Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff

Overview

mtkclient

Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff. For Linux, a patched kernel is needed (see the Setup folder), except for reading/writing flash. For Windows, you need to install the Zadig driver and replace the pid 0003 / pid 2000 driver.

Once the mtk.py script is running, boot into brom mode: power off the device, press and hold either vol up + power or vol down + power, and connect the phone. Once the tool detects the device, release the buttons.

Installation

Use Re LiveDVD (everything ready to go):

Download Re Live DVD. User: livedvd, Password: livedvd

Use FireISO as LiveDVD:

Download FireIso Live DVD

Install python >=3.8

sudo apt install python3
pip3 install -r requirements.txt

Install gcc armeabi compiler

sudo apt-get install gcc-arm-none-eabi

Compile patched kernel (if you don't use FireISO)

  • For Linux (kamakiri attack), you need to recompile your Linux kernel using this kernel patch:
sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev libdw-dev
git clone https://git.kernel.org/pub/scm/devel/pahole/pahole.git
cd pahole && mkdir build && cd build && cmake .. && make && sudo make install
sudo mv /usr/local/libdwarves* /usr/local/lib/ && sudo ldconfig
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-`uname -r`.tar.xz
tar xvf linux-`uname -r`.tar.xz
cd linux-`uname -r`
patch -p1 < ../Setup/kernelpatches/disable-usb-checks-5.10.patch
cp -v /boot/config-$(uname -r) .config
make menuconfig
make
sudo make modules_install 
sudo make install
  • These aren't needed on current Ubuntu (make install already does this; listed just for reference):
sudo update-initramfs -c -k `uname -r`
sudo update-grub

See Setup/kernels for ready-to-use kernel setups

  • Reboot
sudo reboot

Usage

Bypass SLA, DAA and SBC (using generic_patcher_payload)

./mtk.py payload

If you want to use SP Flash tool afterwards, make sure you select "UART" in the settings, not "USB".

Dump brom

  • Device has to be in bootrom mode, or da mode has to be crashed to enter damode
  • if no option is given, either kamakiri or da will be used (da for insecure targets)
  • if "kamakiri" is used as an option, kamakiri is enforced
  • Valid options are : "kamakiri" (via usb_ctrl_handler attack), "amonet" (via gcpu) and "hashimoto" (via cqdma)
./mtk.py dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]

Run custom payload

./mtk.py payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]

Run stage2 in bootrom

./mtk.py stage

Run stage2 in preloader

./mtk.py plstage

Read rpmb in stage2 mode

./stage2.py --rpmb

Read preloader in stage2 mode

./stage2.py --preloader

Read memory as hex data in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16

Read memory to file in stage2 mode

./stage2.py --memread --start 0x0 --length 0x16 --filename brom.bin

Write hex data to memory in stage2 mode

./stage2.py --memwrite --start 0x0 --data 12345678AABBCCDD

Write memory from file in stage2 mode

./stage2.py --memwrite --start 0x0 --filename brom.bin

Crash da in order to enter brom

./mtk.py crash [--vid=vid] [--pid=pid] [--interface=interface]

Read flash

Dump boot partition to filename boot.bin via preloader

./mtk.py r boot boot.bin

Dump boot partition to filename boot.bin via bootrom

./mtk.py r boot boot.bin --preloader=Loader/Preloader/your_device_preloader.bin

Read full flash to filename flash.bin (use --preloader for brom)

./mtk.py rf flash.bin

Dump all partitions to directory "out". (use --preloader for brom)

./mtk.py rl out

Show gpt (use --preloader for brom)

./mtk.py printgpt

Write flash

(use --preloader for brom)

Write filename boot.bin to boot partition

./mtk.py w boot boot.bin

Write filename flash.bin as full flash (currently only works in da mode)

./mtk.py wf flash.bin

Write all files in directory "out" to the flash partitions

./mtk.py wl out

Erase flash

Erase boot partition (use --preloader for brom)

./mtk.py e boot

I need logs !

  • Run the mtk.py tool with --debugmode. Log will be written to log.txt (hopefully)

Rules / Infos

Chip details / configs

  • Go to config/brom_config.py
  • Unknown usb vid/pids for autodetection go to config/usb_ids.py
Comments
  • Xflash doesn't work on legacy devices


    Hi, for a few weeks I've always been interested in trying to unlock the bootloader with this tool. After several fixes this tool should work, but now I get this error that I don't know how to fix:

    [image]

    Thanks in advance

    enhancement 
    opened by XRedCubeX 29
  • Error on getting status on connection get_emmc_info/send_emi


    Microsoft Windows [versão 10.0.19042.1052] (c) Microsoft Corporation. Todos os direitos reservados.

    C:\Users\Mcdiniz>cd..

    C:\Users>cd..

    C:\>cd mtkclient-main

    C:\mtkclient-main>py mtk printgpt
    Capstone library is missing (optional).
    Keystone library is missing (optional).
    MTK Flash/Exploit Client V1.41 (c) B.Kerler 2018-2021
    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
    Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry
    Preloader
    Preloader - [LIB]: Status: Handshake failed, please retry

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........
    Port - Device detected :)
    Preloader - CPU: MT6739/MT6731()
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0xb4
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x2
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x699
    Preloader - Target config: 0xe5
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - ME_ID: 18B4C2D22A72052A1E0CFE67A32C8CB3
    Preloader - SOC_ID: 2B86505243A63FB955E98AD4193B2BC84D86A0590B5C7D50DDDB8AA9C3F7B534
    PLTools - Loading payload from C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\mt6739_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    DAXFlash - Successfully received DA sync
    Traceback (most recent call last):
      File "C:\mtkclient-main\mtk", line 1034, in <module>
        mtk = Main().run()
      File "C:\mtkclient-main\mtk", line 667, in run
        if not mtk.daloader.upload_da(preloader=preloader):
      File "C:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 87, in upload_da
        return self.da.upload_da()
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 961, in upload_da
        emmc_info=self.get_emmc_info(False)
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 563, in get_emmc_info
        status=self.status()
      File "C:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 226, in status
        magic, datatype, length = unpack("<III", hdr)
    struct.error: unpack requires a buffer of 12 bytes

    C:\mtkclient-main>

    bug 
    opened by ligteltelecom 25
  • unpack requires a buffer of 12 bytes


    C:\mtk\Python39\Doc>C:\mtk\Python39\python mtk printgpt
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    Port - Device detected :)
    Preloader - CPU: MT6765(Helio P35/G35)
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0x25
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x766
    Preloader - Target config: 0xe7
    Preloader - SBC enabled: True
    Preloader - SLA enabled: True
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xca00
    Preloader - SW Ver: 0x0
    Preloader - ME_ID: A370334038856A78CE1122089D50D053
    Preloader - SOC_ID: 62334295B1C499DB5046FC5BFF5187C83D494C685493537B1C08B0DFE3D44DAC
    PLTools - Loading payload from C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\mtk\Python39\Doc\mtkclient\payloads\mt6765_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - DRAM config needed for : 150100424a544434
    DAXFlash - Sending emi data ...
    DAXFlash
    DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
    Main
    Main - [LIB]: Error uploading da

    opened by deyvs02 24
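The two reports above both end in `unpack requires a buffer of 12 bytes`, which the traceback places at `unpack("<III", hdr)`: the header buffer was shorter than the 12 bytes that format needs. The following added example (not mtkclient's code) shows a read path that collects the full header before unpacking and reports a short read explicitly; the magic value, the payload bound, the meaning of `length` and the `ChunkedTransport` stand-in are assumptions made for the illustration.

```python
import struct

HDR_FMT = "<III"                    # magic, datatype, length (format string from the traceback)
HDR_LEN = struct.calcsize(HDR_FMT)  # 12 bytes
ASSUMED_MAGIC = 0x4D41474B          # constructed placeholder, not the tool's real magic
MAX_PAYLOAD = 1 << 20               # assumed sanity bound on one status payload


class ShortRead(Exception):
    """The transport stopped delivering data before the frame was complete."""


class BadFrame(Exception):
    """The header arrived in full but its fields are not plausible."""


def read_exact(read, n, max_empty=3):
    """Collect exactly n bytes from read(k), which may return fewer than k.

    A few empty reads (timeouts) are tolerated; after max_empty in a row the
    partial data is reported instead of being handed to struct.unpack.
    """
    buf = bytearray()
    empty = 0
    while len(buf) < n:
        chunk = read(n - len(buf))
        if chunk:
            buf += chunk
            empty = 0
            continue
        empty += 1
        if empty >= max_empty:
            raise ShortRead(
                f"wanted {n} bytes, got {len(buf)} (partial data: {bytes(buf).hex() or 'none'})"
            )
    return bytes(buf)


def read_status_frame(read, magic=ASSUMED_MAGIC):
    """Read one header plus payload and return (datatype, payload)."""
    hdr = read_exact(read, HDR_LEN)
    got_magic, datatype, length = struct.unpack(HDR_FMT, hdr)
    if got_magic != magic:
        raise BadFrame(f"unexpected magic 0x{got_magic:08x}")
    if length > MAX_PAYLOAD:
        raise BadFrame(f"implausible length {length}")
    # Assumption: 'length' counts the payload bytes that follow the header.
    return datatype, read_exact(read, length)


class ChunkedTransport:
    """Constructed stand-in for a bulk IN endpoint that delivers queued chunks."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def read(self, n):
        if not self._chunks:
            return b""               # nothing more to deliver: behaves like a timeout
        chunk = self._chunks.pop(0)
        if len(chunk) > n:           # keep the surplus for the next call
            self._chunks.insert(0, chunk[n:])
            chunk = chunk[:n]
        return chunk


if __name__ == "__main__":
    # Constructed frame: header split across two transfers with a timeout between them.
    frame = struct.pack(HDR_FMT, ASSUMED_MAGIC, 1, 4) + b"\x2a\x00\x00\x00"
    ok = ChunkedTransport([frame[:5], b"", frame[5:12], frame[12:]])
    print(read_status_frame(ok.read))
    try:
        read_status_frame(ChunkedTransport([frame[:7]]).read)
    except ShortRead as exc:
        print("short read:", exc)
```

A `ShortRead` that carries the byte count and the partial data tells the person triaging the report whether the device sent nothing, sent a truncated header, or sent something that is not a status frame at all.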
  • Moto E6s 2020: cannot connect to device due to "Operation not supported or unimplemented on this platform"

    Status: Waiting for PreLoader VCOM, please connect mobile
    Couldn't detect the device. Is it connected ?
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Hint:
    
    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    
    Couldn't detect the device. Is it connected ?
    Couldn't detect the device. Is it connected ?
      CONFIGURATION 1: 500 mA ==================================
       bLength              :    0x9 (9 bytes)
       bDescriptorType      :    0x2 Configuration
       wTotalLength         :   0x46 (70 bytes)
       bNumInterfaces       :    0x2
       bConfigurationValue  :    0x1
       iConfiguration       :    0x3 USB CDC ACM for preloader
       bmAttributes         :   0xc0 Self Powered
       bMaxPower            :   0xfa (500 mA)
        INTERFACE 1: CDC Data ==================================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x1
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x2
         bInterfaceClass    :    0xa CDC Data
         bInterfaceSubClass :    0x0
         bInterfaceProtocol :    0x0
         iInterface         :    0x4 CDC ACM Data Interface
          ENDPOINT 0x1: Bulk OUT ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :    0x1 OUT
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
          ENDPOINT 0x81: Bulk IN ===============================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x81 IN
           bmAttributes     :    0x2 Bulk
           wMaxPacketSize   :  0x200 (512 bytes)
           bInterval        :    0x0
        INTERFACE 0: CDC Communication =========================
         bLength            :    0x9 (9 bytes)
         bDescriptorType    :    0x4 Interface
         bInterfaceNumber   :    0x0
         bAlternateSetting  :    0x0
         bNumEndpoints      :    0x1
         bInterfaceClass    :    0x2 CDC Communication
         bInterfaceSubClass :    0x2
         bInterfaceProtocol :    0x1
         iInterface         :    0x5 CDC ACM Communication Interface
          ENDPOINT 0x83: Interrupt IN ==========================
           bLength          :    0x8 (7 bytes)
           bDescriptorType  :    0x5 Endpoint
           bEndpointAddress :   0x83 IN
           bmAttributes     :    0x3 Interrupt
           wMaxPacketSize   :   0x40 (64 bytes)
           bInterval        :   0x10
    No kernel driver supported: Operation not supported or unimplemented on this platform
    No kernel driver supported: Operation not supported or unimplemented on this platform
    [Errno 10060] Operation timed out
    [Errno 10060] Operation timed out
    Status: Handshake failed, retrying...
    Operation not supported or unimplemented on this platform
    Couldn't detect the device. Is it connected ?
    
    Hint:
    
    Power off the 
    

    Specs: https://www.gsmarena.com/motorola_moto_e6s_(2020)-10135.php

    Platform | Value
    -- | --
    OS | Android 9.0 (Pie)
    Chipset | Mediatek MT6762 Helio P22 (12 nm)
    CPU | Octa-core 2.0 GHz Cortex-A53
    GPU | PowerVR GE8320
    
    bug 
    opened by mslhii 23
  • sej - HACC init stuck


    E:\mtkclient-main>python mtk xflash seccfg unlock
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........
    Port - Device detected :)
    Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18)
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212c00
    Preloader - Var1: 0xa
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x326
    Preloader - Target config: 0x1
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: False
    Preloader - SWJTAG enabled: False
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: False
    Preloader - Mem write auth: False
    Preloader - Cmd 0xC8 blocked: False
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x1
    Preloader - ME_ID: 5636FD6EB5F5D5C8723BEC0713B26A3B
    Main - Device is unprotected.
    PLTools - Loading payload from E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin, 0x258 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: E:\mtkclient-main\mtkclient\payloads\mt6755_payload.bin
    Port - Device detected :)
    Main
    Main - [LIB]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
    DAXFlash - Uploading stage 1...
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - Sending emi data ...
    DAXFlash - Sending emi data succeeded.
    DAXFlash - Uploading stage 2...
    DAXFlash - Successfully uploaded stage 2
    DAXFlash - EMMC FWVer: 0x0
    DAXFlash - EMMC ID: RC14MB
    DAXFlash - EMMC CID: 150100524331344d42071a92d0ae9353
    DAXFlash - EMMC Boot1 Size: 0x400000
    DAXFlash - EMMC Boot2 Size: 0x400000
    DAXFlash - EMMC GP1 Size: 0x0
    DAXFlash - EMMC GP2 Size: 0x0
    DAXFlash - EMMC GP3 Size: 0x0
    DAXFlash - EMMC GP4 Size: 0x0
    DAXFlash - EMMC RPMB Size: 0x400000
    DAXFlash - EMMC USER Size: 0xe8f800000
    DAXFlash - Reconnecting to preloader
    DAXFlash - Connected to preloader
    DAXFlash - DA-CODE : 0x50B76
    DAXFlash
    DAXFlash - [LIB]: Error on sending data: DA hash mismatch (0xc0070004)
    DAXFlash
    DAXFlash - [LIB]: DA Extensions failed to enable
    sej - HACC init

    Traceback (most recent call last):
      File "E:\mtkclient-main\mtk", line 1704, in <module>
        mtk = Main(args).run()
      File "E:\mtkclient-main\mtk", line 1097, in run
        mtk.daloader.seccfg(args.flag)
      File "E:\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 173, in seccfg
        return self.xft.seccfg(lockflag)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 444, in seccfg
        sc_new.create(prelock, hwtype)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 74, in create
        enc_hash = self.hwc.sej.sej_sec_cfg_hw(dec_hash, True)
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 489, in sej_sec_cfg_hw
        self.SEJ_Init(encrypt=encrypt)
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 281, in SEJ_Init
        if self.reg.HACC_ACON2 > 0x80000000:
      File "E:\mtkclient-main\mtkclient\Library\hwcrypto_sej.py", line 83, in getattribute
        return self.read32(addr)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 278, in readmem
        val = self.custom_read(addr + pos * 4, 4)
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 247, in custom_read
        if self.cmd(XCmd.CUSTOM_READ):
      File "E:\mtkclient-main\mtkclient\Library\xflash_ext.py", line 237, in cmd
        if self.xsend(self.xflash.Cmd.DEVICE_CTRL):
      File "E:\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 185, in xsend
        return self.usbwrite(data)
      File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 460, in usbwrite
        res = self.write(data, pktsize)
      File "E:\mtkclient-main\mtkclient\Library\usblib.py", line 391, in write
        ctr = self.EP_OUT.write(command[pos:pos + pktsize])
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 408, in write
        return self.device.write(self, data, timeout)
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 979, in write
        return fn(
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 837, in bulk_write
        return self.__write(self.lib.libusb_bulk_transfer,
      File "C:\Users\Ryan\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 930, in __write
        retval = fn(dev_handle.handle,
    KeyboardInterrupt
    ^C
    E:\mtkclient-main>

    opened by lczact 20
  • My Device cannot Connect


    Already put USB no button, usb with power up (Handshake failure), usb with power down and up (Handshake failure). What is the problem?

    C:\MTK>python mtk e backup --preloader=preloader_k65v1_64_bsp.bin
    MTK Flash/Exploit Client V1.50 (c) B.Kerler 2018-2021

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    ...........

    Port - Hint:

    Power off the phone before connecting. For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb. For preloader mode, don't press any hw button and connect usb.

    opened by Linssang 18
  • Crash at kamakiri2 Stage


    opened by azwhikaru 17
  • MT6739 ERROR DA-CODE : 0x999F0

    Port - Device detected :)
    Preloader - CPU: MT6739/MT6731()
    Preloader - HW version: 0x0
    Preloader - WDT: 0x10007000
    Preloader - Uart: 0x11002000
    Preloader - Brom payload addr: 0x100a00
    Preloader - DA payload addr: 0x201000
    Preloader - CQ_DMA addr: 0x10212000
    Preloader - Var1: 0xb4
    Preloader - Disabling Watchdog...
    Preloader - HW code: 0x699
    Preloader - Target config: 0xe5
    Preloader - SBC enabled: True
    Preloader - SLA enabled: False
    Preloader - DAA enabled: True
    Preloader - SWJTAG enabled: True
    Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
    Preloader - Root cert required: False
    Preloader - Mem read auth: True
    Preloader - Mem write auth: True
    Preloader - Cmd 0xC8 blocked: True
    Preloader - HW subcode: 0x8a00
    Preloader - HW Ver: 0xcb00
    Preloader - SW Ver: 0x2
    Preloader - ME_ID: 09DA2F8B575108A8A1C3D49F6143330A
    Preloader - SOC_ID: DB3F67997429C9F8DFF6778CEBE3485BFA87F3937F2BA4C5D148F5D48B52679D
    PLTools - Loading payload from mt6739_payload.bin, 0x264 bytes
    PLTools - Kamakiri / DA Run
    Kamakiri - Trying kamakiri2..
    Kamakiri - Done sending payload...
    PLTools - Successfully sent payload: C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\payloads\mt6739_payload.bin
    Port - Device detected :)
    Main - Device is protected.
    Main - Device is in BROM mode. Trying to dump preloader.
    DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.1824.bin
    DAXFlash - Successfully uploaded stage 1, jumping ..
    Preloader - Jumping to 0x200000
    Preloader - Jumping to 0x200000: ok.
    DAXFlash - Successfully received DA sync
    DAXFlash - Sending emi data ...
    DAXFlash - Sending emi data succeeded.
    DAXFlash - Uploading stage 2...
    DAXFlash - Successfully uploaded stage 2
    DAXFlash - EMMC FWVer: 0x0
    DAXFlash - EMMC ID: FJ25AB
    DAXFlash - EMMC CID: 150100464a323541420229d590ffc269
    DAXFlash - EMMC Boot1 Size: 0x400000
    DAXFlash - EMMC Boot2 Size: 0x400000
    DAXFlash - EMMC GP1 Size: 0x0
    DAXFlash - EMMC GP2 Size: 0x0
    DAXFlash - EMMC GP3 Size: 0x0
    DAXFlash - EMMC GP4 Size: 0x0
    DAXFlash - EMMC RPMB Size: 0x80000
    DAXFlash - EMMC USER Size: 0xe9000000
    DAXFlash - DA-CODE : 0x999F0
    Traceback (most recent call last):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 1709, in <module>
        mtk = Main(args).run()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtk", line 662, in run
        if not mtk.daloader.upload_da(preloader=preloader):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daloader.py", line 141, in upload_da
        return self.da.upload_da()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 1093, in upload_da
        if self.boot_to(at_address=0x68000000, da=daextdata):
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 341, in boot_to
        status = self.status()
      File "C:\Users\Chappie\Downloads\Compressed\mtkclient-main\mtkclient-main\mtkclient\Library\mtk_daxflash.py", line 211, in status
        magic, datatype, length = unpack("<III", hdr)
    struct.error: unpack requires a buffer of 12 bytes

    opened by StelinFex 16
  • Console multiple commands


    Hi,

    I know this question has been asked many times, but since you made the mtk_gui script perform several commands on the same connection, the mtk script can do that too. Can you please edit that or help to do that?

    It is very important

    Thanks in advance

    @bkerler

    opened by breakersvd 14
  •  [LIB]: Status: Handshake failed, retrying


    python mtk payload --metamode FASTBOOT

    DeviceClass - [LIB]: Couldn't get device configuration.
    .Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...
    Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...

    opened by cata332 13
  • Cannot read ROM with MT6592


    Impossible to do anything other than extracting the preloader. Here is the log file and the extracted preloader. For info, SP Flash Tool gets stuck also.

    ErrorLog.txt
    preloader_sf6592_wet_l.zip

    Any help to understand what is missing? Thanks

    opened by Martilb 13
  • Unlock Bootloader support on Xiaomi D810 (MT6833)


    Hey @bkerler , can you please add the bootloader unlock support for the following devices:

    • Redmi Note 11T 5G (evergo)
    • POCO M4 Pro 5G (evergreen)
    • Redmi Note 11S 5G (opal)

    Thanks in advance!

    opened by Sushrut1101 0
  • [Report] Failed to get device configuration on ColorOS 13/realmeUI 4 [RMX3242] [MT6833]


    Hi, I've realme 8 5G/Narzo 30 5G, the device is stuck in brom mode and I can see OPLUS Preloader in Device Manager, but mtk fails with the following logs:

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.
    If it is already connected and on, hold power for 10 seconds to reset.

    .....DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass
    DeviceClass - [LIB]: Couldn't get device configuration.
    .DeviceClass

    Looks like realme/OPLUS has locked down brom completely on realmeUI4/ColorOS 13

    The device uses MediaTek Dimensity 700 (MT6833) SoC, currently on stock Android T fw.

    mtkclient used to work on Android R & S fw but it does not on T firmware now.

    Would be huge help if you can look into that @bkerler . Thank you in advance

    opened by techyminati 0
  • Failing handshake


    I am successful on other phones, but on one particular phone (tecno pop 5 pro bd4h), which I really need to flash, I am getting this same error no matter what command I put.

    .....Preloader
    Preloader - [LIB]: Status: Handshake failed, retrying...

    mtk client output.txt

    The log is in the attached file in the link above

    opened by patrick777777777 1
  • receive dvb-s signals by mt6762 helio p22 reverse engineering on Samsung Galaxy A10s


    I came across a project named cyrozap/mediatek-lte-baseband-re on GitHub. In order to receive dvb-s channels by the lte chipset on my smartphone (Samsung Galaxy A10s), lte baseband reverse engineering is required. I think that we require a dvb-s driver for mt6762 helio p22 and an app for watching dvb-s channels.

    Would you please let me know how we can implement this work on my phone? Please guide me in this regard. Thank you very much.

    opened by bracop8 0
  • Need clarification for stage2 keys command


    Hi,

    Could you please clarify what the stage2 keys command does? The description says "write memory", which is not really helpful. Which one of the following is correct description of the functionality?

    • generates new keys and stores them in hwparam file
    • fetches existing keys and stores them in hwparam file
    opened by viraniac 0
Releases(1.52)
Owner
Bjoern Kerler
Reverse Engineer and Data/Crypto Analyst. QC and MTK Trustzone Pwner.