I bought a second-hand lavender and want to share my adventure so far trying to unlock it from Mi Cloud. I will update this post when something changes.
- Mi cloud is locked with another account
- bootloader is locked
- oem unlock status is unknown
- Mi recovery mode is possible (from there you only can wipe data, connect to mi cloud or reboot)
- fastboot is possible (from there you can reboot and read some phone vars)
- booting to system is possible but the lock screen only lets you connect to wifi and unlock via account
- miui 11 seems to be installed (you see it sometimes behind the lock screen)
- adb is disabled
- The former owner doesn't know the credentials (he says he got it from another person and lost the password.. who knows..)
- Xiaomi doesn't want to help (if the phone was stolen I would give it back for free, else they should please unlock, but they don't want to..)
- Local police can't help (IMEI is unknown, only parts of the phone number are known from the lock screen but they can't search for it)
- codes like *#06# don't work with the emergency call on the lock screen
- 'Check "Find device" status' on mi.com after entering the lock number (tap several times in the lock icon) says that the status is enabled
- I have no chance to find out who enabled it (maybe when I have the IMEI, local police can help). IMEI might have been changed already..
- I don't want to open the phone case yet
If someone knows a shortcut to my tries, please let me know!
the lock screen
With miui 11 it seems not possible to circumvent the lock screen with any method I found on the net (pressing volume buttons, add network, switching between wifi and lock screen).
You can only connect to existing networks. 'Add network' switches back to lock screen immediately.
fastboot
You can read variables via 'fastboot getvar all'. You may need the info that the current rom has ARB4. I will try to flash the lowest possible version with ARB4. From mi.com I found global rom V10.2.7.0.PFGMIXM to have ARB4.
(bootloader) crc:1
(bootloader) anti:4
(bootloader) DP:0x0
(bootloader) token: ......
(bootloader) hw-revision:10000
(bootloader) unlocked:no
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:4338
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) erase-block-size: 0x200
(bootloader) logical-block-size: 0x200
(bootloader) variant:SDM EMMC
(bootloader) partition-type:userdata:ext4
...
(bootloader) partition-type:vendor:raw
...
(bootloader) secure:yes
(bootloader) serialno:...
(bootloader) product:lavender
(bootloader) kernel:uefi
test point
Finally the cable worked, so probably no need to open the phone
deep flash cable
I soldered a deep flash cable with a button. Please don't try without button, the effort is worth it. Or buy a cable for some bucks.
Test it for example in fastboot: press the button and fastboot doesn't work
switching off phone
It is not that easy, or not possible, via buttons, and fastboot has no shutdown mode.
I found that waiting some minutes in fastboot mode with the cable disconnected switches the phone off
(actually from there you can go nowhere, as the battery must be empty or disconnected)
(not) switching to EDL mode with battery (at least not empty battery)
In Windows I installed the Qualcomm drivers (64-bit exe package); it reboots and Windows is then in 'test mode' because of the test certificates.
So far, when fastboot shuts down the phone, I am in 'Mass Storage' mode.
From there I tried to go into EDL mode via cable in two variants: pressing the button, then plugging in the phone first or plugging into the PC first.
Windows device manager and linux see the same 05c6:f000 device, which seems to be some modem (for LTE sticks, ..) according to the net.
QFIL and QPST don't see anything.
Trying things found on the net:
- USB 2.0 only (already tested with USB2 hub and Raspberry USB2 port) / edit: eventually USB3 worked fine
- Wait x seconds (all possible x tested, it's always the charging mode) / edit: yes, you have to wait some seconds, but that doesn't help with 'charging mode'
- 'when charging mode appears, try again' or so.. well.. yes / edit: retrying doesn't seem to help getting out of 'charging mode'
- 'EDL timeout', 'hello packet': I think that doesn't apply in my current state, there should be some xxxx:9008 device first
- 'only works when battery disconnected' or when battery is empty (because of EDL timeout or so) / edit: for me it really only works this way
- usb_modeswitch isn't able to switch from f000 to some other mode.
Finally, after draining the battery, it worked!
draining the battery
- flood pinging the phone (no ports open)
- USB-OTG stick on the phone
- Keep display active (tap on your connected wifi, the 'Share Wi-Fi network' window doesn't deactivate screen, also it seems to be the brightest level)
switching to EDL mode with empty battery
The phone shut down and I retried with the cable.
When the battery is too empty, the LED is blinking. Wait some seconds or a minute until the screen turns on and shows the loading icon, then try again. The LED should turn off and the phone seems dead.
The phone is in 9008 now and actually seems to stay there even when pressing power button or reconnecting USB.
ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
If the battery is too empty, charge it until it tries to start system. Then disconnect charger and try to switch mode.
I found that _only_ via "draining the battery" it is possible to get to the 9008 mode. Pressing the power button, even with an already empty battery, does not work. While draining, Android tries to shut down the phone (which could lead to non-9008 mode). As Xiaomi has locked the shutdown (it wrote "Can't power off, the device is locked" sometimes..) it can happily drain.
When you leave 9008 mode, you have to charge until system starts and then drain again.
Further, there seems to be some other mode, which "edl.py" recognizes as "memory dump mode". The USB ID is correct, but EDL commands are not possible.
Interestingly, I have no problems with the second hand device but my other lavender device bought from a..zon returns "Only nop and sig tag can be recevied before authentication" when trying, for example, "edl.py --loader=prog_emmc_firehose_Sdm660_ddr.mbn printgpt". As both should have the same PBL, I don't yet understand it..
There seems to be some timeout (seconds..) when switching to EDL mode, after that no commands are accepted.
I will stop here, as there are already tutorials on how to unlock the Mi lock in EDL mode and currently I don't want to just reflash via QFIL or QPST. I'm trying some reverse engineering meanwhile.
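As an added example (not part of the post above), a small Python parser for the `fastboot getvar all` dump shown in the fastboot section: it reports lock state, secure boot and the ARB index, and checks a candidate ROM's ARB index against the device's `anti` value before anything is flashed. The sample dump is constructed from the values quoted in the post.

```python
"""Parse `fastboot getvar all` output and summarise the security-relevant
device state. Constructed sample mirroring the post's lavender dump."""
import re

SAMPLE = """\
(bootloader) crc:1
(bootloader) anti:4
(bootloader) unlocked:no
(bootloader) erase-block-size: 0x200
(bootloader) partition-type:userdata:ext4
(bootloader) partition-type:vendor:raw
(bootloader) secure:yes
(bootloader) product:lavender
(bootloader) kernel:uefi
"""

# Split on the FIRST colon only: values like "userdata:ext4" contain colons.
LINE_RE = re.compile(r"^\(bootloader\)\s*([^:]+):\s*(.*)$")


def parse_getvar(text):
    """Return {name: value}; repeated partition-type lines become a sub-dict."""
    vars_ = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # fastboot also prints "all: listed above", "Finished." etc.
        name, value = m.group(1).strip(), m.group(2).strip()
        if name == "partition-type" and ":" in value:
            part, fstype = value.split(":", 1)
            vars_.setdefault("partition-type", {})[part] = fstype
        else:
            vars_[name] = value
    return vars_


def device_state(vars_):
    """Lock, secure-boot and anti-rollback facts a practitioner checks first."""
    anti = vars_.get("anti", "")
    return {
        "product": vars_.get("product"),
        "bootloader_locked": vars_.get("unlocked", "").lower() != "yes",
        "secure_boot": vars_.get("secure", "").lower() == "yes",
        "arb_index": int(anti) if anti.isdigit() else None,
    }


def rom_is_flashable(vars_, rom_arb_index):
    """Xiaomi anti-rollback: a ROM whose ARB index is lower than the device's
    `anti` value must not be flashed (refused, or a brick if forced).
    Returns None when the device index is unknown rather than guessing."""
    arb = device_state(vars_)["arb_index"]
    return None if arb is None else rom_arb_index >= arb
```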