bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Moto E6s 2020: cannot connect to device due to "Operation not supported or unimplemented on this platform" #97

Closed mslhii closed 2 years ago

mslhii commented 3 years ago
Status: Waiting for PreLoader VCOM, please connect mobile
Couldn't detect the device. Is it connected ?
Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

Couldn't detect the device. Is it connected ?
Couldn't detect the device. Is it connected ?
  CONFIGURATION 1: 500 mA ==================================
   bLength              :    0x9 (9 bytes)
   bDescriptorType      :    0x2 Configuration
   wTotalLength         :   0x46 (70 bytes)
   bNumInterfaces       :    0x2
   bConfigurationValue  :    0x1
   iConfiguration       :    0x3 USB CDC ACM for preloader
   bmAttributes         :   0xc0 Self Powered
   bMaxPower            :   0xfa (500 mA)
    INTERFACE 1: CDC Data ==================================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x1
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x2
     bInterfaceClass    :    0xa CDC Data
     bInterfaceSubClass :    0x0
     bInterfaceProtocol :    0x0
     iInterface         :    0x4 CDC ACM Data Interface
      ENDPOINT 0x1: Bulk OUT ===============================
       bLength          :    0x8 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :    0x1 OUT
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
      ENDPOINT 0x81: Bulk IN ===============================
       bLength          :    0x8 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x81 IN
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
    INTERFACE 0: CDC Communication =========================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x0
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x1
     bInterfaceClass    :    0x2 CDC Communication
     bInterfaceSubClass :    0x2
     bInterfaceProtocol :    0x1
     iInterface         :    0x5 CDC ACM Communication Interface
      ENDPOINT 0x83: Interrupt IN ==========================
       bLength          :    0x8 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x83 IN
       bmAttributes     :    0x3 Interrupt
       wMaxPacketSize   :   0x40 (64 bytes)
       bInterval        :   0x10
No kernel driver supported: Operation not supported or unimplemented on this platform
No kernel driver supported: Operation not supported or unimplemented on this platform
[Errno 10060] Operation timed out
[Errno 10060] Operation timed out
Status: Handshake failed, retrying...
Operation not supported or unimplemented on this platform
Couldn't detect the device. Is it connected ?

Hint:

Power off the 

Specs: https://www.gsmarena.com/motorola_moto_e6s_(2020)-10135.php

Platform | Value
-- | --
OS | Android 9.0 (Pie)
Chipset | Mediatek MT6762 Helio P22 (12 nm)
CPU | Octa-core 2.0 GHz Cortex-A53
GPU | PowerVR GE8320

bkerler commented 3 years ago

Seems like you didn't install mtkclient properly. If you use windows, make sure you have a valid port driver installed and usbdk working. Also make sure you've installed all needed pip packages as stated in the readme.

mslhii commented 3 years ago

Weird, I've already rooted a Nokia C2 Tava, AT&T Radiant Core, BLU View 1, LG K51/K31/L455DL with your tool, just that the Moto E6s is giving me connection issues. Might need a little more filter tweaking?

I do have existing preloader.bin and DA auth files, can I pass those in as params to force the phone to BROM mode anyways?

bkerler commented 3 years ago

It could be they use a different vid / pid for the brom mode. Can you have a look ?

mslhii commented 3 years ago

What's a good way for me to check it out and get those values for you?

bkerler commented 3 years ago

In linux, run lsusb in a bash loop and then connect phone. Under windows, there are usb monitoring tools. You could also use wireshark with usbmon.

mslhii commented 3 years ago

Here's what I found:

Apparently there's a really small window where the device is in preloader mode, like 1 second at most before it reverts to its regular IO driver. I don't have a readily available linux machine so I just used your LiveDVD in VirtualBox for now. My guess is that it waits for SP Flash Tool to do something with it and if it doesn't detect it then it goes to the battery charging screen. Here are the vid/pid values that I managed to find in the pics below:

Screen Shot 2021-10-07 at 2 12 54 AM Screen Shot 2021-10-07 at 2 19 43 AM

mslhii commented 3 years ago

Preloader if you want to do anything with it: preloader_fiji.zip

ghost commented 3 years ago

I think it's impossible to use VirtualBox with the MediaTek preloader. I lost a lot of time when SP Flash Tool was not available on Linux. When I tried to connect modemmeta from Windows in VirtualBox, it never caught the device, so I found an alternative: mtk-bootseq.py puts the device in META MODE from Linux, and I attached the serial port to Windows. This situation is different and the OSes are inverted, but your issue confirms my same issue. You can boot the LiveDVD from a USB pen drive and get native Linux without touching the hard disk with the Windows OS. Don't lose your time with VirtualBox.

ghost commented 3 years ago

> In linux, run lsusb in a bash loop and then connect phone. Under windows, there are usb monitoring tools. You could also use wireshark with usbmon.

The history of all attached devices is shown in dmesg or /var/log/messages; you don't need to catch it with a loop. If logging is not enabled in the LiveDVD, you can surely find them in dmesg.

mslhii commented 3 years ago

> I think it's impossible to use VirtualBox with the MediaTek preloader. I lost a lot of time when SP Flash Tool was not available on Linux. When I tried to connect modemmeta from Windows in VirtualBox, it never caught the device, so I found an alternative: mtk-bootseq.py puts the device in META MODE from Linux, and I attached the serial port to Windows. This situation is different and the OSes are inverted, but your issue confirms my same issue. You can boot the LiveDVD from a USB pen drive and get native Linux without touching the hard disk with the Windows OS. Don't lose your time with VirtualBox.

Think the issue here is not virtual box but rather the device stays in preloader mode for 1 second before booting normally. For some reason SPFT can communicate normally and get it into BROM mode but mtkclient doesn't detect the device. That's why bkerler asked me to get the vendor ID/product ID to see if they're using a different way to communicate. Let's see what he says about it

bkerler commented 3 years ago

If you need to use a vm, only vmware works, virtualbox doesn't. Also the pid is 0x2000, which is preloader mode, but you need to connect in brom mode (0x0003).
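The two checks suggested in this thread (polling lsusb, or reading dmesg after the fact), as an added shell example that is not part of the original comments or of mtkclient: it extracts VID:PID pairs from either text format and labels them with the two PIDs named above (0x2000 preloader, 0x0003 BROM) under MediaTek's vendor ID 0e8d. The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or mtkclient): label MediaTek boot-mode
# USB enumerations found in lsusb output or kernel log text.
# The PIDs are the two named in this thread; 0e8d is MediaTek's USB vendor ID.
MTK_VID="0e8d"
PID_PRELOADER="2000"
PID_BROM="0003"

# Constructed sample input: two lsusb-style lines and one dmesg-style line.
SAMPLE_TEXT='Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
[ 1234.567890] usb 1-1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00'

# extract_ids: read text on stdin, print one lowercase vid:pid per matching line.
# Handles "ID vvvv:pppp" (lsusb) and "idVendor=vvvv, idProduct=pppp" (dmesg).
extract_ids() {
    sed -n \
        -e 's/.*ID \([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\).*/\1:\2/p' \
        -e 's/.*idVendor=\([0-9a-fA-F]\{4\}\), idProduct=\([0-9a-fA-F]\{4\}\).*/\1:\2/p' |
        tr 'A-F' 'a-f'
}

# classify_id VID:PID: print the boot mode that the pair corresponds to.
classify_id() {
    pair=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$pair" in
        "$MTK_VID:$PID_PRELOADER") echo "preloader" ;;
        "$MTK_VID:$PID_BROM")      echo "brom" ;;
        "$MTK_VID":*)              echo "mediatek-other" ;;
        *)                         echo "not-mediatek" ;;
    esac
}

# scan_usb_text: stdin is lsusb or dmesg text; prints "<vid:pid> <mode>"
# for every MediaTek enumeration and skips all other devices.
scan_usb_text() {
    extract_ids | while IFS= read -r usb_id; do
        mode=$(classify_id "$usb_id")
        [ "$mode" = "not-mediatek" ] || printf '%s %s\n' "$usb_id" "$mode"
    done
}

# watch_usb [interval]: poll lsusb and print a timestamped line whenever the
# set of MediaTek devices changes, so a ~1 second preloader window is visible.
watch_usb() {
    prev=""
    while :; do
        cur=$(lsusb | scan_usb_text)
        if [ -n "$cur" ] && [ "$cur" != "$prev" ]; then
            printf '%s %s\n' "$(date +%H:%M:%S)" "$cur"
        fi
        prev=$cur
        sleep "${1:-0.2}"
    done
}

# Entry points: "watch" polls live, "scan" reads text such as `dmesg` on stdin,
# "demo" runs the constructed sample. With no argument nothing is executed.
case "${1:-}" in
    watch) watch_usb "${2:-0.2}" ;;
    scan)  scan_usb_text ;;
    demo)  printf '%s\n' "$SAMPLE_TEXT" | scan_usb_text ;;
esac
```

Piping `dmesg` into the `scan` mode covers the case where the device has already dropped off the bus by the time lsusb is polled.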

bkerler commented 3 years ago

The reason why virtualbox doesn't work : Their usb stack isn't implemented correctly, thus the kamakiri exploit will fail.

mslhii commented 3 years ago

> If you need to use a vm, only vmware works, virtualbox doesn't. Also the pid is 0x2000, which is preloader mode, but you need to connect in brom mode (0x0003).

BROM mode might be tricky without a testpoint since I can only get it to boot in preloader mode for 1 second or meta mode. Seems like Motorola anticipated some MTK exploits around booting and did their best to block it off. Funny thing is in their stock FW files from LMSA I can get the DA and auth files to use with SPFT. Any chance mtkclient will allow flashing with provided DA/auth files besides just the preloader?

> The reason why virtualbox doesn't work : Their usb stack isn't implemented correctly, thus the kamakiri exploit will fail.

I use a Mac/Windows environment for mtkclient rooting and USBPcap was giving me a bunch of gibberish when I was looking for vid/pid values. The behavior has been the same when using Mac/Windows: USB cable + volume down = 1 second preloader mode before normal boot, all volume and/or power buttons pressed = meta mode. Maybe this phone is unexploitable for now

mslhii commented 3 years ago

I dumped the seccfg partition earlier with SPFT and took a look at it with HxD as well as your script to see if I can manually change it and it seems we need some HW values while the phone is in BROM mode to calculate a hash after writing the boot loader unlock value? Is that right?

bkerler commented 3 years ago

Yes, hw crypto is involved. I might have a look if I can add auth support as well.

mslhii commented 3 years ago

Was just thinking, is there a way to manually edit seccfg and hash it without the phone being in BROM mode? Since I have DA/auth for this device, I can probably edit the scatter and flash it normally with SPFT similar to how others can restore their IMEI by flashing nvram/nvdata

mslhii commented 2 years ago

@bkerler I have some new info for you. Tried reinstalling the drivers and redid my USB filters and experimented with running the bypass-utility to crash the preloader -> BROM then trying mtkclient stage 2, but there seems to be a communication issue. Here are the bypass-utility logs:

C:\scripts\bypass_utility>python main.py -p C:\scripts\mtkclient\preloader_fiji.bin
[2021-10-30 17:07:11.067752] Waiting for device
[2021-10-30 17:07:16.262721] Found device = 0e8d:2000

[2021-10-30 17:07:40.199276] Device hw code: 0x766
[2021-10-30 17:07:40.199276] Device hw sub code: 0x8a00
[2021-10-30 17:07:40.199276] Device hw version: 0xca00
[2021-10-30 17:07:40.199276] Device sw version: 0x0
[2021-10-30 17:07:40.199276] Device secure boot: True
[2021-10-30 17:07:40.199276] Device serial link authorization: False
[2021-10-30 17:07:40.199276] Device download agent authorization: True

[2021-10-30 17:07:40.199276] Found device in preloader mode, trying to crash...

[2021-10-30 17:07:40.214895] status is 7024

[2021-10-30 17:07:41.219402] Waiting for device
[2021-10-30 17:07:41.219402] Found device = 0e8d:2000
Traceback (most recent call last):
  File "C:\scripts\bypass_utility\src\device.py", line 84, in find
    self.configuration = self.udev.get_active_configuration()
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 921, in get_active_configuration
    return self._ctx.get_active_configuration(self)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 249, in get_active_configuration
    self.managed_open()
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 131, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 804, in open_device
    return _DeviceHandle(dev)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 652, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 604, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno None] Other error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\scripts\bypass_utility\main.py", line 238, in <module>
    main()
  File "C:\scripts\bypass_utility\main.py", line 46, in main
    device = crash_preloader(device, config)
  File "C:\scripts\bypass_utility\main.py", line 232, in crash_preloader
    device = Device().find()
  File "C:\scripts\bypass_utility\src\device.py", line 93, in find
    self.udev.set_configuration()
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 915, in set_configuration
    self._ctx.managed_set_configuration(self, configuration)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 158, in managed_set_configuration
    self.managed_open()
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 131, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 804, in open_device
    return _DeviceHandle(dev)
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 652, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "C:\Users\testuser\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 604, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno None] Other error

C:\scripts\bypass_utility>

mslhii commented 2 years ago

My logs just running mtkclient xflash and regular partition reading:

C:\scripts\mtkclient>python mtk xflash seccfg unlock
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

....Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

...........
Traceback (most recent call last):
  File "C:\scripts\mtkclient\mtk", line 1843, in <module>
    mtk = Main(args).run()
  File "C:\scripts\mtkclient\mtk", line 647, in run
    if mtk.preloader.init():
  File "C:\scripts\mtkclient\mtkclient\Library\mtk_preloader.py", line 140, in init
    res = self.mtk.port.handshake(maxtries=maxtries)
  File "C:\scripts\mtkclient\mtkclient\Library\Port.py", line 93, in handshake
    time.sleep(0.3)
KeyboardInterrupt
^C
C:\scripts\mtkclient>
C:\scripts\mtkclient>python mtk r vbmeta vbmetae6s.img --debugmode
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021

Main
Main - [LIB]: mtk r vbmeta vbmetae6s.img --debugmode
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]:   CONFIGURATION 1: 500 mA ==================================
   bLength              :    0x9 (9 bytes)
   bDescriptorType      :    0x2 Configuration
   wTotalLength         :   0x46 (70 bytes)
   bNumInterfaces       :    0x2
   bConfigurationValue  :    0x1
   iConfiguration       :    0x3 USB CDC ACM for preloader
   bmAttributes         :   0xc0 Self Powered
   bMaxPower            :   0xfa (500 mA)
    INTERFACE 1: CDC Data ==================================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x1
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x2
     bInterfaceClass    :    0xa CDC Data
     bInterfaceSubClass :    0x0
     bInterfaceProtocol :    0x0
     iInterface         :    0x4 CDC ACM Data Interface
      ENDPOINT 0x1: Bulk OUT ===============================
       bLength          :    0x8 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :    0x1 OUT
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
      ENDPOINT 0x81: Bulk IN ===============================
       bLength          :    0x8 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x81 IN
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
    INTERFACE 0: CDC Communication =========================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x0
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x1
     bInterfaceClass    :    0x2 CDC Communication
     bInterfaceSubClass :    0x2
     bInterfaceProtocol :    0x1
     iInterface         :    0x5 CDC ACM Communication Interface
      ENDPOINT 0x83: Interrupt IN ==========================
       bLength          :    0x8 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x83 IN
       bmAttributes     :    0x3 Interrupt
       wMaxPacketSize   :   0x40 (64 bytes)
       bInterval        :   0x10
usb_class
usb_class - [LIB]: No kernel driver supported: Operation not supported or unimplemented on this platform
usb_class
usb_class - [LIB]: No kernel driver supported: Operation not supported or unimplemented on this platform
Port
Port - [LIB]: [Errno 10060] Operation timed out
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
usb_class
usb_class - [LIB]: Operation not supported or unimplemented on this platform
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.

usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
usb_class
usb_class - [LIB]: Couldn't detect the device. Is it connected ?
Traceback (most recent call last):
  File "C:\scripts\mtkclient\mtk", line 1843, in <module>
    mtk = Main(args).run()
  File "C:\scripts\mtkclient\mtk", line 647, in run
    if mtk.preloader.init():
  File "C:\scripts\mtkclient\mtkclient\Library\mtk_preloader.py", line 140, in init
    res = self.mtk.port.handshake(maxtries=maxtries)
  File "C:\scripts\mtkclient\mtkclient\Library\Port.py", line 93, in handshake
    time.sleep(0.3)
KeyboardInterrupt
^C
C:\scripts\mtkclient>

mslhii commented 2 years ago

It seems either I don't have the right drivers or there's some exploit that other boxes like Hydra Tool uses to force the e6s into BROM mode. Took a look at other issues for both mtkclient and bypass-utility and I think the 67xx series has some extra security that tries to prevent the device from entering BROM from preloader:

https://github.com/MTK-bypass/bypass_utility/issues/32
https://forum.hovatek.com/thread-39636.html
https://forum.gsmhosting.com/vbb/f970/xt2053-2-reset-frp-failure-2976463/

BROM mode without shorting test points/EMMC is definitely possible but only paid hacking tools have solved the problem so far: https://forum.gsmhosting.com/vbb/f1110/motorola-xt2053-2-help-answered-2992332/

Can you let me know which MTK drivers I should install on my Windows 10 setup or should I just use the liveDVD you uploaded?

bkerler commented 2 years ago

Does this issue still persist ?

mslhii commented 2 years ago

Yea unfortunately I tried again with your latest pushes and still can't connect to the device. Keep getting handshake failures. Also no luck with the bypass-utility either, output is still the same as my Oct 30 comment

severagent007 commented 2 years ago

i am bad english i am ukrainian) now i am unlocking this smart e6s. Help info editing lk remove 5 sec and message and root. twrp from e6+ work in e6s? i am risk because i am not have any phone and risk flash this twrp ;) UPD Patching stock boot magisk and flash by spft now have root) Part recovery still not found, in scatter not see this partition, fastboot not flash any part only spft work for flash custom partitions

mslhii commented 2 years ago

Closing this issue, apparently @severagent007 's method posted on XDA worked to root my e6s