[CLOSED]Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m ERROR - Android Software/Hacking General [Developers Only]

E:\Damn God Android Repairer\mtkclient-main>python mtk w boot_a boot.img
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m
Preloader
Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m
Preloader
Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m
Port - Device detected
Preloader - CPU: MT6735/T()
Preloader - HW version: 0x0
Preloader - WDT: 0x10212000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10217c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x321
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: D5844894FB09EE8D9D4EC77074C057D5
PLTools - Loading payload from mt6735_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: E:\Damn God Android Repairer\mtkclient-main\mtkclient\payloads\mt6735_payload.bin
Port - Device detected
Main - Device is protected.
Main - Device is in BROM mode. Trying to dump preloader.
DALegacy - Uploading da...
DALegacy - Uploading stage 1...
Preloader
Preloader - [LIB]: ←[31mError on DA_Send cmd←[0m
Main
Main - [LIB]: ←[31mError uploading da←[0m
Does anyone have the solution for me? im trying to fix my hard bricked samsung galaxy j2 prime

Kei1999 said:
E:\Damn God Android Repairer\mtkclient-main>python mtk w boot_a boot.img
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m
Preloader
Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m
Preloader
Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m
Port - Device detected
Preloader - CPU: MT6735/T()
Preloader - HW version: 0x0
Preloader - WDT: 0x10212000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10217c00
Preloader - Var1: 0x28
Preloader - Disabling Watchdog...
Preloader - HW code: 0x321
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: D5844894FB09EE8D9D4EC77074C057D5
PLTools - Loading payload from mt6735_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: E:\Damn God Android Repairer\mtkclient-main\mtkclient\payloads\mt6735_payload.bin
Port - Device detected
Main - Device is protected.
Main - Device is in BROM mode. Trying to dump preloader.
DALegacy - Uploading da...
DALegacy - Uploading stage 1...
Preloader
Preloader - [LIB]: ←[31mError on DA_Send cmd←[0m
Main
Main - [LIB]: ←[31mError uploading da←[0m
Does anyone have the solution for me? im trying to fix my hard bricked samsung galaxy j2 prime
Click to expand...
Click to collapse
Note: Questions go in Q&A Forum
If you are posting a Question Thread post it in the Q&A forum. Technical discussion of Android development and hacking. No noobs, please. Device-specific releases should go under the appropriate device forum...
forum.xda-developers.com

Related

firehose programmer for Pixel OG (sailfish)

Hi,
I have a Pixel OG (sailfish) that is stuck in EDL mode.
Does anyone has access to a firehose programmer to reflash it?
I'm here:
Code:
$ ./edl.py
Qualcomm Sahara / Firehose Client V3.3 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: 0x0005f0e100000000 (MSM_ID:0x0005f0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected: "MSM8996Pro"
PK_HASH: 0xba2102da99c924058c758fa9f4250847c92cabde17fdcef01d4daff8df5d6753
Serial: [redacted]
Thanks!
kick29 said:
Hi,
I have a Pixel OG (sailfish) that is stuck in EDL mode.
Does anyone has access to a firehose programmer to reflash it?
I'm here:
Code:
$ ./edl.py
Qualcomm Sahara / Firehose Client V3.3 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: 0x0005f0e100000000 (MSM_ID:0x0005f0e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected: "MSM8996Pro"
PK_HASH: 0xba2102da99c924058c758fa9f4250847c92cabde17fdcef01d4daff8df5d6753
Serial: [redacted]
Thanks!
Click to expand...
Click to collapse
This is probably too late but you can try a website called romprovider(DOT)com (MODS THIS IS NOT AN ADVERTISEMENT I AM JUST TRYING TO ANSWER A QUESTION). It has firehose programmers and flashing tools that claim to bypass edl authentication for many makes and models. Not sure how helpful it is but it's the only thing I found other than a hacking tool on github called firehorse(it was reverse-engineered from a firehose programmer).

Question How to Unbrick Redmi Note 11 Pro 5G Mediatek Dimensity 920 (China)?

