chipmunkmc/mtkclient
1
0
Fork 0
mirror of https://github.com/bkerler/mtkclient.git synced 2025-02-25 22:14:31 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add legacy basic support

Browse source
This commit is contained in:
Bjoern Kerler 2021-11-30 09:49:10 +01:00
parent 534c0d0a97
commit 7ccb0d8c8f
10 changed files with 880 additions and 150 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
mtk
View file

@ -1087,9 +1087,9 @@ class Main(metaclass=LogBase):
self.error(f"Error: Couldn't detect partition: {partition}\nAvailable partitions:")
for rpartition in res[1]:
self.info(rpartition.name)
if (countFP == len(partitions) and countFP > 1):
if countFP == len(partitions) and countFP > 1:
print(f"All partitions formatted.")
elif (countFP != len(partitions) and countFP > 1):
elif countFP != len(partitions) and countFP > 1:
print(f"Failed to format all partitions.")
self.close()
elif cmd == "es":

460
mtkclient/Library/error.py
View file

@ -3,6 +3,433 @@
# (c) B.Kerler 2018-2021 GPLv3 License
ErrorCodes = {
0x0: "OK",
# COMMON
0x3E8: "STOP", # 1000
0x3E9: "UNDEFINED_ERROR",
0x3EA: "INVALID_ARGUMENTS",
0x3EB: "INVALID_BBCHIP_TYPE",
0x3EC: "INVALID_EXT_CLOCK",
0x3ED: "INVALID_BMTSIZE",
0x3EE: "GET_DLL_VER_FAIL",
0x3EF: "INVALID_BUF",
0x3F0: "BUF_IS_NULL",
0x3F1: "BUF_LEN_IS_ZERO",
0x3F2: "BUF_SIZE_TOO_SMALL",
0x3F3: "NOT_ENOUGH_STORAGE_SPACE",
0x3F4: "NOT_ENOUGH_MEMORY",
0x3F5: "COM_PORT_OPEN_FAIL",
0x3F6: "COM_PORT_SET_TIMEOUT_FAIL",
0x3F7: "COM_PORT_SET_STATE_FAIL",
0x3F8: "COM_PORT_PURGE_FAIL",
0x3F9: "FILEPATH_NOT_SPECIFIED_YET",
0x3FA: "UNKNOWN_TARGET_BBCHIP",
0x3FB: "SKIP_BBCHIP_HW_VER_CHECK",
0x3FC: "UNSUPPORTED_VER_OF_BOOT_ROM",
0x3FD: "UNSUPPORTED_VER_OF_BOOTLOADER",
0x3FE: "UNSUPPORTED_VER_OF_DA",
0x3FF: "UNSUPPORTED_VER_OF_SEC_INFO",
0x400: "UNSUPPORTED_VER_OF_ROM_INFO",
0x401: "SEC_INFO_NOT_FOUND",
0x402: "ROM_INFO_NOT_FOUND",
0x403: "CUST_PARA_NOT_SUPPORTED",
0x404: "CUST_PARA_WRITE_LEN_INCONSISTENT",
0x405: "SEC_RO_NOT_SUPPORTED",
0x406: "SEC_RO_WRITE_LEN_INCONSISTENT",
0x407: "ADDR_N_LEN_NOT_32BITS_ALIGNMENT",
0x408: "UART_CHKSUM_ERROR",
0x409: "EMMC_FLASH_BOOT",
0x40A: "NOR_FLASH_BOOT",
0x40B: "NAND_FLASH_BOOT",
0x40C: "UNSUPPORTED_VER_OF_EMI_INFO",
0x40D: "PART_NO_VALID_TABLE",
0x40E: "PART_NO_SPACE_FOUND",
0x40F: "UNSUPPORTED_VER_OF_SEC_CFG",
0x410: "UNSUPPORTED_OPERATION",
0x411: "CHKSUM_ERROR",
0x412: "TIMEOUT",
# BROM
0x7D0: "SET_META_REG_FAIL",
0x7D1: "SET_FLASHTOOL_REG_FAIL",
0x7D2: "SET_REMAP_REG_FAIL",
0x7D3: "SET_EMI_FAIL",
0x7D4: "DOWNLOAD_DA_FAIL",
0x7D5: "CMD_STARTCMD_FAIL",
0x7D6: "CMD_STARTCMD_TIMEOUT",
0x7D7: "CMD_JUMP_FAIL",
0x7D8: "CMD_WRITE16_MEM_FAIL",
0x7D9: "CMD_READ16_MEM_FAIL",
0x7DA: "CMD_WRITE16_REG_FAIL",
0x7DB: "CMD_READ16_REG_FAIL",
0x7DC: "CMD_CHKSUM16_MEM_FAIL",
0x7DD: "CMD_WRITE32_MEM_FAIL",
0x7DE: "CMD_READ32_MEM_FAIL",
0x7DF: "CMD_WRITE32_REG_FAIL",
0x7E0: "CMD_READ32_REG_FAIL",
0x7E1: "CMD_CHKSUM32_MEM_FAIL",
0x7E2: "JUMP_TO_META_MODE_FAIL",
0x7E3: "WR16_RD16_MEM_RESULT_DIFF",
0x7E4: "CHKSUM16_MEM_RESULT_DIFF",
0x7E5: "BBCHIP_HW_VER_INCORRECT",
0x7E6: "FAIL_TO_GET_BBCHIP_HW_VER",
0x7E7: "AUTOBAUD_FAIL",
0x7E8: "SPEEDUP_BAUDRATE_FAIL",
0x7E9: "LOCK_POWERKEY_FAIL",
0x7EA: "WM_APP_MSG_OUT_OF_RANGE",
0x7EB: "NOT_SUPPORT_MT6205B",
0x7EC: "EXCEED_MAX_DATA_BLOCKS",
0x7ED: "EXTERNAL_SRAM_DETECTION_FAIL",
0x7EE: "EXTERNAL_DRAM_DETECTION_FAIL",
0x7EF: "GET_FW_VER_FAIL",
0x7F0: "CONNECT_TO_BOOTLOADER_FAIL",
0x7F1: "CMD_SEND_DA_FAIL",
0x7F2: "CMD_SEND_DA_CHKSUM_DIFF",
0x7F3: "CMD_JUMP_DA_FAIL",
0x7F4: "CMD_JUMP_BL_FAIL",
0x7F5: "EFUSE_REG_NO_MATCH_WITH_TARGET",
0x7F6: "EFUSE_WRITE_TIMEOUT",
0x7F7: "EFUSE_DATA_PROCESS_ERROR",
0x7F8: "EFUSE_BLOW_ERROR",
0x7F9: "EFUSE_ALREADY_BROKEN",
0x7FA: "EFUSE_BLOW_PARTIAL",
0x7FB: "SEC_VER_FAIL",
0x7FC: "PL_SEC_VER_FAIL",
0x7FD: "SET_WATCHDOG_FAIL",
0x7FE: "EFUSE_VALUE_IS_NOT_ZERO",
0x7FF: "EFUSE_WRITE_TIMEOUT_WITHOUT_EFUSE_VERIFY",
0x800: "EFUSE_UNKNOW_EXCEPTION_WITHOUT_EFUSE_VERIFY",
# DA error
0xBB8: "INT_RAM_ERROR",
0xBB9: "EXT_RAM_ERROR",
0xBBA: "SETUP_DRAM_FAIL",
0xBBB: "SETUP_PLL_ERR",
0xBBC: "SETUP_EMI_PLL_ERR",
0xBBD: "DRAM_ABNORMAL_TYPE_SETTING",
0xBBE: "DRAMC_RANK0_CALIBRATION_FAILED",
0xBBF: "DRAMC_RANK1_CALIBRATION_FAILED",
0xBC0: "DRAM_NOT_SUPPORT",
0xBC1: "RAM_FLOARTING",
0xBC2: "RAM_UNACCESSABLE",
0xBC3: "RAM_ERROR",
0xBC4: "DEVICE_NOT_FOUND",
0xBC5: "NOR_UNSUPPORTED_DEV_ID",
0xBC6: "NAND_UNSUPPORTED_DEV_ID",
0xBC7: "NOR_FLASH_NOT_FOUND",
0xBC8: "NAND_FLASH_NOT_FOUND",
