Xiaomi Mi A1 Android Phone

How to Gain root Privileges

There are several recipes on the net on how to root this phone; many of them do not apply to my phone, maybe because they are plain wrong, or maybe because they apply to phones with firmware older than mine. The recipe I report here was applied with success on a Xiaomi Mi A1 purchased in October 2018. At the factory it had Android Oreo 8.0.0; afterwards the phone received an OTA update to Android Oreo 8.1.0 with Android security patch level October 5, 2018.

The process of rooting this phone can be broken down into these steps:

  1. Install on your PC the adb and fastboot command line tools.
  2. Unlock the Bootloader.
  3. Backup.
  4. Install a custom Recovery program (we used TWRP).
  5. Install the su binary and an app to manage superuser privileges (we used Magisk).

It seems that the process can be reverted leaving no traces (the unlock step is the main concern for warranty, etc.). Unfortunately, at least in my case, the unlock procedure also started a factory reset, which means losing all customization (installed apps, etc.) and user data.

For this procedure to work, we need two programs installed on our PC: adb and fastboot. They are command line tools from the Android SDK. Whenever we need to use adb or fastboot tools, we need to enable Developer options, enable USB debugging, connect the USB cable to the PC and tap “allow” on the phone pop-up. See below or search on the internet for a step-by-step guide.

Required Downloads (and Trust)

In this process we used some binary files downloaded from the internet. Beware that we are downloading binary-compiled software that will run with root privileges on our phone! We have to trust the people who provide it: we cannot inspect the source code and there is no easy step-by-step guide to compile from the sources ourselves. So we trusted the following internet pages (and people):

The official TWRP for Xiaomi Mi A1 page has only the bare TWRP Recovery image. We need an installer instead: because the recovery partition does not exist, the image must be embedded into the boot partition.

In order of appearance, we need:

OEM Unlock


This procedure, required to obtain root privileges, does not make irreversible changes to the smartphone. However, running it triggers a factory reset, i.e. the phone is restored to factory settings and all user customizations (installed apps, configurations, etc.) are lost.

  1. Settings ⇒ System ⇒ About phone ⇒ Tap 7 times on “Build number”. This enables the Developer options.
  2. Settings ⇒ System ⇒ Developer options ⇒ Enable “USB debugging”.
  3. Settings ⇒ System ⇒ Developer options ⇒ Enable “OEM unlocking”.
  4. Put the phone into Fastboot Mode (from the Recovery Menu or using the adb program from a connected PC, see below).
  5. From a connected PC run the command fastboot oem unlock. The phone reboots and shows some warning messages. During the next boot it performs a factory reset of the phone (erasing all data, re-encrypting the filesystem, etc.). During boot, the word unlocked appears at the bottom of the screen with the Mi logo.

The factory reset procedure takes several minutes; at the end the first-boot setup starts (Google account configuration, etc.). Previously downloaded applications and user configurations are lost, whereas any operating system update is kept (e.g. Android 8.1.0 downloaded earlier instead of Android 8.0.0 installed at sale).

Backup

The first step will be to change the boot partition to replace the stock Recovery program with a custom one, so it is advisable to back it up first. Many Android devices have a dedicated partition to store the Recovery program; this device instead has the A/B system updates mechanism, introduced by Google with Android 7.0 Nougat. So we don't have a recovery partition, but we have boot_a and boot_b partitions.

To ensure that the device has the A/B system updates instead of the recovery partition, we use the following commands in the adb shell:

adb shell
tissot_sprout:/ $ find /dev -name 'by-name' 2> /dev/null
/dev/block/platform/soc/7824900.sdhci/by-name
cd /dev/block/platform/soc/7824900.sdhci/by-name
ls -l
...
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_a -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_b -> /dev/block/mmcblk0p23
...

The meaning is: search /dev/ for a directory named “by-name”, look for the names boot_a and boot_b and take note of the actual partition names. You can also see that the recovery name does not exist.

Now we need to boot into an environment where we have root privileges, otherwise we cannot read the entire partitions. This means booting into the Fastboot Mode bootloader, then loading and running the TWRP Recovery program.

adb reboot-bootloader

Wait several seconds until the Fastboot logo appears, then execute this command on the PC:

fastboot boot recovery-3.2.1-2-oreo.img

This will load the TWRP Recovery program on the phone (it is only uploaded into RAM, nothing is written to flash) and boot from it. If the phone is not unlocked, the command will fail. The TWRP running on the phone will allow the adb program from the PC to access the system with root privileges, so we can finally back up the partitions to our PC:

adb pull /dev/block/mmcblk0p22 boot_a.img
adb pull /dev/block/mmcblk0p23 boot_b.img
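
As an added example (not part of the original page), the A/B check and the backup above can be scripted so that each pulled image is compared, by SHA-256, with the partition it was read from. The function names are hypothetical, and the script assumes the TWRP environment provides sha256sum.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Constructed sample: the by-name listing shown earlier on this page.
SAMPLE_LISTING='...
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_a -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_b -> /dev/block/mmcblk0p23
...'

# Read an `ls -l` listing on stdin and print "name device" for boot_a/boot_b.
# Fails unless both slots exist and no recovery partition is present,
# i.e. unless the device really uses the A/B layout.
boot_slots() {
    awk 'NF >= 3 && $(NF-1) == "->" {
             if ($(NF-2) ~ /^boot_[ab]$/) { print $(NF-2), $NF; n++ }
             if ($(NF-2) == "recovery") rec = 1
         }
         END { exit !(n == 2 && !rec) }'
}

# True when the SHA-256 of local file $1 equals hex digest $2.
same_hash() {
    [ "$(sha256sum "$1" | cut -d" " -f1)" = "$2" ]
}

# Pull both boot slots and compare each image with the partition it came from.
# Run while TWRP is booted (adb has root). $1 = by-name directory on the phone.
# Assumption: the TWRP environment ships a sha256sum applet.
backup_boot() {
    slots=$(adb shell ls -l "$1" </dev/null | tr -d '\r' | boot_slots) || {
        echo "not an A/B layout, nothing pulled" >&2; return 1; }
    printf '%s\n' "$slots" | while read -r name dev; do
        # </dev/null keeps adb from swallowing the rest of the loop input.
        adb pull "$dev" "$name.img" </dev/null || exit 1
        remote=$(adb shell sha256sum "$dev" </dev/null | cut -d" " -f1)
        same_hash "$name.img" "$remote" || { echo "$name: MISMATCH" >&2; exit 1; }
        echo "$name.img $remote"
    done
}

# Usage: backup_boot /dev/block/platform/soc/7824900.sdhci/by-name
```

Keep the printed digests with the images: they let you confirm later that the backup you are about to restore is the one you took.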

Install the TWRP Recovery

With the phone booted in standard system mode, upload the TWRP installer to the storage. As explained above, this phone has the A/B system partitions, so it is not possible to flash an image file to the Recovery partition (which does not exist); we need an installer which will modify the boot_a or boot_b partition (whichever is active at the moment).

We also upload the Magisk program (the su binary stuff and the management app), which we will use later.

adb push Twrp-recoveryInstaller-3.2.1-2-oreo.zip /sdcard/Twrp-recoveryInstaller-3.2.1-2-oreo.zip
adb push Magisk-v17.3.zip /sdcard/Magisk-v17.3.zip
adb push MagiskManager-v6.0.1.apk /sdcard/MagiskManager-v6.0.1.apk

As seen above, we have to reboot in Fastboot Mode and load the TWRP Recovery from RAM (allow the required time to the phone to start into Fastboot):

adb reboot-bootloader
fastboot boot recovery-3.2.1-2-oreo.img

Once TWRP has started on the phone, swipe to allow writing to the partitions, then choose Install and browse to the Twrp-recoveryInstaller-3.2.1-2-oreo.zip archive.

After the installation, the procedure will ask us if we want to install the TWRP App. You can answer yes, but it is not strictly required, the TWRP Recovery is a stand-alone program, it runs when requested without an underlying Android system and it does not require any App. The TWRP App may be used to install or upgrade the TWRP Recovery and to backup the existing Recovery, but it seems that the current version (1.19) is not able to handle the A/B system updates mechanism, it searches for the recovery partition, which does not exist in Xiaomi Mi A1 Oreo 8.1.0. So it's best not to use it.

Beware of this:

System Corruption, Factory Reset Needed

  • Do not swap Slot A and Slot B. Some recipes found on the internet say to do that in TWRP (it is from the Reboot menu). I tried it and it was a nightmare! The Reboot menu was stating that Slot B was active, so I switched to Slot A and installed TWRP. At the next reboot I got a non-working environment: plenty of pop-ups with Android Phone force close, pop-ups for Factory reset, boot loop, etc. Maybe Slot A contained the boot code for Android 8.0.0, whereas my phone had already received 8.1.0. Fortunately enough I was able to adb reboot-bootloader and switch again to Slot B.
  • Do not verify the ZIP archive. The archive does not have the required info to check.
  • Do not wipe the Dalvik cache after the install. Don't know if it was the culprit, but after installing TWRP, I clicked the button to wipe Dalvik cache, and at the next reboot I had a damaged system. The home button did not work, the Developer options were no longer available (Developer options are not available for this user), the top status bar did not swipe down, etc. I had to Factory reset the phone!

Install Magisk, the SuperUser Tool

When rooting an Android device we generally need the su binary program (the actual Unix tool used to switch from normal user to root), plus an app to manage superuser permissions granted (or denied) to other applications. Historically the best known app for this purpose was SuperSU by Chainfire, but something changed. Chainfire retired from SuperSU development in October 2017 and new protection schemes were introduced by Google into Android, mainly SafetyNet and dm-verity. The new leading-edge app for su management appears to be Magisk.

The first step is to install the ZIP archive which provides the su binary; we already copied the Magisk-v17.3.zip file to the phone storage. Let's reboot into TWRP Recovery by executing the following command from the connected PC:

adb reboot recovery

Alternatively we can power-off the phone, then power it on using the button combination VolumeUp + Power. From the TWRP main screen, choose Install and browse the filesystem to the Magisk-v17.3.zip file. After the install succeeded, reboot into normal system.

The su binary by itself is not sufficient to use root privileges, we need to install also the management app. Use the phone's file manager to find the MagiskManager-v6.0.1.apk and install it, granting the install unknown apps permission as requested. We have root permission, finally! Check via adb:

adb shell
tissot_sprout:/ $ su
tissot_sprout:/ # id
uid=0 gid=0

When an app requires root privileges, the Magisk management app will show a pop-up on the phone, allowing us to grant or deny the permission, so be sure that the phone is not in screen-locked mode.

Recovery Mode

  • Power Off the phone.
  • Press VolumeUp + Power, wait about 3 seconds for the Mi logo screen.
  • Wait for the Broken Droid logo with the No command message.
  • Press Power + VolumeUp shortly, the Recovery menu will appear.


Fastboot Mode

Once in Recovery Menu, you can boot into the Fastboot Mode using the menu entry Reboot to bootloader. Otherwise you can execute the adb command on a PC when the phone is booted normally and connected via the USB cable (it is required to enable USB debugging on the phone and to authorize the PC on the phone pop-up, once connected):

adb reboot bootloader


adb devices
List of devices attached
574524d99913    device

Screenshot Capture

By keypress: VolumeDown + Power simultaneously for a few seconds.

Using a connected PC and adb:

adb shell screencap -p /sdcard/screen.png
adb pull /sdcard/screen.png

Files and Directories

/data/misc/wifi/WifiConfigStore.xml    WiFi passwords.
/data/misc/wifi/softap.conf            Hotspot WiFi (Tethering) configuration.
/system/etc/mkshrc                     Run commands for the ADB shell.
/mnt/expand/<id>                       microSD mounting point.
/sdcard → /storage/emulated/0          User's space into the microSD.
/system/xbin                           Preferred directory for BusyBox installation (binary and symlinks).

Control and Privacy Settings

  • Settings ⇒ System, Developer options ⇒ OEM unlocking
  • Settings ⇒ System, Developer options ⇒ Automatic system updates
  • Settings ⇒ System, Developer options ⇒ USB debugging
  • Settings ⇒ Apps & notifications ⇒ Any app ⇒ Install unknown apps
  • Settings ⇒ Users & accounts ⇒ Google ⇒ Account sync
  • Settings ⇒ Mi Services ⇒ User Experience Program
  • Settings ⇒ Mi Services ⇒ Send diagnostic data automatically
  • Google Play ⇒ Settings ⇒ Auto-update apps
  • Google Play ⇒ Settings ⇒ Notification settings ⇒ Updates
  • Contacts ⇒ Settings ⇒ Default account for new contacts

Battery Optimization and Background Sync

Some apps require special settings to run properly, e.g. DAVdroid needs to sync contacts and calendar events in the background and does not like the battery optimization enforced by Xiaomi's Android. You can control this setting from here:

  • Settings ⇒ Apps & notifications ⇒ Advanced ⇒ Special app access ⇒ Battery optimization


doc/appunti/hardware/xiaomi_mi_a1.txt · Last modified: 2018/11/15 12:14 by niccolo