I was trying to change Firmware from China ROM to Global ROM but I accidentally uploaded wrong firmware and the phone was dead, the phone can be detected in Device Manager (Please image below) but it cannot be detected in MIFlash Tool. Kindly please help me how to recover my phone thanks..
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Is your phone going in fastboot mode. And which option(clean all, clean all and lock etc.) did you select while flashing rom?
Can you provide these details?
Manjotbenipal said:
Is your phone going in fastboot mode. And which option(clean all, clean all and lock etc.) did you select while flashing rom?
Can you provide these details?
Click to expand...
Click to collapse
Hi, my phone does not turn on anymore, It cannot go to fastboot it cannot also be detected in MIUI ROM Flashing Tool but it can be detected in device manager in computer.
When I flashed the firmware I selected clean all.
Try mtkclient:
onw2 said:
Try mtkclient:
Click to expand...
Click to collapse
I tried this but it stops in emi sending data... do you have any idea how to fix this?
Here's my full log below.
Port - Device detected
Preloader - CPU: MT6877(Dimensity 900)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x959
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: F4242E2342AE14544513EFDFB0123568
Preloader - SOC_ID: 511B3B60165C3E695EAEE7B05D6D6F788EE3C4D0D4A336E517838A6749AC55F4
PLTools - Loading payload from mt6877_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\Users\bronz23_\Desktop\Mediatek MTK Client Drivers\mtkclient-main\mtkclient\payloads\mt6877_payload.bin
Port - Device detected
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS FWVer: 0x0
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: H9HQ15AFAMBDAR
DAXFlash - UFS CID: ad014839485131354146414d42444152
DAXFlash - UFS LU0 Size: 0x1dcb000000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : ad014839485131354146414d42444152
DAXFlash - Sending emi data ...
C:\Users\bronz23_\Desktop\Mediatek MTK Client Drivers\mtkclient-main>
BTW I loaded the boot.img and vbmeta.img from this firmware version,
veux_global_images_V13.0.13.0.RKCMIXM_20220518.0000.00_11.0_global
Did you try rebooting into fastboot after flashing those 2 images? If it's booting into fastboot, that means your device is functioning properly and you can flash your stock ROM using flashall.bat program provided at stock ROM file. If you can't boot into fastboot, try flashing everything manually with mtkclient tool. When i say everything i mean it, all images provided at stock ROM file.
onw2 said:
Did you try rebooting into fastboot after flashing those 2 images? If it's booting into fastboot, that means your device is functioning properly and you can flash your stock ROM using flashall.bat program provided at stock ROM file. If you can't boot into fastboot, try flashing everything manually with mtkclient tool. When i say everything i mean it, all images provided at stock ROM file.
Click to expand...
Click to collapse
I tried after flashing but it can't boot into fastboot. Do you have any instructions how to flash everything manually? Trying to google it but can't find a specific instructions how to do it. Thank you..
I have the same problem bro. Did you find any solution?
hi guys , i had same problem with redmi note 11 5g + MTK D920 chinese version totally was dead after i tried to change Rom to global
i used
*MIflash
*Sp_flash tool
* even unlocktool
*adb and also all arabic and russian even turkey tools
but nothing change ( it was a horrible time ) i thing i had all problems message(status error 0x0010001 and 0*000003 etc ....)
phone was at COM and LTP (mediatek) device does not respond
i solved it through these steps :
* you need to remove back cover (battery cover ) and unattached battery 1 and 2
*you need to touch Test point
*Unlocktools _ mediatek _
*you need install standard driver (MTK drivers )(LibUSB-Win32) (unlock drivers )
PS : if you have a blue screen in windows 10 so you need to remove (unstallation )OPPO driver if you have and go filter Wizard (remove all devices ) after remove LibUSB-Win32 and MTK drivers -next step restart windows 10 +after that you need to install (MTK drivers )(LibUSB-Win32) again
*the last firmware i used (pissarro_in_global_images_V14.0.2.0.TKTINXM_13.0)
*open unlocktool go to mediatek laod MT6877_Android_scatter and press flash ( dont forget connect telephone USB )
*press flash and wait around 10 min
* oh redmi working )))))
firmware redmi note 11 pro
https://miuirom.org/ru/phones/redmi-note-11-pro-plus-5g
speak EN -РУ-عربي-FR

