众所周知,不在小米强制验证账号 Bootloader 解锁权限的名单中(即 设备出产系统非 HyperOS),而且运行 HyperOS,无法直接的设备,可以通过劫持绑定请求来绕过验证。在较早期的 HyperOS 的版本中,这是可行的。
后来,小米修改了设置应用的绑定设备的加密算法,使得无法通过 logcat 劫持绑定请求。但是可以通过覆盖安装早期版本设置(早期 HyperOS 的设置,非 MIUI 的;升级到 Android 15 后此办法可能失效,毕竟 API level 更高了)。
Redmi Note 11T Pro (代号: xaga) 在 OS1.0.1.0.ULOCNXM 时是可以这样绑定的。而在我升级 OS1.0.2.0.ULOCNXM 后,覆盖安装旧版设置(来自 Redmi Note 12 Turbo (代号: marble),版本号 OS1.0.5.0.UMRCNXM)后开发者选项无法进入。
我暂时没找到原因,我降级到了 OS1.0.1.0 试了下,能够绑定的。
这是个不好的迹象,虽然以你米在这件事上的上心程度,这不意外。
更新1:HMA 在这个版本上导致 bootloop。
更新2:关闭蓝牙后,开发者设置就不闪退了,原因未知。
It is well-known that Xiaomi devices not on the list for enforced Bootloader unlock permission validation (i.e., devices not shipped with HyperOS) and running HyperOS, which cannot directly bind devices, can bypass validation by hijacking the binding request. This was feasible in earlier versions of HyperOS.
Later, Xiaomi modified the encryption algorithm for device binding in the Settings app, making it impossible to hijack the binding request through logcat. However, it was still possible by overriding the Settings app with an earlier version(from early HyperOS, not MIUI; this method may not work on Android 15, as the API level is changed).
The Redmi Note 11T Pro (codename: xaga) could be bound successfully in this way during OS1.0.1.0.ULOCNXM. However, after upgrading to OS1.0.2.0.ULOCNXM, it failed. By overriding the Settings app with an old version (in this case, from the Redmi Note 12 Turbo, codename: marble, version OS1.0.5.0.UMRCNXM), I could no longer enter the Developer Options.
I haven’t determine the cause yet. I tried to downgrade to OS1.0.1.0, and I was still able to bind on that version.
This is a indication of something bad, although it’s not surprising considering Xiaomi’s level of concern regarding Bootloader unlocking.
Update 1: Hide My Applist led to bootloop on this verison too.
Update 2: Turning off Bluetooth before overriding the Settings app would prevent the Developer Options from crashing. Wondering why.
#Xiaomi #Bootloader
后来,小米修改了设置应用的绑定设备的加密算法,使得无法通过 logcat 劫持绑定请求。但是可以通过覆盖安装早期版本设置(早期 HyperOS 的设置,非 MIUI 的;升级到 Android 15 后此办法可能失效,毕竟 API level 更高了)。
Redmi Note 11T Pro (代号: xaga) 在 OS1.0.1.0.ULOCNXM 时是可以这样绑定的。而在我升级 OS1.0.2.0.ULOCNXM 后,覆盖安装旧版设置(来自 Redmi Note 12 Turbo (代号: marble),版本号 OS1.0.5.0.UMRCNXM)后开发者选项无法进入。
我暂时没找到原因,我降级到了 OS1.0.1.0 试了下,能够绑定的。
这是个不好的迹象,虽然以你米在这件事上的上心程度,这不意外。
更新1:HMA 在这个版本上导致 bootloop。
更新2:关闭蓝牙后,开发者设置就不闪退了,原因未知。
It is well-known that Xiaomi devices not on the list for enforced Bootloader unlock permission validation (i.e., devices not shipped with HyperOS) and running HyperOS, which cannot directly bind devices, can bypass validation by hijacking the binding request. This was feasible in earlier versions of HyperOS.
Later, Xiaomi modified the encryption algorithm for device binding in the Settings app, making it impossible to hijack the binding request through logcat. However, it was still possible by overriding the Settings app with an earlier version(from early HyperOS, not MIUI; this method may not work on Android 15, as the API level is changed).
The Redmi Note 11T Pro (codename: xaga) could be bound successfully in this way during OS1.0.1.0.ULOCNXM. However, after upgrading to OS1.0.2.0.ULOCNXM, it failed. By overriding the Settings app with an old version (in this case, from the Redmi Note 12 Turbo, codename: marble, version OS1.0.5.0.UMRCNXM), I could no longer enter the Developer Options.
I haven’t determine the cause yet. I tried to downgrade to OS1.0.1.0, and I was still able to bind on that version.
This is a indication of something bad, although it’s not surprising considering Xiaomi’s level of concern regarding Bootloader unlocking.
Update 1: Hide My Applist led to bootloop on this verison too.
Update 2: Turning off Bluetooth before overriding the Settings app would prevent the Developer Options from crashing. Wondering why.
#Xiaomi #Bootloader
