
[MT6789] Hangs after Done sending payload, cannot dump BROM #1373

Open
axiopaladin opened this issue Jan 28, 2025 · 1 comment
axiopaladin commented Jan 28, 2025

I've got a tablet with the MT6789 (Helio G99, its twin is MT8781) and I'm trying to dump the BROM. When I run mtk dumpbrom and connect the tablet while it's in BROM mode, the tool outputs this far:

Port - Device detected :)
Preloader - 	CPU:			MT6789/MT8781V(MTK Helio G99)
Preloader - 	HW version:		0x0
Preloader - 	WDT:			0x10007000
Preloader - 	Uart:			0x11002000
Preloader - 	Brom payload addr:	0x100a00
Preloader - 	DA payload addr:	0x201000
Preloader - 	Var1:			0xa
Preloader - Disabling Watchdog...
Preloader - HW code:			0x1208
Preloader - Target config:		0xe0
Preloader - 	SBC enabled:		False
Preloader - 	SLA enabled:		False
Preloader - 	DAA enabled:		False
Preloader - 	SWJTAG enabled:		False
Preloader - 	EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:	False
Preloader - 	Root cert required:	False
Preloader - 	Mem read auth:		True
Preloader - 	Mem write auth:		True
Preloader - 	Cmd 0xC8 blocked:	True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - 	HW subcode:		0x8a00
Preloader - 	HW Ver:			0xca00
Preloader - 	SW Ver:			0x0
Preloader - ME_ID:			[REDACTED]
Preloader - SOC_ID:			[REDACTED]
PLTools - Kamakiri / DA Run
PLTools - Loading payload from generic_dump_payload.bin, 0xf4 bytes
Exploitation - Kamakiri Run
Exploitation - Sending payload via insecure da.
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
Exploitation - Done sending payload...

And then it hangs. From watching bkerler's masterclass I know that after this line it is supposed to say something like "Successfully sent payload" and then go on to actually dump the BROM, but for me it just hangs there until it times out:

Exploitation - Error, payload answered instead: 
PLTools
PLTools - [LIB]: Error on sending payload: ./mtkclient/venv/lib/python3.10/site-packages/mtkclient/payloads/generic_dump_payload.bin
Traceback (most recent call last):
  File "./mtkclient/venv/bin/mtk", line 8, in <module>
    sys.exit(main())
  File "./mtkclient/venv/lib/python3.10/site-packages/mtkclient/mtk.py", line 1017, in main
    mtk = Main(args).run(parser)
  File "./mtkclient/venv/lib/python3.10/site-packages/mtkclient/Library/mtk_main.py", line 450, in run
    plt.run_dump_brom(filename, self.args.ptype)
  File "./mtkclient/venv/lib/python3.10/site-packages/mtkclient/Library/pltools.py", line 140, in run_dump_brom
    if self.runpayload(filename=pfilename, ack=0xC1C2C3C4, offset=0):
  File "./mtkclient/venv/lib/python3.10/site-packages/mtkclient/Library/pltools.py", line 104, in runpayload
    self.error(f"Error, payload answered instead: {hexlify(response_ack).decode('utf-8')}")
TypeError: a bytes-like object is required, not 'NoneType'

Is there something else I should try at this point? Maybe specify a different payload or exploit for this chip?

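The traceback above shows a second problem hiding the first: when the payload never answers, `response_ack` is `None`, and the error-reporting line itself crashes on `hexlify(None)`, so the real diagnostic (a timeout) is replaced by a `TypeError`. The following is an added illustration, not mtkclient's own code, of how that ack check can distinguish "no answer" from "wrong answer"; the little-endian byte order for the expected ack is an assumption.

```python
from binascii import hexlify
from struct import pack

# The ack value run_dump_brom passes into runpayload in the traceback above.
EXPECTED_ACK = 0xC1C2C3C4


def describe_payload_ack(response_ack, expected=EXPECTED_ACK, byteorder="<"):
    """Classify what came back after 'Done sending payload'.

    Returns a (status, message) tuple:
      ("ok", ...)        the expected ack arrived
      ("timeout", ...)   nothing arrived at all (response_ack is None)
      ("mismatch", ...)  something else arrived; its bytes are rendered as hex
    The byte order of the expected ack is an assumption for this example;
    the project's own comparison may differ.
    """
    if response_ack is None:
        # The case the traceback hits: report the timeout instead of crashing.
        return "timeout", "Error, no answer from payload (timeout or USB stall)"
    expected_bytes = pack(byteorder + "I", expected)
    if response_ack == expected_bytes:
        return "ok", "Successfully sent payload"
    rendered = hexlify(response_ack).decode("ascii")
    return "mismatch", f"Error, payload answered instead: {rendered}"


if __name__ == "__main__":
    # Constructed sample responses: none, the expected ack, and garbage.
    for sample in (None, b"\xc4\xc3\xc2\xc1", b"\x00\x00\x00\x00"):
        print(describe_payload_ack(sample))
```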
@axiopaladin (Author)

I ran it again with the --debugmode switch, here are the logs from that: https://paste.rs/DFbIR.txt

Any ideas on what's going on with the iInterface entries, on lines 29, 46, 82, 99? I'm always suspicious that there might be some kind of data corruption when I see non-latin characters show up in these things, like in comm_if̦data_if̄Љ檬 or data_if̄Љ檬呪풅ཊꤛ漢䕄礤

Maybe it's an issue with my USB drivers? I don't know why they would be; I'm running Pop!_OS, downstream of Ubuntu 22.04 LTS (kernel 6.9.3), so I don't think there is anything particularly unusual about my setup, but maybe that would explain why it's getting strange(?) interface names and timing out like this?
