trying to consolidate device repair information
From f22c7fb86c5b34ee445c1774f282a602ebf371d1 Mon Sep 17 00:00:00 2001 From: John Doe <johndoe@example.com> Date: Sun, 19 May 2024 12:45:49 -0500 Subject: [PATCH] initial commit
--- mediatek.txt | 199 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 199 insertions(+) create mode 100644 mediatek.txt diff --git a/mediatek.txt b/mediatek.txt new file mode 100644 index 0000000..3cb9129 --- /dev/null +++ b/mediatek.txt 
@@ -0,0 +1,199 @@ +# Identifying an Android Phone Chipset + - Search online, but note the device could be a fake or clone + - Use the Hardware Info or CPU-Z Android App + - Try proprietary general flashing systems that can identify any chipset + - Try free chipset-specific flashing programs and see which ones accept the device + +## Flashing Tools +### Windows Drivers + +Note that on Windows you may need specific up-to-date drivers to access the embedded chipset. + +### General-Purpose Proprietary Flashing Boxes and Dongles + +Commercial repair shops license commercial flashing tools. +These originally come with a hardware dongle for DRM protection. The software can be found online. +Hovatek links to https://journal.hovatek.com/you-might-have-to-buy-a-box-dongle-heres-why/ + +Partial List: Infinity CM2, Miracle box, Miracle Thunder, EFT dongle, +NCK Pro box, UMT dongle, Medusa Pro box, XTC 2 Clip, BST dongle, IP +box, Octopus box, Sigma box, Riff box, Octoplus Pro box + +### Chipset Manufacturer's Flashing Tool + +Each chipset manufacturer generally has a suite of flashing tools used to originally program the phones. +These generally flash chipset-specific scatter formats with partition maps. +- Mediatek: SP Flash Tool. Note this is available for Linux. + +### Open Source Tools + +Each chipset reverse engineering community has at least one open source flashing tool. +Unlike the chipset manufacturer's flashing tools, these tools may include the use of exploits for software access to devices that are bricked or locked. +They generally flash raw image data provided via their interface, rather than a scatter file. 
+- Mediatek: mtkclient in python + +# MediaTek +- Easier than unisoc, harder than qualcomm + +## Identifying a MediaTek Android ROM Format + - update.zip / Tcard + - contains META-INF/ and scatter.txt + - flashed in stock recovery mode, NOT with a scatter flash tool + - .img / Scatter + - contains MT****_Android_scatter.img, .img files, .bin files + - flash with a proprietary MediaTek flashing tool such as SP Flash Tool, NCK, Infinity CM2, SP Multiport, ... + - Single .bin + - single raw file + - associated with GSM Aladdin, Miracle, Infinity CM2 + - TWRP backup + - contains .win/.win.md5 files, other recoveries might have .ext4.tar or .img + - flash with the recovery type they were made with + - Custom rom + - device specific + - flash with custom recovery like TWRP, Phiz, CWM + +## Common MediaTek Partitions & Associated Troubleshooting + - Secro /secro: baseband info. "Unknown Baseband" if corrupt. + - Preloader: initializes device, won't even charge if corrupt + - Nvram: radio info, imei, wifi, bluetooth mac addresses + - Boot /boot: kernel and ramdisk, won't boot to OS if corrupt + - System /system: OS and apps, stuck at logo if corrupt + - Lk or Uboot: kernel code, corrupt -> white,black,multicolored screen + - Logo: controls boot logo image + - Userdata /userdata: user apps, contacts, etc. userspace errors or lag if corrupt + +## MediaTek Boot Modes + +### BootROM +BROM mode is the initial hardware boot stage. +This usually hands off to the preloader, but the system can be configured to +boot straight to BROM, and this can be forced by grounding KPCOL0 or the EMMC +storage pins. This can be used to unbrick a device with a corrupt preloader. +If there is no preloader enabled, the bootrom will briefly connect a serial +device to the USB port to allow a flasher to interrupt boot and flash the +system. + +### Preloader +The preloader is the software bootloader which hands off to normal booting. +The code executed is in a flashable partition. 
