Something to add is that this device uses dummy auth to bypass DA SLA, but it is never confirmed whether DA SLA is disabled or not, just that the signature was accepted.
Something interesting is that in the DA_keys file there's a mention of the Moto G13 (which is the same as the G23, so they use the same firmware files), but that key isn't used 🤔
We managed to solve the problem with DA_PL_NO_CERT. It turned out that we need to manually specify partition addresses when we write to them with this DA.
But we still can't flash protected partitions, even though the Flash Tool utility can do it. Why???
Hello, everyone!
We’ve been working extensively to find a way to unlock the bootloader on the Moto G23/G13 devices (penangf).
In this issue, I'll summarize our progress, findings, and issues.
For each point, I’ve included links to relevant documentation we’ve compiled during our analysis.
We are reaching out to @bkerler and everyone else in the community for help!
Crash Preloader
It seems that this device has a patched preloader, making it impossible to enter BROM mode through the crash preloader vulnerability. Instead, the device just hangs in the preloader.
DAA/SBC
The device has DAA (Download Agent Authentication) and SBC (Secure Boot Check) enabled, requiring a proper DA file to interact with it using mtkclient.
BROM Mode
We’ve repeatedly tried to locate a test point for enabling BROM mode.
While the preloader’s decompiled code hints at the presence of an "Emergency mode," we haven’t found any test point to activate BROM yet.
All Testpoints info
There's also doubt that a testpoint even exists, because I haven't found any phone on the Helio G85 SoC that has a testpoint to enter BROM.
We only have the KPCOL0 testpoint, which on some Motorola models helped to enter BROM, but on our model it just boots into fastboot!
DA files
Here's the best part: we have two DA files.
DA_PL_NO_CERT
Found in the flash tool archive, which RSA (the official Motorola program for device recovery) downloads.
Flash Tool
Works great with any Flash Tool and allows flashing protected partitions (such as lk), but apart from downloading firmware in Download mode this DA can't do anything in Flash Tool.
Even on Readback we get UNSUPPORTED_OP.
Mtkclient
mtkclient debug logs
It tries to download, but gives the error DAA_SIG_VERIFY_FAILED.
It seems to be an mtkclient problem, since we can interact with this DA through Flash Tool.
MT6768_USER
Found in every archive with firmware and has been updated several times.
Flash Tool
Does not work, we get error STATUS_SEC_DL_FORBIDDEN.
Mtkclient
mtkclient debug logs
Works, but we are severely limited.
We have some warnings present:
DAXFlash DAXFlash - [LIB]: Error on sending data: DA hash mismatch (0xc0070004)
DAXFlash DAXFlash - [LIB]: Error on boot to send_data, addr: 0x68000000
DAXFlash DAXFlash - [LIB]: DA Extensions failed to enable
We can do backups, but we can't write all partitions.
Information about which partitions we can write or read
We don't have access to write the seccfg partition, so it's not surprising that it doesn't work.
DA_PL_NO_CERT and mtkclient
Is it possible to somehow make DA_PL_NO_CERT work in mtkclient? Maybe we can use this DA to make a modified seccfg entry and unlock the bootloader?
Any help and suggestions would be greatly appreciated! Write about everything in this issue or in discussions here.