How To Unlock Mediatek Bootloader Using MtkClient Any Device

Table of Contents

Unlock Mediatek bootloader using mtkclient

Just some mtk tool for exploitation, reading/writing flash, and doing crazy stuff. For windows, you need to install the stock mtk port and the usbdk driver (see instructions below). For Linux, a patched kernel is only needed when using old kamakiri (see Setup folder) (except for reading/writing to flash).

Once the mtk script is running, boot into Brom mode by powering off the device, press and hold either vol up + power or vol down + power and connect the phone. Once detected by the tool, release the buttons.

How to unlock mediatek bootloader using mtkclient any device

Credits::

kamakiri [xyzz]

linecode exploit [chimera]

Chaosmaster

All contributors

This guide will explain how to unlock a Mediatek device’s bootloader using MTKclient. This will come in handy for those who can’t unlock the bootloader using fastboot. This was tested on the LG K51

Install Mediatek drivers:: CLICK HERE
Download and install USBDK @ https://github.com/daynix/UsbDk/releases/
Download and install python @ https://www.python.org/downloads/ (ensure to tick the checkbox Add Python x.x to PATH)
Download MTKClient @ https://github.com/bkerler/mtkclient/arc…s/main.zip and extract

Open the mtkclient folder, right-click the address bar at the top and copy the address
Launch Command prompt and type cd <space> then paste the address you copied and tap enter
You’re set to run commands
1. Run the following commands –
2. “python setup.py install”
3. “pip3 install -r requirements.txt”
4. Run the data wipe command then connect your device in BROM Mode
5. “python mtk e metadata,userdata,md_udc”
6. Run the bootloader unlock command then re-connect your device in BROM Mode
7. “python mtk xflash seccfg unlock”
8. Disconnect and boot
Credits
Credits to Warlockguitarman for the groundwork and discovering the exploit (from Chimera), also to the developer of mtkclient for integrating the exploit.
Important Notice
How you boot into BROM varies with the device so look it up for your model.
To re-lock Bootloader wipe seccfg or run
python mtk xflash seccfg lock
If you encounter an error using python in commands then try py -3
MTKClient Version 1.42::
- Fixed wrong registers for some targets (mt6572,mt6735,mt6768,mt6785,mt8695)
- Fixed libusb0 backport compatibility issue
- Improved handshake speed
- Added basic mt2601 smartwatch support