Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff

Overview

mtkclient

Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff. For linux, a patched kernel is needed (see Setup folder) (except for read/write flash). For windows, you need to install zadig driver and replace pid 0003 / pid 2000 driver.

Once the mtk.py script is running, boot into brom mode by powering off device, press and hold either vol up + power or vol down + power and connect the phone. Once detected by the tool, release the buttons.

Installation

Use Re LiveDVD (everything ready to go):

Download Re Live DVD User: livedvd, Password:livedvd

Use FireISO as LiveDVD:

Download FireIso Live DVD

Install python >=3.8

sudo apt install python3
pip3 install -r requirements.txt

Install gcc armeabi compiler

sudo apt-get install gcc-arm-none-eabi

Compile patched kernel (if you don't use FireISO)

  • For linux (kamakiri attack), you need to recompile your linux kernel using this kernel patch :
sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev libdw-dev
git clone https://git.kernel.org/pub/scm/devel/pahole/pahole.git
cd pahole && mkdir build && cd build && cmake .. && make && sudo make install
sudo mv /usr/local/libdwarves* /usr/local/lib/ && sudo ldconfig
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-`uname -r`.tar.xz
tar xvf linux-`uname -r`.tar.xz
cd linux-`uname -r`
patch -p1 < ../Setup/kernelpatches/disable-usb-checks-5.10.patch
cp -v /boot/config-$(uname -r) .config
make menuconfig
make
sudo make modules_install 
sudo make install
  • These aren't needed for current ubuntu (as make install will do, just for reference):
sudo update-initramfs -c -k `uname -r`
sudo update-grub

See Setup/kernels for ready-to-use kernel setups

  • Reboot
sudo reboot

Usage

Bypass SLA, DAA and SBC (using generic_patcher_payload)

./mtk.py payload If you want to use SP Flash tool afterwards, make sure you select "UART" in the settings, not "USB".

Dump brom

  • Device has to be in bootrom mode, or da mode has to be crashed to enter damode
  • if no option is given, either kamakiri or da will be used (da for insecure targets)
  • if "kamakiri" is used as an option, kamakiri is enforced
  • Valid options are : "kamakiri" (via usb_ctrl_handler attack), "amonet" (via gcpu) and "hashimoto" (via cqdma)
./mtk.py dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]

Run custom payload

./mtk.py payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]

Run stage2 in bootrom

./mtk.py stage

Run stage2 in preloader

./mtk.py plstage

Read rpmb in stage2 mode

./stage2.py --rpmb

Read preloader in stage2 mode

./stage2.py --preloader

Read memory as hex data in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16

Read memory to file in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16 --filename brom.bin

Write hex data to memory in stage2 mode

./stage2.py --memwrite --start 0x0 --data 12345678AABBCCDD

Write memory from file in stage2 mode

./stage2.py --memwrite --start 0x0 --filename brom.bin

Crash da in order to enter brom

./mtk.py crash [--vid=vid] [--pid=pid] [--interface=interface]

Read flash

Dump boot partition to filename boot.bin via preloader

./mtk.py r boot boot.bin

Dump boot partition to filename boot.bin via bootrom

./mtk.py r boot boot.bin --preloader=Loader/Preloader/your_device_preloader.bin

Read full flash to filename flash.bin (use --preloader for brom)

./mtk.py rf flash.bin

Dump all partitions to directory "out". (use --preloader for brom)

./mtk.py rl out

Show gpt (use --preloader for brom)

./mtk.py printgpt

Write flash

(use --preloader for brom)

Write filename boot.bin to boot partition

./mtk.py w boot boot.bin

Write filename flash.bin as full flash (currently only works in da mode)

./mtk.py wf flash.bin

Write all files in directory "out" to the flash partitions

./mtk.py wl out

Erase flash

Erase boot partition (use --preloader for brom)

./mtk.py e boot

I need logs !

  • Run the mtk.py tool with --debugmode. Log will be written to log.txt (hopefully)

Rules / Infos

Chip details / configs

  • Go to config/brom_config.py
  • Unknown usb vid/pids for autodetection go to config/usb_ids.py
Comments
  • Xflash doesn't work on legacy devices

    Xflash doesn't work on legacy devices

    Hi, for a few weeks I've always been interested in trying to unlock the bootloader with this tool, after several fixes this tool should work but now I get this error that I don't know how to fix:

    immagine

    Thanks in advance

    enhancement 
    opened by XRedCubeX 29
  • Error on getting status on connection get_emmc_info/send_emi

    Error on getting status on connection get_emmc_info/send_emi

    Microsoft Windows [versão 10.0.19042.1052] (c) Microsoft Corporation. Todos os direitos reservados.

