Device flashed with a backup made previously before upgrading ROM from MIUI 12.0 to MIUI 12.5 (flashed both through recovery and fastboot) which triggered Xiaomi Antirollback Protection. When entering BROM mode through Test Point activation, mtkclient is able to correctly hack through SLA/DAA/SBC protection, but attempts at fixing either boot or preloader or recovery or any other partition I've tried always end with an abrupt disconnect after merely a few seconds during the process on both Windows 11 64-bit Pro and current latest Ubuntu Linux (tried both binary and self compiled versions).
Windows 11 64-bit Pro mtkclient:
```
c:\Python311\python.exe c:\Tools\mtkclient\mtk.py w preloader preloader_12.5.img --preloader preloader_12.5.img --auth auth_sv5.auth
Port - Device detected :)
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: C423B5BCBBF9DB3E3DAECAEE616F2D17
Preloader - SOC_ID: 2F7D0D3101884B36A444DD3BCBF4185588E5E647951C14BC0015864D501E9CBE
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload... 12:52
PLTools - Successfully sent payload: C:\Tools\mtkclient\mtkclient\payloads\mt6765_payload.bin
Port - Device detected :)
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - DA version anti-rollback patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DeviceClass - USBError(5, 'Input/Output Error')
DAXFlash
DAXFlash - [LIB]: Stage was't executed. Maybe dram issue ?.
DAXFlash
DAXFlash - [LIB]: Error on booting to da (xflash)
```
Not sure whether this is a bug in mtkclient or expected behaviour with a Xiaomi Antirollback Protection Triggered brick? With connected battery the phone is stuck with a Redmi logo in the middle of the screen and a small android logo in the lower part and unable to be turned off. Boot and recovery and fastboot are broken, not sure how much preloader is functional. With disconnected battery BROM mode is accessible but the phone disconnects after a few seconds whether I keep the test point shorted during the process or release it after SLA/DAA/SBC is successfully passed.
Any suggestions what I might try on my part? This is the first mobile I am experimenting on with mtkclient, therefore my experience/knowledge with this technology is still rather limited, so please bear with me.
Manufacturer : Xiaomi
Product Model : M2006C3MNG
Product : Redmi 9C NFC
Platform : Mediatek( MTK ) MT6765
Hardware Rev : ca00
Storage : 51.8 GB RAM : 4.5 GB Download Size : 128 MB
Ubuntu Linux - lsusb:
Ubuntu Linux - libusb:
Ubuntu Linux - mtkclient: