What instructions? What exactly needs to be done?
I don't have the tablet anymore, more exactly I have one tablet that I can't recover. But to kill my first one I followed the instructions and everything worked right away.
Pretty sure you have one that doesn't have bootrom access. Serial mismatch is the preloader mode. You have to be in bootrom mode. It was blocked for unlocking January 2020.
How can I find out what year it is for me?
Should be like the last few digits of the serial number if I remember. If it ends in a 0, you're SOL...
Maybe you know if I can back up boot files from bootrom mode.
You can copy files over, not sure how to anymore, but I have done it. Easier to unlock and do it from TWRP if you get into bootrom.
Read the script files from the bootrom step, I believe that will tell you how it's doing it.
The TWRP is not compatible with my model, I have a prototype one, and I killed it writing incorrect boot files, but I have another one and wanted to copy these boot files from it. I can still enter bootrom mode on it.
You might be able to with the SP Flash Tool.
The above was posted May 6, 2021. Unfortunately, the follow-up just says "I fixed it".
I thought I was done, but I am having an issue when installing 6300.zip. I keep receiving the message "updater process ended with ERROR: 7." Below is a screenshot. Any advice on what I need to do?
Thank you!
[10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
[10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
[10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
[2019-01-26 23:30:02.157670] Waiting for bootrom
[2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
[2019-01-26 23:30:20.439362] Handshake
[2019-01-26 23:30:20.441693] Disable watchdog
* * * Remove the short and press Enter * * *
[2019-01-26 23:30:22.636037] Init crypto engine
[2019-01-26 23:30:22.661832] Disable caches
[2019-01-26 23:30:22.662505] Disable bootrom range checks
[2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-01-26 23:30:22.693170] Send payload
[2019-01-26 23:30:23.527965] Let's rock
[2019-01-26 23:30:23.528832] Wait for the payload to come online...
[2019-01-26 23:30:24.260602] all good
[2019-01-26 23:30:24.261069] Check GPT
[2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-01-26 23:30:24.596619] Check boot0
[2019-01-26 23:30:24.841858] Check rpmb
[2019-01-26 23:30:25.051079] Downgrade rpmb
[2019-01-26 23:30:25.052924] Recheck rpmb
[2019-01-26 23:30:25.949978] rpmb downgrade ok
[2019-01-26 23:30:25.950284] Flash lk-payload
[5 / 5]
[2019-01-26 23:30:26.471797] Flash preloader
[288 / 288]
[2019-01-26 23:30:44.845804] Flash tz
[6732 / 6732]
[2019-01-26 23:33:08.502134] Flash lk
[685 / 685]
[2019-01-26 23:33:23.337460] Inject microloader
[4 / 4]
[2019-01-26 23:33:23.667547] Reboot to unlocked fastboot
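As an added example (not from the thread or from the amonet scripts themselves), the gpt_parsed line in the log above can be parsed and sanity-checked before anything is written back: the code confirms the partition table is contiguous without overlaps and that an image actually fits its target partition, the kind of check that would have caught the wrong boot files that killed the prototype tablet mentioned earlier. The 512-byte sector size and the (start, length) meaning of the tuples are assumptions.

```python
import ast
import re

# Assumption: amonet reports partitions as (start, length) in 512-byte sectors.
SECTOR = 512

# Constructed from the "gpt_parsed = {...}" line in the log above.
LOG_LINE = (
    "[2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), "
    "'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), "
    "'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), "
    "'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), "
    "'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), "
    "'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}"
)


def parse_gpt_line(line):
    """Extract the partition dict from an amonet-style 'gpt_parsed = {...}' log line."""
    m = re.search(r"gpt_parsed = (\{.*\})", line)
    if not m:
        raise ValueError("no gpt_parsed entry in line")
    gpt = ast.literal_eval(m.group(1))  # safe literal parsing, no eval()
    return {name: (int(start), int(length)) for name, (start, length) in gpt.items()}


def check_layout(gpt):
    """Return a list of problems: overlapping partitions or gaps between neighbours."""
    problems = []
    ordered = sorted(gpt.items(), key=lambda kv: kv[1][0])
    for (name_a, (start_a, len_a)), (name_b, (start_b, _)) in zip(ordered, ordered[1:]):
        end_a = start_a + len_a
        if end_a > start_b:
            problems.append(f"{name_a} overlaps {name_b} by {end_a - start_b} sectors")
        elif end_a < start_b:
            problems.append(f"gap of {start_b - end_a} sectors between {name_a} and {name_b}")
    return problems


def image_fits(gpt, partition, image_bytes):
    """True if an image of image_bytes fits inside the named partition."""
    _, length = gpt[partition]
    return image_bytes <= length * SECTOR


def partition_at(gpt, sector):
    """Name of the partition containing the given sector, or None."""
    for name, (start, length) in gpt.items():
        if start <= sector < start + length:
            return name
    return None
```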
Unless you hide root CTS will always fail. Not easy to do even with magisk.
OK, this is the paper that I had in mind. It's by XDA member @djrbliss from 2013 for the Galaxy S4. And this is the thread he made.
Damn, if you were not aware of that work and came up with your exploit independently, that's even more amazing. My hat's off to you sir.
This is very promising, could you please elaborate what exactly needs to be modified to port this to other MTK hardware.
I have a Fire 5th gen here and I can access brom mode by pressing the left mute button while plugging in.
Tried your scripts as is (commenting out the parts that change rpmb or flash partitions) and it gets stuck at
[2019-01-28 00:01:40.973289] Disable bootrom range checks
Does the hash in load_payload.py (4dd12bdf0ec7d26c482490b3482a1b1f) need to be modified?
I do have the kernel-sources for the device and am willing to investigate correct addressing etc.
Also, since this is a bootrom exploit, wouldn't it allow flashing a hacked preloader + lk which just ignore boot signatures so we can just run a standard TWRP?