Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq. Pub. L. 93-637. Enacted January 4, 1975. Signed by Gerald R. Ford.
I am reading a statute enacted on January 4, 1975, that makes it unlawful for a warrantor to condition warranty coverage on the consumer's use of any article or service identified by brand name, and I am telling you that this statute is not obsolete. It is ignored.
Section 102(c) — 15 U.S.C. § 2302(c) — contains the tying-arrangement prohibition. It makes it unlawful for a warrantor to condition warranty coverage on the consumer's use of any article or service identified by brand name unless the warrantor provides that article or service free of charge, or unless the Federal Trade Commission has issued a waiver finding the tying restriction serves the public interest. No FTC waiver exists for carrier bootloader tying. None requested. None granted.
It is a filed document. It is public. It is dated.
I know how this works because I built the system that tracks how this works. TELOS. The pipeline. The substrate. I built it because I got tired of reading "widely reported" and "many believe" in every article about right-to-repair, and I wanted a machine that would only accept claims with a filing number and an archive location. The machine does not care about my opinion. The machine only cares whether the source is named and filed. But I am the operator, and I am sitting here at 3:47 AM reading a statute from 1975, and I am telling you that the carrier's published policy on a bricked bootloader is a four-hundred-dollar replacement because the carrier's contractual posture treats a bricked bootloader as a customer-induced failure outside the device warranty, technically defensible under the contract the customer signed at activation, except the customer never read the contract, was never given a chance to read it before paying for the device, and was certainly never told that the bootloader lock the carrier sold him as a security feature is a billing feature, and that the same MediaTek SoC the carrier sourced from a Hsinchu fabrication line through a Shenzhen ODM through a Korean handset OEM through a Taiwanese logistics broker through a US carrier procurement contract has a publicly documented BootROM bypass that an open-source engineer in Germany named bkerler will give you for free on a GitHub repository continuously maintained for longer than the current generation of carrier-locked Helio P22 handsets have been on retail shelves, which means the carrier knew about the BROM bypass before the carrier built the SKU around the lock, which means the carrier priced the four-hundred-dollar replacement on the assumption that the customer would not find the bypass, which means the lock is not a security feature; it is an information-asymmetry tax.
The statute is fifty-one years old. The FTC interpretation rules sit at 16 CFR Part 700 through 703. Part 700 is the Interpretations of the Magnuson-Moss Warranty Act — the agency's own gloss, regulatory force binding on warrantors. Part 701 governs disclosure of written warranty terms. Part 702 governs pre-sale availability. Part 703 governs informal-dispute-settlement procedures. The rules have been on the books since 1975, amended periodically, and they apply on their face to the carrier transaction the customer signs at activation. The rules require the warrantor to disclose the warranty before sale, to make the terms available for pre-sale review, to refrain from tying the warranty to brand-name articles or services without an FTC waiver, and to provide an informal-dispute-settlement procedure meeting the agency's minimum standards.
The carrier offers a manufacturer's warranty on the device. The carrier's service contract is technically distinct from the device warranty — the seam the carrier uses to claim the contract terms are not warranty terms and therefore not Magnuson-Moss territory. The seam holds in practice because no one has litigated it. The statute exists. The interpretation rules exist. The enforcement, for software locks, does not.
I buy the bricked phone from the returns bin at thirty-eight dollars cash. No receipt. No box. No charger. The clerk slides it across the counter, brief eye contact, then nothing. The shrink wrap was gone before he got the unit. The previous owner attempted a half-researched unlock off a forum thread and bricked the bootloader badly enough that the manufacturer's reverse-logistics rules disqualified the unit from refurbishment. The store had two options. Charge the previous owner four hundred for the replacement and absorb the brick into the quarterly write-down. Or sell the brick to the next walk-in for thirty-eight dollars cash and pretend the transaction did not happen. The store chose the second. I was the next walk-in.
MediaTek fabs system-on-chip silicon for the lower and middle tiers of the global handset market. The MT6765 — marketing-named Helio P22 — ships in entry-level Android at industrial volume. Octa-core ARM Cortex-A53. Twelve-nanometer process. PowerVR GE8320 GPU. A part the customer never sees by name. A part the carrier prefers not to discuss.
Every MediaTek SoC ships with a hardware boot mode called the BootROM, shortened to BROM. Lowest stage in the boot stack. Executes before the preloader. Before the bootloader. Before the kernel. Mask-programmed into the silicon at the foundry — read-only by design, unpatchable after the wafer leaves the fab. BROM loads and authenticates the preloader. BROM listens on a USB endpoint when the chip enters engineering mode. Engineering mode is entered by holding a specific volume button during power-on, USB cable seated, before any higher-stage code has run.
On the MT6765, the BROM authentication handshake carries a vector the open-source bootloader community discovered, documented, and published. The vector lets an unsigned preloader payload be accepted by the BROM as if vendor-signed. The unlocked preloader writes a corrected bootloader partition to flash. The device reboots. The bootloader-locked state the carrier sold the customer becomes the bootloader-unlocked state the silicon was always capable of.
bkerler is the developer of record. The repository is `mtkclient` on GitHub. Python. The runtime dependencies are a USB driver, a serial port, and a power cable.
The carrier knows about the vector. The carrier reads the same advisories. The carrier ships the device locked anyway.
I drive the device home. I install Python. I run `pip install pyusb` and the rest of the dependencies. I clone the repository. I cd in. I read the README.
I power the device down. I hold volume-down. I seat the USB-C cable. I watch `lsusb` enumerate a new device at the MediaTek vendor ID. I run `python mtk printgpt` to dump the GUID partition table. I run `python mtk r preloader preloader.bin` to back up the preloader. I run `python mtk r boot boot.bin` to back up the boot partition. I run the unlock sequence the README documents for the MT6765 family. The tool patches the lock state in the bootloader partition. I write the patched bootloader back. I disconnect the cable. I hold volume-up plus power. The device boots. The lock state is unlocked.
I flash LineageOS 21 from the lineageos.org build. I sideload Termux from F-Droid. I install `tailscale` from the LineageOS-compatible binary. I run `tailscale up`. The node joins the tailnet. Magic DNS resolves `zombie` inside thirty seconds.
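The `printgpt` step above reads the device's GUID partition table. As an added example (not mtkclient's code and not from the original article), this parser shows what that table holds and checks both CRC32 fields, so a partition-table dump can be validated before its offsets are trusted for a backup; the 512-byte sector size, the fixed 92-byte header, and the partition names and LBAs in the sample are assumptions.

```python
import struct
import zlib

HDR = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header layout from the UEFI spec
SECTOR = 512                 # assumption: 512-byte logical blocks (UFS often uses 4096)

def parse_gpt(image, sector=SECTOR):
    """Return [(name, first_lba, last_lba)] after checking both GPT CRC32 fields."""
    hdr = image[sector:sector + 92]            # primary header lives at LBA 1
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    f = struct.unpack(HDR, hdr)
    hcrc, ent_lba, n_ent, ent_size, ent_crc = f[3], f[10], f[11], f[12], f[13]
    # The header CRC is computed with its own 4-byte field zeroed.
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    table = image[ent_lba * sector:ent_lba * sector + n_ent * ent_size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for off in range(0, len(table), ent_size):
        entry = table[off:off + ent_size]
        if entry[:16] == bytes(16):            # all-zero type GUID = unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((name, first, last))
    return parts

def build_sample(parts, n_ent=4, ent_size=128):
    """Build a tiny GPT image in memory (constructed test data, not a device dump)."""
    table = b"".join(
        bytes([i + 1]) * 32 + struct.pack("<QQQ", first, last, 0)
        + name.encode("utf-16-le").ljust(72, b"\0")
        for i, (name, first, last) in enumerate(parts)
    ).ljust(n_ent * ent_size, b"\0")
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, 0, 34, 0, bytes(16),
              2, n_ent, ent_size, zlib.crc32(table)]
    fields[3] = zlib.crc32(struct.pack(HDR, *fields))   # CRC over zeroed-CRC header
    header = struct.pack(HDR, *fields).ljust(SECTOR, b"\0")
    return bytes(SECTOR) + header + table                # LBA 0, LBA 1, LBA 2

# Partition names and LBAs below are constructed for illustration.
SAMPLE = build_sample([("boot", 2048, 67583), ("userdata", 67584, 1048575)])

if __name__ == "__main__":
    for name, first, last in parse_gpt(SAMPLE):
        print(f"{name:10} LBA {first}-{last} ({(last - first + 1) * SECTOR} bytes)")
```

A dump that fails either CRC check should be re-read from the device rather than used to compute partition offsets.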
Total elapsed time, from USB plug-in to first ping out of the node over the mesh: under thirty minutes.
Cash outlay: thirty-eight dollars.
Carrier alternative: four hundred dollars at the counter, plus a re-locked replacement device.
The spread: three hundred sixty-two dollars.
That is the sentence the entire article is built toward. The carrier priced the four-hundred-dollar replacement on the assumption that the customer would not find the bypass. The cost-transfer mechanism is identical: the vendor engineers scarcity into a product whose underlying technology cannot sustain the scarcity, then sells the customer the relief at a markup the customer cannot benchmark because the customer does not know the relief exists.
The MT6765 is not alone in the family. The mtkclient issue tracker catalogues SoC coverage wider than any single chip. The MT6779 — Helio P90 — ships in mid-range Android from 2018 forward. The MT6885 — Dimensity 1000, flagship class, four Cortex-A77 at 2.6 GHz — sits in the public build with the vector functional on production handsets. The MT6873 — Dimensity 800, upper mid-range — supported at the same patch level. Four chipsets. Four price tiers. One bypass family. The same hardware boot vector the foundry mask-programs into the entry-level MT6765 is mask-programmed into the flagship MT6885 because the BootROM design is reused across the family for cost reasons. Reusing the BROM saves wafer-mask cost. Reusing the BROM standardizes the engineering-mode handshake. Reusing the BROM means the bypass published against one chip is structurally available against the others. The carrier knows. The OEM knows. The MediaTek documentation does not advertise.
XDA Developers is where the field walkthroughs live. Threads dating to 2019 document the bypass on the MT6765 with screenshots, terminal transcripts, step-by-step instructions calibrated for a non-expert with a USB cable. The carrier reads the threads. The OEM reads the threads. The threads do not stop the lock from shipping.
The Federal Trade Commission published Nixing the Fix: An FTC Report to Congress on Repair Restrictions in May 2021. Fifty-six pages. The report acknowledges manufacturers routinely use software locks, parts pairing, and proprietary diagnostic tools to restrict repair. The report acknowledges these restrictions impose costs on consumers and small shops. The report acknowledges the Magnuson-Moss tying prohibition is rarely enforced against software-lock cases. The report does not recommend new enforcement against carrier bootloader tying. The report recommends additional study.
The FTC has the authority. The FTC has the documented harm. The FTC has the statute on the books for fifty years. The carrier has the lock.
The state-level fight picks up where federal enforcement does not. New York signed the Digital Fair Repair Act in 2022. Senate bill S4104A. Governor Kathy Hochul signed it December 28, 2022, codified at General Business Law § 399-nn. The signed version exempts enterprise electronics. Exempts motor vehicles. Exempts home appliances. Exempts medical devices. Exempts public safety equipment. Exempts agricultural equipment. The bootloader-unlock provisions were stripped from the bill text the activist coalition originally circulated.
Colorado passed HB 23-1011 in 2023. Agricultural equipment only. Bootloader access on consumer handsets is not in the text. Massachusetts voters approved Question 1 in November 2020. Motor vehicles only. Maine passed LD 1981 in 2022. Motor vehicles only. Minnesota passed HF 1337 in 2023. Covers consumer electronics with carve-outs for motor vehicles, medical devices, farm equipment, video game consoles, and cybersecurity tools. Does not address bootloader locks on consumer handsets. The carve-outs map, jurisdiction by jurisdiction, to the lobbying apparatus's priority list. The consoles are exempt because Sony and Microsoft asked. The medical devices are exempt because the device manufacturers asked. The farm equipment is exempt because John Deere asked. The bootloader on the consumer handset is exempt because nobody named it.
Five statutes. Five jurisdictions. Five coalitions. Five rounds of activist labor against five rounds of industry lobbying. In every case the bill that came out of the legislative process was narrower than the bill the coalition introduced. In every case the bootloader on a consumer handset was left alone.
You sign a twenty-four-month service contract. The contract bundles the device. The device is financed against the service plan at a monthly installment running concurrently with the service charge. The carrier records the bundled payment on the bill as one line item, occasionally two, never as the itemized cost-of-goods breakdown that would let you benchmark the device against an unlocked equivalent on a third-party channel.
You read the contract. You find the early-termination fee schedule. Exiting before month twenty-four triggers a fee approximating the unamortized device balance plus a recovery surcharge. The recovery surcharge is non-itemized. The typical ETF on a postpaid smartphone line in the US carrier market sits at three hundred fifty dollars plus the prorated balance of the financed device, structured so that exiting at month six costs roughly the same as buying the device outright at retail, structured so the customer who has paid into the contract for any length of time has already paid the carrier more in service charges plus device installments than an equivalent unlocked device at a third-party retailer. The ETF is the lock in financial form. The bootloader lock is the ETF in firmware form. The two locks reinforce.
You read the SIM lock provision. The SIM is locked to the carrier for a minimum period, after which you may request a SIM unlock the carrier may grant or deny at its discretion. The discretion is not auditable. The 2014 CTIA Consumer Code for Wireless Service — the voluntary industry commitment the four major US carriers adopted under FCC encouragement — sets out unlocking principles. The CTIA Consumer Code is voluntary. The CTIA Consumer Code does not address bootloader locks. The Code treats the SIM lock as the mechanism the customer is allowed to ask about; the bootloader lock sits outside scope.
You read the DMCA exemption. The Digital Millennium Copyright Act of 1998, codified at 17 U.S.C. § 1201, prohibits circumventing technological protection measures. Cell-phone unlocking — removing the carrier's SIM lock — was the subject of a 2006 Library of Congress rulemaking that granted a temporary exemption. Congress restored it legislatively in the Unlocking Consumer Choice and Wireless Competition Act, Pub. L. 113-144, signed by President Obama on August 1, 2014. The exemption covers SIM unlocking for the purpose of connecting to a wireless network of the consumer's choosing. The exemption does not cover bootloader unlocking for installing alternative system software. The Section 1201 wall between the two unlocks runs through the firmware: the SIM lock is exempted because Congress recognized the consumer interest; the bootloader lock is not exempted because no rulemaking comment cycle has formally requested coverage for the category.
You read the bootloader lock provision. You do not find one. The bootloader lock is not in the contract you signed. The bootloader lock is in the device firmware. The firmware was loaded by the carrier or the OEM before the SKU was sealed. The customer was never asked. Never told. The customer cannot find a contract clause to challenge because the contract does not mention the clause.
The carrier value-extraction stack is the bundle. The bundle is the SIM lock plus the bootloader lock plus the contract plus the financing plus the early-termination fee plus the discretionary unlock request plus the four-hundred-dollar replacement-counter fallback when the customer attempts the unlock and bricks the firmware. Any one of those, alone, is a small friction. The aggregate is a moat. The moat is the business model. The business model is what the activist coalition in three states tried to legislate against and what the lobbying apparatus in three states surgically narrowed back down to motor vehicles, tractors, and home appliances.
The bootloader lives in a jurisdictional gap. The jurisdictional gap is the product.
Capital has no state. The MT6765 was designed by MediaTek, a fabless semiconductor company in Hsinchu, Taiwan. The die is fabricated by TSMC, also Hsinchu. The reference design is licensed to handset OEMs in South Korea, China, Vietnam, India. The completed assemblies are imported into the United States by carrier procurement subsidiaries headquartered in Dallas, Bellevue, Basking Ridge. The firmware that loads onto the silicon includes preloader code authored at MediaTek, bootloader code authored at the OEM, vendor partitions inserted by the US carrier, update channels routed through Cupertino, Mountain View, or Beijing depending on which app store the device is bound to. The retail counter is in any strip mall in the United States. The replacement fee is set by the US carrier. The lock state is enforced by code written and signed across four sovereign jurisdictions.
The lock is the same regardless of supply-chain geography. The economic mechanism is the same whether the OEM is Korean or Chinese or Vietnamese, whether the carrier is Dallas or Bellevue, whether the foundry is Hsinchu or Phoenix, whether the firmware is signed in Cupertino or Beijing. The mechanism does not care which capital extracts the rent. It cares that the rent is extractable.
I did the unlock myself. The unlock worked. The marginal cost was zero. The unlock is the rebuttal.
The rebuttal is a Python repository, a USB cable, a thirty-eight-dollar returns-bin device, a federal statute on the books since 1975, an FTC interpretation-rule package at 16 CFR Part 700-703, five state statutes narrowed before passage, a DMCA exemption that covers the SIM lock but not the bootloader, a CTIA voluntary code that names the SIM lock but not the bootloader, and one Tailscale node that came up on the mesh thirty minutes after the lock came down.
The lock is on. The repository is up.
The system is not broken. The system is working exactly as designed.
Primary sources: mtkclient repository (github.com/bkerler/mtkclient); MediaTek MT6765/MT6779/MT6885/MT6873 product briefs (mediatek.com); Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq. (Pub. L. 93-637); 16 CFR Parts 700-703; New York General Business Law § 399-nn (S4104A); Colorado HB 23-1011; Massachusetts G.L. c. 93K; Maine LD 1981; Minnesota HF 1337; FTC Nixing the Fix report (May 2021); CTIA Consumer Code for Wireless Service (2014); Unlocking Consumer Choice and Wireless Competition Act (Pub. L. 113-144); 37 CFR § 201.40; LineageOS 21 release notes (lineageos.org); Tailscale audit log for node `zombie` at 100.81.36.31.