This page is intended to explain how to hack pre-Android Chinese phones based on the MediaTek MT62xx platform, running the ‘Nucleus’ operating system. The hacks focus on watch phones, but the principles are the same for all phones based on the same hardware platform. If it is not obvious from the length of the page and the amount of technical terms in the descriptions, hacking these phones is not easy. You cannot just download some easy-to-use app, you cannot really ‘root’ the phone like on Android, and you cannot just edit a few files to make groundbreaking changes.
This Hackaday article, as well as this bunniestudios blog post, give a hint at why hacking this platform is so frustrating: the Chinese do their best to keep it a gated community only accessible to Chinese companies. Only within China, there is quite a bit of openness about the hardware even though officially it is all supposed to be confidential. (This practice is called ‘Gongkai’ or 公开 in the bunniestudios article.) In the West, all we can do is use the scarce leaked documents we can find (possibly after translating them), and for the rest it is a matter of tedious reverse engineering.
Please do not waste your and my time by mailing me with vague and general questions about how to hack any generic Chinese phone, I won't even reply to such mails. All the essential information I can tell you is already in this page, and more clarification can often be found by using a search engine. Some examples of good reasons to mail me are asking clarification for something explained here, or asking how to find a particular file inside the ROM dump.
Also, please do not ask me to perform one of these hacks for you. I will not do it. Not even if you're willing to pay for it. Any mail containing such a request will be ignored, so don't waste your time and hope on this. I have grown so sick of hacking this god awful proprietary MTK platform, that I refuse to touch it anymore. In general I recommend to avoid these Nucleus OS-based phones and use an Android-based phone instead. Not that doing any random Android hack is easy, but at least the platform is much more open, there is a much larger community and know-how pool around it, and for many things you can actually just write a regular app with widely available tools, and install it with just a few clicks. You cannot do that on a Nucleus phone!
Now that we got that out of the way, we can get a bit more technical. To do the simplest hacks, it suffices that you are entirely familiar with how to use computers. To do the most difficult hacks, you need to be familiar with electronics and low-level software concepts, in other words you must understand how computers work down to the low-level details. You have been warned.
Caution: there is a new series of cheap smartwatches based on the MT626xDA. The ‘D’ in the model number seems to signify that these chips are incapable of using more than 4MiB of ROM. To compensate for this, the ROM seems to be compressed, which makes these watches pretty much unhackable. The ROM can be downloaded, but looks like random junk. Do not buy these things, because they will still be full of bugs and there will be no possibility whatsoever to fix them. Yet another motivation to move to Android-based (watch) phones.
Everything written here is based on the experiences I had with hacking two models thoroughly. The first was the S9110 based on the MT6225 platform, the second is the MQ668 based on the MT6253 platform. The good news is that almost all older watch phones were based on MT6225, and many newer ones are based on MT6253, so the information on this page should help you out to hack many older and current watch phones.
You may have bumped into some Russian software (like ChinaResMan, China Editor, MTKMediaEditor, MTKore, MTK Rom Studio, …) that allows some pretty advanced hacks on Chinese phones, with a user interface that is relatively easy to use. You may also have noticed that these programs are quite expensive and protected with extensive encryption systems. The reason is that making those programs takes an enormous amount of time and those people do not want to see their work being copied for free. The problem with those programs is that they get outdated very quickly and will no longer work on any recent phone because MediaTek keeps on changing the firmware format, so do not waste your time looking for these programs. This document describes methods to hack these phones for free… but only if you ignore the “time is money” proverb.
Before you start, it is essential to know the general structure of the device you are going to hack. A typical MT62xx-based phone roughly consists of the following hardware:
The only thing we really care about here is the on-board flash memory. It is divided into three main parts:
All the hacks described here will either be performed inside the hidden system file partition, or the operating system chunk. The first are the easier hacks, because all you need to perform them is the USB cable and the right software. Hacks within the OS are much harder, because first of all you need to be able to download the firmware image, which requires a special cable and a serial adaptor. And once you have this image, you have one big monolithic chunk of data that requires considerable skill to edit. Let me make one thing clear: hacking these phones is not for the faint of heart. Do not expect to just download a magical hacking tool that turns any crappy phone into a tiny iPhone on your wrist. You will need to get your hands dirty and require huge amounts of spare time.
