Guide: Relock bootloader with custom rom on oneplus 5/5t


Raj dholakia

Member
Jun 21, 2015
Hmm, the step by step instructions are within the first post of this thread (1-13), exactly for the OnePlus 5.

I have performed all the steps and got exactly the same results as I should get. I specifically want to sign my TWRP with AOSP keys, so I don't get any message on boot. And my Netflix works in HD with bootloader unlocked and root.
 

RMarques

Senior Member
Jan 28, 2013
Sup guys,
I just bought an OP6 and I'm selling my OP5 6/64.

I'd like to re-lock the bootloader, unroot and install the latest stable Pie on the OP5 in order to sell it in its stock state.

Can someone point me in the right direction?
 


canteo

Senior Member
May 6, 2012
Hi dev, I don't know what I'm missing, I get this:

Code:
[email protected]:~/Descargas/bootkeys$ java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der recovery_signed.img
Exception in thread "main" java.io.FileNotFoundException: custom.x509.der (No existe el archivo o el directorio)
    at java.base/java.io.FileInputStream.open0(Native Method)
    at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
    at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
    at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
    at com.android.verity.Utils.loadPEMCertificate(Utils.java:214)
    at com.android.verity.BootSignature.doSignature(BootSignature.java:241)
    at com.android.verity.BootSignature.main(BootSignature.java:316)

Had installed Linux Mint one week ago; java version is:

Code:
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment (build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1)
OpenJDK 64-Bit Server VM (build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1, mixed mode, sharing)

Thanks in advance, trying to sign the latest Bluespark recovery.
 

optimumpro

Senior Member
Jan 18, 2013
Hi dev, I don't know what I'm missing, I get this:
[email protected]:~/Descargas/bootkeys$ java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der recovery_signed.img
Exception in thread "main" java.io.FileNotFoundException: custom.x509.der (No existe el archivo o el directorio)

It tells you right there what's wrong: you are missing the 'custom.x509.der' file. Terminal commands must be run from the directory where you have all the files. If you do have the file, check for spelling.
 

canteo

Senior Member
May 6, 2012
It tells you right there what's wrong: you are missing the 'custom.x509.der' file. Terminal commands must be run from the directory where you have all the files. If you do have the file, check for spelling.

I am sorry, I don't know why, but I didn't run the second line for the public key... all is fine, thanks.
 

MZGSZM

Senior Member
Oct 7, 2017
Curious if anyone has tried this method recently and had success getting it working on an Android 10 ROM with 9.0.X firmware and WITH Magisk. I've been able to get the bootloader locked with Havoc v3.3 installed, but as soon as I try to add Magisk (and use the boot signer) I get a "your device is corrupt" message.
 

optimumpro

Senior Member
Jan 18, 2013
Would this allow passing SafetyNet on LineageOS, now that it uses key attestation to verify the unlock state?

You won't be able to pass SafetyNet without Magisk on any custom rom.

Does this also apply to newer firmware like 9.0.11 or the recently released h2os 10 firmware?

It's not firmware, it's TWRP, which is unable to properly mount partitions in Q, and TWRP for Q isn't coming...
 

d1n0x

Senior Member
Oct 4, 2010
You won't be able to pass SafetyNet without Magisk on any custom rom.

It's not firmware, it's TWRP, which is unable to properly mount partitions in Q, and TWRP for Q isn't coming...

So it should still work on 9.0.11?
That thing about Q is pretty sad then...
 

santhu518

Member
Oct 20, 2017
Unable to generate keys

In the process of these steps to lock my bootloader with a custom rom, I got stuck at generating keys. OpenSSL commands are not working on my PC. Can anyone please help me with this?

I have tried installing OpenSSL using the link https://knowledge.digicert.com/solution/SO27347.html . But it is still not working.
Error snippet:

Code:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\OpenSSL-Win64\bin>cd C:\

C:\>cd OpenSSL-Win64\bin

C:\OpenSSL-Win64\bin>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\OpenSSL-Win64\bin>cd C:\personal\Bootkeys

C:\personal\Bootkeys>
C:\personal\Bootkeys>openssl genrsa -f4 -out custom.pem 2048
'openssl' is not recognized as an internal or external command,
operable program or batch file.

C:\personal\Bootkeys>
 

dansou901

Recognized Contributor
Apr 10, 2012
In the process of these steps to lock my bootloader with a custom rom, I got stuck at generating keys. OpenSSL commands are not working on my PC. Can anyone please help me with this?

I have tried installing OpenSSL using the link https://knowledge.digicert.com/solution/SO27347.html . But it is still not working.
Error snippet:

Code:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\OpenSSL-Win64\bin>cd C:\

C:\>cd OpenSSL-Win64\bin

C:\OpenSSL-Win64\bin>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\OpenSSL-Win64\bin>cd C:\personal\Bootkeys

C:\personal\Bootkeys>
C:\personal\Bootkeys>openssl genrsa -f4 -out custom.pem 2048
'openssl' is not recognized as an internal or external command,
operable program or batch file.

C:\personal\Bootkeys>
You either need to add the folder which contains openssl.exe to your PATH variable or use the absolute path.
Another thing: ls won't work on Windows; instead use dir.
 

spfenwick

New member
Apr 27, 2020
I tried following these instructions with a OnePlus 5t and Pixel Experience rom.

I got as far as running VerifiedBootSigner-v8.zip, which gave this error:
Something unexpected has happened. Please pull /tmp/recovery.log and post it to the thread on XDA

I first tried following the instructions with the latest Pixel Experience rom already installed, and got the error above.

When that didn't work I tried switching back to OOS 5.1.5 as that's the version mentioned in the opening post. However then I couldn't get TWRP to work - I'm assuming because of incompatible firmware.

Then I upgraded to the latest OOS and got TWRP to work again but when I ran VerifiedBootSigner-v8.zip got the same error I started with.

/tmp/recovery.log is here: https://pastebin.com/HhXz1xUm

Thanks for any help you can give.
 

Top Liked Posts

  • 16
    Oneplus 5/5T bootloader included with 5.1.5 firmware allows booting self-signed recoveries and kernels. In short, you generate signing keys; sign recovery and kernel from your current custom rom (kernel could be signed on the phone); transfer recovery to your phone; apply boot signer for kernel; and relock bootloader. This guide borrows from Chainfire's guide and customizes it for our device.

    PROS:

    1. Virtually total protection of your data, especially if encrypted
    2. Inability to flash another recovery, even stock recovery (if OEM unlock allowed is unchecked)
    3. Inability to flash another kernel, including stock kernel, (again if OEM unlock is unchecked)
    4. Inability to unlock bootloader in fastboot, see above
    5. Total inability to flash anything in fastboot. The only access to the phone is through TWRP
    6. You can still change/update roms, backup/restore data to your liking
    7. You get a different boot warning screen: 'your phone has loaded a different operating system' with a fingerprint (four rows of numbers). Write them down and compare once in a while: if the numbers are different, someone (and I am talking about a sophisticated adversary) tampered with your phone

    CONS:

    1. You would have to set up things once
    2. When changing or updating roms, one extra step is required: flashing Chainfire's modified Verified boot signer zip to re-sign the kernel (right after Magisk and before reboot).


    The key generation and signing is based on Android source directions and Chainfire's thread about relocking bootloaders with custom roms. So, credit for that goes to him.


    THESE ARE INSTRUCTIONS FOR LINUX. I am sure there is a way to do the same on Windows

    Preliminary steps:

    Remember, if you are not on 5.1.5, you may have problems. For example, my own rom, Jaguar Oreo, requires 5.1.4 firmware. I did all the steps and everything worked, except that TWRP couldn't decrypt. However, I went ahead and flashed 5.1.5 firmware and the rom is working fine. So, I re-did all the steps and now decryption works too. This may or may not be the case with your favorite rom, if it is not on 5.1.5.

    1. Create a directory on your PC named, let's say, Bootkeys.
    2. Get Chainfire's Bootsignature.jar from here: https://forum.xda-developers.com/attachment.php?attachmentid=4136392&d=1493804209 and VerifiedBootsigner.zip from here: https://forum.xda-developers.com/attachment.php?attachmentid=4164411&d=1496000476 and put both files in that newly created directory
    3. Get your favorite TWRP (I use Blue_Spark) and put it also in that directory

    4. Key Generation:
    Run the following code one line at a time from PC terminal opened in your newly created directory. Skip the lines with "#" sign, these are for comments only.

    Code:
    # private key
    openssl genrsa -f4 -out custom.pem 2048
    openssl pkcs8 -in custom.pem -topk8 -outform DER -out custom.pk8 -nocrypt
    
    # public key
    openssl req -new -x509 -sha256 -key custom.pem -out custom.x509.pem
    openssl x509 -outform DER -in custom.x509.pem -out custom.x509.der

    You don't need to use pem files and can delete them after key generation.

    5. Signing:
    Rename your TWRP to recovery.img and run the following code one line at a time from the same terminal.

    Code:
    java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der recovery_signed.img
    java -jar BootSignature.jar -verify recovery_signed.img

    Your recovery is signed (first command) and verified (second command - the output should be 'signature valid').

    6. Open Verifiedbootsigner-v8.zip you downloaded from Chainfire's thread with your PC's archive manager (you don't have to unzip it). Grab your newly generated keys custom.pk8 and custom.x509.der and put them into the opened zip. Make sure the files are there and close the archive manager.

    7. Now back to the phone. Flash your newly signed 'recovery_signed.img' (not original 'recovery.img') to the phone via fastboot or in your existing TWRP. Reboot in your new recovery.

    8. Now, format the phone - you have to type 'yes'; next, format separately system/cache/dalvik/data/SD. Reboot the phone into TWRP again.
    9. Transfer your favorite Rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner to your SD card. Remember: you must be decrypted to relock. Locking bootloader on an encrypted device will destroy the encryption key. Once bootloader is locked and everything is working, you can encrypt.
    10. Flash the rom, No verity (only if your rom is force-encrypt) and Verifiedbootsigner. Reboot and make sure you are NOT encrypted (in Settings/Security). (If encrypted, stop and return to step 8: you either haven't formatted to factory reset or your no verity didn't work).
    Now, back to TWRP: most likely your data is gone, so re-transfer the rom and Verifiedbootsigner to internal SD.
    Now, you are ready for the FUN PART: re-locking:
    11. Boot in fastboot and execute fastboot oem lock
    12. Reboot. You will get a yellow warning: 'Your phone loaded a different operating system'. The first boot may throw you into TWRP. Just reboot normally again.
    13. Now, you can do whatever you want, including Gapps and Magisk. Everything should operate normally. Just remember, every time after flashing Magisk, updating or changing rom, you MUST reflash Verifiedbootsigner as the last step and before reboot, even if during flashing the script tells you the kernel is signed. Follow the script and press volume down to sign again.
    4
    Now that I have locked the bootloader on my Oneplus 5, and made sure that everything is working including encryption, I have disabled OEM unlock within developer settings. When I put the phone in fastboot and try 'fastboot oem unlock', I get a response 'FAILED (remote: Flashing Unlock is not allowed)'. Since the bootloader is locked, no one can put another self-signed recovery or kernel via fastboot or otherwise, as it can only be done with unlocked bootloader. They can start the phone and get to my recovery, but data cannot be mounted and adb sideload wouldn't work either. They can try to press cancel at password prompt, but TWRP can't format unmounted data. The only way to proceed is to flash stock recovery via adb or full stock. In any event, my data is wiped.
    4
    Interesting, does someone know if there is any custom ROM existing which has a signed boot image for any Oneplus device?

    There is no way of telling unless you check the bootimage yourself by running a command. Because over 90% of custom rom users have unlocked bootloaders, this is irrelevant to them. Hence, over 90% of custom roms don't sign kernel.

    Lineage, which is a joke in terms of security, has even removed an option to toggle 'allow bootloader unlock' in development (and this is copied by all others). Allow unlock is enabled by default. And when it is enabled by default, your bootloader could be unlocked via fastboot. So, when an attacker gets your phone with locked bootloader, he will simply unlock it and then flash custom recovery (before reboot) that does not wipe data. Then, he can remove a few files that contain your lockscreen password (which is also your encryption password, thanks to Google) and your phone will boot with a default password. Your data and everything else is widely available. Yes, in case you didn't know, initial encryption has literally 'default_password' as your encryption password. It is also hard-coded in TWRP. When you create your lockscreen password, that changes, but 'default_password' stays there, as a fall back option. That's no security at all.

    When the 'allow to unlock bootloader' option is visible and disabled, fastboot access is disabled too. Couple this with a signed recovery that has 'cancel' button removed, and it becomes impossible to flash anything on your phone, unless you enter encryption password in TWRP. It is also impossible to unlock bootloader: on executing the command, you get a response 'remote unlock is not allowed'.
    3
    For anyone interested in re-locking bootloader on any custom rom and having absolutely no warning messages (such as 'your phone has loaded a custom OS), contact me via PM. You can have a custom rom with locked bootloader and zero warnings, just like on OEM rom.
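Added example, not code from the thread or from Chainfire's tools: a POSIX shell wrapper around the guide's key-generation (step 4) and signing (step 5) commands that checks, before calling openssl or BootSignature.jar, for the two failures reported above (a tool missing from PATH, and a key file that was never generated because one openssl line was skipped). The function names and the `-subj "/CN=bootkeys"` value are my own assumptions; BootSignature.jar and recovery.img are expected in the working directory, as in the guide.

```shell
#!/bin/sh
# Added example, not from the thread: wraps the guide's step 4 (keys) and
# step 5 (signing) with the prerequisite checks the reported failures needed.
set -u

# Return 0 if every named tool is on PATH; otherwise name the first missing
# one and return 1 (the "'openssl' is not recognized" case).
need_tools() {
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 ||
      { echo "missing tool: $t (add its directory to PATH)" >&2; return 1; }
  done
  return 0
}

# Return 0 if every named file exists in the working directory; otherwise
# list every missing one and return 1 (the "custom.x509.der not found" case).
need_files() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] ||
      { echo "missing file: $f (run from the Bootkeys directory)" >&2; rc=1; }
  done
  return "$rc"
}

# Step 4: private key custom.pk8 and public certificate custom.x509.der.
# -subj (an assumption, not in the guide) answers the certificate prompts
# non-interactively; the guide's commands prompt for them instead.
gen_keys() {
  need_tools openssl || return 1
  openssl genrsa -f4 -out custom.pem 2048 &&
  openssl pkcs8 -in custom.pem -topk8 -outform DER -out custom.pk8 -nocrypt &&
  openssl req -new -x509 -sha256 -key custom.pem -subj "/CN=bootkeys" \
    -out custom.x509.pem &&
  openssl x509 -outform DER -in custom.x509.pem -out custom.x509.der &&
  need_files custom.pk8 custom.x509.der
}

# Step 5: sign recovery.img with both keys, then verify the signed image.
sign_recovery() {
  need_tools java || return 1
  need_files BootSignature.jar recovery.img custom.pk8 custom.x509.der || return 1
  java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der \
    recovery_signed.img &&
  java -jar BootSignature.jar -verify recovery_signed.img
}
```

Run `gen_keys && sign_recovery` from the Bootkeys directory; each function stops at the first missing tool or file instead of letting BootSignature.jar fail with a stack trace.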