Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff

Overview

mtkclient

Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff. On Linux, a patched kernel is needed for the exploits (see the Setup folder); reading/writing flash works without it. On Windows, you need to install the zadig driver and replace the driver for pid 0003 / pid 2000.

Once the mtk.py script is running, boot into brom mode by powering off the device, then pressing and holding either vol up + power or vol down + power while connecting the phone. Once the tool has detected the device, release the buttons.

Installation

Use Re LiveDVD (everything ready to go):

Download Re Live DVD (user: livedvd, password: livedvd)

Use FireISO as LiveDVD:

Download FireIso Live DVD

Install python >=3.8

sudo apt install python3
pip3 install -r requirements.txt

Install gcc armeabi compiler

sudo apt-get install gcc-arm-none-eabi

Compile patched kernel (if you don't use FireISO)

  • For Linux (kamakiri attack), you need to recompile your Linux kernel using this kernel patch:
sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev libdw-dev
git clone https://git.kernel.org/pub/scm/devel/pahole/pahole.git
cd pahole && mkdir build && cd build && cmake .. && make && sudo make install
sudo mv /usr/local/libdwarves* /usr/local/lib/ && sudo ldconfig
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-`uname -r`.tar.xz
tar xvf linux-`uname -r`.tar.xz
cd linux-`uname -r`
patch -p1 < ../Setup/kernelpatches/disable-usb-checks-5.10.patch
cp -v /boot/config-$(uname -r) .config
make menuconfig
make
sudo make modules_install
sudo make install
  • These aren't needed on current Ubuntu (make install already does them); listed just for reference:
sudo update-initramfs -c -k `uname -r`
sudo update-grub

See Setup/kernels for ready-to-use kernel setups

  • Reboot
sudo reboot

Usage

Bypass SLA, DAA and SBC (using generic_patcher_payload)

./mtk.py payload

If you want to use SP Flash tool afterwards, make sure you select "UART" in the settings, not "USB".

Dump brom

  • Device has to be in bootrom mode, or da mode has to be crashed to enter brom mode (see "Crash da" below)
  • If no option is given, either kamakiri or da will be used (da for insecure targets)
  • If "kamakiri" is given as an option, kamakiri is enforced
  • Valid options are: "kamakiri" (via usb_ctrl_handler attack), "amonet" (via gcpu) and "hashimoto" (via cqdma)
./mtk.py dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]

Run custom payload

./mtk.py payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]

Run stage2 in bootrom

./mtk.py stage

Run stage2 in preloader

./mtk.py plstage

Read rpmb in stage2 mode

./stage2.py --rpmb

Read preloader in stage2 mode

./stage2.py --preloader

Read memory as hex data in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16

Read memory to file in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16 --filename brom.bin

Write hex data to memory in stage2 mode

./stage2.py --memwrite --start 0x0 --data 12345678AABBCCDD

Write memory from file in stage2 mode

./stage2.py --memwrite --start 0x0 --filename brom.bin

Crash da in order to enter brom

./mtk.py crash [--vid=vid] [--pid=pid] [--interface=interface]

Read flash

Dump boot partition to filename boot.bin via preloader

./mtk.py r boot boot.bin

Dump boot partition to filename boot.bin via bootrom

./mtk.py r boot boot.bin --preloader=Loader/Preloader/your_device_preloader.bin

Read full flash to filename flash.bin (use --preloader for brom)

./mtk.py rf flash.bin

Dump all partitions to directory "out". (use --preloader for brom)

./mtk.py rl out

Show gpt (use --preloader for brom)

./mtk.py printgpt

Write flash

(use --preloader for brom)

Write filename boot.bin to boot partition

./mtk.py w boot boot.bin

Write filename flash.bin as full flash (currently only works in da mode)

./mtk.py wf flash.bin

Write all files in directory "out" to the flash partitions

./mtk.py wl out

Erase flash

Erase boot partition (use --preloader for brom)

./mtk.py e boot

I need logs!

  • Run the mtk.py tool with --debugmode. The log will be written to log.txt (hopefully)

Rules / Infos

Chip details / configs

  • Chip details and configs go in config/brom_config.py
  • Unknown USB vid/pids for autodetection go in config/usb_ids.py
Comments
  • Xflash doesn't work on legacy devices

    Hi, for a few weeks I've always been interested in trying to unlock the bootloader with this tool, after several fixes this tool should work but now I get this error that I don't know how to fix:

    [image]

    Thanks in advance

    enhancement 
    opened by XRedCubeX 29
  • Error on getting status on connection get_emmc_info/send_emi

    Microsoft Windows [versão 10.0.19042.1052] (c) Microsoft Corporation. Todos os direitos reservados.

    C:\Users\Mcdiniz>cd..

    C:\Users>cd..

    C:>cd mtkclient-main

    C:\mtkclient-main>py mtk printgpt
    Capstone library is missing (optional).
    Keystone library is missing (optional).
    MTK Flash/Exploit Client V1.41 (c) B.Kerler 2018-2021
    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
    Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry
    Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........
    Port - Device detected :)
    Preloader - CPU: MT6739/MT6731()
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0xb4
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x2
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x699
    Preloader - Target config: 0xe5
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - ME_ID: 18B4C2D22A72052A1E0CFE67A32C8CB3
    Preloader - SOC_ID: 2B86505243A63FB955E98AD4193B2BC84D86A0590B5C7D50DDDB8AA9C3F7B534
    PLTools - Loading payload from C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    DAXFlash - Successfully received DA sync
    Traceback (most recent call last):
      File "C:\mtkclient-main\mtk", line 1034, in
        mtk = Main().run()
      File "C:\mtkclient-main\mtk", line 667, in run
        if not mtk.daloader.upload_da(preloader=preloader):
      File "C:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 87, in upload_da
        return self.da.upload_da()
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 961, in upload_da
        emmc_info=self.get_emmc_info(False)
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 563, in get_emmc_info
        status=self.status()
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 226, in status
        magic, datatype, length = unpack("<III", hdr)
    struct.error: unpack requires a buffer of 12 bytes

    C:\mtkclient-main>

    bug 
    opened by ligteltelecom 25
  • unpack requires a buffer of 12 bytes

    C:\mtk\Python39\Doc>C:\mtk\Python39\python mtk printgpt
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    Port - Device detected :)
    Preloader - CPU: MT6765(Helio P35/G35)
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0x25
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x766
    Preloader - Target config: 0xe7
    Preloader - SBC enabled: True
    Preloader - SLA enabled: True
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xca00
    Preloader - SW Ver: 0x0
    Preloader - ME_ID: A370334038856A78CE1122089D50D053
    Preloader - SOC_ID: 62334295B1C499DB5046FC5BFF5187C83D494C685493537B1C08B0DFE3D44DAC
    PLTools - Loading payload from C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - DRAM config needed for : 150100424a544434
    DAXFlash - Sending emi data ...
    DAXFlash
    DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
    Main
    Main - [LIB]: Error uploading da

    opened by deyvs02 24
  • Moto E6s 2020: cannot connect to device due to "Operation not supported or unimplemented on this platform"

    Status: Waiting for PreLoader VCOM, please connect mobile
    Couldn't detect the device. Is it connected ?
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Couldn't detect the device. Is it connected ?
    Couldn't detect the device. Is it connected ?
      CONFIGURATION 1: 500 mA ==================================
       bLength              :    0x9 (9 bytes)
       bDescriptorType      :    0x2 Configuration
       wTotalLength         :   0x46 (70 bytes)
       bNumInterfaces       :    0x2
       bConfigurationValue  :    0x1
       iConfiguration       :    0x3 USB CDC ACM for preloader
       bmAttributes         :   0xc0 Self Powered
       bMaxPower            :   0xfa (500 mA)
        INTERFACE 1: CDC Data ==================================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x1
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x2
         bInterfaceClass    :    0xa CDC Data
         bInterfaceSubClass :    0x0
         bInterfaceProtocol :    0x0
         iInterface         :    0x4 CDC ACM Data Interface
          ENDPOINT 0x1: Bulk OUT ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :    0x1 OUT
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
          ENDPOINT 0x81: Bulk IN ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x81 IN
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
        INTERFACE 0: CDC Communication =========================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x0
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x1
         bInterfaceClass    :    0x2 CDC Communication
         bInterfaceSubClass :    0x2
         bInterfaceProtocol :    0x1
         iInterface         :    0x5 CDC ACM Communication Interface
          ENDPOINT 0x83: Interrupt IN ==========================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x83 IN
           bmAttributes     :    0x3 Interrupt
           wMaxPacketSize   :   0x40 (64 bytes)
           bInterval        :   0x10
    No kernel driver supported: Operation not supported or unimplemented on this platform
    No kernel driver supported: Operation not supported or unimplemented on this platform
    [Errno 10060] Operation timed out
    [Errno 10060] Operation timed out
    Status: Handshake failed, retrying...
    Operation not supported or unimplemented on this platform
    Couldn't detect the device. Is it connected ?
    
    Hint:
    
    Power off the 
    

    Specs: https://www.gsmarena.com/motorola_moto_e6s_(2020)-10135.php

    Platform / OS: Android 9.0 (Pie)
    Chipset: Mediatek MT6762 Helio P22 (12 nm)
    CPU: Octa-core 2.0 GHz Cortex-A53
    GPU: PowerVR GE8320
    
    bug 
    opened by mslhii 23
  • sej - HACC init stuck

    E:\mtkclient-main>python mtk xflash seccfg unlock
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........
    Port - Device detected :)
    Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18)
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212c00
    Preloader - Var1: 0xa
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x326
    Preloader - Target config: 0x1
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: False
    Preloader - SWJTAG enabled: False
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: False
    Preloader - Mem write auth: False
    Preloader - Cmd 0xC8 blocked: False
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x1
    Preloader - ME_ID: 5636FD6EB5F5D5C8723BEC0713B26A3B
    Main - Device is unprotected.
    PLTools - Loading payload from E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin, 0x258 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin
    Port - Device detected :)
    Main
    Main - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - Sending emi data ...
    DAXFlash - Sending emi data succeeded.
    DAXFlash - Uploading stage 2...
    DAXFlash - Successfully uploaded stage 2
    DAXFlash - EMMC FWVer: 0x0
    DAXFlash - EMMC ID: RC14MB
    DAXFlash - EMMC CID: 150100524331344d42071a92d0ae9353
    DAXFlash - EMMC Boot1 Size: 0x400000
    DAXFlash - EMMC Boot2 Size: 0x400000
    DAXFlash - EMMC GP1 Size: 0x0
    DAXFlash - EMMC GP2 Size: 0x0
    DAXFlash - EMMC GP3 Size: 0x0
    DAXFlash - EMMC GP4 Size: 0x0
    DAXFlash - EMMC RPMB Size: 0x400000
    DAXFlash - EMMC USER Size: 0xe8f800000
    DAXFlash - Reconnecting to preloader
    DAXFlash - Connected to preloader
    DAXFlash - DA-CODE : 0x50B76
    DAXFlash
    DAXFlash - [LIB]: Error on sending data: DA hash mismatch (0xc0070004)
    DAXFlash
    DAXFlash - [LIB]: DA Extensions failed to enable
    sej - HACC init

    Traceback (most recent call last):
      File "E:\mtkclient-main\mtk", line 1704, in
        mtk = Main(args).run()
      File "E:\mtkclient-main\mtk", line 1097, in run
        mtk.daloader.seccfg(args.flag)
      File "E:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 173, in seccfg
        return self.xft.seccfg(lockflag)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 444, in seccfg
        sc_new.create(prelock, hwtype)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 74, in create
        enc_hash = self.hwc.sej.sej_sec_cfg_hw(dec_hash, True)
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 489, in sej_sec_cfg_hw
        self.SEJ_Init(encrypt=encrypt)
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 281, in SEJ_Init
        if self.reg.HACC_ACON2 > 0x80000000:
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 83, in getattribute
        return self.read32(addr)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 278, in readmem
        val = self.custom_read(addr + pos * 4, 4)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 247, in custom_read
        if self.cmd(XCmd.CUSTOM_READ):
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 237, in cmd
        if self.xsend(self.xflash.Cmd.DEVICE_CTRL):
      File "E:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 185, in xsend
        return self.usbwrite(data)
      File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 460, in usbwrite
        res = self.write(data, pktsize)
      File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 391, in write
        ctr = self.EP_OUT.write(command[pos:pos + pktsize])
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 408, in write
        return self.device.write(self, data, timeout)
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 979, in write
        return fn(
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 837, in bulk_write
        return self.__write(self.lib.libusb_bulk_transfer,
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 930, in __write
        retval = fn(dev_handle.handle,
    KeyboardInterrupt
    ^C
    E:\mtkclient-main>

    opened by lczact 20
  • My Device cannot Connect

    Already tried: USB with no button, USB with power + up (Handshake failure), USB with power + down and up (Handshake failure). What is the problem?

    C:\MTK>python mtk e backup --preloader=preloader_k65v1_64_bsp.bin
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    opened by Linssang 18
  • Crash at kamakiri2 Stage

    opened by azwhikaru 17
  • MT6739 ERROR DA-CODE : 0x999F0

    Port - Device detected :)
    Preloader - CPU: MT6739/MT6731()
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0xb4
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x699
    Preloader - Target config: 0xe5
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x2
    Preloader - ME_ID: 09DA2F8B575108A8A1C3D49F6143330A
    Preloader - SOC_ID: DB3F67997429C9F8DFF6778CEBE3485BFA87F3937F2BA4C5D148F5D48B52679D
    PLTools - Loading payload from mt6739_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\payloads\mt6739_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.1824.bin
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - Sending emi data ...
    DAXFlash - Sending emi data succeeded.
    DAXFlash - Uploading stage 2...
    DAXFlash - Successfully uploaded stage 2
    DAXFlash - EMMC FWVer: 0x0
    DAXFlash - EMMC ID: FJ25AB
    DAXFlash - EMMC CID: 150100464a323541420229d590ffc269
    DAXFlash - EMMC Boot1 Size: 0x400000
    DAXFlash - EMMC Boot2 Size: 0x400000
    DAXFlash - EMMC GP1 Size: 0x0
    DAXFlash - EMMC GP2 Size: 0x0
    DAXFlash - EMMC GP3 Size: 0x0
    DAXFlash - EMMC GP4 Size: 0x0
    DAXFlash - EMMC RPMB Size: 0x80000
    DAXFlash - EMMC USER Size: 0xe9000000
    DAXFlash - DA-CODE : 0x999F0
    Traceback (most recent call last):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 1709, in
        mtk = Main(args).run()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 662, in run
        if not mtk.daloader.upload_da(preloader=preloader):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 141, in upload_da
        return self.da.upload_da()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 1093, in upload_da
        if self.boot_to(at_address=0x68000000, da=daextdata):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 341, in boot_to
        status = self.status()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 211, in status
        magic, datatype, length = unpack("<III", hdr)
    struct.error: unpack requires a buffer of 12 bytes

    opened by StelinFex 16
  • Console multiple commands

    Hi,

    I know this question has been asked many times, but since you made the mtk_gui script to perform several commands on the same connection, the mtk script could do that too. Please, can you edit that or help to do that?

    It is very important

    Thanks in advance

    @bkerler

    opened by breakersvd 14
  • [LIB]: Status: Handshake failed, retrying

    python mtk payload --metamode FASTBOOT

    DeviceClass - [LIB]: Couldn't get device configuration.
    .Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...

    opened by cata332 13
  • Cannot read ROM with MT6592

    Impossible to do anything other than extracting the preloader. Here are the log file and the extracted preloader. For info, SP Flash Tool gets stuck also. ErrorLog.txt preloader_sf6592_wet_l.zip Any help to understand what is missing? Thanks

    opened by Martilb 13
  • Unlock Bootloader support on Xiaomi D810 (MT6833)

    Hey @bkerler , can you please add the bootloader unlock support for the following devices:

    • Redmi Note 11T 5G (evergo)
    • POCO M4 Pro 5G (evergreen)
    • Redmi Note 11S 5G (opal)

    Thanks in advance!

    opened by Sushrut1101 0
  • [Report] Failed to get device configuration on ColorOS 13/realmeUI 4 [RMX3242] [MT6833]

    Hi, I have a realme 8 5G/Narzo 30 5G; the device is stuck in brom mode and I can see OPLUS Preloader in Device Manager, but

    mtk fails with following logs

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    If it is already connected and on, hold power for 10 seconds to reset.

    .....DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass

    Looks like realme/OPLUS has locked down brom completely on realmeUI4/ColorOS 13

    The device uses MediaTek Dimensity 700 (MT6833) SoC, currently on stock Android T fw.

    mtkclient used to work on Android R & S fw but it does not on T firmware now.

    Would be huge help if you can look into that @bkerler . Thank you in advance

    opened by techyminati 0
  • Failing handshake

    I am successful on other phones, but on one particular phone (Tecno Pop 5 Pro bd4h) which I really need to flash I am getting this same error no matter what command I put. .....Preloader Preloader - [LIB]: Status: Handshake failed, retrying... mtk client output.txt

    The log is in the attached file in the link above

    opened by patrick777777777 1
  • receive dvb-s signals by mt6762 helio p22 reverse engineering on Samsung Galaxy A10s

    I came across the project named cyrozap/mediatek-lte-baseband-re on GitHub. In order to receive DVB-S channels via the LTE chipset on my smartphone (Samsung Galaxy A10s), LTE baseband reverse engineering is required. I think that we require a DVB-S driver for the MT6762 Helio P22 and an app for watching DVB-S channels.

    Would you please let me know how we can implement this work on my phone. Please guide me at this regards. Thank you very much.

    opened by bracop8 0
  • Need clarification for stage2 keys command

    Hi,

    Could you please clarify what the stage2 keys command does? The description says "write memory", which is not really helpful. Which one of the following is the correct description of the functionality?

    • generates new keys and stores them in the hwparam file
    • fetches existing keys and stores them in the hwparam file
    opened by viraniac 0
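Several of the reports above end in `struct.error: unpack requires a buffer of 12 bytes`, raised from `magic, datatype, length = unpack("<III", hdr)` in the DA status reader when the USB read returned fewer than 12 bytes (typically an empty read after the DA stopped answering). The following is an added example, not mtkclient's own code, of the same 12-byte header parse with a length check and short-read handling, so the failure surfaces as "got 0 of 12 header bytes" instead of a bare struct.error; the `<III` layout comes from the tracebacks, while the magic value and the fake transport are constructed for the example.

```python
from struct import calcsize, pack, unpack
from typing import Callable, List, Optional, Tuple

# Header layout from the tracebacks: three little-endian uint32 fields
# (magic, datatype, length), 12 bytes in total.
HDR_FMT = "<III"
HDR_LEN = calcsize(HDR_FMT)

# Constructed magic value for the sample header below; it is NOT the value
# the real DA protocol uses, it only makes the sample recognisable.
SAMPLE_MAGIC = 0xFEEDBEEF
SAMPLE_HDR = pack(HDR_FMT, SAMPLE_MAGIC, 1, 0x10)  # constructed sample header


class ShortReadError(IOError):
    """The transport handed back fewer bytes than a status header needs."""

    def __init__(self, got: int, expected: int) -> None:
        super().__init__(f"short read: got {got} of {expected} header bytes")
        self.got = got
        self.expected = expected


def parse_status_header(hdr: bytes) -> Tuple[int, int, int]:
    """Bounds-checked version of `magic, datatype, length = unpack("<III", hdr)`.

    A short or empty buffer raises ShortReadError carrying the byte count
    instead of the bare struct.error seen in the issue logs, so an empty USB
    read (device reset, DA crashed) can be told apart from a protocol mismatch.
    """
    if len(hdr) < HDR_LEN:
        raise ShortReadError(len(hdr), HDR_LEN)
    magic, datatype, length = unpack(HDR_FMT, hdr[:HDR_LEN])
    return magic, datatype, length


def read_status(read: Callable[[int], bytes],
                max_empty: int = 3) -> Optional[Tuple[int, int, int]]:
    """Assemble a full header from a transport that may deliver short chunks.

    `read(n)` is assumed to behave like a bulk-IN read: it returns up to n
    bytes, or b"" when nothing arrived before the timeout.  Returns None once
    the device has stopped answering (`max_empty` empty reads in a row).
    """
    buf = b""
    empty = 0
    while len(buf) < HDR_LEN:
        chunk = read(HDR_LEN - len(buf))
        if not chunk:
            empty += 1
            if empty >= max_empty:
                return None
            continue
        empty = 0
        buf += chunk
    return parse_status_header(buf)


def make_fake_transport(chunks: List[bytes]) -> Callable[[int], bytes]:
    """Constructed stand-in for a USB endpoint: replays `chunks` in order.

    Each call returns at most n bytes; an empty chunk models a timed-out
    read, and once the list is exhausted every call returns b"".
    """
    pending = list(chunks)

    def read(n: int) -> bytes:
        if not pending:
            return b""
        chunk = pending.pop(0)
        if len(chunk) > n:
            pending.insert(0, chunk[n:])
            chunk = chunk[:n]
        return chunk

    return read


if __name__ == "__main__":
    # Full header in one read.
    print(read_status(make_fake_transport([SAMPLE_HDR])))
    # Header split over two reads with one timeout in between: still parsed.
    print(read_status(make_fake_transport([SAMPLE_HDR[:5], b"", SAMPLE_HDR[5:]])))
    # Device went silent after 4 bytes: None instead of a struct.error.
    print(read_status(make_fake_transport([SAMPLE_HDR[:4]])))
```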
Releases(1.52)
Owner
Bjoern Kerler
Reverse Engineer and Data/Crypto Analyst. QC and MTK Trustzone Pwner.