Question Bricked OP 2T 12GB/256GB

Hi fellow XDA members,
I had my OP Nord 2T rooted and tried to revert back to stock by:
- Turning off the modules in Magisk
- Lock bootlader via fastboot => corrupted image boot/recovery message
I then tried to flash a payload.bin file via mtk_gui and only realized after the transfer that it was the CPH2401 file instead of the CPH2399 file. The mtk-gui was not responsive after the 100% transfer and also the phone stopped responding... Unfortunately my phone now seems dead, the screen stays black, the phone is sometimes recognized in mtk_gui, but there is no succesful handshake anymore :/
Is there any way for me to get the phone back alive from it's current state? Can someone share the CPH2399 A11 stock ROM? Maybe I could flash this stock rom if the phone manages a succefull connection via mtk_gui. Is there maybe another way I should try to tackle this issue?
I will be happy to donate some money via PayPal to those that are able to get my phone back working.
Dump from cmd when using mtk_gui. It freezes after the last line displayed below.
Port - Device detected
Preloader - CPU: MT6893(Dimensity 1200)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x950
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 49939DEBB365775208865EAA0DCE5FFE
Preloader - SOC_ID: 2A32AFFED999CD65E36EAF4C8A2666625DAEBBB505E6F6D650E8837D23B3F6E0
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
....Port - Device detected
Preloader - CPU: MT6893(Dimensity 1200)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x950
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 49939DEBB365775208865EAA0DCE5FFE
Preloader - SOC_ID: 2A32AFFED999CD65E36EAF4C8A2666625DAEBBB505E6F6D650E8837D23B3F6E0
Port - Device detected
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin
xflashext - Patching da1 ...
xflashext
xflashext - [LIB]: ←[33mError on patching da1 version check...←[0m
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS FWVer: 0x31
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: KLUEG8UHDC-B0E
DAXFlash - UFS CID: ce014b4c55454738554844432d423045
DAXFlash - UFS LU0 Size: 0x3b96000000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : ce014b4c55454738554844432d423045
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - UFS FWVer: 0x31
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: KLUEG8UHDC-B0E
DAXFlash - UFS CID: ce014b4c55454738554844432d423045
DAXFlash - UFS LU0 Size: 0x3b96000000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - HW-CODE : 0x950
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x2
DAXFlash - DA-VERSION : 1.0
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - DA Extensions successfully added
mtk_gui freezes after the DA Extensions successfully added
Can someone share the scatter file of Oneplus Nord 2T?
I would recommend you to give your phone to service center and tell them that the new update bricked your phone. They will have the firmware to fix your device. That's how I managed to fix my device.

Asus Zenfone Max Plus M1 [X018D] bricked - some advice to recover data ?

