Unlocking the Poco F1
by Badri Sunderarajan · Tue 22 October 2024
My Nokia 2720 flip phone has been serving me well, but I recently wanted to get a device on which I could try Mobian. The development experience for Android and iOS apps isn't great, and apparently declining by the day, but Mobian is different because I can just write a desktop app using whatever programming language I want and have it run on the phone as well. It helps that my laptop has a touchscreen, so I can easily test out the touch interactions too.
All that was somewhat of a moot point when I didn't have a phone to actually run things on. I could have saved up for the PinePhone by Pine64 or Purism's Librem 5 (which is currently at the cheapest it's ever been), or one of the Droidian alternatives like the Volla Phone, F(x)tec Pro, or Furi Labs' newly released FLX1. But rather than waiting for something in the future, I decided to go for something less expensive that I could get my hands on right away: the Xiaomi Poco F1.
Purchasing the Poco
Known internationally as the Pocophone F1, this device was first released back in 2018, but is still on sale in the secondhand market. It also happens to be one of two "originally Android" phones that are officially supported by Mobian (with some caveats such as incomplete drivers for the sensors and camera).
I found a 6GB RAM variant for sale at ₹6,500 on OLX, the peer-to-peer secondhand marketplace sometimes used by scammers but also frequented by potentially legitimate people. "Turn your phone into a sellphone" was a marketing line of theirs I remember, although ironically the only thing I'd bought on there was the Nokia cellphone that was incapable of running their app. OLX warns buyers not to make payments until they have the product in their hands, an instruction that is often ignored by people opting for the convenience of home delivery (I ignored it too, the first time around, but that's a different story).
This time, I opted for the official method: meet the seller in person to pick up the purchase. In my case, the seller was Ram, a freelance artist who had put off upgrading phones as long as he possibly could, but eventually had to make the switch in order to exerience the design patterns of later versions of Android. Before the Poco, Ram used to use various button phones; his Nokia XpressMusic phone is still alive and currently functioning as his alarm clock.
Back home (or rather, my cousin home), I started going through the unlock instructions—which I realised I should have done earlier, because Xiaomi requires you to have a Mi account that is more than 7 days old in order to unlock one of their devices. A common tip is to create your Mi account in advance and keep it ready before you even buy the device.
A note on unlocking
Unlike computers, where you can generally install anything you want, whenever you want, smartphones usually have to have their bootloader "unlocked" before they allow you to install other operating systems (or "ROMs" as they call them). Except for "good guys" like Purism, Pine64, and Fairphone, manufacturers would rather you continue using whatever OS they gave you so they can continue targeting ads at you or spying on your conversations or whatever it is they usualy do. This means the unlocking process for your phone, depending on the manufacturer, can be quick, complicated, annoying, or even impossible.
Xiaomi falls on the "officially supported but very bureaucratic" end of the spectrum. To unlock one of their phones, you officially need to have:
- A Mi account more than 7 days old
- A SIM card with a valid data plan, linked to your Mi account and inserted into your device
- Location services and "Find My Device" enabled on your phone
- A computer or laptop with Windows, to run their proprietary unlock software
- Ideally a USB 2.0 port, cable, or hub because apparently their software has issues with newer USB connections
I didn't have a Windows device (who even uses Windows these days?) but I found this handy guide by Cheewai which details how to perform the unlocking using Linux instead. Basically, I had to use XiaoMiToolV2 which is a version of Xiaomi's official Unlock Tool modified to work on operating systems other than Windows. The guide explains things very clearly, although things turned out slightly differently.
Here's what happened.
The unlock process
Note: What follows is my experience of the unlock process. If you just want to unlock your phone, I'd suggest you follow the first half of Cheewai's guide, up until the "How" section. After that, instead of the XiaoMiToolV2, download and run offici5l's MiUnlockTool (at least, that's what eventually worked for me).
Register a Mi account. I couldn't make this more than 7 days old, of course, but I signed up using my email address.
The email confirmation link didn't arrive though—and it seems Xiaomi OTPs are notorious for taking an eternity to deliver. Unfortunately I'd clicked on "resend link" a bunch of times, only to realise it generates a new link each time. So when the first link finally arrived, it had already been superseded by later ones. I eventually waited for all of them to come in, at approximately 7 minutes per link, and finally "resent" it for one last time and waited for it to come in to complete the signup process.
