Tuesday, September 11, 2018

Xiaomi’s Anti-Rollback Protection Explained: How to avoid bricking your phone


Back in July, Xiaomi rolled out MIUI 10 Global Beta 8.7.5 for eight Xiaomi devices. When users installed the update on their Xiaomi Redmi Note 5 Pro, they unknowingly flashed a build with anti-rollback protection enabled. Users who didn’t like MIUI 10 Global Beta found a nasty surprise when they tried to re-install the latest MIUI 9 Global Stable ROM: their phones were bricked! This wasn’t the kind of brick that you could fix by restoring a TWRP backup, flashing a new ROM, or using MiFlash to restore to a factory image. This is a hard, unrecoverable brick that requires the use of EDL mode to fix. But EDL mode isn’t accessible unless you have an authorized account, so many users were left with no way to fix their phone except sending it in to an authorized service center or paying to use someone’s account with EDL access. In this article, we’re going to explain everything you need to know about Xiaomi’s new anti-rollback protection so you can avoid bricking your new phone.


Why does Xiaomi require long bootloader unlock wait times, EDL authorization, and Anti-Rollback Protection?

Chinese electronics giant Xiaomi is the most popular smartphone brand in India thanks to their wide selection of budget and mid-range devices. Like Huawei, Xiaomi also sells a ton of smartphones in their home market of China. Many of these devices are never sold outside of China, but that doesn’t stop people from importing them. Unofficial retailers for Xiaomi products have sprung up on Aliexpress, Gearbest, and plenty of other websites, allowing anyone from outside China to buy the latest Xiaomi products. This has posed a challenge for the company as the software they ship on their Chinese devices, called “MIUI China,” does not contain Google Play Services, the Google Play Store, or languages other than English or Mandarin. Thus, anyone who imports a Xiaomi device from China shouldn’t be getting Google apps and services out of the box.

However, third-party retailers figured out a way around this so they could convince customers they were selling Xiaomi devices with an “official” MIUI Global ROM. The retailers would buy Xiaomi devices in bulk, unlock the bootloader, change the software themselves or flash a custom ROM like Xiaomi.eu (unofficial ROMs based on MIUI China but with more languages and features), and then sell the device. Most consumers would have no way of knowing they’re running unofficial/modified software, and would instead blame Xiaomi for a lack of updates or bugs they encounter. Even worse, some retailers would intentionally bundle malware or adware so they could make a bit of extra money. Xiaomi’s reputation was actively being harmed by this practice as tech reviewers and consumers were caught up in the schemes of these unofficial retailers, and so they needed to come up with a way to stop shady retailers from selling modified devices in bulk.

One solution is to completely block bootloader unlocking, which is a drastic move that Huawei recently took. Seeing their brand’s success among enthusiasts, Xiaomi hasn’t moved to block bootloader unlocking just yet. Instead, they’ve implemented a few roadblocks to safeguard users against the actions of malicious third-party retailers.

Bootloader Unlock Wait Times

First, they implemented a waiting period for bootloader unlocking. Xiaomi devices, save for the Xiaomi Mi A1, Xiaomi Mi A2, and Xiaomi Mi A2 Lite which run stock Android under the Android One program, require the use of Xiaomi’s proprietary Mi Unlock tool to unlock the bootloader. After sending your request to unlock the bootloader, Mi Unlock forces you to wait before it validates your request and unlocks the bootloader. The waiting time used to be 3 days before increasing to 15 days in early 2018, and recently, the waiting time has increased to 30 or as high as 60 days in some instances. (Xiaomi’s new sub-brand, Poco, lowered the waiting time to 3 days after receiving feedback from the community, although nearly everyone else still has to wait a long time.) Adding a wait time to the bootloader unlock process was effective in slowing down the operations of third-party retailers, but it is also understandably annoying for enthusiasts who want to unlock the bootloader to root their device, flash custom ROMs, and flash custom kernels.

EDL Authorization

Next, the company began to lock down EDL mode on their devices. EDL stands for Emergency Download Mode, and it’s an alternative boot mode on all Qualcomm devices that’s commonly used to unbrick your device. In order to make use of EDL mode, you need to find what’s called a “programmer” that has been authorized by the OEM (Xiaomi) for use on your device. EDL mode is very powerful and very low-level, and it’s routinely used by service centers to repair devices. However, EDL mode was also commonly used to flash both official and modified MIUI Global ROMs on Chinese Xiaomi devices without unlocking the bootloader. In essence, EDL mode became another way that third-party retailers could bypass Xiaomi. Xiaomi doesn’t want consumers buying Chinese versions of their hardware with Global ROMs installed, so they did two things: they made it impossible to boot a Global ROM if the device isn’t a Global version (with the warning message “This MIUI can’t be installed on this device”), and they made it so EDL mode can’t be used unless you have an authorized Mi account.


Anti-Rollback Protection

Finally, they implemented anti-rollback protection in the latest versions of MIUI for the latest Xiaomi devices. You may have heard of anti-rollback protection before. Google added support for the feature in Android 8.0 Oreo and made it mandatory for devices launching with Android Pie. Google’s anti-rollback protection is a feature of Android Verified Boot 2.0 (also known as Verified Boot) and it prevents the device from booting if it detects that the device has been downgraded to an older, unapproved software build. Anti-rollback protection is necessary to prevent attackers from loading older software on a device that’s susceptible to an exploit. The biggest difference between Google and Xiaomi’s implementation is that Google’s anti-rollback protection is disabled if you unlock the bootloader while Xiaomi’s can’t be disabled. Once you install a build with anti-rollback protection enabled on a Xiaomi device, there’s no going back. For instance, anti-rollback protection is enabled for the Xiaomi Mi 8 and Xiaomi Redmi Note 5 Pro starting in MIUI 10 China 8.9.6 and MIUI 10 Global Beta 8.7.5 respectively.


List of devices which currently have anti-rollback protection enabled. Source: Xiaomi.eu.

Anti-rollback protection will stop any unauthorized retailer from taking advantage of exploits in older MIUI versions, thus protecting users from exploitation. However, it has also caught many off guard because Xiaomi rolled it out to the Redmi Note 5 Pro without informing users beforehand. Because TWRP does not have any checks in place to stop users from installing older, unauthorized MIUI versions, many people accidentally bricked their devices when they downgraded from a MIUI beta ROM to a MIUI stable ROM. All currently supported Xiaomi devices will eventually gain anti-rollback protection, so it’s incredibly important that you understand how to check for it before downgrading and what you can do if anti-rollback protection is enabled.


How to check for Anti-Rollback Protection

When we talked about how anti-rollback protection prevents a device from booting older, insecure software, we said that Verified Boot “detects” the presence of older software. This detection works by comparing a rollback index stored on the device with the rollback index carried by the images to be installed. Depending on how the rollback indices compare, the following will happen:

  • If the current rollback index is less than the rollback index in the images to be flashed, then the images will be flashed and the current rollback index will be incremented to match the new rollback index.
  • If the current rollback index is equal to the rollback index in the images to be flashed, then the images will be flashed and the rollback index won’t change.
  • If the current rollback index is greater than the rollback index in the images to be flashed, then the images will be rejected if you’re flashing via fastboot or Mi Flash. (TWRP does not check the rollback indices before flashing, which is why nearly all bricks were the result of downgrading via TWRP.)

Now that you have a better understanding of the rollback index, here’s how to actually check the current rollback index on your device and the image you want to flash.

How to find current rollback index

  1. Reboot to fastboot mode
  2. Enter the following command: fastboot getvar anti
  3. If the output is blank, then anti-rollback has not yet been enabled. If you get a number in the output, then that’s your current rollback index.

Current anti-rollback index of the device is 4.

How to find rollback index of images

  1. Download the “fastboot” ROM equivalent of the recovery ROM you are trying to install. The recovery ROM always has the device’s marketing name in the filename and ends in .zip. The fastboot ROM always has the device’s code-name in the filename and ends in .tar.gz.
  2. Extract flash-all.bat from the .tar.gz archive. 7Zip can easily handle this.
  3. Open flash-all.bat in a text editor like Notepad++ and look for the following line: set CURRENT_ANTI_VER=#
  4. That number (#) is the rollback index of the MIUI version you want to flash. If that number is equal to or greater than your current rollback index, then it’s safe to flash in TWRP, Mi Flash, etc. If that number is less than your current rollback index, then DO NOT FLASH THIS ROM VIA TWRP.

Snippet from the flash-all script of a fastboot ROM
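As an added illustration (not code from the original article or from Xiaomi), the following script automates the check described above: it reads the device’s index from the output of `fastboot getvar anti`, reads the ROM’s index from the `CURRENT_ANTI_VER` line of `flash-all.bat`, and applies the three comparison rules from the previous section. The sample outputs and the `flash-all.bat` excerpt are constructed for the example, and treating a blank `anti` value as index 0 is an assumption.

```python
import re
from typing import Optional, Tuple

# Constructed sample outputs of `fastboot getvar anti` (fastboot prints getvar
# results on stderr). The first mirrors the screenshot in the article (index 4);
# the blank value is what a device without anti-rollback enabled reports.
GETVAR_ANTI_ENABLED = "anti: 4\nfinished. total time: 0.002s\n"
GETVAR_ANTI_BLANK = "anti: \nfinished. total time: 0.001s\n"

# Constructed excerpt of a fastboot ROM's flash-all.bat; real scripts are much
# longer, but the CURRENT_ANTI_VER line is the one the article tells you to find.
FLASH_ALL_BAT = r"""@echo off
set CURRENT_ANTI_VER=4
rem (remainder of the flashing script omitted in this constructed excerpt)
"""


def device_rollback_index(getvar_output: str) -> Optional[int]:
    """Return the device's current rollback index, or None when the value is
    blank (anti-rollback protection not yet enabled on this device)."""
    m = re.search(r"^anti:[ \t]*(\d*)[ \t]*$", getvar_output, re.MULTILINE)
    if m is None or m.group(1) == "":
        return None
    return int(m.group(1))


def rom_rollback_index(flash_all_bat: str) -> int:
    """Return the rollback index a fastboot ROM carries in its flash-all.bat."""
    m = re.search(r"^\s*set\s+CURRENT_ANTI_VER=(\d+)\s*$", flash_all_bat,
                  re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("no CURRENT_ANTI_VER line found; is this a fastboot ROM?")
    return int(m.group(1))


def check_flash(device_index: Optional[int], rom_index: int) -> Tuple[bool, int, str]:
    """Apply the three comparison rules from the article.
    Returns (safe_to_flash, index_after_flash, explanation)."""
    current = 0 if device_index is None else device_index  # assumption: blank == 0
    if rom_index > current:
        return True, rom_index, f"ROM is newer: device index will be raised to {rom_index}"
    if rom_index == current:
        return True, current, "same index: flash allowed, index unchanged"
    return False, current, (f"ROM index {rom_index} < device index {current}: fastboot and "
                            "Mi Flash reject it; TWRP would flash it and hard-brick the device")


if __name__ == "__main__":
    safe, after, why = check_flash(device_rollback_index(GETVAR_ANTI_ENABLED),
                                   rom_rollback_index(FLASH_ALL_BAT))
    print("SAFE" if safe else "DO NOT FLASH", after, why)
```

To use it on a real device, feed the script the stderr of `fastboot getvar anti` and the contents of the ROM’s `flash-all.bat`.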

Avoiding a full, unrecoverable brick should be simple so long as you check the rollback indices before downgrading via TWRP. Just to be safe, you should stick with Mi Flash or fastboot to flash MIUI ROMs as your phone’s bootloader has built-in protections to prevent you from downgrading to a version with a lower rollback index.


How does Anti-Rollback Protection affect Custom ROMs?

If you plan on never flashing MIUI again, then not much will change for you. If you want to flash an AOSP ROM like LineageOS, Pixel Experience, Resurrection Remix, Carbon ROM, etc., you’ll still need to unlock the bootloader via Mi Unlock, boot TWRP, and then flash the custom ROM. The only notable difference is how you install TWRP via fastboot. Since anti-rollback protection blocks you from flashing the TWRP image, you need to flash a “dummy” image first. The dummy image is an empty file that serves no other purpose than sending a command to the bootloader so it knows that afterward, it can accept other flashes. (If you look at the flash-all script from the previous section, this is actually how Xiaomi officially does it.) Alternatively, you can “fastboot boot” the TWRP image, move the TWRP image to your device’s storage, then flash the TWRP image from within TWRP. I’m not providing detailed instructions on either method as I urge you to visit your device’s forum for device-specific instructions.

XDA Forum Index for all Xiaomi devices

There is one caveat, however. There’s no way to tell beforehand if the rollback index has been incremented due to an updated bootloader, modem, vendor, or other partitions. Keep in mind that custom ROMs usually only change the system and boot partitions, but to keep your device truly secure with the latest security patch updates, you’ll occasionally need to flash the latest images that are contained in the latest official MIUI ROMs. Developers of custom ROMs will have to manually check the rollback index of these builds before they recommend an update; that way, you’ll know when a new update locks you into certain MIUI versions if you plan on going back to MIUI from an AOSP ROM.


What do I do if I bricked my phone?

If you bricked your phone by triggering anti-rollback protection, you have very few options.

  1. Send your device to an authorized service center for repair. The service centers have access to restore your device via EDL mode.
  2. Hope that there’s somehow a way to bypass EDL authorization (essentially, an exploit) so you can manually restore your device with the right programmer.

As you can see, bricking your phone by triggering anti-rollback protection is no joke. You really need to be careful before you flash any older MIUI version.


Frequently Asked Questions (FAQs)

  1. What do I avoid if I don’t want to brick my device?
    • Don’t flash a MIUI version with a rollback index less than your device’s current rollback index. See above for instructions.
    • Don’t flash an official MIUI Global ROM on Chinese Xiaomi hardware with a locked bootloader.
  2. Can I still install custom AOSP ROMs, kernels, Magisk, Xposed, Substratum, ARISE, and other mods?
    • Yes.
  3. Can I still switch between MIUI Global Stable, MIUI Global Developer, MIUI China Stable, and MIUI China Developer?
    • Yes, but you need to compare the rollback indices before you install an older MIUI version.
  4. Why doesn’t Xiaomi disable anti-rollback protection when you unlock the bootloader?
    • That’s a good question.
  5. Why does Xiaomi hard brick your phone if anti-rollback protection is triggered, which Google doesn’t do?
    • That’s another good question.
  6. Why doesn’t Xiaomi display the standard Verified Boot warning to show the user the software has been tampered with?
    • You’re on a roll with these great questions! In all seriousness, this one can be somewhat justified because it’s possible to disable this splash screen – at least on some devices.

Special thanks to XDA Recognized Developer yshalsager and XDA Junior Member franztesca for their assistance in this article!
