[spam][crazy][fiction][random] Non-Canon MCBoss Spinoffs

Undescribed Horrific Abuse, One Victim & Survivor of Many gmkarl at gmail.com
Wed Feb 7 17:53:19 PST 2024 

20240207 1330-0800 1630-0500

i've bought hovatek's mediatek phone course. i am writing notes below.
i hope to get through the whole course, but you know me.

01 introduction
01-01 getting started

mediatek devices are a little harder than qualcomm devices.

links
mtk vcom drivers:
https://drive.google.com/file/d/0B9srKhKuVIMnalFkV3EzWjVXdUE/view
adb & fastbot[ibid] drivers: https://androidfilehost.com/?fid=95855108297851314
Wwr_MTK: https://mega.nz/#!W8lwmC7b!98r6ttK9hATkZpW5vJ-JS7-qQ8Hp7PCRdRT2bGoYuGY
Miracle box: https://mega.nz/#!6PZkxIJS!JVlJkweSsj77qUOHvQ977qkMD2E4eApRA6k9uUkUX7w
NCK Pro box MTK:
https://mega.nz/#!GP50wIoQ!kQxh9SsMJBQqKoh-q4Aks7FHARHWLyIVUBVzLCj-MaQ
Infinity CM2: https://forum.hovatek.com/thread-21773.html
SP flash tool: https://mega.nz/#!f11WEIrQ!KWFnNEe6GbFgcQtoZcYZ5zBKqrvqvSOLT3amnGU-Yso
Software Download (transsion Aftersale) tool:
https://mega.nz/#!ylFmlIAI!-lbOX0cAMKxGotE0vpedNQDw74cyZWU9BwSd6cYQsYk
SP Multiport: https://mega.nz/#!y1N0FQLK!nLLLjWqX_FXrkIIBkMLt9EIGf3PN3aD_qwn0aHjMy3g
SN Writer / Write tool:
http://www.mediafire.com/file/94vbv8n3zpbcjlj/SN_Write_Tool_v2.1504.00.zip
Maui Meta: https://drive.google.com/file/d/0B4S-Z726VJ2SZ0R1MHpDY3JISkU/view
GSM Aladdin: https://mega.nz/#!Dk0WGJJL!LCR6ua1BDitYycE1sm-1SzvdwcvKxHie8hAjtd5Om2k
Magisk Manager: https://bit.ly/2w2oQZz
MTK TWRP Porter (GUI) v1.4:
https://mega.nz/#!UTBFyS6Y!LrvJrJ7__HBn0_IDoFRnhwFe1Srv_jMCc1K5fm84YyA
MTK TWRP Porter (GUI) v1.6:
https://mega.nz/#!Ufxh0AIA!t6QvP3VWhrg0Lq39tcXrOwAJCUvuWtnUUN3PiFCiDBg
MTK Philz porter (GUI):
https://mega.nz/#!1HY03SLZ!al1OyLv_j_kSeLPFhn7K_OfRqe0sjpjHlP5V-iIbZR0
Z3X MST box: https://mega.nz/#!dT4j0RRb!iv4msg39ZbpiatKuImwQoo5wNO1HhtkugBOQ0cQGris
CheckSum generator:
https://mega.nz/#!pSZW3KYI!JYrOcMFkVYO_ZIYgTXkzTI9dwHbDhzZjhzv0TlvazF8
Blank vbmeta.img:
https://mega.nz/#!dnAS3AhD!g5PnSg-0UKFvyhZSZ8Em6gKO2Do7avaUepPmsH75-Bg
Mi Unlock tool: https://en.miui.com/unlock/download_en.html
CDC driver: https://drive.google.com/file/d/0B4S-Z726VJ2Sc2hXaDhaRDFCb28/view

i would ideally like to mirror at least the mega.nz files as i have
trouble downloading from mega.nz . unsure if this will happen.

