MediaTek Device Extraction With Boot ROM Interface Disabled

by Christoffer Maliniemi, Security Researcher, MSAB

Has a MediaTek device with its Boot ROM interface disabled landed on your desk?

Access to MediaTek’s Boot ROM interface is the best way to extract the maximum amount of data from any device with a MediaTek chipset. The Boot ROM is always there, and it will not change. Because of this, we do not have to worry about different vendors, firmware, or security patches. It just works.

Earlier this year we released a blog post titled “How to Use XRY to Extract Data from MTK-Based Devices”, which showed our solution for recovering all data from a device in the BFU (Before First Unlock) state.

Since then, some vendors have decided that access to the Boot ROM is not necessary and released a patch that caused our solution to stop working. This was, of course, frustrating for us, and it prevents you, our customers, from performing a successful extraction from MTK-based devices.



However, there is still a way to access it…

Some Disassembly Required

Luckily for us, MediaTek’s Boot ROM is written so that during the boot process it reads the storage (eMMC or UFS) and, depending on the content, decides what to do next. Usually the Android operating system is then loaded. But the keyword here is “read”. If there is no storage to read, there is no Android to boot, and the Boot ROM instead starts the much-appreciated interface we want, which then allows access.

We could remove the storage chip, but that would prevent us from being able to read the data ourselves. If we instead short the storage CLK or DATA line to ground during the boot process, the storage cannot be read, and the door opens. After the connection is established, we release the short immediately and our loader can access everything as normal.

There is just one small caveat. Just like Intel, the storage chips are on the inside, and some disassembly is required to get physical access. We consider this a last resort, and because of that we recommend using our Access Services, who can assist with the disassembly and extraction. Access Services are delivered in one of our secure MSAB forensic facilities using forensically sound techniques with written documentation of every step.

For the Brave

With access to the right equipment, or if you feel MacGyver is more your style, it is not too hard to disassemble a device and locate the storage chip.

Devices today are usually held together with adhesive, so you may need a heating element to loosen it and remove the case successfully. Once the device is open, it is time to locate the storage chip, usually on the rear of the motherboard, behind RF shields. With a little bit of luck, you will find just snap-on shields or metallic tape covering the components. If unlucky, you will have to desolder the shields or try to prise them off, potentially risking damage to the motherboard.

With the shields removed you should see the MediaTek SoC and eMMC/UFS chip. Located between and/or around the chips there are usually some test points for storage CLK and DATA. They might be covered with paint and/or epoxy which would then require delicate scraping to remove before we can short them to ground during the boot process.

The following example is from an Oppo A16s CPH2271 where the test points were covered with paint.

In our Customer Portal you will have access to a document named “MSAB – MTK Boot ROM Exploit Test Point Guide.” It includes pictures of known test points for many different devices and hints on how to open them.

End of Life

For forensics’ sake, be careful taking things apart, or contact Access Services for complete peace of mind. We will gladly help with complex extractions and/or help locate the correct test points for your case.

MSAB, we do what we must, because we can.
