Can the oem bootloader be replaced?
If the bootloader is locked, can you be sure the Recovery/System partitions are untouched?
Recovery - where it doesn't matter whether it's Stock or Custom - simply is a menu you can select actions to perform and apply, the lock state of device's bootloader basically isn't of interest.
System partition can get tampered as soon as it gets mounted as RW where it doesn't matter whether device's bootloader is locked or unlocked, but device's Android got rooted or not.
Thank you for replying.
I'm asking about replacing the bootloader system itself and not the recovery.
How can you root without an open bootloader on a modern phone??
The AVB won't let you boot at all(since android 8).
I tried to answer 2nd question in your 1st post here. I can't help it if you didn't realize it.
To answer the question you asked above:
Rooting is the act of unlocking the Android OS to gain complete control over the device through which you can access hidden files or install certain special apps. Rooting Android OS simply means to add Superuser functionality to it.
Again:
Device's bootloader MUST NOT get unlocked in order to root Android. Even device's /system partition must not get touched in order to root Android: hence bootloader's DM-VERITY / AVB must not get disabled.
Last note: I no longer participate this thread ...
Related
rooting mobile phone is also unlocks tha boot loader...?? what does exact it means how to unlock boot loader and rooting and unlocking boot loader is same thing...??
Sent from my SM-G7102 using Tapatalk
I searched the forums for you and I found this post:
theq86 said:
Root
Rooting a device is a method to gain full access to the operating system. With root you can do all the administrative stuff, write to locations normally restricted to the system and customize your device deeper.
Root enhances your privileges and you are able to change almost anything inside of your rom.
The rooting, however, affects ONLY your operating system (Android)
Unlocked Bootloader
In most devices, the Bootloader is the instance that calls the operating system (Android) and manages direct access to the device's partitions. Having an unlocked bootloader enables you to flash custom roms, custom kernels, recoveries and so on.
Bootloader and Rooting Teamplay
Often it is the case, and so, too in our devices, that a locked bootloader also locks write access to several partitions like the system partition. This is the reason why rooting is not able without unlocked bootloader. Rooting needs write access to the system partition (for storing the superuser binary and the superuser app)
Without unlocked bootloader, only a temporary half-root can be achieved.
Click to expand...
Click to collapse
I would have linked to the topic but I don't have the 10 post requirement.
I really hate that boot screen that makes you think your phone is going to blow up because the bootloader is unlocked... I realize that having it unlocked is perfectly fine, and with Magisk, all the Google security stuff still works just fine.. I also know that an unlocked booloader makes it much easier to flash updates (flash-all but remove the -w) ... So please don't try to explain why I should leave my bootloader unlocked.
WIth my HTC phones, unlocking the bootloader would erase the phone (obviously, and just like the Pixel 2). Locking the bootloader wouldn't erase the phone on the HTC, but with the Pixel 2, the instructions say that it WILL ERASE THE PHONE.
With the HTC, the wipe happened in recovery, so if I had TWRP installed, the phone wouldn't erase... I could easily switch between locked and unlocked, and as long as I had TWRP installed, the phone would "think" it was going to erase, but I stopped it.
So my question is... Does the Pixel 2 wipe the phone on lock/unlock through recovery? If so, can I lock the phone with TWRP installed in recovery and prevent that lock? I know I can make a backup and try it and see, but since the Feb update, getting into a decrypted recovery has become a pain (remove pin/password, reboot, reboot to recovery, do what you want, reboot to system, add the pin/password, add fingerprint, open EVERY SINGLE APP THAT USES FINGERPRINT AND SET LOGIN AND REGISTER THE FINGERPRINT - it frustrates me, in case you can't tell).
You cannot flash TWRP unless you are unlocked so at this time there is no way to unlock the bootloader without a full wipe.
I think you misunderstood the question. I have unlocked the bootloader (let it wipe) and installed TWRP. I want to know if the re-lock will wipe through recovery (and therefore be stopped by TWRP) or if it does the wipe using some other method (and therefore wiping regardless).
1. You won't be able to maintain your userdata while switching between locked and unlocked states.
2. You will likely not be able to boot your device either after locking your phone.
For 1)
The Pixel 2 enables FBE (filesystem-based encryption) by default for your userdata partition. The encryption keys are derived from a hardware secret (accessible only from TrustZone), the RSA public key that was used to sign the boot image and a flag (whether it is locked or unlocked). The latter parameters are provided by the bootloader (lk) to the Keymaster trustlet (running in TrustZone).