1636-0500 1336-0800
01-02,03 How to Identify a Mediatek device, 3 ways to find out your
device's chipset
1. try an online search e.g. on hovatek site, but note the device
could be a clone/fake
2. install Hardware Info or CPU-Z android app to reveal chipset
3. use a flashing program like miracle box and cable to read the info

well i had no idea there was a general purpose flashing tool like
miracle box and i think i could make a lot of progress just
downloading it and trying it out. probably runs on windows. i think i
could still get a lot from the course though, unsure :S :S :S :S

maybe i'll take advantage of this to mirror some the mega.nz files

1734-0500 chrome says it wants to delete the nck dongle file because
it is "dangerous" but it doesn't give a link to a virus id or
anything, which is frustrating. it says the site could be hacked and
to download later, but it's the kind of tool that could often get
marked wrongly. it should say what flag was raised so the user can
look it up :S

1804 I've uploaded most of the course files (a bunch of phone
flashers!) to arweave. I've tarred their indices with a download
script at https://arweave.net/lLbBWwRthEAn-LFHSaAOUq29cZUJV7d_TlofzKPW8oQ/hovatek-mtk.tar
. The download script requires gnu parallel and jq, and takes a .json
file on input and produces the stored file on output. if
https://arweave.net is blocked, change the GW variable in the script.

whew !

01-04 Identifying Mediatek firmware / rom formats

If you have a ROM for your device, it can be in different formats.
- update.zip / Tcard
: : contains META-INF/ and scatter.txt
: : flash in stock recovery mode NOT with scatter flash tool
- .img / Scatter
: : contains MT****_Android_scatter.img, .img files, .bin files
: : flash with SP Flash tool, NCK, Infinity CM2, SP Multiport, ...
- Single .bin
: : single raw file
: : flash with GSM Aladdin, Miracle, Infinity CM2
- .bin / Scatter
: : contains MT****_Android_scatter and all .bin files
: : created and flashed with Miracle
- TWRP backup
: : contains .win/.win.md5 files, other recoveries might have .ext4.tar or .img
: : flash with the recovery type they were made with
- Custom rom
: : device specific
: : flash with custom recovery like TWRP, Phiz, CWM

1814
01-05 Common Mediatek partitions and issues associated with them
Secro /secro: baseband info. "Unknown Baseband" if corrupt.
Preloader: initializes device, won't even charge if corrupt
Nvram: radio info, imei, wifi, bluetooth mac addresses
Boot /boot: kernel and ramdisk, won't boot to OS if corrupt
System /system: OS and apps, stuck at logo if corrupt
Lk or Uboot: kernel code, corrupt -> white,black,multicolored screen
Logo: controls boot logo image
Userdata /userdata: user apps, contacts, etc. userspace errors or lag if corrupt

1818-0500
01-06 Intro to boxes & dongles
These are bread and butter.
https://journal.hovatek.com/you-might-have-to-buy-a-box-dongle-heres-why/
The hardware dongle is DRM protection for the software.

Partial List: Infinity CM2, Miracle box, Miracle Thunder, EFT dongle,
NCK Pro box, UMT dongle, Medusa Pro box, XTC 2 Clip, BST dongle, IP
box, Octopus box, Sigma box, Riff box, Octoplus Pro box

1820-0500
01-07 How to setup NCK Pro box
0. Get the dongle -> unless it is a loader version that works without?
1. Connect box to pc with cable
2. Download suppor access and smart card drivers from
https://www.nckbox.com/DownloadArea/
3. install smart card then run support access. pass thru antivirus if raises.
4. click 'download installers' in support access
5. browser launches, download main module setup
6. extract main module setup, launch ncbox main
7. card updater dashboard. click update card
8. should confirm ready to use. relaunch.
9. main nckbox dashboard

- with a loader version, it works without a hardware box
- install the modules you need
- uninstall older version before updating

1824-0500
01-08 How to setup Infinity CM2
0. Get the dongle
1. Connect dongle to usb port
2. download dongle/smart-card manager at
https://www.infinity-box.com/support/?s=3
3. Extract, open, run donglemanager.exe
4. click update firmware
5. click update
6. click yes to register if not registered
7. register
8. updates

- click Serial Numbre S/N tab
- select Read Online Service Username / Password 'from the dropdown
the click Process'
- IOS creds appear
- login at https://user.infinity-box.com/

