Android Phones Are Good Again
Recently, I came across MTKCLIENT, a fascinating reverse engineering project that aims to hack MediaTek SoCs at a low level. It provides direct access to a device’s memory, enabling you to edit partitions, memory, and other critical aspects of the device. The project uses clever exploits within the SoC itself to achieve this.
MTKCLIENT works perfectly with older MediaTek processors, but when it comes to newer chips (like the 70, 80, and 90 series), it starts to struggle. These newer chips use a completely new protocol called v6, which is still less understood and developed compared to the older v5 protocol.
Why, you may ask?
Well, here’s the thing: phone manufacturers have decided that letting users install whatever OS they want isn’t “safe” anymore. They’ll try to tell you it’s for your own protection, especially when it comes to kids or whatever other reasons they come up with to make you believe that restricting your options is the right call.
It wasn’t that long ago—7 or 8 years, maybe—that you could buy any phone, set it up, and unlock the bootloader on the day you bought it; none of today’s 7-day waiting restriction. Fast forward to today, and try doing that with a Samsung. Good luck. Unlocking the bootloader on most modern phones is a pain, and with some brands, it’s just flat-out impossible. This whole situation is what led me to discover MTKClient, which is honestly an awesome tool.
Until phone makers fix this problem and let users have more control, I’ll stick to devices that make it easy to unlock the bootloader.
What’s the Deal with V6?
The latest MediaTek processors (such as the 70, 80, and 90 series) have introduced the v6 protocol, which makes things trickier for those trying to modify the system. Unlike older chips, you can’t just flash these devices in the usual way. The bootrom (the code that runs during device startup) is patched, so you need to use a special DA (Download Agent) file and load it via the --loader option. This is essential if you’re aiming to modify anything on these newer devices.
In some cases, the preloader (the software responsible for booting the device) might be disabled. However, you can work around this by using the `adb reboot edl` command, which forces the device into Emergency Download Mode (EDL), allowing you to flash or fix the device.
Not all devices are created equal. If your device is UNFUSED, you’re in luck, as there are no hardware security locks in place. However, if your device has extra security features like DAA (Device Authentication Algorithm), SLA (Secure Loader Authentication), or Remote-Auth (Remote Authentication), things get significantly more complicated. These protocols make it much harder to modify the firmware without specialized tools or knowledge.
Currently, there’s no public method to bypass these security measures for devices with DAA, SLA, or Remote-Auth enabled. If you have one of these devices, you’re pretty much stuck unless you have access to advanced tools or some obscure communication channels. Telegram, which you might never have heard of, is now the holy grail for custom ROMs, bootloader unlocks and whatnot. Say goodbye to the XDA forums and hello to Telegram.
For the typical user, the MTK GUI should suffice, but when dealing with v6, the command-line (CLI) is your only option.
Using the MTKCLIENT (v5 devices)
Requirements
- A MediaTek device with an unlocked bootloader (or one that supports bootloader unlocking).
- MTKClient tool installed on your system.
- USB Debugging enabled on the device.
- OEM Unlocking enabled in Developer Options.
Step-by-Step Guide to Unlocking the Bootloader
1. Install MTKClient
First, clone the MTKClient repository:

```shell
git clone https://github.com/bkerler/mtkclient
cd mtkclient
pip3 install -r requirements.txt
pip3 install .
```

On Linux, ensure that your user is added to the plugdev and dialout groups:

```shell
sudo usermod -a -G plugdev $USER
sudo usermod -a -G dialout $USER
sudo cp mtkclient/Setup/Linux/*.rules /etc/udev/rules.d
sudo udevadm control -R
sudo udevadm trigger
```

On Windows, make sure UsbDk and the appropriate MTK USB drivers are installed.
2. Boot Your Device into BROM Mode
To interact with the device at a low level, you must boot it into BROM (Boot ROM) mode:
- For most devices: Power off the device, then press and hold Volume Up + Power or Volume Down + Power while connecting it to your computer.
- Once in BROM mode, release the buttons. MTKClient should now detect the device.
3. Unlock the Bootloader
To unlock the bootloader, you need to erase specific partitions and adjust security configurations:
Erase Metadata and User Data:
- Unlocking the bootloader may require erasing critical partitions like metadata and user data (erasing userdata wipes everything stored on the device, so back up first). Run the following command:

```shell
python mtk.py e metadata,userdata
```

Unlock the Bootloader:
- To unlock the bootloader, execute:

```shell
python mtk.py da seccfg unlock
```

Reboot the Device:
- Finally, reboot your device to apply the changes:

```shell
python mtk.py reset
```
And like magic, the bootloader is unlocked: no need to wait for the manufacturer to give you a code (Motorola) or wait weeks to unlock the device. Nobody would do that, right?
Reading the Entire Storage
Once the bootloader is unlocked, you can begin reading the device’s storage, including partitions and full flash dumps.
Read Boot Partition:
- Dump the boot partition with:

```shell
python mtk.py r boot boot.bin
```

Read Preloader Partition (if needed):
- If you need to dump the preloader, use:

```shell
python mtk.py r preloader preloader.bin --parttype=boot1
```

Dump Entire Flash:
- To dump the entire flash memory (including all partitions), run:

```shell
python mtk.py rf flash.bin
```

Read Specific Flash Offsets:
- To read a specific range (here 0x200000 bytes starting at offset 0x128000), use:

```shell
python mtk.py ro 0x128000 0x200000 flash.bin
```

Read All Partitions:
- To dump all partitions into a folder, use:

```shell
python mtk.py rl out
```
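Once you have a `boot.bin` from `python mtk.py r boot boot.bin`, it helps to confirm that you dumped what you think you dumped and to fingerprint it before you change anything. The script below is an added example, not code from mtkclient or from this post: it parses the Android boot image header (the v0 to v2 layout from AOSP’s bootimg.h), locates the kernel and ramdisk inside the dump, and records a SHA-256 of the whole image so a later dump can be compared against it. The sample image it builds for the demo is constructed here, and its cmdline and load addresses are placeholders, not values from any real device.

```python
"""Inspect a boot partition dump (Android boot image header v0..v2) and
fingerprint it. Added example; assumes the AOSP bootimg.h layout."""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
# Fields that follow the 8-byte magic in boot_img_hdr v0: ten u32 values, then
# name[16], cmdline[512], id[32], extra_cmdline[1024].
_V0_FMT = "<10I16s512s32s1024s"
_V0_SIZE = 8 + struct.calcsize(_V0_FMT)  # 1632 bytes


def _decode_os_version(raw):
    """Split the packed os_version field into ("A.B.C", "YYYY-MM")."""
    ver, patch = raw >> 11, raw & 0x7FF
    version = f"{(ver >> 14) & 0x7F}.{(ver >> 7) & 0x7F}.{ver & 0x7F}"
    patch_level = f"{2000 + (patch >> 4)}-{patch & 0xF:02d}"
    return version, patch_level


def parse_boot_image(data):
    """Return a dict describing the header; raise ValueError if it is not a
    boot image (wrong partition dumped) or uses the v3+ layout."""
    if len(data) < _V0_SIZE or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (missing ANDROID! magic)")
    fields = struct.unpack_from(_V0_FMT, data, 8)
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     second_addr, tags_addr, page_size, header_version, os_version) = fields[:10]
    name, cmdline, image_id, extra_cmdline = fields[10:]
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"implausible page_size {page_size}")
    if header_version > 2:
        raise ValueError(f"header_version {header_version} is the v3+ layout")

    def pages(n):  # round a byte count up to whole pages
        return (n + page_size - 1) // page_size * page_size

    # Components follow the header, each starting on a page boundary.
    kernel_off = page_size
    ramdisk_off = kernel_off + pages(kernel_size)
    second_off = ramdisk_off + pages(ramdisk_size)
    version, patch_level = _decode_os_version(os_version)
    info = {
        "header_version": header_version,
        "page_size": page_size,
        "os_version": version,
        "os_patch_level": patch_level,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": (cmdline.rstrip(b"\0") + extra_cmdline.rstrip(b"\0")).decode("ascii", "replace"),
        "kernel": {"size": kernel_size, "offset": kernel_off, "load_addr": kernel_addr},
        "ramdisk": {"size": ramdisk_size, "offset": ramdisk_off, "load_addr": ramdisk_addr},
        "second": {"size": second_size, "offset": second_off, "load_addr": second_addr},
        "tags_addr": tags_addr,
        "id": image_id.hex(),
    }
    if header_version >= 1:
        # v1 appends recovery_dtbo_size (u32), recovery_dtbo_offset (u64), header_size (u32)
        rd_size, rd_off, hdr_size = struct.unpack_from("<IQI", data, _V0_SIZE)
        info["recovery_dtbo"] = {"size": rd_size, "offset": rd_off}
        info["header_size"] = hdr_size
    if header_version == 2:
        # v2 appends dtb_size (u32) and dtb_addr (u64) after the v1 fields
        dtb_size, dtb_addr = struct.unpack_from("<IQ", data, _V0_SIZE + 16)
        info["dtb"] = {"size": dtb_size, "load_addr": dtb_addr}
    return info


def extract_component(data, info, which):
    """Return the raw bytes of 'kernel', 'ramdisk' or 'second' from the dump."""
    comp = info[which]
    start, end = comp["offset"], comp["offset"] + comp["size"]
    if end > len(data):
        raise ValueError(f"{which} runs past the end of the dump (truncated read?)")
    return data[start:end]


def sha256_hex(data):
    """Fingerprint of the whole dump, to compare against later reads."""
    return hashlib.sha256(data).hexdigest()


def build_sample_boot_image(page_size=2048):
    """Construct a tiny well-formed v2 boot image for the demo (not a real dump)."""
    kernel = b"\x7fELF-kernel-placeholder"
    ramdisk = b"\x1f\x8b-ramdisk-placeholder"
    os_version = ((14 << 14) << 11) | ((2024 - 2000) << 4) | 6  # 14.0.0, 2024-06
    hdr = BOOT_MAGIC + struct.pack(
        _V0_FMT, len(kernel), 0x40080000, len(ramdisk), 0x44000000, 0, 0,
        0x40000100, page_size, 2, os_version, b"sample",
        b"androidboot.hardware=placeholder", b"\0" * 32, b"")
    hdr += struct.pack("<IQI", 0, 0, 1660)  # v1 tail, header_size of a v2 header
    hdr += struct.pack("<IQ", 0, 0)          # v2 tail

    def pad(b):
        return b + b"\0" * (-len(b) % page_size)

    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_boot_image()
    print(json.dumps(parse_boot_image(data), indent=2))
    print("sha256:", sha256_hex(data))
```

Run it as `python inspect_boot.py boot.bin`; without an argument it inspects the constructed sample. A `ValueError` about the magic usually means the partition you read was not `boot` (on devices with a separate `vendor_boot` or a raw preloader the first bytes differ), and a component that “runs past the end of the dump” points to a truncated read worth repeating before you flash anything back.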
Working with File Systems
MTKClient also allows you to mount the device’s flash memory as a file system and interact with it directly.
Mount Flash as a File System:

```shell
python mtk.py fs /mnt/mtk
```

Browse or Modify Files:
- Once mounted, you can browse directories, read files, or even modify them directly on the device.
These are just a few of the things you can do with MTKClient. If you have the right skillset and knowledge, you might even be able to design your own custom payload.