I can confirm. Tried this in a stock Nord 2 5G with OOS12. stuck in preloader VCOM. Sad

PSA: There's code to blow efuse gating BROM mode entry in the Android 12 update that's started rolling out recently.
Meaning: unbricking via mtkclient may no longer work once you update to Android 12.
Diff between DN2103_11_A.20 (Android 11 EU) and DN2101_11_C.4 (Android 12 India):
Code:+[Run-Time] SEC_LOCK = %x +Blow Disable_BROM_CMD: %d +Already blow Disable_BROM_CMD: %d, read_data = 0x%x +[Run-Time] first time blow Disable_BROM_CMD: %d
(lk.bin strings)
Whether this really pertains to disabling volume buttons remains to be seen (I'm not flashing lk.bin from Android 12 update so as to avoid crippling my own device).
Can somebody who has updated to Android 12 confirm that mtkclient no longer works for you (= stuck in preloader VCOM)?
Oppo and Xiaomi are known to have deployed something similar in the past.
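The lk.bin strings comparison described in the post above, as an added example (not part of the original thread and not mtkclient code): it extracts printable strings from an old and a new bootloader image and flags newly added strings that mention fuse blowing or BROM. The function names, the keyword list and the two sample byte blobs are assumptions constructed for illustration; only the four format strings come from the post.

```python
import re

MIN_LEN = 6  # shortest printable run to report, similar to strings(1)
# Assumed keyword list, chosen from the strings quoted in the thread.
KEYWORDS = re.compile(r"efuse|blow|brom|sec_lock", re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def added_strings(old: bytes, new: bytes) -> list[str]:
    """Strings present in the new image but absent from the old one."""
    seen = set(extract_strings(old))
    out = []
    for s in extract_strings(new):
        if s not in seen:
            seen.add(s)  # report each new string once
            out.append(s)
    return out


def flag_fuse_strings(old: bytes, new: bytes) -> list[str]:
    """Subset of the added strings that match the fuse/BROM keywords."""
    return [s for s in added_strings(old, new) if KEYWORDS.search(s)]


# Constructed sample images: non-printable bytes stand in for code and padding.
OLD_IMAGE = b"\x00\x01[LK] boot mode = %d\x00\xff\xfe[LK] jump to kernel\x00"
NEW_IMAGE = (
    OLD_IMAGE
    + b"\x7f[Run-Time] SEC_LOCK = %x\x00"
    + b"Blow Disable_BROM_CMD: %d\x00"
    + b"Already blow Disable_BROM_CMD: %d, read_data = 0x%x\x00"
    + b"[Run-Time] first time blow Disable_BROM_CMD: %d\x00"
    + b"\x02[LK] charger type %d\x00"
)

if __name__ == "__main__":
    # For real images, read both lk.bin files with open(path, "rb").read().
    for s in flag_fuse_strings(OLD_IMAGE, NEW_IMAGE):
        print("+" + s)
```

A hit only shows that the strings exist in the newer image; as the post says, it does not show under which conditions the routine runs.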
Took the time to confirm your findings. It's true as far as the code goes which I assume is UART strings but I could be wrong. Will keep this in mind in case I decide to update. I've read on various other forums that people are still able to create backups and restore them using mtkclient (read/write) after updating. If I had to make a guess, BROM mode is still accessible to those who have used mtkclient on their device at least once as it runs an exploit to permanently disable the usual BROM security locks (SLA, DAA, SBC, Mem read/write auth, etc.). It would seem that the efuse is only effective when those are still enabled. Again, this is a complete guess (probably completely wrong too) and I haven't done any device specific research.
There's always a way - by removing storage during boot (shorting a CLK pin on eMMC or UFS.). I've seen youtube tutorials for some Oppo MTK phone already.

I'm curious whether there is another way to access BROM mode, such as a different exploit or a test point on the mainboard but unfortunately I don't have the expertise to figure it out.
Thanks for the info. I was under the impression that you boot directly into BROM. Things make more sense now that I know. I guess to really know under what circumstances the efuse gets tripped, the lk.bin file would have to be reverse engineered. Not the easiest thing to say the least. Unless somebody is willing to take up the task, for now we can only wait to see if any more reports of mtkclient not working come up.

There's always a way - by removing storage during boot (shorting a CLK pin on eMMC or UFS.). I've seen youtube tutorials for some Oppo MTK phone already.
Volume button(s) is what preloader.bin checks, whether to jump *back* to BROM EDL mode, but initial BROM boot itself cares only about storage, it doesn't listen to buttons. Point being, you now have to disassemble the phone (and short proper pin) to use mtkclient.
Another hypothesis is that the code triggers only when the phone bootloader is in locked state.
The way boot works is:
I simply omit preloader.bin and lk.bin while flashing the OTA that looks sus like this. Either it works fine, or you get a bootloop (in which case you decide, whether you restore backup, or try your luck by completing the update by flashing preloader *AND* lk.bin). Never ever flash disparate versions of preloader & lk separately. Keep either both old, or both new. Version mismatch *between* those two is a frequent source of bricks.

By the way, how would you go about flashing the stock Android 12 update with the known good lk.bin?
Quick update. According to this video, looks like the BROM EDL/Vol key check only gets disabled in C.05 and C.06 (at least for the Indian market). You seem to be able to regain functionality by rolling back to Android 11. I assume the preloader got updated in order to include the efuse check, which would explain why rolling back fixes it, as the preloader gets downgraded. Either that or the efuse wasn't permanent to begin with. Feel free to correct me if I'm wrong. Also, I'm pretty sure the device in the video had an unlocked bootloader so I don't know if that would affect things.

The vol-down check (as well as other debugging stuff, like HW UART via USB) that lies in preloader is gated by efuse during manufacture (if you search ALPS9 tree for xml files, you'll find a list of what's in there).
So what if you want to disable the vol-down access as an OTA update? That's right, you tack a module on lk.bin to burn the efuse (which seems to be heavily implied by the string). The question is under which circumstances, if at all, this routine triggers in lk.bin (the bootable parts of OTA seem to be for a bunch along with Nord, think stuff like Oppo Reno 5Z).
Same question here. Could we get an update for A.21?

Btw, @Raygen any chance to update the thread with A.21?
I disabled my updater because of Android 12. Received directly from A.20...
Thanks.
Both BROM and fastboot work on 05 for me.
Yep, Xiaomi did the same thing too - downgrading preloader restored BROM key, so the efuse check is most likely added in updated version of preloader.bin. This implies that for as long as rollback is possible (without BROM!), you're fine.
How did you update exactly? Was everything stock beforehand?
2103 A20 - 2101 C4 - 2101 C5
try to bypass with this utility

hello i am bricked no matter what i have this error:
Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...
/*
* Your warranty is... still valid!
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed.
* Please do some research yourself before asking or use anything on this thread.
* I do not offer private assistance via Telegram or any other social outside XDA.
*/
This project is no longer actively maintained, help yourself in the comments! - OP switched to a custom ROM - AndroidFileHost is no longer available for uploads (downloads are still available)
pip3 install -r requirements.txt
python mtk_gui
to start Mtkclient GUI.
python mtk r partition_name_1,partition_name_2,partition_name_3,... img_bak/partition_name_1.img,img_bak/partition_name_2.img,img_bak/partition_name_3.img,...
Example: python mtk r boot,vbmeta,super img_bak/boot.img,img_bak/vbmeta.img,img_bak/super.img
You'll find all your backups inside the /opt/mtkclient/img_bak folder (copy them back to your pendrive to not lose them).
python mtk wl img
Be sure that the file names have the same name as the partition they're meant to write! Example: The file named "boot.img" <---> Will write the "boot" partition.
python mtk r preloader img_bak/preloaderdump_backup.bin --parttype=lu1
to backup your preloader partition. You'll find your backup inside the /opt/mtkclient/img_bak folder (copy it back to your pendrive to not lose it).
python mtk w preloader img/preloaderdump_stock.bin --parttype=lu1
to flash the preloader partition.
fastboot flashing unlock
does not work.
Are you using Windows? Check it in device-manager when you are in "userspace-fastboot": it should report as adb-bootloader-interface. If not, click on use driver -> adb bootloader interface
python mtk wl img
python mtk w lk,lk2,boot,recovery,vbmeta lk.img,lk2.img,boot.img,recovery.img,vbmeta.img
python mtk w name_1,name_2 name_1.img,name_2.img