bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

MT6789 da2 patching results in TypeError / Support for newer V6 / bootrom patched based devices (MT68xx/MT69xx) #758

Closed JamiKettunen closed 8 months ago

JamiKettunen commented 1 year ago

I see https://github.com/bkerler/mtkclient/commit/81694c4aae9af5190e9ea1d037e727bf1f7dbe5a at least may be relevant, I ran mtkclient from commit 4549fdc3963ad71a04ebe55c79dd3ccca8eae397. Let me know if I can help in any way. The device is a Gigaset GX4

$ mtk printgpt
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

Port - Device detected :)
Preloader -     CPU:            MT6789(MTK Helio G99)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x1208
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode :(
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_mt6789.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
xflashext - Patching da2 ...
Traceback (most recent call last):
  File "/usr/bin/mtk", line 855, in <module>
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/mtk_main.py", line 635, in run
    mtk = da_handler.configure_da(mtk, preloader)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/mtk_da_cmd.py", line 119, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/mtk_daloader.py", line 211, in upload_da
    return self.da.upload_da()
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/mtk_daxflash.py", line 1170, in upload_da
    if self.upload():
       ^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/mtk_daxflash.py", line 1092, in upload
    da2 = self.xft.patch_da2(da2)
          ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/xflash_ext.py", line 193, in patch_da2
    da2patched[is_security_enabled:is_security_enabled + 2] = b"\x00\x23"
                                   ~~~~~~~~~~~~~~~~~~~~^~~
TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'

bkerler commented 1 year ago

Thanks, I will have a look :)

bkerler commented 1 year ago

The MT6789 da has a completely different command structure using xml commands. In order to support the mt6789 DA, please try to use sp flash v6 for reading back data and try to sniff the usb connection (for example using wireshark) and upload the pcapng over here.

JamiKettunen commented 1 year ago

Hope this helps, used spflash v6 readback with read pt and captured the following with wireshark (had to zip due to github upload rules): gx4-readback-read-pt.pcapng.zip

bkerler commented 1 year ago

Yes, that helps a lot. Which files did you use for the V6 spflash tool ?

JamiKettunen commented 1 year ago

These should be everything relevant: DA_BR.zip MT6789_Android_scatter.xml.txt

Shakib-BD commented 1 year ago

Is there any way to contact you? @JamiKettunen

Bossrd commented 1 year ago

> These should be everything relevant: DA_BR.zip MT6789_Android_scatter.xml.txt

hi bro, are you still working on it?

hopez13 commented 1 year ago

Have Attached Following Files In Issue #789 If Required rock

Thanks A Lot For Your Great Work 👍🙏

Shakib-BD commented 1 year ago

issue fixed?

hopez13 commented 1 year ago

not yet

> issue fixed?

hopez13 commented 1 year ago

@bkerler any updates regarding this issue?

davidlip123 commented 1 year ago

is mt6789 supported now? @bkerler

hopez13 commented 1 year ago

> is mt6789 supported now? @bkerler

not yet

zeigfred commented 1 year ago

> is mt6789 supported now? @bkerler
>
> not yet

Is it done?

zeigfred commented 1 year ago

> is mt6789 supported now? @bkerler
>
> not yet

Can this fix the Realme 10?

bkerler commented 1 year ago

Still waiting for my gigaset gx4 to arrive... will keep you updated on the progress

drodge1 commented 1 year ago

Did it work on mt6789?

bkerler commented 1 year ago

Gx4 has arrived, will start to add implementation next week

bkerler commented 1 year ago

First progress ..

.....Port - Device detected :)
Preloader -     CPU:            MT6789(MTK Helio G99)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x1208
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          EEFFAABB62CCB1DD8EEE04FFF50AA8BB
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode :(
DAXML - Uploading xflash stage 1 from DA_BR.bin
DAXML - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXML - Stage 1 successfully loaded.
DAXML - Uploading stage 2...
DAXML - Successfully uploaded stage 2.
DAXML - Successfully uploaded stage 2
DAXML - SLA is disabled

GPT Table:
-------------
proinfo:             Offset 0x0000000000008000, Length 0x0000000000300000, Flags 0x00000000, UUID 00000000-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
misc:                Offset 0x0000000000308000, Length 0x0000000000080000, Flags 0x00000000, UUID 00000001-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
para:                Offset 0x0000000000388000, Length 0x0000000000080000, Flags 0x00000000, UUID 00000002-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
expdb:               Offset 0x0000000000408000, Length 0x0000000008000000, Flags 0x00000000, UUID 00000003-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
frp:                 Offset 0x0000000008408000, Length 0x0000000000100000, Flags 0x00000000, UUID 00000004-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
nvcfg:               Offset 0x0000000008508000, Length 0x0000000002000000, Flags 0x00000000, UUID 00000005-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
nvdata:              Offset 0x000000000a508000, Length 0x0000000004000000, Flags 0x00000000, UUID 00000006-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vbmeta_a:            Offset 0x000000000e508000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000007-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vbmeta_system_a:     Offset 0x000000000ed08000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000008-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vbmeta_vendor_a:     Offset 0x000000000f508000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000009-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vbmeta_b:            Offset 0x000000000fd08000, Length 0x0000000000800000, Flags 0x00000000, UUID 0000000a-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vbmeta_system_b:     Offset 0x0000000010508000, Length 0x0000000000800000, Flags 0x00000000, UUID 0000000b-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vbmeta_vendor_b:     Offset 0x0000000010d08000, Length 0x0000000000800000, Flags 0x00000000, UUID 0000000c-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
metadata:            Offset 0x0000000011508000, Length 0x0000000002000000, Flags 0x00000000, UUID 0000000d-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
persist:             Offset 0x0000000013508000, Length 0x00000000032f8000, Flags 0x00000000, UUID 0000000e-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
protect1:            Offset 0x0000000016800000, Length 0x0000000000800000, Flags 0x00000000, UUID 0000000f-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
protect2:            Offset 0x0000000017000000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000010-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
seccfg:              Offset 0x0000000017800000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000011-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
otp:                 Offset 0x0000000018000000, Length 0x0000000003000000, Flags 0x00000000, UUID 00000012-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
md1img_a:            Offset 0x000000001b000000, Length 0x000000000c800000, Flags 0x00000000, UUID 00000013-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
spmfw_a:             Offset 0x0000000027800000, Length 0x0000000000100000, Flags 0x00000000, UUID 00000014-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
pi_img_a:            Offset 0x0000000027900000, Length 0x0000000000100000, Flags 0x00000000, UUID 00000015-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
dpm_a:               Offset 0x0000000027a00000, Length 0x0000000000400000, Flags 0x00000000, UUID 00000016-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
scp_a:               Offset 0x0000000027e00000, Length 0x0000000000600000, Flags 0x00000000, UUID 00000017-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
sspm_a:              Offset 0x0000000028400000, Length 0x0000000000100000, Flags 0x00000000, UUID 00000018-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
mcupm_a:             Offset 0x0000000028500000, Length 0x0000000000100000, Flags 0x00000000, UUID 00000019-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
gz_a:                Offset 0x0000000028600000, Length 0x0000000002000000, Flags 0x00000000, UUID 0000001a-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
lk_a:                Offset 0x000000002a600000, Length 0x0000000000400000, Flags 0x00000000, UUID 0000001b-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
boot_a:              Offset 0x000000002aa00000, Length 0x0000000004000000, Flags 0x00000000, UUID 0000001c-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vendor_boot_a:       Offset 0x000000002ea00000, Length 0x0000000004000000, Flags 0x00000000, UUID 0000001d-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
dtbo_a:              Offset 0x0000000032a00000, Length 0x0000000000800000, Flags 0x00000000, UUID 0000001e-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
tee_a:               Offset 0x0000000033200000, Length 0x0000000000500000, Flags 0x00000000, UUID 0000001f-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
sec1:                Offset 0x0000000033700000, Length 0x0000000000200000, Flags 0x00000000, UUID 00000020-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
nvram:               Offset 0x0000000033900000, Length 0x0000000004000000, Flags 0x00000000, UUID 00000021-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
boot_para:           Offset 0x0000000037900000, Length 0x0000000000100000, Flags 0x00000000, UUID 00000022-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
dram_para:           Offset 0x0000000037a00000, Length 0x0000000001900000, Flags 0x00000000, UUID 00000023-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
connsys_bt_a:        Offset 0x0000000039300000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000024-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
connsys_wifi_a:      Offset 0x0000000039b00000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000025-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
connsys_gnss_a:      Offset 0x000000003a300000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000026-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
logo:                Offset 0x000000003ab00000, Length 0x0000000001d00000, Flags 0x00000000, UUID 00000027-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
md1img_b:            Offset 0x000000003c800000, Length 0x000000000c800000, Flags 0x00000000, UUID 00000028-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
spmfw_b:             Offset 0x0000000049000000, Length 0x0000000000100000, Flags 0x00000000, UUID 00000029-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
pi_img_b:            Offset 0x0000000049100000, Length 0x0000000000100000, Flags 0x00000000, UUID 0000002a-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
dpm_b:               Offset 0x0000000049200000, Length 0x0000000000400000, Flags 0x00000000, UUID 0000002b-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
scp_b:               Offset 0x0000000049600000, Length 0x0000000000600000, Flags 0x00000000, UUID 0000002c-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
sspm_b:              Offset 0x0000000049c00000, Length 0x0000000000100000, Flags 0x00000000, UUID 0000002d-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
mcupm_b:             Offset 0x0000000049d00000, Length 0x0000000000100000, Flags 0x00000000, UUID 0000002e-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
gz_b:                Offset 0x0000000049e00000, Length 0x0000000002000000, Flags 0x00000000, UUID 0000002f-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
lk_b:                Offset 0x000000004be00000, Length 0x0000000000400000, Flags 0x00000000, UUID 00000030-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
boot_b:              Offset 0x000000004c200000, Length 0x0000000004000000, Flags 0x00000000, UUID 00000031-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
vendor_boot_b:       Offset 0x0000000050200000, Length 0x0000000004000000, Flags 0x00000000, UUID 00000032-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
connsys_bt_b:        Offset 0x0000000054200000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000033-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
connsys_wifi_b:      Offset 0x0000000054a00000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000034-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
connsys_gnss_b:      Offset 0x0000000055200000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000035-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
dtbo_b:              Offset 0x0000000055a00000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000036-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
tee_b:               Offset 0x0000000056200000, Length 0x0000000000600000, Flags 0x00000000, UUID 00000037-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
super:               Offset 0x0000000056800000, Length 0x0000000240000000, Flags 0x00000000, UUID 00000038-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
userdata:            Offset 0x0000000296800000, Length 0x0000000c4dff8000, Flags 0x00000000, UUID 00000039-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
flashinfo:           Offset 0x0000000ee47f8000, Length 0x0000000001000000, Flags 0x00000000, UUID 0000003a-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA

Total disk size:0x0000000ee5819000, sectors:0x0000000000ee5819
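
The GPT listing above is the first thing a readback-only implementation produces, and it is worth checking before trusting it as a map for `mtk r`. The block below is an added example, not mtkclient code: a parser for these `printgpt`-style lines plus two sanity checks (no two partitions overlap, none runs past the reported disk size) and a derivation of the sector size from the two totals. The sample text is a trimmed copy of the table in the post above; `parse_printgpt`, `check_layout`, `sector_size` and `find_partition` are names chosen for the demo.

```python
"""Parse `mtk printgpt`-style partition lines and sanity-check the layout.

Added example, not part of mtkclient. The sample text is a trimmed copy of
the GPT table in the post above; the parser and checks are the example's own.
"""
import re
from dataclasses import dataclass

PART_RE = re.compile(
    r"^(?P<name>\S+):\s+Offset 0x(?P<off>[0-9a-fA-F]+), Length 0x(?P<len>[0-9a-fA-F]+),"
    r" Flags 0x(?P<flags>[0-9a-fA-F]+), UUID (?P<uuid>[0-9a-fA-F-]+), Type (?P<ptype>\S+)$"
)
TOTAL_RE = re.compile(
    r"^Total disk size:0x(?P<size>[0-9a-fA-F]+), sectors:0x(?P<sectors>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class Partition:
    name: str
    offset: int
    length: int
    flags: int
    uuid: str
    ptype: str

    @property
    def end(self) -> int:
        """First byte after the partition."""
        return self.offset + self.length


def parse_printgpt(text: str) -> tuple[list[Partition], int, int]:
    """Return (partitions, total disk size in bytes, sector count)."""
    parts: list[Partition] = []
    disk_size = sectors = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PART_RE.match(line)
        if m:
            parts.append(Partition(m["name"], int(m["off"], 16), int(m["len"], 16),
                                   int(m["flags"], 16), m["uuid"], m["ptype"]))
            continue
        t = TOTAL_RE.match(line)
        if t:
            disk_size, sectors = int(t["size"], 16), int(t["sectors"], 16)
    if disk_size is None or sectors is None:
        raise ValueError("no 'Total disk size' line found")
    return parts, disk_size, sectors


def sector_size(disk_size: int, sectors: int) -> int:
    """Derive the sector size; the two totals must divide evenly."""
    if sectors == 0 or disk_size % sectors:
        raise ValueError("disk size is not a whole number of sectors")
    return disk_size // sectors


def check_layout(parts: list[Partition], disk_size: int) -> list[str]:
    """Report overlapping partitions and partitions that run past the disk.
    Gaps are allowed: the secondary GPT lives after the last partition."""
    problems: list[str] = []
    ordered = sorted(parts, key=lambda p: p.offset)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.offset < prev.end:
            problems.append(f"overlap: {prev.name} ends at {prev.end:#x}, "
                            f"{cur.name} starts at {cur.offset:#x}")
    for p in ordered:
        if p.end > disk_size:
            problems.append(f"out of range: {p.name} ends at {p.end:#x} "
                            f"beyond disk size {disk_size:#x}")
    return problems


def find_partition(parts: list[Partition], name: str) -> Partition:
    """Look up a partition by name, e.g. before reading back 'seccfg'."""
    for p in parts:
        if p.name == name:
            return p
    raise KeyError(name)


# Trimmed copy of the table printed above (constructed sample input).
SAMPLE = """GPT Table:
-------------
proinfo:             Offset 0x0000000000008000, Length 0x0000000000300000, Flags 0x00000000, UUID 00000000-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
misc:                Offset 0x0000000000308000, Length 0x0000000000080000, Flags 0x00000000, UUID 00000001-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
seccfg:              Offset 0x0000000017800000, Length 0x0000000000800000, Flags 0x00000000, UUID 00000011-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
super:               Offset 0x0000000056800000, Length 0x0000000240000000, Flags 0x00000000, UUID 00000038-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
userdata:            Offset 0x0000000296800000, Length 0x0000000c4dff8000, Flags 0x00000000, UUID 00000039-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA
flashinfo:           Offset 0x0000000ee47f8000, Length 0x0000000001000000, Flags 0x00000000, UUID 0000003a-39c2-4488-b09b-00cb43c9ccd4, Type EFI_BASIC_DATA

Total disk size:0x0000000ee5819000, sectors:0x0000000000ee5819
"""

if __name__ == "__main__":
    parts, size, sectors = parse_printgpt(SAMPLE)
    print(f"{len(parts)} partitions, sector size {sector_size(size, sectors)}")
    print("problems:", check_layout(parts, size) or "none")
```

On the table above the checks come back clean: `super` ends exactly where `userdata` begins, `userdata` ends exactly where `flashinfo` begins, and the two totals divide to a 4096-byte sector, which is what you want to confirm before computing readback offsets from this listing.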

Yukiihana commented 1 year ago

After the implementation is done, can we use mtk client with the G99 and flash full firmware?

bkerler commented 1 year ago

When it's fully finished, then yes, but only for unfused devices or if the da does exist and has no remote auth. Right now only reading is working.

ryenyuku commented 1 year ago

> When it's fully finished, then yes, but only for unfused devices or if the da does exist and has no remote auth. Right now only reading is working.

I have DAA enabled, does that mean it will not work for my device for now?

Shirayuki39 commented 1 year ago

How do I know if my device uses remote auth?

derfi85 commented 1 year ago

> When it's fully finished, then yes, but only for unfused devices or if the da does exist and has no remote auth. Right now only reading is working.

When can we expect a full bypass?

hopez13 commented 1 year ago

> When it's fully finished, then yes, but only for unfused devices or if the da does exist and has no remote auth. Right now only reading is working.

Does carbonara work on MT6789?

Shirayuki39 commented 1 year ago

> When it's fully finished, then yes, but only for unfused devices or if the da does exist and has no remote auth. Right now only reading is working.
>
> Does carbonara work on MT6789?

Nope, tried it on my phone

Arsetha commented 1 year ago

> When it's fully finished, then yes, but only for unfused devices or if the da does exist and has no remote auth. Right now only reading is working.
>
> Does carbonara work on MT6789?

Not yet, I tried yesterday but realized it's not added yet

bkerler commented 1 year ago

No idea what @LordDemecrius83 tested, but it wasn't carbonara for sure, as carbonara is only served in local restaurants. First things first ... fully implementing the v6 protocol will take its time. Once everything is understood, I can start searching for new vulnerabilities. Don't expect any solution in the next weeks (or even months maybe).

And for you guys from Mediatek, Oppo and other vendors closely monitoring this github (yes, I know you do!): Instead of wasting resources, why not make the life of smartphone owners easier? Just give them the right to FULLY unlock (bootloader, not SIM) and unbrick the devices WITHOUT remote account, and just provide the flashing tools.

ryenyuku commented 1 year ago

> And for you guys from Mediatek, Oppo and other vendors closely monitoring this github (yes, I know you do!): Instead of wasting resources, why not make the life of smartphone owners easier? Just give them the right to FULLY unlock (bootloader, not SIM) and unbrick the devices WITHOUT remote account, and just provide the flashing tools.

Agree, and I just don't like how Mediatek phones can't boot straight into the bootloader's fastboot mode without loading the boot kernel, like phones from other vendors can

Shirayuki39 commented 1 year ago

> No idea what @LordDemecrius83 tested, but it wasn't carbonara for sure, as carbonara is only served in local restaurants. First things first ... fully implementing the v6 protocol will take its time. Once everything is understood, I can start searching for new vulnerabilities. Don't expect any solution in the next weeks (or even months maybe).
>
> And for you guys from Mediatek, Oppo and other vendors closely monitoring this github (yes, I know you do!): Instead of wasting resources, why not make the life of smartphone owners easier? Just give them the right to FULLY unlock (bootloader, not SIM) and unbrick the devices WITHOUT remote account, and just provide the flashing tools.

Nah, I thought it was added already; I later realized it wasn't added yet

hopez13 commented 1 year ago

https://github.com/bkerler/mtkclient/blob/b63c933c24cbc4058ad584f72c54ec119066549a/mtkclient/Library/pltools.py#L58 👀

danielml3 commented 1 year ago

> since then the device is in a bootloop; it's a GKI-enabled device with no dedicated recovery partition and fastboot is also gone

Average mediatek device after doing anything

drodge1 commented 1 year ago

Did you manage to add the Poco M5?

BorneQuantique commented 1 year ago

> The MT6789 da has a completely different command structure using xml commands. In order to support the mt6789 DA, please try to use sp flash v6 for reading back data and try to sniff the usb connection (for example using wireshark) and upload the pcapng over here.

Hello and best regards.

I want to thank you for your great work and support to the community.

I have an Infinix Note 12 Pro 4G MT6789 X676B. When will the Auth Bypass for MT6789 be available? I prefer to donate to you for your work and not to buy ctm2 software etc.

Thank you for your contribution to the community. Good luck.

hopez13 commented 1 year ago

rg @bkerler by auth did you mean the auth_sv5.auth file from the device firmware?

bkerler commented 1 year ago

If only daa is active, then yes. If remote auth is active you're out of luck. Also I saw that some vendors block writing partitions.

hopez13 commented 1 year ago

> If only daa is active, then yes. If remote auth is active you're out of luck. Also I saw that some vendors block writing partitions.

and if SBC and SLA are enabled along with DAA, then do we have to wait for another exploit?

Shakib-BD commented 1 year ago

My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now.

Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(

jesushrek commented 1 year ago

> My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now.
>
> Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(

💀 take it to a service center

oops00 commented 1 year ago

do I need any help with 6789? Contacts (telegram): @keshkaTG

Shakib-BD commented 1 year ago

> My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now. Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(
>
> 💀 take it to a service center

Can't, because the Redmi 11 Prime 4G is unofficial here. They're not accepting my device; I even said that I will pay for it, but they don't want to.

jesushrek commented 1 year ago

> My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now. Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(
>
> 💀 take it to a service center
>
> Can't, because the Redmi 11 Prime 4G is unofficial here. They're not accepting my device; I even said that I will pay for it, but they don't want to.

Congratulations, you just unlocked an expensive paperweight

hopez13 commented 1 year ago

> No idea what @LordDemecrius83 tested, but it wasn't carbonara for sure, as carbonara is only served in local restaurants. First things first ... fully implementing the v6 protocol will take its time. Once everything is understood, I can start searching for new vulnerabilities. Don't expect any solution in the next weeks (or even months maybe).
>
> And for you guys from Mediatek, Oppo and other vendors closely monitoring this github (yes, I know you do!): Instead of wasting resources, why not make the life of smartphone owners easier? Just give them the right to FULLY unlock (bootloader, not SIM) and unbrick the devices WITHOUT remote account, and just provide the flashing tools.

@bkerler won't it be better to push a minimal v6 implementation to GitHub, with support only for reading partitions (mtk r), for early testing?

Shakib-BD commented 1 year ago

> My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now. Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(
>
> 💀 take it to a service center
>
> Can't, because the Redmi 11 Prime 4G is unofficial here. They're not accepting my device; I even said that I will pay for it, but they don't want to.
>
> Congratulations, you just unlocked an expensive paperweight

Don't joke man. I'm dead inside. 50% alive.

Shinwa69 commented 1 year ago

> My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now. Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(
>
> 💀 take it to a service center
>
> Can't, because the Redmi 11 Prime 4G is unofficial here. They're not accepting my device; I even said that I will pay for it, but they don't want to.
>
> Congratulations, you just unlocked an expensive paperweight
>
> Don't joke man. I'm dead inside. 50% alive.

All of us that have an MT6789 or another patched-BROM device are dead inside and have an expensive paperweight, or it might as well be used as a glorified mirror. Lmao

hopez13 commented 1 year ago

mt6789 device with SBC SLA DAA enabled 😭

hopez13 commented 1 year ago

SLA (Serial Link Authorization), if enabled, won't allow loading a DA (download agent) if we are not authorised

without loading DA we can't flash partitions

Shakib-BD commented 1 year ago

> SLA (Serial Link Authorization), if enabled, won't allow loading a DA (download agent) if we are not authorised
>
> without loading DA we can't flash partitions

So, can we flash our MT6789 using a Mi authorized account?

Arsetha commented 1 year ago

> My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now. Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(
>
> 💀 take it to a service center
>
> Can't, because the Redmi 11 Prime 4G is unofficial here. They're not accepting my device; I even said that I will pay for it, but they don't want to.
>
> Congratulations, you just unlocked an expensive paperweight
>
> Don't joke man. I'm dead inside. 50% alive.
>
> All of us that have an MT6789 or another patched-BROM device are dead inside and have an expensive paperweight, or it might as well be used as a glorified mirror. Lmao

Tecno / Infinix users are lucky, as Android Multi Tool supports MT6789

ryenyuku commented 1 year ago

> My Redmi 11 Prime 4G (MT6789) is gone. I flashed a custom ROM and was using it peacefully. But I decided to mod stock MIUI v14.0.3.0: I deleted some unnecessary apps and files from system, Product, system_ext and converted it to dat.br. After that I provided a modified cust.img (cust was from the previous version 14.0.2.0) and vbmeta.img (from the latest 14.0.3.0) in that zip to make a flashable zip in TWRP. The flash succeeded, but after booting to system it was looping in the boot menu; at that time I was able to reboot into fastboot mode using the volume (-) and power buttons, then I used fastboot reboot recovery to boot into TWRP. Then my device was gone. I can't enter fastboot or recovery right now. Any way to unbrick? Or can I hope for support for our SoC in mtkclient? I really need it to unbrick anyway; I don't have any other device to use, I'm in a weird situation. :(
>
> 💀 take it to a service center
>
> Can't, because the Redmi 11 Prime 4G is unofficial here. They're not accepting my device; I even said that I will pay for it, but they don't want to.
>
> Congratulations, you just unlocked an expensive paperweight
>
> Don't joke man. I'm dead inside. 50% alive.
>
> All of us that have an MT6789 or another patched-BROM device are dead inside and have an expensive paperweight, or it might as well be used as a glorified mirror. Lmao
>
> Tecno / Infinix users are lucky, as Android Multi Tool supports MT6789

Hmm, is it? I tried to bypass auth using it, but it was stuck at detecting bootrom on my Infinix Note 30