
[WARNING] (Amazfit) HUAMI LOCKS BOOTLOADER IN 1.2.13 AND 1.3.2b

By Neuer_User, Senior Member on 26th March 2017, 01:03 PM
Huami started to lock the bootloader of the Amazfit watch in their official release 1.2.13 and 1.3.2b onwards.

If you want to keep the possibility to flash custom software on your watch, DO NOT UPGRADE TO THESE VERSIONS. You will not be able to flash any other firmware afterwards.

PACEfied firmware is safe, and does NOT lock your bootloader.

UPDATE 14.07.17:
We have heard several times now via unofficial sources that Huami is working on an official bootloader unlocking service. So far, however, we have no official information here.

On the other hand, Olivier (French developer on xda) has spent a significant amount of time understanding the unlocking process and we have successfully unlocked two watches. We are currently in the process of setting up a (free) unlocking web service, allowing individual xda users to unlock their watches for private usage (and accepting loss of warranty from Huami).

In case Huami ever comes out with their service, we will stop our service, as we do not want to compete with Huami here; we are just filling the gap if Huami doesn't move forward with their unlocking service.

Please give us some time (we expect 2-3 weeks) to set up the unlock service.


UPDATE 7.08.17:
The unlock service is live now. Head over to https://forum.xda-developers.com/sma...-void-t3654011, if you want your bootloader unlocked!
27th March 2017, 07:48 AM |#2  
scrubber, Senior Member
Fastboot oem unlock
And the command to unlock the bootloader does not work?*

Code:
fastboot oem unlock
27th March 2017, 08:20 AM |#3  
OP Senior Member
Quote:
Originally Posted by scrubber

And the command to unlock the bootloader does not work?*

Code:
fastboot oem unlock

No, neither does
Code:
fastboot flashing unlock
I wouldn't expect Huami to put efforts into locking the bootloader and at the same time making it that easy to unlock it again. This is no coincidence. They saw our work and reacted. That's what happened. Very sad
27th March 2017, 11:37 AM |#4  
scrubber, Senior Member
Quote:
Originally Posted by Neuer_User

No, neither does

Code:
fastboot flashing unlock
I wouldn't expect Huami to put efforts into locking the bootloader and at the same time making it that easy to unlock it again. This is no coincidence. They saw our work and reacted. That's what happened. Very sad

Perhaps we need to find the Fastboot oem command, they can be different for different devices

https://www.xda-developers.com/how-t...boot-commands/
27th March 2017, 11:57 AM |#5  
OP Senior Member
Quote:
Originally Posted by scrubber

Perhaps we need to find the Fastboot oem command, they can be different for different devices

https://www.xda-developers.com/how-t...boot-commands/

Well, the strings dump shows that the "oem unlock" command seems to exist, but it indicates that an unlock code is necessary, probably based on the serial number of the watch:

strings dump extract:
Code:
oem:
unlock
serial no length is null
magic_serialno:%s
, len:%d
%02x
uncrypted_str_serialno:%s
Unlocked code sucess
Unlocked code is error
Unsupport oem cmd
FAILED: The command is not recongized
27th March 2017, 12:02 PM |#6  
OP Senior Member
So, we have three possibilities:
  • We find the method on how the code is calculated based on the serial of the watch
  • We find the location, where u-boot stores the variable, if the device is locked or not (EDIT: I would expect that in the Misc partition.)
  • We just reflash the old bootloader (easiest, but only temporary until next OTA update)
27th March 2017, 12:33 PM |#7  
scrubber, Senior Member
Quote:
Originally Posted by Neuer_User

So, we have three possibilities:

  • We find the location, where u-boot stores the variable, if the device is locked or not (EDIT: I would expect that in the Misc partition.)

Drop me stock ota 1.2.11c and 1.2.13
27th March 2017, 12:51 PM |#8  
OP Senior Member
Quote:
Originally Posted by scrubber

Drop me stock ota 1.2.11c and 1.2.13

You will only need the bootloaders (rest of the OTA is just modified apks). I will send them both (old and new one) to you via PM. It would be necessary to disassemble and understand the new bootloader (the old one does not have any OEM commands and also did not read the serial no at all, instead displayed always a dummy serial).
The serial is stored on the misc partition, so the bootloader now needs to read this partition. That's why I believe they probably stored the lock/unlock flag also there. We just need to know which byte.
Of course, if there were someone with a functioning unlock code, he could dump his misc partition before and after unlocking. That would make it pretty clear
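The before/after comparison proposed in post #8, as an added example that is not part of the original thread: a Python sketch that reports which byte ranges differ between two dumps of the same partition. The sample images, their layout and the flag offset are constructed for illustration and say nothing about the watch's real misc layout.

```python
"""Added example: find the bytes that differ between two dumps of one partition."""
from dataclasses import dataclass

@dataclass
class ChangedRange:
    offset: int    # offset of the first differing byte
    before: bytes  # content in the first dump
    after: bytes   # content in the second dump

def diff_dumps(before, after, merge_gap=4, block=4096):
    """Return changed ranges; changes <= merge_gap equal bytes apart are merged."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size, not images of the same partition")
    spans, start, end = [], None, None
    for base in range(0, len(before), block):
        if before[base:base + block] == after[base:base + block]:
            continue  # skip identical blocks quickly
        for i in range(base, min(base + block, len(before))):
            if before[i] == after[i]:
                continue
            if start is not None and i - end <= merge_gap:
                end = i + 1            # extend the current range
            else:
                if start is not None:
                    spans.append((start, end))
                start, end = i, i + 1  # open a new range
    if start is not None:
        spans.append((start, end))
    return [ChangedRange(s, before[s:e], after[s:e]) for s, e in spans]

def format_report(ranges):
    """One line per changed range: offset, old bytes, new bytes (hex)."""
    return [f"0x{r.offset:08x}: {r.before.hex()} -> {r.after.hex()}" for r in ranges]

def constructed_sample():
    """Two made-up 512-byte images: a serial string plus one flag byte that flips."""
    image = bytearray(512)
    serial = b"CONSTRUCTED-SERIAL-0001"
    image[0x40:0x40 + len(serial)] = serial
    image[0x120] = 0x01  # hypothetical "locked" marker
    changed = bytearray(image)
    changed[0x120] = 0x00  # hypothetical "unlocked" marker
    return bytes(image), bytes(changed)

if __name__ == "__main__":
    for line in format_report(diff_dumps(*constructed_sample())):
        print(line)
```

On real dumps, anything else the bootloader or system rewrites between the two reads (counters, boot messages) will show up as additional ranges, so taking the two dumps as close together as possible keeps the report short.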
29th March 2017, 12:59 PM |#9  
Member
So I now have no way to flash a stable version starting from 1.2.13?
29th March 2017, 04:22 PM |#10  
Member
It's safe to update 1.3.2b ? English version
30th March 2017, 08:30 AM |#11  
OP Senior Member
Quote:
Originally Posted by zbuh

It's safe to update 1.3.2b ? English version

No, also locks bootloader. But there is a good chance that we can unlock or reflash the bootloader, if someone wants to switch firmware later.