bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

DAA_SIG_VERIFY_FAILED on mt6893 #496

Closed Giovix92 closed 4 months ago

Giovix92 commented 2 years ago

Hi there! I've recently updated my OnePlus Nord 2 to C.10, and while booting to BROM mode, now it throws an error. On C.01 and older versions it works fine with the same procedure (both vol pressed and cable connect). Here's the log, taken on PopOS 22.10 with the latest mtkclient (python 3.10):

..........Port - Device detected :)
Preloader -   CPU:      MT6893(Dimensity 1200)
Preloader -   HW version:    0x0
Preloader -   WDT:      0x10007000
Preloader -   Uart:      0x11002000
Preloader -   Brom payload addr:  0x100a00
Preloader -   DA payload addr:  0x201000
Preloader -   CQ_DMA addr:    0x10212000
Preloader -   Var1:      0xa
Preloader - Disabling Watchdog...
Preloader - HW code:      0x950
Preloader - Target config:    0x5
Preloader -   SBC enabled:    True
Preloader -   SLA enabled:    False
Preloader -   DAA enabled:    True
Preloader -   SWJTAG enabled:    True
Preloader -   EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -   Root cert required:  False
Preloader -   Mem read auth:    False
Preloader -   Mem write auth:    False
Preloader -   Cmd 0xC8 blocked:  False
Preloader - Get Target info
Preloader -   HW subcode:    0x8a00
Preloader -   HW Ver:      0xca00
Preloader -   SW Ver:      0x0
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
DeviceClass - USBError(5, 'Input/Output Error')
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Any hint or solution? Thank you in advance!
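
A way to triage a log like the one above, as an added example that is not part of the original post or of mtkclient: it decodes the `Target config` word into flags, cross-checks them against the flags the log prints, and extracts the DA upload error. The bit layout in `TARGET_CONFIG_BITS` and the function names are assumptions of this example; the layout was chosen so that `0x5` reproduces the flags shown in the log, where DAA (download agent authentication) is enabled and the DA upload is rejected with a signature error.

```python
import re

# Assumed bit layout for this example; it reproduces the flags printed in the log.
TARGET_CONFIG_BITS = {
    "SBC enabled": 0x01,
    "SLA enabled": 0x02,
    "DAA enabled": 0x04,
    "SWJTAG enabled": 0x06,
    "Root cert required": 0x10,
    "Mem read auth": 0x20,
    "Mem write auth": 0x40,
    "Cmd 0xC8 blocked": 0x80,
}

# Excerpt of the log posted in this issue.
SAMPLE_LOG = """\
Preloader - Target config:    0x5
Preloader -   SBC enabled:    True
Preloader -   SLA enabled:    False
Preloader -   DAA enabled:    True
Preloader -   SWJTAG enabled:    True
Preloader -   Root cert required:  False
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
"""

def decode_target_config(value):
    """Expand the target config word into named boolean flags."""
    return {name: bool(value & mask) for name, mask in TARGET_CONFIG_BITS.items()}

def triage(log_text):
    """Return decoded flags, flags that disagree with the log, and the DA error."""
    cfg = re.search(r"Target config:\s+(0x[0-9a-fA-F]+)", log_text)
    if cfg is None:
        raise ValueError("no 'Target config' line in log")
    decoded = decode_target_config(int(cfg.group(1), 16))
    # Flags as the tool printed them, keyed by their label in the log.
    printed = {
        label.strip(): state == "True"
        for label, state in re.findall(
            r"^Preloader -\s+(.+?):\s+(True|False)\s*$", log_text, re.M)
    }
    mismatches = sorted(k for k, v in printed.items()
                        if k in decoded and decoded[k] != v)
    err = re.search(r"failed with error: (\w+) \((0x[0-9a-fA-F]+)\)", log_text)
    error = (err.group(1), int(err.group(2), 16)) if err else None
    return {"flags": decoded, "mismatches": mismatches, "error": error}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["error"], result["flags"]["DAA enabled"], result["mismatches"])
```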

Beanow commented 2 years ago

Same issue pretty much on an up-to-date Nord 2T (A.15 update)

Port - Device detected :)
Preloader -     CPU:            MT6893(Dimensity 1200)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x950
Preloader - Target config:      0x5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
DeviceClass - USBError(19, 'No such device (it may have been disconnected)')
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Beanow commented 2 years ago

Just wondering @Giovix92 have you been able to use commands that don't involve the DA / crashing to brom? Looking at a boot loop here, and even just a payload to reach fastboot would be great :sweat_smile:

Beanow commented 2 years ago

Including a log for mtk payload --metamode FASTBOOT --debugmode log.txt

Giovix92 commented 2 years ago

> Just wondering @Giovix92 have you been able to use commands that don't involve the DA / crashing to brom? Looking at a boot loop here, and even just a payload to reach fastboot would be great :sweat_smile:

Actually no, on Nord 2 fastboot mode isn't accessible. It just throws out "serial is not match", plus a reboot in almost a split second.

We just have fastbootd, which isn't helpful either cause it's limited as hell.

Beanow commented 2 years ago

:scream: no fastboot? Was that including vol- and power or when trying via mtkclient?

For the Nord 2T at least vol- and power was giving me fastboot.

But I got in a brilliant loop, where both boot_a and boot_b are bad. And I believe the androidboot.init_fatal_reboot_target=recovery kernel cmd is the culprit here. (Nord 2T has no recovery partition, so bad boot_a/_b means bad recovery too.) Instead of the usual "orange state" warning from the preloader it has "RECOVERY MODE" in the bottom and reboots all day.

Annoyingly this doesn't seem to respond to the hw key inputs to go to fastboot instead. So it's either connected to mtkclient in the preloader stage, or rebooting.

Petitoto commented 2 years ago

Hey,

Same problem here.

I tried to find a test point, but I only found:

I don't know if I have any chance to find something better. Another solution would be to short DAT0 on eMMC to prevent BROM from finding the preloader, making it run into EDL. But it may be hard to find...

Meta mode using payload requires access to BROM. We can try to send commands directly to the preloader, but mtkclient doesn't find the device for an unknown reason. mtk-bootseq.py finds the device, but my Nord 2 doesn't accept the command to switch to fastboot (or any other mode) even if the code seems to be still present in the preloader. I don't know if this technique worked before the upgrade.

Another solution would be to use a custom DA / auth file, but it seems hard to find.

@Beanow fastboot has been disabled at startup by the update (like BROM mode). And as Giovix reports, it may have been fully disabled.

UPDATE: mtkclient doesn't find device when using the meta command, because it checks for a specific PID: https://github.com/bkerler/mtkclient/blob/2e62c4a3331094d2b5d334e020f457fb8cbfd265/mtkclient/Library/meta.py#L54

It works on some devices in default preloader mode, so I don't think we require this condition @bkerler. However, it still doesn't work on my OnePlus Nord 2.

Beanow commented 2 years ago

On that note, something I think got removed in the recent update for me as well was a bunch of what looks like factory init logs from the pl/lk. This hung out in the oplusreserved2 partition for some time till only recently it got removed. mobilelog.zip Don't know how often these are found but thought I would share for the RE efforts :shrug:

bkerler commented 4 months ago

Double of issue #830