bypass_utility's People

Contributors

chaosmaster, dinolek

bypass_utility's Issues

main.py exits with "Found send_dword, dumping bootrom to bootrom_788.bin"

device: Unihertz Jelly 2
cpu: MT6771

Device is bootlooping, as it loops it reveals the PreLoader VCOM port (COM4) for about 2s then the Mediatek USB Port (COM3) for about 2s, then repeats. Below is the output from main.py.

I'm not sure if I'm not timing running the script correctly or if I'm missing something else.

[2021-05-10 10:34:38.066595] Waiting for device
[2021-05-10 10:34:43.900307] Found port = COM4

[2021-05-10 10:34:44.201610] Device hw code: 0x788
[2021-05-10 10:34:44.204604] Device hw sub code: 0x8a00
[2021-05-10 10:34:44.214576] Device hw version: 0xca00
[2021-05-10 10:34:44.215573] Device sw version: 0x0
[2021-05-10 10:34:44.216572] Device secure boot: False
[2021-05-10 10:34:44.219570] Device serial link authorization: False
[2021-05-10 10:34:44.221557] Device download agent authorization: False


[2021-05-10 10:34:44.228539] Found device in preloader mode, trying to crash...

[2021-05-10 10:34:44.255468] Waiting for device
[2021-05-10 10:34:45.559325] Found port = COM3

[2021-05-10 10:34:45.623156] Device hw code: 0x788
[2021-05-10 10:34:45.627145] Device hw sub code: 0x8a00
[2021-05-10 10:34:45.637120] Device hw version: 0xca00
[2021-05-10 10:34:45.639114] Device sw version: 0x0
[2021-05-10 10:34:45.650090] Device secure boot: False
[2021-05-10 10:34:45.651082] Device serial link authorization: False
[2021-05-10 10:34:45.652080] Device download agent authorization: False

[2021-05-10 10:34:45.653077] Disabling watchdog timer
[2021-05-10 10:34:45.657066] Insecure device, sending payload using send_da
[2021-05-10 10:34:45.698954] Found send_dword, dumping bootrom to bootrom_788.bin

Error when using the script on MT-6739

Hi, when I'm running the script with python main.py and plugging in my phone (an Honor 7S), I'm getting this error:

NotImplementedError: Operation not supported or unimplemented on this platform

Complete stack trace:

[2021-08-22 21:25:46.383137] Waiting for device
[2021-08-22 21:25:50.948190] Found port = COM8

[2021-08-22 21:25:51.007191] Device hw code: 0x699
[2021-08-22 21:25:51.007191] Device hw sub code: 0x8a00
[2021-08-22 21:25:51.008193] Device hw version: 0xcb00
[2021-08-22 21:25:51.009193] Device sw version: 0x2
[2021-08-22 21:25:51.009193] Device secure boot: True
[2021-08-22 21:25:51.010193] Device serial link authorization: True
[2021-08-22 21:25:51.010193] Device download agent authorization: False

[2021-08-22 21:25:51.011192] Disabling watchdog timer
[2021-08-22 21:25:51.012193] Disabling protection
Traceback (most recent call last):
  File "C:\Users\alex6\Downloads\bypass\main.py", line 213, in <module>
    main()
  File "C:\Users\alex6\Downloads\bypass\main.py", line 58, in main
    result = exploit(device, config.watchdog_address, config.payload_address, config.var_0, config.var_1, payload)
  File "C:\Users\alex6\Downloads\bypass\src\exploit.py", line 41, in exploit
    udev.ctrl_transfer(0xA1, 0, 0, var_1, 0)
  File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 1071, in ctrl_transfer
    self._ctx.managed_open()
  File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\core.py", line 131, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 804, in open_device
    return _DeviceHandle(dev)
  File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 652, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "C:\Users\alex6\AppData\Local\Programs\Python\Python39\lib\site-packages\usb\backend\libusb1.py", line 600, in _check
    raise NotImplementedError(_strerror(ret))
NotImplementedError: Operation not supported or unimplemented on this platform

Thanks

NotImplementedError: Can't find 0x707 hw_code in config

Firstly, thanks for that tool, it already helped a lot of people and gives me hope.

Now a question, I have a Redmi 9, it's a MT6768. Unfortunately I bricked the device while flashing Custom Recovery. To flash the stock firmware with SP Flashtool I want to bypass the bootrom protection with your tool.

