClass DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

DeviceClass DeviceClass - [LIB]: CONFIGURATION 1: 0 mA ====================================
  bLength : 0x9 (9 bytes)
  bDescriptorType : 0x2 Configuration
  wTotalLength : 0x43 (67 bytes)
  bNumInterfaces : 0x2
  bConfigurationValue : 0x1
  iConfiguration : 0x0
  bmAttributes : 0x80 Bus Powered
  bMaxPower : 0x0 (0 mA)
  INTERFACE 0: CDC Communication =========================
    bLength : 0x9 (9 bytes)
    bDescriptorType : 0x4 Interface
    bInterfaceNumber : 0x0
    bAlternateSetting : 0x0
    bNumEndpoints : 0x1
    bInterfaceClass : 0x2 CDC Communication
    bInterfaceSubClass : 0x2
    bInterfaceProtocol : 0x1
    iInterface : 0x1 comm_if̦data_if̄Љ憸
    ENDPOINT 0x83: Interrupt IN ==========================
      bLength : 0x7 (7 bytes)
      bDescriptorType : 0x5 Endpoint
      bEndpointAddress : 0x83 IN
      bmAttributes : 0x3 Interrupt
      wMaxPacketSize : 0x40 (64 bytes)
      bInterval : 0x1
  INTERFACE 1: CDC Data ==================================
    bLength : 0x9 (9 bytes)
    bDescriptorType : 0x4 Interface
    bInterfaceNumber : 0x1
    bAlternateSetting : 0x0
    bNumEndpoints : 0x2
    bInterfaceClass : 0xa CDC Data
    bInterfaceSubClass : 0x0
    bInterfaceProtocol : 0x0
    iInterface : 0x2 data_if̄Љ憸呪풅ཊꤛ漢䕄礤
    ENDPOINT 0x81: Bulk IN ===============================
      bLength : 0x7 (7 bytes)
      bDescriptorType : 0x5 Endpoint
      bEndpointAddress : 0x81 IN
      bmAttributes : 0x2 Bulk
      wMaxPacketSize : 0x200 (512 bytes)
      bInterval : 0x0
    ENDPOINT 0x1: Bulk OUT ===============================
      bLength : 0x7 (7 bytes)
      bDescriptorType : 0x5 Endpoint
      bEndpointAddress : 0x1 OUT
      bmAttributes : 0x2 Bulk
      wMaxPacketSize : 0x200 (512 bytes)
      bInterval : 0x0
DeviceClass DeviceClass - [LIB]: No kernel driver supported: Operation not supported or unimplemented on this platform
DeviceClass DeviceClass - [LIB]: CONFIGURATION 1: 0 mA ====================================
  bLength : 0x9 (9 bytes)
  bDescriptorType : 0x2 Configuration
  wTotalLength : 0x43 (67 bytes)
  bNumInterfaces : 0x2
  bConfigurationValue : 0x1
  iConfiguration : 0x0
  bmAttributes : 0x80 Bus Powered
  bMaxPower : 0x0 (0 mA)
  INTERFACE 0: CDC Communication =========================
    bLength : 0x9 (9 bytes)
    bDescriptorType : 0x4 Interface
    bInterfaceNumber : 0x0
    bAlternateSetting : 0x0
    bNumEndpoints : 0x1
    bInterfaceClass : 0x2 CDC Communication
    bInterfaceSubClass : 0x2
    bInterfaceProtocol : 0x1
    iInterface : 0x1 comm_if̦data_if̄Љ憸
    ENDPOINT 0x83: Interrupt IN ==========================
      bLength : 0x7 (7 bytes)
      bDescriptorType : 0x5 Endpoint
      bEndpointAddress : 0x83 IN
      bmAttributes : 0x3 Interrupt
      wMaxPacketSize : 0x40 (64 bytes)
      bInterval : 0x1
  INTERFACE 1: CDC Data ==================================
    bLength : 0x9 (9 bytes)
    bDescriptorType : 0x4 Interface
    bInterfaceNumber : 0x1
    bAlternateSetting : 0x0
    bNumEndpoints : 0x2
    bInterfaceClass : 0xa CDC Data
    bInterfaceSubClass : 0x0
    bInterfaceProtocol : 0x0
    iInterface : 0x2 data_if̄Љ憸呪풅ཊꤛ漢䕄礤
    ENDPOINT 0x81: Bulk IN ===============================
      bLength : 0x7 (7 bytes)
      bDescriptorType : 0x5 Endpoint
      bEndpointAddress : 0x81 IN
      bmAttributes : 0x2 Bulk
      wMaxPacketSize : 0x200 (512 bytes)
      bInterval : 0x0
    ENDPOINT 0x1: Bulk OUT ===============================
      bLength : 0x7 (7 bytes)
      bDescriptorType : 0x5 Endpoint
      bEndpointAddress : 0x1 OUT
      bmAttributes : 0x2 Bulk
      wMaxPacketSize : 0x200 (512 bytes)
      bInterval : 0x0
DeviceClass DeviceClass - [LIB]: No kernel driver supported: Operation not supported or unimplemented on this platform
Port - Device detected :)
DeviceClass DeviceClass - [LIB]: TX:fd