    C:\Users\Mcdiniz>cd..

    C:\Users>cd..

    C:>cd mtkclient-main

    C:\mtkclient-main>py mtk printgpt Capstone library is missing (optional). Keystone library is missing (optional). MTK Flash/Exploit Client V1.41 (c) B.Kerler 2018-2021 Preloader - Status: Waiting for PreLoader VCOM, please connect mobile Preloader Preloader - [LIB]: ←[31mStatus: Handshake failed, please retry←[0m

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...Preloader Preloader - [LIB]: ←[31mStatus: Handshake failed, please retry←[0m Preloader Preloader - [LIB]: ←[31mStatus: Handshake failed, please retry←[0m

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ........... Port - Device detected :) Preloader - CPU: MT6739/MT6731() Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0xb4 Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xcb00 Preloader - SW Ver: 0x2 Preloader - Disabling Watchdog... Preloader - HW code: 0x699 Preloader - Target config: 0xe5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - ME_ID: 18B4C2D22A72052A1E0CFE67A32C8CB3 Preloader - SOC_ID: 2B86505243A63FB955E98AD4193B2BC84D86A0590B5C7D50DDDB8AA9C3F7B534 PLTools - Loading payload from C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin, 0x264 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin Port - Device detected :) Main - Device is protected. Main - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading stage 1... DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 DAXFlash - Successfully received DA sync Traceback (most recent call last): File "C:\mtkclient-main\mtk", line 1034, in mtk = Main().run() File "C:\mtkclient-main\mtk", line 667, in run if not mtk.daloader.upload_da(preloader=preloader): File "C:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 87, in upload_da return self.da.upload_da() File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 961, in upload_da emmc_info=self.get_emmc_info(False) File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 563, in get_emmc_info status=self.status() File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 226, in status magic, datatype, length = unpack("<III", hdr) struct.error: unpack requires a buffer of 12 bytes

    C:\mtkclient-main>

    bug 
    opened by ligteltelecom 25
  • unpack requires a buffer of 12 bytes

    unpack requires a buffer of 12 bytes

    C:\mtk\Python39\Doc>C:\mtk\Python39\python mtk printgpt MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    Port - Device detected :) Preloader - CPU: MT6765(Helio P35/G35) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0x25 Preloader - Disabling Watchdog... Preloader - HW code: 0x766 Preloader - Target config: 0xe7 Preloader - SBC enabled: True Preloader - SLA enabled: True Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xca00 Preloader - SW Ver: 0x0 Preloader - ME_ID: A370334038856A78CE1122089D50D053 Preloader - SOC_ID: 62334295B1C499DB5046FC5BFF5187C83D494C685493537B1C08B0DFE3D44DAC PLTools - Loading payload from C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin, 0x264 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin Port - Device detected :) Main - Device is protected. Main - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading stage 1... DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - DRAM config needed for : 150100424a544434 DAXFlash - Sending emi data ... DAXFlash DAXFlash - [LIB]: ←[31mError on sending emi: unpack requires a buffer of 12 bytes←[0m Main Main - [LIB]: ←[31mError uploading da←[0m

    opened by deyvs02 24
  • Moto E6s 2020: cannot connect to device due to

    Moto E6s 2020: cannot connect to device due to "Operation not supported or unimplemented on this platform"