As soon as I connect it detects the port, but at the end I do not get Protection disabled, instead it stops with the line:
NotImplementedError("Can't find {} hw_code in config".format(hw_code))
and gives me the final error:
NotImplementedError: Can't find 0x707 hw_code in config

Maybe you know something and could tell me if I did something wrong, or is my device completely irreparable and hard bricked?

it doesn't work on my redmi note 8 pro global

basically a repost from the xda thread:

it's just stuck on waiting for device, i've tried everything like cmd in admin, restarting, all the debug parameters, even class filters. i don't see mtk6785t but 6785 is there so i think that shouldn't be an issue? idk but any help would be great, i have the payloads in the payloads/ folder and the default_config.json5 file in the dir with main.py in it

i'm running it on a pc w ryzen 5 3600 so that could be why? i've checked the code it seems to just not find the serial port. if i should try on an intel cpu, how would i use it with a mac? because i don't have any other pcs. maybe through vm but i doubt that'd work.

Moto e6 play MT6739

[2021-04-05 18:02:52.838734] Found port = COM3

[2021-04-05 18:02:53.388704] Device hw code: 0x699
[2021-04-05 18:02:53.391786] Device hw sub code: 0x8a00
[2021-04-05 18:02:53.393353] Device hw version: 0xcb00
[2021-04-05 18:02:53.461577] Device sw version: 0x2
[2021-04-05 18:02:53.476695] Device secure boot: True
[2021-04-05 18:02:53.513285] Device serial link authorization: False
[2021-04-05 18:02:53.531479] Device download agent authorization: True

[2021-04-05 18:02:53.571434] Found device in preloader mode, trying to crash...

[2021-04-05 18:02:53.623019] status is 7024

what I show here is only repeated infinitely

MT6889Z

Waiting for bootrom...[2021-04-05 10:35:12.303609] Waiting for bootrom
Traceback (most recent call last):
[2021-04-05 10:35:33.746503] Found port = COM3
File "C:\ProgramData\obexs\Data\main.py", line 169, in <module>
main()
File "C:\ProgramData\obexs\Data\main.py", line 63, in main
raise e
File "C:\ProgramData\obexs\Data\main.py", line 56, in main
config = Config().default(hw_code)
File "C:\ProgramData\obexs\Data\src\config.py", line 14, in default
self.from_file(config, hw_code)
File "C:\ProgramData\obexs\Data\src\config.py", line 27, in from_file
raise NotImplementedError("Can't find {} hw_code in config".format(hw_code))
NotImplementedError: Can't find 0x816 hw_code in config

Hello dear and god programmer, is there any chance / possibility that a bypass for the MT6889Z {Mediatek Dimensity 1000+} chipset will be possible in the future,
so that we can lift realme phones and other branded devices with this chipset from the world of the dead, I mean, with our devices in a hard-bricked state?

mt6739 only dump bootrom but not Protection disabled

I'm testing this tool on MT6739 but I receive only dump bootrom

[2021-09-27 20:19:23.926875] Waiting for device
[2021-09-27 20:19:33.989230] Found device = 0e8d:2000

[2021-09-27 20:19:34.057909] Device hw code: 0x699
[2021-09-27 20:19:34.057999] Device hw sub code: 0x8a00
[2021-09-27 20:19:34.058033] Device hw version: 0xcb00
[2021-09-27 20:19:34.058060] Device sw version: 0x2
[2021-09-27 20:19:34.058088] Device secure boot: True
[2021-09-27 20:19:34.058115] Device serial link authorization: False
[2021-09-27 20:19:34.058141] Device download agent authorization: False


[2021-09-27 20:19:34.058176] Found device in preloader mode, trying to crash...

[2021-09-27 20:19:34.059344] status is 7024

[2021-09-27 20:19:36.032828] Waiting for device
[2021-09-27 20:19:36.033289] Found device = 0e8d:0003

[2021-09-27 20:19:36.100812] Device hw code: 0x699
[2021-09-27 20:19:36.100911] Device hw sub code: 0x8a00
[2021-09-27 20:19:36.100948] Device hw version: 0xcb00
[2021-09-27 20:19:36.100978] Device sw version: 0x2
[2021-09-27 20:19:36.101016] Device secure boot: True
[2021-09-27 20:19:36.101046] Device serial link authorization: False
[2021-09-27 20:19:36.101081] Device download agent authorization: False

[2021-09-27 20:19:36.101116] Disabling watchdog timer
[2021-09-27 20:19:36.101762] Insecure device, sending payload using send_da
[2021-09-27 20:19:36.148062] Found send_dword, dumping bootrom to bootrom_699.bin

I tried to force but doesn't work, flash_tool got error

Connecting to BROM...
Connect BROM failed: STATUS_ERR(-1073676287)
Disconnect!
BROM Exception! ( ERROR : STATUS_ERR (-1073676287) , MSP ERROE CODE : 0x00. 

