Bypass bootloader lock of Redmi 5A(riva) without permission from xiaomi.

[boyrobbie]

Here it is: lineage-15.1-20180515-UNOFFICIAL-riva.zip
Kernel source: https://github.com/xaacnz/android_kernel_xiaomi_msm8917

I tried to post this ROM on https://xdaforums.com/xiaomi-redmi-5a/development , but my account don't have permission to do that, so I have to post it here in case anyone is interested.

Thank you so much, im facing a few bugs :
- Can't install magisk (cannot mount /vendor)
- Screen recorder laggy, sometimes can't record
- Audio have some noise on the first launch
- GPS config must be manually write out

 

[jasonhelene]

Can someone please create a tool that unlocks xiaomi redmi 5a? or something? because man their new unlock system is totally bad and i cant unlock mine no matter what.

 

[Ripper1412]

Need a video guide •-•

Can you make a video guide? I am not a dev and cuz of that I've no idea where I've to put these commands to use :')

 

[yeutaodi]

you need file UNBL redmi 5a riva . You can share for me ?

 

[lz4]

Good day!
Thanks for your job. Please tell what recovery you use? How you flash it? A have a problem phone with locked b.loader and bloked miacc.

 

[glasseffects]

To the developer, please offer us some assitance with unlocking bootloader of Redmi 5A. If its possible to post a tutorial or a video, it would be a great help!

Thanks for sharing.

 

[ash_pipaliya]

Can you make modded emmc_appsboot.mbn like in redmi note 3 like this ?
???????????????
http://en.miui.com/thread-253680-1-1.html
Bcoz I can not unlock my redmi 5A (86012 while account bind)

 

[dakocha]

Append where? At the end of the file?? Because it didn't work. It maybe because I'm on MIUI 9.5?? Please update the post with some relevant answers.

P.S I'd be really glad if you uploaded MIUI 8.5 files (aboot and boot)

TIA

 

[ArbaniZain]

NOTE1: append should work in most case, but not always. the corrected place to write

still i cant understand man, do you mean editing pagesize from 2048 to 13072 or how ?
please reply

 

[ArbaniZain]

bypass bootloader redmi 5a

Did you meant: source.codeaurora.org/quic/le/kernel/lk

bro , have you done with this ? please teach me

 

[abdihaikal]

bro , have you done with this ? please teach me

I hope and i'm sure you have time to learn about low-level programming language.
So we can discuss more deeply about this

 

[ArbaniZain]

I hope and i'm sure you have time to learn about low-level programming language.
So we can discuss more deeply about this

Okay bro, but atleast, what should i do and how please tell me

 

[SileneliS]

Unsuccessful

Hi there.
First, thank you xaacnz for sharing the reverse engineering process. Very interesting !

There is a tiny typo, this command requires a backslash at the end :

QSaharaServer.exe -p \\.\COM10 -s 13:prog_emmc_firehose_8917_ddr.mbn -b tmp[B]\[/B]

All steps went without any error, flashing via edl seems to work:

23:48:21: INFO: ==============================================================
23:48:21: INFO: Files used and their paths
23:48:21: INFO:   1 'C:\...\port_trace.txt'
23:48:21: INFO:   2 'C:\...\twrp.xml'
23:48:21: INFO:   3 'C:\...\recovery.img'

23:48:21: INFO:      _             (done)
23:48:21: INFO:     | |
23:48:21: INFO:   __| | ___  _ __   ___
23:48:21: INFO:  / _` |/ _ \| '_ \ / _ \
23:48:21: INFO: | (_| | (_) | | | |  __/
23:48:21: INFO:  \__,_|\___/|_| |_|\___|
23:48:21: INFO: {All Finished Successfully}

23:48:21: INFO: Overall to target  2.324 seconds (14.53 MBps)

btw, you are 10 years younger than me, from the date you put into the spashscreen first bytes

But when starting in recovery mode, the phone is stuck with the penguin splash image.
An "adb reboot recovery" sends it into MI-recovery tool, not twrp.

As I get penguin splash screen, I guess splash screen modification is OK.
Maybe I did something wrong with the twrp image ?
I added 4096 bytes to twrp-3.2.1-0-riva.img , beginning with 0x30, 0x83, 0x19, 0x89, 0x64, and then only 0x00. Resulting in a 35,409,920 bytes file (still a multiple a 4096 bytes).

Here are my files (temporary 30 days links)
twrp: dl.free.fr/j5bfYspMC
splash: dl.free.fr/q1bYPAEoU

Any help to figure out what is wrong with these files is welcome !

Note: my redmi 5a is brand new. Maybe Xiaomi fixed some bugs into aboot ?

