[Q] Password Protect Bootloader/Recovery?

Search This thread
By:
Advanced…
M

marclais

Senior Member
Feb 16, 2010
107
19
I lose phones... habitually. Sometimes they find their way back to me and sometimes they don't, It is unsettling to me that even if I have a security app installed, or a GPS tracker that anyone with the ability to perform a google search can simply factory wipe my phone and make it their own.

So the question: Is it possible to include a password requirement to access the bootloader or recovery? I realize that if you forget your password there would likely be no way to save your phone in the event you need to, but I don't forget my passwords so this does not affect me.

Just wondering if this is even possible or worthwhile. Any input will be appreciated.
 
  • Like
Reactions: armujahid, MateusGabrielBR, Tmasterizer and 1 other person
0

00Ghz

Guest
I opened a similar thread. It is possible to do however it seems people just don't care about the security risk.

Xda app
 
G

GuestK00233

Guest
-1 this is pointless. someone could just go into download mode or fastboot and reflash the recovery.
 
zelendel

zelendel

Senior Member
Aug 11, 2008
23,360
20,609
OnePlus 6T
OnePlus 9
mightyiam said:
What we're looking for is a password protected bootloader which will require password for booting into recovery or using download mode or fastboot.
Click to expand...
Click to collapse

Good luck as it would need to boot before anything else and we can see the issues with this. There will never be a fool proof way to lock your phone if lost. It will be as simple as loading up the bootloader and flash a stock rom which will wipe the recovery.

No there is not alot of interest in this as to be honest if the info you have on your phone is that important then its simple. Don't loose your phone.
 
M

mightyiam

Senior Member
Feb 15, 2010
55
9
Ra'anana
zelendel said:
Good luck as it would need to boot before anything else and we can see the issues with this. There will never be a fool proof way to lock your phone if lost. It will be as simple as loading up the bootloader and flash a stock rom which will wipe the recovery.

No there is not alot of interest in this as to be honest if the info you have on your phone is that important then its simple. Don't loose your phone.
Click to expand...
Click to collapse

Perhaps you think I'm talking about an app. No, I'm talking about a modified bootloader.
 
  • Like
Reactions: NotesOfReality and RohAb
M

masiminder

Guest
+1

a bootloader with password setting is one of the few things i'm missing.
 
T

-Tiz-

Senior Member
Jul 5, 2010
479
134
+1

We either need a password protected bootloader + CWM.

Or fulldisk encryption a la Whispercore.

I absolutely HATE the insecure concept of Android. Android is for kids and nerds. But not for serious people.
 
  • Like
Reactions: Hank87, jakson7474 and dgm_mixtoon
G

GuestK0045

Guest
Plus 1 I like 2 see this bootloader password

Sent from my SGH-T839 using XDA App
 
A

AJMetal87

Senior Member
Oct 16, 2010
121
10
Yes please

+ 1
I'm glad I'm not the only one wondering about this. I'm sure it would have been done if it was possible by now. Nqmobile + gotta! App is almost good enough for me, but a password protected bootloader would be a sick addition :)
 
face-t

face-t

Member
Feb 19, 2012
31
1
Liverpool
Redmi Note 11
+I

It is one of the questions bothering me for last few months.

I like all those sec. apps - but Android Lost, Call Back, TouchMyLife nor Avast! Lost will not be able to save me if someone will boot straight into CWM and flash it with whatever just to get rid of the "FindIt" stuff.
 
P

pileot

Senior Member
Oct 16, 2010
752
210
cool

i too would like to see a passworded bootloader, or even a passworded version of CWM.

Think about it: how many regular joes on the street know how to flash a phone, or put it into download mode. Im a samsung guy, i know how to put it into download mode. My buddy is an iPhone guy, he wouldnt know the first place to start. An HTC guy might know how to deal with a few HTC devices, but in reality a handfull of people who MIGHT find your phone MIGHT know how to thwart that sort of 'security'.

