bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

vivoY11it (MT6582) could not printgpt #938

Closed mouzei closed 6 months ago

mouzei commented 6 months ago

...Port - Device detected :)
Preloader - CPU: MT6582/MT6574/MT8382()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x6582
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x1
Preloader - ME_ID: xxx
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6582_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: D:\xxx\mtkclient\mtkclient\payloads\mt6582_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 040287
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 90014a4834473164048602a20f00901b
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 13DF
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x20000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed

Then the device reconnects and the program exits without GPT output.

bkerler commented 6 months ago

Try to run with --noreconnect. However, mt65xx aren't officially supported, as I only have mt6580 devices but not older ones.

mouzei commented 6 months ago

I tried --noreconnect but got "Error reading gpt".

Port - Device detected :)
Preloader - CPU: MT6582/MT6574/MT8382()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x6582
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x1
Preloader - ME_ID: xxxx
DA_handler - Device is unprotected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6582_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: D:\xxx\mtkclient\payloads\mt6582_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
legacyext
legacyext - [LIB]: Legacy address check not patched.
legacyext
legacyext - [LIB]: Legacy DA2 CMD F0 not patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 040287
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 90014a4834473164048602a20f00901b
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ...
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 13DF
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x20000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy -
m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x20000000
randomid = 0xC339FF05C84EFCC5885F90A5D3ABF35

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x200000
m_emmc_boot2_size = 0x200000
m_emmc_rpmb_size = 0x200000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0xe7000000
m_emmc_cid = 3447316490014a480f00901b048602a2
m_emmc_fwver = 8600000000000000

DA_handler
DA_handler - [LIB]: Error reading gpt, please read whole flash using "mtk rf flash.bin".

I'm dumping flash.

bkerler commented 6 months ago

Yes, the older devices have no GPT but a hardcoded partition table, sometimes a PMT table, so only "mtk rf flash.bin" is possible.

liu2-3zhi commented 5 months ago

> Yes, the older devices have no GPT but a hardcoded partition table, sometimes a PMT table, so only "mtk rf flash.bin" is possible.

How should I split out system.img, boot.img and other files from the full backup and calculate the corresponding addresses?
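
A starting point for the question above, as an added example that is not part of the thread or of mtkclient: when a full dump has no GPT, image start offsets and sizes can be recovered by scanning sector boundaries for known headers. It assumes the classic Android boot header layout and ext4 filesystem images; all function names are hypothetical and `make_sample` builds a constructed dump.

```python
import struct

SECTOR, BOOT_MAGIC = 512, b"ANDROID!"        # scan granularity, Android boot image magic

def has_gpt(dump):                           # "EFI PART" at LBA 1, 512- or 4096-byte sectors
    return any(dump[o:o + 8] == b"EFI PART" for o in (512, 4096))

def boot_size(dump, off):
    """Size of a classic (v0 layout) Android boot image at off, else None."""
    hdr = dump[off:off + 40]
    if len(hdr) < 40 or hdr[:8] != BOOT_MAGIC:
        return None
    kernel, _, ramdisk, _, second, _, _, page = struct.unpack_from("<8I", hdr, 8)
    if page == 0 or page & (page - 1):       # page size must be a power of two
        return None
    # header page + each section rounded up to whole pages
    return page * (1 + sum(-(-n // page) for n in (kernel, ramdisk, second)))

def ext4_size(dump, off):
    """Filesystem size from an ext4 superblock at off + 0x400, else None."""
    sb = dump[off + 0x400:off + 0x440]
    if len(sb) < 0x40 or sb[0x38:0x3A] != b"\x53\xef":    # s_magic 0xEF53
        return None
    blocks, log_bs = struct.unpack_from("<I16xI", sb, 4)  # s_blocks_count_lo, s_log_block_size
    return blocks * (1024 << log_bs) if log_bs <= 6 else None

def scan(dump):
    """List (offset, kind, size) for each image found on a sector boundary."""
    found, off = [], 0
    while off + SECTOR <= len(dump):
        step = SECTOR
        for kind, probe in (("android-boot", boot_size), ("ext4", ext4_size)):
            size = probe(dump, off)
            if size and off + size <= len(dump):
                found.append((off, kind, size))
                step = -(-size // SECTOR) * SECTOR        # skip the image body
                break
        off += step
    return found

def make_sample():
    """Constructed 128 KiB dump: no GPT, boot image at 0x4000, ext4 at 0x8000."""
    dump = bytearray(0x20000)
    dump[0x4000:0x4028] = BOOT_MAGIC + struct.pack("<8I", 0x1000, 0, 0x800, 0, 0, 0, 0, 0x800)
    struct.pack_into("<I16xI", dump, 0x8404, 16, 2)       # 16 blocks of 4096 bytes
    dump[0x8438:0x843A] = b"\x53\xef"
    return bytes(dump)

if __name__ == "__main__":
    print(has_gpt(make_sample()), [(hex(o), k, hex(s)) for o, k, s in scan(make_sample())])
```

For a real flash.bin, pass an `mmap` of the file instead of reading it into memory. The ext4 value is the filesystem's size, which can be smaller than the partition that holds it.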