mtk-bypass / bypass_utility
License: MIT License
device: Unihertz Jelly 2
cpu: MT6771
Device is bootlooping, as it loops it reveals the PreLoader VCOM port (COM4) for about 2s then the Mediatek USB Port (COM3) for about 2s, then repeats. Below is the output from main.py.
I'm not sure if I'm not timing running the script correctly or if I'm missing something else.
[2021-05-10 10:34:38.066595] Waiting for device
[2021-05-10 10:34:43.900307] Found port = COM4
[2021-05-10 10:34:44.201610] Device hw code: 0x788
[2021-05-10 10:34:44.204604] Device hw sub code: 0x8a00
[2021-05-10 10:34:44.214576] Device hw version: 0xca00
[2021-05-10 10:34:44.215573] Device sw version: 0x0
[2021-05-10 10:34:44.216572] Device secure boot: False
[2021-05-10 10:34:44.219570] Device serial link authorization: False
[2021-05-10 10:34:44.221557] Device download agent authorization: False
[2021-05-10 10:34:44.228539] Found device in preloader mode, trying to crash...
[2021-05-10 10:34:44.255468] Waiting for device
[2021-05-10 10:34:45.559325] Found port = COM3
[2021-05-10 10:34:45.623156] Device hw code: 0x788
[2021-05-10 10:34:45.627145] Device hw sub code: 0x8a00
[2021-05-10 10:34:45.637120] Device hw version: 0xca00
[2021-05-10 10:34:45.639114] Device sw version: 0x0
[2021-05-10 10:34:45.650090] Device secure boot: False
[2021-05-10 10:34:45.651082] Device serial link authorization: False
[2021-05-10 10:34:45.652080] Device download agent authorization: False
[2021-05-10 10:34:45.653077] Disabling watchdog timer
[2021-05-10 10:34:45.657066] Insecure device, sending payload using send_da
[2021-05-10 10:34:45.698954] Found send_dword, dumping bootrom to bootrom_788.bin
Hi, when I'm running the script with python main.py
and plugging in my phone (an Honor 7S), I'm getting this error
NotImplementedError: Operation not supported or unimplemented on this platform
Complete stack trace:
[2021-08-22 21:25:46.383137] Waiting for device
[2021-08-22 21:25:50.948190] Found port = COM8
[2021-08-22 21:25:51.007191] Device hw code: 0x699
[2021-08-22 21:25:51.007191] Device hw sub code: 0x8a00
[2021-08-22 21:25:51.008193] Device hw version: 0xcb00
[2021-08-22 21:25:51.009193] Device sw version: 0x2
[2021-08-22 21:25:51.009193] Device secure boot: True
[2021-08-22 21:25:51.010193] Device serial link authorization: True
[2021-08-22 21:25:51.010193] Device download agent authorization: False
[2021-08-22 21:25:51.011192] Disabling watchdog timer
[2021-08-22 21:25:51.012193] Disabling protection
Traceback (most recent call last):
File "C:\Users\alex6\Downloads\bypass\main.py", line 213, in <module>
main()
File "C:\Users\alex6\Downloads\bypass\main.py", line 58, in main
result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
File "C:\Users\alex6\Downloads\bypass\src\exploit.py", line 41, in exploit
udev.ctrl_transfer(0xA1, 0, 0, var_1, 0)
File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 1071, in ctrl_transfer
self._ctx.managed_open()
File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 113, in wrapper
return f(self, *args, **kwargs)
File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 131, in managed_open
self.handle = self.backend.open_device(self.dev)
File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 804, in open_device
return _DeviceHandle(dev)
File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 652, in __init__
_check(_lib.libusb_open(self.devid, byref(self.handle)))
File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 600, in _check
raise NotImplementedError(_strerror(ret))
NotImplementedError: Operation not supported or unimplemented on this platform
Thanks
MT8167S variant, mt8167 payload seemingly works but SP Tool still reporting STATUS_SEC_AUTH_FILE_NEEDED on readback.
Any thoughts?
Firstly, thanks for that tool, it already helped a lot of people and gives me hope.
Now a question, I have a Redmi 9, it's a MT6768. Unfortunately I bricked the device while flashing Custom Recovery. To flash the stock firmware with SP Flashtool I want to bypass the bootrom protection with your tool.
