vbmeta patching script does not correctly read the current slot

[ilya980]

Hi,

I am getting an error trying to patch vbmeta. It looks like the 'slot' variable in mtk_da_handler.py is not read correctly. Do you know what is wrong? The phone is LG K40, MT 6765, bootloader is unlocked, has 2 slots: "a" and "b". Thanks!

kali㉿kali)-[~/mtkclient]
└─$ python mtk.py da vbmeta 3
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

DAXFlash - HW-CODE : 0x766
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
Traceback (most recent call last):
File "/home/kali/mtkclient/mtk.py", line 1021, in
main()
File "/home/kali/mtkclient/mtk.py", line 1017, in main
mtk = Main(args).run(parser)
^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/mtkclient/mtkclient/Library/mtk_main.py", line 684, in run
da_handler.handle_da_cmds(mtk, cmd, self.args)
File "/home/kali/mtkclient/mtkclient/Library/DA/mtk_da_handler.py", line 942, in handle_da_cmds
self.da_vbmeta(vbmode=vbmode)
File "/home/kali/mtkclient/mtkclient/Library/DA/mtk_da_handler.py", line 188, in da_vbmeta
slot = self.get_current_slot()
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/mtkclient/mtkclient/Library/DA/mtk_da_handler.py", line 679, in get_current_slot
slot = tmp[0x800:0x802].decode('utf-8')
~~~^^^^^^^^^^^^^
TypeError: 'NoneType' object is not subscriptable

[MohamedHassanNasr]

Hi i'm facing the same issue also:

mtk da vbmeta 3
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

......Port - Device detected :)
Preloader - CPU: MT6761/MT6762/MT3369/MT8766B(Helio A20/P22/A22/A25/G25)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x717
Preloader - Target config: 0xe1
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca01
Preloader - SW Ver: 0x200
Preloader - ME_ID: 14F334F8728EDF8EB79A193B8DE76246
Preloader - SOC_ID: 1932B221466F48E9A354406C5C50335B508FFC8BF063CB7F62780EB198D36099
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6761_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: D:\Projects\Python\mtkclient\mtkclient\payloads\mt6761_payload.bin
Port - Device detected :)
DaHandler
DaHandler - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - DA version anti-rollback patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Boot to succeeded.
DAXFlash - Successfully uploaded stage 2
DAXFlash - DA SLA is disabled
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: B10030
DAXFlash - EMMC CID: f40122423130303330243b6601a56abf
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x400000
DAXFlash - EMMC USER Size: 0x1c8000000
DAXFlash - HW-CODE : 0x717
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA01
DAXFlash - SW-VERSION : 0x200
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - Boot to succeeded.
DAXFlash - DA Extensions successfully added
Traceback (most recent call last):
File "D:\Projects\Python\mtkclient\mtk.py", line 1021, in
main()
File "D:\Projects\Python\mtkclient\mtk.py", line 1017, in main
mtk = Main(args).run(parser)
^^^^^^^^^^^^^^^^^^^^^^
File "D:\Projects\Python\mtkclient\mtkclient\Library\mtk_main.py", line 684, in run
da_handler.handle_da_cmds(mtk, cmd, self.args)
File "D:\Projects\Python\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 942, in handle_da_cmds
self.da_vbmeta(vbmode=vbmode)
File "D:\Projects\Python\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 188, in da_vbmeta
slot = self.get_current_slot()
^^^^^^^^^^^^^^^^^^^^^^^
File "D:\Projects\Python\mtkclient\mtkclient\Library\DA\mtk_da_handler.py", line 679, in get_current_slot
slot = tmp[0x800:0x802].decode('utf-8')
~~~^^^^^^^^^^^^^
TypeError: 'NoneType' object is not subscriptable