| Artifact | Location | Persistence | |----------|----------|--------------| | Modified seccfg | eMMC boot partition | Yes (until re-lock) | | Custom DA loaded | RAM (volatile) | No | | USB vendor ID 0x0e8d (MTK) + anomalous bRequest | Host OS logs | Yes (Windows/Mac/Linux) | | Changed ro.oem_unlock_supported | Build.prop | Yes (if system mounted) |
Older MTK chips (MT67xx, MT81xx, MT65xx) have a brom bug where sending a specific length of data over USB causes the bootrom to jump to an attacker-controlled region. Offline tools embed this exploit + a custom download agent (DA). The DA writes a modified seccfg partition to disable secure boot. mtk unlock offline tool
As of 2025, MediaTek has closed many BROM exploits in their newer chips (Dimensity 8000 series and above). Newer devices use and AVB 2.0 (Android Verified Boot) , making offline brute-force difficult. As of 2025, MediaTek has closed many BROM
Some “offline” tools contain hardcoded RSA keys extracted from leaked MediaTek engineering builds. These keys sign a custom DA as if it came from an authorized service center — no internet required. These keys sign a custom DA as if