As soon as I connect it detects the port, but at the end I do not get Protection disabled, instead it stops with the line:
NotImplementedError("Can't find {} hw_code in config".format(hw_code))
and gives me the final error:
NotImplementedError: Can't find 0x707 hw_code in config
Maybe you know something and could tell me if I did something wrong, or is my device completely irreparable and hard bricked?
basically a repost from the xda thread:
It's just stuck on waiting for device. I've tried everything like cmd in admin, restarting, all the debug parameters, even class filters. I don't see mtk6785t but 6785 is there so I think that shouldn't be an issue? Idk, but any help would be great. I have the payloads in the payloads/ folder and the default_config.json5 file in the dir with main.py in it.
I'm running it on a PC with a Ryzen 5 3600, so that could be why? I've checked the code; it seems to just not find the serial port. If I should try on an Intel CPU, how would I use it with a Mac? Because I don't have any other PCs. Maybe through a VM, but I doubt that'd work.
[2021-04-05 18:02:52.838734] Found port = COM3
[2021-04-05 18:02:53.388704] Device hw code: 0x699
[2021-04-05 18:02:53.391786] Device hw sub code: 0x8a00
[2021-04-05 18:02:53.393353] Device hw version: 0xcb00
[2021-04-05 18:02:53.461577] Device sw version: 0x2
[2021-04-05 18:02:53.476695] Device secure boot: True
[2021-04-05 18:02:53.513285] Device serial link authorization: False
[2021-04-05 18:02:53.531479] Device download agent authorization: True
[2021-04-05 18:02:53.571434] Found device in preloader mode, trying to crash...
[2021-04-05 18:02:53.623019] status is 7024
what I show here is only repeated infinitely
I can't really provide more info.
Can you help me solve this?
Waiting for bootrom...[2021-04-05 10:35:12.303609] Waiting for bootrom
Traceback (most recent call last):
[2021-04-05 10:35:33.746503] Found port = COM3
File "C:\ProgramData\obexs\Data\main.py", line 169, in <module>
main()
File "C:\ProgramData\obexs\Data\main.py", line 63, in main
raise e
File "C:\ProgramData\obexs\Data\main.py", line 56, in main
config = Config().default(hw_code)
File "C:\ProgramData\obexs\Data\src\config.py", line 14, in default
self.from_file(config, hw_code)
File "C:\ProgramData\obexs\Data\src\config.py", line 27, in from_file
raise NotImplementedError("Can't find {} hw_code in config".format(hw_code))
NotImplementedError: Can't find 0x816 hw_code in config
Hello dear and god programmer, is there any chance / possibility that a bypass will be possible for the MT6889Z (Mediatek Dimensity 1000+) chipset in the future,
so that we can lift realme phones and other branded devices with this chipset from the world of the dead, I mean, with our devices in a hard-bricked state?
I'm testing this tool on MT6739 but I receive only dump bootrom
[2021-09-27 20:19:23.926875] Waiting for device
[2021-09-27 20:19:33.989230] Found device = 0e8d:2000
[2021-09-27 20:19:34.057909] Device hw code: 0x699
[2021-09-27 20:19:34.057999] Device hw sub code: 0x8a00
[2021-09-27 20:19:34.058033] Device hw version: 0xcb00
[2021-09-27 20:19:34.058060] Device sw version: 0x2
[2021-09-27 20:19:34.058088] Device secure boot: True
[2021-09-27 20:19:34.058115] Device serial link authorization: False
[2021-09-27 20:19:34.058141] Device download agent authorization: False
[2021-09-27 20:19:34.058176] Found device in preloader mode, trying to crash...
[2021-09-27 20:19:34.059344] status is 7024
[2021-09-27 20:19:36.032828] Waiting for device
[2021-09-27 20:19:36.033289] Found device = 0e8d:0003
[2021-09-27 20:19:36.100812] Device hw code: 0x699
[2021-09-27 20:19:36.100911] Device hw sub code: 0x8a00
[2021-09-27 20:19:36.100948] Device hw version: 0xcb00
[2021-09-27 20:19:36.100978] Device sw version: 0x2
[2021-09-27 20:19:36.101016] Device secure boot: True
[2021-09-27 20:19:36.101046] Device serial link authorization: False
[2021-09-27 20:19:36.101081] Device download agent authorization: False
[2021-09-27 20:19:36.101116] Disabling watchdog timer
[2021-09-27 20:19:36.101762] Insecure device, sending payload using send_da
[2021-09-27 20:19:36.148062] Found send_dword, dumping bootrom to bootrom_699.bin
I tried to force it but it doesn't work; flash_tool got an error
Connecting to BROM...
