Redmi Note 11S : incorrect critical_lock_state in seccfg

[pierre-durand]

My phone is a Redmi Note 11S.
The seccfg partition is V4.

In unlock mode, field critical_lock_state is incorrectly set to 1 (instead of 0).
It has no effect with Android 11, but with Android 13, dm-verity complains at startup!

This can be fixed in bootloader mode:
fastboot oem cdms fix
This simply sets critical_lock_state to 0 in seccfg partition (+rehashing...).

This patch works for me:

--- mtkclient/mtkclient/Library/Hardware/seccfg.py	2024-10-03 15:36:45.159499963 +0200
+++ mtkclient/mtkclient/Library/Hardware/seccfg.py	2024-10-03 15:38:02.693707339 +0200
@@ -87,7 +87,7 @@
             return False, "Device is already unlocked"
         if lockflag == "unlock":
             self.lock_state = 3
-            self.critical_lock_state = 1
+            self.critical_lock_state = 0
         elif lockflag == "lock":
             self.lock_state = 1
             self.critical_lock_state = 0

If this is specific to my hardware, maybe there could be a flag to set critical_lock_state with a custom value?

[pierre-durand]

Of course, I disabled verification flags in vbmeta. But it seems flags in seccfg has a precedence there.