Join us on Tl   Wh

Hovatek Forum MOBILE Android [Tutorial] How to use MTK Bypass to backup or flash secure boot MTK

[Tutorial] How to use MTK Bypass to backup or flash secure boot MTK

[Tutorial] How to use MTK Bypass to backup or flash secure boot MTK

Pages (19): 1 2 3 4 519 Next
hovatek
hovatek
hovatek
Administrator
49,753
29-01-2021, 07:22 PM
#1



This is a step-by-step guide showing how to flash or backup a Mediatek (MTK) secure boot device without using a custom download agent (DA). This tool disables the SLA / DAA bootrom protection

A little history


Secure Boot Mediatek devices require loading a specific Download Agent (DA) file to permit flashing / backup operations. You can read more about Secure Boot, DA and Auth in this article. Up until this exploit was discovered, We'd been providing free Mediatek DA files @ https://www.hovatek.com/forum/thread-23784.html so feel free to check it out if this exploit doesn't yet support your secure boot MTK device's chipset.

Very Important Notice
  • You can also use mtkclient + SP flash tool to backup and flash secure boot devices.
  • This MTK-bypass procedure can be used to backup firmware, flash firmware or even format partitions on Mediatek secure boots without a custom DA
  • If you download the latest version of mtk bypass tool, then skip steps 3-6 in our guide (libusb-win32 is no longer needed), simply download & install USBdk @ https://github.com/daynix/UsbDk/releases
  • If you get a module not found error then uninstall all Python versions (and paths in environmental variables) on your PC and restart the process


Requirements


How to backup / flash a MediaTek (MTK) secure boot device using MTK Bypass Utility


The steps below explain how to backup / flash a Mediatek (MTK) secure boot device without using a custom download agent (DA)


See the video below or @ https://youtu.be/Qoj162WW1So


  1. Install Python and ensure to tick the checkbox Add Python x.x to PATH

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-1.webp]

  2. Once successful, open a CMD prompt or powershell window and type the command below then press the Enter key. To confirm installation success, you can run the command a second time and you should get a requirement satisfied message seen below
    Code:

    pip install pyusb json5

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-2.webp]

  3. Launch libusb-win32, tick Install a device filter then click Next

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-3.webp]

  4. At this point (depending on your model), you need to hold both volume buttons, the volume up or the volume down button then connect the phone to the PC. In the case for Nokia 3, it's volume down
  5. You should see MediaTek USB port, quickly select it and click "Install"

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-4.webp]

  6. You'll get a message as seen below if successful, click Ok then you can exit the libusb tool. If not successful, then retry the previous step again

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-5.webp]

  7. From the exploit collection folder, copy the payloads folder along with default_config.json5 file into the bypass utility folder

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-6.webp]

  8. In the bypass utility folder, hold the shift key then right-click and select Open CMD or Powershell window here

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-7.webp]

  9. In the powershell / cmd window, type the command below and press Enter. Use the second command if you get an error using the first. You should get a message, "Waiting for bootrom"
    Code:

    python main.py

    Code:

    py -3 main.py

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-8.webp]

  10. At this point, either hold the volume up or volume down button on the phone then connect to the PC using a USB cable
  11. Your device should be detected and you should see Protection disabled if it's successful. You can minimize the CMD / Powershell window

    [Image: How-to-backup-flash-or-format-a-mediatek...-DA-9.webp]

  12. Leave the phone connected, launch SP flash tool, and click Options > Option

    [Image: How-to-backup-flash-or-format-a-mediatek...DA-10.webp]

  13. In the new window, click Connection

    [Image: How-to-backup-flash-or-format-a-mediatek...DA-11.webp]

  14. Select UART, select the com port, change baudrate to 921600 then close the window (you could also use USB high-speed connection)

    [Image: How-to-backup-flash-or-format-a-mediatek...DA-12.webp]

  15. You can now proceed to flash or backup firmware using tools like WWR MTK or SP flash tool and the default download DA

