Monday, November 13, 2017

Reverse Engineering Xiaomi OTA Updates to Find Unreleased Updates

In an attempt to gain access to Xiaomi devices' nightlies, the unreleased, in-house versions of Xiaomi's MIUI operating system, XDA Senior Member duraaraa reverse-engineered Xiaomi's over-the-air (OTA) update system. The two work-in-progress exploits force Xiaomi devices to pull a nightly build instead of the latest commercial firmware, which in theory could be installed on off-the-shelf devices if (1) MIUI's OTA application was reverse engineered and (2) the test builds were signed with the same keys as the official builds.

Method 1: Crafting a Xiaomi OTA Update URL

The simpler of the two methods involves accessing the OTA update URL, whose response tells the client device how to download the update. The response behind one such URL, shown below, carries the fields that tell Xiaomi's OTA update app where to find version 7.9.21 of MIUI 9, an internal test build:

{
  "UserLevel": 9,
  "LatestVersion": {
    "type": "rom",
    "device": "chiron_global",
    "name": "XM-MIMIX2-GLOBAL 7.9.21",
    "description": "MIUI\u5347\u7ea7",
    "descriptionUrl": "http:\/\/update.miui.com\/updates\/updateinfo\/7.9.21\/chiron_global_0_7.9.21_4494ccfcc506caca9904efb74b489e0a.html",
    "md5": "7f94ca393fae77c6171e6c7a551bea2e",
    "filename": "miui_MIMIX2Global_7.9.21_7f94ca393f_7.1.zip",
    "filesize": "1.6G",
    "codebase": "7.1",
    "version": "7.9.21",
    "branch": "X"
  },
  "UpdateList": [
    {
      "type": "rom",
      "device": "chiron_global",
      "name": "XM-MIMIX2-GLOBAL 7.9.21",
      "description": "",
      "descriptionUrl": "http:\/\/update.miui.com\/updates\/updateinfo\/7.9.21\/chiron_global_0_7.9.21_4494ccfcc506caca9904efb74b489e0a.html",
      "md5": "7f94ca393fae77c6171e6c7a551bea2e",
      "filename": "miui_MIMIX2Global_7.9.21_7f94ca393f_7.1.zip",
      "filesize": "1.6G",
      "codebase": "7.1",
      "version": "7.9.21",
      "branch": "X"
    }
  ],
  "IncrementalUpdateList": [],
  "MirrorList": ["http:\/\/bigota.d.miui.com"],
  "Signup": {"version": "", "total": "", "rank": ""},
  "AuthResult": 0,
  "ForceUpdate": 0
}
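To make the shape of that response concrete, here is an added Python example (not code from the article, from duraaraa, or from Xiaomi) that parses it the way an updater client would and applies the checks a defender wants before trusting the announced image: the JSON escapes are decoded, the mirror list and metadata are pulled out, the hash tag embedded in the filename is compared with the md5 field, and a downloaded image is verified against that md5. Assumptions: the embedded response is the one quoted above with UpdateList trimmed; the rule that the filename's fourth underscore-separated field equals the first ten hex characters of the md5 is inferred from this single sample; the image bytes and the second response are constructed test data. The md5 only detects corruption; as the article notes, what actually gates installation is whether the build is signed with the official keys.

```python
import hashlib
import json

# The server response quoted in the article, with UpdateList trimmed and the
# closing brace restored. A raw string keeps the JSON escapes (\/ and \uXXXX)
# intact so json.loads decodes them, not Python.
OTA_RESPONSE = r'''{"UserLevel":9,"LatestVersion":{"type":"rom","device":"chiron_global","name":"XM-MIMIX2-GLOBAL 7.9.21","description":"MIUI\u5347\u7ea7","descriptionUrl":"http:\/\/update.miui.com\/updates\/updateinfo\/7.9.21\/chiron_global_0_7.9.21_4494ccfcc506caca9904efb74b489e0a.html","md5":"7f94ca393fae77c6171e6c7a551bea2e","filename":"miui_MIMIX2Global_7.9.21_7f94ca393f_7.1.zip","filesize":"1.6G","codebase":"7.1","version":"7.9.21","branch":"X"},"UpdateList":[],"IncrementalUpdateList":[],"MirrorList":["http:\/\/bigota.d.miui.com"],"Signup":{"version":"","total":"","rank":""},"AuthResult":0,"ForceUpdate":0}'''


def parse_ota_response(text: str) -> dict:
    """Extract the fields an updater needs from LatestVersion plus the mirror list."""
    data = json.loads(text)
    latest = data["LatestVersion"]
    return {
        "device": latest["device"],
        "version": latest["version"],
        "branch": latest["branch"],
        "filename": latest["filename"],
        "md5": latest["md5"].lower(),
        "filesize": latest["filesize"],
        # "MIUI\u5347\u7ea7" decodes to the Chinese word for "upgrade".
        "description": latest["description"],
        # The escaped "\/" sequences become plain slashes here.
        "description_url": latest["descriptionUrl"],
        "mirrors": data["MirrorList"],
        "incremental": data["IncrementalUpdateList"],
    }


def filename_matches_md5(info: dict) -> bool:
    """Consistency check: the filename's 4th field should be the md5 prefix.

    In the sample above, miui_MIMIX2Global_7.9.21_7f94ca393f_7.1.zip carries the
    tag 7f94ca393f, the first ten characters of the md5 field. That this is the
    naming convention is an assumption drawn from this one response.
    """
    stem = info["filename"].rsplit(".", 1)[0]
    parts = stem.split("_")
    if len(parts) < 4:
        return False
    return info["md5"].startswith(parts[3].lower())


def verify_image(info: dict, image: bytes) -> bool:
    """Compare a downloaded image against the md5 the server announced.

    This catches truncated or corrupted downloads only; it is not an
    authenticity check, which is the job of the signature the updater verifies.
    """
    return hashlib.md5(image).hexdigest() == info["md5"]


def constructed_response(image: bytes) -> str:
    """Build a response of the same shape whose md5 matches `image`.

    Constructed test data: the device name and version are placeholders.
    """
    data = json.loads(OTA_RESPONSE)
    digest = hashlib.md5(image).hexdigest()
    data["LatestVersion"]["md5"] = digest
    data["LatestVersion"]["filename"] = f"miui_TestDevice_0.0.1_{digest[:10]}_7.1.zip"
    return json.dumps(data)


if __name__ == "__main__":
    info = parse_ota_response(OTA_RESPONSE)
    print(f"{info['device']} {info['version']} branch {info['branch']}: {info['filename']}")
    print("mirrors:", info["mirrors"])
    print("filename tag matches md5:", filename_matches_md5(info))
    # A constructed stand-in for a download; it does not match the real md5.
    fake_image = b"constructed stand-in for a ROM zip"
    print("stand-in verifies against real response:", verify_image(info, fake_image))
    good = parse_ota_response(constructed_response(fake_image))
    print("stand-in verifies against constructed response:", verify_image(good, fake_image))
```

Run stand-alone, the script prints the parsed metadata, confirms the filename tag agrees with the md5, and shows the constructed image failing against the real response but passing against a response built around its own digest.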

When a stable release, 8.5.7.0.NDECNEF, recently began rolling out in China, duraaraa used the exploit to find the firmware's upgrade URL.

Method 2: Crafting a Xiaomi OTA Update Request

The second method, which is a bit more complex, involves grabbing the Xiaomi update server’s decryption key. That requires decompiling the updater application and using Xposed to capture and analyze network traffic.

When the decryption key (“miuiotavalided11”, for example) is in place, any user could, in theory, generate a fake upgrade request.

Forcing Xiaomi OTA Upgrades

duraaraa used the two methods to find unreleased MIUI builds on Xiaomi's servers, but hasn't managed to download and install a nightly on a Xiaomi device yet. He's asking members of the development community to pitch in on the effort.

To keep track of new developments and/or volunteer your expertise, check out the XDA Forums thread.


Reverse engineering Xiaomi OTAs