Most of the MTK-based phones have an ‘Engineer mode’ that can be accessed by entering a special phone number. The number typically looks like *#36466336#
or a variation with fewer or more digits, but it can be entirely different (e.g. on my MQ668 it was *#503#
). Unfortunately the only reliable way to find the code for Engineer mode for a particular phone, is by downloading the ROM image and looking for strings that match the pattern: “*#[digits]#”. Do not be tempted to try all kinds of codes in a trial-and-error manner: there is generally also a particular code that disables Engineer mode, so if you would accidentally enter that code, you'd be locked out forever unless you can restore a previous backup of your ROM image.
Engineer mode is interesting because it may allow to perform some basic tweaks without requiring the types of hacks described below. How useful Engineer mode is on your particular phone, depends on what the makers of its ROM decided to put into it. It may be possible to adjust audio levels in it, or change the user-agent string of the browser. On my MQ668 however, Engineer mode was stripped of almost everything useful, so it is a bit of a matter of luck.
One thing you should remember when trying to change anything inside Engineer mode, is to stay clear of options you do not understand. It is possible to perform actions that will brick your phone, e.g. the ‘High speed SIM’ option is rumoured to cause instant brick (I never tried it, obviously). It is highly recommended to first make a ROM backup before trying anything special.
Next to Engineer mode, there is also Factory Mode, which offers all kinds of tests for the hardware of the phone. It is generally safe to play around in this, although some tests may cause you to get stuck and require a reboot of the phone. Again, the code for Factory mode may vary between phones, on my S9110 it was *#666*#
, on the MQ668 it was *#504#
.
When I said that these are the easier
hacks, I did not mean they are easy, only that they are less difficult than the horribly difficult OS hacks. They are still hard and they require some knowledge about mounting file systems and editing binary data files. If you do not even know what ‘mounting’ means or what a file system is, then I suggest you give up right now and buy an iPhone while waiting until someone builds a decent non-frustrating watch phone. I will only provide the basics here and assume you can figure out how to do the technical stuff yourself. Mind that I am providing all this info here voluntarily and this is already taking a lot of my time I'd rather use for something else. If you mail me with questions, be patient. I will try to answer them but it could take time (a week will not be unusual).
The clue to these hacks lies within mounting the hidden system FAT partition. For Windows there are a few programs that allow to mount this partition (look for “Chinese Phone Suite”). There is a general method however that should always work for any operation system. I have only done it in Linux and Mac OS X, so any example commands I give below will be for those operating systems only. Please do not ask how to do this in Windows. After having gained experience with various different operating systems, my vision of Windows has become that it is a toy operating system only good for games, and that is the only thing I use it for.
mount
’ command). Then, unmount it again but do not unplug the phone.dd if=/dev/sdb of=phone.dat
”. By all means keep a backup copy of the very first dump you create this way, or the last one that worked flawlessly. If you mess things up, you can always restore this one.losetup
and mount
commands.dd if=phone.dat of=/dev/sdb
”.If you are hoping that you can overwrite the partition table on the phone itself such that it always mounts the two partitions: nice try, but no cigar. The phone will overwrite your changes and always return the single-partition table, therefore the kludge described above is unavoidable.
In Linux there is a caveat with usb_modeswitch, which is something that tries to work around crap that manufacturers embed in some USB devices like modems to make them have multiple personalities. Phones will typically present themselves as a CD-ROM drive offering Windows drivers. It is possible that this will prevent the data partitions on the phone from mounting in Linux. Sometimes even weirder things may happen, like button press commands being sent to the phone.
If this happens, a quick but ugly workaround is to disable automatic switching in /etc/usb_modeswitch.conf.
A better fix is to add an exception rule for the USB vendor and device ID of your specific phone. To do this, create a file /etc/usb_modeswitch.d/0e8d:0002, replacing “0e8d:0002” with the vendor/product ID of your particular device (this example ID is a typical one for certain MediaTek devices). Inside this file, write the following line:
Configuration=0
Before you do any of these hacks, it is important to note that all the binary files end with a checksum calculated over the rest of the file. If the checksum is incorrect, the phone will replace the entire file with default values. So if you're going to modify these files without recalculating the checksum, your hacks will have no effect. Obviously, you will want to use a program to compute this checksum.
