Owning an Android device, especially from Xiaomi, often involves intrusive system constraints and embedded advertising. One of the key mechanisms that ensure these features work, and protect the integrity of the software shell, are Certificate Authority (CS) certificates. Deletion or deactivation may be required by advanced users who want to fully customize the system and improve privacy.
Interfering with system certificates is not a trivial task and requires a deep understanding of the MIUI and HyperOS architecture. The standard settings menu means that you cannot remove root system certificates because they are protected by superuser rights, which is why you need root rights obtained through tools like Magisk or KernelSU to perform this operation.
It is important to understand that any manipulation of system files carries potential risks. Incorrect removal of critical certificates can lead to malfunctioning of banking applications, failures in updating the system or complete failure of the device to boot. Deleting certificates marked as system (System), without creating a full backup, may require a flashing device.
What are root certificates and why remove them
Root CAs are digital identities that serve as the basis for trust in the operating system. They authenticate sites, applications, and system services. In the context of Xiaomi devices, these certificates are used not only for security, but also to verify the system components that run the GetApps app store, cloud services, and ad modules.
The main reason why enthusiasts are seeking to remove or block certain CA certificates is to stop collecting telemetry. System services send location, application usage and search queries to the company's servers. Blocking the relevant certificates breaks the chain of trust, and the system can no longer safely transfer this data because it "does not recognize" the recipient's server.
In addition, deletion of certificates is often necessary to install modified versions of system applications or custom firmware that do not have an official Xiaomi digital signature. Without edits to the key store, the system will block the launch of such software, considering it potentially dangerous.
- π Blocking system advertising and trackers at the certificate level.
- π Possibility of installing modified system components.
- π Reducing the load on the processor by disabling background telemetry services.
- π Increased privacy by breaking the connection to analytics servers.
Training and tools required
Before you start deleting or modifying the key store directly, you need to prepare a work environment. A standard file manager is not suitable for working with system partitions. You need specialized software that can work with superuser rights and mount the /system partition in write mode.
A mandatory requirement is the availability of an unlocked bootloader. Without this step, obtaining superuser rights is impossible. It is also critical to make a full backup of data, including the boot and recovery section. In case of an error, you should be able to roll back to the operating state of the device.
To work, youβll need a computer with ADB and Fastboot drivers installed, and a USB cable with a high-quality screening. An unstable connection can interrupt the file transfer process, which will damage the file system.
βοΈ Preparation for the removal of certificates
Do not attempt to operate system files with a battery charge of less than 60%. A sudden power outage at the time of writing system files can lead to a "bricking" of the device that cannot be restored by software methods.
Step-by-step instructions for removing certificates
Xiaomi CS certificate removal requires care, and we will use a root-enabled file manager, which is the most visible method, allowing you to control each step. The alternative method through ADB is more complex and requires accurate knowledge of file names.
First, you need to access hidden system folders. Open your root file manager and activate System Partition or Mount System mode. Find a directory where user and system certificates are stored. Usually this is the path /system/etc/security/cacerts or /data/misc/keychain.
β οΈ Note: Before deleting any file from the cacerts folder, copy it to a secure location on internal memory or to the cloud. The file name is usually a hash, so without a copy, it will be impossible to restore a particular certificate.
Find certificates related to Xiaomi domains (e.g., those containing miui, xiaomi, ad in name or properties). Be careful not to remove certificates with names you are not familiar with if they are standard for Android (e.g., Google certificates or Let's Encrypt), as this will disrupt the Internet and stores.
adb shell
su
cd /system/etc/security/cacerts
ls -l | grep xiaomiAfter deleting or renaming the target files (it is recommended to change the extension to.bak), you need to restart the device. The first start may take more than usual, as the system will recalculate hash amounts and check the integrity of the files.
What to do if the phone goes into a cyclical reboot?
Using Magisk Modules to Block
A safer and more modern method than direct editing of system files is using modules for Magisk, which works on the principle of "Systemless", that is, does not change the system partition directly, and it makes it easy to roll back all changes by simply removing the module.
There are specialized modules, such as Universal SafetyNet Fix or Xiaomi telemetry removal modules (such as MIUI-AD-Blocker), that automatically implement lock rules and manage certificates. They substitute system responses or block requests to specific CCs at the boot level of the system.
| Method | Difficulty | Risk of error | Possibility of rollback |
|---|---|---|---|
| Manual deletion of files | Tall. | High-pitched | Only through the backup. |
| Magisk modules | Medium | Low. | Instant. |
| ADB team | Tall. | Medium. | Difficult. |
To install the module, download the.zip archive from a trusted source (such as the 4PDA or XDA forum). Open the Magisk app, go to the Modules section and click "Install from storage" or select the downloaded file. After installation, restart your smartphone.
π‘
Use the Systemless Hosts module in Magisk settings to block Xiaomi ad domains through the hosts file without touching the certificates themselves. This is often more efficient and safer.
Possible problems and ways to solve them
When deleting CC certificates, users often face a number of common problems, the most common being the loss of Internet access in individual applications, which occurs when an application tries to establish a secure connection but cannot verify the server due to the lack of a root certificate.
Another problem is the occurrence of errors "Certificate not trusted" when visiting sites, which indicates that the system-wide certificate necessary for the operation of SSL/TLS protocols was deleted, in which case you need to restore deleted files from the backup.
If banking applications or Google Pay (Wallet) are no longer working, the system may have detected a breach of integrity or lack of necessary security keys, and may require root-rights concealment modules such as Zygisk and Shamiko.
β οΈ Note: Some banking applications may not work properly even after the certificates are restored if they detect signs of interference with system files, in which case only a full reset (Wipe Data) or stock firmware reflashing will help.
Users may also notice an increase in battery consumption in the first hours after the change, actively logging connection errors to try to reach blocked services, usually by themselves within a day or after cleaning logs.
Alternative methods of advertising blocking and surveillance
Removing certificates is not the only, or always the best way to deal with Xiaomiβs restrictions. DNS-Filtering. Set up a private DNS (For example, AdGuard. DNS or DNS66) Allows you to block advertising requests at the network level without affecting system files.
To do this, go to network settings: Settings β Connection and Sharing β Private DNS. Enter the address of the blocker server. This method is secure, reversible and does not require superuser rights, although it is less effective against embedded advertising in system applications.
Another option is to use local VPN-Apps like Blokada or AdGuard create a local tunnel and check all outgoing requests. If a request goes to a known ad server, it is blocked.
π‘
Use of the DNS-Filtering is the safest alternative to removing system certificates for ordinary users who do not want to risk the stability of the system.
The choice of method depends on your goals, and if you want maximum privacy and you're willing to spend time debugging the system, removing certificates and using Magisk modules will be the best choice. If the goal is just to remove ads, start with DNS.