As I described in the backstory, hardware-wise the Xiaomi Qin F21 Pro was the perfect form factor for me. The power of a smartphone, but actually designed to be a focused communication device, rather than a hamstrung computer.
However, on the software side it needed a bit of work. The phone arrived with little bloat and mercifully no Google components – but there was still a fair bit of Xiaomi stock software, including the notorious browser which reportedly was spying on Chinese users on every page visit [I have no idea if this is the case on the internal Qin].
You can read about my philosophy on the software for the phone here. But to briefly reiterate:
- As the human and owner I and no-one else must be the root of trust.
- Likewise, I should be able to decide what software runs and when it runs.
- Need to know basis – applications should know as little possible, just enough to work and nothing else.
There are thoughtful debates about the security pros and cons, but the prerequisite for this level of control is rooting the phone.
This page will describe the procedure I followed to completely unlock the Qin F21, patch the firmware and root the phone. By the end you will have TWRP (Team Win Recovery Project, a custom recovery) and root under the control of Magisk.
* The usual caveats apply – these interventions can potentially break your phone and will certainly void any warranty. Do not perform unless you absolutely know what you are doing. The steps worked perfectly for me but I cannot accept any responsibility for any damage you may cause to your own device by referring to them – any guidance or software provided on this site are purely for informational purposes only and you use them entirely at your own risk.
Backup and unlock the bootloader
I initially followed this guide [Xiaomi Qin F21 Pro mt6761 Global — Rooted with Play store] on XDA developers. This got me part of the way there – but I had trouble booting after patching the firmware (others have also had this problem), so in the second stage I switched to the custom firmware (see below).
This first stage uses a few standard tools. The Qin runs on a MediaTek chip (a Taiwanese company), and some good tooling exists. I performed this first step on a Linux (Mint) machine, but the tools should run ok on Windows or Mac too. Either way, you’ll need a PC with a USB port and 20+ GB of disk free to make backups.
- Mediatek’s MTK client. This can access the storage partitions on a low level, allowing complete backup of the phone system to a PC. MTKClient requires Python 3.9 (likely already on your system in Linux/Mac).
- The ADB (Android Debug Bridge). This is available as a system package in Ubuntu-derivative Linux – there are some instructions on how to install it in Windows here.
- The Magisk manager app can be downloaded here. Magisk (“the magic mask for Android”) helps to establish root privileges. Note that this is not Magisk itself – it is the manager app that helps install it.
Steps:
- Download and install the software to a PC
- Start your Qin phone and activate developer mode. Go to Settings -> About Phone and then tap 7 times on the “Build number” entry to activate (it’s this kind of bullshit that gives me serious doubts about Android…)
- Go into developer options (Settings -> System -> Developer Options) and activate USB debugging. Then the important one: turn on OEM unlocking (“allow the bootloader to be unlocked”). Turn the phone off.
- Backup step. Start the MTK client user interface using
python3 mtk_gui
It will wait for the phone to be connected. Do this by holding the Qin (Q, top left) and back buttons simultaneously while plugging in the USB connector.
- MTK client should detect the phone and show the partitions. You can back up all or any of these – generally everything other than userdata should be backed up. Of interest are the vbmeta partitions – these hold the hashes calculated to validate the boot, so they can and will need to be cleared (with an empty file) when we replace partitions. Reading the partitions will take a while.
The original guide then attempted to directly patch the bootloader with Magisk in order to root the phone. This didn’t work for me, but might be worth a try (we’ll follow it up in the next step):
- Disconnect from MTK Client, and start up your phone normally. Ensuring USB debugging is on, connect it to the USB port.
- Make a copy of the boot image boot_a.bin that you’ve just backed up using MTK client, named boot.img, and move it onto the phone so we can patch it. Also move the Magisk APK:
cp boot_a.bin boot.img
adb push boot.img /sdcard/Download
adb push magisk.apk /sdcard/Download
- Navigate to the Download folder using the built-in file manager. Find the Magisk APK and install it. This should show the Magisk manager app on your phone (without installing Magisk itself or being rooted).
- Attempt to patch the boot image you copied across. Go to Install -> Select and patch a file. Select the Download/boot.img file, and let Magisk install into that image.
- Pull the patched image just created according to the path Magisk gives – then turn your phone off.
adb pull /sdcard/Download/boot_patched.img
- Use MTK client to unlock the bootloader and push the patched image into the boot partition. First, run the following and connect the phone holding the two-button (Q and back) salute described above:
python3 mtk da seccfg unlock
Following unlock, reset:
python3 mtk reset
Unplug, then reconnect the MTK client to the phone as before:
python3 mtk_gui
- Write the patched bootloader and a blanked vbmeta_a into the phone. Select the Magisk-patched boot.img you have created for the boot_a slot, create an empty file called vbmeta.bin, and use the MTK client to push them to the phone. Then reset when done:
python3 mtk reset
Unfortunately, upon rebooting the phone, I got the dm_verity error message and it went into a boot loop. Never fear – if this does happen, you can always reconnect the phone to MTK client and reflash the original boot_a.bin (and blank vbmeta_a.bin). This completely restored the boot.
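An added example (not code from the original post): a small POSIX shell helper set for the backup, patch and reflash cycle above. It writes a SHA-256 manifest over the MTK client partition dumps so a later restore can be checked, creates the blank vbmeta file, and sanity-checks a Magisk-patched image (boot magic, fits the partition, actually differs from the original) before it is written; the same check applies to the boot_2.img patched in the rooting section below. The backup directory and file names are assumptions; adjust them to where mtk_gui wrote your dumps.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the MTK client dumps
# live in one directory as <partition>.bin (e.g. boot_a.bin, vbmeta_a.bin).
set -eu

# Record a SHA-256 for every partition dump so a restore can be checked later.
write_manifest() {            # write_manifest <backup_dir>
    ( cd "$1" && sha256sum ./*.bin > SHA256SUMS )
}

# Verify the dumps still match the manifest; non-zero exit on any mismatch.
verify_manifest() {           # verify_manifest <backup_dir>
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}

# An empty vbmeta file is what the post flashes to disable verified boot
# for the slot; create it explicitly rather than by hand.
make_blank_vbmeta() {         # make_blank_vbmeta <path>
    : > "$1"
}

# Check a Magisk-patched image before flashing it: it must still start with
# the Android boot image magic, must not be larger than the original dump
# (i.e. the partition size, or the write is truncated), and must actually
# differ from the original (otherwise Magisk did not patch anything).
check_patched_boot() {        # check_patched_boot <orig_dump> <patched_img>
    magic=$(head -c 8 "$2")
    [ "$magic" = "ANDROID!" ] || { echo "bad boot magic" >&2; return 1; }
    orig=$(wc -c < "$1"); new=$(wc -c < "$2")
    [ "$new" -le "$orig" ] || { echo "patched image larger than partition" >&2; return 1; }
    [ "$(sha256sum < "$1")" != "$(sha256sum < "$2")" ] || { echo "image unchanged" >&2; return 1; }
}
```

Run write_manifest right after the MTK client backup finishes and verify_manifest before any reflash; a failing check_patched_boot means the image should not be pushed to boot_a.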
Custom firmware
So my next approach was to replace the firmware itself. There are pros and cons here:
- One pro is that you are replacing the stock Xiaomi firmware, which potentially gives you more control and means you’re not even exposed to low-level spying they might conduct at that level.
- One con is the cracked firmware is … somewhat unofficial. Specifically, it comes from the Russian enthusiasts 4pda.to site.
Now I know that Russian hackers aren’t everybody’s favourite people at the moment, but getting past the Cyrillic it’s actually a well established and respected site and – as far as I can tell – the contributors there seem to be on the level. They just seem to be enthusiast geeks, working in such a niche that – frankly – there wouldn’t be a huge amount for them to gain in introducing malicious code. But caveat emptor, naturally.
You could also use these instructions to install any other firmware you wanted to use, rooted or otherwise.
User Jbatz has prepared a good guide on XDA forum (which is the most respected venue for these matters) going through the installation [Xiaomi Qin F21 Pro Custom Firmware, Root, Playstore Certified]. They also bundled up all the firmware and the software you’ll need – you can download that here.
You will need access to a Windows box for this step (boo!). The instructions in the thread are a little terse, so here are the steps I followed:
- Download and unzip that file onto your Windows PC. I used Windows 10, but anything 7+ should work. Locate and unzip the firmware F21PRO_1.1.1 (2).zip.
- Unzip the driver installer Driver_Auto_Installer_SP_Drivers_20160804 and install. This provides the basic MediaTek SP drivers for the Windows box.
- Locate and unzip the flash tool SP_Flash_Tool_V5. Run flash_tool.exe. Go to the Download section (download meaning: transfer files to the target phone).
- The Download-Agent should already be populated. You’ll need to select the right scatter file – this is important to tell the flash tool the structure of the partitions. You’ll find this in the firmware: F21PRO_1.1.1 (2)\MT6761_Android_scatter.txt
Click download and the flash tool will be ready to transfer…
- Turn off the phone. Then hold the back button and plug it into the PC via USB. You will see the transfer activity happening on the flash tool. Wait until it finishes successfully (if it fails, it’s worth just trying again, as a number of people have found).
- Unplug the phone. You now have replaced the firmware and have the TWRP recovery tool. Boot into that by:
i. Turning the phone on while holding the Q (top left button) and * star button. This requires some manual dexterity!
ii. Upon seeing the DuoQin logo, immediately press up and power on
The TWRP logo should appear.
- TWRP will initially be in Russian. To switch to English, select the third menu item on the right (Настройки, meaning “Settings”) and then click on the globe icon at the top right. Then perform a factory reset within TWRP (in the Wipe menu).
- Next we’re going to update the boot image. Reboot your phone in normal mode, and ensure it boots completely. Then plug in (with USB file storage enabled) and transfer the boot_2.img file to e.g. /sdcard/Download.
- Reboot the phone back into TWRP. We’re going to install the boot image – go to Install, navigate to the SD card at /sdcard/Download and click Install Image so TWRP will show the boot_2.img file.
- Reboot from TWRP by going to Reboot and selecting System.
All being well, the system should reboot without any kind of verity error. You now have a minimal system with all the Chinese apps removed.
Rooting with Magisk
So all is well – we can now go ahead and root the phone. Here I diverged a bit from the guide on XDA developers, as I do not want to install Google apps including Google play. As we shall see, there are reliable ways to remove the Google ecosystem completely, including the play store, and still have any apps you like working.
To complete the root I followed several guides to Magisk. In contrast to the first guide I did not use an older version of Magisk and I did install Zygisk – which is an important component for “systemless root” for the many root-level modules we’ll install later for full control.
- Install the Magisk manager app as above, and ensure it is updated to the latest version (v24.3 as of writing). As noted, the app does not mean the phone is rooted – it is simply a manager for managing the rooting and modules.
- Open the app, and select Install -> Select and Patch a file. Find the boot_2.img that you previously transferred over, and let Magisk patch that. (You can also try a Direct Install at this stage.)
- Reboot the phone into TWRP (using the key combination above). It should have kept the language settings. Flash the patched boot image file via the Install -> Install Image menu.
- Reboot from TWRP (Reboot -> System) and ensure phone boots. Open the Magisk manager app – it should now show that the Magisk root (not just the app!) is installed and is of the most recent version.
- We’ll need to activate a few modules for later use. Go to Magisk settings, and then ensure the following are activated:
  - Systemless hosts
  - Zygisk (beta)
  - Enforce Denylist
  - Superuser Access = Apps and ADB
Congratulations, the phone is now rooted!
All good? Backup!
That’s the hardest technical part of what we have to do. There remain numerous occasions for us to mess things up down the road – so if your phone is unlocked to your satisfaction make a complete backup now with TWRP.
This is a much simpler backup to create and restore than the MTK client one above – it’s known as a NANDroid backup (because it backs up the usually read-only parts of the operating system which we have been messing with) and we will back up everything.
To do this is simple:
- Reboot into TWRP
- Go to Backup and give it a name (or accept the timestamped default)
- Select partitions to back up (I select everything). Swipe to start.
It should only take a few minutes to complete. If something gets messed up, restoring these backups will restore your phone to the exact state it was when backed up – a very useful tool.