chipmunkmc/mtkclient
1
0
Fork 0
mirror of https://github.com/bkerler/mtkclient.git synced 2024-11-14 11:14:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
mtkclient/Tools/patch_preloader.py
Bjoern Kerler f13dbd02a1
Restructure and minor bug fix
2024-06-29 16:48:59 +02:00

127 lines
4.2 KiB
Python
Executable file
Raw Permalink Blame History

#!/usr/bin/env python3
import sys
import hashlib
from mtkclient.Library.utils import find_binary
patches = [
("B3F5807F01D1", "B3F5807F01D14FF000004FF000007047"), # rsa_verify / usbdl_vfy_da
("B3F5807F04BF4FF4807305F011B84FF0FF307047", "B3F5807F04BF4FF480734FF000004FF000007047"),
# rsa_verify / usbdl_vfy_da
("2DE9F746802B", "4FF000007047"), # rsa_verify / usbdl_vfy_da
("802B2DE9", "4FF000007047"),
("8023BDE8", "4FF000007047"), # DA verify fail
("800053E3F344", "0000A0E31EFF2FE1")
]
def patch_preloader_security(data):
if data[:4] != b"\x4D\x4D\x4D\x01":
return data
patched = False
for patchval in patches:
pattern = bytes.fromhex(patchval[0])
idx = data.find(pattern)
if idx != -1:
patch = bytes.fromhex(patchval[1])
data[idx:idx + len(patch)] = patch
patched = True
break
if patched:
# with open(sys.argv[1]+".patched","wb") as wf:
# wf.write(data)
# print("Patched !")
print("Patched preloader security")
else:
print(f"Failed to patch preloader security: {sys.argv[1]}")
return data
def patch_da2(da2):
# open("da2.bin","wb").write(da2)
da2patched = bytearray(da2)
# Patch security
is_security_enabled = find_binary(da2, b"\x01\x23\x03\x60\x00\x20\x70\x47")
if is_security_enabled is not None:
da2patched[is_security_enabled:is_security_enabled + 2] = b"\x00\x23"
else:
print("Security check not patched.")
# Patch hash check
authaddr = find_binary(da2, b"\x04\x00\x07\xC0")
if authaddr:
da2patched[authaddr:authaddr + 4] = b"\x00\x00\x00\x00"
elif authaddr is None:
authaddr = find_binary(da2, b"\x4F\xF0\x04\x09\xCC\xF2\x07\x09")
if authaddr:
da2patched[authaddr:authaddr + 8] = b"\x4F\xF0\x00\x09\x4F\xF0\x00\x09"
else:
authaddr = find_binary(da2, b"\x4F\xF0\x04\x09\x32\x46\x01\x98\x03\x99\xCC\xF2\x07\x09")
if authaddr:
da2patched[authaddr:authaddr + 14] = b"\x4F\xF0\x00\x09\x32\x46\x01\x98\x03\x99\x4F\xF0\x00\x09"
else:
print("Hash check not patched.")
# Patch write not allowed
# open("da2.bin","wb").write(da2patched)
idx = 0
patched = False
while idx != -1:
idx = da2patched.find(b"\x37\xB5\x00\x23\x04\x46\x02\xA8")
if idx != -1:
da2patched[idx:idx + 8] = b"\x37\xB5\x00\x20\x03\xB0\x30\xBD"
patched = True
else:
idx = da2patched.find(b"\x0C\x23\xCC\xF2\x02\x03")
if idx != -1:
da2patched[idx:idx + 6] = b"\x00\x23\x00\x23\x00\x23"
idx2 = da2patched.find(b"\x2A\x23\xCC\xF2\x02\x03")
if idx2 != -1:
da2patched[idx2:idx2 + 6] = b"\x00\x23\x00\x23\x00\x23"
"""
idx3 = da2patched.find(b"\x2A\x24\xE4\xF7\x89\xFB\xCC\xF2\x02\x04")
if idx3 != -1:
da2patched[idx3:idx3 + 10] = b"\x00\x24\xE4\xF7\x89\xFB\x00\x24\x00\x24"
"""
patched = True
if not patched:
print("Write not allowed not patched.")
return da2patched
def fix_hash(da1, da2, hashpos, hashmode):
da1 = bytearray(da1)
dahash = None
if hashmode == 1:
dahash = hashlib.sha1(da2).digest()
elif hashmode == 2:
dahash = hashlib.sha256(da2).digest()
da1[hashpos:hashpos + len(dahash)] = dahash
return da1
def compute_hash_pos(da1, da2):
hashdigest = hashlib.sha1(da2).digest()
hashdigest256 = hashlib.sha256(da2).digest()
idx = da1.find(hashdigest)
hashmode = 1
if idx == -1:
idx = da1.find(hashdigest256)
hashmode = 2
if idx != -1:
return idx, hashmode
return None, None
def main():
"""
with open(sys.argv[1],"rb") as rf:
data=bytearray(rf.read())
data=patch_preloader_security(data)
"""
da1 = open("loaders/8167_200000MTK_AllInOne_DA_5.2136.bin", "rb").read()
da2 = open("loaders/8167_40000000MTK_AllInOne_DA_5.2136.bin", "rb").read()
hp, hm = compute_hash_pos(da1, da2[:-0x100])
da2 = patch_da2(da2)
fix_hash(da1, da2, hp, hm)
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink