[How-to] Unlock bootloader on Verizon Pixel/XL

Search This thread

IzzY-AxL

Member
Mar 16, 2015
15
10
Orange County
Can confirm that the OP's method worked with the Verizon Google Pixel XL 128 GB with build #OPM4.171019.021.D1 . Security update June 5th, 2018. ( I factory resetted twice after reading other posters comments ). Didnt work the first time due to the fact that its been a while since I messed around with ADB and i forgot the commands LOL. Inputted the proper commands and BAM no problems over here. THANKS!!
 

Attachments

  • Screenshot_20180701-110257.png
    Screenshot_20180701-110257.png
    184.9 KB · Views: 679
  • Like
Reactions: andrew2432

digimon04

Member
Mar 27, 2012
33
5
I followed OP's instruction to unlock the bootloader of my Pixel XL three days ago. It still works with the latest June's patch. Thanks:highfive:

I read this post and follow the instructions to unlock the bootloader, and then I download the Google pixel factory image and flash it. But I need Google pay for daily use, I need to relock the bootloader to pass the saftynet test, so I try to relock the bootloader. after that ,I test unlock and relock again ,it succeed even though the button is grey in Dev option.

Did you flash factory image to both slots? Do you mean you can unlock again in fastboot without going through OP's process again? What is the state of the "enable OEM unlock" button, On or Off? (you mentioned its grey out)

Anyone else confirm this? I can't test it myself atm. If that is the case, I would more than happy to relock it again because I don't need root nor custom recovery. I unlock it just to keep the possibility to flash custom ROM in the future.

I saw another member saying he can't unlock again without going through the OP process

I unlocked with the original method. When this was discovered the other day I relocked it and unlocked again with the new method. I wanted to see if this new method would be a permanent way to toggle the bootloader switch on and off. Unfortunately it doesn't seem that it is permanent. As soon as I unlocked again and reset the phone it went back to being greyed out and gives the contact your carrier message. Makes sense I would imagine the check file that this new process deletes is cooked into the factory image thus any flash or factory reset would place the file back in the root. I might be totally offbase though, someone more enlightened than me correct me if my understanding is incorrect.
 
Last edited:

jfishbone311

Senior Member
Dec 4, 2010
59
19
Elizabethton
I guess it is too early for anyone to have tried this with DP4. I got the notification for the update but haven't taken it cause I don't want to lose this ability to unlock. So from what I'm reading it is confirmed on the June Dp3 right? I would have already done it but haven't had time. Today is the day
 

andrew2432

Senior Member
I guess it is too early for anyone to have tried this with DP4. I got the notification for the update but haven't taken it cause I don't want to lose this ability to unlock. So from what I'm reading it is confirmed on the June Dp3 right? I would have already done it but haven't had time. Today is the day

Once unlocked it stays unlocked for good. I think you can update ota with the bootloader unlocked and no twrp or root!?
 
  • Like
Reactions: jfishbone311

Homeboy76

Senior Member
Aug 24, 2012
2,515
1,214
Last edited:

Everage Tech

New member
Jun 18, 2018
2
0
Problem Solving...

I had a similar problem. I connected to my home wifi which has a static IP address assigned to it multiple times and had no luck with this procedure. This was the same WiFi I also used with the phone when I first got it. I think I tried the procedure 4 times with no dice. Then, on a whim I decided to try it with a neighbor's WiFi network which I had never connected to before on the phone; poof -- it worked first shot. Is it possible that the "phone home" remembers the source IP the first time the phone was activated?

What OS are you on? Are you on build 8.1.0 (OPM4.171019.021.D1, Jun 2018)? Anything on/past that build is not able to unlock the bootloader, they already patched the exploit. To check however, reboot your phone into recovery mode, and then bring up the options. Go to the option that says "View recovery logs". From there, look into the logs that says something like " ro.boot.oem_unlock_support=0". If it says "0", you can't unlock your bootloader. If it says "ro.boot.oem_unlock_support=1", you can still unlock the bootloader. If you can, do it as fast as possible as they are patching the exploit.
 

