
[How-to] Unlock bootloader on Verizon Pixel/XL


matthew5025

Senior Member
Dec 23, 2010
452
137
I live in China. Can you please tell me which store you chose? I asked several and they all ask for 150 Yuan.
 

1stWinters

Member
Jun 17, 2019
14
4

EnumC

Senior Member
Dec 22, 2014
113
65
Cupertino
enumc.com
TCL 10 5G
OnePlus 8T
This worked for Verizon model running the latest OTA. They used USB Redirector + Teamviewer VPN to issue fastboot commands. There must be a vulnerability in fastboot to unlock the bl for Pixel XL. Either that or they have the private keys used to generate the unlock challenge token.
 
This worked for Verizon model running the latest OTA. They used USB Redirector + Teamviewer VPN to issue fastboot commands. There must be a vulnerability in fastboot to unlock the bl for Pixel XL. Either that or they have the private keys used to generate the unlock challenge token.
This sounds similar to how I am able to run some commands via citadel, using a special debugging cable, on the Pixel 3, while the device is supposedly in UART. I'm almost 100% sure there are no fastboot commands to unlock it, at least not that I can find. My guess is they have the same debugging cable and somehow are able to run some kind of commands that way. They may have found a way to toggle the AVB feature in citadel which would essentially turn all the values into zeros, essentially unlocking the bootloader. You can hook the device up in fastboot mode and run
Code:
fastboot oem citadel
.

There's also a bug in the Pixel 3 while trying to install some DSU generic system images. Somehow it flashes verity, causing the device to flash a warning when booting up saying the device is corrupt. It actually isn't though. So it's a head scratcher.
 

EnumC

Senior Member
Dec 22, 2014
113
65
Cupertino
enumc.com
TCL 10 5G
OnePlus 8T
This sounds similar to how I am able to run some commands via citadel, using a special debugging cable, on the Pixel 3, while the device is supposedly in UART. I'm almost 100% sure there are no fastboot commands to unlock it, at least not that I can find. My guess is they have the same debugging cable and somehow are able to run some kind of commands that way. They may have found a way to toggle the AVB feature in citadel which would essentially turn all the values into zeros, essentially unlocking the bootloader. You can hook the device up in fastboot mode and run
Code:
fastboot oem citadel
.

There's also a bug in the Pixel 3 while trying to install some DSU generic system images. Somehow it flashes verity, causing the device to flash a warning when booting up saying the device is corrupt. It actually isn't though. So it's a head scratcher.
This could be possible, although running `fastboot oem citadel` results in "unknown command" on my device. After they presumably ran some type of script, I still had to run fastboot oem unlock to unlock the bl. The entire process took around 30 seconds after he got USB redirector configured.
 

zfk110

Senior Member
Jan 11, 2014
1,022
202
Atlanta
This worked for Verizon model running the latest OTA. They used USB Redirector + Teamviewer VPN to issue fastboot commands. There must be a vulnerability in fastboot to unlock the bl for Pixel XL. Either that or they have the private keys used to generate the unlock challenge token.
How did you get in touch with him? I can't understand Chinese on that website. Do you have his WhatsApp number?
 

EnumC

Senior Member
Dec 22, 2014
113
65
Cupertino
enumc.com
TCL 10 5G
OnePlus 8T
How did you get in touch with him? I can't understand Chinese on that website. Do you have his WhatsApp number?
He/she has their WeChat number in the Taobao listing. Not sure of alternate ways to contact them since WeChat is the predominant IM platform in mainland China. I think you can also message him directly on Taobao, but then you would have to install "AliWangWang" on your PC/mobile.
 

Joran01

Member
Jan 21, 2017
22
8
He/she has their WeChat number in the Taobao listing. Not sure of alternate ways to contact them since WeChat is the predominant IM platform in mainland China. I think you can also message him directly on Taobao, but then you would have to install "AliWangWang" on your PC/mobile.
He's asking me 25 USD instead of 50 Yuan... How much did you have to pay?
 

rkha

Member
Nov 19, 2013
9
1
So it appears I have a Verizon variant, confirmed by CID and response from https://store.google.com/us/repair. For some naive reason I was sure my phone was not a Verizon variant, given that it was purchased new in a European country, far from Verizon land, and from a reputable store.

The phone was not SIM locked to any operator, but bought unlocked. Is it really the case that the Verizon variant was sold so broadly? I'm just wondering if I have any recourse asking the seller to enable OEM unlocking of the bootloader, since there is no known DIY way of unlocking it right now.
 

Top Liked Posts

  • 3
    I live in China. Can you please tell me which store you chose? I asked several and they all ask for 150 Yuan.
    2
    50 Yuan so ~ 8 USD

    Anyway it seems they were able to compute the get_ks_token challenge, so they must have the master key.
    1
    Please, link me to this guy 🙏🏻
  • 159
    Hi guys. So I finally found a way to unlock a bootloader on a Verizon Pixel. Without further ado, let's get started. This method works on Pixel and Pixel XL.

    1. Remove Google account and any kind of screen lock (fingerprint, PIN, pattern, etc.) from your device.
    2. Eject SIM card from your device.
    3. Reset your device. In setup wizard, skip everything, don't connect to WiFi, don't add fingerprint or any kind of screen lock.
    4. Go to Developer Options and enable USB debugging.
    5. Connect your phone to PC.
    6. Open CMD in adb directory and type
    Code:
    adb shell pm uninstall --user 0 com.android.phone
    7. Restart your device.
    8. Connect to WiFi, open Chrome and go to google.com (or any website really).
    9. Go to Developer Options and enable OEM unlocking.
    10. Reboot into bootloader and via CMD run
    Code:
    fastboot oem unlock
    or
    Code:
    fastboot flashing unlock
    11. Profit

    Be aware that unlocking bootloader removes everything from your device.

    Credit to members LeoTheRomRasta and Qu3ntin0 for making this method available to the community on the Bounty thread yesterday. https://forum.xda-developers.com/pi...rizon-pixel-bootloader-unlock-t3740911/page14 There is an ongoing discussion there about variations on this method.

    UPDATE: Confirmed that this method works on Android Oreo as well as Android P Developer Preview.
    15
    Please can someone go through the trouble with making some step-by-step instructions that are a bit more noob-friendly, like in the OP? Thanks.

    Here is what worked for me:

    Prerequisites:

    No SIM card in the phone
    ADB and Platform Tools installed on a computer (https://www.xda-developers.com/install-adb-windows-macos-linux/)
    The latest OTA image downloaded to the computer (https://developers.google.com/android/ota#sailfish for the Pixel or https://developers.google.com/android/ota#marlin for the Pixel XL)
    The phone connected to the computer with USB
    Learn how to use ADB and Fastboot on your computer as it can differ.

    Steps:

    1. On the phone, open Settings>System>Reset Options and factory reset the phone. It should say "Restarting" or something similar.
    2. When the screen goes black, press and hold the Volume Down key until you get into the Bootloader mode. Use the volume keys to navigate to "Recovery Mode" and select it with the power button.
    3. Hold the Volume Down key for about a minute (while it resets) until you make it back to the bootloader.
    4. Again use the volume keys to select Recovery Mode, then you should see a graphic of an android lying down.
    5. Hold the Power button then press the Volume Up button once. It should give you a menu. If that doesn't work, try pressing them at the same time.
    6. Use the volume and power buttons to select "Wipe Data/Factory Reset"
    7. Once it finishes, select the "Apply update via ADB" option.
    8. Go to your computer and type in 'adb sideload sailfish-ota-qp1a.191005.007.a3-394b5899.zip' (without quotes) for the Pixel or 'adb sideload marlin-ota-qp1a.191005.007.a3-23002a57.zip' for the Pixel XL.
    9. Factory reset again from recovery mode
    10. Reboot to system
    11. While it just shows the G, press the power button until the phone restarts
    12. Once it boots up, skip all of the steps but disable the options for sending information to Google.
    13. Enable Developer Options by tapping "Build Number" seven times
    14. In Developer Options, enable USB Debugging
    15. On your computer, run 'adb shell pm uninstall --user 0 com.android.phone'
    16. Reboot twice
    17. Connect to WiFi
    18. Open google.com in Chrome
    19. Check Developer Options to see if you can enable OEM unlocking
    20. If you can't, swipe away Settings from the Recents menu and go back to Chrome
    21. In Chrome, open a bunch of websites. After opening each one, check the OEM Unlocking option again and close Settings afterward.
    22. Once you can enable it, do so! Now you can unlock the bootloader.

    Unlocking the bootloader:

    1. Reboot and press the Volume Down key when the screen goes black
    2. On the computer, type 'fastboot flashing unlock'

    You just unlocked the bootloader!

    Credit goes to djared704 for finding this method.

    Let me know if I need to change anything about this guide.
    11
    Hey guys. After 5 months of my purchase I finally achieved bootloader unlocking. Basically I am a user that has never updated to latest, I don't know if it makes it a variable if you're already on latest and try this. (I was coming from Sept 2019). So what I did was factory reset from the system menus. Then as soon as the screen went black, I did bootloader combos and straight to recovery. I factory reset as prep, flashed DECEMBER patch, then after that finished, factory reset again. Essentially, I followed the classic ADB exploit that has "never worked since Sept-Oct 2019". And yes I do have the VZW_001 CID and "_VZ" in GL website. Know when yours is bootlooping as soon as you reboot it, just hard reboot so it boots up quicker, I don't know what it does for it to take so long. Anyways when you get in, just setup like we'd always do, NO Google account, turn off all setting requests (Data location, wallpapers, etc). Then as soon as I got in, I turned on debugging, ran the classic adb pm command, rebooted TWO times. This means as soon as I booted, I swiped to go to home, then rebooted a second time. As soon as I did that, I loaded up my wifi connection, I don't know if it matters but I'm using the 5G wifi, then I load up google.com. Immediately, I already notice something strange. Google.com doesn't have a "valid SSL certificate". I thought it was weird, so I went to google.com on my PC and look certified SSL. As I knew that was weird, I was clicking around and I thought that was enough. So I went to the dev menu. OEM lock still grayed out. I went back to Chrome and simply typed in "youtube". Let it load up. Then I clicked on the site. I went back to the dev menu. Still grayed out. I exited settings app and relaunched it to the dev menu. OEM unlock lit up in flying colors. I could not believe it. I instantly ticked it with 0 hesitation and rebooted immediately to the bootloader. The unlock command worked! I am now unlocked sailfish!
    I thank the community so much for all the hard work. I only motivated the community to their potential. Thank you again!

    Generally there are some kinds of factors.
    Users have stated before if you OTA'd from menus to Latest patch, it would say "October", even though it's really December. This may make the unlocking procedure impossible. I have also not seen any marlin users report back to me yet about this method. You can still try flashing from Google's site if you're already on "October = Dec".

    Enjoy guys. We proved WE own these phones, and not VZW.
    6
    Uhm, how do you skip Wi-Fi setup? :confused:

    EDIT: Guys, can confirm. It works!!! Just tested this as of now. The trick is to factory reset twice because the first reset leaves an indicator to the phone that you did a factory reset just now. Therefore, not allowing you to skip Wi-Fi connection in Setup Wizard. As for the steps, once you opened Google Chrome and visit a website, Go to Developer Options and wait until 3-5 minutes if the option to unlock is still grayed out. You might want to go back and forth one more time to see if the option to unlock is now enabled.
    6
    Apparently there may be a very, very small case of possibly unlocking bootloader on VZW Pixel 1 again. There is a Chinese service known by the name of "Taobao", performing premium paid bootloader unlocks for Pixel 1. Now at XDA, we do not agree with charging people in any way. The first way the old adb uninstall exploit was even discovered was because some user leaked, also a premium service in China. This is a bit different. The interface they are using is in Chinese (I know this because I connected with a user in our TG channel that has used this service). When I talked with this user they spoke about how they used the getvar command to determine if it was an actual VZW model or not. He went on to tell me that he used a VPN service to connect to their (data centre?) or his own phone, built for going long distances, I guess. He tells me he hasn't paid attention to the PC that much, and in a bit his bootloader was successfully unlocked. I actually took a look at the fastboot toolkit when I was on his PC and it was actually a toolkit from 2016, and it was obviously a bit modified, having a Chinese file shortcut that directs to system32 cmd. The shortcut was obviously "命令提示符", translating Command Prompt. I can't understand why you would need admin access for adb, but to spin off, the commands in the help directory of both fastboot and ADB are different. Some I noticed were "flashing get_unlock_bootloader_nonce" "flashing unlock_bootloader <request>" "flashing lock_bootloader". However the ADB directory looks a bit similar to what we see today. I looked at a couple of the proprietary apps he used and the interfaces of those kinda reminded me of IP grabbing applications. Some great people at TG attempted to translate for me, and it looked about right.
    In theory, they use these apps to grab a VZW IP and maybe bully it with your own router? Or maybe they infiltrate it with their own IP which explains turning on the VPN. We have to work together, and figure out exactly how it was done. We have some info, but no steps on reproducing it. Let's try and work this out together! WE ARE so close! Thanks so much.
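Added example (not from any poster in this thread): a read-only check of the state the thread keeps referring to, namely the CID, the OEM unlocking toggle and the bootloader lock state, parsed from saved `adb shell getprop` output. `ro.boot.flash.locked`, `ro.boot.verifiedbootstate` and `sys.oem_unlock_allowed` are standard Android properties; `ro.boot.cid` as the place the CID appears is an assumption, and the sample values are constructed.

```python
import re

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]\s*$")

def sample(locked, vb, allowed, cid="VZW_001"):
    """Constructed getprop excerpt; the CID string is the one quoted in the thread."""
    return (f"[ro.boot.cid]: [{cid}]\n"          # assumed property name
            f"[ro.boot.flash.locked]: [{locked}]\n"
            f"[ro.boot.verifiedbootstate]: [{vb}]\n"
            f"[sys.oem_unlock_allowed]: [{allowed}]\n")

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def assess(props):
    """Classify boot integrity from the properties; returns (state, findings)."""
    locked = props.get("ro.boot.flash.locked")
    vb = props.get("ro.boot.verifiedbootstate")
    findings = []
    if locked == "0" or vb == "orange":
        state = "unlocked"
        findings.append("bootloader unlocked: boot images are not verified")
    elif locked == "1" and vb == "green":
        state = "locked"
    else:
        state = "unknown"
        findings.append(f"unexpected values: flash.locked={locked!r}, verifiedbootstate={vb!r}")
    if vb in ("yellow", "red"):
        findings.append(f"verified boot state {vb}: custom key or failed verification")
    # Locked but toggle on: the unlock command would be accepted from fastboot.
    if state != "unlocked" and props.get("sys.oem_unlock_allowed") == "1":
        findings.append("OEM unlocking is enabled while the bootloader is still locked")
    if findings and props.get("ro.boot.cid", "").upper().startswith("VZW"):
        findings.append("carrier CID: OEM unlocking is normally greyed out on this variant")
    return state, findings

if __name__ == "__main__":
    for text in (sample("1", "green", "0"), sample("1", "green", "1"), sample("0", "orange", "1")):
        print(assess(parse_getprop(text)))
```

On a managed device, a locked bootloader with the toggle enabled is the state worth alerting on, because it precedes the wipe-and-unlock step.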