0xBC9: "SOC_CHECK_FAIL",
0xBCA: "NOR_PROGRAM_FAILED",
0xBCB: "NOR_ERASE_FAILED",
0xBCC: "NAND_PAGE_PROGRAM_FAILED",
0xBCD: "NAND_SPARE_PROGRAM_FAILED",
0xBCE: "NAND_HW_COPYBACK_FAILED",
0xBCF: "NAND_ERASE_FAILED",
0xBD0: "TIMEOUT",
0xBD1: "IN_PROGRESS",
0xBD2: "SUPERAND_ONLY_SUPPORT_PAGE_READ",
0xBD3: "SUPERAND_PAGE_PRGRAM_NOT_SUPPORT",
0xBD4: "SUPERAND_SPARE_PRGRAM_NOT_SUPPORT",
0xBD5: "SUPERAND_COPYBACK_NOT_SUPPORT",
0xBD6: "NOR_CMD_SEQUENCE_ERR",
0xBD7: "NOR_BLOCK_IS_LOCKED",
0xBD8: "NAND_BLOCK_IS_LOCKED",
0xBD9: "NAND_BLOCK_DATA_UNSTABLE",
0xBDA: "NOR_BLOCK_DATA_UNSTABLE",
0xBDB: "NOR_VPP_RANGE_ERR",
0xBDC: "INVALID_BEGIN_ADDR",
0xBDD: "NOR_INVALID_ERASE_BEGIN_ADDR",
0xBDE: "NOR_INVALID_READ_BEGIN_ADDR",
0xBDF: "NOR_INVALID_PROGRAM_BEGIN_ADDR",
0xBE0: "INVALID_RANGE",
0xBE1: "NOR_PROGRAM_AT_ODD_ADDR",
0xBE2: "NOR_PROGRAM_WITH_ODD_LENGTH",
0xBE3: "NOR_BUFPGM_NO_SUPPORT",
0xBE4: "NAND_UNKNOWN_ERR",
0xBE5: "NAND_BAD_BLOCK",
0xBE6: "NAND_ECC_1BIT_CORRECT",
0xBE7: "NAND_ECC_2BITS_ERR",
0xBE8: "NAND_SPARE_CHKSUM_ERR",
0xBE9: "NAND_HW_COPYBACK_DATA_INCONSISTENT",
0xBEA: "NAND_INVALID_PAGE_INDEX",
0xBEB: "NFI_NOT_SUPPORT",
0xBEC: "NFI_CS1_NOT_SUPPORT",
0xBED: "NFI_16BITS_IO_NOT_SUPPORT",
0xBEE: "NFB_BOOTLOADER_NOT_EXIST",
0xBEF: "NAND_NO_GOOD_BLOCK",
0xBF0: "NAND_UBIIMG_NOT_SPARSEIMAGE",
0xBF1: "BOOTLOADER_IS_TOO_LARGE",
0xBF2: "SIBLEY_REWRITE_OBJ_MODE_REGION",
0xBF3: "SIBLEY_WRITE_B_HALF_IN_CTRL_MODE_REGION",
0xBF4: "SIBLEY_ILLEGAL_CMD",
0xBF5: "SIBLEY_PROGRAM_AT_THE_SAME_REGIONS",
0xBF6: "UART_GET_DATA_TIMEOUT",
0xBF7: "UART_GET_CHKSUM_LSB_TIMEOUT",
0xBF8: "UART_GET_CHKSUM_MSB_TIMEOUT",
0xBF9: "UART_DATA_CKSUM_ERROR",
0xBFA: "UART_RX_BUF_FULL",
0xBFB: "UART_RX_BUF_NOT_ENOUGH",
0xBFC: "FLASH_RECOVERY_BUF_NOT_ENOUGH",
0xBFD: "HANDSET_SEC_INFO_NOT_FOUND",
0xBFE: "HANDSET_SEC_INFO_MAC_VERIFY_FAIL",
0xBFF: "HANDSET_ROM_INFO_NOT_FOUND",
0xC00: "HANDSET_FAT_INFO_NOT_FOUND",
0xC01: "OPERATION_UNSUPPORT_FOR_NFB",
0xC02: "BYPASS_POST_PROCESS",
0xC03: "NOR_OTP_NOT_SUPPORT",
0xC04: "NOR_OTP_EXIST",
0xC05: "NOR_OTP_LOCKED",
0xC06: "NOR_OTP_GETSIZE_FAIL",
0xC07: "NOR_OTP_READ_FAIL",
0xC08: "NOR_OTP_PROGRAM_FAIL",
0xC09: "NOR_OTP_LOCK_FAIL",
0xC0A: "NOR_OTP_LOCK_CHECK_STATUS_FAIL",
0xC0B: "BLANK_FLASH",
0xC0C: "CODE_AREA_IS_BLANK",
0xC0D: "SEC_RO_AREA_IS_BLANK",
0xC0E: "NOR_OTP_UNLOCKED",
0xC0F: "UNSUPPORTED_BBCHIP",
0xC10: "FAT_NOT_EXIST",
0xC11: "EXT_SRAM_NOT_FOUND",
0xC12: "EXT_DRAM_NOT_FOUND",
0xC13: "MT_PIN_LOW",
0xC14: "MT_PIN_HIGH",
0xC15: "MT_PIN_SHORT",
0xC16: "MT_BUS_ERROR",
0xC17: "MT_ADDR_NOT_2BYTE_ALIGNMENT",
0xC18: "MT_ADDR_NOT_4BYTE_ALIGNMENT",
0xC19: "MT_SIZE_NOT_2BYTE_ALIGNMENT",
0xC1A: "MT_SIZE_NOT_4BYTE_ALIGNMENT",
0xC1B: "MT_DEDICATED_PATTERN_ERROR",
0xC1C: "MT_INC_PATTERN_ERROR",
0xC1D: "MT_DEC_PATTERN_ERROR",
0xC1E: "NFB_BLOCK_0_IS_BAD",
0xC1F: "CUST_PARA_AREA_IS_BLANK",
0xC20: "ENTER_RELAY_MODE_FAIL",
0xC21: "ENTER_RELAY_MODE_IS_FORBIDDEN_AFTER_META",
0xC22: "NAND_PAGE_READ_FAILED",
0xC23: "NAND_IMAGE_BLOCK_NO_EXIST",
0xC24: "NAND_IMAGE_LIST_NOT_EXIST",
0xC25: "MBA_RESOURCE_NO_EXIST_IN_TARGET",
0xC26: "MBA_PROJECT_VERSION_NO_MATCH_WITH_TARGET",
0xC27: "MBA_UPDATING_RESOURCE_NO_EXIST_IN_TARGET",
0xC28: "MBA_UPDATING_RESOURCE_SIZE_EXCEED_IN_TARGET",
0xC29: "NAND_BIN_SIZE_EXCEED_MAX_SIZE",
0xC2A: "NAND_EXCEED_CONTAINER_LIMIT",
0xC2B: "NAND_REACH_END_OF_FLASH",
0xC2C: "NAND_OTP_NOT_SUPPORT",
0xC2D: "NAND_OTP_EXIST",
0xC2E: "NAND_OTP_LOCKED",
0xC2F: "NAND_OTP_LOCK_FAIL",
0xC30: "NAND_OTP_UNLOCKED",
0xC31: "OTP_NOT_SUPPORT",
0xC32: "OTP_EXIST",
0xC33: "OTP_LOCKED",
0xC34: "OTP_GETSIZE_FAIL",
0xC35: "OTP_READ_FAIL",
0xC36: "OTP_PROGRAM_FAIL",
0xC37: "OTP_LOCK_FAIL",
0xC38: "OTP_LOCK_CHECK_STATUS_FAIL",
0xC39: "OTP_UNLOCKED",
0xC3A: "SEC_RO_ILLEGAL_MAGIC_TAIL",
0xC3B: "HANDSET_FOTA_INFO_NOT_FOUND",
0xC3C: "HANDSET_UA_INFO_NOT_FOUND",
0xC3D: "SB_FSM_INVALID_INFO",
0xC3E: "NFB_TARGET_DUAL_BL_PAIRED_VERSION_NOT_MATCHED_WITH_MAUI",
0xC3F: "NFB_TARGET_DUAL_BL_FEATURE_COMBINATION_NOT_MATCHED_WITH_MAUI",
0xC40: "NFB_TARGET_IS_SINGLE_BL_BUT_PC_NOT",
0xC41: "NFB_TARGET_IS_DUAL_BL_BUT_PC_NOT",
0xC42: "NOR_TARGET_BL_PAIRED_VERSION_NOT_MATCHED_WITH_MAUI",
0xC43: "NOR_TARGET_BL_FEATURE_COMBINATION_NOT_MATCHED_WITH_MAUI",
0xC44: "NOR_TARGET_IS_NOT_NEW_BL_BUT_PC_IS",
0xC45: "NOR_TARGET_IS_NEW_BL_BUT_PC_NOT",
0xC46: "DOWNLOAD_BOOTLOADER_FLASH_DEV_IS_NONE",
0xC47: "DOWNLOAD_BOOTLOADER_FLASH_DEV_IS_NOT_SUPPORTED",
0xC48: "DOWNLOAD_BOOTLOADER_BEGIN_ADDR_OVERLAPS_WITH_PREVIOUS_BOUNDARY",
0xC49: "UPDATE_BOOTLOADER_EXIST_MAGIC_NOT_MATCHED",
0xC4A: "UPDATE_BOOTLOADER_FILE_TYPE_NOT_MATCHED",
0xC4B: "UPDATE_BOOTLOADER_FILE_SIZE_EXCEEDS_BOUNDARY_ADDR",
0xC4C: "UPDATE_BOOTLOADER_BEGIN_ADDR_NOT_MATCHED",
0xC4D: "EMMC_FLASH_NOT_FOUND",
0xC4E: "EMMC_FW_VER_CHECK_FAIL",
0xC4F: "SDMMC_FLASH_NOT_FOUND",
0xC50: "SDMMC_CONFIG_FAILED",
0xC51: "SDMMC_READ_FAILED",
0xC52: "SDMMC_WRITE_FAILED",
0xC53: "SDMMC_ERR_CRC",
0xC54: "SDMMC_ERR_TIMEOUT",
0xC55: "SDMMC_UNSUPPORTED",
0xC56: "DSPBL_CHECK_PLATFORM_FAILED",
0xC57: "UFS_FLASH_NOT_FOUND",
0xC58: "UFS_CONFIG_FAILED",
0xC59: "UFS_READ_FAILED",
0xC5A: "UFS_WRITE_FAILED",
0xC5B: "UFS_ERR_TIMEOUT",
0xC5C: "UFS_UNSUPPORTED",
0xC5D: "UFS_OTP_NOT_SUPPORT",
0xC5E: "UFS_OTP_EXIST",
0xC5F: "UFS_OTP_LOCKED",
0xC60: "UFS_OTP_LOCK_FAIL",
0xC61: "UFS_OTP_UNLOCKED",
0xC62: "HANDSET_SEC_CFG_NOT_FOUND",
0xC63: "EMMC_OTP_NOT_SUPPORT",
0xC64: "EMMC_OTP_EXIST",
0xC65: "EMMC_OTP_LOCKED",
0xC66: "EMMC_OTP_LOCK_FAIL",
0xC67: "EMMC_OTP_UNLOCKED",
0xC68: "READ_IMEI_PID_SWV_NOT_SUPPORT",
0xC69: "NFI_EMPTY_PAGE",
0xC6A: "INVALID_STORAGE_TYPE",
0xC6B: "SEND_CMD_FAIL",
0xC6C: "READ_CMD_ACK_FAIL",
0xC6D: "READ_FLASH_STATUS_INFO_FAIL",
0xC6E: "PL_VALIDATION_FAIL",
0xC6F: "STORAGE_NOT_MATCH",
0xC70: "CHIP_TYPE_NOT_MATCH",
0xC71: "EXCEED_MAX_PARTITION_COUNT",
# SECURITY
0x1770: "CALLBACK_SLA_CHALLENGE_FAIL",
0x1771: "SLA_WRONG_AUTH_FILE",
0x1772: "SLA_INVALID_AUTH_FILE",
0x1773: "SLA_CHALLENGE_FAIL",
0x1774: "SLA_FAIL",
0x1775: "DAA_FAIL",
0x1776: "SBC_FAIL",
0x1777: "SF_SECURE_VER_CHECK_FAIL",
0x1778: "SF_HANDSET_SECURE_CUSTOM_NAME_NOT_MATCH",
0x1779: "SF_FTCFG_LOCKDOWN",
0x177A: "SF_CODE_DOWNLOAD_FORBIDDEN",
0x177B: "SF_CODE_READBACK_FORBIDDEN",
0x177C: "SF_CODE_FORMAT_FORBIDDEN",
0x177D: "SF_SEC_RO_DOWNLOAD_FORBIDDEN",
0x177E: "SF_SEC_RO_READBACK_FORBIDDEN",
0x177F: "SF_SEC_RO_FORMAT_FORBIDDEN",
0x1780: "SF_FAT_DOWNLOAD_FORBIDDEN",
0x1781: "SF_FAT_READBACK_FORBIDDEN",
0x1782: "SF_FAT_FORMAT_FORBIDDEN",
0x1783: "SF_RESTRICTED_AREA_ACCESS_FORBIDDEN",
0x1784: "SECURE_CUSTOM_NAME_NOT_MATCH_BETWEEN_AUTH_AND_DL_HANDLE",
0x1785: "DOWNLOAD_FILE_IS_CORRUPTED",
0x1786: "NOT_SUPPORT",
0x1787: "BOOTLOADER_IMAGE_SIGNATURE_FAIL",
0x1788: "BOOTLOADER_ELDER_SW_VERSION_CANNOT_BE_DOWNLOADED",
0x1789: "BOOTLOADER_IMAGE_NO_SIGNATURE",
0x178A: "BOOTLOADER_CORRUPTED_SCATTER_FILE",
0x178B: "SECURE_USB_DL_NO_MAUI_IN_SCATTER_FILE",
0x178C: "SEND_CERT_FAIL",
0x178D: "SEND_AUTH_FAIL",
0x178E: "GET_SEC_CONFIG_FAIL",
0x178F: "GET_ME_ID_FAIL",
0x1790: "GET_HW_SW_VER_FAIL",
0x1791: "GET_HW_CODE_FAIL",
0x1792: "ROM_INFO_NOT_FOUND",
0x1793: "ROM_INFO_ID_MISMATCH",
0x1794: "SEC_CTRL_ID_MISMATCH",
0x1795: "SEC_KEY_ID_MISMATCH",
0x1796: "SECURE_USB_DL_FAIL",
0x1797: "SECURE_USB_DL_CHECK_TARGET_STATUS_FAIL",
0x1798: "SECURE_USB_DL_SEND_CHIP_STATUS_FAIL",
0x1799: "SECURE_USB_DL_DISABLED",
0x179A: "SECURE_USB_DL_ENABLED",
0x179B: "SECURE_USB_DL_IMAGE_PUBLIC_N_KEY_READ_FAIL",
0x179C: "SECURE_USB_DL_IMAGE_PUBLIC_E_KEY_READ_FAIL",
0x179D: "SECURE_USB_DL_IMAGE_SIGN_HEADER_NOT_FOUND",
0x179E: "SECURE_USB_DL_IMGAE_SIGNATURE_VERIFY_FAIL",
0x179F: "SECURE_USB_DL_IMAGE_HASH_FAIL",
0x17A0: "SECURE_USB_DL_IMAGE_NOT_FOUND",
0x17A1: "SECURE_USB_DL_INVALID_IMAGE_ARGUMENT",
0x17A2: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_INIT_FAIL",
0x17A3: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_WRITE_IMAGE_NAME_FAIL",
0x17A4: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_WRITE_IMAGE_NAME_LEN_FAIL",
0x17A5: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_WRITE_TYPE_FAIL",
0x17A6: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_WRITE_HEADER_FAIL",
0x17A7: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_WRITE_IMAGE_OFFSET_FAIL",
0x17A8: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_WRITE_SIGNATURE_HASH_FAIL",
0x17A9: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_GET_CHECK_RESULT_FAIL",
0x17AA: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_DOWNLOAD_IMAGE_INVALID",
0x17AB: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_UNKNOWN_CHECK_RESULT",
0x17AC: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_WRONG_OPERATION",
0x17AD: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_INVALID_HEADER_LENGTH",
0x17AE: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_INVALID_IMAGE_OFFSET",
0x17AF: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_INVALID_SIGNATURE_LENGTH",
0x17F0: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_SIGNATURE_LENGTH_TOO_LARGE",