- download modules at http://dl1.infinity-box.com/00/index-1.php?dir=software/

1827-0500
01-09 How to setup NCK Pro box for UMT
video
- umtv2 support access says firmware is out of date
- extract umt firmware updater archive, run firmware updater
- disconnect other flashing devices, click update card
- card is programmed, close dialog
- ultimate multi tool support access now runs

At the end of 01 is a quiz.
1832

02 Installing Mediatek drivers
I'll write the headings and skip this section.
02-10 What's covered in this section
02-11 How to disable driver signature verification on Windows 8 & above
02-12 How to manually install Mediatek USB VCOM drivers
02-13 How to install Mediatek CDC driver
02-14 How to setup ADB & Fastboot
02-15 How to fix ADB or Fastboot detection problems
02-16 How to install Mediatek smartwatch drivers
02-17 How to update Android drivers in Windows

I'll do 02-15
02-15 How to fix ADB or Fastboot detection problems
video
- fastboot and adb don't see the device?
- for adb, debugging must be enabled and the phone connected with usb
- `adb devices` to detect
- `adb reboot-bootloader` to get from adb to fastboot
- `fastboot devices` to detect
1. download latest binaries, these are hosted by hovatek
2. update the phone's drivers (on the system)
on windows, you can see the phone in device manager [on linux, dmesg]
- reconnect phone while still in fastboot to review how it is seen by OS
- download updated google usb drivers
- in windows, manually install using device manager (have disk, etc)
- install the 'android bootloader interface' to detect fastboot devices
- no need to reboot after install

1839-0500
03 Booting into various modes on Android MTK
03-18 What's covered in this section
modes: recovery, factory, safe, fastboot
recovery mode: for flashing activities
factory mode: diagnostic, run tests, clear emmc, reset touch calibration
safe mode: disables installed apps
fastboot (bootloader) mode: flash firmwares if bootloader is unlocked

03-19 How to boot into recovery mode
For most devices:
1. power off device
2. Hold volume-up
3. Hold power while volume-up is held
4. Release both when boot logo appears

For some devices ! you must hold the power button first, not second.
Some devices have steps 2 and 3 reversed.

This may enter a boot selection mode where recovery can then be selected.

03-20 How to boot into factory mode
For most devices:
1. Power off the device
2. Hold volume-down
3. Hold power while volume-down is held
4. Release both when boot logo appears

For some devices, again you must hold the power button first, not second.

03-21 How to boot into safe mode

This is good for troubleshooting lag or misbehavior between system and user.

1. Long-press power button like you intend to reboot
2. Long-press the reboot option in android.
3. A dialog prompts regarding safe mode, select OK
4. Allow the device to reboot
5. It should say 'safe mode' in the lower left during operation when booted.

04 Backing up a Mediatek device's rom
04-22 What's covered in this section
Backup firmware on bricked and working devices before making any change.
Note: tools that say 'box' or 'dongle' require purchased hardware.
1. Wwr_MTK + SP flash tool
2. Miracle box
3. NCK Pro box
4. Infinity CM2 dongle
Also: Secure Boot and DA files

04-23 What is Secure Boot and DA files?
- With Secure Boot enabled, a custom Download Agent file is usually
needed for data access (in bootrom or preloader mode).
Errors when missing include: Boot Error! S_INVALID_DA_FILE,
S_FT_DOWNLOAD_FAIL (2004), S_BROM_DOWNLOAD_DA_FAIL,
S_SECURITY_SECURE_USB_DL_DA_RETURN_INVALID_TY PE (6104), MSP ERROR
CODE: 0X00, S_AUTH_HANDLE_IS_NOT_READY (5000),
STATUS_SEC_AUTH_FILE_NEEDED (0xC0030012) and many more
- Never format a Secure Boot device that needs a DA file. This
escalates the situation to requiring an Authentication file.
- DA files can speak different protocols and be tool-specific. Try all
the tools.
- community DA collection: https://forum.hovatek.com/forum-112.html
- Tecno, Infinix, and Itel / Transsion devices can use tools that do
not need DA files