DeviceClass DeviceClass - [LIB]: echo:0x1
DeviceClass DeviceClass - [LIB]: RX:fd
DeviceClass DeviceClass - [LIB]: rdword:0x4
DeviceClass DeviceClass - [LIB]: RX:11720000
Preloader - CPU: MT6895(Dimensity 8100)
Preloader - HW version: 0x0
Preloader - WDT: 0x1c007000
Preloader - Uart: 0x11001000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
DeviceClass DeviceClass - [LIB]: TX:d4
DeviceClass DeviceClass - [LIB]: echo:0x1
DeviceClass DeviceClass - [LIB]: RX:d4
DeviceClass DeviceClass - [LIB]: TX:1c007000
DeviceClass DeviceClass - [LIB]: echo:0x4
DeviceClass DeviceClass - [LIB]: RX:1c007000
DeviceClass DeviceClass - [LIB]: TX:00000001
DeviceClass DeviceClass - [LIB]: echo:0x4
DeviceClass DeviceClass - [LIB]: RX:00000001
DeviceClass DeviceClass - [LIB]: rword:0x2
DeviceClass DeviceClass - [LIB]: RX:0001
DeviceClass DeviceClass - [LIB]: TX:22000064
DeviceClass DeviceClass - [LIB]: echo:0x4
DeviceClass DeviceClass - [LIB]: RX:22000064
DeviceClass DeviceClass - [LIB]: rword:0x2
DeviceClass DeviceClass - [LIB]: RX:0001
Preloader - HW code: 0x1172
DeviceClass DeviceClass - [LIB]: TX:d8
DeviceClass DeviceClass - [LIB]: echo:0x1
DeviceClass DeviceClass - [LIB]: RX:d8
DeviceClass DeviceClass - [LIB]: rbyte:0x6
DeviceClass DeviceClass - [LIB]: RX:000000e70000
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
DeviceClass DeviceClass - [LIB]: TX:fe
DeviceClass DeviceClass - [LIB]: get_blver:0x1
DeviceClass DeviceClass - [LIB]: RX:fe
Preloader - BROM mode detected.
DeviceClass DeviceClass - [LIB]: TX:ff
DeviceClass DeviceClass - [LIB]: get_bromver:0x1
DeviceClass DeviceClass - [LIB]: RX:05
DeviceClass DeviceClass - [LIB]: TX:fc
DeviceClass DeviceClass - [LIB]: mtk_cmd:0x1
DeviceClass DeviceClass - [LIB]: RX:fc
DeviceClass DeviceClass - [LIB]: mtk_cmd:0x8
DeviceClass DeviceClass - [LIB]: RX:8a00ca0000000000
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
DeviceClass DeviceClass - [LIB]: TX:fe
DeviceClass DeviceClass - [LIB]: get_meid:0x1
DeviceClass DeviceClass - [LIB]: RX:fe
DeviceClass DeviceClass - [LIB]: TX:e1
DeviceClass DeviceClass - [LIB]: get_meid:0x1
DeviceClass DeviceClass - [LIB]: RX:e1
DeviceClass DeviceClass - [LIB]: get_meid:0x4
DeviceClass DeviceClass - [LIB]: RX:00000010
DeviceClass DeviceClass - [LIB]: get_meid:0x10
DeviceClass DeviceClass - [LIB]: RX:465a62c61033f2338c2602031ed0da0f
DeviceClass DeviceClass - [LIB]: get_meid:0x2
DeviceClass DeviceClass - [LIB]: RX:0000
Preloader - ME_ID: 465A62C61033F2338C2602031ED0DA0F
PLTools - Kamakiri2
PLTools - Unknown chipset, please run "brute" command and send the brom as an issue on github
````

python mtk brute

On this last one, I had to put the phone in brom mode several times, as some of the tests would make it restart or Windows just decided to suspend itself.

Let me know if there is any chance you can support this phone or if you need me to provide any additional data.

Thank you!

Atassen21 commented 1 year ago

why this chip is sooo abandoned 😥😥😥

Atassen21 commented 1 year ago

Anyone successful in unbricking?

Atassen21 commented 1 year ago

````python
0x1172: chipconfig(
    var1=0xA,
    watchdog=0x1c007000,
    uart=0x11001000,
    brom_payload_addr=0x100A00,
    da_payload_addr=0x201000,
    pl_payload_addr=0x40200000,
    gcpu_base=0x10050000,
    dxcc_base=0x10210000,
    sej_base=0x1000a000,
    cqdma_base=0x10212000,
    ap_dma_mem=0x11300800 + 0x1a0,
    #blacklist=[(0x102848, 0x0), (0x00106B60, 0x0)],
    #blacklist_count=0x0000000A,
    #send_ptr=(0x102888, 0xE79C),
    #ctrl_buffer=0x00102A9C,
    #cmd_handler=0x0000F569,
    #brom_register_access=(0xeba4, 0xec5c),
    #meid_addr=0x102B98,
    #socid_addr=0x102BA8,
    #prov_addr=0x1066C0,
    damode=damodes.XFLASH,
    dacode=0x6895,
    name="MT6895",
    description="Dimensity 8100"
),
````

hopez13 commented 11 months ago

duplicate of #758

github-actions[bot] commented 1 month ago

Stale issue message