search

bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0
2.56k stars 510 forks source link

DAXFlash - Sending emi data... ERROR #532

Closed pkdeva closed 3 months ago

pkdeva commented 1 year ago

I hard-bricked my Vivo V83 smartphone. Now I'm trying to unbrick it using this MTKClient tool. But I'm getting the following error while flashing boot.img on my phone.

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

........... Port - Device detected :) Preloader - CPU: MT6765/MT8768t(Helio P35/G35) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0x25 Preloader - Disabling Watchdog... Preloader - HW code: 0x766 Preloader - Target config: 0xe5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca00 Preloader - SW Ver: 0x0 Preloader - ME_ID: 3EEAB1AC0F66B25D188561B50123B72E Preloader - SOC_ID: D28DB26EA327F1E9266FDCBD4E5C95427BAC8AEDF84DAD4CD41CA545C616303E PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: C:\Users\PK-Dev\Desktop\mtkclient-main\mtkclient-main\mtkclient\payloads\mt6765_payload.bin Port - Device detected :) DA_handler - Device is protected. DA_handler - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin xflashext - Patching da1 ... Mtk - Patched "Patched loader msg" in preloader xflashext xflashext - [LIB]: ←[33mError on patching da1 version check...←[0m Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "get_vfy_policy" in preloader xflashext - Patching da2 ... DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - DRAM config needed for : 90014a4842473461 DAXFlash - No preloader given. Searching for preloader DAXFlash - Sending emi data ...

bkerler commented 1 year ago

Wrong preloader used, as it seems. Or preloader was patched against kamakiri.

robzambdev commented 1 year ago

On Redmi 9c I get stuck in this error:

Port - Device detected :) Preloader - CPU: MT6765/MT8768t(Helio P35/G35) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0x25 Preloader - Disabling Watchdog... Preloader - HW code: 0x766 Preloader - Target config: 0xe7 Preloader - SBC enabled: True Preloader - SLA enabled: True Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca00 Preloader - SW Ver: 0x0 Preloader - ME_ID: 0182F5C144946695EC9D8C44FBF1FE93 Preloader - SOC_ID: 287D7334F2E6BE69C9197BDB6AC3F2B20596BB5C389337922456A9E803AAA7D9 PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: C:\Users\Rob\Desktop\mtkclient-main\mtkclient\payloads\mt6765_payload.bin Port - Device detected :) DA_handler - Device is protected. DA_handler - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin xflashext - Patching da1 ... Mtk - Patched "Patched loader msg" in preloader xflashext xflashext - [LIB]: Error on patching da1 version check... Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "get_vfy_policy" in preloader xflashext - Patching da2 ... DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - DRAM config needed for : 150100424a544434 DAXFlash - Sending emi data ...

[here the process get stuck and I disconnect the cable, and then...]

DeviceClass - USBError(5, 'Input/Output Error') DAXFlash DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes

mkrasuski commented 1 year ago

I've tried XiaoXin Tab Pro 2022 and have:

Preloader - CPU: MT6893(Dimensity 1200) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0xa Preloader - Disabling Watchdog... Preloader - HW code: 0x950 Preloader - Target config: 0x5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: False Preloader - Mem write auth: False Preloader - Cmd 0xC8 blocked: False Preloader - Get Target info Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca00 Preloader - SW Ver: 0x0 Mtk - We're not in bootrom, trying to crash da... PLTools - Crashing da... Preloader Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024) Preloader Preloader - [LIB]: Error on uploading da data Preloader - Jumping to 0x0 DeviceClass - USBError(5, 'Input/Output Error') Preloader - Status: Waiting for PreLoader VCOM, please connect mobile Port - Device detected :) Preloader - CPU: MT6893(Dimensity 1200) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0xa Preloader - Disabling Watchdog... Preloader - HW code: 0x950 Preloader - Target config: 0xe5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca00 Preloader - SW Ver: 0x0 Preloader - ME_ID: C007D645F4454601121DADF91A3A9973 Preloader - SOC_ID: 9B656922BADA4532EE37F61CBBDFE774483B70B768C213F240AC383A8EB905E9 PLTools - Loading payload from mt6893_payload.bin, 0x264 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: /home/mkr/roms/mtkclient/mtkclient/payloads/mt6893_payload.bin Port - Device detected :) DA_handler - Device is protected. DA_handler - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin xflashext - Patching da1 ... Mtk - Patched "Patched loader msg" in preloader xflashext xflashext - [LIB]: Error on patching da1 version check... Mtk - Patched "Patched loader msg" in preloader Mtk - Patched "get_vfy_policy" in preloader xflashext - Patching da2 ... DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - UFS Blocksize:0x1000 DAXFlash - UFS ID: MT128GAXAT2U31 DAXFlash - UFS MID: 0x2c DAXFlash - UFS CID: 2c014d54313238474158415432553331 DAXFlash - UFS FWVer: 30313034 DAXFlash - UFS Serial: 79674e200000000000000000 DAXFlash - UFS LU0 Size: 0x1dcb000000 DAXFlash - UFS LU1 Size: 0x400000 DAXFlash - UFS LU2 Size: 0x400000 DAXFlash - DRAM config needed for : 2c014d54313238474158415432553331 DAXFlash - Sending emi data ... DAXFlash DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes

cichy17 commented 1 year ago

Hey Guys, did anyone succeed in solving this issue? I have exactly the same problem (hard-bricked phone) after trying to flash unofficial TWRP recovery in fastboot mode on BV9600 Pro (MT6771T p70 version). It looks like both tools (SP Flash Tool and Mtk Client) stops at exactly the same point (sending EMI data): Mtk Client: python mtk r boot boot.img --preloader=preloader_k71v1_64_bsp_bv9600.bin --debugmode ... TX:efeeeefe0100000050020000 TX:4d544b5f424c4f414445525f494e464f5f763336000000000000007072656c6f616465725f6b373176315f36345f6273702e62696e00000000000000000000000000000000000000000000000000000000000000000000005631313622884433900070004d544b5f42494e000300000001000000060200000900000000000000150100335636434d420000000000000000000000000000005431533223008484000000000000000000000000000000000000000000000000000000000000000000000080000000000000000001000000000000000000000000000000000000000010420059308404593084040200000000000000000000000000000000000000000000000000000001000000000000000100000006020000090000000000000090014a6844456150330000000000000000000000000000005431533223008484000000000000000000000000000000000000000000000000000000000000000000000080000000000000000001000000000000000000000000000000000000000000210459308404593084040200000000000000000000000000000000000000000000000000000006000000000000000100000006020000090000000000000045010044413431323800000000000000000000000000000054315332230084840000000000000000000000000000000000000000000000000000000000000000 TX:0000008000000000000000000100000000000000000000000000000000000000001042005930840459308404020000000000000000000000000000000000000000000000000000000600000000000000 Timed out Timed out Timed out Timed out Timed out Timed out Error on sending emi: unpack requires a buffer of 12 bytes

On SP Flash Tool: [00001256] [18:49:27:933942] [Tid0x0000490c] [info] /CMD/: CMD_INIT_EXT_RAM=0x10,00a #(device_instance.cpp, line:251) [00001257] [18:49:27:933942] [Tid0x0000490c] [debug] Tx->: 0x0000000c Hex[ef ee ee fe 01 00 00 00 04 00 00 00 ] [00001258] [18:49:27:935949] [Tid0x0000490c] [debug] Tx->: 0x00000004 Hex[0a 00 01 00 ] [00001260] [18:49:27:935949] [Tid0x0000490c] [info] receive response for command check. #(device_instance.cpp, line:256) [00001259] [18:49:27:935949] [Tid0x00005778] [debug] <-Rx: 0x0000000c Hex[ef ee ee fe 01 00 00 00 04 00 00 00 ] [00001261] [18:49:27:936966] [Tid0x00005778] [debug] <-Rx: 0x00000004 Hex[00 00 00 00 ] [00001262] [18:49:27:937967] [Tid0x0000490c] [info] emi length: 0x250 #(device_instance.cpp, line:268) [00001263] [18:49:27:938978] [Tid0x0000490c] [debug] Tx->: 0x0000000c Hex[ef ee ee fe 01 00 00 00 04 00 00 00 ] [00001264] [18:49:27:939967] [Tid0x0000490c] [debug] Tx->: 0x00000004 Hex[50 02 00 00 ] [00001265] [18:49:27:940971] [Tid0x0000490c] [debug] Tx->: 0x0000000c Hex[ef ee ee fe 01 00 00 00 50 02 00 00 ] [00001266] [18:49:27:941969] [Tid0x0000490c] [debug] Tx->: 0x00000250 Hex[4d 54 4b 5f 42 4c 4f 41 44 45 52 5f 49 4e 46 4f ] [00001267] [18:51:33:311034] [Tid0x0000490c] [error] ext ram init exception: #(device_instance.cpp, line:279) [00001268] [18:51:33:311034] [Tid0x0000490c] [error] ./dagent/device/protocol/data_mux.cpp(72): Throw in function void __thiscall data_mux::receive_exactly(class boost::shared_ptr &,unsigned int,data_type_t) Dynamic exception type: class boost::exception_detail::clone_impl std::exception::what: data_mux receive timeout. #(data_mux.cpp, line:72)

(device_instance.cpp, line:280)

[00001269] [18:51:33:311034] [Tid0x0000490c] [info] [result]: STATUS_EXT_RAM_EXCEPTION #(device_instance.cpp, line:284)

When I compare HEX data on both tools at the error point: mtk client: TX:4d 54 4b 5f 42 4c 4f 41 44 45 52 5f 49 4e 46 4f .... SP Flash Tool: Tx->: 0x00000250 Hex[4d 54 4b 5f 42 4c 4f 41 44 45 52 5f 49 4e 46 4f ] ....

It looks like it fails at the same point...

Does anyone have any idea how we could fix this? I will appreciate any help with this....

Just want to mention, that I tried number of different preloaders, with the same result...

mohamadali-halwani commented 1 year ago

i have the same phone and getting the same error

bkerler commented 3 months ago

Double of issue #830