0x17F1: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_IMAGE_NAME_LENGTH_TOO_LONG",
0x17F2: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_EXT_HEADER_TOO_LARGE",
0x17F3: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_EXT_HEADER_OFFSET_INVALID",
0x17F4: "SECURE_USB_DL_IMAGE_INFO_CHECK_CMD_EXT_HEADER_SELF_COPY_FAIL",
0x17F5: "SEC_CFG_NOT_EXIST",
0x17F6: "SEC_CFG_WRITE_CMD_INIT_FAIL",
0x17F7: "SEC_CFG_WRONG_MAGIC_NUMBER",
0x17F8: "SEC_CFG_IS_FULL_CANNOT_ADD_NEW_IMAGE",
0x17F9: "SEC_CFG_IMAGE_NOT_FOUND_SO_CANNOT_UPDATE",
0x17FA: "SEC_CFG_IMAGE_CUST_NAME_MISMATCH",
0x17FB: "SEC_CFG_IMAGE_CANNOT_ROLL_BACK_SW_LOAD",
0x17FC: "SEC_CFG_IMAGE_EXIST_CANNOT_CREATE_MEW_FILE",
0x17FD: "SEC_CFG_WRITE_FAIL_CFG_NOT_EXIST",
0x17FE: "SEC_CFG_WRITE_FAIL_MAGIC_INCORRECT",
0x17FF: "SEC_CFG_WRITE_FAIL_CANNOT_WRITE_TO_FIRST_BLOCK",
0x1800: "SEC_CFG_WRITE_FAIL_YAFFS2_POST_PROCESS_FAIL",
0x1801: "SEC_CFG_WRITE_FAIL_NAND_DEVICE",
0x1802: "SEC_CFG_WRITE_FAIL_CANNOT_READ_BACK",
0x1803: "SEC_CFG_WRITE_FAIL_READ_BACK_MAGIC_INCORRECT",
0x1804: "SEC_CFG_WRITE_FAIL_READ_BACK_ID_INCORRECT",
0x1805: "SEC_CFG_WRITE_FAIL_READ_BACK_STATUS_INCORRECT",
0x1806: "SEC_CFG_WRITE_FAIL_READ_BACK_END_PATTERN_INCORRECT",
0x1807: "SEC_CFG_WRITE_FAIL_SEC_CFG_CANNOT_OVERWRITE_NEXT_PARTITION",
0x1808: "SEC_CFG_WRITE_FAIL_NAND_NOT_DETECTED",
0x1809: "SEC_CFG_WRITE_FAIL_EMMC_NOT_DETECTED",
0x180a: "SEC_CFG_WRITE_FAIL_EMMC_DEVICE",
0x180b: "SEC_CFG_WRITE_FAIL_NAND_PAGE_SIZE_NOT_SUPPORT",
0x180c: "SEC_CFG_WRITE_FAIL_NAND_FIND_GOOD_BLK_FAIL",
0x180d: "SEC_CFG_WRITE_FAIL_NAND_ERASE_FAIL",
0x180e: "SEC_CFG_WRITE_FAIL_UNKNOWN_DEVIE_TYPE",
0x180f: "SEC_CFG_READ_FAIL_NAND_NOT_DETECTED",
0x1810: "SEC_CFG_READ_FAIL_EMMC_NOT_DETECTED",
0x1811: "SEC_CFG_READ_FAIL_EMMC_DEVICE",
0x1812: "SEC_CFG_READ_FAIL_NAND_PAGE_SIZE_NOT_SUPPORT",
0x1813: "SEC_CFG_READ_FAIL_NAND_FIND_GOOD_BLK_FAIL",
0x1814: "SEC_CFG_READ_FAIL_UNKNOWN_DEVIE_TYPE",
0x1815: "SEC_CFG_READ_FAIL_NAND_LOGICAL_READ_FAIL",
0x1816: "SEC_CFG_EXT_REGION_SPACE_OVERFLOW",
0x1817: "SECURE_USB_DL_ROM_INFO_UPDATE_REQUEST_FAIL",
0x1818: "SECURE_USB_DL_DA_RETURN_INVALID_TYPE",
0x1819: "SECURE_USB_DL_MOVE_IMAGE_HEADER_TO_END_FAIL",
0x181a: "SECURE_USB_DL_NO_NEED_TO_MOVE_IMAGE_HEADER",
0x181b: "SECURE_USB_DL_NO_NEED_TO_REMOVE_IMAGE_HEADER_AND_SIG",
0x181c: "CIPHER_DATA_UNALIGNED",
0x181d: "CIPHER_MODE_INVALID",
0x181e: "CIPHER_KEY_INVALID",
0x181f: "CIPHER_INIT_FAIL",
0x1820: "CIPHER_ROM_NOT_LOADED",
0x1821: "CIPHER_DEC_FAIL",
0x1822: "CIPHER_ENC_TEST_FAIL",
0x1823: "AES_VER_INVALID",
0x1824: "INVALID_IMGDEC_CFG",
0x1825: "IMGDEC_INVALID_FORCE_DEC_PARAM",
0x1826: "IMGDEC_INVALID_AES_KEY_SIZE",
0x1827: "IMGDEC_FAIL_IMAGE_NOT_ENCRYPTED",
0x1828: "IMGDEC_INIT_FAIL_FTH_IS_NULL",
0x1829: "IMGDEC_INIT_FAIL_DECH_IS_NULL",
0x182a: "INIDEC_FAIL_INI_NOT_ENCRYPTED",
0x182b: "INIDEC_INVALID_AES_KEY_SIZE",
0x182c: "INVALID_PROJECT",
0x182d: "SECRO_ANTICLONE_LENGTH_INVALID",
0x182e: "SECRO_HASH_INCORRECT",
0x182f: "SECRO_ENCRYPT_FAIL",
0x1830: "AC_REGION_NOT_FOUND_IN_SECROIMG",
# common
0x1b58: "EPP_FAIL",
0x1b59: "EPP_EXT_DRAM_NOT_FOUND",
0x1b5a: "EPP_EXT_DRAM_INIT_FAIL",
0x1b5b: "EPP_NO_EMI_CONFIG_PARAM_FAIL",
0x2711: "PL_MODE_UNSUPPORTED",
0x2712: "PL_MODE_FORBIDDEN",
0x2713: "PL_MODE_INVALID_ARGUMETS",
0x2714: "PL_READ_FAIL",
0x2715: "PL_WRITE_FAIL",
0x2716: "PL_READ_TIMEOUT",
0x2717: "PL_WRITE_TIMEOUT",
0x2718: "PL_DISC_CMD_NEEDED",
0x1000: "CRYPTO_INIT_FAIL",
0x1001: "CRYPTO_DEINIT_FAIL",
0x1002: "CRYPTO_MODE_INVALID",
@ -101,22 +528,22 @@ ErrorCodes = {
0xA005: "OTP_WRITE_FAIL"
}
COMMON=1
AUTHENTICATION=2
LIBRARY=3
DEV_HW=4
FUNCTION=5
BROM=6
DA=7
PRELOADER=8
COMMON = 1
AUTHENTICATION = 2
LIBRARY = 3
DEV_HW = 4
FUNCTION = 5
BROM = 6
DA = 7
PRELOADER = 8
SUCCESS=(0 << 30)
INFO=(1 << 30)
WARNING=(2 << 30)
ERROR=(3 << 30)
SUCCESS = (0 << 30)
INFO = (1 << 30)
WARNING = (2 << 30)
ERROR = (3 << 30)
ErrorCodes_XFlash={
0:"OK",
ErrorCodes_XFlash = {
0: "OK",
0xc0010001: "Error",
0xc0010002: "Abort",
0xc0010003: "Unsupported command",
@ -278,6 +705,7 @@ ErrorCodes_XFlash={
0xc0070005: "DA exceed max num"
}
class ErrorHandler:
def __init__(self):
self.ec = ErrorCodes
@ -285,7 +713,7 @@ class ErrorHandler:
def status(self, status):
if status in self.ec:
return self.ec[status]+" ("+hex(status)+")"
return self.ec[status] + " (" + hex(status) + ")"
if status in self.xec:
return self.xec[status]+" ("+hex(status)+")"
return self.xec[status] + " (" + hex(status) + ")"
return "Unknown: " + hex(status)

