New Calls Home.. (to The Maintainers)


Zedax

Apr 4, 2017
I'm not sure if this is the proper place, but I haven't seen any other suitable section.

To the maintainers of this "EU" version of MIUI:

Are you aware of the home calls MIUI and its system applications make? Meaning the connections to the statistics and ad servers of Xiaomi.

Like data.mistat.intl.xiaomi.com and ccc.sys.miui.com, which are forced and not needed to use the configuration, storage, account or cloud services, meaning the connection still happens even if you don't use any Xiaomi account or cloud service and you have opted out of any statistics.

Are you aware of a tracking call performed every 5 minutes under root privileges?

A DNS request to resolver.msg.xiaomi.net, which connects to Amazon AWS servers in Singapore, provides a JSON list that includes:
"app.chat.xiaomi.net":["114.54.23.116:5222","120.92.96.2:5222","111.13.142.2:5222","111.206.200.2:5222"]

A root-privileged application connects to 114.54.23.116, or any of them, every 5 minutes, on TCP, sending encrypted packets.
They try to cover it by using port 5222, usually used for the XMPP protocol, and by using the app.chat domain, but that isn't the XMPP protocol nor any messaging service.

Are you European citizens, or distributing to European citizens?
-->en.wikipedia.org/wiki/General_Data_Protection_Regulation
 
Yes, they all do things like this, hard to know exactly what is going on.

You can experiment blocking this traffic selectively with a firewall app like Netguard (no root).

I haven't done this systematically with any Xiaomi phone yet, but I did with a Doogee Y100 about 2 years ago.
Netguard could block almost all unnecessary traffic, except for a few things that seemed to slip through anyway. Some things stopped working of course, but the phone did not soft brick at least.

Being a European resident with no ties to China, but American connections, I prefer to let the Chinese spy on me in preference to the Americans.
So I try to use only Mi contacts instead of Google contacts, for example.

Any serious business person with company secrets to protect should not be using any ordinary Android phone at all. One has to assume that the American "data collection" agencies will have your information available to the highest bidder.
 
Netguard doesn't work, nor does any proxy, VPN or redirection.

Root apps don't go through them, and also if they detect the connection is not working they just disable the VPN without telling you, and connect outside the VPN/Netguard/proxy.

This isn't about the contacts or the information you willingly give to them.

It is a tracking system that tracks you between networks, Wi-Fi and mobile, and sends cell and other environment data.

Xiaomi is starting to open stores in Europe and directly exporting their devices to sell in Europe; it is very easy to block their imports due to the breach of law, especially being a foreign company.

To the maintainers: the GDPR doesn't make a distinction between companies or individuals, but it is worse when there is income from it.

The statistics domains can be nulled/blocked by resolving them to localhost, that is domain-->127.0.0.1 in the local hosts file.

The tracker needs code modification, which could be signed and may not run if modified.


If you care about users, nothing stops you from enabling iptables by default (that will run as root of course), blocking the tracking IPs.
 
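The iptables blocking suggested in the post above, sketched as an added example that is not part of the original thread: it turns the resolver reply quoted earlier into per-endpoint OUTPUT rules. The function names and the REJECT target are choices made here, and the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example (not from the thread): build iptables rules from the
# resolver reply quoted in the first post. Nothing is applied; the rules
# are printed so they can be reviewed before being loaded as root.

# Resolver reply as quoted in the thread (endpoints copied from the post).
RESOLVER_JSON='{"app.chat.xiaomi.net":["114.54.23.116:5222","120.92.96.2:5222","111.13.142.2:5222","111.206.200.2:5222"]}'

# extract_endpoints JSON -> one "ip port" pair per line, de-duplicated.
# Only strict dotted-quad:port strings are accepted, so no other text from
# a reply can end up inside a generated rule.
extract_endpoints() {
    printf '%s\n' "$1" |
        grep -oE '"[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]{1,5}"' |
        tr -d '"' | tr ':' ' ' | sort -u
}

# make_rules JSON -> one iptables command per endpoint, matching the exact
# destination address and TCP port rather than the whole host.
make_rules() {
    extract_endpoints "$1" | while read -r ip port; do
        printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j REJECT --reject-with tcp-reset\n' \
            "$ip" "$port"
    done
}

make_rules "$RESOLVER_JSON"
```

Because the endpoint list is handed out by resolver.msg.xiaomi.net at run time, static rules cover only the addresses captured in that reply and need regenerating if the list changes.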

As I recall there was some Google function that could access internet in the old Doogee (Android 5.1), even though I had blocked all system apps in Netguard (free version).

So yes, quite possible that Android is built as you describe.

I haven't tried this in the Xiaomi phones, which have all the MIUI stuff running besides all the Android stuff. It would be a long hard job to sort all this out, and I do not feel motivated.
I recall someone on the Swedroid forum had posted about doing this on some other phone, not Xiaomi. I'll see if I can find the thread.

Yes, I already have the Adaway host file in there to block ads, so it would be easy enough to add a few more ips if one had the list.
Problem is one risks blocking something that produces a softbrick.
 
Perhaps we should call @ingbrzy and @MarkHUK attention to this subject.

Xiaomi most definitely needs a pack of lawyers to sort out if this is an existential threat, as they are now actively selling to the EU.

Question is if Xiaomi.eu does too?

Here was this.
As you can notice, no interest in this subject, even on XDA.

Home Xiaomi Redmi Note 4 Xiaomi Redmi Note 4 Questions & Answers Debloat, Prevent Network Traffic, Optimize Battery / MIUI Global 8 Stable by ksmueller
. . .
Has someone managed to mute following services (being blocked by firewall some of them try more than 5000 network connects in 9 hours) :
. . .
Battery saver
No clue why there needs to be network traffic?

Find device
Have not configured a MI Account, don't use any MI cloud and don’t want to use MI’s find device function.
Can not be disabled / frozen: TitaniumBackup freezes when trying to freeze.
Uninstall (e.g. via Magisk) leads to a bootloop.
. . .
 
Xiaomi obviously is aware of the new EU regulation - that's why they switched off the themes app and Mi message for EU customers in their global ROM. As the .eu ROM is based on the Chinese ROMs, I think it should not be affected yet. The problem is that the .eu team might face legal problems, but that's not clear because they don't sell the .eu ROM.
Nevertheless it would be good to have the .eu team to address these concerns and potential legal threats. In my eyes it would be best to let the user decide whether or not he has a problem to share data with Chinese servers. I actually don't have a bigger problem with this than with American servers that steal our data anyway, but everyone will have a personal opinion about this.
 

I have never tried it, it is disabled.

I also have never tried the app Truecaller's "flash messaging" service, which I assume is something similar.

I suppose these might be useful for some people in some countries.

I do not understand why Xiaomi has stopped this service in the Global ROMs.
How does this run afoul of EU or other regulations?

Addendum:

1. If Mi Message infringes on EU privacy regulations, then I would guess that Truecaller's Flash Messaging does too.

Swedish co., but main customer base seems to be in India, and I could only guess where they keep your personal data.

2. I just checked, and Mi Message is gone in my Mi Max1 Prime running EU weekly 8.3.22.

It is still there in my Mi Mix1 and my wife's Mi Note 3, both still running 8.2.1.

Addendum2

The theme app is still working normally in my Mi Max1 Prime.

So the Mi Message seems to be turned on/off depending on region, not rom.

While the Theme app is left intact in the China ROMs, irrespective of region.

So far, it would seem.
 
Just adding this to the hosts (/system/etc/hosts) file, as simple as copy & paste, would block most of the calls:

127.0.0.1 app.chat.xiaomi.net
127.0.0.1 data.mistat.xiaomi.com
127.0.0.1 data.mistat.intl.xiaomi.com
127.0.0.1 ccc.sys.miui.com
127.0.0.1 ccc.sys.intl.miui.com
127.0.0.1 connect.rom.miui.com
127.0.0.1 sdkconfig.ad.xiaomi.com
127.0.0.1 sdkconfig.ad.intl.xiaomi.com
127.0.0.1 api.sec.intl.miui.com
127.0.0.1 api.sec.miui.com
127.0.0.1 auth.be.sec.miui.com
127.0.0.1 auth.be.sec.intl.miui.com
127.0.0.1 weatherapi.market.xioami.com
127.0.0.1 resolver.msg.xiaomi.net

All the apps and services appear to keep working with them blocked: Xiaomi account and login, Xiaomi cloud, system backups, automatic sync, Xiaomi app store...

And these domains have hundreds of connections per hour, so why not protect the users by default? What's the point of waiting? You know this already and it has been happening for years; the average user won't have a clue how to protect himself, and they won't know this happens.
The Chinese government forces all companies to do this, share and give access to them if they want to stay in business, every single Chinese company, whether the company wants to or not.

We aren't in China, we don't have to help them gather information to gain power, we can say f**k off, we can do what the people living in China can't.

So it is overly stupid to let them do this when it is so easy to stop.
 
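An added example, not part of the original post, of merging such entries into a hosts file that already holds other blocks (for instance an AdAway list) without duplicating or overriding existing lines. The function names are hypothetical, the sample file is constructed, and only three names from the list above are included to keep it short.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent merge of sinkhole entries
# into a hosts file. Run it against a copy before touching /system/etc/hosts.

# Names copied from the post; extend with the rest of its list as needed.
BLOCKLIST='data.mistat.intl.xiaomi.com
ccc.sys.miui.com
resolver.msg.xiaomi.net'

# is_mapped HOSTS_FILE NAME -> success if NAME already appears as a hostname
# on a non-comment line (any address), so existing entries are left alone.
is_mapped() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }' "$1"
}

# merge_hosts HOSTS_FILE -> appends "127.0.0.1 name" for each missing name
# and prints how many lines were added.
merge_hosts() {
    added=0
    # Terminate an unfinished last line so new entries are not glued to it.
    [ -n "$(tail -c1 "$1")" ] && echo >> "$1"
    for name in $BLOCKLIST; do
        if ! is_mapped "$1" "$name"; then
            printf '127.0.0.1 %s\n' "$name" >> "$1"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample file standing in for /system/etc/hosts.
demo=$(mktemp)
printf '127.0.0.1 localhost\n127.0.0.1 ccc.sys.miui.com # already blocked\n' > "$demo"
merge_hosts "$demo"    # first run adds the two missing names
merge_hosts "$demo"    # second run adds nothing
```

Hosts entries only affect name lookups; connections made straight to an IP address, such as the endpoints returned by the resolver, are not touched by them.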

Good initiative, just that a few of these are probably used for "innocent" usage collection to improve MIUI, etc.

Now we just need a similar list for Google. :)