SP Flash Tool 0xC0010001 error with MT8516 (hw 0x8167)

I disabled a protection by using this utility and then tried to readback using SP Flash Tool (UART mode) but I'm constantly getting ERROR: STATUS_ERR (0xC0010001). According to this https://forum.hovatek.com/thread-439.html:

Error 0xC0010001)

Message: ERROR: STATUS_ERR  (0xC0010001)

Meaning DA or Auth verification failed

Solution: Ensure to load a custom DA or Auth for the device or bypass DA / Auth check

Does it mean that the device is still protected even though this tool showed it's successfully disabled?

[2021-04-21 21:50:53.296370] Waiting for device
[2021-04-21 21:51:00.679548] Found port = COM5
[2021-04-21 21:51:00.751481] Device hw code: 0x8167
[2021-04-21 21:51:00.752482] Device hw sub code: 0x8a00
[2021-04-21 21:51:00.753479] Device hw version: 0xcb00
[2021-04-21 21:51:00.753479] Device sw version: 0x1
[2021-04-21 21:51:00.753479] Device secure boot: True
[2021-04-21 21:51:00.754478] Device serial link authorization: False
[2021-04-21 21:51:00.754478] Device download agent authorization: True
[2021-04-21 21:51:00.755477] Disabling watchdog timer
[2021-04-21 21:51:00.756476] Disabling protection
[2021-04-21 21:51:00.813923] Protection disabled

Is MT6769 supported?

There's a list of supported SoCs and according to it, the MT6769 isn't supported. I have a device which has the MT6769T SoC, I've run the bypass, and I got the following output:

# ./main.py
[2021-08-28 09:25:21.403348] Waiting for device
[2021-08-28 09:25:42.562931] Found device = 0e8d:0003

[2021-08-28 09:25:42.680552] Device hw code: 0x707
[2021-08-28 09:25:42.680741] Device hw sub code: 0x8a00
[2021-08-28 09:25:42.680882] Device hw version: 0xca00
[2021-08-28 09:25:42.681008] Device sw version: 0x0
[2021-08-28 09:25:42.681129] Device secure boot: True
[2021-08-28 09:25:42.681228] Device serial link authorization: True
[2021-08-28 09:25:42.681323] Device download agent authorization: True

[2021-08-28 09:25:42.681422] Disabling watchdog timer
[2021-08-28 09:25:42.682623] Disabling protection
[2021-08-28 09:25:42.711964] Protection disabled

So, is it supported or not?

Unfortunately I can't test it with spflashtool, because the current version doesn't support this MT6769T/MT6769 SoC.

mt6261 device weirdness

Hi,

Thanks for your great work.

When using the latest bypass_utility with the latest exploits_collection on FireISO 2.0 on real hardware (not a VM):

  1. The device does not respond to the initial commands 0xFD and 0xFC. However we can read the device code using 0xA2 (READ16) 0x80000008 and it returns 0x6261 telling us the device is mt6261.

  2. Given 0x80000008 says device is a 6261 we hard code it in device.get_hw_code() and not call device.get_hw_dict()

  3. From that point, the rest seems to run properly however the payload doesn't run. The test mode has runs of "Pipe Error" followed by runs of "Operation timed out" and it reboots every time making me think the device is probably vulnerable but we aren't loaded at the right address so it just breaks.

How did you find the payload load address? Any other suggestions most welcome!

MT8516 (hw 0x8167)?

Hi, any chance to see this tool support MT8516 (hw 0x8167)?
Does it make sense to try to play with currently supported hw 0x8163?

Device hw code: 0x8167
Device hw sub code: 0x8a00
Device hw version: 0xcb00
Device sw version: 0x1
Device secure boot: True
Device serial link authorization: False
Device download agent authorization: True

Runtime Error

When I run main.py, this happens:
Traceback (most recent call last):
File "C:\Users\lvsit\Desktop\bypass_utility\main.py", line 237, in <module>
main()
File "C:\Users\lvsit\Desktop\bypass_utility\main.py", line 38, in main
raise RuntimeError("Default config is missing")
RuntimeError: Default config is missing

Is it supposed to have a file called DEFAULT_CONFIG?

