exploits_collection's Introduction

Supported SoCs

  • mt6261
  • mt6572
  • mt6580
  • mt6582
  • mt6592
  • mt6595
  • mt6735
  • mt6737
  • mt6739
  • mt6750
  • mt6753
  • mt6755
  • mt6757
  • mt6761
  • mt6763
  • mt6765
  • mt6768
  • mt6771
  • mt6779
  • mt6785
  • mt6795
  • mt6797
  • mt6799
  • mt6833
  • mt6853
  • mt6873
  • mt6885
  • mt8127
  • mt8163
  • mt8167
  • mt8173
  • mt8590
  • mt8695

exploits_collection's People

Contributors

bkerler, chaosmaster, dinolek, r0rt1z2, rebainoor

exploits_collection's Issues

Pls Add support for MTK mt6893

Hi,
I know it's not implemented yet, but I did not see a section to add a suggestion or feature request, so I am adding it as an issue. I am trying to use the exploits with BROM bypass on my phone, a "Xiaomi 11T" with MTK mt6893 (Dimensity 1200 SoC). As it is not implemented, I am getting the error below: Can't find 0x950 hw_code in config. Please support implementing it. Thanks

oppo_preloader

Models like OPPO A83 A1 use the MT6763 CPU, and new security is enabled after 2018, which causes the device to display the driver as OPPO Preloader after pressing the volume and inserting the data cable. After installing the driver, it displays as MediaTek Preloader USB VCOM, but the PID and VID of the driver are not the same as on an ordinary MTK device. The VID of the device is 22D9 and the PID is 0006. Bypass_utility cannot detect the device. When I change the PID and VID in device.py in src, I get such an error. I think the port is still a bootrom port, so can we support OPPO's preloader port?

Which SoC which device

I'm trying to access the bootloader with no success, so I'm following this guide, but my SoC isn't in the list of supported SoCs, so maybe it can change?

MT6769H (Helio G88) support - Infinix HOT 11S NFC

Is the phone either supported or is support coming to this specific chip?
The phone has been proved to not be possible to be put in BROM without either getting into recovery and flashing and/or disassembling the phone and shortening the kcol0 test point.
As a stupid accident, I have flashed recovery to boot since as of Google's intent "boot" and "recovery" have been put into one, and we thought it'll work (?)
Running bypass showed the DAA_SIG_VERIFY_FAIL error, a fellow XDA thread also resigned, saying that it's done with test point.

Is the phone done for or is the bypass going to work on it anytime soon?

(these tests may be flawed because the windows install is quite broken)

python main.py -t
[2024-01-10 11:38:07.265005] Waiting for device
[2024-01-10 11:38:11.848018] Found device = 0e8d:2000

[2024-01-10 11:38:20.251010] Device hw code: 0x707
[2024-01-10 11:38:20.254966] Device hw sub code: 0x8a00
[2024-01-10 11:38:20.255994] Device hw version: 0xca00
[2024-01-10 11:38:20.257986] Device sw version: 0x0
[2024-01-10 11:38:20.260027] Device secure boot: True
[2024-01-10 11:38:20.263974] Device serial link authorization: False
[2024-01-10 11:38:20.265965] Device download agent authorization: True

[2024-01-10 11:38:20.267965] Found device in preloader mode, trying to crash...

[2024-01-10 11:38:20.271965] status is 7024

..........Preloader
Preloader - [LIB]: Status: Handshake failed, retrying...

