CACHE INJECTION: Patch to the cache partition, no factory reset is needed

by Luxferre

A safe jailbreak for MediaTek-based KaiOS phones (without tampering with any boot or system partitions) has been made possible thanks to the cache injection method. Unlike others, it doesn't even require a factory reset and gives full privileged developer access (allowing the use of, for instance, OmniSD and so on). It has also been tested on Qualcomm and Spreadtrum devices, making it the best jailbreak method!

Note that debug-enabled devices (all of them Qualcomm- or Spreadtrum-based) can install applications directly using ADB and WebIDE, because they accept debug codes that MediaTek-based devices lack; MediaTek-based devices can instead take advantage of other connections via shell or browser:

For all the methods listed on this page, the only goal is to insert a file called __post_reset_cmd__ into the /cache partition, with the word "root" inside. Here are the procedures, listed in order of difficulty, from the simplest to the most complex:

Using Wallace Toolbox (Qualcomm/Spreadtrum)

Wallace Toolbox is a universal toolbox for KaiOS internal tweaking, with 14 useful functions packed in one small app, based on LibWallace and several independent research efforts. You can learn more about it in the dedicated section:

From version 0.0.5, Wallace Toolbox has full support for direct cache injection on both the /cache and /persist partitions, where applicable.

Sideloading apps is possible on Qualcomm/Spreadtrum devices that have working debug codes:

  • *#*#33284#*#* for Qualcomm;

  • *#*#33284#*#* and *#*#0574#*#* for Spreadtrum.

MediaTek-based devices can instead rely on the other cache injection methods on this page.

Requirements

Proceedings

  1. Just sideload Wallace-Toolbox like any other KaiOS / Firefox OS app;

  2. Open the app and press the # key, then confirm the reboot.

The app enables the Developer Menu automatically, without having to perform a privileged reset.

Using a chromium-based browser (ca.in.)

A WebUSB-based helper for this jailbreaking method has been created, named "ca.in." (which stands for "cache injection").

It's possible to use it by connecting to cain.bananahackers.net with a Chromium-based browser such as Chromium, Google Chrome, Opera or Microsoft Edge (other browsers like Firefox and Safari don't support WebUSB yet). Other than that, no installation is needed.

Essentially, this is mtk-bootseq + fastboot combined over WebUSB. It uses the USBIO helper class in JavaScript.

NOTE: the project is highly experimental - use at your own risk. No complaints are accepted, but if you're ready to test, please report whether it worked on your device.

Proceedings

If you have a MediaTek-based KaiOS phone and can't enter Fastboot with a combo:

  1. Press "Enter Fastboot (MTK)";

  2. Insert the cable;

  3. Quickly connect to the MTK preloader port once it appears in the browser USB menu.

Once you're in Fastboot mode, do the following:

  1. Press "Jailbreak";

  2. Connect to the "Android" port once it appears in the browser USB menu.

After reboot, the Developer menu should appear in the Settings - Device section.

If the flashing doesn't succeed:

  1. Reconnect in Fastboot mode;

  2. Press "Attempt OEM unlock";

  3. Repeat the whole procedure.

Using an "adb shell" as root

Requirements

  • Install a root app (safe) using ADB or WebIDE; if your device does not have busybox, also install OmniBB.

  • If your phone is unable to install apps, you need to patch the /boot partition (unsafe).

Proceedings

Run the following commands from a (rooted) ADB shell:

adb shell

echo 'root' > /cache/__post_reset_cmd__

reboot

After that, the Developer menu should appear.

In theory, you can also modify the /cache partition by any other means so that it contains this __post_reset_cmd__ file with the root string, and get the same result at the next boot.

Using Python and Fastboot (original method)

Requirements


Proceedings

1. Install ADB and Fastboot. Install necessary drivers if on Windows.

2. Put the phone into the Fastboot mode. Do the following steps (2.1 to 2.3) if your phone does not have Fastboot key combination:

  • 2.1. Install Python 3 and pyserial as its dependency. Install the necessary MediaTek serial port drivers if on Windows.

  • 2.2. Determine which port appears in /dev (on Linux/Mac) or as COMx (on Windows) when you connect the turned-off device to the PC and repeatedly short-press the End key.

  • 2.3. Put the phone into the Fastboot mode with the following command (the script is in the archive):

python3 mtk-bootseq.py FASTBOOT your_port

(where your_port is the port you detected in the previous step).

3. Flash the prepared cache image (the image is in the archive):

fastboot flash cache cache-jb.img -u

4. Reconnect the USB cable and perform a NORMAL reboot:

fastboot reboot

5. Verify that the Developer menu is in place (Settings > Device > Developer).

6. Verify that you can get into ADB by first selecting the "ADB only" and then "ADB and DevTools" debug mode.

7. Reboot the system into recovery: use the key combination for your device to get into it, or enable ADB+DevTools access and run:

adb reboot recovery

8. Reset the cache partition: find and select the "wipe cache partition" item in your stock recovery menu.

9. Reboot back into the system and you'll have full developer access until the next factory reset!
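A small helper for step 2.2 above, added here as an example and not part of the original page or the mtk-bootseq archive: it snapshots the serial device nodes under /dev and reports the one that appears while the powered-off phone is plugged in and the End key is pressed. It assumes Linux/macOS node names (ttyACM, ttyUSB, tty.usbmodem, tty.usbserial) and uses only the standard library; the Windows COMx case is not covered.

```python
# Added example (not from the original page): detect the serial port that
# shows up briefly when the MediaTek preloader enumerates, for step 2.2.
# Standard library only; pyserial is not required for this part.
import glob
import time

# Assumption: the preloader port appears under one of these node names.
PORT_PATTERNS = ("/dev/ttyACM*", "/dev/ttyUSB*",
                 "/dev/tty.usbmodem*", "/dev/tty.usbserial*")


def list_serial_nodes(patterns=PORT_PATTERNS):
    """Return the set of serial device nodes currently present."""
    nodes = set()
    for pattern in patterns:
        nodes.update(glob.glob(pattern))
    return nodes


def new_ports(before, after):
    """Nodes present in `after` but not in `before`, sorted for stable output."""
    return sorted(set(after) - set(before))


def wait_for_new_port(timeout=30.0, interval=0.05, snapshot=list_serial_nodes,
                      clock=time.monotonic, sleep=time.sleep):
    """Poll until a new node appears or the timeout expires.

    The preloader port is only present for a moment, so the poll interval is
    short. `snapshot`, `clock` and `sleep` are injectable so the logic can be
    exercised without hardware. Returns the first new node, or None on timeout.
    """
    baseline = snapshot()
    deadline = clock() + timeout
    while clock() < deadline:
        appeared = new_ports(baseline, snapshot())
        if appeared:
            return appeared[0]
        sleep(interval)
    return None


if __name__ == "__main__":
    print("Connect the powered-off phone and short-press End repeatedly...")
    port = wait_for_new_port()
    if port:
        print("Use this port with mtk-bootseq.py:", port)
    else:
        print("No new port appeared within the timeout.")
```

Pass the reported node as your_port in the mtk-bootseq.py command from step 2.3.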


NOTE: Theoretically, this method can also work on non-MediaTek devices (Spreadtrum or even Qualcomm) as long as you can put them into Fastboot mode and run the fastboot flash cache cache-jb.img -u command. Have fun!