It’s now easy to bypass MediaTek’s SP Flash Tool authentication

It’s now easy to bypass MediaTek’s SP Flash Tool authentication

Devices with MediaTek chipsets have a BROM (boot read-only memory), which typically loads the preloader executable and subsequently boots the Android system, but also houses an alternative boot mode known as Download mode. It is strictly intended for OEM servicing and can be used to unbrick a device, just like Qualcomm’s Emergency Download Mode (EDL). A MediaTek-made proprietary program called “SP Flash Tool” can utilize this interface to force flash the system software on a device. Since the low-level download mode effectively has full control over the device’s storage, many OEMs including Xiaomi and Realme have started obfuscating the flashing process. Because of this practice, firmware flashing via download mode can only be performed by a signed “Download Agent” program that has been authorized by the corresponding OEM, essentially meaning that you can’t flash or unbrick your own smartphone unless you have permission from the device maker to do so.

Well, XDA’s fantastic developer community has once again come to the rescue. Based on a boot ROM-exploit originally discovered by XDA Senior Member xyz`, developers Dinolek and k4y0z have come up with a generic bypass method, which is compatible with a wide variety of MediaTek-powered devices that would otherwise require authentication while flashing. The method, which makes use of SoC-specific exploit payloads, intercepts the pre-flash queries made by SP Flash Tool and forcefully set the values of two crucial parameters (“Serial Link Authentication” and “Download Agent Authentication“) as false in order to continue the flashing process without any kind of authorization.


Bypassing SP Flash Tool authentication

It’s important to note that the exploit payloads require a specially-tweaked USB driver for a successful interception. If you’re running Windows, you have to install a libusb-based filter driver to override the default driverset. Linux users, on the other hand, need to apply a specific patch to the kernel. In case you don’t want to touch your primary operating system, you can make use of FireISO – a bootable GNU/Linux ISO designed specifically for this purpose.

When it comes to accessing the MediaTek download mode, you just need to turn off the target device, hold down the Volume Up button (Volume Down for Xiaomi phones), and plug your phone into your PC. You should see a new serial device listed under Device Manager (Windows) or in the output of dmesg | grep usb (Linux).

At this point, follow this simple, 5 step process to disable bootrom protection:

  1. Download and install Python. Windows users should select “Add Python X.X to PATH” when prompted.
  2. Install the required dependencies using pip:
    pip install pyusb pyserial json5
  3. Download the bypass utility.
  4. Extract the archive, execute the utility, and connect your phone in MediaTek Download mode. You should get “Protection disabled” at the end of the log.
    • Windows:
      python main.py
    • Linux:
      ./main.py

      MediaTek SP Flash Tool Authentication Bypass

  5. After that, without disconnecting your phone, run SP Flash Tool in UART Connection mode.
    MediaTek SP Flash Tool Connection UART

And that’s it! The authentication routine is bypassed and you are now ready to flash/unbrick your phone. If someone more experienced wishes to take this a step further, they can flash a modified partition backup to repair a botched IMEI, but this is beyond the scope of this article.

Which MediaTek SoCs are supported by this method?

The list of SoCs that are currently supported can be found below. The bypass method is theorized to work the same way on other MediaTek chipsets, but someone needs to code a suitable payload first to disable the bootrom protection routine.

List of supported SoCs

  • mt6261
  • mt6572
  • mt6580
  • mt6582
  • mt6735
  • mt6737
  • mt6739
  • mt6755
  • mt6757
  • mt6761
  • mt6763
  • mt6765
  • mt6768
  • mt6771
  • mt6785
  • mt6799
  • mt6873
  • mt8127
  • mt8163
  • mt8173
  • mt8695

Conclusion

If you remember, MediaTek chipsets were previously found to be susceptible to a dangerous rootkit nearly a year ago, and it was actively exploited by hackers to gain root access. Considering that, it is unknown why the Taiwanese chip design company still hasn’t patched the flaw in its chipsets that allows defeating the chain of trust while flashing. Although we have only seen the good side of the situation, it is even worse from a security perspective when you consider the hundreds of lesser-known device models using these MediaTek chips.

There is another aspect of the situation from the standpoint of the custom development community, whose interests we represent. A majority of MediaTek devices find themselves in an unsustainable combination of easy-to-brick and difficult-to-revive. On top of that, the forced authorization requirement really limits the potential of aftermarket development on them. The bypass method is nothing but a glimmer of hope for MediaTek device owners, who just want to take the hassle related to unbricking out of the modding scene.

Those interested in exploring the codebase of the bypass method should take a look at the GitHub link below. You can also interact with the developers by visiting the discussion thread.

MediaTek SP Flash Tool Authentication Bypass GitHub Repo

About author

Skanda Hazarika
Skanda Hazarika

DIY enthusiast (i.e. salvager of old PC parts). An avid user of Android since the Eclair days, Skanda also likes to follow the recent development trends in the world of single-board computing.