bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Lenovo A7600-F fails to find partitions #840

Closed stevenvandenbrandenstift closed 2 months ago

stevenvandenbrandenstift commented 10 months ago

python mtk e metadata,userdata,md_udc --debugmode

DA_handler - [LIB]: Error: Couldn't detect partition: metadata Available partitions:

See full debuglog attached.

log.txt

Note that when I use the Ubuntu image with the tools I got another error (usb overflow), so I retested the tools on Fedora 39 and that seems to work better.

When I tried the mtk gui it also gets an empty list when trying to get the partitions.

The goal is to be able to unlock the bootloader.

bkerler commented 9 months ago

Please try if this fixes your issue: a9f2223

stevenvandenbrandenstift commented 9 months ago

The tool ran without issues, so I believe it worked fine: python mtk da seccfg unlock

gave this output. Is this correct? Also: python mtk e metadata,userdata,md_udc --debugmode ran without issues now.

[steven@frozenpc mtkclient]$ python mtk da seccfg unlock
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

.Port - Device detected :)
Preloader -     CPU:            MT6582/MT6574/MT8382()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x6582
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca01
Preloader -     SW Ver:         0x1
DA_handler - Device is unprotected.
DA_handler - Device is in Preloader-Mode :(
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 040287
DALegacy - Setting stage 2 config ...
DALegacy
DALegacy - [LIB]: OK (0x0)

stevenvandenbrandenstift commented 9 months ago

python mtk printgpt -> gives the same output, should it not give a partition layout? Just trying to understand what the correct behaviour should be.

stevenvandenbrandenstift commented 9 months ago

OK, it seems I had to press all the buttons, then it starts in brom mode. It suggests: Error reading gpt, please read whole flash using "mtk rf flash.bin". -> This command is now running and dumping flash, I will retry the unlocking in the same way afterwards.

bkerler commented 9 months ago

If the device has no gpt, then printgpt won't work. Most probably the partition table is a PMT or BMT table at the very end of the flash.
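
Added example, not part of the original thread and not mtkclient's own code: one way to check whether a flash dump (such as the flash.bin mentioned above) carries a valid primary GPT header, returning None when it does not so the caller can branch instead of dereferencing a missing table. The function names are hypothetical, the header layout is the 92-byte one from the UEFI specification, and the sample images are constructed.

```python
import struct
import zlib

GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte primary header (UEFI spec)
GPT_HEADER_LEN = struct.calcsize(GPT_HEADER_FMT)

def find_gpt_header(image, sector_sizes=(512, 4096)):
    """Return parsed primary GPT header fields, or None if no valid GPT is found."""
    for sector in sector_sizes:
        raw = image[sector:sector + GPT_HEADER_LEN]   # primary header sits at LBA 1
        if len(raw) < GPT_HEADER_LEN or not raw.startswith(GPT_SIGNATURE):
            continue
        (_, _, hdr_size, hdr_crc, _, my_lba, _, _, _, _,
         entries_lba, num_entries, entry_size, _) = struct.unpack(GPT_HEADER_FMT, raw)
        if hdr_size < GPT_HEADER_LEN or sector + hdr_size > len(image):
            continue
        # The header CRC32 is computed with the CRC field itself zeroed.
        hdr = bytearray(image[sector:sector + hdr_size])
        hdr[16:20] = b"\x00" * 4
        if zlib.crc32(bytes(hdr)) & 0xFFFFFFFF != hdr_crc or my_lba != 1:
            continue
        return {"sector_size": sector, "entries_lba": entries_lba,
                "num_entries": num_entries, "entry_size": entry_size}
    return None

def describe_layout(image):
    """Report the layout, handling the no-GPT case explicitly."""
    gpt = find_gpt_header(image)
    if gpt is None:
        return "no GPT: look for a vendor table (PMT/BMT) instead"
    return "GPT: %d entries of %d bytes at LBA %d" % (
        gpt["num_entries"], gpt["entry_size"], gpt["entries_lba"])

def build_sample_gpt_image(sector=512):
    """Constructed sample: an empty LBA 0 followed by a minimal valid GPT header."""
    fields = [GPT_SIGNATURE, 0x00010000, GPT_HEADER_LEN, 0, 0, 1, 2047, 34, 2014,
              bytes(16), 2, 128, 128, 0]
    hdr = struct.pack(GPT_HEADER_FMT, *fields)
    fields[3] = zlib.crc32(hdr) & 0xFFFFFFFF      # fill in the header CRC
    hdr = struct.pack(GPT_HEADER_FMT, *fields)
    return bytes(sector) + hdr + bytes(sector - len(hdr))

if __name__ == "__main__":
    print(describe_layout(build_sample_gpt_image()))   # constructed GPT image
    print(describe_layout(bytes(4096)))                # constructed dump without GPT
```
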

stevenvandenbrandenstift commented 9 months ago

python mtk da seccfg unlock -> Why does this command then try gpt? Do I need another mode to unlock or?

...Port - Device detected :)
Preloader -     CPU:            MT6582/MT6574/MT8382()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     Var1:           0xa
Preloader - Disabling Watchdog...
Preloader - HW code:            0x6582
Preloader - Target config:      0x0
Preloader -     SBC enabled:        False
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca01
Preloader -     SW Ver:         0x1
Preloader - ME_ID:          D7EE4702336B9E8E9171BA4756C63241
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6582_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/steven/mtkclient/mtkclient/payloads/mt6582_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.1824.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 040287
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 1501004b3858564d4201f76cd04362b3
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 147B
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x40000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DeviceClass - [Errno 2] Entity not found
DALegacy - Connected to stage2 with higher speed
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x40000000
randomid = 0xFE92419C02E4F5C67E712EA0395DBF5B

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x3a3e00000
m_emmc_cid = 3858564d1501004bd04362b34201f76c
m_emmc_fwver = 0100000000000000

Traceback (most recent call last):
  File "/home/steven/mtkclient/mtk", line 855, in <module>
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/steven/mtkclient/mtkclient/Library/mtk_main.py", line 637, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "/home/steven/mtkclient/mtkclient/Library/DA/mtk_da_handler.py", line 766, in handle_da_cmds
    v = mtk.daloader.seccfg(args.flag)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/steven/mtkclient/mtkclient/Library/DA/mtk_daloader.py", line 290, in seccfg
    return self.lft.seccfg(lockflag)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/steven/mtkclient/mtkclient/Library/DA/legacy/extension/legacy.py", line 169, in seccfg
    for rpartition in guid_gpt.partentries:
                      ^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'partentries'

stevenvandenbrandenstift commented 9 months ago

Is there an IRC/Matrix room for chat for help?

stevenvandenbrandenstift commented 9 months ago

Is there anything I can try to get the unlock to work with the other partition layout? Do I even need the guid_gpt table since the boot partitions of emmc are on separate partitions: m_emmc_boot1_size = 0x400000 m_emmc_boot2_size = 0x400000

-> I am not new to uboot development but since this is not uboot I am trying to understand what is supposed to happen to unlock the bootloader for this board... Is the best idea to find the uart pins to continue?

github-actions[bot] commented 2 months ago

Stale issue message