Hello XDA community !
To be honest I'm a newbie here, and not really experienced on mobile phone technical stuff
My Zenfone suddenly stopped working last week, without any particular reason.
The only thing I can see when I on the device is the "Powered by Android" logo. But nothing else happens after.
Then I wanted to start the recovery menu, but even when I select "recovery mode" or "fastboot" nothing happens, it's still showing "Powered by Android" logo and no more
See this screenshot :
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I tried to plug the device with USB to my linux laptop with android studio installed, but adb devices show nothing
I also tried to create a microSD card, bootable, with exFAT partition and put the phone firmware on the root of the card (as described https://www.asus.com/supportonly/zenfone max plus (m1)(zb570tl)/helpdesk_download/). Even with it, recovery or fastboot options give the same screen as above
My idea was to be able to boot from sd card and be able to "revive" somehow the phone, and at least being able to download user data from it with the help of adb
I'm not sure if it's possible of if I should prepare the microsd with another format or partition layout
Any idea to guide me ?
Don't think you can recover any user-data this because probably bootloader completely got corrupted. Re-flash Stock ROM.
Thanks for your answer.
Sorry also because I made a mistake : I think fastboot mode is active
What I did : In the menu above, I selected "Fastboot mode"
then I got an output : "CSC FASTBOOT mode"
Then I plugged the phone on my laptop USB
The "lsusb" command returned an additionnal device :
Code:
Bus 001 Device 004: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo / FP1
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0bb4 HTC (High Tech Computer Corp.)
idProduct 0x0c01 Dream / ADP1 / G1 / Magic / Tattoo / FP1
bcdDevice 1.00
iManufacturer 1 MediaTek
iProduct 2 Android
iSerial 3 J1AXJR04D658EJ6
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 256mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 66
bInterfaceProtocol 3
iInterface 4 fastboot
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Device Status: 0x0001
Self Powered
"adb devices" still returns nothing but "fastboot devices" does :
J1AXJR04D658EJ6 fastboot
"fastboot reboot" does also reboot the phone ...
From there I guess at least I can do something. I don't know if I'll be able to recover some data, but anyway if I can recover my phone that would be fine too.
you can unlock bootloader with mtkclient (do a backup beforehand) and flash TWRP from fastboot, to see if that leads to something.
ok thanks a lot. I'll have a look to mtkclient / TWRP and try to manage !
Will let you know soon.
keep in mind unlocking from fastboot forces factory reset. It will flush keystore in TEE, don't try this even with full backup. TEE can't backed up.
unlocking from mtkclient afaik does not wipe userdata. but do a backup of userdata + metadata + seccfg (or even better full dump) just in case.
you can try to boot into EDL mode with both vol keys + usb, modified fastboot, DIY deep flash cable or test point method.
[GUIDE][TOOL] Reboot to EDL mode from FASTBOOT! No More "Test Point Method"! [kenzo]
[GUIDE][TOOL] Reboot to EDL mode from FASTBOOT! No More "Test Point Method"! [kenzo] Reboot to EDL mode from FASTBOOT! No more Test Point Method needed ;) Technical Details: Redmi Note 3 support rebooting to EDL in Android Bootloader aboot...
forum.xda-developers.com
also please note TWRP is maybe not able to decrypt, because encryption keys are bonded to bootloader lock state.
however some people claim it's possible, maybe due the fact that seccfg is patched in way to circumvent this (untested).
if you can't boot into recovery from bootloader, you can boot into file from fastboot (requires bootable slot)
Code:
fastboot boot twrp.img
thanks Alecxs for all the information. I'll take some time to read carefully everything.
In the meantime, I installed successfully mtkclient on my laptop. I didn't know about this tool before
I used first the read partition tool, which went fine for almost all partitions except userdata :-(
it started but stopped after 9 GB (over 52) with the following message
Failed to dump sector 12517376 with sector count 109592543 as MyZenfone-partition dump/userdata.bin
18.0% Read (Sector 0x12D6C80 of 0x6883FDF, 42m:19s left) 18.67 MB/sDAXFlash
DAXFlash - [LIB]: Error on reading data: MMC error (0xc0040030)
looks like game over ...
well.. if this is game over, then you have nothing to lose I guess? so backup all partitions excluding userdata (--skip=userdata) then only try to unlock seccfg (do not erase any partition ignore instructions) then boot into fastboot and check if TWRP can boot
