20240207 1330-0800 1630-0500

i've bought hovatek's mediatek phone course. i am writing notes below.
i hope to get through the whole course, but you know me.

01 introduction

01-01 getting started

mediatek devices are a little harder than qualcomm devices.

links
mtk vcom drivers: https://drive.google.com/file/d/0B9srKhKuVIMnalFkV3EzWjVXdUE/view
adb & fastbot[ibid] drivers: https://androidfilehost.com/?fid=95855108297851314
Wwr_MTK: https://mega.nz/#!W8lwmC7b!98r6ttK9hATkZpW5vJ-JS7-qQ8Hp7PCRdRT2bGoYuGY
Miracle box: https://mega.nz/#!6PZkxIJS!JVlJkweSsj77qUOHvQ977qkMD2E4eApRA6k9uUkUX7w
NCK Pro box MTK: https://mega.nz/#!GP50wIoQ!kQxh9SsMJBQqKoh-q4Aks7FHARHWLyIVUBVzLCj-MaQ
Infinity CM2: https://forum.hovatek.com/thread-21773.html
SP flash tool: https://mega.nz/#!f11WEIrQ!KWFnNEe6GbFgcQtoZcYZ5zBKqrvqvSOLT3amnGU-Yso
Software Download (transsion Aftersale) tool: https://mega.nz/#!ylFmlIAI!-lbOX0cAMKxGotE0vpedNQDw74cyZWU9BwSd6cYQsYk
SP Multiport: https://mega.nz/#!y1N0FQLK!nLLLjWqX_FXrkIIBkMLt9EIGf3PN3aD_qwn0aHjMy3g
SN Writer / Write tool: http://www.mediafire.com/file/94vbv8n3zpbcjlj/SN_Write_Tool_v2.1504.00.zip
Maui Meta: https://drive.google.com/file/d/0B4S-Z726VJ2SZ0R1MHpDY3JISkU/view
GSM Aladdin: https://mega.nz/#!Dk0WGJJL!LCR6ua1BDitYycE1sm-1SzvdwcvKxHie8hAjtd5Om2k
Magisk Manager: https://bit.ly/2w2oQZz
MTK TWRP Porter (GUI) v1.4: https://mega.nz/#!UTBFyS6Y!LrvJrJ7__HBn0_IDoFRnhwFe1Srv_jMCc1K5fm84YyA
MTK TWRP Porter (GUI) v1.6: https://mega.nz/#!Ufxh0AIA!t6QvP3VWhrg0Lq39tcXrOwAJCUvuWtnUUN3PiFCiDBg
MTK Philz porter (GUI): https://mega.nz/#!1HY03SLZ!al1OyLv_j_kSeLPFhn7K_OfRqe0sjpjHlP5V-iIbZR0
Z3X MST box: https://mega.nz/#!dT4j0RRb!iv4msg39ZbpiatKuImwQoo5wNO1HhtkugBOQ0cQGris
CheckSum generator: https://mega.nz/#!pSZW3KYI!JYrOcMFkVYO_ZIYgTXkzTI9dwHbDhzZjhzv0TlvazF8
Blank vbmeta.img: https://mega.nz/#!dnAS3AhD!g5PnSg-0UKFvyhZSZ8Em6gKO2Do7avaUepPmsH75-Bg
Mi Unlock tool: https://en.miui.com/unlock/download_en.html
CDC driver: https://drive.google.com/file/d/0B4S-Z726VJ2Sc2hXaDhaRDFCb28/view

i would ideally like to mirror at least the mega.nz files as i have trouble downloading from mega.nz . unsure if this will happen.

1636-0500 1336-0800

01-02,03 How to Identify a Mediatek device, 3 ways to find out your device's chipset

1. try an online search e.g. on hovatek site, but note the device could be a clone/fake
2. install Hardware Info or CPU-Z android app to reveal chipset
3. use a flashing program like miracle box and cable to read the info

well i had no idea there was a general purpose flashing tool like miracle box and i think i could make a lot of progress just downloading it and trying it out. probably runs on windows. i think i could still get a lot from the course though, unsure :S :S :S :S

maybe i'll take advantage of this to mirror some of the mega.nz files

1734-0500

chrome says it wants to delete the nck dongle file because it is "dangerous" but it doesn't give a link to a virus id or anything, which is frustrating. it says the site could be hacked and to download later, but it's the kind of tool that could often get marked wrongly. it should say what flag was raised so the user can look it up :S

1804

I've uploaded most of the course files (a bunch of phone flashers!) to arweave. I've tarred their indices with a download script at https://arweave.net/lLbBWwRthEAn-LFHSaAOUq29cZUJV7d_TlofzKPW8oQ/hovatek-mtk.... . The download script requires gnu parallel and jq, and takes a .json file on input and produces the stored file on output. if https://arweave.net is blocked, change the GW variable in the script.

whew !

01-04 Identifying Mediatek firmware / rom formats

If you have a ROM for your device, it can be in different formats.
- update.zip / Tcard
  : contains META-INF/ and scatter.txt
  : flash in stock recovery mode NOT with scatter flash tool
- .img / Scatter
  : contains MT****_Android_scatter.img, .img files, .bin files
  : flash with SP Flash tool, NCK, Infinity CM2, SP Multiport, ...
- Single .bin
  : single raw file
  : flash with GSM Aladdin, Miracle, Infinity CM2
- .bin / Scatter
  : contains MT****_Android_scatter and all .bin files
  : created and flashed with Miracle
- TWRP backup
  : contains .win/.win.md5 files, other recoveries might have .ext4.tar or .img
  : flash with the recovery type they were made with
- Custom rom
  : device specific
  : flash with custom recovery like TWRP, Philz, CWM

1814

01-05 Common Mediatek partitions and issues associated with them

Secro /secro: baseband info. "Unknown Baseband" if corrupt.
Preloader: initializes device, won't even charge if corrupt
Nvram: radio info, imei, wifi, bluetooth mac addresses
Boot /boot: kernel and ramdisk, won't boot to OS if corrupt
System /system: OS and apps, stuck at logo if corrupt
Lk or Uboot: kernel code, corrupt -> white,black,multicolored screen
Logo: controls boot logo image
Userdata /userdata: user apps, contacts, etc. userspace errors or lag if corrupt

1818-0500

01-06 Intro to boxes & dongles

These are bread and butter.
https://journal.hovatek.com/you-might-have-to-buy-a-box-dongle-heres-why/
The hardware dongle is DRM protection for the software.
Partial List: Infinity CM2, Miracle box, Miracle Thunder, EFT dongle, NCK Pro box, UMT dongle, Medusa Pro box, XTC 2 Clip, BST dongle, IP box, Octopus box, Sigma box, Riff box, Octoplus Pro box

1820-0500

01-07 How to setup NCK Pro box

0. Get the dongle -> unless it is a loader version that works without?
1. Connect box to pc with cable
2. Download support access and smart card drivers from https://www.nckbox.com/DownloadArea/
3. install smart card then run support access. pass thru antivirus if raises.
4. click 'download installers' in support access
5. browser launches, download main module setup
6. extract main module setup, launch nckbox main
7. card updater dashboard. click update card
8. should confirm ready to use. relaunch.
9. main nckbox dashboard
- with a loader version, it works without a hardware box
- install the modules you need
- uninstall older version before updating

1824-0500

01-08 How to setup Infinity CM2

0. Get the dongle
1. Connect dongle to usb port
2. download dongle/smart-card manager at https://www.infinity-box.com/support/?s=3
3. Extract, open, run donglemanager.exe
4. click update firmware
5. click update
6. click yes to register if not registered
7. register
8. updates
- click Serial Number S/N tab
- select Read Online Service Username / Password 'from the dropdown then click Process'
- IOS creds appear
- login at https://user.infinity-box.com/
- download modules at http://dl1.infinity-box.com/00/index-1.php?dir=software/

1827-0500

01-09 How to setup NCK Pro box for UMT

video
- umtv2 support access says firmware is out of date
- extract umt firmware updater archive, run firmware updater
- disconnect other flashing devices, click update card
- card is programmed, close dialog
- ultimate multi tool support access now runs

At the end of 01 is a quiz.

1832

02 Installing Mediatek drivers

I'll write the headings and skip this section.

02-10 What's covered in this section
02-11 How to disable driver signature verification on Windows 8 & above
02-12 How to manually install Mediatek USB VCOM drivers
02-13 How to install Mediatek CDC driver
02-14 How to setup ADB & Fastboot
02-15 How to fix ADB or Fastboot detection problems
02-16 How to install Mediatek smartwatch drivers
02-17 How to update Android drivers in Windows

I'll do 02-15

02-15 How to fix ADB or Fastboot detection problems

video
- fastboot and adb don't see the device?
  - for adb, debugging must be enabled and the phone connected with usb
  - `adb devices` to detect
  - `adb reboot-bootloader` to get from adb to fastboot
  - `fastboot devices` to detect
1. download latest binaries, these are hosted by hovatek
2. update the phone's drivers (on the system)
   on windows, you can see the phone in device manager [on linux, dmesg]
   - reconnect phone while still in fastboot to review how it is seen by OS
   - download updated google usb drivers
   - in windows, manually install using device manager (have disk, etc)
   - install the 'android bootloader interface' to detect fastboot devices
   - no need to reboot after install

1839-0500

03 Booting into various modes on Android MTK

03-18 What's covered in this section

modes: recovery, factory, safe, fastboot
recovery mode: for flashing activities
factory mode: diagnostic, run tests, clear emmc, reset touch calibration
safe mode: disables installed apps
fastboot (bootloader) mode: flash firmwares if bootloader is unlocked

03-19 How to boot into recovery mode

For most devices:
1. power off device
2. Hold volume-up
3. Hold power while volume-up is held
4. Release both when boot logo appears

For some devices ! you must hold the power button first, not second. Some devices have steps 2 and 3 reversed. This may enter a boot selection mode where recovery can then be selected.

03-20 How to boot into factory mode

For most devices:
1. Power off the device
2. Hold volume-down
3. Hold power while volume-down is held
4. Release both when boot logo appears

For some devices, again you must hold the power button first, not second.

03-21 How to boot into safe mode

This is good for troubleshooting lag or misbehavior between system and user.
1. Long-press power button like you intend to reboot
2. Long-press the reboot option in android.
3. A dialog prompts regarding safe mode, select OK
4. Allow the device to reboot
5. It should say 'safe mode' in the lower left during operation when booted.

04 Backing up a Mediatek device's rom

04-22 What's covered in this section

Backup firmware on bricked and working devices before making any change.
Note: tools that say 'box' or 'dongle' require purchased hardware.
1. Wwr_MTK + SP flash tool
2. Miracle box
3. NCK Pro box
4. Infinity CM2 dongle
Also: Secure Boot and DA files

04-23 What is Secure Boot and DA files?

- With Secure Boot enabled, a custom Download Agent file is usually needed for data access (in bootrom or preloader mode). Errors when missing include: Boot Error! S_INVALID_DA_FILE, S_FT_DOWNLOAD_FAIL (2004), S_BROM_DOWNLOAD_DA_FAIL, S_SECURITY_SECURE_USB_DL_DA_RETURN_INVALID_TYPE (6104), MSP ERROR CODE: 0X00, S_AUTH_HANDLE_IS_NOT_READY (5000), STATUS_SEC_AUTH_FILE_NEEDED (0xC0030012) and many more
- Never format a Secure Boot device that needs a DA file. This escalates the situation to requiring an Authentication file.
- DA files can speak different protocols and be tool-specific. Try all the tools.
- community DA collection: https://forum.hovatek.com/forum-112.html
- Tecno, Infinix, and Itel / Transsion devices can use tools that do not need DA files

1856-0500

04-24 How to load DA files

video
1. SP Flash Tool
   - launch, click to browse for download agent, select .bin file
2. NCK Pro Box
   - launch (very slow), click to select custom loader, select .bin file
3. Infinity Chinese Miracle (CM) 2
   - launch CM2MT2 (very slow), enable custom settings, click DA button, select .bin file

04-25 How to dump firmware using WWR MTK + SP flash tool

video
- on windows
- launch WWR
- the free version is ad-supported, requires wait for ad
- video uses Wwr MTK 2.51
- if screen is too small, settings->font size to reduce font size and restart
- go to auto mode, select chipset and memory type. if not there then go to hovatek forum and download latest template
- click create and save as. this creates a temporary scatter file for the device.
- we will dump raw preloader, pgpt, and full rom dump
- launch sp flash tool. ensure to load DA file if using secure boot device.
- select scatter file made by WWR
- to get the address information, open the scatter file. use the physical address and length.
- go to readback tab, click add, double click the entry
- you could name the image EMMC_BOOT1, then PGPT
- initiate transfer
- remove battery from device, then connect
- the length of the full dump is stored in the PGPT. it's the same length as boot_1 but is in the user region.
- WWR can load the preloader PGPT. click 'select file' in upper right and open the preloader from emmc_boot_1.
- then head to the table of sections tab, and load the pgpt to populate it
- "Full volume of GPT" field shows entire size of data. [note: i would recommend finding a more direct approach as the PGPT data can be changed.]
- partition offsets and lengths are shown to perform partial dumps
- once a large region of the phone is dumped it can also be imported into WWR
- WWR can then identify platform etc of device in the auto mode tab. the presenter used the binary search option only, which is a little slow.
- WWR can then produce firmware for other flashers to use or cut the image into partitions

04-26 How to backup MTK firmware using NCK Pro box

video
- run as admin to avoid permission issues (windows)
- can be done under main or backup tab; output format differs, bin or scatter
- main does scatter
- leave first option as 0-by cpu
- select chipset
...

so, these options all involve DA firmware as far as i can tell. i think my issues are lower level. first the bootrom loads the da firmware before anything happens. i'm going to skip forward for now.

04-27 How to fix inactive Start Button in Miracle Box
04-28 How to backup MTK firmware using Miracle box
04-29 How to backup MTK firmware using Infinity CM2 dongle

05 Flashing firmware

05-30 What's covered in this section

flashing with sp flash, sp multiport, miracle box, infinity chinese miracle ii, nck pro box

05-31 Build Number is everything!

Settings -> About -> Build Number

Variants
- variants are two phones of the same model with a slight difference, hardware or software

example build number
X557-H807-A1-M-160815V57 => [Hot 4 phone]-[H807 group]-[A1 sub-group]-[Android 6 Marshmallow]-[date 15/08/2016][variant V57]

you may or may not be able to interflash firmware across variants.
flashing firmware for the wrong group may require a motherboard jumper to recover
sometimes the same exact build number may be running on different chips!

05-32 How to get the build number of a bricked MTK device

importance of build number: https://journal.hovatek.com/your-phone-model-is-nothing-build-number-is-ever...
build number is for firmware: https://forum.hovatek.com/forum-89.html

Method 1: recovery mode
https://forum.hovatek.com/thread-479.html
The Build Number may be written at the top of the Stock Recovery.

Method 2: build.prop
Use ADB to pull /system/build.prop and check ro.build.display

Method 3: Miracle Box ReadInfo
Use ReadInfo in Miracle Box https://forum.hovatek.com/thread-15700.html
the Build Number is ID: xxxxx

Method 4: System.img
Dump system partition and unpack https://forum.hovatek.com/thread-15855.html and access Build.prop .

Method 5: Mother Board
Disassemble the phone. The Build Number may be inscribed on the mother board. An example image is shown showing the information next to a 2D barcode. In the example the motherboard has been fully removed from other components.

Method 6: Factory Mode
Boot phone into factory mode https://forum.hovatek.com/thread-12935.html
scroll to "version" and select, see SW ver.

Method 7: Recovery.img
Dump recovery partition and unpack https://forum.hovatek.com/thread-15817.html
Review default.prop in Ramdisk folder for ro.build.display.id

Note: overwriting the device with new firmware can change some of these. Not every method will work on every device.

05-33 How to Generate checksum.ini for an MTK scatter file Rom
05-34 How to flash using SP Flash tool

05-35 How to flash using SP Multiport tool

video
Smartphone Multiport Download tool
this tool requires a checksum file to flash
...

05-36 How to flash using NCK Pro box
05-37 How to flash using Miracle box (scatter)
05-38 How to flash using Miracle box (.bin)
05-39 How to flash using Infinity CM2 MTK
05-40 How to flash using Software Download tool
05-41 How to flash a smartwatch using Flashtool
05-42 How to flash a Feature or Basic phone using Miracle box
05-43 How to flash a smartwatch using SP flash tool

1941

06 Bypassing various Android security locks & features

06-44 What's covered in this section

Factory Reset Protection (FRP) and Privacy Protection Password
- FRP is the prompt to login to google as owner after resetting
  ideally the account is removed before the reset
- Privacy Protection Password is an anti-theft feature to lock the device to a SIM card to deter theft, but can also be triggered if sim card is jostled

given these are high-level security features i am skipping the section

06-45 How to bypass To start Android, enter your password
06-46 How to bypass FRP using SP Flash tool
06-47 How to bypass FRP using NCK Pro box
06-48 How to bypass FRP using Infinity CM2 MTK
06-49 How to bypass FRP using apk
06-50 How to bypass FRP using Miracle box
06-51 How to bypass Privacy Protection Password using NCK Pro box
06-52 How to bypass Privacy Protection Password using Miracle box
06-53 How to bypass or remove pattern and PIN lock using Miracle box
06-54 How to read a feature phone's unlock code using Miracle box

07 How to fix null IMEI and NVRAM issues on Mediatek devices

07-55 What's covered in this section

The device can be disconnected from the network if secro or nvram get corrupt.
To check Baseband (Secro), go to Setting -> About -> Baseband.
To check IMEI (NVRAM), dial *#06#
First fix unknown Baseband by reflashing the firmware or at least secro, then fix null IMEI.

My issues are presently lower level than radio access, so I'm skipping this for now.

07-56 How to enable / unhide IMEI menu in Infinity CM2
07-57 How to write IMEI using Infinity CM2 MTK
07-58 How to write IMEI using GSM Aladdin
07-59 How to use SN Writer
07-60 How to use GSM Aladdin to write IMEI to an MTK Smartwatch
07-61 How to backup and restore NVRAM + Nvdata using SP flash tool
07-62 How to use SN Writer to write IMEI to a smartwatch
07-63 How to use Maui Meta
07-64 How to use Modem Meta
07-65 How to write IMEI using NCK dongle
07-66 How to write IMEI using Miracle Box

08 Android Mods

08-67 What's covered in this section

Dip into android development world. Bootloader unlock, rooting, custom recoveries and DM_Verity.

The fastboot bootloader needs to be unlocked to flash.
- fastboot oem unlock
- fastboot oem unlock-go
- fastboot flashing unlock
Some devices may require an unlock token / key included in the bootloader unlock command.

Root with either a custom recovery or magisk and a patched boot.img . The system partition is untouched. Magisk can patch a boot.img from the firmware. Otherwise, the custom recovery is flashed first and then SuperSU.zip or Magisk.zip via it. The hovatek tool can port the stock recovery.img to a custom one.

Hovatek says rooting voids the warranty. Unroot by flashing backed-up partitions (the different approaches modify different partitions) before installing an OTA update.

08-68 How to unlock Bootloader (General)

- enable usb debugging and oem unlocking (in developer settings after repeatedly tapping build number in settings)
- test adb devices, adb reboot-bootloader
- test fastboot devices
- the unlock command may vary from device to device
  fastboot oem unlock
- confirm with fastboot getvar unlocked

08-69 How to unlock Xiaomi MIUI Bootloader

- a Mi account must be associated with the device, and there is an additional option in the developer options
- Mi Unlock tool is used from host, use same account
...(i don't have one of these phones atm)

08-70 How to root an MTK device using Magisk Manager + Boot.img

- get boot.img from firmware or backup
- install magisk
- copy boot.img to phone, it must match the device build variant
- launch magisk
- for samsung devices using odin, go into settings and change the output format to .img.tar
- install magisk using patched boot file approach
- locate boot.img and proceed
- after some time, magisk produces patched boot.img and gives location, in a b+w terminal view
- copy patched_boot.img to host
- flash new boot.img to device. you can use fastboot or any flasher.
  ACONTEXTUAL NOTE: backup your stuff before unlocking the bootloader because it can wipe the device. hovatek has an unlocking guide.
  ... it's normal flashing
  the presenter has some way of broadcasting the phone display via adb
- check root status with root checker application

08-71 Custom recovery and DM verity

- auto twrp porter: https://forum.hovatek.com/thread-21839.html
- auto philz porter: https://forum.hovatek.com/thread-21495.html
for mediatek

DM_Verity can prevent a custom recovery from working. It is intended to deter persistent rootkits. It uses the device-mapper-verity kernel feature. It performs an sha256 hash of 4k blocks of storage devices in a merkle tree. It checks the system and recovery partitions.
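
Added example (not from the course or from these notes): a simplified Python sketch of the dm-verity idea described above, SHA-256 over 4k blocks arranged in a Merkle tree, showing why a modified block or a patched hash entry fails against the trusted root. It uses no salt, its layout is not compatible with veritysetup or Android's on-disk format, and all function names are made up for illustration.

```python
import hashlib

BLOCK = 4096               # data block size from the notes above (4k)
FANOUT = BLOCK // 32       # 128 SHA-256 digests fit in one 4k hash block

def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_block(level, group):
    """Hash the zero-padded 4k block holding digests [group*128, group*128+128)."""
    chunk = b"".join(level[group * FANOUT:(group + 1) * FANOUT])
    return sha(chunk.ljust(BLOCK, b"\0"))

def build_tree(image: bytes):
    """Return (levels, root); levels[0] holds one digest per 4k data block."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of 4096 bytes")
    level = [sha(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        groups = (len(level) + FANOUT - 1) // FANOUT
        level = [hash_block(level, g) for g in range(groups)]
        levels.append(level)
    return levels, level[0]

def verify_block(image: bytes, levels, root: bytes, index: int) -> bool:
    """Read-time check of one data block: walk from its digest up to the root.

    `levels` is the stored (untrusted) hash tree; only `root` is trusted.
    """
    digest = sha(image[index * BLOCK:(index + 1) * BLOCK])
    for level in levels:
        if level[index] != digest:
            return False                  # stored entry does not match content
        if len(level) == 1:
            return digest == root         # top of tree must equal trusted root
        index //= FANOUT
        digest = hash_block(level, index)
    return False

def demo():
    # Constructed sample "partition": 300 blocks, so the tree has 3 levels.
    image = b"".join(i.to_bytes(2, "big") * (BLOCK // 2) for i in range(300))
    levels, root = build_tree(image)

    # One flipped byte in block 200, as an offline modification would cause.
    tampered = bytearray(image)
    tampered[200 * BLOCK + 7] ^= 0xFF
    tampered = bytes(tampered)

    # Also patch the stored leaf digest to match the modified block.
    patched = [list(l) for l in levels]
    patched[0][200] = sha(tampered[200 * BLOCK:201 * BLOCK])

    return {
        "level_sizes": [len(l) for l in levels],
        "clean_ok": verify_block(image, levels, root, 200),
        "tampered_ok": verify_block(tampered, levels, root, 200),
        "other_block_ok": verify_block(tampered, levels, root, 199),
        "patched_leaf_ok": verify_block(tampered, patched, root, 200),
        "root_changed": build_tree(tampered)[1] != root,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the root needs to be stored somewhere trusted; every other digest can sit on the same storage as the data, because any change below propagates up to a root mismatch.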

TWRP porter v1.2 checks for this and relates the need to patch boot.img [which i presume hacks the kernel to evade dm_verity]. Magisk can perform this hack: https://forum.hovatek.com/thread-21427.html
If you don't need root hovatek will patch it for you by hand: https://forum.hovatek.com/

VBMETA is also a verity check. This can be bypassed by flashing an empty vbmeta.img . To use fastboot, this can be done with one of the below:
  fastboot flash vbmeta vbmeta.img
  fastboot --disable-verity flash vbmeta vbmeta.img
  fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img

BROM flashers do not need the bootloader unlocked.

08-72 3 ways to disable DM Verity

1. manual hex edit
   replace all occurrences of 2C 76 65 72 69 66 79 with nuls (00 00 00 00 00 00 00)
   verify there are no occurrences of the string "verify" after this
2. magisk manager
   tell it to install, but have it patch a file when it prompts how
3. custom vbmeta.img
   fastboot flash vbmeta vbmeta.img

08-73 How to port TWRP recovery

video uses v1.3
first engage the recovery check tab, then the android version tab
minimal output, slow progress
flash recovery.img

08-74 How to fix TWRP 0MB Internal Storage

this means userdata is encrypted.
disabling encryption with root access will remove the error
encryption can be checked in settings -> security & location -> encryption & credentials -> encrypt phone
use a root browser or explorer to view the device
go to vendor/etc and edit the fstab file. this usually has the chipset in its name.
find the /data mount, there may be more than one
change the mount option fileencryption= to encryptable=
check it was correctly saved
flash back stock recovery and boot into stock recovery mode
select 'Wipe data/factory reset' to reformat userdata
reboot the system now
encryption should be disabled (in settings)
flash back custom recovery

08-75 How to port Philz recovery

video uses version 1.5
like twrp, works with stock recovery img, place it in same folder, launch tool
engage recovery check, then android version
select yes if you have an external sd card slot
flash recovery.img in output folder

08-76 How to unsign *-sign.img files

There are tools to do this. FbWinTools can do some of these.
hovatek has IMG Unsign Tool, navigates similar to their other tools.
converts for example boot-sign.img to boot.img or system-sign.img to system.img
video uses Carliv Image Kitchen (terminal script, windows) to show boot.img can be extracted but boot-sign.img couldn't be.
then MTK EXTRACTOR to show signed system image does not extract but unsigned system image does
It looks like the hovatek app might only handle the partitions that fbwintools does not, unsure.

I found a string 'etc' that went above somewhere, likely in a section i left early.

that was the course! mostly instructions on how to use apps. but a little informative!

it sounds like my issues are mostly related to the DA information.

sending this as it's big.