Bypass bootloader lock of Redmi 5A (riva) without permission from Xiaomi.


xaacnz

Member
Apr 2, 2018
9
32
Recently I have reverse engineered aboot (emmc_appsboot.mbn) from the ROM riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn ( en.miui.com/thread-1026306-1-1.html ) (because this is my first post and I don't have permission to post outside links, you have to add http to those URLs), and discovered a way to bypass the bootloader lock by using several bugs in Xiaomi's customized aboot.
Xiaomi's aboot is based on Qualcomm's Little Kernel, which is open source and can be downloaded at source.codeaurora.org/quic/le/kernel/lk/ , so I will use the function names from those source files in the discussion below even though some of those functions have been modified by Xiaomi.
The relevant function to verify and boot Linux is boot_linux_from_mmc, so I'll start from there:

boot_linux_from_mmc: call boot_verifier_init()
    boot_verifier_init: set device state to GREEN
boot_linux_from_mmc: call verify_signed_bootimg()
    verify_signed_bootimg: call boot_verify_image()
        boot_verify_image: call read_der_message_length() to get the length of the signature
        boot_verify_image: if the length of the signature is too large, boot_verify_image returns false to indicate verification failure
        boot_verify_image: otherwise call and return the verification result of verify_image_with_sig (inlined)
            verify_image_with_sig: set device state to RED if the image is not signed by Xiaomi
    verify_signed_bootimg: call splash_screen_mmc() to show "The system has been destroyed" if verification failed
    verify_signed_bootimg: shut down the device if splash_screen_mmc() succeeds, otherwise continue booting
boot_linux_from_mmc: call send_rot_command()
    send_rot_command: check the device state; if it's YELLOW or RED, boot will fail because it tries to read the embedded cert, which is not initialized by Xiaomi

To successfully bypass the bootloader lock we need to:
1. make sure the device state is GREEN so that send_rot_command won't fail. This can be achieved by making read_der_message_length return a large value so that verify_image_with_sig is never called.
One way to do this is to append[NOTE1] the image with a large length encoded in DER (e.g. 0x30, 0x83, 0x19, 0x89, 0x64)
2. make sure splash_screen_mmc() fails so that the boot process can continue.
This can be achieved by changing the magic number in the header of the splash partition from "SPLASH!!" to any other value (e.g. "19890604")

Steps to bypass:
0 note that all these steps can be done offline, so no information will be sent to Xiaomi or anyone
0 in this tutorial I'll demonstrate how to use the twrp recovery with a locked bootloader
1 use the test point to enter EDL mode (will void your warranty!!!)
2 unzip MiFlash; you should see QSaharaServer.exe and fh_loader.exe
3 create a sub folder called "tmp"
4 extract prog_emmc_firehose_8917_ddr.mbn & rawprogram0.xml & splash.img from riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn and put them into "tmp"
5 append a 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64 to twrp-3.2.1-0-riva.img, then put the resulting file into "tmp" and rename it to "recovery.img"
6 change the first 8 bytes of splash.img to "19890604"
7 create "hack_splash.xml" inside "tmp", then copy & paste the relevant section from rawprogram0.xml into "hack_splash.xml"; the resulting file should look like this:
Code:
<?xml version="1.0" ?>
<data>
 <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="splash.img" label="splash" num_partition_sectors="40960" physical_partition_number="0" size_in_KB="20480.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360" />
</data>
8 create "twrp.xml" inside "tmp", then copy & paste the relevant recovery section from rawprogram0.xml into "twrp.xml"; the resulting file should look like this:
Code:
<?xml version="1.0" ?>
<data>
 <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x1c200000" start_sector="921600" />
</data>
9 run "QSaharaServer.exe -p \\.\COM10 -s 13:prog_emmc_firehose_8917_ddr.mbn -b tmp" to initialize firehose (replace COM10 with the COM port of your phone, the same as below)
10 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=hack_splash.xml" to flash the modified splash
11 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=twrp.xml" to flash the twrp recovery
12 done

If you want to flash a custom ROM, you just need to append[NOTE1] boot.img

NOTE1: appending should work in most cases, but not always. The correct place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculated from the image header, which is defined as:
Code:
struct boot_img_hdr
{
    unsigned char magic[BOOT_MAGIC_SIZE];
    unsigned kernel_size;  /* size in bytes */
    unsigned kernel_addr;  /* physical load addr */
    unsigned ramdisk_size; /* size in bytes */
    unsigned ramdisk_addr; /* physical load addr */
    unsigned second_size;  /* size in bytes */
    unsigned second_addr;  /* physical load addr */
    unsigned tags_addr;    /* physical addr for kernel tags */
    unsigned page_size;    /* flash page size we assume */
    unsigned dt_size;      /* device_tree in bytes */
    unsigned unused;    /* future expansion: should be 0 */
    ....
};
and then calculate:
Code:
        if (hdr->page_size && (hdr->page_size != page_size)) {
                page_size = hdr->page_size;
                page_mask = page_size - 1;
        }
        kernel_actual  = ROUND_TO_PAGE(hdr->kernel_size,  page_mask);
        ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
        second_actual  = ROUND_TO_PAGE(hdr->second_size, page_mask);
        dt_size = hdr->dt_size;
        dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
        imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);
imagesize_actual is the place to write

NOTE2: There may be an easier way to enter EDL considering there are so many bugs (e.g. uninitialized stack variables, buffer overruns, missing bounds checks) in Xiaomi's modifications, but I haven't bothered to check since my goal is achieved.
NOTE3: I suspect other models from Xiaomi may have similar bugs so that the bootloader lock can be bypassed using this method, but I don't have other phones to confirm my belief.
 
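The call trace and NOTE1 above describe two things a reviewer of a boot image can check without a device: where imagesize_actual lands, and whether the DER length stored there is sane. The following is an added example, not code from the post, from Xiaomi's aboot or from the lk source: a standalone C checker that declares the boot_img_hdr fields quoted in NOTE1, computes imagesize_actual with the same ROUND_TO_PAGE arithmetic, reads the DER SEQUENCE length at that offset the way read_der_message_length does (short and long form) and reports whether that length fits inside the bytes that actually follow it. The constructed sample image, the 2048-byte default page size, the SIG_* result codes and all function names are my own assumptions; the exact bound that lk's boot_verify_image applies is not reproduced here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BOOT_MAGIC      "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define ROUND_TO_PAGE(x, y) (((x) + (y)) & (~(y)))

/* Leading fields of the Android boot image header, as in the lk struct quoted in NOTE1. */
struct boot_img_hdr {
    unsigned char magic[BOOT_MAGIC_SIZE];
    uint32_t kernel_size, kernel_addr;
    uint32_t ramdisk_size, ramdisk_addr;
    uint32_t second_size, second_addr;
    uint32_t tags_addr, page_size, dt_size, unused;
};

/* imagesize_actual as boot_linux_from_mmc computes it: one header page plus each
 * component rounded up to a page.  Returns 0 for a header this checker will not trust. */
uint64_t image_size_actual(const struct boot_img_hdr *hdr)
{
    uint64_t page_size = 2048;                    /* assumed default when the header says 0 */
    if (memcmp(hdr->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE) != 0) return 0;
    if (hdr->page_size) page_size = hdr->page_size;
    if (page_size & (page_size - 1)) return 0;    /* ROUND_TO_PAGE needs a power of two */
    uint64_t page_mask = page_size - 1;
    return page_size
         + ROUND_TO_PAGE((uint64_t)hdr->kernel_size,  page_mask)
         + ROUND_TO_PAGE((uint64_t)hdr->ramdisk_size, page_mask)
         + ROUND_TO_PAGE((uint64_t)hdr->second_size,  page_mask)
         + ROUND_TO_PAGE((uint64_t)hdr->dt_size,      page_mask);
}

/* Total size (tag + length bytes + content) of the DER SEQUENCE at p, or -1 if p does
 * not start a well-formed SEQUENCE header within avail bytes. */
int64_t der_message_length(const uint8_t *p, size_t avail)
{
    if (avail < 2 || p[0] != 0x30) return -1;
    uint8_t b = p[1];
    if (!(b & 0x80)) return 2 + (int64_t)b;       /* short form: the low 7 bits are the length */
    unsigned n = b & 0x7f;                        /* long form: n big-endian length bytes follow */
    if (n == 0 || n > 4 || avail < 2 + (size_t)n) return -1;
    uint64_t len = 0;
    for (unsigned i = 0; i < n; i++) len = (len << 8) | p[2 + i];
    return (int64_t)(2 + n + len);
}

enum sig_check { SIG_OK = 0, SIG_BAD_HEADER = 1, SIG_NO_SEQUENCE = 2, SIG_OVERSIZED = 3 };

/* Defender-side check: the DER length found at imagesize_actual must fit inside the bytes
 * that actually follow it.  A length larger than what remains is the NOTE1 pattern. */
enum sig_check check_signature_block(const uint8_t *img, size_t img_len)
{
    struct boot_img_hdr hdr;
    if (img_len < sizeof hdr) return SIG_BAD_HEADER;
    memcpy(&hdr, img, sizeof hdr);                /* copy out to avoid unaligned reads */
    uint64_t off = image_size_actual(&hdr);
    if (off == 0 || off > img_len) return SIG_BAD_HEADER;
    int64_t sig_len = der_message_length(img + off, img_len - off);
    if (sig_len < 0) return SIG_NO_SEQUENCE;
    if ((uint64_t)sig_len > img_len - off) return SIG_OVERSIZED;
    return SIG_OK;
}

/* Constructed sample image: 4 KiB pages, a 1000-byte kernel and a 5000-byte ramdisk, then
 * one page that starts with the bytes in sig.  Returns the image length, or 0 if it does not fit. */
size_t build_sample_image(uint8_t *buf, size_t cap, const uint8_t *sig, size_t sig_len)
{
    struct boot_img_hdr hdr;
    memset(&hdr, 0, sizeof hdr);
    memcpy(hdr.magic, BOOT_MAGIC, BOOT_MAGIC_SIZE);
    hdr.page_size = 4096;
    hdr.kernel_size = 1000;
    hdr.ramdisk_size = 5000;
    size_t body = (size_t)image_size_actual(&hdr); /* 4096 + 4096 + 8192 = 16384 */
    size_t total = body + 4096;
    if (total > cap || sig_len > 4096) return 0;
    memset(buf, 0, total);
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + body, sig, sig_len);
    return total;
}

/* Runs the checker over a sample image whose trailing block starts with sig. */
int check_sample(const uint8_t *sig, size_t sig_len)
{
    static uint8_t img[20480];
    size_t n = build_sample_image(img, sizeof img, sig, sig_len);
    return n ? (int)check_signature_block(img, n) : -1;
}

int main(void)
{
    const uint8_t normal[] = { 0x30, 0x82, 0x01, 0x00 };        /* SEQUENCE of 256 bytes: 260 in total */
    const uint8_t huge[]   = { 0x30, 0x83, 0x19, 0x89, 0x64 };  /* the 0x198964-byte length from the post */
    printf("normal signature block -> %d (0 = SIG_OK)\n", check_sample(normal, sizeof normal));
    printf("oversized DER length   -> %d (3 = SIG_OVERSIZED)\n", check_sample(huge, sizeof huge));
    return 0;
}
```

Against a real image the same call would be made on the whole file read into memory; the point of the check is that an encoded length which cannot possibly fit in the remaining bytes is a structural defect the verifier should refuse rather than treat as "signature too large, skip the signature check".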

xaacnz

Member
Apr 2, 2018
9
32
Did you mean: source.codeaurora.org/quic/le/kernel/lk

Yes, they must have removed the original URL.
Code:
debian@debian:~/lk$ git remote show origin | head
* remote origin
  Fetch URL: https://source.codeaurora.org/kernel/lk/
  Push  URL: https://source.codeaurora.org/kernel/lk/
  HEAD branch (remote HEAD is ambiguous, may be one of the following):
    aosp/master
    github-kernel_lk/aosp/master
  Remote branches:
    APSS.FSM.3.0                                                    tracked
    APSS.FSM.3.0.r5.1.1                                             tracked
    APSS.FSM.3.0.r6                                                 tracked
 

utumno00

Member
Apr 28, 2018
7
0
Thank you for the method.

I tried it and flashed TWRP only, but when I use it to flash custom ROMs, the device won't boot. It shows a picture of a penguin for a millisecond and then goes off.
Any ideas??

Thanks

Recently I have reverse engineered aboot....
If you want to flash a custom ROM, you just need to append[NOTE1] boot.img
NOTE1: appending should work in most cases, but not always. The correct place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculated from the image header, which is defined as: ...
 

xaacnz

Member
Apr 2, 2018
9
32
You need to patch the boot.img inside those ROMs by appending a 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64

Thank you for the method.

I tried it and flashed TWRP only, but when I use it to flash custom ROMs, the device won't boot. It shows a picture of a penguin for a millisecond and then goes off.
Any ideas??

Thanks
 

xaacnz

Member
Apr 2, 2018
9
32
Let's say you want to flash https://xdaforums.com/android/development/rom-crdroid-v3-8-5-redmi-5a-t3752066
1 download crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
2 extract boot.img from crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
3 patch the extracted boot.img just like you did with twrp-3.2.1-0-riva.img
4 put the patched boot.img back into crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
5 flash the modified crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip

I am amazed and I don't know how to tell you how much I thank you. Can you help me? I patch and I flash what?
 

utumno00

Member
Apr 28, 2018
7
0
Success!!

I tried with Viper ROM though, as it was the one I had already downloaded.
Is the crDroid the one that you suggest?
Have you tried the Oreo one?

I want to thank you one more time for the help.

Greetings from Greece and Colombia.

Let's say you want to flash https://xdaforums.com/android/development/rom-crdroid-v3-8-5-redmi-5a-t3752066
1 download crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
2 extract boot.img from crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
3 patch the extracted boot.img just like you did with twrp-3.2.1-0-riva.img
4 put the patched boot.img back into crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
5 flash the modified crDroidAndroid-7.1.2-20180218-riva-v3.8.5.zip
 

xaacnz

Member
Apr 2, 2018
9
32
I'm glad I was able to help.
I have used neither of them, so I can't speak for them.
Currently, I'm using a custom-built ROM based on LineageOS 15.1

Success!!

I tried with Viper ROM though, as it was the one I had already downloaded.
Is the crDroid the one that you suggest?
Have you tried the Oreo one?

I want to thank you one more time for the help.

Greetings from Greece and Colombia.
 

SkandaH

XDA Portal Supporter
Jun 8, 2013
1,035
2,667
Xiaomi Poco F1
OnePlus 7T
@xaacnz

That's a very informative post :good:

Perhaps you can dump the firmware related partitions before and after unlocking the bootloader 'officially', so that it can be easier for us to find (possible) ways to unlock (not bypass) devices based on Xiaomi's implementation of Qualcomm LK.

I'm tagging @osm0sis to take part in the discussion.
 

xaacnz

Member
Apr 2, 2018
9
32
@xaacnz

That's a very informative post :good:

Perhaps you can dump the firmware related partitions before and after unlocking the bootloader 'officially', so that it can be easier for us to find (possible) ways to unlock (not bypass) devices based on Xiaomi's implementation of Qualcomm LK.

I'm tagging @osm0sis to take part in the discussion.

All stages of the bootloader except the PBL can be found in the fastboot ROM, and the PBL can be obtained by using the test point: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/

The 'official' unlocking process is:
1 submit the cpuid, which is eFused in the SoC, to Xiaomi.
2 Xiaomi signs the cpuid with its private RSA key.
3 write the signature to the 'devinfo' partition at offset 0xE4.

The verification process is:
1 read the signature from the 'devinfo' partition.
2 verify it using the public key embedded in aboot.
3 decode the verification result as base64.
4 compare the decoded value with the cpuid read from the SoC; the bootloader is unlocked if they are the same.

There are some bugs in the verification process:
1 the signature is padded using PKCS #1 v1.5, but the verification process doesn't check the plaintext size, thus any plaintext that starts with the desired prefix will unlock the bootloader, effectively reducing the complexity of brute force.
2 any value outside base64's 64-character table is treated as 'A'; this reduces brute-force complexity further.
3 base64 decoding will not terminate until '=' is encountered; this creates an opportunity for buffer overrun, though the input (the RSA verification result) is hard to control.
4 base64 decoding is skipped if the first byte of the PKCS #1 v1.5 payload is zero, resulting in a comparison of an uninitialized stack value with the cpuid, which may be exploitable to unlock the phone.

I'm shocked that one can write so many bugs in such a short function.
 
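The four bugs listed in the reply above each correspond to a check that a correct unlock-token verifier has to perform. The following is an added example, not code from the post or from Xiaomi's or Qualcomm's aboot: a C sketch of the hardened version of that check, modelling only the steps after the RSA operation (the recovered plaintext EM is passed in directly; no RSA is performed here). It does strict PKCS #1 v1.5 type-1 unpadding, decodes base64 with a decoder that rejects non-alphabet bytes and stops at the input length instead of hunting for '=', requires the decoded length to equal the cpuid length before comparing, and compares in constant time. The 128-byte EM, the 12-byte cpuid value, the base64 test strings and all function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Strict PKCS#1 v1.5 type-1 unpadding: EM must be 00 01 FF...FF (at least 8) 00 T.
 * Copies T into out and returns its length, or -1 on any structural defect. */
int pkcs1_v15_unpad(const uint8_t *em, size_t em_len, uint8_t *out, size_t out_cap)
{
    size_t i = 2;
    if (em_len < 11 || em[0] != 0x00 || em[1] != 0x01) return -1;
    while (i < em_len && em[i] == 0xFF) i++;
    if (i < 10 || i >= em_len || em[i] != 0x00) return -1;   /* short padding or no separator */
    i++;
    size_t t_len = em_len - i;
    if (t_len == 0 || t_len > out_cap) return -1;
    memcpy(out, em + i, t_len);
    return (int)t_len;
}

/* Strict base64 decode bounded by in_len: a byte outside the alphabet is an error rather
 * than 'A' (bug 2), the loop ends at in_len rather than at the first '=' (bug 3), and
 * nothing is written past out_cap.  Returns the decoded length or -1. */
int base64_decode_strict(const char *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t n = 0, pad = 0;
    uint32_t acc = 0;
    int bits = 0;
    if (in_len == 0 || in_len % 4 != 0) return -1;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '=') {                         /* '=' only as the last one or two characters */
            if (i + 2 < in_len) return -1;
            pad++;
            continue;
        }
        const char *q = in[i] ? strchr(B64, in[i]) : NULL;
        if (pad || !q) return -1;                   /* data after '=', or a non-alphabet byte */
        acc = (acc << 6) | (uint32_t)(q - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;
            out[n++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (int)n;
}

/* Given the RSA-recovered plaintext (EM) of an unlock token, return 1 only if it unpads
 * cleanly and decodes to exactly cpuid: same length (bug 1) and, compared in constant
 * time, the same bytes. */
int unlock_token_matches(const uint8_t *em, size_t em_len, const uint8_t *cpuid, size_t cpuid_len)
{
    uint8_t payload[128], decoded[96], diff = 0;
    int p_len = pkcs1_v15_unpad(em, em_len, payload, sizeof payload);
    if (p_len < 0) return 0;
    int d_len = base64_decode_strict((const char *)payload, (size_t)p_len, decoded, sizeof decoded);
    if (d_len < 0 || (size_t)d_len != cpuid_len) return 0;
    for (size_t i = 0; i < cpuid_len; i++) diff |= decoded[i] ^ cpuid[i];
    return diff == 0;
}

/* Constructed test vector: a 128-byte EM (the size of a 1024-bit RSA block) around payload.
 * Returns 0 if the payload leaves no room for the 8-byte minimum of padding. */
size_t build_em(const char *payload, uint8_t *em, size_t em_len)
{
    size_t p_len = strlen(payload);
    if (em_len < p_len + 11) return 0;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, em_len - 3 - p_len);
    em[em_len - 1 - p_len] = 0x00;
    memcpy(em + em_len - p_len, payload, p_len);
    return em_len;
}

/* Runs one base64 payload through the whole check against a constructed 12-byte id. */
int token_check(const char *payload)
{
    static const uint8_t cpuid[] = "0123456789ab";  /* constructed id, not a real eFuse value */
    uint8_t em[128];
    if (!build_em(payload, em, sizeof em)) return -1;
    return unlock_token_matches(em, sizeof em, cpuid, 12);
}

/* Decodes s into scratch space and returns the length (or -1), for spot checks. */
int decoded_length(const char *s)
{
    uint8_t buf[96];
    return base64_decode_strict(s, strlen(s), buf, sizeof buf);
}

int main(void)
{
    printf("exact token        -> %d\n", token_check("MDEyMzQ1Njc4OWFi"));      /* base64("0123456789ab") */
    printf("prefix plus extra  -> %d\n", token_check("MDEyMzQ1Njc4OWFiQUFB"));  /* bug 1 would accept this */
    printf("non-alphabet byte  -> %d\n", token_check("MDEyMzQ1Njc4OW!i"));      /* bug 2 would read '!' as 'A' */
    return 0;
}
```

The length check before the byte compare is what removes the "any plaintext with the right prefix" class entirely, and bounding the decoder by the unpadded length is what removes the buffer-overrun opportunity; bug 4 (the skipped decode on a leading zero byte) does not arise because the unpadding step rejects any EM that does not have exactly one separator followed by a non-empty payload.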

LordShenron

Senior Member
Apr 21, 2018
191
330
New delhi
Asus ZenFone Max Pro M1
I'm glad I was able to help.
I have used neither of them, so I can't speak for them.
Currently, I'm using a custom-built ROM based on LineageOS 15.1
Bro! We have been using the build you uploaded on Android File Host on May 16, 2018. The build you uploaded has all bugs fixed in LineageOS 15.1. Some developers of the Redmi 5A (riva) have been trying to contact you. They need the source of your ROM and the kernel you uploaded on 16 May. Please reply.
 

33bca

Recognized Developer
Jun 5, 2013
948
3,928
Basel
OnePlus 8 Pro
OPPO Find X5 Pro
I'm glad I was able to help.
I have used neither of them, so I can't speak for them.
Currently, I'm using a custom-built ROM based on LineageOS 15.1

Would you mind sharing the device and kernel sources you are using? We all have issues with audio that are related to the kernel.
It would be great for development on the Redmi 5A in general if you could share your sources with the community.

If you don't want to share them for any reason, you could maybe help us fix the speaker bug in our sources: https://github.com/redmidevs/android_kernel_xiaomi_msm8917
 

xaacnz

Member
Apr 2, 2018
9
32
Can you share your own ROM based on LOS 15.1? Please :)
Bro! We have been using the build you uploaded on Android File Host on May 16, 2018. The build you uploaded has all bugs fixed in LineageOS 15.1. Some developers of the Redmi 5A (riva) have been trying to contact you. They need the source of your ROM and the kernel you uploaded on 16 May. Please reply.
Would you mind sharing the device and kernel sources you are using? We all have issues with audio that are related to the kernel.
It would be great for development on the Redmi 5A in general if you could share your sources with the community.

If you don't want to share them for any reason, you could maybe help us fix the speaker bug in our sources: https://github.com/redmidevs/android_kernel_xiaomi_msm8917

Here it is: lineage-15.1-20180515-UNOFFICIAL-riva.zip
Kernel source: https://github.com/xaacnz/android_kernel_xiaomi_msm8917

I tried to post this ROM on https://xdaforums.com/xiaomi-redmi-5a/development , but my account doesn't have permission to do that, so I have to post it here in case anyone is interested.
 

LordShenron

Senior Member
Apr 21, 2018
191
330
New delhi
Asus ZenFone Max Pro M1

SaiFeRr

New member
Aug 9, 2009
2
1
5 append a 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64 to twrp-3.2.1-0-riva.img, then put the resulting file into "tmp" and rename it to "recovery.img"

If you want to flash a custom ROM, you just need to append[NOTE1] boot.img

NOTE1: appending should work in most cases, but not always. The correct place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculated from the image header, which is defined as:
Code:
struct boot_img_hdr
{
    unsigned char magic[BOOT_MAGIC_SIZE];
    unsigned kernel_size;  /* size in bytes */
    unsigned kernel_addr;  /* physical load addr */
    unsigned ramdisk_size; /* size in bytes */
    unsigned ramdisk_addr; /* physical load addr */
    unsigned second_size;  /* size in bytes */
    unsigned second_addr;  /* physical load addr */
    unsigned tags_addr;    /* physical addr for kernel tags */
    unsigned page_size;    /* flash page size we assume */
    unsigned dt_size;      /* device_tree in bytes */
    unsigned unused;    /* future expansion: should be 0 */
    ....
};
and then calculate:
Code:
        if (hdr->page_size && (hdr->page_size != page_size)) {
                page_size = hdr->page_size;
                page_mask = page_size - 1;
        }
        kernel_actual  = ROUND_TO_PAGE(hdr->kernel_size,  page_mask);
        ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
        second_actual  = ROUND_TO_PAGE(hdr->second_size, page_mask);
        dt_size = hdr->dt_size;
        dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
        imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);
imagesize_actual is the place to write

NOTE2: There may be an easier way to enter EDL considering there are so many bugs (e.g. uninitialized stack variables, buffer overruns, missing bounds checks) in Xiaomi's modifications, but I haven't bothered to check since my goal is achieved.
NOTE3: I suspect other models from Xiaomi may have similar bugs so that the bootloader lock can be bypassed using this method, but I don't have other phones to confirm my belief.

Hello!

I am not very familiar with programming or ROM development.
Could you please explain NOTE1 a bit more specifically: how do I append the 4K block?
I don't quite understand where I should add it. At the beginning of the image, at the end, or at a specific place in that file?
And does a 4k block mean 4 kilobytes? Like 4096 bytes?
And if I need to flash a custom ROM, should I change something in the xml files too? Or will just appending be sufficient?
Please help, I need to flash that Riva finally!
 

Top Liked Posts

Modified files.

I am not responsible for any kind of damage that happens to your device.
For QSaharaServer and fh_loader, download MiFlash and extract it. You will get the files from there.
prog emmc firehose - https://drive.google.com/open?id=1p9FInJS6mlbj5RvCzXRBgdX1Sn9WcEnM

Recovery (twrp 3.2.3) - https://drive.google.com/open?id=1KMQ60TsR1HanJtW-ljlJ63tTK0aC1uSO

Splash (from miui 8.5) - https://drive.google.com/open?id=1RaaRVmgIa2KM-rPkvSTwyq_ROKHK8oLl

Now don't ask me to upload the files anymore.

Attachments: hack_splash.xml, twrp.xml

Can I flash the latest MIUI global stable recovery ROM by appending the 4k block to the boot.img of the MIUI recovery ROM? Will it work?

No, it will reset the splash and will also replace TWRP. Use a firmware-less ROM or the xiaomi.eu ROM. If recovery is not wiped then, due to dm-verity, you need to flash lazyflasher too, which will brick your device, and there is no other way to disable dm-verity. Better to unlock first.