Introduction to Mediatek BROM Mode
Mediatek processors power a vast array of Android devices, smart TVs, and IoT gadgets. Central to their security architecture is the Boot ROM (BROM) – a small, immutable piece of code embedded directly into the SoC’s hardware. BROM is the very first code executed upon device power-on, making it the root of trust. Its primary role is to initialize essential hardware components, identify the boot device (e.g., eMMC, UFS), and load the next stage bootloader, typically the Preloader.bin, into RAM for execution.
A vulnerability in the BROM or the subsequent stages it loads, such as the Download Agent (DA) that runs during BROM mode, can grant an attacker unparalleled control over the device. This includes bypassing authentication, reading/writing arbitrary memory, and ultimately injecting malicious code to achieve persistent compromise. This article delves into the techniques for exploiting Mediatek BROM mode, focusing on how to leverage these vulnerabilities for custom code injection.
Understanding Mediatek BROM Vulnerabilities
Mediatek devices often expose a USB-based Device Firmware Upgrade (DFU) mode, commonly referred to as BROM mode. When a device is connected in BROM mode, it communicates with the host PC via specific USB endpoints. This mode is critical for initial device flashing during manufacturing and for disaster recovery. However, the BROM’s design often includes features like the Serial Link Authenticator (SLA) and Download Agent Authentication (DAA), which are intended to prevent unauthorized access. Exploits often target weaknesses in these authentication mechanisms, or buffer overflows within the BROM’s USB communication handlers or the DA itself.
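As an added illustration (this is not Mediatek's code, and the frame layout below is constructed for the example rather than the real BROM wire protocol), here is the class of length-check bug the paragraph describes in a USB command handler, beside the hardened form a handler should take:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a BROM-mode USB command frame; an illustrative
 * layout only, not Mediatek's actual protocol:
 *   byte 0      opcode
 *   bytes 1..2  big-endian payload length, supplied by the host
 *   bytes 3..   payload
 */
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t opcode;
    uint8_t payload[MAX_PAYLOAD];
    size_t  len;
} brom_cmd_t;

static size_t frame_payload_len(const uint8_t *frame) {
    return ((size_t)frame[1] << 8) | frame[2];
}

/* Vulnerable pattern: the host-controlled length field is trusted as-is,
 * so a malformed frame makes memcpy write past payload[] (and read past
 * the bytes actually received). This is the kind of handler flaw the
 * text refers to. */
int parse_cmd_unchecked(const uint8_t *frame, size_t frame_len, brom_cmd_t *out) {
    if (frame_len < 3) return -1;
    size_t len = frame_payload_len(frame);
    out->opcode = frame[0];
    memcpy(out->payload, frame + 3, len);   /* no bound on len */
    out->len = len;
    return 0;
}

/* Hardened: the declared length must fit the destination buffer AND the
 * bytes that were actually received, and nothing is copied otherwise. */
int parse_cmd_checked(const uint8_t *frame, size_t frame_len, brom_cmd_t *out) {
    if (frame == NULL || out == NULL || frame_len < 3) return -1;
    size_t len = frame_payload_len(frame);
    if (len > MAX_PAYLOAD || len > frame_len - 3) return -2; /* reject frame */
    out->opcode = frame[0];
    memcpy(out->payload, frame + 3, len);
    out->len = len;
    return 0;
}
```

The unchecked variant is only ever safe on well-formed input; the checked variant turns an oversized or truncated frame into an error return instead of memory corruption.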
Historically, a common vulnerability, dubbed ‘BROM exploit’ or ‘preloader bypass’, allowed attackers to circumvent SLA/DAA checks by sending malformed commands or exploiting logic flaws, thereby enabling arbitrary code execution or memory operations in BROM mode. This level of access permits modification of the Preloader – the crucial first stage bootloader that initializes more complex hardware and prepares for the Android boot process.
Entering Mediatek BROM Mode
Accessing BROM mode typically involves specific hardware manipulations, as it’s not usually user-accessible:
- Test Point (TP): The most common method involves shorting a specific pin on the device’s PCB to ground while connecting the USB cable. This forces the SoC into a low-level USB DFU state.
- Button Combination: Some devices might enter BROM mode by holding specific volume buttons (e.g., Vol Up + Vol Down) while connecting the USB cable.
- Software Trigger: In some cases, if you have root access or a kernel exploit, you might be able to reboot the device into BROM mode via software commands.
Once in BROM mode, the device will appear as a Mediatek USB VCOM port in your operating system’s device manager, often under a generic name like