1856-0500
04-24 How to load DA files
video
1. SP Flash Tool
- launch, click to browse for download agent, select .bin file
2. NCK Pro Box
- launch (very slow), click to select custom loader, select .bin file
3. Infinity Chinese Miracle (CM) 2
- launch CM2MT2 (very slow), enable custom settings, click DA button,
select .bin file

04-25 How to dump firmware using WWR MTK + SP flash tool
video
- on windows
- launch WWR
- the free version is ad-supported, requires wait for ad
- video uses Wwr MTK 2.51
- if screen is too small, settings->font size to reduce font size and restart
- go to auto mode, select chipset and memory type. if not there then
go to hovatek forum and download latest template
- click create and save as. this creates a temporary scatter file for
the device.
- we will dump raw preloader, pgpt, and full rom dump
- launch sp flash tool. ensure to load DA file if using secure boot device.
- select scatter file made by WWR
- to get the address informaiton, open the scatter file. use the
physical address and length.
- go to readback tab, click add, double click the entry
- you could name the image EMMC_BOOT1, then PGPT
- initiate transfer
- remove battery from device, then connect
- the length of the full dump is stored in the PGPT. it's the same
length as boot_1 but is in the user region.
- WWR can load the preloader PGPT. click 'select file' in upper right
and open the preloader from emmc_boot_1.
- then head to the table of sections tab, and load the pgpt to populate it
- "Full volume of GPT" field shows entire size of data.
[note: i would recommend finding a more direct approach as the PGPT
data can be changed.]
- partition offsets and lengths are shown to perform partial dumps
- once a large region of the phone is dumped it can also be imported into WWR
- WWR can then identify platform etc of device in the auto mode tab.
the presenter used the binary search option only, which is a little
slow.
- WWR can then produce firmware for other flashers to use or cut the
image into partitions

04-26 How to backup MTK firmware using NCK Pro box
video
- run as admin to avoid permission issues (windows)
- can be done under main or backup tab; output format differs, bin or scatter
- main does scatter
- leave first option as 0-by cpu
- select chipset
...
so, these options all involve DA firmware as far as i can tell. i
think my issues are lower level. first the bootrom loads the da
firmware before anything happens. i'm going to skip forward for now.
04-27 How to fix inactive Start Button in Miracle Box
04-28 How to backup MTK firmware using Miracle box
04-29 How ot backup MTK firmware using Infinity CM2 dongle

05 Flashing firmware
05-30 What's covered in this section
flashing with sp flash, sp multiport, miracle box, infinity chinese
miracle ii, nck pro box
05-31 Build Number is everything!
Settings -> About -> Build Number
Variants
- variants are two phones of the same model with a slight difference,
hardware or software
example build number
X557-H807-A1-M-160815V57
=> [Hot 4 phone]-[H807 group]-[A1 sub-group]-[Android 6
Marshmallow]-[date 15/08/2016][variant V57]
you may or may not be able to interflash firmware across variants.
flashing firmware for the wrong group may require a motherboard jumper
to recover

sometimes the same exact build number may be running on different chips!

05-32 How to get the build number of a bricked MTK device
importance of build number:
https://journal.hovatek.com/your-phone-model-is-nothing-build-number-is-everything/
build number is for firmware: https://forum.hovatek.com/forum-89.html
Method 1: recovery mode
https://forum.hovatek.com/thread-479.html
The Build Number may be written at the top of the Stock Recovery.
Method 2: build.prop
Use ADB to pull /system/build.prop and check ro.build.display
Method 3: Miracle Box ReadInfo
Use ReadInfo in Miracle Box https://forum.hovatek.com/thread-15700.html
the Build Number is ID: xxxxx
Method 4: System.img
Dump system partition and unpack
https://forum.hovatek.com/thread-15855.html and access Build.prop .
Method 5: Mother Board
Disassemble the phone. The Build Number may be inscribed on the mother board.
An example image is shown showing the information next to a 2D barcode.
In the example the motherboard has been fully removed from other components.
Method 6: Factory Mode
Boot phone into factory mode
https://forum.hovatek.com/thread-12935.html scroll to "version" and
select, see SW ver.
Method 7: Recovery.img
Dump recovery partition and unpack https://forum.hovatek.com/thread-15817.html
Review defaulkt.prop in Ramdisk folder for ro.build.display.id

Note: overwriting the device with new firmware can change some of these.
Not every method will work on every device.
05-33 How to Generate checksum.ini for an MTK scatter file Rom
05-34 How to flash using SP Flash tool
05-35 How to flash using SP Multiport tool
video
Smartphone Multiport Download tool
this tool requires a checksum file to flash
...
05-36 How to flash using NCK Pro box
05-37 How to flash using Miracle box (scatter)
05-38 How to flash using Miracle box (.bin)
05-39 How to flash using Infinity CM2 MTK
05-40 How to flash using Software Download tool
05-41 How to flash a smartwatch using Flashtool
05-42 How a flash a Feature or Basic phone using Miracle box
05-43 How to flash a smartwatch using SP flash tool

1941
06 Bypassing various Android security locks & features
06-44 What's covered in this section
Factory Reset Protection (FRP) and Privacy Protection Password
- FRP is the prompt to login to google as owner after resetting
ideally the account is removed before the reset
- Privacy Protection Password is an anti-theft feature to lock the
device to a SIM card to deter theft, but can also be triggered if sim
card is jostled

given these are high-level security features i am skipping the section
06-45 How to bypass To start Android, enter your password
06-46 How to bypass FRP using SP Flash tool
06-47 How to bypass FRP using NCK Pro box
06-48 How to bypass FRP using Infinity CM2 MTK
06-49 How to bypass FRP using apk
06-50 How to bypass FRP using Miracle box
06-51 How to bypass Privacy Protection Password using NCK Pro box
06-52 How to bypass Privacy Protection Password using Miracle box
06-53 How to bypass or remove pattern and PIN lock using Miracle box
06-54 How to read a feature phone's unlock code using Miracle box

07 How to fix null IMEI and NVRAM issues on Mediatek devices
07-55 What's covered in this section
The device can be disconnected from hte network if secro or nvram get corrupt.
To check Baseband (Secro), go to Setting -> About -> Baseband.
To check IMEI (NVRAM), dial *#06#

First fix unknown Baseband by reflashing the firmware or at least secro,
then fix null IMEI.

My issues are presently lower level than radio access, so I'm skipping
this for now.

07-56 How to enable / unhide IMEI menu in Infinity CM2
07-57 How to write IMEI usin gInfinity CM2 MTK
07-58 How to write IMEI usin gGSM Aladdin
07-59 How to use SN Writer
07-60 How to use GSM Aladdin to write IMEI to an MTK Smartwatch
07-61 How to backup and restore NVRAM + Nvdata using SP flash tool
07-62 How to use SN Writer to write IMEI to a smartwatch
07-63 How to use Maui Meta
07-64 How to use Modem Meta
07-65 How to write IMEI using NCK dongle
07-66 How to write IMEI using Miracle Box

08 Android Mods
08-67 What's covered in this section
Dip into android development world. Bootloader unlock, rooting, custom
recoveries and DM_Verity.
The fastboot bootloader needs to be unlocked to flash.
- fastboot oem unlock
- fastboot oem unlock-go
- fastboot flashing unlock
Some devices may require an unlock token / key included in the
bootloader unlock command.
Root with either a custom recovery or magisk and a patched boot.img .
The system partition is untouched.
Magisk can patch a boot.img from the firmware. Otherwise, the custom
recovery is flashed first and then SuperSU.zip or Magisk.zip via it.
The hovatek tool can port the stock recovery.img to a custom one.

Hovatek says rooting voids the warranty. Unroot by flashing backed-up
partitions (the different approaches modify different partitions)
before installing an OTA update.

