Re-lock bootloader without erase? - Google Pixel 2 Questions & Answers

I really hate that boot screen that makes you think your phone is going to blow up because the bootloader is unlocked... I realize that having it unlocked is perfectly fine, and with Magisk, all the Google security stuff still works just fine.. I also know that an unlocked bootloader makes it much easier to flash updates (flash-all but remove the -w) ... So please don't try to explain why I should leave my bootloader unlocked.
With my HTC phones, unlocking the bootloader would erase the phone (obviously, and just like the Pixel 2). Locking the bootloader wouldn't erase the phone on the HTC, but with the Pixel 2, the instructions say that it WILL ERASE THE PHONE.
With the HTC, the wipe happened in recovery, so if I had TWRP installed, the phone wouldn't erase... I could easily switch between locked and unlocked, and as long as I had TWRP installed, the phone would "think" it was going to erase, but I stopped it.
So my question is... Does the Pixel 2 wipe the phone on lock/unlock through recovery? If so, can I lock the phone with TWRP installed in recovery and prevent that lock? I know I can make a backup and try it and see, but since the Feb update, getting into a decrypted recovery has become a pain (remove pin/password, reboot, reboot to recovery, do what you want, reboot to system, add the pin/password, add fingerprint, open EVERY SINGLE APP THAT USES FINGERPRINT AND SET LOGIN AND REGISTER THE FINGERPRINT - it frustrates me, in case you can't tell).

You cannot flash TWRP unless you are unlocked so at this time there is no way to unlock the bootloader without a full wipe.

I think you misunderstood the question. I have unlocked the bootloader (let it wipe) and installed TWRP. I want to know if the re-lock will wipe through recovery (and therefore be stopped by TWRP) or if it does the wipe using some other method (and therefore wiping regardless).

1. You won't be able to maintain your userdata while switching between locked and unlocked states.
2. You will likely not be able to boot your device either after locking your phone.
For 1)
The Pixel 2 enables FBE (filesystem-based encryption) by default for your userdata partition. The encryption keys are derived from a hardware secret (accessible only from TrustZone), the RSA public key that was used to sign the boot image and a flag (whether it is locked or unlocked). The latter parameters are provided by the bootloader (lk) to the Keymaster trustlet (running in TrustZone).
If any of these parameters change, then the encryption keys will change as well. As a result, your files will remain inaccessible even if you were hypothetically able to flip the lock state.
For 2)
Unlocking the bootloader (fastboot flashing unlock) will disable verification of the boot image. TWRP is installed by modifying the boot image (in both the "a" and "b" slots) which invalidates the Verified Boot signature that covers this boot image (stored in the vbmeta partition). When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Source: reading the lk source code and various Android documentation such as https://source.android.com/security/encryption/file-based
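The key-binding argument in point 1 above, as an added illustration that is not Keymaster's real code: a simplified HKDF-style derivation in which the FBE key depends on the hardware secret, the boot-signing public key and the lock flag, so flipping either public input yields a different key and the existing userdata stays unreadable. All secrets and keys below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not real device secrets or keys).
HW_SECRET = b"constructed-trustzone-hardware-secret"
OEM_PUBKEY = b"constructed-oem-boot-signing-public-key"
CUSTOM_PUBKEY = b"constructed-custom-boot-signing-public-key"


def derive_fbe_key(hw_secret: bytes, signing_pubkey: bytes, locked: bool) -> bytes:
    """Simplified HKDF-style derivation: the output depends on all three inputs.

    The hardware secret is the keying material; the signing-key hash and the
    lock flag are the public "salt" that the bootloader reports to TrustZone.
    """
    pubkey_hash = hashlib.sha256(signing_pubkey).digest()
    lock_flag = b"\x01" if locked else b"\x00"
    # Extract step: mix the hardware secret with the salt.
    prk = hmac.new(pubkey_hash + lock_flag, hw_secret, hashlib.sha256).digest()
    # Expand step: one 32-byte output block labelled for its purpose.
    return hmac.new(prk, b"fbe-userdata-key" + b"\x01", hashlib.sha256).digest()


def can_decrypt(stored_key: bytes, signing_pubkey: bytes, locked: bool) -> bool:
    """userdata is readable only if the re-derived key equals the one it was encrypted under."""
    candidate = derive_fbe_key(HW_SECRET, signing_pubkey, locked)
    return hmac.compare_digest(stored_key, candidate)


# userdata was encrypted after the (wiping) unlock, under the stock signing key.
KEY_AT_ENCRYPTION = derive_fbe_key(HW_SECRET, OEM_PUBKEY, locked=False)


def scenarios() -> dict:
    """What happens to the existing userdata under each state change."""
    return {
        "same state": can_decrypt(KEY_AT_ENCRYPTION, OEM_PUBKEY, locked=False),
        "relocked": can_decrypt(KEY_AT_ENCRYPTION, OEM_PUBKEY, locked=True),
        "custom key": can_decrypt(KEY_AT_ENCRYPTION, CUSTOM_PUBKEY, locked=False),
    }


if __name__ == "__main__":
    for name, readable in scenarios().items():
        print(f"{name:>10}: userdata {'readable' if readable else 'UNREADABLE'}")
```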

Lekensteyn said:
When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
The signature of the Custom ROM (Official LineageOS) can be integrated into the bootloader before re-locking the bootloader.
But this is the problem: "Lineage Recovery is also built in userdebug mode, that's a problem. When Lineage recovery is built this way, it allows any package, signed or unsigned, to be installed on your phone. This effectively negates the benefits of locking the bootloader. [...] In fact most custom ROMs simply use TWRP or another third party recovery which has the same issues as they are designed to never even look at the signatures of the packages they are flashing to your device."
"A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I?: LineageOS"
https://www.reddit.com/r/LineageOS/comments/n7yo7u

Related

Is it possible to have a locked bootloader and root simultaneously?

I was wondering if there is a way to disable the warning screen or relock the bootloader while keeping the root and recovery.
Every time I try it, it says it can no longer find a valid operating system.
Plain and simple, no, there is no way for our phones. If your bootloader is unlocked, the warning screen will always show, and your bootloader must be unlocked in order for Magisk to run and root to be allowed.
Currently no. The reason is that to have root, you have to have a patched boot image, and to have a patched boot image, you need to be able to have an unlocked bootloader to allow flashing of /boot from recovery. "Locked" rooting would involve an exploit that would undoubtedly get fixed quickly. Also, keep in mind that the Pixel 2/XL do not have dedicated recovery partitions, but that recovery itself also resides in /boot.

Lock/Unlock boot loader?

Can we re-lock the boot loader on Pixel devices if the device is rooted and modded with custom boot and recovery partitions? I heard that it will brick the device when you try to re-lock the boot loader.
Also, what if the recovery partition ever gets corrupted and a user never enabled OEM unlocking for the boot loader in the developer options (which is the default), and the boot loader is locked as is? The user can't flash the factory images and/or full OTA from ADB.
I'm no expert but from what I've read 'Never relock the bootloader unless you are 10000% sure it's full stuck' and if I remember correctly there is no recovery partition on A/B slot builds which is why a brick is a non recoverable scenario (check that out just in case I'm wrong)
I've unlocked my bootloader and it ain't getting relocked after reading through heaps of bricked pixel threads, best to be safe than bricked.
Yep @junglism93 is right, only re-lock bootloader if you are 100% stock and unrooted to avoid bricks. Also Pixel doesn't have a recovery partition, everything happens in the boot partition, that means that in case of problems if you don't want to reflash the whole factory image (which needs unlocked bootloader), you can just reflash boot.img on slot-a and slot-b (which needs unlocked bootloader anyway).
I unlocked my bootloader straight after the unboxing and I can tell it's like a life saviour, if any problem occurs you can always solve it with an unlocked bootloader.
TENN3R said:
Yep @junglism93 is right, only re-lock bootloader if you are 100% stock and unrooted to avoid bricks. Also Pixel doesn't have a recovery partition, everything happens in the boot partition, that means that in case of problems if you don't want to reflash the whole factory image (which needs unlocked bootloader), you can just reflash boot.img on slot-a and slot-b (which needs unlocked bootloader anyway).
I unlocked my bootloader straight after the unboxing and I can tell it's like a life saviour, if any problem occurs you can always solve it with an unlocked bootloader.
That seems like a crazy partition scheme on the device. I can't stand that dreaded unlock screen at the startup. plus you never know for sure if that OEM unlock switch in the developer menu will stay enabled all the time and not accidentally get disabled after modding your device so you're just having a very vulnerable device if it is modded...eh?
I wonder if there is a pure Android device which does not have such restrictions and/or actually comes pre-rooted?

Help! how to re-lock bootloader with magisk models?

As the title says: I have a 1+8 device and have unlocked the bootloader, but I want to keep my Magisk modules and re-lock it. I also flashed TWRP and EdXposed. Could I re-lock using a custom vbmeta partition, or modify my aboot to remove boot verification? If I directly use "fastboot oem lock", it shows a message saying my device is corrupt or something, in red. Could these methods jailbreak Google's boot verification, disable/ignore these red letters, and directly boot Hydrogen OS or Oxygen OS? Thanks
Markpeng0315 said:
As the title says: I have a 1+8 device and have unlocked the bootloader, but I want to keep my Magisk modules and re-lock it. I also flashed TWRP and EdXposed. Could I re-lock using a custom vbmeta partition, or modify my aboot to remove boot verification? If I directly use "fastboot oem lock", it shows a message saying my device is corrupt or something, in red. Could these methods jailbreak Google's boot verification, disable/ignore these red letters, and directly boot Hydrogen OS or Oxygen OS? Thanks
You can't have a locked bootloader with any changes to system like that, or verified boot will not let it boot up, as you've seen, and there's really no way around that.
If you change aboot, it still won't boot.
If I modify the vbmeta partition and completely change the verification files, is it possible? Or could I flash a boot file modified from an older Android version to skip this limit? Thanks
Not possible, but I do not understand why you would even worry about unrooting. I see no possible reason why you would even risk bricking your device!
But if it means so much to you go ahead, and then you will know why.
I recommend against it, you will basically have a paperweight. When you relock the system checks for a signature, if it is not found, then the phone won't boot. Or something like that.
Markpeng0315 said:
As the title says: I have a 1+8 device and have unlocked the bootloader, but I want to keep my Magisk modules and re-lock it. I also flashed TWRP and EdXposed. Could I re-lock using a custom vbmeta partition, or modify my aboot to remove boot verification? If I directly use "fastboot oem lock", it shows a message saying my device is corrupt or something, in red. Could these methods jailbreak Google's boot verification, disable/ignore these red letters, and directly boot Hydrogen OS or Oxygen OS? Thanks
Sounds like you want to modify the boot.img and create a sub partition to force boot a custom firmware? If that's the case then you seem to know about coding or at least modifying firmware. So why don't you just download OnePlus 8 firmware, create a virtual SDK and play around with the new Android 10 firmware. Because even if you did these modification on other phones it stands to reason that they were on older Android builds. This will keep your phone safe and give you the opportunity to test your theory. Happy modding!

Lock Bootloader with TWRP and custom ROM?

Is it possible to lock the bootloader with TWRP and a custom ROM installed and still use the device? Can I still flash ROMs in TWRP without hard/soft bricking my POCO?
Ungeskriptet said:
Is it possible to lock the bootloader with TWRP and a custom ROM installed and still use the device? Can I still flash ROMs in TWRP without hard/soft bricking my POCO?
Short Answer: No, it's not feasible to do that; the reason behind that is AVB 2.0 (Android Verified Boot). It checks for a pre-existing hash of all partitions signed by the OEM key (in this case Xiaomi). If there are conflicts found and the Bootloader is in the Locked state, the result would be a Fatal Error and it would skip booting the OS to go to repair mode (aka EDL mode), which you can access on Xiaomi devices only if you have a verified EDL account.
Besides, even if you modify the Bootloader Binary or sign the twrp.img with the OEM key (which you don't have access to), you wouldn't be able to flash anything anyway, since the device would consider any modifications after that a fatal error as well and won't boot.
Long Answer: read up on the following topics:
1- Android verified boot https://android.googlesource.com/platform/external/avb/+/master/README.md
2- FROST attack on unlocked bootloader (The reason android implemented avb) https://www.cs1.tf.fau.de/research/system-security-group/frost/
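The AVB check the answer above describes, as an added model that is not libavb or any OEM's bootloader: vbmeta carries one hash descriptor per partition and is signed by the OEM key (an HMAC stands in for the RSA signature here), and the bootloader lands in orange (unlocked, no check), green (locked and everything verifies) or red (locked and a descriptor or signature fails, so no boot). Images and keys are constructed sample values.

```python
import hashlib
import hmac

OEM_KEY = b"constructed-oem-signing-key"  # constructed; the OEM's key is never public


def make_vbmeta(partitions: dict, key: bytes) -> dict:
    """Build a vbmeta-like structure: SHA-256 descriptor per partition, signed body."""
    descriptors = {name: hashlib.sha256(img).hexdigest() for name, img in partitions.items()}
    body = "|".join(f"{n}:{d}" for n, d in sorted(descriptors.items())).encode()
    signature = hmac.new(key, body, hashlib.sha256).digest()  # stand-in for RSA
    return {"descriptors": descriptors, "body": body, "signature": signature}


def boot_state(vbmeta: dict, partitions: dict, locked: bool, oem_key: bytes = OEM_KEY) -> str:
    """Return the verified-boot state the bootloader would end up in."""
    if not locked:
        return "orange"  # unlocked: warning screen, verification skipped, device boots
    expected_sig = hmac.new(oem_key, vbmeta["body"], hashlib.sha256).digest()
    sig_ok = hmac.compare_digest(vbmeta["signature"], expected_sig)
    hashes_ok = all(
        hashlib.sha256(partitions[name]).hexdigest() == digest
        for name, digest in vbmeta["descriptors"].items()
    )
    # Locked and verified: green. Locked and anything mismatches: red, no boot.
    return "green" if sig_ok and hashes_ok else "red"


# Constructed stock images and the vbmeta the OEM would ship with them.
STOCK = {"boot": b"constructed stock boot.img", "system": b"constructed stock system.img"}
VBMETA = make_vbmeta(STOCK, OEM_KEY)


def scenarios() -> dict:
    patched = dict(STOCK, boot=b"constructed boot.img with TWRP/Magisk patched in")
    # Re-signing vbmeta with a key the OEM never used does not satisfy the check either.
    resigned = make_vbmeta(patched, b"constructed-key-that-is-not-the-oem-key")
    return {
        "stock, locked": boot_state(VBMETA, STOCK, locked=True),
        "patched boot, unlocked": boot_state(VBMETA, patched, locked=False),
        "patched boot, locked": boot_state(VBMETA, patched, locked=True),
        "patched boot, re-signed vbmeta, locked": boot_state(resigned, patched, locked=True),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:<40} -> {state}")
```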

Genuine Bootloader

Can the oem bootloader be replaced?
If the bootloader is locked, can you be sure the Recovery/System partitions are untouched?
Recovery - where it doesn't matter whether it's Stock or Custom - is simply a menu from which you can select actions to perform and apply; the lock state of the device's bootloader basically isn't of interest.
The System partition can get tampered with as soon as it gets mounted as RW, where it doesn't matter whether the device's bootloader is locked or unlocked, but whether the device's Android got rooted or not.
Thank you for replying.
I'm asking about replacing the bootloader system itself and not the recovery.
How can you root without an open bootloader on a modern phone??
The AVB won't let you boot at all(since android 8).
I tried to answer 2nd question in your 1st post here. I can't help it if you didn't realize it.
To answer the question you asked above:
Rooting is the act of unlocking the Android OS to gain complete control over the device through which you can access hidden files or install certain special apps. Rooting Android OS simply means to add Superuser functionality to it.
Again:
Device's bootloader MUST NOT get unlocked in order to root Android. Even device's /system partition must not get touched in order to root Android: hence bootloader's DM-VERITY / AVB must not get disabled.
Last note: I no longer participate in this thread ...