Homeboy76

Senior Member
Aug 24, 2012
2,515
1,214
I had a similar problem. I connected to my home wifi which has a static IP address assigned to it multiple times and had no luck with this procedure. This was the same WiFi I also used with the phone when I first got it. I think I tried the procedure 4 times with no dice. Then, on a whim I decided to try it with a neighbor's WiFi network which I had never connected to before on the phone; poof -- it worked first shot. Is it possible that the "phone home" remembers the source IP the first time the phone was activated?

What OS are you on? Are you on build 8.1.0 (OPM4.171019.021.D1, Jun 2018)? Anything on/past that build is not able to unlock the bootloader, they already patched the exploit. To check however, reboot your phone into recovery mode, and then bring up the options. Go to the option that says "View recovery logs". From there, look into the logs that says something like " ro.boot.oem_unlock_support=0". If it says "0", you can't unlock your bootloader. If it says "ro.boot.oem_unlock_support=1", you can still unlock the bootloader. If you can, do it as fast as possible as they are patching the exploit.
Some have reported unlocking the bootloader on (OPM4.171019.021.P1, July 2018).

I think, his bootloader is unlocked.
 
Last edited:

dorqus

Senior Member
Sep 2, 2010
1,077
274
NY
What OS are you on? Are you on build 8.1.0 (OPM4.171019.021.D1, Jun 2018)? Anything on/past that build is not able to unlock the bootloader, they already patched the exploit. To check however, reboot your phone into recovery mode, and then bring up the options. Go to the option that says "View recovery logs". From there, look into the logs that says something like " ro.boot.oem_unlock_support=0". If it says "0", you can't unlock your bootloader. If it says "ro.boot.oem_unlock_support=1", you can still unlock the bootloader. If you can, do it as fast as possible as they are patching the exploit.
I unlocked mine with the June 2018 security patch using the method where you factory reset, remove the Sim card, surf the internet, etc.
 

retali8

Senior Member
Jul 4, 2008
73
7
I am able to follow this on build OPM4.171019.021.E1 but when I boot it into fastboot mode the bootloader is still locked. Is there another workaround for this?

Code:
[[email protected] ~]$ fastboot oem unlock
...
FAILED (remote: unknown command)
finished. total time: 0.000s
[[email protected] ~]$ fastboot flashing unlock
FAILED (remote: Flashing Unlock is not allowed
)
Finished. Total time: 0.000s
[[email protected] ~]$ fastboot flashing unlock_critical
FAILED (remote: Flashing Unlock is not allowed
)
Finished. Total time: 0.001s
 

retali8

Senior Member
Jul 4, 2008
73
7
You were able to get the switch to show that OEM locking was on in developer settings?

Yes then when I would reboot it normally it would still show it was toggled on. It just wouldn't work in fastboot mode to where I could issue the unlock command. I've tried to reset it to factory 2-3x and run into the same errors when attempting to fastboot unlock.
 

Al3xxxinho

Senior Member
Jun 19, 2008
319
71
Craiova
Hi,

Tried on EE locked Pixel XL with Android 8.1.0, latest June patch and it works as expected.
After running the "adb shell pm uninstall --user 0 com.android.phone", connecting to wifi and opening Chrome, I went to dev options, but the unlock bootloader was still grayed out. I toggled the DEV options off and on from the toggle and then the option was not grayed out anymore.

The rest of the steps were as detailed in the first post.

Thanks !
 
  • Like
Reactions: andrew2432

Top Liked Posts

  • 2
    Update...

    - G-2PIMG_S1_WHL_N70_HTC_Generic_NDE63H_user_release_Radio_Not_Specify_release_485607_2_4.zip, here
    - usbredirector_setup64.exe, https://www.incentivespro.com/usb-redirector.html
    - ShuameSetup_4.2.3.223.1.exe, http://www.shuame.com/shuame-pc.html <-- seems dead, can use web.archive.org to download
    - htc_fastboot.exe, here
    - adb.rar (htc version), still can't find

    -----

    Update Apr 8, 2021 ...