Insert a valid SIM card with enough data balance. Cheewai's guide says the process uses at least 50MB during the unlock process. My phone plan had more than a GB per day, so that was fine. In fact, my phone also had unlimited data from 12am to 6am, which could have worked in a pinch.
Log into the Mi account on the phone, using mobile data (not WiFi). I did this by going to Settings -> Mi Account as suggested. Since my number was not linked, I went and added the number to my account as well—you can never tell how strict these things are. I ran into some OTP glitches again (via SMS this time), but got it done with a bit of patience.
I also read somewhere else that I should enable "Find My Device" in the Mi settings, which also requires me to keep my location on. That's something I usually don't do, but I went ahead and did it this time.
Enable Developer options. This is a standard procedure that I'm familiar with. I went to Settings -> About phone and tapped repeatedly on the reported "Mi version" until a toast informed me that "You are now a developer!"
Go to Additional settings -> Developer options and enable "OEM unlocking" as well as "USB debugging". This was straightforward; just a couple of toggles to turn on. When I plugged the phone into laptops later, I had to give permission for those laptops to conduct debugging over the USB cable.
Go to Mi Unlock Status and register your account and device for unlocking. When I opened this setting, it asked me to turn off mobile data. I then tapped the button to check my device's unlock status, at which point it asked me to allow sending certain hardware information about the device and SIM card to Xiaomi. That done (they probably knew everything about me at this point) the button changed to one asking me to register the device and account for unlocking. Cheewai got an error message that they had to fix by signing out of their account and signing back in, but I soon got the "Device has been registered for unlocking with this account" toast without any problems.
Attempt 1: An outdated version
This is where I hit my first roadblock. I downloaded XiaoMiToolV2 from francescotoscari's repo as advised, but was unable to build it since it needed Java version 11, which was not packaged for my system. There were pre-built downloads available, but Xiaomi had since modified their login process, which meant I had to make a tiny edit to the code and rebuild it for it to work properly.
I decided to try with the pre-built download anyway and see how it went. After agreeing to a disclaimer that the tool is "developed by a random guy (me) and NOT by Xiaomi" and ignoring a demand to download an updated version of the software, I was greeted with a neat screen that had two options: "My device works normally; I want to mod it", and "My device is bricked; I want to unbrick it".
Well, I guess the second button was reassuring. I clicked on the first one after making sure my phone was plugged in with debugging allowed for my laptop. The tool did a little scan and detected my Poco F1, after which it rebooted the phone into Fastboot mode to gather further information. Fastboot mode, as I understand it, is a low-level mode where you can run commands via a USB cable to do things like reboot the phone or flash different images onto it. Anyway, the tool did its thing and then booted my phone back into normal mode. This was the point at which it asked me to sign into my Xiaomi account, which I did...
...and got hit by the error I was hoping to avoid! "Xiaomi procedure failed", the app yelled in bold. "[getServiceToken]", it added helpfully in a softer voice, "Missing serviceToken cookie".
It looked like I'd have to go and manually install Java 11 after all, and hope it didn't mess with my system Java. I've always found Java annoying (which makes Android development doubly annoying, and part of the reason I wanted to stay as far from it as possbile; it's ironic because Java is also a common way to program apps for various feature phones).
Attempt 2: The Official Way™
At this point, I decided to try things The Official Way™ since I was anyway visiting smileybone who is one of the few people I know running (a dual-booted) Windows on his laptop. ("See?" he told me gleefully. "This is why I dual-boot, unlike you guys!")
After doing the Mi Unlock Status thing again just in case, we downloaded The Official unlock tool from The Official website. The tool first asked me to sign in. I entered my password, and there was a bit of a stumble because it said it was going to send an OTP to my phone, but displayed a page with a CAPTCHA instead and the OTP never came. It turned out I had to fill out the CAPTCHA in order to send the OTP, which explained why it was never delivered even after a long breakfast (although given my experience I wouldn't put it past Xiaomi to actually take that long).
On plugging in my phone, it was detected by the tool the same way as last time. Unfortunately, once the phone got into Fastboot mode, the Xiaomi unlock tool wasn't able to detect the phone any more, even though Windows seemed to detect it fine. "Please plug in your device", it kept bleating.
I searched online and found instructions to install a driver file that unfortunately didn't exist in the version of the Xiaomi tool I'd downloaded, and didn't work even when I got hold of it from a different place. But the main instruction most people seemed to say was: use a USB 2.0 port, because Xiaomi has problems with newer USB versions. Alternatively, use an old USB hub that has only 2.0 ports, or do anything else to get it down to 2.0.
