
Fix preloader handshake #1205

Draft: wants to merge 3 commits into main

Conversation

hopez13 (Contributor) commented Sep 14, 2024

No description provided.

hopez13 (Contributor, Author) commented Sep 14, 2024

The Following Changes Fixed The Preloader Handshake Timeout:

  • Removing Print Logic Running In Loop

  • Inlining run_handshake into handshake

hopez13 (Contributor, Author) commented Sep 15, 2024

Some Good Progress

Notice How It's A Xiaomi Device With Remote SLA, But We Are Able To Load A Signed OEM DA Without Requiring SLA

All Because Of A Signed Engineering Preloader Flashed To The Preloader Partition, Which We Got From The
Engineering ROM Of This Device (maybe internally they use these preloaders for actual flashing/testing; that's why it doesn't require SLA)


E:\mtk>python mtk.py r vbmeta_a vbmeta.bin --loader=PocoM5.bin
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

DAconfig - Using custom loader: PocoM5.bin
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Device detected :)
Preloader -     CPU:                    MT6789(MTK Helio G99)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     Var1:                   0xa
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x1208
Preloader - Target config:              0x7
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            True
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      14206xxxxxxxxxxxxxxx
Preloader - SOC_ID:                     67D76xxxxxxxxxxxxxxx
DaHandler - Device is protected.
DaHandler - Device is in Preloader-Mode.
DAXML - Uploading xflash stage 1 from PocoM5.bin
DAXML - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXML - Stage 1 successfully loaded.
DAXML - Uploading stage 2...
Progress: |██████████| 100.0% Written (0x284/0x284, ) 0.00 MB/s
DAXML - Successfully uploaded stage 2.
DAXML - Successfully uploaded stage 2
Traceback (most recent call last):
  File "E:\mtk\mtk.py", line 1016, in <module>
    main()
  File "E:\mtk\mtk.py", line 1012, in main
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "E:\mtk\mtkclient\Library\mtk_main.py", line 662, in run
    mtk = da_handler.configure_da(mtk, preloader)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "E:\mtk\mtkclient\Library\DA\mtk_da_handler.py", line 161, in configure_da
    if not mtk.daloader.upload_da(preloader=preloader):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "E:\mtk\mtkclient\Library\DA\mtk_daloader.py", line 297, in upload_da
    return self.da.upload_da()
           ^^^^^^^^^^^^^^^^^^^
  File "E:\mtk\mtkclient\Library\DA\xml\xml_lib.py", line 616, in upload_da
    self.change_usb_speed()
  File "E:\mtk\mtkclient\Library\DA\xml\xml_lib.py", line 801, in change_usb_speed
    if "Unsupported" in resp:
       ^^^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'bool' is not iterable

hopez13 (Contributor, Author) commented Sep 16, 2024

After Applying f8272a4

E:\mtk>python mtk.py r vbmeta_a vbmeta.bin --loader=PocoM5.bin
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

DAconfig - Using custom loader: PocoM5.bin
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Device detected :)
Preloader -     CPU:                    MT6789(MTK Helio G99)
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     Var1:                   0xa
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x1208
Preloader - Target config:              0x7
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            True
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xca00
Preloader -     SW Ver:                 0x0
Preloader - ME_ID:                      14206xxxxxxxxxxxxxxxxxxxxxxxxxxx
Preloader - SOC_ID:                     67D76xxxxxxxxxxxxxxxxxxxxxxxxxxx
DaHandler - Device is protected.
DaHandler - Device is in Preloader-Mode.
DAXML - Uploading xflash stage 1 from PocoM5.bin
DAXML - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXML - Stage 1 successfully loaded.
DAXML - Uploading stage 2...
Progress: |██████████| 100.0% Written (0x284/0x284, ) 0.00 MB/s
DAXML - Successfully uploaded stage 2.
DAXML - Successfully uploaded stage 2
DAXML - SLA is disabled
DAXML
DAXML - [LIB]: DA XML Extensions failed.
DaHandler - Requesting available partitions ....
Traceback (most recent call last):
  File "E:\mtk\mtk.py", line 1016, in <module>
    main()
  File "E:\mtk\mtk.py", line 1012, in main
    mtk = Main(args).run(parser)
          ^^^^^^^^^^^^^^^^^^^^^^
  File "E:\mtk\mtkclient\Library\mtk_main.py", line 664, in run
    da_handler.handle_da_cmds(mtk, cmd, self.args)
  File "E:\mtk\mtkclient\Library\DA\mtk_da_handler.py", line 713, in handle_da_cmds
    self.da_read(partitionname=partitionname, parttype=parttype, filename=filename)
  File "E:\mtk\mtkclient\Library\DA\mtk_da_handler.py", line 251, in da_read
    if gptentry.name.lower() == partition.lower():
       ^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'name'

hopez13 (Contributor, Author) commented Sep 16, 2024

That traceback might not reflect the true issue, because it was generated after a keyboard interrupt,

as mtkclient was stuck at "DaHandler - Requesting available partitions ...." forever.

I will send the debug log.

hopez13 (Contributor, Author) commented Sep 16, 2024

Here's The Relevant Debug Log

TX:efeeeefe0100000003000000
TX:4f4b00
USB get_response: length(0xc)
RX:efeeeefe0100000066000000
USB get_response: length(0x66)
RX:<?xml version="1.0" encoding="utf-8"?><host><version>1.0</version><command>CMD:START</command></host>�
TX:efeeeefe0100000003000000
TX:4f4b00
TX:efeeeefe0100000063000000
TX:<?xml version="1.0" encoding="utf-8"?><da><version>1.0</version><command>CMD:CUSTOM</command></da>�
USB get_response: length(0xc)
RX:efeeeefe0100000010000000
USB get_response: length(0x10)
RX:45525221554e535550504f5254454400
DA XML Extensions failed.
Requesting available partitions ....
Requesting available partitions ....
TX:efeeeefe01000000dd000000
TX:<?xml version="1.0" encoding="utf-8"?><da><version>1.0</version><command>CMD:READ-FLASH</command><arg><partition>UFS-LUA2</partition><offset>0x0</offset><length>0x20000</length><target_file>ROM_0</target_file></arg></da>�
USB get_response: length(0xc)
RX:efeeeefe01000000b6000000
USB get_response: length(0xb6)
RX:<?xml version="1.0" encoding="utf-8"?><host><version>1.0</version><command>CMD:END</command><arg><result>ERR!UNSUPPORTED</result><message>Unsupported command.</message></arg></host>�
Timed out
Timed out
Timed out
Timed out
Timed out

@bkerler

hopez13 (Contributor, Author) commented Sep 16, 2024

Ok, So This Error Must Be DA-Specific

Not Surprised To Know This OEM DA Doesn't Support CMD:READ-FLASH 🫨

Ok, Then We Might Need Scatter File Support In MTK Client

hopez13 (Contributor, Author) commented Sep 16, 2024

I'm not sure what file types the --gpt_file argument supports.
Does it work with files like scatter.xml or scatter.txt?
Also, in Xiaomi firmware, there's a PGPT file with the following header magic: 45 46 49 20 50 41 52 54 (GPT HEADER)

hopez13 (Contributor, Author) commented Sep 16, 2024

If the custom DA file does not support CMD:READ-FLASH, using read or --printgpt in mtkclient gets stuck indefinitely, without relevant output or a proper exit. It should provide clear feedback and exit gracefully, to prevent the tool from getting stuck forever.
Thanks
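
The fail-fast handling this comment asks for, applied to the frames in the debug log above, as an added example that is not mtkclient's own code: it parses the efeeeefe-framed replies, decodes both the plain status strings (OK, ERR!UNSUPPORTED) and the CMD:END XML reply, and raises on any ERR!* result instead of retrying until "Timed out". DaProtocolError, parse_frames and check_da_reply are assumed names; the sample frame is constructed from the CMD:READ-FLASH reply shown in the log.

```python
import struct
import xml.etree.ElementTree as ET

# Frame layout seen in the TX/RX lines of the debug log: 4-byte magic efeeeefe,
# 4-byte version (01000000), 4-byte little-endian payload length, then the
# NUL-terminated payload (XML or a plain status string such as OK / ERR!UNSUPPORTED).
MAGIC = bytes.fromhex("efeeeefe")

# Constructed sample: the CMD:END frame the DA returned for CMD:READ-FLASH
# (header efeeeefe01000000b6000000 followed by the 0xb6-byte XML payload).
SAMPLE_READ_FLASH_REPLY = bytes.fromhex("efeeeefe01000000b6000000") + (
    b'<?xml version="1.0" encoding="utf-8"?><host><version>1.0</version>'
    b'<command>CMD:END</command><arg><result>ERR!UNSUPPORTED</result>'
    b'<message>Unsupported command.</message></arg></host>\x00'
)

class DaProtocolError(Exception):
    """Raised when the DA rejects a command, so callers fail fast instead of looping."""

def parse_frames(stream: bytes):
    """Split a byte stream into (version, payload) tuples, validating each header."""
    frames, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 4] != MAGIC:
            raise DaProtocolError(f"bad frame magic at offset {pos}")
        version, length = struct.unpack_from("<II", stream, pos + 4)
        payload = stream[pos + 12:pos + 12 + length]
        if len(payload) != length:
            raise DaProtocolError(f"truncated frame: want {length}, got {len(payload)}")
        frames.append((version, payload))
        pos += 12 + length
    return frames

def check_da_reply(payload):
    """Return (command, result, message) for one DA reply, raising on any ERR!* status.
    Rejects a non-bytes reply up front (the 'bool is not iterable' traceback above)."""
    if not isinstance(payload, (bytes, bytearray)):
        raise DaProtocolError(f"no reply from DA (got {type(payload).__name__})")
    body = bytes(payload).rstrip(b"\x00")
    if not body.startswith(b"<"):  # plain status string, not CMD:END XML
        status = body.decode("utf-8", "replace")
        if status.startswith("ERR!"):
            raise DaProtocolError(status)
        return status, None, None
    root = ET.fromstring(body)
    command, result = root.findtext("command"), root.findtext("arg/result")
    message = root.findtext("arg/message")
    if result and result.startswith("ERR!"):
        raise DaProtocolError(f"{command}: {result} ({message})")
    return command, result, message
```

A read loop that calls check_da_reply on every frame surfaces the DA's "Unsupported command." verdict on the first reply rather than after five timeouts.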

hopez13 (Contributor, Author) commented Sep 17, 2024

[image: 13.jpg]

since neither the DA nor the preloader is patched for carbonara

it would be interesting to explore the capabilities of carbonara

coz on the official DA we don't have read flash support
