Xiaomi Mi BOX - CE and DRM


#24

The bootloader is completely locked.

aml log : R1024 check ..

The RSA signatures BL30, 31, 32, 33 are checked.
Next - BL33 checks the signature dtb, kernel.img and recovery.img.


#25

But if the bootloader is locked, how do Armbian work?


#26

Yeah, that’s the thing I don’t get. I never expected to boot anything other than the signed Xiaomi firmware, but that Armbian image does boot… so I’m stumped


#27

One thing I noticed (mind you, the amlogic platform is new to me) is that the armbian builds don’t ship a dtb.img on the root. It is referenced in the autoload script (and fails to load), but I think it might be loaded later by the initrd instead of uboot.

That’s the only obvious difference I see.


#28

hi, boot.img is normally signed by activating the function CONFIG_AML_CRYPTO_IMG in uboot. Before compiling, copy boot.img to board /amlogic/gxl_skt_v1 and build uboot. Then you get boot.img.encrypt in uboot/fip. I’m not sure why the Armbian kernel could be loaded yet. Has the manufacturer not regenerated the RSA / AES key and used default key? Is only a guess.


#29

Secure boot requires a kernel image to be signed using an AMLogic tool called secureTool which we have available and if this is the case we could create an image specific to Xiaomi boxes.

Other options…

Replace u-boot with one from a standard gxl box?

Bypass secure boot as per … link ?


#30

There are several possibilities, here in 4.2


#31

From what I can make out there BL is burned/flashed to efuse and secure boot flag is then set which is irreversible then.

boot.img is then signed and this is used to boot the system.

Without the keys that Xiaomi used we obviously can’t build signed images unless Xiaomi used the standard certificates but it’s been a while since any OEM did this.

Strange still that Armbian can boot because they are not using signed boot images.


#32

Hi, i have a Mi box 3 mdz 16-ab totaly bricked, can this method with armbian img works on my mi box 3 mdz 16-ab bricked and how ?


#33

I managed to replicate this behaviour on my mdz-22-ab.
more info here: https://forum.xda-developers.com/android-stick--console-computers/amlogic/xiaomi-mi-box-s-uart-boot-log-uboot-env-t3884685
It also boots armbian 5.34, but I was not able to boot libreelec usb builds by 150balbes because of locked bootloader. I have feeling that amlogic has bug in secure boot check, so some images boot, but others fail.

here is uboot log for armbian: https://pastebin.com/Apw3vnP5


#34

Yes, there are some flaws and options :wink:
see link posted above by @adamg: https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html