
hey; have you figured out a way to decipher the encryption?

Open thewisenerd opened this issue 7 years ago • 60 comments

i've tried "debugging" (but it ain't as good as yours); and ended up with the following network calls

   GET https://account.xiaomi.com/pass/serviceLogin?sid=unlockApi&_json=true&passive=true&hidden=false
       ← 200 application/json 311b 346ms
   POST https://account.xiaomi.com/pass/serviceLoginAuth2?_json=true
        ← 200 application/json 958b 685ms
   GET https://unlock.update.miui.com/sts?pwd=1&d=xxx
       ← 200 application/json 17b 1.53s
   GET http://api.account.xiaomi.com/pass/usersCard?ids=584009343
       ← 200 application/json 139b 175ms
   POST https://unlock.update.miui.com/api/v2/nonce
        ← 200 application/json 280b 1.54s
   POST https://unlock.update.miui.com/api/v2/unlock/userinfo
        ← 200 application/json 128b 1.56s
   POST https://unlock.update.miui.com/api/v2/nonce
        ← 200 application/json 280b 1.52s
   POST https://unlock.update.miui.com/api/v1/unlock/device/clear
        ← 200 application/json 152b 1.56s
   POST https://unlock.update.miui.com/api/v2/nonce
        ← 200 application/json 280b 1.53s
>> POST https://unlock.update.miui.com/api/v2/ahaUnlock
        ← 200 application/json 1.04k 1.63s

at this point, you have the <<device>>_sig.data file; (note; i made a small c++ program that acts as fastboot, without actually running any fastboot commands on my device, so that's all the network log i have).

however, any request after the https://unlock.update.miui.com/api/v2/unlock/userinfo call seems to be encrypted using something; in case that can be figured out, maybe the process can be replicated :stuck_out_tongue_winking_eye:

also note; the https://unlock.update.miui.com/sts?pwd= call seems to be just the location field from the previous call https://account.xiaomi.com/pass/serviceLoginAuth2; however, it adds a new field named clientSign which i haven't figured out how to generate yet. random googling led me to the following code fragments; which may or may not be useful;

  • https://searchcode.com/codesearch/view/48806388/
  • http://max.book118.com/html/2015/1123/30011050.shtm
  • http://www.programcreek.com/java-api-examples/index.php?source_dir=icu2-master/app/src/main/java/com/xiaomi/xms/sales/xmsf/miui/utils/CloudCoder.java
  • https://github.com/stevezuoli/OriginApp/blob/64d4bf26cb16f962d01710859e5be79e45a65f70/XiaoMi/XiaoMiSecureRequest.cpp
  • https://github.com/stevezuoli/OriginApp/blob/64d4bf26cb16f962d01710859e5be79e45a65f70/XiaoMi/CloudCoder.cpp (it all seems to be named generateSignature)

(p.s. grr. github messed up my markup. again.)

thewisenerd avatar May 30 '17 00:05 thewisenerd

Hey

Thanks for this! I didn't catch /device/clear nor nonce so it's quite interesting - Do you have any details about the parameters sent during these requests?

I'm particularly interested in nonce, if you know any about that :)

P.S I fixed your markdown a bit :)

I'm getting a _sign param on the serviceLogin, is clientSign the same length?

mc-17 avatar May 30 '17 14:05 mc-17

hmm, yes; clientSign is the same length as the _sign param on serviceLogin. however, the contents are different.

i don't have much more info about nonce but it first seems to be a param in serviceLoginAuth2;

in https://searchcode.com/codesearch/view/48806388/ ; there seems to be the getClientSign method which takes nonce and security as arguments.

here's the mitmdump of all the requests made. it does include my password, but that has been reset, so i guess it's safe. mitmdump file: https://transfer.sh/PT9aU/xiaomi-bl use mitmproxy -r xiaomi-bl to read the flow

thewisenerd avatar May 30 '17 23:05 thewisenerd

I checked Unlock Tool log

DEBUG  <15:05:25.581,T:9620> :  getvar token -s 469171ce0304
DEBUG  <15:05:25.608,T:9620> : token: x5gV+ClLUfwoyMmkrzGpfgAA
finished. total time: 0.001s
DEBUG  <15:05:25.608,T:9620> : -s 469171ce0304 oem device-info
DEBUG  <15:05:25.688,T:9620> : ...
(bootloader) 	Device tampered: false
(bootloader) 	Device unlocked: false
(bootloader) 	Device critical unlocked: false
(bootloader) 	Charger screen enabled: false
(bootloader) 	Display panel: 
OKAY [  0.055s]
finished. total time: 0.055s
DEBUG  <15:05:26.081,T:10504> : 10
DEBUG  <15:05:26.581,T:10504> : 15
DEBUG  <15:05:27.081,T:10504> : 20
DEBUG  <15:05:27.582,T:10504> : 25
DEBUG  <15:05:28.081,T:10504> : 30
DEBUG  <15:05:28.582,T:10504> : 35
DEBUG  <15:05:29.083,T:10504> : 40
DEBUG  <15:05:29.584,T:10504> : 45
DEBUG  <15:05:30.084,T:10504> : 50
DEBUG  <15:05:30.582,T:10504> : 55
DEBUG  <15:05:30.582,T:9620> : VerifyDeviceInfo
INFO   <15:05:30.582,T:9620> : product:mido
DEBUG  <15:05:30.582,T:9620> :  getvar token -s 469171ce0304
DEBUG  <15:05:30.608,T:9620> : token: x5gV+ClLUfwoyMmkrzGpfgAA
finished. total time: 0.001s
DEBUG  <15:05:30.609,T:9620> : to sign token with key for device:mido
DEBUG  <15:05:30.995,T:9620> : sign result:{
   "code" : 20036,
   "data" : {
      "waitHour" : 68
   },
   "description" : "您的账号跟设备的绑定时间太短, 请 68 个小时后再解锁. Please unlock 68 hours later.",
   "uid" : 194651172
}

DEBUG  <15:05:30.995,T:9620> : unlock return:20036 msg:您的账号跟设备的绑定时间太短, 请 68 个小时后再解锁. Please unlock 68 hours later.

It looks like it uses fastboot.exe to check your device info, and fastboot_unlock.exe getvar token to get a token

C:\Users\wb\Desktop\miflash_unlock-2.3.724.7>fastboot_unlock getvar token
token: wivtrz0kUW4Ac1v8rzGpfgAA
finished. total time: 0.002s

and fastboot_unlock.exe getvar product to get your device code.

C:\Users\wb\Desktop\miflash_unlock-2.3.724.7>fastboot_unlock getvar product
product: mido
finished. total time: 0.002s

wbsdty331 avatar Jul 27 '17 07:07 wbsdty331

I extracted some of the certificates from a firmware image but they probably aren't going to be much use without the signing key. Does someone have a copy of <<device>>_sig.data? I'm wondering if it's the same.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, OU=Xiaomi, O=Xiaomi, CN=Xiaomi Attestation CA
        Validity
            Not Before: Jun 24 08:01:51 2017 GMT
            Not After : Jun 19 08:01:51 2037 GMT
        Subject: C=US, CN=SecTools Test User, L=San Diego, O=SecTools, ST=California, OU=01 0000000000000009 SW_ID, OU=02 0004F0E100000000 HW_ID, OU=04 0000 OEM_ID, OU=05 000000A8 SW_SIZE, OU=06 0000 MODEL_ID, OU=07 0001 SHA256, OU=03 0000000000000002 DEBUG
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points: 
                URI:http://crl.qdst.com/crls/qctdevattest.crl

            X509v3 Authority Key Identifier: 
                keyid:0C:82:DD:0F:A4:2A:73:67:AC:DE:A1:A7:B0:45:54:30:D7:6F:C0:D4

            X509v3 Basic Constraints: 
                CA:FALSE, pathlen:0
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, OU=Xiaomi, O=Xiaomi, CN=Xiaomi Root CA 1
        Validity
            Not Before: Jan  7 13:59:04 2015 GMT
            Not After : Jan  2 13:59:04 2035 GMT
        Subject: C=CN, ST=Beijing, L=Beijing, OU=Xiaomi, O=Xiaomi, CN=Xiaomi Attestation CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:63:A1:0B:7D:D2:22:5D:D8:26:75:23:C2:E8:0A:09:21:B6:08:B9:73

            X509v3 Subject Key Identifier: 
                0C:82:DD:0F:A4:2A:73:67:AC:DE:A1:A7:B0:45:54:30:D7:6F:C0:D4
            X509v3 Basic Constraints: 
                CA:TRUE, pathlen:0
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, OU=Xiaomi, O=Xiaomi, CN=Xiaomi Root CA 1
        Validity
            Not Before: Jan  7 13:55:56 2015 GMT
            Not After : Jan  2 13:55:56 2035 GMT
        Subject: C=CN, ST=Beijing, L=Beijing, OU=Xiaomi, O=Xiaomi, CN=Xiaomi Root CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                63:A1:0B:7D:D2:22:5D:D8:26:75:23:C2:E8:0A:09:21:B6:08:B9:73
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, OU=Xiaomi, O=Xiaomi, CN=Xiaomi Attestation CA
        Validity
            Not Before: Jun 20 15:37:45 2017 GMT
            Not After : Jun 15 15:37:45 2037 GMT
        Subject: C=US, CN=SecTools Test User, L=San Diego, O=SecTools, ST=California, OU=01 000000000000000C SW_ID, OU=02 0004F0E100000000 HW_ID, OU=04 0000 OEM_ID, OU=05 00000108 SW_SIZE, OU=06 0000 MODEL_ID, OU=07 0001 SHA256, OU=03 0000000000000002 DEBUG, OU=08 0000000000000666 APP_ID
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points: 
                URI:http://crl.qdst.com/crls/qctdevattest.crl

            X509v3 Authority Key Identifier: 
                keyid:0C:82:DD:0F:A4:2A:73:67:AC:DE:A1:A7:B0:45:54:30:D7:6F:C0:D4

            X509v3 Basic Constraints: 
                CA:FALSE, pathlen:0
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption

jameshilliard avatar Sep 14 '17 23:09 jameshilliard
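The two SecTools leaf certificates above carry their secure-boot attributes in the OU fields of the Subject, each written as "<index> <hex value> <NAME>". The following added script (mine, not code from this thread or from Xiaomi/Qualcomm) parses the two Subject lines quoted verbatim from the dumps into named integer fields and reports which attributes differ between the two leaves; reading each OU as index / value / name is inferred from that layout.

```python
"""Decode the OU fields of the SecTools-style leaf certificate subjects quoted
above. Added example; not code from this thread or from Xiaomi/Qualcomm."""
from __future__ import annotations

import re

# Subject lines copied verbatim from the two leaf certificates in the dump.
SUBJECT_SW_ID_9 = (
    "C=US, CN=SecTools Test User, L=San Diego, O=SecTools, ST=California, "
    "OU=01 0000000000000009 SW_ID, OU=02 0004F0E100000000 HW_ID, OU=04 0000 OEM_ID, "
    "OU=05 000000A8 SW_SIZE, OU=06 0000 MODEL_ID, OU=07 0001 SHA256, "
    "OU=03 0000000000000002 DEBUG"
)
SUBJECT_SW_ID_C = (
    "C=US, CN=SecTools Test User, L=San Diego, O=SecTools, ST=California, "
    "OU=01 000000000000000C SW_ID, OU=02 0004F0E100000000 HW_ID, OU=04 0000 OEM_ID, "
    "OU=05 00000108 SW_SIZE, OU=06 0000 MODEL_ID, OU=07 0001 SHA256, "
    "OU=03 0000000000000002 DEBUG, OU=08 0000000000000666 APP_ID"
)

# Each OU value is "<two-hex-digit index> <hex value> <FIELD_NAME>" (inferred
# from the dumps); the hex value is read as a big-endian unsigned integer.
OU_RE = re.compile(r"^(?P<index>[0-9A-Fa-f]{2}) (?P<value>[0-9A-Fa-f]+) (?P<name>[A-Z0-9_]+)$")


def split_rdns(subject: str) -> list[tuple[str, str]]:
    """Split an openssl-printed DN into (attribute, value) pairs.
    The values in these dumps contain no escaped commas, so a plain
    split on ', ' is sufficient."""
    pairs = []
    for part in subject.split(", "):
        attr, _, value = part.partition("=")
        pairs.append((attr, value))
    return pairs


def parse_attestation_ou(subject: str) -> dict[str, dict]:
    """Return {FIELD_NAME: {"index": int, "value": int, "width": int}} for
    every OU that follows the index/value/name convention. Non-OU RDNs are
    ignored; an OU in any other shape is an error rather than silently skipped."""
    fields = {}
    for attr, value in split_rdns(subject):
        if attr != "OU":
            continue
        m = OU_RE.match(value)
        if not m:
            raise ValueError(f"unexpected OU layout: {value!r}")
        fields[m["name"]] = {
            "index": int(m["index"], 16),
            "value": int(m["value"], 16),
            "width": len(m["value"]) // 2,  # encoded width of the field in bytes
        }
    return fields


def diff_fields(a: dict[str, dict], b: dict[str, dict]) -> dict[str, tuple]:
    """Fields whose value differs between two parsed subjects, or that are
    present in only one of them (missing side reported as None)."""
    out = {}
    for name in sorted(set(a) | set(b)):
        va = a.get(name, {}).get("value")
        vb = b.get(name, {}).get("value")
        if va != vb:
            out[name] = (va, vb)
    return out


if __name__ == "__main__":
    first = parse_attestation_ou(SUBJECT_SW_ID_9)
    second = parse_attestation_ou(SUBJECT_SW_ID_C)
    for name, (va, vb) in diff_fields(first, second).items():
        print(f"{name:8s} {va!r:>8} -> {vb!r}")
```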

@jameshilliard I could try get one again tomorrow for you, though it won't be of much use - <<device>>_sig.data without signing capabilities will fail token verification.

Had a quick look at MiFlashUnlock 2.3.803.10 - the package is a lot larger on account of a move to embedded Chrome. I'll make a proper post in the coming week once I have an in-depth look.

mc-17 avatar Sep 19 '17 00:09 mc-17

Hey guys, I have successfully decrypted and encrypted the data transfer to the API, but it seems to depend on the server; can't bypass without the token from the server :(

testanull avatar Apr 11 '18 03:04 testanull

@testanull You can try and make the unlock tool go through your own server.

ghost avatar Apr 28 '18 13:04 ghost

@testanull can you share how you decrypted the data? @wbsdty331 how did you capture the log for unlock tool?

ashikns avatar Jul 02 '18 08:07 ashikns

@thewisenerd

Your analysis looks very interesting. How have you analysed the bootloader? Something like IDA? Also, what version of the bootloader are you referring to? (i.e. which xiaomi phone?) I saw that different xiaomi phones with different processors use a quite different boot sequence.

rocco8620 avatar Oct 20 '18 07:10 rocco8620

@jameshilliard ya, i have a copy of the _sig.data file; it's encrypted. the md5 hash is always the same but the content inside it gets changed every time; i compared 4 files and their md5 hash is the same but the content inside was different

faarish avatar Nov 26 '18 08:11 faarish

If the md5 matches the files should be identical (unless they are deliberately generating md5 collisions); if you want to check for sure use sha256, which is a cryptographically secure hash function where collisions are essentially impossible.

jameshilliard avatar Nov 26 '18 08:11 jameshilliard

AD652DA9C4722A24FBC2E325BE37C1A83D28C4D6A09A6CE0BB494365C68A906CCA2F5AD67A8A11C95094E0F581FC7E70F297F4576E04ADA4E86D209543D858E00414E3C2BEDAFC66D0FF36DC68AFC24655B68C2124FC4A9B0F2C724BBA7542A9845073B3C2E5A7ADD28FCF4A776B756D4BCCFDC32EFBB4CFAB9A778E5BB93B932333C934F12EAF098A4145FF038C6C6F651DFADF3684926BC13C66D223B5B8B52BF61CC638F6E5AC9078217D0D08B2228F92551040A779586CD290D9BDA9533328D3DB5D3B4875AC9EA3C7E1CB60866520453CDBE4EB50878728F75051A3ADB6F1A315797C68725DF7D4D37DB6013C9CD3D81A6B21CD2C9883DBC3CA91AAD397 (above two encrypted data) the log shows the encrypted data and that's what is in the sig.data file. i manually pasted the encrypted data from the log into the hex editor and saved it and ran the unlock command and it successfully unlocked. (i replaced fastboot.exe with a fake fastboot so it will not unlock using the app, in order to unlock manually using the encrypted data field.)

i think the encrypted data is generated using the ahaUnlock; in wireshark that is the last request that it makes

in wireshark it shows a json line; i don't know how the json line gets changed into encrypted data. here is the json line based text data: Voq1V4omnBvL7TpD7bcTs1RDK424nYFrlRRBNNKpMRc55VJNPzFbJFiNXf/HAyjmcNiS3BaiKnEjI7sRTlv2xyboXmqW34l/LsSt2mrlpJSEvwrQ3DRWFMATsvsZZj/rflNhyoPaJ9SDrj/Vc4ANbgsg4SdZCUs358TQAZmuH0KPGHlPiwC/1joyR6ESbFEcaDmLdkAIJkcEKjGH88n+Xq1j9mU+Jdj2cwDx9LHBdEoeJrmKxatsbffI3W1Ihk8KK4QdHN79ySLdoMc5t565g+ukIegSm9iTtJjljBvnTWXaJuFcJzLlN1Z1KD/PSro5YOhho0d8jaDYHmvBAUI24On+ttqWnnX/Kc+uxoLJ3LPqlk9D0mLGvtIat+up/oofXfp46wsx6EFKbm6Vo6CjPs0eOxE/3MhUZwvG6dOfjpjxRWOw6vQ4E4KcDC7P9RVa6qSXvOtf/u5c78gOD4JOPczQvoHmeNyiNjh2mvFKd9e5oc+cIWzao1vkthRpRmszyv/b0mnZ2XKjihMx53r41Nu73/UtmT6RYQczf5e8kJAC4IKb5WD+lcWbQKWhYc3t6ar010Xhixgqjs74JCL5ogS6qXj0WNjv1QeaQxcqYr961MXt+t/PrF/YEzCM+eOzyLHsaYWhoEWxy4Fe6lKVTgNbNuYicelaTXhbsUMePEJYRUsEnuhiboARRCQoCxgLIMls3+yIDJkoVn2fGSK9/xNnoIAdFURrQxQfcXWS0l7Lxc+fOi8UbCrxhjpMhX5KzapCcMV0fuExNsDp7ew+7ERm0q5YrkFlma5Hc6U5VTh1sFItZuQZU7z+4YY6Avv/24jBM3BFhE0iaXSxRCJJ/1gyYLYAMNcd3lgwTnoF4xvo+M+bvMOjDqqce59bd50FDZWsMqXDZpVfMNE61Abgr30Ub5NGSlCyFB6Zeb2+KiJ2vGtnmshNVekRCERU6cWkcB6w0Dun96XSRSn4Ajlu8MvOcC6xqcDiH94pGEJIwMSlM7HdNYWvVOjD3pJuZk7W6SzQBDVDp71yFb5mG1Hs6Tl8vAfzCGaDI4C1BwxJHDk=

faarish avatar Nov 26 '18 10:11 faarish

@FaArIsH yeah exactly. But the point is, the encrypted data you got is generated from the server. It was generated based on the serial number + random noise data. So every time you reload, the encrypted data changes because of the random noise data. I am sure that there is no way to regenerate that data from the client without the master key or something like that! You guys may want to read this: https://medium.com/nightst0rm/xiaomi-phone-unlock-bootloader-without-any-permission-dc7e5f1741a2 This is my blog post about "how to unlock redmi note 5 bootloader without permission"; it is in Vietnamese, you can use google translate to read it!

testanull avatar Nov 27 '18 01:11 testanull

@testanull I changed the token with another phone's token and the tool said you have to wait 30 days to unlock another device, then I tried from a new account; this time it said account is not bound.

So this server identifies the phone by using the last digits of the token.

Do you know how to change the serial number to a customer number? Or have you found a way to bind an account to a serial number without using the phone, just by sending a Post request? I could not capture what was happening when I pressed add account to bind.

faarish avatar Nov 28 '18 07:11 faarish

Yes, I have captured and decrypted the bond request, unlock request. I already tried to change the serial number but no hope. They use some kind of token to verify the serial number.

testanull avatar Nov 28 '18 08:11 testanull

Hey guys, I have succeeded in finding out the way to decrypt the sig.data. This is how it works:

  • When it receives the sig.data from the server, the device decrypts sig.data using the miui keystore (public key)
  • After that, it compares the decrypted token with the current token of the device. For example, the tokens pasted by @FaArIsH above I have decrypted into these values:
  • first sig.data: "Uu2GYqiEdLPXxEtgfkY9AAAA"
  • second sig.data: "F8xyPBooegYVj+RefkY9AAAA" => which means this device's cpu id is: 7e463d. Right? @FaArIsH

P.S.: in spite of having decrypted the sig.data, the public key cannot encrypt the data; we need the private key. We're still stuck here ¯\_(ツ)_/¯

testanull avatar Mar 03 '19 18:03 testanull

@testanull Hello, could you tell me how you managed to convert (decrypt) the encrypted string (token) to a "readable" value, if you don't mind?

For example, how would you convert this string?


Thank You, have a nice day

PS: what is meant by fake fastboot?

xderalt avatar May 03 '19 09:05 xderalt

@xderalt Yeah sure, I can. This is the decrypted string: VQEBIgEQW+oZUK8O4Oa11LkB1EtpuQMIbGF2ZW5kZXICBF2MWvM= I used the public key inside the bootloader to decrypt it.

testanull avatar May 03 '19 09:05 testanull

@testanull Thank you for your help!

Is the key common to all devices? Because I got that string from my redmi note 7 and tried to unlock it using the string you provided me; shouldn't it allow me to unlock my bootloader? Did I get something wrong? Also the decrypted string looks a lot like the token I got from my bootloader: VQEBIgEQnuk9tUx2/nU1fRZTCCw8KwMIbGF2ZW5kZXICBF2MWvM=

Thank you!

xderalt avatar May 03 '19 10:05 xderalt

This string is decrypted INSIDE the bootloader, and used for comparing with the token generated by the bootloader. Every time the phone reboots, it generates a new token (that's why the token you gave me is a little bit different from the new token you give above), so it can't be reused! Btw: this public key is hard-coded inside every Xiaomi phone; you can find the same key as mine in other devices like Redmi Note 4, 5 ...

testanull avatar May 03 '19 10:05 testanull
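To make "a little bit different" concrete, the following added script (mine, not code from anyone in this thread or from Xiaomi) base64-decodes the two lavender tokens just above and the two mido tokens from wbsdty331's unlock-tool log earlier in the thread, reports which byte offsets change between boots and which trailing bytes stay fixed, and parses the 0x55-prefixed format as nested tag/length/value records. The header and record layout are my inference from the byte values, not anything Xiaomi documents.

```python
"""Decode the bootloader tokens quoted in this thread and show which bytes
survive a reboot. Added example, not code from anyone in the thread or from
Xiaomi; the 0x55-format record layout below is inferred from the bytes."""
from __future__ import annotations

import base64

# Tokens copied verbatim from the thread. Each pair is one device on two
# different boots: MIDO_* are the two 'getvar token' outputs in wbsdty331's
# log, LAVENDER_* are xderalt's bootloader token and the value testanull
# posted as the decrypted content of xderalt's encrypted string.
MIDO_A = "x5gV+ClLUfwoyMmkrzGpfgAA"
MIDO_B = "wivtrz0kUW4Ac1v8rzGpfgAA"
LAVENDER_A = "VQEBIgEQnuk9tUx2/nU1fRZTCCw8KwMIbGF2ZW5kZXICBF2MWvM="
LAVENDER_B = "VQEBIgEQW+oZUK8O4Oa11LkB1EtpuQMIbGF2ZW5kZXICBF2MWvM="


def decode_token(token: str) -> bytes:
    """Tokens are plain standard base64 (with '+' and '/'), padded or not."""
    return base64.b64decode(token, validate=True)


def changed_positions(a: bytes, b: bytes) -> list[int]:
    """Offsets whose byte differs between two tokens of the same length."""
    if len(a) != len(b):
        raise ValueError(f"token lengths differ: {len(a)} vs {len(b)}")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def common_suffix(a: bytes, b: bytes) -> bytes:
    """Trailing bytes shared by both tokens: the part that stays tied to the
    device across reboots, which is what faarish saw the server keying on
    when a swapped-in token produced the 'wait 30 days' reply."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def parse_tlv(buf: bytes) -> list[tuple[int, bytes]]:
    """Parse a flat run of 1-byte tag / 1-byte length / value records,
    refusing any record whose declared length overruns the buffer."""
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated record header")
        tag, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag:#x} declares {length} bytes, {len(value)} left")
        items.append((tag, value))
        i += 2 + length
    return items


def parse_v55_token(raw: bytes) -> dict[int, bytes]:
    """Assumed layout of the 38-byte tokens: bytes 55 01, then one outer
    tag-1 record whose value is itself a record list. The declared lengths
    (0x22, then 0x10, 0x08, 0x04) account for every byte exactly, which is
    the only evidence for this reading."""
    if raw[:2] != b"\x55\x01":
        raise ValueError("not a 0x55-prefixed token")
    outer = parse_tlv(raw[2:])
    if len(outer) != 1 or outer[0][0] != 0x01:
        raise ValueError("expected exactly one outer tag-1 record")
    return dict(parse_tlv(outer[0][1]))


def compare_pair(first: str, second: str) -> dict:
    """Length, changed offsets and stable suffix for two tokens of one device."""
    a, b = decode_token(first), decode_token(second)
    return {
        "length": len(a),
        "changed": changed_positions(a, b),
        "suffix": common_suffix(a, b),
    }


if __name__ == "__main__":
    for name, pair in (("mido", (MIDO_A, MIDO_B)), ("lavender", (LAVENDER_A, LAVENDER_B))):
        r = compare_pair(*pair)
        print(f"{name}: {r['length']} bytes, changed offsets {r['changed']}, "
              f"stable suffix {r['suffix'].hex()}")
    for tag, value in sorted(parse_v55_token(decode_token(LAVENDER_A)).items()):
        print(f"  tag {tag:#04x}: {value!r}")
```

For the mido pair only the first twelve bytes move while the last six stay put; for the lavender pair everything outside the 16-byte tag-1 value, including the ASCII codename record, is identical across the two boots.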

@testanull ah ok, but how do you decrypt it if it's a public key? Shouldn't it be private?

And how could I extract the key from my device? Sorry to bother you with all these questions :(

Or could you share yours also in private?

Thank You

xderalt avatar May 03 '19 10:05 xderalt

@xderalt if it is called "public key", probably is because it is meant to be "public", don't you think?

You can extract the key from the bootloader image

rocco8620 avatar May 03 '19 10:05 rocco8620

Hi, can you tell me the first few bytes of the public key? I found something, not sure if it is the public key or not :) https://i.ibb.co/hLP4hwV/Mi.jpg

GautamGreat avatar Jun 02 '19 09:06 GautamGreat

Yes, I have done it. This code doesn't work (final request fails with '参数异常') but it gets very close, and handles all the encryption. request.py

I doubt you can crack the token encryption key, as it is probably a high RSA denomination.

Once token is acquired, it is flashed to signature virtual partition, and possibly also a command is run

penn5 avatar Jun 20 '19 12:06 penn5

Main problem is you can't @penn5

testanull avatar Jun 20 '19 13:06 testanull

You can't... what? Crack the token encryption? I know that, I'm just trying to make a FOSS CLI unlock tool

penn5 avatar Jun 20 '19 13:06 penn5

There's a command fastboot oem edl btw.

penn5 avatar Jun 20 '19 13:06 penn5

I'm attaching my unlocked devinfo. It's a bit weird, do a hex diff with /dev/zero devinfo.zip

penn5 avatar Jun 20 '19 14:06 penn5

https://github.com/penn5/miunlock It works.

penn5 avatar Jun 21 '19 07:06 penn5

Xiaomi have changed the format of the serviceLogin API, does anyone have the mitm dumps from before?

penn5 avatar Sep 19 '19 11:09 penn5

I'm attaching my unlocked devinfo. It's a bit weird, do a hex diff with /dev/zero devinfo.zip

Thanks for this - I'm working on something I might release soon that is able to write to this partition - so in theory, this should allow me to unlock without touching Xiaomi's servers. I'm still working out a couple of bugs and it needs a tidy up, but I hope to have it out soon.

https://github.com/penn5/miunlock It works.

Nice work!

mc-17 avatar Dec 23 '19 11:12 mc-17

Thanks for this - I'm working on something I might release soon that is able to write to this partition - so in theory, this should allow me to unlock without touching Xiaomi's servers. I'm still working out a couple of bugs and it needs a tidy up, but I hope to have it out soon.

Wow, that's pretty cool! Does it use EDL? Or perhaps you use CVE-2019-2215 (if you don't, I just realised that's a good idea)

penn5 avatar Dec 23 '19 14:12 penn5

Thanks for this - I'm working on something I might release soon that is able to write to this partition - so in theory, this should allow me to unlock without touching Xiaomi's servers. I'm still working out a couple of bugs and it needs a tidy up, but I hope to have it out soon.

Wow, that's pretty cool! Does it use EDL? Or perhaps you use CVE-2019-2215 (if you don't, I just realised that's a good idea)

It uses EDL - I'm still ironing out some kinks but your devinfo file might've spawned a theory on why my tool can't unlock the device yet

Could you confirm the following, please:

  • The model that devinfo is from
  • The output of "fastboot oem device-info"?

mc-17 avatar Dec 23 '19 17:12 mc-17

Thanks for this - I'm working on something I might release soon that is able to write to this partition - so in theory, this should allow me to unlock without touching Xiaomi's servers. I'm still working out a couple of bugs and it needs a tidy up, but I hope to have it out soon.

Wow, that's pretty cool! Does it use EDL? Or perhaps you use CVE-2019-2215 (if you don't, I just realised that's a good idea)

It uses EDL - I'm still ironing out some kinks but your devinfo file might've spawned a theory on why my tool can't unlock the device yet

Could you confirm the following, please:

  • The model that devinfo is from
  • The output of "fastboot oem device-info"?

The devinfo is from the Cepheus I'm holding right now (EEA, Pie) Haven't got a PC nearby till after Christmas, but I'll see if I can get my laptop out. Don't get your hopes up though

penn5 avatar Dec 23 '19 18:12 penn5

P.s. do you have Telegram? It may be much faster if you do

penn5 avatar Dec 23 '19 18:12 penn5

@mc-17 got the info:
Model: cepheus_eea / Mi 9
Region: Britain
Verity mode: true
Device unlocked: true
Device critical unlocked: true
Charger screen enabled: false

Can you elaborate on how your arbitrary write works? I would assume that the devinfo has a signature (although perhaps not encryption, judging by the frequency of NULLs), and probably a device specific identifier too, to prevent people doing exactly what you're doing. Do you have any source code published?

My telegram is t.me/hackintosh5, drop me a PM if you like.

Happy Hacking and Merry Christmas :P

penn5, Dec 25 '19 16:12

Awesome! Thank you :)

From what I can tell, devinfo is basically unprotected - this might not transpire to be the case, but I can boot with a modified devinfo with verity active (confirmed by using the r/w to write onto system, and causing a bootloop). In my limited tests, nothing is protecting it at an attack during the edl stage.

My tests so far have been limited on the devices and they're fairly old, so some things might've changed, but its looking good so far.

No source code published yet - I'm about half way through a rewrite into a code standard I'd be comfortable publishing - I'll be sure to let you know as soon as I have something I'm willing to put out for beta testing

mc-17, Dec 26 '19 15:12

Awesome! But you didn't mention if you have Telegram

penn5, Dec 26 '19 22:12

I don't have Telegram, but if you need to get in touch privately I can work something out

mc-17, Dec 26 '19 23:12

Okay, well there's no need, just I can communicate faster with tg. Well, tell me when you got something!

penn5, Dec 27 '19 11:12

A little demo of writing custom devinfo partitions:

https://www.youtube.com/watch?feature=youtu.be&v=Br7lCUtFWqo&app=desktop

Still not got the unlocking down /quite/ yet, and I might've just bricked my dev phone...

mc-17, Jan 01 '20 15:01

That's pretty cool. Does edl mode actually try to be secure, or is it just a matter of working out the protocol?

penn5, Jan 01 '20 23:01

Apparently EDL can't be entered any more without special authentication. Also devinfo is signed and secured with the cpuid, and EDL is signed since 845

penn5, Jan 13 '20 11:01

It's mostly just working out the protocol - I imagine there's some bugs in the programmers, however, given how easy it is to get it to accidentally reboot.

Damn! That's annoying, and something I was somewhat concerned with given the age of my device. Hopefully what I've been working on can become an unlock for older devices. Speaking of which, I may end up releasing it soon (without unlock capability, but I believe the pieces are all there) due to my research device getting bricked.

mc-17, Jan 15 '20 20:01

Bricked = edl not working? Oof!

penn5, Jan 16 '20 08:01

Please help with the public key - where can I find it? Idea - generate my own keys, replace the public key in the img and write it back to the device by ISP or EDL mode; after getting the token, encrypt it with my own key and get the hash, and input the result to fastboot oem unlock.

PCherUsr, Oct 07 '20 22:10

@xderalt Yeah sure, I can, This is the decrypted string: VQEBIgEQW+oZUK8O4Oa11LkB1EtpuQMIbGF2ZW5kZXICBF2MWvM= I used the public key inside the bootloader to decrypt it

Please send me your key in hex - I'll compare it with mine and try to unlock as written above.

PCherUsr, Oct 07 '20 22:10

The base keys are fused into the cpu - they cannot be changed and they are used by the bootrom to verify the pbl.

penn5, Oct 08 '20 11:10

I know it. Which public key is used to decrypt sig.data? In the SoC or in eMMC (sbl, aboot, tz, etc)? If from eMMC - dump it, replace it with my own, write it back to eMMC, boot into fastboot and unlock with my own generated sig.data. What do you think? For example I have two redme x4 - one locked and one unlocked. I replaced (compared the diff - found which changed with a hex editor) aboot, devinfo, rpm, keymaster, lksecapp.

And booted the locked device into fastboot - nothing changed, but when I read back all these partitions, in devinfo bytes 0x10 and 0x18 changed from 1 to 0 and nothing else.

So the only way I see - replace the public key in eMMC with my own and try to unlock the vendor way.

I need help to find the public key which is used to decrypt sig.data when unlocking the normal way.

PCherUsr, Oct 08 '20 11:10

The key used to verify abl is in efuse. Still.

penn5, Oct 08 '20 20:10

Yes, I have captured and decrypted the bond request, unlock request. I already tried to change the serial number but no hope. They use some kind of token to verify the serial number.

Please please please help me - from which image in the firmware did you get the public key?

PCherUsr, Oct 10 '20 07:10

AD652DA9C4722A24FBC2E325BE37C1A83D28C4D6A09A6CE0BB494365C68A906CCA2F5AD67A8A11C95094E0F581FC7E70F297F4576E04ADA4E86D209543D858E00414E3C2BEDAFC66D0FF36DC68AFC24655B68C2124FC4A9B0F2C724BBA7542A9845073B3C2E5A7ADD28FCF4A776B756D4BCCFDC32EFBB4CFAB9A778E5BB93B932333C934F12EAF098A4145FF038C6C6F651DFADF3684926BC13C66D223B5B8B52BF61CC638F6E5AC9078217D0D08B2228F92551040A779586CD290D9BDA9533328D3DB5D3B4875AC9EA3C7E1CB60866520453CDBE4EB50878728F75051A3ADB6F1A315797C68725DF7D4D37DB6013C9CD3D81A6B21CD2C9883DBC3CA91AAD397 (above two encrypted data) the log shows the encrypted data and that's what is in the sig.data file; I manually pasted the encrypted data from the log into the hex editor, saved it, ran the unlock command and it successfully unlocked. (I replaced fastboot.exe with a fake fastboot so it will not unlock using the app, because I wanted to unlock manually using the encrypted data field.)

I think the encrypted data is generated using the ahaUnlock; in wireshark that is the last request that it makes.

In wireshark it shows json lines; I don't know how the json lines get changed into the encrypted data. Here is the json line based text data

hi, do you still remember the SN corresponding to this sig.data?

zainarbani, Jan 27 '21 09:01

ping

Muhammadyusuf96, May 08 '21 15:05

Any update? Will I be able to unlock the bootloader without Xiaomi's bootloader unlock?

Akczht, Jun 01 '21 21:06

ping

pong

cmdprompt86, Feb 20 '22 00:02