[MOD][DEV] MediaTek / MTK - Auth Bypass (SLA/DAA) - Utility

k4y0z

As some of you have already noticed, a couple of weeks ago @Dinolek and I published a utility that allows bypassing authentication on MTK devices.
The tool is based on an exploit dubbed kamakiri, which was originally found by @xyz` and released for the Amazon FireTV Stick 4K (mantis).

What does this mean?
You can use this utility to bypass Serial Link Authentication and Download Agent Authentication on supported devices to use software such as SP Flash Tool to unbrick devices that would otherwise require authentication (AUTH-file).

The tool has since been expanded to support more SOCs by contributions from @viperbjk, @Rortiz2 and others.

It currently supports the following SOCs (and their variations):
  • mt6261
  • mt6572
  • mt6580
  • mt6582
  • mt6735
  • mt6737
  • mt6739
  • mt6755
  • mt6757
  • mt6761
  • mt6763
  • mt6765
  • mt6768
  • mt6771
  • mt6785
  • mt6799
  • mt6873
  • mt8127
  • mt8163
  • mt8173
  • mt8695
There are two parts to this project, the Utility itself and the Exploit Collection.

Please refer to the project's README on how to set up your environment to use this utility successfully.

Please note that this project has already been incorporated into multiple commercial tools without even a mention.
This software is free to use, but the courtesy of at least mentioning the original authors is expected.

If you like this software and would like to support us, you can donate
 

hikari_calyx

Nice work!
This will work on MTK devices that are misconfigured in the preloader, like this one:
Code:
MTK_SEC_CHIP_SUPPORT=yes
MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
MTK_SEC_BOOT=ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP
MTK_SECURITY_SW_SUPPORT=yes
CUSTOM_SEC_AUTH_SUPPORT=no
This means the phone was secured but no authentication file was generated, and it was impossible to revive without some sort of programmer back then. An example is the Nokia 3.
 

Tech0308

Wow! Amazing work! Quick question, is there any chance in the future of expanding this exploit to support MTK6762? My Redmi 6 has been bricked for two years now because I can't get access to a Xiaomi Auth account...
Same! Spent days a few weeks ago trying to get around the authentication. Is it possible for MT6750?
 

XRed_CubeX

Wow! Amazing work! Quick question, is there any chance in the future of expanding this exploit to support MTK6762? My Redmi 6 has been bricked for two years now because I can't get access to a Xiaomi Auth account...
It depends. If the developers have a device with the same SoC, or a device with a similar SoC, then it is possible that they port it; or another person who is good with decompilers and wants to port it can do it. You can too, but it always depends on whether you can do it.
 

k4y0z

Wow! Amazing work! Quick question, is there any chance in the future of expanding this exploit to support MTK6762? My Redmi 6 has been bricked for two years now because I can't get access to a Xiaomi Auth account...
MT6762 should be the same as MT6761, so that should already be supported.

For unsupported devices you can try running the utility in testmode.
Code:
./main.py -t
If you can get a bootrom-dump, we can see what we can do about support.
 

XRed_CubeX

MT6762 should be the same as MT6761, so that should already be supported.

For unsupported devices you can try running the utility in testmode.
Code:
./main.py -t
If you can get a bootrom-dump, we can see what we can do about support.
Can you create a guide on how to port (for noobs though)? I also have an unsupported device and would like to try porting.
 

k4y0z

Can you create a guide on how to port (for noobs though)? I also have an unsupported device and would like to try porting.
I can't really create a porting guide.
As said, the first step is to get a bootrom-dump.
This may be achieved using testmode.

What SOC do you have?
 

Yoss Roness

MT6762 should be the same as MT6761, so that should already be supported.

For unsupported devices you can try running the utility in testmode.
Code:
./main.py -t
If you can get a bootrom-dump, we can see what we can do about support.
I tried, but when I ran your command I received this error: Unable to create process using '/bin/python3
 

wentaas

Firstly, this is huge. Soon enough we'll probably get rid of OEMs' dumb restrictions and paywalls for having permission over your own device, but it doesn't work on my Redmi Note 8 Pro global.

It's just stuck on "waiting for device". I've tried everything, like cmd as admin, restarting, all the debug parameters, even class filters. I don't see mt6785t, but 6785 is there, so I think that shouldn't be an issue? Idk, but any help would be great. I have the payloads in the payloads/ folder and the default_config.json5 file in the dir with main.py in it.

I'm running it on a PC with a Ryzen 5 3600, so that could be why? I've checked the code; it seems to just not find the serial port. If I should try on an Intel CPU, how would I use it with a Mac? Because I don't have any other PCs. Maybe through a VM, but I doubt that'd work. Anyway, amazing work. Just wait for someone to make a GUI for it (maybe me, but... cries in tkinter) and it'll be an end to all the stupid OEM stuff.

Again, any help would be really appreciated. I don't wanna get a Realme or something just because I hate MIUI :(
 

k4y0z

It's just stuck on "waiting for device". I've tried everything, like cmd as admin, restarting, all the debug parameters, even class filters. I don't see mt6785t, but 6785 is there, so I think that shouldn't be an issue?
I don't know if mt6785 and mt6785t are the same.
If it doesn't even see your device your issue is something else.
Make sure your device is in bootrom-mode.