mtk芯片全机型解锁平台TFT-MTK-v1.0

共1509个文件

bin：881个

py：224个

pyc：222个

版权申诉

5星 · 超过95%的资源 105 浏览量 2022-01-19 09:26:04 上传评论 7 收藏 23.5MB RAR 举报

资源推荐

资源详情

资源评论

收起资源包目录

mtk芯片全机型解锁平台TFT-MTK-v1.0 （1509个子文件）

preloader_yuanda6580_weg_l.bin.AF162DA769 2KB

kill.bat 101B

Command.bat 61B

MTK_AllInOne_DA_5.2136.bin 17.41MB

MTK_AllInOne_DA_5.1824.bin 10.7MB

MTK_AllInOne_DA_5.1420.bin 2.25MB

misc.bin 1024KB

para.bin 512KB

pl.bin 17KB

stage2.bin 16KB

da_x.bin 7KB

preloader_k62v1_64_mex_a32.bin 5KB

preloader_k62v1_64_mexico_jat.bin 5KB

preloader_k62v1_64_mexico.bin 5KB

preloader_vanzo82_cwet_kk.bin 5KB

preloader_k69v1_64.bin 4KB

preloader_k71v1_64_bsp_zteS02.bin 4KB

preloader_magc6570_cweg_m.bin 3KB

preloader_oppo6771_19350_OPPO_A91.bin 3KB

OPPO_A91_preloader_oppo6771_19350.bin 3KB

Reno_2F_preloader_oppo6771.bin 3KB

preloader_oppo6771_18311__.bin 3KB

preloader_oppo6771_A7x_18011.bin 3KB

A7x_preloader_oppo6771_18011.bin 3KB

preloader_oppo6771_18011.bin 3KB

preloader_oppo6771_18311.bin 3KB

preloader_ke5k.bin 3KB

preloader_oppo6771_18311_F9Pro.bin 3KB

preloader_oppo6771_18311_v9.bin 3KB

preloader_yuanda72_cwet_kk.bin 3KB

preloader_oppo6771_17331_F7_010520.bin 3KB

preloader_kd7_h6211.bin 3KB

preloader_k62v1_64_bsp_vivo_y15.bin 3KB

preloader_cd6_camon_16s.bin 3KB

preloader_oppo6769_Nazro_20.bin 3KB

preloader_kd7_h6211_Techno_spark_5.bin 3KB

preloader_k71v1_64_bsp_vivV15.bin 3KB

preloader_x680b_h6215.bin 3KB

preloader_oppo6763_17031_.bin 3KB

preloader_k61v1_64_mexico_amn.bin 3KB

preloader_camon_15_air.bin 3KB

preloader_oppo6771_17061.bin 3KB

preloader_kd7_spark5_pro.bin 3KB

preloader_full_oppo6763_17031.bin 3KB

preloader_k61v1_64_mexico_mrdlx3.bin 2KB

preloader.bin 2KB

preloader_oppo6763_17031.bin 2KB

preloader_oppo6763_17101.bin 2KB

preloader_k62v1_64_mexico_mrd.bin 2KB

preloader_PDA.bin 2KB

preloader_k61v1_64_mexico_mrd.bin 2KB

preloader_cd8_camon15_pro.bin 2KB

preloader_oppo6763_17101_A83_100519.bin 2KB

preloader_k79v1_64_MT6779_Generic.bin 2KB

preloader_cd7_h6214.bin 2KB

preloader_camon_15_cd7.bin 2KB

preloader_k61v1_64_mexico.bin 2KB

OPPO_A3_preloader_oppo6771_17331.bin 2KB

preloader_oppo6771_17331_.bin 2KB

preloader_k61v1_64_mexico_ksa.bin 2KB

preloader_oppo6771_17197.bin 2KB

preloader_ld7_h694.bin 2KB

preloader_ce7_camon_16.bin 2KB

preloader_k62v1_64_bsp_viv1901.bin 2KB

preloader_x692_h694.bin 2KB

preloader_fih_mt6771_64.bin 2KB

preloader_oppo6771_17331.bin 2KB

preloader_oppo6769.bin 2KB

preloader_oppo6785_Realme_7.bin 2KB

preloader_k62v1_64_bsp_zteS02.bin 2KB

preloader_oppo6779_F17_Pro.bin 2KB

preloader_oppo6769_Realme_6i.bin 2KB

0699_preloader_dura_BFE22C5E88.bin 2KB

preloader_dura.bin 2KB

preloader_dura64.bin 2KB

preloader_j7209.bin 2KB

preloader_k62v1_32_bsp_zteF02.bin 2KB

preloader_oppo6779.bin 2KB

preloader_cc6_h627.bin 2KB

preloader_k68v1_64_titan.bin 2KB

preloader_camon_12_air_cc6.bin 2KB

preloader_ke7_spark_6.bin 2KB

preloader_oppo6785.bin 2KB

preloader_muse6762_dh30x_q.bin 2KB

preloader_x683_h694.bin 2KB

preloader_bb4k_spark_4lite.bin 2KB

preloader_ce8_camon_16pro.bin 2KB

0766_preloader_k62v1_64_bsp_45762BFACF.bin 2KB

preloader_yk737_go_wcdma_sm02-24.bin 2KB

preloader_bali.bin 2KB

preloader_bsp_h8025.bin 2KB

preloader_q812_v03_37m_fdd_35g_u50a.bin 2KB

preloader_Hisense_U965_3G_yk737_go_wcdma.bin 2KB

preloader_yk737_go_wcdma_sm02-30.bin 2KB

preloader_nicklaus.bin 2KB

preloader_q812_v03_37m_fdd_35g_u50aplus.bin 2KB

preloader_cro_go.bin 2KB

preloader_e2001v21_v89_jbl1a698_2g.bin 2KB

preloader_oppo6771_18531_F11_PRO.bin 2KB

preloader_cc7_h626.bin 2KB

共 1509 条

# mtkclient Just some mtk tool for exploitation, reading/writing flash and doing crazy stuff. For windows, you need to install the stock mtk port and the usbdk driver (see instructions below). For linux, a patched kernel is only needed when using old kamakiri (see Setup folder) (except for read/write flash). Once the mtk script is running, boot into brom mode by powering off device, press and hold either vol up + power or vol down + power and connect the phone. Once detected by the tool, release the buttons. ## Credits - kamakiri [xyzz] - linecode exploit [chimera] - Chaosmaster - cygnusx (GUI) - All contributors ## Installation ### Use Re LiveDVD (everything ready to go, based on Ubuntu): [Download Re Live DVD V3](https://drive.google.com/file/d/1OoGWFSZTqWqwfU35W6UAUwc20CJrK95t/view?usp=sharing) User: user, Password:user (based on Ubuntu 22.04 LTS) ## Install ### Linux - (Ubuntu recommended, no patched kernel needed except for kamakiri) #### Install python >=3.8, git and other deps ``` sudo apt install python3 git libusb-1.0-0 python3-pip ``` #### Grab files ``` git clone https://github.com/bkerler/mtkclient cd mtkclient pip3 install -r requirements.txt python3 setup.py build python3 setup.py install ``` #### Install rules ``` sudo usermod -a -G plugdev $USER sudo usermod -a -G dialout $USER sudo cp Setup/Linux/*.rules /etc/udev/rules.d sudo udevadm control -R ``` Make sure to reboot after adding the user to dialout/plugdev. --------------------------------------------------------------------------------------------------------------- ### Windows #### Install python + git - Install python 3.9 and git - If you install python from microsoft store, "python setup.py install" will fail, but that step isn't required. - WIN+R ```cmd``` #### Grab files and install ``` git clone https://github.com/bkerler/mtkclient cd mtkclient pip3 install -r requirements.txt ``` #### Get latest UsbDk 64-Bit - Install normal MTK Serial Port driver (or use default Windows COM Port one, make sure no exclamation is seen) - Get usbdk installer (.msi) from [here](https://github.com/daynix/UsbDk/releases/) and install it - Test on device connect using "UsbDkController -n" if you see a device with 0x0E8D 0x0003 - Works fine under Windows 10 and 11 :D --------------------------------------------------------------------------------------------------------------- ### Use kamakiri (optional, only needed for mt6260 or older) - For linux (kamakiri attack), you need to recompile your linux kernel using this kernel patch : ``` sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev libdw-dev git clone https://git.kernel.org/pub/scm/devel/pahole/pahole.git cd pahole && mkdir build && cd build && cmake .. && make && sudo make install sudo mv /usr/local/libdwarves* /usr/local/lib/ && sudo ldconfig ``` ``` wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-`uname -r`.tar.xz tar xvf linux-`uname -r`.tar.xz cd linux-`uname -r` patch -p1 < ../Setup/kernelpatches/disable-usb-checks-5.10.patch cp -v /boot/config-$(uname -r) .config make menuconfig make sudo make modules_install sudo make install ``` - These aren't needed for current ubuntu (as make install will do, just for reference): ``` sudo update-initramfs -c -k `uname -r` sudo update-grub ``` See Setup/kernels for ready-to-use kernel setups - Reboot ``` sudo reboot ``` --------------------------------------------------------------------------------------------------------------- ## Usage ### Root the phone (Tested with android 9 - 12) 1. Dump boot and vbmeta ``` python mtk r boot,vbmeta boot.img,vbmeta.img ``` 2. Reboot the phone ``` python mtk reset ``` 3. Download patched magisk for mtk: Download (here)[https://raw.githubusercontent.com/vvb2060/magisk_files/44ca9ed38c29e22fa276698f6c03bc1168df2c10/app-release.apk] 4. Install on target phone - you need to enable usb-debugging via Settings/About phone/Version, Tap 7x on build number - Go to Settings/Additional settings/Developer options, enable "OEM unlock" and "USB Debugging" - Install magisk apk ``` adb install app-release.apk ``` - accept auth rsa request on mobile screen of course to allow adb connection 5. Upload boot to /sdcard/Download ``` adb push boot.img /sdcard/Download ``` 6. Start magisk, tap on Install, select boot.img from /sdcard/Download, then: ``` adb pull /sdcard/Download/[displayed magisk patched boot filename here] mv [displayed magisk patched boot filename here] boot.patched ``` 7. Do the steps needed in section "Unlock bootloader below" 8. Flash magisk-patched boot and empty vbmeta ``` python mtk w boot,vbmeta boot.patched,vbmeta.img.empty ``` 9. Reboot the phone ``` python mtk reset ``` 10. Disconnect usb cable and enjoy your rooted phone :) ### Boot to meta mode via payload Example: ``` python mtk payload --metamode FASTBOOT ``` ### Unlock bootloader 1. Erase metadata and userdata (and md_udc if existing): ``` python mtk e metadata,userdata,md_udc ``` 2. Unlock bootloader: ``` python mtk da seccfg unlock ``` for relocking use: ``` python mtk da seccfg lock ``` 3. Reboot the phone: ``` python mtk reset ``` and disconnect usb cable to let the phone reboot. If you are getting a dm-verity error on Android 11, just press the power button, then the device should boot and show a yellow warning about unlocked bootloader and then the device should boot within 5 seconds. ### Read flash Dump boot partition to filename boot.bin via preloader ``` python mtk r boot boot.bin ``` Dump boot partition to filename boot.bin via bootrom ``` python mtk r boot boot.bin [--preloader=Loader/Preloader/your_device_preloader.bin] ``` Dump preloader partition to filename preloader.bin via bootrom ``` python mtk r preloader preloader.bin --parttype=boot1 [--preloader=Loader/Preloader/your_device_preloader.bin] ``` Read full flash to filename flash.bin (use --preloader for brom) ``` python mtk rf flash.bin ``` Read flash offset 0x128000 with length 0x200000 to filename flash.bin (use --preloader for brom) ``` python mtk ro 0x128000 0x200000 flash.bin ``` Dump all partitions to directory "out". (use --preloader for brom) ``` python mtk rl out ``` Show gpt (use --preloader for brom) ``` python mtk printgpt ``` ### Write flash (use --preloader for brom) Write filename boot.bin to boot partition ``` python mtk w boot boot.bin ``` Write filename flash.bin as full flash (currently only works in da mode) ``` python mtk wf flash.bin ``` Write all files in directory "out" to the flash partitions ``` python mtk wl out ``` write file flash.bin to flash offset 0x128000 with length 0x200000 (use --preloader for brom) ``` python mtk wo 0x128000 0x200000 flash.bin ``` ### Erase flash Erase boot partition ``` python mtk e boot ``` Erase boot sectors ``` python mtk es boot [sector count] ``` ### DA commands: Peek memory ``` python mtk da peek [addr in hex] [length in hex] [optional: -filename filename.bin for reading to file] ``` Poke memory ``` python mtk da peek [addr in hex] [data as hexstring or -filename for reading from file] ``` Read rpmb (Only xflash for now) ``` python mtk da rpmb r [will read to rpmb.bin] ``` Write rpmb [Currently broken, xflash only] ``` python mtk da rpmb w filename ``` Generate and display rpmb1-3 key ``` python mtk da generatekeys ``` Unlock / Lock bootloader ``` python mtk da seccfg [lock or unlock] ``` --------------------------------------------------------------------------------------------------------------- ### Bypass SLA, DAA and SBC (using generic_patcher_payload) `` python mtk payload `` If you want to use SP Flash tool afterwards, make sure you select "UART" in the settings, not "USB". ### Dump preloader - Device has to be in bootrom mode and preloader has to be intact on the device ``` python mtk dumppreloader [--ptype=["amonet","kamakiri","kamakiri2","hashimoto"]] [--filename=preloader.bin] ``` ### Dump brom - Device has to be in bootrom mod

评论收藏

内容反馈

版权申诉