Hi, I was wondering if anyone rooted with the most current firmware (November) for the SM-A326U could upload a system dump for me? Not odin firmware, just a system dump minus userdata. If you can help let me know. Or if you are on previous build that might help too. I am going to build a new boot image that allows OEM unlocking if at all possible. Thanks!
Sands207 said:
Hi, I was wondering if anyone rooted with the most current firmware (November) for the SM-A326U could upload a system dump for me? Not odin firmware, just a system dump minus userdata. If you can help let me know. Or if you are on previous build that might help too. I am going to build a new boot image that allows OEM unlocking if at all possible. Thanks!
Altering the boot image will not change whether OEM Unlocking is allowed, and is pointless as Android Verified Boot (as well as Samsung Vaultkeeper) will prevent flashing and loading of altered images.
The visibility of the OEM Unlocking toggle is controlled by the system property ro.oem_unlock_supported while the ability to toggle it is controlled by sys.oem_unlock_allowed. The former is set at firmware build time, while the latter is generally set by checking a cloud side whitelist.
In other words...While someone with root could potentially dump their system image, and you could edit these properties, you still wouldn't be able to flash the system image to your device, as you'd need Samsung's private cryptographic key to sign the firmware package.
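The two properties named in this reply can be read with `adb shell getprop`; the short Python script below (an added example, not code from this thread) parses that output into a dictionary and reports what the OEM Unlocking toggle should look like. The `getprop` sample is constructed and also includes `ro.boot.flash.locked` and `ro.boot.verifiedbootstate`, two real bootloader-reported properties that are not mentioned in the post but are worth reading at the same time.

```python
import re
import subprocess

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample of `adb shell getprop` output, not captured from a real device.
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [0]
"""


def parse_getprop(text):
    """Turn raw getprop output into a {key: value} dict, skipping unparseable lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def oem_unlock_status(props):
    """Return (toggle_visible, toggle_enabled, summary) derived from the two properties."""
    supported = props.get("ro.oem_unlock_supported") == "1"   # set at firmware build time
    allowed = props.get("sys.oem_unlock_allowed") == "1"      # set at runtime (e.g. after a whitelist check)
    if not supported:
        summary = "OEM Unlocking toggle hidden: firmware built without support"
    elif not allowed:
        summary = "OEM Unlocking toggle visible but greyed out: unlock not allowed on this device"
    else:
        summary = "OEM Unlocking toggle visible and enabled"
    return supported, allowed, summary


def read_device_props():
    """Read the properties from an attached device (needs adb on PATH and USB debugging enabled)."""
    out = subprocess.run(["adb", "shell", "getprop"],
                         capture_output=True, text=True, check=True).stdout
    return parse_getprop(out)


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    visible, enabled, summary = oem_unlock_status(props)
    print(summary)
    print("bootloader locked:", props.get("ro.boot.flash.locked"),
          "| verified boot state:", props.get("ro.boot.verifiedbootstate"))
```

Swap `parse_getprop(SAMPLE_GETPROP)` for `read_device_props()` to run it against a real handset; nothing here changes any property, it only reads them.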
I guess my question would be then, how are other people oem unlocking other samsung phones that are in the same situation without Samsungs verification?
V0latyle said:
Altering the boot image will not change whether OEM Unlocking is allowed, and is pointless as Android Verified Boot (as well as Samsung Vaultkeeper) will prevent flashing and loading of altered images.
The visibility of the OEM Unlocking toggle is controlled by the system property ro.oem_unlock_supported while the ability to toggle it is controlled by sys.oem_unlock_allowed. The former is set at firmware build time, while the latter is generally set by checking a cloud side whitelist.
In other words...While someone with root could potentially dump their system image, and you could edit these properties, you still wouldn't be able to flash the system image to your device, as you'd need Samsung's private cryptographic key to sign the firmware package.
Luckily for me I found a way to both bypass and disable knox and the need for the key...
Sands207 said:
I guess my question would be then, how are other people oem unlocking other samsung phones that are in the same situation without Samsungs verification?
Probably has something to do with the leaked code from Samsung, which to my understanding included some of the keys they used to sign updates and application packages. Since we have to stay in the "white" here on XDA, we can't allow any sharing of copyrighted intellectual property, even if it's already in the public domain...basically, our web hosts are pretty nervous about losing advertiser funding because of legal controversy.
Sands207 said:
Luckily for me I found a way to both bypass and disable knox and the need for the key...
Care to share? Knox =/= bootloader unlock so if you were able to enable OEM unlocking and unlock the bootloader, it's kinda moot...Knox on the other hand would trip if custom images were flashed, unless you found a way to sign the binaries using an aforementioned leaked key.
I was able to disable knox and FRP using a fairly common toolbox and gain surprisingly temporary root access today that ends when I reboot using a method that is still fairly early in development but does work. I will have time tomorrow to take a closer look
Related
Does Android/S7 have anything equivalent to Apple's Find My iPhone, which effectively turns it into a brick when stolen? If so, how?
In the Google app settings there is a phone finding service you can activate, and some CSCs have "Find my mobile" which allows you to remote wipe / brick etc
But does this stop the device from being wiped and activated if stolen, like Apple's Activation Lock does?
lofty5 said:
But does this stop the device from being wiped and activated if stolen, like Apple's Activation Lock does?
Yes, provided you keep the bootloader locked.
EDIT: Technical term is FRP(Factory reset protection), and it's tied to the Google account used to set up the device
This is what I was thinking, that the bootloader has to be locked in order to do this. Would keeping the phone rooted be an option, or would it make it insecure?
Could I do this on a region that isn't my CSC without bricking the phone? I'm pretty sure that as long as the source files are stock Samsung any region should work. Can download mode be protected?
I'm currently backing up my device, after which I am enabling all the security options and am going to try to hack into the phone to see if it's worth doing or not. If it can be broken easily I'd rather keep it unprotected for convenience, but if I can protect the phone I'd rather do this, as I lost my phone a couple of years ago and there was no protection on it at all nor on the SD card, which sucked.
Root almost always requires a modified boot image which will immediately be blocked by a relocked bootloader. So root and FRP cannot coexist as they counteract each other. FRP itself is not CSC locked, only the remote control features. There are ways around it but they are mostly only present in older firmware, which is blocked by bootloader downgrade fuses. So yeah, pretty unbreakable if the device remains full Knox stock.
Hint: anything confidential should never be stored on the external card, or should be encrypted if it is (eg. Turn on encryption in titanium backup). Internal memory is always encrypted on stock firmware.
Edit: Download would work as usual. So basically what would happen is if a malicious firmware was flashed the bootloader will block it at boot and trip the Knox fuse, essentially burning all data on the device. If the crooks are smart they can still make use of the device, but most aren't so you should be safe
I'm using Cerberus, it can disable the shutdown/reboot menu on the lockscreen.
CurtisMJ said:
Root almost always requires a modified boot image which will immediately be blocked by a relocked bootloader. So root and FRP cannot coexist as they counteract each other. FRP itself is not CSC locked, only the remote control features. There are ways around it but they are mostly only present in older firmware, which is blocked by bootloader downgrade fuses. So yeah, pretty unbreakable if the device remains full Knox stock.
Hint: anything confidential should never be stored on the external card, or should be encrypted if it is (eg. Turn on encryption in titanium backup). Internal memory is always encrypted on stock firmware.
Edit: Download would work as usual. So basically what would happen is if a malicious firmware was flashed the bootloader will block it at boot and trip the Knox fuse, essentially burning all data on the device. If the crooks are smart they can still make use of the device, but most aren't so you should be safe
I had it rooted last night with Magisk and the bootloader locked; however, it did refuse to boot due to modification and FRP-locked after a factory reset, but it worked fine prior to this.
Is it not worth doing if not fully Knox stock?
I only really use root these days for Titanium Backup and perhaps ad blocking.
How difficult is it for a hacker to get back into the phone? I mean, iPhones are practically impossible to get back into if on the latest firmware.
Blacky25 said:
I'm using Cerberus, it can disable the shutdown/reboot menu on the lockscreen.
Is your bootloader locked and rooted?
lofty5 said:
Is your bootloader locked and rooted?
Yes it is. I know it is also possible to delete everything, but when I really lose my phone I will hope that people without the knowledge find my phone.
lofty5 said:
I had it rooted last night with Magisk and the bootloader locked; however, it did refuse to boot due to modification and FRP-locked after a factory reset, but it worked fine prior to this.
Is it not worth doing if not fully Knox stock?
I only really use root these days for Titanium Backup and perhaps ad blocking.
How difficult is it for a hacker to get back into the phone? I mean, iPhones are practically impossible to get back into if on the latest firmware.
About as difficult as an iPhone to crack provided it's on latest firmware with a locked bootloader, even preventing reuse. FRP remains fully operational irregardless of Knox warranty status. It's possible to keep encryption while rooting (though this depends on strictly "close to stock" firmware, specifically by using a stock kernel binary. Ramdisk mods like Magisk or SuperSU are fine) to retain the data protection so thieves won't be able to deduce anything about you, but as long as the bootloader is unlocked a thief could always just wipe and reuse the device.
CurtisMJ said:
About as difficult as an iPhone to crack provided it's on latest firmware with a locked bootloader, even preventing reuse. FRP remains fully operational irregardless of Knox warranty status. It's possible to keep encryption while rooting (though this depends on strictly "close to stock" firmware, specifically by using a stock kernel binary. Ramdisk mods like Magisk or SuperSU are fine) to retain the data protection so thieves won't be able to deduce anything about you, but as long as the bootloader is unlocked a thief could always just wipe and reuse the device.
I am now back to full stock with no root. It's not the same now as when I first started rooting back on the Arc S; back then you could literally do nothing without it, things as basic as a firewall. I only at this minute have one issue.
How in God's name do you do a full backup of apps WITH data? I have Helium but it refuses to back up most of them. It's not a big deal now as I have re-set up the programs it wasn't compatible with. However, it would be handy to know for future reference: is there anything that can do a full backup with app data that doesn't require root? If not, never mind I guess.
lofty5 said:
How in God's name do you do a full backup of apps WITH data? I have Helium but it refuses to back up most of them. It's not a big deal now as I have re-set up the programs it wasn't compatible with. However, it would be handy to know for future reference: is there anything that can do a full backup with app data that doesn't require root? If not, never mind I guess.
Not quite sure as I've always been rooted. Kies or Google Cloud Sync might be sufficient?
CurtisMJ said:
Not quite sure as I've always been rooted. Kies or Google Cloud Sync might be sufficient?
Is the latest S7 firmware protected against this attack?
https://forum.xda-developers.com/sa...galaxy-on5-metropcs-sm-g550t1-t3439557/page13
And Root Junkies' hack?
lofty5 said:
Is the latest S7 firmware protected against this attack?
https://forum.xda-developers.com/sa...galaxy-on5-metropcs-sm-g550t1-t3439557/page13
And Root Junkies' hack?
Only one way to find out. An easy way to test would be to see if the phone responds to the USB command to dial the number, so there is no need to reset to check.
XDA today published an article about a vulnerability in the OnePlus 6 bootloader that allows the booting of a custom boot.img image without unlocking the bootloader. This is of course a huge security risk but I'm sure OnePlus will patch it in an upcoming update. In the mean time, let's have some fun!
Back in the good old days of the Nexus 4, it was possible to install an app that would write boot config data to the device from userland, with root, to toggle the bootloader between the locked and unlocked states. The object of this post? Do this as a community for the OnePlus 6!
Why do this?
There are two major gains to being able to do this:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Netflix HD: Widevine L1 keys aren't accessible when the Bootloader is unlocked. This way, we may be able to get our Widevine keys accessible again to get HD Netflix with root
I attempted to reverse some of the bootloader on my own a few weeks back but didn't have much luck. With this vulnerability, my thoughts are that we could dump the data partitions with a locked device (that is exploited using this trick) and compare them with an unlocked device. This might give us the magic data that the bootloader uses to determine whether a device is locked or unlocked. Then, in theory, we should be able to toggle this data from userland. The only caveat to this is that I don't know whether the unlock state is stored somewhere in the TrustZone or if it is written to the flash like they did back in the Nexus days.
I honestly have no idea whether this will work, but surely it's worth a shot? Just for reference, I recommend we look at diffing following partitions before and after locking:
param
sec
sti
ssd
frp
config
misc
We should also, to ensure there is no confusion, stick to OOS 5.1.5 stock + Magisk for root. Images of the above partitions can be obtained using dd.
If anybody has any further tips on bootloaders that either proves that this won't work, or perhaps can suggest other places this lock data could be stored, please do let me know!
NB: getting this data will involve at least one full data wipe of the phone so it might take time to dump the data, switch lock state then dump it again.
I also strongly suspect that we might hit the issue of Android Verified Boot noticing that the device is locked (but has a modified boot image when rooted). This would depend on whether the Android security checks are implemented as per the Android Verified Boot specification.
Who's in?
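The plan above is to dump the listed partitions with dd before and after changing the lock state and compare them. The script below is an added example, not code from this post: it reports every run of bytes that differs between two same-sized raw images, with offset, length and the before/after bytes, which is what you would want when checking whether a state change touched a single flag byte or rewrote a whole block. The two 64-byte "dumps" are constructed in-line; replace them with `diff_files("param_locked.img", "param_unlocked.img")` for real dd output.

```python
from pathlib import Path


def diff_images(a: bytes, b: bytes):
    """Return [(offset, length, before, after), ...] for each contiguous run of differing bytes."""
    if len(a) != len(b):
        # dd dumps of the same partition must match in size; anything else is a bad dump
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    runs = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i            # open a new run of differing bytes
        elif start is not None:
            runs.append((start, i - start, a[start:i], b[start:i]))
            start = None             # close the run on the first equal byte
    if start is not None:            # run that reaches the end of the image
        runs.append((start, len(a) - start, a[start:], b[start:]))
    return runs


def diff_files(path_a, path_b):
    """Compare two raw partition dumps on disk (small partitions such as param/frp/misc fit in memory)."""
    return diff_images(Path(path_a).read_bytes(), Path(path_b).read_bytes())


def format_runs(runs):
    """Render runs as 'offset  +len  before -> after' lines for reading or pasting into a thread."""
    return [f"0x{off:08x} +{n:<5d} {before.hex()} -> {after.hex()}"
            for off, n, before, after in runs]


# Constructed sample: a 64-byte counting pattern, and a copy where one flag byte
# and one 4-byte field have been rewritten. Not taken from any real partition.
DUMP_BEFORE = bytes(range(64))
_after = bytearray(DUMP_BEFORE)
_after[7] = 0x80
_after[32:36] = b"\xde\xad\xbe\xef"
DUMP_AFTER = bytes(_after)


if __name__ == "__main__":
    for line in format_runs(diff_images(DUMP_BEFORE, DUMP_AFTER)):
        print(line)
```

Because partitions such as `misc` and `frp` hold more than the lock state (OTA commands, FRP data), expect more than one differing run even if the lock flag is a single byte; dumping twice without changing anything gives a baseline of what moves on its own.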
Couldn't you just hide Netflix HD from root detection in Magisk?
dgunn said:
Couldn't you just hide Netflix HD from root detection in Magisk?
No. With an unlocked bootloader the device is switched to Widevine level 3 instead of level 1. This means no HD playback in Netflix (and I believe Amazon) regardless of Magisk hide status. This may be the new normal for all unlocked devices with the Qualcomm SD 845 or newer.
blackthund3r said:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Are you sure about this? In the Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot; since some versions ago it does (dm-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
RusherDude said:
Are you sure about this? In the Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot; since some versions ago it does (dm-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
Well, I can confirm that with the SafetyNet test passing, and Magisk Hide enabled for Netflix, I can not get HD streaming.
This is highly interesting. I will be following that thread constantly. Thanks for opening that discussion.
So does this vulnerability allow flashing or booting of TWRP through fastboot without unlocking the bootloader? I am interested in keeping Netflix HD and gaining root access, but don't want to brick the device. I know that under normal circumstances you always unlock the bootloader before flashing any mods, but I was curious about some devs' thoughts on it.
Interesting read. You can root the device without an unlocked bootloader:
https://www.androidcentral.com/oneplus-6-bootloader-vulnerability-lets-anyone-access-your-phone?amp
The question is, can we keep this feature open and force it to stay open?
Unfortunately the OnePlus bootloader doesn't support EIO mode, so it can't boot if anything is modified.
akaHardison said:
Unfortunately the OnePlus bootloader doesn't support EIO mode, so it can't boot if anything is modified.
Not true, I booted a Magisk-patched boot image and installed some modules.
Is there maybe another method to root and hold SafetyNet for Widevine lv3?
joemossjr said:
Not true, I booted a Magisk-patched boot image and installed some modules.
And did you also install Magisk to the boot img?!
Widevine L1 + V4A would make me very happy. Perhaps we should add a financial incentive like a bug bounty? I would certainly contribute some loot for this noble cause!
Since some people with OP5s and OP5Ts sent there phone to OP for L1 with the bootloader unlocked, I wonder if OP would consider offering a similar service. Even if it wasn't completely free I would probably do it unless it required re-locking the bootloader...
I'm curious as to the method of fixing my phones as I feel/know they have been hacked by person(s) I considered friends. They never had access to said phones other than a hotspot on my Galaxy Note 20 5G, with no physical access to my Galaxy Note 10. My Google accounts are 2-step verification protected. I haven't noticed any unrecognized logins to any of my accounts. I don't know much about coding or I wouldn't be asking this question. How do I go about finding the software and removing it? Is there a website or person who can offer such services? How can I resolve this issue? Please let me know.
Thank you,
Simply factory resetting the device, preferably by using the factory reset and wipe cache option in stock recovery mode and then reflashing your stock firmware would be the easiest way to solve whatever they may have tampered with.
An alternate Google account could also be helpful. Factory resetting can remove any extra malware they might have installed, but it also removes any pictures or personal files you own. But I gotta admit, if your friend could hack into a Google account (and ESPECIALLY a GOOGLE account) they deserve some credit. Could you tell me what they did?
If by "hacked" you mean the phone's Android system was tampered with, then take note that a phone can only get hacked if its bootloader is unlocked, its Android SELinux / DM-Verity protection is disabled, and the "hacker" has superuser rights.
So I guess your phone didn't get "hacked"; only 3rd-party apps got installed, which can easily be removed. To achieve this, performing a factory reset isn't necessary.
jwoegerbauer said:
If by "hacked" you mean the phone's Android system was tampered with, then take note that a phone can only get hacked if its bootloader is unlocked, its Android SELinux / DM-Verity protection is disabled, and the "hacker" has superuser rights.
So I guess your phone didn't get "hacked"; only 3rd-party apps got installed, which can easily be removed. To achieve this, performing a factory reset isn't necessary.
Not entirely true, but, yes, in general, this is true. There are exploits that do not require an unlocked bootloader to embed code in the system partition. Many devices can be rooted without unlocking bootloader and DM-verity disabled, also, you'd be surprised what can be done even when SELinux is set to enforcing.
It really comes down to exactly which specific device is being modified.
Droidriven said:
Not entirely true, but, yes, in general, this is true. There are exploits that do not require an unlocked bootloader to embed code in the system partition. Many devices can be rooted without unlocking bootloader and DM-verity disabled, also, you'd be surprised what can be done even when SELinux is set to enforcing.
It really comes down to exactly which specific device is being modified.
This guy/friend is actually talented as **** tbh
Hi, I am looking for more styles for Edge Lighting. Before, we could use EdgeLighting+, but now it's not working on Android 12.
There is an app called Muviz Edge that contains excellent styles, but the app does not work properly. So I am looking for a better app to replace EdgeLighting+ with beautiful styles.
Can we install the S21 (or some other) edge lighting app on our A51?
Do you have any recommended app?
Funny thing is, your phone already has all the edge lighting effects built in, the only problem is that there is a specific file called floating_feature that's missing one text line that would make all those extra edge lighting effects appear
So to answer your question, to get more styles for edge lighting you need to root your phone and edit the following file:
system/etc/floating_feature.xml
And add the following line inside the features:
<SEC_FLOATING_FEATURE_SYSTEMUI_CONFIG_EDGELIGHTING_FRAME_EFFECT>frame_effect</SEC_FLOATING_FEATURE_SYSTEMUI_CONFIG_EDGELIGHTING_FRAME_EFFECT>
Save, reboot and your phone should now have all the effects available that Samsung enables on their flagship phones.
And before you ask, no, there is no way to do this without root.
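The edit described above is a one-line change to an XML file, and the easy mistakes are adding the element twice or breaking the file's structure with a hand edit. The script below is an added example, not code from this thread or from Samsung: it pulls the change into a function that parses the file, inserts `SEC_FLOATING_FEATURE_SYSTEMUI_CONFIG_EDGELIGHTING_FRAME_EFFECT` only if it is missing (or corrects its value), and keeps a `.bak` of the original. The sample XML is constructed; the root element name `SecFloatingFeatureSet` and the placeholder entry are assumptions, a real `floating_feature.xml` carries many more entries. Copying the patched file back to `system/etc/` still needs the root access the post mentions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

FEATURE_TAG = "SEC_FLOATING_FEATURE_SYSTEMUI_CONFIG_EDGELIGHTING_FRAME_EFFECT"
FEATURE_VALUE = "frame_effect"

# Constructed sample of a floating_feature.xml. Root element name and the placeholder
# entry are assumptions for this example; real files are much longer.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<SecFloatingFeatureSet>
    <PLACEHOLDER_EXISTING_FEATURE>placeholder</PLACEHOLDER_EXISTING_FEATURE>
</SecFloatingFeatureSet>
"""


def feature_value(xml_text, tag):
    """Return the text of <tag> directly under the root element, or None if it is absent."""
    node = ET.fromstring(xml_text).find(tag)
    return None if node is None else (node.text or "")


def add_feature(xml_text, tag=FEATURE_TAG, value=FEATURE_VALUE):
    """Ensure <tag>value</tag> exists under the root. Returns (new_xml, changed)."""
    root = ET.fromstring(xml_text)
    node = root.find(tag)
    if node is not None and (node.text or "") == value:
        return xml_text, False           # already present with the right value: leave the file alone
    if node is None:
        node = ET.SubElement(root, tag)  # append the missing feature at the end of the set
    node.text = value                    # also fixes an existing entry with a different value
    ET.indent(root, space="    ")
    new_xml = ('<?xml version="1.0" encoding="utf-8"?>\n'
               + ET.tostring(root, encoding="unicode") + "\n")
    return new_xml, True


def patch_file(path):
    """Patch a pulled copy of floating_feature.xml on the host, writing a .bak first."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    new_xml, changed = add_feature(original)
    if changed:
        p.with_suffix(p.suffix + ".bak").write_text(original, encoding="utf-8")
        p.write_text(new_xml, encoding="utf-8")
    return changed


if __name__ == "__main__":
    patched, changed = add_feature(SAMPLE_XML)
    print("changed:", changed)
    print(patched)
```

Running `add_feature` twice on the same text returns `changed == False` the second time, so the script is safe to re-run after an update restores the file.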
Thanks, but with root, Secure Folder will be disabled, and I can't root my phone.
In Android 10 we could install EdgeLighting+, which installs additional styles (without root).
So did EdgeLighting+ somehow edit this file?
mahdi72 said:
Thanks, but with root, Secure Folder will be disabled, and I can't root my phone.
In Android 10 we could install EdgeLighting+, which installs additional styles (without root).
So did EdgeLighting+ somehow edit this file?
I have no clue. But as you said, edge lighting+ no longer works so on newer Android versions, rooting is your only choice.
ShaDisNX255 said:
I have no clue. But as you said, edge lighting+ no longer works so on newer Android versions, rooting is your only choice.
Can I edit the stock ROM in Linux (add Floating_Feature, remove apps, add new apps) and flash it to my A51 phone?
Do I need root to install this modified ROM?
mahdi72 said:
Can I edit the stock ROM in Linux (add Floating_Feature, remove apps, add new apps) and flash it to my A51 phone?
Do I need root to install this modified ROM?
You will need to root, yes. Since you will edit it, it will lose Samsung's trusted signature and will therefore count as a custom ROM
ShaDisNX255 said:
You will need to root, yes. Since you will edit it, it will lose Samsung's trusted signature and will therefore count as a custom ROM
As far as I have researched, it does not seem to require root, but we have to open the bootloader or OEM Option in Developer Mode.
People are also talking about a tool called Odin Patched, which can bypass some verifications.
Is it possible to flash only the edited CSC file with this tool? Sorry to take up your time
mahdi72 said:
As far as I have researched, it does not seem to require root, but we have to open the bootloader or OEM Option in Developer Mode.
People are also talking about a tool called Odin Patched, which can bypass some verifications.
Is it possible to flash only the edited CSC file with this tool? Sorry to take up your time
Hey no worries, XDA is meant for a place to learn and I'm happy to try and help/educate in any way I can.
Opening the bootloader is step 1 in getting root access. You may think that root is the equivalent of installing Magisk and that's what root is but it's a lot more than that. By installing something custom you've in some way obtained root access by editing your stock ROM.
But anyway, going back to your original question/answer, the patched Odin can only bypass some verifications on Odin's side but it can't bypass the verification that the phone does itself. The patched Odin is mainly for installing U firmware on U1 variants and vice-versa, something that you can't do on the original Odin. It can't really bypass checking the validity of Samsung's signature on stock firmware. Even if it could bypass that check, the phone also checks the firmware it's being installed so it will detect it as a custom fw file
So, long story short, if you edit stock FW with any tool it will break Samsung's trusted signature and both phone and Odin will pick it up as a custom firmware (i.e. custom ROM) and you will only be able to install it by unlocking the bootloader. Flashing anything custom will break/trip Knox and it will be broken forever
Let me know if you have any more questions I can help you with.
ShaDisNX255 said:
Hey no worries, XDA is meant for a place to learn and I'm happy to try and help/educate in any way I can.
Opening the bootloader is step 1 in getting root access. You may think that root is the equivalent of installing Magisk and that's what root is but it's a lot more than that. By installing something custom you've in some way obtained root access by editing your stock ROM.
But anyway, going back to your original question/answer, the patched Odin can only bypass some verifications on Odin's side but it can't bypass the verification that the phone does itself. The patched Odin is mainly for installing U firmware on U1 variants and vice-versa, something that you can't do on the original Odin. It can't really bypass checking the validity of Samsung's signature on stock firmware. Even if it could bypass that check, the phone also checks the firmware it's being installed so it will detect it as a custom fw file
So, long story short, if you edit stock FW with any tool it will break Samsung's trusted signature and both phone and Odin will pick it up as a custom firmware (i.e. custom ROM) and you will only be able to install it by unlocking the bootloader. Flashing anything custom will break/trip Knox and it will be broken forever
Let me know if you have any more questions I can help you with.
Thank you, now many things are clear.
I want to know if unlocking the bootloader is worth it?
I have no problem with the warranty, I have the phone for more than 2 years and Samsung has no after sales service in our country. But for me, the use of banking app, Secure Folder, Samsung Pass are very important.
Is there a way to make all these apps work without problems by unlocking the bootloader?
Surely the OTA updates will also fail with this work, right?
Can I unlock the bootloader, flash edited files and relock the bootloader?
mahdi72 said:
But for me, the use of banking app, Secure Folder, Samsung Pass are very important.
Some banking apps are harder to trick than others. I have no problems hiding root from my banking app but I've seen others struggle to hide from theirs, can't really comment on it. Secure Folder has a fix in Android 12 so it should be able to be fixed. Samsung Pass is something that still has no fix as far as I know so if you decide to root/blow knox fuse, this will never work again even if you lock your bootloader again. I've made my change to Google Pass which works with root so Samsung Pass isn't important to me anymore.
mahdi72 said:
Surely the OTA updates will also fail with this work, right?
This is correct, OTA updates stop working when you unlock your bootloader but if you re-lock your bootloader, you may get OTA updates again.
mahdi72 said:
Can I unlock the bootloader, flash edited files and relock the bootloader?
No, this will lock your phone. Once you edit anything with root or install a custom fw (rom) then it will always count as custom for the phone. If you lock your bootloader while you have custom fw installed, your phone will be stuck in download mode telling you that your phone has custom fw and will refuse to boot until you flash stock fw.
Thank you very much for your very detailed explanation.
So, for this part, I need Magisk, which can probably hide from all banking apps in Iran.
ShaDisNX255 said:
Some banking apps are harder to trick than others. I have no problems hiding root from my banking app but I've seen others struggle to hide from theirs, can't really comment on it.
According to your explanation, this is my decision: I can unlock the bootloader and flash the modified ROM (I can apply the necessary fixes for Secure Folder and other changes to the ROM (can I?)). The only thing I miss is the Samsung Pass feature, which I can replace with Google Pass; OTA updates can be ignored and do not have much priority for me.
The only important thing is the banking apps.
When the bootloader is unlocked, is the root status rooted or un-rooted? Because I feel that some banking apps only check root access and have nothing to do with bootloader (At least in Iran).
If the root status has not changed after Unlocking the bootloader (I think the root status changes after installing Magisk or SU) I think that I can do the above steps and reach my goal
mahdi72 said:
This is my decision: I can unlock the bootloader and flash the modified ROM (I can apply the necessary fixes for Secure Folder and other changes to the ROM (can I?))
You can, yeah.
mahdi72 said:
When the bootloader is unlocked, is the root status rooted or un-rooted?
With an unlocked bootloader alone it's still un-rooted.
mahdi72 said:
When the bootloader is unlocked, is the root status rooted or un-rooted? Because I feel that some banking apps only check root access and have nothing to do with bootloader (At least in Iran).
If the root status has not changed after Unlocking the bootloader (I think the root status changes after installing Magisk or SU) I think that I can do the above steps and reach my goal
This is where it can get a little tricky and depends on each app because it's not a standard. If your banking app checks if your bootloader is unlocked then you pretty much need Magisk to hide your bootloader unlocked. Without Magisk, any app will be able to check that you have an unlocked bootloader
If your bank app checks to see if you have Magisk only then you can certainly avoid having to flash Magisk if you're not going to use it anyway
If your bank app checks SafetyNet then you will again need to flash Magisk and flash a patch to pass SafetyNet tests.
Again, it's not a standard so it all depends on the bank app in question. You can certainly try to unlock your bootloader and stay in stock and check if your bank apps detects your unlocked bootloader. Just unlocking bootloader shouldn't blow knox yet.
ShaDisNX255 said:
You can, yeah.
With an unlocked bootloader alone it's still un-rooted.
This is where it can get a little tricky and depends on each app because it's not a standard. If your banking app checks if your bootloader is unlocked then you pretty much need Magisk to hide your bootloader unlocked. Without Magisk, any app will be able to check that you have an unlocked bootloader
If your bank app checks to see if you have Magisk only then you can certainly avoid having to flash Magisk if you're not going to use it anyway
If your bank app checks SafetyNet then you will again need to flash Magisk and flash a patch to pass SafetyNet tests.
Again, it's not a standard so it all depends on the bank app in question. You can certainly try to unlock your bootloader and stay in stock and check if your bank apps detects your unlocked bootloader. Just unlocking bootloader shouldn't blow knox yet.
Thank you so much, now everything is clear to me.
I see that I can add user-settable root of trust to the bootloader so I can set custom secure boot keys like PCs at https://source.android.com/docs/security/features/verifiedboot/device-state , so I think I can use a user modified init_boot image (including the magisk patched one) by signing it with my own keypair.
Also, I know that some manufacturers require 7 days for new devices to be unlocked (like Xiaomi) or do not allow user unlock at all. However, authorized repairers can flash signed factory system images without unlocking it. I guess it is implemented by internal (read-only) root of trust. But can I do this with user-settable root of trust part so I can become authorized repairer to my own device?
P.S. I am using a bootloader-unlocked Pixel 4 XL as my major phone now. I have bought a Pixel 7 Pro but not yet switched to it. I am looking for a method to take both security and scalability into account.
Good and interesting question, sadly I don't have a definitive answer to it - but a few thoughts:
As to your own keypair: I would think that the bootloader checks for integrity and you would need to patch bootloader as well to accept a user-key - not sure if this is feasible.....
AFAIK for Xiaomi devices the authorized repairers use EDL mode with a separate authentication - EDL mode is (IMO) a separate very low-level boot mode.... I don't think this is related to the "normal" boot mechanism and its keys.....
Is there any specific reason you are aiming for a re-locked bootloader ? The only aspect I could think about is some specific apps that can detect an unlocked bootloader and refuse to function.... from a pure security standpoint I don't see a benefit from re-locking a modified device, at least until you really (!) know all modifications that have been done in low-level detail.....
s3axel said:
Good and interesting question, sadly I don't have a definitive answer to it - but a few thoughts:
As to your own keypair: I would think that the bootloader checks for integrity and you would need to patch bootloader as well to accept a user-key - not sure if this is feasible.....
AFAIK for Xiaomi devices the authorized repairers use EDL mode with a separate authentication - EDL mode is (IMO) a separate very low-level boot mode.... I don't think this is related to the "normal" boot mechanism and its keys.....
Is there any specific reason you are aiming for a re-locked bootloader ? The only aspect I could think about is some specific apps that can detect an unlocked bootloader and refuse to function.... from a pure security standpoint I don't see a benefit from re-locking a modified device, at least until you really (!) know all modifications that have been done in low-level detail.....
The reason why I am aiming for a re-locked bootloader is that everyone can flash a modified image at bootloader. An evil maid or cop may be able to flash a trojan boot image when I am not with my phone.