bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Amazon FireStick 4K TV #633

Closed phodina closed 5 months ago

phodina commented 1 year ago

Hi,

I've been able to get the GPT from the device and dump all the partitions.

However, on next reboot I'm unable to connect. It detects the SoC but fails with DA_IMAGE_SIG_VERIFY_FAIL.

Any idea on how to fix that?

mtk printgpt
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

...........
Port - Device detected :)
Preloader -     CPU:            MT8695()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x8695
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Main - Device is unprotected.
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2136.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         8GTF4R
DAXFlash - EMMC CID:        15010038475446345206928847f3291d
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x80000
DAXFlash - EMMC USER Size:  0x1d2000000
DAXFlash - DA-CODE      : 0x961B8
DAXFlash - DA Extensions successfully added

GPT Table:
-------------
lk:                  Offset 0x0000000000080000, Length 0x0000000000100000, Flags 0x00000000, UUID f586b052-e40a-47fd-e2a8-26717d862782, Type EFI_LINUX_DAYA
tee1:                Offset 0x0000000000180000, Length 0x0000000000500000, Flags 0x00000000, UUID eddd962d-1480-46d6-11a6-2dc3fc68ac1f, Type EFI_LINUX_DAYA
tee2:                Offset 0x0000000000680000, Length 0x0000000000500000, Flags 0x00000000, UUID 4c17b3d6-bf73-4981-96a1-9a1a8d9d50d0, Type EFI_LINUX_DAYA
boot:                Offset 0x0000000000b80000, Length 0x0000000001000000, Flags 0x00000000, UUID cf33c04b-363c-4b21-23ad-475fac317eba, Type EFI_LINUX_DAYA
recovery:            Offset 0x0000000001b80000, Length 0x0000000001000000, Flags 0x00000000, UUID 3d1a5c47-7777-483a-3fb8-09a2f6e8cf0d, Type EFI_LINUX_DAYA
logo:                Offset 0x0000000002b80000, Length 0x0000000000380000, Flags 0x00000000, UUID 5474ed5d-cf31-4000-689d-d2f5108663db, Type EFI_LINUX_DAYA
kb:                  Offset 0x0000000002f00000, Length 0x0000000000100000, Flags 0x00000000, UUID e55e4196-06ae-40ca-15a2-fe6af40b2916, Type EFI_LINUX_DAYA
dkb:                 Offset 0x0000000003000000, Length 0x0000000000100000, Flags 0x00000000, UUID e56f4c0f-413d-4ce2-1593-6009bcb75b2c, Type EFI_LINUX_DAYA
MISC:                Offset 0x0000000003100000, Length 0x0000000000100000, Flags 0x00000000, UUID 02ad1ecb-04f0-4065-deb7-f02bb1566368, Type EFI_LINUX_DAYA
vendor:              Offset 0x0000000003200000, Length 0x0000000009600000, Flags 0x00000000, UUID d1df9aa3-caaf-43be-f0ac-81dfa04f7d62, Type EFI_LINUX_DAYA
system:              Offset 0x000000000c800000, Length 0x0000000044c00000, Flags 0x00000000, UUID 7f40f9ba-be10-4737-0581-8a0a8ee300a0, Type EFI_LINUX_DAYA
cache:               Offset 0x0000000051400000, Length 0x0000000020000000, Flags 0x00000000, UUID 9d72d41f-ca32-4eef-dea9-18e60d0f3ad8, Type EFI_LINUX_DAYA
userdata:            Offset 0x0000000071400000, Length 0x0000000160bfbe00, Flags 0x00000000, UUID 2058565f-a137-455e-1381-c50a97e06910, Type EFI_LINUX_DAYA

Total disk size:0x00000001d2000000, sectors:0x0000000000e90000

Port - Device detected :)
Preloader -     CPU:            MT8695()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x8695
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Main - Device is unprotected.
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2136.bin
Preloader
Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001)
Preloader
Preloader - [LIB]: Error on uploading da data
DAXFlash
DAXFlash - [LIB]: Error on sending DA.
Main
Main - [LIB]: Error uploading da

phodina commented 1 year ago

@bkerler has a similar issue where the preloader fails happened to you on other MediaTek SoCs?

bkerler commented 1 year ago

> @bkerler has a similar issue where the preloader fails happened to you on other MediaTek SoCs?

Actually that's because mtk patched the preloader. I didn't have time to review what they patched.

phodina commented 1 year ago

Is there a diagram or some document with description of the boot flow?

I've checked SP_Flash_Tool_v6.2152 and there are no binaries.

Do you extract them from Windows drivers or what's the place that you get them?

phodina commented 1 year ago

I've managed to revert the state of the device. However, the device is still locked.

Any idea what partition name should be used? @bkerler

mtk xflash seccfg unlock
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021

xflashext
xflashext - [LIB]: Couldn't detect existing seccfg partition. Aborting unlock.

bkerler commented 1 year ago

I assume they might use MISC or store the flag in rpmb. If you upload the LK partition I can have a look.
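
Added example, not part of the thread and not mtkclient code: a small parser for the `printgpt` listing in the first post that checks the entries are contiguous, reports the space left after the last partition, and looks partitions up by name (for instance `seccfg` or `MISC`). The function names and the trimmed sample are assumptions made for this example.

```python
import re

# Offsets/lengths copied from the printgpt listing in the first post; the
# Flags/UUID/Type columns are trimmed, but full lines parse the same way.
LISTING = """\
lk: Offset 0x0000000000080000, Length 0x0000000000100000
tee1: Offset 0x0000000000180000, Length 0x0000000000500000
tee2: Offset 0x0000000000680000, Length 0x0000000000500000
boot: Offset 0x0000000000b80000, Length 0x0000000001000000
recovery: Offset 0x0000000001b80000, Length 0x0000000001000000
logo: Offset 0x0000000002b80000, Length 0x0000000000380000
kb: Offset 0x0000000002f00000, Length 0x0000000000100000
dkb: Offset 0x0000000003000000, Length 0x0000000000100000
MISC: Offset 0x0000000003100000, Length 0x0000000000100000
vendor: Offset 0x0000000003200000, Length 0x0000000009600000
system: Offset 0x000000000c800000, Length 0x0000000044c00000
cache: Offset 0x0000000051400000, Length 0x0000000020000000
userdata: Offset 0x0000000071400000, Length 0x0000000160bfbe00
Total disk size:0x00000001d2000000, sectors:0x0000000000e90000
"""

ENTRY = re.compile(r"^(\S+):\s+Offset (0x[0-9a-fA-F]+), Length (0x[0-9a-fA-F]+)", re.M)
TOTAL = re.compile(r"Total disk size:(0x[0-9a-fA-F]+)")

def parse_listing(text):
    """Return ([(name, offset, length), ...] sorted by offset, total_size or None)."""
    found = ((n, int(o, 16), int(l, 16)) for n, o, l in ENTRY.findall(text))
    parts = sorted(found, key=lambda p: p[1])
    m = TOTAL.search(text)
    return parts, (int(m.group(1), 16) if m else None)

def check_layout(parts, total):
    """Return (gaps/overlaps between neighbours, bytes left after the last entry).
    A negative tail means the last entry runs past the reported disk size."""
    if not parts:
        return [], total
    problems = []
    for (n1, o1, l1), (n2, o2, _) in zip(parts, parts[1:]):
        if o1 + l1 != o2:
            problems.append(("overlap" if o1 + l1 > o2 else "gap", n1, n2))
    end = parts[-1][1] + parts[-1][2]
    return problems, (None if total is None else total - end)

def find_partition(parts, name):
    """Case-insensitive lookup by partition name; returns the entry or None."""
    return next((p for p in parts if p[0].lower() == name.lower()), None)

if __name__ == "__main__":
    parts, total = parse_listing(LISTING)
    print(check_layout(parts, total), find_partition(parts, "seccfg"))
```

On the listing from the first post this reports a contiguous layout, 0x4200 bytes left after `userdata`, and no entry named `seccfg`.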