Unfortunately, we had neither time nor USB hubs on our hands, so I decided to shelve the project for another day.
Attempt 2½: Window(s) shopping
I was in the middle of attending the IndiaFOSS conference, and started to get a bit worried because I heard of other people bricking their Xiaomi phones while trying to unlock them. Saswata, who has been unlocking phones for over a decade reassured me that it's possible to un-brick phones even after they've been bricked. The procedure involves something like opening up the phone and shorting two terminals somewhere near the SIM card, so it's not the most convenient, but at least it's possible and he had in fact done it quite recently. Like everyone else I knew at the conference, though, he didn't have Windows on him ("Thankfully not", he quipped).
In the meantime, I met up with rajudev who I learnt has actually unlocked Xiaomi phones using Linux. I was supposed to meet up with him to get help unlocking my phone, but that didn't work out due to the hectic schedule of the conference and me falling ill for about two weeks after. On the bright side, my being ill gave enough time for my Xiaomi account to cross the age of 7, in case that was still important. In the meantime, rajudev sent me a link to the same XiaoMiToolV2 I had tried earlier, so I was on the right track!
The problem was, I was back home by this time, where the mobile data connection on my Vi SIM card didn't work. This usually wasn't a problem, because Vi has the best phone signal, and I'd be using WiFi for data anyway—but as you know, the Xiaomi unlock process specifically needs mobile data to function. Eventually, I went up to the nearby Hippo Rock where mobile signals can reach more easily, and I managed to find a reasonably steady 4G connection! Armed with this new location, my laptop, and a hotspot with my brother's SIM card inserted to serve the laptop, I was ready for my next attempt at unlocking my phone.
Attempt 3: Forks FTW
One workaround mentioned for the XiaoMiToolV2 was to log in by scanning the QR code rather than entering a password. Apparently, that bypassed the [getServiceToken]
error I had encountered last time. I hadn't realised scanning a QR code was an option, but I realised the option was hiding in plain sight: on the corner of the login box was a triangular half-QR code, which when clicked revealed a full code for scanning. This QR code can be scanned with "any supported Xiaomi app"; in my case I used the pre-installed Mi Scanner (after giving the app permission to use my camera, thereby ceding another small bit of my privacy to Xiaomi).
Scanning the QR code magically took me to a "Confirm sign in" button on my phone, which I selected. The phone showed me as signed in, but the app instead said that the QR code had expired. This happened consistently; I tried a few times.
I had started this process in the evening when it wasn't too bright to use screens on the rock, but that meant it had already gotten dark by this time and I had to retreat home. But all wasn't in vain, because in the process of looking this up I came upon an update fork of the XiaoMiToolV2, created by someone called topminipie. What was better still, this one compiled immediately without having to install any different versions of Java!
topminipie's fork handle the QR code login process well. For the first time, I reached a screen warning me about unlocking the phone, what it would mean, the fact that all my data would be cleared, and the button to actually conduct the unlock process. Clicking on it sent the phone into Fastboot mode again, and the app verified that the account was authorised to unlock the phone. Then it tried to verify the phone and get the authentication token, but at that point failed with another error, the even less descriptive "20045".
Searching for this error threw up mixed results. One person had solved the problem for themselves by going into the code and changing the device region to "India", which sounded promising but didn't help me. Others said it could be that the Xiaomi server for my region is down, and suggested simply waiting and trying again later. And, there was a related issue on topminipie's fork, closed cryptically with just a link to a now nonexistent file on a different project.
That turned out to be the final key in this series of locks.
Attempt 4: A Python script was all it took
Giving up after the previous attempt, I came home, but then started looking further into topminipie's comment. The file from that comment was removed, but the repo, MiTool, was still active. It turned out to be a tool that allows you to unlock your phone using another phone, connecting the two through a USB OTG cable.
I didn't have another phone at hand, but I found another repo by the same GitHub user called MiUnlockTool. This was a simple Python script that claimed to do the same thing as the official Mi Unlock Tool, albeit without the fancy UI. It's also cross-platform, and can run on Windows, Mac, Linux, and even within Termux on an Android phone. Since I was back home, I didn't have access to mobile data, but I decided to take a chance and try anyway—what was to lose? I had already registered my account for unlocking less than an hour ago while trying it on the other tool.
I plugged in my phone and ran a script. It opened up a browser window with the familiar Xiaomi login page, the difference being that after logging in I had to manually paste the URL back into the terminal when I saw {"R": "","S":"OK"}
appear. Logging in with the QR code presented me with only a blank page, which the script didn't like, but then I tried again with my email and password and saw the expected page come up. I copied the link to the console, and—
It worked!
