[APP][2015-01-12][root][GNex/Dev] BootUnlocker for Nexus Devices -- version 1.6.1

Search This thread

segv11

Senior Member
Mar 19, 2012
379
526
[APP][2015-01-12][root][GNex/Dev] BootUnlocker for Nexus Devices -- version 1.6.1

NEW: beta version available!

[SIZE="+2"]BootUnlocker for Nexus Devices -- Unlock your bootloader without fastboot.[/SIZE]

This application REQUIRES a Galaxy Nexus (maguro, toro or toroplus), Nexus 4 (mako), Nexus 5 (hammerhead), Nexus 7 2013 (deb or flo), Nexus 10 (manta), OnePlus One (bacon / A0001), OnePlus 2 (OnePlus2), OnePlus X (OnePlus / ONE / E1001), YU Yuphoria (lettuce / YUPHORIA), YU Yureka (tomato / YUREKA), Lenovo Zuk Z1 (ham / Z1), InFocus M810 (VNA), InFocus M812 (VN2), or Yota Phone 2 (yotaphone2), with root.

You've rooted your device, and you are trying to decide between the security of relocking your bootloader (with stock recovery and USB Debugging off), and the flexibility of leaving it unlocked.

You know that in order to prevent an unauthorized user from accessing your data by flashing a custom recovery, "fastboot oem unlock" wipes your data. This also means that if you relock your bootloader, you will need to do a full backup-and-restore whenever you decide to unlock it again.

BootUnlocker for Nexus Devices lets you have the best of both worlds by using root privileges to unlock your bootloader from within Android, without wiping your data. This allows you to keep your bootloader locked for security, with this application safely protected behind your lockscreen password. Whenever you want to unlock or relock your bootloader, just unlock your screen and run BootUnlocker.

License
BootUnlocker for Nexus Devices is Open Source Software, licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html.
You can redistribute, reuse, or modify this software as permitted under this license.

Source code is maintained on GitHub.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

For support, please leave a comment on this thread, or open an issue on the GitHub page.

STABLE version: (a) XDA post, (b) XDA download, (c) Google Play download
BETA version: (a) XDA post, (b) XDA download


XDA:DevDB Information
BootUnlocker, App for the Samsung Galaxy Nexus

Contributors
segv11, osm0sis
Source Code: https://github.com/segv11/boot-unlocker


Version Information
Status: Stable
Current Stable Version: 1.6.1
Stable Release Date: 2015-01-12
Current Beta Version: 1.6.3
Beta Release Date: 2017-10-29

Created 2017-07-18
Last Updated 2017-10-29
 

Attachments

  • GNex_Portrait.png
    GNex_Portrait.png
    119.4 KB · Views: 3,400
  • N4_Portrait_Unlocked.png
    N4_Portrait_Unlocked.png
    186.5 KB · Views: 3,398
  • N7_Portrait_Unlocked.jpg
    N7_Portrait_Unlocked.jpg
    63.2 KB · Views: 3,335
  • Nexus10_Portrait.png
    Nexus10_Portrait.png
    153.9 KB · Views: 2,984
Last edited:

segv11

Senior Member
Mar 19, 2012
379
526
How it Works

BootUnlocker for Nexus Devices avoids using "fastboot oem unlock", with its associated "userdata" wipe. When fastboot unlocks it updates a lock status flag, stored on a partition of your device's internal storage. Device partitions, positions and state values (locked/unlocked) are as follows:

  • On the Galaxy Nexus, the bootloader uses position 0x000007C of the "param" partition, stored as 01 / 00.
  • On the Nexus 10, the bootloader uses position 0x0000224 of the "param" partition, stored as 00 / 01.
  • On the Nexus 4 and Nexus 5, the bootloaders use position 0x0004010 of the "misc" partition, stored as 00 / 01. The Nexus 4 and Nexus 5 bootloaders also keep a "Tamper" flag at position 0x0004014 of the "misc" partition. It is stored as 00 / 01 (untampered/tampered).
  • On the Nexus 7 (2013), the bootloader uses position 0x04FFC00 of the "aboot" partition, stored as 00 / 02.
  • On the OnePlus One, the bootloader uses position 0x000FFE10 of the "aboot" partition, stored as 00 / 01. The OnePlus One has a "Tamper" flag, at position 0x000FFE14 of the "aboot" partition.

On devices with Tamper flag locations listed above, BootUnlocker for Nexus Devices can also set and clear this flag. You can also view this flag using "fastboot oem device-info".

