Bootloader Unlock and Root for Xiaomi devices (HyperOS / HyperOS 2.0 / HyperOS 3.0) (Non-Mainland China Devices)
&
Hide Root / Play Integrity / Spoof Bootloader Status as Locked (Key Attestation) for most Android devices
- BACK UP ANY DATA YOU MAY HAVE ON YOUR PHONE
- ALL OF YOUR DATA WILL BE WIPED
- Your Xiaomi account must be over 30 days old
- Enable Find device in Xiaomi Cloud in Settings (might not be necessary, but enable for certainty)
- In Settings, press About phone and tap OS version 5 times to unlock Developer Options
- In Developer Options, enable OEM Unlocking
- Uninstall Xiaomi Community and reboot
- Install the latest version of Xiaomi Community on the Play Store
- Sign in with your Xiaomi account in Xiaomi Community
- In the Me tab, find Set up and press it
- Press Change region and choose Global
- Press "Apply for unlocking" at exactly 12:00 AM GMT+8 (pressing it too late will cause the "application quota limit reached" error. Use this website to check the time)
- "Account Error" might show up. If that happens, retry after 10 days
- Tip: If it keeps failing, try another method using this Python automation script
- Logout of your Xiaomi account in Settings
- Reboot
- Login again with your Xiaomi account in Settings
- Turn off Wi-Fi and make sure a working mobile data connection is available
- In Developer Options, find Mi Unlock status and press it
- Press Add account and device
- Download the latest version of it from here
- After download, extract and navigate to its folder
- Open miflash_unlock.exe, you will be prompted to sign in
- After signing in, agree to the disclaimer
- Enter this site and select the one for Windows
- After download, extract and navigate to its folder
- Click on the address bar of the folder and replace everything with cmd
- Press enter and a CMD window should pop up
- In Developer Options, enable USB Debugging
- Plug in your phone and press allow computer when prompted on the phone
- In the CMD window opened in Step 9, type
adb.exe reboot fastbootand press enter - Your phone should reboot and display FASTBOOT
- In the Mi Unlock app, it should display phone connected
- Press unlock and then press unlock anyway
- It might say couldn't unlock; wait for the amount of time displayed (during this time, DO NOT log out of your Xiaomi account on the phone or in Xiaomi Community)
- When enough time has passed, repeat this Step and your phone should be unlocked
Disclaimer: init_boot is for newer devices. Older devices do not have init_boot, so only use boot on those
KernelSU (recommended — install to check if your phone is supported) (Android 12+)
- Navigate to About phone on your device
- Download the firmware (Fastboot ROM) from miuirom.org that matches your device and OS version
- After download, extract and navigate to its folder
- Find the
imagesfolder and enter it
- In the folder, copy
init_boot.imgto theplatform-toolsfolder in Step 9 of unlocking the bootloader- Rename the copied file to
init_boot_stock.img(DO NOT DELETE IN CASE OF A BRICK)
- Transfer the
init_boot_stock.imgfile to your phone
- Download and install the latest APK from their releases
https://github.com/tiann/KernelSU/releases
- Open KernelSU
- If the app shows Not installed, then your device is officially supported by KernelSU
If the app shows Unsupported, it means that you should compile the kernel yourself, KernelSU won't and never provide files for you to flash
- Open KernelSU
- Click on Not installed - Tap to install -> Select a file.
- Choose
init_boot_stock.img- Click on Next and choose the option with This device KMI
- Press Confirm
- The patched file should be something like
kernelsu_patched_20260605_045957.imgin the Download folder of your phone
- Move the patched file (
kernelsu_patched_20260605_045957.img) toplatform-tools
- Plug in your phone
- Navigate to
platform-tools, click on the address bar of the folder and replace everything with cmd- Press enter and a CMD window should pop up
- Run the following command in CMD:
adb.exe reboot fastboot
In the same CMD window, execute the following commands using it as an example:
fastboot.exe flash init_boot_a kernelsu_patched_20260605_045957.img fastboot.exe flash init_boot_b kernelsu_patched_20260605_045957.img fastboot.exe rebootYour device should reboot into the system and be rooted
Magisk Alpha
- Navigate to About phone on your device
- Download the firmware (Fastboot ROM) from miuirom.org that matches your device and OS version
- After download, extract and navigate to its folder
- Find the
imagesfolder and enter it
- In the folder, copy
init_boot.imgto theplatform-toolsfolder in Step 9 of unlocking the bootloader.- Rename the copied file to
init_boot_stock.img(DO NOT DELETE IN CASE OF A BRICK)
- Transfer the
init_boot_stock.imgfile to your phone
- Download and install the latest version of Magisk Alpha from their Telegram Channel
- Open Magisk Alpha
- Tap Install -> Select and Patch a File
- Choose
init_boot_stock.img- The patched file should be something like
magisk_patched-XXXXX_xxxxx.imgin the Download folder of your phone
- Move the patched file (
magisk_patched-XXXXX_xxxxx.img) toplatform-tools
- Plug in your phone
- Navigate to
platform-tools, click on the address bar of the folder and replace everything with cmd- Press enter and a CMD window should pop up
- Run the following command in CMD
adb.exe reboot fastboot
