Prepare V2

README.md

@@ -9,10 +9,11 @@ Once the mtk script is running, boot into brom mode by powering off device, pres
 vol up + power or vol down + power and connect the phone. Once detected by the tool,
 release the buttons.
 
-## Unsupported chipsets
-- MT678x, MT689x, MT688x, MT698x
-- These chipsets use a new protocol called V6 and the bootrom is patched. There is currently NO support for these chipsets (due to the way these loaders are implemented)
-- If you want support, consider donating so that I can afford one of these devices in order to start researching them
+## MT678x, MT689x, MT688x, MT698x
+- These chipsets use a new protocol called V6 and the bootrom is patched, thus you need a valid da via --loader option. 
+- On some devices, preloader is deactivated, but you still use it by running "adb reboot edl".
+- This only works with UNFUSED devices currently.
+- For all devices with DAA, SLA and Remote-Auth activated no public solution currently exists (for various reasons).
 
 ## Credits
 - kamakiri [xyzz]

mtkclient/Library/DA/daconfig.py

@@ -153,7 +153,7 @@ def __init__(self, mtk, loader=None, preloader=None, loglevel=logging.INFO):
             loaders = []
             for root, dirs, files in os.walk(self.pathconfig.get_loader_path(), topdown=False):
                 for file in files:
-                    if "MTK_AllInOne_DA" in file:
+                    if "MTK_AllInOne_DA" in file or "MTK_DA" in file:
                         loaders.append(os.path.join(root, file))
             loaders = sorted(loaders)[::-1]
             for loader in loaders:
@@ -217,14 +217,19 @@ def parse_da_loader(self, loader):
             with open(loader, 'rb') as bootldr:
                 # data = bootldr.read()
                 # self.debug(hexlify(data).decode('utf-8'))
-                bootldr.seek(0x68)
+                hdr = bootldr.read(0x68)
                 count_da = unpack("<I", bootldr.read(4))[0]
+                if b"MTK_DA_v6" in hdr:
+                    v6 = True
+                else:
+                    v6 = False
                 for i in range(0, count_da):
                     bootldr.seek(0x6C + (i * 0xDC))
                     da = DA(bootldr.read(0xDC))
                     da.setfilename(loader)
-                    if da.hw_code == 0x8127 and "5.1824" not in loader:
-                        continue
+                    da.v6 = v6
+                    #if da.hw_code == 0x8127 and "5.1824" not in loader:
+                    #    continue
                     if da.hw_code not in self.dasetup:
                         if da.hw_code!=0:
                             self.dasetup[da.hw_code] = [da]

mtkclient/Library/DA/legacy/dalegacy_lib.py

@@ -72,6 +72,9 @@ def __init__(self, mtk, daconfig, loglevel=logging.INFO):
             self.patch = True
         self.lft = legacyext(self.mtk, self, loglevel)
 
+    def boot_to(self, addr, data, display=True, timeout=0.5):
+        pass
+
     def get_fat_info(self, addr: int, dwords: int):
         if self.usbwrite(self.Cmd.GET_FAT_INFO_CMD):  # 0xF0
             self.usbwrite(pack(">I", addr))
@@ -209,12 +212,22 @@ def check_security(self):
             return True
         return False
 
-    def recheck(self):  # If Preloader is needed
+    def sec_usb_recheck(self):  # If Preloader is needed
+        # toDo / sha1 hash
         sec_info_len = 0
         cmd = self.Cmd.SECURE_USB_RECHECK_CMD + pack(">I", sec_info_len)  # B4
         status = unpack(">I", self.mtk.port.mtk_cmd(cmd, 1))[0]
         if status == 0x1799:
-            return False  # S-USBDL disabled
+            self.info("S-USBDL disabled")
+            return True
+        elif status == 0x179A:
+            self.info("S-USBDL enabled")
+        buffer1=bytearray()
+        buffer2=bytearray()
+        for i in range(0x100):
+            buffer1.append(self.rbyte(1))
+        for i in range(0x5):
+            buffer2.append(self.rbyte(1))
         return True
 
     def set_stage2_config(self, hwcode):
@@ -274,6 +287,8 @@ def set_stage2_config(self, hwcode):
             self.error("Didn't receive Stage2 dram info, please check usb cable/hub and retry.")
             return False
         errorcode = int.from_bytes(buffer,'big')
+        if errorcode == 0x0:
+            return True
         if errorcode != 0xBC3:
             self.error(self.eh.status(errorcode))
             return False
@@ -303,7 +318,7 @@ def set_stage2_config(self, hwcode):
             if len(returnval)!=4:
                 self.error("Didn't get a response on dram read")
                 return False
-            errorval = errorcode = int.from_bytes(returnval,'big')
+            errorval = int.from_bytes(returnval,'big')
             if errorval != 0xBC4:
                 self.error(self.eh.status(errorval))
                 return False
@@ -382,8 +397,47 @@ def set_stage2_config(self, hwcode):
                     return False
         return True
 
