Minor fixes

This commit is contained in:
Bjoern Kerler 2024-06-05 16:47:38 +02:00
parent 4c604f0d3f
commit 93da46b707
No known key found for this signature in database
GPG key ID: A3E0FAF79F2F4578
11 changed files with 91 additions and 14 deletions


@ -41,7 +41,7 @@ User: user, Password:user (based on Ubuntu 22.04 LTS)
#### For Debian/Ubuntu
```
sudo apt install python3 git libusb-1.0-0 python3-pip
sudo apt install python3 git libusb-1.0-0 python3-pip libfuse2
```
#### For ArchLinux
```
@ -56,6 +56,7 @@ yay -S python python-pip git libusb
```
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt
pip3 install .
```

2
mtk

@ -4,7 +4,7 @@
import argparse
from mtkclient.Library.mtk_main import Main, metamodes
info = "MTK Flash/Exploit Client Public V2.0.0 Beta (c) B.Kerler 2018-2023"
info = "MTK Flash/Exploit Client Public V2.0.0 (c) B.Kerler 2018-2024"
cmds = {
"printgpt": "Print GPT Table information",


@ -340,7 +340,7 @@ class DALegacy(metaclass=LogBase):
self.error("EMI Config not accepted :(")
return False
if ret == self.Rsp.ACK:
self.info("Sending dram info ...")
self.info(f"Sending dram info ... EMI-Version {hex(self.daconfig.emiver)}")
dramlength = len(self.daconfig.emi)
if self.daconfig.emiver in [0xF, 0x10, 0x11, 0x14, 0x15]:
dramlength = unpack(">I", self.usbread(0x4))[0] # 0x000000BC


@ -232,6 +232,10 @@ class xflashext(metaclass=LogBase):
da2patched[authaddr:authaddr + 14] = b"\x4F\xF0\x00\x09\x32\x46\x01\x98\x03\x99\x4F\xF0\x00\x09"
else:
self.warning("Hash check not patched.")
# Disable security checks
security_check = find_binary(da2, b"\x01\x23\x03\x60\x00\x20\x70\x47\x70\xB5")
if security_check:
da2patched[security_check:security_check+2]=b"\x00\x23"
# Disable da anti rollback version check
antirollback = find_binary(da2, int.to_bytes(0xC0020053, 4, 'little'))
if antirollback:
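Review bot: The new guard `if security_check:` treats a match at offset 0 as "not found", whereas the SLA patches this same commit adds to xmlflashext test the `find_binary(...)` result with `is not None`; use `if security_check is not None:` here for the same semantics (the `if antirollback:` context line below has the same shape). The new branch is also silent, unlike the hash-check patch just above that logs when it is not applied; add `self.info("Patched security check.")` on success and `self.warning("Security check not patched.")` on an else path so a patch that did not match is visible in the log. PEP 8 spacing: `da2patched[security_check:security_check + 2] = b"\x00\x23"`. The enclosing method starts and ends outside the hunk.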


@ -296,9 +296,18 @@ class DAXFlash(metaclass=LogBase):
return False
if status == 0x434E5953 or status == 0x0:
self.info(f"Boot to succeeded.")
return True
else:
self.error(f"Error on boot to: {self.eh.status(status)}")
self.error(f"Error on boot to: {self.eh.status(status)}, addr: {hex(addr)}")
else:
self.error(f"Error on boot to send_data, addr: {hex(addr)}")
else:
self.error(f"Error on boot usbwrite, addr: {hex(addr)}")
else:
self.error(f"Error on boot usbwrite, addr: {hex(addr)}")
else:
self.error(f"Error on boot to: {self.eh.status(status)}, addr: {hex(addr)}")
return False
def get_connection_agent(self):
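Review bot: The two new `else` branches that each emit `self.error(f"Error on boot usbwrite, addr: {hex(addr)}")` produce an identical message for two different failed writes (presumably the parameter write and the command write), so a log line cannot say which `xsend` failed; give each a distinct text, e.g. `Error on boot to: usbwrite of parameters failed, addr: …` versus `Error on boot to: usbwrite of command failed, addr: …`. The outermost `else` likewise repeats the inner message `Error on boot to: {self.eh.status(status)}, addr: …`, and from the hunk it is not visible whether `status` is already bound on that path — worth confirming, since an UnboundLocalError raised while formatting the message would mask the original failure. `boot_to`'s body starts outside the hunk.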
@ -1161,6 +1170,9 @@ class DAXFlash(metaclass=LogBase):
self.info("Uploading stage 2...")
stage = stage + 1
if not self.mtk.daloader.patch:
#if self.carbonara is not None:
# loaded = self.carbonara.patchda1_and_upload_da2()
#else:
loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2)
else:
loaded = self.boot_to(self.daconfig.da_loader.region[stage].m_start_addr, self.daconfig.da2)


@ -1,6 +1,8 @@
import logging
import os
import sys
from struct import unpack, pack
# from keystone import *
from mtkclient.config.payloads import pathconfig
from mtkclient.config.brom_config import efuse
@ -105,14 +107,14 @@ class xmlflashext(metaclass=LogBase):
xmlcmd = self.xflash.Cmd.create_cmd("CUSTOMACK")
if self.xsend(xmlcmd):
# result =
self.xflash.get_response()
result = self.xflash.get_response()
# DATA data =
self.xflash.get_response(raw=True)
data = self.xflash.get_response(raw=True)
# CMD:END result =
self.xflash.get_response()
result2 = self.xflash.get_response()
self.xflash.ack()
# CMD:START result =
self.xflash.get_response()
resp = self.xflash.get_response()
self.xflash.ack()
if data == b"\xA4\xA3\xA2\xA1":
return True
@ -229,6 +231,22 @@ class xmlflashext(metaclass=LogBase):
self.info("Patched write partitions / allow_read / allow_write")
if not patched:
self.warning("Write not allowed not patched.")
idx2 = find_binary(da2patched, b"\x30\x48\x2D\xE9\x08\xB0\x8D\xE2\x20\xD0\x4D\xE2\x01\x50\xA0\xE1")
if idx2 is not None:
da2patched[idx2:idx2+8] = b"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1"
self.info("Patched Infinix SLA authentification.")
else:
idx2 = find_binary(da2patched, b"\x70\x4C\x2D\xE9\x10\xB0\x8D\xE2\x00\x60\xA0\xE1\x02\x06\xA0\xE3")
if idx2 is not None:
da2patched[idx2:idx2 + 8] = b"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1"
self.info("Patched Oppo SLA authentification.")
idx3 = find_binary(da2patched,b"\x03\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x01\x00\x00\x00")
if idx3 is not None:
da2patched[idx3:idx3+4]=b"\xFF\x00\x00\x00"
self.info("Patched Oppo Allowance flag.")
else:
self.warning("SLA authentification not patched.")
#open("/home/bjk/Projects/mtkclient_le/Loaders/V6/infinix/mt6789/DA_BR_2_40000000.patched.bin", "wb").write(da2patched)
return da2patched
def custom_rpmb_read(self, sector, ufs=False):
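Review bot: The commented-out line `#open("/home/bjk/Projects/mtkclient_le/Loaders/V6/infinix/mt6789/DA_BR_2_40000000.patched.bin", "wb").write(da2patched)` is leftover debug code carrying a developer's home-directory path and should be deleted rather than committed; if dumping the patched DA is useful, make it an explicit opt-in (a path argument) that logs where it wrote. The three new log strings spell "authentification"; the word is "authentication" (`self.info("Patched Infinix SLA authentication.")`, and the Oppo and warning lines likewise). The `else` that reports `SLA authentification not patched.` only covers the Oppo lookup failing, so the case where the Oppo pattern is found but `idx3` is not patches nothing for the allowance flag silently; a `self.warning("Oppo Allowance flag not patched.")` on that path would make it visible. The enclosing method starts outside the hunk.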


@ -541,6 +541,15 @@ class DAXML(metaclass=LogBase):
self.error("Wrong boot_to response :(")
return False
def handle_sla(self, data=b"\x00"*0x100, display=True, timeout=0.5):
result = self.send_command(self.Cmd.cmd_security_set_flash_policy(host_offset=0x8000000,length=len(data)))
if type(result) is dwnfile:
self.info("Running sla auth...")
if self.upload(result, data):
self.info("Successfully uploaded sla auth.")
return True
return False
def upload_da(self):
if self.upload_da1():
self.info("Stage 1 successfully loaded.")
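Review bot: `handle_sla` accepts `display` and `timeout` but never uses them, and it returns False without any log message both when `send_command` does not return a `dwnfile` and when `upload` fails, so a failed SLA handshake leaves no trace in the output; drop the unused parameters (or pass them on to `send_command`/`upload` if they accept them) and add a `self.error(...)` on each failing path. Prefer `isinstance(result, dwnfile)` over `type(result) is dwnfile`. A docstring stating that the method issues `cmd_security_set_flash_policy` for `host_offset=0x8000000` over `len(data)` bytes and then uploads `data` as the payload, returning True only when the upload succeeds, would make the contract clear; what the policy command does on the device side is not visible here and should be described only as far as it is known.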
@ -784,7 +793,8 @@ class DAXML(metaclass=LogBase):
if self.daconfig.flashtype == "emmc":
length = min(length, self.emmc.gp1_size)
else:
self.error('Unknown parttype. Known parttypes are "boot1","boot2","gp1","gp2","gp3","gp4","rpmb"')
self.error("Unknown parttype. Known parttypes are \"boot1\",\"boot2\",\"gp1\"," +
"\"gp2\",\"gp3\",\"gp4\",\"rpmb\"")
return []
elif storage == DaStorage.MTK_DA_STORAGE_UFS:
if parttype is None or parttype == "lu3" or parttype == "user": # USER


@ -60,6 +60,7 @@ class hwcrypto(metaclass=LogBase):
if mode == "cbc":
return self.sej.hw_aes128_cbc_encrypt(buf=data, encrypt=True)
elif mode == "sst":
self.sej.sej_base = 0xC0016000
data2 = self.sej.generate_hw_meta(encrypt=True, data=data)
data3 = self.sej.SST_Secure_Algo_With_Level(buf=data, encrypt=True)
print(data2.hex())
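Review bot: `self.sej.sej_base = 0xC0016000` in the `sst` branch overwrites whatever base the sej object was configured with, and the override stays in effect for every later call through the same object (the `cbc` branch above presumably reads the same field), which makes an encrypt call carry a hidden side effect. If the SST path really needs this base, set it where `self.sej` is constructed or configured, or save and restore it around the two calls, and add a comment saying where 0xC0016000 comes from, e.g. `# SST path expects the SEJ register base at 0xC0016000 — TODO: source/chipset`. The `print(data2.hex())` below is context, but it still dumps the generated metadata to stdout on every call and would be better as `self.debug(...)`. The enclosing method starts and ends outside the hunk.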


@ -1141,6 +1141,28 @@ class Preloader(metaclass=LogBase):
"7c9a404c97433f46d983bd0c5f49fa4b013b9d86e5f1377f563d8299675c0ea2b81f51c33ad74a265184df9389eefb8" +
"e72d2f0585e4a41826b8846b0ee6da5ef8cce471536109fe4c658735247ebbc301"))
),
# Motorola G13
(
bytes_to_long(bytes.fromhex("00010001")),
# N
bytes_to_long(bytes.fromhex("DA61964924F441559A1F8B5264CEB01DACE8E417413BBA4657F4556811D07B85074FD69" +
"87F315A7492E003D03C57FC83D3B889F2D4F136D0989E515A08628A7B16A300217162DC" +
"35C340B1127046AA86649B763AF97F7C9871964483DE6695CDA2E8CCE82E1F6A0F701AF" +
"8BE767BB16927489524F8FC9A2C280F5692E850E4C4E2606436CF2E253147AFAB32E6B9" +
"2A19FA180C43CF480619B71B3D6A7863C7CC376C0A36BCF8BA3DA89CBF3E6DAA4691DCD" +
"769C0AE4535E502A9966AFF3F123C7A0EDA2DF04593B0E1FC60DC688F2BA7617DFE67D3" +
"1854443ED95D2645323728C594CA49DAA9351A572E3182D0A1B3146C92CEF87380CBD2D" +
"EFFEBC4E8F420D3")),
# D
bytes_to_long(bytes.fromhex("AEAC47CD11A5DD6C5EEEC43D8F2C536A2917CEF95AD02F5A7C978E88C35702B590F7A72" +
"A2AF28AEB9B5F5B2D8056D03F916595D189C9B6927AC0874980537178AACE8E1831DD65" +
"4E0B72FF2F44670196A57A43C340355CAF828B331A5715AED4E06D5D18896BCF25B201A" +
"0DC9760B0B2EF1CFB4EAB6940D7F8E2EBD86DC1E678AA69F6B0BBF55C688BF72C2123CF" +
"42E367F789E2592CE281C7C4752E14F6FD00D54610977DEF753E3890F12F704688537E8" +
"60D81142805750B805E7CAE3AACDE1CD7A272D227E9F8CCAADCB4D06489664627BAC46C" +
"AF5DA0F0740CEEDEBC7ED1C1D1EB1E37C6A8A9E6A0454F742B3248448B20C93D5FF6E5C" +
"789907A862C90A1")),
)
]
if isbrom:
# e, n, d


@ -40,10 +40,13 @@ def main():
da_setup = []
loaders = []
pc = pathconfig()
for root, dirs, files in os.walk(pc.get_loader_path(), topdown=False):
for file in files:
if "MTK_AllInOne" in file:
loaders.append(os.path.join(root, file))
if len(sys.argv)>1:
loaders.append(sys.argv[1])
else:
for root, dirs, files in os.walk(pc.get_loader_path(), topdown=False):
for file in files:
if "MTK_DA_V5.bin" in file:
loaders.append(os.path.join(root, file))
if not os.path.exists("loaders"):
os.mkdir("loaders")
dadb = {}
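Review bot: `loaders.append(sys.argv[1])` accepts the path without checking that it exists, so a mistyped argument is only discovered later when the loader is opened; guard it with `if not os.path.isfile(sys.argv[1]): sys.exit(f"Loader not found: {sys.argv[1]}")`, or switch this tool to argparse as the `mtk` script in this commit already uses. PEP 8 spacing on the new condition: `if len(sys.argv) > 1:`. `main()` continues outside the hunk.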


@ -38,8 +38,14 @@ keywords = ["mediatek", "mtk", "flashing", "reverse engineering", "firmware"]
Repository = "https://github.com/bkerler/mtkclient.git"
Issues = "https://github.com/bkerler/mtkclient/issues"
[project.scripts]
mtk = "mtk:main"
stage2 = "stage2:main"
[project.gui-scripts]
mtk_gui = "mtk_gui:main"
[tool.setuptools]
# See also the MANIFEST.in file.
# We want to install all the files in the package directories...
include-package-data = true
script-files = ["mtk", "stage2", "mtk_gui"]
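Review bot: The new `[project.scripts]` / `[project.gui-scripts]` entries and the retained `script-files = ["mtk", "stage2", "mtk_gui"]` under `[tool.setuptools]` both install files named `mtk`, `stage2` and `mtk_gui` into the scripts directory — the entry points as generated wrappers that import `mtk:main`, the script-files as verbatim copies — so one will likely overwrite the other at install time and which wins depends on the installer. Keep one mechanism: if the entry points are the intended path, drop `script-files` and confirm that `mtk:main` resolves to an importable top-level module, since the `mtk` file shown earlier in this commit appears to be an extensionless script; otherwise keep `script-files` and drop the entry points.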