@javashin
Created December 26, 2022 17:47
mtkclient - mtkbypass adventures
[root@igloo bypass_utility]# ./main.py
[2022-12-26 08:49:50.357670] Waiting for device
[2022-12-26 08:50:00.561775] Found device = 0e8d:2000
[2022-12-26 08:50:00.903874] Device hw code: 0x766
[2022-12-26 08:50:00.904187] Device hw sub code: 0x8a00
[2022-12-26 08:50:00.904352] Device hw version: 0xca00
[2022-12-26 08:50:00.904482] Device sw version: 0x0
[2022-12-26 08:50:00.904622] Device secure boot: True
[2022-12-26 08:50:00.904759] Device serial link authorization: False
[2022-12-26 08:50:00.904896] Device download agent authorization: True
[2022-12-26 08:50:00.905053] Found device in preloader mode, trying to crash...
[2022-12-26 08:50:00.907292] status is 7024
[2022-12-26 08:50:02.859502] Waiting for device
[2022-12-26 08:50:02.860216] Found device = 0e8d:0003
[2022-12-26 08:50:03.179913] Device hw code: 0x766
[2022-12-26 08:50:03.180246] Device hw sub code: 0x8a00
[2022-12-26 08:50:03.180380] Device hw version: 0xca00
[2022-12-26 08:50:03.180514] Device sw version: 0x0
[2022-12-26 08:50:03.180649] Device secure boot: True
[2022-12-26 08:50:03.180777] Device serial link authorization: False
[2022-12-26 08:50:03.180907] Device download agent authorization: True
[2022-12-26 08:50:03.181056] Disabling watchdog timer
[2022-12-26 08:50:03.182621] Disabling protection
[2022-12-26 08:50:03.213399] Protection disabled
[root@igloo bypass_utility]# ./main.py
[2022-12-26 08:50:26.601605] Waiting for device
[2022-12-26 08:50:26.604333] Found device = 0e8d:0003
[2022-12-26 08:50:28.252135] Device hw code: 0x766
[2022-12-26 08:50:28.252715] Device hw sub code: 0x8a00
[2022-12-26 08:50:28.252904] Device hw version: 0xca00
[2022-12-26 08:50:28.253026] Device sw version: 0x0
[2022-12-26 08:50:28.253157] Device secure boot: False
[2022-12-26 08:50:28.253280] Device serial link authorization: False
[2022-12-26 08:50:28.253704] Device download agent authorization: False
[2022-12-26 08:50:28.254093] Disabling watchdog timer
[2022-12-26 08:50:28.255807] Insecure device, sending payload using send_da
[2022-12-26 08:50:28.304690] Found send_dword, dumping bootrom to bootrom_766.bin
[root@igloo bypass_utility]# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 006: ID 5986:0367 Acer, Inc Integrated Camera
Bus 001 Device 005: ID 8087:07dc Intel Corp. Bluetooth wireless interface
Bus 001 Device 004: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 001 Device 003: ID 0bda:0177 Realtek Semiconductor Corp. USB2.0-CRW
Bus 001 Device 002: ID 10c4:8108 Silicon Labs USB OPTICAL MOUSE
Bus 001 Device 107: ID 0e8d:0003 MediaTek Inc. MT6227 phone
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[root@igloo mtkclient]# cd -
/ntfs/TAB-A7-LITE-STOCK-ROMS/Samfw.com_SM-T220_XAR_T220XXS1BVJ2_fac/FIRMWARE_UNPACKED
[root@igloo FIRMWARE_UNPACKED]# ./mtkclient-1.52/mtk w grd_fw,tzar,dtbo,vbmeta,param,up_param,boot,recovery,vbmeta_system,efuse,super,prism,optics,cache,omr,userdata grd_fw.img,tzar.img,dtbo.img,vbmeta.img,param.img,up_param.img,boot.img,recovery.img,vbmeta_system.img,efuse.img,super.img,prism.img,optics.img,cache.img,omr.img,userdata.img --preloader preloader_ot8.bin ; ./mtkclient-1.52/mtk reset
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Hint:
Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
...........