BootUnlocker uses root privileges to write to to the appropriate location directly, bypassing fastboot. This allows you to lock and unlock your bootloader from within Android, without wiping your "userdata" partition.

The technique used was discovered through the efforts of several contributors on http://xdaforums.com/showthread.php?t=1650830&page=13

Special thanks go to those who posted raw images of their device partitions, helped with/conducted the analysis, or put their devices in harm's way to beta test: efrant, osm0sis, iuss, Archpope, AdamOutler, NCguy, Raftysworld, Mach3.2, Meep70, Polarfuchs, and others. This application could not have been written without their contributions.

To learn more about how this app works, and plans for future functionality, follow this project on GitHub, or subscribe the application's XDA thread.

Please note that the Nexus 7 (2012 version) cannot be supported in BootUnlocker. See this XDA thread for an alternative: http://xdaforums.com/showthread.php?t=2068207
 
Last edited:
  • Like
Reactions: sant514 and osm0sis

segv11

Senior Member
Mar 19, 2012
379
526
Change Log

Version 1.6.1:

  • Adds support for bacon / A0001 (OnePlus One)

Version 1.5.2:

  • Updated wording for tamper flag management

Version 1.5.1:

  • Adds support for flo and deb (Nexus 7 2013)
  • Adds tamper flag management on mako (Nexus 4) and hammerhead (Nexus 5)

Version 1.5beta2:

  • Experimental tamper flag management on mako (Nexus 4) and hammerhead (Nexus 5)

Version 1.5beta1:

  • Experimental support for flo and deb (Nexus 7 2013)

Version 1.4:

  • Adds support for hammerhead (Nexus 5)

Version 1.3.2 Beta:

  • Experimental support for hammerhead (Nexus 5)

Version 1.3:

  • Adds support for mako (Nexus 4)

Version 1.2.5 Beta:

  • Experimental support for mako (Nexus 4)

Version 1.2:

  • Adds support for manta (Nexus 10)
  • Adds status area (bottom-left) to display information about the device and app

Version 1.2 Beta 1:

  • Adds support for manta (Nexus 10)

Version 1.1:

  • Adds support for toroplus (Sprint Galaxy Nexus)
  • Corrects multiple-su-request issue for users of ChainsDD's Superuser app

Version 1.0:

  • Initial Release on XDA and Play Store

Version 0.9 Beta:

  • Fixed race conditions from exec()ing su on the main thread
  • Removed the need for busybox

Version 0.8 Beta:

  • New launcher icons and screenshots

Version 0.7 Beta:

  • Device restrictions in the Manifest to prevent installation on many non-Galaxy Nexus devices

Version 0.6 Beta:

  • Checks that you have a toro or maguro device before doing anything.
  • Makes diagnostic output to logcat.
  • Various code cleanups

Version 0.5 ALPHA:

  • First testing Release on XDA
 
Last edited:
  • Like
Reactions: osm0sis

segv11

Senior Member
Mar 19, 2012
379
526
How to help bring BootUnlocker to new devices

For those of you who are thinking of helping to bring this app to a new device, you should know what is involved. First, it should be a Nexus or similar device, with "fastboot oem unlock" and "fastboot oem lock", and without the 2014 security changes in the bootloader. Second you should know which devices are already supported, and which we probably can't support.

You will want up-to-date nandroids, copied off-device. Backup your /sdcard off-device too, as nandroids don't save this.

The general idea is that we take images of all the partitions, in both the locked and unlocked states. We then compare them to see where the changes were. Once we've figured it out, we test it by flashing back the appropriate images to make sure that they change the lockstate of the device. If we can't figure it out, we will need to unlock your device using "fastboot oem unlock", which will wipe ALL of /data, including /sdcard...

If your device started locked, we would:
  1. run "ls -lR /dev/block" and send me the result
  2. I'll send back a list of "dd" commands to dump all the paritions to /sdcard
  3. dump all the partitions
  4. take md5's of each image for quick change detection
  5. copy the images off-device
  6. reboot bootloader
  7. fastboot oem lock
  8. reboot
  9. dump all the partitions again, to a different directory
  10. take md5's of each new image for quick change detections
  11. copy new the images off-device

If your device started locked, we would:
  1. run "ls -lR /dev/block" and send me the result
  2. I'll send back a list of "dd" commands to dump all the paritions to /sdcard
  3. dump all the partitions
  4. take md5's of each image for quick change detection
  5. copy the images off-device
  6. reboot bootloader
  7. fastboot oem unlock (wipes device!)
  8. reboot
  9. re-enable ADB debugging
  10. dump all the partitions again, to a different directory
  11. take md5's of each new image for quick change detections
  12. copy new the images off-device
  13. restore a nandroid of userdata


At this point, we can use the md5's to check which partitions have changed, which are hopefully only a few. We'll discuss which ones seem "interesting", so you can zip up and send as few images as necessary. I'll run "xxd" to make hexdumps of them, and "diff" and friends to analyze them.

