Open userse31 opened 6 months ago
So I thought "Maybe the payload is wrong. I should use a different payload!"
Well, I couldn't figure out the command santax, so I looked at the README.md
Then I came across this: "python mtk payload --metamode FASTBOOT".
Part of the entire issue is that the Alcatel 5041C has had security patches that disable fastboot. Well, what if I gave that command a shot?
Oh my Stanley, it actually works. I know! I can't believe it either! Normally computers fight against me every step of the way!
you need to bl unlock those phones in order to be able to flash non-signed partitions
@userse31 What da loader did you try to use ?
Having a similar problem with Xiaomi Redmi Note 4 MTK, except that it was caused by doing Format all + Download in SP Flash Tool. Using preloader from the firmware I downloaded from the internet and tried with --auth I got from https://xdaforums.com/t/help-unlock-mediatek-xiaomi-redmi-note-4-without-wiping-data.4064119/
The phone itself is stuck in brom mode, I unplugged the battery. SP Flash tool gives STATUS_ERR on any download, mtk only errors on certain partitions. Tried with python 3.9.19 and 3.12.4 on NixOS, ran inside sudo su
EDIT: I've used Format all + Download because I've used a scatter file without some partitions, which messed up PMT. mtk printgpt still seems fine tho
EDIT2: The phone has bootloader locked
I could solve it by switching to a windows computer. And later unlocked the bootloader with an older version of mtkclient on linux
you need to bl unlock those phones in order to be able to flash non-signed partitions
That is what I did. Must've forgot to post that here.
I did an "oopsiee" and now need to restore the phone from the firmware backup I made. (I need to restore boot.img).
Well, in my infinite wisdom I thought I had to erase the boot partition first and THEN flash the backup!
Fun fact: No.
(At least I was able to restore the partition table...)
I can read and erase any partition, but I can't write to certain partitions. Can you guess what category "boot" falls under? YEP! It's one of the write protected ones!
I have a full nand backup aswell, but "./mtk rf" errors out if the file is too big. (It probably encroaches on the protected areas past a certain size.)
So, I don't know what in Stanley's green EARTH is happening here, but here's the log for a partition based write:
`qwerty@debian:~/Documents/compiling/mtkclient$ ./mtk wl ~/Documents/5041C/5041C/ MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Port - Hint:
Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb. If it is already connected and on, hold power for 10 seconds to reset.
.......Port - Device detected :) Preloader - CPU: MT6739/MT6731/MT8765() Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0xb4 Preloader - Disabling Watchdog... Preloader - HW code: 0x699 Preloader - Target config: 0xe7 Preloader - SBC enabled: True Preloader - SLA enabled: True Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - Get Target info Preloader - BROM mode detected. Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xcb00 Preloader - SW Ver: 0x2 Preloader - ME_ID: BD74B14635371A71CDB44606A64AAF1B Preloader - SOC_ID: 7067F0D01DC1B1ADF7EE6E0CEF92A47A3DA42813AF064FA39065EDFADD10D52E Preloader Preloader - [LIB]: Send auth error:DAA_Security_Error (0x7017) PLTools - Loading payload from mt6739_payload.bin, 0x264 bytes Exploitation - Kamakiri Run Exploitation - Done sending payload... PLTools - Successfully sent payload: /home/qwerty/Documents/compiling/mtkclient/mtkclient/payloads/mt6739_payload.bin Port - Device detected :) DA_handler - Device is protected. DA_handler - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading xflash stage 1 from _MTK_DA_V5.bin DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - Sending emi data ... DAXFlash - DRAM setup passed. DAXFlash - Sending emi data succeeded. DAXFlash - Uploading stage 2... DAXFlash - Upload data was accepted. Jumping to stage 2... DAXFlash - Successfully uploaded stage 2 DAXFlash - EMMC FWVer: 0x0 DAXFlash - EMMC ID: QE63MB DAXFlash - EMMC CID: 150100514536334d42030a2f976fb54d DAXFlash - EMMC Boot1 Size: 0x400000 DAXFlash - EMMC Boot2 Size: 0x400000 DAXFlash - EMMC GP1 Size: 0x0 DAXFlash - EMMC GP2 Size: 0x0 DAXFlash - EMMC GP3 Size: 0x0 DAXFlash - EMMC GP4 Size: 0x0 DAXFlash - EMMC RPMB Size: 0x400000 DAXFlash - EMMC USER Size: 0x3a3e00000 DAXFlash - HW-CODE : 0x699 DAXFlash - HWSUB-CODE : 0x8A00 DAXFlash - HW-VERSION : 0xCB00 DAXFlash - SW-VERSION : 0x2 DAXFlash - CHIP-EVOLUTION : 0x0 DAXFlash - DA-VERSION : 1.0 DAXFlash DAXFlash - [LIB]: Error on sending data: DA hash mismatch (0xc0070004) DAXFlash DAXFlash - [LIB]: DA Extensions failed to enable DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/lk.bin to sector 642048 with sector count 2048. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/para.bin to sector 83968 with sector count 1024. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/sec1.bin to sector 393216 with sector count 4096. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/mcupmfw.bin to sector 564224 with sector count 2048. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/fota.bin to sector 38912 with sector count 10240. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/gz1.bin to sector 566272 with sector count 32768. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/boot.bin to sector 646400 with sector count 32768. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x2800 of 0x2800, ) 4.92 MB/s Wrote /home/qwerty/Documents/5041C/5041C/nvram.bin to sector 6208 with sector count 10240. DA_handler DA_handler - [LIB]: Error: Couldn't detect partition: gpt_backup , skipping
DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/md1dsp.bin to sector 529408 with sector count 32768. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/metadata.bin to sector 209920 with sector count 65536. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x4000 of 0x4000, ) 3.61 MB/s25 MB/s Wrote /home/qwerty/Documents/5041C/5041C/protect2.bin to sector 291840 with sector count 16384. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x21C000 of 0x21C000, ) 3.04 MB/s13 MB/sMB/s Wrote /home/qwerty/Documents/5041C/5041C/vendor.bin to sector 753664 with sector count 2211840. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x654000 of 0x654000, ) 4.96 MB/s79 MB/sMB/s Wrote /home/qwerty/Documents/5041C/5041C/system.bin to sector 2965504 with sector count 6635520. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/tee1.bin to sector 728320 with sector count 10240. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/boot_para.bin to sector 81920 with sector count 2048. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/mobile_info.bin to sector 308224 with sector count 35840. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/tee2.bin to sector 738560 with sector count 15104. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/loader_ext2.bin to sector 646272 with sector count 128. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/lk2.bin to sector 644096 with sector count 2048. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1800 of 0x1800, ) 4.33 MB/s Wrote /home/qwerty/Documents/5041C/5041C/proinfo.bin to sector 64 with sector count 6144. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/nvdata.bin to sector 144384 with sector count 65536. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/logo.bin to sector 679168 with sector count 16384. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/flashinfo.bin to sector 30502879 with sector count 32768. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/expdb.bin to sector 84992 with sector count 40960. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xA0E00 of 0xA0E00, ) 4.09 MB/s75 MB/sMB/s Wrote /home/qwerty/Documents/5041C/5041C/userdata.bin to sector 10256384 with sector count 20158431. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xA0000 of 0xA0000, ) 3.64 MB/s24 MB/sMB/s Wrote /home/qwerty/Documents/5041C/5041C/cache.bin to sector 9601024 with sector count 655360. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x8000 of 0x8000, ) 3.57 MB/s23 MB/s Wrote /home/qwerty/Documents/5041C/5041C/persist.bin to sector 49152 with sector count 32768. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/otp.bin to sector 30414815 with sector count 88064. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/frp.bin to sector 125952 with sector count 2048. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x8000 of 0x8000, ) 4.60 MB/s45 MB/s Wrote /home/qwerty/Documents/5041C/5041C/odmdtbo.bin to sector 695552 with sector count 32768. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/loader_ext1.bin to sector 646144 with sector count 128. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x4000 of 0x4000, ) 4.51 MB/s67 MB/s Wrote /home/qwerty/Documents/5041C/5041C/nvcfg.bin to sector 128000 with sector count 16384. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/gz2.bin to sector 599040 with sector count 32768. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/spmfw.bin to sector 562176 with sector count 2048. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/recovery.bin to sector 345088 with sector count 48128. DA_handler DA_handler - [LIB]: Error: Couldn't detect partition: partitions , skipping
DA_handler - Writing partition gpt Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x22 of 0x22, ) 0.28 MB/s Wrote gpt to sector 0 Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x4000 of 0x4000, ) 3.78 MB/s72 MB/s Wrote /home/qwerty/Documents/5041C/5041C/protect1.bin to sector 275456 with sector count 16384. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/seccfg.bin to sector 344064 with sector count 1024. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/md1img.bin to sector 398336 with sector count 131072. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/redbend.bin to sector 32768 with sector count 6144. Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x400 of 0x400, ) 2.51 MB/s Wrote /home/qwerty/Documents/5041C/5041C/efuse.bin to sector 397312 with sector count 1024. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/pad4nvramwp.bin to sector 16448 with sector count 16320. DAXFlash DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c) Failed to write /home/qwerty/Documents/5041C/5041C/simlock.bin to sector 631808 with sector count 10240.`
The thing that confuses me though, why write protect certain areas but not prevent readback and erasing?