    Found a chinese website for the detail step.

    But it said we need temp S-OFF for change CID and MID in order to flash the "NDE64H" image.
    And Temp S-OFF need a "HTC JavaCARD" :cry:

    And "usbredirector" just for taobao dealer access your phone via internet.
    That rom should be for Pixel (S1 stand for Sailfish) but for XL (M1 Marlin) the rom should be this one:

    G-2PIMG_M1_WHL_N70_HTC_Generic_NDE63H_user_release_Radio_Not_Specify_release_485606_2_4.zip
  • 2
    How much for it?
    50 Yuan so ~ 8 USD

    Anyway it seems they were able to compute the get_ks_token challenge, so they must have the master key.
    2
    Update...

    - G-2PIMG_S1_WHL_N70_HTC_Generic_NDE63H_user_release_Radio_Not_Specify_release_485607_2_4.zip, here
    - usbredirector_setup64.exe, https://www.incentivespro.com/usb-redirector.html
    - ShuameSetup_4.2.3.223.1.exe, http://www.shuame.com/shuame-pc.html <-- seems dead, can use web.archive.org to download
    - htc_fastboot.exe, here
    - adb.rar (htc version), still can't find

    -----

    Update Apr 8, 2021 ...

    Found a chinese website for the detail step.

    But it said we need temp S-OFF for change CID and MID in order to flash the "NDE64H" image.
    And Temp S-OFF need a "HTC JavaCARD" :cry:

    And "usbredirector" just for taobao dealer access your phone via internet.
    That rom should be for Pixel (S1 stand for Sailfish) but for XL (M1 Marlin) the rom should be this one:

    G-2PIMG_M1_WHL_N70_HTC_Generic_NDE63H_user_release_Radio_Not_Specify_release_485606_2_4.zip
    1
    I just picked up a new Pixel (Verizon variant) to replace my OG Pixel without realizing the bootloader can't be unlocked. Needless to say I'm really disappointed that the latest methods no longer work just months after the workaround was discovered. I've tried it over and over but no luck so far. Thanks to all who worked on making it happen, fingers crossed we discover a new way to unlock it.
    1
    I hope we discover a way or we build it. I have many pixels waiting for it.
    Staying hopeful. I've tried numerous combinations to unlock it but I assume that if anything did work, someone would have discovered it by now. I have no intention of using this device with a locked bootloader, it's going back in the box for now.
    1
    I found a video in Chinese video-sharing platform.

    It shows someone (taobao dealer?) remote help the client to unlock bootloader.

    I know that the video record in 2018. But something "new" found in the video.

    Here is the link: https://www.bilibili.com/video/BV1tW41137Kx?from=search&seid=16669762842626353082

    In the video, the taobao dealer force pixel enter HTC download mode(?), and downgrade(?) the pixel version, and use "dePixel8" to unlock the bootloader.

    He seems download the following file...
    - G-2PIMG_S1_WHL_N70_HTC_Generic_NDE63H_user_release_Radio_Not......??? (Can't see the whole filename)
    - usbredirector_setup64.exe
    - ShuameSetup_4.2.3.223.1.exe
    - htc_fastboot.exe

    But really don't know how to perform...

    And search around, seems the first file is for HTC Alpine S1 (HTC U Play?), And the Android Version NDE63H should be 7.1.0.
  • 159
    Hi guys. So I finally found a way to unlock a bootloader on a Verizon Pixel. Without further ado, let's get started. This method works on Pixel and Pixel XL.