    Status: Waiting for PreLoader VCOM, please connect mobile
    Couldn't detect the device. Is it connected ?
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Couldn't detect the device. Is it connected ?
    Couldn't detect the device. Is it connected ?
      CONFIGURATION 1: 500 mA ==================================
       bLength              :    0x9 (9 bytes)
       bDescriptorType      :    0x2 Configuration
       wTotalLength         :   0x46 (70 bytes)
       bNumInterfaces       :    0x2
       bConfigurationValue  :    0x1
       iConfiguration       :    0x3 USB CDC ACM for preloader
       bmAttributes         :   0xc0 Self Powered
       bMaxPower            :   0xfa (500 mA)
        INTERFACE 1: CDC Data ==================================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x1
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x2
         bInterfaceClass    :    0xa CDC Data
         bInterfaceSubClass :    0x0
         bInterfaceProtocol :    0x0
         iInterface         :    0x4 CDC ACM Data Interface
          ENDPOINT 0x1: Bulk OUT ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :    0x1 OUT
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
          ENDPOINT 0x81: Bulk IN ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x81 IN
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
        INTERFACE 0: CDC Communication =========================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x0
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x1
         bInterfaceClass    :    0x2 CDC Communication
         bInterfaceSubClass :    0x2
         bInterfaceProtocol :    0x1
         iInterface         :    0x5 CDC ACM Communication Interface
          ENDPOINT 0x83: Interrupt IN ==========================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x83 IN
           bmAttributes     :    0x3 Interrupt
           wMaxPacketSize   :   0x40 (64 bytes)
           bInterval        :   0x10
    No kernel driver supported: Operation not supported or unimplemented on this platform
    No kernel driver supported: Operation not supported or unimplemented on this platform
    [Errno 10060] Operation timed out
    [Errno 10060] Operation timed out
    Status: Handshake failed, retrying...
    Operation not supported or unimplemented on this platform
    Couldn't detect the device. Is it connected ?
    
    Hint:
    
    Power off the 
    

    Specs: https://www.gsmarena.com/motorola_moto_e6s_(2020)-10135.php

    PLATFORM | OS | Android 9.0 (Pie)
    -- | -- | --
    Chipset | Mediatek MT6762 Helio P22 (12 nm)
    CPU | Octa-core 2.0 GHz Cortex-A53
    GPU | PowerVR GE8320
    
    bug 
    opened by mslhii 23
  • sej - HACC init stuck

    sej - HACC init stuck

    E:\mtkclient-main>python mtk xflash seccfg unlock MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ........... Port - Device detected :) Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18) Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212c00 Preloader - Var1: 0xa Preloader - Disabling Watchdog... Preloader - HW code: 0x326 Preloader - Target config: 0x1 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: False Preloader - SWJTAG enabled: False Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: False Preloader - Mem write auth: False Preloader - Cmd 0xC8 blocked: False Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xcb00 Preloader - SW Ver: 0x1 Preloader - ME_ID: 5636FD6EB5F5D5C8723BEC0713B26A3B Main - Device is unprotected. PLTools - Loading payload from E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin, 0x258 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin Port - Device detected :) Main Main - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram. DAXFlash - Uploading stage 1... DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - Sending emi data ... DAXFlash - Sending emi data succeeded. DAXFlash - Uploading stage 2... DAXFlash - Successfully uploaded stage 2 DAXFlash - EMMC FWVer: 0x0 DAXFlash - EMMC ID: RC14MB DAXFlash - EMMC CID: 150100524331344d42071a92d0ae9353 DAXFlash - EMMC Boot1 Size: 0x400000 DAXFlash - EMMC Boot2 Size: 0x400000 DAXFlash - EMMC GP1 Size: 0x0 DAXFlash - EMMC GP2 Size: 0x0 DAXFlash - EMMC GP3 Size: 0x0 DAXFlash - EMMC GP4 Size: 0x0 DAXFlash - EMMC RPMB Size: 0x400000 DAXFlash - EMMC USER Size: 0xe8f800000 DAXFlash - Reconnecting to preloader DAXFlash - Connected to preloader DAXFlash - DA-CODE : 0x50B76 DAXFlash DAXFlash - [LIB]: Error on sending data: DA hash mismatch (0xc0070004) DAXFlash DAXFlash - [LIB]: DA Extensions failed to enable sej - HACC init

    Traceback (most recent call last): File "E:\mtkclient-main\mtk", line 1704, in mtk = Main(args).run() File "E:\mtkclient-main\mtk", line 1097, in run mtk.daloader.seccfg(args.flag) File "E:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 173, in seccfg return self.xft.seccfg(lockflag) File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 444, in seccfg sc_new.create(prelock, hwtype) File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 74, in create enc_hash = self.hwc.sej.sej_sec_cfg_hw(dec_hash, True) File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 489, in sej_sec_cfg_hw self.SEJ_Init(encrypt=encrypt) File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 281, in SEJ_Init if self.reg.HACC_ACON2 > 0x80000000: File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 83, in getattribute return self.read32(addr) File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 278, in readmem val = self.custom_read(addr + pos * 4, 4) File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 247, in custom_read if self.cmd(XCmd.CUSTOM_READ): File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 237, in cmd if self.xsend(self.xflash.Cmd.DEVICE_CTRL): File "E:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 185, in xsend return self.usbwrite(data) File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 460, in usbwrite res = self.write(data, pktsize) File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 391, in write ctr = self.EP_OUT.write(command[pos:pos + pktsize]) File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 408, in write return self.device.write(self, data, timeout) File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 979, in write return fn( File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 837, in bulk_write return self.__write(self.lib.libusb_bulk_transfer, File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 930, in __write retval = fn(dev_handle.handle, KeyboardInterrupt ^C E:\mtkclient-main>

