Redmi Note 5 the required file firehose - GSM-Forum

vaterpahk · 09-04-2018, 14:40

From the program:
Var XIAOMI-Redmi Note 5 Pro Whyred (Note 5 Pro LTE DS) at Auto Select Flash Port [SAHARA] {Read Flash}
QDL USB Com: Vid_05c6&Pid_9008 (COM22)
SAHARA VERS: 2.1
SAHARA HWID: 000CC0E100000000 [SDM636]
SAHARA HASH: A7B8B82545A98ECA23D6E9105FB464568D1B5828264903441B DEF0CD57E3C370
SAHARA SERN: F1585ED5 (4049100501)
SAHARA PROG: prog_emmc_firehose_Sdm660_ddr_xiaomi1.elf.
SAHARA Upload Failed: -2
Possible Wrong FireHose Attestation
Restart/Reconnect Device, Battery before Next Boot
Last USB Exception: 0x001F .
Can be Cable Problem or Battery Low !

From the latest firmware:
Var XIAOMI-Redmi Note 5 Pro Whyred (Note 5 Pro LTE DS) at Auto Select Flash Port [SAHARA] {Read Flash}
QDL USB Com: Vid_05c6&Pid_9008 (COM22)
SAHARA VERS: 2.1
SAHARA HWID: 000CC0E100000000 [SDM636]
SAHARA HASH: A7B8B82545A98ECA23D6E9105FB464568D1B5828264903441B DEF0CD57E3C370
SAHARA SERN: F1585ED5 (4049100501)
SAHARA PROG: prog_emmc_firehose_Sdm660_ddr.elf
FHPROG SZFT: 0
FHPROG SZTT: 0
FHPROG SPTT: 0
FHPROG XSIZ: 0
FHPROG VERS:
FHPROG PLTF:
FHPROG CHSN: 0x7FFFFFFF
FHPROG MEMT:
FHINFO Failed
FHPROG Read Fail: -2,
Path: C:\Program Files\SarasSoft\UFS\UFS_SAMs\ANDROID_UFS_1057\XIAO MI-Redmi Note 5 Pro Whyred\
FHREST DONE: Ok
Read Flash Done in: 00:00.686

vaterpahk · 09-04-2018, 17:54

Here is the log:

Var XIAOMI-Redmi Note 5 Pro Whyred (Note 5 Pro LTE DS) at Auto Select Flash Port [SAHARA] {Read Flash}
QDL USB Com: Vid_05c6&Pid_9008 (COM22)
SAHARA VERS: 2.1
SAHARA HWID: 000CC0E100000000 [SDM636]
SAHARA HASH: A7B8B82545A98ECA23D6E9105FB464568D1B5828264903441B DEF0CD57E3C370
SAHARA SERN: F1585ED5 (4049100501)
SAHARA PROG: prog_emmc_firehose_Sdm660_ddr.elf
FHPROG FAIL: This Firehose Need Authentication
SAHARA SIGR: "blob" value="_7___7rVCGXHeeXdKiQOhubzXNw"
FHPROG FAIL: This Firehose Need Authentication
SAHARA SIGR: "blob" value="_7___-HAA48MGD6MR4GZSpohO8M"
SAHARA Config Fail: -3

Sha · 09-04-2018, 19:58

Hi
these phones have new authentication system (done by Xiaomi)
i call it SIG, because them added new command to his Firehose programmer's.

Things to need to know:
1. QC was always implemented SW_VERSION (RollBack) tag in his certificate
validation schema, but nobody was used it before (Except Samsung and LG)
2. After FireHose is Validated, OEM manufacturer is free to add his own
secondary authentication (First was introduced in old SE phones which was need
SE validation card, now old golden idea was taken by Xiaomi and auth protocol
moved to server)

So what in fact we can do:
1. Need to Have FireHose Programmer signed to current eFuse Value
with sme HW_ID and Higher or Same SW_ID (Included RollBack Version)
tags without a SIG authentication extension.
Here is importan RollBack Version, is activated then tag value is > 0

How we can recognize it:
Unfortunatelly Sahara Protocol, not let us to read SW_ID tag and
choose right RollBack Satisfied Firehose Automatically

Fast boot "getvar:all" will show "RollBack Version" or "Anti" Variable
who reflects RollBack (SW_VERSION) value

How to check is FireHose Ready to do jobs:
Jus Open it wih notepad and look for "SW_ID"
Here You will see Hex Value string: 0000000200000003 SW_ID
Here You see RollBack (SW Version) = 2
So with this FireHose can serve : RB: 0, 1, 2 and cannot work with 3, 4, ...

How to see is FireHose Need Xiaomi Authentication or not
is same open with note pad and search for this string: "sig "
(white space is important here)
if not found "sig " - you are lucky: this FireHose not need it.

And for sure do not forget that Root CA HASH must be same as is in eFuse (QFPROM)

jmr · 09-04-2018, 20:42

:\Adb>fastboot getvar all
NFOcrc:1
NFOanti:4
NFOtoken:h8Xrv1K2lN33DAdbD9OeKtHGwNA=
NFOunlocked:no
NFOoff-mode-charge:0
NFOcharger-screen-enabled:0
NFObattery-soc-ok:yes
NFObattery-voltage:3905
NFOversion-baseband:
NFOversion-bootloader:
NFOvariant:SDM EMMC
NFOpartition-type:cache:ext4
NFOpartition-size:cache: 0x10000000
NFOpartition-type:userdata:ext4
NFOpartition-size:userdata: 0xCD77F7E00
NFOpartition-type:system:ext4
NFOpartition-size:system: 0xC0000000
NFOsecure:yes
NFOserialno:49970530
NFOproduct:whyred
NFOmax-download-size:536870912
NFOkernel:uefi
ll:

Sha · 09-04-2018, 20:47

Yor Roll back:
NFOanti:4
so You need at least
000000040000000x SW_ID

I forget to say,
SW_ID (Version Tag) eFuse is "INCREMENTAL" (Like TaxoPhone Card

vaterpahk · 09-04-2018, 21:13

Thank!

In my case, unfortunately, the anti-rollback 4, and even included Find device.
Only one file: prog_emmc_firehose_Sdm660_ddr.elf
have California1"0 0000000300000003 SW_ID, 4 none.

So while waiting and smoke bamboo!

Another question: in the second space there is a possibility to unlock the bootloader. Will this method work?

vaterpahk · 09-04-2018, 21:40

My case:
C:\adb>fastboot getvar all
(bootloader) crc:1
(bootloader) anti:4
(bootloader) token:2M0M5zQR4YejQZIcAxSegNVeWPE=
(bootloader) unlocked:no
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:4015
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) variant:SDM EMMC
(bootloader) partition-type:cache:ext4
(bootloader) partition-size:cache: 0x10000000
(bootloader) partition-type:userdata:ext4
(bootloader) partition-size:userdata: 0xCD77F7E00
(bootloader) partition-type:system:ext4
(bootloader) partition-size:system: 0xC0000000
(bootloader) secure:yes
(bootloader) serialno:8fc69018
(bootloader) product:whyred
(bootloader) max-download-size:536870912
(bootloader) kernel:uefi
all:
finished. total time: 0.252s

C:\adb>fastboot reboot
rebooting...

finished. total time: 0.025s

C:\adb>

ferouz kassim · 09-05-2018, 22:54

i 100% agree with this "now old golden idea was taken by Xiaomi and auth protocol
moved to server)
" coz if u try using latest mi flashtool this is implemented already phone is recognised in edl mode sends programmer horse then connects to server and asks for mi account if wasnt loged in befre then server checks if ur mi account is viable then if result is positive then continues flashing if not then get this error

Quote:

file C:\Users\FERZ\Desktop\whyred_global_images_8.7.26_ 20180726.0000.00_8.1_global\images\prog_emmc_fireh ose_Sdm660_ddr.elf transferred successfully
[8:18:42 PM COM57]:send nop command
[8:18:42 PM COM57]:send command:<?xml version="1.0" ?><data><nop verbose="0" value="ping"/></data>
[8:18:42 PM COM57]:get response from target
[8:18:42 PM COM57]:dump:<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Binary build date: Jul 26 2018 @ 01:39:39"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Chip serial num: 4290637791 (0xffbdefdf)"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Supported Functions: program configure sig nop firmwarewrite patch setbootablestoragedrive ufs emmc power benchmark read getstorageinfo getsha256digest erase peek poke "/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Binary build date: Jul 26 2018 @ 01:39:39
"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="fh.attrs.Verbose is set to 0"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Chip serial num: 4290637791 (0xffbdefdf)"/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="Supported Functions: program configure sig nop firmwarewrite patch setbootablestoragedrive ufs emmc power benchmark read getstorageinfo getsha256digest erase peek poke "/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="ACK" />
</data>

[8:18:43 PM COM57]:send configure command
[8:18:43 PM COM57]:send command:<?xml version="1.0" ?><data><configure verbose="0" ZlpAwareHost="1" MaxPayloadSizeToTargetInBytes="131072" MemoryName="emmc" SkipStorageInit="0"/></data>
[8:18:43 PM COM57]:get response from target
[8:18:43 PM COM57]:dump:<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Only nop and sig tag can be recevied before authentication."/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" />
</data>

[8:18:43 PM COM57]:[8:18:43 PM COM57]:dump:<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Only nop and sig tag can be recevied before authentication."/>
</data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" />
</data>

09-04-2018, 14:40	#1 (permalink)
vaterpahk Freak Poster Join Date: Jun 2011 Posts: 295 Member: 1596913 Status: Offline Thanks Meter: 107	Redmi Note 5 the required file firehose From the program: Var XIAOMI-Redmi Note 5 Pro Whyred (Note 5 Pro LTE DS) at Auto Select Flash Port [SAHARA] {Read Flash} QDL USB Com: Vid_05c6&Pid_9008 (COM22) SAHARA VERS: 2.1 SAHARA HWID: 000CC0E100000000 [SDM636] SAHARA HASH: A7B8B82545A98ECA23D6E9105FB464568D1B5828264903441B DEF0CD57E3C370 SAHARA SERN: F1585ED5 (4049100501) SAHARA PROG: prog_emmc_firehose_Sdm660_ddr_xiaomi1.elf. SAHARA Upload Failed: -2 Possible Wrong FireHose Attestation Restart/Reconnect Device, Battery before Next Boot Last USB Exception: 0x001F . Can be Cable Problem or Battery Low ! From the latest firmware: Var XIAOMI-Redmi Note 5 Pro Whyred (Note 5 Pro LTE DS) at Auto Select Flash Port [SAHARA] {Read Flash} QDL USB Com: Vid_05c6&Pid_9008 (COM22) SAHARA VERS: 2.1 SAHARA HWID: 000CC0E100000000 [SDM636] SAHARA HASH: A7B8B82545A98ECA23D6E9105FB464568D1B5828264903441B DEF0CD57E3C370 SAHARA SERN: F1585ED5 (4049100501) SAHARA PROG: prog_emmc_firehose_Sdm660_ddr.elf FHPROG SZFT: 0 FHPROG SZTT: 0 FHPROG SPTT: 0 FHPROG XSIZ: 0 FHPROG VERS: FHPROG PLTF: FHPROG CHSN: 0x7FFFFFFF FHPROG MEMT: FHINFO Failed FHPROG Read Fail: -2, Path: C:\Program Files\SarasSoft\UFS\UFS_SAMs\ANDROID_UFS_1057\XIAO MI-Redmi Note 5 Pro Whyred\ FHREST DONE: Ok Read Flash Done in: 00:00.686

09-04-2018, 19:58	#3 (permalink)
Sha Product Supporter Join Date: Nov 2002 Location: usd Age: 64 Posts: 1,152 Member: 17804 Status: Offline Sonork: 100.27310 Thanks Meter: 1,075	Hi these phones have new authentication system (done by Xiaomi) i call it SIG, because them added new command to his Firehose programmer's. Things to need to know: 1. QC was always implemented SW_VERSION (RollBack) tag in his certificate validation schema, but nobody was used it before (Except Samsung and LG) 2. After FireHose is Validated, OEM manufacturer is free to add his own secondary authentication (First was introduced in old SE phones which was need SE validation card, now old golden idea was taken by Xiaomi and auth protocol moved to server) So what in fact we can do: 1. Need to Have FireHose Programmer signed to current eFuse Value with sme HW_ID and Higher or Same SW_ID (Included RollBack Version) tags without a SIG authentication extension. Here is importan RollBack Version, is activated then tag value is > 0 How we can recognize it: Unfortunatelly Sahara Protocol, not let us to read SW_ID tag and choose right RollBack Satisfied Firehose Automatically Fast boot "getvar:all" will show "RollBack Version" or "Anti" Variable who reflects RollBack (SW_VERSION) value How to check is FireHose Ready to do jobs: Jus Open it wih notepad and look for "SW_ID" Here You will see Hex Value string: 0000000200000003 SW_ID Here You see RollBack (SW Version) = 2 So with this FireHose can serve : RB: 0, 1, 2 and cannot work with 3, 4, ... How to see is FireHose Need Xiaomi Authentication or not is same open with note pad and search for this string: "sig " (white space is important here) if not found "sig " - you are lucky: this FireHose not need it. And for sure do not forget that Root CA HASH must be same as is in eFuse (QFPROM) Last edited by Sha; 09-04-2018 at 20:27.

