Preparation

Python

You need a working Python environment with its environment variables set up.

Bypass utility

Clone the Bypass utility project locally:

git clone https://github.com/MTK-bypass/bypass_utility.git

Install

pip install pyusb json5

Payloads

Clone exploits_collection locally:

git clone https://github.com/MTK-bypass/exploits_collection.git

UsbDk

Install UsbDk (64-bit). My computer is 64-bit; choose the build that matches your own machine.

Getting started

Copy the payloads folder and the default_config.json5 file from the exploits_collection project into the root directory of bypass_utility:

bypass_utility
│  .gitignore
│  default_config.json5
│  libusb-1.0.dll
│  LICENSE
│  main.py
│  README.md
│
├─payloads
│      ....many files
│
└─src
       ....many files

Then edit main.py in Bypass utility:

DEFAULT_CONFIG = "default_config.json5"
PAYLOAD_DIR = "payloads/"
DEFAULT_PAYLOAD = "mt6771_payload.bin"  # Set this for your SoC: look up your SoC in default_config.json5 and use the matching payload
DEFAULT_DA_ADDRESS = 0x200D00

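Once the changes are made, power off the phone, run main.py, hold Volume+ and Volume- at the same time, wait 1~2 seconds, then connect the phone to the computer.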

If the program reports no errors, the output looks like this:

[2023-07-04 10:13:14.264616] Waiting for device
[2023-07-04 10:13:52.960004] Found device = 0e8d:0003

[2023-07-04 10:13:53.397352] Device hw code: 0x788
[2023-07-04 10:13:53.402365] Device hw sub code: 0x8a00
[2023-07-04 10:13:53.402365] Device hw version: 0xca00
[2023-07-04 10:13:53.403721] Device sw version: 0x0
[2023-07-04 10:13:53.403721] Device secure boot: True
[2023-07-04 10:13:53.403721] Device serial link authorization: False
[2023-07-04 10:13:53.404720] Device download agent authorization: True

[2023-07-04 10:13:53.404720] Disabling watchdog timer
[2023-07-04 10:13:53.407718] Disabling protection
[2023-07-04 10:13:53.446036] Protection disabled

If it runs and then simply exits, it succeeded, and MTKClient can now connect directly.
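To check a run without reading the output by eye, the following added example (not part of bypass_utility or the original post) parses the log shown above and reports which protections the device advertised and whether the run reached "Protection disabled". The names parse_run and summarize are hypothetical.

```python
import re

# Sample input: the output lines copied from the run shown above.
SAMPLE_LOG = """\
[2023-07-04 10:13:14.264616] Waiting for device
[2023-07-04 10:13:52.960004] Found device = 0e8d:0003
[2023-07-04 10:13:53.397352] Device hw code: 0x788
[2023-07-04 10:13:53.402365] Device hw sub code: 0x8a00
[2023-07-04 10:13:53.402365] Device hw version: 0xca00
[2023-07-04 10:13:53.403721] Device sw version: 0x0
[2023-07-04 10:13:53.403721] Device secure boot: True
[2023-07-04 10:13:53.403721] Device serial link authorization: False
[2023-07-04 10:13:53.404720] Device download agent authorization: True
[2023-07-04 10:13:53.404720] Disabling watchdog timer
[2023-07-04 10:13:53.407718] Disabling protection
[2023-07-04 10:13:53.446036] Protection disabled
"""

LINE_RE = re.compile(r"^\[([^\]]+)\]\s+(.+)$")        # "[timestamp] message"
FIELD_RE = re.compile(r"^Device ([a-z ]+): (\S+)$")   # "Device <name>: <value>"

def parse_run(log_text):
    """Split the log into device fields (name -> bool/int) and plain events."""
    fields, events = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank separator lines between log groups
        msg = m.group(2)
        f = FIELD_RE.match(msg)
        if f:
            raw = f.group(2)
            # Flags are printed as True/False, everything else as hex.
            fields[f.group(1)] = (raw == "True") if raw in ("True", "False") else int(raw, 16)
        else:
            events.append(msg)
    return fields, events

def summarize(log_text):
    """Report the hw code, the protections the device advertised, and the outcome."""
    fields, events = parse_run(log_text)
    return {
        "hw_code": fields.get("hw code"),
        "enforced": sorted(k for k, v in fields.items() if v is True),
        "protection_disabled": "Protection disabled" in events,
    }
```

For the run above, summarize(SAMPLE_LOG) shows a device that advertised secure boot and download agent authorization, with the final "Protection disabled" line present.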

Pitfalls

If MTKClient reports a handshake failure, press and hold all three buttons (Volume+/-) until the phone vibrates; this reboots it.