Guide: Relock bootloader with custom ROM on OnePlus 5/5T

happynobita

Member
Dec 20, 2011
7. Now back to the phone. Flash your newly signed 'recovery_signed.img' (not the original 'recovery.img') to the phone via fastboot or in your existing TWRP. Reboot into your new recovery.
8. Now, format the phone - you have to type 'yes'; next, format system/cache/dalvik/data/SD separately. Reboot the phone into TWRP again.
9. Transfer your favorite ROM, No verity (only if your ROM is force-encrypt) and Verifiedbootsigner to your SD card. Remember: you must be decrypted to relock. Locking the bootloader on an encrypted device will destroy the encryption key. Once the bootloader is locked and everything is working, you can encrypt.
If I have an unsigned version of TWRP already on my 5T with a custom rom, is it possible to follow these steps without formatting? Thank you!

optimumpro

Senior Member
Jan 18, 2013
If I have an unsigned version of TWRP already on my 5T with a custom rom, is it possible to follow these steps without formatting? Thank you!
If you are encrypted, you must format, as your encryption won't work after locking the bootloader. If you are not encrypted, you don't have to do any formatting. All you need is to install a signed version of TWRP plus a signed boot.img.

Wishmasterflo

Senior Member
Nov 21, 2018
Signing will not work on Android Q. But if the boot image of your ROM is signed by the developer during building, you'd be able to boot on a locked bootloader with a 10-second warning: 'Your phone has booted a custom OS.'
Interesting. Does anyone know if there is any existing custom ROM which has a signed boot image for any OnePlus device?

optimumpro

Senior Member
Jan 18, 2013
Interesting does someone know if there is any custom ROM existing which has a signed boot image for any Oneplus device??
There is no way of telling unless you check the boot image yourself by running a command. Because over 90% of custom ROM users have unlocked bootloaders, this is irrelevant to them. Hence, over 90% of custom ROMs don't sign the kernel.

Lineage, which is a joke in terms of security, has even removed an option to toggle 'allow bootloader unlock' in development (and this is copied by all others). Allow unlock is enabled by default. And when it is enabled by default, your bootloader could be unlocked via fastboot. So, when an attacker gets your phone with locked bootloader, he will simply unlock it and then flash custom recovery (before reboot) that does not wipe data. Then, he can remove a few files that contain your lockscreen password (which is also your encryption password, thanks to Google) and your phone will boot with a default password. Your data and everything else is widely available. Yes, in case you didn't know, initial encryption has literally 'default_password' as your encryption password. It is also hard-coded in TWRP. When you create your lockscreen password, that changes, but 'default_password' stays there, as a fall back option. That's no security at all.

When the 'allow to unlock bootloader' option is visible and disabled, fastboot access is disabled too. Couple this with a signed recovery that has 'cancel' button removed, and it becomes impossible to flash anything on your phone, unless you enter encryption password in TWRP. It is also impossible to unlock bootloader: on executing the command, you get a response 'remote unlock is not allowed'.

PokemonTotalWar

Senior Member
Jan 29, 2014
Signing will not work on Android Q. But if the boot image of your rom is signed by developer during building, you'd be able to boot on locked bootloader with a 10 second warning: Your phone has booted a custom OS.
So this won't work on any 10 ROMs without compiling it yourself, signed?

e/n

New member
Oct 3, 2020
This may be a dumb question, but would it be possible to install a ROM with an unsigned kernel, then install a custom kernel that is signed?

mizzunet

Senior Member
Dec 14, 2015
The OnePlus 5/5T bootloader included with the 5.1.5 firmware allows booting self-signed recoveries and kernels. In short, you generate signing keys; sign the recovery and the kernel from your current custom ROM (the kernel can be signed on the phone); transfer the recovery to your phone; apply the boot signer for the kernel; and relock the bootloader. This guide borrows from Chainfire's guide and customizes it for our device.

PROS:

1. Virtually total protection of your data, especially if encrypted
2. Inability to flash another recovery, even stock recovery (if OEM unlock allowed is unchecked)
3. Inability to flash another kernel, including stock kernel, (again if OEM unlock is unchecked)
4. Inability to unlock bootloader in fastboot, see above
5. Total inability to flash anything in fastboot. The only access to the phone is through TWRP
6. You can still change/update roms, backup/restore data to your liking
7. You get a different boot warning screen: 'your phone has loaded a different operating system' with a fingerprint (four rows of numbers). Write them down and compare once in a while: if the numbers are different, someone (and I am talking about a sophisticated adversary) tampered with your phone

CONS:

1. You would have to set up things once
2. When changing or updating roms, one extra step is required - flashing Chainfire's modified Verified boot signer zip to resign kernel (right after Magisk and before reboot).


The key generation and signing are based on the Android source directions and Chainfire's thread about relocking bootloaders with custom ROMs. So, credit for that goes to him.


THESE ARE INSTRUCTIONS FOR LINUX. I am sure there is a way to do the same on Windows

Preliminary steps:

Remember, if you are not on 5.1.5, you may have problems. For example, my own ROM, Jaguar Oreo, requires 5.1.4 firmware. I did all the steps and everything worked, except that TWRP couldn't decrypt. However, I went ahead and flashed the 5.1.5 firmware and the ROM is working fine. So, I re-did all the steps and now decryption works too. This may or may not be the case with your favorite ROM, if it is not on 5.1.5.

1. Create a directory on your PC named, let's say, Bootkeys.
2. Get Chainfire's Bootsignature.jar from here: https://forum.xda-developers.com/attachment.php?attachmentid=4136392&d=1493804209 and VerifiedBootsigner.zip from here: https://forum.xda-developers.com/attachment.php?attachmentid=4164411&d=1496000476 and put both files in that newly created directory
3. Get your favorite TWRP (I use Blue_Spark) and put it also in that directory

4. Key Generation:
Run the following code one line at a time from PC terminal opened in your newly created directory. Skip the lines with "#" sign, these are for comments only.

Code:
# private key
openssl genrsa -f4 -out custom.pem 2048
openssl pkcs8 -in custom.pem -topk8 -outform DER -out custom.pk8 -nocrypt

# public key
openssl req -new -x509 -sha256 -key custom.pem -out custom.x509.pem
openssl x509 -outform DER -in custom.x509.pem -out custom.x509.der
You don't need the .pem files after key generation and can delete them.

5. Signing:
Rename your TWRP image to recovery.img and run the following code one line at a time from the same terminal

Code:
java -jar BootSignature.jar /recovery recovery.img custom.pk8 custom.x509.der recovery_signed.img
java -jar BootSignature.jar -verify recovery_signed.img
Your recovery is signed (first command) and verified (second command - the output should be 'signature valid').

6. Open Verifiedbootsigner-v8.zip you downloaded from Chainfire's thread with your PC's archive manager (don't have to unzip it). Grab your newly generated keys custom.pk8 and custom.x509.der and put them into the opened zip. Make sure the files are there and close archive manager

7. Now back to the phone. Flash your newly signed 'recovery_signed.img' (not the original 'recovery.img') to the phone via fastboot or in your existing TWRP. Reboot into your new recovery.

8. Now, format the phone - you have to type 'yes'; next, format system/cache/dalvik/data/SD separately. Reboot the phone into TWRP again.
9. Transfer your favorite ROM, No verity (only if your ROM is force-encrypt) and Verifiedbootsigner to your SD card. Remember: you must be decrypted to relock. Locking the bootloader on an encrypted device will destroy the encryption key. Once the bootloader is locked and everything is working, you can encrypt.
10. Flash the ROM, No verity (only if your ROM is force-encrypt) and Verifiedbootsigner. Reboot and make sure you are NOT encrypted (in Settings/Security). (If encrypted, stop and return to step 8: you either haven't formatted to factory reset or your No verity didn't work).
Now, back to TWRP: most likely your data is gone, so re-transfer the ROM and Verifiedbootsigner to the internal SD
Now, you are ready for the FUN PART: re-locking:
11. Boot into fastboot and execute fastboot oem lock
12. Reboot. You will get a yellow warning: 'Your phone loaded a different operating system'. The first boot may throw you into TWRP. Just reboot normally again
13. Now, you can do whatever you want, including Gapps and Magisk. Everything should operate normally. Just remember, every time after flashing Magisk/an update/a change of ROM, you MUST reflash Verifiedbootsigner as the last step and before reboot, even if during flashing the script tells you the kernel is signed. Follow the script and press volume down to sign again
Does this still work for A10 ROMs? And may I know if you have plans to update this thread? I really would like to lock my bootloader with a custom ROM on it.

Thanks
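As an added example that is not part of the quoted guide, of Chainfire's thread, or of AOSP: a POSIX shell script that runs step 4 (key generation) with the guide's exact openssl commands and then, before the .pem files get deleted, checks the two artifacts the guide hands to BootSignature.jar: that custom.x509.der really carries the public half of custom.pk8 (signing with one key while asking the bootloader to trust another is the failure mode this catches), and that custom.pk8 is an unencrypted PKCS#8 blob, which the jar needs since it cannot prompt for a passphrase. It assumes openssl is on PATH and the file names from the guide; the -subj string and the 10-year validity are this script's choices (the guide's interactive `openssl req` prompts for them instead), and sign_recovery merely runs the guide's own step 5 command if java, BootSignature.jar and recovery.img are present in the directory.

```shell
#!/bin/sh
# Added example; not code from the guide, Chainfire's thread, or AOSP.
# Reproduces step 4 (key generation) with the guide's openssl commands,
# sanity-checks custom.pk8 and custom.x509.der BEFORE the .pem files are
# deleted, and optionally runs the guide's step 5 signing command.
# Assumptions: openssl on PATH; file names as in the guide; the -subj string
# and 10-year validity are this script's choices (the guide prompts instead).
set -eu

# Step 4: generate the key pair in directory $1 (default: current directory).
gen_bootkeys() {
    dir="${1:-.}"
    mkdir -p "$dir"
    # private key -> unencrypted PKCS#8 DER, the form BootSignature.jar reads
    openssl genrsa -f4 -out "$dir/custom.pem" 2048 2>/dev/null
    openssl pkcs8 -in "$dir/custom.pem" -topk8 -outform DER \
        -out "$dir/custom.pk8" -nocrypt
    # public key -> self-signed X.509 certificate, converted to DER
    openssl req -new -x509 -sha256 -key "$dir/custom.pem" -days 3650 \
        -subj "/CN=custom boot signing key" -out "$dir/custom.x509.pem"
    openssl x509 -outform DER -in "$dir/custom.x509.pem" \
        -out "$dir/custom.x509.der"
}

# Succeeds only if the certificate's public key is the public half of
# custom.pk8 (compares the DER-encoded SubjectPublicKeyInfo from both).
check_keypair() {
    dir="${1:-.}"
    from_priv=$(openssl pkey -inform DER -in "$dir/custom.pk8" \
        -pubout -outform DER | openssl sha256)
    from_cert=$(openssl x509 -inform DER -in "$dir/custom.x509.der" \
        -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ -n "$from_priv" ] && [ "$from_priv" = "$from_cert" ]
}

# Succeeds only if custom.pk8 parses as an unencrypted PrivateKeyInfo;
# an EncryptedPrivateKeyInfo would make the jar's signing step fail.
check_unencrypted_pk8() {
    dir="${1:-.}"
    openssl pkcs8 -inform DER -in "$dir/custom.pk8" -nocrypt >/dev/null 2>&1
}

# Prints the certificate's SHA-256 fingerprint; keep it with your notes so
# you can later tell which key a signed image must have been made with.
cert_fingerprint() {
    dir="${1:-.}"
    openssl x509 -inform DER -in "$dir/custom.x509.der" -noout \
        -fingerprint -sha256
}

# Step 5, exactly as in the guide, run only when the inputs are present.
sign_recovery() {
    dir="${1:-.}"
    for f in BootSignature.jar recovery.img; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    command -v java >/dev/null 2>&1 || { echo "java not found" >&2; return 1; }
    ( cd "$dir" &&
      java -jar BootSignature.jar /recovery recovery.img \
          custom.pk8 custom.x509.der recovery_signed.img &&
      java -jar BootSignature.jar -verify recovery_signed.img )
}

main() {
    dir="${1:-.}"
    gen_bootkeys "$dir"
    check_keypair "$dir" || { echo "pk8/cert mismatch" >&2; exit 1; }
    check_unencrypted_pk8 "$dir" || { echo "pk8 is encrypted" >&2; exit 1; }
    echo "keys OK; $(cert_fingerprint "$dir")"
    sign_recovery "$dir" || echo "signing skipped (see message above)"
}

# Usage: sh bootkeys.sh --run /path/to/Bootkeys
if [ "${1:-}" = "--run" ]; then
    main "${2:-.}"
fi
```

Run it once in the Bootkeys directory from the guide; only after check_keypair and check_unencrypted_pk8 both pass should the .pem files be removed, because custom.pk8 and custom.x509.der are all that the signing and the later Verifiedbootsigner zip will have.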