230
mtkclient/Library/legacy_ext.py Normal file
View file

@ -0,0 +1,230 @@
import os
from struct import unpack, pack
from mtkclient.config.payloads import pathconfig
from mtkclient.Library.error import ErrorHandler
from mtkclient.Library.hwcrypto import crypto_setup, hwcrypto
from mtkclient.Library.utils import LogBase, progress, logsetup, find_binary
from mtkclient.Library.settings import writesetting, loadsetting
from mtkclient.Library.seccfg import seccfg
from binascii import hexlify
import hashlib
class LCmd:
CUSTOM_READ = b"\x29"
CUSTOM_WRITE = b"\x2A"
ACK = b"\x5A"
NACK = b"\xA5"
class legacyext(metaclass=LogBase):
def __init__(self, mtk, legacy, loglevel):
self.pathconfig = pathconfig()
self.__logger = logsetup(self, self.__logger, loglevel)
self.info = self.__logger.info
self.debug = self.__logger.debug
self.error = self.__logger.error
self.warning = self.__logger.warning
self.mtk = mtk
self.loglevel = loglevel
self.__logger = self.__logger
self.eh = ErrorHandler()
self.config = self.mtk.config
self.usbwrite = self.mtk.port.usbwrite
self.usbread = self.mtk.port.usbread
self.echo = self.mtk.port.echo
self.rbyte = self.mtk.port.rbyte
self.rdword = self.mtk.port.rdword
self.rword = self.mtk.port.rword
self.legacy = legacy
self.Cmd=LCmd()
self.da2 = None
self.da2address = None
def patch_da2(self, da2):
da2patched = bytearray(da2)
# Patch security
check_addr = find_binary(da2, b"\x08\xB5\x4F\xF4\x50\x42\xA0\xF1\x81\x53")
if check_addr is not None:
da2patched[check_addr:check_addr + 6] = b"\x08\xB5\x00\x20\x08\xBD"
else:
self.warning("Legacy address check not patched.")
return da2patched
def fix_hash(self, da1, da2, da2sig_len, hashpos, hashmode):
da1 = bytearray(da1)
dahash = None
if hashmode == 1:
dahash = hashlib.sha1(da2[:-da2sig_len]).digest()
elif hashmode == 2:
dahash = hashlib.sha256(da2[:-da2sig_len]).digest()
da1[hashpos:hashpos + len(dahash)] = dahash
return da1
def readmem(self, addr, dwords=1):
res = []
for pos in range(dwords):
data = self.legacy.read_reg32(addr + pos * 4)
if data is None:
return False
if dwords == 1:
return data
res.append(data)
return res
def custom_read(self, addr, length):
dwords=length//4
if length%4!=0:
dwords+=1
data = b"".join([pack(">I",val) for val in self.readmem(addr, dwords)])
return data[:length]
def writeregister(self, addr, dwords):
if isinstance(dwords, int):
dwords = [dwords]
pos = 0
for val in dwords:
if not self.legacy.write_reg32(addr + pos, val):
return False
pos += 4
return True
def writemem(self, addr, data):
for i in range(0, len(data), 4):
value = data[i:i + 4]
while len(value) < 4:
value += b"\x00"
self.writeregister(addr + i, unpack("<I", value))
return True
def custom_write(self, addr, data):
return self.writemem(addr, data)
def setotp(self, hwc):
otp = None
if self.mtk.config.preloader is not None:
idx = self.mtk.config.preloader.find(b"\x4D\x4D\x4D\x01\x30")
if idx != -1:
otp = self.mtk.config.preloader[idx + 0xC:idx + 0xC + 32]
if otp is None:
otp = 32 * b"\x00"
hwc.sej.sej_set_otp(otp)
def cryptosetup(self):
setup = crypto_setup()
setup.blacklist = self.config.chipconfig.blacklist
setup.gcpu_base = self.config.chipconfig.gcpu_base
setup.dxcc_base = self.config.chipconfig.dxcc_base
setup.da_payload_addr = self.config.chipconfig.da_payload_addr
setup.sej_base = self.config.chipconfig.sej_base
setup.read32 = self.readmem
setup.write32 = self.writeregister
setup.writemem = self.writemem
return hwcrypto(setup, self.loglevel)
def seccfg(self, lockflag):
if lockflag not in ["unlock", "lock"]:
print("Valid flags are: unlock, lock")
return False
hwc = self.cryptosetup()
sc_org = seccfg(hwc)
data, guid_gpt = self.legacy.partition.get_gpt(0, 0, 0, "user")
seccfg_data = None
partition = None
for rpartition in guid_gpt.partentries:
if rpartition.name == "seccfg":
partition = rpartition
seccfg_data = self.legacy.readflash(
addr=partition.sector * self.mtk.daloader.daconfig.pagesize,
length=partition.sectors * self.mtk.daloader.daconfig.pagesize,
filename="", parttype="user", display=False)
break
if seccfg_data is None:
self.error("Couldn't detect existing seccfg partition. Aborting unlock.")
return False
if seccfg_data[:4] != pack("<I", 0x4D4D4D4D):
self.error("Unknown seccfg partition header. Aborting unlock.")
return False
if not sc_org.parse(seccfg_data):
return False
sc_new = seccfg(hwc)
self.setotp(hwc)
hwtype = "hw"
V3 = True
sc_new.create(sc_org=sc_org, hwtype=hwtype, V3=V3)
if sc_org.hash != sc_new.hash:
V3=False
sc_new.create(sc_org=sc_org, hwtype=hwtype, V3=V3)
if sc_org.hash != sc_new.hash:
hwtype = "sw"
sc_new.create(sc_org=sc_org, hwtype=hwtype)
if sc_org.hash != sc_new.hash:
self.error("Device has is either already unlocked or algo is unknown. Aborting.")
return False
writedata = sc_new.create(sc_org=None, hwtype=hwtype, lockflag=lockflag, V3=V3)
if self.legacy.writeflash(addr=partition.sector * self.mtk.daloader.daconfig.pagesize,
length=len(writedata),
filename=None, wdata=writedata, parttype="user", display=True):
self.info("Successfully wrote seccfg.")
return True
self.error("Error on writing seccfg config to flash.")
return False
def generate_keys(self):
hwc = self.cryptosetup()
meid = b""
meidv = loadsetting("meid")
socidv = loadsetting("socid")
if meidv is not None:
meid = bytes.fromhex(meidv)
self.info("MEID : " + meidv)
if socidv is not None:
socid = bytes.fromhex(socidv)
self.info("SOCID : " + socidv)
if self.config.chipconfig.dxcc_base is not None:
self.info("Generating dxcc rpmbkey...")
rpmbkey = hwc.aes_hwcrypt(btype="dxcc", mode="rpmb")
self.info("Generating dxcc fdekey...")
fdekey = hwc.aes_hwcrypt(btype="dxcc", mode="fde")
self.info("Generating dxcc rpmbkey2...")
rpmb2key = hwc.aes_hwcrypt(btype="dxcc", mode="rpmb2")
self.info("Generating dxcc km key...")
ikey = hwc.aes_hwcrypt(btype="dxcc", mode="itrustee")
#self.info("Generating dxcc platkey + provkey key...")
#platkey, provkey = hwc.aes_hwcrypt(btype="dxcc", mode="prov")
#self.info("Provkey : " + hexlify(provkey).decode('utf-8'))
#self.info("Platkey : " + hexlify(platkey).decode('utf-8'))
if rpmbkey is not None:
self.info("RPMB : " + hexlify(rpmbkey).decode('utf-8'))
writesetting("rpmbkey",hexlify(rpmbkey).decode('utf-8'))
if rpmb2key is not None:
self.info("RPMB2 : " + hexlify(rpmb2key).decode('utf-8'))
writesetting("rpmb2key",hexlify(rpmb2key).decode('utf-8'))
if fdekey is not None:
self.info("FDE : " + hexlify(fdekey).decode('utf-8'))
writesetting("fdekey",hexlify(fdekey).decode('utf-8'))
if ikey is not None:
self.info("iTrustee : " + hexlify(ikey).decode('utf-8'))
writesetting("kmkey", hexlify(ikey).decode('utf-8'))
if self.config.chipconfig.prov_addr:
provkey = self.custom_read(self.config.chipconfig.prov_addr, 16)
self.info("PROV : " + hexlify(provkey).decode('utf-8'))
writesetting("provkey", hexlify(provkey).decode('utf-8'))
"""
hrid = self.xflash.get_hrid()
if hrid is not None:
self.info("HRID : " + hexlify(hrid).decode('utf-8'))
open(os.path.join("logs", "hrid.txt"), "wb").write(hexlify(hrid))
"""
elif self.config.chipconfig.sej_base is not None:
if meid == b"":
if self.config.chipconfig.meid_addr:
meid = self.custom_read(self.config.chipconfig.meid_addr,16)
if meid != b"":
self.info("Generating sej rpmbkey...")
self.setotp(hwc)
rpmbkey = hwc.aes_hwcrypt(mode="rpmb", data=meid, btype="sej")
self.info("RPMB : " + hexlify(rpmbkey).decode('utf-8'))
writesetting("rpmbkey", hexlify(rpmbkey).decode('utf-8'))
else:
self.info("SEJ Mode: No meid found. Are you in brom mode ?")
return True

