How to use a patched BROM dump in the next steps (MT8163 device, BetterSPACE tablet in kiosk mode) #1540
Unanswered
jokanpan-eng asked this question in Q&A
Replies: 0 comments
Hello,
I successfully dumped the BROM of my MT8163-based tablet and patched it (disabled SLA, DAA, etc.). The patching worked in Ghidra and I exported a modified binary.
Now I am unsure about the next step:
• Should the patched BROM be written back to the device (e.g. Boot1/Boot2 or another partition)?
• Or is it only used temporarily during runtime via mtkclient payload?
• My goal is to repair/modify my own firmware so that I can flash it back and have the device boot without the kiosk restrictions (FRP / MDM).
What I already did:
• Dumped BROM (r brom)
• Patched binary in Ghidra
• Full firmware dump (~15 GB) with mtkclient rl
• Flashed back system / boot images, but device still stuck in kiosk mode
• Tried FRP and userdata erase (successful but no clean boot afterwards)
Questions:
• Is there a written tutorial (step-by-step) on how to use a patched BROM dump with mtkclient?
• Which partition is usually the correct place to write the patched BROM (Boot1, Boot2, preloader, …)?
• Or is the BROM patch only intended for temporary exploitation, not permanent flashing?
• Has anyone here worked with BetterSPACE tablets (Lanix E8 / Illidium X8 variants) and managed to bypass or disable the kiosk mode?
Any hints, docs or examples would be really appreciated 🙏
Thanks!
Jad