Topic: Tools to dump DA (download agent) info and communicate with BL/DA

As becomes clear from other topics here on the Fernvale board, hacking a particular SoC is a dead end: there are too many of them, with new ones displacing older ones all the time. Also, as discussed in other topics, one approach to scale up to other chips is to get hold of the vendor's "DA" (download agent), which provides a common set of operations (e.g. read/write flash) across a number of phones (by actually providing a collection of SoC-specific executable blobs implementing a common wire interface).

Well, a common wire interface is wishful thinking, given the number and variety of MediaTek SoCs. There are 2 big groups of MTK phone SoCs:

1. ARM7/ARM11-nommu (soon Cortex-M?) based, feature-phone-targeted ones (MT62xx/MT25xx series).
2. ARM11mmu/Cortex-A based, smart-phone-targeted ones (MT65xx/MT67xx/MT26xx, also MT81xx/MT83xx tablet/mediabox-targeted).

So, unfortunately, the one thing their BootROM bootloaders have in common is that you enter them with the "\xa0\x0a\x50\x05" sequence. That's where the commonality ends. With Cortex-A devices, the next thing you do is issue the 0xfd command to get the chip ID, but that command doesn't work on ARM7, where you need to read the chip ID directly from registers, as can be seen in Fernly.

With such a prelude, I'm happy to announce the https://github.com/mtek-hack-hack/mtk-open-tools repo, containing so far:

  • da-dump.py - tool to dump info from a combined DA binary. This binary is usually named MTK_AllInOne_DA.bin, even though it's a different file for Linux and non-Linux SoCs, coming from different vendor flash tools (which are, however, named almost the same: SP Flash Tool vs. Flash Tool).

  • mtk-bootloader-tool.py - tool to load DA parts and communicate with them to read flash on a Linux phone. So far, it has things hardcoded for the MT6580.

The idea is to keep elaborating and generalizing these tools, eventually extending them to non-Linux SoCs like the main topic of the Fernvale project.

Enjoy, share your experiences, submit clean patches!
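The BootROM exchange described in the post above, as an added example that is not part of the post or of mtk-open-tools: a small Python BROM client that does the "\xa0\x0a\x50\x05" handshake, tries the 0xfd chip-ID command (the Cortex-A path), and falls back to reading a chip-ID register (the ARM7 path), together with a constructed fake device so it runs offline. Only the handshake bytes and the 0xfd command come from the post. The complement replies to each handshake byte, the echo-then-status framing of 0xfd, the 0xd1 "read 32-bit word" command and the 0x80000008 chip-ID register (where a later post in this thread reports reading 0x6260) are my assumptions about the BROM protocol; check them against a capture before relying on them. The `Brom`, `FakeBrom` and `BromError` names are mine.

```python
"""MediaTek BootROM (BROM) client sketch: the a0 0a 50 05 handshake, the 0xFD
GET_HW_CODE query of Cortex-A parts, and a 0xD1 READ32 fallback for ARM7 parts.
Added example, not mtk-open-tools code.  Only the handshake bytes and 0xFD are
from the post; complement replies, framing and 0x80000008 are assumptions."""
import struct

HANDSHAKE = b"\xa0\x0a\x50\x05"  # from the post
CMD_GET_HW_CODE = 0xFD           # from the post (Cortex-A BROMs)
CMD_READ32 = 0xD1                # assumption: BROM "read 32-bit word"
CHIPID_REG = 0x80000008          # assumption; a later post reads 0x6260 there on MT6260

class BromError(Exception):
    pass

class Brom:
    """Drives a BROM over anything with pyserial-like read(n)/write(b)."""
    def __init__(self, port):
        self.port = port

    def _read_exact(self, n):
        data = self.port.read(n)
        if len(data) != n:  # pyserial returns a short read on timeout
            raise BromError(f"wanted {n} bytes, got {data!r}")
        return data

    def _xfer(self, data):  # the BROM acknowledges bytes by echoing them
        self.port.write(data)
        if self._read_exact(len(data)) != data:
            raise BromError(f"bad echo for {data!r}")

    def handshake(self, tries=64):
        """Each magic byte is answered by its complement; the first byte is
        retried because the port usually comes up mid-sequence."""
        for i, b in enumerate(HANDSHAKE):
            for _ in range(tries if i == 0 else 1):
                self.port.write(bytes([b]))
                if self.port.read(1) == bytes([b ^ 0xFF]):
                    break
            else:
                raise BromError(f"no complement reply to {b:#x}")

    def get_hw_code(self):  # assumed reply: echo, 16-bit HW code, 16-bit status
        self._xfer(bytes([CMD_GET_HW_CODE]))
        hw, status = struct.unpack(">HH", self._read_exact(4))
        if status:
            raise BromError(f"GET_HW_CODE status {status:#x}")
        return hw

    def read32(self, addr):  # assumed: echo cmd, echo (addr, count=1), status, word
        self._xfer(bytes([CMD_READ32]))
        self._xfer(struct.pack(">II", addr, 1))
        if self._read_exact(2) != b"\0\0":
            raise BromError(f"READ32 rejected {addr:#x}")
        return struct.unpack(">I", self._read_exact(4))[0]

    def identify(self, chipid_reg=CHIPID_REG):
        """Cortex-A query first; else the chip-ID register's low 16 bits (assumed)."""
        try:
            return "hw_code", self.get_hw_code()
        except BromError:  # a real BROM may have consumed the byte; resync if needed
            return "chipid_reg", self.read32(chipid_reg) & 0xFFFF

class FakeBrom:
    """Constructed stand-in for a BROM on a serial port (offline use only).
    hw_code=None models an ARM7 part that ignores 0xFD; ignored bytes get
    no reply, which the host sees as a timeout."""
    def __init__(self, hw_code=None, regs=None):
        self.hw_code, self.regs = hw_code, regs or {}
        self.out, self.hs, self.args = bytearray(), 0, None

    def write(self, data):
        for b in data:
            self._byte(b)

    def read(self, n):
        chunk, self.out = bytes(self.out[:n]), self.out[n:]
        return chunk

    def _byte(self, b):
        if self.hs < 4:  # still inside the magic sequence
            if b == HANDSHAKE[self.hs]:
                self.hs += 1
                self.out.append(b ^ 0xFF)
            else:
                self.hs = 0  # wrong byte: start over, say nothing
        elif self.args is not None:  # collecting READ32 (addr, count)
            self.args.append(b)
            self.out.append(b)
            if len(self.args) == 8:
                addr, self.args = struct.unpack(">II", self.args)[0], None
                if addr in self.regs:
                    self.out += b"\0\0" + struct.pack(">I", self.regs[addr])
                else:
                    self.out += b"\0\x01"  # nonzero status, nothing follows
        elif b == CMD_READ32:
            self.out.append(b)
            self.args = bytearray()
        elif b == CMD_GET_HW_CODE and self.hw_code is not None:
            self.out += bytes([b]) + struct.pack(">HH", self.hw_code, 0)
```

Against real hardware you would pass a pyserial port, e.g. `Brom(serial.Serial("/dev/ttyACM0", 115200, timeout=1))`, then call `handshake()` and `identify()`; the port timeout is what turns an ARM7 BROM's silence after 0xfd into a `BromError` instead of a hang. The fallback order is deliberately conservative: if a real BROM does consume the unsupported 0xfd byte, the next command can land mis-aligned, so a tool that knows the family up front should skip straight to the register read rather than probing.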

Re: Tools to dump DA (download agent) info and communicate with BL/DA

Hi Michaela,

This seemed like a good jumping-off point. I will download your mtk-open-tools and see what they can do for me. Right now I am trying to get the osmocom-bb osmocon tool to work with a SIM800H device (a DFRobot shield, to be precise). I have a Wireshark usbmon trace that shows the conversation I expect, but I see a 0xbe or similar coming in before the conversation starts, and then some USB control sequences which I suspect are changing the baud rate or serial line settings, maybe. Didn't know if you would have any suggestions for me. Attached is an annotated pcapng file; starting around packet 2738 or so is the conversation. And look! It has a 6260 inside, as has been noted before. (Packet 2808, in response to read 0x80 00 00 00.)

So hopefully I'll add to your tool and maybe use it to load osmocom-bb/nuttx/nuttx-bb.

I wonder if you can see this file? https://usercontent.irccloud-cdn.com/fi … nvo.pcapng if not, I'll attach another way.

Craig

3 (edited by craig_comstock 2017-12-09 05:09:08)

Re: Tools to dump DA (download agent) info and communicate with BL/DA

Wasn't able to get your code to work, partly due to the timing of sending the beacon and receiving.

I got a basic Python script working that I wrote from scratch, sort of based on your code. I used 115200 baud the whole time and was able to get through init and read 80000008 and get 6260. I'll do some more experimenting and try to send up PR(s) to your repo. I also plan on looking into the MT6735 (ZTE Obsidian phone), which I already did some digging on and got the chip ID address for (which is different). So maybe we could investigate several addresses for things to determine what sort of device we are talking to.

https://github.com/craigcomstock/mtk-op … -serial.py