74
mtkclient/Library/mtk_dalegacy.py
View file

@ -5,6 +5,7 @@ import sys
import logging
import os
import time
import hashlib
from struct import pack, unpack
from binascii import hexlify
from mtkclient.Library.utils import LogBase, progress, read_object, logsetup, structhelper
@ -13,7 +14,7 @@ from mtkclient.Library.daconfig import DaStorage, EMMC_PartitionType
from mtkclient.Library.partition import Partition
from mtkclient.config.payloads import pathconfig
from mtkclient.Library.settings import writesetting
from mtkclient.Library.legacy_ext import legacyext
class norinfo:
m_nor_ret = None
@ -673,6 +674,29 @@ class DALegacy(metaclass=LogBase):
self.partition = Partition(self.mtk, self.readflash, self.read_pmt, loglevel)
self.progress = progress(self.daconfig.pagesize)
self.pathconfig = pathconfig()
self.patch = False
self.generatekeys = self.mtk.config.generatekeys
if self.generatekeys:
self.patch = True
self.lft = legacyext(self.mtk, self, loglevel)
def read_reg32(self, addr:int):
if self.usbwrite(self.Cmd.READ_REG32_CMD): # 0x7A
self.usbwrite(pack(">I", addr))
value = unpack(">I",self.usbread(4))[0]
ack = self.usbread(1)
if ack == self.Rsp.ACK:
return value
return None
def write_reg32(self, addr:int, data:int):
self.usbwrite(self.Cmd.WRITE_REG32_CMD) # 0x7B
self.usbwrite(pack(">I",addr))
self.usbwrite(pack(">I",data))
ack = self.usbread(1)
if ack == self.Rsp.ACK:
return True
return False
def read_pmt(self): # A5
class GptEntries:
@ -941,18 +965,33 @@ class DALegacy(metaclass=LogBase):
self.error("No valid da loader found... aborting.")
return False
loader = self.daconfig.loader
self.info("Uploading stage 1...")
self.info(f"Uploading legacy stage 1 from {os.path.basename(loader)}")
with open(loader, 'rb') as bootldr:
# stage 1
stage = 1
offset = self.daconfig.da.region[stage].m_buf
size = self.daconfig.da.region[stage].m_len
address = self.daconfig.da.region[stage].m_start_addr
sig_len = self.daconfig.da.region[stage].m_sig_len
bootldr.seek(offset)
dadata = bootldr.read(size)
if self.mtk.preloader.send_da(address, size, sig_len, dadata):
if self.mtk.preloader.jump_da(address):
da1offset = self.daconfig.da.region[1].m_buf
da1size = self.daconfig.da.region[1].m_len
da1address = self.daconfig.da.region[1].m_start_addr
da2address = self.daconfig.da.region[1].m_start_addr
da1sig_len = self.daconfig.da.region[1].m_sig_len
bootldr.seek(da1offset)
da1 = bootldr.read(da1size)
# ------------------------------------------------
da2offset = self.daconfig.da.region[2].m_buf
da2sig_len = self.daconfig.da.region[2].m_sig_len
bootldr.seek(da2offset)
da2 = bootldr.read(self.daconfig.da.region[2].m_len)
hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da2sig_len)
if hashaddr is not None:
da2 = self.lft.patch_da2(da2)
da1 = self.mtk.daloader.fix_hash(da1, da2, hashaddr, hashmode, hashlen)
self.patch = True
self.daconfig.da2 = da2[:hashlen]
else:
self.daconfig.da2 = da2[:-da2sig_len]
if self.mtk.preloader.send_da(da1address, da1size, da1sig_len, da1):
if self.mtk.preloader.jump_da(da1address):
sync = self.usbread(1)
if sync != b"\xC0":
self.error("Error on DA sync")
@ -995,7 +1034,7 @@ class DALegacy(metaclass=LogBase):
self.set_stage2_config(self.config.hwcode)
self.info("Uploading stage 2...")
# stage 2
if self.brom_send(self.daconfig, bootldr, 2):
if self.brom_send(self.daconfig, da2, 2):
if self.read_flash_info():
if self.daconfig.flashtype == "nand":
self.daconfig.flashsize = self.nand.m_nand_flash_size
@ -1035,12 +1074,10 @@ class DALegacy(metaclass=LogBase):
self.finish(0x0) # DISCONNECT_USB_AND_RELEASE_POWERKEY
self.mtk.port.close(reset=True)
def brom_send(self, dasetup, da, stage, packetsize=0x1000):
def brom_send(self, dasetup, dadata, stage, packetsize=0x1000):
offset = dasetup.da.region[stage].m_buf
size = dasetup.da.region[stage].m_len
address = dasetup.da.region[stage].m_start_addr
da.seek(offset)
dadata = da.read(size)
self.usbwrite(pack(">I", address))
self.usbwrite(pack(">I", size))
self.usbwrite(pack(">I", packetsize))
@ -1065,9 +1102,10 @@ class DALegacy(metaclass=LogBase):
def check_usb_cmd(self):
if self.usbwrite(self.Cmd.USB_CHECK_STATUS): # 72
res = self.usbread(2)
if len(res) > 1:
if res[0] is self.Rsp.ACK[0]:
res = self.usbread(1)
if res == self.Rsp.ACK:
res = self.usbread(1)
if len(res) > 0:
return True
return False

