[APP][2015-01-12][root][GNex/Dev] BootUnlocker for Nexus Devices -- version 1.6.1
- Thread starter segv11
- Start date
osm0sis
Senior Recognized Developer / Contributor
Not that weird, to unlock all we have to do is zero a few sections, but to lock, unfortunately, it appears we would need to reverse engineer the security tokens.
So the only way we could handle it officially would be my idea for having BootUnlocker allow a power user (after a serious disclaimer and an Advance Option toggle perhaps) to capture the dumps in the two states and then tie flashing them whole to the app buttons. Basically what I suggested for the N7 2012.
Last edited:
osm0sis
Senior Recognized Developer / Contributor
Hmm thinking some more, does flashing it again allow you to relock? It should leave the tokens intact, so might be possible. That would mean as long as a rooted user started with a locked bootloader BootUnlocker could do its thing. BootUnlocker could check for the existence of the tokens and if they don't exist request the user oem lock before using it.
Last edited:
This might work, but it is definitely getting complicated.
Now we need to know: which of the locations in a locked bootloader need to be cleared in order to unlock, and which of those need to be saved for relocking.
And I need to read up on how to save user data, and disallow backups (we wouldn't want people restoring a BootUnlocker backup from one N6 onto a different one).
I hope the N9 is easier, if we can get some dumps.
Sent from my Manta
What happens if a user writes a bad lock token to an unlocked device? Does it brick, or does it simply fail to lock?
Also, I wonder what the situation looks like before the first unlock. Does the first unlock just clear some tokens from sp like second unlocks do, or does it blow a qFuse like it does on the Moto X (according to the page I linked to earlier)?
Sent from my Manta
Also, I wonder what the situation looks like before the first unlock. Does the first unlock just clear some tokens from sp like second unlocks do, or does it blow a qFuse like it does on the Moto X (according to the page I linked to earlier)?
Sent from my Manta
Yes, flashing the script a second time immediately after the first relocks the bootloader
osm0sis
Senior Recognized Developer / Contributor
I'm just saying we could leave the tokens alone. As long as there's root and the tokens exist we can write the common changes around them and control the lock state as long as the initial state was locked.
Why not keep things simple and only offer the unlock option in BootUnlocker for the N6.
Users can always lock using fastboot. The main benefit of BootUnlocker which is to unlock preserving your data, will still be there.
Can that be a security risk? Everybody would be using the same keys if that's what's in there.
osm0sis
Senior Recognized Developer / Contributor
You misunderstand. The tokens are the unique data. I'm proposing we don't touch them at all, so each device remains with its own "key".
Wait, so does flashing ONLY the common changes to a locked device unlock it? So I don't need to wipe and restore the token, just leave it alone?
In that case, my next question would be do I have to flash ALL the common changes to unlock, or only some of them?
Sent from my Manta
osm0sis
Senior Recognized Developer / Contributor
Yup, that's what I suggested and was tried here: http://xdaforums.com/showpost.php?p=58153849&postcount=503
Whether only some suffice is the next big question.
osm0sis
Senior Recognized Developer / Contributor
I'm just saying we could leave the tokens alone. As long as there's root and the tokens exist we can write the common changes around them and control the lock state as long as the initial state was locked.
Proof of concept. Won't flash on an unlocked N6 bootloader (to relock) by checking for the existence of the first token, and will advise in this case the user fastboot oem lock before flashing again.
Last edited:
Can test this if you want. How safe is it? Ie, if it "breaks", will it brick, force flashing, or just me to factory reset?
osm0sis
Senior Recognized Developer / Contributor
I'm fairly confident in the script, but you're best practice would still be backing up one state or the other of your sp partition first. You would need to flash this partition dump back to sp if something went wrong, though honestly locking and unlocking again might fix it too. Factory Reset doesn't act on any partitions BootUnlocker will ever come in contact with.
Last edited:
Bit nooby on the backing up specifics part. Could you provide the full path to the files I should back up?
Edit: did a backup of boot, firmware and efs. Is this sufficient?
