MeowIce/tnfbypass

TNFlasher Bypass

HyperTN/MIUITN TNFlash.exe Bypass Tool

Tired of waiting for serial approval? Try this!

Download the official build of this tool via...

Note

This repo only contains the latest version (v2.x.x); previous versions were saved locally without a proper Git repo, so I cannot upload earlier work here.

Why I decided to go Open Source...

Back then, I mainly made the bypass for my own use, but then I realized many people were also struggling to flash the ROM because of the new terms. Furthermore, starting from January 2026, TN ROM seems to be going subscription-only, leaving even more users behind.
Imagine paying $3/device just to flash a ROM that has an AI-vibecoded toolbox app to install keyboxes for Play Integrity and some game tweaks, and a UI that looks like the stock ROM with some weird bugs.
There are better FREE alternatives like xiaomi.eu and ProjectZK, or you can also support ported-ROM devs to help them find bugs and improve the ROM!

But Meow, I have an MTK device :(

Well, next time get a Snapdragon one; MTK doesn't want you to have custom ROMs. To build a custom ROM, developers need the kernel source code, and MTK doesn't publish it. If the manufacturer doesn't pay for the code, they can't release it to the public, leaving developers with nothing to work with. Even when the kernel source is released, it is often missing the blobs and drivers needed to function properly. For most developers, the effort required to fix one bug on an MTK device is better spent building ten ROMs for Snapdragon devices =)
If you really want MTK, next time don't choose Xiaomi.
One more thing that contributed to making it open source is that I no longer use TN ROM. That's it.

Compatibility:

  • Windows 10/11
  • Python 3.x
  • TNFlash 3.2

Note

This tool only bypasses the verification steps in the exe app; it neither modifies nor changes any code of the exe file or the ROM files.

Warning

I am not responsible for bricked devices or voided warranties. This tool is provided as-is; use at your own risk.

Run the tool directly

To run the tool, open a terminal/command prompt window as admin and cd to the tool's location. Then run it with Python:
python TNFBypass.py

Things to do AFTER flashing the TN ROM:

Since ROM version 3.1, TN has added a blacklist function to the TNToolbox.apk app (installed by default). It checks whether the device is in their database. If you used this tool, your serial will not appear in the database (ofc lol), and the app will then soft-brick your device. To prevent this, you must add a DNS server to block the connection to TN servers:

  1. Open the Settings app;
  2. Click More connectivity options (found under the VPN option);
  3. Click Private DNS (found under the Airplane mode);
  4. Select the last option, and add 9d6f1c.dns.nextdns.io as the DNS;
  5. Save and you're done.

Note

If you don't want to add a DNS, use the crackedtoolbox.apk in the repo. This APK was made by a group member, so use it at your own risk.

Contributions

Contributions to this project are all welcome. Feel free to make PRs to introduce new features and/or new bypass methods. However, to save time, I highly recommend studying how TNFlash decrypts and unpacks the ROM files and improving the current Universal TNFlash (utnf.py), rather than chasing Thang Nguyen's AI models (yes, he uses AI to vibe-code the flash tools and toolbox app, so he can fix our methods so damn fast).

How does the tool work? (TN 3.2)

In this section, I will only explain the workaround for TN 3.2, as this version required a new bypass method.

Updated TNFlash version (Feb 14, 26)

Again, Thang Nguyen has found the method; the bypass DOES still work, but TNFlash refuses to call fastboot when it detects a memory-modified serial and then kills itself.
Further digging, I found:

  • It uses libcurl.
  • User-Agent: HyperTN-FlashTool/3.2
  • Header: x-api-key: `something_here`
  • HMAC-SHA256 key (anti-relay protection): `something_here`
  • The server response includes: status, signature, subscriptionData, nonce, codename, expiry, hello, serial
  • The AES-256-CTR key is retrieved from the "hello" field in the response
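To make concrete what a signature plus a nonce in the response implies, here is an added illustration of how a client verifies an HMAC-SHA256 signed response and rejects forged, unsigned or replayed ones. This is not TNFlash's code; the key, the set of signed fields, the serialization and the sample response are all assumptions made for the example. It shows why a 3.1-style spoofed response, crafted without the shared key, fails verification even when the TLS layer is defeated.

```python
import hmac
import hashlib
import json
import secrets

# Hypothetical shared key. A real client embeds its own; this is a constructed placeholder.
HYPOTHETICAL_KEY = b"placeholder-hmac-key-not-the-real-one"

# Assumed set of fields covered by the MAC (the page lists these names in the response).
SIGNED_FIELDS = ("status", "serial", "codename", "expiry", "nonce")


def canonical_message(resp: dict) -> bytes:
    """Serialize the signed fields in a fixed order so both sides MAC identical bytes."""
    subset = {k: resp.get(k) for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_response(resp: dict, key: bytes) -> dict:
    """Server side (illustrative): attach an HMAC-SHA256 over the canonical fields."""
    signed = dict(resp)
    signed["signature"] = hmac.new(key, canonical_message(resp), hashlib.sha256).hexdigest()
    return signed


def verify_response(resp: dict, key: bytes, expected_nonce: str) -> tuple:
    """Client side: accept only a response that is signed, untampered and bound to our nonce.

    Returns (ok, reason).
    """
    sig = resp.get("signature")
    if not isinstance(sig, str):
        return False, "missing signature"
    expected = hmac.new(key, canonical_message(resp), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the comparison itself leaks nothing about the MAC.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # The nonce is chosen per request by the client; a captured response carries an old one.
    if resp.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replay)"
    return True, "ok"


def demo() -> dict:
    """Run the verifier over four constructed responses and return each verdict."""
    nonce = secrets.token_hex(16)
    # Constructed sample response using the field names the page lists.
    genuine = sign_response(
        {"status": "passTN", "serial": "EXAMPLESERIAL000", "codename": "zircon",
         "expiry": "2026-12-31", "nonce": nonce},
        HYPOTHETICAL_KEY,
    )
    tampered = dict(genuine, expiry="8386-08-22")                       # edited field breaks the MAC
    unsigned = {k: v for k, v in genuine.items() if k != "signature"}   # 3.1-style spoof, no key
    replayed = dict(genuine)                                            # valid MAC, stale nonce
    return {
        "genuine": verify_response(genuine, HYPOTHETICAL_KEY, nonce),
        "tampered": verify_response(tampered, HYPOTHETICAL_KEY, nonce),
        "unsigned": verify_response(unsigned, HYPOTHETICAL_KEY, nonce),
        "replayed": verify_response(replayed, HYPOTHETICAL_KEY, secrets.token_hex(16)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({why})")
```

The design point is that the MAC binds the subscription fields to a secret the intercepting proxy does not hold, and the nonce binds the response to one request, so neither editing a captured response nor resending an old genuine one passes the client check.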

New method ongoing... (hopefully)

Updated TNFlash version (Feb 12, 26)

So Thang Nguyen has finally figured out the method and quickly released a patch a day later.
In this new version, he embedded all the necessary libs into TNFlash.exe itself, so replacing 7z.exe no longer works. Instead, TNFlash extracts fastboot and two other DLLs, AdbWinApi.dll and AdbWinUsbApi.dll, to a randomly named folder under bin\lib\arm64\. Both the folder and the fastboot filename are randomized and given the Hidden attribute to hide them completely from File Explorer and cmd. So this time I watch for a new exe being created in that folder when TNFlash starts up, then quickly use pymem to hook the fastboot subprocess and modify the real serial to a legit one to flash.

Note

Did you know: you can use Process Monitor to see where TNFlash drops its files? To do that, set the filter to "Process Name is TNFlash.exe then Include" and "Operation is WriteFile then Include".

The previous method...

It no longer works, because TNFlash now has certificate pinning, so we can no longer capture and spoof the server responses via Flask :(

Gore...

I have been trying to figure out TNFlash's validation and flashing process, and I found some interesting gore:

  • It has 2 fastboots in the bin\lib\x86 folder: one named 7z.exe and another named fastboot.exe. You can try calling 7z.exe in a terminal and check.
  • It checks the integrity of 7z.exe on startup.
  • It only uses 7z.exe for flashing; fastboot.exe, 7za.exe, curl.exe and the other DLLs are UNUSED.
  • It randomizes the super flash order (hardcoded, not at runtime) to make it a bit harder for a normal user to flash on their own.
  • The correct order is [7,14,2,13,9,12,0,10,6,5,15,3,11,8,1,16,17,18,19,20,21,22,23]
  • superTN.img.4 is encrypted with AES-256-CTR and can no longer be unpacked using 7zip.
  • TNFlash then decrypts and extracts superTN.img.4 to the firmware-update folder under the name modernmfw.img (it is NOT the Qualcomm modem!!!)
  • That file is flashed first, and deleted immediately when done.

What's next?

So our job is to write a dummy fastboot that always returns a valid serial with a Supporter Subscription, then use a Python function to swap in the dummy 7z.exe payload when it detects that TNFlash.exe has started running. On quit, it restores the original 7z.exe.
During flashing, the replaced dummy fastboot (7z.exe) forwards all flashing commands to the real device using the fastboot.exe file we discussed earlier.

So how did I get the valid serials?

TN's server had data breaches back then, with open APIs used for mass-dumping serials from their database. I saved them into a JSON file, User.json.
With the serials dumped, I wrote an automated script to filter only serials with the year 2238, then piped them to autoSerialQuery.py to mass-query the API and check each serial's status. I then use the result generated by autoSerialQuery.py to craft a massive serial pool, used randomly on each run.

Why do we have to randomize the serial ?

TN's verification step is not stoopid like in previous versions. It now caches the IP used to flash alongside that serial, so other IPs cannot use the same serial to flash. If you try, it returns the error: Server Verification Failed(4)!.

How does the tool work? (TN 3.1)

This tool bypasses the subscription checker process using the famous MITM (Man-in-the-Middle) attack, exploiting a vulnerability found in the verification steps. In this section, I will explain the workaround for TN 3.1.

The API...

For the API that checks and verifies subscriptions, it uses the Supabase provider, located at vkhojreqmombazfazhup.supabase.co, with a POST request to /functions/v1/check_tnflash.

TNFlash.exe then sends this query to the API: {"serial": "EUUWU8WG5DP7RCXC"} with a {"Content-Type": "application/json"} header. The new version also uses a new API scheme with a new response layout. It includes 4 different statuses: A, B, C, and X:

A - Donator sub
B - Valid sub
C - Expired sub
X - Blacklisted serial

And the full response looks like this:

For Valid, Donator Subscription:

{
    "status": "passTN",
    "subscriptionData": {
        "serial": "EUUWU8WG5DP7RCXC",
        "codename": "zircon",
        "expiry": "2036-11-19",
        "status": "A"
    },
    "message": "Serial found with status A, B",
    "serial": "EUUWU8WG5DP7RCXC"
}

For Valid Free Subscription:

{
    "status": "passTN",
    "subscriptionData": {
        "serial": "EUUWU8WG5DP7RCXC",
        "codename": "zircon",
        "expiry": "2025-08-22",
        "status": "B"
    },
    "message": "Serial found with status B",
    "serial": "EUUWU8WG5DP7RCXC"
}

For expired subscription:

{
    "status": "passC",
    "message": "Serial found with status C",
    "subscriptionData": {
        "serial": "EUUWU8WG5DP7RCXC",
        "codename": "zircon",
        "expiry": "2025-07-22",
        "status": "C"
    },
    "serial": "EUUWU8WG5DP7RCXC"
}

For blacklisted serial:

{
    "status": "blacklist",
    "message": "Serial found with status X",
    "serial": "EUUWU8WG5DP7RCXC"
}

For unregistered serials, it returns an error message; nothing interesting here.

The SSL Certificate...

In TN 3.1, tool version 2.1 initializes a new certificate injector. Unlike the TN 3.0 flasher app, the new TNFlash.exe rejects any self-signed mkcert SSL certificate you throw at it:

> Error: Failed to get response from Edge Function or empty response.
> Press any key to exit...

Further digging, I found it also self-signs certs using openssl, and that certificate must be installed in the Windows certificate store. The workaround here is to use openssl to generate a cert and a key, and import it into the Local User's certificate store on Windows, using the certutil command:

certutil.exe -addstore Root bypassCert.pem

Spoof the response...

With the certificate injected correctly, we can trick TNFlash.exe into thinking the certificate is legitimate, and then modify the server's response into our valid response using Flask with the certificate we created earlier:

{
    "status": "passTN",
    "subscriptionData": {
        "serial": "bypassed by meowice for",
        "codename": "zircon",
        "expiry": "8386-08-22",
        "status": "A"
    },
    "message": "Serial found with status A, B",
    "serial": "bypassed by meowice for"
}

Now, all you have to do is open TNFlash.exe and enjoy flashing!

About

An application to bypass TNFlash.exe in TN ROM 3.x