Fingerprint reader MI4s on CM Mi4c ROMs

serkoon (New member), Oct 19, 2016
Dear sirs, madams,

I'm trying to get the fingerprint reader on my Xiaomi MI4s working on a(ny) CyanogenMod ROM and could use some help. Since I'm new to XDA, I couldn't post in the developer forum, even though that's probably a better place. My apologies. Currently I'm testing on a Mokee ROM for MI4c (2016-09-16, MOB31E).

I've tried various combinations of fingerprintd, fingerprint-msm5992.so, lib_fpc_tac_shared.so and fingerprint firmware files of other ROMs such as Cyanogenmod kenzo (Redmi Note 3), Nextbit, Gemini (MI5), MIUI8, et cetera. Results:
1) Firmware files (trustlets) load correctly
2) fingerprintd starts and loads the HAL libraries correctly
3) HAL libraries find the fpc1020 device
4) HAL libraries call into the keymaster trustlet, which fails:
Code:
10-08 19:59:21.695  1732  1732 D fpc_tac : fpc_km_tac_get_encapsulated_key begin
10-08 19:59:21.695  1732  1732 D QSEECOMAPI: : QSEECom_get_handle sb_length = 0x400
10-08 19:59:21.696  1732  1732 D QSEECOMAPI: : App is already loaded QSEE and app id = 3
10-08 19:59:21.699  1732  1732 E fpc_tac : fpc_km_tac_get_encapsulated_key KEYMASTER_GET_AUTH_TOKEN_KEY returned status=-16773124
10-08 19:59:21.700  1732  1732 D QSEECOMAPI: : QSEECom_dealloc_memory
10-08 19:59:21.700  1732  1732 D QSEECOMAPI: : QSEECom_shutdown_app, app_id = 3
10-08 19:59:21.702  1732  1732 D fpc_tac : fpc_km_tac_get_encapsulated_key end
The MIUI8 ROM contains a tool 'keymaster_test' which tests the keymaster trustlet. All tests that use the keymaster to create keys fail, which leads me to believe that the problem lies with the keymaster trustlet and not the fingerprint software.

Reverse engineering of the keymaster trustlet shows a call into 'qsee_get_secure_state()', which, if it fails, logs a failure and exits. I don't see this logging, so I am not sure if this path is triggered, but it could be.

My hypothesis is that the keymaster trustlet (which is the MIUI8 original) checks the boot state and 'doesn't like it' on the Mokee ROM and therefore doesn't allow the fingerprint trustlet to generate key material necessary for the fingerprint software to work.

Is there anyone who could shed some light on this topic? Is there a way I could test my hypothesis? Would signing the boot.img help? The MIUI8 boot.img appears to contain an embedded signature/certificate of Yoyodyne Inc., which I think is a default Android certificate. The Mokee boot.img does not appear to contain something like this. Any ideas?
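The post above asks whether the MIUI8 boot.img is signed while the Mokee one is not. The following script is an added example for this thread, not code from the post or from any ROM project: it parses the classic header-version-0 boot image layout used by 2016 Qualcomm devices (assumption: the field at offset 40 holds dt_size, the size of an appended device-tree blob), computes where the page-aligned image ends, and decodes the AndroidVerifiedBootSignature DER blob that AOSP's BootSignature tool appends there, reporting the target and length it claims to cover. It only inspects the trailer; it does not verify the signature against any key, and the sample image and its signature blob are constructed for the demonstration.

```python
"""Report whether an Android boot.img carries an appended verified-boot (v1)
boot signature and what that signature says it covers.

Added example, not from the thread. Assumes boot_img_hdr version 0 with the
Qualcomm dt_size field at offset 40; parses but does not verify the DER blob."""
import struct

# boot_img_hdr v0: magic, 8 x uint32, dt_size/header_version, os_version,
# name[16], cmdline[512], id[8], extra_cmdline[1024] -> 1632 bytes
HEADER_FMT = "<8s10I16s512s8I1024s"


def pages(n, page):
    return (n + page - 1) // page


def image_length(blob):
    """Page-aligned length of the signed part: header, kernel, ramdisk,
    second stage and (Qualcomm) DT blob, each padded to page_size."""
    f = struct.unpack_from(HEADER_FMT, blob, 0)
    if f[0] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    kernel, ramdisk, second, page, dt = f[1], f[3], f[5], f[8], f[9]
    if 0 < dt <= 4:  # a small value here is header_version 1..4: other layout
        raise ValueError("boot header version %d not handled" % dt)
    return page * (1 + pages(kernel, page) + pages(ramdisk, page)
                   + pages(second, page) + pages(dt, page))


def der_tlv(buf, off):
    """Decode one DER tag/length at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def der_children(value):
    """Yield (tag, value_bytes) for each element of a constructed DER value."""
    off = 0
    while off < len(value):
        tag, vs, ve = der_tlv(value, off)
        yield tag, value[vs:ve]
        off = ve


def parse_boot_signature(sig):
    """AndroidVerifiedBootSignature ::= SEQUENCE { formatVersion INTEGER,
    certificate, algorithmIdentifier, authenticatedAttributes SEQUENCE {
    target PrintableString, length INTEGER }, signature OCTET STRING }"""
    tag, vs, ve = der_tlv(sig, 0)
    if tag != 0x30:
        raise ValueError("trailer is not a DER SEQUENCE")
    version, _cert, _algid, attrs, signature = list(der_children(sig[vs:ve]))[:5]
    target, length = list(der_children(attrs[1]))[:2]
    return {"format_version": int.from_bytes(version[1], "big"),
            "target": target[1].decode("ascii"),
            "length": int.from_bytes(length[1], "big"),
            "signature_bytes": len(signature[1])}


def check_boot_image(blob):
    """None when nothing but padding follows the image (unsigned); otherwise
    the trailer's fields plus whether the length it claims matches the image."""
    end = image_length(blob)
    if len(blob) <= end or blob[end] != 0x30:  # 0x00/0xff partition padding
        return None
    info = parse_boot_signature(blob[end:])
    info["covers_image"] = info["length"] == end
    return info


def der(tag, body):
    """Encode one DER TLV (lengths up to 65535 are enough here)."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = b"\x81" + bytes([n])
    else:
        ln = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body


def sample_boot_image(signed):
    """Constructed test image: 2 KiB pages, 3000-byte kernel, 100-byte ramdisk,
    optionally followed by a fake (unverifiable) signature covering it."""
    page, kernel, ramdisk = 2048, b"K" * 3000, b"R" * 100
    hdr = struct.pack(HEADER_FMT, b"ANDROID!", len(kernel), 0x8000, len(ramdisk),
                      0x1000000, 0, 0, 0x100, page, 0, 0, b"", b"", *([0] * 8), b"")
    pad = lambda b: b + b"\x00" * (-len(b) % page)
    img = pad(hdr) + pad(kernel) + pad(ramdisk)
    if not signed:
        return img
    cert = der(0x30, der(0x13, b"constructed, not an X.509 certificate"))
    algid = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    size = len(img).to_bytes((len(img).bit_length() + 8) // 8, "big")
    attrs = der(0x30, der(0x13, b"/boot") + der(0x02, size))
    return img + der(0x30, der(0x02, b"\x01") + cert + algid + attrs + der(0x04, bytes(256)))


if __name__ == "__main__":
    print(check_boot_image(sample_boot_image(False)))
    print(check_boot_image(sample_boot_image(True)))
```

Run it against a dumped boot partition with `check_boot_image(open("boot.img", "rb").read())`: an image from a ROM built without a boot signature returns None, while a signed one reports the target partition and covered length. A trailer whose length does not equal the computed image length means the image was modified after signing, which is worth knowing before asking whether "signing" a ROM's boot.img would satisfy the trustlet's boot-state check.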

Imamsakul (New member), Sep 4, 2016
I'm using a Mi4s (CM 14.1 Mi4c) and the fingerprint didn't work. How do I fix it? Please help me.

BlackXhorneT (Senior Member, Norwich), May 5, 2016
Would love to see this working. It's the Achilles heel in our otherwise terrific device. Any testing or logs you might need, I'm your man.

For what it's worth, @AndropaX and @ketut.kumajaya have both tried (unsuccessfully) to achieve this. Although they didn't manage it, they may well have insight that you haven't looked into yet. Perhaps send them a quick message to see if they have anything that might help you get a little further, or some ideas you haven't looked into.

Keep up the good work

Edgrr000 (Senior Member), Feb 8, 2013
I've been looking into this as well and tried various combinations of drivers and firmware from the Nubia Z11, Redmi Note 3, Nextbit, Gemini, etc. I think we pretty much followed the same path, and no luck. I was just about to look into the MIUI ROM and I came across your thread, and it seems like you might be on to something. Any updates?
I'll look into what you mentioned and see what i find.

chriswu420 (New member), Dec 15, 2016
If you can share your qsee_log, that can help find out what caused the KEYMASTER_GET_AUTH_TOKEN_KEY failure.
It's really easy to debug.

Thanks.


It can be seen from your log that the returned errno 16773124 means "QSEE_MESSAGE_ERROR_BAD_DEST_APPNAME".
It shows that your fingerprint TA might not be in the keymaster.
Please check the keymaster_oem_config.xml in your environment and make sure that your device is in the list.

Hope it will help you.

aasrasra (New member), Apr 24, 2017
The keymaster has a whitelist that should contain 'fpctzappfingerprint'. Instead, it will probably contain just 'fingerprint', which is the name of the default QC fingerprint TA. Run strings through some compatible keymaster TAs and look for 'fingerprint'. If you find 'fpctzappfingerprint', use that keymaster instead. Keep your fingers crossed when you reboot. HTH
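The post above suggests running `strings` over candidate keymaster trustlets and looking for 'fingerprint'. The script below is an added example for this thread, not code from any poster or vendor tool: it reimplements that pass over the split trustlet segments (NAME.mdt plus NAME.b00, NAME.b01, ...) and matches whole NUL-terminated strings, so the stock Qualcomm TA name 'fingerprint' and the FPC one 'fpctzappfingerprint' are told apart instead of both hitting a substring grep. That these strings are the whitelist entries is the poster's claim and this script's assumption; it narrows down which keymaster builds to try, it does not confirm how the trustlet uses them. The two sample "keymaster" variants it writes are constructed for the demonstration.

```python
"""List the fingerprint TA names a keymaster trustlet build mentions.

Added example, not from the thread. Scans NAME.mdt and NAME.bNN segment files
for whole C strings and checks for an exact 'fpctzappfingerprint' entry."""
import re
import tempfile
from pathlib import Path

# Runs of printable ASCII (min length 6) terminated by NUL or end of data,
# which is how C string literals sit in a trustlet's rodata segment.
CSTRING = re.compile(rb"[\x20-\x7e]{6,}(?=\x00|$)")

FPC_TA = "fpctzappfingerprint"  # TA name used by the FPC fingerprint blobs (from the post)
QC_TA = "fingerprint"           # stock Qualcomm fingerprint TA name (from the post)


def fingerprint_ta_names(blob):
    """Distinct whole strings containing 'fingerprint', longest first."""
    found = {m.group().decode("ascii") for m in CSTRING.finditer(blob)}
    return sorted((s for s in found if QC_TA in s), key=len, reverse=True)


def trustlet_segments(directory, base):
    """Segment files of one split trustlet: .mdt first, then .b00, .b01, ..."""
    d = Path(directory)
    return [d / f"{base}.mdt"] + sorted(d.glob(f"{base}.b[0-9][0-9]"))


def scan_keymaster(directory, base="keymaster"):
    """Concatenate the segments and report the fingerprint TA names found and
    whether the FPC name is present exactly (a bare 'fingerprint' is not it)."""
    data = b"".join(p.read_bytes() for p in trustlet_segments(directory, base)
                    if p.is_file())
    names = fingerprint_ta_names(data)
    return {"names": names, "allows_fpc": FPC_TA in names}


def write_sample_trustlets(directory):
    """Two constructed 'keymaster' variants: junk bytes plus a few C strings.
    km_a names only the stock TA, km_b also names the FPC TA."""
    junk = bytes(range(256)) * 4  # no NUL-terminated printable run inside
    variants = {"km_a": [b"keymaster", b"fingerprint", b"qsee_get_secure_state"],
                b"km_b".decode(): [b"keymaster", b"fpctzappfingerprint", b"fingerprint"]}
    d = Path(directory)
    for base, strs in variants.items():
        (d / f"{base}.mdt").write_bytes(b"\x7fELF" + junk)
        # spread the strings over two segments, NUL-terminated like rodata
        (d / f"{base}.b00").write_bytes(junk + b"\x00".join(strs[:2]) + b"\x00")
        (d / f"{base}.b01").write_bytes(b"\x00".join(strs[2:]) + b"\x00" + junk)


def demo():
    """Write the samples to a scratch directory and scan both variants."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_trustlets(tmp)
        return {base: scan_keymaster(tmp, base) for base in ("km_a", "km_b")}


if __name__ == "__main__":
    for base, result in demo().items():
        print(base, result)
```

On a real device the segments live under the firmware image directory (typically /firmware/image or /system/vendor/firmware on devices of this generation); pull them with adb and point `scan_keymaster` at the directory. A build whose only hit is the bare 'fingerprint' string is the case the post describes, and is not worth flashing for the FPC TA.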

BlackXhorneT (Senior Member, Norwich), May 5, 2016
> The keymaster has a whitelist that should contain 'fpctzappfingerprint'. Instead, it will probably contain just 'fingerprint', which is the name of the default QC fingerprint TA. Run strings through some compatible keymaster TAs and look for 'fingerprint'. If you find 'fpctzappfingerprint', use that keymaster instead. Keep your fingers crossed when you reboot. HTH
Any chance we could apply this to a ROM and test it? Would love to see the FPR working.

Sent from my Mi-4s using XDA-Developers Legacy app