kaeru is an ARMv7 payload that provides arbitrary code execution on MediaTek bootloaders (LK) with full permissions, initiated post-hardware initialization and before the main LK function (app) execution. For more details about it, visit and read my blog.
Building the payload requires:

- Python 3
- liblk
- gcc-arm-none-eabi
The payload needs to be built before injecting it:

```sh
git clone git@github.com:R0rt1z2/kaeru.git
cd kaeru
make
```

Debugging can be enabled with `export KAERU_DEBUG=1`.
After successfully building the payload, it must be injected into your LK image with the provided script:

```sh
python3 inject_payload bin/lk.bin build/payload.bin <payload_address> <caller_address>
```

Both the payload address and the caller address can be found in `common.h`.
This project is licensed under the GPLv3 license - see the LICENSE file for details.