Can I root Secure Boot Mediatek Android without a DA file?

A few weeks back, one of my mentors in tech sent me a Bluboo S1a to be rooted. It was a Mediatek MT6757 device running on Android 7, so one-click root apps were definitely off the table.

The plan was to back up the firmware using NCK Pro box then root using the boot.img + Magisk. It's always a good idea to back up the firmware before attempting to root because you:

  1. Know the build number and ROM the device was running on before modification
  2. Have a safety net to flash back should the rooting attempt go sideways
  3. Don’t have to waste data on downloading even if the firmware is available online (this one wasn’t)

…then I hit a brick wall.

I got the dreaded Boot Error in NCK Box and ERROR: STATUS_BROM_CMD_SEND_DA_FAIL (0XC0060003) while attempting to back up using wwr. This was a Secure Boot Mediatek device and I would need a DA file.

This left me with two choices:

  1. Find a working DA file
  2. Use the fastboot approach

Option 1 wasn’t much of an option

The problem with option 1 was that there wasn’t even a firmware for this model online, let alone a secure boot DA file. I found only one post talking about the Bluboo S1a, and the OP was asking for help. Many views, zero response – go figure!

Based on online comments, the other variant of the phone (Bluboo S1) didn’t seem to have secure boot. I was on my own.

Option 2 was very risky

I normally avoid option 2 for several reasons. This was a device whose firmware I couldn’t even find, let alone its DA file. With nothing and no way to flash, I would be doomed should the device get bricked.

There was also the “Orange State Your devices has been unlocked and can’t be trusted” error to contend with after unlocking the bootloader – if it was even unlockable.

I didn’t have any file for the Bluboo S1a so I would be using a file from the Bluboo S1’s firmware I’d downloaded. What if they weren’t compatible?

Option 2 it was, but with calculated risks

After unsuccessfully trying a few random DA files from the Hovatek Forum, it was clear that option 2 was the way to go but I needed to be smart about it.

First off, I would go with a TWRP + Magisk flashable zip instead of the Magisk patched boot method. The logic behind this was simple. Bluboo S1 and S1a ought to be somewhat related but it doesn’t mean one could inter-flash their firmware without problems.

If I flashed an incompatible boot.img then I would end up with a bootloop; end of the road. If I flashed an incompatible recovery.img, I would lose access to the stock recovery but still be able to boot up.

That wasn’t all. I also decided it would be best to boot the TWRP instead of flashing. This way, my stock recovery would still be intact even if the TWRP recovery was incompatible. I also had to ensure I had copied Magisk zip to both phone and SD card because booting TWRP without rooting with either Magisk or SuperSU could result in a brick…yup!

Good To Go

The first task was to unlock the bootloader, but then I hit another brick wall; the phone wasn’t getting detected in fastboot. I fixed that as explained in the video below:

Next up, I copied the Magisk zip to both phone storage and SD card after which I ported TWRP using our TWRP Porter.

Once I had detection in fastboot, Magisk copied to the phone and the TWRP recovery.img in the fastboot folder, I ran:

fastboot boot recovery.img

Voila! I was in TWRP recovery and touch was working. I went ahead to back up first then root by flashing the Magisk zip.

The first reboot took quite a while but once booted up, I had root access.
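Before handing a ported image to fastboot boot, it is worth confirming that the file is at least a well-formed Android boot/recovery image and not a truncated or mislabeled download. The script below is an added example, not part of the original post: it parses the legacy boot image header used on Android 7 and checks the magic, page size and section sizes against the file length. The sample image and its load addresses are constructed for the demonstration. Passing this check says nothing about compatibility with the device, which is why booting rather than flashing remains the safer first step.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Legacy (v0) boot image header: 8-byte magic, then eight little-endian uint32s.
_HDR = struct.Struct("<8s8I")
_VALID_PAGE_SIZES = {2048, 4096, 8192, 16384}

def _pages(size, page):
    """Number of whole pages needed to hold `size` bytes."""
    return (size + page - 1) // page

def check_boot_image(data):
    """Return (header_dict, problems) for a boot/recovery image blob."""
    problems = []
    if len(data) < _HDR.size:
        return {}, ["file shorter than a boot image header"]
    (magic, k_size, _k_addr, r_size, _r_addr,
     s_size, _s_addr, _tags_addr, page) = _HDR.unpack_from(data)
    hdr = {"kernel_size": k_size, "ramdisk_size": r_size,
           "second_size": s_size, "page_size": page}
    if magic != BOOT_MAGIC:
        return hdr, ["missing ANDROID! magic: not a boot/recovery image"]
    if page not in _VALID_PAGE_SIZES:
        return hdr, [f"implausible page size {page}"]
    if k_size == 0:
        problems.append("kernel size is zero")
    if r_size == 0:
        problems.append("ramdisk size is zero (a recovery needs a ramdisk)")
    # Layout: one header page, then kernel, ramdisk, second stage, each page-padded.
    sections = _pages(k_size, page) + _pages(r_size, page) + _pages(s_size, page)
    needed = page * (1 + sections)
    if len(data) < needed:
        problems.append(f"truncated: header needs {needed} bytes, file has {len(data)}")
    return hdr, problems

def make_sample(kernel=b"K" * 3000, ramdisk=b"R" * 5000, page=2048):
    """Build a constructed (fake) image for demonstration; not real firmware."""
    hdr = _HDR.pack(BOOT_MAGIC, len(kernel), 0x40080000, len(ramdisk),
                    0x45000000, 0, 0x40F00000, 0x44000000, page)
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(hdr) + pad(kernel) + pad(ramdisk)

if __name__ == "__main__":
    good = make_sample()
    print(check_boot_image(good))              # well-formed sample
    print(check_boot_image(good[:-4096])[1])   # simulated cut-off download
```

To check a real file, read it in binary mode and pass the bytes to check_boot_image.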

Have you had any experience rooting an MTK Secure Boot device without a DA file?