Thanks in advance

Payload did not reply

@chaosmaster @bkerler
my mtk question is like this issue
#25

i have changed device.py in line 126 and line 132, replacing them with:
assert from_bytes(self.dev.read(2), 2) <= 0xff

i use test mode to dump bootrom

PS D:\Mtk\ByPass\bypass_utility-master> py -3 main.py -t -v CC
[2021-04-27 18:32:11.095373] Waiting for device
[2021-04-27 18:32:15.311557] Found port = COM10
[2021-04-27 18:32:15.351974] Device hw code: 0x8167
[2021-04-27 18:32:15.354967] Device hw sub code: 0x8a00
[2021-04-27 18:32:15.355964] Device hw version: 0xcb00
[2021-04-27 18:32:15.356962] Device sw version: 0x1
[2021-04-27 18:32:15.357959] Device secure boot: True
[2021-04-27 18:32:15.357959] Device serial link authorization: False
[2021-04-27 18:32:15.358956] Device download agent authorization: True
[2021-04-27 18:32:15.359953] Disabling watchdog timer
[2021-04-27 18:32:15.360950] Disabling protection
[2021-04-27 18:32:15.429767] Found send_dword, dumping bootrom to bootrom_8167.bin

using the payload and var value made by @bkerler, i get this error:

D:\Mtk\ByPass\bypass_utility-master> py -3 main.py
[2021-04-27 18:35:50.567474] Waiting for device
[2021-04-27 18:35:55.670430] Found port = COM10
[2021-04-27 18:35:55.722294] Device hw code: 0x8167
[2021-04-27 18:35:55.725285] Device hw sub code: 0x8a00
[2021-04-27 18:35:55.727279] Device hw version: 0xcb00
[2021-04-27 18:35:55.728277] Device sw version: 0x1
[2021-04-27 18:35:55.729274] Device secure boot: True
[2021-04-27 18:35:55.730271] Device serial link authorization: False
[2021-04-27 18:35:55.734260] Device download agent authorization: True
[2021-04-27 18:35:55.737252] Disabling watchdog timer
[2021-04-27 18:35:55.740246] Disabling protection
[2021-04-27 18:36:11.886113] Payload did not reply

i have uploaded the log and bootrom dump here
https://drive.google.com/drive/folders/12sI7XFmPlmzPRPV8pIudXdUKor-g-gdR

can someone help me make the right payload and right var value please? Thanks!

mt6853 test failed

  • device: realme Q2
  • cpu: mt 6853
[2021-04-08 16:42:12.089461] Waiting for device
[2021-04-08 16:42:49.975887] Found port = COM11
[2021-04-08 16:43:53.670724] Waiting for device
[2021-04-08 16:43:57.472503] Found port = COM11
[2021-04-08 16:44:21.098240] Waiting for device
[2021-04-08 16:44:30.329271] Found port = COM11
[2021-04-08 16:44:30.413203] Can't find 0x996 hw_code in config
[2021-04-08 16:44:30.417193] Device hw code: 0x996
[2021-04-08 16:44:30.418191] Device hw sub code: 0x8a00
[2021-04-08 16:44:30.419188] Device hw version: 0xca00
[2021-04-08 16:44:30.420253] Device sw version: 0x0
[2021-04-08 16:44:30.421239] Device secure boot: True
[2021-04-08 16:44:30.422236] Device serial link authorization: False
[2021-04-08 16:44:30.423459] Device download agent authorization: True
[2021-04-08 16:44:30.425444] Disabling watchdog timer
[2021-04-08 16:44:30.427438] Disabling protection

MT6768 not responding correctly

EDIT: Solved, I let the phone die on a shelf for two weeks, happened to be on a fresher install of windows 10 and hadn't installed any drivers yet. so with only the material I know had worked at hand, and a little more knowledge into the bootrom itself, I was able to recover the phone with a couple NVRAM errors, but I fixed those after I figured out how to.

This device amongst other things has an erased boot partition. The device loops and doesn't have the ability to enter fastboot, it seems only the first part? of the MTK BROM driver is being loaded now if I'm interpreting that correctly. I constantly get this response back once the device is seen, as well as a couple others I will also add as I come across them again.

