Up to this point, what I understand is that the OEMs hold keys that they use to sign the binaries as trusted, such that only what they sign will be accepted and everything else will be rejected. Well, some devices I see can simply unlock using the fastboot flashing unlock command when the OEM Unlocking option is turned on in developer mode; however, some devices such as the ones from Xiaomi require their own special software to unlock the bootloader, which they say is to prevent attackers from stealing the phone data. Well, one can easily flash firmware from Xiaomi without unlocking the bootloader. How do they do that? Does their proprietary software use some kind of keys that sign the firmware files? If so, do you know if it would be possible to replace the keys they use to sign?
Android's user data at any time can get stolen by hackers: here it doesn't matter whether device's bootloader is locked or unlocked.
Most Android devices come to the market with a locked bootloader. Locking the bootloader is actually a kind of encryption of the Android system files. OEMs / carriers do so to keep the OS unaltered by the users. And this for good reasons, IMO. One has to respect that their devices will be restricted to running software ROMs provided only by them.
To re-flash a phone's stock ROM, the phone's bootloader must not be unlocked, because the OS is the original one, meaning not altered in any way by the user.
So when we root our phone, our phone is automatically S-Off, right?
And S-Off means the phone is unlocked and we can use it on other networks?
Just want to clear everything up. I thought I needed to buy an unlock code for it to be unlocked, but I just read that S-Off means it's SIM unlocked.
The "S" in S-off stands for security; a stock bootloader comes S-on, or security on. This is to make the device to where you can only install what is considered authorized software, or to be more specific, software that the OEM or the carriers release for the device. Now when you S-off your device you unlock it so that you can flash other software than just the OEM's or carrier's software; this kind of software is referred to as custom software. This type of software includes custom recoveries, custom ROMs, and sometimes custom bootloaders.
Now to unlock your device so that you can use it with another carrier is referred to as SIM unlocking the device. And yes, to SIM unlock your device you need an unlock code. You can generally get these codes from the original carrier you purchased the device from or from different websites that charge for the code.
Rooting your device is something that allows you full control of your device and also allows you to use your device to its full potential. It allows your ROM to have direct communication with the Linux kernel it is running on top of, which gives your device much more functionality. Certain bloatware apps have limited root access, but the ROM itself does not when the device is running stock software.
So I hope you have a little better understanding now of the three. I also hope this answered your question. Cheers.
T-Macgnolia said:
The "S" in S-off stands for security; a stock bootloader comes S-on, or security on. This is to make the device to where you can only install what is considered authorized software, or to be more specific, software that the OEM or the carriers release for the device. Now when you S-off your device you unlock it so that you can flash other software than just the OEM's or carrier's software; this kind of software is referred to as custom software. This type of software includes custom recoveries, custom ROMs, and sometimes custom bootloaders.
Now to unlock your device so that you can use it with another carrier is referred to as SIM unlocking the device. And yes, to SIM unlock your device you need an unlock code. You can generally get these codes from the original carrier you purchased the device from or from different websites that charge for the code.
Rooting your device is something that allows you full control of your device and also allows you to use your device to its full potential. It allows your ROM to have direct communication with the Linux kernel it is running on top of, which gives your device much more functionality. Certain bloatware apps have limited root access, but the ROM itself does not when the device is running stock software.
So I hope you have a little better understanding now of the three. I also hope this answered your question. Cheers.
While I knew this already, that was a great explanation and you've been thanked for it.
maybe this can help you.
http://forum.xda-developers.com/showthread.php?t=1232107
Some people may have doubts about what unlocking the phone is. At first I mistakenly assumed that "unlock" referred to unlocking the phone screen. It's very clear now that this is not true.
Q: So what is unlocking the Phone?
A: There is a lock inside the phone that stops people from using a third-party system, or what we call a custom ROM. (Although many phones are using the Android OS, the system in different brands is not exactly the same. In order to keep the unified feel of their brands, the manufacturers prevent users from using custom ROMs. That's why they set the lock.)
Q: What is the use of unlock?
A: You can use custom ROM after unlock.
Q: Will it brick the phone if unlock failed?
A: A failed unlock has no effect on the phone. If there are some problems during the unlocking process, just take out the battery and restart your phone.
All of these statements are based on personal experience; if wrong, please specify. Thank you for reading.
Purpose of unlocking the phone is to use it on another network
markdc said:
Purpose of unlocking the phone is to use it on another network
Thank you for your addition.
Most of the time when it's unlocked you can use it with many different carriers; check GSM and non-GSM carriers. Carriers like Verizon and Sprint have their own bootloader (brand image upon starting) and a secure stock ROM, so it's somewhat difficult to root their devices. Like my Verizon S6: I've been waiting since the OTA update.
-AndroidPhreak.com
Hello guys, This is my first thread on XDA forum.
I just bought Xiaomi device (Poco X3 Pro Global) a few days ago.
So this is my first time trying a custom ROM. I searched for what I'm trying to do, and I'd like to make sure whether what I understand is correct or not, since I'm totally new to custom ROMs.
the sources I mainly referred to:
source1
source2
Basic assumption:
1. Only flash custom rom without rooting
2. All of the bootloader unlocking and custom ROM flashing process is done perfectly, and all resources (recovery, ROM, ADB tool etc...) used during the process are 100% clean and genuine.
3. No cold boot attack (source2) happens on me.
Q1. source1 is really helpful, but it's from 2012, is this still valid today?
Q2. source1 is posted on the Galaxy Nexus forum, but this applies to all Android-based devices, right?
Q3. This threat model assumes attacker has physical access to device, then I guess unlocking bootloader itself is 100% totally irrelevant to software level security risks like malware or OS vulnerability, is this right? (assuming no rooting and 100% genuine rom and resources)
Q4. From source1 you can choose between [device encryption] and [relocking bootloader] to protect security, which methods do you recommend using?
I feel I'm much more inclined to try the device encryption method, since I don't know if it's possible to relock the bootloader safely after migrating from the Global stock ROM to the xiaomi.eu ROM. (Can anyone confirm this?) I fear it may become bricked during the relocking process.
Q5. So if I set device encryption with a strong password and turn off USB debugging mode, I need not be too worried?
Are there any other points in terms of security to bear in mind if you use device with unlocked bootloader?
Thank you for reading my thread
[INFO] Understanding the risks of having an unlocked bootloader
While unlocking the bootloader on a Galaxy Nexus unleashes the full potential of the bootloader, it also poses a security risk. Even with your lockscreen protected with a pattern/PIN/password, not having flashed a custom recovery, having an...
forum.xda-developers.com
jwoegerbauer said:
[INFO] Understanding the risks of having an unlocked bootloader
While unlocking the bootloader on a Galaxy Nexus unleashes the full potential of the bootloader, it also poses a security risk. Even with your lockscreen protected with a pattern/PIN/password, not having flashed a custom recovery, having an...
forum.xda-developers.com
that's what I linked in thread (source1)
Only a side-remark:
An Android smartphone bootloader is processor-specific, and every OEM has its own version of the bootloader specific to the hardware present in its environment.
It's the primary task of every bootloader to verify that the Android OS to be loaded is genuine, meaning signed by the OEM, to ensure the Android OS (it's by nature a custom ROM) works flawlessly as can be expected by the user. People who use a phone as a tool and not as a toy probably never come up with the idea to unlock the bootloader, because they knew about the strengths and weaknesses of the phone when they bought it; they can expect that the OEM did their best with regards to a phone's performance - OEMs are certainly not dumber than generally claimed by the modder / hacker scene.
My POV: Unlocking a phone's bootloader is an unnecessary action at all. If people do so they indirectly admit that they have purchased a phone that does not meet their expectations - they have made a wrong purchase.
Thanks for comment.
I understand your POV.
I realized later that the Global ROM can't do call recording; that's the main reason why I'm trying to flash the xiaomi.eu ROM, and other optimizations are the second reason.
And this phone will be my main phone so I wanted to make sure about security risk before I will change rom.
cromcromc said:
Thanks for comment.
I understand your POV.
I realized later that the Global ROM can't do call recording; that's the main reason why I'm trying to flash the xiaomi.eu ROM, and other optimizations are the second reason.
And this phone will be my main phone so I wanted to make sure about security risk before I will change rom.
Having an unlocked bootloader doesn't need to be a risk whatsoever as long as you're not flashing untrusted ROMs and other components to the device and critically control anything being flashed to the device. If you're flashing a signed ROM from the manufacturer, as it sounds like is your plan, there is nothing to worry about. You can even lock the BL again after flashing & optimizing if you absolutely wish to, although it's usually not recommended.
I see that I can add user-settable root of trust to the bootloader so I can set custom secure boot keys like PCs at https://source.android.com/docs/security/features/verifiedboot/device-state , so I think I can use a user modified init_boot image (including the magisk patched one) by signing it with my own keypair.
Also, I know that some manufacturers require 7 days for new devices to be unlocked (like Xiaomi) or do not allow user unlock at all. However, authorized repairers can flash signed factory system images without unlocking it. I guess it is implemented by internal (read-only) root of trust. But can I do this with user-settable root of trust part so I can become authorized repairer to my own device?
P.S. I am using a bootloader-unlocked Pixel 4 XL as my major phone now. I have bought a Pixel 7 Pro but not yet switched to it. I am looking for a method to take both security and scalability into account.
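Added example (Go, standard library only; written for this page, not code from any poster, from Android, or from a real bootloader): a toy model of the check a locked bootloader performs, with the two roots of trust the linked device-state page describes, the OEM key fixed at the factory and an optional user-settable key the owner installs. Ed25519 stands in for whatever signature scheme a real OEM uses, the image contents are constructed strings, and the state names follow Android Verified Boot's green (OEM key), yellow (user-settable key), orange (unlocked) and red (verification failed, modelled here as an error). It shows why a user-signed init_boot can boot on a locked device only when the owner's key has been installed as a root of trust, and why a signature under any other key, however valid, is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image is a flashed partition as the bootloader sees it: the payload, the
// signature attached at build time, and the public key the signer embedded.
type Image struct {
	Name   string
	Data   []byte
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Bootloader models the two roots of trust: the OEM key burned in at the
// factory and an optional user-settable key (nil when none is installed).
type Bootloader struct {
	OEMRoot  ed25519.PublicKey
	UserRoot ed25519.PublicKey
	Locked   bool
}

// NewKeypair generates a signing keypair (for the OEM, the owner, or anyone).
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the build-time step: hash the payload and sign the digest.
func SignImage(name string, data []byte, priv ed25519.PrivateKey) Image {
	digest := sha256.Sum256(data)
	return Image{
		Name:   name,
		Data:   data,
		PubKey: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, digest[:]),
	}
}

// Boot verifies every image and returns the verified-boot state it would show:
// "green" (all signed by the OEM root), "yellow" (at least one image signed by
// the user-settable root), "orange" (unlocked, nothing enforced), or an error
// for what a locked device refuses to boot (the "red" case).
func (b Bootloader) Boot(images []Image) (string, error) {
	if !b.Locked {
		// Unlocked: anything flashed over fastboot boots; only the warning differs.
		return "orange", nil
	}
	state := "green"
	for _, img := range images {
		digest := sha256.Sum256(img.Data)
		if !ed25519.Verify(img.PubKey, digest[:], img.Sig) {
			return "", fmt.Errorf("%s: signature does not match contents", img.Name)
		}
		switch {
		case bytes.Equal(img.PubKey, b.OEMRoot):
			// OEM-signed: state unchanged.
		case b.UserRoot != nil && bytes.Equal(img.PubKey, b.UserRoot):
			state = "yellow"
		default:
			// A valid signature under a key that is not a root of trust counts for nothing.
			return "", fmt.Errorf("%s: signing key is not a root of trust", img.Name)
		}
	}
	return state, nil
}

func main() {
	oemPub, oemPriv := NewKeypair()
	ownerPub, ownerPriv := NewKeypair()
	_, otherPriv := NewKeypair()
	// Constructed image contents; real images are the partition bytes.
	stock := SignImage("boot", []byte("stock boot image"), oemPriv)
	patched := SignImage("init_boot", []byte("owner-patched init_boot"), ownerPriv)
	foreign := SignImage("boot", []byte("image signed by a third party"), otherPriv)

	bl := Bootloader{OEMRoot: oemPub, UserRoot: ownerPub, Locked: true}
	for _, set := range [][]Image{{stock}, {stock, patched}, {foreign}} {
		state, err := bl.Boot(set)
		fmt.Printf("state=%q err=%v\n", state, err)
	}
}
```

The point for the thread's question is the `default` branch: a relocked bootloader does not care who signed an image, only whether the signing key is one of its roots of trust, so installing your own key as the user-settable root is what makes a self-signed init_boot bootable while still refusing anything signed by someone else.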
Good and interesting question, sadly I don't have a definitive answer to it - but a few thoughts:
As to your own keypair: I would think that the bootloader checks for integrity and you would need to patch bootloader as well to accept a user-key - not sure if this is feasible.....
AFAIK for Xiaomi devices the authorized repairers use EDL mode with a separate authentication - EDL mode is (IMO) a separate very low-level boot mode.... I don't think this is related to the "normal" boot mechanism and its keys.....
Is there any specific reason you are aiming for a re-locked bootloader ? The only aspect I could think about is some specific apps that can detect an unlocked bootloader and refuse to function.... from a pure security standpoint I don't see a benefit from re-locking a modified device, at least until you really (!) know all modifications that have been done in low-level detail.....
s3axel said:
Good and interesting question, sadly I don't have a definitive answer to it - but a few thoughts:
As to your own keypair: I would think that the bootloader checks for integrity and you would need to patch bootloader as well to accept a user-key - not sure if this is feasible.....
AFAIK for Xiaomi devices the authorized repairers use EDL mode with a separate authentication - EDL mode is (IMO) a separate very low-level boot mode.... I don't think this is related to the "normal" boot mechanism and its keys.....
Is there any specific reason you are aiming for a re-locked bootloader ? The only aspect I could think about is some specific apps that can detect an unlocked bootloader and refuse to function.... from a pure security standpoint I don't see a benefit from re-locking a modified device, at least until you really (!) know all modifications that have been done in low-level detail.....
The reason why I am aiming for a re-locked bootloader is that everyone can flash a modified image at bootloader. An evil maid or cop may be able to flash a trojan boot image when I am not with my phone.
Hi,
While going around this forum, I saw a lot of people claiming that an unlocked phone had its data fully secure if it was encrypted. Is that actually the case?
From what i understand, a phone isn't encrypted with your pin code / password. It first generates keys, encrypts the phone with them, and then cyphers these keys using your code. The keys are then stored in a special partition of the phone's memory.
(And thus, if the phone needs be wiped, either remotely or because of too many failed attempts, it just deletes this partition)
Normally, it would be impossible to brute force a lock screen, since the phone will prevent more than ~15 attempts. However, with an unlocked device, couldn't an attacker with sufficient knowledge of the hardware use the ability to flash custom boot images / ROMs to access these keys and brute force them, bypassing the lock screen? A sufficiently powerful computer could be able to brute force a 4, 6 or even 10 digit AES key in hours, if not minutes.
So :
1) Is this correct, and is this how Android encryption works?
2) If it is, are there any device-specific protections to prevent that?
3) Are there any ways to counterbalance that threat with an unlocked device, other than setting a 10-character password?
Thank you.
Short answer:
If phone's bootloader is unlocked, someone could take your phone, flash a malicious ROM that contains keystroke loggers or something, and then return the phone to you and wait for you to type your PIN or decryption password. It'd be better to keep the bootloader locked whenever you don't actually need to flash things via Fastboot.
xXx yYy said:
It'd be better to keep the bootloader locked whenever you don't actually need to flash things via Fastboot.
I guess this wanders into device specifics, but, at least for my device, the Pixel 6a, I read that you should never re-lock a bootloader without a completely stock firmware / boot image. So, how can you protect your bootloader while keeping your phone rooted?
What has a device's bootloader to do with device's Android OS ? Nothing!
xXx yYy said:
What has a device's bootloader to do with device's Android OS ? Nothing!
The lockability of the bootloader depends on the signing of the OS!?
You are right. Do not lock the bootloader on Pixel devices. Imagine the device is fully stock and locked, now some OTA bricks the device and recovery mode is not able to unbrick it by sideloading the full OTA image - this is a nightmare. Google's solution is to RMA the device; they do not provide any flash tool other than fastboot or the WebUSB flash tool (via adb lol).
On the other hand, encryption is secured against brute force by Gatekeeper (in the TEE). As long as your device is powered off your data remains encrypted, unless you decrypt with credentials (we won't talk about the .dismiss() bug on decrypted devices).
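Added example (Go, standard library only; written for this page, not code from any poster or from Android itself) covering two passages in this thread: the question's description of the key hierarchy (a random data-encryption key, wrapped under a key derived from the PIN, stored in a key partition) and the last reply's remark that Gatekeeper in the TEE throttles guesses. Everything is a simplified stand-in: an iterated HMAC in place of the real scrypt-based derivation, AES-GCM for the wrap, a hard attempt cap where real Gatekeeper uses escalating delays, and a random `deviceSecret` standing in for the per-device key that never leaves the secure hardware. The `Dump` method models what a custom recovery could read out of the key partition; the test shows that, with the real PIN in hand, that material still does not unwrap without the device-bound secret, which is why a short PIN is defensible only while the secret stays in the TEE and the throttle applies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIters = 20000 // constructed work factor; real derivations are far heavier

// DeriveKEK stretches the lock-screen credential into a 32-byte key-encryption
// key, keyed on the device-bound secret so the output is meaningless off-device.
func DeriveKEK(credential, salt, deviceSecret []byte) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write(salt)
	mac.Write(credential)
	out := mac.Sum(nil)
	for i := 1; i < kdfIters; i++ {
		mac.Reset()
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapDEK encrypts the data-encryption key under the KEK; the GCM tag means a
// wrong KEK is detected outright instead of yielding a garbage key.
func WrapDEK(kek, dek []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, nil), nil // nonce || ciphertext || tag
}

// UnwrapDEK reverses WrapDEK; it fails unless the KEK is exactly right.
func UnwrapDEK(kek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Gatekeeper is a simplified model of the TEE component that holds the device
// secret and counts failed attempts (stand-in for escalating delays and wipe).
type Gatekeeper struct {
	deviceSecret, salt, wrapped []byte
	failures, maxTries          int
}

// Provision generates the DEK and wraps it; the DEK is returned so callers can
// confirm that Unlock round-trips (a real device never hands it out).
func Provision(credential []byte, maxTries int) (*Gatekeeper, []byte, error) {
	secret, salt, dek := make([]byte, 32), make([]byte, 16), make([]byte, 32)
	for _, b := range [][]byte{secret, salt, dek} {
		if _, err := rand.Read(b); err != nil {
			return nil, nil, err
		}
	}
	wrapped, err := WrapDEK(DeriveKEK(credential, salt, secret), dek)
	if err != nil {
		return nil, nil, err
	}
	return &Gatekeeper{deviceSecret: secret, salt: salt, wrapped: wrapped, maxTries: maxTries}, dek, nil
}

// Unlock is the only path that can use the device secret, and it stops serving
// once the failure budget is spent; that throttle is what makes a PIN survivable.
func (g *Gatekeeper) Unlock(credential []byte) ([]byte, error) {
	if g.failures >= g.maxTries {
		return nil, errors.New("throttled: too many failed attempts")
	}
	dek, err := UnwrapDEK(DeriveKEK(credential, g.salt, g.deviceSecret), g.wrapped)
	if err != nil {
		g.failures++
		return nil, errors.New("wrong credential")
	}
	g.failures = 0
	return dek, nil
}

// Dump returns what is readable from the key partition: the wrapped blob and
// salt, but not the device secret.
func (g *Gatekeeper) Dump() (wrapped, salt []byte) {
	return append([]byte(nil), g.wrapped...), append([]byte(nil), g.salt...)
}

func main() {
	gk, dek, err := Provision([]byte("1234"), 3) // constructed PIN
	if err != nil {
		panic(err)
	}
	got, err := gk.Unlock([]byte("1234"))
	fmt.Println("right PIN on device:", err == nil && bytes.Equal(got, dek))
	wrapped, salt := gk.Dump()
	_, err = UnwrapDEK(DeriveKEK([]byte("1234"), salt, make([]byte, 32)), wrapped)
	fmt.Println("right PIN, dumped blob, no device secret:", err)
}
```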