Xiaomi Mi BOX - CE and DRM

150balbes does not use git properly so he has made it extremely difficult to see what changes he has made in Armbian.

If you have access to UART by soldering a header, then you should be able to interrupt the u-boot process, enter the commands in aml_autoscript and boot CE.

I don’t believe the bootloader is locked; they have probably just disabled booting from external unless you use the above method, but without a device to hand I would not be able to confirm this. I have been able to do this on another device that was similar, though.

Maybe you are right, but I thought a locked bootloader is a requirement for getting DRM keys - and after unlocking the bootloader you will lose your DRM keys.

Would be great to have both: CE with DRM keys, and Mi Box would be the best 905 Box you can buy :smiley:

I’m not sure on that, but the Minix U9-H doesn’t have a locked bootloader and you don’t lose the DRM keys by installing CE or any other O/S, as they are saved on a separate partition dedicated to them, as on most if not all Amlogic devices.

Ah, I did not know that Box. But Mi Box also has PlayReady 3.0 + Google Widevine Level 1 and is half the price. If it worked with CE I would buy this Box instantly :smiley:

It certainly ticks the right boxes… S905X which I believe is the best CPU to buy at present, aesthetically pleasing and 802.11ac.

Without one to hand though to see what’s going on with it then it’s difficult to add support unless 150balbes sheds some light on what he did.

Well, I contacted 150balbes; he wants to help but needs a tester. PM me if you want to help.

I’m keen. Let me know how I can help.

I’m going to post the uboot logs later today too.


Here’s a couple of logs from some builds I’ve tried.

CoreELEC-S905.arm-8.90.5.img:
https://paste.ubuntu.com/p/jS6tBmcdT8/

Armbian_5.34_S9xxx_Debian_stretch_4.9.40_server_20171112.img:
https://paste.ubuntu.com/p/z8g8PVB66H/ <— success!!

NOTE: I believe other Armbian builds do successfully load the kernel, but it fails from there, so I assume some sort of kernel/hardware problem and not a fault of the bootloader.

WRT rooting Xiaomi MDZ-16-AB or accessing the bootloader, I submit you are all chasing your tails.

Don’t foresee a successful outcome for this endeavor.

Willing to be surprised by some enterprising folks!!

The bootloader is completely locked.

aml log : R1024 check ..

The RSA signatures of BL30, 31, 32, 33 are checked.
Next, BL33 checks the signature of dtb, kernel.img and recovery.img.

But if the bootloader is locked, how does Armbian work?

Yeah, that’s the thing I don’t get. I never expected to boot anything other than the signed Xiaomi firmware, but that Armbian image does boot… so I’m stumped.

One thing I noticed (mind you, the Amlogic platform is new to me) is that the Armbian builds don’t ship a dtb.img on the root. It is referenced in the autoload script (and fails to load), but I think it might be loaded later by the initrd instead of u-boot.

That’s the only obvious difference I see.

Hi, boot.img is normally signed by activating the function CONFIG_AML_CRYPTO_IMG in u-boot. Before compiling, copy boot.img to board/amlogic/gxl_skt_v1 and build u-boot. Then you get boot.img.encrypt in uboot/fip. I’m not sure why the Armbian kernel could be loaded yet. Has the manufacturer not regenerated the RSA / AES key and used the default key? It is only a guess.

Secure boot requires a kernel image to be signed using an AMLogic tool called secureTool which we have available and if this is the case we could create an image specific to Xiaomi boxes.

Other options…

Replace u-boot with one from a standard gxl box?

Bypass secure boot as per … link ?

There are several possibilities, here in 4.2

From what I can make out there, the BL is burned/flashed to efuse and the secure boot flag is then set, which is irreversible.

boot.img is then signed and this is used to boot the system.

Without the keys that Xiaomi used we obviously can’t build signed images unless Xiaomi used the standard certificates but it’s been a while since any OEM did this.

Strange still that Armbian can boot because they are not using signed boot images.

Hi, I have a Mi Box 3 MDZ-16-AB totally bricked. Can this method with the Armbian img work on my bricked Mi Box 3 MDZ-16-AB, and how?

I managed to replicate this behaviour on my MDZ-22-AB.
More info here: https://forum.xda-developers.com/android-stick--console-computers/amlogic/xiaomi-mi-box-s-uart-boot-log-uboot-env-t3884685
It also boots Armbian 5.34, but I was not able to boot the LibreELEC USB builds by 150balbes because of the locked bootloader. I have a feeling that Amlogic has a bug in the secure boot check, so some images boot, but others fail.

Here is the u-boot log for Armbian: https://pastebin.com/Apw3vnP5

Yes, there are some flaws and options :wink:
See the link posted above by @anon88919003: https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html