
MT8163 Asus Z301M Unknown V3 seccfg structure #1420

Open

arefdsg opened this issue Mar 19, 2025 · 7 comments

Comments

@arefdsg

arefdsg commented Mar 19, 2025

MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


...........

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


.....Port - Device detected :)
Preloader - 	CPU:			MT8163()
Preloader - 	HW version:		0x0
Preloader - 	WDT:			0x10007000
Preloader - 	Uart:			0x11002000
Preloader - 	Brom payload addr:	0x100a00
Preloader - 	DA payload addr:	0x201000
Preloader - 	CQ_DMA addr:		0x10212c00
Preloader - 	Var1:			0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:			0x8163
Preloader - Target config:		0x1
Preloader - 	SBC enabled:		True
Preloader - 	SLA enabled:		False
Preloader - 	DAA enabled:		False
Preloader - 	SWJTAG enabled:		False
Preloader - 	EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:	False
Preloader - 	Root cert required:	False
Preloader - 	Mem read auth:		False
Preloader - 	Mem write auth:		False
Preloader - 	Cmd 0xC8 blocked:	False
Preloader - Get Target info
Preloader - 	HW subcode:		0x8a00
Preloader - 	HW Ver:			0xcb00
Preloader - 	SW Ver:			0x1
Mtk - We're not in bootrom, trying to crash da...
Exploitation - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DA_IMAGE_SIG_VERIFY_FAIL (0x2001)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


Port - Device detected :)
Preloader - 	CPU:			MT8163()
Preloader - 	HW version:		0x0
Preloader - 	WDT:			0x10007000
Preloader - 	Uart:			0x11002000
Preloader - 	Brom payload addr:	0x100a00
Preloader - 	DA payload addr:	0x201000
Preloader - 	CQ_DMA addr:		0x10212c00
Preloader - 	Var1:			0xb1
Preloader - Disabling Watchdog...
Preloader - HW code:			0x8163
Preloader - Target config:		0x1
Preloader - 	SBC enabled:		True
Preloader - 	SLA enabled:		False
Preloader - 	DAA enabled:		False
Preloader - 	SWJTAG enabled:		False
Preloader - 	EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:	False
Preloader - 	Root cert required:	False
Preloader - 	Mem read auth:		False
Preloader - 	Mem write auth:		False
Preloader - 	Cmd 0xC8 blocked:	False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - 	HW subcode:		0x8a00
Preloader - 	HW Ver:			0xcb00
Preloader - 	SW Ver:			0x1
Preloader - ME_ID:			7CC287ABC0FC74D4EE1AA1268A51B87C
PLTools - Loading payload from mt8163_payload.bin, 0x258 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/h/mtkclient/mtkclient/payloads/mt8163_payload.bin
Port - Device detected :)
DaHandler - Device was protected. Successfully bypassed security.
DaHandler - Device is in BROM mode. Trying to dump preloader.
DALegacy - Uploading legacy da...
DALegacy - Uploading legacy stage 1 from MTK_DA_V5.bin
LegacyExt - Legacy DA2 is patched.
LegacyExt - Legacy DA2 CMD F0 is patched.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DALegacy - Got loader sync !
DALegacy - Reading nand info
DALegacy - Reading emmc info
DALegacy - ACK: 0402a1
DALegacy - Setting stage 2 config ...
DALegacy - DRAM config needed for : 150100414a4e4234520782084c8e4463
DALegacy - Reading dram nand info ...
DALegacy - Sending dram info ... EMI-Version 0x10
DALegacy - RAM-Length: 0xbc
DALegacy - Checksum: 1563
DALegacy - M_EXT_RAM_RET : 0
DALegacy - M_EXT_RAM_TYPE : 0x2
DALegacy - M_EXT_RAM_CHIP_SELECT : 0x0
DALegacy - M_EXT_RAM_SIZE : 0x80000000
DALegacy - Uploading stage 2...
DALegacy - Successfully uploaded stage 2
DALegacy - Connected to stage2
DALegacy - m_int_sram_ret = 0x0
m_int_sram_size = 0x40000
m_ext_ram_ret = 0x0
m_ext_ram_type = 0x2
m_ext_ram_chip_select = 0x0
m_int_sram_ret = 0x0
m_ext_ram_size = 0x80000000
randomid = 0x6072B41BCAE5B40541506742ECF6E155

m_emmc_ret = 0x0
m_emmc_boot1_size = 0x400000
m_emmc_boot2_size = 0x400000
m_emmc_rpmb_size = 0x400000
m_emmc_gp_size[0] = 0x0
m_emmc_gp_size[1] = 0x0
m_emmc_gp_size[2] = 0x0
m_emmc_gp_size[3] = 0x0
m_emmc_ua_size = 0x3a3e00000
m_emmc_cid = 4a4e4234150100414c8e446352078208
m_emmc_fwver = 0700000000000000

LegacyExt - Detected V3 Lockstate
SecCfgV3
SecCfgV3 - [LIB]: Unknown V3 seccfg structure !
DaHandler
DaHandler - [LIB]: Device has is either already unlocked or algo is unknown. Aborting.

seccfg.bin
preloader_asus8163_ew_380_z301.bin
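The abort at the end of the log ("Unknown V3 seccfg structure !" followed by "either already unlocked or algo is unknown") is a structural check on the seccfg partition header, not a signature failure. The following is an added example, not code from mtkclient or from anyone in this thread: it parses a seccfg V3 header the way I understand mtkclient's SecCfgV3 check to work and reproduces the three outcomes (unknown structure, already unlocked, locked). The field layout (seven little-endian u32 fields, then a 32-byte hash at 0x20), the magic/end-flag constants, the LKS_* lock-state enum and the SHA-256-then-SEJ hash scheme are assumptions from memory of the MTK LK and mtkclient sources; nothing in the issue confirms them, and the sample headers are constructed, not taken from the attached seccfg.bin.

```python
# Added example (not code from mtkclient or from the thread): parse a seccfg V3
# header the way I understand mtkclient's SecCfgV3 check to work, and report
# why a flash tool would abort on it. Field layout, magic/end-flag constants
# and the LKS_* lock-state enum are assumptions taken from memory of the MTK
# LK / mtkclient sources, not confirmed by anything in this issue.
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

SECCFG_V3_MAGIC = 0x4D4D4D4D     # "MMMM" (assumed)
SECCFG_V3_ENDFLAG = 0x45454545   # "EEEE" (assumed)
HEADER_FMT = "<7I"               # seven little-endian u32 fields (assumed)
HASH_OFFSET = 0x20
HASH_SIZE = 0x20

# Lock-state values as used by MTK LK's sec_cfg (assumed)
LKS_NAMES = {
    1: "LKS_DEFAULT",
    2: "LKS_MP_DEFAULT",
    3: "LKS_UNLOCK",
    4: "LKS_LOCK",
    5: "LKS_VERIFIED",
    6: "LKS_CUSTOM",
}
LKS_UNLOCK = 3


@dataclass
class SecCfgV3:
    magic: int
    seccfg_ver: int
    seccfg_size: int
    lock_state: int
    critical_lock_state: int
    sboot_runtime: int
    endflag: int
    hash: bytes  # 32-byte digest; SEJ-wrapped on real devices (assumed)

    @property
    def lock_state_name(self) -> str:
        return LKS_NAMES.get(self.lock_state, f"unknown(0x{self.lock_state:x})")


def parse_seccfg_v3(data: bytes) -> Optional[SecCfgV3]:
    """Return the parsed header, or None if the bytes do not look like a V3
    seccfg (the case the log reports as 'Unknown V3 seccfg structure !')."""
    if len(data) < HASH_OFFSET + HASH_SIZE:
        return None
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    cfg = SecCfgV3(*fields, hash=data[HASH_OFFSET:HASH_OFFSET + HASH_SIZE])
    if cfg.magic != SECCFG_V3_MAGIC or cfg.endflag != SECCFG_V3_ENDFLAG:
        return None
    return cfg


def plain_header_digest(cfg: SecCfgV3) -> bytes:
    """SHA-256 over the 28-byte header. On a real device the stored hash is this
    digest encrypted by the SoC's SEJ engine under a device-bound key (assumed),
    so it cannot be verified offline; a rewrite has to recompute it on-device."""
    hdr = struct.pack(HEADER_FMT, cfg.magic, cfg.seccfg_ver, cfg.seccfg_size,
                      cfg.lock_state, cfg.critical_lock_state, cfg.sboot_runtime,
                      cfg.endflag)
    return hashlib.sha256(hdr).digest()


def classify_seccfg(data: bytes) -> str:
    """Mirror the abort decision in the log: 'unknown' (structure not recognised),
    'unlocked' (nothing to do) or 'locked' (would be rewritten)."""
    cfg = parse_seccfg_v3(data)
    if cfg is None:
        return "unknown"
    if cfg.lock_state == LKS_UNLOCK:
        return "unlocked"
    return "locked"


def build_seccfg_v3(lock_state: int, critical_lock_state: int,
                    sboot_runtime: int = 0, digest: bytes = bytes(HASH_SIZE)) -> bytes:
    """Construct a 0x40-byte V3 header for testing (constructed data, not a dump)."""
    hdr = struct.pack(HEADER_FMT, SECCFG_V3_MAGIC, 3, HASH_OFFSET + HASH_SIZE,
                      lock_state, critical_lock_state, sboot_runtime, SECCFG_V3_ENDFLAG)
    return hdr.ljust(HASH_OFFSET, b"\x00") + digest


# Constructed samples: a locked header, an unlocked one, and a blob that is not V3.
SAMPLE_LOCKED = build_seccfg_v3(4, 1)
SAMPLE_UNLOCKED = build_seccfg_v3(LKS_UNLOCK, 0)
SAMPLE_UNKNOWN = b"\xff" * 0x40

if __name__ == "__main__":
    for name, blob in (("locked", SAMPLE_LOCKED), ("unlocked", SAMPLE_UNLOCKED),
                       ("garbage", SAMPLE_UNKNOWN)):
        cfg = parse_seccfg_v3(blob)
        state = cfg.lock_state_name if cfg else "Unknown V3 seccfg structure !"
        print(f"{name:8s} -> {classify_seccfg(blob):8s} ({state})")
```

Running `parse_seccfg_v3` over the attached seccfg.bin would show whether this device's partition simply carries a different magic or end flag (a vendor variant the tool does not know) or a layout that is not V3 at all, which is the distinction the "algo is unknown" message collapses. Whatever the result, a rewritten header is only accepted if its SEJ-wrapped hash is regenerated on the device, so an offline edit of the lock-state field alone is not sufficient.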

@SwiftScriptr

Hi, just a query: did your device go into 'orange state' after this procedure? I noted it is SBC enabled (secure boot, if I'm not mistaken), so a bootloop could happen if anything changed before it terminated.

@arefdsg (Author)

arefdsg commented Mar 22, 2025

> Hi, just a query: did your device go into 'orange state' after this procedure? I noted it is SBC enabled (secure boot, if I'm not mistaken), so a bootloop could happen if anything changed before it terminated.

I've only seen "yellow state" from booting TWRP and "red state" from messing with boot; I haven't seen "orange state".
Running the command didn't change it from the state it was in at the time.

@SwiftScriptr

> I've only seen "yellow state" from booting TWRP and "red state" from messing with boot; I haven't seen "orange state". Running the command didn't change it from the state it was in at the time.

Hey, I did some digging and it appears your device apparently started on Android 6; point being, I want to know how you went about AVB if that is the case.

Was the version, as I suspect, 1.1? If so, how was it implemented for TWRP to say 'yellow state', and if possible please tell me whether you implemented higher versions with a system image vbmeta and the whole partition along with it.

I ask as that would be an example of 'upgrading' compatible devices to the later versions of the protocol. It confused me seeing dm-verity all over the guides for custom ROMs when many devices (that I own) don't have the partition.

@SwiftScriptr

Also, I read/concluded that the keys/signatures AVB v1.1 manages were found in the LK (linux kernel) partition, like how the device state messages are certainly found/loaded from there. Where was this for your device, if you looked there to inspect the hashes as well?

Sources of info:

https://wiki.postmarketos.org/wiki/Android_Verified_Boot_(AVB)

https://sakophone.wordpress.com/2021/09/24/how-to-remove-orange-red-state-warnings-on-bootlogo-screens-of-mediatek-devices/

@arefdsg (Author)

arefdsg commented Mar 25, 2025

> I've only seen "yellow state" from booting TWRP and "red state" from messing with boot; I haven't seen "orange state". Running the command didn't change it from the state it was in at the time.
>
> Hey, I did some digging and it appears your device apparently started on Android 6; point being, I want to know how you went about AVB if that is the case.
>
> Was the version, as I suspect, 1.1? If so, how was it implemented for TWRP to say 'yellow state', and if possible please tell me whether you implemented higher versions with a system image vbmeta and the whole partition along with it.
>
> I ask as that would be an example of 'upgrading' compatible devices to the later versions of the protocol. It confused me seeing dm-verity all over the guides for custom ROMs when many devices (that I own) don't have the partition.

It has Android 7, not 6, and the TWRP build was made by a guy on XDA years ago, not me: https://xdaforums.com/t/twrp-recovery-asus-zenpad-10-z300m-z301m-z301mf-locked-bootloader-ok.3763025/
They did share the code for it though; that's likely to give you the info you're looking for.

@arefdsg (Author)

arefdsg commented Mar 25, 2025

> Also, I read/concluded that the keys/signatures AVB v1.1 manages were found in the LK (linux kernel) partition, like how the device state messages are certainly found/loaded from there. Where was this for your device, if you looked there to inspect the hashes as well?
>
> Sources of info:
>
> https://wiki.postmarketos.org/wiki/Android_Verified_Boot_(AVB)
>
> https://sakophone.wordpress.com/2021/09/24/how-to-remove-orange-red-state-warnings-on-bootlogo-screens-of-mediatek-devices/

lk.bin
The "red state" on it is slightly different from the one in the second link: it has the 5 second wait but doesn't reboot afterwards.

@SwiftScriptr

SwiftScriptr commented Mar 26, 2025

Ok, thanks for the source; at least I can hunt around for possible solutions (if the thread has any active users, I will ask where they found any AVB references for your device to work in yellow state effortlessly). I find it interesting/annoying how companies in tech make it seem impossible to use these tools on purpose.

Most of the usage is basic once you understand the jargon, yet the process is tedious enough for non-driven people to quit.

https://android.googlesource.com/platform/external/avb/
