Guide: Reverse-engineering Xiaomi OTA Updates to Find Unreleased Versions

Jeconias Santos

I get this value from my device:
Code:
DyuFSvBCI8E6Pfk34pDZv+xWMGS2MDrdDi3L0SCX+DPVmPrNnNgtF72gYsZaukI/cwhx026E6JXzB/P2sZN129zTbantAAgeuEwl2xjP98hzEM5H1rl83RKGT7atiWDEuvc+gaSgTDKG46YJ29ZTrSQbwdIq/nxtIT/zasoK3A2mujymNxjL/oSDJaPCoaLBkDNcpeItd3gn5SSw7tUFLHkhgewsLjIjrNzYRIaJci4/8KxPhRtnsMhQgchEGtv62kvCtV05GkFwHIB0KtunnRbYJMuy4BDDGSuDnIrCfwBSXhLpiiyIEny3Wc1zRlkUvIYScF4YVldJp4Wb+FsZhO402bDmdK2rnQ2TvK/iIF7q3w5X1F07AiLU0HWqR0x/ZSHuuRgLoA7dsrSFTgmd5/G/WcfU/PxDQUdLVTZ5z9IiiFeJSi5SJYy2zAxSa3Rh5KCrQ0RVGYG5V+On65uO9s61LY1QB7ppgrM5LQkEwSvSZzeEkhVQnLoiEfc7l+CLuVDNBimbHvBtWkPaviuIAA==
and the key "miuiotavalided11" does not work. Any idea?
 

RicardoMullion

I am trying to capture the Mi 5s Plus but it does not work:
Code:
from decrypt import *
import urllib2, base64, json, threading, sys, urllib
global checkurl
checkurl = 'http://update.miui.com/updates/miotaV3.php'

default = {
    "n":"",  # I don't know what this parameter is
    "unlock":"1",  # 1 means bootloader is unlocked. 0 means locked.
    "g":"00000000000000000000000000000000", # This seems to be the android_id of the device. Maybe encoded somehow.
    "sn":"0x00000000", # Probably the serial number of the device, maybe encoded somehow.
    "a":"0", # Don't know what this is.
    "v":"MIUI-V9.2.1.0.NBGMIEK", # The version of MIUI installed.
    "l":"en_US", # The locale.
    "i":"0000000000000000000000000000000000000000000000000000000000000000", # This seems to be the imei of the device, obviously encoded somehow.
    "b":"F", # Same as above, 'X' for weekly build.
    "c":"7.0", # Same as 'c' above, it's the Android version.
    "sys":"0", # I don't know what this is.
    "p":"msm8996", # The chipset
    "id":"", # I don't know what this is.
    "cts":"0", # I don't know what this is.
    "d":"natrium_global", # The device name, same as above, chiron for Chinese, chiron_global for global.
    "f":"1", # I don't know what this is.
    "bv":"9", # I don't know what this is.
    "isR":"0", # I don't know what this is.
    "r":"CN" # I don't know what this is, maybe region of device?
} 

def makeRequest(inp, tval="", sval="1"):
    js = json.dumps(inp, separators=(',', ':'))
    global svalue
    postdata = "q="+urllib.quote_plus(encrypt(js))+"&t="+tval+"&s=" + sval
    print postdata
    global checkurl
    try:
        response = urllib2.urlopen(checkurl, postdata)
        ret = response.read()
        r = decrypt(ret)
        json.loads(r)
    except:
        print "Problem"
        
print(makeRequest(default))
And it just shows me this:
Code:
q=6Lx%2FLwJ03fj0SAHc64gdDB5Hp%2Bf0srDTFYG7HpUttq9aVHWxuVNVGhpKJtyMQfiOXuyc66Ull%2F2TLCyISaUhVzxX9OdtDlXgyiNyzLSe5Sqpuxc0qO%2FBJEt%2BqZ7I%2FLkjUIVjq16zYYIEae6ZP3BKWeiQQzIMeEMg3v%2FQNdw7AGjGJ0cabSwTioxLfvPMaGzxL8iNkVMuDiyPSswwWwNrmYR9pDBqmaqlmR9wvsvRXCBMKjj0cbXjIWjoCxzpp8ekQp0c7Y%2BLZqZaN835gW9wWPe3tMelkgDfZM1txMYNrCnRBHfJ4beKnAa5snaY1cZ8wKC7tHevRsoJ19fCZlAfaZs7LL5%2BHHzPJgHYrjiXa1kp91p2G7IjFXT7Twfzh1aAyCkSPeRdWVX5JUPVLwfkAd2Vyqb9NiFRVgAJfx5QSQs%3D&t=&s=1
None
Please help
 

palexis06


raupe

Hi, I'm trying to find a new way to find new ROMs, and after searching I tried this link:

http://update.miui.com/updates/v1/fullromdownload.php?d=chiron_global&b=F&r=global&n= to download the beta China ROM. If you use it like that, the link does not work, but if you add Referer: http://en.miui.com/ the PHP script sends you a response with the link to the .tgz

Maybe we need to search this way; maybe Xiaomi secures its website with the referer
Thanks for that great hint!

The URL for the Chinese ROM download corresponds to the one you posted:
http://update.miui.com/updates/v1/fullromdownload.php?d=chiron&b=F&r=cn&n=

Chrome users: There is a nice little extension called "Referer Control" that can simulate the referer you need ...
See attachment for config example.
 


namasteji1

Could you guys please post a step-by-step guide to get the .tgz links, as you mentioned above, with the Chrome extension? I can't seem to get the URL of the .tgz; the same web address is displayed when querying it.
 

raupe

Hi @namasteji1,

I'm sorry, but I don't have the resources to write out all those steps because they depend on what you'd like to download :-/
I don't want to offend you, but you also need some basic knowledge about internet protocols and how to use them to understand what a referer is and how/why to handle them.

Maybe some other skilled forum member would like to/could step in here.
 

RGarridi

Hello! There is a new Mi A1 unreleased version: 8.5.21. Can anyone tell me the link? I have already tried what's in these posts, but I couldn't catch the link. Thank you!
 

palexis06

I hope I found a new way ;)

But I need help: when the phone asks the Mi server for a new ROM, it sends a request to http://updates.miui.com/updates/miotaV3.php with this string for my phone: q=RMnOGd%2Be0NNG2DwH7PkO1Wsudgf7Ss0CgFCRv5iTrpWO46ODkEI%2FQ9%2B9udjXENxgdcpwRKYiiGJW6Ov39q2eOUZtP%2BhwvQ4daM2Jd0wxBkWSuNYVfRIsZZMJyaPAtxnWP6whLNUi1DE%2F3zm%2BNX947TAAwJ%2BwisR031Am8nJDsHNv%2F22dtzK3XRJNCF9j2zhdriYDs5lIfV2R1CLKN6mlBKZ8%2Br8nROK5oXd1ji%2FW%2BdsY%2BsxSoaMyR221oMQYwg%2Flxw8nUX1ZQqyBd1Qtipr7L9QKPJYnwEnyVZqw3qG6nVI%3D&t=&s=1

But I don't understand this. Can somebody decode this?

Thanks
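
Added example, not part of the thread or any poster's code: the `q=...&t=&s=1` bodies quoted above are form-encoded, so the first step in examining one is to undo the percent-encoding and the base64 layer and look at the raw ciphertext. The sample bytes are constructed, `inspect_ota_body` is a hypothetical name, and the 16-byte block size is an assumption (the thread names a 16-character key but not the cipher).

```python
import base64
import binascii
from urllib.parse import parse_qs, quote_plus

BLOCK = 16  # assumption: 16-byte cipher blocks; the thread never names the cipher


def inspect_ota_body(captured):
    """Peel the transport encoding off a captured body or a bare q value."""
    if captured.startswith("q="):
        # parse_qs undoes percent-encoding (%2B -> '+', %2F -> '/', %3D -> '=').
        parsed = parse_qs(captured, keep_blank_values=True)
        fields = {name: values[0] for name, values in parsed.items()}
    else:
        # A bare base64 string, like the value in the first post.
        fields = {"q": captured.strip()}
    # Form decoding turns a literal '+' into a space. Base64 never contains
    # spaces, so mapping them back repairs a body pasted without encoding.
    q = fields["q"].replace(" ", "+")
    try:
        blob = base64.b64decode(q, validate=True)
    except binascii.Error as exc:
        raise ValueError("q is not valid base64 after form decoding: %s" % exc)
    return {
        "t": fields.get("t"),
        "s": fields.get("s"),
        "ciphertext": blob,
        "block_aligned": len(blob) % BLOCK == 0,
    }


# Constructed sample, not captured traffic: 48 bytes whose base64 is all '+' and '/'.
SAMPLE = (b"\xfb\xef\xbe" + b"\xff\xff\xff") * 8
SAMPLE_BODY = "q=" + quote_plus(base64.b64encode(SAMPLE).decode()) + "&t=&s=1"

if __name__ == "__main__":
    info = inspect_ota_body(SAMPLE_BODY)
    print(len(info["ciphertext"]), "bytes, block aligned:", info["block_aligned"])
```

A ciphertext length that is not a multiple of the block size, or a base64 error, usually means the value was truncated or decoded twice on the way from the capture tool.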