    [Image: How-to-backup-flash-or-format-a-mediatek...DA-13.webp]


Important Notice
  • Before proceeding, ensure that a payload exists for your phone's chipset. For this, you can check the list @ https://github.com/MTK-bypass/exploits_c...r/payloads
  • If you happen to be using libusb standalone version and your device isn't getting detected properly then ensure to use the installer version listed under the requirements section
  • If at any point you disconnect the phone while flashing, you'll need to rerun the python main.py command to disable protection before you proceed again
  • If you wish to carry out multiple processes on a particular device e.g readback then format a partition, or failed flash and a reflash then you don't need to reboot the device for each process. After performing the first process, simply run main.py with the phone still connected then hold the boot key(s) + power key for about 15 seconds (it may vary on your device), your device should reboot back into mtk usb port and main.py will bypass protection allowing you proceed with the next process
  • Credits goes to the developers of the MTK-bypass tool chaosmaster , Dinolek as well as other contributors to the exploits
  • If you encounter an error like
    Code:

    Traceback (most recent call last):
      File "main.py", line 3, in <module>
        from src.exploit import exploit
    ImportError: No module named src.exploit
    then ensure you're running the right main.py command for your installed python version (e.g py -3 main.py)
  • You're to run python main.py or py -3 main.py before every operation in whatever tool you're using

Video Transcript
Quote:In this video tutorial, I'm going to be showing how to backup firmware or flash firmware to a Mediatek secure boot device without using a custom download agent. Now, for the sake of this tutorial, I'm going to be using Nokia 3. Its a secure boot device and we're also going to be making use of these tools. Actually, these tools, the download links for them will be in the description. So we're going to start off by installing python. When installing python, ensure to click Add Python to path then click Install Now. The tool we're going to be using is called MTK bypass. What you need to download is bypass utility and exploit connection. You can download python and libusb. Links will be in the description. To download from Github, just click on the item you wish to download then click Code. Download Zip. By the way, the developer and contributors to this tool, full credit goes to them. Python is still installing. Successful. You can now close. Quickly open the command prompt window. Now in command prompt, type and Enter this command. You can right-click to paste then press Enter. Ensure you have an internet connection while running this command. You should get this message; you're using PIP version 20. Once you get this message, you're good to go. You can now close. Install LIbusb, launch. Now, you need to install Mediatek drivers. I'm using a signed driver, the link is at the forum. This is the manual Mediatek signed driver. Just right-click on the inf file and install. Successful. OK. Lastly, you'll need to extract these two items, the files you downloaded from Github. Now, open exploit, copy payload folder and default config. Paste them into the MTK bypass utility folder and you should have something like this. Now, return back to libusb , install a device filter, next. At this point, what you want to do now is to connect the phone to Mediatek MTK USB Port mode. To do this, on some devices, you hold volume up. On some devices, you hold volume down. Now, in the case of Nokia 3, volume down works so I'm going to hold volume down button and connect the USB port. Now, once I do this, I'll need to quickly select Mediatek USB port and install. Lets see how it goes. Volume down button and then I connect the USB. MTK USB port. OK, it says here successful. Your phone might power on, its all good and fine. Just switch it back off it it does. Now, once that is done, you can minimize or close. Now, we need to open a command prompt window here or power shell window. You can do this by holding Shift key then right-click. Now, you need to type python main.py. Basically, we're trying to launch this file. Hit Enter. You might get an error message; python was not found. If you get this message, you need to launch python 3 launcher by typing py -3 then the file you want to run which is main.py. Now you'll get this message; waiting for bootrom. At this point, you're going to re-connect the phone using the same volume down button and connect the USB cable. Now, if successful, you should see this message; protection disabled. You can see Secure Boot device is true. Now, don't disconnect the phone, simply minimize then launch SP flash tool. Now, for the sake of this tutorial, I'm just going to be flashing boot and recovery only but of course you can backup, you can format partitions, whatever you wish to do. Now, go to options.. OK I've selected (scatter) file. I want to flash only boot and recovery so I select boot and recovery. Now, you need to configure SP flash tool connection settings. Option , Option, Connection. Set it to UART. COM port depends on what you have here; Mediatek COM port 10 and finally the speed. You can now close and click the Download button. Now, if all goes well, the device should start flashing using the default download agent. You should get a successful message once you're done. You can now disconnect the device and power it on. Basically, this is how you flash or backup firmware from a Mediatek secure boot device without using a custom Download Agent. All you just need to do is make sure that the MTK bypass has exploit for your chipset which you'll find under the payload folder. You'll find different chipsets. Right now, this is what they have as at the time of creating this guide. Thank you for watching, ensure to subscribe for more tutorials.         
This post was last modified: 08-11-2023, 07:28 PM by hovatek.
XRed_CubeX
XRed_CubeX
XRed_CubeX
Junior Member
29
30-01-2021, 11:01 AM
#2
Tested on Meizu M5c (MT6737m) and works perfectly.
Also tested on Meizu m3s (MT6750) and gave no problems.
This post was last modified: 30-01-2021, 09:08 PM by XRed_CubeX.
a4Abhi
a4Abhi
a4Abhi
Junior Member
15
30-01-2021, 12:59 PM
#3
Will it be able to connect Meta Mode in Xiaomi Poco c3 or Redmi 9 ??
Actually Iam having Poco C3but unable to Boot it into Meta Mode even after Boot loader unlocked on MIUI 12.
thabitu
thabitu
thabitu
Techie Member
71
30-01-2021, 02:23 PM
#4
Can we use miracle box instead of spft?
XRed_CubeX
XRed_CubeX
XRed_CubeX
Junior Member
29
30-01-2021, 04:31 PM
#5