Essentially I'm under the impression that the phone isn't responding back correctly the info it's looking for because it seems to be something different every time. Not sure how to get it to pick back up again.

[2021-03-27 07:33:46.580863] Waiting for device
[2021-03-27 07:34:06.551479] Found port = COM5

Traceback (most recent call last):
  File "main.py", line 212, in <module>
    main()
  File "main.py", line 43, in main
    config, serial_link_authorization, download_agent_authorization, hw_code  = get_device_info(device, arguments)
  File "main.py", line 174, in get_device_info
    log("Device hw code: {}".format(hex(hw_code)))
NameError: name 'log' is not defined
Press any key to continue . . .

Stuck at "Waiting for bootrom" stage - Redmi Note 5

Hello. I installed everything as instructions but it seems that the python scripts can't find my COM port. I also tried passing it as an argument:
python .\main.py -s COM4
And it gives me this error:
RuntimeError: Unexpected output, expected 0xfd got 0x4
I also tried to check the code by myself but I sincerely don't understand how I should fix this.
I also tried to pass a non-existent COM port and it gives me another kind of error:
serial.serialutil.SerialException: could not open port 'COM5': FileNotFoundError(2, 'The system cannot find the file specified.', None, 2)

Cannot use this tool

root@latitude-e6430 /home/kayshinonome/Code/bypass_utility # python3 ./main.py
[2021-08-19 11:15:10.093980] Waiting for device
[2021-08-19 11:15:10.094984] Found device = 0e8d:201c
Traceback (most recent call last):
  File "/home/kayshinonome/Code/bypass_utility/./main.py", line 237, in <module>
    main()
  File "/home/kayshinonome/Code/bypass_utility/./main.py", line 40, in main
    device = Device().find()
  File "/home/kayshinonome/Code/bypass_utility/src/device.py", line 109, in find
    self.ep_in = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_IN)
  File "/root/.local/lib/python3.9/site-packages/usb/util.py", line 192, in find_descriptor
    return _interop._next(desc_iter(**args))
  File "/root/.local/lib/python3.9/site-packages/usb/_interop.py", line 68, in _next
    return next(iter)
  File "/root/.local/lib/python3.9/site-packages/usb/util.py", line 183, in desc_iter
    for d in desc:
TypeError: 'NoneType' object is not iterable

Payload did not reply

Host: Linux debian 5.10.0-kamakiri-amd64 # 1 SMP Debian 5.10.4-1a~test (2021-01-21) x86_64 GNU/Linux
Target: Redmi 6A MT6761

I followed every step in the README.md, but still have a problem.
I issued ./main.py as root and got this output:

[2021-06-17 07:35:06.447885] Waiting for device
[2021-06-17 07:35:26.171471] Found port = /dev/ttyACM0

[2021-06-17 07:35:26.226004] Device hw code: 0x766
[2021-06-17 07:35:26.226065] Device hw sub code: 0x8a00
[2021-06-17 07:35:26.226111] Device hw version: 0xca00
[2021-06-17 07:35:26.226153] Device sw version: 0x0
[2021-06-17 07:35:26.226195] Device secure boot: True
[2021-06-17 07:35:26.226235] Device serial link authorization: True
[2021-06-17 07:35:26.226274] Device download agent authorization: True

[2021-06-17 07:35:26.226317] Disabling watchdog timer
[2021-06-17 07:35:26.226713] Disabling protection
[Errno 110] Operation timed out
[2021-06-17 07:35:28.246661] Payload did not reply

Stuck at Found port

I did everything as explained in the documentation. When I run python main.py I get Waiting for device.
I hold the power down button and plug in the device, it detects the port: Found port = COM6. But then, it remains there and doesn't move further.

Device to be unbricked (in red state): Tecno KD7h
MTK version: MT6761
Device I'm flashing from: Windows 10 x64

Any help will be greatly appreciated. Thanks

The exploit does not work on the chipset MT6580

I'm researching Mediatek protection, and I still can't figure out which function uses the var_1 variable in BootROM to understand exactly how the exploit works.

It doesn't want to work on my device at all.

