
Rooting the Blackview BV5300 Pro Android Phone

Model: Blackview BV5300 Pro
Size: 162.5 x 79.5 x 16.7 mm, 280 g
RAM: 4.0 GB
CPU: MediaTek Helio P35 (MT6765) - ARM Cortex-A53, 8 cores (4 x 2.35 GHz, 4 x 1.8 GHz)
GPU: PowerVR GE8320
Internal memory: 64 GB
Screen: 6.1 inches, 720 x 1560, brightness 500 cd/m² typical
Battery: non-removable, 6580 mAh
Connector: USB C
Android version: 13
Build number: BV5300_Pro_13_EEA_TE105_V1.0_20230927V03
A/B (Seamless) System Updates: yes (partitions boot_a and boot_b do exist; fastboot getvar current-slot returned current-slot: a)
Anti-Rollback Protection: no (fastboot getvar anti returned GetVar Variable Not found)

Notable features:

  • Can record phone calls. Enable the feature from Settings ⇒ Auxiliary function ⇒ Call recording.
  • Blue/red LED for notifications and charging.
  • The FM Radio is non-functional because there is no 3.5 mm socket and it is not possible to connect the earphone cable (which acts as the antenna).
  • Aggressive power saving kills background apps. Widgets in several apps have trouble initializing themselves after reboot; they may stop working or may not update their contents. The exposed settings (permissions, pause app if unused, unrestricted battery, battery manager, etc.) are not sufficient to overcome the problem. Internet syncs and notifications of less-known apps are lagging or stopped.

Rooting the phone

The rooting method that actually worked is summarized here:

  1. On the smartphone enable the Developer options, USB debugging and OEM unlocking.
  2. Unlock the bootloader using the fastboot mode (does a factory reset!).
  3. After the factory reset, re-enable the Developer options and the USB debugging.
  4. Download (read-back) the boot.img and vbmeta.img images from the phone using SP Flash Tool.
  5. Install the Magisk v26.4 app into the phone and patch the stock boot.img file on the phone itself.
  6. On the PC, sign the patched boot image with an RSA public/private key.
  7. On the PC, create a custom vbmeta image where the public key of the boot image is the one used in the previous step.
  8. Flash (write) the patched boot and custom vbmeta images on the phone using the fastboot mode.

Creating the scatter file

:!: NOTICE: If you don't want to follow the full procedure and you just need the scatter file, here is the file that I produced: MT6765_Android_scatter-bv5300-pro.txt.

A scatter file is a text file which describes the layout of the flash memory of an Android device running on a MediaTek MTK chipset. Usually such files are needed when flashing firmware using tools like the SP Flash Tool. The file is required also to back up the stock images from the Android device (the Readback operation in SP Flash Tool).

Generally you find the scatter file for your specific device included in the firmware archive, but for the BV5300 Pro I did not find any official firmware to download, nor the scatter file alone. Using the following procedure I managed to create my MT6765_Android_scatter-bv5300-pro.txt (download below).

Tools required (GNU/Linux or Wine)

Get the preloader and the GPT table from the smartphone

To create the scatter file you need to extract two memory regions from the smartphone flash: the preloader and the partition table. You can use the SP Flash Tool to read them directly from the phone:

  • Using SP_Flash_Tool_v5.2228_Linux:
    • Run flash_tool.sh
    • In the Download tab, Scatter-loading File: choose any scatter file for the MT6765 chip you have on your hard disk (this step is required to unlock the Readback function below).
    • Click on the Readback tab and delete all the partitions defined by the scatter file you loaded.
    • Add two regions to be read-back:
      • Filename: preloader.bin
        • Region: EMMC_BOOT1
        • Start Address: 0x0
        • Length: 0x100000 (1 MB, but 256 kB should suffice)
      • Filename: pgpt.bin
        • Region: EMMC_USER
        • Start Address: 0x0
        • Length: 0x8000
    • Click on the Readback button.
    • Turn off the phone and connect it to the USB cable; the read-back should start automatically.

