Xiaomi Mi BOX - CE and DRM

bumerc · 24 July 2018 07:55

The bootloader is completely locked.

aml log : R1024 check ..

The RSA signatures BL30, 31, 32, 33 are checked.
Next - BL33 checks the signature dtb, kernel.img and recovery.img.

TheCoolest · 24 July 2018 08:04

But if the bootloader is locked, how do Armbian work?

andybz · 24 July 2018 09:22

Yeah, that’s the thing I don’t get. I never expected to boot anything other than the signed Xiaomi firmware, but that Armbian image does boot… so I’m stumped

andybz · 24 July 2018 09:33

One thing I noticed (mind you, the amlogic platform is new to me) is that the armbian builds don’t ship a dtb.img on the root. It is referenced in the autoload script (and fails to load), but I think it might be loaded later by the initrd instead of uboot.

That’s the only obvious difference I see.

bumerc · 24 July 2018 13:20

hi, boot.img is normally signed by activating the function CONFIG_AML_CRYPTO_IMG in uboot. Before compiling, copy boot.img to board /amlogic/gxl_skt_v1 and build uboot. Then you get boot.img.encrypt in uboot/fip. I’m not sure why the Armbian kernel could be loaded yet. Has the manufacturer not regenerated the RSA / AES key and used default key? Is only a guess.

anon88919003 · 24 July 2018 14:26

Secure boot requires a kernel image to be signed using an AMLogic tool called secureTool which we have available and if this is the case we could create an image specific to Xiaomi boxes.

Other options…

Replace u-boot with one from a standard gxl box?

Bypass secure boot as per … link ?

bumerc · 24 July 2018 18:44

There are several possibilities, here in 4.2

anon88919003 · 24 July 2018 23:50

From what I can make out there BL is burned/flashed to efuse and secure boot flag is then set which is irreversible then.

boot.img is then signed and this is used to boot the system.

Without the keys that Xiaomi used we obviously can’t build signed images unless Xiaomi used the standard certificates but it’s been a while since any OEM did this.

Strange still that Armbian can boot because they are not using signed boot images.

venioni · 15 November 2018 20:06

Hi, i have a Mi box 3 mdz 16-ab totaly bricked, can this method with armbian img works on my mi box 3 mdz 16-ab bricked and how ?

recrof · 30 December 2018 23:46

I managed to replicate this behaviour on my mdz-22-ab.
more info here: https://forum.xda-developers.com/android-stick--console-computers/amlogic/xiaomi-mi-box-s-uart-boot-log-uboot-env-t3884685
It also boots armbian 5.34, but I was not able to boot libreelec usb builds by 150balbes because of locked bootloader. I have feeling that amlogic has bug in secure boot check, so some images boot, but others fail.

here is uboot log for armbian: https://pastebin.com/Apw3vnP5

rho-bot · 31 December 2018 00:38

Yes, there are some flaws and options
see link posted above by @anon88919003: https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html