Data for you to build an unlocking tool about mtkclient HOT 11 CLOSED

Just read the code.... or wait for an automated solution.

from mtkclient.

Feel free to improve my script to add unlocking :)

from mtkclient.

How to use this seccfg cmd for unlocking

cmd == "seccfg":
with open("seccfg.bin", "wb") as wf:
seccfg_ver = 4
seccfg_size = 0x3C
lock_state = 3
"""
LKS_DEFAULT = 0x01
LKS_MP_DEFAULT = 0x02
LKS_UNLOCK = 0x03
LKS_LOCK = 0x04
LKS_VERIFIED = 0x05
LKS_CUSTOM = 0x06
"""
critical_lock_state = 1
"""
LKCS_UNLOCK = 0x01
LKCS_LOCK = 0x02
"""
sboot_runtime = 0
"""
SBOOT_RUNTIME_OFF = 0
SBOOT_RUNTIME_ON = 1
"""
seccfg_data = pack("<IIIIIII", 0x4D4D4D4D, seccfg_ver, seccfg_size, lock_state,
critical_lock_state, sboot_runtime, 0x45454545)
dec_hash = hashlib.sha256(seccfg_data).digest()
enc_hash = st2.keys(data=dec_hash, mode="sej_aes_encrypt")
data = seccfg_data + enc_hash
data += b"\x00" * (0x200 - len(data))
wf.write(data)
print("Successfully wrote seccfg.")
st2.close()

st2.close()

if name == "main":
main()

from mtkclient.

How to use this seccfg cmd for unlocking

cmd == "seccfg":
with open("seccfg.bin", "wb") as wf:
seccfg_ver = 4
seccfg_size = 0x3C
lock_state = 3
"""
LKS_DEFAULT = 0x01
LKS_MP_DEFAULT = 0x02
LKS_UNLOCK = 0x03
LKS_LOCK = 0x04
LKS_VERIFIED = 0x05
LKS_CUSTOM = 0x06
"""
critical_lock_state = 1
"""
LKCS_UNLOCK = 0x01
LKCS_LOCK = 0x02
"""
sboot_runtime = 0
"""
SBOOT_RUNTIME_OFF = 0
SBOOT_RUNTIME_ON = 1
"""
seccfg_data = pack("<IIIIIII", 0x4D4D4D4D, seccfg_ver, seccfg_size, lock_state,
critical_lock_state, sboot_runtime, 0x45454545)
dec_hash = hashlib.sha256(seccfg_data).digest()
enc_hash = st2.keys(data=dec_hash, mode="sej_aes_encrypt")
data = seccfg_data + enc_hash
data += b"\x00" * (0x200 - len(data))
wf.write(data)
print("Successfully wrote seccfg.")
st2.close()

st2.close()

if name == "main":
main()

Looks like you found some secret gem. Read the code and it should be perfectly clear how to use ;)

from mtkclient.

I'm not advanced enough in writing script to do that, but I will ask a few for help to do so as I don't want to release this data to just anyone that's why I don't post it here, if you would like to chat personally you might be able to help me if you aren't too busy

from mtkclient.

How to generate unlock config sir
sent me need data and solution please
this mail address [email protected]

from mtkclient.

Can you explain in detail?

from mtkclient.

Just read the code.... or wait for an automated solution.

Ok Thank You Waiting for you this solution 😍😍

from mtkclient.

C:\mtkclient-main>python stage2 seccfg
Capstone library is missing (optional).
Keystone library is missing (optional).
sej - HACC init
sej - HACC run
sej - HACC terminate
Traceback (most recent call last):
File "C:\mtkclient-main\stage2", line 616, in
main()
File "C:\mtkclient-main\stage2", line 606, in main
data = seccfg_data + enc_hash
TypeError: can't concat str to bytes

C:\mtkclient-main>

from mtkclient.

Closing now, as this feature is now implemented and will be enhanced soon.

from mtkclient.

I am not phone dev so I have only a little bit of understanding what is happening.
But if may I ask about something cause I have no idea how to bypass time waiting for my xiaomi redmi note 12 pro...
of course I can just wait... but why? :D

seccfg_ver = 4
how exactly i can know what version i've got?
seccfg_size = 0x3C
just size .. i've got it
lock_state = 3
how to understand other states? how you know what it shoud be?
LKS_DEFAULT = 0x01
LKS_MP_DEFAULT = 0x02
LKS_UNLOCK = 0x03
LKS_LOCK = 0x04
LKS_VERIFIED = 0x05
LKS_CUSTOM = 0x06
what is that?
critical_lock_state = 1
what is that? :D
LKCS_UNLOCK = 0x01
LKCS_LOCK = 0x02
understand that they're switches
sboot_runtime = 0
what is that?
SBOOT_RUNTIME_OFF = 0
SBOOT_RUNTIME_ON = 1
is it about when is it fired up?
seccfg_data = pack("<IIIIIII", 0x4D4D4D4D, seccfg_ver, seccfg_size, lock_state, critical_lock_state, sboot_runtime, 0x45454545)
packing that combo in hex
dec_hash = hashlib.sha256(seccfg_data).digest()
bytes from hash from combo
enc_hash = st2.keys(data=dec_hash, mode="sej_aes_encrypt")
not sure how this kv pairs work...
data = seccfg_data + enc_hash
something like salting data?? or wtf?
data += b"\x00" * (0x200 - len(data))
filling rest of 512 values by zeroes
so why you name value seccfg_size why is 60?

how to interpret my seccfg?

4D 4D 4D 4D 04 00 00 00 3C 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 45 45 45 45 1E 09 9F 5B FF A7 C3 8D 2D 89 F2 BE FB E8 5F DC E6 FD 08 0D E9 A8 3F B5 CC 7F 91 E8 5F 42 E7 CC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 79 09 22 00 00 00 01

why rest of file is enormously lot of x00

from mtkclient.