Port - Device detected :)
Preloader - CPU: MT6765(Helio P35/G35)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x766
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 969E54D01246234FEF784175E755B78D
Preloader - SOC_ID: 28E1F4096CBDB601F1DCF97DD20EEB4A01ACC1BEF528C0E20B0E069D8D8161D0
Main - Device is unprotected.
PLTools - Loading payload from mt6765_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /ntfs/TAB-A7-LITE-STOCK-ROMS/Samfw.com_SM-T220_XAR_T220XXS1BVJ2_fac/FIRMWARE_UNPACKED/mtkclient-1.52/mtkclient/payloads/mt6765_payload.bin
Port - Device detected :)
DAXFlash - Uploading stage 1 from MTK_AllInOne_DA_5.2136.bin
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 1501004758364241
DAXFlash - Sending emi data ...
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: GX6BAB
DAXFlash - EMMC CID: 15010047583642414200af50079b59c3
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x1000000
DAXFlash - EMMC USER Size: 0x747c00000
DAXFlash - DA-CODE : 0x666D0
DAXFlash - DA Extensions successfully added
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1BB of 0x1BB, ) 1.00 MB/s
Wrote grd_fw.img to sector 186368 with sector count 4096.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x2000 of 0x2000, ) 2.25 MB/s61 MB/s
Wrote tzar.img to sector 194560 with sector count 8192.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x52 of 0x52, ) 0.56 MB/s
Wrote dtbo.img to sector 239616 with sector count 16384.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x11 of 0x11, ) 0.19 MB/s
Wrote vbmeta.img to sector 256000 with sector count 128.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xF1 of 0xF1, ) 0.99 MB/s
Wrote param.img to sector 1052880 with sector count 8192.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x10F5 of 0x10F5, ) 1.46 MB/s
Wrote up_param.img to sector 1061072 with sector count 8192.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x10000 of 0x10000, ) 1.71 MB/s1 MB/s
Wrote boot.img to sector 1167568 with sector count 65536.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x12800 of 0x12800, ) 2.46 MB/s59 MB/s
Wrote recovery.img to sector 1233104 with sector count 75776.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x7 of 0x7, ) 0.13 MB/s
Wrote vbmeta_system.img to sector 1308880 with sector count 128.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x2 of 0x2, ) 0.02 MB/s
Wrote efuse.img to sector 1309136 with sector count 1024.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x338000 of 0x338000, ) 2.47 MB/s99 MB/sMB/s
Wrote super.img to sector 1327104 with sector count 3375104.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0xC2A31 of 0xC2A31, ) 2.69 MB/s54 MB/sMB/s
Wrote prism.img to sector 4702208 with sector count 1073152.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x519 of 0x519, ) 2.12 MB/s
Wrote optics.img to sector 5775360 with sector count 40960.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x81 of 0x81, ) 1.33 MB/s
Wrote cache.img to sector 5816320 with sector count 409600.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x69 of 0x69, ) 0.99 MB/s
Wrote omr.img to sector 6225920 with sector count 49152.
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x1D5E72 of 0x1D5E72, ) 1.17 MB/s41 MB/sMB/s
Wrote userdata.img to sector 6377472 with sector count 54693855.
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021
[root@igloo FIRMWARE_UNPACKED]# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 006: ID 5986:0367 Acer, Inc Integrated Camera
Bus 001 Device 005: ID 8087:07dc Intel Corp. Bluetooth wireless interface
Bus 001 Device 004: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 001 Device 003: ID 0bda:0177 Realtek Semiconductor Corp. USB2.0-CRW
Bus 001 Device 002: ID 10c4:8108 Silicon Labs USB OPTICAL MOUSE
Bus 001 Device 010: ID 0e8d:2001 MediaTek Inc.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub