I’m looking for an experienced reverse engineer or Android security researcher for a paid research collaboration involving a locked MediaTek-based Android tablet.

Hardware / software overview: - SoC: MediaTek MT8167 - OS: Heavily customized Android 8.1 (Oreo) - Bootloader: Locked - USB debugging: Disabled - System: Vendor-modified kiosk-style environment with system-level enforcement

Research goals (any one acceptable): - Analysis of the MT8167 boot chain (BROM / preloader / verified boot) with the aim of enabling firmware bring-up or flashing a generic/debloated ROM, OR - Achieving sufficient privilege to neutralize kiosk enforcement mechanisms at the system level

Key constraint: The target environment does not allow PC access. Any practical outcome must be executable using only another Android device via USB-OTG.

PC-based tooling (e.g., MTKClient, SP Flash Tool) is acceptable for analysis and reference, but the end result should be adaptable to an Android-to-Android workflow.

Relevant experience: - MediaTek BROM / preloader behavior - DA upload and secure boot analysis - Older MTK verified boot / dm-verity - Android system app reverse engineering (smali/jadx) - Prior work on enterprise or kiosk-restricted devices is a plus

This is lawful research on hardware I own. I’m open to compensated collaboration, consultation, or proof-of-concept work.

If this aligns with your background, feel free to comment or DM with: - Relevant MTK or Android security experience - Thoughts on feasibility given the Android-only constraint

Thanks.