Lock bootloader of an OnePlus 7 with /e/

With my unlocked bootloader, the SafetNet from Google fails even though I have microG with DroidGuard Helper. Since recently we can’t anymore hide the apps working with SafetyNet with magisk. My device is nonrooted.
So I would want to relock my bootloader while /e/ is installed, but I’m afraid of what might happen (like a hardbrick). I read that OnePlus allows to relock the bootloader on custom Roms, and I read here that the user Hawk just relocked the bootloader with fastboot and it works.

Does anyone knows what to do ?

Thanks a lot

Hi, welcome in the community :slight_smile:

I don’t think locking the bootloader will make SafetyNet positive. (The Fairphone 3 /e/ will sell will have locked bootloader by the way).

SafetyNet in MicroG doesn’t work for months, but before it did work even with an unlocked bootloader.

Hi, thanks !
So I can say good bye to SafetyNet with /e/ installed ? Because there are apps unusable without SafetyNet :frowning:
On XDA, someone has relocked his bootloader one OP3 and he says SafetyNet works.

How to re-lock your bootloader with LineageOS 17.x
First the WHY;
A locked bootloader is needed to pass safetynet api if you do not want to install Magisk.
Passing Safetynet is needed for many things like banking apps, Gpay, installing Netflix etc…
So you can do it the ‘Magisk’ way which is also giving you a rooted device, or re-lock the bootloader again.
This is only working with a signed ROM and TWRP!
And now the HOW:
For anyone who wants to use Lineage 17.1 with locked bootloader; this is what I did and is working:
flash SAR TWRP (fastboot flash recovery twrp-3.3.1-system-as-root-oneplus3.img)
Format /data and wipe the rest
Do an OEM LOCK by fastboot (fastboot devices, fastboot oem lock >> choose NO on your phone, this is a bug in OnePlus firmware and actually means YES)
flash the whole stuff from within Recovery after copying the needed files to sdcard:
- latest firmware
- latest Lineage 17.1 build
reboot into system
set a password
encrypt the device
In developer settings:
- disable OEM unlock
- disable ADB
reboot into system and configured the rest
The result;
Re-locked bootloader, warning screen on boot gone (of course) and Lineage working fine without any issues!

But I’m not a pro at these things that’s why I ask if it would be possible with /e/ rom ? :slight_smile:
Because if I can’t have SafetyNet I think I will go back to stock ROM and that would be sad ahah
(I was wondering whether the /e/phones we can buy are sold with an unlocked or locked bootloader ? )

I’m not a pro either, so try, it’s not a bad thing to have a bootloader locked.

My experience on my j5nlte (Galaxy J5 2015) is :

/e/ before June 2019 : worked
/e/ after June 2019 : doesn’t work because MicroG isn’t able to make SafetyNet positive anymore

Lineage without GApps : doesn’t work
Lineage with GApps (pico) : works

Everytime the bootloader was unlocked (and Magisk installed).

As it Said :

I am asking about the /dev build signature :
(user-debug with dev-keys), is it a correct/needed signature for a “verified boot” ?


And the official /e/ ROM aren’t signed ?

Is SafetyPatcher not suitable?

Guide: Relock bootloader with custom rom on oneplus 5/5t

It will work on Pie, if the original kernel was signed or if you run on device signer after Magisk and before reboot.

The procedure is not everybody’s choice.

I was wondering about locking the bootloader on the oneplus 7 pro and then bam! there it was on this post. :grinning:

Did the op try locking it? What happened?

I am new to android based roms but very eager to learn. I am very familiar with linux :smiley:

Sorry for my late reply, i kind of forgot :upside_down_face:
So, yes it seems the official /e/ Rom are not signed. By re-locking my bootloader it goes to the red warning “your device is corrupt”. That’s why everyone on the net says not to do it. But with OnePlus (idk if with other brands it’s possible), I can relock it afterwards with a button combination to go into fastboot mode and then using fastboot with the terminal.
So in conclusion, I didn’t found a way to have SafetyNet working on /e/ :

  • Magisk hide can’t make it work
  • If SafetyNet fails because of an unlocked bootloader, we can’t have it working because the /e/ Rom aren’t signed apparently.

I went back to the OxygenOS stock rom on my OP7, and I removed all the google software (with the root), unless the GooglePlay Services. I use only F-droid and Aurora Store.
Now my rom is now signed, i still have my bootloader unlocked and NOW magisk hide works perfectly because SafetyNet works.
Thus I think (although I don’t know much about it) Google makes SafetyNet fail on all the phones with a custom Rom (they want the people to stay on their stock ROM, where they can still steal your data ahah :sweat_smile: )
So “maybe” if I sign myself my rom (like here), Magisk Hide could work … (But that’s pure speculation, it’s a very complicated field and again I don’t know how it works precisely)
Does anyone knows ?

And I was wondering, as the fairphones sold by /e/ have their bootloader unlocked, does Safetynet work on them?

The Fairphone 3 sold by /e/ has a locked bootloader, bur SafetyNet doesn’t work because MicroG isn’t able to bypass the SafetyNet certification anymore (for almost a year). And it’s the same thing for every custom ROM without Google apps installed on it.