bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Realme 7 MTK6785 double sim preload -- brick #848

Closed Jack-demolay closed 10 months ago

Jack-demolay commented 11 months ago

Hello. After a few weeks trying to flash my Realme 7 without success, I managed to leave it as a brick. My device is a Realme 7 with Helio G90 MTK 6785 microprocessor, but it has some features, and that is that it is dual SIM + SD (3 bays), so it is not the same as the RMX2151. It is a device that cannot enter fastboot mode. At the moment it is locked. The only way I managed to install recovery and ROM is through brun mode, and with the MTKclient python tools. But the ROMs that I have managed to install do not work; some get to install, but then the phone does not have all its features, for example, they do not recognize the SIM. In my case the ROMs of the RMX2151, or the OPPO, did not work. The last ROM that I installed has left me the phone as a brick, and now the MTKclient tells me that there is no PRELOAD. I've been looking at the GitHub bkerler MTKclient page and it says that the MTK678X chip is not supported. So, I ask if anyone knows: can I install a preload from brun mode on a MX2155?

matejmajny commented 10 months ago

I don't know what about you, but I've got a realme 6 (which uses MT6785 as well) and it works just fine. Could you please post your console reading here?

Jack-demolay commented 10 months ago

Hello. Thank you for commenting. This is the console before the command:

❯ python mtk r preloader .\preloader_oppo6785_Realme_7.bin --parttype=boot1

MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.
...........
Port - Device detected :)
Preloader - CPU: MT6785(Helio G90)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x813
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 548B4DA225E2FEF7A2BFBA3C99631164
Preloader - SOC_ID: FC37F4FBBB216312542E887A8A104F61C1A1945CBDC943988DA698DACE937BC9
PLTools - Loading payload from mt6785_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\prueba mtk\mtkclient\mtkclient\payloads\mt6785_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2228.bin
xflashext - Patching da1 ...
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: KM8V8001JM-B81
DAXFlash - UFS MID: 0xce
DAXFlash - UFS CID: ce014b4d3856383030314a4d2d423831
DAXFlash - UFS FWVer: 31393030
DAXFlash - UFS Serial: 346135326332303831393139
DAXFlash - UFS LU0 Size: 0x1dcb000000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : ce014b4d3856383030314a4d2d423831
DAXFlash - No preloader given. Searching for preloader
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup failed: unpack requires a buffer of 12 bytes
Traceback (most recent call last):
  File "C:\prueba mtk\mtkclient\mtk", line 855, in <module>
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\prueba mtk\mtkclient\mtkclient\Library\mtk_main.py", line 635, in run
    mtk = da_handler.configure_da(mtk, preloader)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\prueba mtk\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 119, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\prueba mtk\mtkclient\mtkclient\Library\DA\mtk_daloader.py", line 240, in upload_da
    return self.da.upload_da()
           ^^^^^^^^^^^^^^^^^^^
  File "C:\prueba mtk\mtkclient\mtkclient\Library\DA\xflash\xflash_lib.py", line 1088, in upload_da
    if not self.send_emi(self.daconfig.emi):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\prueba mtk\mtkclient\mtkclient\Library\DA\xflash\xflash_lib.py", line 222, in send_emi
    status = self.status()
             ^^^^^^^^^^^^^
  File "C:\prueba mtk\mtkclient\mtkclient\Library\DA\xflash\xflash_lib.py", line 113, in status
    magic, datatype, length = unpack("<III", hdr)
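The last frame of the traceback above unpacks a 12-byte `<III` header from whatever the device returned, and `unpack requires a buffer of 12 bytes` is the message `struct` raises when fewer bytes arrive. The following is an added example of reading such a header defensively; it is not mtkclient code and not part of any comment in this thread, and the magic value, the function names and the fake reader are assumptions made for illustration.

```python
import struct

HDR_FMT = "<III"                    # magic, datatype, length (format string from the traceback)
HDR_LEN = struct.calcsize(HDR_FMT)  # 12 bytes
ASSUMED_MAGIC = 0xFEEEEEEF          # assumption for this example, not a value from the page


class ShortHeader(Exception):
    """The device returned fewer bytes than a full status header."""


def read_exact(read, size, max_empty_reads=3):
    """Collect exactly `size` bytes from read(n); a USB read may return less than asked."""
    buf = bytearray()
    empty = 0
    while len(buf) < size:
        chunk = read(size - len(buf))
        if not chunk:
            empty += 1
            if empty >= max_empty_reads:
                got = bytes(buf).hex() or "nothing"
                raise ShortHeader(f"got {len(buf)} of {size} bytes: {got}")
            continue
        empty = 0
        buf += chunk
    return bytes(buf)


def read_status_header(read):
    """Return (datatype, length) after checking size and magic of the header."""
    magic, datatype, length = struct.unpack(HDR_FMT, read_exact(read, HDR_LEN))
    if magic != ASSUMED_MAGIC:
        raise ValueError(f"unexpected magic 0x{magic:08x}")
    return datatype, length


def make_reader(chunks):
    """Constructed stand-in for a USB endpoint: hands out the given chunks, then b''."""
    it = iter(chunks)
    return lambda n: next(it, b"")


def naive_error(data):
    """Message a bare unpack produces on a short buffer (the failure in the traceback)."""
    try:
        struct.unpack(HDR_FMT, data)
    except struct.error as exc:
        return str(exc)
    return None
```

With this shape, a device that stops answering mid-header produces an error that says how many bytes arrived and what they were, instead of a bare `struct.error` from deep inside the flashing path.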

matejmajny commented 10 months ago

Why did you include .\ before the filename? Also are you using the latest version?

Jack-demolay commented 10 months ago

Yes, I use the last version. This is what I get when I tried the MTK_gui

❯ python mtk_gui --preloader=preloader.bin
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
...........
...........
Preloader - CPU: MT6785(Helio G90)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x813
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 548B4DA225E2FEF7A2BFBA3C99631164
Preloader - SOC_ID: FC37F4FBBB216312542E887A8A104F61C1A1945CBDC943988DA698DACE937BC9
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
...........
...........
...........
...........
Preloader - CPU: MT6785(Helio G90)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x813
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 548B4DA225E2FEF7A2BFBA3C99631164
Preloader - SOC_ID: FC37F4FBBB216312542E887A8A104F61C1A1945CBDC943988DA698DACE937BC9
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.

Jack-demolay commented 10 months ago

Hello

It's already fixed. I downloaded a new ROM and extracted the boot.img, Vbmeta.img and preload.ini files, and burned them to the phone with python mtk r boot,vbmeta boot.img,vbmeta.img --preloader=preloader.bin

After that, download all the other ROM files with python mtk rl out --preloader=preloader.bin

At this point the MTKclient v.2 GUI recognized my phone, and I was able to install the latest ROM.

Thank you very much