(now linux)

user@livedvd:/opt/mtkclient$ python mtk payload --metamode FASTBOOT
MTK Flash/Exploit Client V1.57 (c) B.Kerler 2018-2022

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader - CPU: MT6768(Helio P65/G85 k68v1)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x707
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Mtk - We're not in bootrom, trying to crash da...
PLTools - Crashing da...
Preloader
Preloader - [LIB]: upload_data failed with error: DAA_SIG_VERIFY_FAILED (0x7024)
Preloader
Preloader - [LIB]: Error on uploading da data
Preloader - Jumping to 0x0
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
< big line of failing handshakes >
Port - Device detected :)
Preloader - CPU: MT6768(Helio P65/G85 k68v1)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x25
Preloader - Disabling Watchdog...
Preloader - HW code: 0x707
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
PLTools - Loading payload from mt6768_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
DeviceClass - USBError(5, 'Input/Output Error')
DeviceClass - USBError(19, 'No such device (it may have been disconnected)')
Traceback (most recent call last):
File "/opt/mtkclient/mtk", line 740, in
mtk = Main(args).run()
File "/opt/mtkclient/mtkclient/Library/mtk_main.py", line 524, in run
self.cmd_payload(mtk=mtk, payloadfile=payloadfile)
File "/opt/mtkclient/mtkclient/Library/mtk_main.py", line 586, in cmd_payload
plt.runpayload(filename=payloadfile)
File "/opt/mtkclient/mtkclient/Library/pltools.py", line 102, in runpayload
if self.kama.payload(payload, addr, True, exploittype):
File "/opt/mtkclient/mtkclient/Library/kamakiri.py", line 139, in payload
if self.exploit2(payload, addr):
File "/opt/mtkclient/mtkclient/Library/kamakiri.py", line 117, in exploit2
ptr_send = unpack("<I", self.da_read(self.mtk.config.chipconfig.send_ptr[0][1], 4))[0] + 8
TypeError: a bytes-like object is required, not 'NoneType'

if this isn't possible, I would like to get a recommendation for an EDL cable to purchase (in Russia), because I am not touching the insides of this thing. I'm still a teen, I shouldn't be allowed to, neither should I try doing it myself.

MT6771, Unihertz Titan (UFS-Memory) bricked dead, after flashing with wrong Stock-Rom

today with mtkclient mtk_gui
mtk_gui log:
[10:01:47]: Device is unprotected.
[10:01:47]: Device is in BROM-Mode. Bypassing security.
[10:01:47]: Loading payload from mt6771_payload.bin, 0x264 bytes
[10:01:47]: Kamakiri / DA Run
[10:01:47]: Trying kamakiri2..
[10:01:47]: Done sending payload...
[10:01:47]: Successfully sent payload: C:\mtkclient-main\mtkclient\payloads\mt6771_payload.bin
[10:01:47]: Device is in BROM mode. No preloader given, trying to dump preloader from ram.
[10:01:48]: Patched "Patched loader msg" in preloader
[10:01:48]: Patched "Patched loader msg" in preloader
[10:01:48]: Patched "get_vfy_policy" in preloader

Phone detected: MT6771,
Jumping to 0x200000: ok

...and stopped.

In same time terminal-log:
Port - Device detected :)
Preloader - CPU: MT6771/MT8385/MT8183/MT8666(Helio P60/P70/G80)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x788
Preloader - Target config: 0x0
Preloader - SBC enabled: False
Preloader - SLA enabled: False
Preloader - DAA enabled: False
Preloader - SWJTAG enabled: False
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 5649224A4BD6F0263F7ABC130DCE05AA
Preloader - SOC_ID: 67EB8D8456F3D36A30C5801507195F549290F216EF032600F78136D5E0D540D5
Port - Device detected :)
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA.bin
xflashext - Patching da1 ...
xflashext
xflashext - [LIB]: Error on patching da1 version check...
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: KM2V8001CM-B70
DAXFlash - UFS MID: 0xce
DAXFlash - UFS CID: ce014b4d325638303031434d2d423730
DAXFlash - UFS FWVer: 31303030
DAXFlash - UFS Serial: 343963633266653031363164
DAXFlash - UFS LU0 Size: 0x1dcb000000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : ce014b4d325638303031434d2d423730
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: Error on sending emi: unpack requires a buffer of 12 bytes
None

What is the problem inside the Device?

Adding MT6769

Hi would it be possible to get MT6769 added as a payload.

Would be much appreciated.

MT6893

Pls add MT6893 chipset, I can't bypass it

Request support helio G99 (hw code: 0x1208)

Hi, how can I make a payload for my device? Is there any documentation?
I think this project is not developed anymore, so recent devices will not be supported, including mine with hw code 0x1208. Here is the log:

Microsoft Windows [Version 10.0.22621.963]
(c) Microsoft Corporation. All rights reserved.

C:\Users\alawi\Documents\Dataku\program\ANDROIDSS\bypass_utility>python main.py -t
[2022-12-18 07:46:23.792998] Waiting for device
[2022-12-18 07:46:31.864132] Found device = 0e8d:0003
[2022-12-18 07:46:32.081253] Can't find 0x1208 hw_code in config

[2022-12-18 07:46:32.081253] Device hw code: 0x1208
[2022-12-18 07:46:32.081253] Device hw sub code: 0x8a00
[2022-12-18 07:46:32.081253] Device hw version: 0xca00
[2022-12-18 07:46:32.081253] Device sw version: 0x0
[2022-12-18 07:46:32.081253] Device secure boot: True
[2022-12-18 07:46:32.081253] Device serial link authorization: False
[2022-12-18 07:46:32.081253] Device download agent authorization: True

[2022-12-18 07:46:32.081253] Disabling watchdog timer
[2022-12-18 07:46:32.081253] Test mode, testing 0x9900...

bypass update

Please add support for helio g99 mt6789 processor urgently need a bypass.

Getting errors while executing bypass.bat

When I run the bypass.bat script while pressing the volume down button in power-off state, I get this error:
usb.core.NoBackendError : No backend available
I'll be grateful if someone can help

mt6895

[2022-06-29 15:47:08.009170] Waiting for device
[2022-06-29 15:47:12.777843] Found device = 0e8d:0003
NotImplementedError: Can't find 0x1172 hw_code in config

MT8176, Asus z500m

Can someone tell me what I need to do to make a payload for this device?
I have Asus z500m and somehow with SPFT using z300m DA I was able to readback full emmc content, but when I tried to flash system.img it was asking me for some authentication...

So this is what I have:
full emmc content
preloader.bin
scatter file
kernel-source for 13.6.10.15 but my firmware is 13.6.10.16

This is what I need:
-to be able to flash sys, rec, boot, etc...

Plz add MT6885Z

Device hw code: 0x816
Device hw sub code: 0x8a00
Device hw version: 0xca00
Device sw version: 0x0

MT6789/MT1208

Hello,
If this is not a dead project, please add mt6789/mt1208
Helio G99

Many thanks in advance.
I offer a financial reward, according to the agreement

Problem module serial has no serial attribute

I'm having this error

File "D:\Descargas\VD171_MTK-bypass-v1.5\Bypass\src\device.py", line 67, in serial_ports
s = serial.Serial(port_device, timeout=TIMEOUT)
^^^^^^^^^^^^^
AttributeError: module 'serial' has no attribute 'Serial'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "D:\Descargas\VD171_MTK-bypass-v1.5\Bypass\main.py", line 213, in
main()
File "D:\Descargas\VD171_MTK-bypass-v1.5\Bypass\main.py", line 42, in main
device = Device().find()
^^^^^^^^^^^^^^^
File "D:\Descargas\VD171_MTK-bypass-v1.5\Bypass\src\device.py", line 28, in find
new = self.serial_ports()
^^^^^^^^^^^^^^^^^^^
File "D:\Descargas\VD171_MTK-bypass-v1.5\Bypass\src\device.py", line 70, in serial_ports
except (OSError, serial.SerialException):
^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'serial' has no attribute 'SerialException'

BYPASS ERROR

Hello sir, may I ask something sir? I have a Redmi Note 8 Pro. It is hard-bricked, totally dead... and I want to bypass but I always fail... This is my error..

