Related
Simply put I want to Lock my bootloader and recovery even disabling recovery would be fine.
I'm basically asking if this is possible although I understand there are so to speak 1337 methods to bypass the Security measures I'm concerned with.
It's just most people's first approach to a phone they just found/stole is factory reset where frp would kick in, with the unlocked bootloader that would be easy af to bypass. *Not to mention frp bypass methods that are public
My goal is to set up my phone with the latest release of Pure Nexus + root and Latest TWRP, from there Lock the bootloader and then secure TWRP IE recover with a return to owner for reward with contact info.
Basically disabling/locking recovery with a return to owner screen and locking the bootloader as basic deterrent's for any common / petty their or anyone looking to upgrade to the phone they just found if you catch my drift.
-Also it would be nice to feel a little more secure with all these extra features PureNexus offers although I get that Android Security is fundamentally flawed these are just deterrents, also I'd be stoked to see this on a device I come across.
*Wouldn't hesitate to up call the owner of a phone that properly configured, although I know I could bypass it just a respect thing for me. :3
You can lock the bootloader, but it can simply be unlocked again. The only way to ensure it can't be unlocked is to encrypt it, and no Nexus device has an encrypted bootloader. Recovery cannot be disabled, though you could flash a non-working recovery image to the recovery partition. In that case however, simply unlocking the bootloader would allow someone to flash a recovery image to the device.
Your goals are laudable, but you're wasting your time here. To accomplish your end goal requires a device with an encrypted bootloader, which means you want something that isn't a Nexus and is sold through AT&T or Verizon. Both carriers encrypt the bootloader so you can't unlock it.
So basically because the bootloader cannot be secured my efforts would be in vain, are we sure I can't simply relock the bootloader in the same fashion that the stock rom is shipped out.
IE I remember having to OEM unlock in order to flash a custom recovery, with that being said after flashing a disabled recovery is it not possible to then re enable OEM lock somehow even with Pure Nexus running.
*Perhaps even only with the stock rom?
I'll make this as plain as I can. The only way to secure the bootloader is to encrypt it. Locking the bootloader and resetting the OEM Unlocking toggle in Developer Options won't help since any potential thief can simply unlock the bootloader. If you want to improve security, set a pin, pattern lock, or password after you mess around with locking the bootloader and setting the OEM Unlock toggle to off (if possible).
Simply disabling the ome toggle in developer setting doesn't relock the bootloader so would you say it's safe to run "fastboot oem lock" with Pure Nexus installed wipe data and then disable the oem toggle?
If that works wouldn't it be True to say I would need re enable the oem toggle and then "fastboot oem unlock" if I ever intended to replace the disabled recovery.
I really just wanted to shoot in the dark, although I don't want to brick my Nexus 6. Also sorry for a better lack of information on my part I don't mean to be a hassle.
JmakeITlookEZY said:
Simply disabling the ome toggle in developer setting doesn't relock the bootloader so would you say it's safe to run "fastboot oem lock" with Pure Nexus installed wipe data and then disable the oem toggle?
If that works wouldn't it be True to say I would need re enable the oem toggle and then "fastboot oem unlock" if I ever intended to replace the disabled recovery.
I really just wanted to shoot in the dark, although I don't want to brick my Nexus 6. Also sorry for a better lack of information on my part I don't mean to be a hassle.
Click to expand...
Click to collapse
Never lock the bootloader when running a.custom ROM... Bad very bad idea
rignfool said:
Never lock the bootloader when running a.custom ROM... Bad very bad idea
Click to expand...
Click to collapse
Worth asking why?
As in is this a goal worth pursuing IE a custom or unofficial build that supports such functionality.
Possibly already done: http://android.stackexchange.com/qu...4-7-bootloader-after-flashing-a-non-stock-rom
JmakeITlookEZY said:
Worth asking why?
As in is this a goal worth pursuing IE a custom or unofficial build that supports such functionality.
Click to expand...
