Closed sbechet closed 8 months ago
Hello @bkerler,
I understood I can't do anything with the lk partition...
So I added some debug logs when testing mtk da seccfg unlock.
(Note: it's not a good idea to overwrite self.info in seccfg.py about AND_SECCFG_v if we want to use the self.info() logger function... maybe another name like self.info_header could be a good idea.)
Do you have any idea what I can do to really unlock this phone?
seccfgV3 - seccfg_env_len = 0x1000000
sej - HACC init
sej - ben = 0x0
sej - iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - legacy = 0x0
sej - HACC run
sej - HACC terminate
seccfgV3 - hwtype = V2
seccfgV3 - org_data = 494949496c6b00000... <- data seems ok!
seccfgV3 - seccfg_attr = 0x33333333
sej - encrypting in sej_sec_cfg_hw
sej - HACC init
sej - ben = 0x1
sej - iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - legacy = 0x1
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |...| 100.0% Write (Sector 0xD of 0xD, ) 68.27 MB/s
DA_handler - Successfully wrote seccfg.
Please upload the stock seccfg as it was on the device before unlocking, and also the preloader.
I am ready to try your idea.
In fact, maybe I have damaged seccfg using other ASUS official tools (not working because ASUS removed support).
I found UL-ASUS_X008_1-WW-15.10.1810.275-user.zip on the internet (same version as on my phone):
seccfg data inside :(
preloader seems to be exactly the same (0x800 bytes header in the zip file with EMMC_BOOT at start? I suppose it is not to be written to the preloader partition...)
lk is exactly the same
Does someone have a stock seccfg for ASUS X008D?
I can send you my ciphered and unciphered seccfg and also my preloader if it can help. I can look too if you give me some tips.
From what I understand, brom code is executed, then preload, then it's code in the lk partition that checks if the phone is unlocked, then it's API code in the preloader partition that manipulates seccfg? If I find the code in this partition, I will be able to understand the organization of the seccfg partition, is that right?
Here is my full function flow from the main branch:
legacyext - Detected V3 Lockstate
legacyext - legacy.py/calling seccfgV3()
legacyext - legacy.py/calling seccfgV3.parse()
seccfgV3 - seccfg.py/parse()/seccfg_env_len = 0x1000000
seccfgV3 - seccfg.py/parse()/calling sej_sec_cfg_sw()
seccfgV3 - seccfg.py/parse()/calling sej_sec_cfg_hw_V3()
sej - HACC init
sej - XXX ben = 0x0
sej - XXX iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - XXX legacy = 0x0
sej - HACC run
sej - HACC terminate
seccfgV3 - seccfg.py/parse()/hwtype = V2
seccfgV3 - seccfg.py/parse()/org_data = 494949496c6b00000... ; first is lk partition info
seccfgV3 - seccfg.py/parse()/seccfg_status = 0x43434343 ; SEC_CFG_COMPLETE_NUM
seccfgV3 - seccfg.py/parse()/seccfg_attr = 0x33333333 ; ATTR_DEFAULT
legacyext - legacy.py/calling seccfgV3.create()
seccfgV3 - seccfg.py/create()/lockflag = unlock
seccfgV3 - seccfg.py/create()/calling sej_sec_cfg_hw()
sej - hwcrypto_sej.py/sej_sec_cfg_hw()
sej - HACC init
sej - hwcrypto_sej.py/sej_sec_cfg_hw()/calling SEJ_V3_Init() with legacy=true
sej - XXX ben = 0x1
sej - XXX iv = 0x9ed40400 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg 0xgggggggg
sej - XXX legacy = 0x1
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |...| 100.0% Write (Sector 0xD of 0xD, ) 66.56 MB/s
Thx u.
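To make the debug trace above easier to read back, here is a small log summarizer. It is an added example written for this thread, not code from mtkclient or from the poster: it parses lines in the `module - path/key = value ; comment` shape shown in the trace, counts the repeated HACC_ACON2 register reads, records the SEJ legacy-hardware warning, and cross-checks the parsed fields against the values the trace itself annotates (SEC_CFG_COMPLETE_NUM = 0x43434343, ATTR_DEFAULT = 0x33333333, and the org_data prefix the poster labels "first is lk partition info"). The sample log is constructed from a subset of the posted lines; the field-layout assumptions are only those visible in the trace.

```python
"""Summarize an mtkclient-style seccfg debug trace (example code, not mtkclient's own)."""

# Constructed sample: a subset of the trace format posted in this thread.
SAMPLE_LOG = """\
legacyext - Detected V3 Lockstate
seccfgV3 - seccfg.py/parse()/seccfg_env_len = 0x1000000
sej - HACC init
sej - XXX ben = 0x0
seccfgV3 - seccfg.py/parse()/hwtype = V2
seccfgV3 - seccfg.py/parse()/org_data = 494949496c6b00000... ; first is lk partition info
seccfgV3 - seccfg.py/parse()/seccfg_status = 0x43434343 ; SEC_CFG_COMPLETE_NUM
seccfgV3 - seccfg.py/parse()/seccfg_attr = 0x33333333 ; ATTR_DEFAULT
seccfgV3 - seccfg.py/create()/lockflag = unlock
sej - XXX legacy = 0x1
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej - XXX self.reg.HACC_ACON2 = 0x8000
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |...| 100.0% Write (Sector 0xD of 0xD, ) 66.56 MB/s
DA_handler - Successfully wrote seccfg.
"""

# Constants as annotated in the posted trace (assumed to mean what the comments say).
SEC_CFG_COMPLETE_NUM = 0x43434343
ATTR_DEFAULT = 0x33333333


def parse_field(line):
    """Return (module, key, value) for a 'mod - path/key = value ; comment' line, else None."""
    if " - " not in line or " = " not in line:
        return None
    mod, rest = line.split(" - ", 1)
    lhs, rhs = rest.split(" = ", 1)
    key = lhs.rsplit("/", 1)[-1].strip()      # drop the 'seccfg.py/parse()/' path prefix
    if key.startswith("XXX "):                 # the poster's debug marker
        key = key[4:]
    value = rhs.split(" ;", 1)[0].strip()      # drop the trailing '; comment'
    return mod, key, value


def summarize(log_text):
    """Collect parsed fields, register-poll count, warnings and the final write status."""
    summary = {"fields": {}, "acon2_polls": 0, "warnings": [], "wrote_seccfg": False}
    for line in log_text.splitlines():
        if "[LIB]: " in line:
            summary["warnings"].append(line.split("[LIB]: ", 1)[1])
        if "Successfully wrote seccfg" in line:
            summary["wrote_seccfg"] = True
        parsed = parse_field(line)
        if parsed is None:
            continue
        _mod, key, value = parsed
        if key == "self.reg.HACC_ACON2":
            summary["acon2_polls"] += 1        # one line per poll of the HACC status register
        else:
            summary["fields"][key] = value
    return summary


def assess(summary):
    """Cross-check the parsed fields against the values the trace annotates."""
    f = summary["fields"]
    status = int(f.get("seccfg_status", "0x0"), 16)
    attr = int(f.get("seccfg_attr", "0x0"), 16)
    # org_data is printed truncated with '...'; decode only the complete hex bytes.
    hexpart = f.get("org_data", "").rstrip(".")
    hexpart = hexpart[: len(hexpart) - len(hexpart) % 2]
    prefix = bytes.fromhex(hexpart) if hexpart else b""
    return {
        "hwtype": f.get("hwtype"),
        "status_complete": status == SEC_CFG_COMPLETE_NUM,
        "attr_default": attr == ATTR_DEFAULT,
        "org_data_prefix": prefix,             # b'IIIIlk\x00\x00' per the poster's annotation
        "requested_lockflag": f.get("lockflag"),
        "legacy_hw_warning": any("SEJ Legacy Hardware" in w for w in summary["warnings"]),
        "acon2_polls": summary["acon2_polls"],
        "wrote_seccfg": summary["wrote_seccfg"],
    }


if __name__ == "__main__":
    for name, value in assess(summarize(SAMPLE_LOG)).items():
        print(f"{name:>20}: {value!r}")
```

Run it as-is to see the summary of the constructed sample, or feed it a saved trace by replacing SAMPLE_LOG with the file contents. The combination of "status_complete", a "legacy_hw_warning" and "wrote_seccfg" is exactly the situation in the thread: the write succeeds, yet the warning says the legacy SEJ path may have produced wrong ciphertext, which is worth reading before assuming the partition content is good.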
I found an old preloader for WW_Phone-14.10.1711.92-20171218. I can try it, but I don't know how to overwrite the preloader on Linux using mtk. There is no partition. Must I use mtk poke byte after byte from offset 0? It seems strange.
Hello @bkerler,
I have excellent news. mtkclient works! Thank you!
For the record, for the next ones to play with this ASUS Zenfone 3 Max ZC520TL MT6737M phone:
WW_ZC520TL_Phone-14.10.1711.92-20171218.
"Stupidly" use spflashtool with format+download on the whole thing, and there you go!
I send you my small contribution with a little pull request. Again, thank you for your help and for your nice piece of software.
Hello,
I'm looking to unlock and root an old phone to play with a Bluetooth app.
I tried with GitHub main and the 1.52 tag.
I can confirm the seccfg partition is correctly written with a good value.
After ./mtk da seccfg unlock:
Then I Magisk with pleasure and use ./mtk w boot myboot.img. But when I reboot:
If I try using fastboot it says the phone is locked... (nevertheless I'm not sure I can use fastboot with MediaTek phones...?)
I found an error message in the lk partition:
lk: Offset 0x0000000001c80000, Length 0x0000000000080000, Flags 0x00000000, UUID 5f6a2c79-6617-4b85-02ac-c2975a14d2d7, Type EFI_BASIC_DATA
I can use Ghidra and f*ck^H^H^Hind a solution for the lk partition, but before I do it I want to know if I have forgotten something?
Any idea?
Here is the log: