Seva's notes

Wisdom, Awareness, Responsibility :)

Archive for December 2018

Xiomi POCO F1 Locked with Numeric Keyboard (solved)

leave a comment »

I’ve got my Xiaomi Pocophone F1 Global version in September 2018. The main pros were the price, the feature set, the responsiveness of the development team, the speed of releasing the software updates, and especially the sweet security compliance with my employer’s policies.

Speaking of which, one of the security requirements was that the device must be locked with a complex password. Pattern or PIN was not enough. Nevertheless, I needed to type the password only after reboots, which were very rare, thanks to phone and OS stability.

Yesterday I was excited to find that a new version of MIUI based on Android Pie (9.0) has been launched globally and landed on my phone. I upgraded the phone with no hesitations, as always…

The unpleasant surprise hit me when the installation was complete. My employer’s security team has not yet certified Android Pie, so the phone kept rebooting after logging in. My obvious reaction was to wipe out the data and remove the employer’s software until it’s certified. Ouch, that was a mistake.

After wiping out the data, the device was left locked to the existing Google account. And the Google account was locked with the phone protection password. Wiping the data did not annihilate that relation. So when proceeded with the fresh MIUI setup of the phone, it asked to confirm the phone protection password. I had the password memorized password perfectly, but there was a roadblock: the text field to type the password was numeric. Meaning, it allowed only to tap numbers. And here my saga began.

My 1st approach was to find an open a text field, type my password there and then paste it to the protection password field. I found my way via the WiFi setup wizard, where I hit “show password” button and could type and copy the unlock password. However that didn’t help, since the numeric field was not only disallowing typing non-numeric characters but also filtering them out on pasting.

The 2nd approach was to follow the conventional phone unlock process with MiFlash Unlock utility. However, that required linking the device to account retroactively in Developer Options, which I could not complete since device Settings were not accessible. For the same reason, full firmware reinstall would not work – it required changing “OEM Unlocking” flag in Developer Options.

The 3rd approach was the less straightforward “FRP bypass” method. In few words, the method is to exploit a variety of sideways in the setup process to access external sites and install specific APKs that help triggering system APIs to run system calls directly. I managed to reach Youtube, Google and even download a few different apps with that method, but none of them really helped.

Finally, after a few more random frictions, I found my way through. In very brief, I reached out from WiFi setup to Phone Calling app to Contacts to GMail to Exchange account setup to Certificate storage, that allowed me to change the device password-locking properties without entering the password. Posted my step-by-step guide here:

After resetting the password protection to Pattern, I went back and successfully finalized the MIUI setup process.

Written by Seva

2018-12-16 (December 16) at 12:14:30

Posted in hardware, mobile, past, software