While unlocking the bootloader on a Galaxy Nexus unleashes the full potential of the bootloader, it also poses a security risk. Even with your lockscreen protected with a pattern/PIN/password, not having flashed a custom recovery, and having an anti-theft app installed (maybe even converted/installed as a system app), your phone's data is easily accessible to a knowledgeable thief.
All the thief needs to do is reboot into the bootloader and boot or flash a custom recovery such as ClockWorkMod or TWRP. It's then possible to boot into recovery and use ADB commands to gain access to the phone's data on the internal memory (unless you have it encrypted) and copy/remove files at will.
Granted, the risk seems low. The thief would not only require knowledge of fastboot, he would have to turn off the phone before you have issued a wipe command using an anti-theft app. You could of course flash back the stock recovery & relock the bootloader after being done with flashing stuff, but that would require you to unlock it again if needed which will erase your userdata.
There are two ways to tackle this security risk AND retain unlocked bootloader functionality without losing userdata.
1) Encrypt your phone using Android's built-in encryption feature
Advantages:
- you can leave your bootloader unlocked & leave a custom recovery installed without risk of exposing your data.
Disadvantages:
- unless the custom recovery can decrypt your phone, you cannot use all of its features.
- when decryption fails, you cannot access your phone and need to do a factory reset from recovery. Users have reported not being able to decrypt after applying OTA updates.
- the encryption process is irreversible. The only way to return to an unencrypted phone is to perform a factory data reset which erases all your data.
2) Unlock & relock the bootloader from Android OS
Prerequisites:
- root access
- an app that can unlock/relock the bootloader at will such as BootUnlocker
Steps:
Root your device using one of the many guides out there (recommended guide). Install BootUnlocker. Reflash stock recovery and lock the bootloader. Whenever you need an unlocked bootloader again, simply use BootUnlocker to unlock it (this won't wipe userdata). When done, relock.
Advantages:
- doesn't require encryption (for those who do not wish to use it).
Disadvantages:
- relies on third-party apps.
- method will not work if you lose root access for whatever reason.
- method will not work when you cannot boot into Android for whatever reason.
USB debugging
Strictly not related to the bootloader, but for maximum security disable USB debugging when not required. Having it enabled allows the execution of ADB commands even if the lockscreen is still locked. Myself, I use Tasker in combination with Secure Settings to automatically enable USB debugging when my device is connected to my home WiFi access point but disabled if not connected.
The following video demonstrates what a knowledgeable thief can do with your phone when you have USB debugging enabled by default: http://www.youtube.com/watch?v=ah7DWawLax8&t=7m0s
More info: recently, an exploit has been discovered that will enable gaining root without going through the 'traditional' process of unlocking the bootloader & flashing a custom recovery in order to flash Superuser or SuperSU packages. See this post for a guide.
Play store devices
Devices bought directly from Google's Play Store apparently do NOT wipe userdata after fastboot oem unlock. So for these devices, method number 2 does not add any security. For more info, read this thread: http://forum.xda-developers.com/showthread.php?t=1650830
Very well written!!
One thing you may want to tie in to your explanation is the effect of having USB Debugging enabled - it's easy to gain root (and subsequently unlock your bootloader) with it enabled, even with a locked bootloader.
Sent from my Galaxy Nexus using Tapatalk 2
Added some information regarding USB debugging. Thanks for the tip, efrant.
Good read :good:
Do you have to be on stock rom to lock the bootloader ?
Oscuras said:
Do you have to be on stock rom to lock the bootloader ?
Nope.
Sent from my Galaxy Nexus using Tapatalk 2
Thanks for this :good:
Trying to wrap my head around this with regards to anti theft protection etc.
Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?
Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?
Thanks
Guiding.God said:
Thanks for this :good:
Trying to wrap my head around this with regards to anti theft protection etc.
Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?
Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?
Thanks
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and running fastboot oem unlock OR using Odin to flash your device. However, doing so will effectively wipe your device, so your personal data cannot be accessed.
I would worry more about my phone than data because I have nothing important on it...
Sent from my Galaxy Nexus using xda premium
Petrovski80 said:
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and running fastboot oem unlock OR using Odin to flash your device. However, doing so will effectively wipe your device, so your personal data cannot be accessed.
qtwrk said:
I would worry more about my phone than data because I have nothing important on it...
Sent from my Galaxy Nexus using xda premium
Thanks for the clarification.
And I worry more about the work related data, the phone itself is insured
This is important info, and a lot of folks probably don't realize how open they are. This should be stickied or better yet included in the stickied thread where the bootloader unlock instructions are. Thanks for the post.
Great info. One question, I use Titanium Backup automated nightly to backup data and new apps, and it requires USB Debugging on.
I suppose I could use Secure Settings to turn USB Debugging on and off, but that means an opening is available once a day for a few minutes. Thoughts?
Pkt_Lnt said:
Great info. One question, I use Titanium Backup automated nightly to backup data and new apps, and it requires USB Debugging on.
I suppose I could use Secure Settings to turn USB Debugging on and off, but that means an opening is available once a day for a few minutes. Thoughts?
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
I downloaded Secure Settings to check it, and it will work. I have AutomateIT Pro and it does not support plug-ins. I have been finding more tasks that it seems only Tasker can perform, I guess it is time to get it. Thank you.
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Great idea.
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
A Jasager router could exploit this if you have WiFi enabled in public. When WiFi is enabled and not connected to a network, every 'x' period of time (depending upon your wifi.supplicant_scan_interval setting in your build.prop) your phone will send out a packet saying "hey, is xyz network around?". It will do that for every network that you have saved settings for.
Under normal circumstances, you get no reply when away from your home router and the phone just waits the interval to try again. A Jasager ("yes man" in German) router waits for a device to send out those packets and simply responds "yep, that's me!". Under this circumstance, your phone would authenticate to their router and think it's on your home network, triggering any applicable Tasker options.
This is one of the reasons that I do not have WiFi enabled unless I actively want to be connected to a router in the area.
Also, I have USB Debugging disabled and my TiBu backups run perfectly fine according to schedule.
I am not a paranoid worry wart, so the risks are more than worth it for me. There's nothing on here that I would care about if someone got a hold of it anyway.
Sent from my Galaxy Nexus using xda premium
Cilraaz said:
A Jasager router could exploit this if you have WiFi enabled in public. When WiFi is enabled and not connected to a network, every 'x' period of time (depending upon your wifi.supplicant_scan_interval setting in your build.prop) your phone will send out a packet saying "hey, is xyz network around?". It will do that for every network that you have saved settings for.
Under normal circumstances, you get no reply when away from your home router and the phone just waits the interval to try again. A Jasager ("yes man" in German) router waits for a device to send out those packets and simply responds "yep, that's me!". Under this circumstance, your phone would authenticate to their router and think it's on your home network, triggering any applicable Tasker options.
This is one of the reasons that I do not have WiFi enabled unless I actively want to be connected to a router in the area.
Also, I have USB Debugging disabled and my TiBu backups run perfectly fine according to schedule.
Maybe. Tasker checks both the SSID and the MAC address of my router before it returns 'wifi connected' as true and enables USB debugging. Sure, MAC addresses are easy to spoof, but I don't think the MAC address is part of the broadcast packet (I haven't checked) because that's simply a value stored by Tasker itself.
And even if it is, the combination of a lost/stolen GNEX and a thief who modded their router with jasager firmware + knows ADB is too unlikely for me to worry about it. But indeed, for maximum security it's best not to automate enabling of USB debugging.
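The SSID-plus-BSSID gate described above, written out as an added example that is not part of the original thread and not Tasker's or Secure Settings' own code: a POSIX shell script that only turns USB debugging on when both the SSID and the router MAC match stored home values, so a Jasager-style access point that merely answers to the probed SSID is rejected. It assumes a rooted device where wpa_cli status and settings put global adb_enabled are available; the wpa_cli outputs and the home SSID/BSSID are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): gate USB debugging on a verified home
# network, checking both SSID and BSSID as the Tasker profile above does.
# Assumes a rooted device with `wpa_cli status` and `settings` available;
# the sample outputs and home values below are constructed for offline use.

HOME_SSID="MyHomeWifi"          # assumed value
HOME_BSSID="00:11:22:33:44:55"  # assumed value (router MAC, lower-case hex)

# Extract one key=value field from wpa_cli status output given on stdin.
wpa_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# Exit 0 (trusted) only when the link is fully associated AND both the SSID
# and the BSSID match the stored home values; anything else exits 1.
# A Jasager/KARMA access point that only answers to the probed SSID fails
# the BSSID comparison.
network_is_trusted() {
    status="$1"
    state=$(printf '%s\n' "$status" | wpa_field wpa_state)
    ssid=$(printf '%s\n' "$status" | wpa_field ssid)
    bssid=$(printf '%s\n' "$status" | wpa_field bssid | tr 'A-F' 'a-f')
    [ "$state" = "COMPLETED" ] || return 1
    [ "$ssid" = "$HOME_SSID" ] || return 1
    [ "$bssid" = "$HOME_BSSID" ] || return 1
    return 0
}

# Decide the adb_enabled value: 1 only on the trusted network, otherwise 0.
decide_adb_enabled() {
    if network_is_trusted "$1"; then echo 1; else echo 0; fi
}

# Apply the decision on a real device (requires root; not exercised offline).
apply_adb_policy() {
    status=$(wpa_cli status 2>/dev/null)
    settings put global adb_enabled "$(decide_adb_enabled "$status")"
}

# Constructed samples: the genuine home router, and a rogue AP that spoofs
# the SSID but carries a different BSSID.
SAMPLE_HOME="bssid=00:11:22:33:44:55
ssid=MyHomeWifi
wpa_state=COMPLETED"
SAMPLE_ROGUE="bssid=de:ad:be:ef:00:01
ssid=MyHomeWifi
wpa_state=COMPLETED"
```

Run apply_adb_policy from a periodic root job (or a Tasker shell action) so debugging is switched off again as soon as the phone leaves the verified network.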
Petrovski80 said:
Maybe. Tasker checks both the SSID and the MAC address of my router before it returns 'wifi connected' as true and enables USB debugging. Sure, MAC addresses are easy to spoof, but I don't think the MAC address is part of the broadcast packet (I haven't checked) because that's simply a value stored by Tasker itself.
And even if it is, the combination of a lost/stolen GNEX and a thief who modded their router with jasager firmware + knows ADB is too unlikely for me to worry about it. But indeed, for maximum security it's best not to automate enabling of USB debugging.
The MAC check would almost certainly keep you safe.
It's interesting stumbling across this thread after having just seen a podcast episode about Android hacking. If anyone is interested, check out Hak5. One of their recent episodes is about Android hacking via ADB, specifically something called P2PADB that was created for quick device-to-device ADB access. It was fairly amazing the things this person could do to a phone that has USB Debugging enabled.
Cilraaz said:
The MAC check would almost certainly keep you safe.
It's interesting stumbling across this thread after having just seen a podcast episode about Android hacking. If anyone is interested, check out Hak5. One of their recent episodes is about Android hacking via ADB, specifically something called P2PADB that was created for quick device-to-device ADB access. It was fairly amazing the things this person could do to a phone that has USB Debugging enabled.
Watching the video right now. Personally, I find it a gaping security hole that the ADB interface is accessible through a locked lockscreen.
For anyone interested in the vid: the ADB part starts at 7:00.
Edit: amazing video. It really proves what a knowledgeable thief can do when you have USB debugging enabled, especially when combined with root access (don't we all?). I'm going to add the video to my post. Thanks for the info Cilraaz!
I want to use the Root call blocker app which requires root access.
HTCdev instructions for root emphasise that 'OEM unlock' should be ticked in developer options before proceeding further. This option is not shown in my developer options screen & when I look at the bootloader screen the top item shows **LOCKED**
I guess this is why OEM unlock isn't shown.
I'm a complete novice & my only reason to root (so far....) is to use that particular call blocker. I have called HTC & they don't seem to know what I'm talking about...they think I'm asking how to get into the developer options screen! Any help will be appreciated & explanations in simple terms also.
Ah... you didn't reply in the other thread but you opened a new one... and I asked a moderator to move this to the Q&A section.
Why don't you use any of the call blocker apps that don't require root access? There are many of them on the Play Store.
Anyway... to root your M8, you need to:
1. unlock the bootloader through http://www.htcdev.com/
2. install TWRP recovery
3. install SuperSU.zip
There is no such thing as "OEM unlock" on the M8.
Hi, thanks for the reply & sorry for posting in the wrong section earlier.
The reason I want to use 'Root Call Blocker' is because, unlike other such apps, it doesn't use the ring & hang up or divert to voicemail method. It kills the call completely & as such avoids the single ring scam which has just started to affect some phones here....mostly Vodaphone users. As yet no one is sure how the scam works, but the victims are left with huge phone bills & have never called the number itemised on the bill. So......that's why I want to use that app.
Regarding HTCdev.....I have registered with them, having researched them as probably being the safest for someone with no experience, & it is the reason for this post, as I quote below step 2 of their instructions:
''Step 2
Use the Volume buttons to select up or down. Highlight Fastboot and press the Power button.
NOTE: All new HTC devices shipped since One M9 support download mode instead of bootloader mode for this step. And for select HTC devices with Android Lollipop and all devices that receive Marshmallow, you will need to first manually enable OEM unlocking in Developer options in order to allow the bootloader to be unlocked and proceed with the next steps.''
The reason I can't proceed is because my device does not show the option for OEM unlocking....yes, I do know how to get to developer options.
I have tried all the ''one click root'' methods & they haven't worked........so......any help?
There is no OEM UNLOCKING on the HTC M8; only certain/newer devices have that.
In step 2, they explain how to get to the fastboot screen. If your current screen shows hboot (highlighted in blue), press power once to get to the fastboot screen.
As long as your screen is now showing fastboot usb (highlighted in red) when connected to the PC, you can proceed to step 5 and run the command
fastboot oem get_identifier_token
OK, password forgotten: you can still use the device, but you'll need a smartphone with mobile data and turn on the "Mobile hotspot". On the checking for software updates, a.s.a.p. turn off the mobile hotspot; it will say could not connect.
UPDATE 1. For those who do not have access to a hotspot: be prepared to disable your WiFi at your modem.
Agree to the next prompts. It will ask you if you want to set up security; create a 4-digit PIN, I suggest 1234. After you create the 4-digit PIN, you turn off the tablet and turn it on again.
When the tablet is on again and "Enter PIN" appears, don't worry if you don't see the camera icon on the display. What you need is the USER icon (what I mean is that "human face" icon which is located on the TOP RIGHT CORNER). Click that "human face" icon, then you'll see "Add user" so click on that "Add user". Follow through as a new user, you'll need to create a Samsung account or if you have one already you'll need to log into your Samsung account. UPDATE 2. I SKIPPED THIS ACCOUNT SETUP.
UPDATE 3. You'll have 2 users, you will not be able to erase the first one.
Now you have access to storage. Place this https://dl.dropboxusercontent.com/u/...FRP_REMOVE.apk
in downloads and run the app on install.
Full tool here https://dl.dropboxusercontent.com/u/...pps Full.zip
Go back to users, first user (owner), tap it, you will log in to that account. It will say set up tablet; drag the notification bar down, software update, smart switch, ignore it. Enable WiFi, connect to any one you can, then tap setup tablet and follow; it will ask for a password, I skipped it and got in and went to settings. Now I had access to backup and reset. Full wipe done, smile.
Thanks to everyone who has worked on this. I have updated these instructions. Originally Posted by dama0002
And it is working on all MM devices I have come across so far, phones included.
FYI again, for those who don't have access to a hotspot: be prepared to disable your WiFi at your modem; timing is important.
I hope it helps.
I've had an unlocked Snapdragon Note 10+ sitting around for quite a while doing nothing (it was powered on much of the time) and finally decided it was time to give it the gift of TWRP and Magisk. After enabling developer mode, the OEM unlock toggle was present, and seemingly was reflected on the download screen:
Code:
OEM LOCK : OFF (L)
The bootloader welcome screen was shown in Asian characters, so I initially didn't realize what was going on, but in each case, my attempts to flash TWRP failed with the bootloader indicating it was blocked by the OEM lock. I ultimately did a few factory resets to see if they would have any effect. In some cases after factory reset, the OEM Unlock setting in developer options was present and in other cases it was not. However, in each case where it was missing, I was ultimately able to get it to appear by manipulating a combination of date/time and software update settings as described in numerous posts and articles.
What I didn't realize was that the Asian language welcome screen was simply asking me to press volume up to enable custom image flashing. After realizing this, my impression here is that the OFF/ON refers to the bootloader's interpretation of the OEM Unlock status, and the (L/U) refers to whether the user pressed volume up at the welcome screen (unlock to enable flashing custom images) or something else (leaving the bootloader locked).
However, now regardless of the OEM Unlock setting, I always see the following on the download screen, depending on whether I press volume down on the welcome screen:
Code:
OEM LOCK : ON (L)
or volume up:
Code:
OEM LOCK : ON (U)
I also see:
Code:
RMM STATUS : CHECKING
So, what's going on here? Did I just earn myself a 7-day RMM lockout, or is something else going on? I thought that 7-day lockouts were indicated by an RMM status of "PRENORMAL". How can I get the bootloader to unlock properly?
The software build currently on the device is N9750ZSS2ASKB.
Thanks.
sjevtic said:
I've had an unlocked Snapdragon Note 10+ sitting around for quite a while doing nothing (it was powered on much of the time) and finally decided it was time to give it the gift of TWRP and Magisk. After enabling developer mode, the OEM unlock toggle was present, and seemingly was reflected on the download screen:
Code:
OEM LOCK : OFF (L)
The bootloader welcome screen was shown in Asian characters, so I initially didn't realize what was going on, but in each case, my attempts to flash TWRP failed with the bootloader indicating it was blocked by the OEM lock. I ultimately did a few factory resets to see if they would have any effect. In some cases after factory reset, the OEM Unlock setting in developer options was present and in other cases it was not. However, in each case where it was missing, I was ultimately able to get it to appear by manipulating a combination of date/time and software update settings as described in numerous posts and articles.
What I didn't realize was that the Asian language welcome screen was simply asking me to press volume up to enable custom image flashing. After realizing this, my impression here is that the OFF/ON refers to the bootloader's interpretation of the OEM Unlock status, and the (L/U) refers to whether the user pressed volume up at the welcome screen (unlock to enable flashing custom images) or something else (leaving the bootloader locked).
However, now regardless of the OEM Unlock setting, I always see the following on the download screen, depending on whether I press volume down on the welcome screen:
Code:
OEM LOCK : ON (L)
or volume up:
Code:
OEM LOCK : ON (U)
I also see:
Code:
RMM STATUS : CHECKING
So, what's going on here? Did I just earn myself a 7-day RMM lockout, or is something else going on? I thought that 7-day lockouts were indicated by an RMM status of "PRENORMAL". How can I get the bootloader to unlock properly?
The software build currently on the device is N9750ZSS2ASKB.
Thanks.
RMM status of "PRENORMAL": you can't flash TWRP.
kin201303 said:
RMM status of "PRENORMAL": you can't flash TWRP.
It's not though. It's on "CHECKING". What's blocking my installation of TWRP?
sjevtic said:
It's not though. It's on "CHECKING". What's blocking my installation of TWRP?
see the Image
kin201303 said:
see the Image
And more specifically, why isn't the bootloader OEM lock status message following the OEM unlock toggle setting in developer options?
sjevtic said:
And more specifically, why isn't the bootloader OEM lock status message following the OEM unlock toggle setting in developer options?
I don't know
I have
After a week (168 hours) of uptime, booting into download mode no longer results in an RMM status message. Although the OEM Unlock toggle in developer options is set to ON, the bootloader still does not reflect this, instead still indicating that the OEM lock is activated. How can I resolve this?
Thanks.
For all that wondered what was going on: the problem here was the lack of a long press of the volume up button on the bootloader unlock confirmation screen to complete the second stage of bootloader unlocking. Though this is clearly explained on the screen, this particular device features bootloader screens in Asian language characters which I sadly didn't understand.
sjevtic said:
For all that wondered what was going on: the problem here was the lack of a long press of the volume up button on the bootloader unlock confirmation screen to complete the second stage of bootloader unlocking. Though this is clearly explained on the screen, this particular device features bootloader screens in Asian language characters which I sadly didn't understand.
Korean or what?
Hello, if you are trying to unlock the bootloader, follow these steps:
1. Start the phone and update to the newer version of the firmware.
2. To enable OEM Unlocking, first enable developer options in Settings > About phone > tap 5 times on Build number.
3. Now, if OEM Unlocking is greyed out in Settings > System > Advanced > Developer Options, try:
3.1. Connect to the internet and wait a few days; the option enables automatically.
3.2. Contact an agent in the Lenovo forums.
This works fine on the Moto G60 XT2135-1.
Step 4: Get the unlock code from Moto Unlock site.
Unlocking the Bootloader | Motorola Support US
motorola-global-portal.custhelp.com
Hi! I have a Motorola G60, I opened the bootloader, but couldn't find any modified ROMs for it. I didn't change anything, I didn't root.
How to lock the bootloader?
Fastboot oem lock?
Unlocking the bootloader probably removes Widevine L1 support, right? So, does relocking it get it back from L3 to L1?