bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

[MT6752] Request for support #704

Closed howetuft closed 2 months ago

howetuft commented 1 year ago

Hello,

First, thank you for this wonderful tool.

--> Could you please add full support for MT6752? Right now, there are some parameters missing, like send_ptr, brom_register_address etc., which prevents kamakiri2 from working fine.

Brute force bootrom dump succeeds:

$ python mtk brute
[...]
Port - Device detected :)
Preloader - Get Target info
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader - Jumping to 0x0
Preloader - Jumping to 0x0: ok.
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader - Get Target info
Preloader - BROM mode detected.
Kamakiri - Bruteforce, testing 0x9da8...
Kamakiri - Found 0x9da8, dumping bootrom to brom_6752.bin
Progress: |██████████████████████████████████████████████████| 100.0% Complete

brom_6752.zip

Side question: I'm really willing to do it myself but I don't know how. Are there some instructions somewhere?

Many thanks in advance!

bkerler commented 1 year ago

Sure, I'm going to add support and let you know.

bkerler commented 1 year ago

Can you please test commit 3e696d4 ?

howetuft commented 1 year ago

Thank you!

Some commands work fine:

python mtk r boot boot.bin
python mtk r preloader preloader.bin --parttype=boot1
python mtk printgpt
python mtk da generatekeys
python mtk dumppreloader

For some others, they work fine up to a certain point, but then I get some errors:

1st case:

user@mtk:~/mtkclient$ python mtk script run.example
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........
Port - Device detected :)
Preloader -     CPU:            MT6752()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212c00
Preloader -     Var1:           0x28
Preloader - Disabling Watchdog...
Preloader - HW code:            0x6752
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca01
Preloader -     SW Ver:         0x1
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode :(
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext - Legacy DA2 is patched.
legacyext - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028f
DALegacy - Setting stage 2 config ...
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x80000000
randomid = 0xA36638613712BC8CFE71315EE41C2190

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x3ab800000
m_emmc_cid = 4147326590014a487652433305075177
m_emmc_fwver = 0700000000000000

GPT Table:
-------------
proinfo:             Offset 0x0000000000080000, Length 0x0000000000300000, Flags 0x00000000, UUID f57ad330-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
nvram:               Offset 0x0000000000380000, Length 0x0000000000500000, Flags 0x00000000, UUID fe686d97-3544-4a41-21be-167e25b61b6f, Type EFI_BASIC_DATA
protect1:            Offset 0x0000000000880000, Length 0x0000000000a00000, Flags 0x00000000, UUID 1cb143a8-b1a8-4b57-51b2-945c5119e8fe, Type EFI_BASIC_DATA
protect2:            Offset 0x0000000001280000, Length 0x0000000000a00000, Flags 0x00000000, UUID 3b9e343b-cdc8-4d7f-a69f-b6812e50ab62, Type EFI_BASIC_DATA
kb:                  Offset 0x0000000001c80000, Length 0x0000000000100000, Flags 0x00000000, UUID 5f6a2c79-6617-4b85-02ac-c2975a14d2d7, Type EFI_BASIC_DATA
dkb:                 Offset 0x0000000001d80000, Length 0x0000000000100000, Flags 0x00000000, UUID 4ae2050b-5db5-4ff7-d3aa-5730534be63d, Type EFI_BASIC_DATA
seccfg:              Offset 0x0000000001e80000, Length 0x0000000000040000, Flags 0x00000000, UUID 1f9b0939-e16b-4bc9-bca5-dc2ee969d801, Type EFI_BASIC_DATA
lk:                  Offset 0x0000000001ec0000, Length 0x0000000000060000, Flags 0x00000000, UUID d722c721-0dee-4cb8-838a-2c63cd1393c7, Type EFI_BASIC_DATA
boot:                Offset 0x0000000001f20000, Length 0x0000000001000000, Flags 0x00000000, UUID e02179a8-ceb5-48a9-3188-4f1c9c5a8695, Type EFI_BASIC_DATA
recovery:            Offset 0x0000000002f20000, Length 0x0000000001000000, Flags 0x00000000, UUID 84b09a81-fad2-41ac-0e89-407c24975e74, Type EFI_BASIC_DATA
secro:               Offset 0x0000000003f20000, Length 0x0000000000600000, Flags 0x00000000, UUID e8f0a5ef-8d1b-42ea-2a9c-835cd77de363, Type EFI_BASIC_DATA
para:                Offset 0x0000000004520000, Length 0x0000000000080000, Flags 0x00000000, UUID d5f0e175-a6e1-4db7-c094-f82ad032950b, Type EFI_BASIC_DATA
logo:                Offset 0x00000000045a0000, Length 0x0000000000800000, Flags 0x00000000, UUID 1d9056e1-e139-4fca-0b8c-b75fd74d81c6, Type EFI_BASIC_DATA
expdb:               Offset 0x0000000004da0000, Length 0x0000000000a00000, Flags 0x00000000, UUID 7792210b-b6a8-45d5-91ad-3361ed14c608, Type EFI_BASIC_DATA
tee1:                Offset 0x00000000057a0000, Length 0x0000000000500000, Flags 0x00000000, UUID 138a6db9-1032-451d-e991-0fa38ff94fbb, Type EFI_BASIC_DATA
tee2:                Offset 0x0000000005ca0000, Length 0x0000000000500000, Flags 0x00000000, UUID 756d934c-50e3-4c91-46af-02d824169ca7, Type EFI_BASIC_DATA
metadata:            Offset 0x00000000061a0000, Length 0x0000000002660000, Flags 0x00000000, UUID a3f3c267-5521-42dd-24a7-3bdec20c7c6f, Type EFI_BASIC_DATA
system:              Offset 0x0000000008800000, Length 0x0000000080000000, Flags 0x00000000, UUID 8c68cd2a-ccc9-4c5d-578b-34ae9b2dd481, Type EFI_BASIC_DATA
cache:               Offset 0x0000000088800000, Length 0x0000000007000000, Flags 0x00000000, UUID 6a5cebf8-54a7-4b89-1d8d-c5eb140b095b, Type EFI_BASIC_DATA
userdata:            Offset 0x000000008f800000, Length 0x000000031af80000, Flags 0x00000000, UUID a0d65bf8-e8de-4107-3494-1d318c843d37, Type EFI_BASIC_DATA
flashinfo:           Offset 0x00000003aa780000, Length 0x0000000001000000, Flags 0x00000000, UUID 46f0c0bb-f227-4eb6-2fb8-66408e13e36d, Type EFI_BASIC_DATA

Total disk size:0x00000003ab784200, sectors:0x0000000001d5bc21

DA_handler - Requesting available partitions ....
DA_handler - Dumping partition "boot"
Progress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x8000 of 0x8000, ) 2.11 MB/s50 MB/s
DA_handler - Dumped sector 63744 with sector count 32768 as boot.img.
Traceback (most recent call last):
  File "/home/user/mtkclient/mtk", line 855, in <module>
    mtk = Main(args).run(parser)
  File "/home/user/mtkclient/mtkclient/Library/mtk_main.py", line 383, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "/home/user/mtkclient/mtkclient/Library/mtk_da_cmd.py", line 712, in handle_da_cmds
    os.remove(os.path.join("logs", "hwparam.json"))
FileNotFoundError: [Errno 2] No such file or directory: 'logs/hwparam.json'

2nd case:

user@mtk:~/mtkclient$ python mtk da seccfg unlock
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

........Port - Device detected :)
Preloader -     CPU:            MT6752()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212c00
Preloader -     Var1:           0x28
Preloader - Disabling Watchdog...
Preloader - HW code:            0x6752
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca01
Preloader -     SW Ver:         0x1
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode :(
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext - Legacy DA2 is patched.
legacyext - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028f
DALegacy - Setting stage 2 config ...
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x80000000
randomid = 0xA36638613712BC8CFE71315EE41C2190

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x3ab800000
m_emmc_cid = 4147326590014a487652433305075177
m_emmc_fwver = 0700000000000000

legacyext - Detected V3 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
Done |--------------------------------------------------| 0.0% Write (Sector 0x0 of 0x0) 0.00 MB/sTraceback (most recent call last):
  File "/home/user/mtkclient/mtk", line 855, in <module>
    mtk = Main(args).run(parser)
  File "/home/user/mtkclient/mtkclient/Library/mtk_main.py", line 633, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "/home/user/mtkclient/mtkclient/Library/mtk_da_cmd.py", line 765, in handle_da_cmds
    v = mtk.daloader.seccfg(args.flag)
  File "/home/user/mtkclient/mtkclient/Library/mtk_daloader.py", line 260, in seccfg
    return self.lft.seccfg(lockflag)
  File "/home/user/mtkclient/mtkclient/Library/legacy_ext.py", line 194, in seccfg
    if self.legacy.writeflash(addr=partition.sector * self.mtk.daloader.daconfig.pagesize,
  File "/home/user/mtkclient/mtkclient/Library/mtk_dalegacy.py", line 1627, in writeflash
    return self.sdmmc_write_data(addr=addr, length=length, filename=filename, offset=offset, parttype=parttype,
  File "/home/user/mtkclient/mtkclient/Library/mtk_dalegacy.py", line 1557, in sdmmc_write_data
    chksum = sum(data) & 0xFFFF
TypeError: unsupported operand type(s) for +: 'int' and 'str'

(please note I didn't try any write command)
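The second traceback ends in `chksum = sum(data) & 0xFFFF` raising `TypeError: unsupported operand type(s) for +: 'int' and 'str'`, i.e. a Python `str` reached the DA write path where a byte buffer was expected. The following is an added illustration, not mtkclient's own code: it assumes the checksum is a plain 16-bit truncated byte sum (as the traceback line suggests), reproduces the failure, and shows a version that rejects the wrong input type up front instead of failing inside the arithmetic.

```python
from typing import Union

# Assumed semantics (not taken from mtkclient): 16-bit truncated byte sum,
# matching the shape of the line in the traceback.
BytesLike = Union[bytes, bytearray, memoryview]


def naive_checksum16(data):
    """Verbatim shape from the traceback; kept to show the failure mode."""
    return sum(data) & 0xFFFF


def legacy_checksum16(data: BytesLike) -> int:
    """Same checksum, but only accepts byte buffers.

    A str (e.g. a filename or hex text passed where file contents were
    meant) is rejected with a clear message rather than surfacing as
    'int' + 'str' deep inside the write routine.
    """
    if isinstance(data, str):
        raise TypeError(
            "checksum input must be bytes-like, not str; "
            "read the file or .encode()/bytes.fromhex() the text first"
        )
    view = memoryview(data).cast("B")  # normalises bytes/bytearray/memoryview
    return sum(view) & 0xFFFF


def reproduce_failure() -> str:
    """Trigger the exact error from the issue and return its message."""
    try:
        naive_checksum16("seccfg")  # constructed str input
    except TypeError as exc:
        return str(exc)
    return ""


def hardened_failure() -> str:
    """Same wrong input through the checked version; message names the cause."""
    try:
        legacy_checksum16("seccfg")
    except TypeError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(reproduce_failure())
    print(hardened_failure())
    print(hex(legacy_checksum16(bytes([0xFF] * 3))))  # 0x2fd
```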

github-actions[bot] commented 2 months ago

Stale issue message