# MTKClient

![Logo](mtkclient/gui/images/logo_256.png)

Just some MTK tool for exploitation, reading/writing flash and doing crazy stuff.

For Windows, you need to install the stock MTK serial port driver and the UsbDk driver (see instructions below).

For Linux, a patched kernel is only needed when using the old kamakiri attack (see the Setup folder); reading/writing flash does not need it.

Once the mtk script is running, boot into BROM mode: power off the device, press and hold either
vol up + power or vol down + power, and connect the phone. Once the tool has detected the device,
release the buttons.

## MT6781, MT6789, MT6855, MT6886, MT6895, MT6983, MT8985

- These chipsets use a new protocol called V6 and the bootrom is patched, so you need a valid DA via the `--loader` option.
- On some devices the preloader is deactivated, but you can still use it by running `adb reboot edl`.
- This currently only works with UNFUSED devices.
- For devices with DAA, SLA and Remote-Auth activated, no public solution currently exists (for various reasons).

## Credits

- kamakiri [xyzz]
- linecode exploit [chimera]
- Chaosmaster
- Geert-Jan Kreileman (GUI, design & fixes)
- All contributors

## Installation

### Use the LiveDVD (everything ready to go, based on Ubuntu 22.04 LTS):

User: user, Password: user

[Live DVD V4](https://www.androidfilehost.com/?fid=15664248565197184488)

[Live DVD V4 Mirror](https://drive.google.com/file/d/10OEw1d-Ul_96MuT3WxQ3iAHoPC4NhM_X/view?usp=sharing)

## Install

### Linux - (Ubuntu recommended, no patched kernel needed except for kamakiri)

#### Install python >=3.8, git and other deps

#### For Debian/Ubuntu

```
sudo apt install python3 git libusb-1.0-0 python3-pip libfuse2
```

#### For ArchLinux

```
(sudo) pacman -S python python-pip git libusb fuse2
```

or

```
yay -S python python-pip git libusb fuse2
```

#### For Fedora

```
sudo dnf install python3 git libusb1 fuse
```

#### Grab files

```
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt
pip3 install .
```

#### Install rules

```
sudo usermod -a -G plugdev $USER
sudo usermod -a -G dialout $USER
sudo cp mtkclient/Setup/Linux/*.rules /etc/udev/rules.d
sudo udevadm control -R
sudo udevadm trigger
```

Make sure to reboot after adding the user to dialout/plugdev. If the device
has a vendor interface 0xFF (like LG), make sure to add "blacklist qcaux" to
"/etc/modprobe.d/blacklist.conf".

---------------------------------------------------------------------------------------------------------------

### macOS

#### Install brew, macFUSE, OpenSSL

```
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install macfuse openssl
```

(The first line pipes a remote script straight into bash; download and read it first if your policy requires that.)

You may need to **reboot**

#### Grab files

```
git clone https://github.com/bkerler/mtkclient
cd mtkclient
```

#### Create python 3.9 venv and install dependencies

```
python3.9 -m venv mtk_venv
source mtk_venv/bin/activate
pip3 install --pre --no-binary capstone capstone
pip3 install PySide6 libusb
pip3 install -r requirements.txt
```

---------------------------------------------------------------------------------------------------------------

### Windows

#### Install python + git

- Install python >= 3.9 and git
- If you install python from the Microsoft Store, "python setup.py install" will fail, but that step isn't required.
- Open a command prompt: WIN+R, then `cmd`

#### Install WinFsp (for fuse)

Download and install [here](https://winfsp.dev/rel/)

#### Grab files and install

```
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt
```

#### Get latest UsbDk 64-Bit

- Install the normal MTK Serial Port driver (or use the default Windows COM Port one; make sure no exclamation mark is shown in Device Manager)
- Get the UsbDk installer (.msi) from [here](https://github.com/daynix/UsbDk/releases/) and install it
- Test on device connect using "UsbDkController -n": you should see a device with 0x0E8D 0x0003
- Works fine under Windows 10 and 11 :D

#### Building wheel issues (creds to @Oyoh-Edmond)

##### Download and Install the Build Tools:

Go to the Visual Studio Build Tools [download](https://visualstudio.microsoft.com/visual-cpp-build-tools) page.
Download the installer and run it.

###### Select the Necessary Workloads:

In the installer, select the "Desktop development with C++" workload.
Ensure that the "MSVC v142 - VS 2019 C++ x64/x86 build tools" (or later) component is selected.
You can also check "Windows 10 SDK" if it's not already selected.

###### Complete the Installation:

Click on the "Install" button to begin the installation.
Follow the prompts to complete the installation.
Restart your computer if required.

---------------------------------------------------------------------------------------------------------------

### Use kamakiri (optional, only needed for mt6260 or older)

- For Linux (kamakiri attack), you need to recompile your Linux kernel using this kernel patch:

```
sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev libdw-dev
git clone https://git.kernel.org/pub/scm/devel/pahole/pahole.git
cd pahole && mkdir build && cd build && cmake .. && make && sudo make install
sudo mv /usr/local/libdwarves* /usr/local/lib/ && sudo ldconfig
```

```
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-`uname -r`.tar.xz
tar xvf linux-`uname -r`.tar.xz
cd linux-`uname -r`
patch -p1 < ../Setup/kernelpatches/disable-usb-checks-5.10.patch
cp -v /boot/config-$(uname -r) .config
make menuconfig
make
sudo make modules_install
sudo make install
```

Note that `uname -r` only yields a valid kernel.org tarball name when it is a plain upstream version (e.g. 5.10.x); distribution kernels append suffixes such as `-generic`, so substitute the upstream version by hand in that case. The patch path is relative to the mtkclient checkout. The patch disables USB sanity checks in the host kernel, so run such a kernel on a dedicated analysis machine or VM rather than your daily driver.

- These aren't needed for current Ubuntu (make install already does this; just for reference):

```
sudo update-initramfs -c -k `uname -r`
sudo update-grub
```

See Setup/kernels for ready-to-use kernel setups

- Reboot

```
sudo reboot
```

---------------------------------------------------------------------------------------------------------------

## Usage

### Using MTKTools via the graphical user interface:

For the 'basics' you can use the GUI. This supports dumping partitions or the full flash for now. Run the following command:

```
python mtk_gui.py
```

### Using stock MTK functionality without exploits:

```
python mtk.py --stock
```

### Run multiple commands

```bash
python mtk.py script run.example
```

See the file "[run.example](https://github.com/bkerler/mtkclient/blob/main/run.example)" on how to structure the script file

### Root the phone (Tested with Android 9 - 12)

1. Dump boot and vbmeta

```
python mtk.py r boot,vbmeta boot.img,vbmeta.img
```

2. Reboot the phone

```
python mtk.py reset
```

3. Download Magisk:

Download the latest Magisk [here](https://github.com/topjohnwu/Magisk/releases/latest)

4. Install on the target phone

- you need to enable USB debugging: Settings/About phone/Version, tap 7x on the build number
- Go to Settings/Additional settings/Developer options, enable "OEM unlock" and "USB Debugging"
- Install the Magisk apk

```
adb install app-release.apk
```

- accept the RSA auth request on the phone screen to allow the adb connection

5. Upload boot to /sdcard/Download

```
adb push boot.img /sdcard/Download
```

6. Start Magisk, tap on Install, select boot.img from /sdcard/Download, then:

```
adb pull /sdcard/Download/[displayed magisk patched boot filename here]
mv [displayed magisk patched boot filename here] boot.patched
```

7. Do the steps in the section "Unlock bootloader" below

8. Flash the Magisk-patched boot and disable verity + verification on vbmeta

```
python mtk.py da vbmeta 3
python mtk.py w boot boot.patched
```

With verity and verification disabled, AVB no longer checks the boot chain at all: anyone with physical access can flash an arbitrary boot image and the device will run it. Keep the original boot.img and vbmeta.img so you can restore the verified state.

9. Reboot the phone

```
python mtk.py reset
```

10. Disconnect the USB cable and enjoy your rooted phone :)
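The `3` in `da vbmeta 3` is the AVB 2.0 header flags word: bit 0 disables the dm-verity hashtree, bit 1 disables verification. The following is an added example, not code from mtkclient, that decodes the header of the `vbmeta.img` dumped in step 1 and produces a copy with both bits set, so you can check what the device had before and after. It follows the libavb `AvbVBMetaImageHeader` layout (big-endian, flags at byte 120); that mtkclient's `da vbmeta` command writes exactly this field is an assumption. The sample image it runs on without arguments is constructed, not a real dump. libavb tolerates the resulting verification error only on an unlocked bootloader, which is why step 7 comes before step 8.

```python
import struct
import sys

# AVB 2.0 vbmeta header layout (AvbVBMetaImageHeader, big-endian fields). The
# flags word lives at byte 120. Offsets follow the libavb header definition;
# that "da vbmeta 3" writes this same field is an assumption, not shown on the page.
AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256
FLAGS_OFFSET = 120
FLAG_HASHTREE_DISABLED = 1 << 0       # dm-verity hashtree no longer enforced
FLAG_VERIFICATION_DISABLED = 1 << 1   # signature and hash checks skipped entirely


def parse_vbmeta(img):
    """Decode the header fields a practitioner checks before and after patching."""
    if len(img) < HEADER_SIZE or img[:4] != AVB_MAGIC:
        raise ValueError("not an AVB vbmeta image (missing AVB0 magic)")
    major, minor = struct.unpack_from(">II", img, 4)
    auth_size, aux_size = struct.unpack_from(">QQ", img, 12)
    algorithm = struct.unpack_from(">I", img, 28)[0]
    rollback = struct.unpack_from(">Q", img, 112)[0]
    flags = struct.unpack_from(">I", img, FLAGS_OFFSET)[0]
    return {
        "libavb_version": (major, minor),
        "auth_block_size": auth_size,
        "aux_block_size": aux_size,
        "algorithm": algorithm,          # 0 == AVB_ALGORITHM_TYPE_NONE (unsigned)
        "rollback_index": rollback,
        "flags": flags,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
    }


def set_vbmeta_flags(img, flags):
    """Return a copy of img with the header flags word replaced (input left untouched)."""
    parse_vbmeta(img)                      # validates size and magic first
    out = bytearray(img)
    struct.pack_into(">I", out, FLAGS_OFFSET, flags & 0xFFFFFFFF)
    return bytes(out)


def make_sample_vbmeta(flags=0):
    """Constructed, unsigned 256-byte header for offline use; not a real device dump."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = AVB_MAGIC
    struct.pack_into(">II", hdr, 4, 1, 0)        # required libavb version 1.0
    struct.pack_into(">QQ", hdr, 12, 0, 0)       # no authentication / auxiliary blocks
    struct.pack_into(">I", hdr, 28, 0)           # AVB_ALGORITHM_TYPE_NONE
    struct.pack_into(">Q", hdr, 112, 0)          # rollback index
    struct.pack_into(">I", hdr, FLAGS_OFFSET, flags)
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python vbmeta_flags.py vbmeta.img [vbmeta.patched]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_vbmeta()
    print("before:", parse_vbmeta(data))
    patched = set_vbmeta_flags(data, FLAG_HASHTREE_DISABLED | FLAG_VERIFICATION_DISABLED)
    print("after: ", parse_vbmeta(patched))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Run it on the dumped `vbmeta.img` before step 8 to confirm the flags are 0, and again on a fresh dump afterwards to confirm they read 3; a non-zero `auth_block_size` tells you the image was signed, and that signature is what verification-disabled tells the bootloader to ignore.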

### Boot to meta mode via payload

Example:

```
python mtk.py payload --metamode FASTBOOT
```

### Dump preloader (eMMC boot1 hardware partition)

```
python mtk.py r preloader preloader.bin --parttype boot1
```

### Dump serialnumber / special partition (eMMC boot2 hardware partition)

```
python mtk.py r preloader preloader.bin --parttype boot2
```

### Read efuses

Example:

```
python mtk.py da efuse
```

### Unlock bootloader

1. Erase metadata and userdata (and md_udc if it exists). This wipes all user data on the device, so back it up first:

```
python mtk.py e metadata,userdata,md_udc
```

2. Unlock bootloader:

```
python mtk.py da seccfg unlock
```

for relocking use:

```
python mtk.py da seccfg lock
```

3. Reboot the phone:

```
python mtk.py reset
```

and disconnect the USB cable to let the phone reboot.

If you are getting a dm-verity error on Android 11, just press the power button;
the device should then show a yellow warning about the unlocked bootloader and
boot within 5 seconds.

### Read flash

Dump boot partition to filename boot.bin via preloader

```
python mtk.py r boot boot.bin
```

Dump boot partition to filename boot.bin via bootrom

```
python mtk.py r boot boot.bin [--preloader=Loader/Preloader/your_device_preloader.bin]
```

Dump preloader partition to filename preloader.bin via bootrom

```
python mtk.py r preloader preloader.bin --parttype=boot1 [--preloader=Loader/Preloader/your_device_preloader.bin]
```

Read full flash to filename flash.bin (use --preloader for brom)

```
python mtk.py rf flash.bin
```

Read full flash to filename flash.bin (use --preloader for brom) for IoT devices (MT6261/MT2301):

```
python mtk.py rf flash.bin --iot
```

Read flash offset 0x128000 with length 0x200000 to filename flash.bin (use --preloader for brom)

```
python mtk.py ro 0x128000 0x200000 flash.bin
```

Dump all partitions to directory "out" (use --preloader for brom)

```
python mtk.py rl out
```

Show GPT (use --preloader for brom)

```
python mtk.py printgpt
```

Mount the flash as a filesystem

```
python mtk.py fs /mnt/mtk
```

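`ro` and `wo` take raw byte offsets, and `printgpt` is how you find them on a live device. As an added example (not code from mtkclient), the following standalone parser reads the primary GPT from a full `rf` dump offline, verifies both header and partition-array CRC32s, and turns a partition name into the offset/length pair `ro` expects. It assumes 512-byte LBAs for the user area, which is what eMMC exposes; the sample layout it builds when run without arguments is constructed so that `boot` lands on the same 0x128000/0x200000 used in the example above.

```python
import struct
import sys
import uuid
import zlib

SECTOR = 512                 # LBA size assumed for the eMMC/UFS user-area dump
GPT_SIGNATURE = b"EFI PART"


def parse_gpt(flash, sector=SECTOR):
    """Parse the primary GPT (header at LBA1) of a raw user-area dump, checking both CRCs."""
    hdr = flash[sector:2 * sector]
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA1")
    header_size, header_crc = struct.unpack_from("<II", hdr, 12)
    zeroed = bytearray(hdr[:header_size])
    struct.pack_into("<I", zeroed, 16, 0)          # CRC is computed with its own field zeroed
    if zlib.crc32(bytes(zeroed)) & 0xFFFFFFFF != header_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * sector
    table = flash[start:start + n_entries * entry_size]
    if zlib.crc32(table) & 0xFFFFFFFF != entries_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        if e[:16] == bytes(16):                      # all-zero type GUID == unused slot
            continue
        first, last, attrs = struct.unpack_from("<QQQ", e, 32)
        name = e[56:128].decode("utf-16-le").split("\x00", 1)[0]
        parts.append({"name": name, "first_lba": first, "last_lba": last,
                      "attrs": attrs, "type_guid": str(uuid.UUID(bytes_le=e[:16]))})
    return parts


def ro_args(parts, name, sector=SECTOR):
    """(offset, length) in bytes for 'mtk.py ro' to read one named partition by raw offset."""
    for p in parts:
        if p["name"] == name:
            return p["first_lba"] * sector, (p["last_lba"] - p["first_lba"] + 1) * sector
    raise KeyError(name)


def build_sample_gpt(parts, sector=SECTOR, n_entries=128, entry_size=128):
    """Constructed GPT image (LBA0 blank, header at LBA1, entries from LBA2) for offline tests."""
    table = bytearray(n_entries * entry_size)
    for i, (name, first, last) in enumerate(parts):
        base = i * entry_size
        table[base:base + 16] = uuid.UUID(int=0x1000 + i).bytes_le       # dummy type GUID
        table[base + 16:base + 32] = uuid.UUID(int=0x2000 + i).bytes_le  # dummy unique GUID
        struct.pack_into("<QQQ", table, base + 32, first, last, 0)
        nb = name.encode("utf-16-le")
        table[base + 56:base + 56 + len(nb)] = nb
    table_sectors = -(-len(table) // sector)
    hdr = bytearray(92)
    hdr[:8] = GPT_SIGNATURE
    struct.pack_into("<IIII", hdr, 8, 0x00010000, 92, 0, 0)   # revision, size, crc (later), reserved
    struct.pack_into("<QQQQ", hdr, 24, 1, 0, 2 + table_sectors, max(p[2] for p in parts))
    hdr[56:72] = uuid.UUID(int=0x3000).bytes_le                # dummy disk GUID
    struct.pack_into("<QIII", hdr, 72, 2, n_entries, entry_size, zlib.crc32(bytes(table)) & 0xFFFFFFFF)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    img = bytearray(sector * (2 + table_sectors))
    img[sector:sector + 92] = hdr
    img[2 * sector:2 * sector + len(table)] = table
    return bytes(img)


if __name__ == "__main__":
    # Usage: python gpt_offsets.py flash.bin boot   (no args: run on the constructed sample)
    if len(sys.argv) > 2:
        flash = open(sys.argv[1], "rb").read()
        name = sys.argv[2]
    else:
        flash = build_sample_gpt([("boot", 0x940, 0x193F), ("vbmeta", 0x1940, 0x1947)])
        name = "boot"
    parts = parse_gpt(flash)
    for p in parts:
        print("%-16s first=0x%x last=0x%x" % (p["name"], p["first_lba"], p["last_lba"]))
    off, length = ro_args(parts, name)
    print("python mtk.py ro 0x%x 0x%x %s.bin" % (off, length, name))
```

A CRC failure on a real dump usually means the dump is truncated or the sector size assumption is wrong (UFS devices commonly use 4096-byte LBAs; pass `sector=4096` in that case), not that the table is corrupt; `printgpt` on the device is the reference to compare against.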
### Write flash

(use --preloader for brom)

Keep a full dump (`rf`) before writing anything; a wrong image or offset can leave the device unbootable.

Write filename boot.bin to boot partition

```
python mtk.py w boot boot.bin
```

Write filename flash.bin as full flash (currently only works in DA mode)

```
python mtk.py wf flash.bin
```

Write all files in directory "out" to the flash partitions

```
python mtk.py wl out
```

Write file flash.bin to flash offset 0x128000 with length 0x200000 (use --preloader for brom)

```
python mtk.py wo 0x128000 0x200000 flash.bin
```

### Erase flash

Erase boot partition

```
python mtk.py e boot
```

Erase boot sectors

```
python mtk.py es boot [sector count]
```

### DA commands:

Peek memory

```
python mtk.py da peek [addr in hex] [length in hex] [optional: -filename filename.bin for reading to file]
```

Poke memory

```
python mtk.py da poke [addr in hex] [data as hexstring or -filename for reading from file]
```

Read rpmb (Only xflash for now)

```
python mtk.py da rpmb r [will read to rpmb.bin]
```

Write rpmb [Currently broken, xflash only]

```
python mtk.py da rpmb w filename
```

Generate and display rpmb1-3 key

```
python mtk.py da generatekeys
```

Unlock / Lock bootloader

```
python mtk.py da seccfg [lock or unlock]
```

---------------------------------------------------------------------------------------------------------------

### Bypass SLA, DAA and SBC (using generic_patcher_payload)

```
python mtk.py payload
```

If you want to use SP Flash Tool afterwards, make sure you select "UART" in the settings, not "USB".

### Dump preloader (via bootrom exploit)

- Device has to be in bootrom mode and the preloader has to be intact on the device

```
python mtk.py dumppreloader [--ptype=["amonet","kamakiri","kamakiri2","hashimoto"]] [--filename=preloader.bin]
```

### Dump brom

- Device has to be in bootrom mode, or DA mode has to be crashed to enter bootrom mode
- if no option is given, either kamakiri or DA will be used (DA for insecure targets)
- if "kamakiri" is given as an option, kamakiri is enforced
- Valid options are: "kamakiri" (via usb_ctrl_handler attack), "amonet" (via gcpu)
  and "hashimoto" (via cqdma)

```
python mtk.py dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]
```

To dump unknown bootroms, use the brute option:

```
python mtk.py brute
```

If it's successful, please open an issue over here and attach the bootrom in order to add full support.

---------------------------------------------------------------------------------------------------------------

### Crash DA in order to enter brom

```
python mtk.py crash [--vid=vid] [--pid=pid] [--interface=interface]
```

### Read memory using patched preloader

- Boot in Brom or crash to Brom

```
python mtk.py peek [addr] [length] --preloader=patched_preloader.bin
```

### Run custom payload

```
python mtk.py payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]
```

---------------------------------------------------------------------------------------------------------------

## Stage2 usage

### Run python mtk.py stage (brom) or python mtk.py plstage (preloader)

#### Run stage2 in bootrom

```
python mtk.py stage
```

#### Run stage2 in preloader

```
python mtk.py plstage
```

#### Run stage2 plstage in bootrom

- Boot in Brom or crash to Brom

```
python mtk.py plstage --preloader=preloader.bin
```

### Use stage2 tool

#### Leave stage2 and reboot

```
python stage2.py reboot
```

#### Read rpmb in stage2 mode

```
python stage2.py rpmb
```

#### Read preloader in stage2 mode

```
python stage2.py preloader
```

#### Read memory as hex data in stage2 mode

```
python stage2.py memread [start addr] [length]
```

#### Read memory to file in stage2 mode

```
python stage2.py memread [start addr] [length] --filename filename.bin
```

#### Write hex data to memory in stage2 mode

```
python stage2.py memwrite [start addr] --data [data as hexstring]
```

#### Write memory from file in stage2 mode

```
python stage2.py memwrite [start addr] --filename filename.bin
```

#### Extract keys

```
python stage2.py keys --mode [sej, dxcc]
```

For dxcc, you need to use plstage instead of stage

---------------------------------------------------------------------

### I have issues ....... please send logs and full console details !

- Run the mtk tool with --debugmode. The log will be written to log.txt (hopefully)

## Rules / Infos

### Chip details / configs

- Go to config/brom_config.py
- Unknown USB vid/pids for autodetection go to config/usb_ids.py

# [LEARNING_RESOURCES](https://github.com/bkerler/mtkclient/blob/main/learning_resources.md)