The script found the unlock token, worked its magic, and my phone rebooted to the too-familiar "POCO, powered by Android" boot screen. The difference was, this screen now also had an unlock 🔓 icon on top! It stayed that way for quite a while which got me a bit worried, but then when I came to a "Welcome, let's start setting up your device" screen I knew I was through.
A look into the settings confirmed that yes, my phone was now unlocked and therefore insecure and we recommend for your own safety that you lock the device before doing anything else.
If you've read through the article, you might think that unlocking the Poco F1 is extraordinarily complicated. I felt the same way, until I had done it once! But now that I know what to do, it feels like a breeze. (If you want help unlocking your phone, contact me!)
The main stumbling block would be the the timeout asking you to wait a certain number of days—something that I didn't encounter, possibly because my device was already an old phone, or perhaps because (as a note in Cheewai's guide seems to suggest) Xiaomi has loosened up that part of their rules. The other crucial piece is of course to find a tool that's been updated to work with whatever changes Xiaomi makes to their website. In that sense, offici5l's MiUnlockTool served me well, although XiaoMiToolV2 has better documentation on the pre-unlock setup.
That said, Xiaomi is a company to be wary of. Their HyperOS devices have even more complicated unlock requirements than their Android ones, especially in China where you apparently have to become a Level 5 Xiaomi developer by being a citizen of China and filing at least one HyperOS bug report per day, among other things.
This is also not to say that other manufacturers aren't bad too—there's a whole Bootloader Unlock Wall of Shame to inform you otherwise. At the same time, Xiaomi did reduce the unlock waiting time of the Poco F1 back in the day, and seems, according to some reports, to have now dispensed with it entirely.
Would I recommend the Poco F1? If you're on a budget and have some patience, then yes. Just read up a bit first to make sure nothing major has changed. And ideally, make your account and keep it ready at least 7 days before you plan to actually receive the phone.
Addendum: Installing TWRP on the Poco F1
If you've come this far, you'll probably want to install a custom recovery like TWRP and get your custom ROMs going.
Recovery Mode is a special mode of the phone that you can get to—in the case of the Poco F1 by powering the phone down and then holding down both Volume Up and the power button for about ten seconds till the phone boots up again, into recovery mode this time. Recovery modes often don't support touch interaction, so you'll have to use the Volume Up and Volume Down keys to move up and down in the menu and the power button as "Select" or "Enter".
The default recovery mode can't really do much (it's meant to fix Xiaomi's stock Android, not some custom thing). TWRP is a custom recovery that can do a lot more, including finding images downloaded to your filesystem and booting them or even (I think?) flashing them. (It also supports touch interaction, which makes things much less fiddly—or more, depending on your perspective.)
The official instructions are quite clear, as are the those in Cheewai's TWRP flashing guide, which I didn't realise existed until I started writing this post. For reference, here's my version of the steps:
Download the TWRP image for your exact model of phone from the official website. For the Poco F1, the images are called
beryllium
and can be found here.Rename the downloaded file to just
twrp.img
for convenience (or you can just replacetwrp.img
in the following commands with the actual image name)Plug in your phone and get into the now-familiar bootloader mode using
adb reboot bootloader
Once in Fastboot mode, flash the image to recovery:
fastboot flash recovery twrp.img
And, you're done! Well, mostly. The problem is that once you reboot the phone (either pressing fastboot reboot
or through the power button) and get back into Xiaomi's Android, it automatically puts Xiaomi's official recovery back on the device, overwriting TWRP. One way to prevent this is to use Magisk as described in Cheewai's article. The other, which I used, was to explicitly boot into TWRP using,
fastboot boot twrp.img
Note that this command sends the entire image to the phone again, for booting this time. It's nothing to do with what recovery is installed on your phone. But it does the trick, because now you're in TWRP and can use the options there to get back into bootloader mode or just power off your phone (rather than rebooting into stock Android).
The first time I went into TWRP this way, it asked me if I wanted to write onto the system to prevent it from overwriting TWRP with the official bootloader, but in a way that could potentially prevent the system from booting. I said no and rebooted the system, but after getting into Android and out I found that TWRP had been replaced. So I repeated the process, but this time selected "yes" for force-writing changes.
I don't know what the exact consequences to that were, because I installed Mobian right after and never went into Android again.