Click to collapse
Because...
Stock ROMs are tested and tested for compatibility... To make sure you don't wind up in a bootloop (unless you have an LG)
Custom ROMs... Are not... No matter beans best intentions... He's no OEM...
You wind up in a bootloop for whatever reason... And a factory reset doesn't fix it... You're done... You have a paperweight...
So proceed as pleased, if I feel risky or got an extra Shamu I'll shoot in the dark and post the results. :3
More info:
What the consequences are really depends on your device. Most devices enable signature-verification for the boot partition (kernel) which prevents you from booting any kernels not signed by device manufacturer (unless you exploit some security breaches like 2nd boot). They also disallow you to flash any partition via 'fastboot flash' command, but not on all devices.
So no, you are not okay with relocking your phone: If you use custom firmware, you typically use a custom kernel and in this case, re-locking your bootloader via 'fastboot oem lock' will put your device in a state where it will not boot anymore! Be careful with that.
Info source: http://android.stackexchange.com/users/89475/kuleszdl
Idea: Disable signature-verification?
Note: Everyone thinks it will brick no one has said it happened, very strong possibility signature-verification is enabled. ?
are you an secret agent or something?
why the extreme paranoia about having this phone?
wase4711 said:
are you an secret agent or something?
why the extreme paranoia about having this phone?
Click to expand...
Click to collapse
I agree.
@JmakeITlookEZY, Basically, if your trying to say they want to give someone a phone that cannot be unlocked after locking it, then this isn't the device for you. There is an 'OEM Unlock' to prevent this but to hide this setting, would have no idea . And if you lock the bootloader and then someone wants to unlock it, it has to wipe the device.
Just have to live with the fact if someone wants to try and unlock the device, it's gonna get wiped no matter what. I'm no security expert but if you're worried something is going to happen to your phone, then you shouldn't be using it.
And if your really concerned, using a screen lock will prevent users from going into the recovery or booting the device anyways.
Gysper said:
?
Click to expand...
Click to collapse
It would be nice to feel confident enough to leave my device lying around or even lose it and know that it will either be returned or discarded.
I believe that level of security should be an option, not to mention have the ability to do it to begin with.
JmakeITlookEZY said:
It would be nice to feel confident enough to leave my device lying around or even lose it and know that it will either be returned or discarded.
I believe that level of security should be an option, not to mention have the ability to do it to begin with.
Click to expand...
Click to collapse
Yeah its called GPS
google Android Device Manager and use the locate device. You can even lock it if lost and erase all data.
Gysper said:
?
Click to expand...
Click to collapse
Not really a concern, if someone decided to keep the device the first step would be turn it off.
*More than likely reset from there epically considering encrypting the device would be a given.
JmakeITlookEZY said:
Not really a concern, if someone decided to keep the device the first step would be turn it off.
*More than likely reset from there epically considering encrypting the device would be a given.
Click to expand...
Click to collapse
Buy a tracking device and hack the phone. Problem solved
Gysper said:
?
Click to expand...
Click to collapse
Care to elaborate "tracking device" & "hack the phone" just dosen't seem to be what I'm shooting for.
JmakeITlookEZY said:
Care to elaborate "tracking device" & "hack the phone" just dosen't seem to be what I'm shooting for.
Click to expand...
Click to collapse
So you don't work for the CIA...
Let's be real, if you have no trust when something gets lost, then you don't deserve it. Should do your research and check out how to prevent something if it get's lost: http://www.apartmenttherapy.com/what-really-happens-when-a-smartphone-is-lost-195321
This is not a suicide hotline thread, if you're scared about losing something and not getting it returned, then I have to say you have a serious episode of OCD. Don't be that guy and learn to live with the consequences.
Gysper said:
?
Click to expand...
Click to collapse
Just to be Frank this is about information and general purpose security how you perceive it, is whatever.
*Also to address the "you don't deserve it" my concerns are the opposite it's not that I don't deserve it, more the other way around.
