MTKClient Compatibility with MT6765 (2023 Handset)

[RobertHerreraEECS]

Hi there,

I am currently having some issues triggering BROM mode on a Galaxy Handset (2023) A03s SM-S135DL. In short, what I'm noticing is this version of the MT6765 does not seem vulnerable to a wide variety of different attacks: MTKClient using auth file or alternate DA's, MTKClient fails to initially crash the DA in first place, test point shorting does not default to BROM mode but defaults to the preloader. Grounding or otherwise tampering with the SD line between the SoC and eMMC does not trigger BROM as originally anticipated.

Do you have any insight as to whether these newer variants may have a hardware-based mitigation such as a fuse that disable download (BROM) mode?

[R0rt1z2]

Hi there,

I am currently having some issues triggering BROM mode on a Galaxy Handset (2023) A03s. In short, what I'm noticing is this version of the MT6765 does not seem vulnerable to a wide variety of different attacks: MTKClient using auth file or alternate DA's, MTKClient fails to initially crash the DA in first place, test point shorting does not default to BROM mode but defaults to the preloader. Grounding or otherwise tampering with the SD line between the SoC and eMMC does not trigger BROM as originally anticipated.

Do you have any insight as to whether these newer variants may have a hardware-based mitigation such as a fuse that disable download (BROM) mode?

Based on the description you provided, I wouldn't be surprised if Samsung has disabled BROM mode using fuses, similar to what some OEMs like Xiaomi, Amazon, and others have done.

If that’s the case, unfortunately, there’s not much you can do, as there isn’t a known Preloader-based exploit for the MT6765 that gives you arbitrary code execution at all.

Apparently, someone reported an issue (regarding connection issues) with the same phone model (I think?) not too long ago: #251.