bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

[MT6789] mtkclient bypasses but fails while running kamakiri bypass - Helio G99 #857

Closed techyminati closed 10 months ago

techyminati commented 10 months ago
D:\mtk>python mtk printgpt
MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

Port - Device detected :)
Preloader -     CPU:                    MT6789(MTK Helio G99)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     Var1:                   0xa
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x1208
Preloader - Target config:              0xe0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      C4D45D297B8B1C7434888589C3D7482E
Preloader - SOC_ID:                     622FC725382C0272B048B6EFB9E9FA3C6F7DB4A8614CD7BFBB7A4637FBEA13D4
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from generic_patcher_payload.bin, 0x538 bytes
Exploitation - Kamakiri Run
Traceback (most recent call last):
  File "D:\mtk\mtk", line 949, in <module>
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\mtk_main.py", line 652, in run
    mtk = da_handler.configure_da(mtk, preloader)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\DA\mtk_da_handler.py", line 108, in configure_da
    mtk = mtk.bypass_security()  # Needed for dumping preloader
          ^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\mtk_class.py", line 202, in bypass_security
    if plt.runpayload(filename=self.config.payloadfile):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\pltools.py", line 79, in runpayload
    ack = self.exploit.runpayload(payload, ack, addr, dontack)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\Exploit\kamakiri2.py", line 206, in runpayload
    if self.da_payload(payload, addr, True):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\exploit_handler.py", line 80, in da_payload
    if self.exploit(payload, addr):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\Exploit\kamakiri2.py", line 67, in exploit
    ptr_send = unpack("<I", self.da_read(self.mtk.config.chipconfig.send_ptr[0][1], 4))[0] + 8
                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
TypeError: 'NoneType' object is not subscriptable
D:\mtk>python mtk payload
MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........
Port - Device detected :)
Preloader -     CPU:                    MT6789(MTK Helio G99)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     Var1:                   0xa
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x1208
Preloader - Target config:              0xe0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      C4D45D297B8B1C7434888589C3D7482E
Preloader - SOC_ID:                     622FC725382C0272B048B6EFB9E9FA3C6F7DB4A8614CD7BFBB7A4637FBEA13D4
PLTools - Loading payload from generic_patcher_payload.bin, 0x538 bytes
Exploitation - Kamakiri Run
Traceback (most recent call last):
  File "D:\mtk\mtk", line 949, in <module>
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\mtk_main.py", line 620, in run
    self.cmd_payload(mtk=mtk, payloadfile=payloadfile)
  File "D:\mtk\mtkclient\Library\mtk_main.py", line 681, in cmd_payload
    plt.runpayload(filename=payloadfile)
  File "D:\mtk\mtkclient\Library\pltools.py", line 79, in runpayload
    ack = self.exploit.runpayload(payload, ack, addr, dontack)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\Exploit\kamakiri2.py", line 206, in runpayload
    if self.da_payload(payload, addr, True):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\exploit_handler.py", line 80, in da_payload
    if self.exploit(payload, addr):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\mtk\mtkclient\Library\Exploit\kamakiri2.py", line 67, in exploit
    ptr_send = unpack("<I", self.da_read(self.mtk.config.chipconfig.send_ptr[0][1], 4))[0] + 8
                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
TypeError: 'NoneType' object is not subscriptable
bkerler commented 10 months ago

Kamakiri doesn't work with mt6789. Try to use preloader instead of bootrom.
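
As an added illustration (not mtkclient's own code) of what the traceback above shows and why the maintainer points to preloader mode: the chipconfig entry for this HW code carries no kamakiri2 pointers, so the unchecked `send_ptr[0][1]` lookup dies with a TypeError, whereas an explicit prerequisite check fails with an actionable message. ChipConfig, CHIPS, FAKE_MEM and the EXAMPLE_SOC entry are constructed stand-ins, not the project's real tables.

```python
from struct import unpack
from typing import NamedTuple, Optional, Tuple

# Hypothetical stand-in for mtkclient's per-SoC chipconfig: only the field
# named in the traceback (send_ptr) is modelled, and the MT6789 entry has
# send_ptr=None, which is exactly what produced the TypeError in the issue.
class ChipConfig(NamedTuple):
    name: str
    send_ptr: Optional[Tuple[Tuple[int, int], ...]] = None  # ((addr, ptr_location), ...)

CHIPS = {
    0x1208: ChipConfig("MT6789"),                                   # HW code from the log
    0x0001: ChipConfig("EXAMPLE_SOC", send_ptr=((0x0, 0x1000),)),  # constructed entry
}

# Constructed fake memory map standing in for da_read(addr, 4) on a device.
FAKE_MEM = {0x1000: b"\x00\x20\x00\x00"}

def da_read(memory: dict, addr: int, length: int) -> bytes:
    return memory[addr][:length]

def ptr_send_unchecked(cfg: ChipConfig, memory: dict) -> int:
    # Same expression as kamakiri2.exploit in the traceback: when send_ptr is
    # None the [0][1] subscript raises TypeError before the device is touched.
    return unpack("<I", da_read(memory, cfg.send_ptr[0][1], 4))[0] + 8

def kamakiri_supported(hwcode: int) -> Tuple[bool, str]:
    """Check the prerequisites up front and return an actionable verdict."""
    cfg = CHIPS.get(hwcode)
    if cfg is None:
        return False, f"unknown HW code {hwcode:#x}: no chipconfig entry"
    if cfg.send_ptr is None:
        return False, f"{cfg.name}: kamakiri2 pointers not known, use preloader mode instead of bootrom"
    return True, f"{cfg.name}: kamakiri2 prerequisites present"

def ptr_send_checked(hwcode: int, memory: dict) -> int:
    ok, why = kamakiri_supported(hwcode)
    if not ok:
        # Clear error instead of "'NoneType' object is not subscriptable".
        raise RuntimeError(why)
    return ptr_send_unchecked(CHIPS[hwcode], memory)
```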

techyminati commented 10 months ago

Oh sure, thanks. So I should adb reboot edl and then try to pull boot.img using python mtk r boot boot.img?

techyminati commented 10 months ago

adb reboot edl is just rebooting my device anyway

techyminati commented 10 months ago
mdsalauddinkayesh commented 7 months ago

I have a device running g99. Flashed wrong twrp as boot. Now can't boot into fastboot or recovery. Any solutions?

drodge1 commented 5 months ago

Any solution for poco-m5 bypass?

xMLSx commented 2 months ago

I have a device running g99. Flashed wrong twrp as boot. Now can't boot into fastboot or recovery. Any solutions?

I have the same problem. Have you fixed it? I'm not able to disable auth using Android Utility; is there any other program?