A basic question: is "unlocking bootloader" the same as "rooting"? - Upgrading, Modifying and Unlocking

A basic question: is "unlocking bootloader" the same as "rooting"?
This is in reference to HTC's promise to make their bootloaders unlockable through a web tool.
What exactly does "to unlock the bootloader" mean? Is it the same thing that we also know as "rooting"? Is it just a first step towards "rooting"? Or is it something totally different?

Unlocking the bootloader is NOT the same as rooting. Unlocking the bootloader is turning off/removing the security flag of the bootloader. When the bootloader is locked, the security flag is on (S-ON), which prevents rooting easily and flashing of roms not made by the company (who made the device). When the bootloader is unlocked (S-OFF), you will be able to root easier, flash whatever you want, etc. Also, having S-OFF gives rooted devices much more access and freedom to many things. Example: some apps only require root, but others which do many more things require root + S-OFF.

Oh, I see. Thank you for the answer. So, we are talking about what is usually informally referred to as "S-OFF".

TheKorbenDallas said:
Oh, I see. Thank you for the answer. So, we are talking about what is usually informally referred to as "S-OFF".
Yes. Exactly.

Actually, this time the security flag was stored in the radio, not the bootloader (for the Evo 3D/Sensation), but the explanation was pretty much correct.
Root is a user/permission that grants a user or application total control over a system. It's a Unix/Linux term. The equivalent on a PC would be Administrator (or really System, but to keep it simple, Administrator). For Android, all you need to think of it as is the Superuser app and the "su" binary (a binary is an executable or command in the form of a file). Superuser can be downloaded from the Market, which is no problem. But it's useless without the "su" binary (file), which needs to be flashed/stored in the /system partition of the phone.
Well if you can't write to /system without root, and you can't get root without writing to /system, you have a bit of a problem. You see, most phones can be easily rooted with apps like Gingerbreak or SuperOneClickRoot because their bootloaders aren't locked. But HTC likes to add a second layer of protection: S-ON.
See this picture? It's a picture of the bootloader on the Evo 3D. It was pretty much the same exact thing for the Evo 4G, and is the same for the Sensation. In the top right corner, you see how it says S-ON? It stands for Security ON. S-ON is a flag in the bootloader (or in this case, radio) which disallows any non-system applications from touching the /system partition. What AlpharevX and TeamWin did was develop a tool which, through an exploit, allowed the flag to be changed to S-OFF, thereby allowing us to install a custom recovery (ClockworkMod or twrp), which now allows us to flash things (like the zip to install Superuser, and the su binary).
One last thing I left out is that most apps that require root also need busybox, which can be installed through the app from the Market, "BusyBox Installer", but it's useless without root.
Hope that helps!

Product F(RED) said:
You see, most phones can be easily rooted with apps like Gingerbread...
One minor spelling error (Which can confuse someone who's just learning). It's not Gingerbread, it's Gingerbreak.

Theonew said:
One minor spelling error (Which can confuse someone who's just learning). It's not Gingerbread, it's Gingerbreak.
Whoops. Thanks for that!

Related

Unrevoked regular VS Forever?

I don't see what you get out of doing Forever. What exactly are the pros and cons if someone could explain please. Keep in mind that I have no warranty so bringing it into verizon won't matter for me cause I can't. Thanks guys
Forever gives us full nand unlock....which lets us delete system apps, use metamorph/ninjamorph for themes, lets us use adblock/adfree....and regular unrevoked just gives us permanent recovery/root.....you need root to apply forever
Sent from my ADR6300 using XDA App
buffnutz1 said:
I don't see what you get out of doing Forever. What exactly are the pros and cons if someone could explain please. Keep in mind that I have no warranty so bringing it into verizon won't matter for me cause I can't. Thanks guys
They are two different things. You don't have to do "forever". You just need to root if you want to add premade roms. Forever is for really getting serious about customizing your files but also sort of a permanent back door in case Verizon/HTC plugs all the holes with future updates.
jdkoreclipse said:
Forever gives us full nand unlock....which lets us delete system apps, use metamorph/ninjamorph for themes, lets us use adblock/adfree....and regular unrevoked just gives us permanent recovery/root.....you need root to apply forever
Sent from my ADR6300 using XDA App
Uh. No.
The real difference:
The "Reflash" method from Unrevoked 3.1 is used to obtain root access on current roms and to install the ClockworkMod custom Recovery image.
Unrevoked forever is a special zip that disables the security on the phone (s = security, hence s-off) which makes us able to edit the /system partition while Android is booted, and flash any HBOOT formatted zip (PB31IMG.zip) without worrying about signatures or checks from the radio. What this enables you to do is that if there's ever an OTA update that will break any current root method, you can always use a PB31IMG.zip on HBOOT to flash ClockworkMod Recovery again, and install root that way. That is how we get "permanent" root, and why it's called "forever."
I hope this explains a lot. This should be stickied so we can stop explaining things.
One Warning
Please also note that "Regular" can be undone by a number of methods (including a RUU) if you need to return defective hardware to Verizon under warranty. If Verizon checked your phone, I do not believe they could tell you had ever done anything, and they would certainly honor the warranty.
"Forever" cannot be undone. I believe/hope that unrEVOked is working on "S-ON" and will release something soon, but until that point, if Verizon checked your HBOOT they would note the modification and could refuse to honor the warranty. There are a few threads where people who had run "forever" (I have NOT run it, because of this issue) now have to return their defective devices, so we shall see if Verizon does (or does not) actually check and refuse (subject to great debate). Of course, if unrEVOked releases "S-ON" at some point in the future, then this will not be an issue.
Can Forever be applied if root was obtained with a different root method?

[Q] 4EXT Recovery Updater "stops unexpectedly" on every menu option

Please can someone assist with my problem loading 4EXT recovery.
I've downloaded and installed 4EXT Recovery Updater 2.1.4 on my HTC Desire (with S-OFF). When I run it I'm presented the disclaimer and asked for root permission (which I give), and I then see the menu (Online Install, Check for news, Recovery etc..).
Any option I select gives me
"Sorry The application 4EXT Recovery Updater (process ext.recovery.updater) has stopped unexpectedly. Please try again".
I guess there must be something about my phone it doesn't like, but what? Other apps appear stable.
I've tried removing, deleting files, rebooting and re-installing.
Any ideas would be most gratefully received, thanks.
Other info:
Used Revolutionary to get S-OFF
HBOOT 6.93.1002
Installed RMD Recovery 1.0.34 successfully from fastboot on PC-USB
Stock ROM
Model HTC Desire A8181
Android 2.3.3
Baseband 32.56.00.32U_5.17.05.23
Kernel 2.6.35.10-g3f43272
Build 3.14.405.1 CL96875 release-keys
Software (Gingerbread) 3.14.405.1
MICROP-031d
RADIO 5.17.05.23 Jul 22 2011,16:19:16
Contact the developer directly via email or his thread.
Droidzone said:
Contact the developer directly via email or his thread.
Only way he can post in his thread is via tapatalk or XDA app, until he has 10 posts.
Or obviously, post 9 spams first
Just use fastboot?
fastboot erase recovery
fastboot flash recovery recovery_name.img
k3lcior said:
Just use fastboot?
fastboot erase recovery
fastboot flash recovery recovery_name.img
And where does he get recovery_name.img from?
Fine for one off, but asking people to upload it every time he needs latest version is far from ideal. Better the app works since that's the only way to download it
Sent from my HTC Desire using Tapatalk
Thanks for your replies.
Yes, I don't have enough credits to contact madmaxx82 directly. Better earn some more, I guess. I don't suppose someone who does could possibly alert him to my humble post, please?
I've not been able to find 4EXT Touch in .img form anywhere, and wouldn't expect to really. So doing a fastboot flash is unlikely to be a viable solution.
Ok..
Sent from my HTC Desire using Tapatalk
hi,
May I suggest you remove ext4 permission from the su app list.
Pm sent
I suspect busybox. Stock rom must be the problem there..
But let's see.
Ahhhhhhhhh!!!!
Thank you all for your assistance, especially madmaxx82 for his PM which enabled me to solve the problem.
Confession time, I think.
I'm a noob to smartphones and Android as you can probably tell, and have been reading loads of blogs, forums etc. etc. trying to understand rooting benefits, issues and procedures. I've read so much that it's starting to hurt. There is so much info out there including some heroic posts on rooting from first principles. However, a lot of techniques have been superseded and you often run up against dead ends, finding that the method you hoped to use is now outdated. Noobs have to be patient enough to solve the puzzle piece by piece. I'm very patient, fortunately.
With that in mind prepare to gasp in amazement at a big hole in my knowledge of this subject after days of reading. Everyone refers to S-OFF and rooting as the big things to achieve on the way. S-OFF I got fairly quickly, but the term "rooting" is badly misused by many and not well described in terms of what constitutes a rooted system. Usually people tell you what you can do with a rooted phone and not the necessary software components you find in one. Until madmaxx82's PM I didn't appreciate that apps need superuser to do their work. Also, in my naivety I thought that apps accessed the filesystem on their own using some kind of system API rather than needing busybox to issue commands.
I know, horrific isn't it - how do I manage to feed myself, you're wondering.
Anyway, after flashing superuser and installing busybox I was able to use the 4EXT Recovery updater and now have 4EXT recovery installed. After getting used to that I'll upgrade to Touch.
Ironically, if I'd just flashed a pre-rooted ROM rather than trying to root my own stock ROM, I'd never have run into this difficulty. Now, I wonder what adventures lie ahead on the road to total enlightenment.
Thanks again for your help, Gentlemen.
grmm22 said:
Thank you all for your assistance, especially madmaxx82 for his PM which enabled me to solve the problem.
Confession time, I think.
I'm a noob to smartphones and Android as you can probably tell, and have been reading loads of blogs, forums etc. etc. trying to understand rooting benefits, issues and procedures. I've read so much that it's starting to hurt. There is so much info out there including some heroic posts on rooting from first principles. However, a lot of techniques have been superseded and you often run up against dead ends, finding that the method you hoped to use is now outdated. Noobs have to be patient enough to solve the puzzle piece by piece. I'm very patient, fortunately.
With that in mind prepare to gasp in amazement at a big hole in my knowledge of this subject after days of reading. Everyone refers to S-OFF and rooting as the big things to achieve on the way. S-OFF I got fairly quickly, but the term "rooting" is badly misused by many and not well described in terms of what constitutes a rooted system. Usually people tell you what you can do with a rooted phone and not the necessary software components you find in one. Until madmaxx82's PM I didn't appreciate that apps need superuser to do their work. Also, in my naivety I thought that apps accessed the filesystem on their own using some kind of system API rather than needing busybox to issue commands.
I know, horrific isn't it - how do I manage to feed myself, you're wondering.
Anyway, after flashing superuser and installing busybox I was able to use the 4EXT Recovery updater and now have 4EXT recovery installed. After getting used to that I'll upgrade to Touch.
Ironically, if I'd just flashed a pre-rooted ROM rather than trying to root my own stock ROM, I'd never have run into this difficulty. Now, I wonder what adventures lie ahead on the road to total enlightenment.
Thanks again for your help, Gentlemen.
Have a read of the rooting FAQ linked via my signature. Should help clarify quite a lot for you hopefully.
rootSU said:
Have a read of the rooting FAQ linked via my signature. Should help clarify quite a lot for you hopefully.
I think I read the rooting guide at one point in my journey and found it very useful indeed. Much appreciated. In my noob head I still managed to associate the superuser app with unrEVOked, specifically, rather than 'a rooted phone no matter how achieved'.
I'm wondering if this is a true and complete definition of rooting? "A rooted phone is one in which apps can be granted root access permissions when needed. Rooting always means installing the superuser app so that this can happen. For superuser to function the security flag has to be set to S-OFF. There are several ways of installing superuser and setting S-OFF but these two things are the essence of a rooted phone".
Superuser is a two-pronged armament that communicates with the Linux-based core Android system and gives you permission to interact with and modify system files, and run certain system programs which require elevated permissions. One, the superuser binary, /system/bin/su, provides this functionality, while another, superuser.apk, is a GUI which allows you to control which apps should be given permissions, and provides an interface to the su binary. Busybox is a Linux 'Swiss army knife' utility; much like the multi-purpose knife, it is a collection of different Linux utilities, like mount, format, file system check, grep, sed, tar... You name any Linux-based binary, most of it in Android is provided by busybox. You want to reboot the phone, you need busybox.
Neither of them require S-OFF. Rooting is the process of unsecuring your boot image, and installing superuser and busybox. Once that's done, you can modify and see stuff on /data, that is application data. But you still can't modify system files in /system on the fly if you're simply rooted (though you can modify them from recovery). That is protected by the radio security flag. S-OFF allows you to do that.
I think that's enough info for one day.
Well, I for one would like more.
Sent from my HTC Desire using Tapatalk
Well there's nothing new that I can tell you!
Droidzone said:
Superuser is a two-pronged armament that communicates with the Linux-based core Android system and gives you permission to interact with and modify system files, and run certain system programs which require elevated permissions. One, the superuser binary, /system/bin/su, provides this functionality, while another, superuser.apk, is a GUI which allows you to control which apps should be given permissions, and provides an interface to the su binary. Busybox is a Linux 'Swiss army knife' utility; much like the multi-purpose knife, it is a collection of different Linux utilities, like mount, format, file system check, grep, sed, tar... You name any Linux-based binary, most of it in Android is provided by busybox. You want to reboot the phone, you need busybox.
Neither of them require S-OFF. Rooting is the process of unsecuring your boot image, and installing superuser and busybox. Once that's done, you can modify and see stuff on /data, that is application data. But you still can't modify system files in /system on the fly if you're simply rooted (though you can modify them from recovery). That is protected by the radio security flag. S-OFF allows you to do that.
I think that's enough info for one day.
Thank you. That's the clearest description of the mechanics of rooting that I have read.
I'm going to go and lie down for a bit now.
Ice cream cools the mind
Sent from my HTC Desire using Tapatalk

Difference between rooting and unlocking bootloader

I just want to know the difference
Sent from my Wildfire S using XDA
There is no difference. If you unlock bootloader you can gain root.
Sent from my Wildfire S using XDA
SanderTheNinja said:
There is no difference. If you unlock bootloader you can gain root.
Sent from my Wildfire S using XDA
Of course there is a difference. Rooting lets you have complete admin rights on your phone, e.g. access to write files to the system partition, or delete all the files, or uninstall system apps.
Unlocking lets you flash an entire new rom or a custom recovery.
OP - There is plenty of info elsewhere, don't be lazy, just do some reading
With an unlocked bootloader, you are able to root your phone and install custom roms and overclock and root stuff.
An unlocked bootloader is something you must do before having full access to your phone.
scott_doyland said:
Of course there is a difference. Rooting lets you have complete admin rights on your phone, e.g. access to write files to the system partition, or delete all the files, or uninstall system apps.
Unlocking lets you flash an entire new rom or a custom recovery.
OP - There is plenty of info elsewhere, don't be lazy, just do some reading
I mean, you can only get root if you unlock your bootloader.
Sent from my Wildfire S using XDA
Root
Rooting a device is a method to gain full access to the operating system. With root you can do all the administrative stuff, write to locations normally restricted to the system and customize your device deeper.
Root enhances your privileges and you are able to change almost anything inside of your rom.
The rooting, however, affects ONLY your operating system (Android)
Unlocked Bootloader
In most devices, the Bootloader is the instance that calls the operating system (Android) and manages direct access to the device's partitions. Having an unlocked bootloader enables you to flash custom roms, custom kernels, recoveries and so on.
Bootloader and Rooting Teamplay
Often it is the case, and so too in our devices, that a locked bootloader also locks write access to several partitions like the system partition. This is the reason why rooting is not possible without an unlocked bootloader. Rooting needs write access to the system partition (for storing the superuser binary and the superuser app).
Without unlocked bootloader, only a temporary half-root can be achieved.
Thanks alot guys
Sent from my Wildfire S using XDA
How to unlock bootloader ,but the way that I can lock it again
prdonja said:
How to unlock bootloader ,but the way that I can lock it again
Do some research. There are hundreds of posts on this topic.
scott_doyland said:
Of course there is a difference. Rooting lets you have complete admin rights on your phone, e.g. access to write files to the system partition, or delete all the files, or uninstall system apps.
Unlocking lets you flash an entire new rom or a custom recovery.
OP - There is plenty of info elsewhere, don't be lazy, just do some reading
19 months after the question was asked, I just happened to be wanting to answer the same question for myself, so I searched and found this thread...
I am happy he asked the question, as it was the first answer I saw in google search... so maybe he could also have done a search 19 months ago, but his question was useful to me, and your response seemed rude and unnecessary. You never know who may benefit from a little generosity.
Mark.
scott_doyland said:
Do some research. There are hundreds of posts on this topic.
I know that you're not rude (even though you sounded so). You replied what was correct and appropriate.
But my research for the question in question (pun unintended) on google pointed me straight to this very thread.
So, it would be greater if someone had posted some more good links besides their rude looking remark (again, not rude, but just looking so).
theq86 said:
Root
Rooting a device is a method to gain full access to the operating system. With root you can do all the administrative stuff, write to locations normally restricted to the system and customize your device deeper.
Root enhances your privileges and you are able to change almost anything inside of your rom.
The rooting, however, affects ONLY your operating system (Android)
Unlocked Bootloader
In most devices, the Bootloader is the instance that calls the operating system (Android) and manages direct access to the device's partitions. Having an unlocked bootloader enables you to flash custom roms, custom kernels, recoveries and so on.
Bootloader and Rooting Teamplay
Often it is the case, and so too in our devices, that a locked bootloader also locks write access to several partitions like the system partition. This is the reason why rooting is not possible without an unlocked bootloader. Rooting needs write access to the system partition (for storing the superuser binary and the superuser app).
Without unlocked bootloader, only a temporary half-root can be achieved.
Thanks for this useful info
I agree. It is the autumn of 2014, and I've been reading webpages until my eyes are bleary. This is the 1st thread that actually explains how the two concepts relate rather than descending into buttonology. I think the OP's question hits the nail on the head (well, one of them at least) and he doesn't need to be treated in a demeaning manner.
Wow, 1 year after the last post, I'm thankful he asked this question! Was thinking the same as you, lol.
fredphoesh said:
19 months after the question was asked, I just happened to be wanting to answer the same question for myself, so I searched and found this thread...
I am happy he asked the question, as it was the first answer I saw in google search... so maybe he could also have done a search 19 months ago, but his question was useful to me, and your response seemed rude and unnecessary. You never know who may benefit from a little generosity.
Mark.
Root vs bootloader
If I have an unlocked bootloader can I install apps that require root? Will they still work even though I'm not rooted?
Deogracias said:
If I have an unlocked bootloader can I install apps that require root? Will they still work even though I'm not rooted?
I'm not an expert, but here's my understanding from months of reading up on this: Unlocking the bootloader lets you install a program known as Recovery, which is another program that lets you install operating systems, e.g., stock Android, CyanogenMod. Whether you have root or not is determined by settings made after the operating system is installed. So unlocking a bootloader is different from root. You can have either one without the other. However, I am also left with the impression that software that helps you unlock the bootloader also give you root (and perhaps vice-versa). This dual functionality is designed into the software, but they are separate things which don't have to both happen.
I just reviewed my answer and realized that it doesn't really address the quoted question very directly. Unfortunately, there is no "delete" function. So hopefully, it helps a bit. As further info, I unlocked the bootloader, changed the Recovery, and replaced the native Android OS from Koodo with CyanogenMod. However, I did not root. Hopefully, someone else can chime in with further experience.
I've been wondering about this for years, as well. I don't feel confident doing things to my phone that I don't understand. I'm sure I'll never have a thorough understanding, as I'm not a programmer, but even a rough one would suffice. This is the same reason why I will only attempt certain operations on my car -- if I muck it up, I'm boned.
I rooted my phone (or maybe unlocked the bootloader?) a couple years ago, and never got around to doing anything else with it, because I couldn't figure out how to "do a recovery" (still don't know what that means, exactly). Or maybe I unlocked the bootloader, and never rooted it? I'm still confused. I see LOADS of folks who throw the terms around, whom I suspect, actually have no clue. I have a Verizon S4 MDK 4.2.2, and I just now finished the process -_- Better late than never? Now, I'm trying to decide if it's worth the headache, and possible risk, of installing custom ROMs, etc. Also, I know my phone is "SO old!!' and blah-blah-blah. At least if I screw things up now, I can get a new phone with a new contract, etc.
I really wish Verizon weren't such dirtbags about the locked bootloader thing.
No
SanderTheNinja said:
There is no difference. If you unlock bootloader you can gain root.
Sent from my Wildfire S using XDA
Here is the full difference between rooting and unlocking the bootloader.
Rooting - Administrative access to the entire file system including the ability to change system files, such as installing a system-wide ad-blocker by modifying the hosts file on your device, or uninstalling system apps, such as bloatware that comes pre-installed on your device. Without root, one can only see files in the root directory instead of editing them. Some apps and mods only work with root.
Unlocking bootloader - To understand this term, one needs to know the meaning of bootloader first. In simple terms, the bootloader is like a person which checks many functions at the time of boot. It's one of the most important parts and boots first. Unlocking the bootloader means asking that person to give us rights to do some modifications in our device like flashing custom recovery, rom etc.
prdonja said:
How to unlock bootloader ,but the way that I can lock it again
ADB

[Q] How is root obtained on the G-Nexus?

Alright so being the tech-nut that I am, I have an off the wall question, which, appears to be unanswered from my searching.
I've rooted plenty of android devices in my day, but I've never actually known how root is gained, or how tools like the Nexus tool kit obtain it. My question is...what do these tools do in order to gain root? AKA, how is it done? Hope that makes sense!
Probably a question that most people don't know the answer to lol.
But to my understanding, root is achieved when you find the exploit in the system. I dunno, that's my guess lol.
mackster248 said:
Probably a question that most people don't know the answer to lol.
But to my understanding, root is achieved when you find the exploit in the system. I dunno, that's my guess lol.
I kinda felt weird asking this because I didn't know if it was obvious, But my curiosity intrigued me!
That's kinda what I thought, but I guess I've just always been curious!
I've been told by one of my friends who has the verizon version that the toolkit basically flashes an unlocked image of the stock rom and then installs super user. Not sure how true it is.
mackster248 said:
Probably a question that most people don't know the answer to lol.
But to my understanding, root is achieved when you find the exploit in the system. I dunno, that's my guess lol.
There is no exploit required on a Nexus. You just unlock the bootloader (1 command line prompt) and push the SU binary to the phone, then push superuser.apk to the phone, and grant it SU access. Done.
The only way you needed an exploit for is if you were on 4.0.2 and didn't want to unlock your bootloader (which wiped the device). There was an exploit to root w/o unlocking first.
Just to add to what martonikaj said:
"Rooting" or gaining root user access to the Android OS is essentially placing 2 files (with the correct permissions) in the system partition: the su binary, which actually grants root access, and a Superuser app, which acts as kind of a firewall, filtering root access requests.
The trick, however, on most devices, is getting write access to the system partition (which is read-only by default). Devices with locked bootloaders require an exploit of some sort to enable "temporary root access" to make /system rw.
Given that all Nexus devices have unlockable bootloaders, an exploit is not really necessary. With an unlocked bootloader, we can flash a custom recovery like CWM, and then flash the two required files via the recovery. Done.
Sent from my Galaxy Nexus using Tapatalk 2
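The posts above (Droidzone's description of the su binary, superuser.apk and busybox, and this one) spell out which components make up a rooted phone, and that a writable /system is a separate condition from root itself. The following is an added example, not code from any poster in this thread: a small Python root-indicator check of the kind a device-management or banking app runs, written from the detection side. It operates on constructed sample data (file paths, installed package names and /proc/mounts text) so it runs offline; the su, busybox and Superuser.apk paths are the ones the thread names plus a few other well-known locations, and the two Superuser package names are assumptions used here as stand-ins for the "Superuser app" the posts mention.

```python
"""Root-indicator check over constructed sample data.

Added example (not from any post in this thread). It looks for the pieces the
posts describe as making up a rooted phone: an su binary under /system, a
Superuser-style app, busybox, and a /system partition mounted read-write (the
thread's S-OFF / unlocked-bootloader condition). Inputs are plain Python
values so it runs offline; on a real device the same data would come from the
filesystem, the package manager and /proc/mounts.
"""

# su binary locations; /system/bin/su is the one named in the thread, the
# others are additional well-known locations (assumption: illustrative list).
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su")
# busybox locations; the thread says most root apps depend on it.
BUSYBOX_PATHS = ("/system/bin/busybox", "/system/xbin/busybox")
# Superuser-style management apps; these two package names are assumptions
# standing in for the "Superuser app" the posts mention.
SU_PACKAGES = ("com.noshufou.android.su", "eu.chainfire.supersu")
# superuser.apk dropped straight into /system/app, as the thread describes.
SU_APK_PATHS = ("/system/app/Superuser.apk",)


def parse_mounts(mounts_text):
    """Parse /proc/mounts-style text into {mount_point: set(options)}.

    Each line is: device mount_point fstype options dump pass. Lines with
    fewer than four fields are skipped rather than raising.
    """
    mounts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _device, mount_point, _fstype, options = fields[:4]
        mounts[mount_point] = set(options.split(","))
    return mounts


def system_is_writable(mounts):
    """True if /system is currently mounted rw (the S-OFF / unlocked case)."""
    return "rw" in mounts.get("/system", set())


def assess_root_indicators(present_paths, installed_packages, mounts_text):
    """Combine the indicators into one report dict.

    present_paths: set of file paths that exist on the device (constructed).
    installed_packages: set of installed package names (constructed).
    mounts_text: contents of /proc/mounts (constructed).
    """
    present = set(present_paths)
    packages = set(installed_packages)
    mounts = parse_mounts(mounts_text)

    su_binaries = [p for p in SU_PATHS if p in present]
    superuser_apps = sorted(
        [p for p in SU_PACKAGES if p in packages]
        + [p for p in SU_APK_PATHS if p in present]
    )
    busybox = [p for p in BUSYBOX_PATHS if p in present]

    return {
        "su_binaries": su_binaries,
        "superuser_apps": superuser_apps,
        "busybox": busybox,
        # Writable /system is reported separately: it is the S-OFF / unlocked
        # condition, not root itself.
        "system_rw": system_is_writable(mounts),
        # Per the thread, the su binary is what actually grants root; the
        # Superuser app alone is useless without it, so only su decides this.
        "rooted": bool(su_binaries),
    }


# Constructed sample data: a stock phone (read-only /system) and the same
# phone with /system mounted read-write.
SAMPLE_MOUNTS_STOCK = (
    "/dev/block/mtdblock4 /system yaffs2 ro,relatime 0 0\n"
    "/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0\n"
)
SAMPLE_MOUNTS_SOFF = SAMPLE_MOUNTS_STOCK.replace("ro,relatime", "rw,relatime")

if __name__ == "__main__":
    print(assess_root_indicators(set(), {"com.android.settings"}, SAMPLE_MOUNTS_STOCK))
    print(assess_root_indicators(
        {"/system/bin/su", "/system/xbin/busybox", "/system/app/Superuser.apk"},
        {"com.noshufou.android.su"},
        SAMPLE_MOUNTS_STOCK,
    ))
```

The report keeps "rooted" and "system_rw" as separate flags on purpose: the combination su-present plus /system read-only is exactly the "rooted but S-ON" state Droidzone describes, and a writable /system with no su is an unlocked-but-unrooted device. Path and package checks like these are a signal, not proof; a device with su installed elsewhere, or with the binary hidden, will pass them, so in practice they are combined with other checks.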

Bootloaders (aboot/sdi/rpm/hyp/pmic/cmnlib/etc) Interchangeability

Hi, I understand that the G-2PW2100s all share identical hardware, but are the bootloader partitions interchangeable between the Verizon ones & non-Verizon ones? (<- This is question #1) i.e. Can I for example use the NJH47F factory image instead of NHG47Q (Verizon) from https://developers.google.com/android/images#marlin on a Verizon marlin assuming the bootloader is unlocked? Or if the stock rom is already rooted and I can overwrite the bootloader partitions via dd? Or perhaps fastboot boot twrp and then dd the bootloader partitions?
If so, can one say there are then no differences between these G-2PW2100 variants? (<- This is question #2)
Update 1: Since everyone focuses on the unlockability and ignores what's asked above, let me state that I know there's currently no way to unlock the bootloader or root the Verizon Pixel, and the purpose of this thread is to collect information in order to help those stuck with a locked bootloader on Verizon Pixels. If you have such information, feel free to share; repeating "you can't unlock/root" is not helpful. I do not own a Verizon Pixel, and I have absolutely nothing to gain from this; I merely want to give back to the community.
Rooting gives one access to read/write the partitions on the eMMC, therefore gives the ability to overwrite the bootloader partitions, which allows unlocking the bootloader.
Unlocking the bootloader also grants read/write access to the partitions on the eMMC, therefore allowing one to overwrite the partitions on the eMMC.
Sneaking in an OTA pre-rooted image may or may not be possible, as is finding another way to gain access such as disabling the signature check.
The point is, it comes down to the ability to write the partitions on eMMC; once it's writable, you own everything that's on the eMMC. Most people tend to think it's only about the ability to root/unlock, which isn't exactly false, but it's not exactly true either.
Update 2: According to aboot.c, the last byte of the eMMC controls whether a device can be unlocked or not (assuming the compiled aboot in your device uses this logic) For future reference, code is attached.
I don't think you can fastboot boot a twrp img with a locked bootloader.
Sent from my SM-G950U using Tapatalk
Nochis said:
I don't think you can fastboot boot a twrp img with a locked bootloader.
Sent from my SM-G950U using Tapatalk
Right, but if there's a way to flash or write to the partitions, it should be able to convert a Verizon Pixel to a non-Verizon Pixel. That's what I'm trying to confirm.
AncientDeveloper said:
Right, but if there's a way to flash or write to the partitions, it should be able to convert a Verizon Pixel to a non-Verizon Pixel. That's what I'm trying to confirm.
You can't overwrite a locked bootloader...that is the very definition of a locked bootloader. Yes, you need root. Root either temporary or permanent is what is needed to unlock the VZ phones. This has been covered a million times here.
TonikJDK said:
You can't overwrite a locked bootloader...that is the very definition of a locked bootloader. Yes, you need root. Root either temporary or permanent is what is needed to unlock the VZ phones. This has been covered a million times here.
The question asked in the post was whether, if this were doable, there would then be no differences between the two variants. I have not asked whether unlocking the bootloader is possible at the moment.
Go ahead, brick it. You can't. Same hardware doesn't mean same software, there's still a difference.
martinez5241 said:
Go ahead, brick it. You can't. Same hardware doesn't mean same software, there's still a difference.
The Verizon image is obviously different from the non-Verizon one. That's proven, as the checksums are different. The question asked was whether loading the non-Verizon image onto a Verizon Pixel effectively makes the phone non-Verizon, since the hardware is the same.
Let's clear up some misconceptions here.
The phones ship with exactly the same image. It is not until you put in a VZ SIM that you get the different image, and it only changes the radio and some network settings. It doesn't matter where you bought it, and it has nothing to do with locking.
Verizon does not lock the phone. They all ship locked, including Google's. When you start it up it phones home to Google, and Google decides if the phone qualifies to be unlocked. If so, it unlocks. Verified with packet captures.
You will not unlock this phone without root. You will not flash anything other than OTA's without root.
If Rooted
yes on the first
NO on the second
TonikJDK said:
Let's clear up some misconceptions here.
The phones ship with exactly the same image. It is not until you put in a VZ SIM that you get the different image, and it only changes the radio and some network settings. It doesn't matter where you bought it, and it has nothing to do with locking.
Verizon does not lock the phone. They all ship locked, including Google's. When you start it up it phones home to Google, and Google decides if the phone qualifies to be unlocked. If so, it unlocks. Verified with packet captures.
You will not unlock this phone without root. You will not flash anything other than OTA's without root.
chazall1 said:
If Rooted
yes on the first
NO on the second
Since we're on the "unlockability" subject, we know that once it boots normally with a Verizon SIM, it becomes non-unlockable; but does anyone know whether it's because the phone contacts Verizon/Google and receives a "you can't unlock" command, or because the baked-in factory image is pre-programmed to do this once the phone boots with a Verizon SIM?
Technically, one would just need to gain access to write to the eMMC; rooting is one way to gain such access.
AncientDeveloper said:
Since we're on the "unlockability" subject, we know that once it boots normally with a Verizon SIM, it becomes non-unlockable; but does anyone know whether it's because the phone contacts Verizon/Google and receives a "you can't unlock" command, or because the baked-in factory image is pre-programmed to do this once the phone boots with a Verizon SIM?
Technically, one would just need to gain access to write to the eMMC; rooting is one way to gain such access.
It has nothing to do with the SIM. This has been covered a million times. Some think it's the CID. Others think it's the IMEI. Either way, it's nothing you can get around without temp root.
toknitup420 said:
It has nothing to do with the SIM. This has been covered a million times. Some think it's the CID. Others think it's the IMEI. Either way, it's nothing you can get around without temp root.
I don't have a Verizon Pixel to verify what you're saying, but according to this post, what you said is not true. Either way, I'm just trying to study the specifics and help the community, and I have nothing to gain or lose by either helping or not helping the community.
As mentioned, "rooting" is one way to gain access to write the system onto eMMC, unlocking bootloader is another; there may or may not be other methods. Saying one cannot get around without temp root is quite an absolute statement. And yes, I have also read most of the "million" threads.
AncientDeveloper said:
I don't have a Verizon Pixel to verify what you're saying, but according to this post, what you said is not true. Either way, I'm just trying to study the specifics and help the community, and I have nothing to gain or lose by either helping or not helping the community.
As mentioned, "rooting" is one way to gain access to write the system onto eMMC, unlocking bootloader is another; there may or may not be other methods. Saying one cannot get around without temp root is quite an absolute statement. And yes, I have also read most of the "million" threads.
Okay let me definitively explain this.
VZW Pixels run the EXACT same software that Google Store Pixels with a VZW SIM inserted get. The factory image you run doesn't affect your unlock ability at all.
A Google Store Pixel will update to the VZW build if a VZW SIM is inserted.
DISCLAIMER: From here down is conjecture based on my findings, reverse engineering, and things said/found around the forums.
/** begin my thoughts **/
A few things affect unlock ability (this isn't a catch all list, just from my findings):
1. Is the device SIM locked? If yes, grey out the "Allow OEM Unlock" switch; if no, continue.
2. Is the device IMEI/MEID approved by Google to be unlocked? If this is met, allow "Allow OEM Unlock" to be checked; if not, continue the checks.
3. Is the CID a non-unlockable CID (CID = Carrier ID, e.g. VZW___001 on VZW-sold Pixels)? If this is met (meaning the CID is on a specific list of CIDs, like VZW's for example), grey out "Allow OEM Unlock"; if not, allow "Allow OEM Unlock" to be checked.
If when the device connects to Google's servers it passes the above checks, the switch can be toggled.
If the switch can be toggled, you can unlock your device.
Hence why random VZW Pixels are unlockable for no apparent reason, their IMEI isn't VZW's or it doesn't have the VZW MEID (which comically is "vzwmeid"), then the CID being one of a locked device doesn't matter, because that check is never reached.
/** end my thoughts, back to cold hard facts **/
Though I may not be certain of the exact order/magnitude of the checks, the same basic principle applies: it's a list of if/then statements. "Flashing an unlocked bootloader" doesn't even make sense in the context of 99% of devices. If you were on a VZW Pixel, and magically were able to flash a non-VZW generic factory image, bootloader set and all, you'd still be unable to unlock all the same.
Now, what else do we know? The device's switch can be toggled if /data/system/users/0.xml reports <restrictions> as "false".
This file cannot be edited without root, which many will say "...requires an unlocked bootloader...", but that isn't right.
Currently there are 3 main methods to root access:
- /system/ root - in which the SU binary is put in /system/, as /system/ already has the set-suid capability (which allows SU to actually work), this used to be the go to way, but as of DM-Verity's unveiling in Android 6.0 Marshmallow, we can't remount the system partition read/write, as the verity contexts would be changed, and the device would refuse to boot (and I haven't seen any public DM-Verity bypasses/vulnerabilities). An example of this is SuperSU installed in "System Mode". This can't be used on Locked Bootloader devices (running higher than Android 6.0 Marshmallow), because DM-Verity is enforced in the kernel (which is signature checked).
- Boot Image Root - in which the SU binary is put in the ramdisk, which has the set-suid capability (which allows SU to actually work), this was ChainFire (and later everyone else's) method to root Android 6.0 Marshmallow and beyond while respecting DM-Verity, with this method, we still can't remount the system partition read/write, as the verity contexts would be changed, and the device would refuse to boot (and I haven't seen any public DM-Verity bypasses/vulnerabilities). An example of this is SuperSU installed in "System-less Mode", or any Magisk installation. This can't be used on Locked Bootloader devices because the ramdisk is signature checked.
- Temporary Root - in which the SU binary is either put in /system/ in memory (like we saw with the DirtyCow vulnerability/exploits), or in the /data/ partition (this won't work unless we use some method to give /data/ the set-suid capability). To explain a little more, you've likely seen devices with Locked Bootloaders and /system/ write protection making use of these temp-root setups, like carrier editions of the Samsung Galaxy Note 4/5 with locked bootloaders, and of HTC phones that are S-ON/Bootloader locked. On these devices the exploit needs to be re-run after each boot (hence the "temp" part of temp-root).
The Pixels can't be rooted with the top two methods due to the combination of DM-Verity and the bootloader being Locked. Though, temp-root can work.
All dePixel8 did was temp-root the Pixels, remove the restrictions in that file (no proof of this one, though I believe it did), and manually set the "unlockable" bit that the "Allow OEM Unlock" sets when flipped on.
Hence why JCase (one of its creators) said "If anyone hands us a temp-root, we will release another unlock for the Pixels." It is literally as simple as plugging in the new temp-root exploit.
Now, the problem with finding a temp-root solution for the Pixels is that they are one of the most secure and updated devices on the market, often getting Android's monthly security patches before any other device. What I would do if I were serious about it (and let me tell you, I am not) is surf the Android security bulletins and CVE boards for "Privilege Escalation" vulnerabilities that have public PoCs or exploits, and then either further reverse dePixel8 to figure out what bit they set, or just ask JCase, because if you can prove you have temp-root working, I'd bet he'd be friendly enough to talk it through with you. Now granted, that train of thought will only result in an unlock for a previous month's security patch level, but it is better than nothing.
As I noted above, I am not putting this here to express interest in me working on this (for those that might recognize me from my S4 research, or other security ventures), but I have seen so much misinformation on these forums, and so much general misunderstanding, that I felt it would be helpful to throw this out publicly.
Tl;DR: Please link the confused to this post.
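As an added example (not from the post above, nor from dePixel8 or any Google code), here is a small Python helper that parses `adb shell getprop` output and summarises the state the post reasons about: whether the bootloader reports itself locked, whether dm-verity is enforcing, and whether the "Allow OEM Unlock" toggle is currently permitted. The property names are standard Android boot properties; the use of `ro.boot.cid` as the CID source and all sample values are assumptions.

```python
import re

# Constructed `adb shell getprop` excerpt for illustration; values are made up,
# not captured from a real Pixel. `ro.boot.cid` as the CID source is assumed.
SAMPLE_GETPROP = """\
[ro.boot.cid]: [VZW__001]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [0]
"""

# getprop prints one `[name]: [value]` pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `[name]: [value]` lines into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def boot_security_state(props):
    """Classify a device from its boot properties.

    bootloader_locked:        ro.boot.flash.locked is "1".
    verity_enforcing:         ro.boot.veritymode is "enforcing" (dm-verity on /system).
    oem_unlock_toggle:        OEM unlock is supported and the switch is allowed.
    persistent_root_possible: the two persistent root methods from the post
                              (/system root, boot-image root) both need the
                              bootloader unlocked, since a locked one
                              signature-checks the kernel and ramdisk.
    """
    locked = props.get("ro.boot.flash.locked") == "1"
    supported = props.get("ro.oem_unlock_supported") == "1"
    allowed = props.get("sys.oem_unlock_allowed") == "1"
    return {
        "bootloader_locked": locked,
        "verifiedbootstate": props.get("ro.boot.verifiedbootstate", "unknown"),
        "verity_enforcing": props.get("ro.boot.veritymode") == "enforcing",
        "oem_unlock_toggle": supported and allowed,
        "persistent_root_possible": not locked,
        "cid": props.get("ro.boot.cid", "unknown"),
    }


if __name__ == "__main__":
    for key, value in boot_security_state(parse_getprop(SAMPLE_GETPROP)).items():
        print(f"{key}: {value}")
```

On a real device, feed it `adb shell getprop` output instead of the constructed sample; it only reads properties and changes nothing.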
npjohnson said:
Tl;DR: Please link the confused to this post.
Thank you for your time and effort. I did not want to explain all that. I was attempting to collect information, but instead ended up explaining myself and replying to replies that weren't related to the questions I asked.
Anyway, here's a minor update: According to the aboot.c code (and assuming the logic is not modified), the last byte of the eMMC controls whether the device is unlockable. Having root would be nice as it allows the user to write anything onto the eMMC, which makes this rather easy if it's a matter of overwriting one byte.
AncientDeveloper said:
Thank you for your time and effort. I did not want to explain all that. I was attempting to collect information, but instead ended up explaining myself and replying to replies that weren't related to the questions I asked.
Anyway, here's a minor update: According to the aboot.c code (and assuming the logic is not modified), the last byte of the eMMC controls whether the device is unlockable. Having root would be nice as it allows the user to write anything onto the eMMC, which makes this rather easy if it's a matter of overwriting one byte.
Which aboot.c are you analyzing?
1. Google uses its own lock/unlock mechanism, much like many other OEMs.
2. msm8996 uses a non-standard LK, so the public LK logic isn't necessarily what we use.
npjohnson said:
Which aboot.c are you analyzing?
1. Google uses its own lock/unlock mechanism, much like many other OEMs.
2. msm8996 uses a non-standard LK, so the public LK logic isn't necessarily what we use.
Yes, in fact, the public aboot.c requires OEM implementation in order for it to work as some functions are merely defined as interfaces where OEM has to implement the actual code.
Perhaps I should've been more clear on "assuming the logic is not modified". What I meant was, if the OEM did not change the specific position of the unlock byte, this is where it'd be. Of course, there's no way to verify this without (1) obtaining the OEM aboot.c or (2) experimenting on a device. One of the OnePlus devices, for example, stores it at position 0x000FFE10.
This particular aboot.c is listed under quic/la from codeaurora under a late enough branch, where marlin is under.
Hope this clears things up a bit.
AncientDeveloper said:
Yes, in fact, the public aboot.c requires OEM implementation in order for it to work as some functions are merely defined as interfaces where OEM has to implement the actual code.
Perhaps I should've been more clear on "assuming the logic is not modified". What I meant was, if the OEM did not change the specific position of the unlock byte, this is where it'd be. Of course, there's no way to verify this without (1) obtaining the OEM aboot.c or (2) experimenting on a device. One of the OnePlus devices, for example, stores it at position 0x000FFE10.
This particular aboot.c is listed under quic/la from codeaurora under a late enough branch, where marlin is under.
Hope this clears things up a bit.
If you need some one to test this theory out for ya, I've got a VZW Pixel xl. I've also got a Nexus 6p I can fall back on if we "F UP" my Pixel. Plus I've brought back a lot of phones from brick. Even the Bootloader locked LG Flex. And those Flex owners thought it couldn't be done.
mattwheat said:
If you need some one to test this theory out for ya, I've got a VZW Pixel xl. I've also got a Nexus 6p I can fall back on if we "F UP" my Pixel. Plus I've brought back a lot of phones from brick. Even the Bootloader locked LG Flex. And those Flex owners thought it couldn't be done.
That's very brave of you. I've been exploring the possibility of using EDL (QDLoader 9008) mode to overwrite the whole eMMC with an already-unlocked image. The Pixel is in a unique position to try this, as all US versions share the same hardware (except marlin vs sailfish), so there shouldn't be a reason why they can't run the same image.
Shameless bump.