In the same CMD window, execute the following commands
fastboot.exe flash init_boot_a magisk_patched-28001_xxxxx.img (e.g., fastboot.exe flash init_boot_a magisk_patched-28001_p5r8c.img) fastboot.exe flash init_boot_b magisk_patched-28001_xxxxx.img (e.g., fastboot.exe flash init_boot_b magisk_patched-28001_p5r8c.img) fastboot.exe rebootOnly for OLD DEVICES without
init_boot(DO NOT FOLLOW IF YOUR DEVICE HAVEinit_boot)fastboot.exe flash boot_a magisk_patched-28001_xxxxx.img (e.g., fastboot.exe flash boot_a magisk_patched-28001_p5r8c.img) fastboot.exe flash boot_b magisk_patched-28001_xxxxx.img (e.g., fastboot.exe flash boot_b magisk_patched-28001_p5r8c.img) fastboot.exe rebootOnly for OLD DEVICES without
init_boot, if there's an error, try running this command (DO NOT FOLLOW IF YOUR DEVICE HAVEinit_boot)fastboot.exe --disable-verity --disable-verification flash vbmeta vbmeta.img (vbmeta.img is from the firmware you downloaded)Your device should reboot into the system and be rooted
KernelSU
Install the latest release version of the following modules in this order:
- Hybrid Mount (reboot your phone)
https://github.com/Hybrid-Mount/meta-hybrid_mount/releases- Zygisk Next (reboot your phone)
https://github.com/Dr-TSNG/ZygiskNext/releases- TEESimulator-RS (Way Better Alternative to Tricky Store)
https://github.com/Enginex0/TEESimulator-RS/releases- Tricky Addon Enhanced (auto-fetch keyboxes)
https://github.com/Enginex0/tricky-addon-enhanced/releases (press Vol+ when asked)- Vector (LSPosed fork)
https://github.com/JingMatrix/Vector/releases- PlayIntegrityFix (inject-s)
https://github.com/KOWX712/PlayIntegrityFix/releases
Magisk Alpha
Install the release version of the following modules in this order:
- Zygisk Next (reboot your phone)
https://github.com/Dr-TSNG/ZygiskNext/releases- TEESimulator-RS (Way Better Alternative to Tricky Store)
https://github.com/Enginex0/TEESimulator-RS/releases- Tricky Addon Enhanced (auto-fetch keyboxes)
https://github.com/Enginex0/tricky-addon-enhanced/releases (press Vol+ when asked)- Vector (LSPosed fork)
https://github.com/JingMatrix/Vector/releases- PlayIntegrityFix (inject-s)
https://github.com/KOWX712/PlayIntegrityFix/releases- Shamiko
https://github.com/LSPosed/LSPosed.github.io/releases
KernelSU
- Download and install the latest version of KsuWebUI from
https://github.com/5ec1cff/KsuWebUIStandalone/releases
- Open KernelSU
- Go to Settings → Turn off Kernel unmount
- Open KsuWebUI
- Click on the Zygisk Next module
- Set Denylist Policy to Unmount Only
- Turn on Use anonymous memory
- Install Open Source HMA-OSS
https://github.com/frknkrc44/HMA-OSS/releases- Enable it in the LSPosed Manager notification, select Recommended
- Reboot
- Open HMA-OSS
- Go to Manage templates
- Create a blacklist template
- Name it anything
- Edit list of 0 apps invisible, add:
- HMA-OSS
- KernelSU
- All LSPosed modules installed
- If new LSPosed modules are installed later, update this template again
- Open HMA-OSS
- Go to Manage apps
- Select the app(s) detecting root
- Turn on Enable hide
- Press Template config
- Make sure Work mode is Blacklist
- Press Using 0 templates and select your blacklist template
- Confirm
Magisk Alpha
- Download and install the latest version of KsuWebUI from
https://github.com/5ec1cff/KsuWebUIStandalone/releases
- Open Magisk Alpha
- Go to Settings → Hide Magisk App (you can name it anything, e.g.,
Settings)- Disable Zygisk
- Turn Enforce Denylist OFF
- Navigate to Configure DenyList
- Select the app(s) you want to hide root from (tap app first, then checkbox)
- Open KsuWebUI
- Click on Zygisk Next module
- Set Denylist Policy to Enforced
- Turn on Use anonymous memory
- Install Open Source HMA-OSS
https://github.com/frknkrc44/HMA-OSS/releases- Enable it in the LSPosed Manager notification, select Recommended
- Reboot
- Open HMA-OSS
- Go to Manage templates
- Create a blacklist template
- Name it anything
- Edit list of 0 apps invisible, add:
- HMA-OSS
- Settings (hidden Magisk app or renamed one)
- All LSPosed modules installed
- If new modules are installed later, update this template again
- Open HMA-OSS
- Go to Manage apps
- Select the app(s) detecting root
- Turn on Enable hide
- Press Template config
- Make sure Work mode is Blacklist
- Press Using 0 templates and select your blacklist template
- Confirm
- Open the KsuWebUI app.
- Click on the Play Integrity Fix [INJECT] module.
- Make sure Spoof Build and Spoof Build (Play Store) is enabled
- Click on Fetch and choose GitHub to get the latest one
- Use this app to check it
Some old custom ROMS spoof old fingerprints (PIF's) by default, you'd need to disable that functionality if your ROM has it built in, I can't help much for this part
- Open KsuWebUI
- Click on the TEESimulator-RS module
- Click on the 3 dots on the top right corner
- Press Keybox Automation
- You can set Fetch Interval to your liking or just leave it as it is
- Find Manual Actions and click on Fetch Key
Search for the app(s) you want to spoof bootloader status as locked, then click on the checkbox for it
Tested / Working on the following devices (I'd appreciate it if you could report your device back to me in Issues if it works)
- Xiaomi 14T (HyperOS)
- Xiaomi Redmi K60 Ultra 5G (HyperOS/HyperOS 2.0)
- Xiaomi Mi 11 Ultra (HyperOS)
- Xiaomi 12 (Lineage OS 22.2)
- Xiaomi 13 Ultra (HyperOS 2.0)
- Xiaomi Redmi Note 15 5G (HyperOS 2.0)
- Poco F8 Pro (HyperOS 3.0)