If any of these parameters change, then the encryption keys will change as well. As a result, your files will remain inaccessible even if you were hypothetically able to flip the lock state.
For 2)
Unlocking the bootloader (fastboot flashing unlock) will disable verification of the boot image. TWRP is installed by modifying the boot image (in both the "a" and "b" slots) which invalidates the Verified Boot signature that covers this boot image (stored in the vbmeta partition). When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Source: reading the lk source code and various Android documentation such as https://source.android.com/security/encryption/file-based
Lekensteyn said:
When the device is locked again, the bootloader will fail to pass the signature check and stay in the "red" boot state. At that point I guess you have a brick (I have not tried this myself for obvious reasons).
Click to expand...
Click to collapse
The signature of the Custom ROM (Official LineageOS) can be integrated into the bootloader before re-locking the bootloader.
But this is the problem: "Lineage Recovery is also built in userdebug mode, that's a problem. When Lineage recovery is built this way, it allows any package, signed or unsigned, to be installed on your phone. This effectively negates the benefits of locking the bootloader. [...] In fact most custom ROMs simply use TWRP or another third party recovery which has the same issues as they are designed to never even look at the signatures of the packages they are flashing to your device."
"A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I?: LineageOS"
https://www.reddit.com/r/LineageOS/comments/n7yo7u
I was wondering if there is a way to disable the warning screen or relock the bootloader while keeping the root and recovery.
Everytime i try it it say it can no longer find a valid operating system.
plain and simple, not there is no way for our phones. if your bootloader is unlocked, the warning screen will always show and your bootloader must be unlocked in order for magisk to run and root to be allowed.
Currently no. The reason is that to have root, you have to have a patched boot image, and to have a patched boot image, you need to be able to have an unlocked bootloader to allow flashing of /boot from recovery. "Locked" rooting would involve an exploit that would undoubtedly get fixed quickly. Also, keep in mind that the Pixel 2/XL do not have dedicated recovery partitions, but that recovery itself also resides in /boot.
I installed a custom operating system (LineageOS for microG) and a custom recovery environment (TWRP) into my Oneplus 3T recently. The bootloader had to be unlocked to do this of course.
As far as I understand, locking it again would prevent the phone from booting as custom operating systems are not signed with the phone manufacturer's keys. This also applies to custom recoveries, is that correct?
What are the exact security drawbacks of having an unlocked bootloader? Assuming the phone is encrypted, protected with a strong PIN code, developer mode and USB debugging options disabled, and there's an attacker who has physical access to the phone so he/she can boot the phone to bootloader or recovery interface using the special buttons.
Encryption should protect the user data, at least from unsophisticated attackers, but can the attacker install malicious software into the phone?
With an unlocked bootloader, does the phone respond to fastboot or ADB commands from a computer even if developer mode and USB debugging are disabled?
What is the difference if these options are disabled, the bootloader is locked and the "OEM unlock" option in the menu is also disabled?
Considering my possible phone upgrade in the far future, is there a phone that allows one to insert custom signing keys into the bootloader so that the bootloader could be kept locked while having a custom ROM? Or to flash an entirely custom bootloader with custom signing keys?
unlocked bootloader allows the modification of the partitions and access to your data from a custom recovery.
All I know is that an unlocked bootloader is easier to root as commands can be sent to the device using the fastboot protocol used to boot it so it is not necessary to take advantage of an exploit on the device in order to root it
Roizoulou said:
unlocked bootloader allows the modification of the partitions and access to your data from a custom recovery.
Click to expand...
Click to collapse
So a threat actor with physical access to the phone could then install malware using the recovery environment, without the user ever noticing it?
Encryption should protect the data but having malware in the phone would quickly compromise it.
Stephanie_Sy said:
All I know is that an unlocked bootloader is easier to root as commands can be sent to the device using the fastboot protocol used to boot it so it is not necessary to take advantage of an exploit on the device in order to root it
Click to expand...
Click to collapse
Hm, so this means that a phone with an unlocked bootloader will reply to fastboot commands from a computer even if developer/debug settings etc. are not enabled inside the main OS?
novabright said:
So a threat actor with physical access to the phone could then install malware using the recovery environment, without the user ever noticing it?