    opened by lczact 20
  • My Device cannot Connect

    My Device cannot Connect

    Already put USB no button usb with power up (Handshake failure) usb with power down and up (Handshake failure) what the problem?

    `C:\MTK>python mtk e backup --preloader=preloader_k65v1_64_bsp.bin MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.`

    opened by Linssang 18
  • Crash at kamakiri2 Stage

    Crash at kamakiri2 Stage

    opened by azwhikaru 17
  • MT6739 ERROR DA-CODE      : 0x999F0

    MT6739 ERROR DA-CODE : 0x999F0

    Port - Device detected :) Preloader - CPU: MT6739/MT6731() Preloader - HW version: 0x0 Preloader - WDT: 0x10007000 Preloader - Uart: 0x11002000 Preloader - Brom payload addr: 0x100a00 Preloader - DA payload addr: 0x201000 Preloader - CQ_DMA addr: 0x10212000 Preloader - Var1: 0xb4 Preloader - Disabling Watchdog... Preloader - HW code: 0x699 Preloader - Target config: 0xe5 Preloader - SBC enabled: True Preloader - SLA enabled: False Preloader - DAA enabled: True Preloader - SWJTAG enabled: True Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False Preloader - Root cert required: False Preloader - Mem read auth: True Preloader - Mem write auth: True Preloader - Cmd 0xC8 blocked: True Preloader - HW subcode: 0x8a00 Preloader - HW Ver: 0xcb00 Preloader - SW Ver: 0x2 Preloader - ME_ID: 09DA2F8B575108A8A1C3D49F6143330A Preloader - SOC_ID: DB3F67997429C9F8DFF6778CEBE3485BFA87F3937F2BA4C5D148F5D48B52679D PLTools - Loading payload from mt6739_payload.bin, 0x264 bytes PLTools - Kamakiri / DA Run Kamakiri - Trying kamakiri2.. Kamakiri - Done sending payload... PLTools - Successfully sent payload: C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\payloads\mt6739_payload.bin Port - Device detected :) Main - Device is protected. Main - Device is in BROM mode. Trying to dump preloader. DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.1824.bin DAXFlash - Successfully uploaded stage 1, jumping .. Preloader - Jumping to 0x200000 Preloader - Jumping to 0x200000: ok. DAXFlash - Successfully received DA sync DAXFlash - Sending emi data ... DAXFlash - Sending emi data succeeded. DAXFlash - Uploading stage 2... DAXFlash - Successfully uploaded stage 2 DAXFlash - EMMC FWVer: 0x0 DAXFlash - EMMC ID: FJ25AB DAXFlash - EMMC CID: 150100464a323541420229d590ffc269 DAXFlash - EMMC Boot1 Size: 0x400000 DAXFlash - EMMC Boot2 Size: 0x400000 DAXFlash - EMMC GP1 Size: 0x0 DAXFlash - EMMC GP2 Size: 0x0 DAXFlash - EMMC GP3 Size: 0x0 DAXFlash - EMMC GP4 Size: 0x0 DAXFlash - EMMC RPMB Size: 0x80000 DAXFlash - EMMC USER Size: 0xe9000000 DAXFlash - DA-CODE : 0x999F0 Traceback (most recent call last): File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 1709, in mtk = Main(args).run() File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 662, in run if not mtk.daloader.upload_da(preloader=preloader): File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 141, in upload_da return self.da.upload_da() File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 1093, in upload_da if self.boot_to(at_address=0x68000000, da=daextdata): File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 341, in boot_to status = self.status() File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 211, in status magic, datatype, length = unpack("<III", hdr) struct.error: unpack requires a buffer of 12 bytes

    opened by StelinFex 16
  • Console multiple commands

    Console multiple commands

    Hi,

    I know this question has been asked many times but the since you made mtk_gui script to perform several commands on same connetion then mtk script can did that, Please can edit that or help to do that ?