Connect BROM failed: STATUS_ERR(-1073676287)
Disconnect!
BROM Exception! ( ERROR : STATUS_ERR (-1073676287) , MSP ERROE CODE : 0x00.
add support with other tools apart from sp flashtool
I disabled a protection by using this utility and then tried to readback using SP Flash Tool (UART mode) but am constantly getting ERROR: STATUS_ERR (0xC0010001)
According to this https://forum.hovatek.com/thread-439.html
Error 0xC0010001)
Message: ERROR: STATUS_ERR (0xC0010001)
Meaning DA or Auth verification failed
Solution: Ensure to load a custom DA or Auth for the device or bypass DA / Auth check
Does it mean that the device is still protected even though this tool showed it's successfully disabled?
[2021-04-21 21:50:53.296370] Waiting for device
[2021-04-21 21:51:00.679548] Found port = COM5
[2021-04-21 21:51:00.751481] Device hw code: 0x8167
[2021-04-21 21:51:00.752482] Device hw sub code: 0x8a00
[2021-04-21 21:51:00.753479] Device hw version: 0xcb00
[2021-04-21 21:51:00.753479] Device sw version: 0x1
[2021-04-21 21:51:00.753479] Device secure boot: True
[2021-04-21 21:51:00.754478] Device serial link authorization: False
[2021-04-21 21:51:00.754478] Device download agent authorization: True
[2021-04-21 21:51:00.755477] Disabling watchdog timer
[2021-04-21 21:51:00.756476] Disabling protection
[2021-04-21 21:51:00.813923] Protection disabled
There's a list of supported SoCs and according to it, the MT6769 isn't supported. I have a device which has the MT6769T SoC, I've run the bypass, and I got the following output:
# ./main.py
[2021-08-28 09:25:21.403348] Waiting for device
[2021-08-28 09:25:42.562931] Found device = 0e8d:0003
[2021-08-28 09:25:42.680552] Device hw code: 0x707
[2021-08-28 09:25:42.680741] Device hw sub code: 0x8a00
[2021-08-28 09:25:42.680882] Device hw version: 0xca00
[2021-08-28 09:25:42.681008] Device sw version: 0x0
[2021-08-28 09:25:42.681129] Device secure boot: True
[2021-08-28 09:25:42.681228] Device serial link authorization: True
[2021-08-28 09:25:42.681323] Device download agent authorization: True
[2021-08-28 09:25:42.681422] Disabling watchdog timer
[2021-08-28 09:25:42.682623] Disabling protection
[2021-08-28 09:25:42.711964] Protection disabled
So, is it supported or not?
Unfortunately I can't test it with spflashtool, because the current version doesn't support this MT6769T/MT6769 SoC.
Hi,
Thanks for your great work.
When using the latest bypass_utility with the latest exploits_collection on FireISO 2.0 on real hardware (not a VM):
The device does not respond to the initial commands 0xFD and 0xFC. However we can read the device code using 0xA2 (READ16) 0x80000008 and it returns 0x6261 telling us the device is mt6261.
Given 0x80000008 says device is a 6261 we hard code it in device.get_hw_code() and not call device.get_hw_dict()
From that point, the rest seems to run properly however the payload doesn't run. The test mode has runs of "Pipe Error" followed by runs of "Operation timed out" and it reboots every time making me think the device is probably vulnerable but we aren't loaded at the right address so it just breaks.
How did you find the payload load address? Any other suggestions most welcome!
Hi, any chance to see this tool support MT8516 (hw 0x8167)?
Does it make sense to try to play with currently supported hw 0x8163?
Device hw code: 0x8167
Device hw sub code: 0x8a00
Device hw version: 0xcb00
Device sw version: 0x1
Device secure boot: True
Device serial link authorization: False
Device download agent authorization: True
When I run main.py, this happens:
Traceback (most recent call last):
File "C:\Users\lvsit\Desktop\bypass_utility\main.py", line 237, in <module>
main()
File "C:\Users\lvsit\Desktop\bypass_utility\main.py", line 38, in main
raise RuntimeError("Default config is missing")
RuntimeError: Default config is missing
Is it supposed to have a file called DEFALT_CONFIG?
