SP Flash Tool error 0xc0010001

  • 02.12.2018, 16:51

    Fish

    Registered: 17.08.2013
    Posts: 34,098
    Reputation: 13214

    Someone brought in a Meizu M5 phone for reflashing. SP Flash Tool kept throwing the same error, 0xC0010001. The phone was detected correctly but would not flash.

    The problem was solved by removing all the MTK drivers and installing the driver again. Before that (a lot of devices had been flashed) there had been no problems with the drivers.

    I have attached the archive with the driver I installed to this post.

    Download:

    USB-to-Serial_1_0_1.zip

  • 14.11.2021, 09:55

    Алексей Полоскин

    Registered: 23.02.2015
    Posts: 1
    Reputation: 0

    Posted by Fish

    Someone brought in a Meizu M5 phone for reflashing. SP Flash Tool kept throwing the same error, 0xC0010001. The phone was detected correctly but would not flash.

    The problem was solved by removing all the MTK drivers and installing the driver again. Before that (a lot of devices had been flashed) there had been no problems with the drivers.

    I have attached the archive with the driver I installed to this post.

    the attachment won't download

  • 29.04.2023, 12:18

    Fish

    Registered: 17.08.2013
    Posts: 34,098
    Reputation: 13214

    Posted by Алексей Полоскин

    the attachment won't download

    To download attachments, register and take out a subscription

1. Flashing gets past the red bar and then sticks at the purple bar. (Error code 4008)
If this happens, remove the battery, reinstall it, enter recovery (REC) and choose to shut down. Then flash again.
2. With the driver installed, an error message pops up after a few flashes.
This is generally caused by a power supply problem on the USB port. Use a USB port on the back of the PC, or unplug several devices with high power consumption.
3. An error appears under normal operating conditions, different from the prompt in item 2. (Typically error 3013, the most frequent case)
This is asked very often. It basically occurs after upgrading to 4.1.2 and then wanting to go back to 4.0.4. If you are on 4.1.2 when flashing, you can use SP_Flash_Tool to flash 4.0.4 again, or use the official SP_Flash_Tool of Turtle 4.1.2.

Summary of MTK mobile phone cable-flashing error messages and solutions

[1022 error]: The flashing software version does not match the phone, or the USB port is not working well.
[Solution]: First try flashing through a different USB port. If that does not help, download the latest flashing software and try again.
[1040 error]: S_UNSUPPORTED_OPERATION. The scatter file (Scatter.txt) used for flashing does not match.
[Solution]: Download the cable-flash ROM suitable for your device; this is clearly a case met on clone phones. For example, the device is a dual-core 6577 but the downloaded ROM is for a single-core 6575, so an error is reported.
[2005 error]: S_BROM_CMD_STARTCMD_FAIL
[Solution]: The flashing package file was not actually loaded. Reopen the flashing software and flash again.
[3002 error]: If the option in the following picture is not checked, the tool reports after flashing [>TOOL DL image Fail! =>uboot is blocking by dl info]
[Solution]: Remember to check the option in the following figure and flash once more. This way the device will not hang on the boot screen.
[3144 error]: S_DA_EMMC_FLASH_NOT_FOUND
[Solution]: The scatter file (Scatter.txt) does not match; switch to the correct flashing package. This is mainly seen on eMMC-partition models: the scatter TXT files of eMMC-partition and MTD-partition devices cannot be mixed.
[4004 error]: Driver problem.
[Solution]: First try to install the MTP driver. If that fails, uninstall the driver and reinstall it so that the device is recognized, or reinstall the computer.
[4032 error]: Operating procedure problem.
[Solution]: As soon as the red progress bar completes, press the volume down button immediately to trigger the subsequent yellow progress bar. It is best to flash with the battery installed. For details, see the tutorial post at the top of the Lenovo S920 section, which describes the procedure in more detail.
[4050 error]: S_FT_NEED_DOWNLOAD_ALL_FAIL. A common error when flashing recovery on its own: the target ROM file differs too much from the system on the phone, so it cannot be flashed alone.
[Solution]: Put the recovery.img file into the original factory flashing package, select it as in the screenshot below, and then flash; the progress bar will then advance. If it still does not work, do a complete flash.
[5066 error]: S_DL_PC_BL_INVALID_GFH_FILE_INFOR
[Solution]: The wrong scatter txt file was imported. Check that the imported txt file is the one meant for flashing, and do it again.
[8038 error]: SP FLASH TOOL ERROR; the specific reason is unknown.
[Solution]: 1. If you see this prompt, flash only with the "firmware-upgrade" (or "solid piece-upgrade") button and complete one full flash.
2. It may also be that the version of the flashing software is not suitable for the phone.
[8100 error]: can not find usb port! This indicates that the flashing driver is not fully recognized or installed. Reinstall the driver, change the port, or change the computer system to XP, etc.
[Solution]: Reinstall the driver and connect the phone powered off so that it is recognized. Changing the computer, for example to a desktop, is recommended.
[8200 error]: The phone's system and the flashing package are for different chip platforms.
[Solution]: Method 1: Find another ROM; your ROM is wrong. For example, the device is a 6575 and the flashing package is for a 6577, so this error is reported. Method 2: Update to the latest version of the flashing software.

dsborets opened this issue 2 years ago · comments

I disabled a protection by using this utility and then tried to readback using SP Flash Tool (UART mode) but constantly getting ERROR: STATUS_ERR (0xC0010001). According to this https://forum.hovatek.com/thread-439.html

Error 0xC0010001)

Message: ERROR: STATUS_ERR  (0xC0010001)

Meaning DA or Auth verification failed

Solution: Ensure to load a custom DA or Auth for the device or bypass DA / Auth check

Does it mean that the device is still protected even though this tool showed it’s successfully disabled?

[2021-04-21 21:50:53.296370] Waiting for device
[2021-04-21 21:51:00.679548] Found port = COM5
[2021-04-21 21:51:00.751481] Device hw code: 0x8167
[2021-04-21 21:51:00.752482] Device hw sub code: 0x8a00
[2021-04-21 21:51:00.753479] Device hw version: 0xcb00
[2021-04-21 21:51:00.753479] Device sw version: 0x1
[2021-04-21 21:51:00.753479] Device secure boot: True
[2021-04-21 21:51:00.754478] Device serial link authorization: False
[2021-04-21 21:51:00.754478] Device download agent authorization: True
[2021-04-21 21:51:00.755477] Disabling watchdog timer
[2021-04-21 21:51:00.756476] Disabling protection
[2021-04-21 21:51:00.813923] Protection disabled

Did you reboot or unplug the device before running SP Flash Tool?
Can you please run the bypass utility twice in a row and post the output?

No, I didn’t reboot or unplug the device. I keep it connected to the same USB port.
I can’t run a bypass utility twice without a power cycle. BTW is it expected?
First time output is the same that I posted already, when I try to run it again it just outputs:
Waiting for device
With power cycle the outputs are the same.
Please also take into account that bypass utility is not working correctly without these changes

diff --git a/src/device.py b/src/device.py
index cd75939..a1a49c9 100644
--- a/src/device.py
+++ b/src/device.py
@@ -123,13 +123,16 @@ class Device:
         self.echo(addr, 4)
         self.echo(size, 4)

-        self.check(self.dev.read(2), to_bytes(0, 2))  # arg check
+#        self.check(self.dev.read(2), to_bytes(0, 2))  # arg check
+        assert from_bytes(self.dev.read(2), 2) <= 0xff

         for _ in range(size):
             data = from_bytes(self.dev.read(4), 4)
             result.append(data)

-        self.check(self.dev.read(2), to_bytes(0, 2))  # status
+#        self.check(self.dev.read(2), to_bytes(0, 2))  # status
+
+        assert from_bytes(self.dev.read(2), 2) <= 0xff

         # support scalar
         if len(result) == 1:
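
Review bot: the two new `assert from_bytes(self.dev.read(2), 2) <= 0xff` lines in `read32` accept any status from 0x0000 to 0x00ff, so a real error code in that range now passes unnoticed, and because the read sits inside the `assert`, running under `python -O` drops both the check and the 2-byte read and leaves the serial stream out of step. Read the status into a variable first, compare it with an explicit set of accepted values (the traceback below shows this device answering 0x0003 where 0x0000 was expected), and raise `RuntimeError` as `check` does on anything else. Delete the old `self.check(...)` lines instead of leaving them commented out, and add a comment saying why a non-zero status is tolerated.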

otherwise it’s throwing an exception:

[2021-04-22 10:49:08.729440] Disabling protection
Traceback (most recent call last):
  File "C:bypass_utilitymain.py", line 213, in <module>
    main()
  File "C:bypass_utilitymain.py", line 58, in main
    result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
  File "C:bypass_utilitysrcexploit.py", line 17, in exploit
    device.read32(addr - (cnt - i) * 4, cnt - i + 1)
  File "C:bypass_utilitysrcdevice.py", line 126, in read32
    self.check(self.dev.read(2), to_bytes(0, 2))  # arg check
  File "C:bypass_utilitysrcdevice.py", line 88, in check
    raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0x0000 got 0x0003

Check this comment from the original issue #25 (comment)

No, on a second run, it should show that security is disabled and dump the brom.

It seems there may be an issue with the payload, though it’s not clear what. @bkerler is looking into it.
In the meantime can you try the attached payload?
It WILL NOT disable security, but hopefully when running the utility the second time, it should not be stuck «Waiting for device».

I’ll look into updating the code in order to allow the different response produced by your device.

Also can you maybe give some more details, what device this is?

Are you able to attach a serial console (UART) to it?
mt8167_payload.zip

It’s a noname Chinese smart speaker. The only test pads for communication I found it’s a usb.

The new payload doesn’t work as well. It stuck with «Waiting for device» when running utility for the second time. But it does say that «Protection disabled» after the first run.
I also tried to run the utility second time main.py --serial-port=COM5 with new payload:

[2021-04-23 10:27:18.436998] Disabling watchdog timer
[2021-04-23 10:27:18.438996] Disabling protection
Traceback (most recent call last):
  File "C:bypass_utilitymain.py", line 213, in <module>
    main()
  File "C:sbypass_utilitymain.py", line 58, in main
    result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
  File "C:bypass_utilitysrcexploit.py", line 25, in exploit
    raise RuntimeError("status is {}".format(status.hex()))
RuntimeError: status is 1d0c

It worked with the old payload and dumped bootrom

Ah yes, i forgot to mention that you need to supply --serial-port with the second run.
Can you please run the utility twice with the old payload (supplying --serial-port on the second run).
And post the complete output.

>py -3 main.py --serial_port=COM5
[2021-04-23 11:01:59.084724] Device hw code: 0x8167
[2021-04-23 11:01:59.084724] Device hw sub code: 0x8a00
[2021-04-23 11:01:59.085723] Device hw version: 0xcb00
[2021-04-23 11:01:59.085723] Device sw version: 0x1
[2021-04-23 11:01:59.086722] Device secure boot: False
[2021-04-23 11:01:59.087721] Device serial link authorization: False
[2021-04-23 11:01:59.087721] Device download agent authorization: False

[2021-04-23 11:01:59.088720] Disabling watchdog timer
[2021-04-23 11:01:59.090718] Insecure device, sending payload using send_da
[2021-04-23 11:01:59.119691] Found send_dword, dumping bootrom to bootrom_8167.bin 

but after that the device seems like automatically rebooted in the normal mode

Update. When I keep pressing a button and run the utility second time I see that the original COM port (COM5 in my case) disappeared and new port COM6 MediaTek PreLoader USB VCOM Port (COM6) appeared. I also tried to run SP Flash Tool on that port — same error (C0010001)

Yes, running it twice is just to confirm the payload is working as expected.
After the second run the device will reboot normally with security enabled.
However it confirms that security is disabled successfully as can be seen from the output of the second run.
So to use SP just run it once, make sure the device isn’t rebooted or unplugged and use the default Download Agent.

Yeah, this is what I tried. Interesting situation now. SPFT now doesn’t show a COM port in dropdown, so I cannot select any. In the win device manager I do see a com port MTK USB Port (COM5) and this utility also can work with this port (in case of second run). What could be wrong? I tried to re-run SPFT and reboot a PC, same thing. When I tried to read back it shows me the same error C0010001. It doesn’t complain about inability to open a port. In the bottom status bar I see UART: , 115200

SPFT log:

...
)((APCore::Connection::ConnectBROM,....flashtoolConnConnection.cpp,103))(....flashtoolUIsrcBackgroundWorker.cpp,107)
04/23/2021 13:01:59.820 FlashTool[4832][5400][D]: APCore::DLHandle::GetScatterInfo(): Scatter version(V1.1.2)(....flashtoolResourceHandleDLHandle.cpp,133)
04/23/2021 13:01:59.827 FlashTool[4832][5400][D]: ISetting::set_stop_flag(): dummpy stop_flag(0x05926928) set.(d:homemtk14060dailyautobuildprojectwcp2_cleanroomdadownload_agent_mainflashtoolsettingISetting.h,45)
04/23/2021 13:01:59.828 FlashTool[4832][8580][D]: APCore::RBHandle::GetCount(): RB_GetCount(1)(....flashtoolResourceHandleRBHandle.cpp,98)
04/23/2021 13:01:59.828 FlashTool[4832][8580][D]: APCore::Connection::ConnectBROM(): Connecting to BROM...(....flashtoolConnConnection.cpp,75)
04/23/2021 13:02:03.633 FlashTool[4832][8580][D]: APCore::Connection::ConnectBROM(): Connect BROM failed: STATUS_ERR(-1073676287)(....flashtoolConnConnection.cpp,102)
04/23/2021 13:02:03.633 FlashTool[4832][8580][D]: APCore::Connection::Disconnect(): Disconnect!(....flashtoolConnConnection.cpp,186)
04/23/2021 13:02:03.692 FlashTool[4832][8580][D]: BackgroundWorker::run(): BROM Exception! ( ERROR : STATUS_ERR (0xC0010001)


[HINT]:
)((APCore::Connection::ConnectBROM,....flashtoolConnConnection.cpp,103))(....flashtoolUIsrcBackgroundWorker.cpp,107)

If you’re on windows use USB mode, not UART in SP Flash

Ok, I moved forward while using USB mode. Thank you!
But now when I tried to read back, I see:

BackgroundWorker::run(): BROM Exception! ( ERROR : STATUS_PRELOADER_INVALID (0xC0030004)

The Preloader file format is invalid!
[HINT]:
Please retry another official load.

Ok, it’s no longer related to the bypass utility, but maybe you know what could be wrong?

Make sure you’re using the correct scatter file and preloader for your device.
As this is an issue with SP Flash configuration, I am closing this issue.

@dsborets Did you ever find a solution? Currently working on the same platform — MT8167 (also a speaker) and getting the same issue with SPFT even with scatter file and preloader from a valid factory image.

You’re getting the STATUS_PRELOADER_INVALID ?
Does your preloader have the EMMC_BOOT header?
Can you share preloader + scatter?

Yes on both counts.
boot0.img from factory image does have EMMC_BOOT header:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Mediatek EMMC Flash Image Version 1
512           0x200           Mediatek Boot Header Version 1
532           0x214           Boot section Start 0x800 End 0x29200 Load-by-Bootrom
162976        0x27CA0         SHA256 hash constants, little endian

I did extract the boot section at 0x4d4d4d magic and try that as the preloader too. (preloader_mt8167s_ref.bin)

mt8167s_som_scatter.txt
preloader_mt8167s_ref.bin.zip
boot0.img.zip

Yeah, it needs to be without the EMMC_BOOT header for SPFT.
Your preloader_mt8167s_ref.bin does look fine though.
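
The header check discussed in the two comments above, as an added example that is not part of the original thread: it tells whether a preloader file still carries the EMMC_BOOT wrapper and cuts out the boot section that starts at the 0x4d4d4d magic. The offsets 0x200 and 0x214 come from the binwalk output quoted above; the `BRLYT` and `BBBB` marker strings, the position of the start/end fields, the exclusive end offset and both function names are assumptions, and the sample image is constructed.

```python
import struct

EMMC_MAGIC = b"EMMC_BOOT"   # wrapper header at offset 0 (marker string assumed)
BRLYT_OFFSET = 0x200        # "Mediatek Boot Header" offset in the binwalk output
BRLYT_MAGIC = b"BRLYT"      # assumed marker string of that header
SECTION_OFFSET = 0x214      # "Boot section" descriptor offset in the binwalk output
SECTION_MAGIC = b"BBBB"     # assumed descriptor marker
GFH_MAGIC = b"MMM"          # the 0x4d4d4d magic that opens the bare preloader


def strip_emmc_boot_header(image: bytes) -> bytes:
    """Return the bare preloader, removing an EMMC_BOOT wrapper if present."""
    if image.startswith(GFH_MAGIC):
        return image                      # already bare, nothing to strip
    if not image.startswith(EMMC_MAGIC):
        raise ValueError("neither an EMMC_BOOT image nor a bare preloader")
    if len(image) < SECTION_OFFSET + 16:
        raise ValueError("image too short to hold the boot header")
    if image[BRLYT_OFFSET:BRLYT_OFFSET + 5] != BRLYT_MAGIC:
        raise ValueError("boot header marker missing at 0x200")
    if image[SECTION_OFFSET:SECTION_OFFSET + 4] != SECTION_MAGIC:
        raise ValueError("boot section descriptor missing at 0x214")
    # Assumed layout: start and end follow the marker after one 32-bit field,
    # both little endian, end exclusive and counted from the file start.
    start, end = struct.unpack_from("<II", image, SECTION_OFFSET + 8)
    if not (SECTION_OFFSET + 16 <= start < end <= len(image)):
        raise ValueError(f"boot section {start:#x}..{end:#x} outside the file")
    section = image[start:end]
    if not section.startswith(GFH_MAGIC):
        raise ValueError("boot section does not start with the MMM magic")
    return section


def build_sample_image(start: int = 0x800, end: int = 0x29200) -> bytes:
    """Constructed test image using the start/end values binwalk reported."""
    img = bytearray(end)
    img[0:len(EMMC_MAGIC)] = EMMC_MAGIC
    img[BRLYT_OFFSET:BRLYT_OFFSET + 5] = BRLYT_MAGIC
    img[SECTION_OFFSET:SECTION_OFFSET + 4] = SECTION_MAGIC
    struct.pack_into("<II", img, SECTION_OFFSET + 8, start, end)
    img[start:start + 4] = GFH_MAGIC + b"\x01"
    return bytes(img)


if __name__ == "__main__":
    wrapped = build_sample_image()
    bare = strip_emmc_boot_header(wrapped)
    print(f"wrapped: {len(wrapped):#x} bytes, bare preloader: {len(bare):#x} bytes")
```

Run against a real file, a `ValueError` means the layout differs from these assumptions and the image should be inspected by hand before it is given to SPFT.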

It’s definitely sending me a little crazy 😫

I have the brom dump and having thrown it through ghidra it does match up with the 8167 payload for mtk-bypass perfectly. (Despite my initial 1AM blindness)

I have the full factory images which I have flashed and works fine so the preloader from it has to be good.
and the scatter file I made by hand from the partition-table.img from the factory images.

I don’t have any real background with MTK devices prior to this one so am at a bit of a loss as to what to try next.

I guess you could try different versions of SPFT and different DAs.
Also please send me the GPT.

Tried a couple of versions of SPFT (all 5.x because I don’t think 8167 is supported before?)
And tried a few different DAs from Hovatek forum and no joy there either.

partition-table.zip

Here is the scatter my script produces, it is just for comparison and would need manual adjustment.
scatter-new.zip

2 major differences, PRELOADER size is 0x400000 vs 0x40000 and pgpt size is 0x80000 vs 0x5000

But I can’t see how pgpt size is correct because both scatter files still have next partition starting at 0x5000 (which would be right if pgpt is 0x0 on EMMC_USER)

Yeah, 0x80000 is probably wrong for pgpt

Tried a 3rd PC and it works with everything I had — same drivers, spft, scatter and preloader.

Is it usual that SPFT is so finicky? Just feels like one of those things that should work — or not, not just obscure errors.

Anyway, clearly something with my setup…again.

Appreciate your help and fast replies 🙇

Help me i am having the same error idk why
Screenshot (67)