Encryption should protect the data but having malware in the phone would quickly compromise it.
Hm, so this means that a phone with an unlocked bootloader will reply to fastboot commands from a computer even if developer/debug settings etc. are not enabled inside the main OS?
Click to expand...
Click to collapse
1. yes
2. yes
Hello again! I have a problem, i have the original firmware and the tool to flash it in case anything goes wrong (MTK Client), so i unlocked the bootloader, the problem is that when you unlock the bootloader, the baseband says (020null) and imei is unknown. I tried to restore my own nvcfg, nvram and nvdata to no luck, when I lock the bootloader, they appear again without flashing anything. So there must be something in the system that checks if you have the bootloader locked or not... I want to know how to disable it because I want to have root (I have rooted it with no issues, but i want my imei you know), i thought init.rc may have something to do with it, here is it (https://gist.github.com/ThePinkLyna/a43e65572896a57af2624610f74d00f2).
By the way my phone is an Alcatel 5007G, MTK 6762. Any ideas in where could be the block? The bootloader? An script in the system? There must be a way, right?
Re-lock the bootloader.
Android can get rooted without having the bootloader got unlocked before.
It's the Android kernel that checks if bootloader is locked or not.
xXx yYy said:
Re-lock the bootloader.
Android can get rooted without having the bootloader got unlocked before.
It's the Android kernel that checks if bootloader is locked or not.
Click to expand...
Click to collapse
How to get root without unlocking the bootloader? Because if i patch boot.img to use with magisk, then it goes into red state because secure boot. I know, the last thing you said, but i was talking about the system, there must be something which checks if the bootloader is unlocked or not and if its unlocked then it blocks the imei, i doubt android does that by default.
well, not answer to your original question, however try bootless-root method. but read warnings about limitations on locked bootloader (do not modify boot, system, ...)
TheAndrew579 said:
How to get root without unlocking the bootloader? Because if i patch boot.img to use with magisk, then it goes into red state because secure boot. I know, the last thing you said, but i was talking about the system, there must be something which checks if the bootloader is unlocked or not and if its unlocked then it blocks the imei, i doubt android does that by default.
Click to expand...
Click to collapse
You can doubt all, it's on you. Also take note that
1. every Android device comes shipped with a recovery partition by default,
2. you can't use a Custom Recovery like TWRP to restore lost IMEI.
are you sure it's bootloader lock state and not Magisk? I have same issue with Redmi 6, when booted in Magisk from fastboot baseband is unknown. normal boot baseband reappear (nothing flashed)
my suspect is magisk mount overlay (have to dig more into)
https://github.com/topjohnwu/Magisk/issues/426
What Magisk version you tried?
xXx yYy > /dev/null
aIecxs said:
are you sure it's bootloader lock state and not Magisk? I have same issue with Redmi 6, when booted in Magisk from fastboot baseband is unknown. normal boot baseband reappear (nothing flashed)
my suspect is magisk mount overlay (have to dig more into)
https://github.com/topjohnwu/Magisk/issues/426
What Magisk version you tried?
xXx yYy > /dev/null
Click to expand...
Click to collapse
Its not Magisk, because the problem starts happening when i unlock the bootloader, when i unlock it (Without installing magisk or flashing anything), and androids appears again, i go to info and it says baseband = 020null and imei unknown, if i flash magisk, then i get root but still no imei.
Im talking about the original firmware, unlocked bootloader = no imei, when i lock it again after uninstalling magisk (By flashing the original boot.img) then the imei appears again.
aIecxs said:
well, not answer to your original question, however try bootless-root method. but read warnings about limitations on locked bootloader (do not modify boot, system, ...)
Click to expand...
Click to collapse
And my android security version is newer, so that method wont work, still, i want root so i can uninstall system apps, so an unlocked bootloader is a must, but how exactly if when i unlock it i lose the imei? Thats the problem
you don't need root to get rid of system apps. this will do it. be careful what you're doing, in case of bootloop the only way left is factory reset. do a backup before.
Code:
adb shell cmd package disable --user 0 <pkgname>
How to disable any pre-installed system app bloatware on Android without root
If you hate the bloatware or pre-installed apps on your Android smartphone, here's how to disable them even if Android doesn't normally let you.
www.xda-developers.com