Skip to main content

Bootloader

info

[Updated 18.09.2025]

A way to unlock bootloader FOR FREE with mtkclient has been found

Unlock bootloader​

warning

Never flash the stock bootloader (lk) as it will automatically lock the bootloader.

This may turn the device into a β€œbrick”, especially if modifications have been made previously.

info

This guide can also be found on third-party resources
XDA | 4PDA

Free method​

For this method, you'll need this mtkclient fork which includes Carbonara exploit.

  1. Download the latest pre-built version of chouchou
  2. Install the mtkclient fork from here, and follow the setup instructions
  3. Get the DA file from fuckyoumoto-utils repo
  4. Run the following commands IN ORDER WITHOUT DISCONNECTING THE PHONE BETWEEN EACH ONE
$ python mtk.py w lk_a,lk_b chouchou.img,chouchou.img --loader  DA_fogorow.bin
$ python mtk.py da seccfg unlock --loader DA_fogorow.bin

mtkclient unlock

For this method you need an AMT Tool license in order to utilize the engineering DA they have stored on the servers.

I recommend you rent it from someone for an hour

  1. Download the latest pre-built version of Custom Bootloader (ChouChou) that matches your firmware version.

  2. Open the AMT tool and flash the ChouChou to save the unlocked bootloader state after unlocking it

    2.jpg 3.jpg 4.jpg 5.jpg

  3. Open the AMT tool and click the β€œUnlock bootloader” button

    1_2.jpg

Archive (Old information)​

Official way​

The official way to unlock the bootloader does not work on Moto g24, as the fastboot oem unlock command does not exist. It's possible to use fastboot flashing unlock command only to get greeted by the [secure] not allow message.

Through the reverse engineering of the bootloader, we were able to conclude that the phone does not require any key (compared to penangf). Instead, it only requires secure boot to be disabled, and the bootloader will get unlocked.

The phone seem to have a modified version of lk, developed by Tinno. This bootloader has a feature to relock right away if the phone is not a development unit, making it mandatory to develop a patched LK in case of success in unlocking the bootloader.

mtkclient​

MTKClient didn't work at first with moto g24, as the Download Agent had DA SLA enabled with Tinno keys. Thanks to Shomy, the keys needed for one of the two DA files of g24 was found and merged into mtkclient (git, not stable release).

Trying to unlock the bootloader with mtkclient, get us the same error there was on moto g23:


...
XFlashExt - [LIB]: Unsupported ctrl code
...

We were able to figure out the issue to come from the fact that mtkclient tries to get the seccfg partition through the partition list, which in this case is not possible.

So, the alternative way was dumping seccfg with offsets and try to write it back:

$ mtk ro 0x12000000 0x800000 seccfg,bin --loader DA_SWSEC_2316_p325a_dl_forbidden3.bin

...
Progress: |β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ| 100.0% Read (0x4000/0x4000, ) 7.26 MB/s0 MB/s
Dumped offset 0x12000000 with length 0x800000 as seccfg,bin.

$ mtk wo 0x12000000 0x800000 seccfg,bin

...
DaHandler - Writing offset 0x12000000 with length 0x800000
DAXFlash
DAXFlash - [LIB]: Error on sending parameter: Write data not allowed (0xc002000c)
Failed to write seccfg,bin to offset 0x12000000 with length 0x800000.

We are still investigating the possibility of using DA_SWSEC_2316_p325a.bin, which is blocked by another pair of DA SLA keys.

Contribute​

If you want to contribute to the research, write a post in the github discussion