• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Use 'fastboot oem citadel' to unlock bootloader? (Verizon Pixel 3)

Search This thread


Senior Member
Aug 2, 2019
I don't know if it was at this point or not. Because I don't recall seeing it there before while having it in edl. But that's another mode I've been trying to work with some tools in.

The proto device is what this emulated whatever it is, is named. And I'm pretty sure it will be the same across all the pixels and it is the same on my pixel 3 as well as my pixel 4. If you run various commands in Ubuntu you can get a readout of the identifiers for the various devices and consoles and emulators that are operating. The only thing I've been able to surmise Proto2 means is Google's way of calling it a "prototype device" so obviously we would not really be speaking of that in the physical sense. Whatever Proto is it is tied directly into the Titan Citadel. That much I am certain of but to what capacity I have no clue. Since I wasn't expecting to see it, in this state much less on a Windows machine, I can't recall what got it there and I haven't seen it again yet, but I'm also working tonight so I didn't have much time on my hands today.

I've only gotten pretty much one good command to come out of this and actually return something that may or may not be useful and that is a command in edl mode to OEM unlock. Spits out a pretty long set of hex numbers and whatnot. Didn't get a log of it yet but I've seen it several times and I'll post it the next time I look at it. Anything else I try it detects the device but then tells me it's in a "unknown mode" and to reboot and try "adb reboot edl". Which is exactly how I got it there in the first place.
Hm, if only we could find the Servo V3 or v4 cable, it supports loading a bootloader into RAM so we potentially replace the bootloader from a Unlocked Pixel 3

Hm, if only we could find the Servo V3 or v4 cable, it supports loading a bootloader into RAM so we potentially replace the bootloader from a Unlocked Pixel 3

Well there is this. When booted properly, the device is called proto2 for usb serial. Now as to what it is in edl, I don't know. I didn't have time to look.


  • proto2 device.jpg
    proto2 device.jpg
    236.5 KB · Views: 111


New member
Jul 9, 2021
Well there is this. When booted properly, the device is called proto2 for usb serial. Now as to what it is in edl, I don't know. I didn't have time to look.
Any progress here yet? All their refurbished pixels seem to be bootloader-locked as well. The interesting thing is, at least on my refurbished pixel 2, in the build.prop file ro.oem_unlock_supported is 1, sys.oem_unlock_allowed is 1, and ro.boot.flash.locked is 1.
  • Like
Reactions: arima0k
Any progress here yet? All their refurbished pixels seem to be bootloader-locked as well. The interesting thing is, at least on my refurbished pixel 2, in the build.prop file ro.oem_unlock_supported is 1, sys.oem_unlock_allowed is 1, and ro.boot.flash.locked is 1.
I can confirm that on my pixel3 the first build prop has a value of 1. The other two props of course, have a value of 0.

Sorry I have been really busy with work as we are severely understaffed so I have had very little free time to do pretty much anything.

Not sure if it has anything to do with it but maybe those build props have something to do with the Android flash tool on the web. On my Pixel 3 I was able to upgrade to Android 12 via ADB side load, and downgrade it back to the latest stable Android 11 the same way, but I had to go through a few hoops to get there.

This may be something this may be nothing. I use Nova launcher I'm sure many of you do. Without root access of course you cannot have the Google companion or discovery option that swipes across the screen unless you download the Nova Google companion APK. Interesting enough going into developer options and checking compatibility options for applications, Nova's companion application comes up with several items to toggle. Not sure what if any effect they have on a device that's locked or unlocked but figure I would throw that out there given that some of these flags look weird to me.
interesting observation. I have been able to load a DSU GSI image, direct from google. That's not a surprise. What's a surprise is when you try to install a Custom DSU GSI and you get a warning verity is disabled, when the phone turns on that the "device cannot be trusted and is corrupt". Pressing the power button makes the device boot normally. I mentioned this before, but i didn't know the cause of the failed verity. Correct me if I am wrong but this isn't supposed to happen right? No image should be able to be flashed much less corrupting the verity image. So what would the explanation be here? Nonetheless, the custom DSU GSI doesn't boot while official google GSI does.


Senior Member
Feb 24, 2011
Any progress on this? I also saw THIS thread about the Verizon Pixel 4 and using DePixel with success. Anyone tried this on a 3?

I've still got my Pixel 3 XL, and I would like to get some more time out of it, but the new Pixel 6 is looking appetizing. It would be incredible if we could figure something out here because the discounts from Verizon are too appealing and I'm not switching carriers.