Big fat edit: That's a brick. Flashed it once before relocking, locked, then wouldn't boot into anything but the bootloader. Totally should have done a full backup, good thing the device is only a day old!
Even more editing:
So, according to what I saw, this following bit did NOT happen, and the script claimed to have unlocked my bootloader:
Edit: did a backup of boot, firmware and efs. Is this sufficient?
Big fat edit: That's a brick. Flashed it once before relocking, locked, then wouldn't boot into anything but the bootloader. Totally should have done a full backup, good thing the device is only a day old!
Even more editing:
So, according to what I saw, this following bit did NOT happen, and the script claimed to have unlocked my bootloader:
Code:
ui_print "Security token not present.";
ui_print "Please fastboot oem lock before flashing.";
Last edited:
Hello all,
I've been tinkering with my Nexus 6 today and flashing the unlock script supplied by @osm0sis upthread and something occurred to me.
It appears as though there are (at least) two different unlocked states of the bootloader in the Nexus 6.
One unlocked state allows relocking of the bootloader through the use of the script and the other doesn't seem to.
I was able to get dumps of the sp partition in both unlocked states and generated an MD5 of each .img and they are different.
At first glance it seems that booting into the bootloader, rebooting the system or a combination of both after unlocking the bootloader is what is changing the unlocked state. I haven't had time yet to try and figure out the cause.
My thought is that if we can figure out what the difference is between the two unlocked states, maybe there's a way to retain the ability to relock the bootloader using the script even after booting into the bootloader/rebooting the system.
Please let me know if this is old news and not worth looking into further or if additional examination could prove helpful.
I've been tinkering with my Nexus 6 today and flashing the unlock script supplied by @osm0sis upthread and something occurred to me.
It appears as though there are (at least) two different unlocked states of the bootloader in the Nexus 6.
One unlocked state allows relocking of the bootloader through the use of the script and the other doesn't seem to.
I was able to get dumps of the sp partition in both unlocked states and generated an MD5 of each .img and they are different.
At first glance it seems that booting into the bootloader, rebooting the system or a combination of both after unlocking the bootloader is what is changing the unlocked state. I haven't had time yet to try and figure out the cause.
My thought is that if we can figure out what the difference is between the two unlocked states, maybe there's a way to retain the ability to relock the bootloader using the script even after booting into the bootloader/rebooting the system.
Please let me know if this is old news and not worth looking into further or if additional examination could prove helpful.
Last edited:
I've had some more time to test.
As mentioned in my previous post, it looks to me like we've got two different and distinct unlock states. I've taken to referring to them as "OEM unlocked" and "script unlocked".
Starting from OEM locked the script will continue to toggle back and forth between script unlocked and locked repeatedly with no problems - until any form of reboot into bootloader or system.
After any reboot into the bootloader or system the unlock state changes from script unlocked to OEM unlocked.
From OEM unlocked, the script will not switch back to locked. This appears to mean that after every reboot, if the bootloader is unlocked, the script wouldn't be able to lock the bootloader again without an OEM lock being done.
I noticed some discussion earlier in the thread about having users manually go back to OEM locked after installing BootUnlocker.
I wonder now if we might have an additional avenue to try? Instead of having users manually go back to OEM locked, what about trying to have the script attempt to reflash the data to unlock again before attempting to lock?
What I have in mind is having the script change the bootloader unlock state from OEM unlocked to script unlocked and therefore be able to use the script to relock and avoid the need for the user manually doing an OEM lock.
I haven't had time to really look at the script that @osm0sis posted upthread but I could try to modify it to test this concept. I may need assistance with this if I get stuck but I'm not afraid to at least try it before asking for help from you all.
I am by no means proficient with this so if anyone thinks I'm on the wrong track, or you've already been down this avenue with other devices without success, let me know.
As mentioned in my previous post, it looks to me like we've got two different and distinct unlock states. I've taken to referring to them as "OEM unlocked" and "script unlocked".
Starting from OEM locked the script will continue to toggle back and forth between script unlocked and locked repeatedly with no problems - until any form of reboot into bootloader or system.