 

[r6680jc]

Recently I have reverse engineered aboot (emmc_appsboot.mbn) from ROM riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn ( en.miui.com/thread-1026306-1-1.html )(because this is my first post and I don't have permission to post outside link, you have to add http in those url), and discovered a way to bypass bootloader lock by using several bugs in Xiaomi customized aboot.
Xiaomi's aboot is based on Qualcomm's little kernel which is open sourced and can be download at source.codeaurora.org/quic/le/kernel/lk/ , so I will use function name inside those source file in discussion below even though some of those function have been modified by Xiaomi.
Relevant function to verify and boot linux is boot_linux_from_mmc, so I'll start from here:

boot_linux_from_mmc: call boot_verifier_init()

boot_verifier_init: set device state to GREEN​

boot_linux_from_mmc: call verify_signed_bootimg()

verify_signed_bootimg: call boot_verify_image()

boot_verify_image: call read_der_message_length() to get length of signature
boot_verify_image: if length of signature is too large, then boot_verify_image will return false to indicate verification failure
boot_verify_image: otherwise call and return verification result of verify_image_with_sig(inlined)

verify_image_with_sig: set device state to RED if image is not signed by Xiaomi.​

verify_signed_bootimg: call splash_screen_mmc() to show "The system has been destroyed" if verification failed
verify_signed_bootimg: shoudown device if splash_screen_mmc() succeed, otherwise continue boot​

boot_linux_from_mmc: call send_rot_command()

send_rot_command: check device state, if it's YELLOW or RED, than boot will failed because it try to read embedded cert which is not initialized by Xiaomi​

To successfully bypass bootloader lock we need:
1. make sure device state is GREEN so that send_rot_command won't failed, this can be achieved by making read_der_message_length return a large value to avoid calling verify_image_with_sig.
one way to do this is to append[NOTE1] image with a large length encoded in der (eg. 0x30, 0x83, 0x19, 0x89, 0x64)
2. make sure splash_screen_mmc() failed so that booting process can be continued.
this can be achieved by change the magic number in the header of splash partition from "SPLASH!!" to any other value (eg. "19890604")

Steps to bypass:
0 note that all those steps can be done offline, so no information will send to Xiaomi or anyone
0 in this tutorial I'll demonstrate how to use twrp recovery with locked bootloader
1 using test point to enter EDL mode(will void your warranty!!!)
2 unzip MiFlash, you should see QSaharaServer.exe and fh_loader.exe
3 create a sub folder called "tmp"
4 extract prog_emmc_firehose_8917_ddr.mbn & rawprogram0.xml & splash.img from riva_images_V8.5.7.0.NCKCNED_20171025.0000.00_7.1_cn and put them into "tmp"
5 append a 4k block which begins with 0x30, 0x83, 0x19, 0x89, 0x64 to twrp-3.2.1-0-riva.img then put the resulting file to "tmp" and rename it to "recovery.img"
6 change the first 8 byte in splash.img to "19890604"
7 create "hack_splash.xml" inside "tmp", then copy&paste relevant section from rawprogram0.xml to "hack_splash.xml", the resulting file should look like this:

<?xml version="1.0" ?>
<data>
 <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="splash.img" label="splash" num_partition_sectors="40960" physical_partition_number="0" size_in_KB="20480.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360" />
</data>

8 create "twrp.xml" inside "tmp", then copy&paste relevant recovery section from rawprogram0.xml to "twrp.xml", the resulting file should look like this:

<?xml version="1.0" ?>
<data>
 <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x1c200000" start_sector="921600" />
</data>

9 run "QSaharaServer.exe -p \\.\COM10 -s 13rog_emmc_firehose_8917_ddr.mbn -b tmp" to initialize firehose. (replace COM10 with the COM port of you phone, the same as below)
10 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=hack_splash.xml" to flash modified splash
11 run "fh_loader.exe --search_path=tmp --port=\\.\COM10 --sendxml=twrp.xml" to flash twrp recovery
12 done

If you want flash custom ROM, you just need to append[NOTE1] boot.img

NOTE1: append should work in most case, but not always. the corrected place to write 0x30, 0x83, 0x19, 0x89, 0x64 is calculate from image header, it's defined as:

struct boot_img_hdr
{
    unsigned char magic[BOOT_MAGIC_SIZE];
    unsigned kernel_size;  /* size in bytes */
    unsigned kernel_addr;  /* physical load addr */
    unsigned ramdisk_size; /* size in bytes */
    unsigned ramdisk_addr; /* physical load addr */
    unsigned second_size;  /* size in bytes */
    unsigned second_addr;  /* physical load addr */
    unsigned tags_addr;    /* physical addr for kernel tags */
    unsigned page_size;    /* flash page size we assume */
    unsigned dt_size;      /* device_tree in bytes */
    unsigned unused;    /* future expansion: should be 0 */
    ....
};

and then calculate:

        if (hdr->page_size && (hdr->page_size != page_size)) {
                page_size = hdr->page_size;
                page_mask = page_size - 1;
        }
        kernel_actual  = ROUND_TO_PAGE(hdr->kernel_size,  page_mask);
        ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
        second_actual  = ROUND_TO_PAGE(hdr->second_size, page_mask);
        dt_size = hdr->dt_size;
        dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
        imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);

imagesize_actual is the place to write

NOTE2: There may be a easier way to enter EDL considering there are so many bug(eg. uninitialized stack variable, buffer overrun, missing bound check) in Xiaomi's modification, but I haven't bothered to check since my goal is achieved.
NOTE3: I suspect other model from Xiaomi may have similar bugs that bootloader lock can be bypassed using this method, but I don't have other phones to confirm my belief.

Isn't it possible to just patch/ modify the bootloader itself (emmc_appsboot) to ignore/ skip the check altogether?
Or maybe just get bootloader (emmc_aboot) dump/ backup from an unlocked Redmi 5A then flash it to a locked Redmi 5A to get "instant" bootloader unlock?
EDL mode can be accessed without test point; by using modified USB cable, reboot to EDL from fastboot mode.

 

[SileneliS]

Isn't it possible to just patch/ modify the bootloader itself (emmc_appsboot) to ignore/ skip the check altogether?
Or maybe just get bootloader (emmc_aboot) dump/ backup from an unlocked Redmi 5A then flash it to a locked Redmi 5A to get "instant" bootloader unlock?
EDL mode can be accessed without test point; by using modified USB cable, reboot to EDL from fastboot mode.

I guess aboot is write protected one way or another, even from EDL ?
Copying stuff from an unlock phone would not help : When Xiaomi unlock bootloader, they sign the *unique* phone identifier fused in the chip with their private key. Each signature is specific to one phone and won't work for any other.

I am so disappointed not being able to unlock this phone: I "get a error[-1]:unknown error" with the official unlocker tool immediately after connection (tried 2 accounts, 2 labptops, a bunch of VPN, all guides).
And this exploit does not work for me neither.
I am considering reselling it for a more hackable one.


Note: always the same same issue with the unlocker, connecting is fine, retreiving info from the phone is fine, and then fail to connect to "unlockApi" :

DEBUG  <12:19:01.759,T:9484> : product: riva
finished. total time: 0.002s
DEBUG  <12:19:23.150,T:23428> : check right function start
DEBUG  <12:19:23.155,T:23428> : Begin login unlockApi
ERROR  <12:19:33.171,T:23428> : curl error[56]: Failure when receiving data from the peer
ERROR  <12:19:33.171,T:23428> : Fail to login unlockApi
ERROR  <12:19:33.171,T:14088> : code:-1 error:Couldn't get info[-1:Unknown error]

 

[r6680jc]

I guess aboot is write protected one way or another, even from EDL ?

Aboot isn't really write protected, that's why we can relock Xiaomi phones by flashing official ROMs that contain aboot image file.

Copying stuff from an unlock phone would not help : When Xiaomi unlock bootloader, they sign the *unique* phone identifier fused in the chip with their private key. Each signature is specific to one phone and won't work for any other.

I'm aware of that, with unlocked aboot from other phones or even patched aboot we would also need patched SBL (or is it XBL on Redmi 5A?) so the signature of aboot won't matter.

I am so disappointed not being able to unlock this phone: I "get a error[-1]:unknown error" with the official unlocker tool immediately after connection (tried 2 accounts, 2 labptops, a bunch of VPN, all guides).
And this exploit does not work for me neither.

I haven't try this exploit, but it could possibly be patched on newer MIUI version.

I am considering reselling it for a more hackable one.


Note: always the same same issue with the unlocker, connecting is fine, retreiving info from the phone is fine, and then fail to connect to "unlockApi" :

DEBUG  <12:19:01.759,T:9484> : product: riva
finished. total time: 0.002s
DEBUG  <12:19:23.150,T:23428> : check right function start
DEBUG  <12:19:23.155,T:23428> : Begin login unlockApi
ERROR  <12:19:33.171,T:23428> : curl error[56]: Failure when receiving data from the peer
ERROR  <12:19:33.171,T:23428> : Fail to login unlockApi
ERROR  <12:19:33.171,T:14088> : code:-1 error:Couldn't get info[-1:Unknown error]

So you've waited 360 hours (15 days) and end up cannot unlocking your phone?

I'm still waiting about 280 hours (waiting time got reset because I tried stupid things).

 

[arwazpasha786]

any one videos tutorials for this ...help...i want to unlock my bootloder...without permission....i open back cover for edl ponit

 

[R00f]

it is possible?

 

[adityam0338]

Will this method work with MIUI 10?? Or the latest build?? I cant seem to overcome this error in the MI flash tool "Current Account can not unlock this device." Its so frustating!!! Plz provide some instructions if possible!

 

[gyarados025]

"Current Account can not unlock this device." Its so frustating!!! Plz provide some instructions if possible!

Is ut still on MIUI20 developer rom..? I am stable build , and my mi account cant bide to my device (checkt all the things and find my device show online). MI Unlock tool gives this error at 99%.

Sent from my Moto Z2 Force using XDA Labs