[2021-06-18 19:27:33.235679] Waiting for device
[2021-06-18 19:27:43.037656] Found port = COM6

[2021-06-18 19:27:43.104233] Device hw code: 0x6580
[2021-06-18 19:27:43.105210] Device hw sub code: 0x8a00
[2021-06-18 19:27:43.106187] Device hw version: 0xca00
[2021-06-18 19:27:43.107166] Device sw version: 0x0
[2021-06-18 19:27:43.107166] Device secure boot: True
[2021-06-18 19:27:43.108142] Device serial link authorization: False
[2021-06-18 19:27:43.108142] Device download agent authorization: False

[2021-06-18 19:27:43.109120] Disabling watchdog timer
[2021-06-18 19:27:43.110097] Disabling protection
[2021-06-18 19:28:00.174894] Payload did not reply

bootrom_6580_ca00.zip

NotImplementedError: Can't find 08176 hw_config in config

Hi there, when I try to unlock my device I get this error. I have tried doing this one on two separate machines and the error has remained the same.

I noticed when I install a device filter on my device in Device manager it shows a little yellow triangle around it and my device won't get detected by the utility. But if I right click and update drivers to the MTK Signed drivers it detects my device and I get the error above.

All help would be greatly appreciated as I'm trying to unbrick my device.

Thanks !

hi, friend, why do I get status is 1d1a running main.py, please help

Disabling protection
Traceback (most recent call last):
File "./main.py", line 234, in <module>
main()
File "./main.py", line 75, in main
result = exploit(device, config, payload, arguments)
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\exploit.py", line 77, in exploit
ptr_send = from_bytes(da_read(config.ptr_usbdl, 4), 4, '<') + 8;
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\exploit.py", line 11, in da_read
return da_read_write(0, address, length, None, check_result)
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\exploit.py", line 36, in da_read_write
return device.cmd_da(direction, address - 0x40, length, data, check_result)
File "C:\Users\Administrator\Desktop\bypass_utility-master\src\device.py", line 322, in cmd_da
raise RuntimeError("status is {}".format(status.hex()))
RuntimeError: status is 1d1a

Stuck at found device, cannot make sense of errors

I'm trying to unbrick my Redmi 9 (lancelot) on a freshly installed windows 10, but this happens:

[2021-08-22 21:33:16.379242] Waiting for device
[2021-08-22 21:33:36.752713] Found device = 0e8d:0003
Traceback (most recent call last):
  File "C:\Users\aronk\bypass_utility\src\device.py", line 84, in find
    self.configuration = self.udev.get_active_configuration()
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 921, in get_active_configuration
    return self._ctx.get_active_configuration(self)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 249, in get_active_configuration
    self.managed_open()
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 131, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 804, in open_device
    return _DeviceHandle(dev)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 652, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 604, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno None] Other error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\aronk\bypass_utility\main.py", line 237, in <module>
    main()
  File "C:\Users\aronk\bypass_utility\main.py", line 40, in main
    device = Device().find()
  File "C:\Users\aronk\bypass_utility\src\device.py", line 93, in find
    self.udev.set_configuration()
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 915, in set_configuration
    self._ctx.managed_set_configuration(self, configuration)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 158, in managed_set_configuration
    self.managed_open()
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 113, in wrapper
    return f(self, *args, **kwargs)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\core.py", line 131, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 804, in open_device
    return _DeviceHandle(dev)
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 652, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "C:\Users\aronk\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\usb\backend\libusb1.py", line 604, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno None] Other error

Thanks in advance if you could help me out.

Realme 6 unbricking problem

~/.../Bypass Tools Pack/Bypass $ sudo python main.py -c mt6785_config.json -p mt6785_payload.bin
[2021-01-30 17:37:55.210194] Waiting for bootrom
[2021-01-30 17:38:22.389656] Found port = /dev/ttyACM0

[2021-01-30 17:38:22.392249] Device hw code: 0x813
[2021-01-30 17:38:22.392455] Device hw sub code: 0x8a00
[2021-01-30 17:38:22.392621] Device hw version: 0xca00
[2021-01-30 17:38:22.392800] Device sw version: 0x0
[2021-01-30 17:38:22.392959] Device secure boot: True
[2021-01-30 17:38:22.393108] Device serial link authorization: False
[2021-01-30 17:38:22.393256] Device download agent authorization: True

[2021-01-30 17:38:22.393411] Disabling watchdog timer
[2021-01-30 17:38:22.394320] Disabling protection
[Errno 5] Input/Output Error
Traceback (most recent call last):
  File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 65, in <module>
    main()
  File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 60, in main
    exploit(device, watchdog_address, var_0, var_1, arguments.payload)
  File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/src/exploit.py", line 44, in
    raise RuntimeError("received {} instead of expected pattern".format(pattern.hex()))
RuntimeError: received  instead of expected pattern

