search

bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0
2.33k stars 477 forks source link

Preloader stuck at "Jumping to 0x110000: ok." #782

Open denysvitali opened 9 months ago

denysvitali commented 9 months ago

I'm trying to dump the flash of an MT6592 device:

Preloader -     CPU:            MT6592/MT8392()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x111000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x6592
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0

No matter if I run it in brom or preloader mode, the command:

mtk rf --preloader preloader_aeon6592_wet_l.bin flash.bin

Simply fails by getting stuck at:

DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy
DALegacy - [LIB]: Error on DA sync

As far as I can tell, the device is completely unlocked, so this should work without any particular issue. I was able to dump the brom and preloader without any issues (brom_MT6592_MT8392_6592.bin, preloader_aeon6592_wet_l.bin) - but I don't know if there is anything I can do from my side to solve the problem.

Any pointers are greatly appreciated :)

Full log when loading from preload:

$ mtk rf --preloader preloader_aeon6592_wet_l.bin flash.bin                                                                                                         [14:25:47]
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader -     CPU:            MT6592/MT8392()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x111000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x6592
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode :(
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.

Full log when loading from brom:

Port - Device detected :)
Preloader -     CPU:            MT6592/MT8392()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x111000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x6592
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          C75E97A54F9F0AE151D8D51449982810
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6592_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /usr/lib/python3.11/site-packages/mtkclient/payloads/mt6592_payload.bin
Port - Device detected :)
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy
DALegacy - [LIB]: Error on DA sync
djfergus commented 9 months ago

Hello. I have the exact same issue on the same/similar MT6592 device (mine is a chinese clone tablet branded BDF - faked Android 10 and faked 512GB storage).

Using "MTK_AllInOne_DA_5.1824.bin" I get the same failure above (debug indicates its timing out).

If I delete the 1824 file then it falls back to "MTK_AllInOne_DA_5.1420.bin" and it seems to make it a little further (DA sync but then gets an 0x0 and stops).

I've attached the debug logs. Happy to perform any further commands or testing, let me know.

df@gpdwin2mate:~$ mtk rl out
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

..Port - Device detected :)
Preloader -     CPU:                    MT6592/MT8392()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x111000
Preloader -     CQ_DMA addr:            0x10212000
Preloader -     Var1:                   0xa
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x6592
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode :(
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1420.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028a
DALegacy - Setting stage 2 config ...
DALegacy
DALegacy - [LIB]: OK (0x0)
df@gpdwin2mate:~$

logs1824.txt logs1420.txt

bkerler commented 8 months ago

I don't own any mt65xx device, so I cannot add support. mtkclient is mainly meant to be used with 6580, 67xx and some 68xx. However I could add using a remote session or if someone donates/lends a mt6592 device to me

github-actions[bot] commented 3 days ago

Stale issue message