    1. Remove Google account and any kind of screen lock (fingerprint, PIN, pattern, etc.) from your device.
    2. Eject sim card from your device.
    3. Reset your device. In setup wizard, skip everything, don't connect to WiFi, don't add fingerprint or any kind of screen lock.
    4. Go to Developer Options and enable USB debugging.
    5. Connect your phone to PC.
    6. Open CMD in adb directory and type
    Code:
    adb shell pm uninstall --user 0 com.android.phone
    7. Restart your device.
    8. Connect to WiFi, open Chrome and go to google.com (or any website really).
    9. Go to Developer Options and enable OEM unlocking.
    10. Reboot into bootloader and via CMD run
    Code:
    fastboot oem unlock
    or
    Code:
    fastboot flashing unlock
    11. Profit

    Be aware that unlocking bootloader removes everything from your device.

    Credit to members LeoTheRomRasta and Qu3ntin0 for making this method available to the community on the Bounty thread yesterday. https://forum.xda-developers.com/pi...rizon-pixel-bootloader-unlock-t3740911/page14 There is an ongoing discussion there about variations on this method.

    UPDATE: Confirmed that this method works on Android Oreo as well as Android P Developer Preview.
    13
    Please can someone go through the trouble with making some step-by-step instructions that are a bit more noob-friendly, like in the OP? Thanks.

    Here is what worked for me:

    Prerequisites:

    No SIM card in the phone
    ADB and Platform Tools installed on a computer (https://www.xda-developers.com/install-adb-windows-macos-linux/)
    The latest OTA image downloaded to the computer (https://developers.google.com/android/ota#sailfish for the Pixel or https://developers.google.com/android/ota#marlin for the Pixel XL)
    The phone connected to the computer with USB
    Learn how to use ADB and Fastboot on your computer as it can differ.

    Steps:

    1. On the phone, open Settings>System>Reset Options and factory reset the phone. It should say "Restarting" or something similar.
    2. When the screen goes black, press and hold the Volume Down key until you get into the Bootloader mode. Use the volume keys to navigate to "Recovery Mode" and select it with the power button.
    3. Hold the Volume Down key for about a minute (while it resets) until you make it back to the bootloader.
    4. Again use the volume keys to select Recovery Mode, then you should see a graphic of an android lying down.
    5. Hold the Power button then press the Volume Up button once. It should give you a menu. If that doesn't work, try pressing them at the same time.
    6. Use the volume and power buttons to select "Wipe Data/Factory Reset"
    7. Once it finishes, select the "Apply update via ADB" option.
    8. Go to your computer and type in 'adb sideload sailfish-ota-qp1a.191005.007.a3-394b5899.zip' (without quotes) for the Pixel or 'adb sideload marlin-ota-qp1a.191005.007.a3-23002a57.zip' for the Pixel XL.
    9. Factory reset again from recovery mode
    10. Reboot to system
    11. While it just shows the G, press the power button until the phone restarts
    12. Once it boots up, skip all of the steps but disable the options for sending information to Google.
    13. Enable Developer Options by tapping "Build Number" seven times
    14. In Developer Options, enable USB Debugging
    15. On your computer, run 'adb shell pm uninstall --user 0 com.android.phone'
    16. Reboot twice
    17. Connect to WiFi
    18. Open google.com in Chrome
    19. check Developer Options to see if you can enable OEM unlocking
    20. If you can't, swipe away Settings from the Recents menu and go back to Chrome
    21. In Chrome, open a bunch of websites. After opening each one, check the OEM Unlocking option again and close Settings afterward.
    22. Once you can enable it, do so! Now you can unlock the bootloader.

    Unlocking the bootloader:

    1. Reboot and press the Volume Down key when the screen goes black
    2. On the computer, type 'fastboot flashing unlock'

    You just unlocked the bootloader!

    Credit goes to djared704 for finding this method.