    It is very important

    Thanks in advance

    @bkerler

    opened by breakersvd 14
  •  [LIB]: Status: Handshake failed, retrying

    [LIB]: Status: Handshake failed, retrying

    python mtk payload --metamode FASTBOOT

    DeviceClass - [LIB]: Couldn't get device configuration. .Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying... Preloader Preloader - [LIB]: Status: Handshake failed, retrying...

    opened by cata332 13
  • Cannot read ROM with MT6592

    Cannot read ROM with MT6592

    Impossible to do something else that extracting preloader. Here is the log file and preloader extracted. For info, SP Flash Tool get stuck also.. ErrorLog.txt preloader_sf6592_wet_l.zip Any help to understand what is missing ? Thanks

    opened by Martilb 13
  • Unlock Bootloader support on Xiaomi D810 (MT6833)

    Unlock Bootloader support on Xiaomi D810 (MT6833)

    Hey @bkerler , can you please add the bootloader unlock support for the following devices:

    • Redmi Note 11T 5G (evergo)
    • POCO M4 Pro 5G (evergreen)
    • Redmi Note 11S 5G (opal)

    Thanks in advance!

    opened by Sushrut1101 0
  • [Report] Failed to get device configuration on ColorOS 13/realmeUI 4 [RMX3242] [MT6833]

    [Report] Failed to get device configuration on ColorOS 13/realmeUI 4 [RMX3242] [MT6833]

    Hi, I've realme 8 5G/Narzo 30 5G, the device is stuck in brom mode and i can see OPLUS Preloader in Device Manager, but

    mtk fails with following logs

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
    
    
    
    Port - Hint:
    
    
    
    Power off the phone before connecting.
    
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    
    For preloader mode, don't press any hw button and connect usb.
    
    If it is already connected and on, hold power for 10 seconds to reset.
    
    
    
    
    
    .....DeviceClass
    
    DeviceClass - [LIB]: Couldn't get device configuration.
    
    .DeviceClass
    
    DeviceClass - [LIB]: Couldn't get device configuration.
    
    .DeviceClass
    
    DeviceClass - [LIB]: Couldn't get device configuration.
    
    .DeviceClass
    

    Looks like realme/OPLUS has locked down brom completely on realmeUI4/ColorOS 13

    The device uses MediaTek Dimensity 700 (MT6833) SoC, currently on stock Android T fw.

    mtkclient used to work on Android R & S fw but it does not on T firmware now.

    Would be huge help if you can look into that @bkerler . Thank you in advance

    opened by techyminati 0
  • Failing handshake

    Failing handshake

    Am successful on other phones but on one particular phone (tecno pop 5 pro bd4h) which I really need to flash am getting this same error no matter what command i put. .....Preloader Preloader - [LIB]: ←[31mStatus: Handshake failed, retrying...←[0m mtk client output.txt

    The log is in the attached file in the link above

    opened by patrick777777777 1
  • receive dvb-s signals by mt6762 helio p22 reverse engineering on Samsung Galaxy A10s

    receive dvb-s signals by mt6762 helio p22 reverse engineering on Samsung Galaxy A10s

    As I came across to project named cyrozap/mediatek-lte-baseband-re in the GITHUB website, In order to receive dvb-s channels by lte chipset on my smartphone (Samsung Galaxy A10s) is required lte baseband reverse engineering. I think that we require a dvb-s driver for mt6762 helio p22 and an app for watching dvb-s channels.

    Would you please let me know how we can implement this work on my phone. Please guide me at this regards. Thank you very much.

    opened by bracop8 0
  • Need clarification for stage2 keys command

    Need clarification for stage2 keys command

    Hi,

    Could you please clarify what the stage2 keys command does? The description says "write memory", which is not really helpful. Which one of the following is correct description of the functionality?

    • generates new keys and store them in hwparam file
    • fetches existing keys and store them in hwparam file
    opened by viraniac 0
Releases(1.52)
Owner
Bjoern Kerler
Reverse Engineer and Data/Crypto Analyst. QC and MTK Trustzone Pwner.
Bjoern Kerler
Small exercises to get you used to reading and writing Python code!

Pythonlings Welcome to Pythonlings, an automated Python tutorial program (inspired by Rustlings and Haskellings). WIP This program is still working in

鹤翔万里 5 Sep 23, 2022
A discord group chat creator just made it because i saw people selling this stuff for like up to 40 bucks

gccreator some discord group chat tools just made it because i saw people selling this stuff for like up to 40 bucks (im currently working on a faster

baum1810 6 Oct 3, 2022
a bit of my project :) and I use some of them for my school lesson or study for an exam! but some of them just for myself.

