Preloader updated?

[shomykohai]

Downloading firmware for penangf Android 13, I compared the preloader file with the new one.

It looks like the two file differ.
Could this be the reason we get DA Anti Rollback when using old DA file included in firmware?
Did the preloader got patched after release date? Or does the preloader changes based on different retail channels?
This would also explain the DA file changing from MT6768_USER.bin to DA_PL_NO_CERT_V6.bin

Old preloader: https://mirrors.lolinet.com/firmware/lenomola/2023/penangf/official/RETAIL/penangf_g_user_13_THA33.31-26_release-keys.zip

Flash Tool with all DAs: https://mirrors.lolinet.com/firmware/lenomola/2023/penangf/flashtool/SP_Flash_Tool_Penang4G_V6.zip

[shomykohai]

DA_PL_NO_CERT_V6 seems to be the default DA file right after the release of the phone.

MT6768_USER.bin creation dates 4 days before DA_PL_NO_CERT_V6.
This could mean many things, my guess is that the other DA file provided too many feature and they changed it because of this.

[shomykohai]

So basically for penangf they just threw what worked without even caring enough to give the ability to format, that says a lot

[cxzstuff]

So basically for penangf they just threw what worked without even caring enough to give the ability to format, that says a lot

Same difference in scatter files with G13, but for some reason it didn't ask...
They do these things in many ways. Like many devices has a blankflash package for bricked devices. We don't.
From the readme of such that is meant for a MTK one, G54. It uses both DA, scatter, etc. but fastboot mode to flash.

how to use blankflash package to make the "brick" unit working again:

1. enter MTK download mode:
   normally, MTK Can enumlate 2 kinds ports. BootRom Vcom and Preloader Vcom
   BootRom Vcom:

   1. blank borad always enumlated BootRom Vcom
   2. emergency download mode(hard key,power + vol- ) can enumlated BootRom Vcom

   Preloader Vcom:
   if the unit has flashed a workable preloader.
   every boot unit will enumlated perloader Vcom 2.5 second for handshake with MTK
   console mode tool(SP_download_tool.exe).

So, how we wipe the whole thing? Or is preloader enough? Or all the boots?

[shomykohai]

For wiping we should be able to use either meta mode or recovery as found in the thread about adb sideload

[cxzstuff]

For wiping we should be able to use either meta mode or recovery as found in the thread about adb sideload

I have seen wipe in these different SPFT config files. Depends maybe the firmware, tool, etc. is it usable...

With G23 RSA acts the same... Naturally. Same tool and the same firmware.

[progzone122]

For wiping we should be able to use either meta mode or recovery as found in the thread about adb sideload

I have seen wipe in these different SPFT config files. Depends maybe the firmware, tool, etc. is it usable...

With G23 RSA acts the same... Naturally. Same tool and the same firmware.

Our DA himself seems to forbid it

[progzone122]

Downloading firmware for penangf Android 13, I compared the preloader file with the new one.

It looks like the two file differ.
Could this be the reason we get DA Anti Rollback when using old DA file included in firmware?
Did the preloader got patched after release date? Or does the preloader changes based on different retail channels?
This would also explain the DA file changing from MT6768_USER.bin to DA_PL_NO_CERT_V6.bin

Old preloader: https://mirrors.lolinet.com/firmware/lenomola/2023/penangf/official/RETAIL/penangf_g_user_13_THA33.31-26_release-keys.zip

Flash Tool with all DAs: https://mirrors.lolinet.com/firmware/lenomola/2023/penangf/flashtool/SP_Flash_Tool_Penang4G_V6.zip

Yes, preloader changed every update (at least version) and that's why we get ANTI_ROLLBACK. Also DA file was changed at least once, because if you use some DA from lolinet - you get ANTI_ROLLACK error in mtkclient

[shomykohai]

https://github.com/andreya108/bindu-kernel-mediatek/blob/master/platform/mt6589/preloader/src/drivers/platform.c#L275

Looks like our preloader was compiled with the ability to do this since we get the "emergency download mode" error!!

What worries me is the timeout of 5 seconds 🤔
Is that how much time it stays in this mode, or how much time they give you to access it?

Note

I found an older chipset preloader src, but I assume it would still apply somehow.

I can't read the preloader decompilation, I don't know asm that much, but surely if we could get an hint on how this function works in our preloader, we might understand better.

[shomykohai]

We should avoid updating

in case they patch stuff in the preloader or efuses for loading brom.

Our best candidates to boot brom are KPCOL0 if they didn't patch preloader to disable the TP or short CLK.