+Before booting, like the BROM, the preloader will connect a serial device +to the USB port to communicate with a flasher. +Whether the phone is running the preloader or the bootrom can be identified +by the identity of the connected serial device. + +For the bootrom to accept a new preloader, an Authentication File is needed. + +MediaTek designs it such that the flashing tool uploads a signed Download +Agent to RAM, which the preloader verifies the signature of and then hands +off control to. This is called Secure Boot. + +If the Download Agent file is wrong, errors might include: +Boot Error! S_INVALID_DA_FILE, S_FT_DOWNLOAD_FAIL (2004), +S_BROM_DOWNLOAD_DA_FAIL, S_SECURITY_SECURE_USB_DL_DA_RETURN_INVALID_TY PE +(6104), MSP ERROR CODE: 0X00, S_AUTH_HANDLE_IS_NOT_READY (5000), +STATUS_SEC_AUTH_FILE_NEEDED (0xC0030012) and many more + +NEVER DESTROY THE PRELOADER AND SECURE BOOT DATA! You may need private keys +to recover. + +Community DA collection: https://forum.hovatek.com/forum-112.html + +Tecno, Infinix, and Itel / Transsion devices have tools that work without DA +files. + +### Recovery Mode +Recovery mode is for normal flashing. +1. Power off the device +2. Hold volume-up +3. Hold power while volume-up is held +4. Release both when boot logo appears +For some devices, steps 2 and 3 are reversed. + +### Factory Mode +Factory mode is for diagnostics, running tests, clearing the emmc, and resetting the touch calibration. +1. Power off the device +2. Hold volume-down +3. Hold power while volume-down is held +4. Release both when boot logo appears. +For some devices, steps 2 and 3 are reversed. + +### Safe mode +Safe mode disables installed apps, and is good for troubleshooting whether problems are associated with user apps. +1. Long-press power button like you intend to reboot +2. Long-press the reboot option in Android +3. A dialog prompts regarding safe mode. Selecgt OK +4. Allow the device to reboot +5. 
It should say "safe mode" in the lower left during operation + +## Dumping Firmware + +### Dumping firmware with SP Flash Tool +SP Flash Tool requires a provided download agent signed with a key the +device accepts. + - Use Wwr MTK to create a temporary scatter file. Go to auto mode, select chipset and memory type. More templates available at Hovatek forum. Click create and save as. + - Load SP Flash Tool, click to browse for download agent, select .bin file. + - Select the Wwr scatter file. + - Use the physical address and length information from the scatter file. + - Go to readback tab, click add, double-click the entry. EMMC_BOOT1, then PGPT. + - Initiate the transfer + - Remove the battery from the device, then connect it. + - The length of the full dump is stored in the PGPT. It's the same length as boot_1 is in the user region. + - WWR can load the preloader PGPT. Click "select file" in the upper right and open the preloader from emmc_boot_1. Then head to the table of sections tab, and load the PGPT to populate it. "Full volume of GPT" field shows entire size of data. Partition offsets and lengths are shown to perform partial dumps. + NOTE: can't the PGPT be changed? there are more direct approaches + - WWR can import larger regions of the dump, too, and identify other things about the device in the auto mode tab. It can then export firmware formats for other flashers to use. + Binary search option is useful. + +## Flashing Firmware + +Build number is everything! Settings -> About -> Build Number +Variants are two phones of the same model, with a slight difference, often indicated in changes to the build number. +You may or may not be able to interflash firmware across build variants or groups. +Sometimes variants do not change the build number. 