please help vivo y91c

[2022-10-23 19:17:37.730650] Found port = COM3
[2022-10-23 19:17:38.051155] Device hw code: 0x766
[2022-10-23 19:17:38.053154] Device hw sub code: 0x8a00
[2022-10-23 19:17:38.054151] Device hw version: 0xca00
[2022-10-23 19:17:38.055154] Device sw version: 0x0
[2022-10-23 19:17:38.055154] Device secure boot: True
[2022-10-23 19:17:38.056153] Device serial link authorization: False
[2022-10-23 19:17:38.057151] Device download agent authorization: True
[2022-10-23 19:17:38.059154] Found device in preloader mode, trying to crash...
[2022-10-23 19:17:38.062153] status is 7024
[2022-10-23 19:17:38.106307] Waiting for device
[2022-10-23 19:17:40.260387] Found port = COM3
[2022-10-23 19:17:40.573363] Device hw code: 0x766
[2022-10-23 19:17:40.576366] Device hw sub code: 0x8a00
[2022-10-23 19:17:40.577365] Device hw version: 0xca00
[2022-10-23 19:17:40.577365] Device sw version: 0x0
[2022-10-23 19:17:40.578366] Device secure boot: True
[2022-10-23 19:17:40.579364] Device serial link authorization: False
[2022-10-23 19:17:40.579364] Device download agent authorization: True
[2022-10-23 19:17:40.580364] Found device in preloader mode, trying to crash...
[2022-10-23 19:17:40.583364] status is 7024
[2022-10-23 19:17:40.620509] Waiting for device

MTK6572 - Rino3

This is the result on Windows. On linux, the message is different, but the meaning is the same.

[2023-07-22 21:46:01.667131] Waiting for device
[2023-07-22 21:46:07.760194] Found port = COM13

[2023-07-22 21:46:08.088411] Device hw code: 0x6572
[2023-07-22 21:46:08.089413] Device hw sub code: 0x8a00
[2023-07-22 21:46:08.090414] Device hw version: 0xca01
[2023-07-22 21:46:08.093416] Device sw version: 0x0
[2023-07-22 21:46:08.094416] Device secure boot: False
[2023-07-22 21:46:08.095417] Device serial link authorization: False
[2023-07-22 21:46:08.096418] Device download agent authorization: False

[2023-07-22 21:46:08.098419] Disabling watchdog timer
[2023-07-22 21:46:08.101421] Insecure device, sending payload using send_da
[2023-07-22 21:46:08.683809] Payload did not reply

bootrom_6572.zip

I have added support for MT6873

My Redmi 10X Pro 5G was bricked last week, and thanks to this project I have managed to read the BROM, and found the offsets needed for my phone, and managed to revive it.

https://github.com/yohanes/exploit_mt6873

Do you mind if I do a write-up on my blog so that others can also add their own MTK SoC?

I also have a question about var_0 and var_1 (which happens to be not needed for my phone), can you explain the use of var_0 and var_1?

MT6595, Meizu MX4

python main.py -t -v 0
[2021-05-19 08:40:46.280018] Test mode, testing 0xa...
[2021-05-19 08:40:46.280018] Waiting for device
[2021-05-19 08:40:51.717110] Found port = COM4
[Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: \xd3\xc9\xd3\xda\xcf\xdf\xb3\xcc\xcd\xcb\xb3\xf6\xbb\xf2\xd3\xa6\xd3\xc3\xb3\xcc\xd0\xf2\xc7\xeb\xc7\xf3\xa3\xac\xd2\xd1\xd6\xd0\xd6\xb9 I/O \xb2\xd9\xd7\xf7\xa1\xa3\r\n\n'
[2021-05-19 08:40:52.764448] Found send_dword, dumping bootrom to bootrom_6595.bin

bootrom_6595.zip

What should I do after getting the bootrom? Please help

Any plans on mt6769?

Hi,
I came across this project after failing in literally everything else. I am curious to know if you guys have any plans for mt6769, since mt6768 is already there. I bought a new phone (Tecno Spark 7 Pro) with this chipset and now I'm patient enough to wait for an exploit in the near future if possible. Just wanted to get your attention regarding this chipset.
Thank you.
