Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff.
Once the mtk script is running, boot into brom mode by powering off device, press and hold either vol up + power or vol down + power and connect the phone. Once detected by the tool, release the buttons.
- These chipsets use a new protocol called V6 and the bootrom is patched, thus you need a valid da via --loader option.
- On some devices, preloader is deactivated, but you still use it by running "adb reboot edl".
- This only works with UNFUSED devices currently.
- For all devices with DAA, SLA and Remote-Auth activated no public solution currently exists (for various reasons).
- kamakiri [xyzz]
- linecode exploit [chimera]
- Chaosmaster
- Geert-Jan Kreileman (GUI, design & fixes)
- All contributors
apt install python3 git libusb-1.0 python3-pip
git clone https://github.com/RohitVerma882/termux-mtkclient
cd mtkclient
pip3 install -r requirements.txt
pip3 install .
python mtk script run.example
See the file "run.example" on how to structure the script file
- Dump boot and vbmeta
python mtk r boot,vbmeta boot.img,vbmeta.img
- Reboot the phone
python mtk reset
-
Download patched magisk for mtk: Download latest Magisk here
-
Install on target phone
- you need to enable usb-debugging via Settings/About phone/Version, Tap 7x on build number
- Go to Settings/Additional settings/Developer options, enable "OEM unlock" and "USB Debugging"
- Install magisk apk
adb install app-release.apk
- accept auth rsa request on mobile screen of course to allow adb connection
- Upload boot to /sdcard/Download
adb push boot.img /sdcard/Download
- Start magisk, tap on Install, select boot.img from /sdcard/Download, then:
adb pull /sdcard/Download/[displayed magisk patched boot filename here]
mv [displayed magisk patched boot filename here] boot.patched
-
Do the steps needed in section "Unlock bootloader below"
-
Flash magisk-patched boot and empty vbmeta
python mtk w boot,vbmeta boot.patched,vbmeta.img.empty
- Reboot the phone
python mtk reset
- Disconnect usb cable and enjoy your rooted phone :)
Example:
python mtk payload --metamode FASTBOOT
Example:
python mtk da efuse
- Erase metadata and userdata (and md_udc if existing):
python mtk e metadata,userdata,md_udc
- Unlock bootloader:
python mtk da seccfg unlock
for relocking use:
python mtk da seccfg lock
- Reboot the phone:
python mtk reset
and disconnect usb cable to let the phone reboot.
If you are getting a dm-verity error on Android 11, just press the power button, then the device should boot and show a yellow warning about unlocked bootloader and then the device should boot within 5 seconds.
Dump boot partition to filename boot.bin via preloader
python mtk r boot boot.bin
Dump boot partition to filename boot.bin via bootrom
python mtk r boot boot.bin [--preloader=Loader/Preloader/your_device_preloader.bin]
Dump preloader partition to filename preloader.bin via bootrom
python mtk r preloader preloader.bin --parttype=boot1 [--preloader=Loader/Preloader/your_device_preloader.bin]
Read full flash to filename flash.bin (use --preloader for brom)
python mtk rf flash.bin
Read full flash to filename flash.bin (use --preloader for brom) for IoT devices (MT6261/MT2301):
python mtk rf flash.bin --iot
Read flash offset 0x128000 with length 0x200000 to filename flash.bin (use --preloader for brom)
python mtk ro 0x128000 0x200000 flash.bin
Dump all partitions to directory "out". (use --preloader for brom)
python mtk rl out
Show gpt (use --preloader for brom)
python mtk printgpt
(use --preloader for brom)
Write filename boot.bin to boot partition
python mtk w boot boot.bin
Write filename flash.bin as full flash (currently only works in da mode)
python mtk wf flash.bin
Write all files in directory "out" to the flash partitions
python mtk wl out
write file flash.bin to flash offset 0x128000 with length 0x200000 (use --preloader for brom)
python mtk wo 0x128000 0x200000 flash.bin
Erase boot partition
python mtk e boot
Erase boot sectors
python mtk es boot [sector count]
Peek memory
python mtk da peek [addr in hex] [length in hex] [optional: -filename filename.bin for reading to file]
Poke memory
python mtk da poke [addr in hex] [data as hexstring or -filename for reading from file]
Read rpmb (Only xflash for now)
python mtk da rpmb r [will read to rpmb.bin]
Write rpmb [Currently broken, xflash only]
python mtk da rpmb w filename
Generate and display rpmb1-3 key
python mtk da generatekeys
Unlock / Lock bootloader
python mtk da seccfg [lock or unlock]
python mtk payload
If you want to use SP Flash tool afterwards, make sure you select "UART" in the settings, not "USB".
- Device has to be in bootrom mode and preloader has to be intact on the device
python mtk dumppreloader [--ptype=["amonet","kamakiri","kamakiri2","hashimoto"]] [--filename=preloader.bin]
- Device has to be in bootrom mode, or da mode has to be crashed to enter damode
- if no option is given, either kamakiri or da will be used (da for insecure targets)
- if "kamakiri" is used as an option, kamakiri is enforced
- Valid options are : "kamakiri" (via usb_ctrl_handler attack), "amonet" (via gcpu) and "hashimoto" (via cqdma)
python mtk dumpbrom --ptype=["amonet","kamakiri","hashimoto"] [--filename=brom.bin]
For to dump unknown bootroms, use brute option :
python mtk brute
If it's successful, please add an issue over here and append the bootrom in order to add full support.
python mtk crash [--vid=vid] [--pid=pid] [--interface=interface]
- Boot in Brom or crash to Brom
python mtk peek [addr] [length] --preloader=patched_preloader.bin
python mtk payload --payload=payload.bin [--var1=var1] [--wdt=wdt] [--uartaddr=addr] [--da_addr=addr] [--brom_addr=addr]
python mtk stage
python mtk plstage
- Boot in Brom or crash to Brom
python mtk plstage --preloader=preloader.bin
python stage2 reboot
python stage2 rpmb
python stage2 preloader
python stage2 memread [start addr] [length]
python stage2 memread [start addr] [length] --filename filename.bin
python stage2 memwrite [start addr] --data [data as hexstring]
python stage2 memwrite [start addr] --filename filename.bin
python stage2 keys --mode [sej, dxcc]
For dxcc, you need to use plstage instead of stage
- Run the mtk tool with --debugmode. Log will be written to log.txt (hopefully)
- Go to config/brom_config.py
- Unknown usb vid/pids for autodetection go to config/usb_ids.py