+    def set_speed_iot(self):
+        self.usbwrite(b"\x59")
+        ack = self.usbread(1)
+        self.usbwrite(b"\xF0")
+        ret = self.usbread(28)
+        self.usbwrite(self.Cmd.SPEED_CMD+b"\x01\x01")
+        ack = self.usbread(1)
+        if ack != b"\x5A":
+            return False
+        self.usbwrite(b"\x5A")
+        #try:
+        #    self.mtk.port.cdc.setcontrollinestate(RTS=True,DTR=True)
+        #except:
+        #    pass
+        try:
+            self.mtk.port.cdc.setLineCoding(baudrate=921600, parity=0, databits=8, stopbits=1)
+        except Exception as err:
+            print(err)
+            pass
+
+        time.sleep(0.1)
+        for i in range(10):
+            self.usbwrite(b"\xC0")
+            ack = self.usbread(1)
+            if ack == b"\xC0":
+                break
+            time.sleep(0.02)
+        self.usbwrite(b"\x5A")
+        ack = self.usbread(1)
+        if ack == b"\x5A":
+            for i in range(256):
+                loop_val = pack(">B", i)
+                self.usbwrite(loop_val)
+                if self.usbread(1) != loop_val:
+                    return False
+        else:
+            return False
+        return True
+
     def set_speed(self):
-        self.usbwrite(DALegacy.Cmd.SPEED_CMD)
+        self.usbwrite(self.Cmd.SPEED_CMD)
         self.usbwrite(int.to_bytes(921600, 4, 'big'))
         ack = self.usbread(1)
         if ack != b"\x5A":
@@ -485,7 +539,7 @@ def upload_da1(self):
                 bootldr.seek(da2offset)
                 da2 = bootldr.read(self.daconfig.da_loader.region[2].m_len)
                 if self.mtk.config.is_brom or not self.mtk.config.target_config["sbc"]:
-                    hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da2sig_len)
+                    hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da1sig_len, da2sig_len,self.daconfig.da_loader.v6)
                     if hashaddr is not None:
                         da2patched = self.lft.patch_da2(da2)
                         if da2patched != da2:
@@ -602,7 +656,6 @@ def upload_da1(self):
                 da3sig_len = self.daconfig.da_loader.region[stage1 + 2].m_sig_len
                 bootldr.seek(da3offset)
                 da3 = bootldr.read(da3size)
-
             if self.mtk.preloader.send_da(da1address, da1size, da1sig_len, da1):
                 if self.mtk.preloader.send_da(da2address, da2size, da2sig_len, da2):
                     if self.mtk.preloader.jump_da(da1address):
@@ -645,7 +698,6 @@ def upload_da1(self):
             i = 0
             while bytestosend > 0:
                 data = da3[i:i + 0x24]
-                print(data.hex())
                 self.usbwrite(data)
                 i += 0x24
                 bytestosend -= 0x24
@@ -679,6 +731,7 @@ def upload_da1(self):
                         self.daconfig.flashsize = self.sdc.m_sdmmc_ua_size
                 elif self.daconfig.flashtype == "nor":
                     self.daconfig.flashsize = self.nor.m_nor_flash_size
+                self.set_speed_iot()
                 return True
 