After any reboot into the bootloader or system the unlock state changes from script unlocked to OEM unlocked.
From OEM unlocked, the script will not switch back to locked. This appears to mean that after every reboot, if the bootloader is unlocked, the script wouldn't be able to lock the bootloader again without an OEM lock being done.
I noticed some discussion earlier in the thread about having users manually go back to OEM locked after installing BootUnlocker.
I wonder now if we might have an additional avenue to try? Instead of having users manually go back to OEM locked, what about trying to have the script attempt to reflash the data to unlock again before attempting to lock?
What I have in mind is having the script change the bootloader unlock state from OEM unlocked to script unlocked and therefore be able to use the script to relock and avoid the need for the user manually doing an OEM lock.
I haven't had time to really look at the script that @osm0sis posted upthread but I could try to modify it to test this concept. I may need assistance with this if I get stuck but I'm not afraid to at least try it before asking for help from you all.
I am by no means proficient with this so if anyone thinks I'm on the wrong track, or you've already been down this avenue with other devices without success, let me know.
Last edited:
I've flashed this a few times with OEM unlock but don't get any notification to do OEM lock before flashing again.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
109[APP][2015-01-12][root][GNex/Dev] BootUnlocker for Nexus Devices -- version 1.6.1
NEW: beta version available!
[SIZE="+2"]BootUnlocker for Nexus Devices -- Unlock your bootloader without fastboot.[/SIZE]
This application REQUIRES a Galaxy Nexus (maguro, toro or toroplus), Nexus 4 (mako), Nexus 5 (hammerhead), Nexus 7 2013 (deb or flo), Nexus 10 (manta), OnePlus One (bacon / A0001), OnePlus 2 (OnePlus2), OnePlus X (OnePlus / ONE / E1001), YU Yuphoria (lettuce / YUPHORIA), YU Yureka (tomato / YUREKA), Lenovo Zuk Z1 (ham / Z1), InFocus M810 (VNA), InFocus M812 (VN2), or Yota Phone 2 (yotaphone2), with root.
You've rooted your device, and you are trying to decide between the security of relocking your bootloader (with stock recovery and USB Debugging off), and the flexibility of leaving it unlocked.
You know that in order to prevent an unauthorized user from accessing your data by flashing a custom recovery, "fastboot oem unlock" wipes your data. This also means that if you relock your bootloader, you will need to do a full backup-and-restore whenever you decide to unlock it again.
BootUnlocker for Nexus Devices lets you have the best of both worlds by using root privileges to unlock your bootloader from within Android, without wiping your data. This allows you to keep your bootloader locked for security, with this application safely protected behind your lockscreen password. Whenever you want to unlock or relock your bootloader, just unlock your screen and run BootUnlocker.
License
BootUnlocker for Nexus Devices is Open Source Software, licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html.
You can redistribute, reuse, or modify this software as permitted under this license.
Source code is maintained on GitHub.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
For support, please leave a comment on this thread, or open an issue on the GitHub page.
STABLE version: (a) XDA post, (b) XDA download, (c) Google Play download
BETA version: (a) XDA post, (b) XDA download
XDA:DevDB Information
BootUnlocker, App for the Samsung Galaxy Nexus
Contributors
segv11, osm0sis
Source Code: https://github.com/segv11/boot-unlocker
Version Information
Status: Stable
Current Stable Version: 1.6.1
Stable Release Date: 2015-01-12
Current Beta Version: 1.6.3
Beta Release Date: 2017-10-29
Created 2017-07-18
Last Updated 2017-10-2929How to help bring BootUnlocker to new devices
For those of you who are thinking of helping to bring this app to a new device, you should know what is involved. First, it should be a Nexus or similar device, with "fastboot oem unlock" and "fastboot oem lock", and without the 2014 security changes in the bootloader. Second you should know which devices are already supported, and which we probably can't support.
You will want up-to-date nandroids, copied off-device. Backup your /sdcard off-device too, as nandroids don't save this.
