bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

LG K4 2016 bootloader unlocking failure (MT6735M) #762

Closed markussbk closed 1 month ago

markussbk commented 1 year ago

Hello, I am making a new issue; originally @brunothedev posted a comment afterwards in this issue https://github.com/bkerler/mtkclient/issues/698#issuecomment-1632482136, which I am now also experiencing. It would be awesome if it were possible to solve this problem and unlock the bootloader, so further development on getting mainline Linux running on this phone could continue.

user@user-Standard-PC-Q35-ICH9-2009:~/mtkclient$ python3 mtk e metadata,userdata,md_udc ; python3 mtk da seccfg unlock ; python3 mtk reset
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

Port - Device detected :)
Preloader -     CPU:            MT6737M/MT6735G()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10212000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10217c00
Preloader -     Var1:           0x28
Preloader - Disabling Watchdog...
Preloader - HW code:            0x335
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          150FAA6F180E661DB9D8C3EB4E8E9276
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6737_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/user/mtkclient/mtkclient/payloads/mt6737_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.2228.bin
legacyext - Legacy DA2 is patched.
legacyext - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04029b
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 460001154d323237e6950042e38820c2
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 505E
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x40000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DeviceClass - [Errno 2] Entity not found
DALegacy - Connected to stage2 with higher speed
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x40000000
randomid = 0x5C27005F01AB6413B27D3CC25822B0F

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x80000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x1d2000000
m_emmc_cid = 3732324d15010046c22013e3420095e6
m_emmc_fwver = 0000000000000000

DA_handler
DA_handler - [LIB]: Error: Couldn't detect partition: metadata
Available partitions:
DA_handler - proinfo
DA_handler - misc2
DA_handler - ftm
DA_handler - nvram
DA_handler - protect1
DA_handler - protect2
DA_handler - lk
DA_handler - lkbak
DA_handler - laf
DA_handler - para
DA_handler - boot
DA_handler - recovery
DA_handler - logo
DA_handler - lo_bak_go
DA_handler - expdb
DA_handler - seccfg
DA_handler - oemkeystore
DA_handler - secro
DA_handler - keystore
DA_handler - tee1
DA_handler - tee2
DA_handler - eksst
DA_handler - encrypt
DA_handler - persist_lg
DA_handler - mpt
DA_handler - persistent
DA_handler - lgfota
DA_handler - cust
DA_handler - rct
DA_handler - factory
DA_handler - persist
DA_handler - efuse
DA_handler - nvdata
DA_handler - system
DA_handler - cache
DA_handler - userdata
DA_handler - flashinfo
Formatted sector 6258688 with sector count 8977408.
DA_handler
DA_handler - [LIB]: Error: Couldn't detect partition: md_udc
Available partitions:
DA_handler - proinfo
DA_handler - misc2
DA_handler - ftm
DA_handler - nvram
DA_handler - protect1
DA_handler - protect2
DA_handler - lk
DA_handler - lkbak
DA_handler - laf
DA_handler - para
DA_handler - boot
DA_handler - recovery
DA_handler - logo
DA_handler - lo_bak_go
DA_handler - expdb
DA_handler - seccfg
DA_handler - oemkeystore
DA_handler - secro
DA_handler - keystore
DA_handler - tee1
DA_handler - tee2
DA_handler - eksst
DA_handler - encrypt
DA_handler - persist_lg
DA_handler - mpt
DA_handler - persistent
DA_handler - lgfota
DA_handler - cust
DA_handler - rct
DA_handler - factory
DA_handler - persist
DA_handler - efuse
DA_handler - nvdata
DA_handler - system
DA_handler - cache
DA_handler - userdata
DA_handler - flashinfo
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

legacyext - Detected V3 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
DA_handler
DA_handler - [LIB]: Can't find unlock state, current (0x44444444)
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Reset command was sent. Disconnect usb cable to power off.
user@user-Standard-PC-Q35-ICH9-2009:~/mtkclient$

brunothedev commented 1 year ago

I can say that this issue replicates on my machine (OpenSUSE Tumbleweed).

commonuserlol commented 1 year ago

Almost the same, but in my case it shows that results may be wrong and bricks the phone.

bkerler commented 3 months ago

If you can provide seccfg and the preloader, I can have a look.

github-actions[bot] commented 1 month ago

Stale issue message