             return False
@@ -1000,7 +1053,7 @@ def readflash(self, addr: int, length: int, filename: str, parttype=None, displa
             self.daconfig.readsize = self.daconfig.flashsize // self.daconfig.pagesize * (
                     self.daconfig.pagesize + self.daconfig.sparesize)
         elif self.daconfig.flashtype == "nor":
-            packetsize = 0x400
+            packetsize = 0x1000
             self.usbwrite(self.Cmd.READ_CMD)  # D6
             if not self.config.iot:
                 self.usbwrite(b"\x0C")  # Host:Linux, 0x0B=Windows
@@ -1026,24 +1079,27 @@ def readflash(self, addr: int, length: int, filename: str, parttype=None, displa
             worker = Thread(target=writedata, args=(filename, rq), daemon=True)
             worker.start()
             bytestoread = length
+            curpos = 0
             while bytestoread > 0:
                 size = bytestoread
                 if bytestoread > packetsize:
                     size = packetsize
-                rq.put(self.usbread(size))
+                tmp = self.usbread(size)
+                rq.put(tmp[:size])
                 bytestoread -= size
-                checksum = unpack(">H", self.usbread(1) + self.usbread(1))[0]
+                curpos+=size
+                checksum = unpack(">H", self.usbread(2))[0]
                 self.debug("Checksum: %04X" % checksum)
-                self.usbwrite(self.Rsp.ACK)
                 if length > bytestoread:
                     rpos = length - bytestoread
                 else:
                     rpos = 0
+                self.usbwrite(self.Rsp.ACK)
                 self.mtk.daloader.progress.show_progress("Read", rpos, length, display)
             self.mtk.daloader.progress.show_progress("Read", length, length, display)
             rq.put(None)
             worker.join(60)
-            return True
+            return b""
         else:
             buffer = bytearray()
             bytestoread = length

mtkclient/Library/DA/legacy/extension/legacy.py

@@ -1,4 +1,5 @@
 import os
+import sys
 from struct import unpack, pack
 
 from mtkclient.Library.settings import hwparam
@@ -219,6 +220,31 @@ def read_pubk(self):
         return None
 
     def generate_keys(self):
+        if self.config.hwcode in [0x2601,0x6572]:
+            base = 0x11141000
+        elif self.config.hwcode==0x6261:
+            base = 0x70000000
+        elif self.config.hwcode in [0x8172,0x8176]:
+            base = 0x122000
+        else:
+            base = 0x100000
+        data = b"".join([pack("<I", val) for val in self.readmem(0x111418EC, 0x20000 // 4)])
+        print(data.hex())
+        sys.stdout.flush()
+        if self.config.meid is None:
+            try:
+                data = b"".join([pack("<I", val) for val in self.readmem(base+0x8EC, 0x16 // 4)])
+                self.config.meid = data
+                self.config.set_meid(data)
+            except:
+                return
+        if self.config.socid is None:
+            try:
+                data = b"".join([pack("<I", val) for val in self.readmem(base+0x934, 0x20 // 4)])
+                self.config.socid = data
+                self.config.set_socid(data)
+            except:
+                return
         hwc = self.cryptosetup()
         retval = {}
         retval["hwcode"] = hex(self.config.hwcode)
@@ -233,8 +259,6 @@ def generate_keys(self):
         if meid is not None:
             self.info("MEID        : " + hexlify(meid).decode('utf-8'))
             retval["meid"] = hexlify(meid).decode('utf-8')
-            if self.config.hwparam is None:
-                self.config.hwparam = hwparam(meid, self.config.hwparam_path)
             self.config.hwparam.writesetting("meid", hexlify(meid).decode('utf-8'))
         if socid is not None:
             self.info("SOCID       : " + hexlify(socid).decode('utf-8'))
@@ -252,7 +276,7 @@ def generate_keys(self):
             self.info("Generating dxcc rpmbkey2...")
             rpmb2key = hwc.aes_hwcrypt(btype="dxcc", mode="rpmb2")
             self.info("Generating dxcc km key...")
-            ikey = hwc.aes_hwcrypt(btype="dxcc", mode="itrustee")
+            ikey = hwc.aes_hwcrypt(btype="dxcc", mode="itrustee", data=self.config.hwparam.appid)
             # self.info("Generating dxcc platkey + provkey key...")
             # platkey, provkey = hwc.aes_hwcrypt(btype="dxcc", mode="prov")
             # self.info("Provkey     : " + hexlify(provkey).decode('utf-8'))
@@ -335,3 +359,6 @@ def generate_keys(self):
                     retval["mtee2"] = hexlify(mtee2).decode('utf-8')
         self.config.hwparam.writesetting("hwcode", retval["hwcode"])
         return retval
+
+    def custom_read_reg(self, addr:int, length:int) -> bytes:
+        return self.custom_read(addr,length)