bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

OPPOR7(MT6752) could not print gpt #832

Closed mouzei closed 8 months ago

mouzei commented 1 year ago

Thank you for your great project!

MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.

.Port - Device detected :)
Preloader - CPU: MT6752()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x6752
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x1
Preloader - ME_ID: 9231134096DAF9575F3E9E50D49D7434
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6752_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: xxx\mtkclient\payloads\mt6752_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext - Legacy DA2 is patched.
legacyext - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028f
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 150100523331424d42014509e0d38241
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy
DALegacy - [LIB]: Unknown emi version: 17
DeviceClass - USBError(5, 'Input/Output Error')
Traceback (most recent call last):
  File "xxx\mtkclient\mtk", line 855, in <module>
    mtk = Main(args).run(parser)
  File "xxx\mtkclient\Library\mtk_main.py", line 635, in run
    mtk = da_handler.configure_da(mtk, preloader)
  File "xxx\mtkclient\Library\DA\mtk_da_handler.py", line 119, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
  File "xxx\mtkclient\Library\DA\mtk_daloader.py", line 240, in upload_da
    return self.da.upload_da()
  File "xxx\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 688, in upload_da
    if self.upload_da1():
  File "xxx\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 543, in upload_da1
    if self.set_stage2_config(self.config.hwcode):
  File "xxx\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 357, in set_stage2_config
    checksum = unpack(">H", self.usbread(2))[0]  # 0x440C
struct.error: unpack requires a buffer of 2 bytes

bkerler commented 10 months ago

Can you please try the latest release 2.0?

mouzei commented 10 months ago

> Can you please try the latest release 2.0?

Thank you for your reply, but 2.0.0 Beta still cannot run properly.

....Port - Device detected :)
Preloader - CPU: MT6752()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x6752
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x1
Preloader - ME_ID: XXX
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6752_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: D:\XXX\mtkclient\payloads\mt6752_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
Successfully extracted preloader for this device to: preloader_oppo6752_15011.bin
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
legacyext - Legacy DA2 is patched.
legacyext - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028f
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 150100523331424d42014509e0d38241
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy
DALegacy - [LIB]: Unknown emi version: 17
DeviceClass - USBError(5, 'Input/Output Error')
Traceback (most recent call last):
  File "D:\XXX\mtkclient\mtk", line 949, in <module>
    mtk = Main(args).run(parser)
  File "D:\XXX\mtkclient\Library\mtk_main.py", line 652, in run
    mtk = da_handler.configure_da(mtk, preloader)
  File "D:\XXX\mtkclient\Library\DA\mtk_da_handler.py", line 130, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
  File "D:\XXX\mtkclient\Library\DA\mtk_daloader.py", line 293, in upload_da
    return self.da.upload_da()
  File "D:\XXX\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 741, in upload_da
    if self.upload_da1():
  File "D:\XXX\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 597, in upload_da1
    if self.set_stage2_config(self.config.hwcode):
  File "D:\XXX\mtkclient\Library\DA\legacy\dalegacy_lib.py", line 372, in set_stage2_config
    checksum = unpack(">H", self.usbread(2))[0]  # 0x440C
struct.error: unpack requires a buffer of 2 bytes
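
Both tracebacks above end in `struct.error` because the 2-byte checksum read that follows the logged `USBError` came back short, which hides the transport failure behind an unpacking error. As an added example (not mtkclient's code; `read_exact`, `read_u16_be`, `ShortReadError` and the constructed `make_reader` transport are hypothetical names), a length-checked read reports the real condition instead:

```python
import struct


class ShortReadError(IOError):
    """Raised when the device delivers fewer bytes than a protocol field needs."""


def naive_u16_be(read_fn):
    """Pattern from the traceback: a short read surfaces as struct.error."""
    return struct.unpack(">H", read_fn(2))[0]


def read_exact(read_fn, size, what, max_empty_reads=3):
    """Collect exactly `size` bytes from read_fn(n) or raise ShortReadError.

    read_fn is a hypothetical stand-in for a transport read such as the
    usbread() seen in the traceback; it may return fewer bytes than asked.
    """
    buf = bytearray()
    empty = 0
    while len(buf) < size:
        chunk = read_fn(size - len(buf))
        if not chunk:
            empty += 1
            if empty >= max_empty_reads:
                got = bytes(buf).hex() or "nothing"
                raise ShortReadError(
                    f"{what}: expected {size} bytes, got {len(buf)} ({got})")
            continue
        empty = 0
        buf += chunk
    return bytes(buf)


def read_u16_be(read_fn, what):
    """Read one big-endian 16-bit field, as unpack('>H', ...) does in the log."""
    return struct.unpack(">H", read_exact(read_fn, 2, what))[0]


def make_reader(chunks):
    """Constructed test transport: hands out the given chunks, then b''."""
    pending = list(chunks)
    return lambda n: pending.pop(0)[:n] if pending else b""
```
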

mouzei commented 8 months ago

The version updated last week still hasn't solved this problem. It gets stuck at this step: DALegacy - [LIB]: Unknown emi version: 17

bkerler commented 8 months ago

Please try latest commit e33a28d

mouzei commented 8 months ago

preloader_oppo6752_15011.zip

I tried e33a28d:

.....Port - Device detected :)
Preloader - CPU: MT6752()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x6752
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x1
Preloader - ME_ID: xxx
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6752_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: D:\xxx\mtkclient\payloads\mt6752_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
legacyext - Legacy DA2 is patched.
legacyext - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x110000
Preloader - Jumping to 0x110000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028f
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 150100523331424d42014509e0d38241
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy - RAM-Length: 0xb0
DALegacy - Checksum: 4F72
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0xc0000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DALegacy - Waiting for reconnection
DALegacy - Waiting for reconnection
DALegacy - Waiting for reconnection
DALegacy - Waiting for reconnection

Then the device rebooted into "MediaTek DA USB VCOM (Android)" and could not reconnect.

mouzei commented 8 months ago

I used --noreconnect and successfully printed the gpt. Thank you!