58
mtkclient/Library/mtk_daloader.py
View file

@ -4,6 +4,7 @@
import json
import logging
import os
import hashlib
from mtkclient.Library.utils import LogBase, logsetup
from mtkclient.Library.error import ErrorHandler
from mtkclient.Library.daconfig import DAconfig
@ -11,6 +12,7 @@ from mtkclient.Library.mtk_dalegacy import DALegacy, norinfo, emmcinfo, sdcinfo,
from mtkclient.Library.mtk_daxflash import DAXFlash
from mtkclient.config.brom_config import damodes
from mtkclient.Library.xflash_ext import xflashext
from mtkclient.Library.legacy_ext import legacyext
class DAloader(metaclass=LogBase):
def __init__(self, mtk, loglevel=logging.INFO):
@ -29,6 +31,7 @@ class DAloader(metaclass=LogBase):
self.daconfig = DAconfig(mtk=self.mtk, loader=self.mtk.config.loader,
preloader=self.mtk.config.preloader, loglevel=loglevel)
self.xft = None
self.lft = None
self.da = None
def writestate(self):
@ -48,6 +51,39 @@ class DAloader(metaclass=LogBase):
open(".state", "w").write(json.dumps(config))
def compute_hash_pos(self, da1, da2, da2sig_len):
hashlen = len(da2)-da2sig_len
hashmode, idx = self.calc_da_hash(da1, da2[:hashlen])
if idx == -1:
hashlen = len(da2)
hashmode, idx = self.calc_da_hash(da1, da2[:hashlen])
if idx == -1:
self.error("Hash computation failed.")
return None, None, None
return idx, hashmode, hashlen
return idx, hashmode, hashlen
def calc_da_hash(self, da1, da2):
hashdigest = hashlib.sha1(da2).digest()
hashdigest256 = hashlib.sha256(da2).digest()
idx = da1.find(hashdigest)
hashmode = 1
if idx == -1:
idx = da1.find(hashdigest256)
hashmode = 2
return hashmode, idx
def fix_hash(self, da1, da2, hashpos, hashmode, hashlen):
da1 = bytearray(da1)
dahash = None
if hashmode == 1:
dahash = hashlib.sha1(da2[:hashlen]).digest()
elif hashmode == 2:
dahash = hashlib.sha256(da2[:hashlen]).digest()
da1[hashpos:hashpos + len(dahash)] = dahash
return da1
def reinit(self):
if os.path.exists(".state"):
config = json.loads(open(".state", "r").read())
@ -59,7 +95,8 @@ class DAloader(metaclass=LogBase):
self.daconfig.flashtype = config["flashtype"]
self.daconfig.flashsize = config["flashsize"]
self.da.reinit()
self.xft=xflashext(self.mtk, self.da, self.loglevel)
self.xft = xflashext(self.mtk, self.da, self.loglevel)
self.lft = None
else:
self.da = DALegacy(self.mtk, self.daconfig, self.loglevel)
self.daconfig.flashtype = config["flashtype"]
@ -68,7 +105,7 @@ class DAloader(metaclass=LogBase):
self.da.nand = nandinfo64()
self.da.emmc = emmcinfo()
self.da.sdc = sdcinfo()
self.lft=legacyext(self.mtk, self.da, self.loglevel)
self.da.emmc.m_emmc_ua_size = config["m_emmc_ua_size"]
self.da.emmc.m_emmc_boot1_size = config["m_emmc_boot1_size"]
self.da.emmc.m_emmc_boot2_size = config["m_emmc_boot2_size"]
@ -94,6 +131,7 @@ class DAloader(metaclass=LogBase):
self.xft = xflashext(self.mtk, self.da, self.loglevel)
else:
self.da = DALegacy(self.mtk, self.daconfig, self.loglevel)
self.lft = legacyext(self.mtk, self.da, self.loglevel)
def setmetamode(self, porttype: str):
self.xflash = False
@ -169,26 +207,26 @@ class DAloader(metaclass=LogBase):
def peek(self, addr: int, length:int):
if self.xflash:
return self.xft.custom_read(addr=addr, length=length)
self.error("Device is not in xflash mode, cannot run peek cmd.")
return b""
else:
return self.lft.custom_read(addr=addr, length=length)
def poke(self, addr: int, data: bytes or bytearray):
if self.xflash:
return self.xft.custom_write(addr=addr, data=data)
self.error("Device is not in xflash mode, cannot run poke cmd.")
return False
else:
return self.lft.custom_write(addr=addr, data=data)
def keys(self):
if self.xflash:
return self.xft.generate_keys()
self.error("Device is not in xflash mode, cannot run keys cmd.")
return False
else:
return self.lft.generate_keys()
def seccfg(self, lockflag):
if self.xflash:
return self.xft.seccfg(lockflag)
self.error("Device is not in xflash mode, cannot run unlock cmd.")
return False
else:
return self.lft.seccfg(lockflag)
def read_rpmb(self, filename=None):
if self.xflash:

29
mtkclient/Library/mtk_daxflash.py
View file

@ -131,10 +131,6 @@ class DAXFlash(metaclass=LogBase):
self.warning = self.__logger.warning
self.mtk = mtk
self.loglevel = loglevel
self.patch = False
self.generatekeys = self.mtk.config.generatekeys
if self.generatekeys:
self.patch = True
self.daext = False
self.sram = None
self.dram = None
@ -157,6 +153,10 @@ class DAXFlash(metaclass=LogBase):
self.partition = Partition(self.mtk, self.readflash, self.read_pmt, loglevel)
self.progress = progress(self.daconfig.pagesize)
self.pathconfig = pathconfig()
self.patch = False
self.generatekeys = self.mtk.config.generatekeys
if self.generatekeys:
self.patch = True
self.xft = xflashext(self.mtk, self, loglevel)
def usleep(self, usec):
@ -345,19 +345,6 @@ class DAXFlash(metaclass=LogBase):
self.error(f"Error on sending data: {self.eh.status(status)}")
return False
def compute_hash_pos(self, da1, da2):
hashdigest = hashlib.sha1(da2).digest()
hashdigest256 = hashlib.sha256(da2).digest()
idx = da1.find(hashdigest)
hashmode = 1
if idx == -1:
idx = da1.find(hashdigest256)
hashmode = 2
if idx != -1:
return idx, hashmode
self.error("Hash computation failed.")
return None, None
def boot_to(self, at_address, da, display=True, timeout=0.5): # =0x40000000
if self.xsend(self.Cmd.BOOT_TO):
if self.status() == 0:
@ -976,7 +963,7 @@ class DAXFlash(metaclass=LogBase):
self.error("No valid da loader found... aborting.")
return False
loader = self.daconfig.loader
self.info(f"Uploading stage 1 from {os.path.basename(loader)}")
self.info(f"Uploading xflash stage 1 from {os.path.basename(loader)}")
with open(loader, 'rb') as bootldr:
# stage 1
da1offset = self.daconfig.da.region[1].m_buf
@ -992,12 +979,12 @@ class DAXFlash(metaclass=LogBase):
bootldr.seek(da2offset)
da2 = bootldr.read(self.daconfig.da.region[2].m_len)
hashaddr, hashmode = self.compute_hash_pos(da1, da2[:-da2sig_len])
hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da2sig_len)
if hashaddr is not None:
da2 = self.xft.patch_da2(da2)
da1 = self.xft.fix_hash(da1, da2, hashaddr, hashmode)
da1 = self.mtk.daloader.fix_hash(da1, da2, hashaddr, hashmode, hashlen)
self.patch = True
self.daconfig.da2 = da2
self.daconfig.da2 = da2[:hashlen]
else:
self.daconfig.da2 = da2[:-da2sig_len]