The checksum is stored in the last two bytes of every file. Assuming that the first byte in the file has an even index (0) and the second byte an odd index (1), the algorithm to compute the checksum is pretty simple. The second to last byte contains the sum of all preceding odd bytes modulo 256. The last byte contains the sum of all even bytes modulo 256. Or, in (straightforward but inefficient) code:
checksum = unsigned char[2]; checksum[0] = checksum[1] = 0; for( i=0; i<filesize-2; i++ ) { if( i & 0x1 ) checksum[0] += data[i]; else checksum[1] += data[i]; }
Sorry, but I do not have a ready-to-use program that you can download. If you have basic programming skills in any language that allows low-level data operations (e.g. Python), you should be able to implement something that reads a file, performs the above loop, and either writes the checksum back to the file or prints it out so you can manually update it in a hex editor. If this looks scary already, you may want to consider throwing your Chinese phone in the trash and buying one of the newer rootable Android-based models which will not have stupid bugs and are much easier to customise.
MTK phones have the following audio modes (newer phones may have additional modes for Bluetooth etc.):
Each mode has several separate volume settings that are used in specific situations. Each setting has 7 levels. They also define a ‘maximum analog gain’ and step size that are used inside the music and movie player (which offers a more fine-grained volume adjustment than 7 steps). The microphone also has a gain value. Even though it seems you can define a different microphone gain for each of the 7 loudspeaker gains, I believe only one value is actually used. It also makes almost no sense to vary the microphone gain, therefore I recommend using the same value for each of the 7 settings.
The Chinese have a tendency to mess up the volume and sensitivity settings. Mostly they don't seem to know what they are doing, and often they will turn down the microphone out of fear that it could cause feedback howl. It is often safe to boost the microphone level considerably or even set it to the maximum. If you do get a howling sound, turn down the Microphone values until it no longer occurs. For Normal and LoudSp, you should definitely set the “sidetone” values to zero. Sidetone determines how much of your own voice is played through your own speakers, and is useful for the Headset profile to better hear yourself speaking.
If you're lucky, these settings can be modified in the Engineer mode of your phone, but this is not always the case. The alternative is to directly edit them in the NVDATA file MP05_001. On the phones that I hacked, the structure of this file is as below. Each of the 7 volume levels is a single byte, as are the media max gain and step size.
MP05_001 file structure: 0x00-0x06: unknown, all 7F 0x07-0x0D: Normal Key Tone 0x0E-0x14: Normal Microphone 0x15-0x1B: Normal FM Radio 0x1C-0x22: Normal Speech 0x23-0x29: Normal Sidetone 0x2A-0x30: Normal Melody 0x31-0x37: unknown, all 7F 0x38-0x3E: Headset Key Tone 0x3F-0x45: Headset Microphone 0x46-0x4C: Headset FM Radio 0x4D-0x53: Headset Speech 0x54-0x5A: Headset Sidetone 0x5B-0x61: Headset Melody 0x62-0x68: unknown, all 7F 0x69-0x6F: LoudSp Key Tone 0x70-0x76: LoudSp Microphone 0x77-0x7D: LoudSp FM Radio 0x7E-0x84: LoudSp Speech 0x85-0x8B: LoudSp Sidetone 0x8C-0x92: LoudSp Melody 0x93-0xA7: unknown 0xA8: Normal Max Analog Gain 0xA9: Headset Max Analog Gain 0xAA: LoudSp Max Analog Gain 0xAB: unknown 0xAC: Normal Step 0xAD: Headset Step 0xAE: LoudSp Step 0xAF-0xB6: unknown 0xB7-0xB8: checksum
The pre-Android phones use a simple table that maps battery voltage to the battery indicator on the screen. The number of different levels that can be shown in the indicator, differs per phone firmware. However, the voltage-to-level map is most likely stored in the NVDATA file MP01_001, around 0x168 to 0x18F. The lowest voltage comes first. The first few levels all map to the ‘empty’ indicator but could trigger different kinds of low battery warning pop-ups. Each value is a 32-bit unsigned integer in little Endian format, representing microvolts (e.g. D8 15 35 00
is 3.479 Volts). It is not trivial to get good values for this table, check out my MQ668 review to get an idea of how it can be done. Basically, you should cause a steady drain on the battery (e.g. by looping a movie) and read out the voltage in Engineer mode at regular intervals to obtain the kind of curve shown there.