Thanks in advance
@chaosmaster @bkerler
My mtk question is like this issue: #25
I have changed device.py in line 126 and line 132, replacing them with:
assert from_bytes(self.dev.read(2), 2) <= 0xff
I used test mode to dump the bootrom
PS D:\Mtk\ByPass\bypass_utility-master> py -3 main.py -t -v CC
[2021-04-27 18:32:11.095373] Waiting for device
[2021-04-27 18:32:15.311557] Found port = COM10
[2021-04-27 18:32:15.351974] Device hw code: 0x8167
[2021-04-27 18:32:15.354967] Device hw sub code: 0x8a00
[2021-04-27 18:32:15.355964] Device hw version: 0xcb00
[2021-04-27 18:32:15.356962] Device sw version: 0x1
[2021-04-27 18:32:15.357959] Device secure boot: True
[2021-04-27 18:32:15.357959] Device serial link authorization: False
[2021-04-27 18:32:15.358956] Device download agent authorization: True
[2021-04-27 18:32:15.359953] Disabling watchdog timer
[2021-04-27 18:32:15.360950] Disabling protection
[2021-04-27 18:32:15.429767] Found send_dword, dumping bootrom to bootrom_8167.bin
Using the payload and var value made by @bkerler, I get this error:
D:\Mtk\ByPass\bypass_utility-master> py -3 main.py
[2021-04-27 18:35:50.567474] Waiting for device
[2021-04-27 18:35:55.670430] Found port = COM10
[2021-04-27 18:35:55.722294] Device hw code: 0x8167
[2021-04-27 18:35:55.725285] Device hw sub code: 0x8a00
[2021-04-27 18:35:55.727279] Device hw version: 0xcb00
[2021-04-27 18:35:55.728277] Device sw version: 0x1
[2021-04-27 18:35:55.729274] Device secure boot: True
[2021-04-27 18:35:55.730271] Device serial link authorization: False
[2021-04-27 18:35:55.734260] Device download agent authorization: True
[2021-04-27 18:35:55.737252] Disabling watchdog timer
[2021-04-27 18:35:55.740246] Disabling protection
[2021-04-27 18:36:11.886113] Payload did not reply
I have uploaded the log and bootrom dump here
https://drive.google.com/drive/folders/12sI7XFmPlmzPRPV8pIudXdUKor-g-gdR
Can someone help me make the right payload and right var value please? Thanks!
[2021-04-08 16:42:12.089461] Waiting for device
[2021-04-08 16:42:49.975887] Found port = COM11
[2021-04-08 16:43:53.670724] Waiting for device
[2021-04-08 16:43:57.472503] Found port = COM11
[2021-04-08 16:44:21.098240] Waiting for device
[2021-04-08 16:44:30.329271] Found port = COM11
[2021-04-08 16:44:30.413203] Can't find 0x996 hw_code in config
[2021-04-08 16:44:30.417193] Device hw code: 0x996
[2021-04-08 16:44:30.418191] Device hw sub code: 0x8a00
[2021-04-08 16:44:30.419188] Device hw version: 0xca00
[2021-04-08 16:44:30.420253] Device sw version: 0x0
[2021-04-08 16:44:30.421239] Device secure boot: True
[2021-04-08 16:44:30.422236] Device serial link authorization: False
[2021-04-08 16:44:30.423459] Device download agent authorization: True
[2021-04-08 16:44:30.425444] Disabling watchdog timer
[2021-04-08 16:44:30.427438] Disabling protection
EDIT: Solved, I let the phone die on a shelf for two weeks, happened to be on a fresher install of windows 10 and hadn't installed any drivers yet. so with only the material I know had worked at hand, and a little more knowledge into the bootrom itself, I was able to recover the phone with a couple NVRAM errors, but I fixed those after I figured out how to.
_**This device amongst other things has an erased boot partition. The device loops and doesn't have the ability to enter fastboot, it seems only the first part? of the MTK BROM driver is being loaded now if I'm interpreting that correctly. I constantly get this response back once the device is seen, as well as a couple others I will also add as I come across them again.
