A portable, single-file command-line tool for directly managing MediaTek (MTK) Android devices at the hardware level via BROM (Boot ROM) mode. Supports dumping, flashing, formatting, verifying, rooting, forensic analysis, and hardware exploit execution — all before the Android OS or bootloader starts.
Inspired by mtkclient and SP Flash Tool.
- Partition Dumping — Extract single or all partitions with sector-level resume (`--dump`, `--dump-all`)
- Partition Flashing — Write images with automatic sparse-to-raw conversion (`--flash-only`, `--batch-flash`, `--scatter`)
- Partition Formatting — Hardware erase via DA_CMD_FORMAT, zero-fill fallback (`--format`, `--wipe-userdata`)
- Partition Verification — SHA256 readback comparison between local files and device (`--verify-partition`)
- Partition Map — ASCII proportional bar-chart visualizer with backup status (`--partition-map`)
- A/B Slot Management — Read and switch Android A/B boot slots (`--slot-info`, `--switch-slot`)
- AVB Patcher — Disable AVB verification on both A/B slots (`--disable-avb`)
- Guided Magisk Root — Step-by-step root workflow with auto-backup at every stage (`--root-device`)
- Reboot Control — Reboot into normal, recovery, fastboot, or download modes (`--reboot`)
- Security Diagnostics — Read SBC, SLA, DAA flags from BROM register (`--target-config`)
- Hardware Exploit Engine — Kamakiri v1/v2 and Amonet SRAM-patch exploit execution (auto-selected)
- BROM Memory Explorer — Live SRAM hex viewer and dword writer (`--brom-explorer`)
- RPMB Dump — Read raw RPMB sectors: rollback counters, DRM keys, TEE data (`--rpmb-dump`)
- eFuse / OTP Read — Read chip OTP registers at BROM layer, no payload needed (`--efuse-read`)
- DA2 Two-Stage Loader — Upload a secondary DA via the running DA1 (`--da2`)
- UART Serial Fallback — BROM communication over UART1 test pads via pyserial (`--uart-port`)
- Device Info Export — Export chipset, storage type, slot config, GPT, ME-ID, exploit class to JSON (`--device-info`)
- Boot Image Inspector — Parse Android boot.img (v0–v3 GKI), detect Magisk injection (`--inspect-boot`)
- NVRAM Parser — Extract IMEI and WiFi/BT MAC from raw NVRAM dumps (`--nvram-parse`)
- NVRAM Writer — Patch IMEI/MAC back into a dump with Luhn validation; optionally re-flash (`--nvram-write`)
- OTA Payload Extractor — Extract partition images from Android OTA .zip or payload.bin (`--ota-extract`)
- JSON Recipe Runner — Automate multi-step operations from a script file (`--recipe`)
- USB Watch Mode — Poll for BROM device and auto-trigger actions on detection (`--watch`)
- Session Cache — Reuses BROM/payload session across back-to-back operations (skips re-upload)
- Audit Log — JSON Lines forensic trail of every operation saved to `backup/<chipset>/`
- Chipset Search — Built-in database of 50+ chipsets and known device examples (`--search`)
- Confirmation Gates — All destructive operations require explicit typed confirmation
| Platform | Notes |
|---|---|
| Windows | Install MTK USB drivers from MediaTek, or use Zadig to bind WinUSB to VID=0x0E8D |
| Linux | Add a udev rule for VID 0e8d or run with sudo |
| macOS | Run with sudo; may need kernel extension approval in Security & Privacy |
| Termux (Android OTG) | pkg install python libusb + Termux:USB from F-Droid, grant USB host permission |
- Python 3.8 or newer (Python 3.11 recommended)
- A MediaTek device in BROM mode (PID `0x0001`, `0x0003`, or `0x3000`)
```
pyusb>=1.0.0
pyserial>=3.5
colorama>=0.4.6
tqdm>=4.65.0
```

```bash
git clone https://github.com/projectgtp/androidForgeofficial.git
cd androidForgeofficial
pip install -r requirements.txt
python androidForge.py --check-deps
```

Linux udev rule (run once):

```bash
echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="0e8d", MODE="0666"' \
  | sudo tee /etc/udev/rules.d/99-mtk.rules
sudo udevadm control --reload
```

`MODE="0666"` opens the device node to every local user; on a shared machine, restrict it to a group instead.

BROM (Boot ROM) is the lowest-level USB mode on MediaTek devices. This tool only works in BROM mode.
Standard method:
- Fully power off the device
- Hold Vol-Down (some devices use Vol-Up)
- While holding, connect the USB cable to your computer
- Do not release until the device is detected
Test Point method (if Vol-Down doesn't work):
- Locate the BROM test point on the PCB, short it to GND while connecting USB
Verify detection:

```bash
# Linux/macOS
lsusb | grep "0e8d"
# Windows: Device Manager -> Universal Serial Bus -> MediaTek USB Port
```

Known USB PIDs:

| PID | Mode | Status |
|---|---|---|
| `0x0001` | BROM legacy | Accepted |
| `0x0003` | BROM standard | Accepted |
| `0x3000` | BROM v2 (Dimensity) | Accepted |
| `0x2000` | Preloader | Wrong mode — power off and retry |
| `0x2001` | DA v1 | Wrong mode — power off and retry |
```bash
python androidForge.py [command] [options]
```

Run with no arguments to launch the interactive menu (options A–V).

```bash
python androidForge.py --list-partitions
python androidForge.py --target-config
python androidForge.py --slot-info
python androidForge.py --device-info
python androidForge.py --device-info --out device.json
python androidForge.py --search mt6765
python androidForge.py --check-deps
python androidForge.py --list-chipsets
python androidForge.py --partition-map
python androidForge.py --brom-explorer

python androidForge.py --dump
python androidForge.py --dump --partitions boot,recovery,vbmeta
python androidForge.py --dump-all

python androidForge.py --flash-only --flash-partition boot --flash-image magisk_boot.img
python androidForge.py --batch-flash ./firmware/
python androidForge.py --scatter scatter_MT6765.txt
python androidForge.py --scatter scatter_MT6765.txt --scatter-flash

python androidForge.py --format cache
python androidForge.py --wipe-userdata

python androidForge.py --disable-avb
python androidForge.py --root-device

python androidForge.py --inspect-boot boot.img
python androidForge.py --nvram-parse backup/MT6765/nvram.img
python androidForge.py --ota-extract OTA_update.zip

python androidForge.py --rpmb-dump
python androidForge.py --rpmb-dump --rpmb-sectors 128
python androidForge.py --efuse-read
python androidForge.py --efuse-read 0x11C10000
python androidForge.py --nvram-write backup/MT6765/nvram.img
python androidForge.py --da2 ./DA_SWSEC.bin --rpmb-dump
python androidForge.py --uart-port /dev/ttyUSB0 --list-partitions

python androidForge.py --recipe my_recipe.json
python androidForge.py --watch
python androidForge.py --watch --watch-action backup
```

| Flag | Description |
|---|---|
| `--force` | Skip typed confirmation prompts |
| `--verbose` | Verbose USB I/O output |
| `--debug` | Full debug output with stack traces |
| `--out FILE` | Output file or directory path |
| `--payload FILE` | Custom bypass payload binary |
| `--wait-timeout N` | Seconds to wait for BROM device (default: 60) |
| `--partitions LIST` | Comma-separated partition list (used with `--dump`) |
| `--uart-port PORT` | Use UART serial instead of USB |
| `--rpmb-sectors N` | Number of RPMB sectors to read (default: 64) |
| `--efuse-count N` | Number of eFuse dwords to read (default: 16) |
| Key | Action |
|---|---|
| A | List Partitions (GPT table) |
| B | Dump Partitions |
| C | Flash Partition |
| D | A/B Slot Management |
| E | Reboot Device |
| F | Check Dependencies |
| G | List All Chipsets |
| H | Download All Payloads |
| I | Disable AVB (vbmeta patcher) |
| J | Root Device (guided Magisk workflow) |
| K | Backup Critical Partitions |
| L | Restore Boot / Un-root |
| M | BROM Memory Explorer |
| N | Boot Image Inspector |
| O | NVRAM Parser |
| P | Partition Map (ASCII visualizer) |
| Q | OTA Payload Extractor |
| R | Run Recipe (JSON automation) |
| S | Watch for Device (USB auto-detect) |
| T | RPMB Dump |
| U | eFuse Read (OTP registers) |
| V | NVRAM Write (patch IMEI/MAC) |
```
androidForge/
├── androidForge.py     Main tool (~11,912 lines — all logic in one file)
├── encrypt_tool.py     3-layer Marshal+Zlib+Base64 obfuscation tool
├── enc.py              Encrypted distribution copy of androidForge.py
├── requirements.txt    Python dependencies
├── commands.txt        Full command reference and user manual
├── AboutProject.txt    Full project documentation and architecture
├── tests.py            Unit tests
├── payloads/           Chipset-specific BROM bypass payload binaries
├── backup/             Default output for dumped images + audit logs
└── logs/               Timestamped execution logs (last 20 kept)
```
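
Marshal, zlib and Base64 are encodings rather than ciphers, so a script wrapped in those layers can be reviewed statically before anyone runs it. The sketch below is an added example, not code from this project: the base64 → zlib → marshal layer order and the constructed sample are assumptions, and `marshal.loads` must run under the same Python version that produced the blob.

```python
import base64
import marshal
import types
import zlib


def unwrap(blob: bytes) -> types.CodeType:
    """Peel base64 -> zlib -> marshal. Nothing is exec()'d at any point."""
    # marshal is not hardened against malformed input: do this in a throwaway VM.
    code = marshal.loads(zlib.decompress(base64.b64decode(blob, validate=True)))
    if not isinstance(code, types.CodeType):
        raise ValueError("innermost layer is not a code object")
    return code


def summarize(code: types.CodeType, out=None) -> dict:
    """Collect referenced names and string constants, recursing into nested code."""
    out = out if out is not None else {"names": set(), "strings": set()}
    out["names"].update(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            summarize(const, out)        # functions, classes, lambdas
        elif isinstance(const, str):
            out["strings"].add(const)    # URLs, paths, prompts, ...
    return out


# Constructed sample standing in for an obfuscated file's payload.
SRC = (
    "import urllib.request\n"
    "def fetch():\n"
    "    return urllib.request.urlopen('https://example.invalid/key')\n"
)
SAMPLE = base64.b64encode(zlib.compress(marshal.dumps(compile(SRC, "<sample>", "exec"))))

if __name__ == "__main__":
    report = summarize(unwrap(SAMPLE))
    print(sorted(report["names"]))
    print(sorted(report["strings"]))
```

The names and strings are enough to see which modules, network endpoints and file paths a wrapped script touches; `dis.dis()` on the returned code object gives the full bytecode listing.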
- Protected partitions — `preloader`, `lk`, `tee1/2/a/b`, `seccfg`, `nvram`, `proinfo`, `pgpt`, `sgpt` are blocked unconditionally; use `--force` to override non-critical ones
- Confirmation gates — Write operations require typing a specific phrase (`ERASE <NAME>`, `YES`, `WIPE USERDATA`) before any bytes are sent
- SHA256 verification — All flash operations verify data integrity after writing
- Sector-level resume — Interrupted dumps continue from the last flushed sector via `.partial` files
- Sparse image auto-conversion — Detected and converted inline; no `simg2img` needed
- Audit log — Every operation recorded to `backup/<chipset>/forge_audit_<ts>.jsonl`
- URL allowlist — All network requests validated against a trusted HTTPS host list
- Key access control — Hardware-locked developer key gates USB write operations
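
What sparse-to-raw conversion involves, with the bounds checks a flasher needs before trusting an image header. This is an added example following the public Android sparse image layout, not code from this project; `sparse_to_raw`, its `max_size` parameter and the sample image are constructed for illustration.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A
RAW, FILL, DONT_CARE, CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
HDR = struct.Struct("<IHHHHIIII")  # sparse_header: 28 bytes, little-endian
CHUNK = struct.Struct("<HHII")     # chunk_header: type, reserved, blocks, bytes

def sparse_to_raw(data: bytes, max_size: int) -> bytes:
    """Expand a sparse image, rejecting malformed input or output > max_size."""
    if len(data) < HDR.size:
        raise ValueError("truncated sparse header")
    (magic, major, _minor, hdr_sz, chunk_sz,
     blk_sz, total_blks, n_chunks, _csum) = HDR.unpack_from(data)
    if magic != SPARSE_MAGIC or major != 1:
        raise ValueError("not a v1 sparse image")
    if hdr_sz < HDR.size or chunk_sz < CHUNK.size or blk_sz == 0 or blk_sz % 4:
        raise ValueError("bad header geometry")
    if total_blks * blk_sz > max_size:  # check before allocating anything
        raise ValueError("expanded image exceeds target size")
    out, off, blocks = bytearray(), hdr_sz, 0
    for _ in range(n_chunks):
        if off + chunk_sz > len(data):
            raise ValueError("truncated chunk header")
        ctype, _res, nblk, total_sz = CHUNK.unpack_from(data, off)
        if total_sz < chunk_sz or off + total_sz > len(data):
            raise ValueError("chunk overruns file")
        if blocks + nblk > total_blks:
            raise ValueError("chunks exceed declared block count")
        body, span = data[off + chunk_sz:off + total_sz], nblk * blk_sz
        if ctype == RAW and len(body) == span:
            out += body
        elif ctype == FILL and len(body) == 4:
            out += body * (span // 4)   # 4-byte pattern repeated
        elif ctype == DONT_CARE and not body:
            out += bytes(span)          # skipped on flash; zeros in a raw file
        elif not (ctype == CRC32 and len(body) == 4 and nblk == 0):
            raise ValueError(f"bad chunk type or size at offset {off}")
        blocks, off = blocks + nblk, off + total_sz
    if blocks != total_blks:
        raise ValueError("block count mismatch")
    return bytes(out)

# Constructed sample: 4 blocks of 8 bytes as RAW(1) + FILL(2) + DONT_CARE(1).
SAMPLE = (HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12, 8, 4, 3, 0)
          + CHUNK.pack(RAW, 0, 1, 20) + b"ABCDEFGH"
          + CHUNK.pack(FILL, 0, 2, 16) + b"\xaa\xbb\xcc\xdd"
          + CHUNK.pack(DONT_CARE, 0, 1, 12))
```

Passing the target partition's size as `max_size` means a header that declares more blocks than the partition holds is rejected before any data is expanded or written.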
Run the built-in search to check compatibility:

```bash
python androidForge.py --search <chipset_or_model>
python androidForge.py --list-chipsets
```

Coverage includes MT6572–MT6985 across 32-bit classic, 64-bit Helio, Dimensity 700/800/900/1000/1200/8000/9000 series, and MT81xx tablet SoCs.
androidForge uses a device-locked key system. On first run, a unique key is derived from your machine hardware and checked against an approved whitelist. If not yet approved, the tool opens a Telegram request to the developer.
Contact for key approval: Telegram @GOODxVAMPIRE
GOODxVAMPIRE
This tool is intended for legitimate forensic, development, and personal device recovery use only. Misuse to bypass security on devices you do not own is illegal. The author assumes no liability for damages caused by improper use.