bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

I think it worked? Helio P35/G35 #791

Closed ZakitheBig closed 3 months ago

ZakitheBig commented 12 months ago

I think everything is working correctly, but the bootloader is still locked

..........Port - Device detected :)
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: BA5010BBFF8CBCBFEE2ED3E14556D03B
Preloader - SOC_ID: 20F07F012BE885C972677C8A23557AD67E650269DD5438CCE146D2467D976E50
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/isaac/mtkclient/mtkclient/payloads/mt6765_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
Successfully extracted preloader for this device to: preloader_malta.bin
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2228.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: 4X6KMB
DAXFlash - EMMC CID: 1501003458364b4d4203bb80bab64823
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x400000
DAXFlash - EMMC USER Size: 0x747c00000
DAXFlash - HW-CODE : 0x766
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
xflashext - Detected V4 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Done
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.03 MB/s
DA_handler - Successfully wrote seccfg.

preloader_malta.zip

Thanwisut commented 12 months ago

What is your model, bro? I use an Oppo A15 and have the MTK P35. I want to try this; does this really work? 🙏

RohitSurwase commented 12 months ago

@ZakitheBig I think I have a similar device too; is this a Samsung Galaxy Tab A7 Lite?

MinGW32-2006 commented 12 months ago

I have an OPPO A55 with Dimensity 700 (MT6833), and have the same problem. Is there any solution?

Thanwisut commented 11 months ago

Bro, it works for me. My device is the Oppo A15 (MT6765). I unlocked the bootloader and rooted; you should try it yourself, bro.

xxroot commented 10 months ago

I have an OPPO A55 with Dimensity 700 (MT6833) and have the same problem. Is there any solution?

I also encountered this problem: after unlocking, the device lights up the screen for 1 second and then restarts, and the BL is re-locked. The problem is in the security partition; I have solved it.

asdv3424 commented 9 months ago

I have a Redmi Note 10 5G with the same problem.

CastorDYvaine commented 4 months ago

I have this same issue with a Motorola E7 (malta64). I can successfully "unlock" the bootloader, and if I try running the command a second time in the same session it returns:

MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

DAXFlash - HW-CODE         : 0x766
DAXFlash - HWSUB-CODE      : 0x8A00
DAXFlash - HW-VERSION      : 0xCA00
DAXFlash - SW-VERSION      : 0x0
DAXFlash - CHIP-EVOLUTION  : 0x0
DAXFlash - DA-VERSION      : 1.0
xflashext - Detected V4 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
DA_handler
DA_handler - [LIB]: Device is already unlocked

However, when I reboot there is no bootloader message about Orange State, and if I try to unlock again it gives the "100.0% Write (Sector 0x1 of 0x1, ) 0.03 MB/s" / "DA_handler - Successfully wrote seccfg." output instead of "Device is already unlocked".

MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

..Port - Device detected :)
Preloader -     CPU:            MT6765/MT8768t(Helio P35/G35)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0x25
Preloader - Disabling Watchdog...
Preloader - HW code:            0x766
Preloader - Target config:      0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
Preloader -     Cmd 0xC8 blocked:   True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          4D54BF49D45E24F6B377EC736DA9B1DB
Preloader - SOC_ID:         E4E0169375A42B79663F68F2B0E649A68C4591D7129885FCE3AD4A0DE34A5DB5
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/user/phone/mtkclient/mtkclient/payloads/mt6765_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2228.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 13014e47314a3952
DAXFlash - No preloader given. Searching for preloader
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Detected working preloader: /home/chris/phone/mtkclient/mtkclient/Loader/Preloader/preloader_ke5k.bin
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         G1J9R8
DAXFlash - EMMC CID:        13014e47314a395238100f3ee7a028cb
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x1000000
DAXFlash - EMMC USER Size:  0xe8f800000
DAXFlash - HW-CODE         : 0x766
DAXFlash - HWSUB-CODE      : 0x8A00
DAXFlash - HW-VERSION      : 0xCA00
DAXFlash - SW-VERSION      : 0x0
DAXFlash - CHIP-EVOLUTION  : 0x0
DAXFlash - DA-VERSION      : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
xflashext - Detected V4 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1 of 0x1, ) 0.03 MB/s
DA_handler - Successfully wrote seccfg.

What I notice is that it is writing to sector 0x1 of 0x1; I feel it may be an incorrect memory address at fault, so mtkclient is just overwriting some of the partition white-space. This also affects other kinds of devices, as can be seen in some of the other GitHub issues.

I have tried using the default DA loader and the one provided by the Lenovo RSA tool for this device (See attached zip). Tools.zip

Any help would be appreciated. Thanks.
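Editor's note with an added example (not code from the mtkclient project or from any commenter). The log lines "xflashext - Detected V4 Lockstate", the two SEJ "HACC init/run/terminate" rounds and "Successfully wrote seccfg" describe one operation: mtkclient builds a version-4 seccfg structure, encrypts its trailing hash with the device's hardware crypto engine (SEJ/HACC), and writes the result to the seccfg partition. A V4 seccfg is 0x3C bytes (seven little-endian dwords followed by a 32-byte hash), so it fits in a single 512-byte eMMC sector and "Write (Sector 0x1 of 0x1)" is the expected size of that write, not by itself evidence of a wrong address. The check that actually distinguishes "write landed but was rejected/reverted" from "write never landed" is to read the partition back after the unlock and again after the reboot and decode the lock_state field. The script below does that decoding; the layout constants and lock-state codes are my reading of mtkclient's seccfg parser (assumption: confirm them against the checkout you run), and the script name seccfg_check.py is hypothetical. It cannot verify the hash, because that value is encrypted with a per-device key inside the SoC; a plaintext lock_state of LKS_UNLOCK is therefore necessary for an unlocked boot but not sufficient.

```python
"""seccfg_check.py: decode a dumped MediaTek V4 seccfg sector and report its lock state.

Dump the partition with mtkclient first, e.g.:
    python mtk r seccfg seccfg.bin
then:
    python seccfg_check.py seccfg.bin
Run with no argument to decode a constructed locked sample.
"""
import struct

# V4 seccfg layout as used by mtkclient's seccfg parser (assumption: verify
# against the mtkclient checkout you are using).
SECCFG_MAGIC = 0x4D4D4D4D
SECCFG_ENDFLAG = 0x45454545
SECCFG_VERSION = 4
SECCFG_V4_SIZE = 0x3C       # 7 dwords (28 bytes) + 32-byte hash
SECTOR_SIZE = 0x200         # one eMMC sector holds the whole structure

# Lock-state codes (assumption, same source). LKS_UNLOCK is what an unlocked
# bootloader expects to find; 1/2 are the factory-locked defaults.
LKS_DEFAULT, LKS_MP_DEFAULT, LKS_UNLOCK, LKS_LOCK, LKS_VERIFIED, LKS_CUSTOM = range(1, 7)
LOCK_STATE_NAMES = {
    LKS_DEFAULT: "LKS_DEFAULT", LKS_MP_DEFAULT: "LKS_MP_DEFAULT",
    LKS_UNLOCK: "LKS_UNLOCK", LKS_LOCK: "LKS_LOCK",
    LKS_VERIFIED: "LKS_VERIFIED", LKS_CUSTOM: "LKS_CUSTOM",
}


def build_seccfg_v4(lock_state, critical_lock_state, sboot_runtime=0, hash_=b"\x00" * 32):
    """Build one sector holding a V4 seccfg (constructed test data; the hash is a
    placeholder, the real one is SEJ-encrypted on the device)."""
    assert len(hash_) == 32
    header = struct.pack("<7I", SECCFG_MAGIC, SECCFG_VERSION, SECCFG_V4_SIZE,
                         lock_state, critical_lock_state, sboot_runtime, SECCFG_ENDFLAG)
    return (header + hash_).ljust(SECTOR_SIZE, b"\x00")


def parse_seccfg_v4(data):
    """Decode the plaintext fields; raise ValueError if the bytes are not a V4 seccfg."""
    if len(data) < SECCFG_V4_SIZE:
        raise ValueError("short read: %d bytes, need %d" % (len(data), SECCFG_V4_SIZE))
    head = data[:SECCFG_V4_SIZE]
    if head in (b"\x00" * SECCFG_V4_SIZE, b"\xff" * SECCFG_V4_SIZE):
        raise ValueError("seccfg area is blank (all 0x00/0xFF): nothing was written here")
    magic, ver, size, lock, crit, sboot_rt, endflag = struct.unpack_from("<7I", data, 0)
    if magic != SECCFG_MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    if ver != SECCFG_VERSION:
        raise ValueError("unexpected seccfg version %d (only V4 handled here)" % ver)
    if endflag != SECCFG_ENDFLAG:
        raise ValueError("bad endflag 0x%08X" % endflag)
    return {
        "version": ver,
        "size": size,
        "lock_state": lock,
        "lock_state_name": LOCK_STATE_NAMES.get(lock, "unknown(0x%X)" % lock),
        "critical_lock_state": crit,
        "sboot_runtime": sboot_rt,
        "hash": data[28:28 + 32],   # opaque: SEJ-encrypted, cannot be checked offline
    }


def is_unlocked(cfg):
    return cfg["lock_state"] == LKS_UNLOCK


def check_seccfg_dump(data):
    """Return (verdict, detail) for a dump read back after 'Successfully wrote seccfg'."""
    try:
        cfg = parse_seccfg_v4(data)
    except ValueError as err:
        return "INVALID", str(err)
    verdict = "UNLOCKED" if is_unlocked(cfg) else "LOCKED"
    detail = "lock_state=%s critical_lock_state=%d sboot_runtime=%d" % (
        cfg["lock_state_name"], cfg["critical_lock_state"], cfg["sboot_runtime"])
    return verdict, detail


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed sample: a factory-locked V4 seccfg.
        blob = build_seccfg_v4(LKS_DEFAULT, LKS_DEFAULT)
    print("%s: %s" % check_seccfg_dump(blob))
```

Read the partition once right after "Successfully wrote seccfg" (same session, before rebooting) and once after the reboot. "UNLOCKED" then "LOCKED" means the write landed and the bootloader reverted it, which is the re-lock behaviour described earlier in this thread and points at the hash or the loader rather than the write address; "LOCKED" or "INVALID" on the first read means the write did not reach the partition at all.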