I installed a custom operating system (LineageOS for microG) and a custom recovery environment (TWRP) into my Oneplus 3T recently. The bootloader had to be unlocked to do this of course.
As far as I understand, locking it again would prevent the phone from booting as custom operating systems are not signed with the phone manufacturer's keys. This also applies to custom recoveries, is that correct?
What are the exact security drawbacks of having an unlocked bootloader? Assuming the phone is encrypted, protected with a strong PIN code, developer mode and USB debugging options disabled, and there's an attacker who has physical access to the phone so he/she can boot the phone to bootloader or recovery interface using the special buttons.
Encryption should protect the user data, at least from unsophisticated attackers, but can the attacker install malicious software into the phone?
With an unlocked bootloader, does the phone respond to fastboot or ADB commands from a computer even if developer mode and USB debugging are disabled?
What is the difference if these options are disabled, the bootloader is locked and the "OEM unlock" option in the menu is also disabled?
Considering my possible phone upgrade in the far future, is there a phone that allows one to insert custom signing keys into the bootloader so that the bootloader could be kept locked while having a custom ROM? Or to flash an entirely custom bootloader with custom signing keys?
unlocked bootloader allows the modification of the partitions and access to your data from a custom recovery.
All I know is that an unlocked bootloader is easier to root as commands can be sent to the device using the fastboot protocol used to boot it so it is not necessary to take advantage of an exploit on the device in order to root it
Roizoulou said:
unlocked bootloader allows the modification of the partitions and access to your data from a custom recovery.
Click to expand...
Click to collapse
So a threat actor with physical access to the phone could then install malware using the recovery environment, without the user ever noticing it?
Encryption should protect the data but having malware in the phone would quickly compromise it.
Stephanie_Sy said:
All I know is that an unlocked bootloader is easier to root as commands can be sent to the device using the fastboot protocol used to boot it so it is not necessary to take advantage of an exploit on the device in order to root it
Click to expand...
Click to collapse
Hm, so this means that a phone with an unlocked bootloader will reply to fastboot commands from a computer even if developer/debug settings etc. are not enabled inside the main OS?
novabright said:
So a threat actor with physical access to the phone could then install malware using the recovery environment, without the user ever noticing it?
Encryption should protect the data but having malware in the phone would quickly compromise it.
Hm, so this means that a phone with an unlocked bootloader will reply to fastboot commands from a computer even if developer/debug settings etc. are not enabled inside the main OS?
Click to expand...
Click to collapse
1. yes
2. yes
Related
rooting mobile phone is also unlocks tha boot loader...?? what does exact it means how to unlock boot loader and rooting and unlocking boot loader is same thing...??
Sent from my SM-G7102 using Tapatalk
I searched the forums for you and I found this post:
theq86 said:
Root
Rooting a device is a method to gain full access to the operating system. With root you can do all the administrative stuff, write to locations normally restricted to the system and customize your device deeper.
Root enhances your privileges and you are able to change almost anything inside of your rom.
The rooting, however, affects ONLY your operating system (Android)
Unlocked Bootloader
In most devices, the Bootloader is the instance that calls the operating system (Android) and manages direct access to the device's partitions. Having an unlocked bootloader enables you to flash custom roms, custom kernels, recoveries and so on.
Bootloader and Rooting Teamplay
Often it is the case, and so, too in our devices, that a locked bootloader also locks write access to several partitions like the system partition. This is the reason why rooting is not able without unlocked bootloader. Rooting needs write access to the system partition (for storing the superuser binary and the superuser app)
Without unlocked bootloader, only a temporary half-root can be achieved.
Click to expand...
Click to collapse
I would have linked to the topic but I don't have the 10 post requirement.
I really hate that boot screen that makes you think your phone is going to blow up because the bootloader is unlocked... I realize that having it unlocked is perfectly fine, and with Magisk, all the Google security stuff still works just fine.. I also know that an unlocked booloader makes it much easier to flash updates (flash-all but remove the -w) ... So please don't try to explain why I should leave my bootloader unlocked.
WIth my HTC phones, unlocking the bootloader would erase the phone (obviously, and just like the Pixel 2). Locking the bootloader wouldn't erase the phone on the HTC, but with the Pixel 2, the instructions say that it WILL ERASE THE PHONE.
With the HTC, the wipe happened in recovery, so if I had TWRP installed, the phone wouldn't erase... I could easily switch between locked and unlocked, and as long as I had TWRP installed, the phone would "think" it was going to erase, but I stopped it.
So my question is... Does the Pixel 2 wipe the phone on lock/unlock through recovery? If so, can I lock the phone with TWRP installed in recovery and prevent that lock? I know I can make a backup and try it and see, but since the Feb update, getting into a decrypted recovery has become a pain (remove pin/password, reboot, reboot to recovery, do what you want, reboot to system, add the pin/password, add fingerprint, open EVERY SINGLE APP THAT USES FINGERPRINT AND SET LOGIN AND REGISTER THE FINGERPRINT - it frustrates me, in case you can't tell).
