diff --git a/mtkclient/Library/mtk_class.py b/mtkclient/Library/mtk_class.py
index 351801c..7f45db9 100644
--- a/mtkclient/Library/mtk_class.py
+++ b/mtkclient/Library/mtk_class.py
@@ -34,7 +34,7 @@ class Mtk(metaclass=LogBase):
         if preinit:
             self.setup(self.vid, self.pid, self.interface, serialportname)
 
-    def patch_preloader_security(self, data):
+    def patch_preloader_security_da1(self, data):
         patched = False
         data = bytearray(data)
         patches = [
@@ -69,6 +69,40 @@ class Mtk(metaclass=LogBase):
             data = data
         return data
 
+    def patch_preloader_security_da2(self, data):
+        patched = False
+        data = bytearray(data)
+        patches = [
+            ("A3687BB12846", "0123A3602846", "oppo security"),
+            ("B3F5807F01D1", "B3F5807F01D14FF000004FF000007047", "mt6739 c30"),
+            ("B3F5807F04BF4FF4807305F011B84FF0FF307047", "B3F5807F04BF4FF480734FF000004FF000007047", "regular"),
+            ("10B50C680268", "10B5012010BD", "ram blacklist"),
+            ("08B5104B7B441B681B68", "00207047000000000000", "seclib_sec_usbdl_enabled"),
+            ("5072656C6F61646572205374617274","50617463686564204C205374617274", "Patched loader msg"),
+            ("F0B58BB002AE20250C460746","002070470000000000205374617274", "sec_img_auth"),
+            ("FFC0F3400008BD","FF4FF0000008BD","get_vfy_policy")
+        ]
+        i = 0
+        for patchval in patches:
+            pattern = bytes.fromhex(patchval[0])
+            idx = data.find(pattern)
+            if idx != -1:
+                patch = bytes.fromhex(patchval[1])
+                data[idx:idx + len(patch)] = patch
+                self.info(f"Patched \"{patchval[2]}\" in preloader")
+                patched = True
+                # break
+            i += 1
+        if not patched:
+            self.warning(f"Failed to patch preloader security")
+        else:
+            # with open("preloader.patched", "wb") as wf:
+            # wf.write(data)
+            # print("Patched !")
+            # self.info(f"Patched preloader security: {hex(i)}")
+            data = data
+        return data
+
     def parse_preloader(self, preloader):
         if isinstance(preloader, str):
             if os.path.exists(preloader):
diff --git a/mtkclient/Library/mtk_main.py b/mtkclient/Library/mtk_main.py
index 2366bc5..d15ecbc 100644
--- a/mtkclient/Library/mtk_main.py
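Review bot: In `patch_preloader_security_da2` every pattern is applied at the first `data.find` hit with no ambiguity check, and several patterns are only six bytes long (`"A3687BB12846"`, `"B3F5807F01D1"`, `"10B50C680268"`), short enough to recur in unrelated code, so a false-positive match silently rewrites the wrong site — worst for the `mt6739 c30` entry, whose 16-byte replacement also overwrites the ten bytes following a 6-byte match. I would count matches and make the log auditable before writing: `hits = data.count(pattern)`, `if hits > 1: self.warning(f"\"{patchval[2]}\" matched {hits} times, patching first at {hex(idx)}")`, and `self.info(f"Patched \"{patchval[2]}\" in preloader at {hex(idx)}")`. A match within `len(patch)` bytes of the end of the buffer would make the slice assignment grow the bytearray instead of failing, which presumably should be rejected with a check on `idx + len(patch) <= len(data)`. The `i` counter, `# break`, `data = data` and the commented-out dump code are dead and can go, and the placeholder-less `f"Failed to patch preloader security"` can be a plain string.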
+++ b/mtkclient/Library/mtk_main.py
@@ -459,7 +459,7 @@ class Main(metaclass=LogBase):
                 with open(plstage, "rb") as rf:
                     rf.seek(0)
                     if os.path.basename(plstage)!="pl.bin":
-                        pldata = mtk.patch_preloader_security(rf.read())
+                        pldata = mtk.patch_preloader_security_da1(rf.read())
                     else:
                         pldata = rf.read()
                 if mtk.preloader.init():
@@ -477,13 +477,13 @@ class Main(metaclass=LogBase):
                                  "Trying to dump preloader from ram.")
                     plt = PLTools(mtk=mtk, loglevel=self.__logger.level)
                     dadata, filename = plt.run_dump_preloader(self.args.ptype)
-                    mtk.config.preloader = mtk.patch_preloader_security(dadata)
+                    mtk.config.preloader = mtk.patch_preloader_security_da1(dadata)
                 if mtk.config.preloader_filename is not None:
                     self.info("Using custom preloader : " + mtk.config.preloader_filename)
                     mtk.preloader.setreg_disablewatchdogtimer(mtk.config.hwcode)
                     daaddr, dadata = mtk.parse_preloader(mtk.config.preloader_filename)
-                    dadata = mtk.config.preloader = mtk.patch_preloader_security(dadata)
+                    dadata = mtk.config.preloader = mtk.patch_preloader_security_da1(dadata)
                 if mtk.preloader.send_da(daaddr, len(dadata), 0x100, dadata):
                     self.info(f"Sent preloader to {hex(daaddr)}, length {hex(len(dadata))}")
                 if mtk.preloader.jump_da(daaddr):
diff --git a/mtkclient/Library/xflash_ext.py b/mtkclient/Library/xflash_ext.py
index 2bf9f39..c78b81e 100644
--- a/mtkclient/Library/xflash_ext.py
+++ b/mtkclient/Library/xflash_ext.py
@@ -173,7 +173,7 @@ class xflashext(metaclass=LogBase):
         self.info("Patching da1 ...")
         if da1 is not None:
             da1patched = bytearray(da1)
-            da1patched = self.mtk.patch_preloader_security(da1patched)
+            da1patched = self.mtk.patch_preloader_security_da1(da1patched)
             # Patch security
             da_version_check = find_binary(da1, b"\x1F\xB5\x00\x23\x01\xA8\x00\x93\x00\xF0\xDE\xFE")
@@ -187,7 +187,7 @@ class xflashext(metaclass=LogBase):
         return da1patched
 
     def patch_da2(self, da2):
-        da2 = self.mtk.patch_preloader_security(da2)
+        da2 = self.mtk.patch_preloader_security_da2(da2)
         # Patch error 0xC0030007
         self.info("Patching da2 ...")
         # open("da2.bin","wb").write(da2)