The photo and video counter values can be in a file called either CT01_010 or MM01_001. The photo counter is at bytes 0x5C,0x5D
and the video counter at 0x60-0x61
.
The address book seems to be distributed across two files: MP0c_000 and MP0h_001. Telephone numbers are encoded with two digits per byte: the last four bits represent the first digit, and the first four bits the second digit.
Quick dial or voicemail settings are stored in MP13_001. This may be useful if you accidentally configured this on a phone that does not allow to undo this setting, as was the case on my MQ668. Just write some garbage to the file to cause it to be reverted to default.
These hacks involve downloading the binary ROM image, editing the ROM dump, and then re-uploading it to the phone. The bad news is that the binary format tends to change between different phone models, which is why it is pointless to describe in detail how to perform a particular hack. Instead, I will explain the general way of working and give a few examples.
Whatever you want to do, be it trying to simply flash another firmware or making some small hack, make a backup of your current ROM image first! It is a good idea anyhow because it allows to check whether the serial connection is reliable, but the most important thing is that you can go back to your old image if anything fails. Please don't mail me asking where you can find a ROM image to restore your random obscure smartwatch because you forgot to make a backup, I cannot help you with that.
First, you need to figure out how to make a direct serial connection to the phone. This could involve soldering your own cable, or disassembling the phone and probing contacts on the PCB (look for contacts marked ‘TX’ and ‘RX’. Only on very recent phones it might be possible to download through the standard USB cable.
If the phone has one of those typical 12-pin connectors as pictured on the right, or some other connector with more than 4 pins, there is a method that can be used to figure out what pins are likely to be the TX and RX of the serial connection. Both TX and RX pins will typically be at a specific voltage when the phone is turned on. If you short the pins to ground with a resistor of reasonable value, the RX pins will drop to near-zero Volts while the TX pins will keep their voltage. For more details, google around. You can find pin-outs for the S9110 and MQ668 in their respective reviews.
If you have found the TX and RX pins on either the connector or PCB, you need to connect them to your PC through a TTL-to-USB adaptor (not a RS232 serial port if your PC still has one of those, because it does not use TTL levels). I recommend using a TTL-to-USB adaptor based on the CP2102 chip. Once you have this hardware part figured out, you can move to the software:
These steps skip various important details, so if you have no idea yet how to hack the firmware, they will be of little help. Like I said above, hacking these phones is not as simple as downloading an app or watching a YouTube video. There are almost no free tools. The binary formats inside the firmware are often proprietary and can change between firmware versions. You're pretty much on your own here. You need tons of patience. I pretty much burned up my entire lifetime stockpile of patience on these kinds of hacks, you have been warned.
Nevertheless, a lot of hacks simply involve searching for certain strings inside the ROM dump, and editing them with a hex editor. For instance, to avoid that the WAP browser has a preference for Chinese webpages, look for a string like “zh-tw, zh-cn, en” and replace it with anything that starts with “en” or your language code of choice, but make sure the new string is exactly as long as the original, pad it with spaces if necessary. This is essential: whatever you do, make sure to not delete or insert any bytes: everything must stay at the same address locations in the ROM.
Of course, the ROM image is not just a blob of random data. It has a logical structure and in theory it is possible to reverse engineer this structure and pull the ROM neatly apart into all its components. Some of the Russian programs partially allow to do this, but this functionality often breaks between different versions of the firmware.
One essential fact is that every data block in the ROM must be aligned to a multiple of 4 bytes (because this is a 32-bit platform). If you are looking for something in the big blob of binary data, and it is at an address divisible by 4, then it has a better chance of being the thing you're looking for than if it is at a random place. Parts of the ROM consist of tables that contain addresses pointing to data blocks. If you find a chunk in the ROM with a bunch of numbers that are divisible by 4, it is likely to be such table. The addresses may have an offset w.r.t. the actual data. One important lesson to remember from this, is that it is often possible to relocate data in a limited manner inside the ROM.
