Hi,
I am not (yet) a eos user and am just learning about it. My understanding is that, when installing it manually, it’s required to disable some boot lock/verifier in order to change the installed OS (correct if I’m wrong).
Does that apply also for devices bought from the Murena store, such as the CMF phone 1 (and others) ?
If I have the choice between a secured boot and non-secured I’d likely prefer the former and willing to pay the price diff.
Hi and welcome jotak
All phones bought from the Murena shop come preinstalled with e-os and have a locked bootloader afaik.
Updates and upgrades come OTA monthly and i never had severe issues in 3 years with my Murena FP4.
To get some understanding of the status of the os, maybe read through the latest release feedback threads on this forum.
HTH
Looking at the cmf phone page, information on “Bootloader relocking support” and “Verified boot support” is missing.
It mentions support for Safetynet and Rootbeer but i don’t know what that means (does that add some security?)
Indeed the Murena shop preorder page for the CMF 1 mentions an unlocked bootloader and states that this can be an issue if an attacker gains physical access to your phone.
If this scenario applies to you, you should clearly consider another phone model for now.
That is not the case!
Compare with the /e/OS documentation
Even with the CMF Phone 1 by Nothing with /e/OS-U, as with most devices with a custom ROM, whether with /e/OS, LinegaeOS & Co, the bootloader is not locked again, i.e. unlocked.
fastboot getvar all
(bootloader) off-mode-charge: 1
(bootloader) slot-retry-count:b: 1
(bootloader) slot-retry-count:a: 4
(bootloader) slot-successful:b: yes
(bootloader) slot-successful:a: yes
(bootloader) slot-unbootable:b: no
(bootloader) slot-unbootable:a: no
(bootloader) slot-count: 2
(bootloader) current-slot: a
(bootloader) unlocked: yes
(bootloader) secure: no
(bootloader) partition-type:userdata: f2fs
(bootloader) partition-size:userdata: 1afcff8000
[...]
(bootloader) product: k6878v1_64
(bootloader) max-download-size: 0x8000000
(bootloader) version-bootloader: k6878v1_64_6750febb6_202408281648
(bootloader) version: 0.5
all: Done!!
Finished. Total time: 0.093s
Do you happen to know if there are technical barriers that prevent from relocking the phone with a custom rom (signed, I presume) ?
I suppose the process would involve Nothing for signing the rom, but I guess Murena must have some agreement with them? Maybe more a question for a murena insider though…
The /e/OS-U community is dev-signed, as is usual with /e/.
Locking the bootloader again with a custom ROM is primarily for technical reasons and also usually required a device-specific custom avb key.
No, i cant confirm that.
The bootloader on my murena bought FP4 seems pretty locked to me.
Mind Its the u official versus your community version, Xxpsilon !
You wrote:
A l l which is not the cases.
Your FP4 Booloader is locked. And relocking procedure is also described in the /e/ documentation
Hi, I’ve got a similar question but slightly different. I recently bought a CMF phone 1 (Nothing version, with Nothing OS 2.6) and am planning to install it with /e/OS. I understand the bootloader must be unlocked in order to load the OS, as per the disclaimer on the Murena store page for CMF phone with /e/OS.
If I want to switch back, is it possible to reinstall the stock OS and re-lock the bootloader? I admit this is a question for the Nothing boards, but I ask it here for others to find.
You can do that as long as you have the OEM ROM from Nothing Phone. Just don’t lock the bootloader while using /e/os or it will brick.
Normally the bootloader does a signature verification against an OEM certificate within the OS. If the bootloader is unlocked it disregards the results of that check. If the bootloader is locked and that check fails the phone won’t boot. At that point you may not be able to unlock the bootloader and the phone is bricked.
Official versions of /e/os include the OEM certificate so you can safely lock the bootloader. However there is an “anti-rollback” caveat. The security patch version of the installation os has to be equal or greater than the OEM version it’s replacing. If you re-lock the bootloader without meeting that requirement, again you’re stuck.
The range of phones that have the certificate is pretty limited, basically just Pixel and Fairphone. Even then only the official /e/os releases include it. Community releases do not.
So all in all, unless you’re using a Pixel or Fairphone with an official release newer than the original installation you’re not going be able to re-lock the bootloader. It’s not as bad as it sounds, there’s almost zero security risk for the average consumer. The main concern is some banking and streaming apps require a locked bootloader to function.
