I am wondering about the security of the Galaxy S6 (not Edge) bootloader. The goal is to prevent users from making any major modifications to the phone (booting custom ROMs, for example), so I have a few questions about this phone:
1. Some versions are unlocked by default, can I lock bootloader manually (and restore OEM Unlock option if missing)?
2. How secure is option "OEM unlock" in Debugging mode? If disabled, can user unlock bootloader in recovery mode with 3rd party tools or not?
3. Can Samsung phones be somehow secured to prevent OS reinstallation?
The best goal we may want to achieve is to prevent unauthorised persons from doing anything with the phone without knowing the PIN, so the phone cannot be flashed with a new ROM and used again.
Thanks.
1. You can't.
2. It should be pretty secure on other brands, but I'm not sure for Samsung devices.
3. Only Samsung can adjust it in the bootloader.
On the S6, the bootloader doesn't allow a custom (modded) bootloader flash, a custom (modded) modem flash or repartitioning in any situation.
But if you turn on Google factory reset protection or Samsung factory reset protection, any root process, any custom (modded) kernel, any custom (modded) recovery or custom (modded) system image flash process will be denied by the bootloader. FRP is more powerful than OEM Unlock.
I really hate that boot screen that makes you think your phone is going to blow up because the bootloader is unlocked... I realize that having it unlocked is perfectly fine, and with Magisk, all the Google security stuff still works just fine. I also know that an unlocked bootloader makes it much easier to flash updates (flash-all but remove the -w)... So please don't try to explain why I should leave my bootloader unlocked.
With my HTC phones, unlocking the bootloader would erase the phone (obviously, and just like the Pixel 2). Locking the bootloader wouldn't erase the phone on the HTC, but with the Pixel 2, the instructions say that it WILL ERASE THE PHONE.
With the HTC, the wipe happened in recovery, so if I had TWRP installed, the phone wouldn't erase... I could easily switch between locked and unlocked, and as long as I had TWRP installed, the phone would "think" it was going to erase, but I stopped it.
So my question is... Does the Pixel 2 wipe the phone on lock/unlock through recovery? If so, can I lock the phone with TWRP installed in recovery and prevent that lock? I know I can make a backup and try it and see, but since the Feb update, getting into a decrypted recovery has become a pain (remove pin/password, reboot, reboot to recovery, do what you want, reboot to system, add the pin/password, add fingerprint, open EVERY SINGLE APP THAT USES FINGERPRINT AND SET LOGIN AND REGISTER THE FINGERPRINT - it frustrates me, in case you can't tell).
You cannot flash TWRP unless you are unlocked so at this time there is no way to unlock the bootloader without a full wipe.
I think you misunderstood the question. I have unlocked the bootloader (let it wipe) and installed TWRP. I want to know if the re-lock will wipe through recovery (and therefore be stopped by TWRP) or if it does the wipe using some other method (and therefore wiping regardless).
1. You won't be able to maintain your userdata while switching between locked and unlocked states.
2. You will likely not be able to boot your device either after locking your phone.
For 1)
The Pixel 2 enables FBE (filesystem-based encryption) by default for your userdata partition. The encryption keys are derived from a hardware secret (accessible only from TrustZone), the RSA public key that was used to sign the boot image and a flag (whether it is locked or unlocked). The latter parameters are provided by the bootloader (lk) to the Keymaster trustlet (running in TrustZone).
If any of these parameters change, then the encryption keys will change as well. As a result, your files will remain inaccessible even if you were hypothetically able to flip the lock state.
For 2)
Unlocking the bootloader (fastboot flashing unlock) will disable verification of the boot image. TWRP is installed by modifying the boot image (in both the "a" and "b" slots) which invalidates the Verified Boot signature that covers this boot image (stored in the vbmeta partition). When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Source: reading the lk source code and various Android documentation such as https://source.android.com/security/encryption/file-based
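A simplified model of the key binding described in the answer above, added here as an illustration; it is not code from Android, Keymaster or the post. The hardware secret, the boot-signing public keys, the HKDF step and the key-check value are all constructed stand-ins (the real derivation is vendor- and hardware-specific). It shows why flipping the lock state or changing the key that signed the boot image yields a different userdata key, so data provisioned under the old parameters stays unreadable.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_userdata_key(hardware_secret: bytes, boot_signing_pubkey: bytes, unlocked: bool) -> bytes:
    """Model of the post's description: the key depends on the per-device hardware
    secret, the public key that signed the boot image, and the lock flag.
    Constructed simplification, not the real Keymaster derivation."""
    lock_flag = b"|unlocked" if unlocked else b"|locked"
    info = b"fbe-sim|" + HASH(boot_signing_pubkey).digest() + lock_flag
    return hkdf_sha256(hardware_secret, salt=b"keymaster-sim", info=info)


def key_check_value(key: bytes) -> bytes:
    """Short tag stored next to the encrypted userdata so a wrong key is
    detected before anything is decrypted with it."""
    return hmac.new(key, b"kcv", HASH).digest()[:16]


def can_open_userdata(stored_kcv: bytes, hardware_secret: bytes,
                      boot_signing_pubkey: bytes, unlocked: bool) -> bool:
    """Re-derive the key from the current boot parameters and compare its
    check value with the one recorded when userdata was provisioned."""
    candidate = derive_userdata_key(hardware_secret, boot_signing_pubkey, unlocked)
    return hmac.compare_digest(key_check_value(candidate), stored_kcv)


# Constructed device parameters
HW_SECRET = b"per-device secret held in TrustZone (constructed)"
OEM_PUBKEY = b"OEM boot-signing public key (constructed)"
CUSTOM_PUBKEY = b"custom boot-signing public key (constructed)"


def demo() -> dict:
    # Userdata was provisioned on a locked device running the OEM-signed boot image.
    provisioned_kcv = key_check_value(derive_userdata_key(HW_SECRET, OEM_PUBKEY, unlocked=False))
    return {
        # Same parameters: the key re-derives and userdata opens.
        "same_state": can_open_userdata(provisioned_kcv, HW_SECRET, OEM_PUBKEY, False),
        # Only the lock flag changed: different key, userdata unreadable.
        "after_unlock": can_open_userdata(provisioned_kcv, HW_SECRET, OEM_PUBKEY, True),
        # Boot image signed by another key (e.g. a modified boot image): unreadable.
        "other_boot_key": can_open_userdata(provisioned_kcv, HW_SECRET, CUSTOM_PUBKEY, False),
        # Same images moved to another device: the hardware secret differs.
        "other_device": can_open_userdata(provisioned_kcv, b"another device secret (constructed)", OEM_PUBKEY, False),
    }


if __name__ == "__main__":
    for scenario, opens in demo().items():
        print(f"{scenario:16} userdata opens: {opens}")
```

The check value is what lets the model report "inaccessible" cleanly instead of producing garbage plaintext; real implementations fail in the same spirit, since the wrapped file keys simply do not unwrap under a key derived from different parameters.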
Lekensteyn said:
When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
The signature of the Custom ROM (Official LineageOS) can be integrated into the bootloader before re-locking the bootloader.
But this is the problem: "Lineage Recovery is also built in userdebug mode, that's a problem. When Lineage recovery is built this way, it allows any package, signed or unsigned, to be installed on your phone. This effectively negates the benefits of locking the bootloader. [...] In fact most custom ROMs simply use TWRP or another third party recovery which has the same issues as they are designed to never even look at the signatures of the packages they are flashing to your device."
"A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I?: LineageOS"
https://www.reddit.com/r/LineageOS/comments/n7yo7u
I rooted my s7, latest version of 8.0 United Kingdom (g930fxxu4esae build r16nw.g930fxxs5esf6). I used TWRP and magisk.
All was well until I rebooted, then got the dreaded "custom binary blocked by frp lock". I was able to take the stock rom and install the AP file, and now it's working again except that of course root is gone. I suspect that if I attempt to root again, I will run into the same error on a reboot.
I've done some googling but haven't found anything really reliable sounding about getting around this problem.
EDIT: UPDATE: I've flashed the latest version of BTU on phones 1 and 2. I've successfully rooted phone 1 and it seems to be sticking. Phone 2 I'm still working on, it doesn't have to be rooted though as it's more of a backup for gaming. Thanks again to everyone in this thread for all the good advice and info.
You are going to have to re-flash your current firmware unrooted and, before you root, enable OEM unlocking in developer options AFTER setting up your Google account (you have to use the same Google account as you did before). Unfortunately there is no way of force-enabling OEM unlock with a flashable zip on the S7, at least to my knowledge. FRP lock is Google's factory reset protection, which stops people from factory resetting a phone and then just using their Google account instead of the one they don't know the password to, and it stops custom binaries like TWRP from booting, and even a stock binary that has been rooted, because it thinks you could be trying to bypass FRP.
Enabling OEM unlocking will disable FRP lock on the device, allowing you to use custom binaries and boot normally without the checks.
Viper4060 said:
You are going to have to re-flash your current firmware unrooted and, before you root, enable OEM unlocking in developer options AFTER setting up your Google account (you have to use the same Google account as you did before). Unfortunately there is no way of force-enabling OEM unlock with a flashable zip on the S7, at least to my knowledge. FRP lock is Google's factory reset protection, which stops people from factory resetting a phone and then just using their Google account instead of the one they don't know the password to, and it stops custom binaries like TWRP from booting, and even a stock binary that has been rooted, because it thinks you could be trying to bypass FRP.
Enabling OEM unlocking will disable FRP lock on the device, allowing you to use custom binaries and boot normally without the checks.
Correct, basically turn FRP lock off; it's a pain in the ass.
Also @kettir, this is the final release of BTU, not the one you have in your post: https://www.sammobile.com/samsung/galaxy-s7/firmware/SM-G930F/BTU/download/G930FXXU5ESD2/270504
cooltt said:
Correct, basically turn FRP lock off; it's a pain in the ass.
Also @kettir, this is the final release of BTU, not the one you have in your post: https://www.sammobile.com/samsung/galaxy-s7/firmware/SM-G930F/BTU/download/G930FXXU5ESD2/270504
Thanks for more great advice and info. It appears that now the requirements are:
1. Download the latest BTU as per your note, because I like it better.
2. Flash it to attain a "stock" system.
3. Go through the minimum setup after reboot and get developer options.
4. Set up the Google account.
5. Enable OEM unlocking (and USB debugging, of course).
6. Flash TWRP.
7. Go into recovery immediately.
8. Use TWRP to flash Magisk.
9. Go back into download mode immediately.
10. Flash only the AP from the stock firmware.
And this might, possibly, achieve root with magisk, while keeping the stock bootloader. That is, if I understand what TWRP and magisk are actually doing to the system. I.e., TWRP replaces the system part that handles recovery, while magisk roots the phone without changing the system, so that TWRP is the problem for FRP.
Hello,
I had a problem with my Samsung J7 Prime (SM-G610M) biometric reader, and now the only way to access the phone is through the password, which I can't remember anymore.
I tried installing a custom recovery (TWRP) with Odin, then removing the password file and recovering my photos. When I try to install TWRP I get the message "custom binary blocked by FRP lock".
USB debug is not enabled.
Is there any possibility of circumventing this protection?
This should be easily resolved by flashing the latest firmware for your device in Odin. Just make sure you choose CSC and not Home CSC. You will lose all your data and internal memory but will have your phone back. It doesn't matter if you have not enabled USB debugging, as you will be in download mode. I assume that you did not unlock the bootloader, which is the reason why you are FRP locked.
Is it possible to lock the bootloader with TWRP and a custom ROM installed and still use the device? Can I still flash ROMs in TWRP without hard/soft bricking my POCO?
Ungeskriptet said:
Is it possible to lock the bootloader with TWRP and a custom ROM installed and still use the device? Can I still flash ROMs in TWRP without hard/soft bricking my POCO?
Short answer: No, it's not feasible to do that. The reason behind that is AVB 2.0 (Android Verified Boot). It checks for a pre-existing hash of all partitions signed by the OEM key (in this case Xiaomi). If conflicts are found and the bootloader is in the locked state, the result would be a fatal error, and it would skip booting the OS and go to repair mode (aka EDL mode), which you can access on Xiaomi devices only if you have a verified EDL account.
Besides, even if you modified the bootloader binary or signed the twrp.img with the OEM key (which you don't have access to), you wouldn't be able to flash anything anyway, since the device would consider any modifications after that a fatal error as well and won't boot.
Long answer: read up on the following topics:
1- Android verified boot https://android.googlesource.com/platform/external/avb/+/master/README.md
2- FROST attack on unlocked bootloader (The reason android implemented avb) https://www.cs1.tf.fau.de/research/system-security-group/frost/
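A runnable model of the verified-boot decision discussed in this answer and in the Pixel 2 thread above (the "red" state after re-locking with a modified boot image, and the possibility of enrolling a custom key before re-locking). This is an added illustration, not code from AVB, Xiaomi or any post: partition images and keys are constructed, and an HMAC with a shared secret stands in for the OEM's RSA signature so the example runs with only the standard library (a real bootloader verifies with a public key it carries). The boot-state names follow the AVB green/yellow/orange/red model.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for signing keys. Real AVB uses RSA public keys baked into
# the bootloader; HMAC is used here only to keep the example dependency-free.
OEM_KEY = b"oem-signing-key (constructed)"
USER_KEY = b"user-enrolled-key (constructed)"

# Constructed partition images standing in for the real boot/system/vendor images.
STOCK = {
    "boot": b"stock boot image (constructed)",
    "system": b"stock system image (constructed)",
    "vendor": b"stock vendor image (constructed)",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_vbmeta(partitions: dict, signing_key: bytes) -> dict:
    """Build a vbmeta-like structure: one hash descriptor per partition plus a
    signature over all of them (signed at build time by whoever holds the key)."""
    payload = "\n".join(f"{name}:{_digest(img)}" for name, img in sorted(partitions.items())).encode()
    return {"payload": payload, "sig": hmac.new(signing_key, payload, hashlib.sha256).digest()}


def _signed_by(vbmeta: dict, key: bytes) -> bool:
    expected = hmac.new(key, vbmeta["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, vbmeta["sig"])


def _hashes_match(vbmeta: dict, partitions: dict) -> bool:
    """Every descriptor in the signed vbmeta must match the partition on the device."""
    for line in vbmeta["payload"].decode().splitlines():
        name, expected = line.split(":", 1)
        if name not in partitions or _digest(partitions[name]) != expected:
            return False
    return True


@dataclass
class BootDecision:
    state: str   # green / yellow / orange / red
    boots: bool
    reason: str


def verify_boot(partitions: dict, vbmeta: dict, locked: bool, user_key: bytes = None) -> BootDecision:
    """Bootloader-side decision: who signed vbmeta, do the hashes match, is the device locked."""
    if not locked:
        # Unlocked: verification results are not enforced (orange state).
        return BootDecision("orange", True, "unlocked: verification not enforced")
    if _signed_by(vbmeta, OEM_KEY):
        signer = "oem"
    elif user_key is not None and _signed_by(vbmeta, user_key):
        signer = "user"
    else:
        return BootDecision("red", False, "vbmeta not signed by a trusted key")
    if not _hashes_match(vbmeta, partitions):
        return BootDecision("red", False, "partition hash mismatch against signed vbmeta")
    if signer == "oem":
        return BootDecision("green", True, "stock images, OEM signature")
    return BootDecision("yellow", True, "user-enrolled key; warning screen shown at boot")


def scenarios() -> dict:
    """The cases discussed in the thread, evaluated by the model above."""
    stock_vbmeta = build_vbmeta(STOCK, OEM_KEY)
    modded = dict(STOCK, boot=b"boot image with custom recovery patched in (constructed)")
    user_vbmeta = build_vbmeta(modded, USER_KEY)   # vbmeta rebuilt and signed with the user's key
    return {
        "stock_locked": verify_boot(STOCK, stock_vbmeta, locked=True),
        "modded_unlocked": verify_boot(modded, stock_vbmeta, locked=False),
        "modded_relocked": verify_boot(modded, stock_vbmeta, locked=True),
        "modded_user_key_enrolled": verify_boot(modded, user_vbmeta, locked=True, user_key=USER_KEY),
        "modded_user_key_not_enrolled": verify_boot(modded, user_vbmeta, locked=True),
    }


if __name__ == "__main__":
    for name, d in scenarios().items():
        print(f"{name:30} {d.state:7} boots={d.boots!s:5} {d.reason}")
```

The "modded_relocked" case is the brick scenario: the OEM-signed vbmeta is intact, but the boot partition no longer matches its descriptor, so a locked bootloader refuses to boot. The "modded_user_key_enrolled" case is the yellow state some devices offer when a custom root of trust is enrolled before re-locking; it keeps verification enforced, which is exactly what a recovery that ignores package signatures undermines.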
I installed a custom operating system (LineageOS for microG) and a custom recovery environment (TWRP) on my OnePlus 3T recently. The bootloader had to be unlocked to do this, of course.
As far as I understand, locking it again would prevent the phone from booting as custom operating systems are not signed with the phone manufacturer's keys. This also applies to custom recoveries, is that correct?
What are the exact security drawbacks of having an unlocked bootloader? Assuming the phone is encrypted, protected with a strong PIN code, developer mode and USB debugging options disabled, and there's an attacker who has physical access to the phone so he/she can boot the phone to bootloader or recovery interface using the special buttons.
Encryption should protect the user data, at least from unsophisticated attackers, but can the attacker install malicious software into the phone?
With an unlocked bootloader, does the phone respond to fastboot or ADB commands from a computer even if developer mode and USB debugging are disabled?
What is the difference if these options are disabled, the bootloader is locked and the "OEM unlock" option in the menu is also disabled?
Considering my possible phone upgrade in the far future, is there a phone that allows one to insert custom signing keys into the bootloader so that the bootloader could be kept locked while having a custom ROM? Or to flash an entirely custom bootloader with custom signing keys?
An unlocked bootloader allows the modification of the partitions and access to your data from a custom recovery.
All I know is that an unlocked bootloader is easier to root, as commands can be sent to the device using the fastboot protocol used to boot it, so it is not necessary to take advantage of an exploit on the device in order to root it.
Roizoulou said:
An unlocked bootloader allows the modification of the partitions and access to your data from a custom recovery.
So a threat actor with physical access to the phone could then install malware using the recovery environment, without the user ever noticing it?
Encryption should protect the data but having malware in the phone would quickly compromise it.
Stephanie_Sy said:
All I know is that an unlocked bootloader is easier to root, as commands can be sent to the device using the fastboot protocol used to boot it, so it is not necessary to take advantage of an exploit on the device in order to root it.
Hm, so this means that a phone with an unlocked bootloader will reply to fastboot commands from a computer even if developer/debug settings etc. are not enabled inside the main OS?
novabright said:
So a threat actor with physical access to the phone could then install malware using the recovery environment, without the user ever noticing it?
Encryption should protect the data but having malware in the phone would quickly compromise it.
Hm, so this means that a phone with an unlocked bootloader will reply to fastboot commands from a computer even if developer/debug settings etc. are not enabled inside the main OS?
1. yes
2. yes