(30-01-2021, 02:23 PM)thabitu Can we use miracle box instead of spft?
In theory, yes.
This exploit mainly deals with disabling the need for the download agent but for only one session so every time the phone restarts you should rerun the exploit, with the miracle box I'm not 100% sure if it would work but I'm pretty sure it would need a few more settings to work perfectly
Maaz Khalid
Maaz Khalid
Maaz Khalid
Junior Member
21
31-01-2021, 10:23 AM
#6
I'm getting this when i try to disable protection (See attachment)
Attached Files
.png
Screenshot (3).png
Size: 60.04 KB / Downloads: 387
XRed_CubeX
XRed_CubeX
XRed_CubeX
Junior Member
29
31-01-2021, 10:31 AM
#7
(31-01-2021, 10:23 AM)Maaz Khalid I'm getting this when i try to disable protection (See attachment)

Install libusb-win32 filter to Mediatek USB Port
hovatek
hovatek
hovatek
Administrator
49,753
31-01-2021, 11:07 AM
#8
(30-01-2021, 11:01 AM)XRed_CubeX Tested on Meizu M5c (MT6737m) and works perfectly.
Also tested on Meizu m3s (MT6750) and gave no problems.

thanks for testing & confirming
hovatek
hovatek
hovatek
Administrator
49,753
31-01-2021, 11:09 AM
#9
(30-01-2021, 12:59 PM)a4Abhi Will it be able to connect Meta Mode in Xiaomi Poco c3 or Redmi 9 ??
Actually Iam having Poco C3but unable to Boot it into Meta Mode even after Boot loader unlocked on MIUI 12.

unlikely, this bypass uses the mtk usb port (brom), to get to meta mode, the device needs to first be detected as mtk vcom preloader before whatever tool you use will attempt to reboot to meta mode
hovatek
hovatek
hovatek
Administrator
49,753
31-01-2021, 11:10 AM
#10
(30-01-2021, 02:23 PM)thabitu Can we use miracle box instead of spft?

i'd say no, not unless you know a way to set miracle box / thunder to use UART instead of USB
i don't think miracle has such a settings but i maybe wrong
Pages (19): 1 2 3 4 519 Next
Users browsing this thread:
 2 Guest(s)
Users browsing this thread:
 2 Guest(s)
Join us
WhTlYt