09-04-2018, 21:13	#6 (permalink)
vaterpahk Freak Poster Join Date: Jun 2011 Posts: 295 Member: 1596913 Status: Offline Thanks Meter: 107	Thank! In my case, unfortunately, the anti-rollback 4, and even included Find device. Only one file: prog_emmc_firehose_Sdm660_ddr.elf have California1"0 0000000300000003 SW_ID, 4 none. So while waiting and smoke bamboo! Another question: in the second space there is a possibility to unlock the bootloader. Will this method work? Last edited by vaterpahk; 09-04-2018 at 21:23.

09-04-2018, 17:54	#2 (permalink)
vaterpahk Freak Poster Join Date: Jun 2011 Posts: 295 Member: 1596913 Status: Offline Thanks Meter: 107	Here is the log: Var XIAOMI-Redmi Note 5 Pro Whyred (Note 5 Pro LTE DS) at Auto Select Flash Port [SAHARA] {Read Flash} QDL USB Com: Vid_05c6&Pid_9008 (COM22) SAHARA VERS: 2.1 SAHARA HWID: 000CC0E100000000 [SDM636] SAHARA HASH: A7B8B82545A98ECA23D6E9105FB464568D1B5828264903441B DEF0CD57E3C370 SAHARA SERN: F1585ED5 (4049100501) SAHARA PROG: prog_emmc_firehose_Sdm660_ddr.elf FHPROG FAIL: This Firehose Need Authentication SAHARA SIGR: "blob" value="_7___7rVCGXHeeXdKiQOhubzXNw" FHPROG FAIL: This Firehose Need Authentication SAHARA SIGR: "blob" value="_7___-HAA48MGD6MR4GZSpohO8M" SAHARA Config Fail: -3

09-04-2018, 20:42	#4 (permalink)
jmr No Life Poster Join Date: Oct 2007 Location: Colombia Posts: 1,812 Member: 614683 Status: Offline Sonork: 100.1605379 Thanks Meter: 370	:\Adb>fastboot getvar all NFOcrc:1 NFOanti:4 NFOtoken:h8Xrv1K2lN33DAdbD9OeKtHGwNA= NFOunlocked:no NFOoff-mode-charge:0 NFOcharger-screen-enabled:0 NFObattery-soc-ok:yes NFObattery-voltage:3905 NFOversion-baseband: NFOversion-bootloader: NFOvariant:SDM EMMC NFOpartition-type:cache:ext4 NFOpartition-size:cache: 0x10000000 NFOpartition-type:userdata:ext4 NFOpartition-size:userdata: 0xCD77F7E00 NFOpartition-type:system:ext4 NFOpartition-size:system: 0xC0000000 NFOsecure:yes NFOserialno:49970530 NFOproduct:whyred NFOmax-download-size:536870912 NFOkernel:uefi ll:

09-04-2018, 20:47	#5 (permalink)
Sha Product Supporter Join Date: Nov 2002 Location: usd Age: 64 Posts: 1,152 Member: 17804 Status: Offline Sonork: 100.27310 Thanks Meter: 1,075	Yor Roll back: NFOanti:4 so You need at least 000000040000000x SW_ID I forget to say, SW_ID (Version Tag) eFuse is "INCREMENTAL" (Like TaxoPhone Card

09-04-2018, 21:40	#7 (permalink)
vaterpahk Freak Poster Join Date: Jun 2011 Posts: 295 Member: 1596913 Status: Offline Thanks Meter: 107	My case: C:\adb>fastboot getvar all (bootloader) crc:1 (bootloader) anti:4 (bootloader) token:2M0M5zQR4YejQZIcAxSegNVeWPE= (bootloader) unlocked:no (bootloader) off-mode-charge:0 (bootloader) charger-screen-enabled:0 (bootloader) battery-soc-ok:yes (bootloader) battery-voltage:4015 (bootloader) version-baseband: (bootloader) version-bootloader: (bootloader) variant:SDM EMMC (bootloader) partition-type:cache:ext4 (bootloader) partition-size:cache: 0x10000000 (bootloader) partition-type:userdata:ext4 (bootloader) partition-size:userdata: 0xCD77F7E00 (bootloader) partition-type:system:ext4 (bootloader) partition-size:system: 0xC0000000 (bootloader) secure:yes (bootloader) serialno:8fc69018 (bootloader) product:whyred (bootloader) max-download-size:536870912 (bootloader) kernel:uefi all: finished. total time: 0.252s C:\adb>fastboot reboot rebooting... finished. total time: 0.025s C:\adb>