ASUS X008D - SEJ Legacy Hardware seems not to be configured correctly

[sbechet]

Hello,

I look to unlock and root an old phone to play with a bluetooth app.

I tried with github main and 1.52 tag.

I can confirm seccfg parition is correctly written with good value.

After ./mtk da seccfg unlock:

hexdump -C seccfg.bin | head -n 10
00000000  41 4e 44 5f 53 45 43 43  46 47 5f 76 00 00 00 00  |AND_SECCFG_v....|
00000010  4d 4d 4d 4d 03 00 00 00  60 18 00 00 f2 00 00 00  |MMMM....`.......|
00000020  00 00 f2 07 00 00 00 00  00 00 00 00 ac c9 5c 7e  |..............\~|

Then I magisck with pleasure and use ./mtk w boot myboot.img. But when i reboot :

Red State

Your device has failed verification and may not
work properly
Your device will boot in 5 seconds

If i try using fastboot it saying phone is lock... (nevertheless i'm not sure i can use fastboot with mediatek phones...?)

I found error message in lk partition: lk: Offset 0x0000000001c80000, Length 0x0000000000080000, Flags 0x00000000, UUID 5f6a2c79-6617-4b85-02ac-c2975a14d2d7, Type EFI_BASIC_DATA

I can use ghidra and f*ck^H^H^Hind a solution about lk partition but before i do it i want to know if i have forgoten something?

Any idea?

Here is the log:

./mtk da seccfg unlock
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........
Port - Device detected :)
Preloader -     CPU:            MT6737M/MT6735G()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10212000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10217c00
Preloader -     Var1:           0x28
Preloader - Disabling Watchdog...
Preloader - HW code:            0x335
Preloader - Target config:      0x1
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        False
Preloader -     SWJTAG enabled:     False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      False
Preloader -     Mem write auth:     False
Preloader -     Cmd 0xC8 blocked:   False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xcb00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          6C202F51695BA21C0327D1A1B562D4B3
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6737_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/famille/mtk/mtkclient-1.63/mtkclient/payloads/mt6737_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
Successfully extracted preloader for this device to: preloader_d281l.bin
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_AllInOne_DA_5.2228.bin
legacyext - Legacy DA2 is patched.
legacyext - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04029b
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 520001154d4231582bff07429d9f7e6a
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: CCC5
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0xc0000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DeviceClass - [Errno 2] Entity not found
DALegacy - Connected to stage2 with higher speed
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0xc0000000
randomid = 0xE3ED352D6571BA75D3447E312C6FA6D6

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x747c00000
m_emmc_cid = 5831424d150100526a7e939d4207ff2b
m_emmc_fwver = 0700000000000000

legacyext - Detected V3 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xD of 0xD, ) 89.95 MB/s
DA_handler - Successfully wrote seccfg.

[sbechet]

Hello @bkerler,

I understood i can't do anything with lk partition... So I added some debug logs when testing mtk da seccfg unlock.

(note: it's not a good idea to overwrite self.info in seccfg.py about AND_SECCFG_v if we want to use self.info() logger function...maybe another name like self.info_header can be a good idea)

• my hwtype is V2
• data is correctly decoded and encoded
• first pass (decrypt) legacy=0, second pass (crypt) legacy=1?
• self.reg seems to be 16 bits not 32? when waiting for value

Do you have any idea what i can do to unlock really this phone?

seccfgV3 - seccfg_env_len = 0x1000000

sej - HACC init
sej - ben = 0x0
sej - iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - legacy = 0x0
sej - HACC run
sej - HACC terminate

seccfgV3 - hwtype = V2
seccfgV3 - org_data = 494949496c6b00000... <- data seems ok!
seccfgV3 - seccfg_attr = 0x33333333

sej - encrypting in sej_sec_cfg_hw
sej - HACC init
sej - ben = 0x1
sej - iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - legacy = 0x1

sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |...| 100.0% Write (Sector 0xD of 0xD, ) 68.27 MB/s
DA_handler - Successfully wrote seccfg.

[bkerler]

Please upload the stock seccfg as it was on the device before unlocking and also the preloader

[sbechet]

I am ready to try your idea. In fact, maybe i have damaged seccfg using other asus official tools (not working because asus remove support).

I found UL-ASUS_X008_1-WW-15.10.1810.275-user.zip on the internet (same version on my phone):

• no stock seccfg data inside :(
• preloader seems to be the exactly same (0x800 bytes header in zip file with EMMC_BOOT at start? i suppose it is not to write at preloader partition...)
• lk is exactly the same

Is someone have a stock seccfg for ASUS X008D?

I can send you my ciphered and unciphered seccfg and also my preloader if it can help? I can look too if you give me some tips.

From what I understand, brom code is executed then preload, then it's code in the lk partition that checks if the phone is unlocked then, it's API code in the preloader partition that manipulates seccfg? If I find the code in this partition, I will be able to understand the organization of the seccfg partition is that right?

Here you find my full functions flow from main branch:

legacyext - Detected V3 Lockstate
legacyext - legacy.py/calling seccfgV3()
legacyext - legacy.py/calling seccfgV3.parse()
seccfgV3 - seccfg.py/parse()/seccfg_env_len = 0x1000000
seccfgV3 - seccfg.py/parse()/calling sej_sec_cfg_sw()
seccfgV3 - seccfg.py/parse()/calling sej_sec_cfg_hw_V3()
sej - HACC init
sej - XXX ben = 0x0
sej - XXX iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - XXX legacy = 0x0
sej - HACC run
sej - HACC terminate
seccfgV3 - seccfg.py/parse()/hwtype = V2
seccfgV3 - seccfg.py/parse()/org_data = 494949496c6b00000... ; first is lk partition info
seccfgV3 - seccfg.py/parse()/seccfg_status = 0x43434343 ; SEC_CFG_COMPLETE_NUM
seccfgV3 - seccfg.py/parse()/seccfg_attr = 0x33333333 ; ATTR_DEFAULT
legacyext - legacy.py/calling seccfgV3.create()
seccfgV3 - seccfg.py/create()/lockflag = unlock
seccfgV3 - seccfg.py/create()/calling sej_sec_cfg_hw()
sej - hwcrypto_sej.py/sej_sec_cfg_hw()
sej - HACC init
sej - hwcrypto_sej.py/sej_sec_cfg_hw()/calling SEJ_V3_Init() with legacy=true
sej - XXX ben = 0x1
sej - XXX iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - XXX legacy = 0x1
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |...| 100.0% Write (Sector 0xD of 0xD, ) 66.56 MB/s

Thx u.

[sbechet]

I found an old preloader for WW_Phone-14.10.1711.92-20171218. I can try it but i don't know how to overwrite preloader on linux using mtk. There is no partition. Must I use mtk poke byte after byte from offset 0? It seems strange.

[sbechet]

Hello @bkerler,

I have an excellent news. mtkclient works! Thank you!

For trace for the next ones to play with this ASUS Zenfone 3 Max ZC520TL MT6737M phone:

• downgrade the Android version to version 7 using WW_ZC520TL_Phone-14.10.1711.92-20171218. "stupidly" use spflashtool with format+download on the whole thing.
• use the classic mtkclient process to unlock the phone
• launch the phone and go to the end of the android installation process
• follow the classic magisk process with the default options (remove AVB 2.0/dm-verity and keep forced encryption)
• recover the file and flash it with mtkclient w boot boot-magisk.bin

and there you go!

I send you my small contribution with an little pull request. Again thank you for you help and for your nice piece of software.