Fix MT6592 issues

Bjoern Kerler 2022-06-15 14:17:56 +02:00
parent 1cd57943cf
commit e76c470471
No known key found for this signature in database
GPG key ID: 52E823BB96A55380
8 changed files with 100 additions and 70 deletions


@ -126,7 +126,7 @@ class DAconfig(metaclass=LogBase):
self.sparesize = 0
self.readsize = 0
self.pagesize = 512
self.da = None
self.da_loader = None
self.da2 = None
self.dasetup = {}
self.loader = loader
@ -205,6 +205,8 @@ class DAconfig(metaclass=LogBase):
bootldr.seek(0x6C + (i * 0xDC))
da = DA(bootldr.read(0xDC))
da.setfilename(loader)
if da.hw_code == 0x6592 and "5.1648" not in loader:
continue
if da.hw_code not in self.dasetup:
self.dasetup[da.hw_code] = [da]
else:
@ -229,10 +231,10 @@ class DAconfig(metaclass=LogBase):
for loader in loaders:
if loader.hw_version <= self.config.hwver:
if loader.sw_version <= self.config.swver:
if self.da is None:
self.da = loader
if self.da_loader is None:
self.da_loader = loader
self.loader = loader.loader
if self.da is None:
self.error("No da config set up")
return self.da
if self.da_loader is None:
self.error("No da_loader config set up")
return self.da_loader
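Review bot: The MT6592 filter `if da.hw_code == 0x6592 and "5.1648" not in loader:` tests the whole loader path, so a directory name containing `5.1648` lets every MT6592 entry through, and a renamed loader file is skipped with no message at all. Matching on the file name only and logging the skip through the class logger would make the later "No da_loader config set up" error explainable. A one-line comment saying why only that loader version is accepted for this chip is also missing; the enclosing method starts and ends outside the hunk.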


@ -10,6 +10,7 @@ from mtkclient.Library.utils import LogBase, print_progress, revdword, logsetup,
from mtkclient.Library.Connection.usblib import usb
from mtkclient.config.payloads import pathconfig
class Kamakiri(metaclass=LogBase):
def __init__(self, mtk, loglevel=logging.INFO):
self.__logger = logsetup(self, self.__logger, loglevel, mtk.config.gui)
@ -152,7 +153,7 @@ class Kamakiri(metaclass=LogBase):
def bruteforce2(self, args, startaddr=0x9900):
found = False
while not found:
#self.mtk.init()
# self.mtk.init()
self.mtk.preloader.display = False
if self.mtk.preloader.init(display=False):
self.mtk = self.mtk.crasher(display=False)
@ -283,12 +284,12 @@ class Kamakiri(metaclass=LogBase):
with open(filename, 'wb') as wf:
print_progress(0, 100, prefix='Progress:', suffix='Complete', bar_length=50)
length = self.mtk.port.usbread(4)
length = int.from_bytes(length,'big')
rlen = min(length,0x20000)
for i in range(length//rlen):
length = int.from_bytes(length, 'big')
rlen = min(length, 0x20000)
for i in range(length // rlen):
data = self.mtk.port.usbread(rlen)
wf.write(data)
print_progress(i, length//rlen, prefix='Progress:', suffix='Complete', bar_length=50)
print_progress(i, length // rlen, prefix='Progress:', suffix='Complete', bar_length=50)
print_progress(100, 100, prefix='Progress:', suffix='Complete', bar_length=50)
return True
except Exception as e:
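Review bot: The read loop after `length = int.from_bytes(length, 'big')` trusts the length reported by the device. A value of 0 makes `length // rlen` divide by zero, and when the length is not a multiple of 0x20000 the last `length % rlen` bytes are never read or written, so the output file is silently truncated. Guard with `if length == 0: return False` before the loop and read the tail after it with `if length % rlen: wf.write(self.mtk.port.usbread(length % rlen))`. The method starts above the hunk and its `except` handler continues below it, so the zero case may currently surface only as a generic exception message.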


@ -821,6 +821,7 @@ class DALegacy(metaclass=LogBase):
def set_stage2_config(self, hwcode):
# m_nor_chip_select[0]="CS_0"(0x00), m_nor_chip_select[1]="CS_WITH_DECODER"(0x08)
self.config.set_da_config(self.daconfig)
self.usbwrite(pack("B", self.mtk.config.bromver))
self.usbwrite(pack("B", self.mtk.config.blver))
m_nor_chip = 0x08
@ -849,7 +850,6 @@ class DALegacy(metaclass=LogBase):
if hwcode == 0x6592:
is_gpt_solution = 0
self.usbwrite(pack(">I", is_gpt_solution))
toread = (6 * 4)
elif hwcode == 0x6580 or hwcode == 0x8163:
slc_percent = 0x1
self.usbwrite(pack(">I", slc_percent))
@ -915,18 +915,24 @@ class DALegacy(metaclass=LogBase):
dramlength = len(self.daconfig.emi)
if self.daconfig.emiver in [0x10, 0x14, 0x15]:
dramlength = unpack(">I", self.usbread(0x4))[0] # 0x000000BC
self.debug("Info: " + hex(dramlength))
self.info("RAM-Length: " + hex(dramlength))
self.usbwrite(self.Rsp.ACK)
lendram = len(self.daconfig.emi)
self.usbwrite(pack(">I", lendram))
elif self.daconfig.emiver in [0x0B]:
info = self.usbread(0x10) # 0x000000BC
self.debug("Info: " + hexlify(info).decode('utf-8'))
self.info("RAM-Info: " + hexlify(info).decode('utf-8'))
dramlength = unpack(">I", self.usbread(0x4))[0]
self.usbwrite(self.Rsp.ACK)
elif self.daconfig.emiver in [0x0D]:
dramlength = unpack(">I", self.usbread(0x4))[0]
self.info("RAM-Length: " + hex(dramlength))
self.usbwrite(self.Rsp.ACK)
self.daconfig.emi = self.daconfig.emi[:dramlength]
self.daconfig.emi = pack(">I", 0x100) + self.daconfig.emi[0x4:dramlength]
elif self.daconfig.emiver in [0x00]:
dramlength = unpack(">I", self.usbread(0x4))[0] # 0x000000B0
self.debug("Info: " + hex(dramlength))
self.info("RAM-Length: " + hex(dramlength))
self.usbwrite(self.Rsp.ACK)
lendram = len(self.daconfig.emi)
self.daconfig.emi = self.daconfig.emi[:dramlength]
@ -935,13 +941,13 @@ class DALegacy(metaclass=LogBase):
self.warning("Unknown emi version: %d" % self.daconfig.emiver)
self.usbwrite(self.daconfig.emi)
checksum = unpack(">H", self.usbread(2))[0] # 0x440C
self.debug("Status: %04X" % checksum)
self.info("Checksum: %04X" % checksum)
self.usbwrite(self.Rsp.ACK)
self.usbwrite(pack(">I", 0x80000001)) # Send DRAM config
m_ext_ram_ret = unpack(">I", self.usbread(4))[0] # 0x00000000 S_DONE
self.info(f"M_EXT_RAM_RET : {m_ext_ram_ret}")
if m_ext_ram_ret != 0:
self.error("Preloader error: %d => %s" % (m_ext_ram_ret, error_to_string(m_ext_ram_ret)))
self.error("Preloader error: 0x%X => %s" % (m_ext_ram_ret, error_to_string(m_ext_ram_ret)))
self.mtk.port.close(reset=False)
return False
m_ext_ram_type = self.usbread(1)[0] # 0x02 HW_RAM_DRAM
@ -950,6 +956,12 @@ class DALegacy(metaclass=LogBase):
self.info(f"M_EXT_RAM_CHIP_SELECT : {hex(m_ext_ram_chip_select)}")
m_ext_ram_size = unpack(">Q", self.usbread(8))[0] # 0x80000000
self.info(f"M_EXT_RAM_SIZE : {hex(m_ext_ram_size)}")
if self.daconfig.emiver in [0x0D]:
self.usbread(4) # 00000003
Raw_0 = self.usbread(4) # 1C004004
Raw_1 = self.usbread(4) # aa080033
CJ_0 = self.usbread(4) # 00000013
CJ_1 = self.usbread(4) # 00000010
else:
self.error("Preloader needed due to dram config.")
self.mtk.port.close(reset=True)
@ -982,33 +994,36 @@ class DALegacy(metaclass=LogBase):
return False
def upload(self):
if self.daconfig.da is None:
if self.daconfig.da_loader is None:
self.error("No valid da loader found... aborting.")
return False
loader = self.daconfig.loader
self.info(f"Uploading legacy stage 1 from {os.path.basename(loader)}")
with open(loader, 'rb') as bootldr:
# stage 1
da1offset = self.daconfig.da.region[1].m_buf
da1size = self.daconfig.da.region[1].m_len
da1address = self.daconfig.da.region[1].m_start_addr
da2address = self.daconfig.da.region[1].m_start_addr
da1sig_len = self.daconfig.da.region[1].m_sig_len
da1offset = self.daconfig.da_loader.region[1].m_buf
da1size = self.daconfig.da_loader.region[1].m_len
da1address = self.daconfig.da_loader.region[1].m_start_addr
da2address = self.daconfig.da_loader.region[1].m_start_addr
da1sig_len = self.daconfig.da_loader.region[1].m_sig_len
bootldr.seek(da1offset)
da1 = bootldr.read(da1size)
# ------------------------------------------------
da2offset = self.daconfig.da.region[2].m_buf
da2sig_len = self.daconfig.da.region[2].m_sig_len
da2offset = self.daconfig.da_loader.region[2].m_buf
da2sig_len = self.daconfig.da_loader.region[2].m_sig_len
bootldr.seek(da2offset)
da2 = bootldr.read(self.daconfig.da.region[2].m_len)
da2 = bootldr.read(self.daconfig.da_loader.region[2].m_len)
if self.mtk.config.is_brom or not self.mtk.config.target_config["sbc"]:
hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da2sig_len)
if hashaddr is not None:
da2 = self.lft.patch_da2(da2)
da1 = self.mtk.daloader.fix_hash(da1, da2, hashaddr, hashmode, hashlen)
self.patch = True
self.daconfig.da2 = da2[:hashlen]
da2patched = self.lft.patch_da2(da2)
if da2patched != da2:
da1 = self.mtk.daloader.fix_hash(da1, da2, hashaddr, hashmode, hashlen)
self.patch = True
self.daconfig.da2 = da2patched[:hashlen]
else:
self.daconfig.da2 = da2[:hashlen]
else:
self.daconfig.da2 = da2[:-da2sig_len]
else:
@ -1103,9 +1118,9 @@ class DALegacy(metaclass=LogBase):
self.mtk.port.close(reset=True)
def brom_send(self, dasetup, dadata, stage, packetsize=0x1000):
offset = dasetup.da.region[stage].m_buf
size = dasetup.da.region[stage].m_len
address = dasetup.da.region[stage].m_start_addr
offset = dasetup.da_loader.region[stage].m_buf
size = dasetup.da_loader.region[stage].m_len
address = dasetup.da_loader.region[stage].m_start_addr
self.usbwrite(pack(">I", address))
self.usbwrite(pack(">I", size))
self.usbwrite(pack(">I", packetsize))
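Review bot: In the new `emiver in [0x0D]` branch, `dramlength` comes straight from `self.usbread(0x4)` and is used to slice `self.daconfig.emi` without a range check. If it is below 4 or larger than `len(self.daconfig.emi)`, the buffer later sent by `self.usbwrite(self.daconfig.emi)` no longer has the length the device announced, and Python slicing hides that. A check such as `if not 4 <= dramlength <= len(self.daconfig.emi):` followed by an error log and `return False` would fail early. The first assignment `self.daconfig.emi = self.daconfig.emi[:dramlength]` looks redundant, since the next line slices to the same bound; the function body starts and ends outside this hunk.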


@ -1007,25 +1007,25 @@ class DAXFlash(metaclass=LogBase):
return False
def upload(self):
if self.daconfig.da is None:
if self.daconfig.da_loader is None:
self.error("No valid da loader found... aborting.")
return False
loader = self.daconfig.loader
self.info(f"Uploading xflash stage 1 from {os.path.basename(loader)}")
with open(loader, 'rb') as bootldr:
# stage 1
da1offset = self.daconfig.da.region[1].m_buf
da1size = self.daconfig.da.region[1].m_len
da1address = self.daconfig.da.region[1].m_start_addr
da2address = self.daconfig.da.region[1].m_start_addr
da1sig_len = self.daconfig.da.region[1].m_sig_len
da1offset = self.daconfig.da_loader.region[1].m_buf
da1size = self.daconfig.da_loader.region[1].m_len
da1address = self.daconfig.da_loader.region[1].m_start_addr
da2address = self.daconfig.da_loader.region[1].m_start_addr
da1sig_len = self.daconfig.da_loader.region[1].m_sig_len
bootldr.seek(da1offset)
da1 = bootldr.read(da1size)
# ------------------------------------------------
da2offset = self.daconfig.da.region[2].m_buf
da2sig_len = self.daconfig.da.region[2].m_sig_len
da2offset = self.daconfig.da_loader.region[2].m_buf
da2sig_len = self.daconfig.da_loader.region[2].m_sig_len
bootldr.seek(da2offset)
da2 = bootldr.read(self.daconfig.da.region[2].m_len)
da2 = bootldr.read(self.daconfig.da_loader.region[2].m_len)
hashaddr, hashmode, hashlen = self.mtk.daloader.compute_hash_pos(da1, da2, da2sig_len)
if hashaddr is not None:
@ -1162,7 +1162,7 @@ class DAXFlash(metaclass=LogBase):
self.info("Uploading stage 2...")
with open(self.daconfig.loader, 'rb') as bootldr:
stage = stage + 1
loaded = self.boot_to(self.daconfig.da.region[stage].m_start_addr, self.daconfig.da2)
loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2)
if loaded:
self.info("Successfully uploaded stage 2")
self.reinit(True)


@ -118,9 +118,9 @@ class Preloader(metaclass=LogBase):
def __init__(self, mtk, loglevel=logging.INFO):
self.mtk = mtk
self.__logger = logsetup(self, self.__logger, loglevel, mtk.config.gui)
# self.info = self.__logger.info
# self.debug = self.__logger.debug
# self.error = self.__logger.error
self.info = self.__logger.info
self.debug = self.__logger.debug
self.error = self.__logger.error
self.eh = ErrorHandler()
self.gcpu = None
self.config = mtk.config
@ -138,7 +138,7 @@ class Preloader(metaclass=LogBase):
try:
os.remove(".state")
os.remove(os.path.join("logs", "hwparam.json"))
except:
except OSError:
pass
readsocid = self.config.readsocid
skipwdt = self.config.skipwdt
@ -230,7 +230,7 @@ class Preloader(metaclass=LogBase):
ack = self.echo(pack(">I", dwords))
status = self.rword()
if ack and status <= 0xFF:
if length==32:
if length == 32:
result = self.rdword(dwords)
else:
result = self.rword(dwords)
@ -242,10 +242,10 @@ class Preloader(metaclass=LogBase):
return result
def read32(self, addr, dwords=1) -> list:
return self.read(addr,dwords,32)
return self.read(addr, dwords, 32)
def read16(self, addr, dwords=1) -> list:
return self.read(addr,dwords,16)
return self.read(addr, dwords, 16)
def write(self, addr, values, length=32) -> bool:
cmd = self.Cmd.WRITE16 if length == 16 else self.Cmd.WRITE32
@ -304,7 +304,7 @@ class Preloader(metaclass=LogBase):
usbdlreg &= ~USBDL_BROM
# Add magic number for MT6582
usbdlreg |= USBDL_MAGIC # | 0x444C0000
usbdlreg |= USBDL_MAGIC # | 0x444C0000
# set BOOT_MISC0 as watchdog resettable
RST_CON = self.config.chipconfig.misc_lock + 8
@ -328,7 +328,7 @@ class Preloader(metaclass=LogBase):
status = self.rword()
if status <= 0xFF:
status2 = self.rword()
if status <= 0xFF:
if status2 <= 0xFF:
return True
return False
@ -368,7 +368,6 @@ class Preloader(metaclass=LogBase):
SetReg_DisableWatchDogTimer; BRom_WriteCmd32(): Reg 0x10007000[1]={ Value 0x22000000 }.
"""
addr, value = self.config.get_watchdog_addr()
res = None
if hwcode in [0x6575, 0x6577]:
"""
@ -659,13 +658,18 @@ class Preloader(metaclass=LogBase):
pos += size
# self.usbwrite(b"")
try:
checksum, status = self.rword(2)
if gen_chksum != checksum and checksum != 0:
self.warning("Checksum of upload doesn't match !")
if 0 <= status <= 0xFF:
return True
res = self.rword(2)
if isinstance(res, list):
checksum, status = res
if gen_chksum != checksum and checksum != 0:
self.warning("Checksum of upload doesn't match !")
if 0 <= status <= 0xFF:
return True
else:
self.error(f"upload_data failed with error: " + self.eh.status(status))
return False
else:
self.error(f"upload_data failed with error: " + self.eh.status(status))
self.error("Error on getting checksum while uploading data.")
return False
except Exception as e:
self.error(f"upload_data resp error : " + str(e))
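Review bot: In the reworked upload tail, a checksum mismatch (`gen_chksum != checksum and checksum != 0`) only logs a warning and the function still returns True when `status` is in range, so callers cannot tell that the transferred data differs from what was sent. Unless some targets are known to report a differing checksum legitimately, log it with `self.error(...)` and `return False`. The two `f"upload_data ..."` strings contain no placeholders, so the `f` prefix can be dropped. The method starts above the hunk and its `except` block continues below it.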


@ -36,6 +36,11 @@ class Partition(metaclass=LogBase):
part_entry_start_lba=gpt_settings.gpt_part_entry_start_lba,
)
header = guid_gpt.parseheader(data, self.config.pagesize)
if header.signature == b'\x00\x00\x00\x00\x00\x00\x00\x00':
data = self.readflash(addr=self.mtk.daloader.daconfig.flashsize-0x4000, length=2 * self.config.pagesize, filename="", parttype=parttype, display=False)
header = guid_gpt.parseheader(data, self.config.pagesize)
if header.signature == b'\x00\x00\x00\x00\x00\x00\x00\x00':
return None, None
sectors = header.first_usable_lba
if sectors == 0:
return None, None
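Review bot: The new fallback accepts a header whenever `header.signature` is not eight zero bytes, so erased flash that reads back as 0xFF, or any other non-GPT data, passes both checks and is parsed as a partition table. Assuming `parseheader` returns the raw 8-byte field, as the zero comparison suggests, testing for the GPT magic with `if header.signature != b"EFI PART":` covers the zero case and rejects garbage as well. The backup offset `flashsize-0x4000` is a magic number and needs a comment stating which layout it assumes. The function continues outside the hunk.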


@ -68,7 +68,7 @@ class xflashext(metaclass=LogBase):
def patch(self):
self.da2 = self.xflash.daconfig.da2
self.da2address = self.xflash.daconfig.da.region[2].m_start_addr # at_address
self.da2address = self.xflash.daconfig.da_loader.region[2].m_start_addr # at_address
daextensions = os.path.join(self.pathconfig.get_payloads_path(), "da_x.bin")
if os.path.exists(daextensions):
daextdata = bytearray(open(daextensions, "rb").read())


@ -39,6 +39,7 @@ class Mtk_Config(metaclass=LogBase):
else:
self.ptype = "kamakiri2"
self.generatekeys = None
self.daconfig = None
self.bmtflag = None
self.bmtblockcount = None
self.bmtpartsize = None
@ -48,7 +49,6 @@ class Mtk_Config(metaclass=LogBase):
self.sparesize = 16
self.plcap = None
self.blver = -2
self.da = None
self.gcpu = None
self.pagesize = 512
self.SECTOR_SIZE_IN_BYTES = 4096 # fixme
@ -75,6 +75,9 @@ class Mtk_Config(metaclass=LogBase):
def set_peek(self, peek):
self.peek = peek
def set_da_config(self, daconfig):
self.daconfig = daconfig
def set_gui_status(self, status):
if self.update_status_text is not None:
self.update_status_text.emit(status)
@ -189,7 +192,7 @@ class Mtk_Config(metaclass=LogBase):
bmtblockcount = 0
bmtpartsize = 0
if hwcode in [0x6592, 0x6582, 0x8127, 0x6571]:
if self.da.daconfig.flashtype == "emmc":
if self.daconfig.flashtype == "emmc":
bmtflag = 1
bmtblockcount = 0xA8
bmtpartsize = 0x1500000
@ -197,38 +200,38 @@ class Mtk_Config(metaclass=LogBase):
bmtflag = 1
bmtpartsize = 0
elif hwcode in [0x6571]:
if self.da.daconfig.flashtype == "nand":
if self.daconfig.flashtype == "nand":
bmtflag = 0
bmtblockcount = 0x38
bmtpartsize = 0xE00000
elif self.da.daconfig.flashtype == "emmc":
elif self.daconfig.flashtype == "emmc":
bmtflag = 1
bmtblockcount = 0xA8
bmtpartsize = 0x1500000
elif hwcode in [0x6575]:
if self.da.daconfig.flashtype == "nand":
if self.daconfig.flashtype == "nand":
bmtflag = 0
bmtblockcount = 0x50
elif self.da.daconfig.flashtype == "emmc":
elif self.daconfig.flashtype == "emmc":
bmtflag = 1
bmtblockcount = 0xA8
bmtpartsize = 0x1500000
elif hwcode in [0x6582]:
if self.da.daconfig.flashtype == "emmc":
if self.daconfig.flashtype == "emmc":
bmtflag = 2
bmtblockcount = 0xA8
bmtpartsize = 0x1500000
elif hwcode in [0x6572]:
if self.da.daconfig.flashtype == "nand":
if self.daconfig.flashtype == "nand":
bmtflag = 0
bmtpartsize = 0xA00000
bmtblockcount = 0x50
elif self.da.daconfig.flashtype == "emmc":
elif self.daconfig.flashtype == "emmc":
bmtflag = 0
bmtpartsize = 0xA8
bmtblockcount = 0x50
elif hwcode in [0x6577, 0x6583, 0x6589]:
if self.da.daconfig.flashtype == "nand":
if self.daconfig.flashtype == "nand":
bmtflag = 0
bmtpartsize = 0xA00000
bmtblockcount = 0xA8
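Review bot: `self.daconfig` now starts as None and is only populated through `set_da_config`, which in the visible hunks is called solely from `DALegacy.set_stage2_config`, while the BMT lookup dereferences `self.daconfig.flashtype` with no guard. If that lookup can run on a path that never goes through the legacy stage-2 setup (not visible here), it fails with AttributeError on None. Starting the lookup with `if self.daconfig is None:` and an explicit error would make the dependency visible. Separately, the `elif hwcode in [0x6571]` and `elif hwcode in [0x6582]` branches appear unreachable if they chain from the first `if`, which already lists both codes.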