I tried to run sp flash anyway and got:
Connect BROM failed: STATUS_BROM_CMD_STARTCMD_FAIL(-1073348607)
Before that, I had a bootloop. Now just a black screen.
Running the utility again shows this:

[2021-01-30 21:04:50.102713] Waiting for bootrom
[2021-01-30 21:04:54.196286] Found port = /dev/ttyACM0
Traceback (most recent call last):
  File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 65, in <module>
    main()
  File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/main.py", line 35, in main
    device.handshake()
  File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/src/device.py", line 88, in handshake
    self.check(self.read(1), to_bytes(0x5F))
  File "/home/kiv/dev/tmp/realme/unbrick/Bypass Tools Pack/Bypass/src/device.py", line 84, in check
    raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0x5f got 0xa0

lsusb shows:
0e8d:0003 MediaTek Inc. MT6227 phone

Unexpected output, expected 0xfd got 0xa0

Trying to run this on a MT6737T device (Galaxy Grand Prime+), and I'm getting this:

$ ./main.py
[2021-08-31 07:26:26.592030] Waiting for device
[2021-08-31 07:26:32.107721] Found device = 0e8d:2000
Traceback (most recent call last):
  File "/home/$USER/Code/Source/bypass_utility/./main.py", line 237, in <module>
    main()
  File "/home/$USER/Code/Source/bypass_utility/./main.py", line 42, in main
    config, serial_link_authorization, download_agent_authorization, hw_code  = get_device_info(device, arguments)
  File "/home/$USER/Code/Source/bypass_utility/./main.py", line 160, in get_device_info
    hw_code = device.get_hw_code()
  File "/home/$USER/Code/Source/bypass_utility/src/device.py", line 265, in get_hw_code
    self.echo(0xFD)
  File "/home/$USER/Code/Source/bypass_utility/src/device.py", line 176, in echo
    self.check(from_bytes(self.read(size), size), words)
  File "/home/$USER/Code/Source/bypass_utility/src/device.py", line 132, in check
    raise RuntimeError("Unexpected output, expected {} got {}".format(gold, test))
RuntimeError: Unexpected output, expected 0xfd got 0xa0

There's this line in lsusb:

Bus 001 Device 009: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader

I'm using the patched kernel from https://github.com/amonet-kamakiri/prebuilt-kernels/tree/master/arch

bypass error

PS C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass> python main.py
[2021-03-01 18:41:04.635143] Waiting for device
Traceback (most recent call last):
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\main.py", line 213, in
main()
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\main.py", line 42, in main
device = Device().find()
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\src\device.py", line 28, in find
new = self.serial_ports()
File "C:\Driver+SP_FlashTool+brom.bat (3.02.2021)\Bypass\src\device.py", line 69, in serial_ports
result.add(port)
TypeError: unhashable type: 'ListPortInfo'

[mt6785] TypeError: unhashable type: 'SysFS'

Hello, I have a bricked Redmi Note 8 Pro with Helio G90 chip (begonia). I'm currently on Fireiso liveCD and I've downloaded the two .zip packages from MTK-bypass: bypass_utility-1.4.1 & exploits_collection-1.5.

When I launch the following command:
[root@sysresccd ~/Downloads/bypass_utility-1.4.1]# ./main.py -c default_config.json5 -p mt6785_payload.bin
I get this error message:

[2021-02-19 07:26:35.072777] Waiting for device
Traceback (most recent call last):
  File "./main.py", line 213, in <module>
    main()
  File "./main.py", line 42, in main
    device = Device().find()
  File "/root/Downloads/bypass_utility-1.4.1/src/device.py", line 28, in find
    new = self.serial_ports()
  File "/root/Downloads/bypass_utility-1.4.1/src/device.py", line 69, in serial_ports
    result.add(port)
TypeError: unhashable type: 'SysFS'

Can you help me please? Thank you.

oppo_preloader

Models like OPPO A83 A1 use the MT6763 CPU, and new security is enabled after 2018, which causes the device to show the driver as OPPO Preloader after pressing the volume and inserting the data cable. After installing the driver, it shows as MediaTek Preloader USB VCOM, but the PID and VID of the driver are not the same as those of an ordinary MTK device. The VID of the device is 22D9 and the PID is 0006. Bypass_utility cannot detect the device. When I changed the PID and VID in device.py in src, I got such an error. I think the port is still a bootrom port, so can we support OPPO's preloader port?

