Android Hardware Reverse Engineering

Building Custom BROM Payloads: A Guide for MediaTek Device Hacking


Introduction to MediaTek BROM Mode and Its Significance

The Boot ROM (BROM) is the first piece of code executed on a MediaTek System-on-Chip (SoC) upon power-on. It’s an immutable, hardware-protected read-only memory block containing the absolute minimal instructions necessary to initialize the SoC and interact with external memory or storage devices. Critically, BROM mode also facilitates firmware flashing, debugging, and recovery. For security researchers and device enthusiasts, BROM mode represents a critical attack surface, as vulnerabilities within it can grant unparalleled control over the device, bypassing Secure Boot, signature checks, and even enabling forensic data extraction or custom firmware injection.

Understanding and exploiting BROM vulnerabilities allows for the creation of custom payloads capable of altering device behavior at its lowest level. This guide delves into the methodology of identifying these vulnerabilities, developing bespoke payloads, and deploying them to achieve advanced device control on MediaTek platforms.

Understanding MediaTek BROM Vulnerabilities

MediaTek SoCs often implement a Security Lifecycle (SLA) and Download Agent (DA) authentication process within BROM to prevent unauthorized firmware modifications. However, historically, various vulnerabilities have been discovered:

  • Buffer Overflows: Malformed commands or oversized data inputs during the BROM handshake can trigger buffer overflows, allowing arbitrary code execution.
  • Signature Bypass: Flaws in the cryptographic verification process for Download Agents (DA.bin) can allow unsigned or specially crafted DAs to be loaded.
  • Handshake Protocol Issues: Weaknesses in the communication protocol between the host PC and the device in BROM mode can be exploited to inject commands or data.
  • Read/Write Vulnerabilities: Specific BROM versions might have unpatched read/write memory primitives, allowing attackers to dump or modify critical memory regions.

The goal of a custom BROM payload is often to bypass these security mechanisms, gain code execution in a privileged context, and then either dump firmware, unlock bootloaders, or flash custom images.

The BROM Handshake and Communication Protocol

When a MediaTek device enters BROM mode (typically by holding a specific key combination during power-up or via USB connection without a preloader), it exposes a serial interface (usually USB-VCOM) for communication. A host PC then initiates a handshake, often involving:

  1. Connection Handshake: Sending specific byte sequences to synchronize communication.
  2. Chip ID Read: Requesting the SoC’s unique identifier.
  3. SLA/DA Authentication: The device presents a challenge, and the host (or a Download Agent) responds, attempting to authenticate itself.
  4. Command Execution: If authentication succeeds, the host can send commands to read/write memory, flash partitions, or execute code.

Tools like mtkclient leverage reverse-engineered knowledge of this protocol to interact with devices, even bypassing certain security measures directly from the host. For example, some vulnerabilities allow mtkclient to ‘force-send’ a custom Download Agent even when the device expects a signed one, effectively taking control.
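The USB-VCOM endpoint described above is also what a defender can watch for on a managed host. The following is an added example (not code from the article or from mtkclient): it scans Linux kernel USB enumeration lines for a MediaTek device that has come up in BROM or preloader download mode. The VID/PID values are the widely documented MediaTek ones; the log lines are constructed, and the Linux dmesg format is an assumption.

```python
import re
from typing import Dict, List, Optional

# Added example, not from the original article. USB VID 0x0e8d is MediaTek;
# PID 0x0003 is the BROM VCOM and 0x2000 the preloader VCOM (the IDs that
# mtkclient's udev rules match). Assumption: Linux kernel USB enumeration
# lines as printed by dmesg / journalctl -k.
MTK_VID = "0e8d"
MTK_DOWNLOAD_MODES = {
    "0003": "BROM download mode",
    "2000": "Preloader download mode",
}

USB_LINE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)


def classify(vid: str, pid: str) -> Optional[str]:
    """Return the download-mode name for a MediaTek VID/PID pair, else None."""
    if vid.lower() != MTK_VID:
        return None
    return MTK_DOWNLOAD_MODES.get(pid.lower())


def scan_usb_log(lines: List[str]) -> List[Dict[str, str]]:
    """Collect every enumeration of a MediaTek device in BROM/preloader mode."""
    hits = []
    for line in lines:
        m = USB_LINE.search(line)
        if not m:
            continue
        mode = classify(m["vid"], m["pid"])
        if mode:
            hits.append({"port": m["port"], "pid": m["pid"].lower(), "mode": mode})
    return hits


# Constructed sample lines (not a real capture): one BROM enumeration,
# one unrelated USB device, then the same port reappearing as preloader.
SAMPLE_LOG = [
    "[ 1201.001] usb 1-2: new full-speed USB device number 5 using xhci_hcd",
    "[ 1201.120] usb 1-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00",
    "[ 1260.440] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00",
    "[ 1305.802] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00",
]

if __name__ == "__main__":
    for hit in scan_usb_log(SAMPLE_LOG):
        print(f"port {hit['port']}: MediaTek {hit['mode']} (pid {hit['pid']})")
```

A BROM-mode enumeration on a host that never flashes devices is worth an alert on its own, since it means either the key-combination entry described above or a missing preloader.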

Essential Tools and Setup

To embark on custom BROM payload development, you’ll need a robust toolkit:

  • mtkclient: A powerful open-source tool for MediaTek BROM operations, offering a Python interface for various exploits.
  • SP Flash Tool: MediaTek’s official flashing utility, useful for understanding standard flashing procedures.
  • IDA Pro/Ghidra: Disassemblers/decompilers for analyzing firmware binaries, especially the preloader (preloader.bin) to understand memory maps and peripheral initialization.
  • ARM Cross-Compiler (e.g., GCC ARM Embedded): To compile custom C/Assembly payloads for ARM/ARM64 architectures.
  • USB-to-TTL Adapter (Optional): For direct serial communication or debugging if USB drivers are problematic.
  • Test Device: A MediaTek-powered device that you’re willing to risk bricking.

Setting up your Development Environment:

# Install mtkclient (requires Python 3)
git clone https://github.com/bkerler/mtkclient.git
cd mtkclient
pip3 install -r requirements.txt

# Install ARM cross-compiler
cd ~
sudo apt update && sudo apt install gcc-arm-none-eabi

Crafting Your First BROM Payload (Conceptual)

A custom BROM payload is typically a small, self-contained piece of code designed to be loaded directly into the device’s RAM and executed. Its purpose is often to achieve a primitive like:

  • Bypassing an authentication check in a subsequent boot stage.
  • Dumping a specific region of memory (e.g., bootloader, secure data).
  • Modifying a critical flag in RAM to disable security features.
  • Redirecting execution flow to custom code stored elsewhere.

Let’s consider a highly simplified, conceptual payload to dump the first 0x1000 bytes of a specific RAM address (e.g., where the preloader might load). This code would typically be written in ARM assembly or a minimal C program compiled for the target architecture.

Example: Conceptual Memory Dump Payload (ARM Assembly)

@ Conceptual ARM (A32) payload in GNU as syntax: '@' starts a comment (';' is a
@ statement separator in gas, so it cannot be used for comments here).
@ Assumes the payload is loaded at a known address (e.g., 0x20000000) and dumps
@ a specific RAM region. Caveat: the destination below is the payload's own load
@ address, as in the original conceptual description; a real build must place
@ the scratchpad beyond the payload's end so the copy does not overwrite it.
    .text
    .global start
start:
    LDR     R0, =0x10000000  @ Source address to dump (e.g., beginning of DRAM)
    LDR     R1, =0x20000000  @ Destination address (scratchpad later read back by the host)
    LDR     R2, =0x1000      @ Size of data to dump (4096 bytes)
    BL      memcpy_custom    @ Call our custom memcpy function
    B       .                @ Loop indefinitely after dumping (or jump to original BROM code)

memcpy_custom:
    @ Custom byte-wise memcpy, simplified for the example
    @ R0 = src, R1 = dst, R2 = size
    CMP     R2, #0
    BEQ     memcpy_end       @ Nothing to copy
loop:
    LDRB    R3, [R0]         @ Load byte from source
    STRB    R3, [R1]         @ Store byte to destination
    ADD     R0, R0, #1       @ Increment source pointer
    ADD     R1, R1, #1       @ Increment destination pointer
    SUBS    R2, R2, #1       @ Decrement size (SUBS sets the flags that BNE tests; plain SUB would loop forever)
    BNE     loop
memcpy_end:
    BX      LR               @ Return
    .ltorg                   @ Literal pool for the LDR Rn, =constant forms above

This payload would then be extracted from the device’s RAM after execution using a host-side tool like mtkclient to read the `0x20000000` region.

Practical Example: Bypassing SLA/DA Authentication with mtkclient

mtkclient provides a powerful way to interact with MediaTek devices. One of its key features is exploiting known BROM vulnerabilities to bypass security measures.

Step 1: Connect the Device in BROM Mode

Ensure your MediaTek device is powered off. Hold the Volume Up + Volume Down buttons simultaneously while connecting it to your PC via a USB cable. Release the buttons once the device is detected (no screen activity, but a new USB device appears).

Step 2: Identify and Bypass Authentication

Use mtkclient to identify the device and attempt an exploit. For many devices, mtkclient can automatically detect and exploit common BROM vulnerabilities to bypass SLA (Security Lifecycle Authentication) and DA (Download Agent) authentication.

# Scan for the device and attempt bypass
python3 mtk eboot --disable-security --memory-test

If successful, mtkclient will report
