msab sells mobile forensics tools to government enforcement groups and has blogs on this topic. notes:
- mtk boot rom is best way to image device and does not change
- in 2023 some vendors have disabled mediatek boot rom
- boot rom checks emmc to decide whether to run
- can be re-enabled by removing emmc chip or grounding CLK or DATA. this is undone once boot rom connects to flasher.
- ideally disassembly is done with professional service using forensically sound techniques and written documentation of every step
- emmc is usually on rear of motherboard behind rf shields or metallic tape, next to mtk soc
- storage CLK and DATA usually have test points between or around the chips. might be painted or epoxied which would be scraped off to short them.
in their example photo the test points appear unlabeled and are quite obscure with the paint over them. they say customers can refer to visual indexes they have made in a document called “MSAB – MTK Boot ROM Exploit Test Point Guide” and that additionally their professional services are happy to help their clients with this.
their catchphrase is “do what we must because we can” ;p
- regards xry product, which supports my chipset among its few
- the boot rom protocols are not specified, just gui use
so an enforcement body would be able to image this device using this product. []