From 93da46b707dcca8f5eab4e9b1abdef3418badb4b Mon Sep 17 00:00:00 2001 From: Bjoern Kerler Date: Wed, 5 Jun 2024 16:47:38 +0200 Subject: [PATCH] Minor fixes --- README.md | 3 ++- mtk | 2 +- mtkclient/Library/DA/legacy/dalegacy_lib.py | 2 +- .../Library/DA/xflash/extension/xflash.py | 4 +++ mtkclient/Library/DA/xflash/xflash_lib.py | 14 +++++++++- mtkclient/Library/DA/xml/extension/v6.py | 26 ++++++++++++++++--- mtkclient/Library/DA/xml/xml_lib.py | 12 ++++++++- mtkclient/Library/Hardware/hwcrypto.py | 1 + mtkclient/Library/mtk_preloader.py | 22 ++++++++++++++++ mtkclient/Tools/da_parser | 11 +++++--- pyproject.toml | 8 +++++- 11 files changed, 91 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 558f54e..0b38b93 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ User: user, Password:user (based on Ubuntu 22.04 LTS) #### For Debian/Ubuntu ``` -sudo apt install python3 git libusb-1.0-0 python3-pip +sudo apt install python3 git libusb-1.0-0 python3-pip libfuse2 ``` #### For ArchLinux ``` @@ -56,6 +56,7 @@ yay -S python python-pip git libusb ``` git clone https://github.com/bkerler/mtkclient cd mtkclient +pip3 install -r requirements.txt pip3 install . ``` diff --git a/mtk b/mtk index 7b2662c..6d2dad9 100755 --- a/mtk +++ b/mtk @@ -4,7 +4,7 @@ import argparse from mtkclient.Library.mtk_main import Main, metamodes -info = "MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023" +info = "MTK Flash/Exploit Client Public V2.0.0 (c) B.Kerler 2018-2024" cmds = { "printgpt": "Print GPT Table information", diff --git a/mtkclient/Library/DA/legacy/dalegacy_lib.py b/mtkclient/Library/DA/legacy/dalegacy_lib.py index 277412b..6dd54e2 100755 --- a/mtkclient/Library/DA/legacy/dalegacy_lib.py +++ b/mtkclient/Library/DA/legacy/dalegacy_lib.py 
@@ -340,7 +340,7 @@ class DALegacy(metaclass=LogBase): self.error("EMI Config not accepted :(") return False if ret == self.Rsp.ACK: - self.info("Sending dram info ...") + self.info(f"Sending dram info ... EMI-Version {hex(self.daconfig.emiver)}") dramlength = len(self.daconfig.emi) if self.daconfig.emiver in [0xF, 0x10, 0x11, 0x14, 0x15]: dramlength = unpack(">I", self.usbread(0x4))[0] # 0x000000BC diff --git a/mtkclient/Library/DA/xflash/extension/xflash.py b/mtkclient/Library/DA/xflash/extension/xflash.py index cf8cb26..d2e0d6d 100755 --- a/mtkclient/Library/DA/xflash/extension/xflash.py +++ b/mtkclient/Library/DA/xflash/extension/xflash.py @@ -232,6 +232,10 @@ class xflashext(metaclass=LogBase): da2patched[authaddr:authaddr + 14] = b"\x4F\xF0\x00\x09\x32\x46\x01\x98\x03\x99\x4F\xF0\x00\x09" else: self.warning("Hash check not patched.") + # Disable security checks + security_check = find_binary(da2, b"\x01\x23\x03\x60\x00\x20\x70\x47\x70\xB5") + if security_check: + da2patched[security_check:security_check+2]=b"\x00\x23" # Disable da anti rollback version check antirollback = find_binary(da2, int.to_bytes(0xC0020053, 4, 'little')) if antirollback: diff --git a/mtkclient/Library/DA/xflash/xflash_lib.py b/mtkclient/Library/DA/xflash/xflash_lib.py index 54a69ec..7ecdfad 100755 --- a/mtkclient/Library/DA/xflash/xflash_lib.py +++ b/mtkclient/Library/DA/xflash/xflash_lib.py 
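Review bot: The new `security_check` patch in the xflash.py hunk logs nothing on success and, unlike the hash-check branch directly above it, does not warn when the pattern is missing, so a DA2 that still enforces the check is indistinguishable in the log from one that was patched. I would mirror the sibling branches: `if security_check is not None:` … `self.info("Disabled security checks")` … `else: self.warning("Security check not patched.")`. Testing the offset with `is not None` instead of truthiness also matches the `idx2 is not None` form this same commit uses in v6.py. A one-line comment naming what the byte sequence is (the first halfword `\x01\x23` looks like Thumb `movs r3, #1`, rewritten to `movs r3, #0` — worth confirming) would help whoever has to re-find it on the next DA revision. The enclosing function starts and ends outside the hunk.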
@@ -296,9 +296,18 @@ class DAXFlash(metaclass=LogBase): return False if status == 0x434E5953 or status == 0x0: + self.info(f"Boot to succeeded.") return True else: - self.error(f"Error on boot to: {self.eh.status(status)}") + self.error(f"Error on boot to: {self.eh.status(status)}, addr: {hex(addr)}") + else: + self.error(f"Error on boot to send_data, addr: {hex(addr)}") + else: + self.error(f"Error on boot usbwrite, addr: {hex(addr)}") + else: + self.error(f"Error on boot usbwrite, addr: {hex(addr)}") + else: + self.error(f"Error on boot to: {self.eh.status(status)}, addr: {hex(addr)}") return False def get_connection_agent(self): @@ -1161,6 +1170,9 @@ class DAXFlash(metaclass=LogBase): self.info("Uploading stage 2...") stage = stage + 1 if not self.mtk.daloader.patch: + #if self.carbonara is not None: + # loaded = self.carbonara.patchda1_and_upload_da2() + #else: loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2) else: loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2) diff --git a/mtkclient/Library/DA/xml/extension/v6.py b/mtkclient/Library/DA/xml/extension/v6.py index 6dbf1dd..9b93048 100755 --- a/mtkclient/Library/DA/xml/extension/v6.py +++ b/mtkclient/Library/DA/xml/extension/v6.py @@ -1,6 +1,8 @@ +import logging import os import sys from struct import unpack, pack + # from keystone import * from mtkclient.config.payloads import pathconfig from mtkclient.config.brom_config import efuse 
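Review bot: The two new `else` branches in boot_to that both log `Error on boot usbwrite, addr: ...` make the two failing usbwrite steps indistinguishable in the log, and the outermost new `else` formats `self.eh.status(status)` on a path where the hunk does not show that `status` has been assigned yet. I would give each branch its own wording naming the step it guards and, for the outermost branch, log only the address unless `status` is known to be bound there. `self.info(f"Boot to succeeded.")` is an f-string with no placeholders and should be the plain literal `"Boot to succeeded."`. boot_to starts outside this hunk, so where `status` is first assigned cannot be confirmed here.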
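Review bot: The three commented-out `carbonara` lines added under `if not self.mtk.daloader.patch:` are dead code in a branch whose body is, as on the old side, identical to its `else`, so the whole conditional now reads as half-finished. Either wire the alternative path in or drop the comment and keep at most a single `# TODO: route DA2 upload through carbonara.patchda1_and_upload_da2() once available` so the intent survives without commented code. The enclosing method starts and ends outside the hunk.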
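Review bot: `import logging` is added at the top of v6.py, but none of this commit's v6.py hunks uses `logging`, so I cannot tell from the patch whether it is needed. If nothing in the rest of the file references it, drop the import rather than leave an unused name; if it is used, fine as is.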
@@ -105,14 +107,14 @@ class xmlflashext(metaclass=LogBase): xmlcmd = self.xflash.Cmd.create_cmd("CUSTOMACK") if self.xsend(xmlcmd): # result = - self.xflash.get_response() + result = self.xflash.get_response() # DATA data = - self.xflash.get_response(raw=True) + data = self.xflash.get_response(raw=True) # CMD:END result = - self.xflash.get_response() + result2 = self.xflash.get_response() self.xflash.ack() # CMD:START result = - self.xflash.get_response() + resp = self.xflash.get_response() self.xflash.ack() if data == b"\xA4\xA3\xA2\xA1": return True @@ -229,6 +231,22 @@ class xmlflashext(metaclass=LogBase): self.info("Patched write partitions / allow_read / allow_write") if not patched: self.warning("Write not allowed not patched.") + idx2 = find_binary(da2patched, b"\x30\x48\x2D\xE9\x08\xB0\x8D\xE2\x20\xD0\x4D\xE2\x01\x50\xA0\xE1") + if idx2 is not None: + da2patched[idx2:idx2+8] = b"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1" + self.info("Patched Infinix SLA authentification.") + else: + idx2 = find_binary(da2patched, b"\x70\x4C\x2D\xE9\x10\xB0\x8D\xE2\x00\x60\xA0\xE1\x02\x06\xA0\xE3") + if idx2 is not None: + da2patched[idx2:idx2 + 8] = b"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1" + self.info("Patched Oppo SLA authentification.") + idx3 = find_binary(da2patched,b"\x03\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x01\x00\x00\x00") + if idx3 is not None: + da2patched[idx3:idx3+4]=b"\xFF\x00\x00\x00" + self.info("Patched Oppo Allowance flag.") + else: + self.warning("SLA authentification not patched.") + #open("/home/bjk/Projects/mtkclient_le/Loaders/V6/infinix/mt6789/DA_BR_2_40000000.patched.bin", "wb").write(da2patched) return da2patched def custom_rpmb_read(self, sector, ufs=False): diff --git a/mtkclient/Library/DA/xml/xml_lib.py b/mtkclient/Library/DA/xml/xml_lib.py index a1d705f..cb7ea13 100755 --- a/mtkclient/Library/DA/xml/xml_lib.py +++ b/mtkclient/Library/DA/xml/xml_lib.py 
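Review bot: The hunk turns three previously discarded responses into the locals `result`, `result2` and `resp`, but none of them is read afterwards — only `data` is compared against `b"\xA4\xA3\xA2\xA1"` — so they are now unused names rather than checks. If the intent is to validate the CUSTOMACK exchange, compare them (the hunk does not show what `get_response` returns, so I cannot say against what); if not, keep the bare `self.xflash.get_response()` calls without assignment, or bind them to `_` to make the discard explicit. The enclosing method starts outside the hunk.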
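Review bot: The new SLA patch block ends with a commented-out `open("/home/bjk/Projects/.../DA_BR_2_40000000.patched.bin", "wb").write(da2patched)`; that is a developer-local absolute path and a debug write and should be removed rather than shipped. The Oppo allowance-flag search matches a 16-byte run of small integers (`03 00 00 00 FF FF FF FF 00 00 00 00 01 00 00 00`) anywhere in `da2patched`, which is a plausible false-positive candidate in a data-heavy binary; constraining it to the neighbourhood of the matched SLA function, or at least logging the offset being patched, would make a mis-hit visible. The three user-visible strings spell `authentification`; `authentication` is the English word. The enclosing method (visible from its `self.info("Patched write partitions / allow_read / allow_write")` context) starts outside the hunk.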
@@ -541,6 +541,15 @@ class DAXML(metaclass=LogBase): self.error("Wrong boot_to response :(") return False + def handle_sla(self, data=b"\x00"*0x100, display=True, timeout=0.5): + result = self.send_command(self.Cmd.cmd_security_set_flash_policy(host_offset=0x8000000,length=len(data))) + if type(result) is dwnfile: + self.info("Running sla auth...") + if self.upload(result, data): + self.info("Successfully uploaded sla auth.") + return True + return False + def upload_da(self): if self.upload_da1(): self.info("Stage 1 successfully loaded.") @@ -784,7 +793,8 @@ class DAXML(metaclass=LogBase): if self.daconfig.flashtype == "emmc": length = min(length, self.emmc.gp1_size) else: - self.error('Unknown parttype. Known parttypes are "boot1","boot2","gp1","gp2","gp3","gp4","rpmb"') + self.error("Unknown parttype. Known parttypes are \"boot1\",\"boot2\",\"gp1\"," + + "\"gp2\",\"gp3\",\"gp4\",\"rpmb\"") return [] elif storage == DaStorage.MTK_DA_STORAGE_UFS: if parttype is None or parttype == "lu3" or parttype == "user": # USER diff --git a/mtkclient/Library/Hardware/hwcrypto.py b/mtkclient/Library/Hardware/hwcrypto.py index 341a2f5..850444c 100755 --- a/mtkclient/Library/Hardware/hwcrypto.py +++ b/mtkclient/Library/Hardware/hwcrypto.py @@ -60,6 +60,7 @@ class hwcrypto(metaclass=LogBase): if mode == "cbc": return self.sej.hw_aes128_cbc_encrypt(buf=data, encrypt=True) elif mode == "sst": + self.sej.sej_base = 0xC0016000 data2 = self.sej.generate_hw_meta(encrypt=True, data=data) data3 = self.sej.SST_Secure_Algo_With_Level(buf=data, encrypt=True) print(data2.hex()) diff --git a/mtkclient/Library/mtk_preloader.py b/mtkclient/Library/mtk_preloader.py index c3c93be..702a35a 100755 --- a/mtkclient/Library/mtk_preloader.py +++ b/mtkclient/Library/mtk_preloader.py 
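Review bot: `handle_sla` declares `display=True` and `timeout=0.5` but never reads either, and the 0x100 zero-byte default together with the hard-coded `host_offset=0x8000000` are undocumented, so a caller cannot tell whether the default `data` is a valid SLA response or just a placeholder that exercises the command. I would add a docstring stating what `data` is expected to hold (the SLA response, as the "Running sla auth..." log string suggests) and where 0x8000000 comes from, and either use or remove the two unused parameters. `type(result) is dwnfile` should be `isinstance(result, dwnfile)` to follow Python convention. The method is complete within the hunk.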
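Review bot: The rewritten error message in the `else` branch swaps a single-quoted literal for backslash-escaped double quotes joined with `+`; keeping single quotes and relying on adjacent-literal concatenation avoids both: `self.error('Unknown parttype. Known parttypes are "boot1","boot2","gp1",' '"gp2","gp3","gp4","rpmb"')`. The message text itself is unchanged. The enclosing method starts and ends outside the hunk.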
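Review bot: The added `self.sej.sej_base = 0xC0016000` in the `sst` branch overwrites the SEJ base address on the shared `self.sej` object for every later call, not just this one, and the constant is unexplained. If the SST path genuinely needs a different base, take it from the chip configuration rather than a literal, or at least save and restore the previous value around the two SEJ calls and add `# SST path drives the SEJ at 0xC0016000 — TODO confirm per SoC` so the override is visibly deliberate. The neighbouring `print(data2.hex())` on the old side looks like debug output left in as well. The enclosing method starts and ends outside the hunk.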
@@ -1141,6 +1141,28 @@ class Preloader(metaclass=LogBase): "7c9a404c97433f46d983bd0c5f49fa4b013b9d86e5f1377f563d8299675c0ea2b81f51c33ad74a265184df9389eefb8" + "e72d2f0585e4a41826b8846b0ee6da5ef8cce471536109fe4c658735247ebbc301")) ), + # Motorola G13 + ( + bytes_to_long(bytes.fromhex("00010001")), + # N + bytes_to_long(bytes.fromhex("DA61964924F441559A1F8B5264CEB01DACE8E417413BBA4657F4556811D07B85074FD69" + + "87F315A7492E003D03C57FC83D3B889F2D4F136D0989E515A08628A7B16A300217162DC" + + "35C340B1127046AA86649B763AF97F7C9871964483DE6695CDA2E8CCE82E1F6A0F701AF" + + "8BE767BB16927489524F8FC9A2C280F5692E850E4C4E2606436CF2E253147AFAB32E6B9" + + "2A19FA180C43CF480619B71B3D6A7863C7CC376C0A36BCF8BA3DA89CBF3E6DAA4691DCD" + + "769C0AE4535E502A9966AFF3F123C7A0EDA2DF04593B0E1FC60DC688F2BA7617DFE67D3" + + "1854443ED95D2645323728C594CA49DAA9351A572E3182D0A1B3146C92CEF87380CBD2D" + + "EFFEBC4E8F420D3")), + # D + bytes_to_long(bytes.fromhex("AEAC47CD11A5DD6C5EEEC43D8F2C536A2917CEF95AD02F5A7C978E88C35702B590F7A72" + + "A2AF28AEB9B5F5B2D8056D03F916595D189C9B6927AC0874980537178AACE8E1831DD65" + + "4E0B72FF2F44670196A57A43C340355CAF828B331A5715AED4E06D5D18896BCF25B201A" + + "0DC9760B0B2EF1CFB4EAB6940D7F8E2EBD86DC1E678AA69F6B0BBF55C688BF72C2123CF" + + "42E367F789E2592CE281C7C4752E14F6FD00D54610977DEF753E3890F12F704688537E8" + + "60D81142805750B805E7CAE3AACDE1CD7A272D227E9F8CCAADCB4D06489664627BAC46C" + + "AF5DA0F0740CEEDEBC7ED1C1D1EB1E37C6A8A9E6A0454F742B3248448B20C93D5FF6E5C" + + "789907A862C90A1")), + ) ] if isbrom: # e, n, d diff --git a/mtkclient/Tools/da_parser b/mtkclient/Tools/da_parser index 1ccdb53..b32663d 100755 --- a/mtkclient/Tools/da_parser +++ b/mtkclient/Tools/da_parser 
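Review bot: The new Motorola G13 entry adds an RSA private exponent `D` alongside `N` and `e` with only `# Motorola G13` as explanation; a comment saying which SoC/preloader this key authenticates and where it was obtained would let a maintainer later judge whether it is a vendor test key or material that should not be redistributed. The two hex blobs are each 512 hex digits, consistent with a 2048-bit modulus and matching the neighbouring entries. The list this tuple belongs to starts outside the hunk.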
@@ -40,10 +40,13 @@ def main(): da_setup = [] loaders = [] pc = pathconfig() - for root, dirs, files in os.walk(pc.get_loader_path(), topdown=False): - for file in files: - if "MTK_AllInOne" in file: - loaders.append(os.path.join(root, file)) + if len(sys.argv)>1: + loaders.append(sys.argv[1]) + else: + for root, dirs, files in os.walk(pc.get_loader_path(), topdown=False): + for file in files: + if "MTK_DA_V5.bin" in file: + loaders.append(os.path.join(root, file)) if not os.path.exists("loaders"): os.mkdir("loaders") dadb = {} diff --git a/pyproject.toml b/pyproject.toml index 913d035..0e0efb8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -38,8 +38,14 @@ keywords = ["mediatek", "mtk", "flashing", "reverse engineering", "firmware"] Repository = "https://github.com/bkerler/mtkclient.git" Issues = "https://github.com/bkerler/mtkclient/issues" +[project.scripts] +mtk = "mtk:main" +stage2 = "stage2:main" + +[project.gui-scripts] +mtk_gui = "mtk_gui:main" + [tool.setuptools] # See also the MANIFEST.in file. # We want to install all the files in the package directories... include-package-data = true -script-files = ["mtk", "stage2", "mtk_gui"]
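Review bot: The new `sys.argv[1]` path is appended to `loaders` without checking that it exists or is a file, so a typo fails later wherever the loader is opened instead of with a clear message; `if len(sys.argv) > 1:` followed by `if not os.path.isfile(sys.argv[1]): sys.exit(f"Loader not found: {sys.argv[1]}")` at the top would make that explicit. The fallback walk now only picks up files whose name contains `MTK_DA_V5.bin`, narrower than the previous `MTK_AllInOne` match; if that is intended, a one-line comment saying why would save the next reader from wondering whether other loaders were dropped by accident. `main()` starts outside the hunk, and the hunk does not show whether `sys` is imported in this tool, so that needs confirming too.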
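Review bot: Replacing `script-files = ["mtk", "stage2", "mtk_gui"]` with `[project.scripts]` entries such as `mtk = "mtk:main"` changes what gets installed: setuptools now generates wrappers that `import mtk` and call `main()`, so the extensionless `mtk` script this same patch edits (and presumably `stage2`/`mtk_gui`) must also exist as importable modules exposing a `main` function, or the installed commands fail with an import error. Please verify those modules exist and are included in the distribution (for example via a `py-modules` list), since the hunk does not show them. If they do not yet exist, keep the `script-files` line until they are added.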