bkerler
commented
4 months ago If you can provide the first 0x20000 bytes (including the MBR header), I can add support.
Open buddyjojo opened 9 months ago
bkerler
commented
4 months ago If you can provide the first 0x20000 bytes (including the MBR header), I can add support.
buddyjojo
commented
4 months ago Well seems pretty empty but here I guess. (Sorry for the mega link couldn't think of another way to send it) https://mega.nz/file/Mh92gL4S#8IW8At0sxlbTRxI5uCuZWmgvaHF6OuCnU30dcxlY34o
00p513-dev
commented
4 months ago Well seems pretty empty but here I guess. (Sorry for the mega link couldn't think of another way to send it) https://mega.nz/file/Mh92gL4S#8IW8At0sxlbTRxI5uCuZWmgvaHF6OuCnU30dcxlY34o
GitHub supports uploading attachments as .zip
Re-uploading for convenience
bkerler
commented
4 months ago yeah ... seems more is missing. I see the basic mbr info but not the corresponding partition info. Would it be possible to upload to last 0x20000 bytes as well ? Hopefully it is stored there
buddyjojo
commented
4 months ago The last 0x20000 bytes is entirely empty. here's the scatter of the device if you can see any interesting partitions that could have it. Oddly EBR1 and 2 are also equally empty as the MBR but I'll give them anyways too. Archive.zip
bkerler
commented
4 months ago Would it be possible to upload the whole flash ?
buddyjojo
commented
4 months ago Here's all the partitions minus userdata and system I had on hand. Do you need a full flash bin instead?
buddyjojo
commented
3 months ago I wonder if it would be better to support scatter files instead of trying to look for the mbr table if it's something a bit more non standard then gpt devices.
R0rt1z2
commented
3 months ago I wonder if it would be better to support scatter files instead of trying to look for the mbr table if it's something a bit more non standard then gpt devices.
I feel like parsing MBR on the fly (if that's even possible, like we do on GPT-based devices) would be cooler and more "universal" (or automated). I have several legacy MTK devices with MBR at home; I'll try to dump the whole flash later. Apparently, there's an existing Kaitai struct for MBR (in case it's helpful), but I'm not sure if it'll be any different in our case.
R0rt1z2
commented
3 months ago So I gave my MT8127 tablet with MBR a try and apparently I ran into a different error:
r0rt1z2@r0rt1z2-pc:~/mtkclient$ sudo python3 mtk.py printgpt --preloader=/home/r0rt1z2/Desktop/preloader.bin
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024
ArgHandler - O:Var1: 0x0
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
Port - Device detected :)
Preloader - CPU: MT8127/MT3367()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8127
Preloader - Target config: 0x1
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca03
Preloader - SW Ver: 0x0
Preloader - ME_ID: 471378C451B8AAF7105AEB996E415483
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
DaHandler - Using supplied preloader. Skipping exploitation!
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt
LegacyExt - [LIB]: Legacy address check not patched.
LegacyExt
LegacyExt - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028d
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 700100543532373136011accdce4244f
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ... EMI-Version 0x10
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 1386
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x40000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DeviceClass
DeviceClass - [LIB]: USB Overflow
Traceback (most recent call last):
File "/home/r0rt1z2/mtkclient/mtk.py", line 1000, in <module>
mtk = Main(args).run(parser)
^^^^^^^^^^^^^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/mtk_main.py", line 662, in run
mtk = da_handler.configure_da(mtk, preloader)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/mtk_da_handler.py", line 161, in configure_da
if not mtk.daloader.upload_da(preloader=preloader):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/mtk_daloader.py", line 298, in upload_da
return self.da.upload_da()
^^^^^^^^^^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 755, in upload_da
if self.upload_da1():
^^^^^^^^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 613, in upload_da1
if self.read_flash_info():
^^^^^^^^^^^^^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 524, in read_flash_info
pi = PassInfo(self.usbread(0xA))
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 37, in __init__
self.ack = sh.bytes()
^^^^^^^^^^
File "/home/r0rt1z2/mtkclient/mtkclient/Library/utils.py", line 280, in bytes
return dat[0]
~~~^^^
IndexError: index out of range
r0rt1z2@r0rt1z2-pc:~/mtkclient$Here's all the partitions minus userdata and system I had on hand. Do you need a full flash bin instead?
Thanks .. that really helps a lot. Will have a closer look.
bkerler
commented
3 months ago I wonder if it would be better to support scatter files instead of trying to look for the mbr table if it's something a bit more non standard then gpt devices.
Most probably non-gpt devices will require this. mbr only has infos about the segmentation but no infos about the partition name. The latter I assume is hardcoded in lk or preloader.
bkerler
commented
3 months ago So I gave my MT8127 tablet with MBR a try and apparently I ran into a different error:
r0rt1z2@r0rt1z2-pc:~/mtkclient$ sudo python3 mtk.py printgpt --preloader=/home/r0rt1z2/Desktop/preloader.bin MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024 ArgHandler - O:Var1: 0x0 Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode Port - Hint: Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset. Port - Device detected :) Preloader - CPU: MT8127/MT3367() Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - Var1: 0xa Preloader - Disabling Watchdog... Preloader - HW code: 0x8127 Preloader - Target config: 0x1 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: False Preloader - SWJTAG enabled: False Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: False Preloader - Mem write auth: False Preloader - Cmd 0xC8 blocked: False Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca03 Preloader - SW Ver: 0x0 Preloader - ME_ID: 471378C451B8AAF7105AEB996E415483 DaHandler - Device is protected. DaHandler - Device is in BROM-Mode. Bypassing security. DaHandler - Using supplied preloader. Skipping exploitation! DALegacy - Uploading legacy da... DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin LegacyExt LegacyExt - [LIB]: Legacy address check not patched. LegacyExt LegacyExt - [LIB]: Legacy DA2 CMD F0 not patched. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DALegacy - Got loader sync ! DALegacy - Reading nand info DALegacy - Reading emmc info DALegacy - ACK: 04028d DALegacy - Setting stage 2 config ... DALegacy - DRAM config needed for : 700100543532373136011accdce4244f DALegacy - Reading dram nand info ... DALegacy - Sending dram info ... EMI-Version 0x10 DALegacy - RAM-Length: 0xbc DALegacy - Checksum: 1386 DALegacy - M_EXT_RAM_RET : 0 DALegacy - M_EXT_RAM_TYPE : 0x2 DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0 DALegacy - M_EXT_RAM_SIZE : 0x40000000 DALegacy - Uploading stage 2... DALegacy - Successfully uploaded stage 2 DeviceClass DeviceClass - [LIB]: USB Overflow Traceback (most recent call last): File "/home/r0rt1z2/mtkclient/mtk.py", line 1000, in <module> mtk = Main(args).run(parser) ^^^^^^^^^^^^^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/mtk_main.py", line 662, in run mtk = da_handler.configure_da(mtk, preloader) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/mtk_da_handler.py", line 161, in configure_da if not mtk.daloader.upload_da(preloader=preloader): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/mtk_daloader.py", line 298, in upload_da return self.da.upload_da() ^^^^^^^^^^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 755, in upload_da if self.upload_da1(): ^^^^^^^^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 613, in upload_da1 if self.read_flash_info(): ^^^^^^^^^^^^^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 524, in read_flash_info pi = PassInfo(self.usbread(0xA)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 37, in __init__ self.ack = sh.bytes() ^^^^^^^^^^ File "/home/r0rt1z2/mtkclient/mtkclient/Library/utils.py", line 280, in bytes return dat[0] ~~~^^^ IndexError: index out of range r0rt1z2@r0rt1z2-pc:~/mtkclient$
Can you use wireshark, sniff usb and upload the pcap ? Seems like more bytes need to be requested then are actually requested by mtkclient. Also please open up a different issue with "mt8127 support", thanks !
bkerler
commented
3 months ago Here's all the partitions minus userdata and system I had on hand. Do you need a full flash bin instead?
@buddyjojo Ah .. in fact I need a dump of the flash, not the individual partitions. No need for userdata ... so you can abort it like at 10% and just upload the file 7zipped. Thanks !
R0rt1z2
commented
3 months ago Here's all the partitions minus userdata and system I had on hand. Do you need a full flash bin instead? Archive.zip
@buddyjojo Ah .. in fact I need a dump of the flash, not the individual partitions. No need for userdata ... so you can abort it like at 10% and just upload the file 7zipped. Thanks !
Here is a dump of my MT8127 tablet (which again, uses MBR as well). I also included the scatter for reference. I dumped from 0x0 to 0x5C00000 (to exclude cache, system and userdata): MT8127.zip (I used SP Flash Tools' readback option, not sure if that's fine). The original ROM can be downloaded from here (in case you want to compare some files).
As for the USB sniffing, I'll do that later and I'll create a separate issue.
R0rt1z2
commented
3 months ago I wonder if it would be better to support scatter files instead of trying to look for the mbr table if it's something a bit more non standard then gpt devices.
Most probably non-gpt devices will require this. mbr only has infos about the segmentation but no infos about the partition name. The latter I assume is hardcoded in lk or preloader.
About this, I feel like you're right. I've dumped UART logs of my MT6592 (with MBR) tablet and I don't see any kind of dynamic parsing happening so the partition offsets are most likely hardcoded. This is the log, for reference:
==== Dump RGU Reg ========
RGU MODE: 14
RGU LENGTH: FFE0
RGU STA: 40000000
RGU INTERVAL: FFF
RGU SWSYSRST: 0
RGU MTK_WDT_NONRST_REG2: 4
RGU MTK_WDT_NONRST_REG: 0
==== Dump RGU Reg End ====
RGU: g_rgu_satus:2
wdt disable rgu eco.....
mtk_wdt_mode_config mode value=10, tmp:22000010
PL RGU RST: ??
SW reset without bypass power key flag
SW reset without bypass power key flag
No bypass powerkey fwdt enable rgu e
kpd read addr: or this project!requency_meter: 0
[RTC] bbpu =sec_reboot_check
[RTC] new_sparePLFM] RTC boot!
DS(0) RS(0)
[Bus Width: 8
[K(52000kHz): SCLet_code: 0
[I2e: i2c_read: rett6333_read_byte: yte = 0x54
mt6arse = 19
rankfine = 80
10:|
byte:2, (DQS,am_Buffer] strucd_pt===scan pmt 000040000
partze 0000000000100000000000A00000
rt UBOOT size 0000031A0000 0000000
part LOGO s0000006000000 007B00000
part BFFFF] "PRELOADER0-0x00000000000F0x000000000040000 blocks)
[PAD3FFFF] "SECURE"0-0x000000000319RT] [0x0000000001024 blocks)
FFFF] "EXPDB" (252800000-0x00000
[ROM_INFO] 'v2C] AES Legacy : 131222-133749'
seccfg magic is 0x8C
[0x5]=0x8
[0xF]=0x1
[0x
[0x19]=0x0
0x0
[0x23]=0x0x2C]=0x44
[0x2
[0x36]=0x0
USB cable in
[Speed
[TOOL] Eh timeout
usbdlush timeout
[
[TOOL] <UARTUTHEN] rsa.N lenit s [PART] Image with part header
[PART]
[PART] load "UBOOT" from 0x0000000001D40200 (dev) to 0x81E00000 (mem) [SUCCESS]
[PART] load speed: 10520KB/s, 237020 bytes, 22ms
chr force dis
[PLFM] ram_console->start=0xE15
[PLFM] ram_console(0x2)=0x2 (boot reason)
[PLFM] boot reason: 2
[PLFM] boot mode: 0
[PLFM] META COM0: 0e: 4455ms
[BLDR] jump rgu pl md reset
wdt disable rgu eco.....
mtk_wdt_mode_config mode value=10, tmp:22000010
UB wdt init
wdt enable rgu eco(22000001)
mtk_wdt_mode_config mode value=5c, tmp:2200005c
[LCM Auto Detect], we have 1 lcm drivers built in
[LCM Auto Detect], try to find driver for [unknown]
[LCM Specified] [nt71397_fhd_dsi_vdo_truly]
DSI_PHY_clk_adjusting: efuse r2_15=0x0
befor
[dsi_drv.c] PLL config:data_rate=880,txdiv=1,pcw=1135688467,delta1=5,pdelta1=0x800
after efuse adjust, DSI_CLK_REG = 0x821, DSI_DAT0_REG=0x401,DSI_DAT1_REG=0x101,DSI_DAT2_REG=0x101,DSI_DAT3_REG=0x101
[DISP] - DSI_PowerOn. 0x 0
DISP/[DISP] - kernel - _DSI_PHY_TIMCONFI = 4
DISP/[DIA_GO = 32, CLK_TP/[dsi_drv.c] LKSP/[DISP] kernellcm is not connected
[Dlution: 1920 x 1vel [LEDS]LK: isink_init: tu[I2C-LK] addr [I2C-LK] addr [I2C-LK] a[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr[I2C-LK] addr 75 r[I2C-LK] addr 75 re[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr 7[I2C-LK] addr 7[10] platform_init()
[mt_part_register_device]
[mt_part_register_device]malloc 1024 : 81e592b8
mt6577_part_init_pmt
============func=load_pt===scan pmt from 3ab700000=====
find pt at 3ab700000
Find pt
partition PRELOADER size 0000000000000000 0000000000040000
partition MBR size 0000000000000000 0000000000080000
partition EBR1 size 0000000000080000 0000000000080000
partition PRO_INFO size 0000000000100000 0000000000300000
partition NVRAM si00
partition P
partition SECCFOOTIMG size 0000ze 00000000045a00000 00000000008004c800000
pa
[mt_par[LK_ENV]ENV initialize su
[LK_ENV]get_env
[DSS]disp_path_lk_adjusting: efjust, DSI_CLK_RE[dsi_drv.c] PLL config:data_rate=880,txdiv=1,pcw=1135688467,delta1=5,pdelta1=0x800
after efuse adjust, DSI_CLK_REG = 0x821, DSI_DAT0_REG=0x401,DSI_DAT1_REG=0x101,DSI_DAT2_REG=0x101,DSI_DAT3_REG=0x101
[DISP] - DSI_PowerOn. 0x 0
DISP/[DISP] - kernel - _DSI_PHY_TIMCONF = 4
DISP/[DIA_GO = 32, CLK_TP/[dsi_drv.c] LKSP/[DISP] kernel[DDP] disp_bls_init : srcWidth = 1920, srcHeight = 1200
[DDP] disp_bls_init : CG = 0x0, BLS_EN = 0x0, PWM_DUTY = 1023
[DSS]dispsys_bypass_color, width=1920, height=1200
[DSS]dispsys_bypass_color, 0x2000203c, 0x1, 0x780, 0x4b0
RDMA: w=1920, h=1200, pitch=5760, mode=0
DISP/DISP_Init, 503
DISP/DISP_Init, 506
[mt_part_get_partition] LOGO
[mt_part_get_partition] 26100
[mt_part_get_partition] LOGO
[mt_part_get_partition] 26100
[720]
=========================================
[720] [LK_BOOT] LOGO magic number : 0x58881688
[720] [LK_BOOT] LOGO name : LOGO
[720] [LK_BOOT] LOGO size : 862395
[720] =========================================
[720] read the data of LOGO
is_low_battery, FALSE
[wwy] hardware address = fda2f000, fb_offset_logo = 3
DISP/[Func]LCD_ConfigOVL
[wwy] enter DSI_RegUpdate
[wwy] DSI_RegUpdate dsi_wait_time = 0
[wwy] DSI_RegUpdate dsi_wait_time = 1
[wwy] DSI_RegUpdate dsi_wait_time = 2
[wwy] DSI_RegUpdate dsi_wait_time = 3
[wwy] DSI_RegUpdate dsi_wait_time = 4
[wwy] DSI_RegUpdate dsi_wait_time = 5
[wwy] DSI_RegUpdate dsi_wait_time = 6
[wwy] DSI_RegUpdate dsi_wait_time = 7
[wwy] DSI_RegUpdate dsi_wait_time = 8
[wwy] DSI_RegUpdate d DSI_] DSI DSI_R DSI_ DSI_] DSI_] DSI] DSI] DSI_] DSI] DSI] DSI_] DSI] DSI] DSI_ DSI_] DSI] DSI_ DSI_] DSI DSI_R DSI_ DSI_R DSI_] DSI] DSI_] DSI] DSI] DSI_] eDISP/[Func]LCD_ConfigOVL
kpd read addr: 0x0502: data:0x4004
is_low_battery, FALSE
[LEDS]LK: mt65xx_backlight_on
[LEDS]LK: lcd-backlight level is 255
[LEDS][256] LK: backlight_set_pwm:duty is 255/255
[LEDS][256] LK: backlight_set_pwm:clk_src/div is 03
[LEDS][256] LK: backlight_set_pwm: old mode: thres/data_width is 255/255
detecting pmic just reset
[mt_part_get_partition] PRELOADER
[mt_part_get_partition] 0
[partition_get_index]find seccfg SECURE index 7
[mt_part_get_partition] SECURE
[mt_part_get_partition] e800
[partition_get_index]find sec_ro SECSTATIC index 11
[mt_part_get_partition] SECSTATIC
[mt_part_get_partition] 22d00
[SBC] NS-CHIP
[SBC] Don't check
the bat_vol is 3805,the bat_tempture is 554,the bat_temp is 24
[mt65xx_bat_init] check VBAT=3793 mV with 3450 mV
mt65xx_bat_init] samwwwwwwwwwwwwwwwwwwwwwwwwwww
[I2C-LK] addr 6b read byte = 0x46
[I2C-LK] i2[I2C-LK] addr 6b [I2C-LK] addr 6b r[I2C-LK] addr 6b r[I2C-LK] addr 6b [I2C-LK] addr 6b r[I2C-LK] addr 6b r[I2C-LK] addr 6b [I2C-LK] addr 6b r[I2C-LK] addr 6b r[I2C-LK] addr 6b [I2C-LK] addr 6b r[I2C-LK] addr 6b r[I2C-LK] addr 6b [I2C-LK] addr 6b r[I2C-LK] addr 6b r[I2C-LK] addr 6b read byte = 0x46
[I2C-LK] i2c_write
[I2C-LK] addr 6b read byte = 0x5c
[I2C-LK] i2c_write
[I2C-LK] addr 6b read byte = 0x42
[I2C-LK] i2c_write
[I2C-LK] addr 6b read byte = 0x1b
[I2C-LK] i2c_write
[I2C-LK] addr 6b read byte = 0x42
[I2C-LK] addr 6b read byte = 0x1b
[I2C-LK] addr 6b read byte = 0x0
[I2C-LK] addr 6b read byte = 0x21
[I2C-LK] addr 6b read byte = 0xd6
[I2C-LK] addr 6b read byte = 0x9c
[I2C-LK] addr 6b read byte = 0x7b
[I2C-LK] addr 6b read byte = 0x48
[I2C-LK] addr 6b read byte =[I2C-LK] a[I2C-LK] as_low_battery,ticks=0
[wwy] hardware address = fcd00000, fb_offset_logo = 0
DISP/[Func]LCD_ConfigOVL
[wwy] enter DSI_RegUpdate
[wwy] DSI_RegUpdate dsi_wait_time = 0
[wwy] DSI_RegUpdate dsi_wait_time = 1
[wwy] DSI_RegUpdate dsi_wait_time = 2
[wwy] DSI_RegUpdate dsi_wait_time = 3
[wwy] DSI_RegUpdate dsi_wait_time = 4
[wwy] DSI_RegUpdate dsi_wait_time = 5
[wwy] DSI_RegUpdate dsi_wait_time = 6
[wwy] DSI_RegUpdate dsi_wait_time = 7
[wwyDSI_Re] DSI] DSI] DSI DSI_R DSI_] DSI_ DSI_ DSI_] DSI] DSI_] DSI] DSI_] DSI] DSI] DSI_] DSI] DSI DSI_R] DSI] DSI] DSI_] DSI] DSI DSI_R] DSI DSI_ end DSI_Reg[2580] [LK_BOOT] Load 'PRO_INFO' partition to 0x81E5921C (19 bytes in 11 ms)
[mt_part_get_partition] PRELOADER
[mt_part_get_partition] 0
[partition_get_index]find seccfg SECURE index 7
[mt_part_get_partition] SECURE
[mt_part_get_partition] e800
[partition_get_index]find sec_ro SECSTATIC check
[SBC] tition] R[2640]
============================================================
[2640] [LK_BOOT] Android Recovery IMG Hdr - MagANDROID
[2640] s Size : 0x75b9================rootfs mem offseition] 18d00
[r)
[2640[4480]
=========================================
[4480] [LK_BOOT] KERNEL magic number : 0x58881688
[4480] [LK_BOOT] KERNEL name : KERNEL
[4480] [LK_BOOT] KERNEL size : 0x5eb900