TRY AT OWN RISK YOU MAY CORRUPT USERDATA ENCRYPTION OR ERASE USERDATA​
Code:
python3 mtk da seccfg unlock
python3 mtk payload --metamode FASTBOOT
fastboot boot path/to/twrp.img
might be possible to dump userdata excluding unreadable sectors. but you need to read the instructions. nevertheless the dump (even if healthy) is impossible to decrypt on PC, can only be decrypted on the origin phone itself...
thanks alecxs, I think I'll try to boot into twrp
My concern is to find a suitable twrp for my device. There is no official port for Asus X018D
I tried to find it by googling and found this on "unofficial twrp" site
twrp 3.2.3 For Mediatek MT6750 Phone
which could be ok for mine maybe except they it's for android 8 and 8.1, while I was still on Nougat 7
I don't know if trying this could work or not ?
you need TWRP for the Plus variant. can you share boot.img + recovery.img read off device?
yes I can share the dumped partitions from mtkclient (the extension is .bin)
boot.bin :
boot.bin
drive.google.com
recovery.bin
recovery.bin
drive.google.com
okay let me try to port generic TWRP. you can meanwhile try that Oreo+recovery+tested.img (login required)
edit: X018D_TWRP.img for android 9 (no login required)
So I tried to unlock bootloader from mtkclient, which resulted in :
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Done |--------------------------------------------------| 0.0% Write (Sector 0x0 of 0x1) 0.00 MB/sDAXFlash
DAXFlash - [LIB]: Error on writeflash: MMC error (0xc0040030)
and then after (maybe I shouldn't have ...)
python3 mtk payload --metamode FASTBOOT
I think I did something wrong, because now I cannot list GPT
python mtk printgpt
gives
Code:
Port - Device detected :)
Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x326
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Preloader - ME_ID: 10A8E97D4708BDEB74D8D7B3C7E0EBFA
PLTools - Loading payload from mt6755_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/laurent/Applications/DevOps/Android/mtkclient/mtkclient/payloads/mt6755_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2136.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash
DAXFlash - [LIB]: Error jumping to DA: -1
actually, the second command was just to exit preloader mode and switch into fastboot... sorry for the confusion. I have also attached the android 7 version of twrp for testing.. (see above)
If I got this right, unlocking was trying to write Sector 0x0 of 0x1 but it deny writing anything because eMMC is not writeable at 0xc0040030. But isn't that in userdata area?
however, on android 7 for some mediatek devices it's possible to boot into TWRP on locked bootloader. but needs flashing. you can try another flash tool, but it requires windows
edit:
@arthur.levene I got it wrong, seems there is also linux version. Anyway, please read golden rules for SP Flash Tool.
I recommend to create your own scatter file based on the current partition table, either with mtkclient or with WwR MTK v2.51 (most likely you can use the one that already comes with that twrp as the recovery start address is at 0x8000 on many devices, but I personally generally don't trust any scatter file just random downloaded).
lol thought 0xc0040030 was the address of the unreadable sector. turns out it is a fault code. so that could mean eMMC error (most likely) or insufficient permissions.
So any flashing attempts will probably fail no matter what tool used. maybe there is a cheat with heating gun or refrigerator (just guesswork, beware of condensating water)
thanks again alecxs for your time and advice.
I will continue my investigations based on your informations. If i understand your comment about eMMC error, this is not good news.
I will try also the flashing solution in case it could work, though not very skilled on that part too
actually I have never used mtkclient myself but according to documention flashing looks quite easy.
Code:
python3 mtk w recovery twrp.img
However, as you stated in OP you can't enter recovery mode from bootloader menu, so this could be bigger challenge.
I tried but currently I have an error
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - DA Extensions successfully added
Done |--------------------------------------------------| 0.0% Write (Sector 0x0Progress: |███████-------------------------------------------| 14.0% Write (SectProgress: |██████████████------------------------------------| 28.0% Write (Sector 0x2000 of 0x7254, 01s left) 6.74 MB/s
DAXFlash
DAXFlash - [LIB]: unpack requires a buffer of 12 bytes
quick search gives hint is might be driver issue. but you're on linux right? you could try again with libusb-1.0-0-dev_1.0.26-1_amd64.deb
https://github.com/bkerler/mtkclient/issues/192