From a lost phone aspect: Samsung dive is impressive. Found my phone location to within a few houses. with GPS and Wifi off. as long as the phone has battery life and is turned on, i can find it. Unless someone wipes it. which takes my password. Or boots into CWM and wipes it that way.... which currently does not need a password. or uts it into download mode and flashes a new firmware, which knowing my phone is just asking for issues. In reality, i want someone to boot my phone and have to have it on in the state that i lose it and NOT reset it. That yeilds the highest possibility of me finding it again.

So yes, i realize that any security we put on here could be thwarted somehow, but by who? how much time and effort are they going to put into it aside from trying a reset and it fails, trying to reboot into recovery, passworded protected, turn it off and sell it on the street, when the next guy turns it on with their sim card (texts my google account the new number) and now i can get his name and address

what are the chances the guy who finds my phone is going to have a computer handy and know exactly how to flash the phone? Not high.

Definately +1 for passworded protected CWM.
 
  • Like
Reactions: THE_KINGDOM and madbadbatman
face-t

face-t

Member
Feb 19, 2012
31
1
Liverpool
Redmi Note 11
Huge chances. Anytime, everywhere.

You don't need to know anything, apart from taking battery off.
And placing back when you got tools ready. This simply means, lost phone will never again boot into normal android os. Never.

Sent from my HTC Desire using XDA
 
You must log in or register to reply here.

Similar threads

keifus.rahn
Ultimate Guide For [BOOTLOOP RECOVERY] Noob Friendly
Replies
571
Views
564K
H
Hadi Hesam
A
  • Poll
[FIX][SOLVED]Status 7 Error with CWM or TWRP Recovery on Rooted Android!
Replies
166
Views
889K
P
pawtz
amith007
Any way to retrieve stored wifi password from Android device without root and ADB??
Replies
47
Views
420K
NoahDomingues
NoahDomingues
J
[Q] Pantech Burst Love, Anyone? Anyone?
Replies
5K
Views
835K
hawkwind212
hawkwind212
RajGopi
  • Locked
ROOT ZENFONE 5 KITKAT UPDATED(bootloader unlock,recovery)
Replies
248
Views
223K
justmpm
justmpm

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 11
    aarongillion63
    aarongillion63
    It's almost 2016 now! Recent advancements + how to secure your phone

    This is the first result on Google search for "password protect bootloader", I'd like to pitch in some options (with links) for those who are dedicated to read to the 10th page.

    First and foremost, password protected recovery is here, it's called Philz Touch and it works with 50+ Samsung phones, LG G2 or various Optimus phones, Nexus, Moto G/X, HTC One, and Xperia devices.

    Because this is the 10th page, you probably know that locking recovery alone won't leave you worry-free.
    I'd like to share some nearly uncrackable scenarios you can set up on different brand-name phones, even considering our limitations of not being able to add passwords to our bootloaders.

    Because the topic is about protecting our phones, I can safely assume you won't want get a specific phone to get the protection you want. So I organized my findings by phone, but I recommend you read all of them!