[4480] =========================================
[4480]
=========================================
[4480] [LK_BOOT] RECOVERY magic number : 0x58881688
[4480] [LK_BOOT] RECOVERY name : RECOVERY
[4480] [LK_BOOT] RECOVze : 0x7--- DISP/[Func]LCD_ConfigOVL
Screen Update Costs 17990 us
[wwy] mt_disp_adjusting_hardware_addr fb_offset_logo = 3
[LK_ENV]get_env DFO
[4580] SSSS size:31
[PROFILE] ------- boot_time takes 2417 ms --------
[LK_ENV]get_env hibboot
[LK_ENV]get_env resume
booting linux @ 0x80008000, ramdisk @ 0x84000000 (7714618)@buddyjojo Ah .. in fact I need a dump of the flash, not the individual partitions. No need for userdata ... so you can abort it like at 10% and just upload the file 7zipped. Thanks !
Here you go. fullflash.bin.zip
buddyjojo
commented
3 months ago I do see hardcoded partition names in my lk/"uboot" partition so I'm assuming that's the case too.
github-actions[bot]
commented
1 month ago Stale issue message
flydiscohuebr
commented
3 weeks ago Any updates? I was trying to backup the ROM of the Bravva BV Quad tablet but without success.
.Port - Device detected :)
Preloader - CPU: MT8127/MT3367()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x8127
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca04
Preloader - SW Ver: 0x0
DaHandler - Device is unprotected.
DaHandler - Device is in Preloader-Mode.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt
LegacyExt - [LIB]: Legacy address check not patched.
LegacyExt
LegacyExt - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04028d
DALegacy - Setting stage 2 config ...
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DeviceClass
DeviceClass - [LIB]: USB Overflow
Traceback (most recent call last):
File "/home/fly/mtkclient/mtk.py", line 1021, in <module>
main()
File "/home/fly/mtkclient/mtk.py", line 1017, in main
mtk = Main(args).run(parser)
^^^^^^^^^^^^^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/mtk_main.py", line 682, in run
mtk = da_handler.configure_da(mtk, preloader)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/DA/mtk_da_handler.py", line 161, in configure_da
if not mtk.daloader.upload_da(preloader=preloader):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/DA/mtk_daloader.py", line 297, in upload_da
return self.da.upload_da()
^^^^^^^^^^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 757, in upload_da
if self.upload_da1():
^^^^^^^^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 615, in upload_da1
if self.read_flash_info():
^^^^^^^^^^^^^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 526, in read_flash_info
pi = PassInfo(self.usbread(0xA))
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 37, in __init__
self.ack = sh.bytes()
^^^^^^^^^^
File "/home/fly/mtkclient/mtkclient/Library/utils.py", line 280, in bytes
return dat[0]
~~~^^^
IndexError: index out of range
Trying to unlock some old RCA tablet but I keep getting this error:
I also get a similar error when trying to read the flash:
It seems to be looking for a gpt table but my device seems to have a mbr table instead.
(I get the same errors in brom mode too)
log.txt