If we have a candidate set of changes, then you would use dd to copy back the relevant image(s) and reboot bootloader, to verify that this does indeed unlock and lock the device. If everything works, then I can change BootUnlocker to recognize the device. If things don't work, and you want an unlocked bootloader, you will need to unlock it with "fastboot oem unlock" and then restore your nandroid.

As you can see, there is a significant risk of data loss. You also need to be comfortable with fastboot, adb, and the adb/linux shell on your device. And of course, you need root. :)

We've got the Galaxy Nexus, Nexus 4, and Nexus 10 in the bag. The ASUS bootloader in the Nexus 7 (2012 edition) stores the lockstate using device-specific encryption; we cannot support that device. If you've got some other Nexus device and feel like some hacking, PM me and we'll see if we can figure your device out.

On the other hand, I'm not the only one who can do this work; many of us figured out the G-Nex together, on a different XDA thread. If you've already done the relevant hacking on your bootloader and know how it stores the lockstate, send me the info and I'd be happy to add it to BootUnlocker.
 
Last edited:

LoveNFC

Senior Member
May 14, 2012
161
63
Excellent application. But a question:

Does this now also mean that a tech-savvy thief would be able to unlock the bootloader without wiping data? Assuming that my phone is rooted and I don't place a PIN on the lockscreen.
 

Smabbage

Senior Member
May 9, 2010
211
27
Lost in Arkansas
I had to backup my ROM before I jumped in feet first. Tested a lock and a unlock and I can now say it worked without a hitch. Thanks to everyone involved in the production of this APP.
 
Last edited:
  • Like
Reactions: segv11

segv11

Senior Member
Mar 19, 2012
379
526
Excellent application. But a question:

Does this now also mean that a tech-savvy thief would be able to unlock the bootloader without wiping data? Assuming that my phone is rooted and I don't place a PIN on the lockscreen.

Yes, if your phone was rooted and you had no PIN/password the thief could use this to unlock the bootloader without wiping data. But if you were rooted with no PIN, you've got bigger problems than this app. :)

For example: a thief (or even a "visitor") could run Titanium Backup and then copy the backup off the device.
 
  • Like
Reactions: Exnor

NCguy

Senior Member
Jul 4, 2010
1,657
227
NC
Excellent application. But a question:

Does this now also mean that a tech-savvy thief would be able to unlock the bootloader without wiping data? Assuming that my phone is rooted and I don't place a PIN on the lockscreen.

If your phone is already rooted and you don't have a pin then the thief doesn't need to unlock, he can just walk in and help himself.
 

NCguy

Senior Member
Jul 4, 2010
1,657
227
NC
Segv11, congrats!

If the google play GNs use this to relock their bootloaders will a fastboot unlock do a wipe or will the play store devices still fail to wipe?
 
  • Like
Reactions: mike33311

Mach3.2

Senior Member
May 1, 2012
2,038
446
Singapore
I don't think it will wipe. We did not even found out why it did not wipe.

Anyway OP, do state that root is requires on Play Store.

Pressed from my Galaxy Nexus.
 
Last edited:

segv11

Senior Member
Mar 19, 2012
379
526
Segv11, congrats!

If the google play GNs use this to relock their bootloaders will a fastboot unlock do a wipe or will the play store devices still fail to wipe?

Thank you.

I don't have a Play Store GNex so I can't say for sure, but I imagine that they will still fail to wipe. All this app does is change the lock state flag in the param partition; and from our investigations on the other thread, neither the param partition, nor the bootloader, seem to control the no-wipe-on-unlock behavior of the Play Store GNexes. In fact, we weren't able to figure out where the phone stores that flag.

If we can figure out where the phone stores that little gem, I'd be happy to include a way to set/clear it in this app too.
 
  • Like
Reactions: NCguy

LoveNFC

Senior Member
May 14, 2012
161
63
Don't know how realistic this is, but I'll go ahead and request it anyways.