+ +### Flashing firmware with SP Flash Tool + + +# links +- hovatek.com + phone repair support company with classes, articles, and a question answer service + - mediatek links from old phone repair class + - mtk vcom drivers: https://drive.google.com/file/d/0B9srKhKuVIMnalFkV3EzWjVXdUE/view + - adb & fastbot[ibid] drivers: https://androidfilehost.com/?fid=95855108297851314 + - Wwr_MTK: https://mega.nz/#!W8lwmC7b!98r6ttK9hATkZpW5vJ-JS7-qQ8Hp7PCRdRT2bGoYuGY + - Miracle box: https://mega.nz/#!6PZkxIJS!JVlJkweSsj77qUOHvQ977qkMD2E4eApRA6k9uUkUX7w + - NCK Pro box MTK: https://mega.nz/#!GP50wIoQ!kQxh9SsMJBQqKoh-q4Aks7FHARHWLyIVUBVzLCj-MaQ + - Infinity CM2: https://forum.hovatek.com/thread-21773.html + - SP flash tool: https://mega.nz/#!f11WEIrQ!KWFnNEe6GbFgcQtoZcYZ5zBKqrvqvSOLT3amnGU-Yso + - Software Download (transsion Aftersale) tool: https://mega.nz/#!ylFmlIAI!-lbOX0cAMKxGotE0vpedNQDw74cyZWU9BwSd6cYQsYk + - SP Multiport: https://mega.nz/#!y1N0FQLK!nLLLjWqX_FXrkIIBkMLt9EIGf3PN3aD_qwn0aHjMy3g + - SN Writer / Write tool: http://www.mediafire.com/file/94vbv8n3zpbcjlj/SN_Write_Tool_v2.1504.00.zip + - Maui Meta: https://drive.google.com/file/d/0B4S-Z726VJ2SZ0R1MHpDY3JISkU/view + - GSM Aladdin: https://mega.nz/#!Dk0WGJJL!LCR6ua1BDitYycE1sm-1SzvdwcvKxHie8hAjtd5Om2k + - Magisk Manager: https://bit.ly/2w2oQZz + - MTK TWRP Porter (GUI) v1.4: https://mega.nz/#!UTBFyS6Y!LrvJrJ7__HBn0_IDoFRnhwFe1Srv_jMCc1K5fm84YyA + - MTK TWRP Porter (GUI) v1.6: https://mega.nz/#!Ufxh0AIA!t6QvP3VWhrg0Lq39tcXrOwAJCUvuWtnUUN3PiFCiDBg + - MTK Philz porter (GUI): https://mega.nz/#!1HY03SLZ!al1OyLv_j_kSeLPFhn7K_OfRqe0sjpjHlP5V-iIbZR0 + - Z3X MST box: https://mega.nz/#!dT4j0RRb!iv4msg39ZbpiatKuImwQoo5wNO1HhtkugBOQ0cQGris + - CheckSum generator: https://mega.nz/#!pSZW3KYI!JYrOcMFkVYO_ZIYgTXkzTI9dwHbDhzZjhzv0TlvazF8 + - Blank vbmeta.img: https://mega.nz/#!dnAS3AhD!g5PnSg-0UKFvyhZSZ8Em6gKO2Do7avaUepPmsH75-Bg + - Mi Unlock tool: https://en.miui.com/unlock/download_en.html + - CDC driver: 
https://drive.google.com/file/d/0B4S-Z726VJ2Sc2hXaDhaRDFCb28/view + On 2024-02-07, I uploaded most of these to arweave with a download script that needs gnu parallel and jq. + Note, I was likely experiencing advanced compromise during this upload. + https://arweave.net/lLbBWwRthEAn-LFHSaAOUq29cZUJV7d_TlofzKPW8oQ/hovatek-mtk.... + "If https://arweave.net is blocked, change the GW variable in the script." + +# notes may be found in +- [x] morning spam + starting tue feb 6 2024 searching keywords 'mediatek' and 'hpp-l55b' so far found only logs and a link to hovatek.com +- [ ] non-canon spinoffs + phone repair course starting 2024-02-07 + i'm up to '05-32 How to get the build number of a bricked MTK device' + adding the infomration to the Flashing section above +- newae technology, embedded security article +- 'trying to take control of my free government phone' log +- trying to make unihertz titan boot +- information on unihertz titan +- the trials of mediating algorithms +- uhhh should i understand the exploits my new phone + -- 2.43.0
participants (1)
- Undescribed Horrific Abuse, One Victim & Survivor of Many