
[GUIDE] Re-locking the bootloader with a pre-built custom ROM, such as LineageOS official


rlees85

Senior Member
Mar 19, 2008
161
76
Similar to https://forum.xda-developers.com/t/guide-re-locking-the-bootloader-on-the-oneplus-8t-with-a-self-signed-build-of-los-18-1.4259409/ but for pre-built custom ROMs, such as official LineageOS.

WARNING: This will wipe your data - as far as I know there is no way to change the bootloader status (locked/unlocked) without a wipe.

IMPORTANT

  • If you mount ANY partition R/W after installing your ROM, you will no longer be able to boot. This means you will not be able to install ANY flash-able zips, INCLUDING GAPPS!
  • You will still get a warning message on boot, though it will be yellow rather than orange and just point out that your operating system is custom.
  • It is unlikely it will fix your banking app, as the bootloader status will be yellow (rather than orange/red for unlocked).
  • If your ROM developer's verity key changes and you update, you will be stuck and not be able to get back to a working device without wiping your data.
  • In short this is pointless, carries a lot of risk and the only benefit you get is the questionable extra security of a locked bootloader that will only load an operating system that is signed by a key that you have explicitly trusted.

So how to do it?


STEP 1:

Download your ROM (e.g. official LineageOS, or LineageOS with MicroG). Keep the ZIP to one side as we will need it later.


STEP 2:

Unlock your bootloader and install your ROM as normal, following the instructions given by the ROM maintainer. You must NOT flash any flash-able zips after installing the ROM or you will no longer be able to boot.

At this stage it is assumed you have your chosen ROM installed and your bootloader is unlocked.


STEP 3:

On your computer, extract the ZIP file containing the ROM.


STEP 4:

Use: payload dumper to extract the payload.bin file.


STEP 5:

Use: this tool to extract the public key from the vbmeta.img file.

Code:
ruby ./run.rb ./extracted/vbmeta.img output

This will generate "output.pem" and "output.img".


STEP 6:

Reboot into fastboot, run:

Code:
fastboot erase avb_custom_key
fastboot flash avb_custom_key ./output.img
fastboot oem lock


At this point your phone should reboot, wipe itself, have a locked bootloader and successfully boot your ROM of choice. When upgrading in the future you can extract the public key in the same way and compare it to the one you have loaded into fastboot to ensure you won't be forced into having to wipe your device again.

If something goes wrong and your ROM does not boot and gives a red error about corrupt OS, you will need to unlock the bootloader again in order for things to work.
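
An added example, not part of the original post or of the linked tool: the key comparison recommended above before installing an update, done by parsing the vbmeta.img header directly. It assumes the standard AVB vbmeta layout and that the image flashed to avb_custom_key is the same public key blob that vbmeta embeds; the function names and the constructed sample images are illustrative.

```python
import hashlib
import struct

# AvbVBMetaImageHeader: 256 bytes, big-endian (standard AVB layout).
HEADER_FMT = "!4s2L2QL11QL4x47sx80x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)

def extract_avb_pubkey(vbmeta: bytes) -> bytes:
    """Return the public key blob embedded in a vbmeta image."""
    if len(vbmeta) < HEADER_SIZE or vbmeta[:4] != b"AVB0":
        raise ValueError("not a vbmeta image (bad magic or truncated header)")
    f = struct.unpack(HEADER_FMT, vbmeta[:HEADER_SIZE])
    auth_size, aux_size, algorithm = f[3], f[4], f[5]
    key_off, key_size = f[10], f[11]  # offset is relative to the auxiliary block
    if algorithm == 0 or key_size < 8:
        raise ValueError("vbmeta is unsigned: there is no key to compare")
    if key_off + key_size > aux_size:
        raise ValueError("public key lies outside the auxiliary block")
    start = HEADER_SIZE + auth_size + key_off
    blob = vbmeta[start:start + key_size]
    if len(blob) != key_size:
        raise ValueError("image is truncated before the end of the key")
    bits = struct.unpack("!L", blob[:4])[0]  # blob: bits, n0inv, n, rr
    if key_size != 8 + 2 * (bits // 8):
        raise ValueError("public key blob length does not match its bit size")
    return blob

def fingerprint(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def update_keeps_key(new_vbmeta: bytes, pinned_key: bytes) -> bool:
    """True if the update is signed with the key already in avb_custom_key."""
    return extract_avb_pubkey(new_vbmeta) == pinned_key

def constructed_vbmeta(fill: int, bits: int = 2048) -> bytes:
    """Synthetic vbmeta for the demo; constructed, not taken from a real ROM."""
    n = bits // 8
    key = struct.pack("!2L", bits, 0) + bytes([fill]) * n + bytes(n)
    aux = bytes(64) + key  # 64 zero bytes stand in for the descriptors
    header = struct.pack(HEADER_FMT, b"AVB0", 1, 0, 320, len(aux), 1,
                         0, 32, 32, 256, 64, len(key), 0, 0, 0, 64, 0,
                         0, b"constructed")
    return header + bytes(320) + aux

if __name__ == "__main__":
    pinned = extract_avb_pubkey(constructed_vbmeta(0xA1))  # key flashed in step 6
    print("pinned key sha256:", fingerprint(pinned))
    print("same key:", update_keeps_key(constructed_vbmeta(0xA1), pinned))
    print("rotated key:", update_keeps_key(constructed_vbmeta(0xB2), pinned))
```

With real files, pass the bytes of the new ROM's vbmeta.img and of the output.img kept from step 5; a False result means the update is signed with a different key than the one the locked bootloader trusts.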
 

rlees85

Senior Member
Mar 19, 2008
161
76
I don't know (sorry) I've never used Magisk. I think it modifies the boot image right? If so I don't expect it would work as the boot image signature must match the one that is in the vbmeta image.
 

ahmed.elsersi

Senior Member
Oct 1, 2010
59
11
Thank You Soooooooo much, may God bless you always. By the way it's working with LineageOS microG as well.
 

ahmed.elsersi

Senior Member
Oct 1, 2010
59
11
If I may ask, why doesn't the OEM unlocking toggle appear in the Developer options menu after the steps above are done successfully?
 

WhitbyGreg

Senior Member
The official builds of LineageOS do not include the OEM lock option in them for the 7/7Pro/8T (maybe others), so it does not appear in developer options.

To get it you'd have to recompile LineageOS (maybe tweak build.props?).
 
  • Like
Reactions: ahmed.elsersi

optimumpro

Senior Member
Jan 18, 2013
6,793
14,314
Great find. By the way, you don't need './' when flashing output.img. Straight command is sufficient:
Code:
fastboot flash avb_custom_key output.img
 

Scotm95

New member
Nov 30, 2021
1
0

Thanks for the information you shared. Loved the way you explained everything in this blog.
 

Top Liked Posts

    Anyone thinking of doing this might be interested in a post I made over on reddit talking about relocking, which includes info on why using a pre-built ROM is probably a bad idea.