Bypass bootloader lock of Redmi 5A(riva) without permission from xiaomi.


adityam0338

Senior Member
Aug 10, 2018
72
9
Lucknow
Try rebooting the phone and the PC, reinstalling the driver, and also try another PC or an older Windows version.
If it still doesn't work then try a much older EDL ROM.

Thanks a ton! Rolling back to miui 9.5 worked for me. I am using Los 16 at the moment. I can't thank you and @saurabh6377 enough for your help. But yeah I'm very happy and elated at the moment. I am very grateful to @xaacnz as well for finding out this amazing loophole.
 

dengerouz

New member
Oct 17, 2010
4
0
It worked dude! Bypassed and flashed Pixel Experience on Pie!

P.S. Can we do same on other phones? Like redmi 5 (rosy) and so on...
 

sayhitonoob

New member
Dec 28, 2019
1
0
PAID : I want to unlock my old redmi 2s prime device which is 4 digit pin locked

I want to unlock my old redmi 2s prime device which is 4 digit pin locked
I can pay for it too
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,326
gitlab.com
I want to unlock my old redmi 2s prime device which is 4 digit pin locked
I can pay for it too
wrong thread. unlocking the device bootloader is completely not what you want - it will wipe your data.
you can remotely set a temporary screen lock from Find My Device. read here for more information: Help with Data Recovery

btw we don't accept payments for hacking. please don't post here, this thread is not for n00bs. I kindly ask you to open your own thread in the Questions and Answers section
 

ahmadnurkabib

Member
Jan 3, 2015
8
0
Semarang
Modified files.

I am not responsible for any kind of damage that happens to your device.
For qsahara and fhloader, download MiFlash and extract it. You will get the files from there.
prog emmc firehose - https://drive.google.com/open?id=1p9FInJS6mlbj5RvCzXRBgdX1Sn9WcEnM

Recovery (twrp 3.2.3)- https://drive.google.com/open?id=1KMQ60TsR1HanJtW-ljlJ63tTK0aC1uSO

Splash (from miui 8.5)- https://drive.google.com/open?id=1RaaRVmgIa2KM-rPkvSTwyq_ROKHK8oLl

Now don't ask for upload files anymore.

Thanks a lot man, it's working
 

jonny789

Senior Member
Oct 18, 2012
235
21
I just tried the official method explained here today [07-20-2021]. It worked for me without any problem.
I flashed riva_global_images_V10.1.1.0.NCKMIFI_20181029.0000.00_7.1_global_f444c158ed.tgz. Then after completing miui setup, I created new miui account using new phone number. Followed all steps. No account binding errors.
 

Top Liked Posts

  • 21
    Recently I have reverse engineered aboot (emmc_appsboot.mbn) from ROM riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn ( en.miui.com/thread-1026306-1-1.html ) (because this is my first post and I don't have permission to post outside links, you have to add http to those URLs), and discovered a way to bypass the bootloader lock by using several bugs in Xiaomi's customized aboot.
    Xiaomi's aboot is based on Qualcomm's Little Kernel, which is open source and can be downloaded at source.codeaurora.org/quic/le/kernel/lk/ , so I will use the function names from those source files in the discussion below even though some of those functions have been modified by Xiaomi.
    The relevant function to verify and boot Linux is boot_linux_from_mmc, so I'll start from there:

    boot_linux_from_mmc: calls boot_verifier_init()
        boot_verifier_init: sets the device state to GREEN
    boot_linux_from_mmc: calls verify_signed_bootimg()
        verify_signed_bootimg: calls boot_verify_image()
            boot_verify_image: calls read_der_message_length() to get the length of the signature
            boot_verify_image: if the length of the signature is too large, boot_verify_image returns false to indicate verification failure
            boot_verify_image: otherwise calls and returns the verification result of verify_image_with_sig (inlined)
                verify_image_with_sig: sets the device state to RED if the image is not signed by Xiaomi
        verify_signed_bootimg: calls splash_screen_mmc() to show "The system has been destroyed" if verification failed
        verify_signed_bootimg: shuts down the device if splash_screen_mmc() succeeds, otherwise continues booting
    boot_linux_from_mmc: calls send_rot_command()
        send_rot_command: checks the device state; if it's YELLOW or RED then boot fails, because it tries to read the embedded cert, which is not initialized by Xiaomi

    To successfully bypass the bootloader lock we need to:
    1. make sure the device state is GREEN so that send_rot_command won't fail; this can be achieved by making read_der_message_length return a large value, which avoids the call to verify_image_with_sig.
    one way to do this is to append[NOTE1] to the image a large length encoded in DER (e.g. 0x30, 0x83, 0x19, 0x89, 0x64)
    2. make sure splash_screen_mmc() fails so that the booting process continues.
    this can be achieved by changing the magic number in the header of the splash partition from "SPLASH!!" to any other value (e.g. "19890604")

    Steps to bypass:
    0 note that all these steps can be done offline, so no information is sent to Xiaomi or anyone else
    0 in this tutorial I'll demonstrate how to use TWRP recovery with a locked bootloader
    1 use the test point to enter EDL mode (will void your warranty!!!)
    2 unzip MiFlash; you should see QSaharaServer.exe and fh_loader.exe
    3 create a sub folder called "tmp"
    4 extract prog_emmc_firehose_8917_ddr.mbn & rawprogram0.xml & splash.img from riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn and put them into "tmp"
    5 append a 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64 to twrp-3.2.1-0-riva.img, then put the resulting file into "tmp" and rename it to "recovery.img"
    6 change the first 8 bytes of splash.img to "19890604"
    7 create "hack_splash.xml" inside "tmp", then copy & paste the relevant section from rawprogram0.xml into "hack_splash.xml"; the resulting file should look like this:
    Code:
    <?xml version="1.0" ?>
    <data>
     <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="splash.img" label="splash" num_partition_sectors="40960" physical_partition_number="0" size_in_KB="20480.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360" />
    </data>
    8 create "twrp.xml" inside "tmp", then copy & paste the relevant recovery section from rawprogram0.xml into "twrp.xml"; the resulting file should look like this:
    Code:
    <?xml version="1.0" ?>
    <data>
     <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x1c200000" start_sector="921600" />
    </data>
    9 run "QSaharaServer.exe -p \\.\COM10 -s 13:prog_emmc_firehose_8917_ddr.mbn -b tmp" to initialize firehose. (replace COM10 with the COM port of your phone, the same as below)
    10 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=hack_splash.xml" to flash modified splash
    11 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=twrp.xml" to flash twrp recovery
    12 done

    If you want to flash a custom ROM, you just need to append[NOTE1] to boot.img

    NOTE1: appending should work in most cases, but not always. the correct place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculated from the image header, which is defined as:
    Code:
    struct boot_img_hdr
    {
        unsigned char magic[BOOT_MAGIC_SIZE];
        unsigned kernel_size;  /* size in bytes */
        unsigned kernel_addr;  /* physical load addr */
        unsigned ramdisk_size; /* size in bytes */
        unsigned ramdisk_addr; /* physical load addr */
        unsigned second_size;  /* size in bytes */
        unsigned second_addr;  /* physical load addr */
        unsigned tags_addr;    /* physical addr for kernel tags */
        unsigned page_size;    /* flash page size we assume */
        unsigned dt_size;      /* device_tree in bytes */
        unsigned unused;    /* future expansion: should be 0 */
        ....
    };
    and then calculate:
    Code:
            if (hdr->page_size && (hdr->page_size != page_size)) {
                    page_size = hdr->page_size;
                    page_mask = page_size - 1;
            }
            kernel_actual  = ROUND_TO_PAGE(hdr->kernel_size,  page_mask);
            ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
            second_actual  = ROUND_TO_PAGE(hdr->second_size, page_mask);
            dt_size = hdr->dt_size;
            dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
            imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);
    imagesize_actual is the offset to write at

    NOTE2: There may be an easier way to enter EDL considering there are so many bugs (e.g. uninitialized stack variables, buffer overruns, missing bounds checks) in Xiaomi's modifications, but I haven't bothered to check since my goal is achieved.
    NOTE3: I suspect other Xiaomi models may have similar bugs so that the bootloader lock can be bypassed using this method, but I don't have other phones to confirm my belief.
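A check a firmware reviewer can run against a recovery or boot image to see whether the signature-length handling described above fails open. This is an added example, not code from the post or from LK: it models only the length decision (the RSA check itself is out of scope), and MAX_SIG_LEN, the assumed-sane signature cap, and the constructed sample image are assumptions; the header layout and rounding follow the struct and ROUND_TO_PAGE code quoted in NOTE1.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
MAX_SIG_LEN = 8 * 1024   # assumed sane cap for one signature blob; not an LK constant

def round_to_page(n, page_size):
    return (n + page_size - 1) & ~(page_size - 1)   # LK's ROUND_TO_PAGE, mask = size - 1

def signature_offset(img):
    """imagesize_actual: page-aligned end of header + kernel + ramdisk + second + dt."""
    if len(img) < 44 or img[:8] != BOOT_MAGIC:
        raise ValueError("not a boot image")
    (kernel, _, ramdisk, _, second, _, _, page_size,
     dt) = struct.unpack_from("<9I", img, 8)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("bad page_size")
    return page_size + sum(round_to_page(s, page_size)
                           for s in (kernel, ramdisk, second, dt))

def der_message_length(buf):
    """Outer SEQUENCE length -> (header_len, content_len), or None if malformed."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    if buf[1] < 0x80:                 # short form: one length byte
        return 2, buf[1]
    n = buf[1] & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")

def state_as_described(img):
    """As the post describes it: an oversized length skips verify_image_with_sig, so GREEN stays."""
    hdr = der_message_length(img[signature_offset(img):])
    if hdr is None:
        return "RED"              # unsigned/garbage: verify_image_with_sig sets RED
    return "GREEN" if hdr[1] > MAX_SIG_LEN else "VERIFY"   # VERIFY: RSA check runs

def fail_closed_state(img):
    """Hardened decision: anything not a well-formed, in-bounds signature is RED."""
    off = signature_offset(img)
    hdr = der_message_length(img[off:])
    if hdr is None or hdr[1] > MAX_SIG_LEN or off + sum(hdr) > len(img):
        return "RED"
    return "VERIFY"

def sample_image(sig_block, page_size=2048):
    """Constructed test image: 100-byte kernel, 50-byte ramdisk, no second/dt."""
    hdr = BOOT_MAGIC + struct.pack("<9I", 100, 0, 50, 0, 0, 0, 0, page_size, 0)
    pad = lambda b: b + b"\0" * (round_to_page(len(b), page_size) - len(b))
    return pad(hdr) + pad(b"K" * 100) + pad(b"R" * 50) + sig_block
```

The fail-closed variant is what a verifier should do: an unparseable or oversized signature is a verification failure that must move the device state to RED, not a reason to skip the check.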
    7
    Can you share your own ROM based on LOS 15.1? Please :)
    Bro! We have been using the build you uploaded on AndroidFileHost on May 16 2018. The build you uploaded has all bugs fixed in LineageOS 15.1. Some developers of Redmi 5A (riva) have been trying to contact you. They need the source of your ROM and the kernel you uploaded on 16 May. Please reply.
    Would you mind sharing your device and kernel sources which you are using? We all have issues with audio which are related to kernel.
    It would be great for development on Redmi 5A in general if you could share your sources with the community.

    If you don't want to share them for any reason, you could maybe help us fixing the speaker bug on our sources: https://github.com/redmidevs/android_kernel_xiaomi_msm8917

    Here it is: lineage-15.1-20180515-UNOFFICIAL-riva.zip
    Kernel source: https://github.com/xaacnz/android_kernel_xiaomi_msm8917

    I tried to post this ROM on https://xdaforums.com/xiaomi-redmi-5a/development , but my account doesn't have permission to do that, so I have to post it here in case anyone is interested.
    6
    Modified files.

    I am not responsible for any kind of damage that happens to your device.
    For qsahara and fhloader, download MiFlash and extract it. You will get the files from there.
    prog emmc firehose - https://drive.google.com/open?id=1p9FInJS6mlbj5RvCzXRBgdX1Sn9WcEnM

    Recovery (twrp 3.2.3)- https://drive.google.com/open?id=1KMQ60TsR1HanJtW-ljlJ63tTK0aC1uSO

    Splash (from miui 8.5)- https://drive.google.com/open?id=1RaaRVmgIa2KM-rPkvSTwyq_ROKHK8oLl

    Now don't ask for upload files anymore.

    Attachment: hack_splash.xml

    Attachment: twrp.xml
    4
    Can I flash the latest MIUI global stable recovery ROM by
    appending a 4k block to the boot.img of the MIUI recovery ROM? Will it work?

    No, it will reset splash and will also replace TWRP. Use a firmware-less ROM or a xiaomi.eu ROM. If recovery is not wiped then, due to dm-verity, you need to flash lazyflasher too, which will brick your device, and there is no other way to disable dm-verity. Better to unlock first.
    3
    @xaacnz

    That's a very informative post :good:

    Perhaps you can dump the firmware related partitions before and after unlocking the bootloader 'officially', so that it can be easier for us to find (possible) ways to unlock (not bypass) devices based on Xiaomi's implementation of Qualcomm LK.

    I'm tagging @osm0sis to take part in the discussion.

    All stages of bootloader except PBL can be found in fastboot ROM, and PBL can be obtained by using testpoint: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/

    The 'official' unlocking process is:
    1 submit the cpuid, which is eFused in the SoC, to Xiaomi.
    2 Xiaomi signs the cpuid with its private RSA key.
    3 write the signature to the 'devinfo' partition at offset 0xE4.

    The verification process is:
    1 read the signature from the 'devinfo' partition.
    2 verify it using the public key embedded in aboot.
    3 decode the verification result as base64.
    4 compare the decoded value with the cpuid read from the SoC; the bootloader is unlocked if they are the same.

    There are some bugs in verification process:
    1 the signature is padded using PKCS #1 v1.5, but the verification process doesn't check the plaintext size, thus any plaintext that starts with the desired prefix will unlock the bootloader, effectively reducing the complexity of brute force.
    2 any value outside of base64's 64-character table is treated as 'A'; this reduces brute force complexity further.
    3 base64 decoding does not terminate until '=' is encountered; this creates an opportunity for buffer overrun, though the input (the RSA verification result) is hard to control.
    4 base64 decoding is skipped if the first byte of the PKCS #1 v1.5 payload is zero; this results in a comparison of an uninitialized stack value to the cpuid and may be exploitable to unlock the phone.

    I'm shocked that one can write so many bugs in such short function.
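How the devinfo check above looks when each of the four listed bugs is closed, as an added example that is not the post's or aboot's code. It starts from the RSA public-key result em (the RSA operation and the real key are out of scope); CPUID_LEN, the sample cpuid and the sample_em helper are constructed assumptions.

```python
import base64, binascii, hmac

CPUID_LEN = 16          # assumed length of the eFused cpuid compared by aboot
MIN_PS_LEN = 8          # PKCS #1 v1.5 type 1: at least eight 0xFF padding bytes
SAMPLE_CPUID = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
SAMPLE_B64 = base64.b64encode(SAMPLE_CPUID)                         # what gets signed

def unpad_pkcs1_v15(em, k):
    """Strict type-1 unpadding of the RSA result: 00 01 FF..FF 00 payload, exactly k bytes."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x01:
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep - 2 < MIN_PS_LEN or any(b != 0xFF for b in em[2:sep]):
        return None
    return em[sep + 1:]

def decode_cpuid_b64(payload):
    """Strict base64: exact expected length, alphabet-only, valid padding; else None."""
    if len(payload) != len(base64.b64encode(b"\0" * CPUID_LEN)):
        return None                       # bugs 1/3: size is checked, no prefix match
    try:
        raw = base64.b64decode(payload, validate=True)   # bugs 2/4: non-alphabet rejected
    except binascii.Error:
        return None
    return raw if len(raw) == CPUID_LEN else None

def unlock_signature_valid(em, k, cpuid):
    """Fail-closed decision on the recovered RSA plaintext em (modulus length k bytes)."""
    payload = unpad_pkcs1_v15(em, k)
    if payload is None:
        return False
    decoded = decode_cpuid_b64(payload)
    return decoded is not None and hmac.compare_digest(decoded, cpuid)

def sample_em(payload, k):
    """Constructed helper: a well-formed type-1 block around payload (no real RSA involved)."""
    ps_len = k - 3 - len(payload)
    if ps_len < MIN_PS_LEN:
        raise ValueError("payload too long for modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + payload
```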