Xiaomi Mi A1 Android Phone
RAM | 3.8 Gb |
---|---|
Internal Memory | 32 Gb |
CPU | Qualcomm Snapdragon 625 2.0GHz 8-core |
Architecture | arm64-v8a |
Screen | 5.5 Inches, 1920 x 1080 |
Connector | USB Type C |
Audio jack | 3.5 mm |
A/B (Seamless) System Updates | Yes |
How to Gain root Privileges
There are several recipes on the net on how to root this phone; many of them do not apply to my phone, maybe because they are plain wrong, or maybe because they apply to phones with firmware older than mine. The recipe I report here was applied with success on a Xiaomi Mi A1 purchased in October 2018. It shipped from the factory with Android Oreo 8.0.0; afterwards the phone received an OTA update to Android Oreo 8.1.0 with Android security patch level October 5, 2018.
The process of rooting this phone can be broken down into a few steps:
- Install on your PC the adb and fastboot command line tools.
- Backup.
- Unlock the Bootloader.
- Install a custom Recovery program (we used TWRP).
- Install the su binary and an app to manage superuser privileges (we used Magisk).
It seems that the process can be reverted leaving no traces (the unlock step is the main concern for warranty, etc.). Unfortunately, at least in my case, the unlock procedure also started a factory reset, which means losing all customization (installed apps, etc.) and user data.
For this procedure to work, we need two programs installed on our PC: adb and fastboot. They are command line tools from the Android SDK. Whenever we need to use adb or fastboot tools, we need to enable Developer options, enable USB debugging, connect the USB cable to the PC and tap “allow” on the phone pop-up. See below or search on the internet for a step-by-step guide.
Required Downloads (and Trust)
In this process we used some binary files downloaded from the internet. Beware that we are downloading binary-compiled software that will run with root privileges on our phone! We have to trust the people who provide it: we cannot inspect the source code and there is no easy step-by-step guide to compile from the sources ourselves. So we trusted the following internet pages (and people):
- Xiaomi Mi A1 tissot TWRP 3.2.1-2 (Oreo) Recovery, the post where the TWRP Recovery/installer are announced.
- Magisk GitHub Repository, the repository for the Magisk superuser program.
The official TWRP for Xiaomi Mi A1 page has only the bare TWRP Recovery image. We need an installer instead: because the recovery partition does not exist, the image must be embedded into the boot partition.
In order of appearance, we need:
- recovery-3.2.1-2-oreo.img, this is a TWRP Recovery image, used to boot on-the-fly.
- Twrp-recoveryInstaller-3.2.1-2-oreo.zip, this is an installer program, which will install the TWRP Recovery into the boot partition.
- Magisk-v17.3.zip, this is an installer program, which will install the su (superuser) program into the system.
- MagiskManager-v6.0.1.apk, this is an app, which will be used to manage superuser privileges during normal phone usage.
OEM Unlock
This procedure, required to obtain root privileges, does not make irreversible changes to the smartphone. However, when it is executed it triggers a factory reset, i.e. the phone is restored to factory settings with the loss of all user customizations (installed apps, configurations, etc.).
- Settings ⇒ System ⇒ About phone ⇒ Tap 7 times on “Build number”. This enables the Developer options.
- Settings ⇒ System ⇒ Developer options ⇒ Enable “USB debugging”.
- Settings ⇒ System ⇒ Developer options ⇒ Enable “OEM unlocking”.
- Put the phone in Fastboot Mode (from the Recovery Menu or using the adb program from a connected PC, see below).
- From a connected PC run the command fastboot oem unlock. The phone reboots and shows some warning messages. During the next boot it performs a factory reset of the phone (erasing all data, re-encrypting the filesystem, etc.). During boot, the word unlocked appears at the bottom of the screen with the Mi logo.
The factory reset procedure takes several minutes; at the end the first-boot setup is started (Google account configuration, etc.). Previously downloaded applications and user configurations are lost, whereas any operating system update remains (e.g. the previously downloaded Android 8.1.0 instead of the Android 8.0.0 installed at sale).
Backup
The first step will be to change the boot partition to replace the stock Recovery program with a custom one, so it is advisable to back it up first. Many Android devices have a dedicated partition to store the Recovery program; this device has instead the A/B system updates mechanism, introduced by Google with Android 7.0 Nougat. So we don't have a recovery partition, but we have boot_a and boot_b partitions.
To ensure that the device has the A/B system updates instead of the recovery partition, we use the following command in the adb shell:
adb shell
tissot_sprout:/ $ ls -l /dev/block/bootdevice/
...
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_a -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_b -> /dev/block/mmcblk0p23
...
The meaning is: search in /dev/block/bootdevice/ for the symbolic links boot_a and boot_b and take note of the actual partition names. You can also see that the recovery name does not exist.
Now we need to boot into an environment where we have root privileges, otherwise we cannot read the entire partitions. This means booting into the Fastboot Mode bootloader and load and run the TWRP Recovery program.
adb reboot bootloader
Wait several seconds until the Fastboot logo appears, then execute this command on the PC:
fastboot boot recovery-3.2.1-2-oreo.img
This will load the TWRP Recovery program on the phone (it is only uploaded into RAM, not written to flash) and boot from it. If the phone is not unlocked, the command will fail. The TWRP running on the phone will allow the adb program on the PC to access the system with root privileges, so we can finally back up the partitions on our PC:
adb pull /dev/block/mmcblk0p22 boot_a.img
adb pull /dev/block/mmcblk0p23 boot_b.img
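An added example, not part of the original recipe: a Python sketch that reads the boot_a and boot_b devices out of the listing instead of hard-coding mmcblk0p22 and mmcblk0p23, and records each pulled image with its slot, build number and SHA-256 so that a later fastboot flash restore can be checked against the installed build. The function names are hypothetical, the image bytes are constructed, and the build strings are the ones quoted elsewhere on this page.

```python
import hashlib
import re

BOOT_MAGIC = b"ANDROID!"  # first 8 bytes of an Android boot image header

# Constructed sample: the two symlink lines from the listing above.
SAMPLE_LISTING = """\
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_a -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root 21 1970-07-10 05:23 boot_b -> /dev/block/mmcblk0p23
"""

LINK_RE = re.compile(r"(\S+) -> (/dev/block/\S+)\s*$")


def parse_links(listing):
    """Map partition name -> block device from `ls -l` symlink lines."""
    links = {}
    for line in listing.splitlines():
        match = LINK_RE.search(line)
        if match:
            links[match.group(1)] = match.group(2)
    return links


def boot_layout(links):
    """Return {slot: device} for an A/B device; refuse any other layout."""
    if "recovery" in links:
        raise ValueError("dedicated recovery partition present: not A/B")
    try:
        return {slot: links["boot_" + slot] for slot in ("a", "b")}
    except KeyError as missing:
        raise ValueError(f"{missing} not found in listing") from None


def manifest_entry(slot, device, image, build):
    """Describe one pulled image; reject data that is not a boot image."""
    if not image.startswith(BOOT_MAGIC):
        raise ValueError(f"boot_{slot}: ANDROID! header missing, bad pull?")
    return {
        "slot": slot,
        "device": device,
        "build": build,  # build number read from the phone's settings
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def safe_to_restore(entry, image, slot, installed_build):
    """True only if the file is the recorded one for this slot and build."""
    return (
        entry["slot"] == slot
        and entry["build"] == installed_build
        and hashlib.sha256(image).hexdigest() == entry["sha256"]
    )


if __name__ == "__main__":
    layout = boot_layout(parse_links(SAMPLE_LISTING))
    image = BOOT_MAGIC + bytes(24)  # constructed stand-in for boot_b.img
    entry = manifest_entry("b", layout["b"], image, "V10.0.14.0.PDHMIXM")
    print(entry)
    print(safe_to_restore(entry, image, "b", "V10.0.19.0.PDHMIXM"))
```

Keeping the manifest next to the .img files makes it possible to tell which firmware a given boot_b.img belongs to before flashing it back.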
Install the TWRP Recovery
With the phone booted in standard system mode, upload the TWRP installer to the storage. As explained above, this phone has the A/B system partitions, so it is not possible to flash an image file to the Recovery partition (which does not exist); we need an installer which will modify the boot_a or boot_b partition (whichever is active at the moment).
We upload also the Magisk program (the su binary stuff and the management app), which we will use later.
adb push Twrp-recoveryInstaller-3.2.1-2-oreo.zip /sdcard/Twrp-recoveryInstaller-3.2.1-2-oreo.zip
adb push Magisk-v17.3.zip /sdcard/Magisk-v17.3.zip
adb push MagiskManager-v6.0.1.apk /sdcard/MagiskManager-v6.0.1.apk
As seen above, we have to reboot in Fastboot Mode and load the TWRP Recovery from RAM (allow the required time to the phone to start into Fastboot):
adb reboot bootloader
fastboot boot recovery-3.2.1-2-oreo.img
Once that TWRP is started on the phone, swipe to allow writing to the partitions, then choose Install and browse to the Twrp-recoveryInstaller-3.2.1-2-oreo.zip archive.
After the installation, the procedure will ask us if we want to install the TWRP App; we answered no. You can answer yes, but it is not strictly required: the TWRP Recovery is a stand-alone program, it runs when requested without an underlying Android system and it does not require any App. The TWRP App may be used to install or upgrade the TWRP Recovery and to back up the existing Recovery, but it seems that the current version (1.19) is not able to handle the A/B system updates mechanism: it searches for the recovery partition, which does not exist in Xiaomi Mi A1 Oreo 8.1.0. So it's best not to use it.
Beware of this:
- Do not swap Slot A and Slot B. Some recipes found on the internet say to do that in TWRP (it is from the Reboot menu). I tried it and it was a nightmare! The Reboot menu was stating that Slot B was active, so I switched to Slot A and installed TWRP. At the next reboot I got a non-working environment: plenty of pop-ups with Android Phone force close, pop-ups for Factory reset, boot loop, etc. Maybe Slot A contained the boot code for Android 8.0.0, whereas my phone had already received 8.1.0. Fortunately enough I was able to adb reboot bootloader and switch again to Slot B.
- Do not verify the ZIP archive. The archive does not have the required info to check.
- Do not wipe the Dalvik cache after the install. I don't know if it was the culprit, but after installing TWRP I clicked the button to wipe the Dalvik cache, and at the next reboot I had a damaged system. The home button did not work, the Developer options were no longer available (Developer options are not available for this user), the top status bar did not swipe down, etc. I had to Factory reset the phone (see a possible fix for this problem here: Xiaomi Mi A1 Home Key Problem).
Install Magisk, the SuperUser Tool
When rooting an Android device we generally need the su binary program (the actual Unix tool used to switch from normal user to root), plus an app to manage superuser permissions granted (or denied) to other applications. Historically the best-known app for this purpose was SuperSU by Chainfire, but something changed. Chainfire retired from SuperSU development in October 2017 and new protection schemes were introduced by Google into Android, mainly SafetyNet and dm-verity. The new leading-edge app for su management appears to be Magisk.
The first step is to install the ZIP archive which provides the su binary, we already copied the Magisk-v17.3.zip file to the phone storage. Let's reboot into TWRP Recovery executing from the connected PC the following command:
adb reboot recovery
Alternatively we can power-off the phone, then power it on using the button combination VolumeUp + Power. From the TWRP main screen, choose Install and browse the filesystem to the Magisk-v17.3.zip file. After the install succeeded, reboot into normal system.
The su binary by itself is not sufficient to use root privileges, we need to install also the management app. Use the phone's file manager to find the MagiskManager-v6.0.1.apk and install it, granting the install unknown apps permission as requested. We have root permission, finally! Check via adb:
adb shell
tissot_sprout:/ $ su
tissot_sprout:/ # id
uid=0 gid=0
When an app requires root privileges, the Magisk management app will show a pop-up on the phone, allowing to grant or deny the permission, so be sure that the phone is not in screen-locked mode.
Recovery Mode
Android devices have a feature called Android Recovery Mode, which allows users to fix some problems. Technically, Recovery Mode refers to a special bootable partition, which contains a recovery application installed in it. The Xiaomi Mi A1 does not actually have a recovery partition; the recovery program is installed into the boot A and boot B partitions instead. You can use the Recovery from the official stock ROM, or you can install a custom recovery, such as the famous (and very rich in features) TWRP Recovery.
To enter Recovery mode, proceed as follows:
- Power Off the phone.
- Press VolumeUp + Power, wait about 3 seconds for the Mi logo screen.
If you have installed the TWRP Recovery, its main screen will appear. If you have the stock ROM Recovery you have to:
- Wait for the Broken Droid logo with the No command message.
- Press Power + VolumeUp shortly, the Recovery menu will appear.
When the phone is booted in normal system, you can reboot in Recovery mode by issuing the following command from an attached PC:
adb reboot recovery
Fastboot Mode
In Android, fastboot is a special diagnostic protocol that you can boot your Android device into. While in fastboot, you can modify the file system images from a computer over a USB connection.
You can start fastboot mode in several ways:
- Power off the phone, then press the VolumeDown + Power buttons together, until the phone vibrates.
- Executing the adb reboot bootloader command on a PC when the phone is booted normally and connected via the USB cable. It is required to enable USB debugging on the phone and to authorize the PC on the phone pop-up, once connected.
- From the stock Recovery menu, choosing the entry Reboot to bootloader.
- From the TWRP Recovery, choosing Reboot menu, then Bootloader.
The Xiaomi Mi A1 will show the following image when in fastboot mode:
To control the fastboot mode of the phone, you have to install the fastboot command on your PC. On Debian GNU/Linux install the fastboot 8.1.0 package. NOTICE: Version 7.0.0 is not recommended, e.g. the command fastboot set_active b does not work on the Mi A1.
Here are some commands that can be used in fastboot mode:
fastboot help
fastboot devices
fastboot boot recovery-3.2.1-2-oreo.img
fastboot flash boot_b boot_b.img
fastboot oem unlock
fastboot set_active b
fastboot reboot
Screenshot Capture
By keypress: VolumeDown + Power simultaneously for a few seconds.
Using a connected PC and adb:
adb shell screencap -p /sdcard/screen.png
adb pull /sdcard/screen.png
Files and Directories
/data/misc/wifi/WifiConfigStore.xml | WiFi passwords. |
---|---|
/data/misc/wifi/softap.conf | Hotspot WiFi (Tethering) configuration. |
/system/etc/mkshrc | Run commands for the ADB shell. |
/mnt/expand/<id> | microSD mounting point. |
/sdcard → /storage/emulated/0 | User's space into the microSD. |
/system/xbin | Preferred directory for BusyBox installation (binary and symlinks). |
Control and Privacy Settings
- Settings ⇒ System, Developer options ⇒ OEM unlocking
- Settings ⇒ System, Developer options ⇒ Automatic system updates
- Settings ⇒ System, Developer options ⇒ USB debugging
- Settings ⇒ Apps & notifications ⇒ Any app ⇒ Install unknown apps
- Settings ⇒ Users & accounts ⇒ Google ⇒ Account sync
  - Calendar
  - Contacts
  - Google Fit data
  - People details
  - Drive
  - Gmail
  - Google Play Movies, …
- Settings ⇒ Security & location
  - Device admin apps
  - Encryption & credentials (Phone encrypted)
- Settings ⇒ Google
  - Backup ⇒ Back up to Google Drive
  - Security ⇒ Find My Device
  - Location ⇒ Mode (High accuracy, Battery saving, Device only)
  - Location ⇒ Google Location History
  - Smart Lock for Passwords ⇒ Smart Lock for Passwords (save passwords to your Google Account)
  - More (top-right menu) ⇒ Usage & diagnostics (off)
- Settings ⇒ Mi Services
  - User Experience Program (Programma Esperienza Utente)
  - Send diagnostic data automatically (Invia i dati diagnostici automaticamente)
- Google Play ⇒ Settings ⇒ Auto-update apps
- Google Play ⇒ Settings ⇒ Notification settings ⇒ Updates
- Contacts ⇒ Settings ⇒ Default account for new contacts
Battery Optimization and Background Sync
Some apps require special settings to run properly, e.g. DAVdroid needs to sync contacts and calendar events in the background and does not like the battery optimization enforced by Xiaomi's Android. You can control this setting from here:
- Settings ⇒ Apps & notifications ⇒ Advanced ⇒ Special app access ⇒ Battery optimization
Upgrading Android maintaining root privileges
In November 2019 my phone still was running the following:
- Android 8.1.0 - Patch 2018-10-05
- Magisk v17.3 (the su binary, etc.)
- MagiskManager v6.0.1 (the superuser rights management app)
- TWRP 3.2.1-2
MagiskManager warns about the availability of Magisk v20.1, the operating system too warns about the availability of Nov 2018 Android System Update. Also MagiskManager can be upgraded to v7.4.0 (but don't upgrade it before upgrading Magisk, the app must follow exactly the su binary package contained in Magisk).
Upgrade Magisk and MagiskManager
- Copy the Magisk-v20.1.zip archive to the smartphone. TWRP will search by default into the internal storage, so I copied it into /data/media/0/Download/, but you can use the microSD storage.
- Copy the MagiskManager-v7.4.0.apk app into the same /data/media/0/Download/ directory, or into the microSD.
- Reboot into TWRP recovery. I used the adb reboot recovery command from the PC, but you can use the VolumeUp + Power trick.
- From the TWRP menu, choose Install and search for the Magisk-v20.1.zip archive.
- I chose not to verify the zip archive and not to reboot the phone, so I had time to read the output of the command. Everything seemed OK, so I finally rebooted.
- Once rebooted in normal system, install MagiskManager-v7.4.0.apk from the file manager of your choice (it will require the permission System ⇒ App ⇒ <File manager> ⇒ Unknown sources).
Upgrading the Operating System
The phone automatically warns about the availability of an OTA (Over The Air) upgrade. You can also check for upgrade availability by tapping Settings ⇒ System ⇒ System Updates.
If you allow downloading and installing the upgrade, a check will be performed about the integrity of the boot image and the system image, before the actual install. The check will fail and the upgrade will be aborted if one or both of these two conditions is true:
- You have installed Magisk SU or TWRP Recovery. These programs are installed into the boot partition, either boot_a or boot_b. The installation of Magisk patches only the active boot partition, whereas TWRP patches (installs itself into) both boot partitions.
- You have used su to modify the /system partition. If you have re-mounted /system in read/write mode and you have altered it, the upgrade process will detect this and will refuse to proceed.
The upgrade process will fail with a warning message Couldn’t update - Installation problem (in Italian: Impossibile aggiornare - Problema di installazione).
To escape from the first condition, it is sufficient to restore the boot partition from the original backup. You will lose root and TWRP Recovery, but you can reinstall them after the upgrade. If you have installed only Magisk, uninstalling it should be sufficient and rather simple. Start the Magisk Manager app, disable and uninstall all the modules (if any) and reboot. Then run Magisk Manager again and choose to uninstall it completely. But if you have also installed TWRP you have to recover from a backup image. This is the recipe to run from a PC command line (supposing that the active partition is B and that you have the original boot_b.img dump):
adb reboot bootloader
fastboot flash boot_b boot_b.img
fastboot reboot
Allowing automatic OTA upgrade after tampering with the /system partition is more painful: you have to restore the system partition by flashing it in fastboot mode. Obviously you need the original system.img file, either from your own backup or from a factory ROM archive. Fortunately enough Xiaomi provides full stock ROM archives of the various versions. Look at this forum post and search for your version.
Once you extracted the system.img file from the archive, boot in fastboot mode and execute the following from an attached PC (once again your active partition is B):
fastboot flash system_b system.img
fastboot reboot
The OTA Update
When the phone downloads an OTA upgrade, it will save it into the /data/ota_package/update.zip file, but it will be removed after the installation and even if the installation fails.
The file is actually a Jar archive. The jar executable is provided by the Debian package openjdk-8-jdk-headless (or whatever version of Java you have), and you can use it in this way:
mkdir update
cd update
jar -xf ../update.zip
The main content is a payload.bin; in our case it was an incremental update (November 2018 Security patches), with a size of about 66 Mb. It seems that there is a tool able to extract the content of such payload files, see Extract files from OTA payload.bin full and incremental.
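An added example, not from the original page: because update.zip is an ordinary ZIP/JAR container, Python's zipfile can read it without a JDK. The sketch checks payload.bin against the hashes and size recorded in payload_properties.txt and decodes the fixed payload header; it assumes the standard A/B OTA layout (payload.bin beside payload_properties.txt, header magic CrAU, format version 2), and the archive built by constructed_update() is a constructed stand-in, not a real update.

```python
import base64
import hashlib
import io
import struct
import zipfile

# Fixed payload.bin header, big-endian: magic, format version,
# manifest size, metadata signature size (present from version 2 on).
HEADER = struct.Struct(">4sQQI")
MAX_MANIFEST = 64 << 20  # refuse absurd manifest sizes from a damaged file


def parse_properties(text):
    """Parse KEY=VALUE lines; base64 values may themselves end in '='."""
    return dict(l.split("=", 1) for l in text.splitlines() if "=" in l)


def _b64(digest):
    return base64.b64encode(digest.digest()).decode()


def inspect_ota(src):
    """src: path or file object of update.zip; payload.bin is streamed once."""
    with zipfile.ZipFile(src) as z:
        props = parse_properties(z.read("payload_properties.txt").decode("ascii"))
        with z.open("payload.bin") as f:
            head = f.read(HEADER.size)
            if len(head) < HEADER.size:
                raise ValueError("payload.bin is shorter than its header")
            magic, version, manifest_size, sig_size = HEADER.unpack(head)
            if magic != b"CrAU" or version < 2:
                raise ValueError("not a version 2+ A/B payload")
            if manifest_size > MAX_MANIFEST:
                raise ValueError("implausible manifest size")
            manifest = f.read(manifest_size)
            meta = hashlib.sha256(head + manifest)  # metadata = header + manifest
            whole = meta.copy()
            size = len(head) + len(manifest)
            for chunk in iter(lambda: f.read(1 << 20), b""):
                whole.update(chunk)
                size += len(chunk)
    return {
        "version": version,
        "manifest_size": manifest_size,
        "metadata_signature_size": sig_size,
        "file_size_ok": props.get("FILE_SIZE") == str(size),
        "file_hash_ok": props.get("FILE_HASH") == _b64(whole),
        "metadata_hash_ok": props.get("METADATA_HASH") == _b64(meta),
    }


def constructed_update():
    """Build a tiny stand-in update.zip in memory (constructed sample data)."""
    manifest = bytes(16)  # placeholder bytes, not a real manifest
    payload = HEADER.pack(b"CrAU", 2, len(manifest), 0) + manifest + b"blob data"
    meta = payload[: HEADER.size + len(manifest)]
    props = (
        f"FILE_HASH={_b64(hashlib.sha256(payload))}\n"
        f"FILE_SIZE={len(payload)}\n"
        f"METADATA_HASH={_b64(hashlib.sha256(meta))}\n"
        f"METADATA_SIZE={len(meta)}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.bin", payload)
        z.writestr("payload_properties.txt", props)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(inspect_ota(constructed_update()))
```

Matching values show that the saved copy of update.zip is complete and internally consistent; authenticity still rests on the payload signature that the updater itself verifies.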
March 2020 security update
In March 2020 Xiaomi released a new security update; according to the post Mi A1 Android 10 update dream keeps fading, it is another AndroidOne v.9 release, build number V10.0.19.0.PDHMIXM.
I performed the upgrade re-installing TWRP and Magisk afterward. The starting conditions were:
- A/B System Updates status: Current Slot: B (checked via TWRP ⇒ Reboot screen).
- Bootloader is unlocked.
- Installed O.S.: Android: 9, Build number: PKQ1.180917.001.V10.0.14.0.PDHMIXM (check from Settings ⇒ System ⇒ About phone).
- From Settings ⇒ System ⇒ Advanced ⇒ System update we are informed that a system update is available (Aggiornamento sistema disponibile): March 2020 security update (1100.3 Mb). The file is already downloaded and the phone suggests rebooting to install.
- Magisk v20.1 and TWRP 3.3.0 were installed into boot partition (Slot B).
- System partition was the stock one: root privileges were never used to tamper with the /system hierarchy.
The system upgrade will verify the boot and the system partitions before attempting the installation, refusing to proceed if they were tampered with. So I had to restore the stock boot image (losing TWRP and Magisk).
I restored the stock boot_b.img image (saved before TWRP and Magisk), using the ADB commands from a connected PC:
adb reboot bootloader
fastboot flash boot_b boot_b.img
fastboot reboot
I got a problem during this step: maybe the boot_b.img was saved from version 9.6.8.0, not from the currently installed 10.0.14.0. Luckily enough, the only negative effect was that the WiFi was not working. This is a logcat excerpt:
android.hardware.wifi@1.0-service: finit_module return: -1: Required key not available
android.hardware.wifi@1.0-service: Failed to load WiFi driver
android.hardware.wifi@1.0-service: Failed to initialize firmware mode controller
android.hardware.wifi@1.0-service: Wifi HAL start failed
I proceeded with the standard upgrade path, trusting that the boot partition would be recognized as original and therefore upgraded to the new one. Remember: the update ZIP archive was already downloaded into the phone, so I just launched the reboot and install action. After some minutes and a few reboots, the system was upgraded to Android v.9 build number PKQ1.180917.001.V10.0.19.0.PDHMIXM. Fortunately enough the WiFi was recovered.
To complete the upgrade:
- Copy twrp-installer-3.3.0-2-tissot.zip and Magisk-v20.1.zip into the phone internal storage.
- Backup the stock boot partitions.
- Reinstall TWRP.
- Reinstall Magisk.
- Backup the rooted boot partitions.
First of all run the TWRP recovery fastbooting the image directly from the PC hard disk (i.e. without installing it into the phone):
adb reboot bootloader
fastboot boot twrp-3.3.0-2-tissot.img
From TWRP ⇒ Reboot menu, I verified that the Current Slot is A: it is normal that the upgrade procedure swaps the boot partition during the upgrade. Using ADB from the connected PC, I backed up the stock boot images:
adb pull /dev/block/mmcblk0p22 boot_a.img
adb pull /dev/block/mmcblk0p23 boot_b.img
Now I installed the TWRP recovery into the boot partitions: from TWRP ⇒ Install ⇒ twrp-installer-3.3.0-2-tissot.zip. The installation warns about Running boot image patcher on slot A and B, and spits some harmless warnings about the /vendor mounting point. It is necessary to install TWRP before Magisk, otherwise TWRP will unroot the phone during its install.
After a system reboot, and another boot into Recovery, I did TWRP ⇒ Install ⇒ Magisk-v20.1.zip. This will install root on the phone (the su program). Once again I got some harmless warnings about the /vendor mounting point.
Finally I repeated the procedure to backup the patched boot_a and boot_b partitions.
NOTICE: the ADB client required to perform the adb pull command is active when I boot TWRP using fastboot boot twrp-3.3.0-2-tissot.img. If instead I boot TWRP from the phone, the ADB client is not active.
Once rebooted the phone into normal system, I installed the root permissions manager: MagiskManager-v7.5.1.apk.
August 2020 security update
This is a new update from Xiaomi, still featuring AndroidOne v.9 release, build PKQ1.180917.001.V10.0.24.0.PDHMIXM. The upgrade was downloaded nightly over the WiFi. It seems impossible to prevent such automatic download: I did not find any settings to prevent automatic upgrade download. After downloading, the phone asks to reboot to complete the upgrade.
The starting conditions were:
- A/B System Updates status: Current Slot: ? (may be it was A, because after installation it is B).
- Bootloader is unlocked.
- Magisk and TWRP were installed, but maybe they were hidden by accident. In fact the installation of the upgrade went OK after a reboot, whereas it should fail because the boot sector is tampered with Magisk su.
- System partition was the stock one: root privileges were never used to tamper with the /system hierarchy.
After the upgrade, I did the following to get root again:
- adb reboot bootloader
- fastboot boot twrp-3.3.0-2-tissot.img
- Verified from TWRP ⇒ Reboot: Current slot: B
- adb pull /dev/block/mmcblk0p22 boot_a.img
- adb pull /dev/block/mmcblk0p23 boot_b.img
- TWRP ⇒ Install ⇒ twrp-installer-3.3.0-2-tissot.zip
Running boot image patcher on slot a and b.
- system reboot
- adb reboot bootloader
- fastboot boot twrp-3.3.0-2-tissot.img
- TWRP ⇒ Install ⇒ Magisk-v20.4.zip
Current boot slot: _b, unpacking, patching, repacking, flashing new boot image.