bkerler / mtkclient

MTK reverse engineering and flash tool
GNU General Public License v3.0

Redmi Note 11S : incorrect critical_lock_state in seccfg #1236

Open pierre-durand opened 4 weeks ago

pierre-durand commented 4 weeks ago

My phone is a Redmi Note 11S. The seccfg partition is V4.

In unlock mode, field critical_lock_state is incorrectly set to 1 (instead of 0). It has no effect with Android 11, but with Android 13, dm-verity complains at startup!

This can be fixed in bootloader mode: `fastboot oem cdms fix`. This simply sets critical_lock_state to 0 in the seccfg partition (+rehashing...).

This patch works for me:

--- mtkclient/mtkclient/Library/Hardware/seccfg.py  2024-10-03 15:36:45.159499963 +0200
+++ mtkclient/mtkclient/Library/Hardware/seccfg.py  2024-10-03 15:38:02.693707339 +0200
@@ -87,7 +87,7 @@
             return False, "Device is already unlocked"
         if lockflag == "unlock":
             self.lock_state = 3
-            self.critical_lock_state = 1
+            self.critical_lock_state = 0
         elif lockflag == "lock":
             self.lock_state = 1
             self.critical_lock_state = 0
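Review bot: the unlock branch now hard-codes `critical_lock_state = 0` with no comment explaining why the previous value of 1 was wrong, and since the reporter is unsure whether this is hardware-specific, silently changing it for every V4 device is risky; add a comment stating the Android 13 dm-verity symptom and consider an optional parameter (for example `critical_lock_state=None`, defaulting to 0) so callers can keep the old value. Note also that after this change both the `lock` and `unlock` branches write `critical_lock_state = 0`, so only `lock_state` distinguishes them.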

If this is specific to my hardware, maybe there could be a flag to set critical_lock_state with a custom value?
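As an added illustration (not mtkclient code), the following models the two fields the patch touches, adds the optional override suggested above, and checks a read-back seccfg for the unlocked-with-critical_lock_state=1 combination reported here. Function and class names (`lock_fields_for`, `check_seccfg`, `LockFields`) are hypothetical; the numeric lock_state values come from the hunk.

```python
# Added example, not part of mtkclient: model seccfg lock fields and check for
# the inconsistency reported in this issue (unlocked device, critical_lock_state=1).
from dataclasses import dataclass
from typing import List, Optional

# Values as written by the patched seccfg.py in this issue:
# lock_state 3 = unlocked, lock_state 1 = locked.
LOCK_STATE_UNLOCKED = 3
LOCK_STATE_LOCKED = 1


@dataclass
class LockFields:
    lock_state: int
    critical_lock_state: int


def lock_fields_for(lockflag: str, critical_lock_state: Optional[int] = None) -> LockFields:
    """Return the (lock_state, critical_lock_state) pair to write for a lockflag.

    critical_lock_state is the optional override the reporter asks for; when it
    is omitted the value defaults to 0, matching the patched behaviour for both
    branches (hypothetical API, not mtkclient's).
    """
    if lockflag == "unlock":
        state = LOCK_STATE_UNLOCKED
    elif lockflag == "lock":
        state = LOCK_STATE_LOCKED
    else:
        raise ValueError(f"unknown lockflag {lockflag!r}")
    if critical_lock_state is None:
        critical_lock_state = 0
    if critical_lock_state not in (0, 1):
        raise ValueError("critical_lock_state must be 0 or 1")
    return LockFields(state, critical_lock_state)


def check_seccfg(fields: LockFields) -> List[str]:
    """Flag field combinations worth reviewing before rebooting into Android 13."""
    problems: List[str] = []
    if fields.lock_state not in (LOCK_STATE_LOCKED, LOCK_STATE_UNLOCKED):
        problems.append(f"unexpected lock_state {fields.lock_state}")
    if fields.lock_state == LOCK_STATE_UNLOCKED and fields.critical_lock_state == 1:
        # Exactly the combination the reporter saw: dm-verity complains at startup.
        problems.append("unlocked device with critical_lock_state=1 (dm-verity will complain on Android 13)")
    return problems


if __name__ == "__main__":
    # Constructed sample: fields as the unpatched code wrote them, then as patched.
    before = LockFields(lock_state=3, critical_lock_state=1)
    after = lock_fields_for("unlock")
    print("before:", before, check_seccfg(before))
    print("after: ", after, check_seccfg(after))
```

Run it directly to compare the pre-patch and post-patch field values; `lock_fields_for("unlock", 1)` reproduces the old behaviour for devices that turn out to need it.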

pierre-durand commented 4 weeks ago

Of course, I disabled verification flags in vbmeta. But it seems the flags in seccfg have precedence there.