KPCOL0 could get patched, CLK should work in any case (because we make impossible to read the eMMC)

[progzone122]

We should avoid updating

in case they patch stuff in the preloader or efuses for loading brom.

Our best candidates to boot brom are KPCOL0 if they didn't patch preloader to disable the TP or short CLK.

KPCOL0 could get patched, CLK should work in any case (because we make impossible to read the eMMC)

We still don't know exactly what KPCOL0 gives us... I can't help you yet because of the damn battery.

[shomykohai]

I can't help you yet because of the damn battery.

I know, but we have time for sure so no rush, just be sure not to update and download the current firmware to be sure.

I'm trying to get bypass_utility to work because I want to try something, but the version on the aur is using LTS kernel and not the latest 6.12, and the precompiled aur doesn't work so i'm compiling the kernel with kamakiri patch.

FireISO didn't work for me

[shomykohai]

What I want to do is try to crash preloader with mtkclient, and in the 5 seconds time frame try to run mtk bypass.

Would have been easier if mtkclient decided to work under windows correctly

[progzone122]

What I want to do is try to crash preloader with mtkclient, and in the 5 seconds time frame try to run mtk bypass.

Would have been easier if mtkclient decided to work under windows correctly

Yeah! Running mtkclient on Windows is a pain...

[cxzstuff]

Yeah! Running mtkclient on Windows is a pain...

Kind of hack for LG stylo 6 etc. SP flash tool and mtkclient used in the same time on windows to make connection. Later LG removed the brom mode, so downgrading is now needed...
https://xdaforums.com/t/how-to-unlock-bootloader-and-root-the-lg-stylo-6-and-k51-k61-and-other-k-model-lg-devices.4364489/

[cxzstuff]

If one looks the files in those older firmware packages (A13), one can find some interesting stuff.
Like those *.tmp files left there. Commands that may or may not work. Also check the .bat, that shows how fastboot is used - maybe as default (+ command for flash_tool commented out, also included in A14 ). Different preloaders and DA files...

For most firmware RSA downloads just a platform tools package instead of SPFT. It should be easily checked which one it uses. (G24's SPFT run normally doesn't show GUI at all. Then again RSA doesn't show SPFT or any other GUI anyway... )

[progzone122]

It may not necessarily be BROM. Because flash tool says that it also connects to BROM, but in fact it is Preloader

Mmh, yeah you could be right

What's interesting though is the without_battery part Did we test all this stuff while the battery was disconnected?

I've tried plugging it in a bunch of times with no battery and it boot in Preloader

[shomykohai]

At least we know now

[shomykohai]

@progzone122 i think that the efuse.tmp file is some sort of file to tell sp flash tool what to do, like the scatter file.
Do you think you can find a way to use it to read the device efuses? If we can get this information it'd be a great help to understand if we have access to brom or not!

[cxzstuff]

Those tmp files are like that download.xml file in that bat file's example. If run from a command line. IDK what xml files are loaded as default in GUI mode, if any.

From flash tool's usb_settings.xml one can find those ports...

[shomykohai]

Those tmp files are like that download.xml file in that bat file's example. If run from a command line. IDK what xml files are loaded as default in GUI mode, if any.

From flash tool's usb_settings.xml one can find those ports...

Does this mean we have no luck reading efuses?

[shomykohai]

I think they disabled BROM by efuse:

[Run-Time] Already blow Disable_BROM_CMD: %d, read_data = 0x%x 
[Run-Time] first time blow Disable_BROM_CMD: %d

Found in lk.img

[cxzstuff]

You would have to try 1.2089258196146292e+24 combinations 😅

26 upper case letters + 10 numbers and length is 20 = 36^20 = 1.3367495e+31 ???

[shomykohai]

You would have to try 1.2089258196146292e+24 combinations 😅

26 letters + 10 numbers and length is 20 = 36^20 = 1.3367495e+31 ???

Oops, I messed up my calculations, but yeah even worse

[shomykohai]

Maybe in fastboot there is also an analog of the get_unlock_data command?

that commands just gathers some data from the phone!

We can manually recreate the data needed
First line is the IMEI rearranged,
Second line is Serial Number
Third line is the Phone HASH (which we don't have)
Fourth line is SoC_ID

[shomykohai]

But this still wouln't be useful, as we still wouldn't get the key from the website, not even device with unlock_data have a lucky time getting the eligible popup.

In my opinion, most of the data in the "unlock_data" is useless, just needed for confirmation and masking of what they actually need to give you the correct key.

Our device also uses mtk default bootloader, so the process might be even different from what the official moto bootloader does

[shomykohai]

Guess what? This efuse warning appears since the first lk of android 13, so at least we know it wasn't patched after, but they disabled it on production directly, so not even phones with android 13 could be a chance

[progzone122]

@shomykohai I can't figure out what this command does?