Essentially I'm under the impression that the phone isn't responding back correctly the info it's looking for because it seems to be something different every time. Not sure how to get it to pick back up again.**_
[2021-03-27 07:33:46.580863] Waiting for device
[2021-03-27 07:34:06.551479] Found port = COM5
Traceback (most recent call last):
File "main.py", line 212, in <module>
main()
File "main.py", line 43, in main
config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info(device, arguments)
File "main.py", line 174, in get_device_info
log("Device hw code: {}".format(hex(hw_code)))
NameError: name 'log' is not defined
Press any key to continue . . .
Hello. I installed everything as instructions but it seems that the python scripts can't find my COM port. I also tried passing it as an argument:
python .\main.py -s COM4
And it gives me this error:
RuntimeError: Unexpected output, expected 0xfd got 0x4
I also tried to check the code by myself but I sincerely don't understand how I should fix this.
I also tried to pass a non-existent COM port and it gives me another kind of error:
serial.serialutil.SerialException: could not open port 'COM5': FileNotFoundError(2, 'The system cannot find the file specified.', None, 2)
root@latitude-e6430 /home/kayshinonome/Code/bypass_utility # python3 ./main.py
[2021-08-19 11:15:10.093980] Waiting for device
[2021-08-19 11:15:10.094984] Found device = 0e8d:201c
Traceback (most recent call last):
File "/home/kayshinonome/Code/bypass_utility/./main.py", line 237, in <module>
main()
File "/home/kayshinonome/Code/bypass_utility/./main.py", line 40, in main
device = Device().find()
File "/home/kayshinonome/Code/bypass_utility/src/device.py", line 109, in find
self.ep_in = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_IN)
File "/root/.local/lib/python3.9/site-packages/usb/util.py", line 192, in find_descriptor
return _interop._next(desc_iter(**args))
File "/root/.local/lib/python3.9/site-packages/usb/_interop.py", line 68, in _next
return next(iter)
File "/root/.local/lib/python3.9/site-packages/usb/util.py", line 183, in desc_iter
for d in desc:
TypeError: 'NoneType' object is not iterable
Host: Linux debian 5.10.0-kamakiri-amd64 # 1 SMP Debian 5.10.4-1a~test (2021-01-21) x86_64 GNU/Linux
Target: Redmi 6A MT6761
I followed every step in the README.md, but still have a problem.
I issued ./main.py as root and got this output:
[2021-06-17 07:35:06.447885] Waiting for device
[2021-06-17 07:35:26.171471] Found port = /dev/ttyACM0
[2021-06-17 07:35:26.226004] Device hw code: 0x766
[2021-06-17 07:35:26.226065] Device hw sub code: 0x8a00
[2021-06-17 07:35:26.226111] Device hw version: 0xca00
[2021-06-17 07:35:26.226153] Device sw version: 0x0
[2021-06-17 07:35:26.226195] Device secure boot: True
[2021-06-17 07:35:26.226235] Device serial link authorization: True
[2021-06-17 07:35:26.226274] Device download agent authorization: True
[2021-06-17 07:35:26.226317] Disabling watchdog timer
[2021-06-17 07:35:26.226713] Disabling protection
[Errno 110] Operation timed out
[2021-06-17 07:35:28.246661] Payload did not reply
I did everything as explained in the documentation. When I run python main.py I get Waiting for device.
I hold the power down button and plug in the device, and it detects the port: Found port = COM6. But then, it remains there and doesn't move further.
Device to be unbricked (in red state): Tecno KD7h
MTK version: MT6761
Device I'm flashing from: Windows 10 x64
Any help will be greatly appreciated. Thanks
I'm researching Mediatek protection, and I still can't figure out which function uses the var_1 variable in BootROM to understand exactly how the exploit works.
It doesn't want to work on my device at all.
[2021-06-18 19:27:33.235679] Waiting for device
[2021-06-18 19:27:43.037656] Found port = COM6
[2021-06-18 19:27:43.104233] Device hw code: 0x6580
[2021-06-18 19:27:43.105210] Device hw sub code: 0x8a00
[2021-06-18 19:27:43.106187] Device hw version: 0xca00
[2021-06-18 19:27:43.107166] Device sw version: 0x0
[2021-06-18 19:27:43.107166] Device secure boot: True
[2021-06-18 19:27:43.108142] Device serial link authorization: False
[2021-06-18 19:27:43.108142] Device download agent authorization: False
[2021-06-18 19:27:43.109120] Disabling watchdog timer
[2021-06-18 19:27:43.110097] Disabling protection
[2021-06-18 19:28:00.174894] Payload did not reply
Bypass of SLA and DAA works well; any progress in bypassing the SBC?
