[Guide] [Mediatek] Mi Authorized Account : Sad fate of Xiaomi Devices !

TechyMinati (Senior Member, techyminati.weebly.com)
Hey Guys, this is Aryan (TechyMinati @An ASP). As we know, these days everyone is keen to install Custom ROMs & Recovery on their devices. Sometimes the thing goes well and sometimes the device hard-bricks. Here we are basically talking about the Xiaomi Mediatek devices & their fate.

Mediatek devices have Download Mode or DA Mode, which allows you to revive your device even if it is hard-bricked. So what's the error now?
The case with Xiaomi Mediatek devices is entirely different: you can't flash your device without a Mi Authorized Account, which can simply be called server-side SLA (Serial Link Authorization).

Let's take a deep insight into the working of this Mi Authorized Account.


For those unaware, SP Flash Tools, short for SmartPhone Flash Tool, is a tool that MediaTek distributes that allows flashing the OEM firmware back onto a MediaTek device in case something goes wrong. Now, in this “hard-brick” condition, the device is able to enter the BROM “emergency-download” mode (EDL, for short). If you remember, BROM may implement security to prevent unauthorized modification to the device.
Most manufacturers implement very basic security; there are 2 main BROM security implementations:
- SLA (Serial Link Authorization)
- DAA (Download Agent Authorization)

A MediaTek device can have none, either or both. Usually a slightly modified version of the flash tool which contains a few secrets is enough to let anyone re-flash the device. Let’s quickly understand what these implementations are like and how they differ.
BROM exposes UART to communicate. In both cases, the device will generate a few random bytes which must be “decrypted” or simply processed to create a new string. If BROM validates the string, it’ll allow the host to issue many more instructions without errors, such as jumping to addresses or writing partitions. The difference between the two is that in SLA, the BootROM performs the check, and in DAA, the Download Agent (DA) performs it. The Download Agent is loaded by SP Flash Tool. On devices that implement SLA, you cannot load a DA file without completing the SLA challenge. On devices that implement DAA, the challenge is done by the DA and a modified DA file is enough to bypass security (that is, assuming you manage to reverse things or have the BSP).


What's worse now? Xiaomi Mediatek devices have SLA!

Xiaomi has special accounts (called Mi Authorized Accounts) that are given to service centers for repairing devices. These accounts are capable of requesting authorization tokens to unlock BROM download on MediaTek devices (and other EDL equivalents for Qualcomm devices). Something that can be very easily fixed by a consumer and/or developer is locked to service centers.

So how does this Mi Authorized Account work? How does the data exchange take place to allow BROM to proceed?

Well, with Mi Auth, the device generates 16 bytes of data and sends it to the server. The server checks if your account has authorization and returns 256 bytes of data. If the data is correct, BROM continues. Else it traps itself in an infinite loop until it times out due to no command and reboots.

Our beloved friend @Agent_fabulous created a Python script that imitates the way Mi Auth works, but sadly it doesn't work as of now. You can find the script here.

A Ray of Hope: Modified Preloader
Back in March 2020, when I got my Redmi 6A bricked, I tried a lot of ways to revive it. I ended up paying some bucks to shady guys on the internet who revived my device via Mi Auth over a remote session using TeamViewer. And the sadder part is most Xiaomi Service Centers don't know a single thing about Mi Auth; all they know is to replace the motherboard LOL. Ah, noobs everywhere.
After I revived my device, I began to think of making the Antibrick that begonia already has (ah, again thanks to @Agent_fabulous for his works). Meanwhile, I found out the factory firmware for Redmi 6 & 6A. You see, every OEM receives a BSP for their platform of choice from the SoC manufacturer. Usually, the OEM will boot a clean version of this BSP on their hardware to get everything working, before the product team can start porting out the “skin” of Android that they advertise and ship their products with. This clean version of the BSP build is often referred to as the “final factory firmware”.

We have factory firmware now! What's next?

After getting the factory ROM, the thing you need to do first is boot that ROM safely on your device (Note: if your phone is already hard-bricked then this factory FW doesn't help; it's for creating antibricks and other stuff).
- You can boot your device to fastboot and fastboot flash all partitions from the factory ROM
- After that, turn off the device and attach it to your PC or Linux machine
- And run dmesg on your device
- And let the device automatically power on.


Now if you see it register a cdc_acm device with the description MT65XX Preloader, man, you have succeeded & can flash without Mi Auth on that preloader.

After that, try installing any other ROM, say MemeUI 11 (remember: don't flash the MIUI preloader). Now extract the preloader & you can make a flashable zip xD. As long as you are on that preloader, you have no worries; you can flash any ROM via SP Flash Tool without any fancy auth.


Hope you understood what Mi Auth is & how it works on Mediatek devices & how you can prepare an AntiBrick.

Press Thanks On this Thread xD


Credits:-
@Agent_fabulous (Mr. Kshitij) for making me aware of Antibrick and how to prepare it. [He is a developer from begonia who implemented VoLTE on the Mediatek chipset based device Redmi Note 8 Pro; he made antibrick too; his article here (from which I've learned a lot about Mi Auth)]
@An ASP (Aryan Sinha; also known as TechyMinati) for making this article & gathering info about Mi Auth.


I recommend you to give this XDA article a read, too!
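Added example, not part of the thread and not Xiaomi's or MediaTek's code: a Python model of the challenge/response exchange described in the post (device sends 16 bytes, an authorized account gets 256 bytes back from the server, BROM either continues or traps). The post does not say how the 256 bytes are computed; this model assumes an RSA-2048 signature over the challenge with a simplified PKCS#1-style encoding, chosen only because 256 bytes is the size of that signature. The account names and keys are constructed. What it shows is the shape of a server-side SLA: only the holder of the server's private key can answer, every token is bound to one fresh challenge (so a captured token does not replay), and anything else leaves the device trapped until its no-command timeout.

```python
import hashlib
import os
import random

KEY_BYTES = 256        # the 256-byte server answer the thread describes
CHALLENGE_BYTES = 16   # the 16 bytes the device sends out
_rng = random.SystemRandom()
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin (demo-grade key generation)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=KEY_BYTES * 8):
    """Return (n, e, d); a 2048-bit n is what makes a token exactly 256 bytes."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)   # modular inverse via pow() needs Python 3.8+


def _encode(challenge):
    """Assumed, simplified PKCS#1 v1.5-style block: 00 01 FF..FF 00 || SHA-256(challenge)."""
    digest = hashlib.sha256(challenge).digest()
    return b"\x00\x01" + b"\xff" * (KEY_BYTES - 3 - len(digest)) + b"\x00" + digest


def issue_token(priv, challenge):
    n, d = priv
    return pow(int.from_bytes(_encode(challenge), "big"), d, n).to_bytes(KEY_BYTES, "big")


def token_valid(pub, challenge, token):
    n, e = pub
    if challenge is None or len(token) != KEY_BYTES:
        return False
    s = int.from_bytes(token, "big")
    return s < n and pow(s, e, n).to_bytes(KEY_BYTES, "big") == _encode(challenge)


class AuthServer:
    """Xiaomi-side service in this model: it signs only for accounts on its list."""
    def __init__(self, priv, authorized_accounts):
        self._priv = priv
        self._authorized = set(authorized_accounts)

    def request_token(self, account, challenge):
        if account not in self._authorized or len(challenge) != CHALLENGE_BYTES:
            return None          # unauthorized account: no 256 bytes come back
        return issue_token(self._priv, challenge)


class Device:
    """BROM side in this model: a fresh challenge per attempt and a single verdict."""
    def __init__(self, pub):
        self._pub, self._challenge, self.state = pub, None, "BROM_WAITING"

    def new_challenge(self):
        self._challenge = os.urandom(CHALLENGE_BYTES)
        return self._challenge

    def submit(self, token):
        if token is not None and token_valid(self._pub, self._challenge, token):
            self.state = "DOWNLOAD_UNLOCKED"   # BROM continues; the DA can now be loaded
        else:
            self.state = "TRAPPED"             # loops until the no-command timeout, then reboots
        self._challenge = None                 # a challenge is never reused
        return self.state


def run_exchange(server, pub, account):
    """One full handshake: device -> 16 bytes -> server -> 256 bytes -> device."""
    device = Device(pub)
    return device.submit(server.request_token(account, device.new_challenge()))


if __name__ == "__main__":
    n, e, d = gen_keypair()
    server = AuthServer((n, d), {"service-center-01"})   # constructed account name
    print("authorized account:", run_exchange(server, (n, e), "service-center-01"))
    print("unknown account   :", run_exchange(server, (n, e), "random-user"))
```

Running it prints DOWNLOAD_UNLOCKED for the listed account and TRAPPED for any other; the test cases below the block also confirm that a token issued for one challenge is rejected by a device holding a different one, which is the property that makes a recorded remote session useless for the next boot.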
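Added example, not from the thread: a small Python checker for the dmesg step in the post, run over constructed sample kernel lines (not captured from a real device). It groups USB messages by port path and reports whether a device whose product string names the MT65xx Preloader got registered by cdc_acm as a serial port, which is the sign of success the post describes. The idVendor/idProduct values in the sample are assumptions, and a disconnect a few seconds after the registration is expected, since the preloader hands over and the phone boots on.

```python
import re
import sys

# Constructed sample dmesg output. The product string follows the form the
# thread describes ("MT65XX Preloader"); the VID/PID values are assumptions.
SAMPLE_DMESG = """\
[ 1203.110212] usb 1-1: new high-speed USB device number 7 using xhci_hcd
[ 1203.260412] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 1203.260419] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1203.260423] usb 1-1: Product: MT65xx Preloader
[ 1203.260426] usb 1-1: Manufacturer: MediaTek
[ 1203.271004] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 1205.000101] usb 2-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[ 1205.000110] usb 2-3: Product: USB Keyboard
[ 1207.902311] usb 1-1: USB disconnect, device number 7
"""

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)$")
ACM = re.compile(r"cdc_acm (\S+?):([\d.]+): (ttyACM\d+): USB ACM device")
DISCONNECT = re.compile(r"usb (\S+): USB disconnect")


def parse_usb_events(text):
    """Fold the per-line kernel messages into one record per USB port path."""
    devices = {}
    for line in text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[m.group(1)] = {"path": m.group(1), "vid": m.group(2), "pid": m.group(3),
                                   "product": None, "tty": None, "connected": True}
            continue
        m = PRODUCT.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2).strip()
            continue
        m = ACM.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["tty"] = m.group(3)      # cdc_acm bound a serial port to it
            continue
        m = DISCONNECT.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["connected"] = False    # normal: preloader hands over and boots on
    return devices


def find_mtk_preloader(text):
    """Records whose product string names a preloader AND that got a ttyACM port."""
    return [d for d in parse_usb_events(text).values()
            if d["product"] and "preloader" in d["product"].lower() and d["tty"]]


def preloader_reachable(text):
    return bool(find_mtk_preloader(text))


if __name__ == "__main__":
    # Pipe real output in ("dmesg | python3 check_preloader.py"); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for d in find_mtk_preloader(text):
        print(f"{d['path']}: {d['product']} ({d['vid']}:{d['pid']}) on /dev/{d['tty']}")
    if not preloader_reachable(text):
        print("no MT65xx Preloader ACM port seen")
```

Matching on the product string plus the cdc_acm registration, rather than on a VID/PID alone, is deliberate: it is the serial port appearing that tells you the flashed preloader is actually talking to the host, which is what the flash tool needs.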

adi4ntn (New member)
(quoting the "We have factory firmware now! What's next?" section of TechyMinati's opening post)
Can you please make an "easy-to-understand" step-by-step guide for a noob like me? With download links of course xD, like this one https://forum.xda-developers.com/redmi-note-8-pro/development/rom-crdroid-6-x-t4124805/amp/

Thanks

sarthak_iitd23 (New member)
(quoting TechyMinati's opening post in full)
Thank you for this information. I have hard bricked my Redmi 6. It requires 'Authorized Mi Account' while flashing. Can you please help me out by providing a solution with steps and links?