Senior Member
Apr 20, 2016
Any progress on this? I also saw THIS thread about the Verizon Pixel 4 and using DePixel with success. Anyone tried this on a 3?

I've still got my Pixel 3 XL, and I would like to get some more time out of it, but the new Pixel 6 is looking appetizing. It would be incredible if we could figure something out here because the discounts from Verizon are too appealing and I'm not switching carriers.
See this thread on unlocking a Verizon Pixel 3. However, it seems to work only on a new, fresh out of the box phone, that has never connected to Verizon. Even then, it is not always successful.

It also works on a Pixel 2. I bought a new (old stock) Verizon Pixel 2 XL from Woot last month, and successfully unlocked it.

It appears the bootloader is not permanently locked until the phone connects to Verizon. After it connects, you are out of luck.


New member
Jan 13, 2019
Based on available instructions for previous versions of the pixel and pixel xl I suspect the solution is as easy as a single pm command. For example, the pixel/xl...
adb shell
pm uninstall --user 0 com.android.phone
To unlock the bootloader you then connect to wifi, load any website in chrome, toggle the oem unlock switch in developer options, then fastboot oem unlock.

for the pixel 3a/xl...
adb shell
pm uninstall -k --user 0 com.google.android.apps.work.oobconfig
Unfortunately that only unlocks the sim. But I'm sure with a few simple tweaks you can get the bootloader unlocked as well. Maybe remove sim, wipe cache, factory reset, skip all setup, don't connect wifi, run pm uninstall, try fastboot unlock. If doesn't work then connect wifi, load a site in chrome, try fastboot unlock.



New member
Jan 13, 2019
I tested the sim unlock on a Pixel 3a and it does seem that the code to enable the OEM unlocking feature is in the com.google.android.apps.work.oobconfig package.

If you remove sim, do a factory reset, connect to internet, swipe down the notification bar and follow the complete phone setup instructions, it will change the toggle switch description from 'connect to internet or contact your carrier' to 'carrier does not support oem unlocking' (going from memory here - may not be verbatim).

If you remove sim, do a factory reset, uninstall the oobconfig package, connect to internet, finish phone setup, the toggle switch message remains the same. So something within that package is responsible for performing the verification of oem unlocking permissions and then changing the setting.

I would say you could just open the apk in a hex editor, tweak a value or two, then install the apk over adb. The oobconfig package points to the OTAConfigPrebuilt.apk file. So you can use adb pull to copy to your pc. Tweak whatever code you want.

The problem is that I can't find a way to re-install the package due to the certificates check failing. Even after disabling 'verify apps over usb' it still fails the certificates check. I even copied it to the internal tmp folder and tried to install using the command below and it failed.
adb shell cmd package install /data/local/tmp/OTAConfigPrebuilt.apk

The good news is there's no danger in removing the oobconfig package. Just factory reset and it'll be right as rain.

A few tips...
// to find the apk for any given package name
pm path nameOfPackage

// to search the contents of binary files for keywords
// -R is recursively search folders
// -a is binary
grep -Ra "oem_unlock" /product/priv-app/*

Top Liked Posts

  • There are no posts matching your filters.
  • 5
    If it works, could you please post a tutarial?

    So I just completed the first phase of configurations. I had to make sure my rules.d configs were right. Although they were, they were missing a few entries, but I can confirm the cable *DOES INDEED WORK!!!* It is functioning and it appears a console(s) are indeed opening upon plugging in the phone to a properly configured pc and environment. To what extent and what consoles? I do not yet know. Run this command in a terminal to monitor when Cr50 device emulation is activated on the device we are working with. If the device appears in the list (refreshes every few seconds), the device is successfully recognized, uart should be enabled aloing twith the Cr50 emulation (what we were banking on being available):

    $ watch -n 1 "lsusb | grep 18d1:5014"

    5014 is what the Pixel 3 is identified as while this emulation is occuring. The cable MUST be plugged into the PHONE port with the text ADBG facing UP, or the device will not be triggered into the mode we need it in (device is still booted and turned on and usable). Posted below is a screen shot when running 'lsusb' in a terminal, the PC is properly configured and the emulation is ocurring:

    I don't know if this had an effect, but depending on what fastboot mode you are in, (fastboot vs. fastbootd), the device ID changes, so I added the config to the rules.d files I have set up in /etc/udev.