The general idea is that we take images of all the partitions, in both the locked and unlocked states. We then compare them to see where the changes were. Once we've figured it out, we test it by flashing back the appropriate images to make sure that they change the lockstate of the device. If we can't figure it out, we will need to unlock your device using "fastboot oem unlock", which will wipe ALL of /data, including /sdcard...
If your device started locked, we would:
- run "ls -lR /dev/block" and send me the result
- I'll send back a list of "dd" commands to dump all the paritions to /sdcard
- dump all the partitions
- take md5's of each image for quick change detection
- copy the images off-device
- reboot bootloader
- fastboot oem lock
- reboot
- dump all the partitions again, to a different directory
- take md5's of each new image for quick change detections
- copy new the images off-device
If your device started locked, we would:
- run "ls -lR /dev/block" and send me the result
- I'll send back a list of "dd" commands to dump all the paritions to /sdcard
- dump all the partitions
- take md5's of each image for quick change detection
- copy the images off-device
- reboot bootloader
- fastboot oem unlock (wipes device!)
- reboot
- re-enable ADB debugging
- dump all the partitions again, to a different directory
- take md5's of each new image for quick change detections
- copy new the images off-device
- restore a nandroid of userdata
At this point, we can use the md5's to check which partitions have changed, which are hopefully only a few. We'll discuss which ones seem "interesting", so you can zip up and send as few images as necessary. I'll run "xxd" to make hexdumps of them, and "diff" and friends to analyze them.
If we have a candidate set of changes, then you would use dd to copy back the relevant image(s) and reboot bootloader, to verify that this does indeed unlock and lock the device. If everything works, then I can change BootUnlocker to recognize the device. If things don't work, and you want an unlocked bootloader, you will need to unlock it with "fastboot oem unlock" and then restore your nandroid.
As you can see, there is a significant risk of data loss. You also need to be comfortable with fastboot, adb, and the adb/linux shell on your device. And of course, you need root.
We've got the Galaxy Nexus, Nexus 4, and Nexus 10 in the bag. The ASUS bootloader in the Nexus 7 (2012 edition) stores the lockstate using device-specific encryption; we cannot support that device. If you've got some other Nexus device and feel like some hacking, PM me and we'll see if we can figure your device out.
On the other hand, I'm not the only one who can do this work; many of us figured out the G-Nex together, on a different XDA thread. If you've already done the relevant hacking on your bootloader and know how it stores the lockstate, send me the info and I'd be happy to add it to BootUnlocker.11BootUnlocker v1.6.2 Beta
Well, I finally got down to it on my list, and it was actually pretty easy importing my fork of @segv11's project repo into Android Studio, so here we are, finally with a test build of my proposed BootUnlocker v1.6.2 adding OnePlus 2 and OnePlus X support!
Changes:
https://github.com/osm0sis/boot-unlocker/commits/master
I'll accept Pull Requests for new device support via my repo. Please look at my OnePlus 2 commit for an example/template of everything required for a complete app and documentation update for each new device. Please submit one device per commit in each Pull Request, and let me sort out bumping the app version numbering/changelog items.
@efrant, @Titokhan were there any outstanding devices we can add along with the PR I've already got for Yota Phone 2 in v1.6.3?
We still need @dinomight or someone to help with OnePlus 3/T as well. Any users interested in helping can follow the directions I gave to @dinomight, here: https://xdaforums.com/galaxy-nexus/...r-nexus-devices-version-t1731993/post67720772
It'd be nice if for ~v1.7.0 we could also do a Material redesign, like how AdAway did, but we'll need someone with more app coding chops than myself to submit a Pull Request; I am brand new to app creation, but as always I hope to learn as I go along.8OnePlus One support is published
A new version with bacon / A0001 (OnePlus One) support has been published to the Play Store.
You can also download the APK from Google Drive: https://drive.google.com/file/d/0B6qHcVHPO4VrUmpZUWd6Mnh5elE/view
This version also includes fixes for crashes on unsupported devices.
Thank you all for your research and beta testing. Thank you especially to Polarfuchs, who provided the offsets for this device.
New posts
-
Features disabled on fastboot and bootloader. How do I enable them?- Latest: mayberandomparable
-
-