Poll: Is anybody concerned about leaving bootloader unlocked?

YES: 20 votes (54.05%)
NO: 13 votes (35.14%)
Why should I be?: 4 votes (10.81%)

[DISCUSSION] Re-locking Bootloader w/ Custom OS

While I am an advocate for device customization and modifications, I also believe there is an inherent need for locked bootloaders. When we unlock a BL and leave it that way so we can run custom ROMs, root etc., we sacrifice the security it provides, allowing our devices to be tampered with or redistributed after a theft. I've seen the PSA advising people not to relock their bootloaders on anything except stock. That is entirely true for Verizon and EE Pixels that were never intended to be unlocked in the first place. However, I believe it's entirely possible to boot properly self-signed images on unlockable devices after re-locking.

Now, I'm not saying we should go around re-locking bootloaders with custom firmware installed; there's a process. I've done a bit of reading on verified boot. I am interested in utilizing the "YELLOW STATE" so we can run self-signed boot images using an "embedded certificate" along with dm-verity disabled. The problem is: how can we self-sign our boot images, allowing boot to continue, without compiling from source?

https://source.android.com/security/...fied-boot.html

https://mjg59.dreamwidth.org/31765.html

I found some information, and maybe a more experienced DEV can shed some light on whether it's possible with our Pixel devices. That's really the goal of this thread: to start a discussion which I think is extremely important and hopefully turn it into a guide or tool. We shouldn't completely sacrifice security to utilize root or custom ROMs. On my N5X I have a locked bootloader and modified boot/system with Allow OEM unlock disabled. The difference with our Pixels and Nougat BLs is that verified boot is strictly enforced.

Please excuse me if this thread seems jumbled or all over the place. I really do want help with this idea tho to help inform and keep us secure. Any input is appreciated.
16th March 2017, 09:56 PM |#2  
OP Senior Member
Well if anybody is interested in re-locking their boot loader with a custom ROM and kernel in place I basically figured out how


Refer to this post

If anybody plans to attempt this and has ANY questions or concerns regarding re-locking their bootloaders in a custom state, please don't hesitate to post here. I successfully re-locked my bootloader with a custom ROM and kernel. I also modified TWRP in my kernel to only start via locked-down adb with key access. This allows my Pixel to be highly secure and still recoverable. Might start a new post highlighting my procedures and research on this subject.
19th March 2017, 06:27 PM |#3  
Senior Member
I still wouldn't do this. What's the point? You will still pass SafetyNet with a custom kernel.
As for security, your device still needs to be decrypted to use TWRP. It should still be as secure. I guess someone can wipe your device if they get ahold of it, but that's not really a security risk.

Risk is still huge locking your device with a custom OS.

Sent from my Pixel using Tapatalk
6th April 2017, 03:21 AM |#4  
OP Senior Member
Quote:
Originally Posted by milan187

I still wouldn't do this. What's the point? You will still pass SafetyNet with a custom kernel.
As for security, your device still needs to be decrypted to use TWRP. It should still be as secure. I guess someone can wipe your device if they get ahold of it, but that's not really a security risk.

Risk is still huge locking your device with a custom OS.

Sent from my Pixel using Tapatalk

It has nothing to do with passing SafetyNet. TWRP can only access the data after the PIN is input, true, but leaving a device with an unlocked bootloader leaves the ability to flash modified boot images (a huge attack vector). This is to keep your device yours if it falls into a thief's hands. You cannot have device protection features on an unlocked Allow OEM unlock device. You're right, there is risk, but being careful can alleviate the risk. I do this because I want my phone to be a trackable paperweight if somebody takes it. I have established my own chain of trust outside of Google's. I have even modified my TWRP side of boot.img to only start with my PC using adb keys.
6th April 2017, 03:53 AM |#5  
Senior Member
Which risk is greater? The risk of losing an unlocked device and it falling into the hands of someone that knows what to do, or bricking it by re-locking it.

I vote the latter.
6th April 2017, 08:20 AM |#6  
OP Senior Member
It's not re-locking that bricks... It's disabling the Allow OEM unlock in dev options and screwing with stuff afterwards that may cause a bootloop. As long as you have a signed boot image in place with TWRP or stock recovery that uses your own keys, the risk is minimal.

Simple rule... With a locked boot loader on a device where verification is strictly enforced always leave that option ticked if modifying anything.

I'm sorry, but people are misinformed. Locking the bootloader doesn't brick if you have a custom ROM in place any more than a stock ROM. It's screwing with things or using a poorly dev'd ROM. If you are like me and can set something up the way you like once and not screw with it, you'll be fine. If you do wanna screw with something, remember to check Allow OEM unlock in dev opts. Don't uncheck until you're 100% sure. It really is that simple.
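An added check, not posted by anyone in this thread, that reads the boot properties the posts argue about and reports which posture a device is actually in: green and locked (stock), yellow and locked with the toggle off (the OP's self-signed setup), yellow and locked but with Allow OEM unlock still ticked (one fastboot command away from unlocking, as post #7 notes), or unlocked. It assumes the Android system property names ro.boot.verifiedbootstate, ro.boot.flash.locked and sys.oem_unlock_allowed as printed by getprop; the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify a device's verified-boot posture from `getprop` output.
# Property names assumed (Android system properties, not from the thread):
#   ro.boot.verifiedbootstate   green | yellow | orange | red
#   ro.boot.flash.locked        1 = bootloader locked, 0 = unlocked
#   sys.oem_unlock_allowed      1 = "Allow OEM unlock" ticked in developer options
# On a real device:  classify_boot_posture "$(adb shell getprop)"

# Constructed sample in the format getprop prints: [name]: [value]
SAMPLE_LOCKED_YELLOW='[ro.boot.verifiedbootstate]: [yellow]
[ro.boot.flash.locked]: [1]
[sys.oem_unlock_allowed]: [0]'

# prop_value NAME PROPS: print the value of NAME, empty if absent.
# Strips CR in case the output came through an adb shell that emits CRLF.
prop_value() {
    printf '%s\n' "$2" | tr -d '\r' | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# classify_boot_posture PROPS: print one word describing the posture
#   stock-locked        green, locked: images signed with the OEM key
#   custom-locked       yellow, locked, toggle off: self-signed image and
#                       fastboot cannot unlock (the OP's setup)
#   custom-locked-open  yellow, locked, toggle on: fastboot can unlock it
#                       (wiping data), so the lock protects little
#   unlocked            bootloader unlocked: any image boots
#   verify-failed       red: the image failed verification
#   unknown             properties missing or unexpected
classify_boot_posture() {
    state=$(prop_value ro.boot.verifiedbootstate "$1")
    locked=$(prop_value ro.boot.flash.locked "$1")
    toggle=$(prop_value sys.oem_unlock_allowed "$1")
    case "$state/$locked" in
        green/1)  echo stock-locked ;;
        yellow/1) if [ "$toggle" = 1 ]; then echo custom-locked-open
                  else echo custom-locked; fi ;;
        red/*)    echo verify-failed ;;
        orange/*) echo unlocked ;;
        */0)      echo unlocked ;;
        *)        echo unknown ;;
    esac
}

classify_boot_posture "$SAMPLE_LOCKED_YELLOW"
```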
6th April 2017, 02:17 PM |#7  
Senior Member
If you are leaving the toggle open what have you accomplished when it gets stolen? They just issue the fastboot command to unlock it. Yea, it wipes data at that point. But I honestly can't think of anything on my phone that is confidential.
7th April 2017, 10:48 PM |#8  
OP Senior Member
When I'm out n about and using my phone normally (i.e. not modding, flashing etc.) I put the toggle to off. If I'm planning on changing anything I toggle it back on, and if something causes a bootloop (most probably user error) I can recover. I don't think most people who steal phones care about data either, but I keep a lot of keys, passwords etc. to networks in my device's storage. I admit it's not for everybody, just a way to be more secure and protect a $700+ investment. My phone's bootloader isn't just locked, it's locked with a persistent root SSH backdoor integrated into system so I can maintain control in the event.
13th July 2018, 10:57 AM |#9  
Junior Member
Want to re-lock my boot loader?
Quote:
Originally Posted by Geofferey

Well if anybody is interested in re-locking their boot loader with a custom ROM and kernel in place I basically figured out how


Refer to this post

If anybody plans to attempt this and has ANY questions or concerns regarding re-locking their bootloaders in a custom state, please don't hesitate to post here. I successfully re-locked my bootloader with a custom ROM and kernel. I also modified TWRP in my kernel to only start via locked-down adb with key access. This allows my Pixel to be highly secure and still recoverable. Might start a new post highlighting my procedures and research on this subject.

hey,
I, as well as plenty of others, thought I was clever unlocking it, as I mainly wanted to unlock it from the EE UK network. It's not been touched since, no custom ROMs or root, but after reading that people are trying to re-lock it and getting bricked I'm too scared to try lol, it's the only phone I've got? Appreciate any help please x

---------- Post added at 10:57 AM ---------- Previous post was at 10:21 AM ----------

Quote:
Originally Posted by sally76

hey,
I, as well as plenty of others, thought I was clever unlocking it, as I mainly wanted to unlock it from the EE UK network. It's not been touched since, no custom ROMs or root, but after reading that people are trying to re-lock it and getting bricked I'm too scared to try lol, it's the only phone I've got? Appreciate any help please x

Sorry Duhhhh !! Custom u said lol
Tags
bootloader, nougat, relocking bootloader