Hi there, when I try to unlock my device I get this error. I have tried doing this one on two separate machines and the error has remained the same.
I noticed when I install a device filter on my device in Device manager it shows a little yellow triangle around it and my device won't get detected by the utility. But if I right click and update drivers to the MTK Signed drivers it detects my device and I get the error above.
All help would be greatly appreciated as I'm trying to unbrick my device.
Thanks !
Disabling protection
Traceback (most recent call last):
File "./main.py", line 234, in <module>
main()
File "./main.py", line 75, in main
result = exploit(device, config, payload, arguments)
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\exploit.py", line 77, in exploit
ptr_send = from_bytes(da_read(config.ptr_usbdl, 4), 4, '<') + 8;
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\exploit.py", line 11, in da_read
return da_read_write(0, address, length, None, check_result)
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\exploit.py", line 36, in da_read_write
return device.cmd_da(direction, address - 0x40, length, data, check_result)
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\device.py", line 322, in cmd_da
raise RuntimeError("status is {}".format(status.hex()))
RuntimeError: status is 1d1a
I'm trying to unbrick my Redmi 9 (lancelot) on a freshly installed windows 10, but this happens:
[2021-08-22 21:33:16.379242] Waiting for device
[2021-08-22 21:33:36.752713] Found device = 0e8d:0003
Traceback (most recent call last):
File "C:\Users\aronk\bypass_utility\src\device.py", line 84, in find
self.configuration = self.udev.get_active_configuration()
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 921, in get_active_configuration
return self._ctx.get_active_configuration(self)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
return f(self, *args, **kwargs)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 249, in get_active_configuration
self.managed_open()
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
return f(self, *args, **kwargs)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 131, in managed_open
self.handle = self.backend.open_device(self.dev)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 804, in open_device
return _DeviceHandle(dev)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 652, in __init__
_check(_lib.libusb_open(self.devid, byref(self.handle)))
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 604, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno None] Other error
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Users\aronk\bypass_utility\main.py", line 237, in <module>
main()
File "C:\Users\aronk\bypass_utility\main.py", line 40, in main
device = Device().find()
File "C:\Users\aronk\bypass_utility\src\device.py", line 93, in find
self.udev.set_configuration()
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 915, in set_configuration
self._ctx.managed_set_configuration(self, configuration)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
return f(self, *args, **kwargs)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 158, in managed_set_configuration
self.managed_open()
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
return f(self, *args, **kwargs)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 131, in managed_open
self.handle = self.backend.open_device(self.dev)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 804, in open_device
return _DeviceHandle(dev)
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 652, in __init__
_check(_lib.libusb_open(self.devid, byref(self.handle)))
File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 604, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno None] Other error
Thanks in advance if you could help me out.
~/.../Bypass Tools Pack/Bypass $ sudo python main.py -c mt6785_config.json -p mt6785_payload.bin
[2021-01-30 17:37:55.210194] Waiting for bootrom
[2021-01-30 17:38:22.389656] Found port = /dev/ttyACM0
[2021-01-30 17:38:22.392249] Device hw code: 0x813
[2021-01-30 17:38:22.392455] Device hw sub code: 0x8a00
[2021-01-30 17:38:22.392621] Device hw version: 0xca00
[2021-01-30 17:38:22.392800] Device sw version: 0x0
[2021-01-30 17:38:22.392959] Device secure boot: True
[2021-01-30 17:38:22.393108] Device serial link authorization: False
[2021-01-30 17:38:22.393256] Device download agent authorization: True
[2021-01-30 17:38:22.393411] Disabling watchdog timer
[2021-01-30 17:38:22.394320] Disabling protection
[Errno 5] Input/Output Error
Traceback (most recent call last):
File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 65, in <module
main()
File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 60, in main
exploit(device, watchdog_address, var_0, var_1, arguments.payload)
File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/src/exploit.py", line 44, in
raise RuntimeError("received {} instead of expected pattern".format(pattern.hex()))
RuntimeError: received instead of expected pattern
I tried to run sp flash anyway and got:
Connect BROM failed: STATUS_BROM_CMD_STARTCMD_FAIL(-1073348607)
Before that, I had a bootloop. Now just a black screen.