6b9efcaad5fa7e14

old version working perfectly

this version has some issues and has dual init. not work spflashtool and modem meta old version very good working without issues

Is it a bypass script issue or efuse protected?

Ran script with 'python3 main.py'. Device is a MT6761.

Following error received:

Traceback (most recent call last):
  File "C:\Users\nj\Downloads\bypass_utility-master\main.py", line 213, in <module>
    main()
  File "C:\Users\nj\Downloads\bypass_utility-master\main.py", line 42, in main
    device = Device().find()
  File "C:\Users\nj\Downloads\bypass_utility-master\src\device.py", line 45, in find
    self.dev = serial.Serial(port.device, BAUD, timeout=TIMEOUT)
  File "C:\Users\nj\AppData\Local\Programs\Python\Python39\lib\site-packages\serial\serialwin32.py", line 33, in __init__
    super(Serial, self).__init__(*args, **kwargs)
  File "C:\Users\nj\AppData\Local\Programs\Python\Python39\lib\site-packages\serial\serialutil.py", line 244, in __init__
    self.open()
  File "C:\Users\nj\AppData\Local\Programs\Python\Python39\lib\site-packages\serial\serialwin32.py", line 64, in open
    raise SerialException("could not open port {!r}: {!r}".format(self.portstr, ctypes.WinError()))
serial.serialutil.SerialException: could not open port 'COM5': PermissionError(13, 'The device is not ready.', None, 21)

Update main

[2021-09-29 11:34:31.001508] Waiting for device
[2021-09-29 11:34:31.001979] Found device = 0e8d:201c
Traceback (most recent call last):
File "main.py", line 237, in
main()
File "main.py", line 40, in main
device = Device().find()
File "/home/p0txky/Documents/bypass_utility/src/device.py", line 109, in find
self.ep_in = usb.util.find_descriptor(cdc_if, custom_match=lambda x: usb.util.endpoint_direction(x.bEndpointAddress) == usb.util.ENDPOINT_IN)
File "/usr/local/lib/python3.8/site-packages/usb/util.py", line 192, in find_descriptor
return _interop._next(desc_iter(**args))
File "/usr/local/lib/python3.8/site-packages/usb/_interop.py", line 68, in _next
return next(iter)
File "/usr/local/lib/python3.8/site-packages/usb/util.py", line 183, in desc_iter
for d in desc:
TypeError: 'NoneType' object is not iterable

[mtk8127] Help! Unhashable type SysFS

Message I received that I need help with:

[2021-09-18 15:17:53.615059] Waiting for device
Traceback (most recent call last):
File "main.py", line 213, in
main()
File "main.py", line 42, in main
device = Device().find()
File "/home/mcuser/Downloads/bypass_utility-v.1.4.2/src/device.py", line 28, in find
new = self.serial_ports()
File "/home/mcuser/Downloads/bypass_utility-v.1.4.2/src/device.py", line 69, in serial_ports
result.add(port)
TypeError: unhashable type: 'SysFS'

RuntimeError: Default config is missing

When I try to run (sudo or not) I receive the message:

Traceback (most recent call last):
File "./main.py", line 213, in
main()
File "./main.py", line 37, in main
raise RuntimeError("Default config is missing")
RuntimeError: Default config is missing

6853 fail

Main - Kamakiri / DA Bruteforce run
Main
Main - [LIB]: Trying var1 of 0A, please reconnect/connect device into bootrom mode
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
.....................
....................
....................
....................

Port - Device detected :)
Preloader - CPU: MT6853()
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Disabling Watchdog...
Preloader - HW code: 0x996
Preloader - BROM mode detected.
Preloader - ME_ID: 09566713B2E3ACCB45961EB1E96E1F4C
PLTools - Kamakiri / DA Run
PLTools - Loading payload from payloads/generic_dump_payload.bin, 0x130 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri..
[Errno 5] Input/Output Error
Kamakiri - Done sending payload...
PLTools - Error, payload answered instead:
PLTools
PLTools - [LIB]: Error on sending payload: brom_MT6853_996.bin
PLTools
PLTools - [LIB]: Error on dumping Bootrom.

Is it possible to dump the preloader by this utility?

Actually, this utility can dump the bootrom. But SP_flash_tool can't read back some devices without a suitable preloader.bin; it only throws a 4032 error.
So can we dump the preloader.bin in this way?
Just my guess, maybe it's wrong.
