bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Manually update seccfg? #964

Closed ihtarlik closed 3 weeks ago

ihtarlik commented 3 months ago

I am trying to unlock the bootloader on an e-fused mt8168 with SBC enabled. Under most common circumstances, this would be impossible. However, I have direct read/write access to the eMMC using an offline adapter.

Is it possible to pull necessary information from the SoC, without bypassing the DA, to write a valid seccfg which unlocks the bootloader? I can read the seccfg, and I can write zeroes over the whole partition, but it just regenerates.

To be clear, I am able to modify the system storage while the SoC is off, by hardwiring a secondary system for power and data transmission.

I apologize if my ignorance is overwhelming. I am trying to learn how seccfg works and am not finding many resources.

mouseos commented 3 weeks ago

Dump the `frp` partition. Then open it in a binary editor and change the last bit from `00` to `01`. Flash the modified `frp.img` to the `frp` partition. Then run `fastboot flashing unlock` to unlock the bootloader. This method has been tested on TAB-A05-BD and TAB-A05-BA1 with mt8168. This method is not available if the device is an Amazon Fire.