MEDIATEK-BASED

Mediatek-based KaiOS devices differ from others in that they use the "Fastboot protocol (a mechanism for communicating with bootloaders over USB or ethernet)" to allow you to better write the partitions that interest us most to enable developer options and unlock the bootloader.

This procedure for enabling debugging and development tools, often requires to modify two partitions:

  1. cache, all you have to do is place a single file on it, using the Cache injection method (SAFE);

  2. boot, because ADB will most likely not be authorized on your device (UNSAFE).

All devices with Mediatek chipsets able to get the Developer menu in Settings using the "cache injection" method will be added on this page. Although this point is the easiest to put into practice, to work on the boot partition requires more effort, and a series of tools.

Mediatek-based KaiOS phones

Mediatek devices are all "debug-locked", but easier to free than any locked Qualcomm-based KaiOS phone. Here is a list of all the models that people in our community have worked on:

Advan Hape Online

Jazz Digit 4G

Sigma X-Style S3500 sKai

Thanks to Mus Tofa (Indosat Ooredoo Hape Online), Шрек KEK and Luxferre (Sigma X-Style S3500 sKai), Omerch and Taimoor Haider (Jazz Digit 4G) for the feedback!

From the studies carried out by our researchers, these devices make everything seem simpler. I am very optimistic about other Mediatek devices on which we have no researchers, such as Ghia KOX1, HAMMER 5 Smart, Telma Wi-Kif 4G +, TNM Smart 4G and Vodacom Smart Kitochi.

Now let's take a closer look at how jailbreak and root work.

Jailbreak of Mediatek-based KaiOS phones

In some respects, jailbreaking these devices is much easier than other Qualcomm and Spreadtrum chipset-based KaiOS phones, but it is also often necessary to unlock the bootloader to take advantage of the necessary development tools.

The diagram shown here has been modified to summarize the behavior of Mediatek-based devices during our users' experiments.

On all it is possible to test the site W2D.bananahackers.net to enable debugging, or alternatively we can use Fastboot, a command line that allows you to write partitions, provided with the installation of the Android Platform Tools;

In addition to Fastboot, you can consider using other tools to flash partitions (learn more in the next paragraph).

To enable the Developer menu, simply use the "cache injection method", which consists of placing a single file in the cache partition.

There are various ways to do it, but the quickest way to Jailbreak these devices is provided by Luxferre, the foundation member of our community: ca.in.

ca.in. (stands for "cache injection") is a WebUSB-based helper for this jailbreaking method, just connect to the website cain.bananahackers.net using a chromium-based web browser like Chromium, Google Chrome, Opera or Microsoft Edge (other browsers like Firefox and Safari don't support WebUSB yet).

Other than that, no other installations are needed.

NOTE: the project is highly experimental - use at your own risk, no complaints are accepted but if you're ready to test, please tell if it worked for your device.

You can find other cache injection methods on the related page:

If all this is not enough and you receive an "ADB not authorized" message while you try to connect your phone to the shell, then you need to root your phone. Read the next paragraph for more details.

Root of Mediatek-based KaiOS phones

Now its time to use flash tools to get a backup copy of the boot partition:

Once you have chosen a flash tool (see above), you can proceed as follows:

  1. Get two backup-copies of your boot partition;

  2. Unpack the image and use a text editor to change the following values in the "default.prop" file:

  • ro.debuggable must be 1 (in this way the device is able to use debug);

  • ro.adb.secure must be 0 (needed to enable ADB).

  1. Repack the "boot-new.img" file (you can use any name you want);

  2. Use Fastboot to flash the modified "boot.img" using these commands:

fastboot oem unlock

fasboot flash boot boot-new.img

  1. Now you can finally use the Developer menu as well.

If you want to know more, go to the following guide:

Extra: common secret codes for Mediatek

A list of common working codes for Mediatek-base KaiOS phones was provided by Mus Tofa, from its Advan Hape Online:

  • Deacativate call barring: *#33# call button
  • Deactivate call waiting: *#43# call button
  • Check IMEI: *#06#
  • SAR Info: *#07#
  • MTK Logger: *#*#0574#*#*
  • Enginering mode: *#364# with call button, or *#7788#, or *#*#2637643#*#* with call button, or *#*#3646633#*#* with call button, or *#8378269#
  • MMI Test: *#2886#, or *#5566#, or *#8888# with call button, or *#8301#
  • Hardware info: *#68140#, or *#8802# with call button
  • Factory reset: *#5701#
  • SW Version: *#8808# with call button, or *#*#1212#
  • Aging Test: *#8816#
  • Version: *#87# with call button, or *#29864#* with call button

As you can see, there is no debug code, which is characteristic of debug-enabled devices based on Qualcomm and Spreadtrum. Learn more here: