IDENTIFYING THE "BRICK" TYPE
This is a raw "unbrick" method ONLY of use to those people that tried to downgrade from 5.1.1 to 5.0.1 and "bricked" their tablet during these attempts. The symptoms of the "brick" I experienced are: tablet seems to be dead, screen never turns on, no ADB and no FASTBOOT available from the USB port.
NOTE: At the moment I could only test this method on the Fire 7 5th Generation tablets, though it is possible that the same procedure could work on other Mediatek SoC.
From a serial console this kind of soft "brick" can be identified by the following output (just the last few lines):
Code:
[ANTI-ROLLBACK] Processing anti-rollback data
mmc_rpmb_send_command -> req_type=0x1, type=0x4, blks=0x1
mmc_rpmb_send_command -> req_type=0x2, type=0x4, blks=0x1
[ANTI-ROLLBACK] PL: 2 TEE: 3002 LK: 3
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] L: 3 R: 2
This state reveals that the UBOOT code ("lk.bin" version 5.0.1) is blocked by Amazon enforced [ANTI-ROLLBACK] protection checks. If this is your case I am 100% sure this method can be used to recover your tablet from the soft "brick" (tested twice).
"UNBRICK" METHOD DETAILS
The method makes use of Zeroepoch's Python code used previously to "root" the Amazon Fire TV2 and works very well making it possible to directly and unconditionally write to the EMMC memory space of our Fire 7" 5th Generation tablets. There is no need to sign code, no SHA keys and no certificates involved in the process.
NOTE: Initially I opened my tablet, connected cables + serial break-out board by soldering them directly to the internal UART TX/RX pads on the mainboard. I even ripped off some of the pads. However this is absolutely not necessary for this method, I did that to ensure myself complete control over the tablet and to learn all I could related to this tablet.
The whole procedure can be completed through the normal USB cable and a Linux terminal console logged in as the "root" user. I preferred to do everything as the "root" user to exclude permission problems on the devices.
Unfortunately this method is really slow due to the fact that the process is executed through a USB serial connection at 115200 bps and at the moment the proposed code can only write very small chunks of data one after another through a call to a boot loader operation.
I executed the complete process from a Linux system (Fedora 23) but I believe the same could be done from both Windows and Mac OS X. On Windows it would be slightly more difficult since it requires the correct USB drivers and the Python interpreter. On Linux everything should be already available on any distribution. This will make the process much easier by excluding variables like wrong USB drivers or difficult Python installations.
THE REQUISITES
Download the following code archive from Gitlab (thanks to Zeroepoch):
AFTV2-Tools
then unzip the downloaded archive in its new folder. The name of the original folder will be something like:
aftv2-tools-master-5a6de7663bd7c20c54f59ed10b3a5cec841d6564.zip
Rename the folder to a shorter name like "aftv2-tools" to make it easier and shorter to type and move between folders. There are several files and directories in the unpacked AFTV2 archive. However we will only need 4 of them for our method. They are 4 Python scripts named "handshake.py", "read_mmc.py", "write_mmc.py" and "read32.py".
It is possible that you will need to install a Python module called "pyserial" since that is a required dependency. You can do that using the "pip" utility, the command is "pip install pyserial" (the same also for Windows and Mac OS).
THE PROCEDURE
The first step is to ensure the tablet is switched off, then "cd" to the "aftv2-tools" folder that you renamed and execute:
Code:
./handshake.py
on the next line in the console you will immediately see:
waiting for preloader ...
now connect the tablet (ensure it is switched off) to the USB port of your PC and wait a couple of seconds until the Python script exits and the following appears on the console:
Found port = /dev/ttyACM0
Handshake complete!
Now the tablet is in the [USBDL] / [USBDOWNLOAD] mode.
NOTE: Do not disconnect the cable until the end of the complete write procedure and only after executing the disconnect command below.
TRAINING WITH A "READ" OPERATION
Before doing more damage and to ensure the setup/environment works, let's use a READ operation as an exercise and make a backup copy of the current UBOOT partition (it will take a while, prepare your coffee).
Knowing that the UBOOT partition starts at 0x1460000 (hex) and that the length of the partition in bytes is 0x100000 (hex) we could read the complete partition with the following command:
Code:
./read_mmc.py $((0x1460000)) $((0x100000)) UBOOT_501_backup.part
The command above would take about 2 hours or more to complete and read the full 16Mbytes, so you may skip that.
Since we know that the size of the original "lk_501.bin" is exactly 406964 bytes it will be enough to read just what we need (40x less read operations thus 40x less time). A bit of math is needed here, we have to find the minimum number of 512-byte blocks needed to make up a length of at least 406964 bytes. That is 795 * 512 = 407040 so the command will be:
Code:
./read_mmc.py $((0x1460000)) $((795*512)) UBOOT_501_backup.part
this will create a file slightly larger than the original, but we will trim it down with the next command below.
To double check that everything went fine and knowing that the length in bytes of the original 5.0.1 lk.bin is 406964 (dec) we can compare what we have read from the serial connection with the "lk.bin" taken from the 5.0.1 version of the original Amazon update using the following commands. The first line is to trim down what we read to the same size of the original "lk_501.bin" while the second will calculate the MD5 sum of the two files to ensure they are identical:
Code:
dd if=UBOOT_501_backup.part of=UBOOT_501_backup.bin bs=406964 count=1
md5sum UBOOT_501_backup.bin lk_501.bin
The above command will print 2 lines containing the MD5 sum of both files, the 2 hex numbers should be the same. Don't worry if the numbers are different, it may be due to a different version of 5.0.x that you used to try the downgrade. Actually there were 3 or more 5.0.1 partial updates. However check with a hex editor that the first four bytes of the backup you just made are HEX: 88 16 88 58 and that bytes number 8 and 9 (start counting from 0) are HEX: 4C 4B which correspond to the ASCII string "LK".
NOW THE "UNBRICK" PART
At this point to "unbrick" the tablet we need to write the 5.1.1 version of "lk.bin" to the UBOOT partition with this command:
Code:
./write_mmc.py $((0x1460000)) lk_511.bin
Wait for this command to complete; it will take some time (maybe 5 to 10 minutes).
Now we need to exit the [USBDL] / [USBDOWNLOAD] mode before disconnecting the USB cable.
Use this command to do that, it may print some error on the console but that is the expected behavior:
Code:
./read32.py 0 1
wait 10 seconds and then pull the USB cable to disconnect it from the PC.
NOTE: If you can't get your device out of [USBDL] / [USBDOWNLOAD] mode at this point, then pop the back cover off of the device and remove the battery plug, which has 6 wires and lifts straight up. Wait 5 seconds, reconnect the battery, place the cover on the back of your tablet and then power it up.
If all went well the device will reboot with a working "UBOOT/lk.bin". You can now boot to recovery and "adb sideload" the stock Fire OS 5.1.1 update to get your device fully working again (not downgraded but fully functional).
Most of the things explained here are also written in the README files contained in the archives you have downloaded (aftv2-tools / fbtool) and in the documents linked in previous posts.
Have to say thanks to Sturmflut for the invaluable Mediatek SoC docs and to Zeroepoch for the Python scripts.
Have fun,
.:HWMOD:.
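The block arithmetic and the read-back checks from the post above, gathered into one script. This is an added example, not part of the original post or of aftv2-tools; the function names are hypothetical and the sample image is constructed (real header fields as given in the post, zero filler in bytes 4-7, dummy payload).

```python
import hashlib

SECTOR = 512                           # block size used in the post's arithmetic
UBOOT_SIZE = 0x100000                  # UBOOT partition length, from the post
LK_MAGIC = bytes.fromhex("88168858")   # bytes 0-3 of lk.bin, from the post
LK_NAME = b"LK"                        # bytes 8-9 of lk.bin, from the post
LK_501_SIZE = 406964                   # size of the 5.0.1 lk.bin, from the post


def sectors_needed(length):
    """Smallest count of 512-byte blocks that covers `length` bytes."""
    if length <= 0:
        raise ValueError("length must be positive")
    return (length + SECTOR - 1) // SECTOR


def header_problems(image):
    """Check the two header fields the post names; empty list means OK."""
    if len(image) < 10:
        return ["image too short to hold the header fields"]
    problems = []
    if image[0:4] != LK_MAGIC:
        problems.append("bad magic: " + image[0:4].hex())
    if image[8:10] != LK_NAME:
        problems.append("bytes 8-9 are not 'LK': " + image[8:10].hex())
    return problems


def preflight(image):
    """Checks worth running on a file before handing it to write_mmc.py."""
    problems = header_problems(image)
    if len(image) > UBOOT_SIZE:
        problems.append("image larger than the UBOOT partition")
    return problems


def compare_readback(readback, reference):
    """Trim a sector-padded read to the reference length and compare."""
    expected = sectors_needed(len(reference)) * SECTOR
    report = {
        "length_ok": len(readback) == expected,
        "header_problems": header_problems(readback),
        "readback_md5": None,
        "reference_md5": hashlib.md5(reference).hexdigest(),
        "identical": False,
    }
    if len(readback) >= len(reference):
        trimmed = readback[:len(reference)]   # same effect as the dd step
        report["readback_md5"] = hashlib.md5(trimmed).hexdigest()
        report["identical"] = trimmed == reference
    return report


def make_sample_image(size=LK_501_SIZE):
    """Constructed stand-in for lk.bin: real header fields, dummy payload."""
    header = LK_MAGIC + b"\x00" * 4 + LK_NAME
    body = bytes(i % 251 for i in range(size - len(header)))
    return header + body


if __name__ == "__main__":
    reference = make_sample_image()
    blocks = sectors_needed(len(reference))
    print("blocks to read:", blocks, "=", blocks * SECTOR, "bytes")
    print("preflight problems:", preflight(reference))
    # Simulate what read_mmc.py returns: the image plus sector padding.
    padding = b"\xff" * (blocks * SECTOR - len(reference))
    print(compare_readback(reference + padding, reference))
```

With real files, read `UBOOT_501_backup.part` and `lk_501.bin` as bytes and pass them to `compare_readback` in place of the constructed sample.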
Reserved for future expansion
nice work
sd_shadow said:
nice work
I will try to make a video on this soon
Ahhh! A glimmer of hope for a bricked Fire. I had tried to downgrade a 5.1.2 to a 5.1.1 and bricked it... but I did see the MediaTek USB ACM device pop up and down. If I can find a 5.1.2 update, I can try to extract that, slap that on the internal MMC, and see if I can unbrick my (first) Fire that way.
STrRedWolf said:
...If I can find a 5.1.2 update...
http://forum.xda-developers.com/showpost.php?p=62986665&postcount=3
Quick guide to "unbrick" 5.1.2 from downgrade attempts
STrRedWolf said:
Ahhh! A glimmer of hope for a bricked Fire. I had tried to downgrade a 5.1.2 to a 5.1.1 and bricked it... but I did see the MediaTek USB ACM device pop up and down. If I can find a 5.1.2 update, I can try to extract that, slap that on the internal MMC, and see if I can unbrick my (first) Fire that way.
This is a condensed resume of post #1 to "unbrick" and rollback to stock firmware 5.1.2.
You will need a working system with Python3 installed and the "pyserial" module.
Download and unzip AFTV2-Tools in a new folder on your PC.
From inside the AFTV2-Tools folder execute the following script:
Code:
./handshake.py
if your setup is OK the script will print this message to the console:
waiting for preloader ...
now ensure the tablet is switched off, then connect it to the PC with the USB cable.
In a couple of seconds the script will detect the serial port and print this message:
Found port = /dev/ttyACM0
Handshake complete!
confirming the tablet was successfully switched to [USBDOWNLOAD] mode.
Next you need to write the 5.1.2 version of "lk.bin" to the UBOOT partition:
Code:
./write_mmc.py $((0x1460000)) lk_512.bin
now exit the [USBDownload] mode by executing the following script:
Code:
./read32.py 0 1
this will possibly print a few errors in the console but that is expected.
Wait 10 seconds and then pull the USB cable to disconnect it from the PC.
If all went well the device will reboot with a working "UBOOT/lk.bin" partition.
You can now boot into recovery mode and "adb sideload" the stock Fire OS 5.1.2 update.
You will have your device fully working again (not downgraded but fully functional).
.:HWMOD:.
I've just tried that... and no go. It won't boot into it. I'm wondering what else needs to be flashed this way...
STrRedWolf said:
I've just tried that... and no go. It won't boot into it. I'm wondering what else needs to be flashed this way...
Did the "handshake.py" script return the expected messages?
Did the "write_mmc.py" script output the progress of writing the "lk_512.bin"?
Did you get some message indicating errors from running the two scripts above?
I suggest people trying this method to save the output and include relevant parts in their posts.
This way I may be able to give extra instructions or help.
.:HWMOD:.
Yep, yep, and nope. Here's the output.
Code:
sandra aftv2-tools # ./handshake.py
Waiting for preloader...
Found port = /dev/ttyACM0
Handshake complete!
sandra aftv2-tools # ./write_mmc.py $((0x1460000)) ~tygris/dls/kindle/lk.bin
sandra aftv2-tools # ./read32.py 0 1
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib64/python3.4/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('device reports readiness to read but returned no data (device disconnected or multiple access on port?)')
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib64/python3.4/site-packages/serial/serialposix.py", line 480, in read
if e[0] != errno.EAGAIN:
TypeError: 'SerialException' object does not support indexing
sandra aftv2-tools #
Addr: 0x1497a00
Addr: 0x1497c00
Addr: 0x1497e00
Addr: 0x1498000
Addr: 0x1498200
Addr: 0x1498400
Addr: 0x1498600
Addr: 0x1498800
Addr: 0x1498a00
Addr: 0x1498c00
Addr: 0x1498e00
Addr: 0x1499000
Addr: 0x1499200
Addr: 0x1499400
Addr: 0x1499600
Addr: 0x1499800
Addr: 0x1499a00
Addr: 0x1499c00
Addr: 0x1499e00
Addr: 0x149a000
Addr: 0x149a200
Addr: 0x149a400
Addr: 0x149a600
Addr: 0x149a800
Addr: 0x149aa00
Addr: 0x149ac00
Addr: 0x149ae00
Addr: 0x149b000
Addr: 0x149b200
Addr: 0x149b400
Addr: 0x149b600
Addr: 0x149b800
Addr: 0x149ba00
Addr: 0x149bc00
Addr: 0x149be00
Addr: 0x149c000
Addr: 0x149c200
Addr: 0x149c400
Addr: 0x149c600
Addr: 0x149c800
Addr: 0x149ca00
Addr: 0x149cc00
Addr: 0x149ce00
Addr: 0x149d000
Addr: 0x149d200
Addr: 0x149d400
Addr: 0x149d600
Addr: 0x149d800
Addr: 0x149da00
Addr: 0x149dc00
Addr: 0x149de00
Addr: 0x149e000
Addr: 0x149e200
Addr: 0x149e400
Addr: 0x149e600
Addr: 0x149e800
Addr: 0x149ea00
Addr: 0x149ec00
Addr: 0x149ee00
Addr: 0x149f000
Addr: 0x149f200
Addr: 0x149f400
Addr: 0x149f600
Addr: 0x149f800
Addr: 0x149fa00
Addr: 0x149fc00
Addr: 0x149fe00
Addr: 0x14a0000
Addr: 0x14a0200
Addr: 0x14a0400
Addr: 0x14a0600
Addr: 0x14a0800
Addr: 0x14a0a00
Addr: 0x14a0c00
Addr: 0x14a0e00
Addr: 0x14a1000
Addr: 0x14a1200
Addr: 0x14a1400
Addr: 0x14a1600
Addr: 0x14a1800
Addr: 0x14a1a00
Addr: 0x14a1c00
Addr: 0x14a1e00
Addr: 0x14a2000
Addr: 0x14a2200
Addr: 0x14a2400
Addr: 0x14a2600
Addr: 0x14a2800
Addr: 0x14a2a00
Addr: 0x14a2c00
Addr: 0x14a2e00
Addr: 0x14a3000
Addr: 0x14a3200
Addr: 0x14a3400
Addr: 0x14a3600
Addr: 0x14a3800
Addr: 0x14a3a00
Addr: 0x14a3c00
Addr: 0x14a3e00
Addr: 0x14a4000
Addr: 0x14a4200
Addr: 0x14a4400
Addr: 0x14a4600
Addr: 0x14a4800
Addr: 0x14a4a00
Addr: 0x14a4c00
Addr: 0x14a4e00
Addr: 0x14a5000
Addr: 0x14a5200
Addr: 0x14a5400
Addr: 0x14a5600
Addr: 0x14a5800
Addr: 0x14a5a00
Addr: 0x14a5c00
Addr: 0x14a5e00
Addr: 0x14a6000
Addr: 0x14a6200
Addr: 0x14a6400
Addr: 0x14a6600
Addr: 0x14a6800
Addr: 0x14a6a00
Addr: 0x14a6c00
Addr: 0x14a6e00
Addr: 0x14a7000
Addr: 0x14a7200
Addr: 0x14a7400
Addr: 0x14a7600
Addr: 0x14a7800
Addr: 0x14a7a00
Addr: 0x14a7c00
Addr: 0x14a7e00
Addr: 0x14a8000
Addr: 0x14a8200
Addr: 0x14a8400
Addr: 0x14a8600
Addr: 0x14a8800
Addr: 0x14a8a00
Addr: 0x14a8c00
Addr: 0x14a8e00
Addr: 0x14a9000
Addr: 0x14a9200
Addr: 0x14a9400
Addr: 0x14a9600
Addr: 0x14a9800
Addr: 0x14a9a00
Addr: 0x14a9c00
Addr: 0x14a9e00
Addr: 0x14aa000
Addr: 0x14aa200
Addr: 0x14aa400
Addr: 0x14aa600
Addr: 0x14aa800
Addr: 0x14aaa00
Addr: 0x14aac00
Addr: 0x14aae00
Addr: 0x14ab000
Addr: 0x14ab200
Addr: 0x14ab400
Addr: 0x14ab600
Addr: 0x14ab800
Addr: 0x14aba00
Addr: 0x14abc00
Addr: 0x14abe00
Addr: 0x14ac000
Addr: 0x14ac200
Addr: 0x14ac400
Addr: 0x14ac600
Addr: 0x14ac800
Addr: 0x14aca00
Addr: 0x14acc00
Addr: 0x14ace00
Addr: 0x14ad000
Addr: 0x14ad200
Addr: 0x14ad400
Addr: 0x14ad600
Addr: 0x14ad800
Addr: 0x14ada00
Addr: 0x14adc00
Addr: 0x14ade00
Addr: 0x14ae000
Addr: 0x14ae200
Addr: 0x14ae400
Addr: 0x14ae600
Addr: 0x14ae800
Addr: 0x14aea00
Addr: 0x14aec00
Addr: 0x14aee00
Addr: 0x14af000
Addr: 0x14af200
Addr: 0x14af400
Addr: 0x14af600
Addr: 0x14af800
Addr: 0x14afa00
Addr: 0x14afc00
Addr: 0x14afe00
Addr: 0x14b0000
Addr: 0x14b0200
Addr: 0x14b0400
Addr: 0x14b0600
Addr: 0x14b0800
Addr: 0x14b0a00
Addr: 0x14b0c00
Addr: 0x14b0e00
Addr: 0x14b1000
Addr: 0x14b1200
Addr: 0x14b1400
Addr: 0x14b1600
Addr: 0x14b1800
Addr: 0x14b1a00
Addr: 0x14b1c00
Addr: 0x14b1e00
Addr: 0x14b2000
Addr: 0x14b2200
Addr: 0x14b2400
Addr: 0x14b2600
Addr: 0x14b2800
Addr: 0x14b2a00
Addr: 0x14b2c00
Addr: 0x14b2e00
Addr: 0x14b3000
Addr: 0x14b3200
Addr: 0x14b3400
Addr: 0x14b3600
Addr: 0x14b3800
Addr: 0x14b3a00
Addr: 0x14b3c00
Addr: 0x14b3e00
Addr: 0x14b4000
Addr: 0x14b4200
Addr: 0x14b4400
Addr: 0x14b4600
Addr: 0x14b4800
Addr: 0x14b4a00
Addr: 0x14b4c00
Addr: 0x14b4e00
Addr: 0x14b5000
Addr: 0x14b5200
Addr: 0x14b5400
Addr: 0x14b5600
Addr: 0x14b5800
Addr: 0x14b5a00
Addr: 0x14b5c00
Addr: 0x14b5e00
Addr: 0x14b6000
Addr: 0x14b6200
Addr: 0x14b6400
Addr: 0x14b6600
Addr: 0x14b6800
Addr: 0x14b6a00
Addr: 0x14b6c00
Addr: 0x14b6e00
Addr: 0x14b7000
Addr: 0x14b7200
Addr: 0x14b7400
Addr: 0x14b7600
Addr: 0x14b7800
Addr: 0x14b7a00
Addr: 0x14b7c00
Addr: 0x14b7e00
Addr: 0x14b8000
Addr: 0x14b8200
Addr: 0x14b8400
Addr: 0x14b8600
Addr: 0x14b8800
Addr: 0x14b8a00
Addr: 0x14b8c00
Addr: 0x14b8e00
Addr: 0x14b9000
Addr: 0x14b9200
Addr: 0x14b9400
Addr: 0x14b9600
Addr: 0x14b9800
Addr: 0x14b9a00
Addr: 0x14b9c00
Addr: 0x14b9e00
Addr: 0x14ba000
Addr: 0x14ba200
Addr: 0x14ba400
Addr: 0x14ba600
Addr: 0x14ba800
Addr: 0x14baa00
Addr: 0x14bac00
Addr: 0x14bae00
Addr: 0x14bb000
Addr: 0x14bb200
Addr: 0x14bb400
Addr: 0x14bb600
Addr: 0x14bb800
Addr: 0x14bba00
Addr: 0x14bbc00
Addr: 0x14bbe00
Addr: 0x14bc000
Addr: 0x14bc200
Addr: 0x14bc400
Addr: 0x14bc600
Addr: 0x14bc800
Addr: 0x14bca00
Addr: 0x14bcc00
Addr: 0x14bce00
Addr: 0x14bd000
Addr: 0x14bd200
Addr: 0x14bd400
Addr: 0x14bd600
Addr: 0x14bd800
Addr: 0x14bda00
Addr: 0x14bdc00
Addr: 0x14bde00
Addr: 0x14be000
Addr: 0x14be200
Addr: 0x14be400
Addr: 0x14be600
Addr: 0x14be800
Addr: 0x14bea00
Addr: 0x14bec00
Addr: 0x14bee00
Addr: 0x14bf000
Addr: 0x14bf200
Addr: 0x14bf400
Addr: 0x14bf600
Addr: 0x14bf800
Addr: 0x14bfa00
Addr: 0x14bfc00
Addr: 0x14bfe00
Addr: 0x14c0000
Addr: 0x14c0200
Addr: 0x14c0400
Addr: 0x14c0600
Addr: 0x14c0800
Addr: 0x14c0a00
Addr: 0x14c0c00
Addr: 0x14c0e00
Addr: 0x14c1000
Addr: 0x14c1200
Addr: 0x14c1400
Addr: 0x14c1600
Addr: 0x14c1800
Addr: 0x14c1a00
Addr: 0x14c1c00
Addr: 0x14c1e00
Addr: 0x14c2000
Addr: 0x14c2200
Addr: 0x14c2400
Addr: 0x14c2600
Addr: 0x14c2800
Addr: 0x14c2a00
Addr: 0x14c2c00
Addr: 0x14c2e00
Addr: 0x14c3000
Addr: 0x14c3200
Addr: 0x14c3400
sandra aftv2-tools # ./read32.py 0 1
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib64/python3.4/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('device reports readiness to read but returned no data (device disconnected or multiple access on port?)')
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib64/python3.4/site-packages/serial/serialposix.py", line 480, in read
if e[0] != errno.EAGAIN:
TypeError: 'SerialException' object does not support indexing
sandra aftv2-tools #
Looking at your log, it looks like a successful "unbrick". The errors at the end after the "./read32.py 0 1" are the expected behavior for the wrong command needed to exit [USBDOWNLOAD] mode.
Try to remove the battery for 10 seconds then reconnect it and see if it reboots now.
Could you tell the size in bytes of the "lk.bin" you wrote ?
.:HWMOD:.
hwmod said:
Looking at your log, it looks like a successful "unbrick". The errors at the end after the "./read32.py 0 1" are the expected behavior for the wrong command needed to exit [USBDOWNLOAD] mode.
Try to remove the battery for 10 seconds then reconnect it and see if it reboots now.
Could you tell the size in bytes of the "lk.bin" you wrote ?
.:HWMOD:.
Ugh. Time to take a spudger to my Kindle.
Code:
sandra aftv2-tools # ls -l ~tygris/dls/kindle/lk.bin
-rw-r--r-- 1 tygris tygris 407096 Apr 15 2015 /home/tygris/dls/kindle/lk.bin
Fire OS 5.1.2 LK.bin is 400 KB (409,600 bytes)
And... negative. No reboot into recovery.
STrRedWolf said:
And... negative. No reboot into recovery.
Did you pull the battery and then plug it back in and try to reboot?
Tomsgt said:
Did you pull the battery and then plug it back in and try to reboot?
Reflashed with the correct lk.bin file, pulled the battery... nothing. No reaction on screen. At least we are getting somewhere...
Tomsgt said:
Fire OS 5.1.2 LK.bin is 400 KB (409,600 bytes)
I can see that the length of "lk.bin" is different from what you suggested, both in 5.1.2 and 5.1.2.1.
update-kindle-global-37.5.4.2_user_542168620.bin (version 5.1.2) - lk.bin is 407096 bytes
update-kindle-37.5.4.2_user_542169020.bin (version 5.1.2.1) - lk.bin is 407096 bytes
The two "lk.bin" from these two versions are exactly the same and their "md5sum" is:
d73a2c504dc4db427d1dc3996ce4e206
This could be one of the possible reasons for @STrRedWolf not being able to "unbrick" his tablet. To reduce the risks of errors it would be advisable to always include the exact length of the files in bytes accompanied by the "md5sum".
.:HWMOD:.
hwmod said:
I can see that the length of "lk.bin" is different from what you suggested, both in 5.1.2 and 5.1.2.1.
update-kindle-global-37.5.4.2_user_542168620.bin (version 5.1.2) - lk.bin is 407096 bytes
update-kindle-37.5.4.2_user_542169020.bin (version 5.1.2.1) - lk.bin is 407096 bytes
The two "lk.bin" from these two versions are exactly the same and their "md5sum" is:
d73a2c504dc4db427d1dc3996ce4e206
This could be one of the possible reasons for @STrRedWolf not being able to "unbrick" his tablet. To reduce the risks of errors it would be advisable to always include the exact length of the files in bytes accompanied by the "md5sum".
.:HWMOD:.
I would also not post the MD5 hash but instead the SHA-256 hash. MD5's deprecated due to known security attacks against it. SHA-256 is considered much more secure (enough that SSL/TLS certificates are required to use it).
Here's the "sha256sum" of the lk-5.1.2.bin from the update-kindle-global-37.5.4.2_user_542168620.bin
Code:
[email protected] ~/dls/kindle $ sha256sum lk.bin
ef3e0cd928ddf380fa00da1f79fd63e6ed1279be1f4f2e093498116f6faec48e lk.bin
[email protected] ~/dls/kindle $ ls -l lk.bin
-rw-r--r-- 1 tygris tygris 407096 Apr 15 2015 lk.bin
STrRedWolf said:
I would also not post the MD5 hash but instead the SHA-256 hash. MD5's deprecated due to known security attacks against it. SHA-256 is considered much more secure (enough that SSL/TLS certificates are required to use it).
Security concerns are irrelevant in the context of determining file equivalency/integrity. Fine to provide one or both checksums but no valid reason to avoid MD5 in this use case.
MD5 or SHA-256?
Don't need to reinvent the wheel
Amazon says "SHA-1" and publishes SHA-1 for system, boot, recovery, UBOOT (=lk.bin), TEE1 (=tz.img) in each update's META-INF/com/amazon/android/target.blocklist + copies that to /cache/recovery/last_blocklist
For example, lk.bin
Code:
Ver      Size    SHA-1
5.0.1    406964  4690a896d2964b39d5dd8aea7b09b57a80511f22
5.1.1    409060  5f0c2350956fc03aaed24fa83c6c0f441af2b578
5.1.2    407096  995983f35352a3d20c979db447e82739249c52d8
5.1.2.1  407096  995983f35352a3d20c979db447e82739249c52d8
5.1.4    407160  618df04cb5cb96fc286d9c0eacba5256976aee4e
P.S. Same sha-1 and size for 5.1.2 and 5.1.2.1 = no brick after downgrade 5.1.2.1 -> 5.1.2
If lk.bin in 5.1.4 will have size 407096 and SHA-1 995983f35352a3d20c979db447e82739249c52d8 - downgrade to 5.1.2 is possible.
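The size-plus-digest check discussed in the posts above, as an added example that is not part of the original thread: it compares an lk.bin against the size/SHA-1 table quoted above before anything is written, separates a wrong length from a wrong digest, and tells whether two versions share the same bootloader image. The function names are assumptions made for this example; the reference values are copied from that table.

```python
import hashlib

# Size in bytes and SHA-1 of lk.bin per Fire OS version, copied from the table
# in the post above (the poster attributes it to Amazon's target.blocklist).
KNOWN_LK = {
    "5.0.1":   (406964, "4690a896d2964b39d5dd8aea7b09b57a80511f22"),
    "5.1.1":   (409060, "5f0c2350956fc03aaed24fa83c6c0f441af2b578"),
    "5.1.2":   (407096, "995983f35352a3d20c979db447e82739249c52d8"),
    "5.1.2.1": (407096, "995983f35352a3d20c979db447e82739249c52d8"),
    "5.1.4":   (407160, "618df04cb5cb96fc286d9c0eacba5256976aee4e"),
}


def fingerprint(data: bytes) -> dict:
    """Length plus SHA-1 (to match the table) and SHA-256 (to post alongside)."""
    return {
        "size": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify(data: bytes, known=KNOWN_LK) -> list:
    """Versions whose recorded size AND SHA-1 both match the image."""
    fp = fingerprint(data)
    return sorted(v for v, (size, sha1) in known.items()
                  if size == fp["size"] and sha1 == fp["sha1"])


def check_image(data: bytes, wanted: str, known=KNOWN_LK) -> tuple:
    """Decide whether `data` is the lk.bin recorded for version `wanted`.

    Returns (ok, reason). The reason separates a wrong length (wrong file,
    truncated download, padded dump) from a right length with a wrong digest
    (corrupted or modified content).
    """
    if wanted not in known:
        return False, f"no reference entry for version {wanted}"
    size, sha1 = known[wanted]
    fp = fingerprint(data)
    if fp["size"] != size:
        others = sorted(v for v, (s, _) in known.items() if s == fp["size"])
        hint = f" (length matches {', '.join(others)})" if others else ""
        return False, f"length {fp['size']} != expected {size}{hint}"
    if fp["sha1"] != sha1:
        return False, f"length ok but SHA-1 {fp['sha1']} != expected {sha1}"
    return True, f"matches lk.bin for {', '.join(identify(data, known))}"


def same_lk(version_a: str, version_b: str, known=KNOWN_LK) -> bool:
    """True when two versions ship a byte-identical lk.bin per the table."""
    return known[version_a] == known[version_b]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            ok, reason = check_image(fh.read(), sys.argv[2])
        print("OK" if ok else "REFUSE", "-", reason)
        sys.exit(0 if ok else 1)
    print("usage: check_lk.py <lk.bin> <version>")
```

Run as `python3 check_lk.py lk.bin 5.1.2`; a non-zero exit status means the file is not the image recorded for that version.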
hey guys..
anyone has DA for this MTK device..? device is totally dead.. only preloader recognized as Device Manager..
Phone found! [ 46 ]
Sync...
Inital Boot Ok!
BB_CPU_PID : 8127
BB_CPU_NME : [MediaTek] MT8127_S00
BB_CPU_EXT : 0xCA03 , 0x8A00 , 0x0000
Processing BROM stage
Settings for BROM configured!
SecCfgVal : 0x00000000
BromVer : 0x00FF
BLVersion : 0x0001
PreLoader : Active [ Boot with PL ]
t-mobile_mda said:
hey guys..
anyone has DA for this MTK device..? device is totally dead.. only preloader recognized as Device Manager..
Phone found! [ 46 ]
Sync...
Inital Boot Ok!
BB_CPU_PID : 8127
BB_CPU_NME : [MediaTek] MT8127_S00
BB_CPU_EXT : 0xCA03 , 0x8A00 , 0x0000
Processing BROM stage
Settings for BROM configured!
SecCfgVal : 0x00000000
BromVer : 0x00FF
BLVersion : 0x0001
PreLoader : Active [ Boot with PL ]
I don't think anyone has this. It would have made hacking the tablet tons easier if we did.
Might be the only option is the unlock thread, with shorting the PIN to get direct brom access (or whatever mode it is called)
Unlocking bootloader on Nokia 5.1
Code:
#include <std_disclaimer.h>
/*
* Your warranty is... still valid/probably? (Subject to OEM's)
*
* We are not responsible for bricked devices, dead SD cards
* unpleasant experiences. Custom ROM's are Custom for a reason and
* as developers, we try our best to give you the most complete experience
* When you choose our ROM, its a choice which you make but it doesnt make us
* liable to any unfortunate events. But we will be happy to help for the greater good.
*/
Requirements:
PC with Linux/Windows/MacOS.
Nokia 5.1 with any version of Android.
Installed mtkclient with official instruction.
Straight arms.
If you are using Windows, installed preloader vcom driver.
Unlocking bootloader:
Open terminal (cmd) on folder with mtkclient.
Power off device.
Run command:
Code:
python mtk xflash seccfg unlock
Hold a Vol- button and connect device to PC.
Wait for the script to finish.
Enjoy unlocked bootloader.
Notes:
Data won't be wiped, but it is better to make backup.
Works on all MTK devices, except entering on BROM.
Hey will this work on vivo y91i with mt6762
Is there a possibility of phone getting bricked
This is not working on Redmi Note 11t 5g
belkaliz said:
Unlocking bootloader on Nokia 5.1
Code:
#include <std_disclaimer.h>
/*
* Your warranty is... still valid/probably? (Subject to OEM's)
*
* We are not responsible for bricked devices, dead SD cards
* unpleasant experiences. Custom ROM's are Custom for a reason and
* as developers, we try our best to give you the most complete experience
* When you choose our ROM, its a choice which you make but it doesnt make us
* liable to any unfortunate events. But we will be happy to help for the greater good.
*/
Requirements:
PC with Linux/Windows/MacOS.
Nokia 5.1 with any version of Android.
Installed mtkclient with official instruction.
Straight arms.
If you are using Windows, installed preloader vcom driver.
Unlocking bootloader:
Open terminal (cmd) on folder with mtkclient.
Power off device.
Run command:
Code:
python mtk xflash seccfg unlock
Hold a Vol- button and connect device to PC.
Wait for the script to finish.
Enjoy unlocked bootloader.
Notes:
Data won't be wiped, but it is better to make backup.
Works on all MTK devices, except entering on BROM.
Will Try for unlocking FRP
belkaliz said:
Unlocking bootloader on Nokia 5.1
Code:
#include <std_disclaimer.h>
/*
* Your warranty is... still valid/probably? (Subject to OEM's)
*
* We are not responsible for bricked devices, dead SD cards
* unpleasant experiences. Custom ROM's are Custom for a reason and
* as developers, we try our best to give you the most complete experience
* When you choose our ROM, its a choice which you make but it doesnt make us
* liable to any unfortunate events. But we will be happy to help for the greater good.
*/
Requirements:
PC with Linux/Windows/MacOS.
Nokia 5.1 with any version of Android.
Installed mtkclient with official instruction.
Straight arms.
If you are using Windows, installed preloader vcom driver.
Unlocking bootloader:
Open terminal (cmd) on folder with mtkclient.
Power off device.
Run command:
Code:
python mtk xflash seccfg unlock
Hold a Vol- button and connect device to PC.
Wait for the script to finish.
Enjoy unlocked bootloader.
Notes:
Data won't be wiped, but it is better to make backup.
Works on all MTK devices, except entering on BROM.
i tried it but it says
orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds....
then after that I got a bootloop, forcing me to relock it again and flash stock rom to fix my phone.
Anonymous V said:
i tried it but it says
orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds....
then after that I got a bootloop, forcing me to relock it again and flash stock rom to fix my phone.
the message "orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds...." is normal for bootloader unlocked mtk devices
$cronos_ said:
the message "orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds...." is normal for bootloader unlocked mtk devices
yeah i know that but in my case it cause a boot loop, after i unlock the bootloader and boot my phone because of the bootloop do you know how to fix it?
Anonymous V said:
i tried it but it says
orange state
your device has been unlocked and cannot be trusted
booting in 5 seconds....
then after that I got a bootloop, forcing me to relock it again and flash stock rom to fix my phone.
You just have to go to recovery mode and wipe all data and then just reboot the phone will boot normally
St4rh4ck3r said:
You just have to go to recovery mode and wipe all data and then just reboot the phone will boot normally
Thanks for the answer! But I managed to unlock it without losing any data.
Seems not working for vivo y72 5g, any help?
The command python mtk xflash seccfg unlock seems not to be working for mtk client also
Incomtus said:
Seems not working for vivo y72 5g, any help?
The command python mtk xflash seccfg unlock seems not to be working for mtk client also
Did you try the other command??
This command -----------> python mtk da seccfg unlock
Because we have the same problem and this one solves it, try it!
Anonymous V said:
Did you try the other command??
This command -----------> python mtk da seccfg unlock
Because we have the same problem and this one solves it, try it!
I already tried it, mtk client ask to plug the phone, I do it, it detects it, BUT two possibilities are happening every time I tried : it says the phone has been unplugged or it remains stuck on "trying kamakiri2" and nothing happens....
I installed mtk client again, I tried again and it does the same. Sometimes it gets stuck on "jumping on 0x0"
Incomtus said:
I already tried it, mtk client ask to plug the phone, I do it, it detects it, BUT two possibilities are happening every time I tried : it says the phone has been unplugged or it remains stuck on "trying kamakiri2" and nothing happens....
I installed mtk client again, I tried again and it does the same. Sometimes it gets stuck on "jumping on 0x0"
In developers option did you turn on the oem unlock option?? The error (trying kamakiri2) happened to me; what I did is I reinstalled everything from python to preloader driver
Anonymous V said:
In developers option did you turn on the oem unlock option?? The error (trying kamakiri2) happened to me; what I did is I reinstalled everything from python to preloader driver
Yes oem unlock is activated. okay you think that comes from python preloader driver? Can you give a little more details? It will be very nice
Incomtus said:
Yes oem unlock is activated. okay you think that comes from python preloader driver? Can you give a little more details? It will be very nice
I'm not quite sure why, but I think kamakiri2 uses python to operate the whole process, that's why if the python is not working the whole process will not work too, while the preloader (it's a substitute of fastboot) helps the mtk client connect or communicate with your phone, that's why if the drivers are corrupted or something wrong happened mtk client won't work correctly. BTW, while you are unlocking your bootloader did you see something like (DA failed to send or offset error)?
Anonymous V said:
I'm not quite sure why, but I think kamakiri2 uses python to operate the whole process, that's why if the python is not working the whole process will not work too, while the preloader (it's a substitute of fastboot) helps the mtk client connect or communicate with your phone, that's why if the drivers are corrupted or something wrong happened mtk client won't work correctly. BTW, while you are unlocking your bootloader did you see something like (DA failed to send or offset error)?
I am not sure bro, I will try again in the evening
Incomtus said:
I am not sure bro, I will try again in the evening
Ok bro, and to be sure pls put your mtk client log in here as well so we can all see the problem.
Anonymous V said:
Ok bro, and to be sure pls put your mtk client log in here as well so we can all see the problem.
Here is the logs
The first is when I try without touching any hw button:
Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x989
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Second with all buttons (just detect and lost it)
..Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x989
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
PLTools - Crashing da...
DeviceClass - USBError(19, 'No such device (it may have been disconnected)')
Preloader
Preloader - [LIB]: Error on DA_Send cmd
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Last try when i pushed vol- and on/off button got stuck on kamakiri2:
Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x989
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
PLTools - Loading payload from mt6833_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Hey there
Recently I've bricked my 8i and I tried many unbrick tutorials on here.
Unfortunately, it worked a little bit, it just boot looped since this moment.
Now I tried another thing to stop boot loops, and it just prevents my phone from turning on now, and I get these error messages when trying to use mtk_client
```
python mtk da seccfg unlock
MTK Flash/Exploit Client V1.6.0 (c) B.Kerler 2018-2022
DA_handler - Please disconnect, start mtkclient and reconnect.
C:\Users\User\Downloads\mtkclient-main>python mtk da seccfg unlock
MTK Flash/Exploit Client V1.6.0 (c) B.Kerler 2018-2022
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected
Preloader - CPU: MT6781(Helio G96)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x1066
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: E4A43E3469FC06E6E6BB52C939A6FF58
Preloader - SOC_ID: 3237BB18D43F0CF85FDAFE911AA1F6E0A7F2E419B92870AD711BFFA06AECC9AB
PLTools - Loading payload from mt6781_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\Users\User\Downloads\mtkclient-main\mtkclient\payloads\mt6781_payload.bin
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin
xflashext - Patching da1 ...
Mtk
Mtk - [LIB]: Failed to patch preloader security
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
Preloader
Preloader - [LIB]: Error on DA_Send cmd
DAXFlash
DAXFlash - [LIB]: Error on sending DA.
```
Thanks for your help
I have a Xiaomi Redmi 9 (cattail) device
I am trying to use mtkclient to unbrick my device but i am getting this error:
Code:
DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
Here is the entire output:
Code:
MTK Flash/Exploit Client V1.6.0 (c) B.Kerler 2018-2022
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.
Port - Device detected :)
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: BEA9E2CD55FC2EB3794A2835E280608C
Preloader - SOC_ID: 27976D1C1A81DBCDB0FC5383E67CB00ADF62A75E37C7066C28E877FFDB8AC544
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/kyeboard/MIUI_FIX/mtkclient/mtkclient/payloads/mt6765_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2136.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 150100434a544434
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
Hey @LiaFourté, can you please help me?
here with the same problem
If the device isn't powering on you will have to disassemble it so that you can remove the battery and put it back on; it will power on.
Next write a boot partition using the device's preloader on your computer, like
Code:
mtk w boot_a boot.img --preloader=preloader_ki7_v7510.bin
bretjoseph said:
If the device isn't powering on you will have to disassemble it so that you can remove the battery and put it back on; it will power on.
Next write a boot partition using the device's preloader on your computer, like
Code:
mtk w boot_a boot.img --preloader=preloader_ki7_v7510.bin
didn't work
maybe write the partition to boot_b, or boot if you don't have an a/b device
kuubichan said:
I have a Xiaomi Redmi 9 (cattail) device
I am trying to use mtkclient to unbrick my device but I am getting this error:
Code:
DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
I can flash your device if you want to.
Let me know.
bretjoseph said:
If the device isn't powering on, you will have to disassemble it so that you can remove the battery and put it back on; it will power on.
Next, write a boot partition using the device's preloader on your computer, like
Code:
mtk w boot_a boot.img --preloader=preloader_ki7_v7510.bin
Where do you get this from? The one for R9a is preloader_k62v1_64_bsp
mvikrant97 said:
I can flash your device if you want to.
Let me know.
How, if the issue is with the drivers or the tool?
SubwayChamp said:
How, if the issue is with the drivers or the tool?
I'll use paid software to flash the device.
Don't worry, you don't need to pay for it.
mvikrant97 said:
I'll use paid software to flash the device.
Don't worry, you don't need to pay for it.
Good, and how can we do it? I have all the firmware for the Redmi 9a, but I can't get it to work as of now.
SubwayChamp said:
Where do you get this from? The one for R9a is preloader_k62v1_64_bsp
Try doing a boot.img dump; it should also download the preloader when it fetches the boot.img, in the folder where you dump.
bretjoseph said:
Try doing a boot.img dump; it should also download the preloader when it fetches the boot.img, in the folder where you dump.
Thanks for replying. I'm not getting mtk-client to work; it keeps throwing errors like DAXFlash - [LIB]: Error on sending DA, so I thought that the other way around could solve it. I could neither flash nor read any partition. It worked perfectly for my previous devices, though.
SubwayChamp said:
Thanks for replying. I'm not getting mtk-client to work; it keeps throwing errors like DAXFlash - [LIB]: Error on sending DA, so I thought that the other way around could solve it. I could neither flash nor read any partition. It worked perfectly for my previous devices, though.
I reached that in mtk client when my device went through a smackdown!
&& SP Flash Tool couldn't get through sending DA. I went to a shop, they couldn't do anything... told me the motherboard is dead.
Have tried the battery removing part. No use.
Maybe GitHub has a solution, people are talking about passing the preloader, idk if it works...
Ank Sak said:
I reached that in mtk client when my device went through a smackdown!
&& SP Flash Tool couldn't get through sending DA. I went to a shop, they couldn't do anything... told me the motherboard is dead.
Have tried the battery removing part. No use.
Ank Sak said:
Maybe GitHub has a solution, people are talking about passing the preloader, idk if it works...
which phone is it?
mvikrant97 said:
which phone is it?
Lenovo K8 Note, mtk6797 MediaTek CPU
Ank Sak said:
I reached that in mtk client when my device went through a smackdown!
&& SP Flash Tool couldn't get through sending DA. I went to a shop, they couldn't do anything... told me the motherboard is dead.
Have tried the battery removing part. No use.
Thanks, in SPFT it throws "EXT_RAM_EXCEPTION" error.
Ank Sak said:
Maybe GitHub has a solution, people are talking about passing the preloader, idk if it works...
Maybe. It's possible that the preloader is the culprit; probably the preloader is corrupt.
But the funniest thing is that some days ago, with those errors, I took it to a service center; with Unlock tool, without needing to do anything more than pressing both volume buttons (device off), it started to flash, and that solved it. I re-bricked it by flashing the firmware (the latest); it's not supposed to cause damage, but it bricked. So the eMMC is not damaged.
SubwayChamp said:
Thanks, in SPFT it throws "EXT_RAM_EXCEPTION" error.
Maybe. It's possible that the preloader is the culprit; probably the preloader is corrupt.
But the funniest thing is that some days ago, with those errors, I took it to a service center; with Unlock tool, without needing to do anything more than pressing both volume buttons (device off), it started to flash, and that solved it. I re-bricked it by flashing the firmware (the latest); it's not supposed to cause damage, but it bricked. So the eMMC is not damaged.
Service centers don't use Unlock tool, but third-party repair shops do.
mvikrant97 said:
Service centers don't use Unlock tool, but third-party repair shops do.
A Service Center can be authorized or non-authorized. Specialization and/or segmentation in the matter/product is what inclines Marketing to give this or that name as proper, and clients consider both correct. Where I live, there are a lot of Official Repair Shops across the country; they're also called Service Center/Repair Center. In the same way, there are a lot of Service Centers for a specific product; this is where segmentation and specialization play a role. Just to add that some large enterprises have both departments in the hierarchy.