Create the scatter file using the WwR MTK v2.51 tool

The WwR MTK (Working with Rom MediaTek) program can create the scatter file by reading the partition table and the preloader image extracted in the previous step. The program is for the Windows operating system, but it runs also under the GNU/Linux Wine environment:

  • Using WwR MTK v2.51:
    • If you use GNU/Linux and Wine: install the wine32:i386 and wine64 packages, clean any Wine settings by removing the $HOME/.wine/ and $HOME/.wine64/ directories. Run winecfg and set Windows 7 emulation.
    • Unpack the program archive and enter the WwR_MTK_v2.51 directory. Execute wine WwR_MTK_2.51.exe (wait for the 120-second pause or pay for the program).
    • Beside The file to be used, click Select file and open the pgpt.bin file. The Table of sections (Table chart of GPT) will be shown.
    • Right click on the Table of sections and select Create scatter file from the context menu (wait for the pause).
    • The program needs to read the preloader image (the EMMC_BOOT1 region saved with SP Flash Tool); select the preloader.bin file.
    • When prompted Enter the platform (CPU type), reply with MT6765; the program will propose to save the scatter file as MT6765_Android_scatter.txt (the program tries to launch the notepad editor to show the newly created scatter file).

:!: WARNING: The scatter file created above has the attribute is_download: false for several partitions; you need to edit the file for the partitions that you want to read back, defining is_download and file_name:

- partition_index: SYS30
  partition_name: vbmeta_system_a
  file_name: vbmeta_system_a.img
  is_download: true
  ...

Readback the stock partitions

Rooting the BV5300 Pro phone basically means overwriting (flashing) the boot and vbmeta partitions with patched versions. For backup purposes and to prepare the custom partitions, you must first read back some of the stock partitions from the phone. You can use the SP Flash Tool program for this task; I used SP Flash Tool v5.2228 for Linux.

This phone uses the A/B (seamless) system updates feature, so you actually have two copies of each partition: boot_a, boot_b, vbmeta_a and vbmeta_b. In my case the active slot was A, so I worked with the boot_a and vbmeta_a partitions. Putting the device in fastboot mode you can check the current active slot with the command fastboot getvar current-slot.

WARNING: In my case the current slot was A and it turned out that the partitions *_b were empty (all zeroes).

Beware that if you want to receive over-the-air operating system updates (OTA updates for the stock software), you must re-flash the stock partitions, allow the update to install, and then redo the rooting process.

Execute the SP Flash Tool on your GNU/Linux PC by launching the flash_tool.sh script. You must have permission to access the /dev/ttyACM0 device (usually granted to the dialout group).

In the program, load the scatter file of the Blackview BV5300 Pro using the Scatter-loading file box.

Click the Readback tab: gathering the info from the scatter file, you must add the data to read the following partitions:

partition_name    file_name            physical_start_addr  partition_size  region
boot_a            boot_a.img           0x1C000000           0x2000000       EMMC_USER
dtbo_a            dtbo_a.img           0x22800000           0x800000        EMMC_USER
vbmeta_a          vbmeta_a.img         0x23500000           0x800000        EMMC_USER
vbmeta_system_a   vbmeta_system_a.img  0x23D00000           0x800000        EMMC_USER
vbmeta_vendor_a   vbmeta_vendor_a.img  0x24500000           0xB00000        EMMC_USER
lk_a              lk.img               0x1BF00000           0x100000        EMMC_USER

Once you have entered the data, click the Read Back button. Turn off the phone and connect the USB cable: the reading of the partitions should start automatically and the files will be saved.

Patching the partitions for root

The only two partitions that must be actually patched are boot_a and vbmeta_a.

Patching the boot partition actually means letting the Magisk app add the software required to get root privileges (the su program, etc.). The partition, once patched, must be cryptographically signed with an RSA key.

Patching the vbmeta partition actually means re-creating the whole partition, replacing the entry about the boot partition with the new signing key.

Patch the boot_a.img with Magisk

To patch the stock boot image we use the Magisk app installed on the smartphone itself. So we have to copy the Magisk-v26.4.apk file and the downloaded boot_a.img file to the smartphone (I used the adb push command). Install the Magisk apk.

Launch the Magisk app on the phone and select Magisk ⇒ Install ⇒ Select and Patch a File: point the program to the boot_a.img file that you uploaded to the phone storage. After a little work you should obtain a modified boot image saved in a file like /sdcard/Download/magisk_patched-26400_AFhJf.img. The image contains a modified ramdisk, which will provide the su command (superuser) when the Android system is running, without modifying the system partition.

Download the patched boot image to your PC using the adb pull command.

Sign the patched boot_a.img

The Blackview BV5300 Pro is based on Android 13 and the Android Verified Boot process cannot be disabled. So the patched boot_a.img must be signed with an RSA public/private key and the public part must be included into the vbmeta_a.img partition.