mi account bypass redmi 9A

I'm noob to android cracking/bypassing
Is there any way to bypass the screen 'This device is locked' Activate or Open WF? I flashed firmware dandelion_global_images_V12.5.7.0.RCDMIXM_20221107.0000.00_11.0_global_3319fae180.tgz successfully
I use linux arch and I've read that you need to format 'persist' +'frp' partitions
Cheers guys!
tendouser said:
I'm noob to android cracking/bypassing
Is there any way to bypass the screen 'This device is locked' Activate or Open WF? I flashed firmware dandelion_global_images_V12.5.7.0.RCDMIXM_20221107.0000.00_11.0_global_3319fae180.tgz successfully
I use linux arch and I've read that you need to format 'persist' +'frp' partitions
Cheers guys!
Click to expand...
Click to collapse
Hi, try this.
Jan Skokan said:
Hi, try this.
Click to expand...
Click to collapse
it doesn't work
there is an unbricking thingy called SPflash tool, it might work for what you want
Ivan.Adriazola said:
there is an unbricking thingy called SPflash tool, it might work for what you want
Click to expand...
Click to collapse
I installed mtkclient under arch successfully and ran it in the terminal....
Code:
mtkclient]# python mtk payload
MTK Flash/Exploit Client V1.6.1 (c) B.Kerler 2018-2023
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
mtkclient]# python mtk payload
MTK Flash/Exploit Client V1.6.1 (c) B.Kerler 2018-2023
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
...........
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
.....Port - Device detected :)
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 46D2502A61B6F1630BA8BCECFBB37D02
Preloader - SOC_ID: 63AF61F17131312A0BA4C909AA5A849D22A50DF2CC7A880698AF40C4F21655BB
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/*******/mtkclient/mtkclient/payloads/mt6765_payload.bin
I guess it was patched in latest dandelion ROM since is not working in order to disable SLA/DAA (Mi Account)
tendouser said:
I installed mtkclient under arch successfully and ran it in the terminal....
Code:
mtkclient]# python mtk payload
MTK Flash/Exploit Client V1.6.1 (c) B.Kerler 2018-2023
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
mtkclient]# python mtk payload
MTK Flash/Exploit Client V1.6.1 (c) B.Kerler 2018-2023
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
...........
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
.....Port - Device detected :)
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 46D2502A61B6F1630BA8BCECFBB37D02
Preloader - SOC_ID: 63AF61F17131312A0BA4C909AA5A849D22A50DF2CC7A880698AF40C4F21655BB
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/*******/mtkclient/mtkclient/payloads/mt6765_payload.bin
I guess it was patched in latest dandelion ROM since is not working to disable SLA/DAA (Mi Account)
Click to expand...
Click to collapse
Listen I don't know enough about it to understand all that code, but that's not entirely what I was suggesting, I was suggesting you investigate the unbricking tool SPflash tool and how to use it
The first step would be to install MTK drivers, then the libisb filter wizard, turn off your phone, plug it and pressing both volup voldown at the same time, installing filter for your device, using a bootroom bypass tool, and then using SPFlash tool.
That would be useful if you havent unlocked bootloader, if you did, I'm pretty sure you can even just use miflash tool.
Look for yurian's post, I've left extensive guides on how to unbrick dead devices, from what I understand that's not what you want, but it should work as in it (maybe) would work on the worst possible scenario, I haven't tried on locked bootloader, but from what I gather of how it is supposed to work it's definitely possible.
The first step would be to install MTK drivers, then the libisb filter wizard, turn off your phone, plug it and pressing both volup voldown at the same time, installing filter for your device, using a bootroom bypass tool, and then using SPFlash tool.
Click to expand...
Click to collapse
is there any tutorial on how to install those drivers/filters under linux?
tendouser said:
is there any tutorial on how to install those drivers/filters under linux?
Click to expand...
Click to collapse
Uff... Gotta be honest, I've used both Linux and windows, Linux is great for people that know a lot more about programming than me, even myself (I consider myself an ignorant) have found stuff easier to do in Linux than windows, but for really useful stuff, someone always made it before you and even left instructions, the difference is on windows they tell it like you're dumb and in Linux they assume you know it already.
IDK man, I can't help you.

Categories

Resources