Can we re-lock the boot loader on Pixel devices if the device is rooted and modded with custom boot and recovery partitions? I heard that it will brick the device when you try to re-lock the boot loader.
Also what if recovery partition ever gets corrupted and a user never had enabled OEM unlocking for the boot loader in the developer option as set as default, and the boot loader is locked as is, user can'f flash the factory images and /or full OTA from ADB.
I'm no expert but from what I've read 'Never relock the bootloader unless you are 10000% sure it's full stuck' and if I remember correctly there is no recovery partition on A/B slot builds which is why a brick is a non recoverable scenario (check that out just in case I'm wrong)
I've unlocked my bootloader and it ain't getting relocked after reading through heaps of bricked pixel threads, best to be safe than bricked.
Yep @junglism93 is right, only re-lock bootloader if you are 100% stock and unrooted to avoid bricks. Also Pixel doesn't have a recovery partition, everything happens in the boot partition, that means that in case of problems if you don't want to reflash the whole factory image (which needs unlocked bootloader), you can just reflash boot.img on slot-a and slot-b (which needs unlocked bootloader anyway).
I unlocked my bootloader straight after the unboxing and I can tell it's like a life saviour, if any problem occurs you can always solve it with an unlocked bootloader.
TENN3R said:
Yep @junglism93 is right, only re-lock bootloader if you are 100% stock and unrooted to avoid bricks. Also Pixel doesn't have a recovery partition, everything happens in the boot partition, that means that in case of problems if you don't want to reflash the whole factory image (which needs unlocked bootloader), you can just reflash boot.img on slot-a and slot-b (which needs unlocked bootloader anyway).
I unlocked my bootloader straight after the unboxing and I can tell it's like a life saviour, if any problem occurs you can always solve it with an unlocked bootloader.
Click to expand...
Click to collapse
That seems like a crazy partition scheme on the device. I can't stand that dreaded unlock screen at the startup. plus you never know for sure if that OEM unlock switch in the developer menu will stay enabled all the time and not accidentally get disabled after modding your device so you're just having a very vulnerable device if it is modded...eh?
I wonder if there is a pure Android device which does not have such restrictions and/or actually comes pre-rooted?
Related
Hi there:
So, I've decided to unroot and relock my Xoom 4G, in anticipation of the official JB release. When I lock the bootloader (fastboot oem lock), the device locks, reboots, then comes up with the "Failed image SOS 0x0002" error. If I then unlock the bootloader, it boots into Honeycomb just fine.
Now, I'm assuming that I need my bootloader locked to do the upgrade, because there is a small update I'm notified on (HLK75F), and when I try to install it, the devices reboots, and I get the yellow bang and can go no further until a hard reset.
So, I can't boot with locked bootloader; can't do updates with an unlocked bootloader.
Can anyone advise?
Thanks!
shmengie said:
Hi there:
So, I've decided to unroot and relock my Xoom 4G, in anticipation of the official JB release. When I lock the bootloader (fastboot oem lock), the device locks, reboots, then comes up with the "Failed image SOS 0x0002" error. If I then unlock the bootloader, it boots into Honeycomb just fine.
Now, I'm assuming that I need my bootloader locked to do the upgrade, because there is a small update I'm notified on (HLK75F), and when I try to install it, the devices reboots, and I get the yellow bang and can go no further until a hard reset.
So, I can't boot with locked bootloader; can't do updates with an unlocked bootloader.
Can anyone advise?
Thanks!
Click to expand...
Click to collapse
You can do updates with an unlocked bootloader as long as it is stock. The lock doesn't have anything to do with that.
However: The fact that it can't boot when locked suggests that your not back to 100% stock. Re-download images for your Xoom from http://developer.motorola.com/products/software/ and re-flash them.
airesch said:
The fact that it can't boot when locked suggests that your not back to 100% stock.
Click to expand...
