Introduction - R0rt1z2/kaeru GitHub Wiki

Kaeru is a powerful tool that provides arbitrary code execution on MediaTek bootloaders. It is designed for devices that use ARMv7-based LK (Little Kernel) bootloaders, regardless of whether the device itself is ARMv7 or ARMv8. This utility gives you full control over the bootloader, enabling extensive customization of the boot process.

You can add your own fastboot commands, remap key combinations, remove those annoying bootloader warnings, and more. It's essentially a gateway into the earliest stages of your device's boot sequence.

Origin

You might be wondering why this project is called kaeru. I'm a bit obsessed with frogs; they're my favorite animals. Kaeru means "frog" in Japanese, and I thought it was a fitting name for a project where you keep jumping between the bootloader and the payload, back and forth, like a frog in motion.

The project began in 2023, inspired by amonet, a powerful two-stage exploit originally developed by xyzz and chaosmaster to unlock Amazon Fire tablets.

Amonet consists of a bootrom payload, which leverages low-level vulnerabilities to gain memory access, and an LK payload, which runs within the bootloader context to patch critical security functions on the fly.

My project, kaeru, draws specifically from the LK stage of amonet, where unsigned code is executed to modify memory and bypass restrictions. It drops the exploit chain entirely in favor of targeting unfused devices that already allow unsigned images to boot.

After two years of development, kaeru was completely rewritten into its current form: cleaner, more generic, and capable of supporting a much wider range of devices.

Who is kaeru for?

Kaeru isn’t exactly your average plug-and-play utility; it’s meant for people who enjoy getting their hands dirty. If you’re a firmware developer, a reverse engineer poking at the MediaTek boot chain, or just an enthusiast who loves pushing hardware past its limits, you’ll probably feel right at home.

This project assumes you’ve already dipped your toes into the low-level stuff. At the very least, you should have some idea of:

  • ARM internals, especially ARMv7
  • How bootloaders work (particularly LK, aka Little Kernel)
  • Tools like Ghidra, arm-none-eabi-gcc, and hex editors

If you know what a function prologue looks like in disassembly, how to follow a ROP chain, or what happens when the bootloader stack goes out of bounds, you’re good to go.

That said, I also tried to make kaeru as educational as possible. The payload is modular, the code is well-documented (I swear I tried), and the entire thing is hackable by design. You don’t need to reverse-engineer the whole thing just to add a fastboot command or patch a boot check.

So while kaeru definitely targets more advanced users, I’d argue it’s still for everyone, as long as you’re curious and willing to learn. The included tools make porting to new devices much easier than you’d expect, and with just some basic C knowledge and Ghidra-fu, you can get pretty far.

[!WARNING] This isn’t a toy. Flash the wrong image, and you will brick your device. Recovery isn't guaranteed. Be smart, make backups, and don’t say I didn’t warn you.

Continue here

The next page explains which devices are eligible for kaeru and how to check their eligibility.

Continue: Can I use kaeru on my device?