So most of you probably don't know what mtkclient is. It is basically an exploit which is used to boot any (mtk) phone into BROM mode (basically EDL for mtk)
I am writing this guide especially for the RM6785 community.
This tool is very useful, you can unlock almost any mediatek device using it (brand won't matter), you can write partitions, read partitions, and even erase partitions.
This tool can also get you out of any kind of brick!
Thanks to bkerler for making such an amazing tool!
How to use it?
Well first of all, I will talk about how to install it inside windows, because most of the users here are most likely using windows.
Download the mtkclient folder from here: https://github.com/bkerler/mtkclient/archive/refs/heads/main.zip
Extract it, and open it.
Now it's time to download Python.
If you are on Windows 11/10, you can download Python directly from the Microsoft Store, and I recommend you do it from there.
If you are on Windows 8.1 or lower, you will have to download it from the web.
After the Python installation is complete, open the command prompt inside the mtkclient-main folder, connect to the internet, and type:
pip3 install -r requirements.txt
and wait for it to install completely.
This will basically set up mtkclient to perform every command.
(ignore this warning)
So after this command is done, you need to install usbdk.
Releases · daynix/UsbDk
After you install usbdk, just restart your PC.
So your mtkclient setup is finished now!
Now you can basically do anything with it.
Let me tell you how it works:
For example, if you want to flash something into a partition, you do:
python mtk w *partitionname* *filename*
The w indicates "write".
So, for example, if I want to flash, let's say, the boot img:
python mtk w boot *location of the boot img*
in simple words:
python mtk w boot boot.img
to pull a partition from your device:
python mtk r *partitionname* *filename*
The r indicates "read".
You can pull the image as any name that you'd like.
example:
python mtk r vbmeta realme6vbmeta.img
to erase partitions:
python mtk e *partition*
The e indicates "erase".
So, for example, I want to clear my userdata partition:
python mtk e userdata
You can also write, flash, erase multiple partitions at once.
for example:
python mtk w boot,vbmeta boot.img,vbmeta.img
python mtk r dtbo,boot dtbo.img,boot.img
python mtk e metadata,userdata
you can also unlock the bootloader through it:
python mtk da seccfg unlock
so to actually begin the flashing/reading/erasing process, enter the command.
power off your device
hold both of the volume buttons, and quickly connect usb (do not leave the volume buttons until the command is done)
So that is basically how you use it, thanks for reading!
I will make a version for linux users soon!
Hey, I am getting a handshake failed error, not sure how to fix this.
Sidharth09 said:
So most of you probably don't know what mtkclient is. It is basically an exploit which is used to boot any (mtk) phone into BROM mode (basically EDL for mtk)
Hello, have you made the Linux version?
Thank you for this guide. I have encountered an error on a Tecno Spark 8C (kg5j) when trying either of the commands in Ubuntu.
Here is the output of the error.
-----
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash
DAXFlash - [LIB]: Error jumping to DA: -1
-----
Johnhek said:
handshake failed error
Check this out: https://github.com/bkerler/mtkclient/issues/52
Fair warning, there are a TON of multiple GB dependencies to make this work. I'm seriously starting to wonder if trying to unbrick my $1,800 device is even worth the trouble.
I have an RFinder B1+ with an MTK 6765 chipset. It has external batteries only and boot loops when one is attached due to a bad lk.img flash. The device does show up briefly in Windows Task Manager as a MediaTek COM port when I plug in a USB cable with no battery attached.
Should I plug in the battery first or try to run mtkclient without it?
I was using the "wl" command (write list: write partitions from directory to flash) and I had a very dumb issue:
I moved the partition images to the mtkclient folder and started the wl command, but when the partitions were all copied, the command continued checking all the subfolders looking for more partition files to write to the phone... and it "found" one: inside the python lib folder there is a file called gpt, and the command overwrote my pgpt partition with that file!
Now of course any command trying to read or write partitions crashes because the pgpt partition is corrupt.
I can read sectors and indeed I have confirmed that the contents of the first sectors (that would correspond to the pgpt partition) actually contain plain text from the pgt file in the python lib folder.
Before this mistake, I saved the gpt table to a file and I also have gpt scatter information from my phone.
I would need help to restore the pgpt partition using the sgpt partition, or using the pgt scatter information, or the gpt table copied from my phone before the deletion, or any other way to restore the phone...
Can someone help me?
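Before any saved table is written back, it helps to confirm that the saved copy is an intact GPT and to see exactly how the region read from the phone fails. The following is an added example, not part of the post above and not mtkclient code: it checks the `EFI PART` signature and both CRC32 fields of a dump that starts at LBA 0 (an assumed layout for the saved file); `check_gpt` and `build_sample` are hypothetical names and the sample images are constructed.

```python
import struct
import zlib

GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, little-endian
HDR_LEN = struct.calcsize(HDR_FMT)
ENT_FMT = "<16s16sQQQ72s"        # 128-byte partition entry


def check_gpt(blob):
    """Validate a dump that starts at LBA 0; return verdict, reason, partitions."""
    result = {"ok": False, "reason": "", "sector_size": None, "partitions": []}
    # eMMC uses 512-byte sectors, UFS 4096; the primary header sits at LBA 1.
    ss = next((s for s in (512, 4096) if blob[s:s + 8] == GPT_SIG), None)
    if ss is None:
        result["reason"] = "no 'EFI PART' signature at LBA 1"
        return result
    result["sector_size"] = ss
    if len(blob) < ss + HDR_LEN:
        result["reason"] = "header truncated"
        return result
    (_sig, _rev, hdr_size, hdr_crc, _rsv, _cur, _bak, _first, _last, _guid,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack_from(HDR_FMT, blob, ss)
    if not HDR_LEN <= hdr_size <= ss:
        result["reason"] = "implausible header size"
        return result
    hdr = bytearray(blob[ss:ss + hdr_size])
    hdr[16:20] = bytes(4)        # the CRC covers the header with this field zeroed
    if zlib.crc32(hdr) != hdr_crc:
        result["reason"] = "header CRC mismatch"
        return result
    start = ent_lba * ss
    end = start + n_ent * ent_size
    if ent_size < 128 or end > len(blob):
        result["reason"] = "partition entry array truncated or malformed"
        return result
    table = blob[start:end]
    if zlib.crc32(table) != ent_crc:
        result["reason"] = "partition entry array CRC mismatch"
        return result
    for i in range(n_ent):
        entry = table[i * ent_size:(i + 1) * ent_size]
        if entry[:16] == bytes(16):
            continue             # all-zero type GUID marks an unused slot
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").split("\0", 1)[0]
        result["partitions"].append((name, first, last))
    result["ok"] = True
    result["reason"] = "header and entry CRCs match"
    return result


def build_sample(ss=512, names=("boot", "vbmeta", "userdata")):
    """Constructed image for the demo: LBA 0 filler, GPT header, entry array."""
    n_ent, ent_size, lba = 128, 128, 64
    table = bytearray(n_ent * ent_size)
    for i, name in enumerate(names):
        struct.pack_into(ENT_FMT, table, i * ent_size, bytes([i + 1]) * 16,
                         bytes([i + 0x41]) * 16, lba, lba + 31, 0,
                         name.encode("utf-16-le"))
        lba += 32
    hdr = bytearray(struct.pack(HDR_FMT, GPT_SIG, 0x00010000, HDR_LEN, 0, 0, 1,
                                0, 34, lba - 1, bytes(range(16)), 2, n_ent,
                                ent_size, zlib.crc32(table)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    return bytes(ss) + bytes(hdr).ljust(ss, b"\0") + bytes(table)


if __name__ == "__main__":
    saved_backup = build_sample()
    # Constructed stand-in for sectors that now hold text from a stray file.
    clobbered = b"# text from a stray file named gpt\n" * 600
    for label, blob in (("saved backup", saved_backup), ("read from phone", clobbered)):
        r = check_gpt(blob)
        print(label, "->", r["ok"], "|", r["reason"], "|", [p[0] for p in r["partitions"]])
```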
I have an LG K61. I can use mtkclient but I have no fastboot. I'm wondering if it's possible to boot a bin without flashing it (like fastboot boot recovery.img), because I think that the only reason I can't install a working TWRP on my device is the way I flash it, directly to the boot partition.
Maybe it is possible to flash the recovery to the b slot, force boot from that slot, flash the zip from TWRP to the boot_a partition, then set a slot?
Sidharth09 said:
So most of you probably don't know what mtkclient is. It is basically an exploit which is used to boot any (mtk) phone into BROM mode (basically EDL for mtk)
Hi, not quite sure about the terminology in the commands part. If I want to root / give root access to my phone, which command should I use?
darklight_69 said:
Hi, not quite sure about the terminology in the commands part. If I want to root / give root access to my phone, which command should I use?
You read the boot_a.bin from your phone to your PC via mtkclient. You then rename it to boot_a.img, then you turn on your phone, move the img to it, install Magisk, patch the boot.img, move it to your PC again, rename the patched file to *.bin again and flash it to your boot_a partition via mtkclient.
Jaguar_90 said:
You read the boot_a.bin from your phone to your PC via mtkclient. You then rename it to boot_a.img, then you turn on your phone, move the img to it, install Magisk, patch the boot.img, move it to your PC again, rename the patched file to *.bin again and flash it to your boot_a partition via mtkclient.
If it's not a bother, could you please make a detailed step-by-step or link a post with detailed instructions on how to do exactly what you've said? Sorry, I am having a hard time comprehending the steps and don't want to mess up the procedure. Thank you.
Or can I PM you instead?
darklight_69 said:
If it's not a bother, could you please make a detailed step-by-step or link a post with detailed instructions on how to do exactly what you've said? Sorry, I am having a hard time comprehending the steps and don't want to mess up the procedure. Thank you.
Or can I PM you instead?
Here are more detailed steps.
You need to find out if the phone is using AB slots or not. For AB slot partitions, you need to know which slot is active and flash accordingly.
Use mtkclient to copy the boot_a.bin.
For AB slot: python mtk r boot_a boot_a.bin
For AB slot: python mtk r boot_b boot_b.bin
For single slot: python mtk r boot boot.bin
You rename it to boot_a.img
Copy the boot_a.img to phone's internal storage.
Install Magisk on the phone.
Open Magisk app.
Click the Install button.
Select the patch the image file option.
After you patched boot_a.img, copy the patched boot_a.img to the PC.
Rename the patched boot_a.img to boot_a.bin.
Use MTKClient to flash it to the boot_a partition.
For AB slot: python mtk w boot boot.bin
For AB slot: python mtk w boot_a boot_a.bin
For single slot: python mtk w boot_b boot_b.bin
Edited this instead since I can't delete this reply, please ignore this one.
I want to ask some questions here in advance after reading the entire process so I can reduce the unnecessary replies from me lol
magi44ken said:
You need to find out if the Phone is using AB slot or not. For AB slot partitions, you need to know which slot is active and flash accordingly.
-my phone is using a/b slot and is currently on B slot
magi44ken said:
Use mtkclient to copy the boot_a.bin.
For AB slot: python mtk r boot boot.bin
For AB slot: python mtk r boot_a boot_a.bin
Do I need to run all of them one by one?
And in the 2nd command's case, since I'm currently in slot B, should I rename "boot_a | boot_a.bin" to "boot_b | boot_b.bin"?
magi44ken said:
You rename it to boot_a.img
Okay, for this part it's just changing the extension.
magi44ken said:
Copy the boot_a.img to phone's internal storage.
You mean like the regular transfer when the phone is on, right? XD
magi44ken said:
Install Magisk on the phone.
Open Magisk app.
Click the Install button.
Select the patch the image file option.
After you patched boot_a.img, copy the patched boot_a.img to the PC.
Rename the patched boot_a.img to boot_a.bin.
Use MTKClient to flash it to the boot_a partition.
For AB slot: python mtk w boot boot.bin
For AB slot: python mtk w boot_a boot_a.bin
For single slot: python mtk w boot_b boot_b.bin
Well, the earlier questions will clear up the confusion in this part anyway, but I still got the gist of it.
Also, on this post, it mentioned something about vbmeta.img. Do I no longer need that?
Hello, if I have a bin file (Rom1) from another device, can I read the rpmb key with mtkclient this way?
I do not understand these messages:
mtkclient-main\mtk_gui:557: DeprecationWarning: Enum value 'Qt::ApplicationAttribute.AA_EnableHighDpiScaling' is marked as deprecated, please check the documentation for more information.
QApplication.setAttribute(Qt.AA_EnableHighDpiScaling, True)
...and...
\mtkclient-main\mtk_gui:118: DeprecationWarning: Function: 'QLibraryInfo.location(QLibraryInfo.LibraryPath location)' is marked as deprecated, please check the documentation for more information.
translations_path = QLibraryInfo.location(QLibraryInfo.TranslationsPath)
When trying to flash the preloader, the execution of the command started like this:
Device detected : )
Preloader - CPU: MT6771/MT8385/MT8183/MT8666(Helio P60/P70/G80)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x788
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5649224A4BD6F0263F7ABC130DCE05AA
Preloader - SOC_ID: 67EB8D8456F3D36A30C5801507195F549290F216EF032600F78136D5E0D540D5
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
It is a Unihertz Titanium (UFS) that stopped responding. The previous owner tried to prepare the bottles of Gargoyle-LOS20 by deleting user data, cache and system. I would like to help him and save the device for him.
I would like to use the graphical interface of mtkclient. But unfortunately the tool does not load the files from the unpacked stock ROM...where do I have to put the files in the mtkclient-main directory?
How come your preloader gets detected? Mine only shows up for 1 sec in Device Manager.
I tried installing directly from here: https://github.com/bkerler/mtkclient. It works for the most part. But I would have liked to use the graphical interface, but that somehow fails. The files don't load into the selection windows and the command buttons don't respond either. Only the terminal control works. But I could not flash the preloader yet. The battery of the device doesn't seem to be charged either. I can't control this...is this possibly a hindering problem?
Medionato said:
I tried installing directly from here: https://github.com/bkerler/mtkclient. It works for the most part. But I would have liked to use the graphical interface, but that somehow fails. The files don't load into the selection windows and the command buttons don't respond either. Only the terminal control works. But I could not flash the preloader yet. The battery of the device doesn't seem to be charged either. I can't control this...is this possibly a hindering problem?
Which device are you using?
Does anybody know how to solve this problem? I get this whenever I try to extract boot.bin.
Code:
.DeviceClass
DeviceClass - [LIB]: ←[31mCouldn't get device configuration.←[0m
Related
[WIP]Dissecting the bootloader aka: get rid of annoying "Your device is corrupt"
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488 0x1188 Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771 0x168B Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908 0x1AFC Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408 0x3078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_a > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf -a abc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x9fa00000
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NULL 0x000000 0x00000000 0x00000000 0x00094 0x00000 0
NULL 0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000 0x1000
LOAD 0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
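The program header table printed by readelf gives each segment's file offset and size, which is enough to work out how many bytes of the dump the ELF image spans and which segment each binwalk hit falls in. The following is an added example, not foobar66's code: an ELF32 program-header parser run on a header rebuilt from the values printed above; the function names are hypothetical, and the flags of the two NULL entries, which readelf prints blank, are assumed to be 0.

```python
import struct

EHDR_FMT = "<HHIIIIIHHHHHH"   # ELF32 header fields that follow the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"        # type, offset, vaddr, paddr, filesz, memsz, flags, align
PT_NAMES = {0: "NULL", 1: "LOAD"}


def elf32_segments(data):
    """Return the program headers of a little-endian ELF32 image as dicts."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x01\x01":
        raise ValueError("not a little-endian ELF32 image")
    (_type, _machine, _version, _entry, phoff, _shoff, _flags, _ehsize,
     phentsize, phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(
        EHDR_FMT, data, 16)
    if phentsize < struct.calcsize(PHDR_FMT) or phoff + phnum * phentsize > len(data):
        raise ValueError("program header table is outside the supplied bytes")
    segs = []
    for i in range(phnum):
        p_type, off, vaddr, _paddr, filesz, memsz, flags, _align = struct.unpack_from(
            PHDR_FMT, data, phoff + i * phentsize)
        segs.append({"index": i, "type": PT_NAMES.get(p_type, hex(p_type)),
                     "offset": off, "end": off + filesz, "vaddr": vaddr,
                     "memsz": memsz, "flags": flags})
    return segs


def file_extent(segs):
    """Bytes of the dump the ELF occupies: the highest segment end offset."""
    return max(s["end"] for s in segs)


def segment_at(segs, offset):
    """Index of the segment whose file range holds `offset`, or None."""
    for s in segs:
        if s["offset"] <= offset < s["end"]:
            return s["index"]
    return None


def cut_by(segs, length):
    """Indices of segments that lose data if only `length` bytes are kept."""
    return [s["index"] for s in segs if s["end"] > length]


def build_sample_header():
    """Constructed 148-byte ELF header + program headers from the readelf output.

    p_flags of the two NULL entries are not shown on the page; 0 is assumed.
    """
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack(EHDR_FMT, 2, 40, 1, 0x9FA00000, 52, 0, 0, 52, 32, 3, 0, 0, 0)
    phdrs = [
        (0, 0x000000, 0x00000000, 0x00000000, 0x00094, 0x00000, 0, 0),
        (0, 0x001000, 0x9FA30000, 0x9FA30000, 0x01988, 0x02000, 0, 0x1000),
        (1, 0x003000, 0x9FA00000, 0x9FA00000, 0x30000, 0x30000, 7, 0x1000),
    ]
    return ident + ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


if __name__ == "__main__":
    segs = elf32_segments(build_sample_header())
    for s in segs:
        print(f"seg {s['index']} {s['type']:<4} file 0x{s['offset']:06x}-0x{s['end']:06x}")
    print("ELF spans", file_extent(segs), "bytes of the dump")
    for hit in (4488, 5771, 6908, 12408):      # offsets reported by binwalk
        print(f"binwalk hit at {hit} lies in segment {segment_at(segs, hit)}")
    print("segments cut by keeping 4488 bytes:", cut_by(segs, 4488))
```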
foobar66 said:
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
Wow! Excited to see this! Thanks
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Good job, if needed i can help with the checking
tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
abl.img is not the bootloader i guess.
tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
On other devices they've been able to swap this image with another one to "hide" the message, to "get rid of it".
Would be sweet if we could get rid of the unlocked bootloader message too.
dennisbednarz said:
Would be sweet if we could get rid of the unlocked bootloader message too.
+1
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till it fixes it, then u flash a proper kernel and you are good. Cuz as it stands one can only resolve this properly with the tool
jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till it fixes it, then u flash a proper kernel and you are good. Cuz as it stands one can only resolve this properly with the tool
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Use this https://forum.xda-developers.com/oneplus-6t/how-to/tool-6t-msmdownloadtool-v4-0-oos-9-0-5-t3867448
Should try several times with the instructions here
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had a yellow warning, but when I installed an AOSP GSI I had a red warning. One of the steps to install the ROM was flashing vbmeta and disabling dm-verity.
patelparth120595 said:
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had a yellow warning, but when I installed an AOSP GSI I had a red warning. One of the steps to install the ROM was flashing vbmeta and disabling dm-verity.
Disabled dm-verity caused red warning, i guess.
---------- Post added at 10:01 AM ---------- Previous post was at 09:58 AM ----------
foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
And then:
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Edited abl.img ? and flashed via recovery/fastboot ?
AnoopKumar said:
Edited abl.img ? and flashed via recovery/fastboot ?
No, just flashed using dd command in TWRP shell.
foobar66 said:
No, just flashed using dd command in TWRP shell.
Phone still dead ?
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
foobar66 said:
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
I assume that, there is nothing to do with the abl.img. Only thing we can do with it is change the default strings to a song lyric or something. abl.img is the uefi firmware i guess. Bootloader is using the images stored in the logo partition.
Gsi's flash without breaking verity if u flash to both slots. And totally format. Fastboot -w. The phone sees any changes to partitions as corruption and breaks verity, hence red warning.. if someone would be inclined to talk to invisiblek from the essential threads, he could tell u of a fix. The solution is not in abl. It's in the stock boot.img. if I had more time, I would help
---------- Post added at 02:52 PM ---------- Previous post was at 02:51 PM ----------
tech_head said:
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
No, they are talking about breaking verity also. Seems to be both messages, but more recently the broken verity message. Which there is two types, one u can boot from, one u cannot.
jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the Essential Phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till it fixes it, then u flash a proper kernel and you are good. Cuz as it stands one can only resolve this properly with the tool
I would love that idea. That would be really nice to have on our device
How to unlock the Realme 8 Pro bootloader?
1. You'd better write in English, to get a broader range of people who understand your question ;-).
2. Also waiting for that ... it's a shame.
Greetz
Kurt
How to unlock bootloader realme 8 5G
Answer from [email protected] from today :
Unlock Bootloader tutorial for Realme 8 Pro RMX3081 is not available as of now. Further, keep following our social media handles and official community portal for the latest updates,
Yeah, we can achieve the bootloader unlock of realme 8 pro. Mine is unlocked. The build number and security patch must be (RMX3081_11_A.44) (November 5,2021)
This is Export rom not the GDPR rom (EU)
Have flashed it and can unlock and flash files via fastboot.
OFP - Original Firmware Project :
Code:
Model Project Project ID Download link
RMX3081 20711 (Project ID-20711)_INDIA,MM,BD,PK RMX3081export_11_A.44 https://fileload.coloros.com/504197RMX3081export_11_A.44_2021110921030235.zip
RMX3081 20712 (Project ID-20712)_PH,VN,KH,-EG,IQ,MY RMX3081export_11_A.44 https://fileload.coloros.com/504198RMX3081export_11_A.44_2021110921100000.zip
RMX3081 20713 (Project ID-20713)_LUX,CH,ES,UK,FR,IT,DE,NL,BE,NO,PT,FIN,CY RMX3081GDPR_11_A.44 https://fileload.coloros.com/504200RMX3081GDPR_11_A.44_2021110921090000.zip
RMX3081 20713 (????) RMX3081export_11_A.44 https://fileload.coloros.com/504199RMX3081export_11_A.44_2021110921060000.zip
RMX3081 20714 (????) RMX3081export_11_A.44 https://fileload.coloros.com/504201RMX3081export_11_A.44_2021110921110000.zip
@Shibu Shaji share us the
getprop ro.build.display.full_id
Yeah, we can achieve the bootloader unlock of realme 8 pro. Mine is unlocked. The build number and security patch must be (RMX3081_11_A.44) (November 5,2021)
StratOS_HTC said:
This is Export rom not the GDPR rom (EU)
Have flashed it and can unlock and flash files via fastboot.
OFP - Original Firmware Project :
Code:
Model Project Project ID Download link
RMX3081 20711 (Project ID-20711)_INDIA,MM,BD,PK RMX3081export_11_A.44 https://fileload.coloros.com/504197RMX3081export_11_A.44_2021110921030235.zip
RMX3081 20712 (Project ID-20712)_PH,VN,KH,-EG,IQ,MY RMX3081export_11_A.44 https://fileload.coloros.com/504198RMX3081export_11_A.44_2021110921100000.zip
RMX3081 20713 (Project ID-20713)_LUX,CH,ES,UK,FR,IT,DE,NL,BE,NO,PT,FIN,CY RMX3081GDPR_11_A.44 https://fileload.coloros.com/504200RMX3081GDPR_11_A.44_2021110921090000.zip
RMX3081 20713 (????) RMX3081export_11_A.44 https://fileload.coloros.com/504199RMX3081export_11_A.44_2021110921060000.zip
RMX3081 20714 (????) RMX3081export_11_A.44 https://fileload.coloros.com/504201RMX3081export_11_A.44_2021110921110000.zip
@Shibu Shaji share us the
getprop ro.build.display.full_id
Here is my id : RMX3081export_11_A.44_2021110921030235
Yeah, see it's exported Project ID-20711 and don't have a bootloader locked.
Have flashed it previously and know that.
The GDPR versions of ROM you cannot do almost nothing 4 now.
Oh bro, this is not the GDPR version.. After I unlocked my bootloader, I tried to root the realme 8 pro with a patched boot image from the OFP ROM but it doesn't work for me..
Any thing to say about this?
StratOS_HTC said:
Yeah, see it's exported Project ID-20711 and don't have a bootloader locked.
Have flashed it previously and know that.
The GDPR versions of ROM you cannot do almost nothing 4 now.
Well, let me guide you through it:
Get the firmware in zip
Extract the boot.img and vbmeta files from the ofp file.
adb reboot bootloader
fastboot flashing unlock (Unlock bootloader)
*fastboot flashing unlock_critical
Use Magisk to patch the boot.img, use patched image as boot.img
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot flash boot boot.img
fastboot reboot
or use it with --force additional option
After it finishes, give feedback, please.
If successful, go back to fastbootd mode and provide me with two files fetched from the system
fetch could be limited in fastboot
fastboot fetch vbmeta vbmeta.xxx
fastboot fetch vbmeta_system vbmeta_system.xxx
U can get it via adb (I guess)
adb pull /dev/block/sde18 vbmeta
adb pull /dev/block/sde16 vbmeta_system
Since your project id is 20711
Guess your PCB shows 0020711*
dial : *#899#
press the PCB num
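What the `--disable-verity --disable-verification` step in the post above changes can be checked on any vbmeta image by reading the flags word of its AVB header. This is an added example, not code from the thread, fastboot or avbtool; the field layout follows libavb's `AvbVBMetaImageHeader`, and the sample images are constructed by the hypothetical helper `make_sample_header`.

```python
import struct
from dataclasses import dataclass

# Big-endian AvbVBMetaImageHeader fields up to and including release_string:
# magic, version major/minor, auth/aux block sizes, algorithm, eleven 64-bit
# offset/size/rollback fields, flags, rollback_index_location, release_string.
_HEADER = struct.Struct(">4s2L2QL11Q2L48s")
HEADER_SIZE = 256                   # full header including reserved bytes
FLAG_HASHTREE_DISABLED = 0x1        # requested by fastboot --disable-verity
FLAG_VERIFICATION_DISABLED = 0x2    # requested by fastboot --disable-verification
ALGORITHMS = {
    0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
    4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192",
}


@dataclass
class VbmetaInfo:
    avb_version: str
    algorithm: str
    rollback_index: int
    flags: int
    release: str

    @property
    def hashtree_disabled(self) -> bool:
        return bool(self.flags & FLAG_HASHTREE_DISABLED)

    @property
    def verification_disabled(self) -> bool:
        return bool(self.flags & FLAG_VERIFICATION_DISABLED)

    def findings(self) -> list:
        """Human-readable notes for anything that weakens verified boot."""
        notes = []
        if self.hashtree_disabled:
            notes.append("HASHTREE_DISABLED set: dm-verity hashtrees are not enforced")
        if self.verification_disabled:
            notes.append("VERIFICATION_DISABLED set: descriptors are not verified")
        if self.algorithm == "NONE":
            notes.append("algorithm NONE: image carries no signature")
        return notes


def parse_vbmeta(blob: bytes) -> VbmetaInfo:
    """Parse the fixed-size header at the start of a vbmeta image."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("too short to hold a vbmeta header")
    f = _HEADER.unpack_from(blob)
    if f[0] != b"AVB0":
        raise ValueError("bad magic, not a vbmeta image")
    return VbmetaInfo(
        avb_version=f"{f[1]}.{f[2]}",
        algorithm=ALGORITHMS.get(f[5], f"UNKNOWN({f[5]})"),
        rollback_index=f[16],
        flags=f[17],                # bytes 120..123 of the image
        release=f[19].split(b"\0", 1)[0].decode("ascii", "replace"),
    )


def make_sample_header(flags: int, algorithm: int = 1, rollback_index: int = 0) -> bytes:
    """Constructed sample header (not taken from any real firmware)."""
    head = _HEADER.pack(b"AVB0", 1, 0, 576, 1728, algorithm,
                        *([0] * 10), rollback_index, flags, 0, b"avbtool 1.1.0")
    return head.ljust(HEADER_SIZE, b"\0")


if __name__ == "__main__":
    for label, flags in (("stock", 0), ("flashed with both disable options", 3)):
        info = parse_vbmeta(make_sample_header(flags))
        print(f"{label}: flags=0x{info.flags:x} algorithm={info.algorithm}")
        for note in info.findings():
            print("  -", note)
```

To inspect a real image, pass the bytes of a vbmeta file (for example one pulled as in the post) to `parse_vbmeta`.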
StratOS_HTC said:
Well, let me guide you through it:
adb reboot bootloader
fastboot flashing unlock (Unlock bootloader)
Get the firmware in zip
Extract the boot.img and vbmeta files from the ofp file.
Use Magisk to patch the boot.img, use patched image as boot.img
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot flash boot boot.img
fastboot reboot
StratOS_HTC said:
Well, let me guide you through it:
Get the firmware in zip
Extract the boot.img and vbmeta files from the ofp file.
adb reboot bootloader
fastboot flashing unlock (Unlock bootloader)
*fastboot flashing unlock_critical
Use Magisk to patch the boot.img, use patched image as boot.img
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot flash boot boot.img
fastboot reboot
or use it with --force additional option
After it finishes, give feedback, please.
If successful, go back to fastbootd mode and provide me with two files fetched from the system
fetch could be limited in fastboot
fastboot fetch vbmeta vbmeta.xxx
fastboot fetch vbmeta_system vbmeta_system.xxx
U can get it via adb (I guess)
adb pull /dev/block/sde18 vbmeta
adb pull /dev/block/sde16 vbmeta_system
Yeah , tried but nothing seems to be work.
StratOS_HTC said:
Well, let me guide you through it:
Get the firmware in zip
Extract the boot.img and vbmeta files from the ofp file.
adb reboot bootloader
fastboot flashing unlock (Unlock bootloader)
*fastboot flashing unlock_critical
Use Magisk to patch the boot.img, use patched image as boot.img
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
fastboot flash boot boot.img
fastboot reboot
or use it with --force additional option
After it finishes, give feedback, please.
If successful, go back to fastbootd mode and provide me with two files fetched from the system
fetch could be limited in fastboot
fastboot fetch vbmeta vbmeta.xxx
fastboot fetch vbmeta_system vbmeta_system.xxx
U can get it via adb (I guess)
adb pull /dev/block/sde18 vbmeta
adb pull /dev/block/sde16 vbmeta_system
Yeah, I tried the steps that u said above to ROOT realme 8 pro, but it doesn't work for me... here are the steps that I did.
Fastboot mode
*Fastboot flashing unlock
*Fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
*Fastboot flash boot (magisk patched) boot.img
Result : Device went to bootloop. Retrieved from bootloop by flashing stock boot image that previously extracted from OFP file and now the device is fine.
Also tried this step
Fastboot mode
*Fastboot flashing unlock
*Fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
*Fastboot --disable-verity --disable-verification flash vbmeta_system vbmeta_system.img
*Fastboot --disable-verity --disable-verification flash vbmeta_vendor vbmeta_vendor.img
*Fastboot flash boot (magisk patched) boot.img
Result : Bootlooped. Retrieved by flashing stock boot image..
And also, I tried to BOOT patched boot image... and it shows
FAILED <remote: unknown command>
AVB is still active.
THX @Shibu Shaji
For showing us the 20711 EXPORT .44 ROM fastboot getvar all infos.
I have also the 20713 GDPR .44 ROM fastboot getvar all infos.
The bootloader in EXPORT is unlocked and is not userspaced.
From green to orange state ... some progress after all ...
It seems your bootloader unlocked? actually how? I think ur AVB is now disabled
StratOS_HTC said:
From green to orange state ... some progress after all ...
Wow, how did you do it?
currently via isp ufs access and help of a reversing from a friend.
On bootloop also ...
Oh bro, So what to do next? Is there any other problems with ur partitions after this?
Since EDL is not configured correctly (No kernel driver supported: Operation not supported or unimplemented on this platform) after the firehose programmer successfully boot ...
Also QFIL and unimplemented <CONFIGURE> or <SIG> and signed and certed things the only thing to do is via ISP UFS control.
OR possible USB port communication debug via MSM flash.
For EXPORT version have prepared seen action on the screen for this ROM
Code:
Project 20711
RMX3081
Version Flash MSM download tool v.2.0.51 for eMMC/UFS
Rom ofp : RMX3081export_11_A.28_202104090210
Server : India
Use default NV=yes
Reboot on finish=yes
Download Firehose protocol file
Sahara communication succeeded
Boot via firehose
Trying to handshake
Get sign data
Verify data
Getting NV code from server
Failed to get NV code. Default NV code would be used
Firehose GetUfsInfo
Erasing the partition Primarly GPT
Erasing the partition BackupGPT
Erasing the partition userdata
Downloading cdt_engineering_release.img
Erasing partition keystore
Downloading cache.img
Downloading recovery.img
Downloading metadata.img
Downloading userdata.img
Downloading gpt_main0.bin
Downloading xbl.elf
Downloading gpt_main1.bin
Downloading gpt_main2.bin
Downloading aop.mbn
Downloading tz.mbn
Downloading NON-HLOS.bin
Erasing the partition mdtpsecapp
Erasing the partition mdtp
Downloading abl.elf
Downloading dspso.bin
Downloading boot.img
Downloading devcfg.mbn
Downloading vbmeta_vendor.img
Downloading dtbo.img
Downloading imagefv.elf
Downloading oppo_sec.mbn
Downloading dpAP.mbn
Erasing the partition spunvm
Downloading splash.img
Downloading logfs_ufs_8mb.bin
Erasing the partition cateloader
Erasing the partition rawdump
Erasing the partition logdump
Download multi_image.mbn
Erasing the partition catefv
Downloading gpt_main4.bin
Download static_nvbk.bin
Erasing the partition opporeserve1
Downloading emmc_fw.bin
Downloading DRIVER.ISO
Downloading gpt_main5.bin
Restarting
Downloading Firehose protocol file
Sahara communication succeeded
Trying to handshake via Firehose
Configure the settings of Firehose
Get sign data
Verify data
Downloading super partsuper.0
Downloading super partsuper.1
Downloading super partsuper.2
Get basic data
Write patch image to user partition
Restarting
Download succeeded
Get sign data
Verify data
Currently non-implemented/documented also by MSM7125 ?
Unlocking bootloader on Nokia 5.1
Code:
#include <std_disclaimer.h>
/*
* Your warranty is... still valid/probably? (Subject to OEM's)
*
* We are not responsible for bricked devices, dead SD cards
* unpleasant experiences. Custom ROM's are Custom for a reason and
* as developers, we try our best to give you the most complete experience
* When you choose our ROM, its a choice which you make but it doesnt make us
* liable to any unfortunate events. But we will be happy to help for the greater good.
*/
Requirements:
PC with Linux/Windows/MacOS.
Nokia 5.1 with any version of Android.
Installed mtkclient with official instruction.
Straight arms.
If you are using Windows, installed preloader vcom driver.
Unlocking bootloader:
Open terminal (cmd) on folder with mtkclient.
Power off device.
Run command:
Code:
python mtk xflash seccfg unlock
Hold a Vol- button and connect device to PC.
Wait for the script to finish.
Enjoy unlocked bootloader.
Notes:
Data won't be wiped, but it is better to make backup.
Works on all MTK devices, except entering on BROM.
Hey will this work on vivo y91i with mt6762
Is there a possibility of phone getting bricked
This is not working on Redmi Note 11t 5g
belkaliz said:
Unlocking bootloader on Nokia 5.1
Code:
#include <std_disclaimer.h>
/*
* Your warranty is... still valid/probably? (Subject to OEM's)
*
* We are not responsible for bricked devices, dead SD cards
* unpleasant experiences. Custom ROM's are Custom for a reason and
* as developers, we try our best to give you the most complete experience
* When you choose our ROM, its a choice which you make but it doesnt make us
* liable to any unfortunate events. But we will be happy to help for the greater good.
*/
Requirements:
PC with Linux/Windows/MacOS.
Nokia 5.1 with any version of Android.
Installed mtkclient with official instruction.
Straight arms.
If you are using Windows, installed preloader vcom driver.
Unlocking bootloader:
Open terminal (cmd) on folder with mtkclient.
Power off device.
Run command:
Code:
python mtk xflash seccfg unlock
Hold a Vol- button and connect device to PC.
Wait for the script to finish.
Enjoy unlocked bootloader.
Notes:
Data won't be wiped, but it is better to make backup.
Works on all MTK devices, except entering on BROM.
Will Try for unlocking FRP
belkaliz said:
Unlocking bootloader on Nokia 5.1
Code:
#include <std_disclaimer.h>
/*
* Your warranty is... still valid/probably? (Subject to OEM's)
*
* We are not responsible for bricked devices, dead SD cards
* unpleasant experiences. Custom ROM's are Custom for a reason and
* as developers, we try our best to give you the most complete experience
* When you choose our ROM, its a choice which you make but it doesnt make us
* liable to any unfortunate events. But we will be happy to help for the greater good.
*/
Requirements:
PC with Linux/Windows/MacOS.
Nokia 5.1 with any version of Android.
Installed mtkclient with official instruction.
Straight arms.
If you are using Windows, installed preloader vcom driver.
Unlocking bootloader:
Open terminal (cmd) on folder with mtkclient.
Power off device.
Run command:
Code:
python mtk xflash seccfg unlock
Hold a Vol- button and connect device to PC.
Wait for the script to finish.
Enjoy unlocked bootloader.
Notes:
Data won't be wiped, but it is better to make backup.
Works on all MTK devices, except entering on BROM.
i tried it but it says
orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds....
then after that I got a bootloop, forcing me to relock it again and flash stock rom to fix my phone.
Anonymous V said:
i tried it but it says
orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds....
then after that I got a bootloop, forcing me to relock it again and flash stock rom to fix my phone.
the message "orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds...." is normal for bootloader unlocked mtk devices
$cronos_ said:
the message "orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds...." is normal for bootloader unlocked mtk devices
yeah i know that but in my case it cause a boot loop, after i unlock the bootloader and boot my phone because of the bootloop do you know how to fix it?
Anonymous V said:
i tried it but it says
orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds....
then after that I got a bootloop, forcing me to relock it again and flash stock rom to fix my phone.
You just have to go to recovery mode and wipe all data and then just reboot the phone will boot normally
St4rh4ck3r said:
You just have to go to recovery mode and wipe all data and then just reboot the phone will boot normally
Thanks for the answer! But I managed to unlock it without losing any data
Seems not working for vivo y72 5g, any help?
The command python mtk xflash seccfg unlock seems not to be working for mtk client also
Incomtus said:
Seems not working for vivo y72 5g, any help?
The command python mtk xflash seccfg unlock seems not to be working for mtk client also
Did you try the other command??
This command -----------> python mtk da seccfg unlock
Because we have the same problem and this one solves it, try it!
Anonymous V said:
Did you try the other command??
This command -----------> python mtk da seccfg unlock
Because we have the same problem and this one solves it, try it!
I already tried it, mtk client asks to plug the phone, I do it, it detects it, BUT two possibilities are happening every time I tried: it says the phone has been unplugged or it remains stuck on "trying kamakiri2" and nothing happens....
I installed mtk client again, I tried again and it does the same. Sometimes it gets stuck on "jumping on 0x0"
Incomtus said:
I already tried it, mtk client asks to plug the phone, I do it, it detects it, BUT two possibilities are happening every time I tried: it says the phone has been unplugged or it remains stuck on "trying kamakiri2" and nothing happens....
I installed mtk client again, I tried again and it does the same. Sometimes it gets stuck on "jumping on 0x0"
In developer options did you turn on the OEM unlock option?? The error (trying kamakiri2) happened to me; what I did is I reinstalled everything from Python to the preloader driver
Anonymous V said:
In developer options did you turn on the OEM unlock option?? The error (trying kamakiri2) happened to me; what I did is I reinstalled everything from Python to the preloader driver
Yes oem unlock is activated. okay you think that comes from python preloader driver? Can you give a little more details? It will be very nice
Incomtus said:
Yes oem unlock is activated. okay you think that comes from python preloader driver? Can you give a little more details? It will be very nice
I'm not quite sure why, but I think kamakiri2 uses Python to operate the whole process, that's why if Python is not working the whole process will not work too, while the preloader (it's a substitute of fastboot) helps the mtk client connect or communicate with ur phone, that's why if the drivers are corrupted or something wrong happened mtk client won't work correctly. Btw, while you are unlocking your bootloader did you see something like (DA failed to send or offset error)?
Anonymous V said:
I'm not quite sure why, but I think kamakiri2 uses Python to operate the whole process, that's why if Python is not working the whole process will not work too, while the preloader (it's a substitute of fastboot) helps the mtk client connect or communicate with ur phone, that's why if the drivers are corrupted or something wrong happened mtk client won't work correctly. Btw, while you are unlocking your bootloader did you see something like (DA failed to send or offset error)?
I am not sure bro, I will try again in the evening
Incomtus said:
I am not sure bro, I will try again in the evening
Ok bro, and to be sure pls put your mtk client log in here as well so we can all see the problem.
Anonymous V said:
Ok bro, and to be sure pls put your mtk client log in here as well so we can all see the problem.
Here is the logs
The first is when I try without touching any hw button:
Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x989
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Second with all buttons (just detect and lost it)
..Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x989
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
PLTools - Crashing da...
DeviceClass - USBError(19, 'No such device (it may have been disconnected)')
Preloader
Preloader - [LIB]: Error on DA_Send cmd
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Last try when i pushed vol- and on/off button got stuck on kamakiri2:
Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x989
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
PLTools - Loading payload from mt6833_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
<
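All three logs in the post above print the same `Target config: 0x5`, and the first one ends in `DAA_SIG_VERIFY_FAILED`. The added example below (not mtkclient code and not from the thread) parses such a log, decodes the config word and cross-checks it against the flags the tool printed. The bit layout in `TARGET_CONFIG_BITS` is an assumption chosen because it reproduces every flag shown for 0x5, the finding labels are hypothetical names, and `SAMPLE_LOG` is a shortened copy of the first log in the post.

```python
import re

# Assumed bit layout of "Target config" (not stated in the thread). It is
# used here because it reproduces every flag the log prints for 0x5.
TARGET_CONFIG_BITS = {
    "SBC enabled": 0x01,       # secure boot
    "SLA enabled": 0x02,       # serial link authentication
    "DAA enabled": 0x04,       # download agent authentication
    "SWJTAG enabled": 0x06,
    "EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT": 0x08,
    "Root cert required": 0x10,
    "Mem read auth": 0x20,
    "Mem write auth": 0x40,
    "Cmd 0xC8 blocked": 0x80,
}

SAMPLE_LOG = """\
Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW code: 0x989
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
"""

_LINE = re.compile(r"^\.*(\w+) - (.*)$")   # "<source> - <message>"


def parse_log(text):
    """Split a log into key/value fields, library errors and free-form notes."""
    fields, errors, notes = {}, [], []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue                        # bare "Preloader" lines, blanks
        source, msg = m.groups()
        if msg.startswith("[LIB]:"):
            errors.append(msg[len("[LIB]:"):].strip())
        elif source == "DeviceClass":
            errors.append(msg)
        else:
            key, sep, value = msg.partition(": ")
            if sep:
                fields[key] = value.strip()
            else:
                notes.append(msg)
    return {"fields": fields, "errors": errors, "notes": notes}


def decode_target_config(value):
    """Decode the config word with the assumed bit layout."""
    return {name: bool(value & mask) for name, mask in TARGET_CONFIG_BITS.items()}


def analyse(text):
    parsed = parse_log(text)
    fields = parsed["fields"]
    if "Target config" not in fields:
        raise ValueError("log has no 'Target config' line")
    config = int(fields["Target config"], 16)
    decoded = decode_target_config(config)
    printed = {k: fields[k] == "True" for k in TARGET_CONFIG_BITS if k in fields}
    findings = []
    if any("not in bootrom" in n for n in parsed["notes"]):
        findings.append("preloader-mode")
    if decoded["SBC enabled"]:
        findings.append("secure-boot-enabled")
    if decoded["DAA enabled"] and any("DAA_SIG_VERIFY_FAILED" in e for e in parsed["errors"]):
        findings.append("da-signature-rejected")
    if not decoded["SLA enabled"]:
        findings.append("no-serial-link-auth")
    return {
        "cpu": fields.get("CPU"),
        "target_config": config,
        "mismatches": sorted(k for k, v in printed.items() if decoded[k] != v),
        "findings": findings,
        "errors": parsed["errors"],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```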
I f****d up.
Hi everyone. I may have bitten more than I can chew. I'm trying to install a custom ROM to my recently unlocked Redmi Note 10 Pro. It's crDroid in case that's necessary.
I did a lot of things but I forgot most of them. Here's what I remember doing:
Connected my phone to my Linux computer.
Go into fastboot mode via the following command:
Code:
adb reboot bootloader
Use TWRP by running this in a terminal:
Code:
fastboot boot twrp.img
Went in to the wipe option in TWRP and do a complete factory reset and format data.
Pushed the custom ROM file to /sdcard.
Attempted to install the zip file via TWRP.
Got an error code. Forgot the code and I didn't take note of it. (Please make fun of me).
Attempted to reboot TWRP recovery by going to Reboot > Recovery
Reached stock MIUI Recovery.
And here I am.
I can only access MIUI Recovery 5.0 and fastboot mode, both by pressing the right buttons on the device.
I don't know what a bricked device is, but it sure does feel like my device is one.
Is there a way to solve this?
zepolyerf said:
I f****d up.
Hi everyone. I may have bitten more than I can chew. I'm trying to install a custom ROM to my recently unlocked Redmi Note 10 Pro. It's crDroid in case that's necessary.
I did a lot of things but I forgot most of them. Here's what I remember doing:
Connected my phone to my Linux computer.
Go into fastboot mode via the following command:
Code:
adb reboot bootloader
Use TWRP by running this in a terminal:
Code:
fastboot boot twrp.img
Went in to the wipe option in TWRP and do a complete factory reset and format data.
Pushed the custom ROM file to /sdcard.
Attempted to install the zip file via TWRP.
Got an error code. Forgot the code and I didn't take note of it. (Please make fun of me).
Attempted to reboot TWRP recovery by going to Reboot > Recovery
Reached stock MIUI Recovery.
And here I am.
I can only access MIUI Recovery 5.0 and fastboot mode, both by pressing the right buttons on the device.
I don't know what a bricked device is, but it sure does feel like my device is one.
Is there a way to solve this?
Drivers installed?
Hi! How can I check if drivers are installed? I'm on Linux, if that matters.
Your device isn't bricked until you can do absolutely nothing with it. Start by reflashing the factory firmware; this should get your device running again.
You should also still be able to boot TWRP just like you did. What ROM were you trying to use?
V0latyle said:
Your device isn't bricked until you can do absolutely nothing with it. Start by reflashing the factory firmware; this should get your device running again.
You should also still be able to boot TWRP just like you did. What ROM were you trying to use?
That's good to hear.
I'm trying to make another attempt to boot to TWRP. I'm currently in fastboot mode: running fastboot -l devices shows this:
Code:
f8b471a6 fastboot
usb:1-5
I tried following the official TWRP instructions to flash it. Ran fastboot flash recovery twrp.img and all I get is <waiting for device> as a response after running the command in the terminal.
I unplug the cable, then plug it back in to the computer, then this is what I got:
Code:
Sending 'recovery' (131072 KB) FAILED (Write to device failed (Device or resource busy))
fastboot: error: Command failed
Any ideas on how to get around this?
zepolyerf said:
That's good to hear.
I'm trying to make another attempt to boot to TWRP. I'm currently in fastboot mode: running fastboot -l devices shows this:
Code:
f8b471a6 fastboot
usb:1-5
I tried following the official TWRP instructions to flash it. Ran fastboot flash recovery twrp.img and all I get is <waiting for device> as a response after running the command in the terminal.
I unplug the cable, then plug it back in to the computer, then this is what I got:
Code:
Sending 'recovery' (131072 KB) FAILED (Write to device failed (Device or resource busy))
fastboot: error: Command failed
Any ideas on how to get around this?
Your device might not have a recovery partition; in A/B partition layout devices, recovery lives in the boot image.
A bit of an explanation:
When you use fastboot boot <image> you're telling the device to load the image you're sending - so if you use fastboot boot twrp.img you're telling it to load the TWRP.img on your computer. This is what you should be using if you want to boot TWRP.
When you use fastboot flash <partition> <image> you're telling bootloader to flash the specified partition with the specified image. So, if you used fastboot flash boot twrp.img, bootloader will overwrite /boot with the TWRP image...meaning the device will only boot into TWRP.
As for why the device would only boot into stock recovery after you flashed the custom ROM, I suspect that it didn't flash the kernel, or otherwise may have corrupted the boot image. So, when the device tries to start the kernel, it failed and just boots into recovery instead.
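The boot-versus-flash distinction described in the post above, as an added example that is not part of the original post: a small shell helper that reads the output of fastboot getvar all and reports whether a dedicated recovery partition exists (so a flash has a target) or whether recovery lives in the boot image (so only a temporary fastboot boot is appropriate). The sample outputs are constructed, and the exact variable lines a given bootloader prints are an assumption; real devices vary.

```shell
#!/bin/sh
# Constructed `fastboot getvar all` output for a device with A/B slots and no
# dedicated recovery partition (sample data, not captured from real hardware).
SAMPLE_AB='(bootloader) slot-count:2
(bootloader) current-slot:a
(bootloader) has-slot:boot:yes
(bootloader) partition-type:boot_a:raw
(bootloader) partition-type:boot_b:raw
all: Done!!'

# Constructed output for a legacy layout that has its own recovery partition.
SAMPLE_LEGACY='(bootloader) slot-count:0
(bootloader) has-slot:boot:no
(bootloader) partition-type:boot:raw
(bootloader) partition-type:recovery:raw
all: Done!!'

# Print the value of one bootloader variable, or nothing if it is absent.
# $1 = getvar output, $2 = variable name (may itself contain colons).
getvar_value() (
    printf '%s\n' "$1" |
        sed -n "s/^(bootloader)[[:space:]]*$2:[[:space:]]*//p" |
        head -n 1
)

# Succeed when the bootloader reports a partition named $2, either
# unslotted (recovery) or slotted (recovery_a).
has_partition() (
    [ -n "$(getvar_value "$1" "partition-type:$2")" ] ||
    [ -n "$(getvar_value "$1" "partition-type:${2}_a")" ]
)

# Decide how a custom recovery image should be started on this device.
#   flash-recovery : a recovery partition exists, so
#                    `fastboot flash recovery <image>` has a real target
#   boot-only      : A/B layout without a recovery partition; recovery lives
#                    in the boot image, so use `fastboot boot <image>` and do
#                    not overwrite boot with a recovery image
#   unknown        : not enough information; flash nothing
recovery_plan() (
    out=$1
    slots=$(getvar_value "$out" "slot-count")
    if has_partition "$out" recovery; then
        echo "flash-recovery"
    elif [ "${slots:-0}" -ge 2 ] 2>/dev/null && has_partition "$out" boot; then
        echo "boot-only"
    else
        echo "unknown"
    fi
)

# Live use against a connected device in bootloader mode
# (fastboot prints getvar results on stderr, hence 2>&1).
if [ "${1:-}" = "--live" ]; then
    recovery_plan "$(fastboot getvar all 2>&1)"
fi
```

An "unknown" result means the bootloader did not report enough to choose safely, which is the case to stop and check the device's documentation before writing any partition.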
What should I do at this point if I can't do fastboot boot <image> or fastboot flash <partition> <image> because of the <waiting for device> thing I get every time I run those commands?
zepolyerf said:
What should I do at this point if I can't do fastboot boot <image> or fastboot flash <partition> <image> because of the <waiting for device> thing I get every time I run those commands?
Reboot to bootloader. If you're currently in recovery mode, cancel the command (Ctrl+C) and use adb reboot bootloader. If you're currently in bootloader but it's not responding, just use the button combo to force a reset.
Remember, you can only use fastboot commands in bootloader mode. If you're in recovery, you can only use some ADB commands, but in this case, I don't think that will be much help.
This is just soft brick. A hard brick means no life in the device as well. In your case, you can still access recovery and fastboot. You can either use MiFlash and use fastboot to flash the stock rom (your choice if you want to relock the bootloader or not) or flash miui recovery rom directly in the custom recovery.
If I remember correctly too, crDroid requires its provided recovery instead of TWRP so maybe that's why the installation failed.
I went into fastboot mode by pressing Vol Down + Power buttons.
Plugged the phone in to my Linux machine. Have VirtualBox recognize my device.
Opened MiFlash tool. Selected the flash rom from Xiaomi's site. Got an Antirollback error. Here's the logs:
Code:
[4:41:24 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:41:25 AM]:GetScriptDevices
[4:41:28 AM]:add device f8b471a6 index 0
[4:41:48 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:41:48 AM]:GetScriptDevices
[4:41:51 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:41:51 AM]:add device f8b471a6 index 0
[4:41:51 AM]:Thread start,thread id 11,thread name f8b471a6
[4:41:51 AM]:start process id 4212 name cmd
[4:49:16 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:49:16 AM]:GetScriptDevices
[4:49:16 AM]:add device f8b471a6 index 1
[4:49:24 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:49:24 AM]:GetScriptDevices
[4:49:24 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:49:24 AM]:add device f8b471a6 index 1
[4:49:24 AM]:Thread start,thread id 12,thread name f8b471a6
[4:49:24 AM]:start process id 1704 name cmd
[4:49:25 AM]:Thread stopped, thread id 12, thread name f8b471a6
[4:51:22 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:51:23 AM]:GetScriptDevices
[4:51:23 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:51:23 AM]:add device f8b471a6 index 1
[4:51:23 AM]:Thread start,thread id 19,thread name f8b471a6
[4:51:23 AM]:start process id 3400 name cmd
[4:52:26 AM]:GetUserInfo
[4:52:39 AM]:authentication edl error:Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
[4:56:31 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:56:31 AM]:GetScriptDevices
[6:00:17 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:18 AM]:driver oem5.inf exists,uninstall,reuslt True,GetLastWin32Error
[6:00:19 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Google\Driver\android_winusb.inf to C:\Windows\INF\oem5.inf,result True,GetLastWin32Error
[6:00:19 AM]:set RegistryKey value:android_winusb.inf--oem5.inf
[6:00:19 AM]:mkdir "C:\Users\IEUser\.android"
[6:00:19 AM]:output:A subdirectory or file C:\Users\IEUser\.android already exists.
[6:00:19 AM]: echo 0x2717 >>"C:\Users\IEUser\.android\adb_usb.ini"
[6:00:19 AM]:output:
[6:00:19 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:19 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Nvidia\Driver\NvidiaUsb.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:19 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:20 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Microsoft\Driver\tetherxp.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:20 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:21 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Microsoft\Driver\wpdmtphw.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:21 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:21 AM]:driver oem6.inf exists,uninstall,reuslt True,GetLastWin32Error
[6:00:22 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\Driver\qcser.inf to C:\Windows\INF\oem6.inf,result True,GetLastWin32Error
[6:00:22 AM]:set RegistryKey value:qcser.inf--oem6.inf
[6:01:33 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[6:01:34 AM]:GetScriptDevices
[6:01:34 AM]:add device f8b471a6 index 1
[6:01:55 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[6:01:55 AM]:GetScriptDevices
[6:01:55 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[6:01:55 AM]:add device f8b471a6 index 1
[6:01:55 AM]:Thread start,thread id 12,thread name f8b471a6
[6:01:55 AM]:start process id 6280 name cmd
[6:01:56 AM]:Thread stopped, thread id 12, thread name f8b471a6
Any idea on what to do next?
BigChungus321 said:
This is just soft brick. A hard brick means no life in the device as well. In your case, you can still access recovery and fastboot. You can either use MiFlash and use fastboot to flash the stock rom (your choice if you want to relock the bootloader or not) or flash miui recovery rom directly in the custom recovery.
If I remember correctly too, crDroid requires its provided recovery instead of TWRP so maybe that's why the installation failed.
It might as well be a brick haha. I must be dumb (very likely) or there's just not a lot of clear and comprehensive resources out there to fix this kind of thing.
Ahh anti roll back error is pretty simple to fix, you just have to remove the check from the .bat files, there are tutorials on YT that can help, after that reflash stock rom in MiFlash.
If you're worried about anti roll back, don't worry, ARB value for the device has been 3 so far so it's safe to downgrade. Good luck.
Seeing a ton of Bricked Notes on here this last week, Y`all making me nervous about doing anything with mine lol
I faced this problem on Linux and got around it by using a USB 2.0 interface; it didn't work with USB 3.0 and above. My device was different when I got this recovery flash waiting problem, though. Also try updating the platform tools.
So the solution was to entirely ditch Linux and use Windows to play with fastboot and adb commands via the terminal.
I don't understand why it worked when I did it on Windows when I was using the same platform tools on Linux. Oh well.
I have a Xiaomi Redmi 9 (cattail) device
I am trying to use mtkclient to unbrick my device but I am getting this error:
Code:
DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
Here is the entire output:
Code:
MTK Flash/Exploit Client V1.6.0 (c) B.Kerler 2018-2022
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
Port - Device detected :)
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: BEA9E2CD55FC2EB3794A2835E280608C
Preloader - SOC_ID: 27976D1C1A81DBCDB0FC5383E67CB00ADF62A75E37C7066C28E877FFDB8AC544
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/kyeboard/MIUI_FIX/mtkclient/mtkclient/payloads/mt6765_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2136.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 150100434a544434
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
Hey @LiaFourté, can you please help me?
here with the same problem
If the device isn't powering on, you will have to disassemble it so that you can remove the battery and put it back in; it will then power on.
Next, write a boot partition using the device's preloader on your computer, like:
Code:
mtk w boot_a boot.img --preloader=preloader_ki7_v7510.bin
bretjoseph said:
If the device isn't powering on, you will have to disassemble it so that you can remove the battery and put it back in; it will then power on.
Next, write a boot partition using the device's preloader on your computer, like:
Code:
mtk w boot_a boot.img --preloader=preloader_ki7_v7510.bin
Didn't work.
Maybe write the partition to boot_b, or boot if you don't have an A/B device.
kuubichan said:
I have a Xiaomi Redmi 9 (cattail) device
I am trying to use mtkclient to unbrick my device but I am getting this error:
Code:
DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
I can flash your device if you want to.
Let me know.
bretjoseph said:
If the device isn't powering on, you will have to disassemble it so that you can remove the battery and put it back in; it will then power on.
Next, write a boot partition using the device's preloader on your computer, like:
Code:
mtk w boot_a boot.img --preloader=preloader_ki7_v7510.bin
Where do you get this from? The one for R9a is preloader_k62v1_64_bsp
mvikrant97 said:
I can flash your device if you want to.
Let me know.
How, if the issue is with the drivers or the tool?
SubwayChamp said:
How, if the issue is with the drivers or the tool?
I'll use a paid software to flash the device.
Don't worry you don't need to pay for it.
mvikrant97 said:
I'll use a paid software to flash the device.
Don't worry you don't need to pay for it.
Good, and how can we do it? I have all the firmware for the Redmi 9a, but I can't get it to work as of now.
SubwayChamp said:
Where do you get this from? The one for R9a is preloader_k62v1_64_bsp
Try doing a boot.img dump; when it fetches the boot.img, it should also download the preloader into the folder where you dump.
bretjoseph said:
Try doing a boot.img dump; when it fetches the boot.img, it should also download the preloader into the folder where you dump.
Thanks for replying. I'm not getting mtk-client to work; it keeps throwing errors like DAXFlash - [LIB]: Error on sending DA, so I thought that the other way around could solve it. I could neither flash nor read any partition. It worked perfectly for my previous devices, though.
SubwayChamp said:
Thanks for replying. I'm not getting mtk-client to work; it keeps throwing errors like DAXFlash - [LIB]: Error on sending DA, so I thought that the other way around could solve it. I could neither flash nor read any partition. It worked perfectly for my previous devices, though.
I reached that in mtk client when my device went through smack down!
&& SP Flash Tool couldn't get through sending DA. I went to a shop, they couldn't do anything... told me the motherboard is dead.
Have tried the battery removing part. No use.
Maybe GitHub has a solution, people are talking about passing the preloader, idk if it works.
Ank Sak said:
I reached that in mtk client when my device went through smack down!
&& SP Flash Tool couldn't get through sending DA. I went to a shop, they couldn't do anything... told me the motherboard is dead.
Have tried the battery removing part. No use.
Ank Sak said:
Maybe GitHub has a solution, people are talking about passing the preloader, idk if it works.
Which phone is it?
mvikrant97 said:
Which phone is it?
Lenovo K8 Note, mtk6797 MediaTek CPU
Ank Sak said:
I reached that in mtk client when my device went through smack down!
&& SP Flash Tool couldn't get through sending DA. I went to a shop, they couldn't do anything... told me the motherboard is dead.
Have tried the battery removing part. No use.
Thanks, in SPFT it throws "EXT_RAM_EXCEPTION" error.
Ank Sak said:
Maybe GitHub has a solution, people are talking about passing the preloader, idk if it works.
Maybe. It's possible that the preloader is the culprit; probably the preloader is corrupt.
But the funniest thing is that some days ago, with those errors, I took it to a service center; with Unlock tool, without needing to do anything more than pressing both volume buttons (device off), it started to flash, and that solved it. I re-bricked it by flashing the firmware (the latest); it's supposed to not cause damage, but it bricked. So the eMMC is not damaged.
SubwayChamp said:
Thanks, in SPFT it throws "EXT_RAM_EXCEPTION" error.
Maybe. It's possible that the preloader is the culprit; probably the preloader is corrupt.
But the funniest thing is that some days ago, with those errors, I took it to a service center; with Unlock tool, without needing to do anything more than pressing both volume buttons (device off), it started to flash, and that solved it. I re-bricked it by flashing the firmware (the latest); it's supposed to not cause damage, but it bricked. So the eMMC is not damaged.
Service centers don't use Unlock tool, but third-party repair shops do.
mvikrant97 said:
Service centers don't use Unlock tool, but third-party repair shops do.
A Service Center can be authorized or non-authorized. Specialization and/or segmentation in the matter/product is what inclines Marketing to give this or that name as proper, and clients consider both correct. Where I live, there are a lot of Official Repair Shops across the country; they're also called Service Center/Repair Center. In the same way, there are a lot of Service Centers for a specific product; this is where segmentation and specialization play a role. Just to add that some large enterprises have both departments in their hierarchy.