Manufactured by Mobiwire, the phone runs Android 9 Go edition on Mediatek MT6739 chipset. It's probably a phone based on mobiwire's S32 NFC platform. This documentation can therefore be applied to many other phones, such as the Altice S32 ...
(bootloader) version-baseband: MOLY.LR12A.R2.MP.V91.25.P7
(bootloader) version-bootloader: k39tv1_bsp_1g-9778ec91576-2021082716411
I found one of these phones in the trash a while back, but I couldn't unlock it at the time. I hope this guide can help some people, so please don't hesitate to give feedback.
Since Orange doesn't supply a stockrom, that's where BROM mode comes in: it lets you perform a wide range of operations as soon as the phone boots up, bypassing all protection even before the bootloader. Use mtkclient to dump the partitions. For the rest, we'll need the boot, recovery and system partitions.
If you're using the GUI, which is perfectly suited to dump, I recommend launching it from a terminal, so you can observe debug messages easily (sometimes a problem with the USB stack means it doesn't work/no longer works), you should see the following message when the software is up and running:
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode
Then, power on your phone or reboot, mtkclient should catch your phone at pre-loader level, and there you go.
volume up then power 2 sec and let volup
classic lk menu :
- [recovery mode]
- [fastboot mode]
- [normal boot]
if you go recovery with stock recovery, power then vol up to skip "no command logo"
If you need to unlock, go fastboot mode, then on PC :
$ fastboot flashing unlock
$ fastboot reboot
But you will get this advise on every boot until you'll lock it.
your device has been unlocked and can't be trusted
your device will boot in 5 seconds
You could now install Magisk, and provided the recovery.bin dumped image (this one use ramdisk), then use it to flash the boot partition (using mtkclient or fastboot). Magisk's trick is to use the ramdisk to add superuser capabilities, in order to avoid having to modify the system partition.
see https://android.stackexchange.com/questions/213167/how-does-magisk-work
Since you're not expecting any more updates for these phones anyway, you might as well modify the system partition directly. [TODO]
Parameters => system => a propos du telephone => numero de build => click 7 times on Parameters => system => options pour les developpeurs => debogage USB
Like a large number of mobiles built in these years, it is compromised by the spyware adups fota. I'd recommand to use to uda-ng to clean up the rom on your PC via adb connection.
This repository provides a list of packages.
diff <(adb shell pm list packages) <(adb shell pm list packages -u) -n | grep ^package: | cut -c 9- > packages_uninstall.lst
download latest image on https://eu.dl.twrp.me/seedmtk/
unpack_bootimg --boot_img twrp-3.5.0_9-0-seedmtk.img --format mkbootimg --out recovery-twrp
fix fstab
mkdir -p twrp_ramdisk
cd twrp_ramdisk
gunzip -c ../ramdisk | cpio -idm
rg --files-with-matches mtk-msdc.0 | xargs sed -i 's/mtk-msdc.0/bootdevice/g'
find | cpio --create --format='newc' -R +0:+0 | gzip > ../ramdisk
$ unpack_bootimg --boot_img recovery.img --format mkbootimg --out recovery-eom
--header_version 1 --os_version 9.0.0 --os_patch_level 2021-08 --kernel out/kernel --ramdisk out/ramdisk --recovery_dtbo out/recovery_dtbo --pagesize 0x00000800 --base 0x00000000 --kernel_offset 0x40008000 --ramdisk_offset 0x45000000 --second_offset 0x40f00000 --tags_offset 0x44000000 --board '' --cmdline 'bootopt=64S3,32S1,32S1 buildvariant=user veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f'
$ mv ramdisk out/
$ mkbootimg --header_version 1 --os_version 9.0.0 --os_patch_level 2021-08 --kernel out/kernel --ramdisk out/ramdisk --recovery_dtbo out/recovery_dtbo --pagesize 0x00000800 --base 0x00000000 --kernel_offset 0x40008000 --ramdisk_offset 0x45000000 --second_offset 0x40f00000 --tags_offset 0x44000000 --board '' --cmdline 'bootopt=64S3,32S1,32S1 buildvariant=user veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f' --output twrp-nevastart.bin
=> yet not very functionnal ? anyway, this twrp doesn't offer much since we have mtkclient...
see https://www.rigacci.org/wiki/doku.php/doc/appunti/android/logo_bootanimation
https://www.mediafire.com/file/j1i3wu842onj212/Bootanimations%252BPreviews_229.zip/file
mount -o rw,remount / /system/media/bootanimation.zip $ cat desc.txt 480 960 15 p 1 25 folder1 p 0 2 folder2
The phone has a NXP pn553 chipset, this could be exploitable via https://github.com/Iskuri/PN553-Signature-Bypass to add features.
Bignaux Ronan