MT6781 fixes, read speed improvements, dxcc improvements, minor bug fixes
bkerler committed Jul 22, 2024
1 parent c5bc57d commit 1ffb152
Showing 22 changed files with 397 additions and 173 deletions.
122 changes: 57 additions & 65 deletions README.md
Expand Up @@ -171,25 +171,30 @@ sudo reboot
### Using MTKTools via the graphical user interface:
For the 'basics' you can use the GUI interface. This supports dumping partitions or the full flash for now. Run the following command:
```
python mtk_gui
python mtk_gui.py
```

### Using stock mtk functionality without exploits :
```
python mtk.py --stock
```

### Run multiple commands
```bash
python mtk script run.example
python mtk.py script run.example
```
See the file "[run.example](https://github.com/bkerler/mtkclient/blob/main/run.example)" on how to structure the script file

### Root the phone (Tested with android 9 - 12)

1. Dump boot and vbmeta
```
python mtk r boot,vbmeta boot.img,vbmeta.img
python mtk.py r boot,vbmeta boot.img,vbmeta.img
```

2. Reboot the phone
```
python mtk reset
python mtk.py reset
```

3. Download patched magisk for mtk:
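Review bot: the new "Using stock mtk functionality without exploits" section gives only the command `python mtk.py --stock` and no sentence on what changes when the exploit path is not used (which commands still work, which do not); add one line so readers know when to pick it. Style: the heading has a stray space before the colon (`exploits :`), and its fence is untagged while the neighbouring "Run multiple commands" fence uses ```bash. The `mtk` to `mtk.py` renames in this hunk are consistent with the rest of the commit.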
Expand Down Expand Up @@ -219,12 +224,12 @@ mv [displayed magisk patched boot filename here] boot.patched

8. Flash magisk-patched boot and empty vbmeta
```
python mtk w boot,vbmeta boot.patched,vbmeta.img.empty
python mtk.py w boot,vbmeta boot.patched,vbmeta.img.empty
```

9. Reboot the phone
```
python mtk reset
python mtk.py reset
```

10. Disconnect usb cable and enjoy your rooted phone :)
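Review bot: step 8 writes `vbmeta.img.empty` over the vbmeta partition together with the patched boot image, which is what lets the modified boot image pass, but the text never says that the device's own vbmeta is replaced; add a sentence stating this and pointing back to the `vbmeta.img` dumped in step 1 as the way to restore the original. The `mtk` to `mtk.py` changes here are consistent with the rest of the README.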
Expand All @@ -235,36 +240,36 @@ python mtk reset
Example:

```
python mtk payload --metamode FASTBOOT
python mtk.py payload --metamode FASTBOOT
```

### Read efuses

Example:

```
python mtk da efuse
python mtk.py da efuse
```

### Unlock bootloader

1. Erase metadata and userdata (and md_udc if existing):
```
python mtk e metadata,userdata,md_udc
python mtk.py e metadata,userdata,md_udc
```

2. Unlock bootloader:
```
python mtk da seccfg unlock
python mtk.py da seccfg unlock
```
for relocking use:
```
python mtk da seccfg lock
python mtk.py da seccfg lock
```

3. Reboot the phone:
```
python mtk reset
python mtk.py reset
```

and disconnect usb cable to let the phone reboot.
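Review bot: step 1 of "Unlock bootloader" runs `python mtk.py e metadata,userdata,md_udc`, which wipes all user data, but the description only says "Erase metadata and userdata"; state explicitly that this is a full data wipe and that a backup (the `rl` or `rf` commands from the read section) should be taken first. Minor: "for relocking use:" sits between the numbered steps, starts lowercase and is not part of step 2's list item.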
Expand All @@ -279,57 +284,57 @@ then the device should boot within 5 seconds.
Dump boot partition to filename boot.bin via preloader

```
python mtk r boot boot.bin
python mtk.py r boot boot.bin
```

Dump boot partition to filename boot.bin via bootrom

```
python mtk r boot boot.bin [--preloader=Loader/Preloader/your_device_preloader.bin]
python mtk.py r boot boot.bin [--preloader=Loader/Preloader/your_device_preloader.bin]
```


Dump preloader partition to filename preloader.bin via bootrom

```
python mtk r preloader preloader.bin --parttype=boot1 [--preloader=Loader/Preloader/your_device_preloader.bin]
python mtk.py r preloader preloader.bin --parttype=boot1 [--preloader=Loader/Preloader/your_device_preloader.bin]
```

Read full flash to filename flash.bin (use --preloader for brom)

```
python mtk rf flash.bin
python mtk.py rf flash.bin
```

Read full flash to filename flash.bin (use --preloader for brom) for IoT devices (MT6261/MT2301):

```
python mtk rf flash.bin --iot
python mtk.py rf flash.bin --iot
```

Read flash offset 0x128000 with length 0x200000 to filename flash.bin (use --preloader for brom)

```
python mtk ro 0x128000 0x200000 flash.bin
python mtk.py ro 0x128000 0x200000 flash.bin
```

Dump all partitions to directory "out". (use --preloader for brom)

```
python mtk rl out
python mtk.py rl out
```

Show gpt (use --preloader for brom)

```
python mtk printgpt
python mtk.py printgpt
```


Mount the flash as a filesystem

```
python mtk fs /mnt/mtk
python mtk.py fs /mnt/mtk
```

### Write flash
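Review bot: the way the optional preloader argument is documented is inconsistent within this hunk: some commands show `[--preloader=Loader/Preloader/your_device_preloader.bin]` inline, others only carry "(use --preloader for brom)" in the description, and "Mount the flash as a filesystem" has neither; pick one convention and apply it to every read command. There are also doubled blank lines before "Dump preloader partition" and "Mount the flash as a filesystem".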
Expand All @@ -338,83 +343,83 @@ python mtk fs /mnt/mtk
Write filename boot.bin to boot partition

```
python mtk w boot boot.bin
python mtk.py w boot boot.bin
```

Write filename flash.bin as full flash (currently only works in da mode)

```
python mtk wf flash.bin
python mtk.py wf flash.bin
```

Write all files in directory "out" to the flash partitions

```
python mtk wl out
python mtk.py wl out
```

write file flash.bin to flash offset 0x128000 with length 0x200000 (use --preloader for brom)

```
python mtk wo 0x128000 0x200000 flash.bin
python mtk.py wo 0x128000 0x200000 flash.bin
```

### Erase flash

Erase boot partition
```
python mtk e boot
python mtk.py e boot
```

Erase boot sectors
```
python mtk es boot [sector count]
python mtk.py es boot [sector count]
```

### DA commands:

Peek memory
```
python mtk da peek [addr in hex] [length in hex] [optional: -filename filename.bin for reading to file]
python mtk.py da peek [addr in hex] [length in hex] [optional: -filename filename.bin for reading to file]
```

Poke memory
```
python mtk da poke [addr in hex] [data as hexstring or -filename for reading from file]
python mtk.py da poke [addr in hex] [data as hexstring or -filename for reading from file]
```

Read rpmb (Only xflash for now)
```
python mtk da rpmb r [will read to rpmb.bin]
python mtk.py da rpmb r [will read to rpmb.bin]
```

Write rpmb [Currently broken, xflash only]
```
python mtk da rpmb w filename
python mtk.py da rpmb w filename
```

Generate and display rpmb1-3 key
```
python mtk da generatekeys
python mtk.py da generatekeys
```

Unlock / Lock bootloader
```
python mtk da seccfg [lock or unlock]
python mtk.py da seccfg [lock or unlock]
```

---------------------------------------------------------------------------------------------------------------

### Bypass SLA, DAA and SBC (using generic_patcher_payload)
``
python mtk payload
python mtk.py payload
``
If you want to use SP Flash tool afterwards, make sure you select "UART" in the settings, not "USB".

### Dump preloader
- Device has to be in bootrom mode and preloader has to be intact on the device
```
python mtk dumppreloader [--ptype=["amonet","kamakiri","kamakiri2","hashimoto"]] [--filename=preloader.bin]
python mtk.py dumppreloader [--ptype=["amonet","kamakiri","kamakiri2","hashimoto"]] [--filename=preloader.bin]
```

### Dump brom
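Review bot: the `da peek` and `da poke` commands spell the file option with a single dash (`-filename filename.bin`) while `dumppreloader` in the same hunk and the stage2 commands use `--filename`; confirm which spelling the argument parser accepts and make them match. The "Bypass SLA, DAA and SBC" block is fenced with two backticks (``) rather than three, so it does not render as a code block. "Write rpmb [Currently broken, xflash only]" documents a command known not to work; either link the tracking issue or drop the entry until it is fixed.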
Expand All @@ -425,12 +430,12 @@ python mtk dumppreloader [--ptype=["amonet","kamakiri","kamakiri2","hashimoto"]]
and "hashimoto" (via cqdma)

```
python mtk dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]
python mtk.py dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]
```

For to dump unknown bootroms, use brute option :
```
python mtk brute
python mtk.py brute
```
If it's successful, please add an issue over here and append the bootrom in order to add full support.
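Review bot: "For to dump unknown bootroms, use brute option :" should read "To dump unknown bootroms, use the brute option:". The `dumpbrom` line shows `--ptype=["amonet","kamakiri","hashimoto"]` without the outer brackets that `dumppreloader` uses for the same option, so it reads as mandatory here; state whether it is.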

Expand All @@ -439,82 +444,82 @@ If it's successful, please add an issue over here and append the bootrom in orde
### Crash da in order to enter brom

```
python mtk crash [--vid=vid] [--pid=pid] [--interface=interface]
python mtk.py crash [--vid=vid] [--pid=pid] [--interface=interface]
```

### Read memory using patched preloader
- Boot in Brom or crash to Brom
```
python mtk peek [addr] [length] --preloader=patched_preloader.bin
python mtk.py peek [addr] [length] --preloader=patched_preloader.bin
```

### Run custom payload

```
python mtk payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]
python mtk.py payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]
```

---------------------------------------------------------------------------------------------------------------
## Stage2 usage
### Run python mtk stage (brom) or mtk plstage (preloader)
### Run python mtk.py stage (brom) or mtk plstage (preloader)

#### Run stage2 in bootrom
``
python mtk stage
python mtk.py stage
``

#### Run stage2 in preloader
``
python mtk plstage
python mtk.py plstage
``

#### Run stage2 plstage in bootrom
- Boot in Brom or crash to Brom
```
python mtk plstage --preloader=preloader.bin
python mtk.py plstage --preloader=preloader.bin
```

### Use stage2 tool


### Leave stage2 and reboot
``
python stage2 reboot
python stage2.py reboot
``

### Read rpmb in stage2 mode
``
python stage2 rpmb
python stage2.py rpmb
``

### Read preloader in stage2 mode
``
python stage2 preloader
python stage2.py preloader
``

### Read memory as hex data in stage2 mode
``
python stage2 memread [start addr] [length]
python stage2.py memread [start addr] [length]
``

### Read memory to file in stage2 mode
``
python stage2 memread [start addr] [length] --filename filename.bin
python stage2.py memread [start addr] [length] --filename filename.bin
``

### Write hex data to memory in stage2 mode
``
python stage2 memwrite [start addr] --data [data as hexstring]
python stage2.py memwrite [start addr] --data [data as hexstring]
``

### Write memory from file in stage2 mode
``
python stage2 memwrite [start addr] --filename filename.bin
python stage2.py memwrite [start addr] --filename filename.bin
``

### Extract keys
``
python stage2 keys --mode [sej, dxcc]
python stage2.py keys --mode [sej, dxcc]
``
For dxcc, you need to use plstage instead of stage
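Review bot: the renamed heading "Run python mtk.py stage (brom) or mtk plstage (preloader)" updates only the first command; the second should become `mtk.py plstage` to match the rest of this commit. Every block from "Run stage2 in bootrom" through "Extract keys" is fenced with two backticks (``), so these render inline instead of as code blocks; use ```. "### Use stage2 tool" has an empty body and the headings after it sit at the same level, so it does not act as a section header.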

Expand All @@ -529,16 +534,3 @@ For dxcc, you need to use plstage instead of stage
### Chip details / configs
- Go to config/brom_config.py
- Unknown usb vid/pids for autodetection go to config/usb_ids.py

## Learning Resources
[MTK Preloader](https://o0xmuhe.github.io/2022/03/05/MTK-Preloader-踩坑/)

[MOSEC-2022](https://o0xmuhe.github.io/2022/11/23/议题解读-MOSEC2022-MediAttack-break-the-boot-chain-of-MediaTek-SoC/)

[Dissecting MTK BROM Exploit](https://tinyhack.com/2021/01/31/dissecting-a-mediatek-bootrom-exploit/)

[Dumping Exynos BROM](https://fredericb.info/2020/06/exynos8890-bootrom-dump-dump-exynos-8890-bootrom-from-samsung-galaxy-s7.html)

[Rev Exynos BROM USB STACK ](https://fredericb.info/2020/06/reverse-engineer-usb-stack-of-exynos-bootrom.html#reverse-engineer-usb-stack-of-exynos-bootrom)

[Buffer Overflow In Huawei BROM USB STACK](https://labs.taszk.io/blog/post/bootrom_usb/)
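Review bot: the removal of the entire "Learning Resources" section (six links, from "MTK Preloader" to "Buffer Overflow In Huawei BROM USB STACK") is not reflected in the commit message ("MT6781 fixes, read speed improvements, dxcc improvements, minor bug fixes"); if the deletion is intentional, say so in the message, otherwise restore the links or move them to a separate docs file.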