[Please help] Bricked Xiaomi Redmi 9c NFC (No Fastboot/No Recovery/Stopped being detected by PC)
(30-11-2024, 04:06 PM)guevara.janosik The problem seems to be that on my Windows 11 64-bit Pro OS with Secure Boot, the unsigned Mediatek drivers are silently not being installed. I've tried disabling driver signature enforcement with little success.
Attempting to self-sign the drivers breaks upon a problem in the inf file, which I am currently unable to find a solution for:
C:\Tools\driver-signing>"F:\Program Files\Windows Kits\10\bin\10.0.26100.0\x86\Inf2cat.exe" /driver:C:\Tools\driver-signing /os:10_x64
.....................................................................
Signability test failed.
Errors:
22.9.10: usbser.sys in [drivercopyfiles.nt] is missing from [SourceDisksFiles] section in driver-signing\cdc-acm.inf; driver may not sign correctly until this is resolved.
Warnings:
None
Does anyone know how to solve this?
(03-12-2024, 11:01 AM)guevara.janosik I was not able to make mtkclient work under Windows 11 64-bit Pro and the drivers you're referring to were actually the first choice I've tried, but since no tool I've tried was able to connect with the phone in Brom before or after I've bricked it, I somehow wrongly assumed that Brom drivers are not included with the Signed Driver package, only the unsigned one, mea culpa.
Nevertheless, I've made some progress: I was able to figure out the correct timings and most of the nuances of using the Test Point method correctly. I am able to short Data 0 with GND for cca. 6 seconds with conductive tweezers while USB is disconnected on one side, then connect USB and release the Test Point short after the tool makes enough progress. I am just not sure when exactly I should release, since no matter what timing I use, the device gets disconnected after a few seconds of successful data transfer, which ruins all my endeavor.
Therefore I was not able to provide any screenshots of the Device Manager since the phone disconnects so rapidly that I am unable to find the new device in Device Manager fast enough, not even to screenshot it. After the connection, the Device Manager was still refreshing/redrawing itself (not showing anything yet) when already I've got a sound clue that the device disconnected already. Not sure what I could possibly do to get the desired result, whether there is some trick to it in such situations how to set up the device manager to react.
I was capable, after many attempts due to not having a laptop available and the USB port being 1,5m away fixed on my Tower PC, to install the libusb-win32-devel-filter correctly on the Mediatek VCOM 0e8d:0003 driver. Installed UsbDk_1.0.22_x64 just not sure how to configure it, because the installation alone by itself did not make any tools work for me, especially not mtkclient. But the libusb-win32-devel-filter made mtkclient work finally to some degree at least.
After running bypass_utility now and shorting the Test Points with a disconnected battery and plugging USB at the right moment, the tool reports successful bypassing and exits, but when I run SP Flash Tool from the above link with the corresponding DA and auth file and open the scatter file of an angelican_eea_global_images_V12.5.4.0.RCSEUXM_20220724.0000.00_11.0_eea_ca1f08045a.tgz (the version of firmware I was running on before triggering Anti Rollback Protection by restoring a full backup made previously on 12.0 eea) the flashing bar turns to red and no progress is shown, I assume that the phone disconnects.
On Windows mtkclient gives me the following output:
python.exe mtk.py w recovery,vbmeta,boot recovery.img,vbmeta_disabled.img,boot.img --preloader preloader_new.img --auth auth_sv5.auth
Port - Device detected
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: C423B5BCBBF9DB3E3DAECAEE616F2D17
Preloader - SOC_ID: 2F7D0D3101884B36A444DD3BCBF4185588E5E647951C14BC0015864D501E9CBE
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: C:\Tools\mtkclient\mtkclient\payloads\mt6765_payload.bin
Port - Device detected
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - DA version anti-rollback patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DeviceClass - USBError(5, 'Input/Output Error')
DAXFlash
DAXFlash - [LIB]: Stage was't executed. Maybe dram issue ?.
DAXFlash
DAXFlash - [LIB]: Error on booting to da (xflash)
Would setting Transmit, and perhaps also Receive, Buffers to 12 in Advanced Port Settings possibly solve the issue? Should I leave Bits per second, Data bits, Parity, Stop bits and Flow control at their default values? (9600, 8, None, 1, None)
I've also managed to install the latest stable Ubuntu version and compiled mtkclient and had success with the mtk CLI tool. (GUI gets stuck after bypassing due to phone disconnecting I assume).
Now I am stuck with the phone disconnecting during a flash:
mtk w recovery,vbmeta,boot recovery.img,vbmeta_disabled.img,boot.img --preloader preloader_12.5.img --auth auth_sv5.auth
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: C423B5BCBBF9DB3E3DAECAEE616F2D17
Preloader - SOC_ID: 2F7D0D3101884B36A444DD3BCBF4185588E5E647951C14BC0015864D501E9CBE
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Port - Device detected
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: C423B5BCBBF9DB3E3DAECAEE616F2D17
Preloader - SOC_ID: 2F7D0D3101884B36A444DD3BCBF4185588E5E647951C14BC0015864D501E9CBE
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Runs
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/savant/.local/share/pipx/venvs/mtkclient/lib/python3.12/site-packages/mtkclient/payloads/mt6765_payload.bin
Port - Device detected
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - DA version anti-rollback patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Boot to succeeded.
DAXFlash - Successfully uploaded stage 2
DAXFlash - DA SLA is disabled
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: Y2P064
DAXFlash - EMMC CID: 9b0100593250303634005d513fb51969
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x1000000
DAXFlash - EMMC USER Size: 0xe8f800000
DAXFlash - HW-CODE : 0x766
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - Boot to succeeded.
DAXFlash - DA Extensions successfully added
Progress: |█---------| 6.2% Write (0x2000/0x20000, 05s left) 11.19 MB/s
DAXFlash - [LIB]: unpack requires a buffer of 12 bytes
Failed to write recovery.img to sector 2112 with sector count 131072.
DAXFlash
DAXFlash - [LIB]: Error on sending dev ctrl 262151:OK (0x0)
DaHandler
DaHandler - [LIB]: Error: Couldn't detect partition: vbmeta
Available partitions:
DAXFlash
DAXFlash - [LIB]: Error on sending dev ctrl 262151:OK (0x0)
DaHandler
DaHandler - [LIB]: Error: Couldn't detect partition: boot
Available partitions:
And when releasing the tweezers a bit sooner it does not even get as far as before:
mtk w recovery,vbmeta,boot recovery.img,vbmeta_disabled.img,boot.img --preloader preloader_12.5.img --auth auth_sv5.auth
Port - Device detected
Preloader - CPU: MT6765/MT8768t(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: C423B5BCBBF9DB3E3DAECAEE616F2D17
Preloader - SOC_ID: 2F7D0D3101884B36A444DD3BCBF4185588E5E647951C14BC0015864D501E9CBE
DaHandler - Device is protected.
DaHandler - Device is in BROM-Mode. Bypassing security.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/savant/.local/share/pipx/venvs/mtkclient/lib/python3.12/site-packages/mtkclient/payloads/mt6765_payload.bin
Port - Device detected
DAXFlash - Uploading xflash stage 1 from MTK_DA_V5.bin
XFlashExt - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
XFlashExt - Patching da2 ...
XFlashExt - Security check patched
XFlashExt - DA version anti-rollback patched
XFlashExt - SBC patched to be disabled
XFlashExt - Register read/write not allowed patched
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DeviceClass
DeviceClass - [LIB]: Device disconnected........
Before I've tried those commands above, I have first tried optimistically to restore the full system, but it flashed up to 90% of the preloader and then got stuck/disconnected:
mtk w preloader,recovery,cust,vbmeta_system,vbmeta_vendor,md1img,spmfw,scp1,scp2,sspm_1,sspm_2,lk,lk2,boot,logo,dtbo,tee1,tee2,super,vbmeta,cache preloader_12.5.img,recovery.img,cust.img,vbmeta_system.img,vbmeta_vendor.img,md1img.img,spmfw.img,scp1.img,scp2.img,sspm_1.img,sspm_2.img,lk.img,lk2.img,boot.img,logo.bin,dtbo.img,tee1.img,tee2.img,super.img,vbmeta.img,cache.img --preloader preloader_12.5.img --auth auth_sv5.auth
Hope I did not mess up here, I've assumed, perhaps wrongly, that flashing the preloader while possibly using it at the same time to flash its newer version does not affect the operation of it, i.e. that it is being used from some kind of hierarchically higher level faster operational memory system, or there is some kind of other atomicity providing protection mechanism available making it possible to use a preloader to flash "the preloader" without breaking oneself in the middle of the process.
I suppose that power should not possibly be the issue? I am using a 2m data cable connected to a USB 2.0 port due to 3.0 being only at the back of the tower and much trickier to reach for connecting fast enough. Since the battery has to be disconnected to access BROM and since most likely according to what I've read a bricked phone does not charge up anymore, all the power for the flashing has to be supplied by the USB cable I suppose, but USB 2.0 should provide enough for emmc operations I suppose...
I suppose tweaking the transmit buffer to 12 might be possibly a solution to the problem even in Windows, even though there is nothing in Windows in the logs/error messages hinting at it being so. Just hypothesizing, was not able to test it yet, due to enlightenment coming upon me only just now while assembling this post together....
Or is there possibly anything else I could try to do now that Test Point shorting became already a new second nature/habit?
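
To compare the runs quoted above by how far each session got before the link dropped, here is a small triage script. It is an added example, not part of the original post or of mtkclient; the milestone labels are hypothetical names, and the sample logs are constructed excerpts of the output quoted in the thread.

```python
import re

# Marker strings in the order they appear in the mtkclient output quoted above.
MILESTONES = [
    ("brom_handshake", "BROM mode detected"),
    ("payload_sent", "Successfully sent payload"),
    ("da_stage1_uploaded", "Successfully uploaded stage 1"),
    ("da_sync", "Successfully received DA sync"),
    ("dram_setup", "DRAM setup passed"),
    ("stage2_jump", "Jumping to stage 2"),
    ("da_stage2_running", "Successfully uploaded stage 2"),
    ("da_extensions", "DA Extensions successfully added"),
    ("write_started", "Progress:"),
]
ERROR_MARKERS = ("Error", "Device disconnected", "Failed to write", "unpack requires")
ANSI = re.compile(r"(?:\x1b|←)\[[0-9;]*m")  # colour codes, raw or as pasted text

def triage(log_text):
    """Return (last milestone reached, first error line after it) for one run."""
    text = ANSI.sub("", log_text)
    reached, pos = None, 0
    for name, marker in MILESTONES:
        idx = text.find(marker, pos)  # substring search survives fused log lines
        if idx == -1:
            break
        reached, pos = name, idx + len(marker)
    for line in text[pos:].splitlines():
        if any(m in line for m in ERROR_MARKERS):
            return reached, line.strip()
    return reached, None

# Constructed excerpts of the three runs quoted in the post.
COMMON = """\
Preloader - BROM mode detected.
PLTools - Successfully sent payload: mt6765_payload.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
DAXFlash - Successfully received DA sync
DAXFlash - DRAM setup passed.
DAXFlash - Upload data was accepted. Jumping to stage 2...
"""
WINDOWS_RUN = COMMON + "DeviceClass - USBError(5, 'Input/Output Error')\n"
LINUX_EARLY_RELEASE = COMMON + "DeviceClass - [LIB]: Device disconnected........\n"
LINUX_WRITE = COMMON + """DAXFlash - Successfully uploaded stage 2
DAXFlash - DA Extensions successfully added
Progress: |█---------| 6.2% Write (0x2000/0x20000, 05s left) 11.19 MB/s
DAXFlash - [LIB]: unpack requires a buffer of 12 bytes
"""

if __name__ == "__main__":
    for label in ("WINDOWS_RUN", "LINUX_EARLY_RELEASE", "LINUX_WRITE"):
        print(label, triage(globals()[label]))
```

On these excerpts, the Windows run and the early-release Linux run both stop at the stage 2 jump, while the other Linux run gets as far as the first write.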