[progzone122]

[466424] [fastboot
(bootloader) ]-[download_base:0x4
(bootloader) e000000]-[download_s
(bootloader) ize:0x0]
[466424] [
(bootloader) Cmd process]-[buf:oe
(bootloader) m printk-ratelimit]-
(bootloader) [lenBuf:]
[SEC_USBD
(bootloader) L] 0x22, SC
[466424
(bootloader) ] UNKNOWN ARGUMENT

(bootloader) [SEC_USBDL] 0x22, SC
(bootloader)
[542130] [fastboot
(bootloader) : command buf]-[oem
(bootloader) printk-ratelimit]-[l
(bootloader) en=20]
[542130] [fa
(bootloader) stboot]-[download_ba
OKAY [  0.244s]

[progzone122]

[shomykohai]

I think it rates limit how much stuff can be printed by the kernel

[shomykohai]

@progzone122 do you have any idea how tools like AMT claim to unlock bootloader or remove frp on our device?

I saw AMT has bootloader unlock for g13 but not g23, but we know it's not an issue.
Fact is: how do they remove FRP from preloader??

We know that we don't have write access to frp in our device with mtkclient, and during the process AMT logs "patching security data"

Could it be that our device has a sort of hidden SLA enabled?

I thought, what if we analyze RSA requests with Wireshark to see? We know RSA is capable of upgrading firmware, included parts that we can't flash like preloader and lk.

Considering that with mtkclient we can't write even official firmware binaries to protected partitions, how does RSA/SPFT even do it??

You see the problem here? Official software can flash the same contents we can't flash with mtkclient

[shomykohai]

At least we can flash lk partition...

Problem is you might get red state if you patch it

But we haven't tried it yet, what if it works out

We could try, but LK is one of those partitions whose signature is verified, that's why I expect it to throw a red state

Even worse, we can't even flash it.

I guess we're back to finding either how to enter brom or generate the unlock key for fastboot

[cxzstuff]

What do you get doing
flash_tool.exe efuse -o -d <path to da>

That config file (efuse.tmp) has some keys etc. probably needed. Have you tried it from the command line?
flash_tool -o -i efuse.tmp
(paths fixed naturally)

[cxzstuff]

(paths fixed naturally)

efuse.xml.txt
Should write dump file too...

[shomykohai]

What do you get doing
flash_tool.exe efuse -o -d <path to da>

That config file (efuse.tmp) has some keys etc. probably needed. Have you tried it from the command line?
flash_tool -o -i efuse.tmp
(paths fixed naturally)

I don't think that would work, I'll try, but anyway, there's something curious here!
@cxzstuff @progzone122, The USB_DL_Type is set to 0, which means usb download happens on BROM, not bootloader, and since these are efuses it cannot be changed once written!!

[shomykohai]

Anyway, doesn't work, I can't read efuses

[cxzstuff]

Hmm...
Brom by volume buttons with some preloader. UMT might have something to do with it too.
https://hostingunlock.com/threads/frp-moto-g23.76244/

Many times just DA_PL_NO_CERT_V6 is shared for these tools. Sometimes with a firmware(?) preloader. Now just a preloader...

[shomykohai]

I can't see the attached image unfortunately, but yeah brom for us needs a combination of volume buttons, problem is that one of these is a test point 😅

You're right about which DA they share, but it must be something behind these tools too, they can write to frp, we cannot
https://moto-penangf.github.io/documentation/#/dev/partitions?id=non-empty-partitions-which-may-be-of-interest

[cxzstuff]

https://mega.nz/file/14MwjChR#o6Q8oGCfyxiF8hy460ZoEgb4LVMjmPM91gVkZeIqVDA

[shomykohai]

https://mega.nz/file/14MwjChR#o6Q8oGCfyxiF8hy460ZoEgb4LVMjmPM91gVkZeIqVDA

They share this preloader with moto g23 FRP???
Because this seem to be moto g22 preloader, but we know g22 has a way to access BROM and Erase FRP

[cxzstuff]

Typo in the title, okay, but in the tag too... ??

Well, there is a lot of info out there, some ok, some not so...
Like that test point I posted. In our telegram group they say it didn't work.
But then again they didn't test it themselves...

[shomykohai]

I don't understand what typo you're referring to

Anyway, those testpoints you sent are pretty hard to use, they are in the back of the motherboard under the shields, no wonder nobody tested them.

Though, they are indeed possible testpoints.
Anyawy, discussions of testpoints should be going on #1, just so we don't confuse stuff 😄

[cxzstuff]

I don't understand what typo you're referring to

Like if the poster meant it for G22...