Running the utility again shows this:
[2021-01-30 21:04:50.102713] Waiting for bootrom
[2021-01-30 21:04:54.196286] Found port = /dev/ttyACM0
Traceback (most recent call last):
File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 65, in <module>
main()
File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 35, in main
device.handshake()
File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/src/device.py", line 88, in handshake
self.check(self.read(1), to_bytes(0x5F))
File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/src/device.py", line 84, in check
raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0x5f got 0xa0
lsusb shows:
0e8d:0003 MediaTek Inc. MT6227 phone
Trying to run this on a MT6737T device (Galaxy Grand Prime+), and I'm getting this:
$ ./main.py
[2021-08-31 07:26:26.592030] Waiting for device
[2021-08-31 07:26:32.107721] Found device = 0e8d:2000
Traceback (most recent call last):
File "/home/$USER/Code/Source/bypass_utility/./main.py", line 237, in <module>
main()
File "/home/$USER/Code/Source/bypass_utility/./main.py", line 42, in main
config, serial_link_authorization, download_agent_authorization, hw_code = get_device_info(device, arguments)
File "/home/$USER/Code/Source/bypass_utility/./main.py", line 160, in get_device_info
hw_code = device.get_hw_code()
File "/home/$USER/Code/Source/bypass_utility/src/device.py", line 265, in get_hw_code
self.echo(0xFD)
File "/home/$USER/Code/Source/bypass_utility/src/device.py", line 176, in echo
self.check(from_bytes(self.read(size), size), words)
File "/home/$USER/Code/Source/bypass_utility/src/device.py", line 132, in check
raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0xfd got 0xa0
There's this line in lsusb:
Bus 001 Device 009: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
I'm using the patched kernel from https://github.com/amonet-kamakiri/prebuilt-kernels/tree/master/arch
PS C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass> python main.py
[2021-03-01 18:41:04.635143] Waiting for device
Traceback (most recent call last):
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\main.py", line 213, in <module>
main()
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\main.py", line 42, in main
device = Device().find()
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\src\device.py", line 28, in find
new = self.serial_ports()
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\src\device.py", line 69, in serial_ports
result.add(port)
TypeError: unhashable type: 'ListPortInfo'
Hello, I have a bricked Redmi Note 8 Pro with Helio G90 chip (begonia), I'm currently on Fireiso liveCD and I've downloaded the two .zip packages from MTK-bypass : bypass_utility-1.4.1 & exploits_collection-1.5.
When I launch the following command :
[root@sysresccd ~/Downloads/bypass_utility-1.4.1]# ./main.py -c default_config.json5 -p mt6785_payload.bin
I get this error message :
[2021-02-19 07:26:35.072777] Waiting for device
Traceback (most recent call last):
File "./main.py", line 213, in <module>
main()
File "./main.py", line 42, in main
device = Device().find()
File "/root/Downloads/bypass_utility-1.4.1/src/device.py", line 28, in find
new = self.serial_ports()
File "/root/Downloads/bypass_utility-1.4.1/src/device.py", line 69, in serial_ports
result.add(port)
TypeError: unhashable type: 'SysFS'
Can you help me please ? Thank you.
Models like OPPO A83 A1 use MT6763 cpu, and new security is enabled after 2018, which causes the device to display the driver as OPPO Preloader after pressing the volume and insert the data cable, and after installing the driver, it displays as MediaTek Preloader USB VCOM, but the PID and VID of the driver are not the same as the ordinary mtk device. The VID of the device is 22D9 and the PID is 0006. Bypass_utility cannot detect the device. When I change the pid and vid in device.py in src, I got such an error. I think the port is still a bootrom port, so can we support oppo's preloader port?
I'm getting S_DL_GET_DRAM_SETTING_FAIL after 11 seconds from starting a readback. I've set SPFT to UART connection on port /dev/ttyACM0 with baud rate 115200.
This version has some issues and has dual init. spflashtool and modem meta do not work; the old version was working very well without issues.
*.ofp has *. Auth file after unpacking. Is this step unnecessary? But sp_flash_tool_v5.2052 download error?
Ran script with 'python3 main.py'. Device is a MT6761.
