Hey guys, this is Aryan (TechyMinati @An ASP). As we know, these days everyone is keen to install custom ROMs and recoveries on their devices. Sometimes things go well and sometimes the device hard-bricks. Here we are basically talking about Xiaomi MediaTek devices and their fate.
MediaTek devices have Download Mode, or DA Mode, which allows you to revive your device even if it is hard-bricked. So what's the error now?
The case with Xiaomi MediaTek devices is entirely different: you can't flash your device without a Mi Authorized Account, which can simply be called server-side SLA (Serial Link Authorization).
Let's take an in-depth look at how this Mi Authorized Account works.
For those unaware, SP Flash Tool, short for SmartPhone Flash Tool, is a tool that MediaTek distributes that allows flashing the OEM firmware back onto a MediaTek device in case something goes wrong. Now, in this "hard-brick" condition, the device is able to enter the BROM "emergency download" mode (EDL for short). If you remember, BROM may implement security to prevent unauthorized modification of the device.
Most manufacturers implement very basic security; there are 2 main BROM security implementations:
SLA (Serial Link Authorization)
DAA (Download Agent Authorization)
A MediaTek device can have none, either or both. Usually a slightly modified version of the flash tool, which contains a few secrets, is enough to let anyone re-flash the device. Let's quickly understand what these implementations are like and how they differ.
BROM exposes UART to communicate. In both cases, the device will generate a few random bytes which must be "decrypted", or simply processed, to create a new string. If BROM validates the string, it'll allow the host to issue many more instructions without errors, such as jumping to addresses or writing partitions. The difference between the two is that in SLA the BootROM performs the check, and in DAA the Download Agent (DA) performs the check. The Download Agent is loaded by SP Flash Tool. On devices that implement SLA, you cannot load a DA file without completing the SLA challenge. On devices that implement DAA, the challenge is done by the DA, and a modified DA file is enough to bypass security (that is, assuming you manage to reverse things or have the BSP).
What's worse now? Xiaomi MediaTek devices have SLA!
Xiaomi has special accounts (called Mi Authorized Accounts) that are given to service centers for repairing devices. These accounts are capable of requesting authorization tokens to unlock BROM download on MediaTek devices (and the EDL equivalents for Qualcomm devices). Something that could very easily be fixed by a consumer and/or developer is locked to service centers.
So how does this Mi Authorized Account work? How does the data exchange take place to allow BROM to proceed?
Well, with Mi Auth, the device generates 16 bytes of data and sends them to the server. The server checks if your account has authorization and returns 256 bytes of data. If the data is correct, BROM continues. Else it traps itself in an infinite loop until it times out due to no command and reboots.
Our beloved friend @Agent_fabulous created a Python script that imitates the way Mi Auth works, but sadly it doesn't work as of now. You can find the script here.
A ray of hope: Modified Preloader
Back in March 2020, when I got my Redmi 6A bricked, I tried a lot of ways to revive it. I ended up paying some bucks to shady guys on the internet who revived my device via Mi Auth over a remote session using TeamViewer. And the sadder part is that most Xiaomi service centers don't know a single thing about Mi Auth; all they know is to replace the motherboard, LOL. Ah, noobs everywhere.
After I revived my device, I began to think of making an antibrick like begonia already has (again, thanks to @Agent_fabulous for his work). Meanwhile, I found the factory firmware for Redmi 6 & 6A. You see, every OEM receives a BSP for their platform of choice from the SoC manufacturer. Usually, the OEM will boot a clean version of this BSP on their hardware to get everything working, before the product team can start porting out the "skin" of Android that they advertise and ship their products with. This clean version of the BSP build is often referred to as the "final factory firmware".
We have factory firmware now! What's next?
After getting the factory ROM, the first thing you need to do is boot that ROM safely on your device (Note: if your phone is already hard-bricked then this factory firmware doesn't help; it's for creating antibricks and other stuff).
- You can boot your device to fastboot and fastboot flash all partitions from the factory ROM.
- After that, turn off the device and attach it to your PC or Linux machine.
- And run dmesg on your device.
- And let the device automatically power on.
Now, if you see it register a cdc_acm device with the description MT65XX Preloader, man, you have succeeded and can flash without Mi Auth on that preloader.
After that, try installing any other ROM, say MemeUi 11 (remember: don't flash the MIUI preloader). Now extract the preloader and you can make a flashable zip xD. As long as you are on that preloader, you have no worries; you can flash any ROM via SP Flash Tool without any fancy auth.
Hope you understood what Mi Auth is, how it works on MediaTek devices and how you can prepare an antibrick.
Press Thanks on this thread xD
Credits:
@Agent_fabulous (Mr. Kshitij) for making me aware of antibrick and how to prepare it. [He is a developer from begonia who implemented VoLTE on the MediaTek-chipset-based Redmi Note 8 Pro; he made the antibrick too; his article is here (from which I've learned a lot about Mi Auth).]
@An ASP (Aryan Sinha; also known as TechyMinati) for making this article and gathering info about Mi Auth.
I recommend you to give this XDA article a read, too!
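The dmesg check from the steps above, as an added example that is not from the original post or its author: it groups the USB enumeration lines of a constructed dmesg excerpt into one record per port and reports whether the phone enumerated as the MediaTek Preloader (the MT65XX Preloader cdc_acm device the post tells you to look for) or as the BROM. The sample log lines and the VID/PID mapping (0e8d:2000 for the preloader, 0e8d:0003 for the BROM) are assumptions, taken from commonly reported values rather than from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed dmesg excerpt (not captured from a real phone): a MediaTek device
# enumerates as its Preloader, cdc_acm binds a ttyACM port, then the device
# disconnects as the preloader hands over to the next boot stage.
SAMPLE_DMESG = """\
[  102.118] usb 1-3: new high-speed USB device number 7 using xhci_hcd
[  102.268] usb 1-3: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[  102.268] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  102.268] usb 1-3: Product: MT65xx Preloader
[  102.268] usb 1-3: Manufacturer: MediaTek
[  102.280] cdc_acm 1-3:1.1: ttyACM0: USB ACM device
[  104.915] usb 1-3: USB disconnect, device number 7
"""

# USB IDs commonly reported for MediaTek boot stages. Assumption, not from the
# post: compare against your own dmesg before relying on the PID mapping.
MTK_VID = "0e8d"
STAGE_BY_PID = {"2000": "preloader", "0003": "brom"}

_RE_FOUND = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
_RE_PRODUCT = re.compile(r"usb (\S+): Product: (.+)$")
_RE_MFR = re.compile(r"usb (\S+): Manufacturer: (.+)$")
_RE_ACM = re.compile(r"cdc_acm ([0-9.-]+):[0-9.]+: (tty\S+): USB ACM device")
_RE_DISC = re.compile(r"usb (\S+): USB disconnect")


@dataclass
class UsbDevice:
    port: str
    vid: str = ""
    pid: str = ""
    product: str = ""
    manufacturer: str = ""
    ttys: List[str] = field(default_factory=list)  # ttyACM nodes cdc_acm created
    disconnected: bool = False

    def stage(self) -> str:
        """Classify which MediaTek boot stage exposed this USB device."""
        if self.vid.lower() != MTK_VID:
            return "not-mediatek"
        # The product string is the clearest signal; fall back to the PID.
        if "preloader" in self.product.lower():
            return "preloader"
        return STAGE_BY_PID.get(self.pid.lower(), "unknown-mediatek")


def parse_dmesg(text: str) -> Dict[str, UsbDevice]:
    """Group the USB enumeration lines of a dmesg dump into one record per port."""
    devices: Dict[str, UsbDevice] = {}

    def dev(port: str) -> UsbDevice:
        return devices.setdefault(port, UsbDevice(port=port))

    for line in text.splitlines():
        body = line.split("] ", 1)[-1]  # drop the "[ timestamp]" prefix
        if m := _RE_FOUND.search(body):
            # A fresh enumeration on a port replaces any stale record for it.
            devices[m[1]] = UsbDevice(port=m[1], vid=m[2].lower(), pid=m[3].lower())
        elif m := _RE_PRODUCT.search(body):
            dev(m[1]).product = m[2].strip()
        elif m := _RE_MFR.search(body):
            dev(m[1]).manufacturer = m[2].strip()
        elif m := _RE_ACM.search(body):
            dev(m[1]).ttys.append(m[2])
        elif m := _RE_DISC.search(body):
            dev(m[1]).disconnected = True
    return devices


def find_preloader(text: str) -> Optional[Tuple[str, str]]:
    """Return (port, tty) for the first Preloader that cdc_acm bound, else None."""
    for d in parse_dmesg(text).values():
        if d.stage() == "preloader" and d.ttys:
            return d.port, d.ttys[0]
    return None


if __name__ == "__main__":
    for d in parse_dmesg(SAMPLE_DMESG).values():
        print(f"{d.port}: {d.vid}:{d.pid} {d.product!r} stage={d.stage()} "
              f"ttys={d.ttys} disconnected={d.disconnected}")
    print("preloader:", find_preloader(SAMPLE_DMESG))
```

On a real machine, pipe the output of dmesg into parse_dmesg instead of SAMPLE_DMESG; a port whose record shows stage "brom" rather than "preloader" means the phone is dropping straight to BootROM, which is exactly the case where the post says the SLA challenge applies.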
Can you please make an "easy-to-understand" step-by-step guide for a noob like me? With download links of course xD, like this one: https://forum.xda-developers.com/redmi-note-8-pro/development/rom-crdroid-6-x-t4124805/amp/
Thanks
adi4ntn said:
Can you please make an "easy-to-understand" step-by-step guide for a noob like me? With download links of course xD, like this one: https://forum.xda-developers.com/redmi-note-8-pro/development/rom-crdroid-6-x-t4124805/amp/
Thanks
Hey there, here I'm talking about all MediaTek devices. Creating an antibrick for all devices is a tough task, and I cannot do it alone. Show this guide to your device's developer; he will understand it for sure. Thanks
Thank you for this information. I have hard bricked my Redmi 6. It requires 'Authorized Mi Account' while flashing. Can you please help me out by providing a solution with steps and links?
sarthak_iitd23 said:
Thank you for this information. I have hard bricked my Redmi 6. It requires 'Authorized Mi Account' while flashing. Can you please help me out by providing a solution with steps and links?
Hey, since you were on the MIUI preloader, you'll need a Mi Authorised Account to flash it, or visit a service center! Thanks
TechyMinati said:
Hey, since you were on the MIUI preloader, you'll need a Mi Authorised Account to flash it, or visit a service center! Thanks
Where can I find a trusted user?
Thx
UPDATE!
We can disable SLA and DAA with https://github.com/MTK-bypass/bypass_utility
See: It's now easy to bypass MediaTek's SP Flash Tool authentication
Dev thread is at MediaTek / MTK - Auth Bypass (SLA/DAA) - Utility
https://megafon929.github.io/mtk
A tutorial can be found at [Tutorial] How to flash an MTK secure boot device without a custom DA
And a tutorial for the Xiaomi Redmi Note 9 (merlin) can be found at https://forum.xda-developers.com/t/...d-flash-in-edl-with-no-auth-for-free.4229683/
Thanks
Please, I have my Redmi 8 hard-bricked and I cannot find any patched firehose for my device. Does anyone know if there is one? Thanks.
Collection of Xiaomi Qualcomm Programmer EMMC Firehose Files
In this post, we have made available a collection of Qualcomm Programmer EMMC Firehose Files for some Xiaomi smartphones to help you un-brick or unlock FRP on your phone with ease. Be sure to download and use only the right file for your device; as whatever you do with the files provided below...
www.leakite.com
Literally the first Google result...
Do you mind me asking how did you get to EDL mode? it's supposed to be locked.
Xiaomi Mi 8 (Dipper) Firehose File [No Need Auth]
@XDHx86 Redmi 8 (SDM439) not listed
@DZ-DEVELOPER Mi 8 (dipper) is different from Redmi 8 (olive)
(btw, OP asked for a patched factory loader)
The boot.img file was loaded onto my phone in order to get root; after that it could not detect the IMEI numbers, although they are there in fastboot. I tried many different firmwares for this phone, but there is no result! I ask for your help. I was left without communication. (Sorry for not being very clear; I don't understand Russian and don't understand English at all, that's why I'm writing through a translator.)
The first thing you want to do is STOP FLASHING random images. It sounds like you are going to cause more harm than good if you keep going.
Figure out which firmware you started on (WW, EU, CN) and get the raw firmware for it. Follow the instructions to flash the raw firmware.
If that doesn't work, then you may need to contact the manufacturer, BUT at least you will be restored to stock. I cannot promise they will help you, but it sounds like you did more than flash a boot image. The IMEI is not stored there.
twistedumbrella said:
The first thing you want to do is STOP FLASHING random images. It sounds like you are going to cause more harm than good if you keep going.
Figure out which firmware you started on (WW, EU, CN) and get the raw firmware for it. Follow the instructions to flash the raw firmware.
If that doesn't work, then you may need to contact the manufacturer, BUT at least you will be restored to stock. I cannot promise they will help you, but it sounds like you did more than flash a boot image. The IMEI is not stored there.
Tell me, where can one find the pure CN firmware? This phone was given to me already in this form, and they told me what had happened to it. I doubt that ASUS support will help me, since on top of everything, according to the owner, the EMMCCDL_GUI utility was used. So I ask for help from knowledgeable people here.
And most importantly, what to flash and how?
Repair your ASUS ROG Phone 5 with EDL mode
If your phone can only enter EDL mode (9008 mode) this firmware is glad to help you. It can be flashed in through the miflash tool. The firmware is made through the official package...
forum.xda-developers.com
RAW Firmware Collection and Guide
All fastboot / adb commands require using the side USB-C port https://developer.android.com/studio/releases/platform-tools.html#download Make sure you have fastboot installed Add platform tools to PATH (post 2) Make a backup of anything...
forum.xda-developers.com
twistedumbrella said:
Repair your ASUS ROG Phone 5 with EDL mode
If your phone can only enter EDL mode (9008 mode) this firmware is glad to help you. It can be flashed in through the miflash tool. The firmware is made through the official package...
forum.xda-developers.com
RAW Firmware Collection and Guide
All fastboot / adb commands require using the side USB-C port https://developer.android.com/studio/releases/platform-tools.html#download Make sure you have fastboot installed Add platform tools to PATH (post 2) Make a backup of anything...
forum.xda-developers.com
Did not help :(
What? So no one will help???
Return the phone or wait until the methods exist.
Those are the only quick answers left.
twistedumbrella said:
Return the phone or wait until the methods exist.
Those are the only quick answers left.
It was opened. This is not an option either
If you purchased it used and the seller refused a return, it sounds like they were trying to recover what they could by selling their problem to someone else. It's likely they knew there wasn't a self-service fix right now.
Just to be clear, what you need is a low-level EDL restore. As it stands, one of the files required is not available to the public. If you have a local repair shop, they may be able to do it (and will likely charge a fee).
Do NOT pay someone over the internet. It CANNOT be done remotely.
Hello guys, I'd like to ask if Poco X3 Pro will ever get a Patched (No Auth) Firehose file?
I'm not new to modding however it has been a couple of years since I last installed custom roms on my phone (Way back Android 6.0 days) and based on experience, unbricking has always been easy and accessible.
But with my new Poco X3 Pro, I read that Xiaomi requires Authorized Account when flashing with EDL. I've seen in some forums that some managed to patch the Firehose (Loader) file of other Xiaomi devices. Hence, I'm asking if there would ever be a possibility that someone could patch a Firehose file to bypass Auth.
I'm also looking for the patched
prog_ufs_firehose_sm7150_ddr.elf
The original (non-patched) file is attached:
prog_ufs_firehose_sm7150_ddr
www.mediafire.com
lyqas said:
I'm also looking for the patched
prog_ufs_firehose_sm7150_ddr.elf
The original (non-patched) file is attached:
prog_ufs_firehose_sm7150_ddr
www.mediafire.com
This kinda confused me a bit after downloading the official firmware. As far as I know (correct me if I'm wrong), our device should be SM8150 (not sure if it is SM8150AC), but I'm confused as to why it is SM7150 in the firmware of our device.
But regardless, it would be nice if someone is able to modify the firehose file to no longer require authorization when it comes to flashing through edl.
It would be nice to save a lot of bricked Poco X3 Pros in the community without having people be at risk of getting scammed by "people with auth accounts."
In hex mode we can see in the ELF file:
IMAGE_VARIANT_STRING=SDM855LA
OEM_IMAGE_VERSION_STRING=c5-xm-ota-bd031.bj
QC_IMAGE_VERSION_STRING=BOOT.XF.3.0-00571-SM8150LZB-4
Just found our files here:
GitHub - Chernobylll/FireHouse_UFS
github.com
But no success with them yet,
and all ELFs there are identical.
lyqas said:
Just found our files here:
GitHub - Chernobylll/FireHouse_UFS
github.com
But no success with them yet,
and all ELFs there are identical.
I've been really busy with school lately and can't really focus efforts on understanding the programmer file, let alone patching them. Wish someone would take a dip into patching it (which is difficult as the flash tool checks for the signatures of the programmer file).
jalter1213 said:
Hello guys, I'd like to ask if Poco X3 Pro will ever get a Patched (No Auth) Firehose file?
I'm not new to modding however it has been a couple of years since I last installed custom roms on my phone (Way back Android 6.0 days) and based on experience, unbricking has always been easy and accessible.
But with my new Poco X3 Pro, I read that Xiaomi requires Authorized Account when flashing with EDL. I've seen in some forums that some managed to patch the Firehose (Loader) file of other Xiaomi devices. Hence, I'm asking if there would ever be a possibility that someone could patch a Firehose file to bypass Auth.
Hi
You can request a bootloader unlock and, after 7 days, unlock your phone; then you can flash everything in fastboot mode.
As an alternative, I can suggest the Xiaomi Pro tool; it costs 5 credits and flashes whatever you want to your phone.
I unbricked my Poco X3 Pro from EDL with this tool 3 days ago.
jalter1213 said:
I've been really busy with school lately and can't really focus efforts on understanding the programmer file, let alone patching them. Wish someone would take a dip into patching it (which is difficult as the flash tool checks for the signatures of the programmer file).
This is a 64-bit ARM ELF, statically linked, stripped executable with a VxWorks RTOS signature; maybe it is executed in that OS. It will be rather hard to understand how it works. I think first you need to get the symbol names from the VxWorks symbol table, which is included in the firehose, according to the binwalk output.
But still, there can be firehose verification on the phone side (likely there is, because I can't load an edited firehose with a single byte changed in one of the strings).
dashti.95 said:
Hi
You can request a bootloader unlock and, after 7 days, unlock your phone; then you can flash everything in fastboot mode.
As an alternative, I can suggest the Xiaomi Pro tool; it costs 5 credits and flashes whatever you want to your phone.
I unbricked my Poco X3 Pro from EDL with this tool 3 days ago.
Where can I buy credits with PayPal for this tool?
ajanco said:
Where can I buy credits with PayPal for this tool?
Google this *Xiaomi Pro tool credit*
dashti.95 said:
Hi
You can request a bootloader unlock and, after 7 days, unlock your phone; then you can flash everything in fastboot mode.
As an alternative, I can suggest the Xiaomi Pro tool; it costs 5 credits and flashes whatever you want to your phone.
I unbricked my Poco X3 Pro from EDL with this tool 3 days ago.
It depends on the exact case. For example, if the integrity of low-level components such as the chain loaders is broken, you MUST flash all these things in EDL mode, and only then will you be able to boot to fastboot and flash the other components.
I need patched firehose (without auth account) for x3 nfc.
dashti.95 said:
Hi
You can request a bootloader unlock and, after 7 days, unlock your phone; then you can flash everything in fastboot mode.
As an alternative, I can suggest the Xiaomi Pro tool; it costs 5 credits and flashes whatever you want to your phone.
I unbricked my Poco X3 Pro from EDL with this tool 3 days ago.
I'm not able to register for the Xiaomi Pro tool.
Can I borrow your Pro tool? I'll refill the credits, please.
I need to unbrick my Poco X3 Pro.
I also have a bricked poco x3 pro. are you able to find a patched firehose?
Dear all,
I've been chasing on every single website for a XML firmware of Samsung J415G.
Apparently the only way is using QFIL to flash the main boot.
Does anyone have that kind of firmware? The firmware could be "Flat build" or "Meta build" or a ".mbn" file.
Thanks in advance.
Unfortunately, most manufacturers do not make these files available. If they did, I'd be able to recover my bricked Pixel 2.
V0latyle said:
Unfortunately, most manufacturers do not make these files available. If they did, I'd be able to recover my bricked Pixel 2
Shame on them!
I've tried so many things...
There are many paid """solutions""" out there. I am afraid it would not help either.
xamadatech said:
Shame on them!
I've tried so many things...
There are many paid """solutions""" out there. I am afraid it would not help either.
And a lot of it is snake oil, honestly. I do think there needs to be a bigger market for de-bricking, but most OEMs and repair centers don't bother attempting low level flashing; they just replace the mainboard, after programming it with the original IMEI.
V0latyle said:
And a lot of it is snake oil, honestly. I do think there needs to be a bigger market for de-bricking, but most OEMs and repair centers don't bother attempting low level flashing; they just replace the mainboard, after programming it with the original IMEI.
Exactly. I totally agree with you.
And because of this, tons of smartphones become garbage, often not worth repairing. I think it is a waste.
I just found a list of firehose files, organised by brand. It might help someone out there:
GitHub - bkerler/Loaders at b39741a9b96160755b963819d52dfe589f7a3a62
github.com
And another list of Qualcomm Prog eMMC Firehose file:
Collection of All Qualcomm EMMC Programmer file Download
Qualcomm EMMC Prog Firehose files download for all Qualcomm Chipsets Devices.You can Download and Use it for remove Screen lock on Qualcomm Supports Devices
www.gadgetsdr.com
PS: None of those files worked on the device J415G.
Yeah, those lists are barely organized and no information is provided. I would assume you'd need one corresponding to your SoC but I'm not sure.