BLU G91 Pro (bootloader unlocked/rooted)

Search This thread


Senior Member
Nov 16, 2020
I have realized that there isn't a guide to root the G91 PRO (not the max, for whatever reason that got rooted before the pro...) anyway, I figured out how to do it, and I'm probably not the first one. Since I haven't been able to find the stock rom on the internet, I strongly advise you backup your stock rom with mtkclient.

This is an A/B device, so we need to flash to both slots.

First, dump your stock rom with this tool:

This is mtkclient. It reverse engineers BROM or Preloader mode so that we can pull down the flash. Once you put your phone in BROM mode, use this command to back up the whole flash. (To put your phone in BROM mode, power off your phone and hold down volume up, down, and power and the same time while plugging in a USB-C cable)

python3 mtk rf flash.bin

Now that we've made a backup, we can start screwing around with the phone. If you ever need to restore your backup then all you need to do is:

python3 mtk w flash.bin

Inside of that flash bin you can find all the partitions inside of it. I use 7zip to look inside of the archive. Look for boot_a.img. After you find it, use magisk manager to root the stock boot.img.

If you don't want to look inside of the archive and would prefer to just dump the boot images, then just run these commands instead.

python3 mtk r boot_a boot_a.img
python3 mtk r boot_b boot_b.img

Now we can also use this mtkclient software to unlock the bootloader. We don't have to use mtkclient, we could use bootloader mode after enabling oem unlocking in developer options, but we can do this too.

We first have to erase metadata, userdata, and md_udc.

python3 mtk e metadata, userdata, md_udc

Now we can unlock the bootloader.

python3 mtk da seccfg unlock

After unlocking the bootloader, you can now flash partitions. Flash your patched boot.img in bootloader mode.

fastboot flash boot_a (patched boot.img)
fastboot flash boot_b (patched boot.img)

Inside of the mtkclient folder, you will find a file called vbmeta.img.empty. This is a patched vbmeta (its blank haha) so that we can disable verified boot. we need to flash it to both slots.

fastboot flash vbmeta_a (vbmeta.img.empty)
fastboot flash vbmeta_b (vbmeta.img.empty)

That's all! :)

Edit: I decided to attach my rooted and non rooted boot img for those who want to do it quickly. I caution you though, only flash my provided boot.img if your build number and custom build number matches the one in the screenshot I provided. Build number can be checked in Settings>About Device>Build Number and Custom Build Info. Make sure to also flash the empty vbmeta so you don't have any dm verity errors!


  • Screenshot_20220516-141657.png
    56.7 KB · Views: 30
  • magiskboot_a.img
    32 MB · Views: 19
  • boot_a.img
    32 MB · Views: 10
  • vbmeta_empty.img
    4 KB · Views: 6
Last edited:


New member
May 23, 2022
is build id same as build number?and can i flash that boot_a.img in bugjaeger app?