Following error received:
Traceback (most recent call last):
File "C:\Users\nj\Downloads\bypass_utility-master\main.py", line 213, in <module>
main()
File "C:\Users\nj\Downloads\bypass_utility-master\main.py", line 42, in main
device = Device().find()
File "C:\Users\nj\Downloads\bypass_utility-master\src\device.py", line 45, in find
self.dev = serial.Serial(port.device, BAUD, timeout=TIMEOUT)
File "C:\Users\nj\AppData\Local\Programs\Python\Python39\lib\site-packages\serial\serialwin32.py", line 33, in __init__
super(Serial, self).__init__(*args, **kwargs)
File "C:\Users\nj\AppData\Local\Programs\Python\Python39\lib\site-packages\serial\serialutil.py", line 244, in __init__
self.open()
File "C:\Users\nj\AppData\Local\Programs\Python\Python39\lib\site-packages\serial\serialwin32.py", line 64, in open
raise SerialException("could not open port {!r}: {!r}".format(self.portstr, ctypes.WinError()))
serial.serialutil.SerialException: could not open port 'COM5': PermissionError(13, 'The device is not ready.', None, 21)
Hi! I'm trying to utilize your exploit for bypassing secure boot on a proprietary device, and then doing a readback so I can generate an appropriate scatter file, as shown here. However, it doesn't seem to pick up the device when I try to do a readback. Here's a screenshot:
[2021-09-29 11:34:31.001508] Waiting for device
[2021-09-29 11:34:31.001979] Found device = 0e8d:201c
Traceback (most recent call last):
File "main.py", line 237, in <module>
main()
File "main.py", line 40, in main
device = Device().find()
File "/home/p0txky/Documents/bypass_utility/src/device.py", line 109, in find
self.ep_in = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_IN)
File "/usr/local/lib/python3.8/site-packages/usb/util.py", line 192, in find_descriptor
return _interop._next(desc_iter(**args))
File "/usr/local/lib/python3.8/site-packages/usb/_interop.py", line 68, in _next
return next(iter)
File "/usr/local/lib/python3.8/site-packages/usb/util.py", line 183, in desc_iter
for d in desc:
TypeError: 'NoneType' object is not iterable
Message I received that I need help with:
[2021-09-18 15:17:53.615059] Waiting for device
Traceback (most recent call last):
File "main.py", line 213, in <module>
main()
File "main.py", line 42, in main
device = Device().find()
File "/home/mcuser/Downloads/bypass_utility-v.1.4.2/src/device.py", line 28, in find
new = self.serial_ports()
File "/home/mcuser/Downloads/bypass_utility-v.1.4.2/src/device.py", line 69, in serial_ports
result.add(port)
TypeError: unhashable type: 'SysFS'
When I try to run (sudo or not) I receive the message:
Traceback (most recent call last):
File "./main.py", line 213, in <module>
main()
File "./main.py", line 37, in main
raise RuntimeError("Default config is missing")
RuntimeError: Default config is missing
Main - Kamakiri / DA Bruteforce run
Main
Main - [LIB]: Trying var1 of 0A, please reconnect/connect device into
bootrom mode
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
.....................
....................
....................
....................
Port - Device detected :)
Preloader - CPU: MT6853()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Disabling Watchdog...
Preloader - HW code: 0x996
Preloader - BROM mode detected.
Preloader - ME_ID: 09566713B2E3ACCB45961EB1E96E1F4C
PLTools - Kamakiri / DA Run
PLTools - Loading payload from payloads/generic_dump_payload.bin, 0x130
bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri..
[Errno 5] Input/Output Error
Kamakiri - Done sending payload...
PLTools - Error, payload answered instead:
PLTools
PLTools - [LIB]: Error on sending payload: brom_MT6853_996.bin
PLTools
PLTools - [LIB]: Error on dumping Bootrom.
Like these new MTK chips:
Dimensity 700
Dimensity 800U
Dimensity 1000
Dimensity 1200
Because some paid tools added a bypass function for Dimensity chips.
Developers, please check and add payloads for the new Dimensity chips.
Actually, this utility can dump the bootrom. But SP_flash_tool can't read back some devices without a suitable preloader.bin; it only throws a 4032 error.
So can we dump the preloader.bin in this way?
Just my guess, maybe it's wrong.