This post was edited by SharmaVJ at 10:46, Oct-18-2018
Xiaomi’s Anti-Rollback Protection Explained: How to avoid bricking your phone
Back in July, Xiaomi rolled out MIUI 10 Global Beta 8.7.5 for eight Xiaomi devices. When users installed the update on their Xiaomi Redmi Note 5 Pro, they unknowingly flashed a build with anti-rollback protection enabled. Users who didn’t like MIUI 10 Global Beta found a nasty surprise when they tried to re-install the latest MIUI 9 Global Stable ROM: their phones were bricked! This wasn’t the kind of brick that you can fix by restoring a TWRP backup, flashing a new ROM, or using MiFlash to restore a factory image. This is a hard brick that the user cannot recover from and that requires EDL mode to fix. But EDL mode isn’t accessible unless you have an authorized account, so many users were left with no way to fix their phone except sending it in to an authorized service center or paying to use someone’s account with EDL access. In this article, we’re going to explain everything you need to know about Xiaomi’s new anti-rollback protection so you can avoid bricking your new phone.
Why does Xiaomi require long bootloader unlock wait times, EDL authorization, and Anti-Rollback Protection?
Chinese electronics giant Xiaomi is the most popular smartphone brand in India thanks to their wide selection of budget and mid-range devices. Like Huawei, Xiaomi also sells a ton of smartphones in their home market of China. Many of these devices are never sold outside of China, but that doesn’t stop people from importing them. Unofficial retailers for Xiaomi products have sprung up on Aliexpress, Gearbest, and plenty of other websites, allowing anyone outside China to buy the latest Xiaomi products. This has posed a challenge for the company, as the software they ship on their Chinese devices, called “MIUI China,” does not contain Google Play Services, the Google Play Store, or languages other than English and Chinese. Thus, anyone who imports a Xiaomi device from China shouldn’t be getting Google apps and services out of the box.
However, third-party retailers figured out a way around this so they could convince customers they were selling Xiaomi devices with an “official” MIUI Global ROM. The retailers would buy Xiaomi devices in bulk, unlock the bootloader, change the software themselves or flash a custom ROM like Xiaomi.eu (unofficial ROMs based on MIUI China but with more languages and features), and then sell the device. Most consumers would have no way of knowing they’re running unofficial/modified software, and would instead blame Xiaomi for a lack of updates or bugs they encounter. Even worse, some retailers would intentionally bundle malware or adware so they could make a bit of extra money. Xiaomi’s reputation was actively being harmed by this practice as tech reviewers and consumers were caught up in the schemes of these unofficial retailers, and so they needed to come up with a way to stop shady retailers from selling modified devices in bulk.
One solution is to completely block bootloader unlocking, which is a drastic move that Huawei recently took. Seeing their brand’s success among enthusiasts, Xiaomi hasn’t moved to block bootloader unlocking just yet. Instead, they’ve implemented a few roadblocks to safeguard users against the actions of malicious third-party retailers.
Bootloader Unlock Wait Times
First, they implemented a waiting period for bootloader unlocking. Xiaomi devices, save for the Xiaomi Mi A1, Xiaomi Mi A2, and Xiaomi Mi A2 Lite which run stock Android under the Android One program, require the use of Xiaomi’s proprietary Mi Unlock tool to unlock the bootloader. After sending your request to unlock the bootloader, Mi Unlock forces you to wait before it validates your request and unlocks the bootloader. The waiting time used to be 3 days before increasing to 15 days in early 2018, and recently, the waiting time has increased to 30 or as high as 60 days in some instances. (Xiaomi’s new sub-brand, Poco, lowered the waiting time to 3 days after receiving feedback from the community, although nearly everyone else still has to wait a long time.) Adding a wait time to the bootloader unlock process was effective in slowing down the operations of third-party retailers, but it is also understandably annoying for enthusiasts who want to unlock the bootloader to root their device, flash custom ROMs, and flash custom kernels.
EDL Authorization
Next, the company began to lock down EDL mode on their devices. EDL stands for Emergency Download Mode, an alternative boot mode on Qualcomm-based devices that’s commonly used to unbrick a device. To make use of EDL mode, you need what’s called a “programmer” (the flashing payload the chip loads in EDL) that has been authorized, i.e. signed, by the OEM (Xiaomi) for use on your device. EDL mode is very powerful and very low-level, and it’s routinely used by service centers to repair devices. However, EDL mode was also commonly used to flash both official and modified MIUI Global ROMs on Chinese Xiaomi devices without unlocking the bootloader. In essence, EDL mode became another way for third-party retailers to bypass Xiaomi. Xiaomi doesn’t want consumers buying Chinese versions of their hardware with Global ROMs installed, so they did two things: they made it impossible to boot a Global ROM if the device isn’t a Global version (with the warning message “This MIUI can’t be installed on this device”), and they made it so EDL mode can’t be used unless you have an authorized Mi account.
Pro-tip: Always uncheck “clean all and lock” before flashing with Mi Flash. This will prevent your bootloader from being locked when flashing.
This is what happens if you try to flash a MIUI Global ROM on Chinese Xiaomi hardware with a locked bootloader. Credits: physicien007
Update: We have more details on the recent restrictions Xiaomi made regarding flashing an out-of-region MIUI version. If you are considering importing a Xiaomi smartphone or tablet, you should really read over this article to be safe!
Anti-Rollback Protection
Finally, they implemented anti-rollback protection in the latest versions of MIUI for the latest Xiaomi devices. You may have heard of anti-rollback protection before. Google added support for the feature in Android 8.0 Oreo and made it mandatory for devices launching with Android Pie. Google’s anti-rollback protection is a feature of Android Verified Boot 2.0 (AVB), and it prevents the device from booting if it detects that the device has been downgraded to an older, unapproved software build. Anti-rollback protection exists to stop an attacker from loading older software that is vulnerable to a known exploit onto a device that has already been patched. The biggest difference between Google’s and Xiaomi’s implementations is that Google’s anti-rollback protection is not enforced once you unlock the bootloader, while Xiaomi’s can’t be disabled at all. Once you install a build with anti-rollback protection enabled on a Xiaomi device, there’s no going back. For instance, anti-rollback protection is enabled for the Xiaomi Mi 8 and Xiaomi Redmi Note 5 Pro starting in MIUI 10 China 8.9.6 and MIUI 10 Global Beta 8.7.5 respectively.
List of devices which currently have anti-rollback protection enabled. Source: Xiaomi.eu.
Anti-rollback protection will stop any unauthorized retailer from taking advantage of exploits in older MIUI versions, thus protecting users from exploitation. However, it has also caught many off guard because Xiaomi rolled it out to the Redmi Note 5 Pro without informing users beforehand. Because TWRP does not have any checks in place to stop users from installing older, unauthorized MIUI versions, many people accidentally bricked their devices when they downgraded from a MIUI beta ROM to a MIUI stable ROM. All currently supported Xiaomi devices will eventually gain anti-rollback protection, so it’s incredibly important that you understand how to check for it before downgrading and what you can do if anti-rollback protection is enabled.
How to check for Anti-Rollback Protection
When we said that anti-rollback protection prevents a device from booting older, insecure software, we said that Verified Boot “detects” the presence of older software. The detection works like this: the bootloader stores a rollback index, and every image to be installed carries a rollback index of its own; the two are compared before the flash is accepted. If the image’s index is equal to the stored one, the flash goes ahead. If the image’s index is higher, the flash goes ahead and the stored index is raised to match, and since the stored index can never be lowered again, every image with a lower index is refused from then on. If the image’s index is lower, the bootloader refuses to flash it. The brick described at the start of this article is what happens when that check is bypassed (TWRP writes the older images without asking the bootloader) and the bootloader then refuses to boot what was written.
Now that you have a better understanding of the rollback index, here’s how to check the current rollback index on your device and the index of the image you want to flash.
How to find current rollback index
Boot the phone into fastboot mode, connect it to a computer with the Android platform tools installed, and run fastboot getvar anti. The bootloader answers with a line such as anti: 4. If the answer is empty, the bootloader doesn’t enforce an index yet, which is the same as index 0.
Current anti-rollback index of the device is 4.
How to find rollback index of images
Fastboot ROMs ship with flash_all.sh (and flash_all.bat for Windows) scripts. Near the top, right after the product check, the script records the package’s rollback index in a line of the form ANTI_VER=4, reads the device’s value with fastboot getvar anti, and aborts with a message that the device’s anti-rollback version is greater than the package’s if the device reports a higher number. That number is the index you compare against your device.
Snippet from the flash-all script of a fastboot ROM
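The comparison the flash-all script performs, written out as a stand-alone check. This is an added example, not code from the article or from Xiaomi’s own flash scripts. It assumes the formats described above: fastboot getvar anti answering with “anti: N” (on stderr, hence the 2>&1 in a live call) and the package index sitting in an ANTI_VER=N line (set ANTI_VER=N in the .bat variant). The getvar output and the script snippets below are constructed samples so the check runs without a phone attached.

```shell
#!/bin/sh
# Added example: reproduces the rollback-index comparison in POSIX sh.
# Assumed formats (not taken from the article's images):
#   device side : `fastboot getvar anti 2>&1` prints a line "anti: N"
#   package side: flash_all.sh contains "ANTI_VER=N" (flash_all.bat: "set ANTI_VER=N")

# device_anti_index GETVAR_OUTPUT -> first "anti: N" line as N, or 0 when the
# bootloader reports no value (no anti-rollback protection enforced yet).
device_anti_index() {
    _idx=$(printf '%s\n' "$1" | sed -n 's/^anti:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${_idx:-0}"
}

# package_anti_index SCRIPT_TEXT -> N from the first "ANTI_VER=N" / "set ANTI_VER=N"
# line, or 0. The pattern is anchored at line start so the CURRENT_ANTI_VER=...
# line that the real scripts also contain is not picked up by mistake.
package_anti_index() {
    _idx=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(set[[:space:]]*\)\{0,1\}ANTI_VER=\([0-9][0-9]*\).*/\2/p' | head -n 1)
    printf '%s\n' "${_idx:-0}"
}

# rollback_check DEVICE_INDEX PACKAGE_INDEX
# returns 0 when the package may be flashed, 1 when it would be a downgrade.
rollback_check() {
    _dev="$1"; _pkg="$2"
    if [ "$_dev" -gt "$_pkg" ]; then
        echo "REFUSE: device index $_dev is higher than package index $_pkg (downgrade)"
        return 1
    elif [ "$_pkg" -gt "$_dev" ]; then
        echo "OK, but one-way: package index $_pkg raises the device from $_dev; lower packages are refused afterwards"
    else
        echo "OK: device and package are both at index $_dev"
    fi
    return 0
}

# Constructed sample of `fastboot getvar anti 2>&1` for a device at index 4.
SAMPLE_GETVAR='anti: 4
finished. total time: 0.002s'

# Constructed snippets in the style of a MIUI fastboot ROM flash_all.sh:
# an older package at index 2 and a current package at index 4.
SAMPLE_SCRIPT_OLD='#!/bin/sh
fastboot $* getvar product 2>&1 | grep "^product: *whyred" || exit 1
CURRENT_ANTI_VER=`fastboot $* getvar anti 2>&1 | grep anti | cut -d " " -f 2`
ANTI_VER=2'
SAMPLE_SCRIPT_NEW='#!/bin/sh
fastboot $* getvar product 2>&1 | grep "^product: *whyred" || exit 1
CURRENT_ANTI_VER=`fastboot $* getvar anti 2>&1 | grep anti | cut -d " " -f 2`
ANTI_VER=4'

# Dry run on the samples. For a live check use "$(fastboot getvar anti 2>&1)"
# and "$(cat flash_all.sh)" in place of the two sample strings.
DEVICE_IDX=$(device_anti_index "$SAMPLE_GETVAR")
for script in "$SAMPLE_SCRIPT_OLD" "$SAMPLE_SCRIPT_NEW"; do
    if rollback_check "$DEVICE_IDX" "$(package_anti_index "$script")"; then
        echo "  -> safe to continue with this package's flash_all.sh"
    else
        echo "  -> do not flash this package, and do not sideload it from TWRP either"
    fi
done
```

Run as-is it reports the index-2 package as a refused downgrade and the index-4 package as safe. The refusal is the important branch: the bootloader and the official script both stop you here, TWRP does not, which is exactly how the Redmi Note 5 Pro bricks happened.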
Avoiding a full, unrecoverable brick should be simple so long as you compare the two rollback indices before downgrading via TWRP, and never flash an image whose index is lower than the device’s. To be safe, stick with Mi Flash or fastboot to flash MIUI ROMs: your phone’s bootloader, and Xiaomi’s flash scripts, have built-in checks that refuse a version with a lower rollback index, while TWRP has none.
How does Anti-Rollback Protection affect Custom ROMs?
If you plan on never flashing MIUI again, then not much will change for you. If you want to flash an AOSP ROM like LineageOS, Pixel Experience, Resurrection Remix, Carbon ROM, etc., you’ll still need to unlock the bootloader via Mi Unlock, boot TWRP, and then flash the custom ROM. The only notable difference is how you install TWRP via fastboot. Since anti-rollback protection blocks you from flashing the TWRP image directly, you need to flash a “dummy” image first. The dummy image is an empty file; flashing it serves no purpose other than sending the bootloader a flash command, after which it accepts the flashes that follow. (If you look at the flash-all script from the previous section, this is actually how Xiaomi officially does it.) Alternatively, you can “fastboot boot” the TWRP image, copy the TWRP image to your device’s storage, then flash the TWRP image from within TWRP. I’m not providing detailed instructions on either method as I urge you to visit your device’s forum for device-specific instructions.
There is one caveat, however. There’s no way to tell beforehand whether the rollback index has been incremented because of an updated bootloader, modem, vendor, or other partition. Keep in mind that custom ROMs usually only change the system and boot partitions, but to keep your device truly secure with the latest security patches, you’ll occasionally need to flash the latest firmware images that are contained in the latest official MIUI ROMs. Developers of custom ROMs will have to check the rollback index of these builds manually before recommending that you update; that way, you’ll know when a new update locks you into certain MIUI versions, in case you plan on going back to MIUI from an AOSP ROM.
What do I do if I bricked my phone?
If you bricked your phone by triggering anti-rollback protection, you have very few options. As explained at the start of this article, the device can only be revived from EDL mode, and EDL mode on these devices needs an authorized Mi account. That leaves sending the phone to an authorized service center, or paying someone who has EDL access to flash it for you.
As you can see, bricking your phone by triggering anti-rollback protection is no joke. You really need to be careful before you flash any older MIUI version.