Transfer the patched image magisk_patched-26400_AFhJf.img from the smartphone to the PC. Then you need the avbtool.py tool (it is a Python 3 script, so you must have Python 3 installed); with that script you can get some info from the original boot_a.img:

python3 avbtool.py info_image --image 'boot_a.img'

The output will reveal the Image size (33554432 bytes, which is exactly the size of the file) and that the public key algorithm is SHA256_RSA2048.

Then you need a 2048-bit RSA key; you can create your own, but it is common practice to use the one included in the Android SDK. Download the RSA key named testkey_rsa2048.pem. Keep in mind that this test key is publicly known: a vbmeta that trusts it will accept any boot image signed with it, so a key generated by yourself keeps that trust private.

With all this information, you can sign the file (actually, add a hash footer to the file). Beware that the file will be patched in place, so make a backup copy before running the command:

cp 'magisk_patched-26400_AFhJf.img' 'magisk_patched-26400_AFhJf-signed.img'
 
python3 avbtool.py add_hash_footer \
    --image 'magisk_patched-26400_AFhJf-signed.img' \
    --partition_name 'boot' --partition_size '33554432' \
    --key 'testkey_rsa2048.pem' --algorithm 'SHA256_RSA2048'

Creating a vbmeta custom image

The vbmeta partition contains the verification data (e.g. cryptographic digests and public keys) used to verify the Android images required to boot. Generally, in modern Android devices, it is not possible to disable the verification and dm-verity (Device Mapper verity), so we have to sign the custom boot partition with a key and build a new vbmeta partition with all the correct data.

Using the avbtool.py script we can inspect the content of the stock vbmeta_a partition:

python3 avbtool.py info_image --image 'vbmeta_a.img'

This is the output:

Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     320 bytes
Auxiliary Block:          2816 bytes
Public key (sha1):        cdbb77177f731920bbe0a0f94f84d9038ae0617d
Algorithm:                SHA256_RSA2048
Rollback Index:           0
Flags:                    0
Rollback Index Location:  0
Release String:           'avbtool 1.2.0'
Descriptors:
    Chain Partition descriptor:
      Partition Name:          boot
      Rollback Index Location: 3
      Public key (sha1):       9d808b0995768d0677fccb1efcddb7cf9e153d99
    Chain Partition descriptor:
      Partition Name:          vbmeta_system
      Rollback Index Location: 2
      Public key (sha1):       fa41159a5d696abdef93176a07d0b0d001263f01
    Chain Partition descriptor:
      Partition Name:          vbmeta_vendor
      Rollback Index Location: 4
      Public key (sha1):       9577bc6c0772975ecce93c4d8a178662c728dadf
    Prop: com.android.build.dtbo.fingerprint -> 'Blackview/BV5300_Pro_13_EEA/BV5300_Pro:12/SP1A.210812.016/1695812099:user/release-keys'
    Hash descriptor:
      Image Size:            65328 bytes
      Hash Algorithm:        sha256
      Partition Name:        dtbo
      Salt:                  004063897606313a609b19f2e9eefc5142de27213cb8d79c078f8f0d3146e66e
      Digest:                d77b2bf9160ff4132c2df0a90d24c77388cc524ecc51f3b35bc7d2dd4b17f08e
      Flags:                 0

The descriptors contained into the image are:

  • The chain partition descriptor of boot.
  • The chain partition descriptor of vbmeta_system.
  • The chain partition descriptor of vbmeta_vendor.
  • A prop descriptor.
  • The hash footer descriptor of the dtbo partition.

We have to re-generate the chain partition descriptor for the boot image, because we modified the image and signed it with a different key. The descriptors for the vbmeta_system and vbmeta_vendor partitions must remain unaltered. The prop and the hash footer descriptors are contained in the dtbo image and must be read back from it.

Keep note also of the Rollback Index Location of each partition: we need them when creating the custom vbmeta.

Using a hex viewer on the vbmeta_a.img file, we found the starting offset of each public key (the byte just after the partition name); with dd it is possible to extract them. Each key is 520 bytes long (for a 2048-bit key: an 8-byte header, the 256-byte modulus and a 256-byte precomputed value):

dd if='vbmeta_a.img' of='key_boot.bin'           bs=1 skip='672'  count='520'
dd if='vbmeta_a.img' of='key_vbmeta_system.bin'  bs=1 skip='1297' count='520'
dd if='vbmeta_a.img' of='key_vbmeta_vendor.bin'  bs=1 skip='1929' count='520'

With the following command we extract the public part of the RSA key we used to sign the boot image. The public key will be inserted into the vbmeta image:

python3 avbtool.py extract_public_key \
    --key 'testkey_rsa2048.pem' \
    --output 'testkey_rsa2048_pub.bin'

The final command to assemble the custom vbmeta image is the following. Notice that we specified the rollback index for each partition and the size of the whole stock vbmeta file:

python3 avbtool.py make_vbmeta_image \
    --key 'testkey_rsa2048.pem' --algorithm 'SHA256_RSA2048' --flag 0 \
    --chain_partition boot:3:'testkey_rsa2048_pub.bin' \
    --chain_partition vbmeta_system:2:'key_vbmeta_system.bin' \
    --chain_partition vbmeta_vendor:4:'key_vbmeta_vendor.bin' \
    --include_descriptors_from_image 'dtbo_a.img' \
    --padding_size '8388608' --output 'vbmeta-custom-signed.img'

Flashing the custom partitions

Once you have the boot partition image with root enabled and the vbmeta partition image with the updated signing data, you can flash the images to the smartphone and gain root privileges. Boot the phone into the normal system, attach the USB cable to the PC and execute the following on the PC:

adb reboot bootloader

The phone will reboot into the => FASTBOOT mode... prompt.

fastboot flash boot 'magisk_patched-26400_AFhJf-signed.img'
fastboot flash vbmeta 'vbmeta-custom-signed.img'
fastboot reboot

The full output will be:

$ fastboot flash boot 'magisk_patched-26400_AFhJf-signed.img'
Sending 'boot_a' (32768 KB)                        OKAY [  1.033s]
Writing 'boot_a'                                   OKAY [  0.435s]
Finished. Total time: 1.470s
$ fastboot flash vbmeta 'vbmeta-custom-signed.img'
Sending 'vbmeta_a' (8192 KB)                       OKAY [  0.265s]
Writing 'vbmeta_a'                                 OKAY [  0.106s]
Finished. Total time: 0.373s
$ fastboot reboot
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 0.101s

FIXME: check root and manage permissions.

MagiskHide

Magisk v26.4: Zygisk feature

Older versions of Magisk had the MagiskHide feature, i.e. the ability to hide the rooted status of the phone from selected apps. This is because some apps, like home banking, OTP managers, etc., refuse to operate or show warnings if they find that the device was tampered with; the hide function allows these apps to run flawlessly. The MagiskHide feature is available e.g. in Magisk v23.0, but it does not exist in Magisk 26.x. It was speculated that the author John Wu removed the MagiskHide feature because he started to work for the Android security team in 2021.

The reality is that Magisk 26.4 has the Zygisk feature, which you can enable in the Magisk Settings menu. If you enable this feature, some parts of Magisk run at a higher level of privilege inside the zygote daemon (i.e. the process responsible for launching Android applications). With Zygisk enabled, you can enable the Enforce DenyList option and configure the DenyList, selecting which applications cannot see the rooting status of the device.

Generally you must run the same version of the Magisk app as the one used to patch the boot image, i.e. you cannot patch the boot image with Magisk v26.x to get root and then run the Magisk v23.x app to manage the root permissions and the hide function.

The Recovery Menu

  • Power off the phone
  • Press the Power + Volume UP keys and keep them pressed until the Blackview logo appears.

The phone should enter the Android Recovery menu:

Android Recovery
Blackview/BV5300_Pro_13_EEA/BV5300_Pro
12/SP1A.210812.016/1695812099
user/release-keys
Use volume up/down and power.
--------------------------------------
Reboot system now
Reboot to bootloader
Enter fastboot
Apply update from ADB
Apply update from SD card
Wipe data/factory reset
Mount /system
View recovery logs
Run graphics test
Run locale test
Power off
--------------------------------------

The Fastboot Menu

It is possible to reboot the phone into fastboot mode from the normal system: just connect a PC via the USB cable and issue the following command on the PC (the USB debugging option must be enabled):

adb reboot bootloader

Alternatively you can reach fastboot mode operating the phone buttons only:

  1. Power off the phone.
  2. Press the Power + Volume UP keys and keep them pressed until the Blackview logo appears.
  3. The Android Recovery menu appears: select the Enter fastboot item with Volume DOWN and confirm with Power.
  4. The Android Fastboot menu appears: select the Reboot to bootloader item with Volume DOWN and confirm with Power.
  5. The prompt ⇒ FASTBOOT Mode… appears in the lower left corner of the screen.

