Minor fixes
parent
4c604f0d3f
commit
93da46b707
11 changed files with 91 additions and 14 deletions
|
@ -41,7 +41,7 @@ User: user, Password:user (based on Ubuntu 22.04 LTS)
|
|||
|
||||
#### For Debian/Ubuntu
|
||||
```
|
||||
sudo apt install python3 git libusb-1.0-0 python3-pip
|
||||
sudo apt install python3 git libusb-1.0-0 python3-pip libfuse2
|
||||
```
|
||||
#### For ArchLinux
|
||||
```
|
||||
|
@ -56,6 +56,7 @@ yay -S python python-pip git libusb
|
|||
```
|
||||
git clone https://github.com/bkerler/mtkclient
|
||||
cd mtkclient
|
||||
pip3 install -r requirements.txt
|
||||
pip3 install .
|
||||
```
|
||||
|
||||
|
|
2
mtk
2
mtk
|
@ -4,7 +4,7 @@
|
|||
import argparse
|
||||
from mtkclient.Library.mtk_main import Main, metamodes
|
||||
|
||||
info = "MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023"
|
||||
info = "MTK Flash/Exploit Client Public V2.0.0 (c) B.Kerler 2018-2024"
|
||||
|
||||
cmds = {
|
||||
"printgpt": "Print GPT Table information",
|
||||
|
|
|
@ -340,7 +340,7 @@ class DALegacy(metaclass=LogBase):
|
|||
self.error("EMI Config not accepted :(")
|
||||
return False
|
||||
if ret == self.Rsp.ACK:
|
||||
self.info("Sending dram info ...")
|
||||
self.info(f"Sending dram info ... EMI-Version {hex(self.daconfig.emiver)}")
|
||||
dramlength = len(self.daconfig.emi)
|
||||
if self.daconfig.emiver in [0xF, 0x10, 0x11, 0x14, 0x15]:
|
||||
dramlength = unpack(">I", self.usbread(0x4))[0] # 0x000000BC
|
||||
|
|
|
@ -232,6 +232,10 @@ class xflashext(metaclass=LogBase):
|
|||
da2patched[authaddr:authaddr + 14] = b"\x4F\xF0\x00\x09\x32\x46\x01\x98\x03\x99\x4F\xF0\x00\x09"
|
||||
else:
|
||||
self.warning("Hash check not patched.")
|
||||
# Disable security checks
|
||||
security_check = find_binary(da2, b"\x01\x23\x03\x60\x00\x20\x70\x47\x70\xB5")
|
||||
if security_check:
|
||||
da2patched[security_check:security_check+2]=b"\x00\x23"
|
||||
# Disable da anti rollback version check
|
||||
antirollback = find_binary(da2, int.to_bytes(0xC0020053, 4, 'little'))
|
||||
if antirollback:
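Review bot: The added security-check patch tests `if security_check:`, which treats a match at offset 0 the same as no match; the xmlflashext hunk in this commit uses `if idx2 is not None:` for the same helper, so assuming find_binary returns None on a miss, `if security_check is not None:` is the consistent form. The patch is also applied silently, while the branch directly above logs `Hash check not patched.`; add `self.info("Patched security check.")` and an `else: self.warning("Security check not patched.")` so a run records which modifications were made to the loader. The enclosing function starts and ends outside the hunk.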
|
||||
|
|
|
@ -296,9 +296,18 @@ class DAXFlash(metaclass=LogBase):
|
|||
return False
|
||||
|
||||
if status == 0x434E5953 or status == 0x0:
|
||||
self.info(f"Boot to succeeded.")
|
||||
return True
|
||||
else:
|
||||
self.error(f"Error on boot to: {self.eh.status(status)}")
|
||||
self.error(f"Error on boot to: {self.eh.status(status)}, addr: {hex(addr)}")
|
||||
else:
|
||||
self.error(f"Error on boot to send_data, addr: {hex(addr)}")
|
||||
else:
|
||||
self.error(f"Error on boot usbwrite, addr: {hex(addr)}")
|
||||
else:
|
||||
self.error(f"Error on boot usbwrite, addr: {hex(addr)}")
|
||||
else:
|
||||
self.error(f"Error on boot to: {self.eh.status(status)}, addr: {hex(addr)}")
|
||||
return False
|
||||
|
||||
def get_connection_agent(self):
|
||||
|
@ -1161,6 +1170,9 @@ class DAXFlash(metaclass=LogBase):
|
|||
self.info("Uploading stage 2...")
|
||||
stage = stage + 1
|
||||
if not self.mtk.daloader.patch:
|
||||
#if self.carbonara is not None:
|
||||
# loaded = self.carbonara.patchda1_and_upload_da2()
|
||||
#else:
|
||||
loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2)
|
||||
else:
|
||||
loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2)
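Review bot: In the boot_to hunk two of the new `else` branches log the identical text `Error on boot usbwrite, addr: ...` and two others the identical `Error on boot to: ...`, so a log line no longer tells which step failed. Give each branch a message naming the step it guards; the nested `if` conditions sit above the hunk, so the exact step names need checking there. The outermost branch also formats `status`, so confirm that name is always assigned before that branch can run. In the second hunk the commented-out carbonara lines leave both arms of `if not self.mtk.daloader.patch:` calling the same `boot_to(...)`; drop the comment block or collapse the branch until the alternative path exists.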
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
import logging
|
||||
import os
|
||||
import sys
|
||||
from struct import unpack, pack
|
||||
|
||||
# from keystone import *
|
||||
from mtkclient.config.payloads import pathconfig
|
||||
from mtkclient.config.brom_config import efuse
|
||||
|
@ -105,14 +107,14 @@ class xmlflashext(metaclass=LogBase):
|
|||
xmlcmd = self.xflash.Cmd.create_cmd("CUSTOMACK")
|
||||
if self.xsend(xmlcmd):
|
||||
# result =
|
||||
self.xflash.get_response()
|
||||
result = self.xflash.get_response()
|
||||
# DATA data =
|
||||
self.xflash.get_response(raw=True)
|
||||
data = self.xflash.get_response(raw=True)
|
||||
# CMD:END result =
|
||||
self.xflash.get_response()
|
||||
result2 = self.xflash.get_response()
|
||||
self.xflash.ack()
|
||||
# CMD:START result =
|
||||
self.xflash.get_response()
|
||||
resp = self.xflash.get_response()
|
||||
self.xflash.ack()
|
||||
if data == b"\xA4\xA3\xA2\xA1":
|
||||
return True
|
||||
|
@ -229,6 +231,22 @@ class xmlflashext(metaclass=LogBase):
|
|||
self.info("Patched write partitions / allow_read / allow_write")
|
||||
if not patched:
|
||||
self.warning("Write not allowed not patched.")
|
||||
idx2 = find_binary(da2patched, b"\x30\x48\x2D\xE9\x08\xB0\x8D\xE2\x20\xD0\x4D\xE2\x01\x50\xA0\xE1")
|
||||
if idx2 is not None:
|
||||
da2patched[idx2:idx2+8] = b"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1"
|
||||
self.info("Patched Infinix SLA authentification.")
|
||||
else:
|
||||
idx2 = find_binary(da2patched, b"\x70\x4C\x2D\xE9\x10\xB0\x8D\xE2\x00\x60\xA0\xE1\x02\x06\xA0\xE3")
|
||||
if idx2 is not None:
|
||||
da2patched[idx2:idx2 + 8] = b"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1"
|
||||
self.info("Patched Oppo SLA authentification.")
|
||||
idx3 = find_binary(da2patched,b"\x03\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x01\x00\x00\x00")
|
||||
if idx3 is not None:
|
||||
da2patched[idx3:idx3+4]=b"\xFF\x00\x00\x00"
|
||||
self.info("Patched Oppo Allowance flag.")
|
||||
else:
|
||||
self.warning("SLA authentification not patched.")
|
||||
#open("/home/bjk/Projects/mtkclient_le/Loaders/V6/infinix/mt6789/DA_BR_2_40000000.patched.bin", "wb").write(da2patched)
|
||||
return da2patched
|
||||
|
||||
def custom_rpmb_read(self, sector, ufs=False):
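Review bot: The SLA patch hunk adds a commented-out `open("/home/bjk/Projects/mtkclient_le/Loaders/V6/infinix/mt6789/DA_BR_2_40000000.patched.bin", "wb").write(da2patched)` line that hard-codes a developer-local path; remove it, or put the dump behind a debug option that takes the output path. In the CUSTOMACK hunk only `data` is read afterwards in the visible lines, so `result`, `result2` and `resp` look like dead assignments; either check them or keep the bare calls next to the existing `# CMD:END` style comments. The new log strings spell "authentification", where "authentication" is the usual form. Both functions extend beyond their hunks.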
|
||||
|
|
|
@ -541,6 +541,15 @@ class DAXML(metaclass=LogBase):
|
|||
self.error("Wrong boot_to response :(")
|
||||
return False
|
||||
|
||||
def handle_sla(self, data=b"\x00"*0x100, display=True, timeout=0.5):
|
||||
result = self.send_command(self.Cmd.cmd_security_set_flash_policy(host_offset=0x8000000,length=len(data)))
|
||||
if type(result) is dwnfile:
|
||||
self.info("Running sla auth...")
|
||||
if self.upload(result, data):
|
||||
self.info("Successfully uploaded sla auth.")
|
||||
return True
|
||||
return False
|
||||
|
||||
def upload_da(self):
|
||||
if self.upload_da1():
|
||||
self.info("Stage 1 successfully loaded.")
|
||||
|
@ -784,7 +793,8 @@ class DAXML(metaclass=LogBase):
|
|||
if self.daconfig.flashtype == "emmc":
|
||||
length = min(length, self.emmc.gp1_size)
|
||||
else:
|
||||
self.error('Unknown parttype. Known parttypes are "boot1","boot2","gp1","gp2","gp3","gp4","rpmb"')
|
||||
self.error("Unknown parttype. Known parttypes are \"boot1\",\"boot2\",\"gp1\"," +
|
||||
"\"gp2\",\"gp3\",\"gp4\",\"rpmb\"")
|
||||
return []
|
||||
elif storage == DaStorage.MTK_DA_STORAGE_UFS:
|
||||
if parttype is None or parttype == "lu3" or parttype == "user": # USER
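Review bot: `handle_sla` accepts `display` and `timeout` but its body, fully visible in the hunk, never uses them, and it returns False without logging when the command result is not a `dwnfile` or the upload fails. I would drop or wire through the unused parameters, add `self.error("SLA auth upload failed.")` before the final `return False`, and replace `type(result) is dwnfile` with `isinstance(result, dwnfile)`. The `host_offset=0x8000000` literal deserves a named constant or a comment saying where the value comes from.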
|
||||
|
|
|
@ -60,6 +60,7 @@ class hwcrypto(metaclass=LogBase):
|
|||
if mode == "cbc":
|
||||
return self.sej.hw_aes128_cbc_encrypt(buf=data, encrypt=True)
|
||||
elif mode == "sst":
|
||||
self.sej.sej_base = 0xC0016000
|
||||
data2 = self.sej.generate_hw_meta(encrypt=True, data=data)
|
||||
data3 = self.sej.SST_Secure_Algo_With_Level(buf=data, encrypt=True)
|
||||
print(data2.hex())
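Review bot: The `sst` branch sets `self.sej.sej_base = 0xC0016000` (the hunk counts suggest this is the added line) and never restores it, so the override stays on the shared `sej` object for every later call in any mode. Take the base address from the chip configuration instead of a literal, or save the previous value and restore it after the two calls. The `print(data2.hex())` on the last visible line writes the generated value to stdout; route it through the logger at debug level if it has to stay. The function starts and ends outside the hunk.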
|
||||
|
|
|
@ -1141,6 +1141,28 @@ class Preloader(metaclass=LogBase):
|
|||
"7c9a404c97433f46d983bd0c5f49fa4b013b9d86e5f1377f563d8299675c0ea2b81f51c33ad74a265184df9389eefb8" +
|
||||
"e72d2f0585e4a41826b8846b0ee6da5ef8cce471536109fe4c658735247ebbc301"))
|
||||
),
|
||||
# Motorola G13
|
||||
(
|
||||
bytes_to_long(bytes.fromhex("00010001")),
|
||||
# N
|
||||
bytes_to_long(bytes.fromhex("DA61964924F441559A1F8B5264CEB01DACE8E417413BBA4657F4556811D07B85074FD69" +
|
||||
"87F315A7492E003D03C57FC83D3B889F2D4F136D0989E515A08628A7B16A300217162DC" +
|
||||
"35C340B1127046AA86649B763AF97F7C9871964483DE6695CDA2E8CCE82E1F6A0F701AF" +
|
||||
"8BE767BB16927489524F8FC9A2C280F5692E850E4C4E2606436CF2E253147AFAB32E6B9" +
|
||||
"2A19FA180C43CF480619B71B3D6A7863C7CC376C0A36BCF8BA3DA89CBF3E6DAA4691DCD" +
|
||||
"769C0AE4535E502A9966AFF3F123C7A0EDA2DF04593B0E1FC60DC688F2BA7617DFE67D3" +
|
||||
"1854443ED95D2645323728C594CA49DAA9351A572E3182D0A1B3146C92CEF87380CBD2D" +
|
||||
"EFFEBC4E8F420D3")),
|
||||
# D
|
||||
bytes_to_long(bytes.fromhex("AEAC47CD11A5DD6C5EEEC43D8F2C536A2917CEF95AD02F5A7C978E88C35702B590F7A72" +
|
||||
"A2AF28AEB9B5F5B2D8056D03F916595D189C9B6927AC0874980537178AACE8E1831DD65" +
|
||||
"4E0B72FF2F44670196A57A43C340355CAF828B331A5715AED4E06D5D18896BCF25B201A" +
|
||||
"0DC9760B0B2EF1CFB4EAB6940D7F8E2EBD86DC1E678AA69F6B0BBF55C688BF72C2123CF" +
|
||||
"42E367F789E2592CE281C7C4752E14F6FD00D54610977DEF753E3890F12F704688537E8" +
|
||||
"60D81142805750B805E7CAE3AACDE1CD7A272D227E9F8CCAADCB4D06489664627BAC46C" +
|
||||
"AF5DA0F0740CEEDEBC7ED1C1D1EB1E37C6A8A9E6A0454F742B3248448B20C93D5FF6E5C" +
|
||||
"789907A862C90A1")),
|
||||
)
|
||||
]
|
||||
if isbrom:
|
||||
# e, n, d
|
||||
|
|
|
@ -40,9 +40,12 @@ def main():
|
|||
da_setup = []
|
||||
loaders = []
|
||||
pc = pathconfig()
|
||||
if len(sys.argv)>1:
|
||||
loaders.append(sys.argv[1])
|
||||
else:
|
||||
for root, dirs, files in os.walk(pc.get_loader_path(), topdown=False):
|
||||
for file in files:
|
||||
if "MTK_AllInOne" in file:
|
||||
if "MTK_DA_V5.bin" in file:
|
||||
loaders.append(os.path.join(root, file))
|
||||
if not os.path.exists("loaders"):
|
||||
os.mkdir("loaders")
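Review bot: The new `loaders.append(sys.argv[1])` takes the first command-line argument as a loader path without checking that it names a readable file, so a mistyped path presumably only surfaces later when the file is opened (that code is outside the hunk). Validate up front, e.g. `if not os.path.isfile(sys.argv[1]): sys.exit(f"Loader not found: {sys.argv[1]}")`, and write the test as `len(sys.argv) > 1` per PEP 8. `main()` continues beyond the hunk.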
|
||||
|
|
|
@ -38,8 +38,14 @@ keywords = ["mediatek", "mtk", "flashing", "reverse engineering", "firmware"]
|
|||
Repository = "https://github.com/bkerler/mtkclient.git"
|
||||
Issues = "https://github.com/bkerler/mtkclient/issues"
|
||||
|
||||
[project.scripts]
|
||||
mtk = "mtk:main"
|
||||
stage2 = "stage2:main"
|
||||
|
||||
[project.gui-scripts]
|
||||
mtk_gui = "mtk_gui:main"
|
||||
|
||||
[tool.setuptools]
|
||||
# See also the MANIFEST.in file.
|
||||
# We want to install all the files in the package directories...
|
||||
include-package-data = true
|
||||
script-files = ["mtk", "stage2", "mtk_gui"]
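Review bot: The entry points `mtk = "mtk:main"`, `stage2 = "stage2:main"` and `mtk_gui = "mtk_gui:main"` only work if importable modules with those names expose a `main` callable, and the `mtk` file touched in this same commit is listed without a `.py` extension. Confirm that each target is packaged as a module (nothing on this page shows it); otherwise the generated console script fails with an import error at launch. If the `script-files` line is kept rather than removed (the hunk counts suggest it is removed), it would install files under the same command names as the entry points, so keep only one of the two mechanisms.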
|
||||
|
|