This guide by Luxferre is a safe jailbreak guide for the Sigma S3500 sKai and other MediaTek-based devices (confirmed).
A safe jailbreak for MediaTek-based KaiOS phones (without tampering with any boot or system partitions) has been made possible thanks to the cache injection method. Unlike other methods, it doesn't even require a factory reset and gives full privileged developer access (allowing you to use, for instance, OmniSD and so on). This has also been tested on Qualcomm and Spreadtrum devices, making it the best jailbreak method!
Note that debug-enabled devices can install applications using ADB and WebIDE directly; they are all based on Qualcomm or Spreadtrum and can use codes absent on MediaTek-based devices, which instead can take advantage of other connections via shell or browser:
For all the methods listed here, the only goal is to insert a file called __post_reset_cmd__ into the /cache partition, with the word "root" inside. Here are the procedures, listed in order of difficulty, from the simplest to the most complex:
Wallace Toolbox is a universal toolbox for KaiOS internal tweaking, with 14 useful functions packed in one small app, based on LibWallace and several independent pieces of research. You can learn more about it in the TEMPORARY ROOT / WALLACE TOOLBOX section.
From version 0.0.5, Wallace Toolbox has full support for direct cache injection with both the /cache and /persist partitions where applicable.
Sideloading apps is possible on Qualcomm/Spreadtrum devices that have working debug codes:
*#*#33284#*#* for Qualcomm
*#*#33284#*#* and *#*#0574#*#* in that order for Spreadtrum
MediaTek-based devices can instead rely on the other cache injection methods on this page.
Wallace Toolbox from the official repository, https://gitlab.com/suborg/wallace-toolbox
WebIDE and ADB (if you're using Windows, macOS or Linux), or just the KaiosRT Emulator if you're using some Linux distro.
Just sideload Wallace Toolbox like any other KaiOS / Firefox OS app.
Open the app and press the # key, then confirm the reboot.
The app enables the Developer Menu automatically, without having to perform a privileged reset.
A WebUSB-based helper for this jailbreaking method has been created, named "ca.in", which stands for "cache injection".
It's possible to use it by connecting to https://cain.bananahackers.net using a Chromium-based browser like Chromium, Google Chrome, Opera or Microsoft Edge (other browsers like Firefox and Safari don't support WebUSB yet). Other than that, no other installations are needed.
Essentially, this is mtk-bootseq + fastboot combined over WebUSB. It uses the USBIO helper class in JavaScript.
The project is highly experimental - use at your own risk; no complaints are accepted, but if you're ready to test, please tell whether it worked for your device.
If you have a MediaTek-based KaiOS phone and can't enter Fastboot with a combo:
Press "Enter Fastboot (MTK)".
Insert the cable.
Quickly connect to MTK preloader port once it appears in the browser USB menu.
Once you're in Fastboot mode, do the following:
Press "Jailbreak".
Connect to "Android" port once it appears in the browser USB menu.
After reboot, the Developer menu should appear in the Settings - Device section.
If the flashing doesn't succeed:
Reconnect in Fastboot mode.
Press "Attempt OEM unlock".
Repeat the whole procedure.
adb shell as root: install a root app (safe) using ADB or WebIDE. If your device does not have busybox, also install OmniBB.
If your phone is unable to install apps, you need to patch the /boot partition (unsafe).
Use the following commands from (rooted) ADB shell:
adb shell
echo 'root' > /cache/__post_reset_cmd__
reboot
After that, the Developer menu should appear.
In theory, you can also just modify the /cache partition to include this __post_reset_cmd__ file with the root string and get the same result after the next boot.
Use this archive: https://cloud.disroot.org/s/JBTFz7DZ6D4Gspt/download (SHA256: b54321675b458166cb6b561955821aa5fa6a576c675064829ef2857c987c1a63)
If necessary, additional drivers (on Windows).
Install ADB and Fastboot. Install necessary drivers if on Windows.
Put the phone into the Fastboot mode. Do the following steps (2.1 to 2.3) if your phone does not have Fastboot key combination:
2.1. Install Python 3 and pyserial as the dependency. Install necessary MediaTek serial port drivers if on Windows.
2.2. Determine which port appears in /dev (on Linux/Mac) or as COMx (on Windows) when you connect the turned-off device to the PC and repeatedly short-press the End key.
2.3. Put the phone into the Fastboot mode with the following command (the script is in the archive):
python3 mtk-bootseq.py FASTBOOT your_port
(where your_port is the port you detected in the previous step)
fastboot flash cache cache-jb.img -u
fastboot reboot
Verify that the Developer menu is in place (Settings > Device > Developer).
Verify that you can get into ADB by first selecting the "ADB only" and then "ADB and DevTools" debug mode.
Reboot the system into recovery - use the key combination for your device to get into it, or enable ADB+DevTools access and run:
adb reboot recovery
Reset the cache partition: find and select the "wipe cache partition" item in your stock recovery menu.
Reboot back into the system and you'll have full developer access until the next factory reset!
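Before flashing anything to a partition, check that the archive you downloaded is really the one this guide refers to. The following shell snippet is an added example, not part of the original guide or its archive: it compares a file's SHA256 against the hash given above and only runs the fastboot step once that check passes. It assumes sha256sum (or shasum on macOS), adb and fastboot are on your PATH; the archive and image filenames are passed as arguments because the archive's filename is not stated on the page.

```shell
# Added example (not from the original guide): refuse to flash cache-jb.img
# unless the archive it came from matches the SHA256 published in the guide.
# Assumes sha256sum or shasum, plus fastboot, are installed on the host PC.

# SHA256 of the archive as given in the guide.
EXPECTED_ARCHIVE_SHA256="b54321675b458166cb6b561955821aa5fa6a576c675064829ef2857c987c1a63"

# Print the lowercase SHA256 hex digest of a file, whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's digest equals EXPECTED_HEX (case-insensitive), 1 otherwise.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file: got $actual, expected $expected" >&2
    return 1
}

# flash_cache_if_verified ARCHIVE IMAGE
# Flashes IMAGE (cache-jb.img extracted from ARCHIVE) to the cache partition
# only if ARCHIVE matches the published hash; otherwise nothing touches the phone.
flash_cache_if_verified() {
    verify_sha256 "$1" "$EXPECTED_ARCHIVE_SHA256" || return 1
    [ -f "$2" ] || { echo "image not found: $2" >&2; return 1; }
    # Same two commands as in the procedure above, run only after verification.
    fastboot flash cache "$2" -u && fastboot reboot
}
```

Run it with the archive you downloaded and the extracted image, e.g. `flash_cache_if_verified downloaded-archive.zip cache-jb.img`; a MISMATCH line means the download is corrupt or not the file this guide describes, and the flash is skipped.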
Theoretically, this method can also work on non-MediaTek devices (Spreadtrum or even Qualcomm) as long as you can put them into Fastboot mode and run the fastboot flash cache cache-jb.img -u command. Have fun!