Update: Found more information that pretty much sums up what I hope to accomplish aswell as the implications.
Source: http://www.androidpolice.com/2011/0...ncryption-signing-and-locking-let-me-explain/
Update,
May be possible via: https://forum.xda-developers.com/an...signing-boot-images-android-verified-t3600606
Hello guys..
I am not able to find out what is DM verity..??
When does it occur ???
And how to fix it ??
Is it really a serious problem..?
Please help me
Actually I am a noob ..
Hello
+1
When it will be fix ?
bye
DM-verity is a security feature in Android. There's nothing to fix...
If you root and modify your device you usually need to somehow disable dm-verity, but this is usually taken care of when rooting (Magisk and SuperSU). Otherwise there's usually dm-verity disable zips around, and most custom kernels also disable it as well.
Mayank7 said:
Hello guys..
I am not able to find out what is DM verity..??
Actually I am a noob ..
Click to expand...
Click to collapse
If you weren't able to find it, I don't think you looked very hard. It's been discussed and answered many may many times.
Number one rule to learn as an xda noob: search search search. You will have a very tough time, thinkiing of a question that hasn't already been asked and answered at some point. At least not things as simple as dm-verity, how to root, etc.
Mayank7 said:
When does it occur ???
And how to fix it ??
Is it really a serious problem..?
Click to expand...
Click to collapse
To be nice, since you are new:
If you have the dm-verity warning screen (which simply goes away after 5 seconds, or you can bypass by pressing power button), I assume you flashed TWRP and/or root, custom ROM, etc.
In that case, dm-verity is normal, as those types of modifications will always trigger the dm-verity warning screen.
The dm-verity warning is similar to the bootloader unlocked warning. Simply ignore it, wait 5 seconds for it to go away, or just press the power button to bypass.
If you want, there are ways to bypass the dm-verity warning screen (so it doesn't show up) either by downgrading firmware, disable dm-verity, then upgrade firmware again. Other method is modified boot.img. Either of these mods, don't "correct" the condition that is causing the dm-verity warning, but rather just disable the appearance of the warning screen itself. As already mentioned, there is really nothing to "fix" since the dm-verity warning screen is normal, if your phone is modified by you.
If however, you get the dm-verity screen, and the phone refuses to boot, you may have swiped in TWRP to allow system modifications (which you are not supposed to do). But normally, rooting or custom kernel will bypass this condition.
Hello everyone,
Every time my moto x4 is restarted, a message appears on the boot screen:
"verity mode is set to logging"
It is something quick, written in yellow and soon the device finishes the initialization.
I wonder if this affects anything on the device?
I make the following observations:
My moto x4 was in the version PAYTON_OPW29.69-26_SUBSIDY-DEFAULT_REGULATORY-DEFAULT_CFC.XML. As I was having problems with Wi-Fi on the device, I decided to unlock the bootloader and flash another version of the android. Finally I opted for PAYTON_FI_OPWS28.46-21-12_SUBSIDY-DEFAULT_REGULATORY-DEFAULT_CFC.XML, this after having tested other versions, all with success. But since I unlocked the bootloader and did the first downgrade this message appears at the boot of the device.
My moto x4 is an XT1900-6.
Another thing done through a previous search was to run the command "getprop ro.boot.veritymode" in the terminal, directly on the device, which returned: "enforcing".
Anyway, I'm not sure if everything is OK with the device or if I lost any important function. If it is a normal error and if it is not, I would like to know the solution to this problem.
This is "normal". I think you can ignore it. If you were worried about security and privacy, you would want it to be enforcing so that the phone wouldn't boot if it was modified. Most users do not want this since it would break a lot of things.
Edit: are you using any third party zips to hide root or pass safety net? They might mask the verity mode, maybe? I don't use them so I couldn't tell you the expected behavior.
gee one said:
This is "normal". I think you can ignore it. If you were worried about security and privacy, you would want it to be enforcing so that the phone wouldn't boot if it was modified. Most users do not want this since it would break a lot of things.