    Fastboot: 18d1:4ee7
    Fastbootd: 18d1:4ee0

    Once I did that, installed the required dependencies for hdctools cleared my cache and what not, and rebooted, all was working so far, as it should. Now time to research a little and see what I can do and where can find instructions on how to do it :D
    Ok I got the rx error to stop. There are so many dependencies for all of these utilities, it's a miracle I haven't screwed anything up yet.

    If I can get the EC console working, that's where we can flash EC firmware. We also have EDL mode (adb reboot edl) where, if I can get it working, "Qualcomm Sahara / Firehouse Attack Client /Diag Tools": https://github.com/bkerler/edl.git

    I don't know if this is something to do with my configurations not being right but for some reason Ubuntu refuses to read the existence of a device in edl mode. At least in terms of running commands, it doesn't exist. We'll need to definitely install drivers on Windows and get Ubuntu to carry them over. But the tools used for a lot of edl are available only on Windows.

    But getting that to run on a Linux machine is not going to be easy so it looks like I'm going to have to boot up my Windows 7 if I'm to even try because the drivers are only able to be installed there.

    I again was looking through the vendor image. Since I'm trying to access the EC console, I started to look for files related to it. There are 2 files in the vendor image: ec.bin and ec.rec. looking through both are intriguing, but the bin file even more so which I have yet to finish looking through using a hex editor. There are or at least appear to be in readable format, several strong box keys. There is one option in fast food I have yet to try, because of the lack of anything to test.
    fastboot flashing unlock_bootloader <request>

    Now it doesn't fail or give me a warning that I can't run the command on a locked device but it tells me to provide a bin file. I was unaware This phone had a bin file to flash when requesting a bootloader unlock. I haven't gotten enough courage to try it but wouldn't it be a son of a gun if ec.bin worked? Also I have a few different variants of fastboot that have been modified in various other forums in an attempt to bypass some of those restrictions and hoping to get commands working that normally wouldn't on other fastboots.

    It probably wouldn't which brings me to the latest update overall. Those files tell me there is a EC console available. But I am having a very hard time getting it set up properly. Most of these tools when configured right will work properly if you have all the dependencies which has been the real kicker here, finding them all. If I can finally get that end of the tools working, then we can update the EC firmware with newer EC bins. And somehow using that same cosole, you can remove write protect on certain other firmwares. I know the council is active or is available because of the certain values I got in which I posted above. Some of stuff I posted above actually comes out of that console.

    All we need is just that one little area to write on, that we can write to an exploit in an attempt to get root privileges if at the very least. I'm sorry I don't have any more than this for today.
    Sorry if this doesn't make any sense guys. I'm going to write down a detailed way on how everybody can at least get this far without having to worry about any destruction to their devices or whatnot. That will hopefully give a better understanding as to what might be going on here and we can work from there. I would also appreciate it if somebody could take a look at the vendor image while mounted and pull the files and question and use a hex editor to look at the code and see if what I'm seeing isn't just some crazy talk. This may take me a few days to put together so I may not be around as I do that but will try and reply if anyone has any more questions.
    Ok so nevermin
    rebooting the device into fastboot (adb reboot-bootloader) and running the usb_console command returns this:
    usb_console -d 18d1:5014
    [161155.250820 gpio_wiggling: VOL_DN_L = 0]
    [161155.251544 km_set_vol_dn_btn: vol_dn already set]
    [161155.458140 gpio_wigglingl dn released]
    [161156.020804 gpio_wiggling: PHONE_ON_L = 0]
    [161157.550416 ap_reboot_actions: signaling]
    [161157.550976 ap_reboot_actions: 0 done 0]
    [161157.551540 ap_is_rebooting: MSM_RST_OUT_L_FALLING: ap_is_in_bootloader=1]
    [161157.554112 flash_physical_write: 0x73d00, 0xec bytes]
    [161157.554916 nugget_dispatch_loop: [161157.556064 flash_physical_write: 0x73c00, 0x100 bytes]
    reboot seen (vol-dn: 1)]
    [161157.559688 flash_physical_write: 0x73e00, 0xec bytes]
    [161157.561736 flash_physical_write: 0x73d00, 0x100 bytes]
    [161157.563424 gpio_wiggling: VOL_UP_L = 0]
    [161157.588992 passthru off]
    [161157.622916 ap_reboot_actions: signaling]
    [161157.623476 ap_reboot_actions: 0 done 1]
    [161157.624044 ap_is_rebooting: MSM_RST_OUT_L_RISING: ap_is_in_bootloader=1]
    [161157.624980 nugget_dispatch_loop: reboot seen (vol-[161158.725452 usb_reset, status 9020]
    [161158.809772 SETAD 0x21 (33)]
    rx [Errno 110] Operation timed out

