bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0
2.7k stars 528 forks

Issues on latest 2.0 version with dumppreloader #886

Closed schizoidcock closed 2 months ago

schizoidcock commented 10 months ago

I was trying to test an LG Stylo 6 device, forcing BROM with the tool. On older versions, after successfully uploading the payload (after forcing the BROM) and reconnecting the device to do any operation, it dumped the preloader from the RAM and successfully did the operations like read partitions or erase. Now it doesn't do that on the new versions after loading the payload; even if we dump the preloader and give it through the option --preloader on the v2 version, it gives an error of unpack buffer requires 12 bytes. I will attach logs for reference @bkerler

This is with an older version, to be exact v1.58; it works well and we can do any operation, since it dumps the preloader from the RAM, with no issues.

......Port - Device detected :)
Preloader -     CPU:                    MT6765/MT8768t(Helio P35/G35)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212000
Preloader -     Var1:                   0x25
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x766
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      F143FBCA1B96E2C5245CBD8224901E90
Preloader - SOC_ID:                     6EC83E3D60F746B5A77EF89047B9BDF6354ACB49A3194F1475501BB3C1EE50BF
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\PhoneSolutions\tool\mtkclient\payloads\mt6765_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
Successfully extracted preloader for this device to: preloader_muse6765_64_dh50_q.bin
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 13014e47314a3950
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         G1J9P8
DAXFlash - EMMC CID:        13014e47314a3950381005ea02e877db
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x1000000
DAXFlash - EMMC USER Size:  0xe8f800000
DAXFlash - HW-CODE         : 0x766
DAXFlash - HWSUB-CODE      : 0x8A00
DAXFlash - HW-VERSION      : 0xCA00
DAXFlash - SW-VERSION      : 0x0
DAXFlash - CHIP-EVOLUTION  : 0x0
DAXFlash - DA-VERSION      : 1.0
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - DA Extensions successfully added
DA_handler - Requesting available partitions ....

Now, in the latest version, after you put the device in BROM and it loads the payload and everything, when you reconnect the device to the PC like in older versions to continue doing operations, this is what happens: the DA_handler fails to dump the preloader from RAM, and even if you provide the dumped preloader it fails the operation.

......Port - Device detected :)
Preloader -     CPU:                    MT6765/MT8768t(Helio P35/G35)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212000
Preloader -     Var1:                   0x25
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x766
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      F143FBCA1B96E2C5245CBD8224901E90
Preloader - SOC_ID:                     6EC83E3D60F746B5A77EF89047B9BDF6354ACB49A3194F1475501BB3C1EE50BF
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\PhoneSolutions\tool 2.0\mtkclient\payloads\mt6765_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Failed to dump preloader from ram, provide a valid one via --preloader option
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 13014e47314a3950
DAXFlash - No preloader given. Searching for preloader
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup failed: unpack requires a buffer of 12 bytes
DAXFlash - Emi data NOT accepted ...
DAXFlash
DAXFlash - [LIB]: No preloader given. Operation may fail due to missing dram setup.
DAXFlash - Uploading stage 2...
Traceback (most recent call last):
  File "C:\PhoneSolutions\tool 2.0\mtk", line 1037, in <module>
    mtk = Main(args).run(parser)
  File "C:\PhoneSolutions\tool 2.0\mtkclient\Library\mtk_main.py", line 652, in run
    mtk = da_handler.configure_da(mtk, preloader)
  File "C:\PhoneSolutions\tool 2.0\mtkclient\Library\DA\mtk_da_handler.py", line 143, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
  File "C:\PhoneSolutions\tool 2.0\mtkclient\Library\DA\mtk_daloader.py", line 292, in upload_da
    return self.da.upload_da()
  File "C:\PhoneSolutions\tool 2.0\mtkclient\Library\DA\xflash\xflash_lib.py", line 1166, in upload_da
    loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2)
  File "C:\PhoneSolutions\tool 2.0\mtkclient\Library\DA\xflash\xflash_lib.py", line 275, in boot_to
    if self.status() == 0:
  File "C:\PhoneSolutions\tool 2.0\mtkclient\Library\DA\xflash\xflash_lib.py", line 129, in status
    magic, datatype, length = unpack("<III", hdr)
struct.error: unpack requires a buffer of 12 bytes
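
The crash at the end of the traceback above is a short read: `status()` calls `unpack("<III", hdr)` on whatever the DA returned, and when the DA never came up properly (here, after DRAM/EMI setup failed for lack of a usable preloader) the reply is shorter than the 12-byte header, so `struct` raises instead of the tool reporting the real cause. The following is an added example, not mtkclient's own code, of reading that header defensively. The header layout (magic, datatype, length as little-endian uint32) is taken from the traceback; the `FakePort` class, the placeholder magic value and all byte strings are constructed for the example and were not captured from a device.

```python
# Added example (not mtkclient's own code): reading the 12-byte xflash
# status header defensively. The traceback in the issue shows the crash
# happening in unpack("<III", hdr) when the DA did not answer with a full
# header after DRAM/EMI setup failed for lack of a usable preloader.
# Header layout (magic, datatype, length; little-endian uint32 each) is
# taken from the traceback; the port object and all byte values below are
# constructed stand-ins, not captured from a device.
from dataclasses import dataclass
from struct import calcsize, pack, unpack
from typing import Optional, Tuple

HDR_FMT = "<III"             # magic, datatype, length (from the traceback)
HDR_LEN = calcsize(HDR_FMT)  # 12 bytes


class ShortReplyError(Exception):
    """The DA delivered fewer bytes than a status header requires."""


@dataclass
class StatusHeader:
    magic: int
    datatype: int
    length: int


class FakePort:
    """Constructed stand-in for the USB/serial port.

    Serves canned bytes and, like a real port, may return fewer bytes than
    requested per read() call; an empty result means nothing more will
    arrive (a real port would hit its timeout at that point).
    """

    def __init__(self, data: bytes, chunk: int = 64):
        self._buf = data
        self._chunk = chunk

    def read(self, n: int) -> bytes:
        n = min(n, self._chunk)
        out, self._buf = self._buf[:n], self._buf[n:]
        return out


def build_header(magic: int, datatype: int, length: int) -> bytes:
    """Serialize a header in the layout the DA uses (to construct test input)."""
    return pack(HDR_FMT, magic, datatype, length)


def read_exact(port, n: int) -> bytes:
    """Keep reading until n bytes are collected or the port stops delivering."""
    out = b""
    while len(out) < n:
        chunk = port.read(n - len(out))
        if not chunk:
            break
        out += chunk
    return out


def read_status_header(port) -> StatusHeader:
    """Read and parse one status header.

    A short reply raises ShortReplyError with a diagnosis instead of letting
    struct.error ('unpack requires a buffer of 12 bytes') surface bare.
    """
    hdr = read_exact(port, HDR_LEN)
    if len(hdr) != HDR_LEN:
        raise ShortReplyError(
            f"DA returned {len(hdr)} byte(s), expected {HDR_LEN}: the DA most "
            "likely did not come up (DRAM/EMI setup failed or no usable "
            "preloader was available; pass one with --preloader)")
    magic, datatype, length = unpack(HDR_FMT, hdr)
    return StatusHeader(magic, datatype, length)


def try_read_status(port) -> Tuple[Optional[StatusHeader], str]:
    """Non-raising wrapper: returns (header, 'ok') or (None, diagnosis)."""
    try:
        return read_status_header(port), "ok"
    except ShortReplyError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # 0x12345678 is a constructed placeholder magic, not the real DA value.
    good = FakePort(build_header(0x12345678, 1, 4), chunk=5)  # delivered in pieces
    print(try_read_status(good))
    print(try_read_status(FakePort(b"\x00\x00")))  # truncated reply
    print(try_read_status(FakePort(b"")))          # nothing at all
```

The `chunk=5` port shows why the read loop matters: a header can arrive in several USB reads, and a single `read(12)` that returns 5 bytes would otherwise be indistinguishable from the genuine failure the issue reports.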

bkerler commented 10 months ago

I will have a closer look.

sarunelis commented 10 months ago

Cannot read preloader from erased or destroyed device.

bkerler commented 9 months ago

> Cannot read preloader from erased or destroyed device.

Yes, of course. For that you have to use the --preloader option.

schizoidcock commented 9 months ago

> Cannot read preloader from erased or destroyed device.

Not trying to be rude, buddy, but you need to read what I posted before commenting something that we already know. Obviously, if the gpt, pgpt or spgt partition table is destroyed you need the preloader to load the partition information; that doesn't apply in this case because I'm not destroying the partition table. What I'm doing is crashing the port to enter the BROM stage; those are two different types of exploits. We are explaining that in the past, if you ran the payload command on the device, the device entered the BROM state and you could do any operation after reconnecting the device, or without disconnecting, since mtkclient dumped the preloader from RAM. But it is not dumping it from RAM anymore, and when you try to load the preloader with the --preloader command it is not working either @sarunelis. You can test this with the new version and by downloading an old release.

schizoidcock commented 8 months ago

Any thoughts or fix on this @bkerler?

bkerler commented 8 months ago

If --preloader is failing, solder TX and RX to the UART pins to see why it is failing. dumppreloader only works with an existing preloader, as it is being dumped from RAM. You need to get and extract the preloader from firmware.

schizoidcock commented 8 months ago

There is nothing wrong with the phone @bkerler; as I stated, there is a bug in your code, since it can dump the preloader and load the EMI info on older versions, but on version 2.0 it does not work, not even with the --preloader option pointing to the preloader.

bkerler commented 8 months ago

This should be already fixed with the current commit. But I will have a look at it again.

github-actions[bot] commented 2 months ago

Stale issue message