17
mtkclient/Library/mtk_preloader.py
View file

@ -3,6 +3,7 @@
# (c) B.Kerler 2018-2021 GPLv3 License
import os
import logging
import shutil
from enum import Enum
from struct import unpack, pack
from binascii import hexlify
@ -126,7 +127,21 @@ class Preloader(metaclass=LogBase):
def init(self, maxtries=None, display=True):
if os.path.exists(".state"):
os.remove(".state")
try:
os.remove(".state")
except:
pass
settings=os.path.join("logs","hwparam.json")
if os.path.exists(settings):
try:
os.remove(settings)
except:
pass
if os.path.exists("logs"):
try:
shutil.rmtree("logs")
except:
pass
readsocid=self.config.readsocid
skipwdt = self.config.skipwdt

73
mtkclient/Library/seccfg.py Normal file
View file

@ -0,0 +1,73 @@
from struct import unpack, pack
import hashlib
class seccfg:
def __init__(self, hwc):
self.hwc = hwc
self.magic = 0x4D4D4D4D
self.seccfg_ver = None
self.seccfg_size = None
self.lock_state = None
self.critical_lock_state = None
self.sboot_runtime = None
self.endflag = 0x45454545
self.hash = b""
def parse(self, data):
seccfg_data = unpack("<IIIIIII", data[:7 * 4])
self.magic, self.seccfg_ver, self.seccfg_size, self.lock_state, self.critical_lock_state, \
self.sboot_runtime, self.endflag = seccfg_data
self.hash = data[7 * 4:(7 * 4) + 32]
if self.magic != 0x4D4D4D4D or self.endflag != 0x45454545:
self.error("Unknown seccfg structure !")
return False
return True
"""
LKS_DEFAULT = 0x01
LKS_MP_DEFAULT = 0x02
LKS_UNLOCK = 0x03
LKS_LOCK = 0x04
LKS_VERIFIED = 0x05
LKS_CUSTOM = 0x06
LKCS_UNLOCK = 0x01
LKCS_LOCK = 0x02
SBOOT_RUNTIME_OFF = 0
SBOOT_RUNTIME_ON = 1
"""
def create(self, sc_org, hwtype: str, lockflag: str = "unlock", V3=False):
if sc_org is None:
if lockflag == "unlock":
self.lock_state = 3
self.critical_lock_state = 1
self.seccfg_ver = 4
self.seccfg_size = 0x3C
self.sboot_runtime = 0
elif lockflag == "lock":
self.lock_state = 1
self.critical_lock_state = 1
self.seccfg_ver = 4
self.seccfg_size = 0x3C
self.sboot_runtime = 0
else:
self.lock_state = sc_org.lock_state
self.critical_lock_state = sc_org.critical_lock_state
self.seccfg_size = sc_org.seccfg_size
self.sboot_runtime = sc_org.sboot_runtime
self.seccfg_ver = sc_org.seccfg_ver
seccfg_data = pack("<IIIIIII", self.magic, self.seccfg_ver, self.seccfg_size, self.lock_state,
self.critical_lock_state, self.sboot_runtime, 0x45454545)
dec_hash = hashlib.sha256(seccfg_data).digest()
if hwtype == "sw":
enc_hash = self.hwc.sej.sej_sec_cfg_sw(dec_hash, True)
else:
if not V3:
enc_hash = self.hwc.sej.sej_sec_cfg_hw(dec_hash, True)
else:
enc_hash = self.hwc.sej.sej_sec_cfg_hw_V3(dec_hash, True)
self.hash = enc_hash
data = seccfg_data + enc_hash
data += b"\x00" * (0x200 - len(data))
return bytearray(data)

83
mtkclient/Library/xflash_ext.py
View file

@ -5,6 +5,7 @@ from mtkclient.Library.error import ErrorHandler
from mtkclient.Library.hwcrypto import crypto_setup, hwcrypto
from mtkclient.Library.utils import LogBase, progress, logsetup, find_binary
from mtkclient.Library.settings import writesetting, loadsetting
from mtkclient.Library.seccfg import seccfg
from binascii import hexlify
import hashlib
@ -21,77 +22,6 @@ class XCmd:
CUSTOM_READ_UFS_RPMB = 0x0F0008
CUSTOM_WRITE_UFS_RPMB = 0x0F0009
class seccfg:
def __init__(self, hwc):
self.hwc = hwc
self.magic = 0x4D4D4D4D
self.seccfg_ver = None
self.seccfg_size = None
self.lock_state = None
self.critical_lock_state = None
self.sboot_runtime = None
self.endflag = 0x45454545
self.hash = b""
def parse(self, data):
seccfg_data = unpack("<IIIIIII", data[:7 * 4])
self.magic, self.seccfg_ver, self.seccfg_size, self.lock_state, self.critical_lock_state, \
self.sboot_runtime, self.endflag = seccfg_data
self.hash = data[7 * 4:(7 * 4) + 32]
if self.magic != 0x4D4D4D4D or self.endflag != 0x45454545:
self.error("Unknown seccfg structure !")
return False
return True
"""
LKS_DEFAULT = 0x01
LKS_MP_DEFAULT = 0x02
LKS_UNLOCK = 0x03
LKS_LOCK = 0x04
LKS_VERIFIED = 0x05
LKS_CUSTOM = 0x06
LKCS_UNLOCK = 0x01
LKCS_LOCK = 0x02
SBOOT_RUNTIME_OFF = 0
SBOOT_RUNTIME_ON = 1
"""
def create(self, sc_org, hwtype: str, lockflag: str = "unlock", V3=False):
if sc_org is None:
if lockflag == "unlock":
self.lock_state = 3
self.critical_lock_state = 1
self.seccfg_ver = 4
self.seccfg_size = 0x3C
self.sboot_runtime = 0
elif lockflag == "lock":
self.lock_state = 1
self.critical_lock_state = 1
self.seccfg_ver = 4
self.seccfg_size = 0x3C
self.sboot_runtime = 0
else:
self.lock_state = sc_org.lock_state
self.critical_lock_state = sc_org.critical_lock_state
self.seccfg_size = sc_org.seccfg_size
self.sboot_runtime = sc_org.sboot_runtime
self.seccfg_ver = sc_org.seccfg_ver
seccfg_data = pack("<IIIIIII", self.magic, self.seccfg_ver, self.seccfg_size, self.lock_state,
self.critical_lock_state, self.sboot_runtime, 0x45454545)
dec_hash = hashlib.sha256(seccfg_data).digest()
if hwtype == "sw":
enc_hash = self.hwc.sej.sej_sec_cfg_sw(dec_hash, True)
else:
if not V3:
enc_hash = self.hwc.sej.sej_sec_cfg_hw(dec_hash, True)
else:
enc_hash = self.hwc.sej.sej_sec_cfg_hw_V3(dec_hash, True)
self.hash = enc_hash
data = seccfg_data + enc_hash
data += b"\x00" * (0x200 - len(data))
return bytearray(data)
class xflashext(metaclass=LogBase):
def __init__(self, mtk, xflash, loglevel):
self.pathconfig = pathconfig()
@ -212,6 +142,7 @@ class xflashext(metaclass=LogBase):
return daextdata
return None
def patch_da2(self, da2):
#open("da2.bin","wb").write(da2)
da2patched = bytearray(da2)
@ -261,16 +192,6 @@ class xflashext(metaclass=LogBase):
self.warning("Write not allowed not patched.")
return da2patched
def fix_hash(self, da1, da2, hashpos, hashmode):
da1 = bytearray(da1)
dahash = None
if hashmode == 1:
dahash = hashlib.sha1(da2).digest()
elif hashmode == 2:
dahash = hashlib.sha256(da2).digest()
da1[hashpos:hashpos + len(dahash)] = dahash
return da1
def cmd(self, cmd):
if self.xsend(self.xflash.Cmd.DEVICE_CTRL):
status = self.status()

2
setup.py
View file

@ -4,7 +4,7 @@ import os
setup(
name='mtkclient',
version='1.4',
version='1.5',
packages=find_packages(),
long_description=open("README.md").read(),
scripts=['mtk','stage2'],