===============
= ptrcnull.me =
===============

Rooting Sunmi V2s

Short story about turning a Bolt Food POS into something slightly more useful

In this modern age of slop, silly human-written notes are more valuable than ever, so without further ado...

[Image: Bolt Food branded POS terminal, playing Subway Surfers]

What even is it?

Sunmi V2s, aka T5940, is a "wireless point of sale system"; basically, a rugged Android phone, with half its internals removed and a silly thermal printer tacked onto its head.

It may not have an accelerometer, a front camera, or even a front speaker, but! It's still got a screen, a dual SIM modem, a 3.5mm audio jack (rarity in this day and age), and a truly massive battery (27 watt-hours!), easily lasting a few days without charging.

In Europe, Sunmi devices have mostly been sold by companies in the food delivery business, such as Glovo or Bolt, to restaurants that want to receive orders through their platform. And well, since they don't really offer buying them back from you when you close the food venue, it's relatively easy to pick up a used device like this, either from random offers on the internet, or a pawn shop — the latter is how I got mine, for which I paid a mere ~60 EUR.

Unfortunately, there's a small issue with it. It's still connected to the company device management, and as such, any shitposts are at the whim of Bolt Technology OÜ, who can remotely wipe my device at any time:

[Image: Managed device info, with stuff like "Admin can lock the device and reset password" as well as "Admin can delete all device data"]

This is all thanks to "Remote Assistance" (com.sunmi.remotecontrol.pro), a system app that's installed by default as a "device admin", with ungodly privileges to mess up the device, and the ability to call back home — both to Bolt and the manufacturer.

So, how do we take it over?

Enter mtkclient: a Mediatek "flash and repair" utility that uses bootrom exploits to achieve full device control. Fortunately, our device's equipped with MT8766B, a chipset that's very well within support, so we can begin messing with it.

First, the preparations. Plug the device into a Linux machine, git clone the mtkclient repo. Enable developer tools on the device, USB debugging, and possibly also OEM unlocking (though I'm not sure whether it's actually needed?). From your host, run adb shell getprop ro.boot.slot_suffix — this will tell us the current boot slot, which we'll need later.

With that, run something like ./mtk.py printgpt, and reboot the device. Ideally, you can also open dmesg -w in a side window, just so you can see what's happening. Right after powering off, it should show back up:

[20287.622694] usb 1-2: Product: MT65xx Preloader
[20287.622698] usb 1-2: Manufacturer: MediaTek

..and you can see mtkclient doing its magic:

Mtk - We're not in bootrom, trying to crash da...
Exploitation - Crashing da...
[... snip ...]
PLTools - Loading payload from mt6761_payload.bin, 0x264 bytes
Exploitation - Kamakiri Run
Exploitation - Done sending payload...
PLTools - Successfully sent payload: /home/patrycja/Downloads/mtkclient/mtkclient/payloads/mt6761_payload.bin
Port - Device detected :)
[... snip ...]
Main - Handling da commands ...

GPT Table:
-------------

*hacker voice* we're in.

With this, we can now pull the current boot partition (e.g. boot_a, using the suffix we got earlier) with ./mtk.py r boot_a boot.img. Put that file onto another device, and patch it with the Magisk app to install Magisk on it. With that, it's as simple as:

# Unlock the bootloader
./mtk.py da seccfg unlock
# Erase the current user data (unfortunately necessary)
./mtk.py e userdata,metadata,md_udc
# Disable verity + verification
./mtk.py da vbmeta 3
# Write new boot partition
./mtk.py w boot_a boot_a_magisk.img
# Reboot
./mtk.py reset

If all goes well, you'll see the "Orange State" warning on the device; click the power button once to continue booting. Once it boots, install the Magisk app, and continue the setup — one more reboot required, but we're almost done!
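An added example, not from the original post: a host-side check to run before the erase and write commands above, confirming that the dump and the Magisk-patched file are intact Android boot images and that the patched one still fits the partition. It assumes the dump made with ./mtk.py r covers the whole partition; the function names and the sample image are made up for illustration.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"

def boot_partition(slot_suffix):
    """ro.boot.slot_suffix ('_a', '_b', empty on non-A/B devices) -> partition name."""
    suffix = slot_suffix.strip()
    if suffix not in ("", "_a", "_b"):
        raise ValueError(f"unexpected slot suffix: {suffix!r}")
    return "boot" + suffix

def _align(n, page):
    return (n + page - 1) // page * page

def inspect_boot_image(data):
    """Parse the Android boot image header; raise ValueError on a bad or short dump."""
    if len(data) < 44 or data[:8] != BOOT_MAGIC:
        raise ValueError("bad magic: not an Android boot image")
    kernel_size, = struct.unpack_from("<I", data, 8)
    version, = struct.unpack_from("<I", data, 40)
    if version > 4:
        raise ValueError(f"unknown header version {version}")
    if version >= 3:   # v3/v4: ramdisk_size follows kernel_size, pages are 4096 bytes
        ramdisk_size, = struct.unpack_from("<I", data, 12)
        page = 4096
    else:              # v0-v2: load addresses interleaved, page_size at offset 36
        ramdisk_size, = struct.unpack_from("<I", data, 16)
        page, = struct.unpack_from("<I", data, 36)
    if page == 0:
        raise ValueError("page size of 0 in header")
    needed = page + _align(kernel_size, page) + _align(ramdisk_size, page)
    if len(data) < needed:
        raise ValueError(f"truncated: header needs {needed} bytes, file has {len(data)}")
    return {"version": version, "kernel_size": kernel_size,
            "ramdisk_size": ramdisk_size, "sha256": hashlib.sha256(data).hexdigest()}

def safe_to_flash(original, patched):
    """Both images must parse, and the patched one must fit the partition-sized dump."""
    inspect_boot_image(original)
    inspect_boot_image(patched)
    return len(patched) <= len(original)

def make_sample(kernel=b"K" * 5000, ramdisk=b"R" * 3000, total=32768, page=2048):
    """Constructed v2-style image for offline testing; not a real Sunmi dump."""
    hdr = struct.pack("<8s10I", BOOT_MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page, 2, 0)
    body = b"".join(p.ljust(_align(len(p), page), b"\0") for p in (hdr, kernel, ramdisk))
    return body.ljust(total, b"\0")

if __name__ == "__main__":
    print(boot_partition("_a"), inspect_boot_image(make_sample()))
```

On the host, pass the bytes of boot.img and boot_a_magisk.img to safe_to_flash(), and keep the untouched boot.img together with its SHA-256 as the way back to the stock boot partition.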

After booting, there's one more critical step: actually taking it over. Connect to USB debugging again, allowing it root access via Magisk, and run the following in the device shell:

V2s:/ $ su
V2s:/ # ls -la /data/data/com.sunmi.remotecontrol.pro
total 42
drwx------   7 u0_a130 u0_a130        3488 2025-06-30 07:11 .
drwxrwx--x 223 system  system        24576 2026-05-17 17:02 ..
drwxrws--x   3 u0_a130 u0_a130_cache  3488 2026-05-17 02:07 cache
drwxrws--x   2 u0_a130 u0_a130_cache  3488 2025-06-30 07:10 code_cache
drwxrwx--x   2 u0_a130 u0_a130        3488 2025-06-30 07:11 databases
drwxrwx--x   2 u0_a130 u0_a130        3488 2025-06-30 07:11 files
drwxrwx--x   2 u0_a130 u0_a130        3488 2026-05-17 02:15 shared_prefs

Note down the file owner, then proceed to disabling the app:

V2s:/ # su - u0_a130
V2s:/ $ pm disable --user 0 com.sunmi.remotecontrol.pro
Package com.sunmi.remotecontrol.pro new state: disabled

Realistically, you could probably uninstall it in some way, but disabling is enough here — the policies don't actually block you from doing fun stuff, they're only effective when the app does something, and it can't do anything now :3

With this, you can now go wild! Install any random app (as long as it doesn't need the Play Store), put Thermer on it and print random shit, you can even turn it into a proper phone with Linphone and a SIP account.

Further steps

Even after rooting, printing is quite miserable. The only way we got it to work was with the aforementioned Thermer, and Sunmi's own demo apps. Annoyingly, anything besides that either fails to find the printer over the weird emulated Bluetooth, or outright refuses to work. Sunmi has a Flutter SDK though, and it seems relatively simple to get working, so I'd love to make some print server, accepting all sorts of formats and printing either from the device or over the network; that's for part two though (if it ever comes out).

Besides that, getting full Google Play Services could also be a fun challenge, since the device only seems to have very minimal services by default. Or maybe figure out a way to actually remove the Sunmi Remote Assistance app? We'll see what the future brings!

*shameless plug* To get updates, make sure to follow the feed in your favourite feed reader: https://ptrcnull.me/feed.atom