Safe jailbreak for Sigma S3500 sKai and other MediaTek-based devices (confirmed)

Luxferre

Jun 17, 2020, 6:24:23 PM
to banana...@googlegroups.com
Hi again folks,

So, a safe jailbreak for MediaTek-based KaiOS phones (without tampering with any boot or system partitions) has been made possible thanks to the cache injection method. Unlike others, it doesn't even require a factory reset and gives full privileged developer access (allowing you to use, for instance, OmniSD and so on).

Use this archive: https://cloud.disroot.org/s/JBTFz7DZ6D4Gspt/download (SHA256: b54321675b458166cb6b561955821aa5fa6a576c675064829ef2857c987c1a63)

Steps:

1. Install ADB and Fastboot. Install necessary drivers if on Windows.
2. Put the phone into the Fastboot mode. Do the following steps (2.1 to 2.3) if your phone does not have Fastboot key combination:
2.1. Install Python 3 and pyserial as the dependency. Install necessary MediaTek serial port drivers if on Windows.
2.2. Determine which port appears in /dev (on Linux/Mac) or in COMx (on Windows) when you connect the turned-off device to PC and repeatedly short-press the End key.
2.3. Put the phone into the Fastboot mode with the following command (the script is in the archive): python3 mtk-bootseq.py FASTBOOT your_port (where your_port is the port you detected at the previous step)
3. Flash the prepared cache image (the image is in the archive): fastboot flash cache cache-jb.img -u
4. Reconnect the USB cable and perform NORMAL reboot: fastboot reboot
5. Verify that the Developer menu is in place (Settings - Device - Developer).
6. Verify that you can get into ADB by first selecting the "ADB only" and then "ADB and DevTools" debug mode.
7. Reboot the system into recovery - use the combination for your device to get into it, or enable ADB+DevTools access and run: adb reboot recovery
8. Reset the cache partition: find and select the "wipe cache partition" item in your stock recovery menu.
9. Reboot back into the system and you'll have full developer access until the next factory reset!

P.S. Theoretically, this method can also work on non-MediaTek devices (Spreadtrum or even Qualcomm) as long as you can put them into Fastboot mode and run the fastboot flash cache cache-jb.img -u command.

Have fun!
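An added example, not part of the original post or the jailbreak archive: a small POSIX shell wrapper around steps 3 and 4 that first checks the downloaded archive against the SHA256 published above, so a corrupted or swapped-out cache image is never flashed. It assumes fastboot is on PATH and that the archive path and the extracted cache-jb.img path are passed as its two arguments (both are assumptions, not something the post specifies).

```shell
#!/bin/sh
# Added example (not from the original post): verify the archive's SHA256
# before flashing, then run the fastboot steps from the post.
set -u

# Digest published in the post for the jailbreak archive.
EXPECTED_SHA256="b54321675b458166cb6b561955821aa5fa6a576c675064829ef2857c987c1a63"

# Print the SHA256 of a file using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file exists and its digest matches (case-insensitive).
verify_archive() {
    archive="$1"; expected="$2"
    [ -f "$archive" ] || return 1
    actual=$(file_sha256 "$archive" | tr 'A-F' 'a-f')
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Steps 3 and 4 of the post: flash the cache image in Fastboot mode, then
# reboot normally. The -u flag is used as in the post; one reply in this
# thread reports a fastboot build that rejects it, in which case drop it.
flash_cache_image() {
    img="$1"
    fastboot devices | grep -q . || { echo "no device in Fastboot mode" >&2; return 1; }
    fastboot flash cache "$img" -u || return 1
    echo "Reconnect the USB cable, then press Enter to reboot normally"
    read -r _
    fastboot reboot
}

# Usage: sh jb.sh <downloaded-archive> <path-to-cache-jb.img>
if [ "${1:-}" ] && [ "${2:-}" ]; then
    verify_archive "$1" "$EXPECTED_SHA256" || { echo "archive hash mismatch, refusing to flash" >&2; exit 1; }
    flash_cache_image "$2"
fi
```

After step 4 the remaining steps (enable ADB, wipe the cache partition from recovery) are done on the phone as described in the post.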

TEACH DOWN

Jun 17, 2020, 9:25:02 PM
to comp.mobile.nokia.8110
Can this method also work on the Lyf F61F Spreadtrum model?

TEACH DOWN

Jun 18, 2020, 12:59:59 AM
to comp.mobile.nokia.8110
I asked because many people said that adb root is not possible in jio phone spreadtrum models.

Luxferre

Jun 18, 2020, 1:56:48 AM
to comp.mobile.nokia.8110
Please don't confuse jailbreaking and rooting the device.

Jailbreaking is a process that enables the development menu and allows installing third-party apps.
Rooting is a process that allows root-level ADB console access.

This method is about jailbreaking only. It will not give you rooted ADB console access.

On Thursday, June 18, 2020 at 7:01:54 AM UTC+3, G Power wrote:
Sir Luxferre, you should bring a video on your Vimeo or YouTube channel, with the trick or without the trick, but at least show the root access victory.

TEACH DOWN

Jun 18, 2020, 3:43:24 AM
to comp.mobile.nokia.8110
By the way, is there any method to get ADB root access using fastboot?

Luxferre

Jun 19, 2020, 7:39:41 AM
to comp.mobile.nokia.8110
An alternative way of stable bootport detection is to insert the cable while having the # key pressed.

Omerch

Jun 19, 2020, 8:37:52 AM
to comp.mobile.nokia.8110
Great Job Luxferre!

I tried using it on Jazz Digit 4G and, after facing some issues, got the Developer menu enabled.
1- Fastboot didn't accept the "-u" argument, so I removed it.
2- I got an error saying that the device is in lock state, therefore I used "fastboot oem unlock", which wiped my device clean, but at least I got the image flashed afterward.
3- After the reboot I enabled ADB, and when I tried to use it I got the following error message saying that the device is unauthorized: "adb server's $ADB_VENDOR_KEYS is not set"

Luxferre

Jun 19, 2020, 3:06:36 PM
to comp.mobile.nokia.8110
You got it working with MT6739? Wow.
I'm not sure what kind of protection they might use, but AFAIK the ADB_VENDOR_KEYS is a host issue, not the phone's: https://www.androidexplained.com/adb-vendor-keys-not-set/

Luxferre

Jun 19, 2020, 4:01:42 PM
to banana...@googlegroups.com
A WebUSB-based helper for this jailbreaking method has been created: https://cain.bananahackers.net/
This requires using Chrome, Opera (or other Chrome-based browser) or the most recent Edge (Firefox and Safari don't support WebUSB yet).
Other than that, no other installations are needed.

Essentially, this is mtk-bootseq + fastboot combined over WebUSB. It uses the USBIO helper class in JS I recently created for such purposes.

The project is highly experimental: use at your own risk, no complaints are accepted, but if you're ready to test, please tell us if it worked for your device.

P.S. "ca.in." stands for "cache injection" :)

mangrio...@gmail.com

Jun 29, 2020, 8:15:32 AM
to comp.mobile.nokia.8110
Hello guys, I am trying to do the same with Jazz Digit 4G but it's not detecting the device at the time of fastboot. So I can't move forward, please help @Omerch @Luxferre

Taimoor Haider

Jul 30, 2020, 11:34:24 AM
to comp.mobile.nokia.8110
Hi folks,

Please help me out on this. Thanks in Advance

I just got a Jazz Digit 4G which I plan to use for development. The device details are as follows:

Model: Digit4G
OS Version: 2.5.2
Software Tag: Kaios_2_5_R2_modric_20190829_17
Hardware Revision: mt6731

I just followed the above-mentioned steps to enable debug mode/developer menu. But I managed to get into fastboot without doing the Python stuff (i.e. steps 2.1 to 2.3). I am sharing this as it may help future readers:
  1. Turn on the device by pressing Power + # simultaneously; a black screen with three options will appear: [Recovery Mode], [Fastboot Mode] & [Normal boot].
  2. Use the # key to navigate over [Recovery Mode], [Fastboot Mode] & [Normal boot]. Use the asterisk (*) to select [Fastboot Mode]. Once selected, fastboot commands will work. For example: fastboot devices // will list your device

So, as I was able to get the fastboot commands working, I unlocked the OEM using fastboot oem unlock, flashed the cache-jb.img file & wiped the cache from recovery. The Developer menu is turned on and the bug icon appeared on the top. But like others I got my device unauthorized when using adb.

What I did so far:
  • Switched 3 PCs but got the same result (seems like it is not a host issue)
  • Used the latest versions of adb and a few older ones
  • Deleted the adbkey & adbkey.pub files from the C:/Users/MyPcName/.android folder, but no "Allow USB Debugging" RSA popup appeared on the device.
  • Tried to access adb in recovery mode to manually put the adbkey.pub file in /data/misc/adb/adb_keys inside the device, but adb didn't respond even on the sideloading screen
I came to the conclusion that until I find a way to get into the device's internal storage there is no way to get this working, as this XDA Dev link says.

Please suggest any solution

Again Thanks

md rafi (BD) t15

Dec 15, 2020, 10:35:20 PM
to comp.mobile.nokia.8110
I want to join this project using my Geo T15.

Luxferre

Dec 16, 2020, 7:06:11 AM
to comp.mobile.nokia.8110
Just visit https://w2d.bananahackers.net from the KaiOS browser.