Edit: are you using any third party zips to hide root or pass safety net? They might mask the verity mode, maybe? I don't use them so I couldn't tell you the expected behavior.
Click to expand...
Click to collapse
I did another clean install, using the same firmware as android 8.1 (one), now I'm not using root, as I see no need. I hope there is no problem with this message on the boot screen. I hope I still receive updates via OTA.
To remove this message needs to flash the bootloader from phone variant. This file fix for XT1900-6.
filipepferraz said:
To remove this message needs to flash the bootloader from phone variant. This file fix for XT1900-6.
Click to expand...
Click to collapse
nice bro, it worked for me. :good: :fingers-crossed:
Hi all,
I am trying to relock the bootloader on 3T, with no success. I want to do it because of too many apps nagging me or not working with unlocked bootloader
here's what I did to unlock in the past and relock:
unlocking:
- enable dev options, enable oem unlocking & usb debugging
- flashed TWRP & fastboot oem unlock from command line (don't remember which I did first)
- got my phone wiped which was an an unexpected surprise!
- bootloader unlocked, the fist of those lovely warning screens telling me so
- tried to root without success, so no custom ROMs for me
- lived with it like this for a while, too many apps telling me they won't work, decided to relock
- got latest stock ROM, flashed it via TWRP, wiped, tried to fastboot oem lock ==> success reported by CLI, BUT device still unlocked
- flashed just the 3t recovery img, wiped, fastboot oem lock ==> success reported by CLI, BUT device still unlocked
- tried the qualcomm unbrick tool after installing the recommended drivers, can't have it see my device maybe because it's not bricked or maybe some other reason, I don't know. it doesn't show up in the app. Will uninstall and reactivate driver signature checks soon unless someone explains me how to make the bloody phone show up ...
So at this moment I have a many times-wiped phone with latest 9.0.4 stock ROM whose bootloader won't lock back. I am quite at a loss. I haven't tried any magisk or similat, SuperSU at the time told me I am not rooted.
I am tearing out the few hairs I have left. Any help for this poor family man so that he may not be allowed to walk in darkness? (quote from Uninvited). Thanks
Why don't you use Magisk hide to hide root/unlock status to those apps instead of loosing root/adaway and more?
pitrus- said:
Why don't you use Magisk hide to hide root/unlock status to those apps instead of loosing root/adaway and more?
Click to expand...
Click to collapse
I have never investigated Magisk, I think I installed it at the tima but there was some problem with it so I uninstalled it and didn't think much more about it. The problem is, my phone is not rooted (even though I tried it failed, I unlocked the bootloader to root it in the first place but was not successful), only OEM unblocked. So, so to say, I'm stuck in the worst of the possible worlds except for a bricked device. unlocked with no apparent way to relock it, and not rooted.
I feel like my phone is in some strange state where the normal procedures do not work. If I could at least figure out what's wrong with the rooting, I could go the full way AND then, in case use Magisk. but at the moment I feel like there is a need to put the phone in a known definite state whichever it is and work from there. I'd be happy to revert to stock and locked and then redo everything when needed in the future.
How could I troubleshoot further or get to such a "known state"? many thanks
The thing you did wrong was using the outdated SuperSU method of rooting which is not supported anymore. You should just flash the latest Magisk zip of their github page and then you will have root with the possibility of hiding it for bank apps and others.
https://github.com/topjohnwu/Magisk/releases/download/v20.4/Magisk-v20.4.zip
pitrus- said:
The thing you did wrong was using the outdated SuperSU method of rooting which is not supported anymore. You should just flash the latest Magisk zip of their github page and then you will have root with the possibility of hiding it for bank apps and others.
https://github.com/topjohnwu/Magisk/releases/download/v20.4/Magisk-v20.4.zip
Click to expand...
Click to collapse
Thanks pitrus, I'll have a look at it tomorrow and will update with what happened
MassiB said:
Thanks pitrus, I'll have a look at it tomorrow and will update with what happened
Click to expand...