    Again the rx error repeats over and over. Note: Unless the device is rebooted, or it's mode is switched (fastboot vs fastbootd) then the above information will NOT reappear. Instead the message referenced in the post abive this one appears:
    --- UART initialized after reboot ---
    [Reset cause: rdd]
    [Retry count: 1 -> 0]
    [Image: RW_B, 0.0.3/brick_v0.0.8279-f93f99159371.195216 update_rollback_mask: stop at 0]
    [159371.195856 gpio_wiggling: AP_EL2_LOW_IRQ = 0]
    Console is enabled; type HELP for help.
    > [159371.238856 passthru usb]
    [159371.239492 usb_init, resume 0]
    [159371.606672 usb_reset, status 4801020]
    [159371.695496 usb_reset, status 9028]
    [159371.779716 SETAD 0x11 (17)]
    rx [Errno 110] Operation timed out

    Nevermind the RX error. Cr50 console is open. Navigating to my hdc tools and running the usb_console command in fastboot or fastbootd returns the RX error, but I am still able to type commands. typing HELP after the usb_console command returns this (ignore the continuous scrolling of RX error. manual scroll to stop the screen and read)
    Known commands:
      apfastboot     Assert POWER + VOL_DN to force the AP into fastboot
    The min/default time is 20 seconds, max is 60
      board_id       Display the Board ID values
      help           Print command help
      history        Print console history
      idle           Set or show the idle action: wfi, sleep, deep sleep
      reboot         Reboot Citadel
      repo           Show the repo snapshot for this image
      sleepmask      Display/force sleep mask
      stats          Show the current syatem power stats
      taskinfo       Print task info
      timerinfo      Print timer info
      trngstats      Collect some TRNG stats
      version        Print versions
    HELP CMD = help on CMD.

    The first command apfastboot requires an unlocked bootloader :(

    History shows your command history. I will get to repo later.

    running: taskinfo:
    Task Ready Name         Events      Time (s)  StkUsed    Flags
       0 R << idle >>       80000000  556.135876    80/ 512  0000
       1 R HOOKS            20000000    0.166836   120/ 640  0000
       2   NUGGET           00000000    0.286404   168/1024  0000
       3   FACEAUTH         00000000    0.000524    80/2048  0000
       4   AVB              00000000    0.008216    88/4096  0000
       5   KEYMASTER        00000000    0.026576    88/9600  0000
       6   IDENTITY         00000000    0.000224    88/1952  0000
       7   WEAVER           00000000    0.006664   240/1024  0000
       8 R CONSOLE          00000000    0.359764   448/ 576  0000
    Service calls:                 1588
    Total exceptions:              1589
    Task switches:                 1835
    Task switching started: 162202.505900 s
    Time in tasks:           557.084916 s
    Time in exceptions:        0.086496 s

    Chip:    Google Citadel C2-PVT
    Board:   0
    RO_A:    0.0.3/d55cc99c ok
    RO_B:  * 0.0.3/874a9517 ok
    RW_A:    0.0.3/brick_v0.0.8277-61fd4bbbc ok
    RW_B:  * 0.0.3/brick_v0.0.8279-f93f993f0 ok
    Build:   0.0.3/brick_v0.0.8279-f93f993f0
             2021-02-04 19:23:01 wfrichar

    0x00020000 0xff000080 0xfffdffff # MP, PVT/MP

    Time:     0x00000025f6f75af0 us, 163057.195760 s
    Deadline: 0x00000025f701b268 ->    0.677752 s from now
    Active timers:

    hard_reset_count            1
    time_since_hard_reset       163124.847384
    wake_count                  106
    time_at_last_wake           162202.503892
    time_spent_awake            17124.537648
    deep_sleep_count            105
    time_at_last_deep_sleep     162200.189768
    time_spent_in_deep_sleep    146000.309736
    time_at_ap_reset            162614.632272
    time_at_ap_bootloader_done  ---

