bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

`mtk printgpt` crashes on Unihertz Jelly Star with `TypeError: 'NoneType' object is not subscriptable` in brom mode, or does nothing when not pressing any hardware button. #809

Closed dreirund closed 1 year ago

dreirund commented 1 year ago

Ahoj,

I have a Unihertz Jelly Star (SoC: MediaTek MT6789 according to here, CPU: Helio G99).

I have built mtkclient from this git repository using the Arch Linux AUR package here, git commit hash: ad0ed80

When I run `mtk printgpt` and then connect the phone with hardware buttons held down, `mtk` crashes.

Here is the terminal output:

```
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

.......Port - Device detected :)
Preloader -     CPU:            MT6789(MTK Helio G99)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x1208
Preloader - Target config:      0xe0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
Preloader -     Cmd 0xC8 blocked:   True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          D3B6FC97D974258619C228DA8EFD91A6
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from generic_patcher_payload.bin, 0x538 bytes
Exploitation - Kamakiri Run
Traceback (most recent call last):
  File "/usr/bin/mtk", line 855, in <module>
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/mtk_main.py", line 635, in run
    mtk = da_handler.configure_da(mtk, preloader)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/DA/mtk_da_handler.py", line 102, in configure_da
    mtk = mtk.bypass_security()  # Needed for dumping preloader
          ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/mtk_class.py", line 191, in bypass_security
    if plt.runpayload(filename=self.config.payloadfile):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/pltools.py", line 79, in runpayload
    ack = self.exploit.runpayload(payload, ack, addr, dontack)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/Exploit/kamakiri2.py", line 204, in runpayload
    if self.da_payload(payload, addr, True):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/exploit_handler.py", line 80, in da_payload
    if self.exploit(payload, addr):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mtkclient/Library/Exploit/kamakiri2.py", line 65, in exploit
    ptr_send = unpack("<I", self.da_read(self.mtk.config.chipconfig.send_ptr[0][1], 4))[0] + 8
                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
TypeError: 'NoneType' object is not subscriptable
```

When I run `mtk printgpt` and then only connect USB without pressing any hardware button, the `Port - Hint:` outputs of `mtk` stop, but nothing more happens on the terminal.

`mtk logs` in brom mode produces a `log.txt` with the following content:

```
F0: 102B 0000
F3: 1001 0000 [0200]
F3: 1001 0000
F7: 0000 0000
V0: 0000 0000 [0001]
```

Regards!

hopez13 commented 1 year ago

duplicate of #758

dreirund commented 1 year ago

But I still think that in that case it should not crash but exit gracefully with an error message saying that something is not supported, or so.
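
The graceful exit asked for above, sketched as an added example that is not part of this thread and is not mtkclient's code: every chip-table field an operation needs is checked before any device I/O, and a missing one becomes a single "not supported" line with a non-zero exit code. `ChipConfig`, `UnsupportedChipError`, `require_fields`, `read_send_ptr`, `run` and `fake_read` are hypothetical names; only `send_ptr`, its `[0][1]` indexing, the chip name and the hw code come from the output above.

```python
from dataclasses import dataclass
from struct import unpack
from typing import Callable, Optional, Sequence, Tuple

class UnsupportedChipError(Exception):
    """Raised when a chip entry lacks data an operation depends on."""

@dataclass
class ChipConfig:  # hypothetical stand-in for a per-SoC table entry
    name: str
    hwcode: int
    # Sequence of pairs, indexed [0][1] as in the traceback; None if unknown.
    send_ptr: Optional[Sequence[Tuple[int, int]]] = None

def require_fields(cfg: ChipConfig, fields: Sequence[str]) -> None:
    """Check every needed field up front and report all gaps at once."""
    missing = [f for f in fields if not getattr(cfg, f, None)]
    if missing:
        raise UnsupportedChipError(
            f"{cfg.name} (hw code {cfg.hwcode:#x}): no {', '.join(missing)} "
            "in chip config; this operation is not supported on this SoC")

def read_send_ptr(cfg: ChipConfig, da_read: Callable[[int, int], bytes]) -> int:
    """Same expression as the failing line, placed behind the check."""
    require_fields(cfg, ["send_ptr"])
    return unpack("<I", da_read(cfg.send_ptr[0][1], 4))[0] + 8

def run(cfg: ChipConfig, da_read: Callable[[int, int], bytes]) -> int:
    """CLI-style wrapper: one readable line and a non-zero exit code."""
    try:
        read_send_ptr(cfg, da_read)
    except UnsupportedChipError as err:
        print(f"Error: {err}")
        return 1
    return 0

# Constructed inputs: the populated entry and the value returned by the
# fake device read are made up for this example.
def fake_read(addr: int, length: int) -> bytes:
    return (0x1000).to_bytes(length, "little")

mt6789 = ChipConfig("MT6789", 0x1208)                  # send_ptr left unset
known = ChipConfig("EXAMPLE", 0x0, send_ptr=[(0x0, 0x2000)])

if __name__ == "__main__":
    print(run(mt6789, fake_read), run(known, fake_read))
```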