    Let me know if I need to change anything about this guide.
    11
    Hey guys. After 5 months of my purchase I finally achieved bootloader unlocking. Basically I am a user that has never updated to latest, I don't know if it makes it a variable if you're already on latest and try this. (I was coming from Sept 2019). So what I did was factory reset from the system menus. Then as soon as the screen went black, I did bootloader combos and straight to recovery. I factory resetted as prep, flashed DECEMBER patch, then after that finished, factory resetted again. Essentially, I followed the classic ADB exploit that has "never worked since Sept-Oct 2019" And yes I do have the VZW_001 CID and "_VZ" in GL website. Know when yours is bootlooping as soon as you reboot it, just hard reboot so it boots up quicker, I don't know what it does for it to take so long. Anyways when you get in, just setup like we'd always do, NO google account, turn off all setting requests (Data location, wallpapers, etc). Then as soon as I got in, I turned on debugging, ran the classic adb pm command, rebooted TWO times. This means as soon as I booted, i swiped to go to home, then rebooted a second time. As soon as I did that, I loaded up my wifi connection, I don't know if it matters but Im using the 5G wifi, then I load up google.com. Immediately, I already notice something strange. Google.com doesn't have a "valid SSL certificate" I thought it was weird, so I went to google.com on my PC and look certified SSL. As I knew that was weird, I was clicking around and I thought that was enough. so I went to the dev menu. OEM lock still grayed out. I went back to chrome and simply typed in "youtube" Let it load up. Then I clicked on the site. I went back to the dev menu. Still grayed out. I exited settings app and relaunched it to the dev menu. OEM unlock lit up in flying colors. I could not believe it. I instantly ticked it with 0 hesitation and rebooted immediately to the bootloader. The unlock command worked! I am now unlocked sailfish! I thank the community so much for all the hard work. I, only motivated the community to their potential. Thank you again!

    Generally there are some kinds of factors.
    Users have stated before if you OTA'd from menus to Latest patch, it would say "October", even though it's really december. This may make the unlocking procedure impossible. I have also not seen any marlin users report back to me yet about this method. You can still try flashing from googles site if you're already on "October = Dec".

    Enjoy guys. We proved WE own these phones, and not VZW.
    6
    Uhm, how do you skip Wi-Fi setup? :confused:

    EDIT: Guys, can confirm. It works!!! Just tested this as of now. The trick is to factory reset twice because the first reset leaves an indicator to the phone that you did a factory reset just now. Therefore, not allowing you to skip Wi-Fi connection in Setup Wizard. As for the steps, once you opened Google Chrome and visit a website, Go to Developer Options and wait until 3-5 minutes if the option to unlock is still grayed out. You might want to go back and forth one more time to see if the option to unlock is now enabled.
    6
    Apparently there may a very very small case of possibly unlocking bootloader on VZW pixel 1 again. There is a Chinese service known by the name of "Taobao", performing premium paid bootloader unlocks for Pixel 1. Now at XDA, we do not agree with charging people in any way. The first way the old adb uninstall exploit was even discovered was because some user leaked, also a premium service in China. This is a bit different. The interface they are using is in Chinese (I know this because I connected with a user in our TG channel that has used this service). When I talked with this user they spoken about how they used the getvar command to determine if it was a actual VZW model or not. He went on to tell me that he used a VPN service to connect to their (data centre?) or his own phone, built for going long distances, I guess. He tells me he hasn't paid attention to the PC that much, and in a bit his bootloader was successfully unlocked. I actually took a look at the fastboot toolkit when I was on his PC and it was actually a toolkit from 2016, and it was obviously a bit modified, having a chinese file shortcut that directs to system32 cmd. The shortcut was obviously "命令提示符", translating Command Prompt. I can't understand why you would need admin access for adb, but to spin off, the commands in the help directory of both fastboot and ADB are different. Some I noticed were "flashing get_unlock_bootloader_nonce" "flashing unlock_bootloader <request>" "flashing lock_bootloader". However the ADB directory looks a bit similar to what we see today. I looked at a couple of the proprietary apps he used and the interfaces of those kinda reminded me of IP grabbing applications. Some great people at TG attempted to translate for me, and it looked about right.
    In theory, they use these apps to grab a VZW IP and maybe bully it with your own router? Or maybe they infiltrate it with their own IP which explains turning on the VPN. We have to work together, and figure out exactly how it was done. We have some info, but no steps on reproducing it. Lets try and work this out together! WE ARE so close! Thanks so much.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone