bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

"Kamakiri2 failed, cache issue :(" with a MT6833P (Dimensity 810) Phone #977

Closed: weimzh closed 4 months ago

weimzh commented 6 months ago

I attempted to use mtkclient with a Baidu Qinghe W30 phone (Dimensity 810); however, I keep getting this error:

# mtk printgpt
MTK Flash/Exploit Client V1.6.3 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

.....Port - Device detected :)
Preloader -     CPU:            MT6833(Dimensity 700 5G k6833)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0x73
Preloader - Disabling Watchdog...
Preloader - HW code:            0x989
Preloader - Target config:      0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
Preloader -     Cmd 0xC8 blocked:   True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          9DBF5CAB73A0C86470A25BECB18A87BB
Preloader - SOC_ID:         C93429A0EC0D4E75E87008D1D16D45D2EF6D10A1B45E54C0DE004500C5AF310D
PLTools - Loading payload from mt6833_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Traceback (most recent call last):
  File "/usr/bin/mtk", line 855, in <module>
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/mtk_main.py", line 631, in run
    mtk = da_handler.configure_da(mtk, preloader)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/mtk_da_cmd.py", line 87, in configure_da
    mtk = mtk.bypass_security()
          ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/mtk_class.py", line 190, in bypass_security
    if plt.runpayload(filename=self.config.payloadfile):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/pltools.py", line 102, in runpayload
    if self.kama.payload(payload, addr, True, exploittype):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/kamakiri.py", line 139, in payload
    if self.exploit2(payload, addr):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/kamakiri.py", line 117, in exploit2
    ptr_send = unpack("<I", self.da_read(self.mtk.config.chipconfig.send_ptr[0][1], 4))[0] + 8
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/kamakiri.py", line 68, in da_read
    return self.da_read_write(address, length, None, check_result)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/kamakiri.py", line 107, in da_read_write
    return self.mtk.preloader.brom_register_access(address - 0x40, length, data, check_result)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/mtkclient/Library/mtk_preloader.py", line 636, in brom_register_access
    raise RuntimeError("Kamakiri2 failed, cache issue :(")
RuntimeError: Kamakiri2 failed, cache issue :(

Any suggestions?

Thanks in advance.

weimzh commented 6 months ago

I upgraded to the latest revision and the error is now different:

# ./mtk printgpt
MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

Port - Device detected :)
Preloader -     CPU:            MT6833(Dimensity 700 5G k6833)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0x73
Preloader - Disabling Watchdog...
Preloader - HW code:            0x989
Preloader - Target config:      0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
Preloader -     Cmd 0xC8 blocked:   True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
Preloader - ME_ID:          9DBF5CAB73A0C86470A25BECB18A87BB
Preloader - SOC_ID:         C93429A0EC0D4E75E87008D1D16D45D2EF6D10A1B45E54C0DE004500C5AF310D
DA_handler - Device is protected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6833_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation
Exploitation - [LIB]: Error on sending payload.
PLTools - Successfully sent payload: /home/whistler/mtkclient/mtkclient/payloads/mt6833_payload.bin

Then nothing happens.

weimzh commented 6 months ago

Output when I'm running mtkclient with --debugmode:

# ./mtk printgpt --debugmode
MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023

Main
Main - [LIB]: ./mtk printgpt --debugmode
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
.
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]: Couldn't detect the device. Is it connected ?
DeviceClass
DeviceClass - [LIB]:   CONFIGURATION 1: 0 mA ====================================
   bLength              :    0x9 (9 bytes)
   bDescriptorType      :    0x2 Configuration
   wTotalLength         :   0x43 (67 bytes)
   bNumInterfaces       :    0x2
   bConfigurationValue  :    0x1
   iConfiguration       :    0x0 
   bmAttributes         :   0x80 Bus Powered
   bMaxPower            :    0x0 (0 mA)
    INTERFACE 0: CDC Communication =========================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x0
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x1
     bInterfaceClass    :    0x2 CDC Communication
     bInterfaceSubClass :    0x2
     bInterfaceProtocol :    0x1
     iInterface         :    0x1 comm_if̦data_if̄Љ斬
      ENDPOINT 0x84: Interrupt IN ==========================
       bLength          :    0x7 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x84 IN
       bmAttributes     :    0x3 Interrupt
       wMaxPacketSize   :   0x40 (64 bytes)
       bInterval        :    0x1
    INTERFACE 1: CDC Data ==================================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x1
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x2
     bInterfaceClass    :    0xa CDC Data
     bInterfaceSubClass :    0x0
     bInterfaceProtocol :    0x0
     iInterface         :    0x2 data_if̄Љ斬呪풅ཊꤛ漢䕄礤
      ENDPOINT 0x81: Bulk IN ===============================
       bLength          :    0x7 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x81 IN
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
      ENDPOINT 0x1: Bulk OUT ===============================
       bLength          :    0x7 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :    0x1 OUT
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
DeviceClass
DeviceClass - [LIB]: Detaching kernel driver
DeviceClass
DeviceClass - [LIB]:   CONFIGURATION 1: 0 mA ====================================
   bLength              :    0x9 (9 bytes)
   bDescriptorType      :    0x2 Configuration
   wTotalLength         :   0x43 (67 bytes)
   bNumInterfaces       :    0x2
   bConfigurationValue  :    0x1
   iConfiguration       :    0x0 
   bmAttributes         :   0x80 Bus Powered
   bMaxPower            :    0x0 (0 mA)
    INTERFACE 0: CDC Communication =========================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x0
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x1
     bInterfaceClass    :    0x2 CDC Communication
     bInterfaceSubClass :    0x2
     bInterfaceProtocol :    0x1
     iInterface         :    0x1 comm_if̦data_if̄Љ斬
      ENDPOINT 0x84: Interrupt IN ==========================
       bLength          :    0x7 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x84 IN
       bmAttributes     :    0x3 Interrupt
       wMaxPacketSize   :   0x40 (64 bytes)
       bInterval        :    0x1
    INTERFACE 1: CDC Data ==================================
     bLength            :    0x9 (9 bytes)
     bDescriptorType    :    0x4 Interface
     bInterfaceNumber   :    0x1
     bAlternateSetting  :    0x0
     bNumEndpoints      :    0x2
     bInterfaceClass    :    0xa CDC Data
     bInterfaceSubClass :    0x0
     bInterfaceProtocol :    0x0
     iInterface         :    0x2 data_if̄Љ斬呪풅ཊꤛ漢䕄礤
      ENDPOINT 0x81: Bulk IN ===============================
       bLength          :    0x7 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :   0x81 IN
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
      ENDPOINT 0x1: Bulk OUT ===============================
       bLength          :    0x7 (7 bytes)
       bDescriptorType  :    0x5 Endpoint
       bEndpointAddress :    0x1 OUT
       bmAttributes     :    0x2 Bulk
       wMaxPacketSize   :  0x200 (512 bytes)
       bInterval        :    0x0
Port - Device detected :)
DeviceClass
DeviceClass - [LIB]: TX:fd
DeviceClass
DeviceClass - [LIB]: echo:0x1
DeviceClass
DeviceClass - [LIB]: RX:fd
DeviceClass
DeviceClass - [LIB]: rdword:0x4
DeviceClass
DeviceClass - [LIB]: RX:09890000
Preloader -     CPU:            MT6833(Dimensity 700 5G k6833)
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11002000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212000
Preloader -     Var1:           0x73
Preloader - Disabling Watchdog...
DeviceClass
DeviceClass - [LIB]: TX:d4
DeviceClass
DeviceClass - [LIB]: echo:0x1
DeviceClass
DeviceClass - [LIB]: RX:d4
DeviceClass
DeviceClass - [LIB]: TX:10007000
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:10007000
DeviceClass
DeviceClass - [LIB]: TX:00000001
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000001
DeviceClass
DeviceClass - [LIB]: rword:0x2
DeviceClass
DeviceClass - [LIB]: RX:0001
DeviceClass
DeviceClass - [LIB]: TX:22000064
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:22000064
DeviceClass
DeviceClass - [LIB]: rword:0x2
DeviceClass
DeviceClass - [LIB]: RX:0001
Preloader - HW code:            0x989
DeviceClass
DeviceClass - [LIB]: TX:d8
DeviceClass
DeviceClass - [LIB]: echo:0x1
DeviceClass
DeviceClass - [LIB]: RX:d8
DeviceClass
DeviceClass - [LIB]: rbyte:0x6
DeviceClass
DeviceClass - [LIB]: RX:000000e50000
Preloader - Target config:      0xe5
Preloader -     SBC enabled:        True
Preloader -     SLA enabled:        False
Preloader -     DAA enabled:        True
Preloader -     SWJTAG enabled:     True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required: False
Preloader -     Mem read auth:      True
Preloader -     Mem write auth:     True
Preloader -     Cmd 0xC8 blocked:   True
Preloader - Get Target info
DeviceClass
DeviceClass - [LIB]: TX:fe
DeviceClass
DeviceClass - [LIB]: get_blver:0x1
DeviceClass
DeviceClass - [LIB]: RX:fe
Preloader - BROM mode detected.
DeviceClass
DeviceClass - [LIB]: TX:ff
DeviceClass
DeviceClass - [LIB]: get_bromver:0x1
DeviceClass
DeviceClass - [LIB]: RX:05
DeviceClass
DeviceClass - [LIB]: TX:fc
DeviceClass
DeviceClass - [LIB]: mtk_cmd:0x1
DeviceClass
DeviceClass - [LIB]: RX:fc
DeviceClass
DeviceClass - [LIB]: mtk_cmd:0x8
DeviceClass
DeviceClass - [LIB]: RX:8a00ca0000000000
Preloader -     HW subcode:     0x8a00
Preloader -     HW Ver:         0xca00
Preloader -     SW Ver:         0x0
DeviceClass
DeviceClass - [LIB]: TX:fe
DeviceClass
DeviceClass - [LIB]: get_meid:0x1
DeviceClass
DeviceClass - [LIB]: RX:fe
DeviceClass
DeviceClass - [LIB]: TX:e1
DeviceClass
DeviceClass - [LIB]: get_meid:0x1
DeviceClass
DeviceClass - [LIB]: RX:e1
DeviceClass
DeviceClass - [LIB]: get_meid:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000010
DeviceClass
DeviceClass - [LIB]: get_meid:0x10
DeviceClass
DeviceClass - [LIB]: RX:9dbf5cab73a0c86470a25becb18a87bb
DeviceClass
DeviceClass - [LIB]: get_meid:0x2
DeviceClass
DeviceClass - [LIB]: RX:0000
Preloader - ME_ID:          9DBF5CAB73A0C86470A25BECB18A87BB
DeviceClass
DeviceClass - [LIB]: TX:fe
DeviceClass
DeviceClass - [LIB]: get_socid:0x1
DeviceClass
DeviceClass - [LIB]: RX:fe
DeviceClass
DeviceClass - [LIB]: TX:e7
DeviceClass
DeviceClass - [LIB]: get_socid:0x1
DeviceClass
DeviceClass - [LIB]: RX:e7
DeviceClass
DeviceClass - [LIB]: get_socid:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000020
DeviceClass
DeviceClass - [LIB]: get_socid:0x20
DeviceClass
DeviceClass - [LIB]: RX:c93429a0ec0d4e75e87008d1d16d45d2ef6d10a1b45e54c0de004500c5af310d
DeviceClass
DeviceClass - [LIB]: get_socid:0x2
DeviceClass
DeviceClass - [LIB]: RX:0000
Preloader - SOC_ID:         C93429A0EC0D4E75E87008D1D16D45D2EF6D10A1B45E54C0DE004500C5AF310D
DA_handler - Device is protected.
DA_handler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6833_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
DeviceClass
DeviceClass - [LIB]: TX:da
DeviceClass
DeviceClass - [LIB]: echo:0x1
DeviceClass
DeviceClass - [LIB]: RX:da
DeviceClass
DeviceClass - [LIB]: TX:00000000
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000000
DeviceClass
DeviceClass - [LIB]: TX:00000000
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000000
DeviceClass
DeviceClass - [LIB]: TX:00000001
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000001
DeviceClass
DeviceClass - [LIB]: brom_register_access:0x2
DeviceClass
DeviceClass - [LIB]: RX:0000
DeviceClass
DeviceClass - [LIB]: brom_register_access:0x1
DeviceClass
DeviceClass - [LIB]: RX:00
DeviceClass
DeviceClass - [LIB]: brom_register_access:0x2
DeviceClass
DeviceClass - [LIB]: RX:0000
DeviceClass
DeviceClass - [LIB]: TX:d1
DeviceClass
DeviceClass - [LIB]: echo:0x1
DeviceClass
DeviceClass - [LIB]: RX:d1
DeviceClass
DeviceClass - [LIB]: TX:10007050
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:10007050
DeviceClass
DeviceClass - [LIB]: TX:00000001
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000001
DeviceClass
DeviceClass - [LIB]: rword:0x2
DeviceClass
DeviceClass - [LIB]: RX:0000
DeviceClass
DeviceClass - [LIB]: rdword:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000000
DeviceClass
DeviceClass - [LIB]: read:0x2
DeviceClass
DeviceClass - [LIB]: RX:0000
DeviceClass
DeviceClass - [LIB]: TX:da
DeviceClass
DeviceClass - [LIB]: echo:0x1
DeviceClass
DeviceClass - [LIB]: RX:da
DeviceClass
DeviceClass - [LIB]: TX:00000000
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000000
DeviceClass
DeviceClass - [LIB]: TX:0000dfa0
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:0000dfa0
DeviceClass
DeviceClass - [LIB]: TX:00000004
DeviceClass
DeviceClass - [LIB]: echo:0x4
DeviceClass
DeviceClass - [LIB]: RX:00000004
DeviceClass
DeviceClass - [LIB]: brom_register_access:0x2
DeviceClass
DeviceClass - [LIB]: RX:1d1a
Exploitation
Exploitation - [LIB]: Error on sending payload.
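
An added example, not part of the original issue and not mtkclient's own code: a parser that pulls the chip identity and target-config replies out of a `--debugmode` trace like the one above, so that two reports for the same SoC (such as this one and #847) can be compared field by field. The function names and the flag masks are assumptions; the masks were chosen so that `0xe5` yields the flag values printed in the logs here.

```python
import re
import struct

# Constructed sample: three exchanges copied from the --debugmode trace above.
SAMPLE_LOG = """\
DeviceClass - [LIB]: TX:fd
DeviceClass - [LIB]: RX:fd
DeviceClass - [LIB]: RX:09890000
DeviceClass - [LIB]: TX:d8
DeviceClass - [LIB]: RX:d8
DeviceClass - [LIB]: RX:000000e50000
DeviceClass - [LIB]: TX:fc
DeviceClass - [LIB]: RX:fc
DeviceClass - [LIB]: RX:8a00ca0000000000
"""

# ASSUMPTION: one mask per flag, chosen so that 0xe5 reproduces the True/False
# values printed under "Target config" in this issue's logs.
TARGET_CONFIG_MASKS = {
    "SBC enabled": 0x01, "SLA enabled": 0x02, "DAA enabled": 0x04,
    "SWJTAG enabled": 0x06, "EPP_PARAM": 0x08, "Root cert required": 0x10,
    "Mem read auth": 0x20, "Mem write auth": 0x40, "Cmd 0xC8 blocked": 0x80,
}
LINE_RE = re.compile(r"\[LIB\]: (TX|RX):((?:[0-9a-fA-F]{2})+)[ \t]*$", re.M)

def responses_by_command(log_text):
    """Map each one-byte command to the RX payloads that followed it.
    The device echoes every TX; echoes are dropped so only replies remain."""
    replies, cmd, last_tx = {}, None, None
    for direction, hexdata in LINE_RE.findall(log_text):
        data = bytes.fromhex(hexdata)
        if direction == "TX":
            last_tx = data
            if len(data) == 1:          # a new command byte starts an exchange
                cmd = data[0]
                replies.setdefault(cmd, [])
        elif data == last_tx:
            last_tx = None              # echo of what was just sent
        elif cmd is not None:
            replies[cmd].append(data)
    return replies

def first_reply(replies, cmd, size):
    """Return the first reply of the expected size, or fail loudly."""
    for data in replies.get(cmd, []):
        if len(data) == size:
            return data
    raise ValueError(f"no {size}-byte reply to command 0x{cmd:02x} in log")

def decode_identity(log_text):
    """Extract the fields worth comparing between two reports for one SoC."""
    r = responses_by_command(log_text)
    hw_code, hw_version = struct.unpack(">HH", first_reply(r, 0xFD, 4))
    target_config, _status = struct.unpack(">IH", first_reply(r, 0xD8, 6))
    subcode, hw_ver, sw_ver, _status = struct.unpack(">HHHH", first_reply(r, 0xFC, 8))
    return {
        "hw_code": hw_code, "hw_version": hw_version,
        "hw_subcode": subcode, "hw_ver": hw_ver, "sw_ver": sw_ver,
        "target_config": target_config,
        "flags": {n: bool(target_config & m) for n, m in TARGET_CONFIG_MASKS.items()},
    }

if __name__ == "__main__":
    for key, value in decode_identity(SAMPLE_LOG).items():
        print(key, value if isinstance(value, dict) else hex(value))
```
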

ElectroBoy404NotFound commented 5 months ago

I think it is caused by the kernel USB driver. I think we need to apply the patch for it to work. I think

weimzh commented 5 months ago

> I think it is caused by the kernel USB driver. I think we need to apply the patch for it to work. I think

I've tried running it under Windows and still got the same issue so probably not because of this.

I've searched the issue tracker; however, I've found some phones with the same SoC can get past this point: https://github.com/bkerler/mtkclient/issues/847

so not sure if there is anything I did wrong.

ElectroBoy404NotFound commented 5 months ago

> > I think it is caused by the kernel USB driver. I think we need to apply the patch for it to work. I think
>
> I've tried running it under Windows and still got the same issue so probably not because of this.
>
> I've searched the issue tracker; however, I've found some phones with the same SoC can get past this point: #847
>
> so not sure if there is anything I did wrong.

Hmm sorry, I don't know then.....

bkerler commented 4 months ago

Newer revisions of the chips are patched against kamakiri.