Hiding the Orange State warning message

Once you have unlocked the bootloader, the device will show at every bootstrap the warning message:

Orange State

Your device has been unlocked and can't be trusted
Your device will boot in 5 seconds

It is easy to hide that message: just patch the lk partition, replacing the ASCII strings with a newline (0x0A char) followed by zeroes. Use your preferred hex editor for that. Then boot the phone in fastboot mode and write (flash) the patched partition:

fastboot flash lk 'lk-orange-state-hidden.img'
fastboot reboot

Download

Resource | Local download | Official link | Notes
Scatter File | MT6765_Android_scatter-bv5300-pro.txt | N/A | Created using the SP Flash Tool and WwR MTK programs.
Custom boot and vbmeta partitions | BV5300 Pro 13 EEA TE105 V1.0 20230927V03-root.tgz | N/A | This archive contains the two partition images required to root the BV5300 Pro smartphone: the boot partition patched with Magisk 26.4 and the vbmeta partition with the updated signing key. The archive also contains the original stock images, required to remove root and to allow system upgrades. If you want to use SP Flash Tool, the scatter file is included too.
Custom lk partition | lk-image-hide-orange-state.tgz | N/A | This is the image of the lk partition, patched to hide the Orange State warning message displayed at boot time once the bootloader is unlocked.
avbtool.py | avbtool.py | android.googlesource.com | Python script used to create the custom vbmeta image.
Magisk v26.4 | Magisk-v26.4.apk | github.com/topjohnwu/Magisk | Magisk v26.x is capable of patching the boot image and installing root. That version does not have the MagiskHide feature but has the Zygisk one, which is equally capable of hiding Magisk from selected apps. Magisk v23.x has the MagiskHide function, but it is not capable of root-patching the boot image.
SP Flash Tool | SP_Flash_Tool_v5.2228_Linux.zip | spflashtools.com | WARNING: The site is not managed by MediaTek; other sites exist, but none seems to be the official one.
WwR MTK | WwR_MTK_v2.51.zip | N/A | WARNING: It seems that an official site for WwR MTK does not exist; on the internet you can find many sites which have re-packaged the same archive, like androiddatahost.com and www.gsmfirmware.net.
testkey_rsa2048.pem | testkey_rsa2048.pem | cs.android.com | This is the RSA private/public key used for testing in the Android SDK.

Power saving

FIXME On this smartphone the battery and power management operated by the Android OS is very aggressive. There are several settings that can be adjusted, but it seems that some apps and widgets do not run as expected.

  • Battery Manager (system setting): Settings ⇒ Battery ⇒ Battery Manager ⇒ Manage apps automatically.
  • Battery Saver (system setting): Settings ⇒ Battery ⇒ Battery Saver ⇒ Use Battery Saver.
  • Pause app if unused (per-app setting): Settings ⇒ Apps & notifications ⇒ App info ⇒ App permissions ⇒ Pause app activity if unused.
  • Battery (per-app setting): Settings ⇒ Apps & notifications ⇒ App info ⇒ Battery ⇒ Unrestricted, Optimized or Restricted.

Storage (problem with widgets and SD card)

When you add an SD card to the smartphone, you can use it as:

Portable storage:
  • You can save files, like photos and videos, on the SD card.
  • You can’t install apps on the SD card.
  • You can transfer the SD card between devices.
Adoptable or Internal storage:
  • You can load files, like photos and videos, on the SD card.
  • You can install apps on the SD card.
  • You can’t transfer the SD card between devices.
  • The SD card can be used in addition to your device's storage.

If you use the SD card as internal storage, all the compatible apps will be moved to that storage (if you choose to) and newly installed apps will follow the same destination. You can check if an app is installed on the SD card by tapping Settings ⇒ Storage ⇒ SD card ⇒ Apps ⇒ (select the app) ⇒ Storage used. In this menu you can tap the CHANGE button to move the app to the other storage.

I found a problem on my Blackview BV5300 Pro: some apps installed on the SD card were not seen as widget providers, i.e. I was not able to add the widget to the home screen because the app was not shown in the list. Moving the app to the internal storage resolved the problem.

Web Resources

doc/appunti/hardware/blackview_bv5300_pro.txt · Last modified: 2024/06/25 09:28 by niccolo