Would it be possible to have an option to remove the application from the app drawer, but to allow it to be launched through the dialer, in the same fashion as Cerberus?
 

Mach3.2

Senior Member
May 1, 2012
2,038
446
Singapore
Don't know how realistic this is, but I'll go ahead and request it anyways.

Would it be possible to have an option to remove the application from the app drawer, but to allow it to be launched through the dialer, in the same fashion as Cerberus?
I actually had this on my mind

Pressed from my Galaxy Nexus.
 

efrant

Retired Senior Moderator & Developers Relations
Feb 12, 2009
11,469
10,985
Montreal
Samsung Galaxy S20
Would it be possible to have an option to remove the application from the app drawer, but to allow it to be launched through the dialer, in the same fashion as Cerberus?


I actually had this on my mind .
Not sure why it would even matter. Having an unlocked or locked bootloader makes no difference security-wise if you are booted into Android and have root.


Sent from my Galaxy Nexus using Tapatalk 2
 
  • Like
Reactions: segv11

segv11

Senior Member
Mar 19, 2012
379
526
Don't know how realistic this is, but I'll go ahead and request it anyways.

Would it be possible to have an option to remove the application from the app drawer, but to allow it to be launched through the dialer, in the same fashion as Cerberus?

ChainsDD's Superuser can also do this. I would find it too inconvenient to go through the dialer, however: instead I would just get a shell and issue the same "dd" command that this app makes.

However, I've added it (Issue 27 on Google Code) to my list of desired features: perhaps the user could opt in to this feature in a preference panel.

There are other other little features I'd like to add (like the ability to reboot from within the app), and one big feature: I'd like the app to be able to flash a custom recovery without a USB connection and fastboot.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 109
    [APP][2015-01-12][root][GNex/Dev] BootUnlocker for Nexus Devices -- version 1.6.1

    NEW: beta version available!

    [SIZE="+2"]BootUnlocker for Nexus Devices -- Unlock your bootloader without fastboot.[/SIZE]

    This application REQUIRES a Galaxy Nexus (maguro, toro or toroplus), Nexus 4 (mako), Nexus 5 (hammerhead), Nexus 7 2013 (deb or flo), Nexus 10 (manta), OnePlus One (bacon / A0001), OnePlus 2 (OnePlus2), OnePlus X (OnePlus / ONE / E1001), YU Yuphoria (lettuce / YUPHORIA), YU Yureka (tomato / YUREKA), Lenovo Zuk Z1 (ham / Z1), InFocus M810 (VNA), InFocus M812 (VN2), or Yota Phone 2 (yotaphone2), with root.

    You've rooted your device, and you are trying to decide between the security of relocking your bootloader (with stock recovery and USB Debugging off), and the flexibility of leaving it unlocked.

    You know that in order to prevent an unauthorized user from accessing your data by flashing a custom recovery, "fastboot oem unlock" wipes your data. This also means that if you relock your bootloader, you will need to do a full backup-and-restore whenever you decide to unlock it again.

    BootUnlocker for Nexus Devices lets you have the best of both worlds by using root privileges to unlock your bootloader from within Android, without wiping your data. This allows you to keep your bootloader locked for security, with this application safely protected behind your lockscreen password. Whenever you want to unlock or relock your bootloader, just unlock your screen and run BootUnlocker.

    License
    BootUnlocker for Nexus Devices is Open Source Software, licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html.
    You can redistribute, reuse, or modify this software as permitted under this license.

    Source code is maintained on GitHub.

    Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

    For support, please leave a comment on this thread, or open an issue on the GitHub page.

    STABLE version: (a) XDA post, (b) XDA download, (c) Google Play download
    BETA version: (a) XDA post, (b) XDA download


    XDA:DevDB Information
    BootUnlocker, App for the Samsung Galaxy Nexus

    Contributors
    segv11, osm0sis
    Source Code: https://github.com/segv11/boot-unlocker


    Version Information
    Status: Stable
    Current Stable Version: 1.6.1
    Stable Release Date: 2015-01-12
    Current Beta Version: 1.6.3
    Beta Release Date: 2017-10-29

    Created 2017-07-18
    Last Updated 2017-10-29
    29
    How to help bring BootUnlocker to new devices

    For those of you who are thinking of helping to bring this app to a new device, you should know what is involved. First, it should be a Nexus or similar device, with "fastboot oem unlock" and "fastboot oem lock", and without the 2014 security changes in the bootloader. Second you should know which devices are already supported, and which we probably can't support.

