Flash firmware, repair IMEI, unlock bootloaders, dump partitions, and bypass auth on Xiaomi, MediaTek and Qualcomm devices. EDL · BROM · Fastboot · Meta Mode · QDiag — one workflow.
Three vendors cover ~90% of Android devices in the wild. Phantom handles every one of them in EDL, BROM, fastboot, and recovery — without firmware files you don't have rights to ship.
Mi-account / authorized-mode bypass on Qualcomm and MediaTek SoCs, EDL/auth loader signing, anti-rollback handling, factory reset protection removal.
Kamakiri BROM exploit, legacy + xflash Download Agents, Meta mode IMEI / NV repair, seccfg unlock and re-lock, eFuse-aware bootloader workflows.
Sahara + Firehose full stack, raw partition read/write/erase, GPT parsing, QCN backup/restore, QDiag IMEI & cert repair, partition dump in EDL.
No more juggling four tools to flash one device. Phantom rolls every step into a single, audited pipeline that talks straight to the chip.
Per-partition writes, full GPT rewrites, raw NAND/eMMC/UFS access. Handles SBL, modem, boot, system, vendor.
MediaTek Meta mode write & NV data, Qualcomm QCN restore, dual-SIM lun-aware patching, persistent EFS slots.
Factory Reset Protection bypass, Mi-account removal, Samsung Knox-aware paths, Huawei DEMO mode workflows.
seccfg edits on MTK, oem_seccfg writes on Qualcomm, eFuse-aware so you don't brick what you can't recover.
Read back any partition to a file, even on locked devices in EDL/BROM. EXT4 / EROFS / F2FS mounted read-only client-side.
QDiag/QMSL packet decode, MediaTek BROM trace, USB descriptor sniffer — everything you need to diagnose a device that refuses to boot.
Static-port Meta protocol for MTK NV/EFS reads, IMEI sets, calibration writes — without needing the full preloader path.
Single TLS-pinned WebSocket. Files never hit disk, never leak URLs to HTTP debuggers. ChaCha20-Poly1305 frames end-to-end.
Every flash, every repair, every dump — all on one authenticated socket. Here's the loop.
The desktop tool opens a single WSS connection to wss://phantomtool.com/api/ws with SPKI cert pinning baked into the binary. Any MITM proxy with a local CA gets rejected before bytes flow.
Email + password + hardware ID, signed by an RSA-SHA256 challenge. Server derives a per-session ChaCha20 key tied to your account + machine; replays are dead on arrival.
Plug the device in. The tool detects the SoC, fetches the right Download Agent or Firehose loader as encrypted chunks, and runs the job. Files never touch disk — they're streamed straight to the device.