Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff

Overview

mtkclient

Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff. On Linux, a patched kernel is needed (see the Setup folder), except for reading/writing flash. On Windows, you need to install the Zadig driver and replace the pid 0003 / pid 2000 driver.

Once the mtk.py script is running, boot into brom mode: power off the device, press and hold either vol up + power or vol down + power, and connect the phone. Once the tool detects the device, release the buttons.

Installation

Use Re LiveDVD (everything ready to go):

Download Re Live DVD. User: livedvd, Password: livedvd

Use FireISO as LiveDVD:

Download FireIso Live DVD

Install python >=3.8

sudo apt install python3
pip3 install -r requirements.txt

Install gcc armeabi compiler

sudo apt-get install gcc-arm-none-eabi

Compile patched kernel (if you don't use FireISO)

  • For Linux (kamakiri attack), you need to recompile your Linux kernel using this kernel patch:
sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev libdw-dev
git clone https://git.kernel.org/pub/scm/devel/pahole/pahole.git
cd pahole && mkdir build && cd build && cmake .. && make && sudo make install
sudo mv /usr/local/libdwarves* /usr/local/lib/ && sudo ldconfig
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-`uname -r`.tar.xz
tar xvf linux-`uname -r`.tar.xz
cd linux-`uname -r`
patch -p1 < ../Setup/kernelpatches/disable-usb-checks-5.10.patch
cp -v /boot/config-$(uname -r) .config
make menuconfig
make
sudo make modules_install 
sudo make install
  • These aren't needed on current Ubuntu (make install already does this; listed just for reference):
sudo update-initramfs -c -k `uname -r`
sudo update-grub

See Setup/kernels for ready-to-use kernel setups

  • Reboot
sudo reboot

Usage

Bypass SLA, DAA and SBC (using generic_patcher_payload)

./mtk.py payload

If you want to use SP Flash tool afterwards, make sure you select "UART" in the settings, not "USB".

Dump brom

  • Device has to be in bootrom mode, or da mode has to be crashed to enter damode
  • If no option is given, either kamakiri or da will be used (da for insecure targets)
  • If "kamakiri" is given as an option, kamakiri is enforced
  • Valid options are: "kamakiri" (via usb_ctrl_handler attack), "amonet" (via gcpu) and "hashimoto" (via cqdma)
./mtk.py dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]

Run custom payload

./mtk.py payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]

Run stage2 in bootrom

./mtk.py stage

Run stage2 in preloader

./mtk.py plstage

Read rpmb in stage2 mode

./stage2.py --rpmb

Read preloader in stage2 mode

./stage2.py --preloader

Read memory as hex data in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16

Read memory to file in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16 --filename brom.bin

Write hex data to memory in stage2 mode

./stage2.py --memwrite --start 0x0 --data 12345678AABBCCDD

Write memory from file in stage2 mode

./stage2.py --memwrite --start 0x0 --filename brom.bin

Crash da in order to enter brom

./mtk.py crash [--vid=vid] [--pid=pid] [--interface=interface]

Read flash

Dump boot partition to filename boot.bin via preloader

./mtk.py r boot boot.bin

Dump boot partition to filename boot.bin via bootrom

./mtk.py r boot boot.bin --preloader=Loader/Preloader/your_device_preloader.bin

Read full flash to filename flash.bin (use --preloader for brom)

./mtk.py rf flash.bin

Dump all partitions to directory "out". (use --preloader for brom)

./mtk.py rl out

Show gpt (use --preloader for brom)

./mtk.py printgpt

Write flash

(use --preloader for brom)

Write filename boot.bin to boot partition

./mtk.py w boot boot.bin

Write filename flash.bin as full flash (currently only works in da mode)

./mtk.py wf flash.bin

Write all files in directory "out" to the flash partitions

./mtk.py wl out

Erase flash

Erase boot partition (use --preloader for brom)

./mtk.py e boot

I need logs !

  • Run the mtk.py tool with --debugmode. Log will be written to log.txt (hopefully)

Rules / Infos

Chip details / configs

  • Go to config/brom_config.py
  • Unknown usb vid/pids for autodetection go to config/usb_ids.py
Comments
  • Xflash doesn't work on legacy devices

    Hi, for a few weeks I've always been interested in trying to unlock the bootloader with this tool, after several fixes this tool should work but now I get this error that I don't know how to fix:

    Thanks in advance

    enhancement 
    opened by XRedCubeX 29
  • Error on getting status on connection get_emmc_info/send_emi

    Microsoft Windows [versão 10.0.19042.1052] (c) Microsoft Corporation. Todos os direitos reservados.

    C:\Users\Mcdiniz>cd..

    C:\Users>cd..

    C:>cd mtkclient-main

    C:\mtkclient-main>py mtk printgpt
    Capstone library is missing (optional).
    Keystone library is missing (optional).
    MTK Flash/Exploit Client V1.41 (c) B.Kerler 2018-2021
    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
    Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry
    Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........
    Port - Device detected :)
    Preloader - CPU: MT6739/MT6731()
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0xb4
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x2
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x699
    Preloader - Target config: 0xe5
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - ME_ID: 18B4C2D22A72052A1E0CFE67A32C8CB3
    Preloader - SOC_ID: 2B86505243A63FB955E98AD4193B2BC84D86A0590B5C7D50DDDB8AA9C3F7B534
    PLTools - Loading payload from C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    DAXFlash - Successfully received DA sync
    Traceback (most recent call last):
      File "C:\mtkclient-main\mtk", line 1034, in <module>
        mtk = Main().run()
      File "C:\mtkclient-main\mtk", line 667, in run
        if not mtk.daloader.upload_da(preloader=preloader):
      File "C:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 87, in upload_da
        return self.da.upload_da()
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 961, in upload_da
        emmc_info=self.get_emmc_info(False)
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 563, in get_emmc_info
        status=self.status()
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 226, in status
        magic, datatype, length = unpack("<III", hdr)
    struct.error: unpack requires a buffer of 12 bytes

    C:\mtkclient-main>

    bug 
    opened by ligteltelecom 25
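
The preloader lines in the log above record which boot-time checks the device reports (SBC, SLA, DAA, memory read/write auth). The sketch below is an added example, not part of mtkclient or of the issue: it pulls those flags out of a pasted log, flattened or one record per line, so a batch of device logs can be triaged. The function names, the choice of which flags to report, and the trimmed sample logs are this example's assumptions.

```python
import re

# ANSI colour codes: a raw ESC byte, or the "←" a console capture leaves in its place.
ANSI = re.compile(r"(?:\x1b|←)\[[0-9;]*m")
# Logger names that appear in the logs on this page; a record starts at "<name> - ".
RECORD_START = re.compile(r"(?=\b(?:Preloader|Port|PLTools|Kamakiri|Main|DAXFlash) - )")
FIELD = re.compile(r"^Preloader - (?P<key>[^:]+):\s*(?P<value>.*)$", re.S)
VERDICT = re.compile(r"Main - Device is (protected|unprotected)\.")

# Flag labels exactly as the tool prints them. Which ones to report when they
# are "False" is this example's choice, not a rule taken from the tool.
PROTECTIONS = ("SBC enabled", "SLA enabled", "DAA enabled",
               "Mem read auth", "Mem write auth", "Cmd 0xC8 blocked")
IDENTITY = {"CPU": "cpu", "HW code": "hw_code", "Target config": "target_config"}


def split_records(log_text):
    """Split a log into records, whether flattened onto one line or not."""
    text = ANSI.sub("", log_text)
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]


def audit(log_text):
    """Return identity fields, the tool's own verdict, and the flag summary."""
    result = {"cpu": None, "hw_code": None, "target_config": None}
    flags = {}
    for record in split_records(log_text):
        m = FIELD.match(record)
        if not m:
            continue  # e.g. "Port - Device detected :)" or "Disabling Watchdog..."
        key, value = m["key"].strip(), m["value"].strip()
        if key in IDENTITY:
            result[IDENTITY[key]] = value
        elif key in PROTECTIONS and value in ("True", "False"):
            flags[key] = value == "True"
    verdict = VERDICT.search(ANSI.sub("", log_text))
    result["verdict"] = verdict.group(1) if verdict else None
    result["off"] = [n for n in PROTECTIONS if flags.get(n) is False]
    result["not_logged"] = [n for n in PROTECTIONS if n not in flags]
    return result


# Trimmed excerpt of the MT6739 log quoted on this page, flattened as pasted.
SAMPLE_MT6739 = (
    "Preloader Preloader - [LIB]: ←[31mStatus: Handshake failed, please retry←[0m "
    "........... Port - Device detected :) Preloader - CPU: MT6739/MT6731() "
    "Preloader - Disabling Watchdog... Preloader - HW code: 0x699 "
    "Preloader - Target config: 0xe5 Preloader - SBC enabled: True "
    "Preloader - SLA enabled: False Preloader - DAA enabled: True "
    "Preloader - SWJTAG enabled: True Preloader - Root cert required: False "
    "Preloader - Mem read auth: True Preloader - Mem write auth: True "
    "Preloader - Cmd 0xC8 blocked: True Main - Device is protected."
)

# Trimmed excerpt of the MT6755 log quoted on this page, one record per line.
SAMPLE_MT6755 = """\
Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18)
Preloader - HW code: 0x326
Preloader - Target config: 0x1
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Main - Device is unprotected.
"""

if __name__ == "__main__":
    for name, log in (("MT6739", SAMPLE_MT6739), ("MT6755", SAMPLE_MT6755)):
        print(name, audit(log))
```

A log that never reaches device detection comes back with every flag under `not_logged`, which keeps "flag is off" separate from "flag was never printed".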
  • unpack requires a buffer of 12 bytes

    C:\mtk\Python39\Doc>C:\mtk\Python39\python mtk printgpt
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    Port - Device detected :)
    Preloader - CPU: MT6765(Helio P35/G35)
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0x25
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x766
    Preloader - Target config: 0xe7
    Preloader - SBC enabled: True
    Preloader - SLA enabled: True
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xca00
    Preloader - SW Ver: 0x0
    Preloader - ME_ID: A370334038856A78CE1122089D50D053
    Preloader - SOC_ID: 62334295B1C499DB5046FC5BFF5187C83D494C685493537B1C08B0DFE3D44DAC
    PLTools - Loading payload from C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - DRAM config needed for : 150100424a544434
    DAXFlash - Sending emi data ...
    DAXFlash
    DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
    Main
    Main - [LIB]: Error uploading da

    opened by deyvs02 24
  • Moto E6s 2020: cannot connect to device due to "Operation not supported or unimplemented on this platform"

    Status: Waiting for PreLoader VCOM, please connect mobile
    Couldn't detect the device. Is it connected ?
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Couldn't detect the device. Is it connected ?
    Couldn't detect the device. Is it connected ?
      CONFIGURATION 1: 500 mA ==================================
       bLength              :    0x9 (9 bytes)
       bDescriptorType      :    0x2 Configuration
       wTotalLength         :   0x46 (70 bytes)
       bNumInterfaces       :    0x2
       bConfigurationValue  :    0x1
       iConfiguration       :    0x3 USB CDC ACM for preloader
       bmAttributes         :   0xc0 Self Powered
       bMaxPower            :   0xfa (500 mA)
        INTERFACE 1: CDC Data ==================================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x1
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x2
         bInterfaceClass    :    0xa CDC Data
         bInterfaceSubClass :    0x0
         bInterfaceProtocol :    0x0
         iInterface         :    0x4 CDC ACM Data Interface
          ENDPOINT 0x1: Bulk OUT ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :    0x1 OUT
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
          ENDPOINT 0x81: Bulk IN ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x81 IN
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
        INTERFACE 0: CDC Communication =========================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x0
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x1
         bInterfaceClass    :    0x2 CDC Communication
         bInterfaceSubClass :    0x2
         bInterfaceProtocol :    0x1
         iInterface         :    0x5 CDC ACM Communication Interface
          ENDPOINT 0x83: Interrupt IN ==========================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x83 IN
           bmAttributes     :    0x3 Interrupt
           wMaxPacketSize   :   0x40 (64 bytes)
           bInterval        :   0x10
    No kernel driver supported: Operation not supported or unimplemented on this platform
    No kernel driver supported: Operation not supported or unimplemented on this platform
    [Errno 10060] Operation timed out
    [Errno 10060] Operation timed out
    Status: Handshake failed, retrying...
    Operation not supported or unimplemented on this platform
    Couldn't detect the device. Is it connected ?
    
    Hint:
    
    Power off the 
    

    Specs: https://www.gsmarena.com/motorola_moto_e6s_(2020)-10135.php

    PLATFORM | OS | Android 9.0 (Pie)
    -- | -- | --
    Chipset | Mediatek MT6762 Helio P22 (12 nm)
    CPU | Octa-core 2.0 GHz Cortex-A53
    GPU | PowerVR GE8320
    
    bug 
    opened by mslhii 23
  • sej - HACC init stuck

    E:\mtkclient-main>python mtk xflash seccfg unlock
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........
    Port - Device detected :)
    Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18)
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212c00
    Preloader - Var1: 0xa
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x326
    Preloader - Target config: 0x1
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: False
    Preloader - SWJTAG enabled: False
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: False
    Preloader - Mem write auth: False
    Preloader - Cmd 0xC8 blocked: False
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x1
    Preloader - ME_ID: 5636FD6EB5F5D5C8723BEC0713B26A3B
    Main - Device is unprotected.
    PLTools - Loading payload from E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin, 0x258 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin
    Port - Device detected :)
    Main
    Main - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - Sending emi data ...
    DAXFlash - Sending emi data succeeded.
    DAXFlash - Uploading stage 2...
    DAXFlash - Successfully uploaded stage 2
    DAXFlash - EMMC FWVer: 0x0
    DAXFlash - EMMC ID: RC14MB
    DAXFlash - EMMC CID: 150100524331344d42071a92d0ae9353
    DAXFlash - EMMC Boot1 Size: 0x400000
    DAXFlash - EMMC Boot2 Size: 0x400000
    DAXFlash - EMMC GP1 Size: 0x0
    DAXFlash - EMMC GP2 Size: 0x0
    DAXFlash - EMMC GP3 Size: 0x0
    DAXFlash - EMMC GP4 Size: 0x0
    DAXFlash - EMMC RPMB Size: 0x400000
    DAXFlash - EMMC USER Size: 0xe8f800000
    DAXFlash - Reconnecting to preloader
    DAXFlash - Connected to preloader
    DAXFlash - DA-CODE : 0x50B76
    DAXFlash
    DAXFlash - [LIB]: Error on sending data: DA hash mismatch (0xc0070004)
    DAXFlash
    DAXFlash - [LIB]: DA Extensions failed to enable
    sej - HACC init

    Traceback (most recent call last):
      File "E:\mtkclient-main\mtk", line 1704, in <module>
        mtk = Main(args).run()
      File "E:\mtkclient-main\mtk", line 1097, in run
        mtk.daloader.seccfg(args.flag)
      File "E:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 173, in seccfg
        return self.xft.seccfg(lockflag)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 444, in seccfg
        sc_new.create(prelock, hwtype)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 74, in create
        enc_hash = self.hwc.sej.sej_sec_cfg_hw(dec_hash, True)
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 489, in sej_sec_cfg_hw
        self.SEJ_Init(encrypt=encrypt)
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 281, in SEJ_Init
        if self.reg.HACC_ACON2 > 0x80000000:
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 83, in getattribute
        return self.read32(addr)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 278, in readmem
        val = self.custom_read(addr + pos * 4, 4)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 247, in custom_read
        if self.cmd(XCmd.CUSTOM_READ):
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 237, in cmd
        if self.xsend(self.xflash.Cmd.DEVICE_CTRL):
      File "E:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 185, in xsend
        return self.usbwrite(data)
      File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 460, in usbwrite
        res = self.write(data, pktsize)
      File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 391, in write
        ctr = self.EP_OUT.write(command[pos:pos + pktsize])
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 408, in write
        return self.device.write(self, data, timeout)
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 979, in write
        return fn(
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 837, in bulk_write
        return self.__write(self.lib.libusb_bulk_transfer,
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 930, in __write
        retval = fn(dev_handle.handle,
    KeyboardInterrupt
    ^C
    E:\mtkclient-main>

    opened by lczact 20
  • My Device cannot Connect

    Already put USB no button usb with power up (Handshake failure) usb with power down and up (Handshake failure) what the problem?

    `C:\MTK>python mtk e backup --preloader=preloader_k65v1_64_bsp.bin
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.`

    opened by Linssang 18
  • Crash at kamakiri2 Stage

    opened by azwhikaru 17
  • MT6739 ERROR DA-CODE      : 0x999F0

    Port - Device detected :)
    Preloader - CPU: MT6739/MT6731()
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0xb4
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x699
    Preloader - Target config: 0xe5
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x2
    Preloader - ME_ID: 09DA2F8B575108A8A1C3D49F6143330A
    Preloader - SOC_ID: DB3F67997429C9F8DFF6778CEBE3485BFA87F3937F2BA4C5D148F5D48B52679D
    PLTools - Loading payload from mt6739_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\payloads\mt6739_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.1824.bin
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - Sending emi data ...
    DAXFlash - Sending emi data succeeded.
    DAXFlash - Uploading stage 2...
    DAXFlash - Successfully uploaded stage 2
    DAXFlash - EMMC FWVer: 0x0
    DAXFlash - EMMC ID: FJ25AB
    DAXFlash - EMMC CID: 150100464a323541420229d590ffc269
    DAXFlash - EMMC Boot1 Size: 0x400000
    DAXFlash - EMMC Boot2 Size: 0x400000
    DAXFlash - EMMC GP1 Size: 0x0
    DAXFlash - EMMC GP2 Size: 0x0
    DAXFlash - EMMC GP3 Size: 0x0
    DAXFlash - EMMC GP4 Size: 0x0
    DAXFlash - EMMC RPMB Size: 0x80000
    DAXFlash - EMMC USER Size: 0xe9000000
    DAXFlash - DA-CODE : 0x999F0
    Traceback (most recent call last):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 1709, in <module>
        mtk = Main(args).run()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 662, in run
        if not mtk.daloader.upload_da(preloader=preloader):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 141, in upload_da
        return self.da.upload_da()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 1093, in upload_da
        if self.boot_to(at_address=0x68000000, da=daextdata):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 341, in boot_to
        status = self.status()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 211, in status
        magic, datatype, length = unpack("<III", hdr)
    struct.error: unpack requires a buffer of 12 bytes

    opened by StelinFex 16
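
Three of the reports above end in `struct.error: unpack requires a buffer of 12 bytes`, raised where `status()` unpacks a `<III` header from whatever the device returned. As an added example (not mtkclient's code), here is one way to read such a header so that a short or silent device produces a diagnosable error instead of a `struct` exception. The `read` callable, `ASSUMED_MAGIC`, `MAX_PAYLOAD` and `FakeEndpoint` are hypothetical; only the field order magic, datatype, length comes from the traceback.

```python
import struct

HDR = struct.Struct("<III")      # magic, datatype, length (order taken from the traceback)
ASSUMED_MAGIC = 0x4D41474B       # constructed placeholder, NOT the tool's real constant
MAX_PAYLOAD = 0x10000            # assumed sanity limit for the length field


class FrameError(Exception):
    """Base class so callers can catch every framing problem at once."""


class ShortRead(FrameError):
    pass


class BadFrame(FrameError):
    pass


def read_exact(read, size, max_empty=3):
    """Collect exactly `size` bytes from read(n), which may return fewer.

    A bulk IN transfer can deliver a partial buffer or nothing at all
    (timeout), so keep reading until the frame is complete or the device
    has stayed silent `max_empty` times in a row.
    """
    buf = bytearray()
    empty = 0
    while len(buf) < size:
        chunk = read(size - len(buf))
        if not chunk:
            empty += 1
            if empty >= max_empty:
                raise ShortRead(
                    f"wanted {size} bytes, got {len(buf)}: {bytes(buf).hex()}")
            continue
        empty = 0
        buf += chunk
    return bytes(buf)


def read_status_frame(read):
    """Read one header plus payload, validating before trusting `length`."""
    magic, datatype, length = HDR.unpack(read_exact(read, HDR.size))
    if magic != ASSUMED_MAGIC:
        raise BadFrame(f"unexpected magic 0x{magic:08x}")
    if length > MAX_PAYLOAD:
        raise BadFrame(f"implausible length 0x{length:x}")
    return datatype, read_exact(read, length)


class FakeEndpoint:
    """Constructed stand-in for a USB IN endpoint: replays canned chunks."""

    def __init__(self, chunks):
        self.chunks = list(chunks)

    def read(self, n):
        if not self.chunks:
            return b""                      # device went silent
        chunk = self.chunks.pop(0)
        if len(chunk) > n:                  # keep the remainder for the next read
            self.chunks.insert(0, chunk[n:])
            chunk = chunk[:n]
        return chunk


def outcome(chunks):
    """Run one exchange against the fake endpoint and describe the result."""
    try:
        datatype, payload = read_status_frame(FakeEndpoint(chunks).read)
        return f"ok datatype={datatype} payload={payload.hex()}"
    except FrameError as exc:
        return f"{type(exc).__name__}: {exc}"


# Constructed frame: header announcing a 4-byte payload, then the payload.
SAMPLE_FRAME = HDR.pack(ASSUMED_MAGIC, 1, 4) + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    # Header arrives split across two transfers: still parsed correctly.
    print(outcome([SAMPLE_FRAME[:5], SAMPLE_FRAME[5:12], SAMPLE_FRAME[12:]]))
    # Device stops after 4 bytes: reported with the bytes that did arrive.
    print(outcome([SAMPLE_FRAME[:4]]))
    # Complete header that is not a status frame at all.
    print(outcome([HDR.pack(0, 1, 0)]))
```

The `ShortRead` message carries the bytes that did arrive, which is usually the first thing needed to tell a timeout from a device that answered with a different, shorter reply.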
  • Console multiple commands

    Hi,

    I know this question has been asked many times, but since you made the mtk_gui script to perform several commands on the same connection, then the mtk script can do that. Please can you edit that or help to do that?

    It is very important

    Thanks in advance

    @bkerler

    opened by breakersvd 14
  •  [LIB]: Status: Handshake failed, retrying

    python mtk payload --metamode FASTBOOT

    DeviceClass - [LIB]: Couldn't get device configuration.
    .Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...

    opened by cata332 13
  • Cannot read ROM with MT6592

    Impossible to do something else than extracting preloader. Here is the log file and preloader extracted. For info, SP Flash Tool gets stuck also. ErrorLog.txt preloader_sf6592_wet_l.zip Any help to understand what is missing? Thanks

    opened by Martilb 13
  • Unlock Bootloader support on Xiaomi D810 (MT6833)

    Hey @bkerler , can you please add the bootloader unlock support for the following devices:

    • Redmi Note 11T 5G (evergo)
    • POCO M4 Pro 5G (evergreen)
    • Redmi Note 11S 5G (opal)

    Thanks in advance!

    opened by Sushrut1101 0
  • [Report] Failed to get device configuration on ColorOS 13/realmeUI 4 [RMX3242] [MT6833]

    Hi, I've realme 8 5G/Narzo 30 5G, the device is stuck in brom mode and i can see OPLUS Preloader in Device Manager, but

    mtk fails with following logs

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    If it is already connected and on, hold power for 10 seconds to reset.

    .....DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass

    Looks like realme/OPLUS has locked down brom completely on realmeUI4/ColorOS 13

    The device uses MediaTek Dimensity 700 (MT6833) SoC, currently on stock Android T fw.

    mtkclient used to work on Android R & S fw but it does not on T firmware now.

    Would be huge help if you can look into that @bkerler . Thank you in advance

    opened by techyminati 0
  • Failing handshake

    Am successful on other phones but on one particular phone (tecno pop 5 pro bd4h) which I really need to flash am getting this same error no matter what command i put.

    .....Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...

    mtk client output.txt

    The log is in the attached file in the link above

    opened by patrick777777777 1
  • receive dvb-s signals by mt6762 helio p22 reverse engineering on Samsung Galaxy A10s

    As I came across to project named cyrozap/mediatek-lte-baseband-re in the GITHUB website, In order to receive dvb-s channels by lte chipset on my smartphone (Samsung Galaxy A10s) is required lte baseband reverse engineering. I think that we require a dvb-s driver for mt6762 helio p22 and an app for watching dvb-s channels.

    Would you please let me know how we can implement this work on my phone. Please guide me at this regards. Thank you very much.

    opened by bracop8 0
  • Need clarification for stage2 keys command

    Hi,

    Could you please clarify what the stage2 keys command does? The description says "write memory", which is not really helpful. Which one of the following is correct description of the functionality?

    • generates new keys and store them in hwparam file
    • fetches existing keys and store them in hwparam file
    opened by viraniac 0
Releases(1.52)
Owner
Bjoern Kerler
Reverse Engineer and Data/Crypto Analyst. QC and MTK Trustzone Pwner.