    You will want up-to-date nandroids, copied off-device. Backup your /sdcard off-device too, as nandroids don't save this.

    The general idea is that we take images of all the partitions, in both the locked and unlocked states. We then compare them to see where the changes were. Once we've figured it out, we test it by flashing back the appropriate images to make sure that they change the lockstate of the device. If we can't figure it out, we will need to unlock your device using "fastboot oem unlock", which will wipe ALL of /data, including /sdcard...

    If your device started locked, we would:
    1. run "ls -lR /dev/block" and send me the result
    2. I'll send back a list of "dd" commands to dump all the paritions to /sdcard
    3. dump all the partitions
    4. take md5's of each image for quick change detection
    5. copy the images off-device
    6. reboot bootloader
    7. fastboot oem lock
    8. reboot
    9. dump all the partitions again, to a different directory
    10. take md5's of each new image for quick change detections
    11. copy new the images off-device

    If your device started locked, we would:
    1. run "ls -lR /dev/block" and send me the result
    2. I'll send back a list of "dd" commands to dump all the paritions to /sdcard
    3. dump all the partitions
    4. take md5's of each image for quick change detection
    5. copy the images off-device
    6. reboot bootloader
    7. fastboot oem unlock (wipes device!)
    8. reboot
    9. re-enable ADB debugging
    10. dump all the partitions again, to a different directory
    11. take md5's of each new image for quick change detections
    12. copy new the images off-device
    13. restore a nandroid of userdata


    At this point, we can use the md5's to check which partitions have changed, which are hopefully only a few. We'll discuss which ones seem "interesting", so you can zip up and send as few images as necessary. I'll run "xxd" to make hexdumps of them, and "diff" and friends to analyze them.

    If we have a candidate set of changes, then you would use dd to copy back the relevant image(s) and reboot bootloader, to verify that this does indeed unlock and lock the device. If everything works, then I can change BootUnlocker to recognize the device. If things don't work, and you want an unlocked bootloader, you will need to unlock it with "fastboot oem unlock" and then restore your nandroid.

    As you can see, there is a significant risk of data loss. You also need to be comfortable with fastboot, adb, and the adb/linux shell on your device. And of course, you need root. :)

    We've got the Galaxy Nexus, Nexus 4, and Nexus 10 in the bag. The ASUS bootloader in the Nexus 7 (2012 edition) stores the lockstate using device-specific encryption; we cannot support that device. If you've got some other Nexus device and feel like some hacking, PM me and we'll see if we can figure your device out.

    On the other hand, I'm not the only one who can do this work; many of us figured out the G-Nex together, on a different XDA thread. If you've already done the relevant hacking on your bootloader and know how it stores the lockstate, send me the info and I'd be happy to add it to BootUnlocker.
    11
    BootUnlocker v1.6.2 Beta

    Well, I finally got down to it on my list, and it was actually pretty easy importing my fork of @segv11's project repo into Android Studio, so here we are, finally with a test build of my proposed BootUnlocker v1.6.2 adding OnePlus 2 and OnePlus X support! ;):cowboy:

    Changes:
    https://github.com/osm0sis/boot-unlocker/commits/master

    I'll accept Pull Requests for new device support via my repo. Please look at my OnePlus 2 commit for an example/template of everything required for a complete app and documentation update for each new device. Please submit one device per commit in each Pull Request, and let me sort out bumping the app version numbering/changelog items.

    @efrant, @Titokhan were there any outstanding devices we can add along with the PR I've already got for Yota Phone 2 in v1.6.3?

    We still need @dinomight or someone to help with OnePlus 3/T as well. Any users interested in helping can follow the directions I gave to @dinomight, here: https://xdaforums.com/galaxy-nexus/...r-nexus-devices-version-t1731993/post67720772

    It'd be nice if for ~v1.7.0 we could also do a Material redesign, like how AdAway did, but we'll need someone with more app coding chops than myself to submit a Pull Request; I am brand new to app creation, but as always I hope to learn as I go along. :p:)
    10
    Reserved

    This post is Reserved.
    8
    OnePlus One support is published

    A new version with bacon / A0001 (OnePlus One) support has been published to the Play Store.

    You can also download the APK from Google Drive: https://drive.google.com/file/d/0B6qHcVHPO4VrUmpZUWd6Mnh5elE/view

    This version also includes fixes for crashes on unsupported devices.

    Thank you all for your research and beta testing. Thank you especially to Polarfuchs, who provided the offsets for this device.