You cannot flash TWRP unless you are unlocked so at this time there is no way to unlock the bootloader without a full wipe.
I think you misunderstood the question. I have unlocked the bootloader (let it wipe) and installed TWRP. I want to know if the re-lock will wipe through recovery (and therefore be stopped by TWRP) or if it does the wipe using some other method (and therefore wiping regardless).
1. You won't be able to maintain your userdata while switching between locked and unlocked states.
2. You will likely not be able to boot your device either after locking your phone.
For 1)
The Pixel 2 enables FBE (filesystem-based encryption) by default for your userdata partition. The encryption keys are derived from a hardware secret (accessible only from TrustZone), the RSA public key that was used to sign the boot image and a flag (whether it is locked or unlocked). The latter parameters are provided by the bootloader (lk) to the Keymaster trustlet (running in TrustZone).
If any of these parameters change, then the encryption keys will change as well. As a result, your files will remain inaccessible even if you were hypothetically able to flip the lock state.
For 2)
Unlocking the bootloader (fastboot flashing unlock) will disable verification of the boot image. TWRP is installed by modifying the boot image (in both the "a" and "b" slots) which invalidates the Verified Boot signature that covers this boot image (stored in the vbmeta partition). When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Source: reading the lk source code and various Android documentation such as https://source.android.com/security/encryption/file-based
Lekensteyn said:
When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Click to expand...
Click to collapse
The signature of the Custom ROM (Official LineageOS) can be integrated into the bootloader before re-locking the bootloader.
But this is the problem: "Lineage Recovery is also built in userdebug mode, that's a problem. When Lineage recovery is built this way, it allows any package, signed or unsigned, to be installed on your phone. This effectively negates the benefits of locking the bootloader. [...] In fact most custom ROMs simply use TWRP or another third party recovery which has the same issues as they are designed to never even look at the signatures of the packages they are flashing to your device."
"A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I?: LineageOS"
https://www.reddit.com/r/LineageOS/comments/n7yo7u
I was wondering if there is a way to disable the warning screen or relock the bootloader while keeping the root and recovery.
Everytime i try it it say it can no longer find a valid operating system.
plain and simple, not there is no way for our phones. if your bootloader is unlocked, the warning screen will always show and your bootloader must be unlocked in order for magisk to run and root to be allowed.
Currently no. The reason is that to have root, you have to have a patched boot image, and to have a patched boot image, you need to be able to have an unlocked bootloader to allow flashing of /boot from recovery. "Locked" rooting would involve an exploit that would undoubtedly get fixed quickly. Also, keep in mind that the Pixel 2/XL do not have dedicated recovery partitions, but that recovery itself also resides in /boot.
Is it possible to lock the bootloader with TWRP and a custom ROM installed and still use the device? Can I still flash ROMs in TWRP without hard/soft bricking my POCO?
Ungeskriptet said:
Is it possible to lock the bootloader with TWRP and a custom ROM installed and still us the device? Can I still flash ROMs in TWRP without hard/soft bricking my POCO?
Click to expand...
Click to collapse
Short Answer: No it's not feasible to do that, reason behind that is AVB 2.0 (Android Verified Boot). It checkes for a pre-existing hash of all paritions signed by the OEM key (in this case Xiaomi), If there are conflicts found and Bootloader is in Locked state, The result would be a Fatal Error and would skip booting The OS to go to repair mode (aka EDL mode), which you can access in Xiaomi devices only if you have a verified EDL account.
Besides, even if you modify the Bootloader Binery or signed the twrp.img with the oem key (which you don't have access to), you wouldn't be able to flash anything anyway, since the device would consider any modifications after that a fatal error as well and won't boot.
Long Answer: read up on the follwing topics:
1- Android verified boot https://android.googlesource.com/platform/external/avb/+/master/README.md
2- FROST attack on unlocked bootloader (The reason android implemented avb) https://www.cs1.tf.fau.de/research/system-security-group/frost/
Can the oem bootloader be replaced?
If the bootloader is locked, can you be sure the Recovery/System partitions are untouched?
Recovery - where it doesn't matter whether it's Stock or Custom - simply is a menu you can select actions to perform and apply, the lock state of device's bootloader basically isn't of interest.
System partition can get tampered as soon as it gets mounted as RW where it doesn't matter whether device's bootloader is locked or unlocked, but device's Android got rooted or not.
Thank you for replying.
I'm asking about replacing the bootloader system itself and not the recovery.
How can you root without an open bootloader on a modern phone??
The AVB won't let you boot at all(since android 8).
I tried to answer 2nd question in your 1st post here. I can't help it if you didn't realize it.
To answer the question you asked above:
Rooting is the act of unlocking the Android OS to gain complete control over the device through which you can access hidden files or install certain special apps. Rooting Android OS simply means to add Superuser functionality to it.
Again:
Device's bootloader MUST NOT get unlocked in order to root Android. Even device's /system partition must not get touched in order to root Android: hence bootloader's DM-VERITY / AVB must not get disabled.
Last note: I no longer participate this thread ...