[shomykohai]

Oh okay, I get it now, I thought you were talking about something else because you made another post instead of replying to the old one, my bad

[cxzstuff]

so, actually my bad... lol.

[shomykohai]

@progzone122 Our preloader doesn't have this function

https://github.com/svoboda18/preloader/blob/73d33cc801ec3ab49c886529ca2f19a6b11f2d03/platform/mt6768/src/drivers/platform.c#L1155-L1177

[shomykohai]

Interesting enough, this is the code that sets the device to reboot to BROM:

// This comes from penangf preloader

void platform_safe_mode(int en, u32 timeout)
{
    U32 usbdlreg = 0;

    timeout = !timeout ? 0x0000FFFC : timeout / 1000;
    timeout = (timeout & 0x3fff) << 2

    usbdlreg |= timeout;
    
    if(en)
    {
        usbdlreg | 1;
    }
        usbdlreg &= ~USBDL_BIT_EN;
    
    DRV_WriteReg32(MISC_LOCK_KEY,MISC_LOCK_KEY_MAGIC); // MAGIC
    DRV_SetReg32(RST_CON,1);
    DRV_WriteReg32(MISC_LOCK_KEY,0);
    // DAT_0002b6ec = uVar3 | 0x444c0000

    DRV_WriteReg32(USBDL_FLAG,usbdlreg | 0x444C0000);

}

Here's a source code for comparison
We miss a line!!

    usbdlreg &= ~USBDL_BROM ;

Assuming the presence of compiler optimizations, this condition would only get removed if the value stayed the same, and in this case it would if USBDL_BROM was 0, and looking at the definition:

#define USBDL_BROM          (0x00000002) /* 0: usbdl by brom; 1: usbdl by bootloader */

What do you think @progzone122?

[shomykohai]

And this is called when there's an error in the preloader:

So we know that the first parameter is 1, and we know from the logs that timeout is 5000

[shomykohai]

Also, in our preloader, it should enter emergency download mode right away...

This is from the first line of a function that gets called right away in main

[shomykohai]

Basically our preloader hints everywhere that BROM is accessible for our device, but we can't get it for some reason

[shomykohai]

@progzone122 I found this source code that apparently made it possible to unlock a bootloader of an Amazon device while looking up for preloader exploit:
https://github.com/R0rt1z2/amonet/blob/mt8135-ariel/modules%2Fload_payload.py#L104-L125

Do you think we could make something similar? To disable DA verification

[shomykohai]

I wrote this guy a private message and invited him to a telegram group. He said he'd take a look when he got back from work.

Oh, perfect timing then to find out about this person! Let's hope he can help us then!!

I found the Repository while looking on some sources on preloader exploit, and it looked exactly like the same problem we had, with no access to brom.

I was planning on doing my tests with this, but if we can get him to help us as you said, I'll wait.

[shomykohai]

Anyway, just because I don't wanna open an issue for something this quick,

I pushed some small updates to the documentation the other day but they didn't make it to prod.
How is deployment now handled? Do we have a different branch in which we merge the commits later (and I guess it would be the html one if so), or do I have to manually trigger a deploy with actions?

@progzone122

[progzone122]

I wrote this guy a private message and invited him to a telegram group. He said he'd take a look when he got back from work.

Oh, perfect timing then to find out about this person! Let's hope he can help us then!!

I found the Repository while looking on some sources on preloader exploit, and it looked exactly like the same problem we had, with no access to brom.

I was planning on doing my tests with this, but if we can get him to help us as you said, I'll wait.

https://t.me/motoheliog85/1/46542

[progzone122]

I wrote this guy a private message and invited him to a telegram group. He said he'd take a look when he got back from work.

Oh, perfect timing then to find out about this person! Let's hope he can help us then!!

I found the Repository while looking on some sources on preloader exploit, and it looked exactly like the same problem we had, with no access to brom.

I was planning on doing my tests with this, but if we can get him to help us as you said, I'll wait.

Maybe we'll still have a chance...

[shomykohai]

I wrote this guy a private message and invited him to a telegram group. He said he'd take a look when he got back from work.

Oh, perfect timing then to find out about this person! Let's hope he can help us then!!

I found the Repository while looking on some sources on preloader exploit, and it looked exactly like the same problem we had, with no access to brom.

I was planning on doing my tests with this, but if we can get him to help us as you said, I'll wait.

Maybe we'll still have a chance...

Do you think we can reverse the OEM algorithm? We already have an Idea of what it does, but we don't know what kind of hashing and buffer copying it does.