DivestOS vs. /e/ OS - security and privacy easy

I think the ability for /e/ users to re-lock the bootloader would be a big security improvement wouldn’t it? Not trying to sound sarcastic - genuine question/suggestion. From what I read online it is a big security risk to leave bootloader unlocked.

2 Likes

@anon88181694 seems to have knowledge about that, can you share how to make this possible?

bootloader locking

I am not allowed to paste links anymore so bear with me:

this is pretty easy to support/enable, you just have to integrate the following into your builds

  • builds must be -user, not -userdebug
  • in DivestOS-Build repo:
    • signing keys can be generated correctly using Scripts/Generate_Signing_Keys.sh $device
    • Scripts/Common/Copy_Keys.sh is used to copy verity keys into kernels
    • processRelease() in Scripts/Common/Functions.sh is used to sign releases
    • devices can have verified boot re-enabled using enableVerity() in Scripts/Common/Functions.sh
    • you need to sed -i 's/^\treturn VERITY_STATE_DISABLE;//' drivers/md/dm-android-verity.c on all kernels, to restore verified boot that LineageOS disabled
    • you’ll need to apply Patches/*/android_build/0002-OTA_Keys.patch to android_build repo to correctly add keys to the recovery
  • update_device_info.sh in DivestOS-Website repo has device bootloader information in the format: unlock method, bootloader lock support, verified boot support

As for device support (per the devices I build for):

  • 9 devices have been tested working with locked bootloader and verified boot
  • 5 devices have been tested working with locked bootloader but do not support verified boot
  • 25 devices should support locked bootloader with verified boot
  • 6 devices should support locked bootloader but do not support verified boot
10 Likes
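
An added example, not part of the post above and not DivestOS code: a pre-lock check for two of the listed prerequisites, namely that the build is -user and that the kernel no longer carries the single-tab early return the sed command strips. The function names, the build.prop argument and the sample files are assumptions made for the demo; signing is not checked.

```shell
#!/bin/sh
# Added example; the sample files written by make_sample are constructed.
TAB="$(printf '\t')"

# True if the kernel source still has the single-tab early return that the
# post's sed command strips out (verified boot forced off).
verity_forced_off() {
    grep -q "^${TAB}return VERITY_STATE_DISABLE;" "$1"
}

# Print ro.build.type (user, userdebug or eng) from a build.prop file.
build_type() {
    sed -n 's/^ro\.build\.type=//p' "$1" | head -n 1
}

# usage: prelock_check <kernel_dir> <build.prop>
# Prints one FAIL line per problem; returns 0 only if none were found.
prelock_check() {
    pc_src="$1/drivers/md/dm-android-verity.c"
    pc_bad=0
    if [ -f "$pc_src" ] && verity_forced_off "$pc_src"; then
        echo "FAIL: $pc_src still forces VERITY_STATE_DISABLE"
        pc_bad=$((pc_bad + 1))
    fi
    pc_type="$(build_type "$2")"
    if [ "$pc_type" != "user" ]; then
        echo "FAIL: build type is '${pc_type:-unknown}', expected 'user'"
        pc_bad=$((pc_bad + 1))
    fi
    [ "$pc_bad" -eq 0 ]
}

# usage: make_sample <dir> <patched: yes|no> <build type>
# Writes a constructed stand-in for the kernel file, not the real source.
make_sample() {
    mkdir -p "$1/drivers/md"
    {
        echo 'static int example_verity_state(void)   /* hypothetical */'
        echo '{'
        if [ "$2" = no ]; then printf '\treturn VERITY_STATE_DISABLE;\n'; fi
        printf '\tif (example_disabled)\n\t\treturn VERITY_STATE_DISABLE;\n'
        printf '\treturn 0;\n}\n'
    } > "$1/drivers/md/dm-android-verity.c"
    echo "ro.build.type=$3" > "$1/build.prop"
}

demo="$(mktemp -d)"
make_sample "$demo" no userdebug
prelock_check "$demo" "$demo/build.prop" || echo "=> not ready to lock"
rm -rf "$demo"
```

The deeper-indented `return VERITY_STATE_DISABLE;` in the sample is left alone by both the sed expression and this check, since only a line starting with exactly one tab matches.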

Yea you are right. Sometimes unlocking bootloader is critical for finance / banking app.

Yes I'm into that also

Dear All,

From this topic I have been continuing to learn something new every day. Very interesting feedback.

In my case I locked the bootloader again through ADB in Linux. Some banking apps work with help of Shelter, some not. Could /e/OS sign verification be the issue?

Thanks
BR

1 Like

Hi, I too want to lock bootloader of Redmi Note 4. How to do it?

Hi,

  1. On your smartphone:
  • Go to settings
  • tap multiple times on build number to enable developer options
  • go to developer options
  • enable “OEM Unlocking”
  • enable “advanced reboot”
  • enable “Android debugging”
  2. On your Linux computer (I have used Ubuntu), open the terminal and install adb-tools and fastboot with the following code:

sudo apt-get install android-tools-adb

sudo apt-get install android-tools-fastboot

  3. Back up your data because the phone will go on Factory Reset once we do OEM Unlock…
    Ensure that your battery is charged around 80% at least.

  4. Connect the phone to your Linux PC with adb enabled on device. You will see an RSA signature to trust the device connection. Select always trust.

To check if the device is detected, write on the terminal:

sudo -s    # this changes the user to root

adb devices

…and you should see your device listed.

  5. Unlock Bootloader (OEM Unlocking) or lock:

Reboot to fastboot mode, you can do this in 2 ways:

  • Connect phone to Linux machine and enter the following code:

adb reboot-bootloader

  • OR on the smartphone, long press power button > reboot > bootloader

After this, you will see a screen with text saying

Fastboot Mode.

Now, check if Linux detects the phone i

you will see your phone listed if it is detected.

If it is detected, enter the following command to unlock the bootloader finally:

fastboot oem unlock

(fastboot oem lock) if you want to lock again…

This will take you to a screen with Chinese text on the phone:
Option 1 means Proceed
Option 2 means Cancel

If you are sure you want to proceed, select the 1st option. Pay attention: as mentioned earlier, your phone will factory reset at this point if you select “Yes”.

To ensure this has succeeded, go back to fastboot mode and enter:

fastboot oem device-info

If the output contains something that looks like

(bootloader) Device unlocked: true

you are successful !!

2 Likes

Thanks a lot for the help.
Now please tell me is it possible to Lock Bootloader with /e/ os installed??

Thanks again

You must be careful with locking.

bacon and oneplus2 cannot be unlocked.
grouper will instantly brick if locked.
some Motorola devices have a special command you need to run before locking and you need to flash the stock firmware at the same time in between.

devices with verified boot via verity or avb will not boot if not signed correctly.

1 Like

Absolutely best comment in this thread:

/e/ does great things, DivestOS does great things too.
Choose one of them, or else choose Google and Apple. Your choice.

7 Likes