Click to collapse
Hi, update. I installed Magisk but, seeing that it had a way to put the phone in EDL mode, instead of going full root I decided to go the other way around and try to make my phone as stock as possible and reserve the experiments to an unit other than my primary. So I used the Qualcomm "unbrick" tool, and was able to flash the OxygenOS version that came with it - a rather old Android 6 whose networking (wifi, mobile...) wasn't working. But an adb sideload of the latest version after having put the phone in recovery mode allowed me to restore the networking and to update to the last supported version.
Magisk made the difference in getting me out of the spot. Thanks for bringing it to my attention!
1) Make sure your bootloader is unlocked, and your phone is USB debuggable.
Note: unlocking the bootloader will wipe your data and void your warranty and stop OTA updates.
Note 2: There are guides on how to unlock it elsewhere.
2) Check your software channel version. It is under Settings>About Phone>Software Channel. Also, check your model number. That should be available on the box the phone came in, or you can get that by using a device information app like CPU-Z or AIDA64, or if you boot into fastboot mode, it should be displayed there as well. Check your build number as well.
Mine is "retin", so I will be using that as an example. And my model number is XT-2091-4, or something like that. My build number is QZC30.Q4-22-57.
3) Go to @sd_shadow's thread (link here) to grab the stock firmware for your specific channel, build number and model number. Make sure that you get the firmware for your software channel, build number and model number only. Your phone will brick if you get this wrong.
4) The file is around 2 gigs, once it is downloaded, unzip it, because it is a archive. Once unzipped, there will be various image files, grab the one named 'boot.img' and transfer it to your phone.
5) Grab the latest Magisk release, as of this writing v22.0, from https://github.com/topjohnwu/magisk/releases/. From v22.0, there will only be a single Magisk apk, no separate Magisk Manager app. Install the app, and follow the guide to use it to root your phone at https://topjohnwu.github.io/Magisk/install.html
6) And that's it, your phone has been rooted, go install the boot animation of your choice (the stock one is atrocious. What is this monstrosity, Moto?), whichever Magisk modules you want, or use the newly gained superpower of superuser access to make a device tree for our device to start building TWRP and custom ROMs.
EDIT 1: This should be common knowledge and pretty obvious, but in case you didn't know, unlocking your bootloader will degrade your Widevine certification to L3, meaning Netflix, and other apps requiring Widevine DRM will only play content at Standard Definition, i.e., below 720p. There is no known way to get back L1 with the bootloader unlocked, the only solution is relocking the bootloader.
Also, banking apps, Google Pay, etc, and other apps that specifically check for unlocked bootloaders will cease to work properly. If this is unacceptable, DO NOT unlock your bootloader.
Note:
I don't know if this is placebo effect or what, but I noticed the battery drain was a lot more after I unlocked the bootloader and installed Magisk.
The battery ran out way too quickly as compared to when running stock.
I don't know if this is a result of unlocking the bootloader, or running Magisk, or a combination of the two, or the Magisk modules I installed on top of it, or all of the above.
So, take note of this. Here there be dragons, and all that.
mistersmee said:
Note:
I don't know if this is placebo effect or what, but I noticed the battery drain was a lot more after I unlocked the bootloader and installed Magisk.
The battery ran out way too quickly as compared to when running stock.
I don't know if this is a result of unlocking the bootloader, or running Magisk, or a combination of the two, or the Magisk modules I installed on top of it, or all of the above.
So, take note of this. Here there be dragons, and all that.
Click to expand...
Click to collapse
Thats pretty much how i did mine... The battery is a beast... Im a day and half without charge and still at 44%. I do a lot of odd power hungry dookie on mine. Only thing I think I noticed was making it drain faster wss i inserted a memory card after rooting but it may have been a fluke as a couple days later i cant tell anymore
¯\_(ツ)_/¯
Hi
Hi
Si