
Guide: Relock bootloader with custom rom on oneplus 5/5t


optimumpro

Senior Member
Jan 18, 2013
6,789
14,306
Oneplus 5/5T bootloader included with 5.1.5 firmware allows booting self-signed recoveries and kernels. In short, you generate signing keys; sign recovery and kernel from your current custom rom (kernel could be signed on the phone); transfer recovery to your phone; apply boot signer for kernel; and relock bootloader. This guide borrows from Chainfire's guide and customizes it for our device.

PROS:


1. Virtually total protection of your data, especially if encrypted
2. Inability to flash another recovery, even stock recovery (if OEM unlock allowed is unchecked)
3. Inability to flash another kernel, including stock kernel, (again if OEM unlock is unchecked)
4. Inability to unlock bootloader in fastboot, see above
5. Total inability to flash anything in fastboot. The only access to the phone is through TWRP
6. You can still change/update roms, backup/restore data to your liking
7. You get a different boot warning screen: 'your phone has loaded a different operating system' with a fingerprint (four rows of numbers). Write them down and compare once in a while: if the numbers are different, someone (and I am talking a sophisticated adversary) tampered with your phone


CONS:

1. You would have to set up things once
2. When changing or updating roms, one extra step is required - flashing Chainfire's modified Verified boot signer zip to resign kernel (right after Magisk and before reboot).


The key generation and signing is based on Android source directions and Chainfire's thread about relocking bootloaders with custom roms. So, credit for that goes to him.


THESE ARE INSTRUCTIONS FOR LINUX. I am sure there is a way to do the same on Windows

Preliminary steps:

Remember, if you are not on 5.1.5, you may have problems. For example, my own rom, Jaguar Oreo, requires 5.1.4 firmware. I did all the steps and everything worked, except that TWRP couldn't decrypt. However, I went ahead and flashed 5.1.5 firmware and the rom is working fine. So, I re-did all the steps and now decryption works too. This may or may not be the case with your favorite rom, if it is not on 5.1.5.


1. Create a directory on your PC named, let's say, Bootkeys.
2. Get Chainfire's Bootsignature.jar from here: https://forum.xda-developers.com/attachment.php?attachmentid=4136392&d=1493804209 and VerifiedBootsigner.zip from here: https://forum.xda-developers.com/attachment.php?attachmentid=4164411&d=1496000476 and put both files in that newly created directory
3. Get your favorite TWRP (I use Blue_Spark) and put it also in that directory

4. Key Generation:
Run the following code one line at a time from a PC terminal opened in your newly created directory. Skip the lines with the "#" sign; these are comments only.

Code:
# private key
openssl genrsa -f4 -out custom.pem 2048
openssl pkcs8 -in custom.pem -topk8 -outform DER -out custom.pk8 -nocrypt

# public key
openssl req -new -x509 -sha256 -key custom.pem -out custom.x509.pem
openssl x509 -outform DER -in custom.x509.pem -out custom.x509.der

You don't need to use pem files and can delete them after key generation.

5. Signing:
Rename your TWRP to recovery.img and run the following code one line at a time from the same terminal

Code:
java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der recovery_signed.img
java -jar BootSignature.jar -verify recovery_signed.img

Your recovery is signed (first command) and verified (second command - the output should be 'signature valid').

6. Open Verifiedbootsigner-v8.zip you downloaded from Chainfire's thread with your PC's archive manager (don't have to unzip it). Grab your newly generated keys custom.pk8 and custom.x509.der and put them into the opened zip. Make sure the files are there and close archive manager

7. Now back to the phone. Flash your newly signed 'recovery_signed.img' (not the original 'recovery.img') to the phone via fastboot or in your existing TWRP. Reboot into your new recovery.

8. Now, format the phone - you have to type 'yes'; next, format separately system/cache/dalvik/data/SD. Reboot the phone into TWRP again.
9. Transfer your favorite Rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner to your SD card. Remember: you must be decrypted to relock. Locking bootloader on an encrypted device will destroy the encryption key. Once bootloader is locked and everything is working, you can encrypt.

10. Flash the rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner. Reboot and make sure you are NOT encrypted (in Settings/Security). (If encrypted, stop and return to step 8: you either haven't formatted to factory reset or your no verity didn't work).
Now, back to TWRP: most likely your data is gone, so, re-transfer the rom and Verifiedbootsigner to internal SD
Now, you are ready for the FUN PART: re-locking:
11. Boot in fastboot and execute fastboot oem lock
12. Reboot. You will get a yellow warning: 'Your phone loaded a different operating system'. The first boot may throw you into TWRP. Just reboot normally again
13. Now, you can do whatever you want, including Gapps and Magisk. Everything should operate normally. Just remember, every time after flashing Magisk/update/change rom, you MUST reflash Verifiedbootsigner, as the last step and before reboot, even if during flashing, the script tells you kernel is signed. Follow the script and press volume down to sign again
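As an added example (not part of the original post or of Chainfire's tool), the Python below decodes the footer that BootSignature.jar appends to a boot or recovery image, following the AOSP verified-boot 1.0 layout: the Android boot header tells where the image ends, and the DER footer that follows carries the format version, certificate, algorithm, the authenticated attributes (target such as /recovery, and length) and the RSA signature over image||attributes. The sample image and footer are constructed inline with placeholder certificate and signature bytes, so the code checks structure and computes the signed digest; the RSA verification itself stays with `BootSignature.jar -verify`.

```python
import hashlib
import struct
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def boot_image_length(img: bytes) -> int:
    # Unsigned size per the Android boot header: header page + page-padded kernel/ramdisk/second.
    if img[:8] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    kernel_sz, _, ramdisk_sz, _, second_sz, _, _, page = struct.unpack_from("<8I", img, 8)
    pages = 1 + sum((s + page - 1) // page for s in (kernel_sz, ramdisk_sz, second_sz))
    return pages * page

def der_read(buf: bytes, pos: int = 0):
    # One DER TLV at pos -> (tag, value, raw_tlv, next_pos); handles long-form lengths.
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def der_children(seq_body: bytes) -> list:
    # Elements of a SEQUENCE body as (tag, value, raw_tlv) tuples.
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, raw, pos = der_read(seq_body, pos)
        out.append((tag, val, raw))
    return out

def parse_boot_signature(blob: bytes) -> dict:
    # AndroidVerifiedBootSignature ::= SEQUENCE { formatVersion INTEGER, certificate, algorithmIdentifier,
    #   authenticatedAttributes SEQUENCE { target PrintableString, length INTEGER }, signature OCTET STRING }
    tag, body, _, _ = der_read(blob)
    if tag != 0x30:
        raise ValueError("signature footer is not a SEQUENCE")
    version, _cert, alg_id, attrs, sig = der_children(body)
    target, length = der_children(attrs[1])
    return {"format_version": int.from_bytes(version[1], "big"),
            "algorithm_oid": der_children(alg_id[1])[0][1],
            "target": target[1].decode("ascii"),
            "length": int.from_bytes(length[1], "big"),
            "attributes_der": attrs[2],  # signed together with the image bytes
            "signature": sig[1]}

def check_signed_image(signed: bytes, expected_target: str):
    # Split image from footer and list structural mismatches. The RSA check itself is
    # BootSignature.jar -verify's job; the SHA-256 computed here is over exactly what it signs.
    img_len = boot_image_length(signed)
    image, footer = signed[:img_len], signed[img_len:]
    info, problems = parse_boot_signature(footer), []
    if info["format_version"] != 1 or info["algorithm_oid"] != SHA256_WITH_RSA_OID:
        problems.append("unexpected formatVersion or signature algorithm")
    if info["target"] != expected_target:
        problems.append("target %r is not %r" % (info["target"], expected_target))
    if info["length"] != img_len:
        problems.append("attribute length %d != image length %d" % (info["length"], img_len))
    info["signable_sha256"] = hashlib.sha256(image + info["attributes_der"]).hexdigest()
    return info, problems

def der(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV encoder, used only to build the constructed sample below.
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def build_sample(target: bytes = b"/recovery", page: int = 2048) -> bytes:
    # Constructed sample, not a real image: header page, 100-byte kernel, a ramdisk that
    # spills into a second page, and a footer with placeholder certificate/signature bytes.
    pad = lambda b: b.ljust(-(-len(b) // page) * page, b"\0")  # page-align like mkbootimg
    kernel, ramdisk = b"K" * 100, b"R" * (page + 1)
    header = b"ANDROID!" + struct.pack("<8I", len(kernel), 0x8000, len(ramdisk), 0x1000000, 0, 0, 0, page)
    image = pad(header) + pad(kernel) + pad(ramdisk)
    n = len(image)
    attrs = der(0x30, der(0x13, target) + der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big")))
    footer = der(0x30, der(0x02, b"\x01") + der(0x30, b"placeholder-cert")
                 + der(0x30, der(0x06, SHA256_WITH_RSA_OID)) + attrs + der(0x04, b"\0" * 256))
    return image + footer
```

Run `check_signed_image(open("recovery_signed.img", "rb").read(), "/recovery")` on the image produced in step 5 to see the target, length and the digest the signature covers; a mismatched target is what happens when a /boot signature is attached to a recovery image.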
 

optimumpro

Screenshots
 

Attachments: IMG_1.jpg, IMG_2.jpg, IMG_3.jpg

optimumpro

Now that I have locked bootloader on my Oneplus 5, and made sure that everything is working including encryption, I have disabled OEM unlock within developer settings. When I put the phone in fastboot and try 'fastboot oem unlock', I get a response 'FAILED (remote: Flashing Unlock is not allowed'. Since the bootloader is locked, no one can put another self-signed recovery or kernel via fastboot or otherwise, as it can only be done with unlocked bootloader. They can start the phone and get to my recovery, but data cannot be mounted and adb sideload wouldn't work either. They can try to press cancel at password prompt, but TWRP can't format unmounted data. The only way to proceed is to flash stock recovery via adb or full stock. In any event, my data is wiped.
 

vdbhb59

Quote:
Now that I have locked bootloader on my Oneplus 5, and made sure that everything is working including encryption, I have disabled OEM unlock within developer settings. When I put the phone in fastboot and try 'fastboot oem unlock', I get a response 'FAILED (remote: Flashing Unlock is not allowed'. Since the bootloader is locked, no one can put another self-signed recovery or kernel via fastboot or otherwise, as it can only be done with unlocked bootloader. They can start the phone and get to my recovery, but data cannot be mounted and adb sideload wouldn't work either. They can try to press cancel at password prompt, but TWRP can't format unmounted data. The only way to proceed is to flash stock recovery via adb or full stock. In any event, my data is wiped.
But in any case, the OEM unlock from dev option can be turned on, and then surely one can get through, right?
Also, did you go bootloader locked post encrypting, I mean is this the last step?
For my guidance, can you tell me, the sequence (number wise please), how to go encrypted?
Btw, any snapshot of bootloader failure?
 

optimumpro

Quote:
But in any case, the OEM unlock from dev option can be turned on, and then surely one can get through, right?
Also, did you go bootloader locked post encrypting, I mean is this the last step?
For my guidance, can you tell me, the sequence (number wise please), how to go encrypted?
Btw, any snapshot of bootloader failure?

Quote:
Will this work if the phone is decrypted (using no verity)?

Guys. Read 9-10 in the OP. Everything about encryption is there.
 

vdbhb59

Quote:
Guys. Read 9-10 in the OP. Everything about encryption is there.

Also, OEM option isn't available on custom roms. But you can modify build.prop for it to show up. Once everything is working, you can set oem unlock not allowed and remove the entry from build.prop.
Oops, my bad. I get your point. :)
Will try over the weekend. BTW, are you going for a release in the next 2-3 days? Then, I will clean flash once that is out. :)
 

david19au


Thanks for the guide, I will try this when a new open beta comes out.
This might be really useful for those who have upgraded their devices from Widevine L3 to L1 by OnePlus, only to be disappointed that after unlocking the bootloader, L1 breaks.
One question though, although right now I'm encrypted, I do not have that dialogue "To start Android, enter your password" with a black background when booting. Normally when I reboot, I get to my lockscreen with my wallpaper etc. and when I try to unlock the device, there's a small scrolling text saying "Unlock your device to access your apps..." or something around those lines. This seems like a bit different encryption than the one I have. Any clue on why's that? (fyi, I am 100% encrypted, TWRP asks me for my password to decrypt data)
 

optimumpro

Quote:
Thanks for the guide, I will try this when a new open beta comes out.
This might be really useful for those who have upgraded their devices from Widevine L3 to L1 by OnePlus, only to be disappointed that after unlocking the bootloader, L1 breaks.
One question though, although right now I'm encrypted, I do not have that dialogue "To start Android, enter your password" with a black background when booting. Normally when I reboot, I get to my lockscreen with my wallpaper etc. and when I try to unlock the device, there's a small scrolling text saying "Unlock your device to access your apps..." or something around those lines. This seems like a bit different encryption than the one I have. Any clue on why's that? (fyi, I am 100% encrypted, TWRP asks me for my password to decrypt data)

That's because you are encrypted with FBE. My rom has FDE, and it is not forced. So, if you are force-encrypted, you need to flash 'no verity', as stated in the guide. You must be decrypted to relock. Then, if you want to be encrypted, reflash your rom without 'no verity'.
 

david19au

Quote:
That's because you are encrypted with FBE. My rom has FDE, and it is not forced. So, if you are force-encrypted, you need to flash 'no verity', as stated in the guide. You must be decrypted to relock. Then, if you want to be encrypted, reflash your rom without 'no verity'.

Ohh, I see. Thanks for the swift answer!
I have two more questions: if I want to update my recovery, I need to keep the generated keys and with those keys I need to sign the recovery.img again, right? And do you have any guides on generating the keys while on Windows? Or do I have to be on Linux to generate the keys using those commands?
 

optimumpro

Quote:
Ohh, I see. Thanks for the swift answer!
I have two more questions: if I want to update my recovery, I need to keep the generated keys and with those keys I need to sign the recovery.img again, right? And do you have any guides on generating the keys while on Windows? Or do I have to be on Linux to generate the keys using those commands?

Every time another recovery or kernel is installed, you need to sign. Only the kernel could be signed on the phone. Your keys are supposed to be on your PC.

Haven't been using Windows for 10 years. So, can't help you.
 

david19au

Quote:
Every time another recovery or kernel is installed, you need to sign. Only the kernel could be signed on the phone. Your keys are supposed to be on your PC.

Haven't been using Windows for 10 years. So, can't help you.
I have a Linux VM just in case this happens :D but maybe you should mention it in your thread as most users here use Windows.
 

optimumpro

Additional experience having a custom rom on locked bootloader:

It appears that nothing, not even stock kernel or recovery, could be flashed via fastboot, if 'oem unlock allowed' is unchecked in Developer's settings. I tried to flash stock recovery via fastboot and got a response: 'remote flashing is not allowed', and fastboot is remote flashing. So, the only access to the phone is TWRP and unless data is mounted (via entering password/pin), not much could be done there either.
 

vdbhb59

Quote:
Additional experience having a custom rom on locked bootloader:

It appears that nothing, not even stock kernel or recovery, could be flashed via fastboot, if 'oem unlock allowed' is unchecked in Developer's settings. I tried to flash stock recovery via fastboot and got a response: 'remote flashing is not allowed', and fastboot is remote flashing. So, the only access to the phone is TWRP and unless data is mounted (via entering password/pin), not much could be done there either.
So, the only way around is by OEM unlock checked? This is good. Fully encrypted and hope it does work, especially for me. I will do a clean flash tomorrow. Can you share in the other thread just for me the exact steps for going Encrypted?
Once more please..
 

optimumpro

Quote:
So, the only way around is by OEM unlock checked? This is good. Fully encrypted and hope it does work, especially for me. I will do a clean flash tomorrow. Can you share in the other thread just for me the exact steps for going Encrypted?
Once more please..

So, were you able to encrypt on Jaguar?

Regarding locking bootloader: just remember, you have to be decrypted when re-locking. Otherwise, the encryption key will be automatically erased, and you will have to do everything from the start.
 

vdbhb59

Quote:
So, were you able to encrypt on Jaguar?

Regarding locking bootloader: just remember, you have to be decrypted when re-locking. Otherwise, the encryption key will be automatically erased, and you will have to do everything from the start.
Ohh, so in that case a bit confused. If I Encrypt Jaguar, then locking bootloader will be done how? Sorry if it is a stupid question.
 

optimumpro

Quote:
Ohh, so in that case a bit confused. If I Encrypt Jaguar, then locking bootloader will be done how? Sorry if it is a stupid question.

Whatever rom you have, if you are encrypted (whether FDE or FBE), you must wipe encryption by doing factory reset in TWRP before re-locking. Otherwise, when you re-lock, your encryption key will be wiped, but encryption will stay, so, the phone will be useless. You can do encryption later, when you are successfully re-locked.
 

Top Liked Posts

Quote:
Interesting does someone know if there is any custom ROM existing which has a signed boot image for any Oneplus device??

There is no way of telling unless you check the bootimage yourself by running a command. Because over 90% of custom rom users have unlocked bootloaders, this is irrelevant to them. Hence, over 90% of custom roms don't sign kernel.

Lineage, which is a joke in terms of security, has even removed an option to toggle 'allow bootloader unlock' in development (and this is copied by all others). Allow unlock is enabled by default. And when it is enabled by default, your bootloader could be unlocked via fastboot. So, when an attacker gets your phone with locked bootloader, he will simply unlock it and then flash custom recovery (before reboot) that does not wipe data. Then, he can remove a few files that contain your lockscreen password (which is also your encryption password, thanks to Google) and your phone will boot with a default password. Your data and everything else is widely available. Yes, in case you didn't know, initial encryption has literally 'default_password' as your encryption password. It is also hard-coded in TWRP. When you create your lockscreen password, that changes, but 'default_password' stays there, as a fallback option. That's no security at all.

When the 'allow to unlock bootloader' option is visible and disabled, fastboot access is disabled too. Couple this with a signed recovery that has 'cancel' button removed, and it becomes impossible to flash anything on your phone, unless you enter encryption password in TWRP. It is also impossible to unlock bootloader: on executing the command, you get a response 'remote unlock is not allowed'.
For anyone interested in re-locking bootloader on any custom rom and having absolutely no warning messages (such as 'your phone has loaded a custom OS'), contact me via PM. You can have a custom rom with locked bootloader and zero warnings, just like on OEM rom.