bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Dumping the boot.img, vbmeta.img is only outputting an error on the latest commit. But on the 1.52 version, it is able to dump those files (with other issues as well) #895

Closed Fastball2880 closed 8 months ago

Fastball2880 commented 8 months ago

Due to there being no template for writing an issue in this repo, I'll be as detailed as I can.

Device - Acer Iconia Tab 10 Tablet - P10-11-K5P5: https://store.acer.com/en-us/acer-iconia-tab-10-tablet-p10-11-k5p5

Description-

I've been attempting to root this device multiple times, and some commands are not working as well, according to the README. I realized that I am using the wrong package that was on the release page (from this link - https://github.com/bkerler/mtkclient/releases/tag/1.52). Due to a lot of confusion in the README page, I figured out how to get the latest version.

When trying to dump the "boot.img and vbmeta.img" from the 2.0.0 beta, it gets stuck on "Uploading stage 2" and is not able to dump those files. Whereas when I decided to go back to my mistake, the 1.52 version of the tool can dump those files.

This includes the following command of: python mtk e metadata,userdata,md_udc to unlock the bootloader, but same error. However, when I tried to do it in 1.52, it doesn't recognize it (assuming it's due to changed syntax from previous commits).

After this, I am not going further due to confusion in the README and lack of documentation in the commands/syntaxes (man would be helpful) because I might damage the device further.

Reproduction -

  1. Input the following commands python mtk r boot,vbmeta boot.img,vbmeta.img
  2. Expecting to have a dump in the two files boot.img and vbmeta.img but only to be stuck in Uploading stage 2
  3. Getting an error that says:
    DAXFlash - [LIB]: ←[31mStage was't executed. Maybe dram issue ?.←[0m
    DAXFlash
    DAXFlash - [LIB]: ←[31mError on booting to da (xflash)←[0m

Other information -

I am using Windows 10 Pro Version 10.0.19044 Build 19044

Possible regression in: https://github.com/bkerler/mtkclient/issues/691, https://github.com/bkerler/mtkclient/issues/575, https://github.com/bkerler/mtkclient/issues/305.

Full log

For 1.52 build:

Port - Device detected :)
Preloader -     CPU:                    MT6771/MT8385/MT8183/MT8666(Helio P60/P70/G80)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212000
Preloader -     Var1:                   0xa
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x788
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      074CE02A559DB099E510C8C253EED61B
Preloader - SOC_ID:                     555C4BFC0D7B9C287239E6F82E4D9D51D9C77779EBBC14F8DA7FED97D30956FA
Main - Device is unprotected.
PLTools - Loading payload from mt6771_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\Users\allen\Desktop\mtkclient-1.52\mtkclient\payloads\mt6771_payload.bin
Port - Device detected :)
Main
Main - [LIB]: ←[33mDevice is in BROM mode. No preloader given, trying to dump preloader from ram.←[0m
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2136.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 90014a6843396150
DAXFlash - Sending emi data ...
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         hC9aP3
DAXFlash - EMMC CID:        90014a684339615033010f4c414d44c5
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x1000000
DAXFlash - EMMC USER Size:  0xe8f800000
DAXFlash - DA-CODE      : 0x888F0
DAXFlash - DA Extensions successfully added
Main - Requesting available partitions ....
Main - Dumping partition "boot"
Progress: |██████████████████████████████████████████████████| 100.0% Read (Sector 0x10000 of 0x10000, ) 31.32 MB/s4 MB/sB/s
Main - Dumped sector 1171456 with sector count 65536 as boot.img.
Main - Dumping partition "vbmeta"
Main - Dumped sector 111680 with sector count 16384 as vbmeta.img.
Main - All partitions were dumped

For latest build:

Port - Device detected :)
Preloader -     CPU:                    MT6771/MT8385/MT8183/MT8666(Helio P60/P70/G80)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212000
Preloader -     Var1:                   0xa
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x788
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      074CE02A559DB099E510C8C253EED61B
Preloader - SOC_ID:                     555C4BFC0D7B9C287239E6F82E4D9D51D9C77779EBBC14F8DA7FED97D30956FA
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6771_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\Users\allen\Desktop\mtkclient-main\mtkclient\payloads\mt6771_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: ←[31mFailed to dump preloader from ram, provide a valid one via --preloader option←[0m
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: ←[33mError on patching da1 version check...←[0m
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
xflashext - DA version anti-rollback patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 90014a6843396150
DAXFlash - No preloader given. Searching for preloader
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: ←[31mError on sending parameter: DA exceed max num (0xc0070005)←[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash
DAXFlash - [LIB]: ←[33mNo preloader given. Operation may fail due to missing dram setup.←[0m
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash
DAXFlash - [LIB]: ←[31mStage was't executed. Maybe dram issue ?.←[0m
DAXFlash
DAXFlash - [LIB]: ←[31mError on booting to da (xflash)←[0m
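
A triage sketch for logs like the two above, added here as an example (it is not part of the original issue and not mtkclient code): it reads the boot ROM protection flags, counts rejected EMI uploads, and lists each distinct error once so the failure chain is visible without scrolling through the retries. The function name `triage` is hypothetical, the sample is a shortened excerpt constructed from the "latest build" log, and treating colour code 31 as an error and 33 as a warning is an assumption inferred from how those codes appear in that log.

```python
import re

# Constructed sample: shortened excerpt of the "latest build" log in this issue.
SAMPLE_LOG = """\
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
DA_handler - [LIB]: \u2190[31mFailed to dump preloader from ram, provide a valid one via --preloader option\u2190[0m
DAXFlash - Sending emi data ...
DAXFlash - Emi data NOT accepted ...
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: \u2190[31mError on sending parameter: DA exceed max num (0xc0070005)\u2190[0m
DAXFlash - Emi data NOT accepted ...
DAXFlash - [LIB]: \u2190[33mNo preloader given. Operation may fail due to missing dram setup.\u2190[0m
DAXFlash - Uploading stage 2...
DAXFlash - [LIB]: \u2190[31mStage was't executed. Maybe dram issue ?.\u2190[0m
"""

# Colour codes arrive as a real ESC byte or as the arrow a Windows console pastes.
ANSI = re.compile(r"(?:\x1b|\u2190)\[(\d+)m")
FLAG = re.compile(r"^(SBC|SLA|DAA) enabled:\s*(True|False)$")


def triage(log_text):
    """Summarise protection flags, EMI rejections, errors and warnings."""
    report = {"flags": {}, "emi_rejected": 0, "errors": [], "warnings": []}
    for raw in log_text.splitlines():
        colours = ANSI.findall(raw)
        line = ANSI.sub("", raw).strip()
        module, sep, msg = line.partition(" - ")
        if not sep:
            continue  # bare module-name lines such as "DAXFlash"
        msg = msg.replace("[LIB]:", "").strip()
        flag = FLAG.match(msg)
        if flag:
            report["flags"][flag.group(1)] = flag.group(2) == "True"
        elif msg.startswith("Emi data NOT accepted"):
            report["emi_rejected"] += 1
        elif "31" in colours:  # assumed: red marks an error
            if (module, msg) not in report["errors"]:
                report["errors"].append((module, msg))  # keep first occurrence only
        elif "33" in colours:  # assumed: yellow marks a warning
            report["warnings"].append((module, msg))
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
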

Fastball2880 commented 8 months ago

The latest commit https://github.com/bkerler/mtkclient/commit/29341e56cdcd0b4436fc8c66fcd1ec5c590c05a8, has fixed it.