08-68 How to unlock Bootloader (General)
- enable usb debugging and oem unlocking (in developer settings after
repeatedly tapping build number in settings)
- test adb devices, adb reboot-bootloader
- test fastboot devices
- the unlock command may vary from device to device
fastboot oem unlock
- confirm with fastboot getvar unlocked

08-69 How to unlock Xiaomi MIUI Bootloader
- a Mi account must be associated with the device, and there is an
additional option in the develop options
- Mi Unlock tool is used from host, use same account
...(i don't have one of these phones atm)

08-70 How to root an MTK device using Magisk Manager + Boot.img
- get boot.img from firmware or backup
- install magisk
- copy boot.img to phone, it must match the device build variant
- launch magisk
- for samsung devices using odin, go into settings and change the
output format to .img.tar
- install magisk using patched boot file approach
- locate boot.img and proceed
- after some time, magisk produces patched boot.img and gives
locaiton, in a b+w terminal view
- copy patched_boot.img to host
- flash new boot.img to device. you can use fastboot or any flasher.
ACONTEXTUAL NOTE: backup your stuff before unlocking the bootloader
because it can wipe the device. hovatek has an unlocking guide.
... it's normal flashing
the presenter has some way of broadcasting the phone display via adb
- check root status with root checker application

08-71 Custom recovery and DM verity
- auto twrp porter: https://forum.hovatek.com/thread-21839.html
- auto philz porter: https://forum.hovatek.com/thread-21495.html
for mediatek
DM_Verity can prevent a custom recovery from working. It is intended
to deter persistent rootkits. It uses the device-mapper-verity kernel
feature.
It performs an sha256 hash of 4k blocks of storage devices in a merkle tree.
It checks the system and recovery partitions.
TWRP porter v1.2 checks for this and relates the need to patch
boot.img [which i presume hacks the kernel to evade dm_verity].
Magisk can perform this hack: https://forum.hovatek.com/thread-21427.html
If you don't need root hovatek will patch it for you by hand:
https://forum.hovatek.com/

VBMETA is also a verity check. This can be bypassed by flashing an
empty vbmeta.img . To use fastboot, this can be done with one of the
below:
fastboot flash vbmeta vbmeta.img
fastboot --disable-verity flash vbmeta vbmeta.img
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img

BROM flashers do not need the bootloader unlocked.

08-72 3 ways to disable DM Verity
1. manual hex edit
replace all occurrences of 2C 76 65 72 69 66 79 with nuls (00 00 00 00 00 00 00)
verify there are no occurences of the string "verify" after this
2. magisk manager
tell it to install, but have it patch a file when it prompts how
3. custom vbmeta.img
fastboot flash vbmeta vbmeta.img

08-73 How to port TWRP recovery
video uses v1.3
first engage the recovery check tab, then the android version tab
minimal output, slow progress
flash recovery.img

08-74 How to fix TWRP 0MB Internal Storage
this means userdata is encrypted. disabling encryption with root
access will remove the error
encryption can be checked in settings -> security & location ->
encryption & credentials -> encrypt phone
use a root browser or explorer to view the device
go to vendor/etc and edit the fstab file. thi susually has the chipset
in its name.
find the /data mount, there may be more than one
change the mount option fileencryption= to encryptable=
check it was correctly saved
flash back stock recovery and boot into stock recovery mode
select 'Wipe data/factory reset' to reformat userdata
reboot the system
now encryption should be disabled (in settings)
flash back custom recovery

08-75 How to port Philz recovery
video uses version 1.5
like twrp, works with stock recovery img, place it in same folder, launchtool
engage recovery check, then android version
select yes if you have an external sd card slot
flash recovery.img in output folder

08-76 How to unsign *-sign.img files
There are tools to do this.
FbWinTools can do some of these.
hovatek has IMG Unsign Tool, navigates similar to their other tools.
converts for example boot-sign.img to boot.img or system-sign.img to system.img
video uses Carliv Image Kitchen (terminal script, windows) to show
boot.img can be extracted but boot-sign.img couldn't be.
then MTK EXTRACTOR to show signed system image does not extract but
unsigned system image does
It looks like the hovatek app might only handle the partitions that
fbwintools does not, unsure.


I found a string 'etc' that went above somewhere, likely in a section
i left early.

that was the course! mostly instructoins on how to use apps. but a
little informative!

it sounds like my issues are mostly related to the DA information.

sending this as it's big.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hovatek-mtk.tar
Type: application/x-tar
Size: 81920 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20240207/27913fe6/attachment-0001.tar>

More information about the cypherpunks mailing list