This article consists of an introduction to how I got my phone, a walkthrough of what I did to make my phone great again, and a brief discourse on the security implications.

If you are unfamiliar with any of the terms below, check out any generic rooting guide, like this one. They should cover most of the terminology.

Part one: getting the phone

It started when my OnePlus One (OPO) got sluggish after two years of use. Expecting it to die soon, I began my search for a replacement phone.

Using your phone to search for a new phone is like asking it to dig its own grave.

Going with a best-bang-for-buck philosophy, I bought a XiaoMi Note 3 Pro Prime (XN3). For £150, it packed a hexa-core processor, a 4000 mAh battery, 3 GB of RAM and a 12 MP camera. It was a pretty good drop-in replacement for the OPO.

With the OPO, I was perfectly happy with the stock ROM. It was fast, intuitive, clean and lean. The XN3, on the other hand, came with MIUI. It wasn’t bad per se, just something new to get used to: it has various different default apps, the soft keys behave differently, etc.

I thought I could live with the stock firmware since I am not that much of a power user and I don’t need all the bells and whistles that custom ROMs provide. All was good until two months later, when I bought another XiaoMi device, the Mi Band 2, and accidentally installed a bloatware app.

The problem with big brands these days is that they try to build a walled garden around their devices and introduce their own ecosystem.

In order to use the band, I had to install the Mi Fit app, which requires a Mi account. Up till then, I hadn’t created a Mi account or associated one with my phone, which apparently has great integration with Mi’s cloud services. Trusting one giant, Google, with my private data is already too much for me, and I didn’t want to worry about another Chinese cloud provider.

The last straw came when I installed a random app that I found on my news feed and ended up having ads shown to me every single time I unlocked my phone. Shocking, but that is the current economy of free apps: remember that we consumers are the product. See here and here. Even after uninstalling those new apps, the issue persisted. It got very distressing when it started showing racy ads whenever I unlocked my screen.

I clearly could not live with that and I decided to spend an evening (it took two evenings in the end) fixing my phone.

Part II: The journey to having CM13 on XN3

Rooting a phone is not a new affair for me. The trick is really to find the right guide. I happened to find this guide and a video tutorial which pretty much holds your hand through the process.

The process from a new phone to CM13 is as follows:

  • Unlock the bootloader
  • Install and/or boot into a custom recovery
  • Wipe and flash necessary files
  • Profit

Rather than making a list of things to do, I will share the issues I faced and how to overcome them specifically for my XN3.

Unlocking the bootloader

The bootloader is the first thing that the phone starts; a locked bootloader means that the phone will only ever start the installed ROM or the recovery ROM. The bootloader needs to be unlocked in order to boot something different (e.g. via fastboot) and do what we want.

There is an official way, which involves making a case to XiaoMi and getting them to send you an unlock code. I didn’t bother because the process took too long, and they want you to make a Mi account.

There is also an unofficial way, which is to use the MiFlash tool to overwrite the installed ROM with this, together with the unlocked bootloader patch, so that we can boot into fastboot.¹

Once in fastboot, we can run fastboot oem unlock to finish unlocking the bootloader.

Installing a custom recovery

In fastboot, we can use fastboot boot <img> to boot a different image. Here we want to boot into a custom recovery that allows us to install other ROMs. The famous one is TWRP; this guide explains the different flavours. I originally installed TWRP Safe because it seemed like the safest choice. However, I experienced issues after flashing the ROM: hardware such as the camera and fingerprint reader kept force closing. In the end, I went with TWRP Alka, which was recommended for the ROM I wanted to install.

Wipe and flash

Once we are in the custom recovery, we can wipe and flash any zip files we want. I chose CM13 because it seems to have everything working. The ROM doesn’t come with default system apps such as the Play Store, so I also had to flash gapps-pico. There is also a camera fix and a fingerprint fix if things aren’t working.

Help

When things are going south, calm down, MiFlash the unlocked ROM from the previous step and start again.

Security concerns and how to mitigate them

Having an unlocked bootloader can compromise security. After all, a locked bootloader means there is no way of booting a different ROM. Coupled with a secure password for unlocking the screen, most phones can limit the damage when they are stolen. This relies on the fact that unlocking the bootloader causes the phone to be wiped.

Let me put a black hat on for now. Suppose I find a phone. I can simply wipe it and sell it on the market, or I can extract all the data and snoop around for further compromise, on top of wiping the phone and selling it.

If Android debugging (USB debugging) was turned on, I would simply use adb to bypass the lock screen, and I would then have access to all the pictures taken, the email account, saved browsing sessions. You get the point.

Suppose debugging mode was not enabled. If there was a custom recovery, I would boot into it and flash another ROM, which preserves the data folder, and I would have full access to the data as if the lock screen were not there.

Now suppose there was no custom recovery, but the bootloader was unlocked. Then I could boot a custom recovery and do the step above.

It sounds like not flashing the custom recovery (at the cost of making future updates more inconvenient) and relocking the bootloader can prevent the above scenario, but I am unsure.

Another way is to encrypt the phone’s data, a feature provided in newer Android versions. This requires the decryption key at boot, which means that even if someone bypasses the lock screen, they still can’t read the data. This seems to be the best way of having an awesome custom ROM while keeping your private data secure. I have yet to try it for long enough to recommend it. It is interesting to note that researchers have found a way to extract the decryption key if the malicious user gets hold of the phone while it is powered on (which is usually the case when phones are lost or stolen), by putting it in the freezer to make the data persist in RAM.
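To turn the scenarios above into something you can check on your own phone, here is an added shell script (not from the original post) that reads getprop output and reports the three properties those scenarios hinge on: whether the bootloader is locked, the verified-boot state, and whether userdata is encrypted. It assumes this Xiaomi firmware exposes ro.boot.flash.locked (the other two are standard Android properties), and the sample dump at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report the device properties
# behind the scenarios above (bootloader lock, verified boot, encryption).
# Assumption: this Xiaomi firmware exposes ro.boot.flash.locked; the other
# two are standard Android properties. Missing properties report "unknown".
# Live use (USB debugging on):  adb shell getprop | posture_report
# Reads getprop output ("[key]: [value]" lines) on stdin and prints one line
# per check plus a final "risk_score: N" (N = number of failed checks).
posture_report() {
    locked=unknown vbstate=unknown crypto=unknown
    while IFS= read -r line; do
        case "$line" in "["*"]: ["*"]") ;; *) continue ;; esac
        key=${line#\[}; key=${key%%\]*}
        val=${line#*: \[}; val=${val%\]}
        case "$key" in
            ro.boot.flash.locked)      locked=$val ;;
            ro.boot.verifiedbootstate) vbstate=$val ;;
            ro.crypto.state)           crypto=$val ;;
        esac
    done
    score=0
    if [ "$locked" = 1 ]; then
        echo "bootloader: locked"
    else
        echo "bootloader: NOT locked ($locked): a custom recovery can be booted, so the lock screen alone does not protect userdata"
        score=$((score + 1))
    fi
    if [ "$vbstate" = green ]; then
        echo "verified boot: green (unmodified, signed boot chain)"
    else
        echo "verified boot: $vbstate (orange = unlocked, yellow = custom key, red = failed)"
        score=$((score + 1))
    fi
    if [ "$crypto" = encrypted ]; then
        echo "userdata: encrypted (not readable from a recovery without the credential)"
    else
        echo "userdata: NOT encrypted ($crypto): readable from any booted recovery"
        score=$((score + 1))
    fi
    echo "risk_score: $score"
}

# Constructed sample standing in for `adb shell getprop` on a freshly
# unlocked phone with no encryption (kenzo = this XN3's codename).
SAMPLE_DUMP='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.crypto.state]: [unencrypted]
[ro.product.device]: [kenzo]'
printf '%s\n' "$SAMPLE_DUMP" | posture_report
```

A score of 0 is what you want before carrying the phone around; anything else names the scenario from the section above that still applies.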

  1. If the link dies, google the file kenzo_global_images_V7.1.8.0.LHOMICL_20160129.0000.14_5.1_global_9706e12561.tgz ↩︎