    First, for those who are stock, unrooted, and carrier-locked bootloader (Verizon, Sprint, AT&T, *not* T-mobile!) :
    There was a post in this thread about carrier-locked-bootloader phones being protected, this is partially true. Here's the summary: you can't flash custom recovery if the phone is carrier locked, has a passcode, and USB Debugging is turned off. Your thief will need ADB or a custom recovery to bypass your lockscreen (gesture.key). Of course this doesn't mean your data is protected from an FBI investigation. To get maximum protection in this category, you should turn on Device Encryption. There are really no downsides on a completely stock device, it doesn't actually make your phone slower, it only makes boot slower and bulk file transfer slower. Device encryption only goes to sh!t when you have custom recovery and wanting to make full device backups. It's a hit-or-miss with TWRP and Philz trying to access encrypted filesystem. With an unrooted phone, backup your pictures and text messages often, to an SD card/USB drive, or use a backup service. I don't trust backup services, but I also don't like losing vacation pictures. If bite comes to chew, I would use a Tasker profile to detect when your DCIM Pictures directory receives a new file (changes size) and upload that file to Dropbox or a personal cloud. That covers data integrity, let's cover device. Have a GPS Locator installed such as Lookout or AVG, and use Android Device Manager. You can set up those apps to e-mail you pictures from the front camera, detect when SIM card is removed, and remote wipe, all without root--just device administrator rights. All 'n all you may not get your device back, but you may get a picture of the thief, and if you're on the lookout you may be able to find your device on ebay based on IMEI (always take note of that info!), purchase it, receive it, then backcharge him and report ebay ID, address, paypal account to authorities. If it's Craiglist then you can meet up and give him a nosejob. It will be worth it after messaging so many people on what the IMEI number is.

    Those who rock their rooted LG G2, Oneplus One/Two, Optimus G, Xperia Z, Moto G, Moto X, Galaxy S6, Galaxy Note 5, HTC One, Nexus 5, or other sealed battery phone:
    You guys have it easy. Your sealed battery provides a strong basis to work against. For immediate protection, install a GPS Locator such as Lookout, AVG, ADM, Prey, and/or Cerberus, then install Xposed framework and install Advanced Power Menu. This mod allows you to hide power off and airplane mode options in the lockscreen, preventing thieves from turning off your phone. However, some sealed phones have a 10/15 second hard reboot key combo, which APM+ has accounted for. Instead of disabling the options on the lockscreen, you can instead have a "Fake Power Off" animation that tricks your thieves into thinking the phone is off. This can give you the upper hand when it matters most: the first hour of theft. On top of all of that, have Philz Touch recovery installed and password protected (you're already rooted, and you should be making backups), if you're still worried, apply some additional devilish tactics mentioned below! And please, have USB Debugging turned off when you're not using it!

    Those who sport their rooted Galaxy S3 thru S5, Note 2 thru Note 4, Galaxy Nexus, LG G3-G4, Redmi Note 2, Oppo Find, or any other removable battery phone:
    This is where we have to get aggressive. The thief can just pull the battery out at any time. This is where I'm going to share my tactical Galaxy-owner ideas, I hope you guys enjoy. To cover the basis, have a GPS Locator installed, and also have Advanced Power Menu (mentioned above) installed. You never know what kind of dumb@ss will actually give up there. 2nd base, install Philz recovery and password protect it. (Don't forget to unlock your bootloader). Now here's the meat of this operation: we're gonna use Tasker to display a ransom message. Install Tasker, create a profile: SMS Received, any number, text contains "{secret password}-ransom" --> Action: Show Scene - Fullscreen Overlay. "Call {this number} to return phone, cash will be rewarded". Make sure you selected overlay! Overlays will cover the lockscreen and are NOT dismissible by the home button. They cannot be focused, tapped or dismissed. That's how screen dimmer apps work. It's just a semi-transparent overlay (you can make that in Tasker in 3 minutes btw) that lets screen taps go right through it to the app/lockscreen underneath. Anyway, that is the "nice" version of the ransom. Professional thieves are gonna laugh at that, so we need a little more meat. Everyone has a phone case right? 3rd base: have a phone case with a close-range NFC tag hidden inside it, and have phone detect when case is removed! After installing this mod, have Tasker change the ransom message after case removal, this gets dirty: Task caseRemoval: Show Scene "Ransom2" -- Large text: "(Paraphrase) You've messed with the wrong guy! You have 6 minutes to call {this number} or the phone will be rendered unusable. Removing the battery will also brick the phone permanently. A "device stolen" message will appear every time you start the phone and no reset menus will be available." -> Activate Shell "su dd if=/sdcard/death.img of=/dev/block/platform/msm_sdcc.1/by-name/boot" Let's stop for a second. The shell command I just wrote, given you have a dummy .img file in memory, will f**k your bootloader when ran. This dummy .img file can be ANYTHING. Just take any file nearby, like a large .jpg photo from your DCIM folder, and rename it to an .img. Of course it will not display the image, because it is not binary. But it will hard-brick your phone. You should have a backup of your bootloader saved for when you get the phone back via "dd if=/dev/block/platform/msm_sdcc.1/by-name/boot of=/sdcard/backup.img", you should also have another SMS Received profile to disable the ransom in case you can't draw your lock pattern underneath to get the phone unlocked without seeing the lockscreen. That's Tasker profile "Phone Unlocked" or "SMS Received {password unlock}" then "Close Scene: Ransom". You'll also want a battery level text label in your scene, just in case the phone is close to dying. You may have to modify the shell commands to reflect the actual partitions ex. "mmcblk0p7" (check this guide). I have not implemented this Tasker profile yet but now that I took the time to write it I am thoroughly motivated to get this running, HA! I will include Tasker exports when I am done.

