bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

MEIZU MX6 (Helio X20 MT6797) could not unlock bl #967

Closed mouzei closed 5 months ago

mouzei commented 7 months ago

Command: `mtk da seccfg unlock --noreconnect`

I suspect that the DA in mtkclient cannot be used. Its official tool seems to use a specialized DA. printgpt, read and write partition are available. Can I use an unlocked seccfg on the same platform? MX6.zip

```
Port - Device detected :)
Preloader - CPU: MT6797/MT6767(Helio X23/X25/X27)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x279
Preloader - Target config: 0x7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x0
Preloader - ME_ID: xxx
DA_handler - Device is protected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6797_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: xxx\mtkclient\payloads\mt6797_payload.bin
Port - Device detected :)
DA_handler
DA_handler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check2" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: BJNB4R
DAXFlash - EMMC CID: 150100424a4e423452072af2b8c98389
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x400000
DAXFlash - EMMC USER Size: 0x747c00000
DAXFlash - HW-CODE : 0x279
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA01
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
DAXFlash
DAXFlash - [LIB]: Status error: Wrong magic
xflashext - Detected V4 Lockstate
sej - HACC init
DeviceClass - USBError(5, 'Input/Output Error')
Traceback (most recent call last):
  File "xxx\mtk", line 948, in
    mtk = Main(args).run(parser)
  File "xxx\mtkclient\Library\mtk_main.py", line 654, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "xxx\mtkclient\Library\DA\mtk_da_handler.py", line 806, in handle_da_cmds
    v = mtk.daloader.seccfg(args.flag)
  File "xxx\mtkclient\Library\DA\mtk_daloader.py", line 387, in seccfg
    return self.xft.seccfg(lockflag)
  File "xxx\mtkclient\Library\DA\xflash\extension\xflash.py", line 557, in seccfg
    if not sc_org.parse(seccfg_data):
  File "xxx\mtkclient\Library\Hardware\seccfg.py", line 57, in parse
    dec_hash = self.hwc.sej.sej_sec_cfg_hw(self.hash, False)
  File "xxx\mtkclient\Library\Hardware\hwcrypto_sej.py", line 700, in sej_sec_cfg_hw
    self.SEJ_V3_Init(ben=encrypt, iv=self.g_HACC_CFG_1, legacy=True)
  File "xxx\mtkclient\Library\Hardware\hwcrypto_sej.py", line 534, in SEJ_V3_Init
    self.reg.HACC_AKEY0 = 0 # 0x20
  File "xxx\mtkclient\Library\Hardware\hwcrypto_sej.py", line 93, in setattr
    return self.write32(addr, value)
  File "xxx\mtkclient\Library\DA\xflash\extension\xflash.py", line 343, in writeregister
    if not self.custom_writeregister(addr + pos, val):
  File "xxx\mtkclient\Library\DA\xflash\extension\xflash.py", line 309, in custom_writeregister
    if self.cmd(XCmd.CUSTOM_WRITEREGISTER):
  File "xxx\mtkclient\Library\DA\xflash\extension\xflash.py", line 268, in cmd
    status = self.status()
  File "xxx\mtkclient\Library\DA\xflash\xflash_lib.py", line 129, in status
    magic, datatype, length = unpack("<III", hdr)
struct.error: unpack requires a buffer of 12 bytes
```
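For anyone reading the traceback above: the final `struct.error` is raised because the 12-byte xflash status header (`<III`: magic, datatype, length) comes back short once the USB transfer has failed with `USBError(5)`, while the earlier `Status error: Wrong magic` is the other way the same header check can fail. The following is an added example (mine, not mtkclient's code) of a defensive version of that header read which reports a short read, a wrong magic and a truncated payload as distinct errors instead of a bare `struct.error`; the magic constant and the `read` callback are placeholders, not mtkclient's real values.

```python
import struct
from dataclasses import dataclass
from typing import Callable

HDR_FMT = "<III"                      # magic, datatype, length: three little-endian uint32
HDR_LEN = struct.calcsize(HDR_FMT)    # 12 bytes, the size the traceback complains about
PLACEHOLDER_MAGIC = 0x4D41474B        # constructed placeholder; the real value is in xflash_lib


class ShortReadError(Exception):
    """Transport returned fewer bytes than the protocol requires (e.g. after a USB I/O error)."""


class WrongMagicError(Exception):
    """Header parsed, but the magic does not match: desynchronised or unexpected DA reply."""


@dataclass
class StatusHeader:
    magic: int
    datatype: int
    length: int


def parse_status_header(hdr: bytes, expected_magic: int = PLACEHOLDER_MAGIC) -> StatusHeader:
    # Check the buffer size before unpacking so a short USB read gives a clear diagnosis.
    if len(hdr) != HDR_LEN:
        raise ShortReadError(f"status header: expected {HDR_LEN} bytes, got {len(hdr)}")
    magic, datatype, length = struct.unpack(HDR_FMT, hdr)
    if magic != expected_magic:
        raise WrongMagicError(f"status header: wrong magic 0x{magic:08x}")
    return StatusHeader(magic, datatype, length)


def read_status(read: Callable[[int], bytes], expected_magic: int = PLACEHOLDER_MAGIC) -> tuple:
    """Read header, then the payload it announces; `read(n)` is a transport callback (assumed)."""
    hdr = parse_status_header(read(HDR_LEN), expected_magic)
    payload = read(hdr.length)
    if len(payload) != hdr.length:
        raise ShortReadError(f"status payload: expected {hdr.length} bytes, got {len(payload)}")
    return hdr.datatype, payload


def make_reader(stream: bytes) -> Callable[[int], bytes]:
    """Constructed in-memory transport standing in for the USB port; returns short on exhaustion."""
    pos = 0

    def read(n: int) -> bytes:
        nonlocal pos
        chunk = stream[pos:pos + n]
        pos += len(chunk)
        return chunk
    return read


# Constructed sample streams: a complete reply, a reply cut off mid-payload, and a bad magic.
GOOD_STREAM = struct.pack(HDR_FMT, PLACEHOLDER_MAGIC, 1, 4) + struct.pack("<I", 0)
TRUNCATED_STREAM = GOOD_STREAM[:HDR_LEN + 2]
BAD_MAGIC_STREAM = struct.pack(HDR_FMT, 0xDEADBEEF, 1, 4) + struct.pack("<I", 0)
```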

mxpro1996 commented 5 months ago

Hi Bro, actually there is another way to unlock this device that I know of. If needed, I will publish it. But bear in mind: don't write the preloader with mtkclient; this tool can't flash the "preloader" partition properly, from my point of view.

Unfortunately, my "MX6" was bricked by writing the preloader via mtkclient. I guess some issues exist in the "Read/Write" function for the "preloader" of mtkclient. Given that SBC, SLA and DAA are enabled, I want to get some tools like "Meizu authorized SP FlashTool"; any useful tools will be highly appreciated!

mouzei commented 5 months ago

> Hi Bro, actually there is another way to unlock this device that I know of. If needed, I will publish it. But bear in mind: don't write the preloader with mtkclient; this tool can't flash the "preloader" partition properly, from my point of view.
>
> Unfortunately, my "MX6" was bricked by writing the preloader via mtkclient. I guess some issues exist in the "Read/Write" function for the "preloader" of mtkclient. Given that SBC, SLA and DAA are enabled, I want to get some tools like "Meizu authorized SP FlashTool"; any useful tools will be highly appreciated!

I just tested the latest mtkclient, and although it is very slow, it can still read and write partitions correctly in the end. As for using SP Flash Tool for reading and writing, I am still trying. If you have any methods for unlocking the bootloader, you can share them with me. Thank you very much!

mxpro1996 commented 5 months ago

@mouzei OK, just take this file, and all at your own risk. I assume you know what to do; you may need the "xdelta3" patch tool sometimes. GOOD LUCK sent_to.zip

I was about to do some kernel dev work on it, but my phone died. Owing to secure boot, only the kernel or system can be customized.

mouzei commented 5 months ago

> @mouzei OK, just take this file, and all at your own risk. I assume you know what to do; you may need the "xdelta3" patch tool sometimes. GOOD LUCK sent_to.zip
>
> I was about to do some kernel dev work on it, but my phone died. Owing to secure boot, only the kernel or system can be customized.

I got an eng ROM on 4pda that allows flashing and booting an unofficial image in the locked state. Its lk partition can also start a normal system. I think this is no different from the unlocked state anymore.

mouzei commented 5 months ago

> @mouzei OK, just take this file, and all at your own risk. I assume you know what to do; you may need the "xdelta3" patch tool sometimes. GOOD LUCK sent_to.zip
>
> I was about to do some kernel dev work on it, but my phone died. Owing to secure boot, only the kernel or system can be customized.

SP_Flash_Tool_v5.1728 could flash the MX6 normally. An mtkclient "payload" command is necessary before flashing.

SP_Flash_Tool_v5.1728: https://zpx1r-my.sharepoint.com/personal/yhcmain1_zpx1r_onmicrosoft_com/_layouts/15/download.aspx?share=EcN3-7F4w9pMqp9akfPnKJIBtiQeEnn5nbBDXuCxGbb6IA

The unbrick ROM I made: https://zpx1r-my.sharepoint.com/personal/yhcmain1_zpx1r_onmicrosoft_com/_layouts/15/download.aspx?share=EbaKgD87jzNMskAQPsBlbM0BdymHn1ZxDq2Pu9TWW-LcOA

By the way, it seems that WiFi does not work after flashing the eng lk.

mxpro1996 commented 5 months ago

@mouzei Nice Bro, thanks for your awesome gifts. Through "mtk-bypass", which is the same as "./mtk payload", I succeeded in unbricking my phone. In fact, by selecting the special DA and DLL files or the 'payload' command, SPFlashTool from 5.16xx to 22xx all work for the flash.

Last month, I had tried MTK-Bypass, with only the "red bar" showing in SP Flash Tool. Today I found the cause: the incomplete MTK VCOM drivers for "0E8D:2001" on Win11. How much one good driver matters!

  1. The issue regarding "mtkclient" still exists: the commands below can't flash a correct preloader partition. I wish the developer could take this into consideration. Using SP Flash Tool to write the preloader is the most robust way for the time being.
    
    ./mtk w preloader "preloader_to_flash.img" --parttype=boot1
    ./mtk w preloader "preloader_to_flash.img" --parttype=boot2

When in "BootRom" (manually select the "preloader" image to get EMI data):

    ./mtk w preloader "preloader_to_flash.img" --parttype=boot1 --preloader="official_preloader.img"
    ./mtk w preloader "preloader_to_flash.img" --parttype=boot2 --preloader="official_preloader.img"

mxpro1996 commented 5 months ago

Now continuing the KernelWork, on the old kernel-3.18-src for Android-6.

mouzei commented 5 months ago

> Now continuing the KernelWork, on the old kernel-3.18-src for Android-6.

It seems that WiFi does not work after flashing the eng lk. Is that true?