Sensation!!!!
We have found a method to restore a dead Boot for
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (maybe the whole 68xx series).
We found the JTAG and developed the recovery technology!
The FAQ is being translated from Russian and will be posted.
Authors: Alex_Beda & 1stMASTER
--------------------------------------
Manual to restore dead BootLoader
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (may be the all 68xx series).
© Copyright to Alex_Beda & 1stMASTER
PDA-HACK.NET Team http://pda-hack.net
If our article has helped you, you can donate via WebMoney
WMID 378286389551
for WMZ: Z396747110007
for WME: E114645323227
for WMR: R351032339900
Thanks to all who helped.
Thanks to Winterice for the technical assistance and moral support.
Thanks to ant 125 for useful information
Thanks to Allbest, deniska.75, Borozavr, Erke for moral support.
Symptoms:
The device does not switch on and does not enter the bootloader
(most often after flashing firmware from a memory card).
It reacts to connecting the charger:
if the battery is inserted and the charger is connected, the orange LED must be lit;
if the battery is removed and the charger is connected, the orange LED must be flashing.
There is only one way to restore the bootloader:
reflashing the flash memory in the PXA272 using JTAG.
This procedure consists of two parts:
hardware (making a cable for reflashing) and software (reflashing).
Hardware part:
These are the JTAG pinouts of the Atom Exec, Rover G5, Orsio n725, O2 Atom, O2 Atom Exec.
The O2 Atom (not Exec) has only the internal contacts, located near the Camera button.
There are contacts inside the device, near the CAMERA button;
to access them, you need to open the device.
There are also contacts on the outside, near the SIM connector.
All contacts work.
For the inside contacts you need this connector:
http://i218.photobucket.com/albums/cc23/alex_beda/raz012.jpg
You can also use a connector from a 5.25" floppy drive (author: vic180).
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0267-.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0262-.jpg
LPT connector for the PC
http://i218.photobucket.com/albums/cc23/alex_beda/LPT1.jpg
Cable length: 35-40 cm
This is the connector for the outside contacts.
The resulting connector, made from a 5.25" floppy drive connector:
http://i218.photobucket.com/albums/cc23/alex_beda/raz1.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/raz3.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vid2.jpg
To fix the connector in place you need to make this
or something similar:
http://i218.photobucket.com/albums/cc23/alex_beda/kreplenie.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidkrepl.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidobsh.jpg
Software part.
http://wiki.xda-developers.com/uploads/RepairBootLoader.zip
The attached file contains the program JFlashmm,
in the same directory the BOOTLOADER from the Atom Exec (ebo_a.nb0) from the first firmware,
and the giveio driver needed for the cable to work.
If you have an O2 Atom (not Exec), you must delete the file ebo_a.nb0 in the jflash_mm folder,
copy the file boot.nb0 from the O2 Atom firmware into the jflash_mm folder and rename it to ebo_a.nb0.
Before connecting the LPT connector, you need to press and hold
the micro button near the SIM connector.
http://i218.photobucket.com/albums/cc23/alex_beda/knopka.jpg
For example: a sticker on the button.
Connect the ground of the LPT connector to the ground of the device
(using a crocodile clip).
http://i218.photobucket.com/albums/cc23/alex_beda/ground.jpg
Connect the cable to the LPT port of the PC.
Connect the charger to the device.
The orange LED is blinking.
If the LED is not blinking,
check that the micro button is pressed
and check that the button is held in place.
Install the giveio driver from the attached file.
Now you can restore the bootloader.
The bootloader needs to be restored in two places.
The boot must be flashed to address 0 and address 3f400.
In the jflash_mm folder there is a file start.bat.
Inside this file:
jflashmm pxa27x32 ebo_a.nb0 P 0 PAR
jflashmm pxa27x32 ebo_a.nb0 P 3F40000 PAR
So the file ebo_a.nb0 (boot from the Atom Exec) will be flashed in two places,
to address 0 and address 3f40000, with the data sent to the parallel port.
Execute start.bat; if all is right and you made the cable correctly,
it must detect the processor.
If the message "file *.DAT not found" appears on screen, press Soft Reset.
The program will ask you «bla-bla-bla» Y/N? Press Y.
-------
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.002
PXA27x revision ??
Found flash type: 28F256L18B
Unlocking block at address 0
Erasing block at address 0
Unlocking block at address 10000
Erasing block at address 10000
Unlocking block at address 20000
Erasing block at address 20000
Unlocking block at address 30000
Erasing block at address 30000
Unlocking block at address 40000
Erasing block at address 40000
Starting programming
Using BUFFER programming mode...
Writing flash at hex address 3fe80, 99.85% done
Programming done
Starting Verify
Verifying flash at hex address 3ff68, 99.94% done
Verification successful!
------------
The same happens a second time, flashing to address 3f4000.
You can now disconnect the charger and the cable.
Enter the bootloader:
Press the Camera button, insert the battery and press Soft Reset.
If everything was done correctly, the bootloader is running!!!
Now proceed as usual (almost):
Connect the device to the PC.
Run the firmware update for your device.
The firmware update must start.
If all is right, it .......
Operating system update, bootloader update,
then the ExtROM update runs, but it should freeze at 6%!!!!
Disconnect the USB cable from the device and do a Hard Reset!!!
The device must switch on, calibrate the touch screen, etc.
Run the firmware update for your device again.
© Copyright to Alex_Beda & 1stMASTER
Also, you might want to list the hardware we need so we can go look for it.
Ultimate Chicken said:
Also, you might want to list the hardware we need so we can go look for it.
You need 4 resistors of 100 Ohm, an LPT connector and
an old cable for a 5.25" floppy drive.
This is a great find. Once you have finalized this one, please post it in the WIKI. I have constantly updated it with relevant information for our device.
Coola
Thanks for this, guys... I didn't flash my Atom yet because I was afraid of the bootloader problems I've read about in here. Now there is no need to worry.
greekfragma said:
Coola
Thanks for this, guys... I didn't flash my Atom yet because I was afraid of the bootloader problems I've read about in here. Now there is no need to worry.
The Atom never had a problem with the bootloader. It's the Atom Exec that has it. Also, the solution to the common problems with Atom upgrading has been posted in the Wiki already.
Thanks for the fast reply, jiggs, and sorry for the miswriting in my post... I have an Atom Exec and I wrote Atom just to shorten my post. Sorry again for the mess.
Keep walking, mate. You are doing a marvelous job in here.
Oh, finally there's a solution. I have an O2 Atom with a dead bootloader, and the service center said I have to replace my board, and it will cost a lot.
Keep it up, bro.
Thanks.
-=[serialzs]=-
I don't have the O2 Atom and I don't have access to an O2 Atom.
The technology will be the same, but the contact pinouts may be different.
The time is dancing!!!
The technology is working on O2 Atom, O2 Atom Exec, Rover G5, Orsio n725.
TESTED !!!
Nice to hear
See
http://wiki.xda-developers.com/index.php?pagename=HTC_Atom
Problems (Read here before posting on Forum):
Dead Boot Loader on O2 Atom, O2 Atom Exec, Rover G5, Orsio n725
serialzs said:
Oh, finally there's a solution. I have an O2 Atom with a dead bootloader, and the service center said I have to replace my board, and it will cost a lot.
Keep it up, bro.
Thanks.
-=[serialzs]=-
Hey brother, I was in the same shoes as you a few days ago.
I had a dead bootloader since I upgraded using an SD card...
There is a slight chance you can revive your Atom this way (which is how I revived mine):
unplug the battery for a few days. Then, when you plug the battery in, observe the power light and the hangup button and see if there is a very quick red flash. If there is, you might be in luck.
Now, hold the action button (circle button in the middle) and keep plugging and unplugging the battery in the Atom. Do the same with the power button and the camera button. Mine worked with the action button, and it booted into the bootloader menu again!
Now I'm flashing the original ROM in the unit =)
How much can be explained?
My method is meant for a dead bootloader.
An absolutely dead bootloader
(fully erased, flashed with an incorrect file, etc.).
kazuni,
your message is off-topic and flood.
Read the forums.
Read the documentation.
Your bootloader IS NOT DEAD!
If the bootloader is dead, the program in the ROM is incorrect (or there is no program).
The program does not work.
It does not enter the bootloader.
Flashing with an SD card is impossible.
Symptoms:
The device does not switch on and does not enter the bootloader
(most often after flashing firmware from a memory card).
It reacts to connecting the charger:
if the battery is inserted and the charger is connected, the orange LED must be lit;
if the battery is removed and the charger is connected, the orange LED must be flashing.
There is only one way to restore the bootloader:
reflashing the flash memory in the PXA272 using JTAG.
Wow, thanks. Although my XDA Atom never bricked, I'm happy that it will never happen. With your method we will never see a bricked Atom again.
alex_beda said:
How much can be explained?
My method is meant for a dead bootloader.
An absolutely dead bootloader
(fully erased, flashed with an incorrect file, etc.).
kazuni,
your message is off-topic and flood.
- #1 I am not replying to your topic, I am merely helping the others and seeing if my method works.
Read the forums.
- Duh, who wouldn't read the forum.
Read the documentation.
Your bootloader IS NOT DEAD!
I didn't say my bootloader is dead or not dead.
If the bootloader is dead, the program in the ROM is incorrect (or there is no program).
The program does not work.
It does not enter the bootloader.
Flashing with an SD card is impossible.
I am just replying to another person; if you have not noticed, I specifically quoted his post, not YOUR thread.
kazuni said:
I am just replying to another person; if you have not noticed, I specifically quoted his post, not YOUR thread.
Sorry if you are offended.
But your method applies only to a bootloader that is not absolutely dead.
If the bootloader is absolutely dead:
it does not enter the bootloader,
flashing with an SD card is impossible,
the device is dead.
The only options are replacing the board in a service center
or reflashing with JTAG.
Is this applicable to Atom Life? I have tried but I got this error:
C:\Boot\JFlash_MM>start.bat
C:\Boot\JFlash_MM>jflashmm pxa27x32 ebo_a.nb0 N 0 PAR
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.001
PXA27x revision ??
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: FFFF
Lower half reads: 0
Failed to read the Flash ID. Retrying 4 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 3 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 2 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 1 more times...
Failed to read the Flash ID. Retrying 0 more times...
Cannot open input file: Flash_0_2_32.dat
This program supports flash devices defined by DAT files
contained in the same directory as the executable program.
If the file cannot be opened, there are four possibilities:
1 - The flash device installed is not supported.
2 - The flash device is a licensed product.
3 - The device ID could not be read, resulting in a poorly
constructed filename. The first numeric value in the
filename is the device ID. Verify this value with the
component specification.
4 - The memory bus is not functional. Check all CPLD and FPGA
devices. Make sure that you are using the correct
platform data file.
Mr. Jiggs... Kabayan. Is there any service center for the O2 Atom in the Philippines? My Atom Life is dead due to an SD card upgrade. I am here in KSA, where the service is not available. Thanks.
Can I use it for PROPHET!!
alex_beda said:
Sensation!!!!
We have found a method to restore a dead Boot for
Atom Exec, Rover G5, Orsio n725, and maybe Atom (Atom maybe, not tested).
We found the JTAG and developed the recovery technology!
The FAQ is being translated from Russian and will be posted.
Authors: Alex_Beda & 1stMASTER
Please wait 1-3 days.
Hey Buddy
I know it's foolish on my part, but can I use this method on my O2 Neo (Prophet)?
It does not boot at all. All that I get when I put it on the wall charger is an ORANGE LED, which remains even when I remove the battery.
Sometimes it disappears again. In either case the area near the USB tends to get very, very HOT.
Sometimes I feel it will just bust because of this heat!!
Please do reply
I flashed a wrong ROM, and now my phone, an N9006 (MTK 6572), is bricked. It doesn't turn on, and the connection takes a few seconds.
It gives this error now:
Flash files count is :12
Action : Firmware update.
Selected Samsung Clone: Note 3 Clone(MT6572)
Phone must be off with battery inside.
Please insert USB cable now...
Detected : MTK USB Port (COM21)
Phone detected...Please wait
Sending DA agent, please wait...
Connect error: S_FT_ENABLE_DRAM_FAIL
Error connect phone, aborting.
All done.
I didn't make a backup, my fault. Before that I read the info of the phone, which was stuck at the logo. The info read via Volcano Box is below. Can someone give me a backup or any ROM to at least revive this phone?
Version: V3.8
SN:xxxxxxxxxxx
Port:COM57
After format or Flash you have to press & hold power button for at least 1.30 mins.
Note for win7 users :
Start your Win 7 64bit with F8 key and choose 'Disable Driver Signature Enforcement'.
After that the spd drivers will have the ability to be loaded.
Available Ports:COM1 COM3 COM8 COM9 COM57
Current Port:COM57
Analysis of USB port,Please insert phone USB cable.
Connecting...
CPU TYPE:MT6572
Hardware version:CA01
Software version:0000
Boot downloading complete!
EMMC_ID:0x45010053454D3034472805A6827A513B
EMMC_PRODUCT_NAME: SAMSUNG :0x53454D303447
EMMC_BOOT1_SIZE: 0x00200000
EMMC_BOOT2_SIZE: 0x00200000
EMMC_PRMB_SIZE: 0x00200000
EMMC_GP1_SIZE: 0x00000000
EMMC_GP2_SIZE: 0x00000000
EMMC_GP3_SIZE: 0x00000000
EMMC_GP4_SIZE: 0x00000000
EMMC_USER_SIZE: 0x0EC000000(3.69 G)
Analysis of system files...
PRELOADER: addr:0x000000 --length:0x880000
MBR: addr:0x880000 --length:0x080000
EBR1: addr:0x900000 --length:0x080000
PRO_INFO: addr:0x980000 --length:0x300000
NVRAM: addr:0xC80000 --length:0x500000
PROTECT_F: addr:0x1180000 --length:0xA00000
PROTECT_S: addr:0x1B80000 --length:0xA00000
SECCFG: addr:0x2580000 --length:0x020000
UBOOT: addr:0x25A0000 --length:0x060000
BOOTIMG: addr:0x2600000 --length:0x600000
RECOVERY: addr:0x2C00000 --length:0x600000
SEC_RO: addr:0x3200000 --length:0x040000
MISC: addr:0x3240000 --length:0x080000
LOGO: addr:0x32C0000 --length:0x300000
EXPDB: addr:0x35C0000 --length:0xA00000
ANDROID: addr:0x3FC0000 --length:0x28A00000
CACHE: addr:0x2C9C0000 --length:0x17800000
USRDATA: addr:0x441C0000 --length:0x52C00000
FAT: addr:0x96DC0000 --length:0x54340000
BMTPOOL: addr:0xFFFF00A8 --length:0x000000
Format addr:0x481C0000 --Format length:0x4EC00000
>>Read phone information success.
This is the info, so please can someone help me urgently. Thank you.
bcnboy
They say that, unfortunately, a majority of new Unisoc (Spreadtrum) chips have bootloaders that cannot be unlocked without a key, which is not provided by the SoC manufacturer, and is beyond the control of the ODM. Many low-end Android smartphones are powered by such chips, and the end result is that root is impossible on those devices, i.e. ZTE Blade A5 2019, Doogee N10, etc. (Unisoc SC9863A)
Some have obtained the source code of the U-boot bootloader used on those devices; however, the algorithm for the key verification is stored on the Trusted Execution Environment, which means it cannot be extracted (the TEE is a SecureEnclave-like device, with no possible direct access to its memory or storage, besides de-capping it and reading the bits with an electron microscope) -- more info here: https://source.android.com/security/trusty
However, Spreadtrum actually does verify the whole boot process, meaning that booting a modified binary is impossible. If you change the boot partition, it will infinitely reboot with a black screen and vibration. If you leave the boot as-is, but change system, it will get to the splash screen and then reboot. etc.
It genuinely does cryptographically verify the signature and hash of every partition. Which is great for security, in theory, unless the OS has preloaded spyware, but the secureboot process prevents you from removing it.
Been there, and I didn't even realise the cause.
MTK is quite good, but it's becoming worse in the perf/$ ratio, i.e. the SC9863A is a octa core A55 chip at 1.5GHz, while similar MTK devices are dual core A7 at 1.2 GHz. The architecture improvements alone are excellent, not mentioning the extra cores and higher clock speed.
The key is most certainly not the same, because I doubt they would go through the trouble of doing actual secure boot verification, and storing the data in the TEE, and just have the same key. Additionally, the U-boot code I obtained lies to the user about commands not being found, if the command doesn't contain a valid unlock key.
there is a dedicated thread on hovatek forum for rooting this chipset
that thread on hovatek is thrilling...
Hovatek forums indicate you need a PAC or FDL file to do anything unless you buy extra hardware. Can anything be done for a vendor that hasn't released either? Even a temproot exploit like mtk-su is fine, if it works on Android 9.
those El-Cheapo phones are simply not supported well by hackerdom.
if we can port mtk-su to this processor or create a new temp root we are done
Skorpion96 said:
if we can port mtk-su to this processor or create a new temp root we are done
You can't port mtk-su. The security exploit is a defect built into the CPU. A CPU is made up of millions of transistors. A transistor is a switch (on/off). Creating a workload that targets the switch that would normally return no to yes is very difficult and can very easily destroy the CPU by creating an internal short. NOTE: The device manufacturer can help provide a bootloader key if requested.
lepusang said:
You can't port mtk-su. The security exploit is a defect built into the CPU. A CPU is made up of millions of transistors. A transistor is a switch (on/off). Creating a workload that targets the switch that would normally return no to yes is very difficult and can very easily destroy the CPU by creating an internal short. NOTE: The device manufacturer can help provide a bootloader key if requested.
I know that mtk-su can't be ported, but maybe we can use the source of mtk easy su and the cve-2015-1474 to make a working app
Skorpion96 said:
I know that mtk-su can't be ported, but maybe we can use the source of mtk easy su and the cve-2015-1474 to make a working app
Can it really be done? I have a ZTE blade vantage 2 and I'd love to root it if possible.
I just tried a zip to enable fastboot on the Axon Mini on my ZTE Blade A5 2019. It flashes and fails because the model is different, but it is not a signature error, meaning that it has the same signature. So the signature is the same for every ZTE. Now I'm asking ZTE Italy to help me get the unlock file or the signature itself, which is the same, since either I will flash the file directly or I will sign it and flash. I hope they will help.
Useless try, they refused to help because of their policy
Went out and bought an m8l plus to try it. This is the first time I've ever dealt with a unisoc sc9863a. I was optimistic about it at first, but now I'm doubtful
*Update* found modified fastboot folder and did the following. Unlocked bootloader, about to try to root with magisk. Root achieved with magisk. Made copy of firmware, moved boot_a to phone and patched with magisk. Flashed patched boot_a with adb. Currently deleting system apps. Root is go. This is unisoc sc9863a blu m8l Android 11
Found this. Can't post the link, but I'll c&p the text:
Open the modified_fastboot folder, right-click then select Open in Terminal
Test detection using
Code:
./fastboot devices
Get Identifier Token using
Code:
./fastboot oem get_identifier_token
You should get an output like
Identifier token:
XXXXXXXXXXXXXXXXXXXXXXXX
OKAY [ 0.019s]
finished. total time: 0.019s
Copy out the Identifier token
Run this command ; replace XXXXXXXXXXXXXXXXXXXXXXXX with your Identifier token
Code:
./signidentifier_unlockbootloader.sh XXXXXXXXXXXXXXXXXXXXXXXX rsa4096_vbmeta.pem signature.bin
You should have an output like
Identifier sign script, ver 0.10
1+0 records in
1+0 records out
50 bytes copied, 0.000257562 s, 194 kB/s
Identifier sign successfully
You should also see a signature.bin file in the modified_fastboot folder
Finally, run this command
Code:
./fastboot flashing unlock_bootloader signature.bin
You should get a prompt on the device asking you to push a volume button to confirm unlock, do so
You should now have an output like
downloading 'unlock_message'...
OKAY [ 0.001s]
unlocking bootloader...
Info:Unlock bootloader success! OKAY [ 85.787s]
finished. total time: 85.788s
Reboot the device using
Code:
./fastboot reboot
Your bootloader should now be unlocked
They request you log in and register in exchange for the modified fastboot folder
you can get the modified Fastboot folder anywhere, used that trick to bl unlock all my blu and wiko phones
R41N MuTT said:
Found this. Can't post the link, but I'll c&p the text:
Open the modified_fastboot folder, right-click then select Open in Terminal
Test detection using
Code:
./fastboot devices
Get Identifier Token using
Code:
./fastboot oem get_identifier_token
You should get an output like
Identifier token:
XXXXXXXXXXXXXXXXXXXXXXXX
OKAY [ 0.019s]
finished. total time: 0.019s
Copy out the Identifier token
Run this command ; replace XXXXXXXXXXXXXXXXXXXXXXXX with your Identifier token
Code:
./signidentifier_unlockbootloader.sh XXXXXXXXXXXXXXXXXXXXXXXX rsa4096_vbmeta.pem signature.bin
You should have an output like
Identifier sign script, ver 0.10
1+0 records in
1+0 records out
50 bytes copied, 0.000257562 s, 194 kB/s
Identifier sign successfully
You should also see a signature.bin file in the modified_fastboot folder
Finally, run this command
Code:
./fastboot flashing unlock_bootloader signature.bin
You should get a prompt on the device asking you to push a volume button to confirm unlock, do so
You should now have an output like
downloading 'unlock_message'...
OKAY [ 0.001s]
unlocking bootloader...
Info:Unlock bootloader success! OKAY [ 85.787s]
finished. total time: 85.788s
Reboot the device using
Code:
./fastboot reboot
Your bootloader should now be unlocked
They request you log in and register in exchange for the modified fastboot folder
It succeeded... but when I try
fastboot flash recovery recovery.img
it says
Sending recovery... (size shows in KB)
then says writing recovery... for infinity...
I ported a custom TWRP recovery using hovatek's automatic Unisoc TWRP porting guide. Have any solution? I also tried to flash TWRP with the SPD research tool and it got stuck at probably 95/97 percent.
R41N MuTT said:
Found this. Can't post the link, but I'll c&p the text: ....
fastboot oem get_identifier_token
gives back only the serial number in hexadecimal.
Put the SN of your device in a hex editor and change the view to hex view;
when you compare, you will see it's the SN.
I'll show you the output of my device; it's a Blackview A70 smartphone. This device is my favorite victim, because it is stubborn as a donkey.
Code:
d:\android\blackview\a70>fastboot oem get_identifier_token
(bootloader) identifier token:
(bootloader) 334b3032384137304545413037313431
(bootloader) 37
okay [ 0.031s]
finished. total time: 0.031s
(the number above is a fantasy number)
Interestingly, there are 3 (bootloader) lines here:
1. is the title
2. is the first part of the SN
3. is the second part of the SN
Yes, the length of the SN of this device is 17 characters. In this case you have to put line 2 and line 3 together to build the number.
If you don't do that, the unlock will not succeed.
for example, this is my SN read with
fastboot devices
3K028A70EEA071417
fastboot oem get_identifier_token
334b3032384137304545413037313431
37
the difference is only binary and hex view
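An added example (not part of the posts above, and not any tool's own code): it joins the token lines printed by fastboot oem get_identifier_token, hex-decodes them and compares the result with the serial number, which shows that on this device the token is derived from a public identifier rather than from a secret. The sample output is constructed from the values quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: fastboot output in the shape quoted in the post above
# (the poster notes that the number itself is made up).
SAMPLE_OUTPUT = """\
(bootloader) identifier token:
(bootloader) 334b3032384137304545413037313431
(bootloader) 37
okay [  0.031s]
finished. total time: 0.031s
"""
SAMPLE_SERIAL = "3K028A70EEA071417"  # as printed by "fastboot devices" in the post

_PREFIX = re.compile(r"^\(bootloader\)\s*")
_HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")


def extract_identifier_token(fastboot_output):
    """Join every hex-only line that follows the 'identifier token:' title."""
    parts = []
    seen_title = False
    for line in fastboot_output.splitlines():
        body = _PREFIX.sub("", line.strip()).strip()
        if not seen_title:
            seen_title = body.lower() == "identifier token:"
            continue
        if not _HEX_ONLY.match(body):
            break  # "okay [...]" or any other non-hex line ends the token
        parts.append(body)
    token = "".join(parts).lower()
    if not token or len(token) % 2:
        raise ValueError("no complete identifier token found")
    return token


def token_to_text(token):
    """Hex-decode a token; raises ValueError if it is not printable ASCII."""
    text = bytes.fromhex(token).decode("ascii")
    if not text.isprintable():
        raise ValueError("token does not decode to printable text")
    return text


def token_is_serial(fastboot_output, serial):
    """True when the token is nothing more than the hex-encoded serial number."""
    return token_to_text(extract_identifier_token(fastboot_output)) == serial


if __name__ == "__main__":
    token = extract_identifier_token(SAMPLE_OUTPUT)
    print("token :", token)
    print("text  :", token_to_text(token))
    print("serial:", token_is_serial(SAMPLE_OUTPUT, SAMPLE_SERIAL))
```

Decoding only the first token line gives a 16-character string that is one character short of the serial, which is the mistake the post warns about.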
I have 2 Android TV boxes and I want to swap their remote controls.
1) H9x3 with Slimbox firmware
2) VONTAR X3 with Slimbox firmware
I have the 2 remote.conf files. I tried to copy the files to the /etc folder, but it is read-only. Also, there are no remote.conf files in the /etc folder.
Does anyone have any idea how I can do that?
Unfortunately, it's much more difficult than just copying the remote.conf files, but not impossible. I've just done the same thing. Firstly, you need to be rooted. Secondly, you need to have access to the box via adb. Thirdly, you need to use a root file explorer like X-plore, which is included in the Slimbox fw. Have a look here:
H96 MAX X3 (S905X3) [Android] - 4PDA (4pda.ru)
You will definitely need a couple of hours if not more.
Thanks, I will give it a try. At first glance, I think the most difficult part is that it is in Russian.
Just use Google Translate. I can help you with the files for my remote to give you a better idea of what they should look like.
That would be helpful.
In /vendor/etc/init/hw/init.amlogic.rc I added this line:
Code:
service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote_tanix.cfg -t /vendor/etc/remote_tanix.tab -d
    class main
    oneshot
    seclabel u:r:remotecfg:s0
I added remote_tanix.cfg and remote_tanix.tab in /vendor/etc with 644 rights. remote_tanix.cfg is basically the same as remote.cfg. remote_tanix.tab was created using dmesg output after pressing the buttons on a Tanix remote which I wanted to use with my h96 max x3 box.
I think that something is wrong with my remote.tab file, or something is missing.
I get these errors when I push buttons on the remote control:
Code:
[ 1175.201851] <3>[ [email protected]] meson-remote ff808040.rc: invalid custom:0xbd42df00
[ 1175.202336] <3>[ [email protected]] meson-remote ff808040.rc: cur_custom is nulll
[ 1175.207881] <3>[ [email protected]] meson-remote ff808040.rc: no valid key to handle
[ 1208.559821] <3>[ [email protected]] meson-remote ff808040.rc: invalid custom:0xf906df00
[ 1208.560346] <3>[ [email protected]] meson-remote ff808040.rc: cur_custom is nulll
[ 1208.565872] <3>[ [email protected]] meson-remote ff808040.rc: no valid key to handle
Code:
HOME -> 0xbd42df00
OK -> 0xf906df00
I used remote-0xfа00.tab from 4pda.ru; it seems to be the same remote control.
Your remote code is df00, but the code of the remote tab you downloaded is fа00, assuming 0xfа00 in the file name is the remote code. Check if you have 0x42 and 0x06 in the tab file. I'm positive you won't find them, because otherwise you wouldn't have that error if your tab file was correct.
Perfect, you are right. I changed ff00 to df00 and the remote control was detected.
I have found all the button codes.
I think the only thing I still have to find is the key number (2, 3, 4, etc.). How can I find them?
Code:
0x54 2 #1
0x16 3 #2
0x15 4 #3
0x50 5 #4
0x12 6 #5
0x11 7 #6
0x4c 8 #7
0x0e 9 #8
0x0d 10 #9
0x0c 11 #0
If I use the following code, will it work?
Code:
0xdf1a KEY_UP
0xdf48 KEY_DOWN
0xdf47 KEY_LEFT
0xdf07 KEY_RIGHT
Code:
0x54 2 #1
0x16 3 #2
0x15 4 #3
0x50 5 #4
0x12 6 #5
0x11 7 #6
0x4c 8 #7
0x0e 9 #8
0x0d 10 #9
0x0c 11 #0
This should work fine according to your button codes.
You can find the Linux codes in /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl
Linux key for number 1 is 2 etc.
Code:
0xdf1a KEY_UP
0xdf48 KEY_DOWN
0xdf47 KEY_LEFT
0xdf07 KEY_RIGHT
No. You erase 2 characters after 0x and replace them with the next 2.
Code:
0x1a 103 #KEY_UP
0x48 108 #KEY_DOWN
0x47 105 #KEY_LEFT
0x07 106 #KEY_RIGHT
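As an added example (not part of the thread and not an Amlogic tool): a script that turns the `invalid custom:` messages from dmesg into tab-file key lines in the `scancode keycode #label` form used above, and refuses to continue when the remote's custom code differs from the one the tab file is written for. In the two values quoted in the thread the low 16 bits are the custom code (df00), the next byte is the button code, and the top byte is its bitwise inverse; the function names are hypothetical, and the Linux key codes 102 (KEY_HOME) and 28 (KEY_ENTER) chosen for HOME and OK are assumptions.

```python
import re

FRAME_RE = re.compile(r"invalid custom:0x([0-9a-fA-F]{8})\b")

# Constructed sample: the driver messages quoted in the thread with the
# timestamps dropped, plus one frame repeated to exercise de-duplication.
SAMPLE_DMESG = """\
meson-remote ff808040.rc: invalid custom:0xbd42df00
meson-remote ff808040.rc: cur_custom is nulll
meson-remote ff808040.rc: no valid key to handle
meson-remote ff808040.rc: invalid custom:0xbd42df00
meson-remote ff808040.rc: invalid custom:0xf906df00
"""


def decode_frame(value):
    """Split a 32-bit frame into (custom_code, scancode, check_ok)."""
    custom = value & 0xFFFF
    scancode = (value >> 16) & 0xFF
    inverse = (value >> 24) & 0xFF
    return custom, scancode, (scancode ^ inverse) == 0xFF


def frames_from_dmesg(text):
    """Unique (custom, scancode) pairs in order of first appearance.

    Frames whose check byte is not the inverse of the scancode are skipped.
    """
    seen = []
    for match in FRAME_RE.finditer(text):
        custom, scancode, ok = decode_frame(int(match.group(1), 16))
        if ok and (custom, scancode) not in seen:
            seen.append((custom, scancode))
    return seen


def tab_entries(text, pressed, tab_custom):
    """Build tab lines; `pressed` is [(label, linux_keycode)] in press order."""
    frames = frames_from_dmesg(text)
    foreign = sorted({c for c, _ in frames if c != tab_custom})
    if foreign:
        codes = ", ".join("0x%04x" % c for c in foreign)
        raise ValueError("remote sends custom code %s, tab file is for 0x%04x"
                         % (codes, tab_custom))
    if len(frames) != len(pressed):
        raise ValueError("%d buttons seen in dmesg, %d labels given"
                         % (len(frames), len(pressed)))
    return ["0x%02x %d #%s" % (scancode, keycode, label)
            for (_, scancode), (label, keycode) in zip(frames, pressed)]


if __name__ == "__main__":
    for line in tab_entries(SAMPLE_DMESG, [("HOME", 102), ("OK", 28)], 0xDF00):
        print(line)
```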
Finally I did it. It was a bit time-consuming, but the result pleased me.
Thank you very much for your help !!
I will upload the 2 files in case anyone wants them in the future.
Also, to make the 2 buttons APPLICATION_SWITCH & MEDIA_PLAY_PAUSE work on the df00 remote control, I added the line
Code:
key 0 MOUSE
in /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl
I don't know why it needed that line, but without this line it didn't detect these 2 buttons.
Hello, how can I fix Enter on an external keyboard, like this:
Post in thread '[v7.5] Aidan's ROM [S905X] [ATV 7.1.2] (Lag & Bloat Free, Pre Rooted, Samba & Miracast) [TV NETFLIIX] 2021 Update!' https://forum.xda-developers.com/t/...tv-netfliix-2021-update.4104869/post-87228333
1) In /vendor/etc/init/hw/init.amlogic.rc add this
Code:
service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote.cfg -t /vendor/etc/remote_df00.tab -d
    class main
    oneshot
    seclabel u:r:remotecfg:s0
2) Add the files remote.cfg and remote_df00.tab in /vendor/etc with 644 rights.
3) In /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl add the line
Code:
key 0 MOUSE
4) Reboot and test
vag13 said:
> 1) In /vendor/etc/init/hw/init.amlogic.rc add this
> Code:
> service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote.cfg -t /vendor/etc/remote_df00.tab -d
>     class main
>     oneshot
>     seclabel u:r:remotecfg:s0
> 2) Add the files remote.cfg and remote_df00.tab in /vendor/etc with 644 rights.
> 3) In /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl add the line
> Code:
> key 0 MOUSE
> 4) Reboot and test
OK, thank you very much.
vag13 said:
> 1) In /vendor/etc/init/hw/init.amlogic.rc add this
> Code:
> service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote.cfg -t /vendor/etc/remote_df00.tab -d
>     class main
>     oneshot
>     seclabel u:r:remotecfg:s0
> 2) Add the files remote.cfg and remote_df00.tab in /vendor/etc with 644 rights.
> 3) In /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl add the line
> Code:
> key 0 MOUSE
> 4) Reboot and test
I did what was written, the result did not see a negative control
[Image hosted on resimyukle.io]
If I give you a teamviewer id, can you connect remotely and help?
[Images: IMG_20220805_001250, IMG_20220805_001354 (hosted on im.ge)]
I think that your remote is not the same as mine.
Try to connect via adb and find the correct code of your remote https://forum.xda-developers.com/t/exchange-the-remote-control-from-2-tv-boxes.4265345/post-84891999
sarigol45 said:
> If I give you a teamviewer id, can you connect remotely and help?
> [Images: IMG_20220805_001250, IMG_20220805_001354 (hosted on im.ge)]
Sorry, I don't use TeamViewer.
The remote is working on slimbox atv 12.2 rom, can you check if I upload these files here?
Can you edit these files? I uploaded the working files.
root/vendor/etc
root/vendor/etc/init/hw
root/vendor/usr/keylayout
slimbox 12.2.rar
drive.google.com
Hey,
I've recently updated my Nord 2 from A21 to C10. The phone was unlocked and rooted, so after having reflashed the original boot.img, I forced the installation of the official OTA through TWRP. I had to set ro.commonsoft.ota=OP515BL1 to make it work. After the installation, TWRP failed to mount /system, but that didn't surprise me. I checked that the boot partition had been flashed correctly.
Now every time I try to power on the phone, it directly tries to run into recovery mode. However, it fails and starts again and again...
Maybe the system tries to install the OTA using the original recovery, which of course fails, and for an unknown reason it doesn't reboot to system.
Because of the last update, fastboot is not accessible anymore using vol -, and BROM mode is not accessible using vol + / vol -.
I tried to crash the preloader using mtkclient but it didn't work.
I tried to use META mode to switch to fastboot, but preloader only answers "READY" (instead of "READYTOOBTSAF"), and nothing changes.
I try to reverse engineer preloader and lk but it's something new for me. META mode code is still present in the preloader, so I don't understand what's wrong with it. Maybe disabled by default on USB...
Does anyone have a solution to boot into BROM mode or make META mode work?
Or maybe I could find DA authentication files somewhere ?
@Petitoto can you share a bit about how you got the meta command running?
I'm in a similar situation with a Nord 2T. While mtkclient can get some info out of the preloader, meta never seems to connect.
Code:
mtk gettargetconfig
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader - CPU: MT6893(Dimensity 1200)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x950
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Main - Getting target info...
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Code:
mtk meta FASTBOOT
META - Status: Waiting for PreLoader VCOM, please connect mobile
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
Hey @Beanow,
I have the same gettargetconfig output, which indicates that the phone is not in BROM mode but stuck in preloader. Trying to interact with the preloader always leads to an error because of the DAA (DAA_SIG_VERIFY_FAILED for example).
I have the same issue with mtkclient and meta mode. You can use the following modified mtk-bootseq.py:
py mtk-bootseq.py FASTBOOT COMXX (or python3 mtk-bootseq.py FASTBOOT /dev/ttyACMXX on linux).
Python:
import sys
import time
from serial import Serial

BOOTSEQ = bytes(sys.argv[1], "ascii")
DEVICE = sys.argv[2]
# Expected acknowledgement: "READY" followed by the boot mode name reversed
CONFIRM = b"READY" + BOOTSEQ[::-1]

# Keep retrying until the preloader's serial port shows up
while True:
    try:
        s = Serial(DEVICE, 115200, timeout=0.1)
        print(".\n[+] Device detected")
        break
    except OSError:
        sys.stdout.write("."); sys.stdout.flush()
        time.sleep(0.1)

print("<-", s.read(256))

def send(data):
    # Write the boot sequence and return whatever the preloader answers
    s.write(data)
    print("->", str(data))
    resp = s.read(256)
    print("<-", str(resp))
    return resp

# Resend until the preloader confirms the requested mode
resp = b''
while resp != CONFIRM:
    resp = send(BOOTSEQ)
print("[+] Boot sequence sent")
On another device, it works and I get:
Code:
...............................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READYTOOBTSAF'
[+] Boot sequence sent
However, on my Nord 2, I get:
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Then the next s.write() is hanging.
I get the same result for any other boot mode. However, the code is still present in the preloader.
I unfolded my phone to try to find a test point. I tried all golden points but I only found:
- a point which loads preloader (and not BROM...) in the same way vol + / - do (in red in the picture)
- a point which boots the phone but without Android and OnePlus pictures (what's that ??) (in green)
I don't know how the test point is handled: if that's the role of the preloader, it may have been disabled by the update (like the BROM and fastboot). We may need to find the DAT0 point of the eMMC to short it and prevent the BROM from finding the preloader, making it go into EDL mode. However, I think that this point isn't exposed, and I won't disassemble my phone further without being sure of success...
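As an added example (not code from the thread or from mtkclient): a bounded version of the boot-sequence exchange from the post above, which gives up after a fixed number of attempts and reports whether the preloader accepted the request, answered only READY, stayed silent, or the port failed. The function names, status strings and the `ReplayPort` stand-in are hypothetical; the replies it replays are the ones shown in the transcripts above.

```python
READY = b"READY"


def expected_ack(mode):
    # As seen in the thread: FASTBOOT is acknowledged with READYTOOBTSAF.
    return READY + mode[::-1]


def request_boot_mode(port, mode, attempts=3):
    """Send `mode` at most `attempts` times and report how the device reacted.

    `port` is any object with read(n) and write(data). With pyserial, open it
    with both timeout= and write_timeout= set so neither call blocks forever.
    Returns (status, transcript).
    """
    ack = expected_ack(mode)
    banner = port.read(256)
    transcript = [("<-", banner)]
    saw_ready = READY in banner
    for _ in range(attempts):
        try:
            port.write(mode)
            transcript.append(("->", mode))
            resp = port.read(256)
        except OSError as exc:  # pyserial timeouts/disconnects derive from OSError
            transcript.append(("!!", str(exc).encode()))
            return "port-error", transcript
        transcript.append(("<-", resp))
        if ack in resp:
            return "accepted", transcript
        saw_ready = saw_ready or READY in resp
    return ("ignored" if saw_ready else "silent"), transcript


class ReplayPort:
    """Constructed stand-in for a serial port that replays canned replies."""

    def __init__(self, replies, stall_after=None):
        self.replies = list(replies)
        self.stall_after = stall_after  # writes accepted before write() times out
        self.writes = 0

    def read(self, size):
        return self.replies.pop(0) if self.replies else b""

    def write(self, data):
        if self.stall_after is not None and self.writes >= self.stall_after:
            raise TimeoutError("write timed out")
        self.writes += 1
        return len(data)


# Replies copied from the transcripts in the thread.
WORKING_DEVICE = [READY * 5, b"READYTOOBTSAF"]
NORD_2 = [READY * 5, b"READY", b"", b""]

if __name__ == "__main__":
    cases = [("other device", ReplayPort(WORKING_DEVICE)),
             ("Nord 2", ReplayPort(NORD_2, stall_after=3)),
             ("no answer at all", ReplayPort([]))]
    for name, port in cases:
        status, log = request_boot_mode(port, b"FASTBOOT", attempts=5)
        print(name, "->", status)
        for direction, data in log:
            print("   ", direction, data)
```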
Thank you so much for the work so far!
Unfortunately I get no response at all on the Nord 2T.
Code:
.......................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
Traceback (most recent call last):
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 31, in <module>
resp = send(BOOTSEQ)
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 24, in send
resp = s.read(256)
File "/usr/lib/python3.10/site-packages/pyserial-3.5-py3.10.egg/serial/serialposix.py", line 595, in read
raise SerialException(
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
How did you connect to the device that you're getting these responses?
In my case, I need to use vol+, vol- and power, like mtkclient, or the ttyACM0 won't exist.
(I've got udevadm monitor up, watching for the usb/tty to be added)
Indeed, you need to run into preloader using vol +, vol -
Maybe a driver / python module issue. I've got similar issues on my linux. Try on windows or try to reinstall drivers.
It should work at least for the first answer. Else it means that your preloader doesn't send any data, which is not the case as mtkclient works.
I also tried a different baud, because a pl_lk log from oplusreserve2 partition suggested it may be used. No luck though. Note, this was a very old log I saved early on. Definitely not reflective of latest Nord 2T update.
Code:
[PLFM] boot_tag size = 0x0
BOOT_TAG_VERSION: 0
BOOT_REASON: 0
BOOT_MODE: 0
META_COM TYPE: 0
META_COM ID: 0
META_COM PORT: 285220864
META LOG DISABLE: 0
FAST META GPIO: 5906
LOG_COM PORT: 285220864
LOG_COM BAUD: 921600
LOG_COM EN: 1
LOG_COM SWITCH: 0
MEM_NUM: 2
MEM_SIZE: 0xAE7B
MEM_SIZE: 0xAE8D
I guess I'll try windows then
Code:
python mtk-bootseq.py FASTBOOT COM4
...................................................................................................................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Windows looks to behave similarly. Though Windows wouldn't take the MTK VCOM driver, so this is the Win10 default serial driver, in a VM over USB passthrough.
So, same result not in a VM. Though specifically with powershell I got the same output as you did.
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
This is a really helpful post for us. I already have a OnePlus Nord 2 phone; from this post I know more information about this phone.
Thank you so much.
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Petitoto said:
> @Beanow So same results...
> It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
> What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Thanks for this. No need to switch to windows anymore, to use mtk client.
Petitoto said:
> It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
All theories, but I would find it really hard to believe there's a problem with Linux drivers / libraries for something as basic as a UART/serial console over USB.
Petitoto said:
> @Beanow So same results...
> It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
> What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
I also suspected this PID check and tried to log the else cases, but never reaches those for me.
So removing the check didn't help for mtkclients' meta commands.
> Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
Different results when using cmd and powershell? There is really no reason for that. Unless it's not the same Python environment, with a different pyserial, e.g. I have issues running mtk-bootseq on Linux, but always the same output on Windows' cmd.
> I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Maybe. On Linux, I can get different results depending on baud rate, timeout (and luck?). If there is an issue related to the connection, it might explain why the preloader doesn't answer as expected. But as other commands (like mtk gettargetconfig, but also manually handshaking connections and gathering information in pyserial) work well, I tend to think it's just disabled.
> Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
I don't really know how it works. The code is still present in the preloader. However, this functionality is not always enabled. Maybe reversing the preloader more or analysing the log you provided on GitHub might help to determine whether or not it is enabled. Moreover, even if we manage to switch to fastboot, if the bootloader has been fully disabled, we may face the issue of the preloader trying to run into a non-existent fastboot. Maybe the FACTFACT mode may help to reset the device, but I don't really know a lot about this mode.
> So removing the check didn't help for mtkclients' meta commands.
Once you removed this check, if you print the data sent by the preloader, you'll get the multiple "READY" like mtk-bootseq on Windows. Moreover, I can switch to fastboot using this command on another MTK device.
Dear Sir,
Do you have any method to recover my phone, as the figure shows?
Thank You