Can't unlock mt6737 tablet. #1218

Open
halt-spesn opened this issue Sep 21, 2024 · 2 comments
halt-spesn commented Sep 21, 2024

I'm trying to unlock a lenovo-tb7304i. I've done this earlier, tried to port LineageOS, then abandoned it. Now I flashed stock firmware on the tablet and am trying to unlock it, but I'm getting this:
```
....Port - Device detected :)
Preloader - CPU: MT6737M/MT6735G()
Preloader - HW version: 0x0
Preloader - WDT: 0x10212000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10217c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x335
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x0
Mtk - We're not in bootrom, trying to crash da...
Exploitation - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
DeviceClass
DeviceClass - [LIB]: Couldn't get device configuration.
Port - Device detected :)
Preloader - CPU: MT6737M/MT6735G()
Preloader - HW version: 0x0
Preloader - WDT: 0x10212000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10217c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x335
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 6D722AF8F0702E2A88BA943F19969E7E
Preloader
Preloader - [LIB]: Auth file is required. Use --auth option.
PLTools - Loading payload from mt6737_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/hallt/trash/mtkclient-main/mtkclient/payloads/mt6737_payload.bin
Port - Device detected :)
DaHandler - Device was protected. Successfully bypassed security.
DaHandler - Device is in BROM mode. Trying to dump preloader.
Successfully extracted preloader for this device to: preloader_hq8735b_tb_n.bin
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt - Legacy DA2 is patched.
LegacyExt - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 04029b
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 484a0190613447414a09a532593aeb94
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ... EMI-Version 0x14
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 5740
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x80000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - Reconnecting to stage2 with higher speed
DeviceClass - [Errno 2] Entity not found
DALegacy - Connected to stage2 with higher speed
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x20000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x80000000
randomid = 0x5FA5627D657C704FA7F185ACD97E1517

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x3ab400000
m_emmc_cid = 4147346190014a4894eba55932a5094a
m_emmc_fwver = a500000000000000

LegacyExt - Detected V3 Lockstate
Sej - HACC init
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
Sej - HACC run
Sej - HACC terminate
Traceback (most recent call last):
File "/home/hallt/trash/mtkclient-main/./mtk.py", line 1021, in
main()
File "/home/hallt/trash/mtkclient-main/./mtk.py", line 1017, in main
mtk = Main(args).run(parser)
^^^^^^^^^^^^^^^^^^^^^^
File "/home/hallt/trash/mtkclient-main/mtkclient/Library/mtk_main.py", line 684, in run
da_handler.handle_da_cmds(mtk, cmd, self.args)
File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/mtk_da_handler.py", line 877, in handle_da_cmds
v = mtk.daloader.seccfg(args.flag)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/mtk_daloader.py", line 394, in seccfg
return self.lft.seccfg(lockflag)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/legacy/extension/legacy.py", line 196, in seccfg
if self.legacy.writeflash(addr=partition.sector * self.mtk.daloader.daconfig.pagesize,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 951, in writeflash
return self.sdmmc_write_data(addr=addr, length=length, filename=filename, offset=offset, parttype=parttype,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/hallt/trash/mtkclient-main/mtkclient/Library/DA/legacy/dalegacy_lib.py", line 853, in sdmmc_write_data
fh = open(filename, "rb")
^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: ''
hallt@localhost ~/t/mtkclient-main [1]> ./mtk.py da seccfg unlock
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

LegacyExt - Detected V3 Lockstate
Sej - HACC init
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
Sej - HACC run
Sej - HACC terminate
Sej - HACC init
Sej
Sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
Sej - HACC run
Sej - HACC terminate
SecCfgV3
SecCfgV3 - [LIB]: Unknown V3 seccfg encryption !
DaHandler
DaHandler - [LIB]: Device has is either already unlocked or algo is unknown. Aborting.
hallt@localhost ~/t/mtkclient-main>
```
With earlier versions of mtkclient I'm getting this:
```
legacyext - Detected V3 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej
sej - [LIB]: SEJ Legacy Hardware seems not to be configured correctly. Results may be wrong.
sej - HACC run
sej - HACC terminate
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xD of 0xD, ) 47.37 MB/s
DA_handler - Successfully wrote seccfg.
```
But the device falls into red state and refuses to boot.
Any ideas?


ferouzkassim commented Sep 21, 2024 via email


halt-spesn commented Sep 21, 2024

> But which unlock is it? If it's a bootloader unlock, it's clear the tool hasn't surpassed the stage where it gets access to the seccfg partition responsible for bootloader unlock. Consider getting an auth file to enable full booting of the device first. Also, prior knowledge of device properties and names would help us tackle the issue more.

I tried to use --auth with an .auth file when unlocking the bootloader; it didn't help.
