How to disassemble Xiaomi firmware: the complete guide

Working with Xiaomi smartphone software often requires a deep understanding of the structure of the operating system files. Disassembling firmware is not just an archive, but a complex process that allows you to modify system partitions, replace components or restore damaged data. Users resort to this manipulation for the sake of installing custom recoveries, implementing root rights or trivial learning how MIUI works from the inside.

The process requires care, because breaking the integrity of critical files can cause a device to fail. Modern firmware versions have a complex structure that has changed over the years. Unlike older versions of Android, where everything was in one image, now we use a modular system with many partitions, which is why it is important to clearly understand what type of archive you are trying to open and what tools are needed to do this.

In this article, we will look at all the stages of working with software distributions for smartphones Redmi and Poco. We will examine the differences between archive formats, necessary utilities and step-by-step algorithm of actions. The knowledge gained will allow you to safely modify the software part of the gadget without turning it into a β€œbrick”.

Firmware types and archive formats

Before you start extracting files, you need to determine what format you are dealing with. The official site and various repositories offer distributions in two main formats: Recovery and Fastboot. Understanding the difference between them is critical, because the structure of their content is radically different. Recovery firmware usually have the.zip extension and are designed to be updated through the recovery menu or built-in updater.

Fastboot versions are distributed in.tgz (tar.gz) format and contain a full set of partition images for direct recording to the device memory via the computer. Inside this archive is another archive that contains direct image files such as system.img, boot.img and others, a heavier version that gives full access to all parts of the phone's memory.

It is also worth noting the existence OTA-These are delta files that only contain changes between versions, not a complete copy of the system. It is more difficult to disassemble such an archive, since it is not a complete image of the system, but only a patch. For deep analysis of the structure of Android, the best complete versions of firmware are the full versions of the firmware.

⚠️ Warning: Never attempt to install a firmware designed for Fastboot through the Recovery menu, and vice versa.This will result in verification errors or the device fails to boot completely.

Global versions (Global) may differ in file structure from Chinese (China) or Indian ones, for example, Chinese firmware often lacks Google services, while global ones add additional system applications and modify modem configuration files.

πŸ“Š What type of firmware do you use most often?
Recovery (zip)
Fastboot (tgz)
OTA (delta)
Castomium assembly

Necessary tools for the job

For high-quality unpacking and file analysis, you will need a set of specialized software. Standard tools of the Windows operating system or macOS may not be enough, especially when working with.tgz archives and specific image files. The basic tool is an archiver that supports work with tar archives, for example, 7-Zip or WinRAR.

But if you want to do more than just get a file, but modify it or pack it back, you need more powerful tools. One of the most popular programs in the community is MIUI Payload Dumper, which allows you to open the payload.bin file, which in modern firmware contains all the partitions of the system in compressed and encrypted form.

Also, remember the classic tools from Google: Android SDK Platform Tools includes ADB and Fastboot, which may be needed to verify the integrity of devices or test extracted images. To work with file systems inside images (for example, ext4) may require utilities like Ext4Extractor or mounting via WSL in Windows 10/11.

  • πŸ“¦ 7-Zip β€” Free open source archiver required to work with tar and gzip.
  • πŸ”“ Payload Dumper – a utility for extracting partitions from payload.bin (main file of modern firmware).
  • πŸ”§ Android Platform Tools – Google’s official toolkit for interacting with Android.
  • πŸ’» Python 3 – often required to run unpacking scripts if you are using non-exe versions of utilities.

All of these tools must be downloaded from official sources or verified repositories on GitHub. Using questionable software with modified code can lead to data leakage or the introduction of malicious code into your system even in the preparation stage for firmware.

πŸ’‘

Use portable versions of programs where possible to avoid clogging the Windows registry with unnecessary entries and easily transfer tools to other PCs.

Step-by-step unpacking Recovery firmware

Let’s start with a simpler version,.zip firmware. This process does not require the use of complex scripts and is performed by standard means. After downloading the firmware file from the official website, make sure that it is fully loaded and not corrupted. Checksum (MD5 or SHA1) will not be superfluous if the file was downloaded from a third-party source.

Open the archive with 7-Zip or a similar archiver, and you'll see a lot of files and folders, and the main elements here are the system, boot, recovery, and updater-script folders. It's the updater-script script (located in the META-INF folder) that tells the phone where to write and what files to write.

If you just need to replace a system file (like fonts or sounds), you can extract the archive, make changes and pack it back, keeping the folder structure intact. However, modern firmware often uses the payload.bin format even inside zip archives (called A/B firmware), which makes it difficult to do.

β˜‘οΈ Checking the Recovery Archive

Done: 0 / 4

If you find a payload.bin file inside a zip archive, standard unpacking will not give you access to system files. You will have to move on to the methods described in the next section using special dampers. This is done by Xiaomi developers to protect the integrity of the system and speed up the update process.

⚠️ Note: When repackaging Recovery firmware, strictly adhere to the structure of the archive. Changing file paths or permissions (permissions) will lead to an installation error (Error 7 or similar).

Work with Fastboot firmware and payload.bin

Fastboot firmware is a.tgz archive, inside of which lies another archive with a name corresponding to the model of the device. After double unpacking, you will see a set of files with the.img extension and one large file. flash_all.sh (Or.bat. In older versions. MIUI The images were separate but in new ones (Android) 10/11/12/13/14) They are often combined in payload.bin.

File. payload.bin β€” This is a container that contains compressed data for all partitions: system, vendor, boot, recovery, modem, and others. To access this data, you need to use the Payload Dumper utility. payload.bin to the damper folder and run the executable file.

payload-dumper-go.exe payload.bin

Once the program is finished, the output folder will have extracted partition images, and you can now work with them separately, such as extracting system.img to analyze preinstalled applications or taking boot.img for the Magisk patch and obtaining root rights.

It's important to understand that you can't just take a modified image back to payload.bin with standard tools. Back-assembly requires complex manipulations with checksum and metadata recalculation, which only experienced developers can do, most often modifying the final.img file and stitching it separately through the Fastboot if the partition is unlocked.

What is A/B Partitioning?
This is a memory splitting scheme where the system has two sets of partitions (Slot A and Slot B). While you are using one version, the second version is updated in the background. This allows you to instantly roll back if you make an error, but makes it difficult to modify the firmware, since payload.bin contains data for both slots at once or updates the current active one.

Partition structure and file system

Once.img images are extracted, the user is tasked with opening their contents. These files are casts of partitions of memory. The main partition of the system usually has an ext4 or erofs file system (in newer versions of Android).

Inside the system section, you’ll find the familiar Android structure: app folders (system applications), priv-app (privileged applications), framework (libraries) and etc (configuration files). The vendor section contains drivers and device-specific libraries, without which the phone won’t start.

SectionDescriptionCan we modify it?
boot.imgThe kernel and the ramdisk. It's responsible for the boot.Yes (for Root/Recovery)
system.imgThe main operating system and applications.Yes (with caution)
vendor.imgEquipment drivers and HAL.No (high risk)
recovery.imgRecovery Wednesday.Yes (for TWRP installation)

The data partition is usually missing from firmware, as it is created when the phone is first started and contains user data. cust.img (regional settings; or mi_ext.img (additional regional annexes) which are also editable.

When working with the erofs file system (Enhanced Read-Only File System), which is actively implemented in MIUI 12/13/14, file modification is impossible on the fly, since this system is designed only for reading.

πŸ’‘

Modifying a vendor or boot partition without proper knowledge can lead to a cyclic bootloop, as these partitions contain critical drivers and the kernel.

Modification and reverse assembly

If your goal is to remove ads (bloatware) or add features, it is easiest to use methods that do not require backpacking. payload.bin. For example, you can extract system.img, Remove it, remove unnecessary APK-You can then flash this modified image directly through the Fastboot with the fastboot flash system. system.img.

However, this method only works when the bootloader is unlocked, and if the bootloader is locked, the phone will not allow the modified image to be flashed because of Verified Boot, in which case the firmware disassembly only makes sense for analyzing or preparing files for the custom recovery.

To reverse assemble full-fledged firmware from modified images into payload.bin, there are utilities like Android Image Kitchen (for boot) or specialized scripts in Python for payload. But is the game worth the candle? It's often easier to find a ready-made custom firmware or module for Magisk that will do the same without the risk of damaging system files.

When editing files inside images (like build.prop or framework-res.apk), always back up the originals. Even one extra line in the configuration file can prevent the operating system from starting.

⚠️ Warning: Antiviruses may respond to firmware decompression tools (especially dampers) as a threat, as they work with low-level data structures.

Frequent errors and troubleshooting

In the process, users often encounter a problem when the utility can not open payload.bin. This may be due to the fact that the file is damaged during download or used incompatible version of the damper. Modern firmware Xiaomi uses different versions of the payload format, so the tools need to be updated regularly.

Another common mistake is the lack of disk space: unpacked firmware can take up 3-4 times more space than the archive itself. Make sure that the system disk (usually C:) has at least 10-15 GB of space before starting operations.

If you make a modification to your phone, you go to bootloop, and you try Recovery and Wipe Data, and if that doesn't work, you'll have to go back to the clean official firmware through the Mi Flash Tool, which is why the ability to disassemble firmware should go hand in hand with the ability to restore it.

Can I get a firmware on my phone without a PC?
You can theoretically use terminal emulators and scripts, but it's very inconvenient and risky. Mobile processors and file systems are not designed to do that. There's a high probability of damaging data or running out of memory. It's better to use a computer.
Is it safe to remove system applications from system.img?
Only if you know exactly what the package is for, removing critical components (such as the Package Installer or SystemUI) will cause the system to fail. Always check the destination of the package online before removing it.
Why is payload.bin not unpacked?
Possible causes: file is corrupted (unproven), an old version of Payload Dumper is used, there are not enough administrator rights to write to the output folder, or antivirus blocks the process.
Do I need to unlock the bootloader to disassemble the firmware?
No, the process of unpacking archives on the computer does not require an unlocked bootloader. Unlocking will only be needed at the stage of writing back modified files to the memory of the smartphone.