    FUSE.DEV_ID: 0xd2dccd59,0x2102f007
    PHONE_ON_L: 1
    VOL_UP_L: 1
    VOL_DN_L: 1
    PM_MSM_RST_L: 1
    AP_CTDL_IRQ: 0
    NETS_GOOD: 1
    TEMP.RANGE: 42.625,43.375
    STATS.MIN: 792
    STATS.MAX: 2215
    STATS.AVG: 1549
    HIST(0-599): 0
    HIST(600-1199): 1
    HIST(1200-1799): 7
    HIST(1800-2399): 2
    HIST(2400-2999): 0
    HIST(3000-3599): 0
    HIST(3600-4199): 0
    HIST(4200-4799): 0
    HIST(4800-5399): 0
    HIST(5400-5999): 0
    HIST(6000-6599): 0
    HIST(6600-7199): 0
    HIST(7200-7799): 0
    HIST(7800-8399): 0
    HIST(8400-8999): 0
    HIST(9000-9599): 0
    HIST(9600-10199): 0
    HIST(10200-10799): 0
    HIST(10800-11399): 0
    HIST(11400-11999): 0
    HIST(12000-): 0

    97ad30fe2da20fc0300261bc1a3cbc37b989df88 bazel_rules
    3cdf3eca0d0dd70c88b4f76fb44a9999df6e872b core/dcrypto
    f93f993f0a5e6ad9915a28441e48e8dfea6b9afe core/nugget
    e2797a7a7763ec042ce0287bec6bc031d04de9fd host/android
    5f8a04f743447950a3a1977ea87dafa2ceb2c369 host/generic
    5baf30afefa6fbbc2748b2998b48dc3760b89c30 host/linux
    6d6c354952307f1acb7b5bb4a38ccff9aba384bc prebuilts/clang/host/linux-x86
    29c92c535f007cfc33b396e9201f8179eba07194 prebuilts/lcov
    8984774a642892f25b7e353a333833ef7acb8174 prebuilts/linaro/4.9
    b09cda38a63d15ec3c761d48af51e183a1393f1d prebuilts/locked_loaders
    c4bcce8b73b0382a3cafca0009e303581d2d7c46 prebuilts/protoc/linux-x86
    c51dd6870ac22ad6729742bcf72baf6264370fe3 prebuilts/python-virtualenv/linux-x86
    53add29eb7b4eaa9e128e3ec84eac9e65cf4c986 prebuilts/python/linux-x86/2.7.5
    b5ddcdd0fc5f017cba9c823de5c472f10d849e56 prebuilts/riscv-gchips-clang
    fdcc9b8194be613a6f1c48eeef2871407f61223e prebuilts/riscv-gnu/stable
    42e4aa4f4c041746bcc2b3427f35c928bfa3d291 repohooks
    648aea1ad6c5b9937b988f3b3b0099132ce4b1ac test/jenkins
    16b9e671e6223fd2fabde111b56b3d453f4b4ad9 test/system-test-harness
    83c422905dd29a759b67892082bc943b04d2657d third_party/ahdlc
    f5bbc56c79e4ec0653aced61219c370b87df4f75 third_party/cn-cbor
    910a575cc5a204f49c2d266db546e124a04a3b7a third_party/cryptoc
    6924462b9f1522d391df1491a5c7db1f3e98fcda third_party/cryptoc-bsd
    e9c240dc7afc8b67c865625e675e3a5d5d7227cc third_party/libftdi
    9660e1954456ccce8848c9673a08e95aef8ed3a6 third_party/libmpsse
    d9b2ff3e8de040dc630fc4138b2f61be6063f4d9 third_party/nanopb
    9fa2a3d9e356a1f42a6184dcf1e0508ddfa9dbfb third_party/rapidjson
    7e4ee69b4d716edcda8dd21eecaa608fe494ec17 third_party/scripts
    cb2de5a810df1898cd3ae47d517603b8b12371c0 third_party/tpm2
    Found a Debian based hdctools installation that works *without* having to setup a chromium based chroot. Going to take a bit to install and configure everything. If anyone is interested, the installation is here: https://gitlab.collabora.com/chromium/servod-tools

    Note: even if this works for me, it won't work for you unless you have the suzyq cable or you modify an existing usb-c cable. Supposedly this cable, and when configured properly, automatically opens up consoles and uart, when connected to the device. This should only be possible if the device is unlocked *unless* you are able to enable the suzyq function without unlocking the bootloader. In this case we are able to do just that. And from what I gather, we aren't supposed to be able to enable suzyq at all.