Example: you want to replace an image currently at address 0x931F38 with something larger. First, find some unused space in the ROM with room for the larger data: the last part right before the user data partition is a good candidate. Paste your image there at an address that is a multiple of 4. Next, search for the old address bytes in reverse order: 38 1F 93. If you find nothing, try again with 4 added or subtracted from the address. If you find occurrences of this address inside a regular-looking table, replace them with the new address of your image, again bytes reversed (and with offset if necessary). Now the phone will either work and use your new image, or do strange things and crash badly. The latter will happen if either what you modified was not really the address table, or the space where you have put your image was not unused. Unfortunately this method does not always work, sometimes the addresses in the tables are too different from the actual ROM positions, or the phone computes the address of the data without going through a table altogether.
To give you a taste of how these kind of low-level hacks are performed, I'll make all the information available that I gathered to perform the custom keyboard layout hack on the MQ668. I consider that hack the most difficult I have ever done. Because I suspect that the way in which the keyboards are represented might differ slightly or severely between different firmwares, it is pointless to make a step-by-step recipe for this kind of hack. Instead, I just provide my notes here for download, as well as a Perl script that is required to decode and encode the RLE background format. This is not for the faint of heart, but if you read through the notes and look at the examples, you should be able to perform the same kind of fix, even on other phones where the format differs somewhat.
Older phones like the S9110 use a much simpler bitmap format for the keyboard backgrounds. It starts with 0x28 0x01
, then a 16-bit integer indicating the size of the file minus 8, then 50 bytes of header data (including colour table, haven't reverse-engineered this). Then the actual bitmap follows, which is represented by 4 bits per pixel in little Endian, e.g. a byte 0xC1
means a pixel of colour index 1, followed by one of colour index C.
It seems relatively unknown that despite the primitive nature of these Nucleus OS-based phones, they are quite usable for basic internet browsing, at least when one has managed to configure the data connection. The main problem is that the built-in browser has to make do with very little RAM and other limitations. A solution is to browse through Google's ‘Wireless Transcoder’ as explained in the S9110 review. This will only work well if the browser identifies itself with an appropriate User-Agent HTTP header (and if Google haven't terminated their transcoder in the meantime).
If you are lucky, Engineer mode allows to change the User-Agent like on the S9110. Otherwise, you must edit the hard-coded string in the ROM itself, as I did with the MQ668. To do this, you must know where the User-Agent header string is in the ROM, in other words what string it is. This is easy if you have a web server reachable through the Internet: visit one of its webpages through the phone, then look in the server logs what user-agent it was. Or try to load a website that shows request headers in the phone's browser. Otherwise, try a case-insensitive search for “Maui Browser”, chances are good this is the default. Once you have found the current User-Agent string, you can modify it. I recommend the following string; beware that this will most likely be longer than the original and will therefore need to be relocated:
SonyEricssonK700i/R2AG SEMC-Browser/4.0.3 Profile/MIDP-1.0 MIDP-2.0 Configuration/CLDC-1.1
Here's another example of a hack: on the MQ668, the browser proved to have decent CSS support. This allowed to work around some of the most annoying problems like the ridiculously thick horizontal scroll bar appearing for no good reason. The browser has a master CSS file stored somewhere in the ROM. Finding this is relatively easy: just search for typical CSS syntax like “font-size”. When editing the CSS, the only thing you need to take care of, is to keep the file the exact same size as the original. Just pad it with newlines if your modified file is smaller, and ensure it is not larger. If it really needs to be larger, again you could try to move it to an unused section of the ROM.
In this particular case, I imposed some restrictions on the width of certain elements, such that they would never be wider than the available space in the tiny display. This prevented the horizontal scroll bar from appearing in e.g. the Google wap transcoder pages. Obviously, you must know something about CSS to do this kind of tweak. If you want to see how I tweaked the MQ668 CSS file, here is the original file versus my hacked file.