Click to collapse
Incorrect. If you've been running with your bootloader unlocked, then decide to lock it, 99% of the time it won't boot, even if you're running 100% stock. For example, if you're on stock 4.0.4 with an unlocked bootloader, then decide to re-lock it, it won't boot. If your bootloader is unlocked, the only way your Xoom will boot after locking it is to install one of the firmware packages listed for your device at http://developer.motorola.com/xoomsoftware, as you correctly pointed out. Once you flash those images with fastboot, you can then lock your bootloader and it will boot. Once it boots, just keep applying the system updates as it prompts you and eventually you'll end up on the latest version available for your device.
oldblue910 said:
Incorrect. If you've been running with your bootloader unlocked, then decide to lock it, 99% of the time it won't boot, even if you're running 100% stock. For example, if you're on stock 4.0.4 with an unlocked bootloader, then decide to re-lock it, it won't boot. If your bootloader is unlocked, the only way your Xoom will boot after locking it is to install one of the firmware packages listed for your device at http://developer.motorola.com/xoomsoftware, as you correctly pointed out. Once you flash those images with fastboot, you can then lock your bootloader and it will boot. Once it boots, just keep applying the system updates as it prompts you and eventually you'll end up on the latest version available for your device.
Click to expand...
Click to collapse
The cause of that 99% is because rooting the Xoom also changes the boot image (to set certain parameters,) and unless you have the clean boot image (of the right version that your updates are at,) it's not 100% stock. Even then, sometimes the rooting process (or if you have also installed busybox and not uninstalled it,) can update timestamps on folders in the system image which will foul up the checksums. I have restored a nandroid of my stock installs, re-flashed the boot and recovery to the right versions, and had it relock successfully several times. The trick is to have those images so all the checksums line up.
Lesson here: If it won't boot when locked, then it wasn't exatcly 100%.
Thanks, guys. I will try redownloading the img files and go through the fastboot commands again.
airesch said:
Lesson here: If it won't boot when locked, then it wasn't exatcly 100%.
Click to expand...
Click to collapse
False. Run unrooted pure stock 4.0.4 on an unlocked bootloader. After that, lock your bootloader and watch what happens.
Also, rooting only modifies your boot image if you use one of those pointless universal root methods. If you simply unlock, flash a mod recovery, and flash the Superuser ZIP from androidsu.com, it leaves the boot image untouched. An insecure boot image is only needed if you want root access in ADB, which 99% of rooted users couldn't care less about.
Sent from my Nexus S using Tapatalk 2
When i did the OTA update, the device is bootlooping. Unfortunately i dont have an unlocked bootloader and have no way of unlocking it as the phone needs to restart to unlock the bootloader. It still stays locked after go to fastboot mode again. I have the stock image from google but have no way of flashing it. Is there anyway to unlock the bootloader without having to restart?
The bootloader relocks itself after reboot? If it does, the emmc is defective and cannot be repaired by reflashing a stock rom or custom rom.
I really hate that boot screen that makes you think your phone is going to blow up because the bootloader is unlocked... I realize that having it unlocked is perfectly fine, and with Magisk, all the Google security stuff still works just fine.. I also know that an unlocked booloader makes it much easier to flash updates (flash-all but remove the -w) ... So please don't try to explain why I should leave my bootloader unlocked.
WIth my HTC phones, unlocking the bootloader would erase the phone (obviously, and just like the Pixel 2). Locking the bootloader wouldn't erase the phone on the HTC, but with the Pixel 2, the instructions say that it WILL ERASE THE PHONE.
With the HTC, the wipe happened in recovery, so if I had TWRP installed, the phone wouldn't erase... I could easily switch between locked and unlocked, and as long as I had TWRP installed, the phone would "think" it was going to erase, but I stopped it.
So my question is... Does the Pixel 2 wipe the phone on lock/unlock through recovery? If so, can I lock the phone with TWRP installed in recovery and prevent that lock? I know I can make a backup and try it and see, but since the Feb update, getting into a decrypted recovery has become a pain (remove pin/password, reboot, reboot to recovery, do what you want, reboot to system, add the pin/password, add fingerprint, open EVERY SINGLE APP THAT USES FINGERPRINT AND SET LOGIN AND REGISTER THE FINGERPRINT - it frustrates me, in case you can't tell).
You cannot flash TWRP unless you are unlocked so at this time there is no way to unlock the bootloader without a full wipe.
