Guide: Relock bootloader with custom rom on oneplus 5/5t

[Chiku7]

no OEM unlock option in Developer setting

In case i want to unlock bootloader after sometime how i can unlock boot loader.? there is no "oem unlock" switch in custom ROM? please post link any tutorial if available.

 

[optimumpro]

deleted

 

[arvindgr]

Thanks for the guide, I will try this when a new open beta comes out.
This might be really useful for those who have upgraded their devices from Widevine L3 to L1 by OnePlus, only to be disappointed that after unlocking the bootloader, L1 breaks.

Thanks a lot for the guide! @optimumpro Does it mean once I have DRM Widewine L1 enabled in my phone, installing custom ROM and locking the phone, will still have L1 enabled?

 

[david19au]

Thanks a lot for the guide! @optimumpro Does it mean once I have DRM Widewine L1 enabled in my phone, installing custom ROM and locking the phone, will still have L1 enabled?

Nope, L1 still won't work even when this is performed. I had high hopes but was quickly disappointed after trying it. You have to be complete stock to have L1 working.

 

[praveenkv1988]

Considering the LineageOS public key is available now, Can we use that in the recovery(for flashing official lineageOS builds) and lock the bootloader?


LineageOS public key: https://github.com/LineageOS/update_verifier/blob/master/lineageos_pubkey

 

[gee one]

Considering the LineageOS public key is available now, Can we use that in the recovery(for flashing official lineageOS builds) and lock the bootloader?


LineageOS public key: https://github.com/LineageOS/update_verifier/blob/master/lineageos_pubkey

I think that's the public key and not the private key.

It's used to verify that the private key that was used to sign the image is correct. If your recovery has that public key as part of the allowed keys, the official zips or anything that is signed with the private key will pass signature verification.

 

[praveenkv1988]

Yes, I think official recovery from LineageOS will allow images signed with LineageOS private key.

 

[optimumpro]

Considering the LineageOS public key is available now, Can we use that in the recovery(for flashing official lineageOS builds) and lock the bootloader?

LineageOS public key: https://github.com/LineageOS/update_verifier/blob/master/lineageos_pubkey

First, you can never sign anything without the private key. Second, that public key is to verify that their rom update comes from them, as opposed to someone else. Their public key has nothing to do with recovery and/or kernel, but rather with the rom itself.

Yes, I think official recovery from LineageOS will allow images signed with LineageOS private key.

For the purposes of locking bootloader, it is irrelevant what Lineage's recovery can allow. You need recovery and boot image (not rom) signed to lock. And I am pretty sure Lineage's recovery/kernel are NOT signed.

 

[PokemonTotalWar]

I would like to do this, but I have two questions: What is the build.prop edit to enable/disable the OEM Unlock option in custom ROMs, and does this cause any issues when switching Firmware versions?

 

[Zocker1304]

@optimumpro If I follow this procedure and if I DON'T install Magisk afterwards, will my phone behave like full stock?
My plan was using this to only have TWRP just in case, to do backups and restore them.
So I have TWRP installed, but otherwise full stock, no root and bootloader locked. Will this fix safetynet issues(Google Pay, etc.) or will it still trigger safetynet since the phone isn't full stock?

 

[optimumpro]

@optimumpro If I follow this procedure and if I DON'T install Magisk afterwards, will my phone behave like full stock?
My plan was using this to only have TWRP just in case, to do backups and restore them.
So I have TWRP installed, but otherwise full stock, no root and bootloader locked. Will this fix safetynet issues(Google Pay, etc.) or will it still trigger safetynet since the phone isn't full stock?

At this point, Safetynet doesn't care whether your bootloader is locked or not. So, it doesn't matter, as long as you stay on stock and don't root.

 

[optimumpro]

For anyone interested in re-locking bootloader on any custom rom and having absolutely no warning messages (such as 'your phone has loaded a custom OS), contact me via PM. You can have a custom rom with locked bootloader and zero warnings, just like on OEM rom.

 

[mysterio619]

I want to unlock my bootloader just to install gcam libfix..... I'm on 9.0.6 version......Will this guide work for me?

 

[strongst]

I want to unlock my bootloader just to install gcam libfix..... I'm on 9.0.6 version......Will this guide work for me?

? This guide is for locking the bootloader on custom roms. You have OxygenOS stock rom and you need this guide https://forum.xda-developers.com/oneplus-5/how-to/oneplus-5-unlock-bootloader-flash-twrp-t3624877

 

[koltun]

Good guide!

I've used it for OnePlus 3. Some notes:
- 9.0.3 firmware
- Official TWRP 3.3.1.0
- LOS 16.0 with "Enable OEM unlock and bootable image signing" changeset from March 28
- used AOSP verity keys

End result: secure phone with locked bootloader, encrypted storage TWRP recovery, running LOS 16 with no warning messages at boot.

 

[ADRez]

Is it possible to relock bootloader with stock Oxygen OS and have no bootloader warning messages?

 

[strongst]

Is it possible to relock bootloader with stock Oxygen OS and have no bootloader warning messages?

Yes, like described here: https://forum.xda-developers.com/on...k-bootloader-flash-twrp-t3704592/post79512430

 

[ADRez]

Yes, like described here: https://forum.xda-developers.com/on...k-bootloader-flash-twrp-t3704592/post79512430

I don't want to return to stock, I'd like to keep twrp, magisk and bootloader locked without warnings

 

[xda_wall]

I followed the instructions and everything worked. So I decided to encrypt the phone. I left it do it's thing and when I returned I got "Your device is corrupt. It can't be trusted and will not boot."
I can't get into recovery and in fastboot flashing fails with "flashing is not allowed in Lock State"
Any help with this?

edit: I followed this guide and started fresh.

 

[mysterio619]

Can I relock with custom kernel, TWRP and modified system partition of stock rom with this guide? ?

Also want to know how it affects the OTA updates