    There's only one loophole left with the galaxy devices. Either you don't notice that your phone is missing for too long, or you're all in a no-service area. Well, this one is for the hardware folks! If you're into soldering, you may want to try this cruel trick: reverse the data I/O pins on the microUSB socket, with some fine soldering. Then splice your cable and reverse the I/O wires on your cable! That way, you can still use OTG and transfer data, but only your special cable will work! Realize that the charge wires are separate, any charger will work with the phone. Just data transfer will not!
    Micro_USB_5P_Female_Connector_B_type.jpg_200x200.jpg


    Still paranoid? Every other Android phone has a Windows autorun driver installation ISO that runs when you first plug your phone into your computer. My Galaxy Note II does, as well as my various LG phones. If you can't catch the thief via Android, then I can hook you up with a copy/paste autorun ISO that, when run, grabs the thief's registered info on his computer and sends it to you so you can send it to authorities. PM me if you're interested, I will have to compile on a per-user basis so the driver installer matches the phone and sends info to *your* e-mail.

    I will probably fan this out into another thread, but let's see what you guys think.

    Hit thanks if you liked the freakshow

    From one paranoid dude to another,
    View
    6
    J
    Jorgitosms
    Bootloader Password + Recovery Password + Cerberus installed as System

    Bootloader Password + Recovery Password + Cerberus installed as System APP with fixed configuration would be the way to be able to recover the phone. The thief has 3 chances:

    - Throw it through the window, as it is not possible to format it.

    - Do a Wipe from Settings menu and use it normally (that's why Cerberus or similar should be as System app and must keep the configuration)

    - Sell it... but this is nothing against our possibilities to recover it!


    BTW, do you really think that "professional" phone thiefs don't know how to wipe and flash mainly all devices in the market?!?! If you think that way... let me say you are dreamer... they are experts, and they get a lot of money from our phones!

    So I vote... YES, let's develope it. I would buy such a solution!
    View
    5
    M
    mightyiam
    What we're looking for is a password protected bootloader which will require password for booting into recovery or using download mode or fastboot.
    View
    4
    M
    marclais
    I lose phones... habitually. Sometimes they find their way back to me and sometimes they don't, It is unsettling to me that even if I have a security app installed, or a GPS tracker that anyone with the ability to perform a google search can simply factory wipe my phone and make it their own.

    So the question: Is it possible to include a password requirement to access the bootloader or recovery? I realize that if you forget your password there would likely be no way to save your phone in the event you need to, but I don't forget my passwords so this does not affect me.

    Just wondering if this is even possible or worthwhile. Any input will be appreciated.
    View
    3
    L
    logic5
    if my phone or tablet got stolen and the thief formatted the device or flashed a new ROM with download mode then I am screwed,,

    if the bootloader is protected then no matter what the thief do ,, I will find my device.

    please developers do this please.
    View

New posts