In an attempt to gain access to Xiaomi's nightlies -- the unreleased, in-house builds of Xiaomi's MIUI operating system -- XDA Senior Member duraaraa reverse-engineered the China-based company's over-the-air (OTA) update framework. The two work-in-progress exploits force Xiaomi devices to pull a nightly build instead of the latest commercial firmware. Such a build could, in theory, be installed on an off-the-shelf device if (1) MIUI's OTA application were reverse engineered and (2) the test builds were signed with the same keys as the official builds.

Method 1: Crafting a Xiaomi OTA Update URL

The simpler of the two methods involves requesting the OTA update URL, whose JSON response tells the client device where and how to download the update. The response below, for example, points Xiaomi's OTA update app at version 7.9.21 of MIUI 9, an internal test build:

    {
        "UserLevel": 9,
        "LatestVersion": {
            "type": "rom",
            "device": "chiron_global",
            "name": "XM-MIMIX2-GLOBAL 7.9.21",
            "description": "MIUI\u5347\u7ea7",
            "descriptionUrl": "http:\/\/update.miui.com\/updates\/updateinfo\/7.9.21\/chiron_global_0_7.9.21_4494ccfcc506caca9904efb74b489e0a.html",
            "md5": "7f94ca393fae77c6171e6c7a551bea2e",
            "filename": "miui_MIMIX2Global_7.9.21_7f94ca393f_7.1.zip",
            "filesize": "1.6G",
            "codebase": "7.1",
            "version": "7.9.21",
            "branch": "X"
        },
        "UpdateList": [
            {
                "type": "rom",
                "device": "chiron_global",
                "name": "XM-MIMIX2-GLOBAL 7.9.21",
                "description": "",
                "descriptionUrl": "http:\/\/update.miui.com\/updates\/updateinfo\/7.9.21\/chiron_global_0_7.9.21_4494ccfcc506caca9904efb74b489e0a.html",
                "md5": "7f94ca393fae77c6171e6c7a551bea2e",
                "filename": "miui_MIMIX2Global_7.9.21_7f94ca393f_7.1.zip",
                "filesize": "1.6G",
                "codebase": "7.1",
                "version": "7.9.21",
                "branch": "X"
            }
        ],
        "IncrementalUpdateList": [],
        "MirrorList": ["http:\/\/bigota.d.miui.com"],
        "Signup": {"version": "", "total": "", "rank": ""},
        "AuthResult": 0,
        "ForceUpdate": 0
    }

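To show what a client (or an analyst auditing one) actually does with a response like the one above, here is an added example, not code from the article or from Xiaomi's updater. It parses the response, derives candidate download URLs from `MirrorList`, cross-checks the 10-hex-digit prefix embedded in `filename` against the `md5` field (an observable consistency in the sample), and verifies a downloaded package against the advertised digest. The sample response is constructed from the page's fields; the assumption that the package sits directly under the mirror root is mine, since the page does not show the mirror's path layout. Note that MD5 only detects corruption: it is not a signature, which is exactly why the signing-key question in the article matters.

```python
import hashlib
import json
import re

# Constructed sample: fields mirror the OTA response shown on the page,
# trimmed to the parts this example uses.
SAMPLE_RESPONSE = """{"UserLevel":9,"LatestVersion":{"type":"rom","device":"chiron_global",
"name":"XM-MIMIX2-GLOBAL 7.9.21","md5":"7f94ca393fae77c6171e6c7a551bea2e",
"filename":"miui_MIMIX2Global_7.9.21_7f94ca393f_7.1.zip","filesize":"1.6G",
"codebase":"7.1","version":"7.9.21","branch":"X"},
"MirrorList":["http://bigota.d.miui.com"],"AuthResult":0,"ForceUpdate":0}"""

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def parse_ota_response(text):
    """Return (version, filename, md5, mirrors) from an OTA response.

    Raises ValueError if the digest is malformed or no mirror is listed.
    """
    data = json.loads(text)
    latest = data["LatestVersion"]
    md5 = latest["md5"].lower()
    if not HEX_MD5.match(md5):
        raise ValueError("md5 field is not a 32-hex-digit digest")
    mirrors = data.get("MirrorList") or []
    if not mirrors:
        raise ValueError("no mirrors listed in MirrorList")
    return latest["version"], latest["filename"], md5, mirrors


def filename_matches_md5(filename, md5):
    """The sample filename embeds the first 10 hex digits of the md5 field
    (..._7f94ca393f_...). Check that the embedded prefix agrees with it."""
    m = re.search(r"_([0-9a-f]{10})_", filename)
    return bool(m) and m.group(1) == md5[:10]


def candidate_urls(mirrors, filename):
    """Build one download URL per mirror.

    Assumption (not from the page): the package sits directly under the
    mirror root.
    """
    return [m.rstrip("/") + "/" + filename for m in mirrors]


def verify_package(blob, expected_md5):
    """Compare the MD5 of downloaded package bytes with the advertised digest.
    This detects corruption or a mismatched file, not tampering by someone
    who can also rewrite the response."""
    return hashlib.md5(blob).hexdigest() == expected_md5.lower()


if __name__ == "__main__":
    version, filename, md5, mirrors = parse_ota_response(SAMPLE_RESPONSE)
    print("version:", version)
    print("filename prefix consistent with md5:", filename_matches_md5(filename, md5))
    print("candidate URLs:", candidate_urls(mirrors, filename))
    fake_blob = b"constructed package bytes, not a real ROM"
    print("digest of constructed blob matches advertised md5:",
          verify_package(fake_blob, md5))
```

Run it as a script to see the parsed fields; in real use `verify_package` would be fed the bytes fetched from one of the candidate URLs, and a mismatch should abort the update rather than be ignored.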

When a stable release -- 8.5.7.0.NDECNEF -- was beginning to roll out in China recently, duraaraa used the exploit to find the firmware's upgrade URL.

Method 2: Crafting a Xiaomi OTA Update Request

The second method, which is a bit more complex, involves obtaining the decryption key used for requests to the Xiaomi update server. That requires decompiling the updater application and using Xposed to capture and analyze its network traffic.

With the decryption key in hand ("miuiotavalided11", for example), any user could, in theory, generate a forged upgrade request.

Forcing Xiaomi OTA Upgrades

duraaraa used the two methods to find unreleased MIUI builds on Xiaomi's servers, but has not yet managed to download and install a nightly on a Xiaomi device. He is asking members of the development community to pitch in on the effort.

To keep track of new developments and/or volunteer your expertise, check out the XDA Forums thread.