Handy Project a bit of my project :) and I use some of them for my school lesson or study for an exam! but some of them just for myself. the handy pro

amirkasra esmaeilian 13 Jul 5, 2021
automate some stuff so I can be more noob

dota automate some stuff so I can be more noob This is a simple project, but one that I've wanted forever! I use pyautogui, time, smtplib and datetime

Aaron Allen 17 Oct 18, 2022
This repository requires you to solve a problem by writing some basic python code.

Can You Solve a Problem? A beginner friendly repository that requires you to solve familiar problems with python. This could be as simple as implement

Precious Kolawole 11 Nov 30, 2022
tool to automate exploitation of android degubg bridge vulnerability

DISCLAIMER DISCLAIMER: ANY MALICIOUS USE OF THE CONTENTS FROM THIS ARTICLE WILL NOT HOLD THE AUTHOR RESPONSIBLE HE CONTENTS ARE SOLELY FOR EDUCATIONAL

null 6 Feb 12, 2022
Mnemosyne: efficient learning with powerful digital flash-cards.

Mnemosyne: Optimized Flashcards and Research Project Mnemosyne is: a free, open-source, spaced-repetition flashcard program that helps you learn as ef

null 359 Dec 24, 2022
The fastest way to copy to (not from) high speed flash storage.

FastestCopy The fastest way to copy to (not from) high speed flash storage. This is about 3-6x faster than file copy on explorer.exe to usb flash driv

Derek Frombach 0 Nov 3, 2021
This an Anki add on that automatically converts Notion notes into Anki flash cards. Currently in development!

NotionFlash This is an Anki add on in development that will allow automatically convert your Notion study notes into Anki flash cards. The Anki deck c

Neeraj Patel 10 Oct 7, 2022
Pyrmanent - Make all your classes permanent in a flash 💾

Pyrmanent A base class to make your Python classes permanent in a flash. Features Easy to use. Great compatibility. No database needed. Ask for new fe

Sergio Abad 4 Jan 7, 2022
Just some information about this nerd.

Greetings, mates, I am ErrorDIM - aka ErrorDimension ?? ?? Programming Languages I Can Use: ?? Top Starred Repositories: # Name Stars Size Major Langu

ErrorDIM 3 Jan 11, 2022
Some shitty programs just to brush up on my understanding of binary conversions.

Binary Converters Some shitty programs just to brush up on my understanding of binary conversions. Supported conversions formats = "unsigned-binary" |

Tim 2 Jan 9, 2022
BlackMamba is a multi client C2/post exploitation framework

BlackMamba is a multi client C2/post exploitation framework with some spyware features. Powered by Python 3.8.6 and QT Framework.

Gustavo 873 Dec 29, 2022
A tool to help you to do the monthly reading requirements

Monthly Reading Requirement Auto ⚙️ A tool to help you do the monthly reading requirements Important ⚠️ Some words can't be translated Links: Synonym

Julian Jauk 2 Oct 31, 2021
A tool to help the Poly copy-reading process! :D

PolyBot A tool to help the Poly copy-reading process! :D Let's face it-computers are better are repeatitive tasks. And, in spite of what one may want

null 1 Jan 10, 2022
Mines all the moneys and stuff and things.

NFT Miner NFT Miner - Version 1.1.0 - Quick Fix Since the whole NFT thing started booming on Twitter it's been hard not to see one of those ugly ass m

8w8 1 Dec 13, 2021
Tool to generate wrappers for Linux libraries allowing for dlopen()ing them without writing any boilerplate

Dynload wrapper This program will generate a wrapper to make it easy to dlopen() shared objects on Linux without writing a ton of boilerplate code. Th

Hein-Pieter van Braam 25 Oct 24, 2022
Lookup for interesting stuff in SMB shares

SMBSR - what is that? Well, SMBSR is a python script which given a CIDR/IP/IP_file/HOSTNAME(s) enumerates all the SMB services listening (445) among t

Vincenzo 112 Dec 15, 2022
Encode stuff with ducks!

Duckify Encoder Usage Download main.py and run it. main.py has an encoded version in encoded_main.py.txt. As A Module Download the duckify folder (or

Jeremiah 2 Nov 15, 2021