I think you misunderstood the question. I have unlocked the bootloader (let it wipe) and installed TWRP. I want to know if the re-lock will wipe through recovery (and therefore be stopped by TWRP) or if it does the wipe using some other method (and therefore wiping regardless).
1. You won't be able to maintain your userdata while switching between locked and unlocked states.
2. You will likely not be able to boot your device either after locking your phone.
For 1)
The Pixel 2 enables FBE (filesystem-based encryption) by default for your userdata partition. The encryption keys are derived from a hardware secret (accessible only from TrustZone), the RSA public key that was used to sign the boot image and a flag (whether it is locked or unlocked). The latter parameters are provided by the bootloader (lk) to the Keymaster trustlet (running in TrustZone).
If any of these parameters change, then the encryption keys will change as well. As a result, your files will remain inaccessible even if you were hypothetically able to flip the lock state.
For 2)
Unlocking the bootloader (fastboot flashing unlock) will disable verification of the boot image. TWRP is installed by modifying the boot image (in both the "a" and "b" slots) which invalidates the Verified Boot signature that covers this boot image (stored in the vbmeta partition). When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Source: reading the lk source code and various Android documentation such as https://source.android.com/security/encryption/file-based
Lekensteyn said:
When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Click to expand...
Click to collapse
The signature of the Custom ROM (Official LineageOS) can be integrated into the bootloader before re-locking the bootloader.
But this is the problem: "Lineage Recovery is also built in userdebug mode, that's a problem. When Lineage recovery is built this way, it allows any package, signed or unsigned, to be installed on your phone. This effectively negates the benefits of locking the bootloader. [...] In fact most custom ROMs simply use TWRP or another third party recovery which has the same issues as they are designed to never even look at the signatures of the packages they are flashing to your device."
"A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I?: LineageOS"
https://www.reddit.com/r/LineageOS/comments/n7yo7u
I was experiencing some minor glitches the past couple of weeks after taking the Android 10 OTA, so I decided to a factory reset and flash the Android 10 image. I had to unlock the bootloader to do that of course.
Now I'm realizing I need to re-lock the bootloader so that it's not in this insecure state. However I'm reading that re-locking the bootloader wipes the device (which returns it to Pie?) I'm also reading it can brick the phone if custom data is written.
When exactly do I re-lock the bootloader to preserve my clean install of Android 10?
terrapin01 said:
I was experiencing some minor glitches the past couple of weeks after taking the Android 10 OTA, so I decided to a factory reset and flash the Android 10 image. I had to unlock the bootloader to do that of course.
Now I'm realizing I need to re-lock the bootloader so that it's not in this insecure state. However I'm reading that re-locking the bootloader wipes the device (which returns it to Pie?) I'm also reading it can brick the phone if custom data is written.
When exactly do I re-lock the bootloader to preserve my clean install of Android 10?
Click to expand...
Click to collapse
If you're completely stock you can lock the bootloader. Before you do i would make sure you can boot into the stock recovery as sometimes flashing an ota in the stock recovery is the only way to recover your device if the bootloader is locked. Locking will wipe your device, but it won't change the operating system you're currently on. So if you're on andriod 10 it'll still be 10 after a wipe.
This is the case, I have a problem with the Flash ROM, now the phone can go into fastboot, but there is no Recovery, and the phone's bootloader is locked.
You're going to have to give a bit more detail if you want help from this community.
For example:
What phone variant do you have?
What did you have on your phone when it was running properly? i.e stock android, locked bootloader, rooted etc.
What 'Flash ROM" do you mean a factory image or custom ROM?
What had been trying to do to your phone i.e upgrade from Android 9 to 10 by sideloading an image?
Had you previously unlocked the bootloader?
I'm not saying that I will ultimately be able to resolve your issues but the more info you give the more likely someone here will.
Now,my pixel 3 can not work,the bootload is locked.when I select recovery by fastboot,The phone noticed me can not find vaild operating system,the device will not start.
I used to unlock the bootloader, it is because I locked the bootloader that this situation has occurred.
Can you unlock the bootloader again in fastboot?
wangdaning said:
Can you unlock the bootloader again in fastboot?
Click to expand...
Click to collapse
When I lock my devices bootload,then this devices auto wipe data, so I think oem unlock is not open.And I can not unlock bootload.