
Read ScreenLock Code MTK Exploit MTKClient Dump Method IAASTEAM

This tutorial provides a method for generating keys for MTK devices without using Oxygen, applicable to various models including Redmi and Samsung devices. It outlines the requirements, steps for generating keys, and instructions for reading full flash and creating an Oxygen project. The guide emphasizes that it is for research purposes only and encourages users to respect legal and ethical guidelines in device security.

Uploaded by Damith Milan

MTK Exploit Tutorial: Generating Keys without Oxygen
This tutorial is for research purposes only. It explains how to generate keys for MTK devices
without the need for Oxygen. This can be useful in situations where Oxygen cannot boot some
devices or when there are problems connecting the device to Oxygen to receive keys.

Applicability
This solution is applicable for the following models:

• Redmi 12 MT6769 (Fire)
• Redmi Note 12 Pro Plus (Ruby)
• Redmi Note 12 Pro 5G (sweet)
• Redmi 11 Prime 5G
• Redmi Note 11S
• Xiaomi Poco M4 Pro
• Xiaomi Poco X3 GT
• Xiaomi 11T
• OnePlus Nord 2 5G
• Samsung A05 A055F
• Samsung A34 A346B
• Samsung A32 A325B
• Samsung A32 5G A326B
• Samsung A14 A145P
• Realme 7 5G
• Redmi 12C
• Alcatel TCL 306
• BlackView BV4900

Requirements
1. MTKClient: clone it from GitHub (https://github.com/bkerler/mtkclient/).
2. The device must be in BROM mode.
3. Libusb-win32 must be installed.

How to Generate Keys


The keys generated via Oxygen look like this:

{
  "MTK_HRID": "69b33af17876de894015b468595a9b10",
  "MTK_SOCID": "1a43d39dbe1fd7fdde6035b3a910d1205dd7ce87ff65daa1c09b57cc804ac200",
  "MTK_FDEKEY": "4050573b8678485f79626c643b404813",
  "MTK_RPMB2KEY": "fbf665459a83ba5ee4df28679e685527",
  "MTK_CHID": "34313938",
  "MTK_ITRUSTEE": "56f542cd6e051c2dd3df8be17f0c16e7ed8a1f098a2792f1cd5e2f7b135d5d9c",
  "MTK_ME_ID": "93c7c35b1c7b3eb6ad8827012dcc248c",
  "MTK_RID": "6088591bd34e6750cfc3b683b7a847db",
  "MTK_CID": "4d54303634474153414f325532312020",
  "MTK_RPMBKEY": "bd9faa64ace8d199eb4355e68f075dc502ba0d0914c5111fc367f382096205c9"
}

For Windows users, follow these steps:

1. Download and install Python (v3.11) using its installer.
2. Download and install Git.
3. Download and install libusb-win32.
4. Make a new folder named “Iaasteam”.
5. Open CMD in the Iaasteam folder and run the following commands:

git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt

6. Ensure libusb-win32 is installed on your system.


7. Run this command to generate keys:

python mtk da generatekeys

After running the command, you will have all parameters that exist in the keys file of Oxygen.
Copy and paste these fields into your keys file.

Reading Full Flash and Creating Oxygen Project


If you are using MTKClient, use this command for reading full flash:

python mtk rf flash.bin

After reading the dump from the device, rename it to userdata.bin (this is the name used
in device.ewc). Next, get the keys from the device. You can get them with MTKClient
without Oxygen (try python mtk da generatekeys); if that proves difficult, use Oxygen
with the following steps:
1. Open Oxygen, then Extractor and in “MTK Android” choose the option “Extract
Hardware Keys”. The tool will ask you to connect and reconnect the device in MTK
mode. In this case, Oxygen will read keys from the device.
2. Copy userdata.bin to the Oxygen generate key folder (keygenerate operation).
3. Now create device.ewc. Create a file named device.ewc and open it in Notepad++.
Insert the following content (userdata.bin is the name of your dumped file):

[BaseInfo]
ExtractionEndUtc=
ExtractionMethod=
ExtractionStartUtc=
[ExtendedInfo]
KeyBagFile=keys.json
Partition 1 File=userdata.bin
Partition Name=userdata
PartitionsCount=1

4. Save the file and place it in the Oxygen dump folder. You now have a folder with
three files: userdata.bin, keys.json and device.ewc. This is the manually generated
Oxygen project, ready to parse.
5. Open Oxygen, choose Android/Physical-JTAG image, and select the file device.ewc.
Oxygen will ask you for a password or allow you to brute-force it, and will then
extract files as normal.
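
Before loading a hand-built project, it helps to confirm that every file named in device.ewc exists under exactly that name, that keys.json is well formed, and to record SHA-256 hashes of the evidence files. The following check is an added example, not part of the original tutorial or of MTKClient or Oxygen; `check_project`, `sha256_file` and the rule that every field of the sample keys file is required are assumptions of this example.

```python
import configparser
import hashlib
import json
import re
from pathlib import Path

# Field names from this page's sample keys file; requiring all of them is an assumption.
EXPECTED_KEYS = {"MTK_HRID", "MTK_SOCID", "MTK_FDEKEY", "MTK_RPMB2KEY", "MTK_CHID",
                 "MTK_ITRUSTEE", "MTK_ME_ID", "MTK_RID", "MTK_CID", "MTK_RPMBKEY"}
HEX_BYTES = re.compile(r"(?:[0-9a-fA-F]{2})+")

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte dump is never loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()

def check_project(folder):
    """Return (problems, hashes) for a manually assembled project folder."""
    folder, problems, hashes = Path(folder), [], {}
    ewc = configparser.ConfigParser(interpolation=None)
    ewc.optionxform = str  # keep names such as "Partition 1 File" as written
    read_ok = ewc.read(folder / "device.ewc", encoding="utf-8-sig")  # tolerate a BOM
    if not read_ok or "ExtendedInfo" not in ewc:
        return ["device.ewc missing or has no [ExtendedInfo] section"], hashes
    info = ewc["ExtendedInfo"]
    count = info.get("PartitionsCount", fallback="")
    total = int(count) if count.isdecimal() else 0
    if total < 1:
        problems.append("PartitionsCount missing or not a positive number")
    keybag = info.get("KeyBagFile", fallback="")
    names = [info.get(f"Partition {i} File", fallback="") for i in range(1, total + 1)]
    for name in names + [keybag]:
        if name and (folder / name).is_file():
            hashes[name] = sha256_file(folder / name)  # record for the case notes
        else:
            problems.append(f"referenced file not found: {name!r}")
    if keybag in hashes:
        try:
            keys = json.loads((folder / keybag).read_text(encoding="utf-8-sig"))
        except ValueError:
            keys = None
        if not isinstance(keys, dict):
            return problems + [f"{keybag} is not a JSON object"], hashes
        problems += [f"missing key: {k}" for k in sorted(EXPECTED_KEYS - keys.keys())]
        problems += [f"not hex bytes: {k}" for k, v in keys.items()
                     if not (isinstance(v, str) and HEX_BYTES.fullmatch(v))]
    return problems, hashes
```

An empty problem list means the folder is internally consistent; it does not confirm that the keys belong to the dumped device.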

Enjoy!

Please note that this guide is for educational purposes only. Always respect the legal and ethical
guidelines when dealing with device security. This solution is for sale for MediaTek MCU and is
a brute force passcode service only for devices not supported by Oxygen Forensic Detective. A
CM2 Dongle or Pandora Box is not required. This solution has been tested on the models listed
above. Always ensure to test and verify the solution on your specific device model. Let me know
if you have any other questions.

Useful Links:
https://iaasteam.com/mtk-client-tool-v2-2022-free-mtk-exploit-tool/
https://github.com/bkerler/mtkclient/
