Pixel phones are sold with bootloader unlocking disabled (fitzsim.org)
565 points by pabs3 on May 7, 2023 | 347 comments



> connect the device to the Internet before they are allowed to install the operating system they want

Phoning home before undertaking such an activity takes away the ownership rights from the customers. They do not actually own these devices even after they have purchased them.

The reason is that an important part of their ownership rights, i.e. the freedom to use the software of their choice, has been withheld from them. With a promise that it will be given to them on request. Unless, of course, the manufacturer changes their mind.

Unfortunately, there are cases when the manufacturer did not even make such a promise and disabled bootloader unlocking permanently with no way of enabling it again. On Pixel phones.

This used to happen (and perhaps still happens) to some Pixel phones purchased in the USA from Verizon. They have been known [0] for disabling the bootloader unlocking and for giving their customers no way to enable it. Not even after phoning home.

Some people claim [1] that they paid someone from China to unlock their Pixel 1 phone remotely using some shady approach. I assume that someone with inside information from Google has leaked some software and instructions for doing so. It is unclear whether later Pixel phones sold by Verizon with locked bootloaders could be unlocked in a similar way.

As a result, it seems like the only way to have a chance at unlocking such Pixel phones, which have been made by a US company and purchased from a US carrier, is to pay someone in China and hope for the best. It has gotten that far.

[0] https://forum.xda-developers.com/t/how-to-unlock-bootloader-...

[1] https://forum.xda-developers.com/t/how-to-unlock-bootloader-...


Xiaomi does the same (or at least did until my latest phone change i.e. around 3 years ago). You must unlock the bootloader before being able to install a custom recovery image such as TWRP, which itself is used to install custom ROMs.

This unlock involves: creating a user account in the Xiaomi services website, logging into that account from your phone's system, then having the phone logged in for at least 7 days, then using a Windows software which sends a request for unlocking, which they will grant (at least in my experience).

The most outrageous part of all this process (apart from the fact that it exists at all) is the 7 days of usage with the phone logged in. If you attempt an unlock earlier than that, the software will say: "You have to wait X days and Y hours before you can unlock this device."

EDIT: This Reddit wiki page explains the process. I'm flabbergasted that it actually takes 720 hours aka 30 days:

https://www.reddit.com/r/Xiaomi/wiki/bootloader/


If laws let companies do this, they will. Eventually unlocking your phone will look like a literacy test (https://en.wikipedia.org/wiki/Literacy_test). At 30 days, it has already passed the level of cancelling your subscription to The Economist and reached the obfuscation level of cancelling the average gym membership.

They'll just keep testing the limits until their analytics tell them that only 23 people made it through the process in the last year, then they'll shut it down for lack of use. Legally obligated, they'll replace the process with a promise that if you mail a newly purchased device to the company, they'll send you an unlocked version within about 3 months. Then, a year later, mail to that P.O. Box starts getting returned, and customer service claims that they're not aware of any mail-in program. The representative claims, honestly, that "we don't sell unlocked phones." You get escalated to a supervisor, and insist that they're legally required to unlock your phone. The supervisor apologizes to you, promises to get to the bottom of the training oversight that led to the escalation, and insists that you mail the device directly to his office and he will take care of you personally.

Only three people made it to the supervisor last year. Two of them never ended up sending in their phones, and for the one that did, the company accidentally sent another locked phone back and the customer failed to follow up.


The rationale for the hoops and waiting period is IIRC that shady sellers were tampering with phones sold through AliExpress etc.


Security, the classic excuse behind reducing freedom.


Sometimes it's a valid reason. I love the idea of being able to unlock the bootloader.

I don't love the idea of someone else being able to do it before the phone gets to me.


> I love the idea of being able to unlock the bootloader.

> I don't love the idea of someone else being able to do it before the phone gets to me.

At the time it was their phone, and they can still do it by waiting 30 days.

But what does it matter if you're just going to flash your own system anyway? Let them put whatever they want on it as long as you can blow it away and replace it with yours.

And if you're not going to flash it yourself, make sure you buy it from a retailer you trust not to befoul it, or buy direct from the manufacturer. If you don't trust them then you have bigger problems.


The preexisting firmware installs the bootloader, unless you mount the memory chips directly to your PC.


That isn't a law of nature. The device could easily have a tiny amount of actual ROM the sole purpose of which is to reflash the device, which would also be useful to recover from a bad flash.

And if you want to talk about security, the most secure thing is to make all of the storage easily removable so it can be verified and reflashed from a known-clean device. Which would also make it upgradable, at the expense of an imperceptible single-digit number of grams in weight. That they don't do this is the proof that the other thing isn't really done for security.


Got any info on how that is done? Curious minds wish to know.


> I don't love the idea of someone else being able to do it before the phone gets to me.

So how do you feel about PCs then? Because most computers sold don't have these draconian protections and apparently that has never been an issue.


Never been an issue? Just recently there was an LTT review of an Aliexpress laptop [1] where they found the Windows install had been tampered with (mostly because the Windows was pirated). PC or phone or anything, you buy stuff from shady sources it will not be trustworthy. If Xiaomi is/was locking down their phones to try and make purchasing from places like Aliexpress safer, I think that is a losing battle.

[1] https://youtube.com/watch?v=Um0l6ZSxfTE


I bought a laptop from Dell and found the Windows install had been tampered with; there were all sorts of adware and trial software installed. Luckily, since the boot loader wasn't locked, I could install my own, clean OS.


I don’t think that’s the point, when you get a device from Aliexpress that’s been tampered with by the retailer (as opposed to the OEM), the bootloader will already be unlocked and you could install a clean OS. That’s okay if you are the one buying the device and somehow trust that the retailer hasn’t messed with the hardware as well, but it doesn’t help the manufacturer that wants to stop retailers from messing with the OS in the first place.


OEM or retailer it is the same thing: the device has been compromised.


Yeah, that's fair, but unfortunately it has been a problem at times and also phones are a different world. The default expectation for phones is to be really heavily locked down.

I wish that it wasn't that way.

I'm still not going to bash the one major company that consistently comes the closest to being as open as I'd want. I'd love it to be better, but I also understand the real and legitimate reasons that it doesn't work out that way.

Try to put those concerns in direct conflict with openness and the outcome is likely to be the worst possible.



I believe it has in fact been an issue with several areas of electronics, including PCs, in the past.


So it's about end customer security, thanks for elaborating!


To be fair, they probably do have to deal with more creative fraud in the Chinese market. They just implemented a rather lazy solution.


Gotta secure your flimsy business model against competitors.


Did it solve this problem? I bought my Xiaomi phone from a shady seller who tampered with it to unlock the bootloader, so that I avoid all of this. I'm probably not the only one.


Some of the AliExpress sellers use this ability to install a custom kernel that reports more RAM and Flash than is installed. Sometimes they report a higher Android version number and CPU too, and if you run any popular benchmarks the results will be faked (through binary patching of the benchmark app).

Then they sell the phone as a newer/better model than it is, and most users are unaware. If you complain to AliExpress they'll tell you to run AnTuTu or Geekbench, and both of those apps will report fake results.


People do the same with flash drives and hard drives which report more storage space than available.

Scam products will always exist. What makes phones so incredibly different from laptops, desktops, hard drives, cars (where people may claim false mileage numbers), or any other product category with specs which can be faked?

And why is the solution to lock the boot loader, rather than implementing some tamper evidence system? Show a "This phone has been tampered with!" screen on boot if the boot loader has been unlocked, problem solved.
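Added example, not part of the comment above or of any vendor's code: Android Verified Boot exposes the boot state to the running OS through the properties `ro.boot.verifiedbootstate`, `ro.boot.flash.locked` and `ro.boot.vbmeta.device_state`, and the bootloader answers `fastboot getvar unlocked` itself. The sketch below cross-checks the two views for a newly received phone; the function names and sample outputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not captured from a real device).
# OS side: `adb shell getprop` lines for the verified-boot properties.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.version.release]: [13]
"""
# Bootloader side: `fastboot getvar unlocked` output for the same device.
SAMPLE_FASTBOOT = """\
unlocked: yes
Finished. Total time: 0.001s
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")
VAR_RE = re.compile(r"^(?:\(bootloader\)\s*)?([\w.-]+):\s*(\S+)$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines as printed by `adb shell getprop`."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_fastboot_vars(text):
    """Parse `name: value` lines, with or without a `(bootloader)` prefix."""
    out = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.strip())
        if m:
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def os_lock_claims(props):
    """Collect every lock claim the OS makes: True = locked, False = unlocked."""
    claims = set()
    flash = props.get("ro.boot.flash.locked")
    if flash in ("0", "1"):
        claims.add(flash == "1")
    dev = props.get("ro.boot.vbmeta.device_state")
    if dev in ("locked", "unlocked"):
        claims.add(dev == "locked")
    state = props.get("ro.boot.verifiedbootstate")
    if state in ("green", "yellow"):   # both states imply a locked bootloader
        claims.add(True)
    elif state == "orange":            # orange is the unlocked-device state
        claims.add(False)
    return claims


def assess(props, fb_vars):
    """Compare the OS view with the bootloader view and return a verdict.

    Properties come from the running OS, so a modified system image can
    report anything it likes; the bootloader's own answer takes precedence
    and any disagreement is treated as a sign of tampering.
    """
    findings = []
    claims = os_lock_claims(props)
    answers = {"yes": True, "true": True, "no": False, "false": False}
    bl_unlocked = answers.get(fb_vars.get("unlocked"))

    if len(claims) > 1:
        findings.append("OS-reported lock properties contradict each other")
    if props.get("ro.boot.verifiedbootstate") == "red":
        findings.append("verified boot failed (red state)")
    if bl_unlocked is not None and claims and (not bl_unlocked) not in claims:
        findings.append("bootloader and OS disagree about the lock state")

    if findings:
        verdict = "suspect"
    elif bl_unlocked is True or (bl_unlocked is None and claims == {False}):
        verdict = "unlocked"
    elif bl_unlocked is False:
        verdict = "locked"
    elif claims == {True}:
        verdict = "locked-unverified"  # only the OS said so
    else:
        verdict = "unknown"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = assess(parse_getprop(SAMPLE_GETPROP),
                    parse_fastboot_vars(SAMPLE_FASTBOOT))
    print(result["verdict"], result["findings"])
```
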


I had an 'Android 13' which turned out to actually be Android 4.2, but faking a higher version number.

The vast majority of apps won't run on Android 4 anymore.


So imagine a scenario:

1. crime organization (or governmental org) buys / steals a bunch of phones

2. org opens boxes, tampers with boot loader in such a way that they (and / or the original OEM and / or the original OS vendor) have a persistent remote administration account on phone

3. org then returns phones to supply chain either covertly or off the back of a truck.

4. org leverages remote access to do shady things

5. "the press" finds out that "vendor phones XYZ are trojaned!" and vendor looks like t-mobile for 5-30 hours until people find another cat video to look at.

A theoretical justification of this is that phones are stolen all the time from the supply chain. Making lots require remote activation allows the vendor to kill the stolen phones, reducing their resale market in that part of the stolen phone ecosystem. Another theoretical justification is to "protect" the average buyer who just wants a damned phone to look at cat videos on and maybe call their spouse when they're late; they don't wear boots and don't care about loaders. Just Want Cat Videos.


The answer to that should not be to become the shady seller.


In these modern times I don't think any company actually trusts the contractors that have been hired to make a product.

You (some big name company) hire some company to make 10,000 widgets; your contractors may turn around and make 300,000 widgets, sell you the 10,000 widgets per the agreement, and sell the other 290,000 into other channels. They may sell the ones that didn't pass QA, they may make ones with cheaper parts, etc.

How do you stop this? See above - the part has to phone home and you can enable it (or not!) because you've got a registry of which things are legit and which aren't.

Also, this lets the companies spy on you. Errr.. Collect telemetry to allow them to improve the product.


So, they just wait a week and then do it? It's not an effective measure.


Yeah, I bought a Pocophone F1 when it came out, expecting to instantly install LineageOS, but then I found out that I have to wait a full week and set up a Windows VM.

The phone per-se wasn't bad, but that was my last purchase from Xiaomi.

Replaced the Pocophone with a Google Pixel 5A and I will stick to Google Pixel because GrapheneOS is great.


Xiaomi have required this for a while now, not sure exactly when but at least since 2016.

The other big Chinese brands that have cheaper high end handsets don't officially support unlocked bootloaders as far as I know. They subsidize their handsets with all the junk that their custom Android UIs push, so don't want owners to flash a custom ROM.

The top 3 phones in the LineageOS install stats page are Xiaomi for this reason. https://stats.lineageos.org/

Often phones that do support unlocking (without the hoop jumping) you have to pay a premium for, like the Pixel.


The pocophone f1 was for a while the fastest mainline Linux phone. Throw postmarketos on that bad boy.


Samsung does the same fwiw for their newest phones. Pretty annoying.


Samsung won't even let you unlock their US phones' bootloaders.


You don't need an account, but it's still terrible. I experienced this yesterday: https://news.ycombinator.com/item?id=35854287


I was never able to get Lineage working on my old S8.


Was that due to bootloader issues or just because there's no official support (It's not actually listed on https://wiki.lineageos.org/devices/#samsung) ? FWIW I have it running on a 2nd hand s10e and it's not flawless, but still pretty good.


The S8 was a weird case. I think the S7 and S9 could be unlocked, but the S8 was locked up tight, iirc.


The wait time differs based on the device. I had to wait a week until I could use my Pocophone F1.


Man, I love my Pocophone F1. Any idea where it would still be possible to purchase one?

With LineageOS it handles everything I throw at it without issues. Love the form factor and the finger print sensor on the back. Also SD card slot and headphone jack. Looks like the newer Pocophones are stepping backwards so I have been trying to get my hands on another second hand F1. Haven't been able to find it anywhere though. Surely there must be people out there selling them?!


> then having the phone logged in for at least 7 days

I unlocked the bootloader with the unlock tool less than 12 hours after purchasing my Xiaomi Mi 8. How come everybody has to wait that long?


Which tool?


Xiaomi requires a google account, a xiaomi account and a sim card inserted just so you can enable developer mode.

That's what returns are for, I guess.


Luckily there are reputable companies (warranty and all that) that do this as a part of the purchase process.


Xiaomi heavily subsidizes their phones. The idea is that they make it back with people using their apps.


Yep. All their stock apps, including those that have no business having any kind of network access as part of their functionality, come with a privacy policy, show it to you in a modal on first launch, and quit if you decline it. The calculator app has a privacy policy, so does the clock, the media gallery, the file manager, and the local music player. I was also told that there are actual ads sprinkled throughout the system.

I'm highly doubtful that it's possible to sell a phone for the equivalent of $100 at a profit.


There are plenty of $100 phones. I used a $50 phone for a year, and it was fine to use - it ran every app I tried to use, had a 3 day battery life, and the only thing that it lacked was NFC and a gyroscope and compass (makes maps apps hard to use because you don't get a blue arrow).

I now have a $500 phone and overall it's a bit of a downgrade because the battery only barely lasts a day.


This is the same for Huawei and their phones aren't even that cheap!


I went through this on my POCO F3. I couldn't help but think they were running all kinds of shitty Chinese malware on my PII during this time.


I once had to follow a similar process to get the key to sign apps to install on my Nokia Symbian phone.


> With a promise that it will be given to them on request. Unless, of course, the manufacturer changes their mind.

Or if the manufacturer decides to simply shut down those servers after some time, at which point the effective default situation will almost certainly be a denied request. In this case, they may not necessarily even be actively changing their mind, but rather just trying to reduce some overhead for those devices they deem to be "no longer supported" but which are nevertheless still out there being used.


So Google is going through all this effort and some guy in China will just bypass the bootloader lock for $30.

There is absolutely no way that the intelligence agencies don't have this same capability, which makes all of this security posturing utterly pointless, other than to prevent regular users from owning their devices.


That's exactly the purpose of this measure - to prevent consumers from fully owning their device. Presumably the carriers are selling you the device at some discount for longer term loyalty (through constraining the phone). This is not a security measure and government agencies being able to bypass it seems irrelevant.


You are confusing Verizon's motives with Google's motives. Verizon disabling the bootloader on phones that users are still paying off, or bought at a discount together with special terms of condition, is something that might be defensible.

Google however made it so that any Pixel phone bought anywhere, even by customers who pay 100% of the price themselves with no carrier involved are not actually owned by those users until they connect it to the internet and Google blesses the device.


> is something that might be defensible.

I would like to propose that it never is, and only seems so sometimes because our society is insane.


I don't think I'm insane for not wanting my cellphone to get stolen and then be sold as a working phone to somebody else. Anything to cut down resale value of stolen phones. With full root you can overwrite the IMEI, and the stolen phone is as good as new.


The other way to do that, which I know is crazy in modern times, is to actually enforce property crime laws and punish people that steal things...

how novel...

instead we have to accept draconian controls on our ownership of devices as a way to combat theft. I would much rather see criminals punished....


"Defense in depth" applies to crime too. After-the-crime discovery and punishment can only do so much.

It's not that no enforcement happens, a quick search for "phone theft ring busted" returned an article [1] from March of this year. The search results suggest it's far from the only relatively recent bust.

Phones have exceptional monetary value compared to their size/weight. They're easy to steal, and anything that makes wiping the phone easier, faster, or cheaper will be exploited as it increases the value the thieves, fences, etc can extract.

The enforcement scheme needed to substantially reduce phone theft would likely be extremely expensive. It would also likely involve device and purchase tracking methods that many would consider draconic and ripe for abuse by governments and law enforcement.

What would you specifically recommend be done on the enforcement side of things, compared to what happens presently?

[1] https://www.surfsantamonica.com/ssm_site/the_lookout/news/Ne...


>>It's not that no enforcement happens, a quick search for "phone theft ring busted"

Very limited enforcement happens; for every story you pull that shows enforcement, I can pull 10 that show that even when a person can track their stolen phone to a building with "find my phone", many police departments refuse to do anything. This is a common thing.

I am willing to bet the phone theft ring that was busted was only busted as ancillary to a wider investigation into terrorism, drugs, sex crime, or some other criminal activity, and they were not targeting phone thefts at all.

It would also be interesting to know if the charges are dropped, as they often are these days for these low level property crimes.

When you have people leaving their windows down and trunks open to show there is nothing to steal, or people can just brazenly walk into a store and walk out with handfuls of merchandise because theft is so rampant and prosecutors refuse to prosecute the crimes, there is an enforcement issue.

>>The enforcement scheme needed to substantially reduce phone theft would likely be extremely expensive

I disagree, but please enlighten me as to what you think will be expensive.

>>What would you specifically recommend be done on the enforcement side of things, compared to what happens presently?

Actually filing criminal charges for theft instead of just the catch-and-release model we have today, so much so that police departments often do not even arrest or investigate the crimes at all because they know activist prosecutors will simply refuse to file charges for any theft under a certain dollar value.

I am not sure why this is even debated given that stores are moving out of several cities due to rampant theft that is going unenforced / unpunished. A quick search will show news report after news report of unlawful property theft being done sometimes even in full view of law enforcement who do nothing because they have been instructed not to in many major cities.


This is orthogonal to owning. A third party could be the one checking for stolen phones if you implemented it the right way.


If you don’t want the carrier to lock your phone and give you a discount, then pay full price for it.


My viewpoint is not that it is fair or not for the carrier doing so. But that restricting freedom from a user's device and software should not be allowed. This means that if the carrier decides to sell devices via some kind of credit it cannot take away the freedoms of the user (and future owner) of the device, but the carrier can decide simply to not sell devices via some credit.


Arguably, if it’s bought with credit, it’s not yet the user’s device. The ‘owner’, is the creditor.


This is how a lease works not credit. If you take something on credit then you are the sole owner, you just become liable for the payment.


Pretty sure that if there's a guy in China who is bypassing the bootloader lock for $30, he's just going to connect your device to the internet, and do what you wouldn't. Why wouldn't he?


Did you read the thread? That's not at all what's happening. People boot the device into fastboot, connect it to USB, install a USB redirector and the guy in China does something and it's unlocked.


Someone do this and send us a pcap


There are a wide range of threat models in between "no effort" and "state-level intelligence agencies".


Intelligence agencies probably do have these capabilities. There’s a massive difference between them having it and “some guy in China”. These kinds of things are pretty expensive and nobody is going to sell you the capability for $30, unless it’s just meant to be a carrier lock rather than a security feature.


> some guy in China will just bypass the bootloader lock for $30.

I've seen this kind of thing before but I have no idea how this works. Is it an insider employee at google or a mobile provider that is doing this on the side? Is it a 0-day exploit? Is it something that anyone can do but someone is productizing it for $30?


I think that it is something anyone can do, provided that they know how. I would assume that it is as simple as putting the phone into some kind of low-level programming mode, perhaps EDL or similar, and overwriting a few bytes of data.

These low-level modes likely use proprietary protocols that are only known to the vendors who manufacture the SoC used in the phone, for example Qualcomm. As many of those devices are manufactured in China, it is likely that someone who worked there leaked some tools for performing these low-level programming activities. And then they figured out how to use these tools for unlocking the bootloaders.


The major innovation of Silicon Valley isn’t tech. It’s eroding out the concept of private property.


> Phoning home before undertaking such an activity takes away the ownership rights from the customers. They do not actually own these devices even after they have purchased them.

Smartphones have become pocket game consoles, with the same business model.

There may be other Android app stores, but Google Play still owns the Android app store market (except in China where Google is blocked/unavailable) - in spite of charging hefty platform fees comparable to those charged by Apple or Nintendo.


It's crazy how much Google has become just another dickish proprietary corporation.

If they could have somehow stayed ~2003 Google...


I am not sure why people are shocked by this, as any company gains market share in a given market the more hostile to their customers / users they become.

This is not new to tech companies, I suspect though many people believed they would somehow be different than other corporations. Maybe because the people heading those corporation seemingly were aligned politically when in the past they were not?

Regardless Google is following the same script that many many many other companies, tech and not, follow


This is pretty much where Google was obviously going in 2003.


There are examples of companies that weren't like that. Red Hat, SGI, Sun, Novell, DEC... Becoming another Oracle/Adobe isn't inevitable (and yes, I know the connection between SGI and Adobe).

Then you have firms like Nvidia which, regardless of what you think of them, you can probably agree they've at least been consistent for the past 25 years.


> As a result, it seems like the only way to have a chance at unlocking such Pixel phones, which have been made by a US company and purchased from a US carrier, is to pay someone in China and hope for the best. It has gotten that far.

That reminds me of the right-to-repair article about patched John Deere firmware created by Ukrainian hackers.

It wouldn't surprise me that China has the same skills. I remember coming across a lot of products made to unlock/unbrick Apple's products too, although that was many years ago and I'm not sure if they've gotten through Apple's security for the newer models yet --- and it wouldn't surprise me if they knew but won't easily disclose.


Yep, my Pixel 2 is as good as dead because the bootloader can't be unlocked, Google refuses to do anything about it, and software updates stopped a long time ago. Great way to lose me as a customer.


Just upgraded from a, I think, 6 year old Pixel 2 to a carrier discounted Pixel 7. Being in Germany, I am fairly certain the bootloader is unlocked (-able), I might try it during the weekend. Reason for the switch was that a) even CalyxOS stopped supporting it b) the phone lost the mobile network every so often c) the screen was held together by glue and protective glass. Otherwise, it is still working and will stay as my backup phone.

Now I just try to make up my mind regarding CalyxOS on the Pixel 7. The pure Google Android looks good, I think I turned most of the tracking off (unique ad ID to improve personal ads, WTF?). But there are still some annoying things, e.g. this crappy, unremovable, Google search bar. If I read correctly, one can go back from CalyxOS to stock Android now, right? Not that I would really mind so, I didn't miss anything the last couple of years except maybe Google Maps at some occasions, and I could have installed that using microG and Aurora store.


I'd be interested to hear about your experience. My contact info is in my bio if you're up for it. I do really like the Pixel line, and I'd be excited to upgrade if I were sure the new device could be successfully unlocked.

May I recommend LineageOS, which supports Pixel 7 [0] and the Pro version. Whatever you go with, yes I do think you can flash stock Android back on your phone if you like.

[0] https://wiki.lineageos.org/devices/panther/


In my experience, it worked great with a Pixel 2 XL. Except my botched attempt at getting stock back onto it, which resulted in a warning during boot. Otherwise CalyxOS worked like a charm, incl. banking and 2FA apps.

We'll see when I have time, and patience, to get it on my new phone... Might be a while, so far I manage to convince myself that I got rid of almost all tracking so far...


> The reason is that an important part of their ownership rights, i.e. the freedom to use the software of their choice, has been withheld from them.

Thank you for your comment and info. But be careful, this is the wrong argument here. They are still letting you use the software you choose.

We can look at this move conceptually, keeping in mind the future. Here's one possible outcome.

You need to phone in first. Imagine the phone is just an IMEI number or a serial number, or one part of a key pair. In a future regime, phoning in marks that phone as no longer "trustworthy". It's now in the digital quarantine or isolation pile. And future network services will isolate the device appropriately.

Phoning in doesn't change what software you can install. It possibly changes who you can interact with.

I don't know if the argument can be won.

We could come up with examples where people were isolated wrongly with other technologies. But there's a subtle psychological trick there about solitary confinement and forcing a family of networks and social interactions. Using that argument reinforces the network that limited us. I don't want to hurt that network. But it also limits us.

And the alternative, hidden network lockouts, is also troubling. So, lose lose I guess?

I don't think I have the power to change the story.


> They are still letting you use the software you choose.

At the moment, yes.

My point was primarily about the fact that giving the customer an option to use Android software of their choice on recent Pixel phones is currently fully up to the manufacturer. Phoning in is merely a tool to achieve it.

> possibly changes who you can interact with

I am aware that identifying customers who have requested to have this option can potentially be used to mistreat them. Many mobile apps today are already trying to perform a similar form of identification. They check for non-OEM software or root access. If they detect something they do not like, they show warnings or refuse to provide some functionality. But that is, I think, another topic.


> Some people claim [1] that they paid someone from China to unlock their Pixel 1 phone remotely using some shady approach. I assume that someone with inside information from Google has leaked some software and instructions for doing so. It is unclear whether later Pixel phones sold by Verizon with locked bootloaders could be unlocked in a similar way.

This usually involves someone who has bribed a Verizon support rep or otherwise obtained access to their internal systems so they can "unlock" you.


Isn't the bootloader software, so it's licensed, not sold? Are these "ownership rights" over the bootloader codified in law or a court decision?


It's not rocket science that some carrier and manufacturer lock the goat out of their phone like Samsung and Verizon, but I think this thread is dealing with a much more different problem and everyone who bought carrier does not belong.


I don't think carriers should be allowed to hard-lock phones either, but that's another thread for another day.


> Phoning home before undertaking such an activity takes away the ownership rights from the customers. They do not actually own these devices even after they have purchased them.

Is this just philosophically speaking or were there some actual rights granted by law being violated?


I am unaware of any current law that would require devices which can run software to be able to run arbitrary software.

That being said, Google's Pixel phones have widely been known for their ability to unlock the bootloader and install an Android software of the user's choice. It was one of their selling points for a long time.

If this ability is turned into a "possibility" that can be taken away at any time and if it has not been properly communicated to the customers, then it might qualify as false advertising.


Verizon usually unlocks the bootloader for you after the phone's real cost has been covered by your monthly bills.


Do you have some references supporting that claim?

If unlocking the bootloader on e.g. Pixel phones sold by Verizon would be as simple as asking Verizon to do it, I do not understand why there would be multiple long threads on XDA developers forum where people try to circumvent this restriction in various shady ways.


Can Pi Hole block these "phoning home" attempts?


I assume the device isn't just phoning home, but is expecting some sort of response, and likely isn't static.


So I guess one should activate the phone at some Wifi cafe first before unlocking bootloader and flashing a new OS otherwise Google could make a direct link to ownership during the lifetime of the device.


"Magic hostname" mentioned in the article (afwprovisioning-pa.googleapis.com) makes me believe this may be related to zero-touch enrollment of Android Enterprise/Android for Work (https://support.google.com/work/android/answer/7514005). I'm sure devices sold to regular customers and enterprises are identical and nobody is going to unbox and pre-provision them before shipment, so an unboxed phone needs to contact the provisioning server at least once to verify that there is no pending zero-touch enrollment configuration prepared for it (which may prevent bootloader unlocking if the device is enterprise-owned).


That just sounds like "you don't get to own your device"


This is correct, people generally don't get to own a device provided by their employer. Not allowing the bootloader to be unlocked on company-owned devices seems like a very desirable feature.


Not allowing a bootloader to be unlocked on a company-owned device does sound like a desirable feature, but only for company-owned devices. Applying that setup to all phones assumes that the default phone is a company-owned device and is subject to external control.


A different SKU for enterprise managed devices would cripple IT departments that don't pay the big bucks to e.g. verizon to manage their device provisioning & MDM enrollment.


Wut? I don’t follow? Anyway, once you are big enough to care about preventing bootloader unlocking on your company devices you are big enough to pay for that privilege.


You'd need two different SKUs for each different color and size to enable this in a more user-friendly way, where devices either enterprise locked or carrier locked get the one with a locked-by-default bootloader, and ones bought directly by the consumer have an unlocked bootloader. Realistically the latter group is so small it doesn't make sense to complicate the production and logistics process by having this separation. Instead, we get the current situation where the bootloader can be unlocked after initial setup check.


The latter group is plenty big enough at the point of sale (e.g. every single store).


At least in the US, most phones purchased in stores are carrier locked. I cannot purchase an unlocked pixel at most, if not all, nearby retailers.


It would be much nicer if it defaulted to allowing unlocking though. You can boot up a DEP enrolled Mac and use it even if your internet connection doesn't work, including disabling SIP and the bootloader. Though your MDM attestation may fail if you then enroll it. That need to explain yourself to the IT department should be enough incentive to an employee to not unlock your work device bootloader.


They already do these special locked SKUs for American carriers.


Has it occurred to you that the feature you're defending allows Google to lock customers into their provisioning/MDM? That this is worse than Verizon controlling provisioning/MDM, because at least Verizon is subject to market competition (ie you can buy the device from other parties), whereas Google doing it means you have no choice whatsoever?

You're also grossly exaggerating things. We're not talking about a change that would prohibit management, just one that would not allow them to do zero-touch enrollment into their management systems.


Customers as in people who buy Pixel phones? Why would Google try to lock those people into MDM?


If this is like DEP on macOS, it is more like a first use redirect until enrollment than a fully-blown MDM.


It assumes that company owned and managed phones are more common than people who want to unlock the bootloader. I know this isn't ideal, but that's the correct assumption to make.


That’s a stupid false dichotomy caused by a poor onboarding workflow. “Well we either make it easier for businesses or deny the right to literally every customer to own their device. It’s okay because most people won’t notice.”


You'll notice that the market is not lining up to buy the PinePhone in response to this state of affairs, so I would say that the decision has been working out well for Google.

It is very much the case that most people don't care about this definition of freedom.


Very few people exercise their fifth amendment right. That doesn’t mean people are tacitly agreeing to it being taken away.

I didn’t say it wasn’t popular. I’m saying people don’t realize how badly they are exposed because the hammer hasn’t dropped.

The market for PinePhone is weak because it’s “only for the pesky open source people”. It will stay that way a long time and we better hope they survive long enough for Google to keep screwing people into a big enough market.


It assumes that company owned and managed phones are more common than people who are unwilling to connect to the internet to unlock their bootloader. Which is definitely true. Probably by several orders of magnitude. Who cares? You get to unlock your bootloader.


I don't know about managed, but for high-end I think it's been true for many years that the bulk of them are bought by companies.


But the provisioning check is forced on everyone.

I don't think it's reasonable to enforce a provisioning process on every single person just because a small number of the devices go to enterprise-sized companies that want "zero touch" and Google (and their distributors) don't want the expense of stocking two SKUs, one set to require provisioning, and another not.

I shouldn't have to prove ownership of my device to said device straight out of the box.

A company should not have the ability to render millions of devices useless because they purposefully or accidentally shut off a provisioning service.

All this bullshit is so that Google and their enterprise customers save a few dollars.


> A company should not have the ability to render millions of devices useless because they purposefully or accidentally shut off a provisioning service

Isn't this considering a hypothetical scenario where somebody buys one of these phones, tosses it in a drawer for years, and only later comes back to discover the provisioning server is gone?

If you buy one of these phones it says it can be unlocked and you can't unlock it, Google is obligated to take it back for a refund or to eat a lawsuit from aggrieved customers for false advertising.


So how much of a premium would you pay for the alternate sku?


Even if you buy it yourself you don't get to own it before having google bless your device, which you can only hope they will.


Well, "hope" is doing a lot of heavy lifting here. Google is still very much bound by the law regarding advertising and declaration of utility of sold product. The law gives them broad leeway as to the implementation, but if they decided tomorrow "hey you know how you can unlock your devices that we advertised as unlocked on our store? We changed our minds, the devices sold can no longer be unlocked," that would be grounds at the very least for return with refund, and a lawsuit if Google didn't honor that.


except that their employer[0] doesn't own it either

[0] except for the employer being google in this case


You get to "own your device" after you connect it to the internet once, to make sure it's not pre-provisioned for enterprise use.


If the servers are running. If the servers deign to give permission to own the device you purchased. If they correctly recognize that this device is owned by the user. After I've purchased the device, the seller has no right to withhold ownership, and the existence of enterprise devices doesn't change that in the slightest.


If the process doesn't work then return it as defective.

Transfer of control isn't happening exactly at sale time but a few hours later isn't a big deal.

Though of course that depends on it staying unlocked.


This is incorrect. Have you considered that the delay between getting the device and getting it connected could be well outside of the return window or people could be purchasing them in countries without such consumer rights?

Smartphones aren’t only for the developed world.


Who buys a brand new phone but also has no internet connection for weeks? Do they have all the apps they need pre-downloaded? I don't think that's a big group.


Who said it has to be brand new to the end user? It might sit in a box for years getting sold back and forth as a commodity before anyone opens that box.


It usually takes about a month between the time I order something from the US and the time I have it in-hand. Last holiday season was about 2 months.

Never tried a return because I'd have to pay through the nose on shipping.


They specifically said a delay between getting the device and connecting it.

That's very unfortunate if you'd have to pay a return for a promised feature not working.


Have you ever heard of the concept of a “gift” or the even more exotic “person in a foreign country”? It’s shocking that the connectivity addiction is so strong that you’re even asking this question.


> Have you ever heard of the concept of a “gift”

If it's a normal gift, then the recipient won't have any roms or bootloaders they need to install. To get those they will need internet, at which point they can unlock the phone.

> or the even more exotic “person in a foreign country”

What's the problem? Are they buying a phone they won't get a plan for, and can't find anywhere with wifi, and they have no home internet? But they still want to unlock the boot loader because... why?

If that ultra-niche scenario is not what you have in mind, then please explain.


It's quite common for people from elsewhere in the world to buy electronics in the US, Europe, Japan, etc and then bring them back to their home countries for a fraction of the cost of what the official or unofficial importer(s) want. That's why you end up with all sorts of region-locking nonsense, companies trying to protect their importers who have a monopoly on distribution of a particular device.


You can unlock it before you go home.


And it depends on the user being willing to connect it to the (public) internet without a firewall in between.

I wonder if any of the countries that implement a country-wide firewall block this domain. That would disable bootloader unlocking for the entire country.


We're talking about a cell phone though, right? A device that sooner or later is going to be connected to a cellular internet that will track it relentlessly?

I'd imagine the demographic that is buying the cell phone and then not intending to use it as a phone is not one that Google is losing a lot of sleep over serving poorly.


What happens in 5 years when Google gets tired of running the server?


So you don't own it when you buy it. At best Google still owns it and they graciously allow you permission to change the bootloader after you submit to their terms of service. Also, better hope their servers are online and reachable, and that you have functional internet.


This is honestly the most overblown issue I've ever seen on HN. How many people are buying a brand new in box pixel to install a custom OS on and do not have an internet connection anywhere, not even a free public wifi? I'd be shocked if this impacts even a single person.

At this point it's being angry for the sake of it.


I can totally imagine a situation in which, in the future, someone buys a new old stock pixel phone and can't replace the OS because the bootloader can't be unlocked because the servers don't exist anymore.

A few years ago I bought a Nokia N900 which was at the time a 10 year old phone. I did this to use it as a daily driver.

Without community support the phone would have been useless. But, more importantly, if the phone required an internet connection to some server in order to let you replace the stock OS then it would have been a brick because Nokia's servers were long gone by then.

That being said, all things considered, the most important argument here is not of the practicality but the principle.

You handed over money for a piece of hardware but you can't make full use of the hardware until you let the phone talk to the manufacturer once. That's completely insane irrespective of how small of a perceived issue you think it is.


It's possible to care about issues that infringe on people's rights even if they do not affect you personally.


And then there is getting outraged on behalf of an imaginary person who might possibly be affected. A person who I doubt actually exists.


The best you can do is to consider it as part of the transaction of buying the device. If it fails for whatever reason, return the device.


Yes this is obviously the reason they do it. They don't want to have to flash different firmware for carriers, consumers, enterprises, etc. I think it's kind of reasonable.


As an Android engineer I can confirm we are lazy just like software engineers in other companies.


I wonder how this will work for Google. I can only speak for the Danish market, but when we (both private and public Enterprise) buy devices for business we tend to want the supplier to roll them for us. Apple and many Android manufacturers do this. At one point we had a bunch of iPads stolen, likely from someone on the inside since they were delivered and then promptly “lifted” from where they had been delivered by someone who had a key and knew where the cameras were. But since Apple has enrolled them for us, they are essentially dead devices. It’s been some time since I worked for the organisation, but when I was still there we frequently got calls from people who had bought the iPad “legitimately” calling us to get it unlocked.

Google might not care, since it’s not likely to consider the EU its primary market for these things, but I think they risk finding out that their being “lazy” is going to bite them in the ass.

Or maybe I don’t understand the bootlicking enough, and what I described above of having a Pixel turn on as “owned by organisation” is entirely possible with it.


Do you need to actively be connected to the internet while enabling bootloader unlocking, or does the phone merely need to have connected to the internet once at some point?

The latter seems reasonable to me in light of your point about enterprise enrollment. However, I'm confused by nelblu's post downthread[1], which describes using wifi to unlock used phones.

[1] https://news.ycombinator.com/item?id=35853135


According to "Locking/Unlocking the Bootloader" docs (https://source.android.com/docs/core/architecture/bootloader...), "(...) the user needs to boot to the home screen, open the Settings > System > Developer options menu and enable the OEM unlocking option (...). After setting, this mode persists across reboots and factory data resets.".

My guess would be that if OEM unlocking stays disabled, phone reverts to "greyed-out" setting after each factory reset (yeah, that would be an issue if Google suddenly decides to send Android to graveyard...). I believe actual bootloader unlocking happens inside fastboot mode, outside regular OS and without access to WiFi/cellular data - enabling OEM unlocking is only a prerequisite to actual unlock.


The title of the article is misleading. The author says the phone cannot be bootloader unlocked without first connecting to the Internet. Once they have connected they are able to unlock the bootloader.


The title actually is accurate for the Pixel 2. There are a bunch of those that nobody ever figured out how to unlock:

https://jacobhall.net/2022/01/29/000177/

https://support.google.com/pixelphone/thread/14920605/google...


The title is precisely correct, but it is easy to infer wrongly "and you can't enable it".


Which is what makes it misleading.


Possibly misleading indeed, but not wrong: the state that the phone is in at the moment ownership of the phone changes from Google to the customer has bootloader unlocking disabled.


I didn't find it misleading at all. In my mind, it implied that there's a solution - albeit not an ideal one.


I understood the title, but only because I already knew that Pixel phones were able to have their bootloaders unlocked, so I assumed there was some kind of bar that had to be jumped.

Support for LineageOS is a key issue for me in the purchase of a phone, so Pixels are desirable as a known quantity. I'm not too bothered about having to "do the thing" because so many other phone brands / models either can't be unlocked easily or aren't supported by LineageOS.

Other comments about Pocophone F1 being compatible with PostmarketOS puts that on my watch list.


[flagged]


The very next text in the article after what you quoted (following the image) is:

> I consider this a customer-hostile practice. I should not have to connect a piece of hardware to the Internet, even once, to use all of its features. If I hadn’t connected the Pixel 7 Pro to the Internet, then “OEM unlocking” would have stayed greyed out, thus I would not have been able to unlock the bootloader, thus I would not have been able to install GrapheneOS

The author then describes connecting the phone to a networking sandbox and monitoring its traffic, all the way through where they were eventually able to unlock it after giving it internet access.


> Have you read that part?

> >Google sold it to me with “OEM unlocking” greyed out.

> So no unlocking even with internet access.

Reading the whole article reveals that the option is enabled after providing internet access.


Overread that, my bad.


Have you read that part?

> If I hadn’t connected the Pixel 7 Pro to the Internet, then “OEM unlocking” would have stayed greyed out, thus I would not have been able to unlock the bootloader, thus I would not have been able to install GrapheneOS.


I got a Samsung S21 FE 5G as an award on a programming competition.

OEM unlocking wasn't even an option in the developer settings until I connected the phone to the internet and set the date to one month in the past (I assume this has something to do with the warranty -- you can't even unlock the bootloader right away).

An internet connection was required before even using the phone on the Android initial setup screen.

Apart from that, developer settings can't even be enabled before agreeing with Samsung EULA. Initial setup screen can be weirdly manipulated into opening settings (Accessibility, Additional apps, Live transcribe, Connectivity settings (only shows if there's no inet connection), back), but spamming the Build number does not enable developer settings.

Granted that I did not buy the phone, but it's still disgusting that such devices are being sold.


One thing I find very annoying about Samsung is that it tries to get people to use Bixby (Samsung's "Google Assistant") by remapping their phone's power button to Bixby. Due to the nature of my current project, I talked to many Samsung owners in their 50s and 60s who don't know how to turn Bixby off and, consequently, don't know how to, e.g., shut down or reboot their phones.


Another way of looking at it is they had a bixby button and a power button, and decided to remove the power button.


You can remap it back. Not to defend them, just FYI


I liked my Samsung phones but after a couple of them went end of life despite being very usable I am never buying one of their devices again and sticking with Pixel. There should be an Android code of ethics or regulation to unlock bootloaders of these devices when discontinued to minimize eWaste.


Why on earth would Google institute a policy that runs completely contrary to the cell phone industry's business model, making their devices as useless as possible as fast as possible?

It always cracked me up that Apple gets bashed for planned obsolescence when they support their phones longer than anyone else in the industry.


Apple got caught artificially degrading performance and battery life after a period of time. That really isn't "planned obsolescence" so much as it is "planned crippling".

Planning for a device's software to be unsupported after a certain period of time, ideally a predefined time made clear up front, is totally reasonable though. That just gets to the question of whether you own a functional phone or a block of hardware that is useful only as long as the company wants it to be.


That is not correct. Apple got caught degrading performance because the batteries were degrading.

This was when Apple was so focused on thinness that they used very small batteries. After a couple of years the batteries were not able to supply enough power to the SOC under full load, so Apple had to underclock the SOC to prevent the phones from crashing.

*I'm not saying that was OK. Apple absolutely should have explained what they were doing instead of hiding it. But after this happened it did force them to install bigger batteries in the newer iPhones.


Did Apple ever actually release details on specifically what they were seeing and how underclocking "fixed" it?

Lithium cells can have increased voltage sag, but they should have well over 1000 cycles before any noticeable decrease in capacity of voltage potential. Even then the total capacity might drop on the order of 5-15% and the voltage sag shouldn't be impacted.


I agree that they aren't exactly good citizens in the corporate sense, I'm all for regulation to step in if companies won't voluntarily do it. To your point Google does unlock their bootloaders so they seem OK with it for their devices?

There is some planned obsolescence in incremental improvement of technology but that is probably too slow for them (e.g. my S10/S11 lacked LTE, 5g, eSim...).


It had LTE. If you were without, it was the carrier.


Thanks for correcting that. I don't have the phone anymore.


Apple will never unlock your bootloader though?


Apple gets bashed for using hard-to-repair designs and creating unnecessary e-waste and rightly so.


At this point it's simply not devices that are being sold, but the package device+software. There simply isn't a market for android-capable devices only.


Honestly be glad that Google still allows bootloader unlocking. And the WiFi requirement is very small, and the article is overblowing it.


Yeah, the state of affairs with Google is better than any other mainstream vendor.

It seems lame that you have to phone home to unlock a new device, but it's nothing compared to what they could be doing.


OnePlus has no such restrictions that I've seen, from the One to the 8T. I haven't heard of them locking down newer ones either. You just run the usual command to unlock the bootloader, no funny business. I've run a custom ROM on all of them that I've owned.


OnePlus actually required an account to unlock the boot loader on one of the devices I owned. You had to log in and submit a request for unlocking.

Perhaps they aren't all this onerous, but that really put me off of them.


OnePlus also doesn't allow enrollment of custom signing keys like Pixels do so they're objectively worse for your ownership even if they don't phone home.

Their security patch and update support for hardware is also abysmal.


> It seems lame that you have to phone home to unlock a new device, but it's nothing compared to what they could be doing.

My guess is that it's protection against stolen hardware? They can basically ban S/N of stolen phones, and the thieves can't unlock the bootloader and resell the device.

But yeah, it seems like a reasonable thing. Out of all the vendors, Pixel phones are by far the easiest to unlock, seems like a weird thing to complain about.


If Sony counts as mainstream vendor, the bootloader is unlockable and they even provide instructions on how to build and flash your own Android! https://developer.sony.com/develop/open-devices


> To unlock your device you need an unlock code

This appears strictly worse than Google.


It's precisely the same as with Google, just that Google does it directly via an API call and Sony does it with you manually typing the code.


Having to find a website, find identifiers from ones phone, go through the form, and enter the unlock code is a non trivial barrier to entry.

There is a huge difference between the two approaches.


Yeah, Sony's is the better approach because it doesn't force me to connect the device to the internet. Both are deplorable practices.


For all we know it's just Google activating the device to ensure it wasn't stolen and reflashed with another OS. Apple requires a device to be activated before it's usable.


That likely is exactly what's going on. That raises the question though if you really bought a functional phone or not - you may have paid for it but even then it only works if the company is still supporting it and allows you to use it.


Agreed. It's fine for most cases and keep security and anti-fraud. If they are serious privacy phobia, I don't know why they want to buy Google products.


Counterintuitively, Pixels are great for "serious privacy phobia" people, as they are one of few phones that can be flashed with a custom OS and have the bootloader locked. GrapheneOS only supports Pixels for this reason.


Yeah, I can see where this isn't ideal in principle, but in practice it's completely insignificant for 99.99% of users. I unlocked my Pixel phone first thing and I never even noticed this requirement. It's not like you were planning to buy a flagship smartphone and then not connect it to the internet.

If you're really worried about Google installing something sinister, it's already too late--they made the thing, they could have installed whatever they want at the factory. Anyway if you're installing a custom OS it's trivial to wipe on install.


ELI5 - everything about a phone only works when the carrier allows it to connect to the network.

So, the way this is done is to, well, connect to the network and allow the phone to be unlocked - which according to the article is what happened?

So the real complaint is that the Pixel can't be loaded with a customized Android OS (or Linux, etc.) without being connected to the internet first and this is bad because the vendor might put bloatware, spyware, etc. on the phone, which, once you install your OS will be gone anyway?

OK, well then other than the underlying hardware needing to still be recognized on the carrier's network, which pretty much means you still have to be connected. The point is you aren't going to be stealthy using the carrier network on a phone, so at the EOD you have a pretty expensive device you can really only use on WIFI using your own VPN without the Vendor's software.

So what's the advantage over a small tablet based on OTS SOC hardware that you have full control over? IOW why buy the phone in the first place?


One issue for this process that I have seen when talking about the Pixel is:

- ***You can't actually back up your Pixel***

It's enormously frustrating, because this is the typical advice before moving to a different OS. But apparently, actually mounting the device or seeing it via `lsblk` is from what I can tell impossible. I tried for a while to simply make a direct image with `dd` to try out other OSes etc but I couldn't even figure out a way to mount it, or in the cases it could be mounted it was using some insanely stupid fuse fs that was specifically made to be difficult to use. They want you to use some ridiculously complex and idiotic idea that revolves around using the cloud for backups, which I couldn't figure out precisely what was done because it isn't open source, so I refuse to use it. It's insane that you can't just `dd if=/dev/sdX of=phone.img` or something simple.


Yep. It was fun while it lasted, but I expect none of the manufacturers will support hacking or mods on these devices in the future because there's too few people doing that compared to the masses they want to sell to, and they have zero time or money to train technical support staff. They want to sell you an appliance that can't be repaired, has planned obsolescence and locks you into the platform by (effectively) keeping your data hostage.


Well, this isn't necessarily about hacking - it's about backing up a phone too. Google doesn't allow backing up a phone in any reasonable way.


If you actually care about FLOSS on your phone, you might be interested in trying a GNU/Linux phone (Librem 5 or Pinephone). Those have no restrictions on mounting or alternative operating systems.


Yeah, those are excellent choices when purchasing, but when you already have something and are trying to use it - you should be able to.


> this is bad because the vendor might

Because the vendor can anytime say 'fuck you' and disable/remove the process which allows unlocking the bootloader.

Edit: already happened with Pixel 2: https://news.ycombinator.com/item?id=35854552


So anyone who has already unlocked their Pixel 2 is good to go right? Getting the latest Pixel unlocked requires an internet connection, but once done it's done.

So the complaint is that in the far future the vendor might not support that on a six year old phone (by that time)? But, it is supported now, so what's the beef?

My old Pixel 2 only works now plugged into power and on WIFI because the battery is dead. I can get super-pissed off at Google for not supporting battery replacement on the Pixel 2, but it's a 6 year old phone. How long should I expect them to support it knowing at the time about the sealed battery. I can't get that pissed seeing as I bought it knowing the facts at the time :)


I mean, not being able to unlock your Pixel 2 is a pretty legitimate concern.


> So anyone who has already unlocked their Pixel 2 is good to go right?

So anyone who hasn't is fucked and you are fine with that?

> So the complaint is that in the far future

It's not a far future. It's already happening. And if decades ago it took up to years for a company to stop providing the services (or existing as a company) nowadays it takes mere weeks from the announcement.

And this is still not relevant to the problem - you can't do what you want with the device you paid full price for.

It's always amusing to hear people like you who defend the corporate behemoths at the expense of Regular Joe. "Embarrassed millionaires" vibe.


supporting something and not spending extra effort to block it are two different things, google only needs to do the second one here


I believe the real complaint here is that you can't buy and use a Pixel at all without ending up as a row in Google's database that may include hardware identifiers, network details, your location, your phone number, etc.

When buying a phone directly from Google you are indeed buying the hardware but you don't actually own the software. The OS will work only if Google still supports it and allows you to use it. The article is raising the point that even if you don't want to use Google's software and instead want to jump straight to your own OS installation you can't avoid their OS initialization steps and any network traffic sent back to Google first.


Basically this is done to ensure that the phone isn't locked by the carrier, meaning if you buy the device directly from Google you can still unlock the device by connecting to the internet. Yeah, it sucks, yeah, you own your device less in a way, but I'm happy they still let you do it.

I sent a support message a while back asking about it on the Google store thing - and they said it was unlocked. I installed GrapheneOS today on the Pixel 7 actually, and was surprised to read that you had to connect it to the internet just to unlock it. It's strange.

I enjoy grapheneOS so far though.

Edit: if you get the phone through an upgrade with your provider's plan it will most likely be locked. There are some threads on GrapheneOS' forum about which ones do or don't lock the phone.


carrier locking is a separate thing from bootloader locking


So my choices are locked or locked?

This is why I ordered my last phone from Hong Kong (and convinced the seller to take Bitcoin for it https://news.ycombinator.com/item?id=25598831).


> So my choices are locked or locked?

Not really. Your choices are:

- Locked by your carrier if they lock it, annoy support to get them to take it off

- Bought directly from google, can be unlocked.


No, buy it from Google or at retail and it will be unlocked. Buy it from Verizon and it won't be.


> I bought a Pixel 7 Pro from store.google.com (Canada) ... being sold “unlocked” by Google

Carrier-locking is not permitted in Canada, so all the discussions about where the phone was bought and that the full price was paid are immaterial.


But carrier locking is irrelevant, as the article is about bootloader locking.


It is relevant because the excuse made for disabling bootloader unlocking is that unlocking the bootloader can defeat a carrier lock. They are interrelated.


I thought so too, but in order to show that the device was sold as unlocked, the article has a footnote (#7) about carrier unlocking.

> Keep in mind that I bought this phone full price [6] from store.google.com, where it was advertised right in the FAQ as an “unlocked smartphone” [7]


Is that correct? Phones purchased via carrier are locked to the carrier. The customer has the right to unlock it after the purchase, but the default state of the phone is locked, is it not?


> (CRTC) today announced that as of December 1, 2017, all individual and small business wireless service customers will have the right to have their cellphones and other mobile devices unlocked free of charge upon request. In addition, all newly purchased devices must be provided unlocked from that day forward.

https://www.canada.ca/en/radio-television-telecommunications...

https://www.cbc.ca/news/business/crtc-wireless-code-cellphon...


If I wanted to buy a new phone that I could root, install a custom ROM on, and use without voiding the warranty, what's the current best bet? One Plus used to be pretty good, but they've gone down in freedoms and up in price. Samsung are an obvious no. The entire design of the iPhone is specifically aimed at keeping the user out of it. Linux phones aren't usable yet. The shop on the /e/ foundation website seems to be selling flashed Samsung devices.

Is there an alternative?


Motorola has an automated process where you send them the phone serial number or something like that and they'll send you back a code that can be used to unlock the bootloader.

I'm on a Moto g100 that I bought last year, originally intending for it to be a temporary phone while I found a flagship that I actually liked, but it's really grown on me. It has most of the features I was looking for, in particular official LineageOS support, and a microSD slot. I think I might just stick with it.

The other one I had been seriously looking at is Sony's Xperia lineup, but the current and previous generation have had overheating issues. I think their bootloader unlocking process is similar, though.


Is this better than Pixel’s process? Seems like it’s basically the same thing since you need to send them your device details over the internet?


I should clarify: while it's automated from the Motorola side, it's still a bunch of manual steps for the device owner. You have to create an account and have a desktop PC involved, and if I remember right, Motorola gives you a bunch of nonsense about voiding the warranty. It's strictly worse than Google's process.

I think OnePlus is the only one that might be better than Google. But they've been disappointing me in other aspects recently.


Generic Chinese Androids might fit. There's still many with features that mainstream manufacturers have started removing like expandable storage, removable battery, and a headphone jack. Of course there's no voiding the warranty, because there isn't one to begin with.


Pixel with GrapheneOS — you can reflash it back to PixelOS the same way, no harm done.


Pinephone Plus is a decent option, but you will be underwhelmed by the camera.


Are you using it as a daily driver? Seems like every time I look into Linux phones, there's always been some fundamental bit of functionality that wasn't working yet, like waking from sleep for phone calls. Are we beyond that now?


I'm using Librem 5 as a daily driver. Calls, texts work fine. The battery life is just about 10-12 hours, since suspend is still experimental. But it is progressing: https://forums.puri.sm/t/status-of-suspend-for-librem-5.



The next level page on "unlock the bootloader" immediately states (a) they'll charge you a significant fee if you make a warranty claim – even if it's for a hardware defect; and (b) the following "gem" of shitty DRM:

> Certain pre-loaded content on your device may also be inaccessible due to the removal of DRM security keys. For devices running recent software versions, for instance Xperia Z3, the removal of DRM security keys may affect advanced camera functionality. For example, noise reduction algorithms might be removed, and performance when taking photos in low-light conditions might be affected. The secure user data partition may also become inaccessible, and you will not be able to get any more official software upgrades if you unlock the bootloader.

Thanks for the thought though. I like that they have a page at least.


Can you elaborate on your OnePlus comment about less freedom? Last I checked you could still unlock the bootloader and flash LineageOS right away.


I bought the 9 Pro instead of the 10 Pro, because there is no (even unofficial) Lineage build yet. Apparently they stopped supporting a tool that was needed for ROM development.


> Request to Google: ungrey the “OEM unlocking” toggle in the factory, before shipping store.google.com devices to customers. Do not make your customers connect the device to the Internet before they are allowed to install the operating system they want.

That won't happen. I can think of two big reasons off the top of my head:

1. Supply-chain attacks, someone gets a hold of the phone before it gets to you and unlocks the bootloader and then proceeds to modify or install another OS.

2. Warranty reasons, very likely they want to have it phone back and send a record that it was unlocked so they can deny warranty in cases where user damaged the device through software.


3. anti-theft. AFAIK the way that anti-theft features are implemented in android is that the owner's google account information is stored on a partition that survives a wipe, but the actual enforcement of the anti-theft feature is done by the OS itself. If you flash a third party os (eg. grapheneos), you can bypass it. Having phones being "unlocked" in the warehouse or during shipment increases their value to thieves, because they can easily bypass any anti-theft features.


The two reasons are invalid for Pixel phones:

1. Pixel phones display an "unlocked bootloader" warning (which can't be disabled) during boot. In case it is re-locked with an additional signing key installed (Pixel-s are literally the only phones which you can do this currently in the market), a similar screen with the SHA256 hash of the public key is displayed.

2. Unlocking does not void warranty.

The only reason Google is doing this is they do not want to have two separate SKUs and pay extra cost to configure each phone physically as unlockable or not in the factory.


I don't think the average user would understand what "unlocked bootloader" means, and may even mistake it for a feature or enhancement.

It is a supply chain risk. The Android & Pixel teams walk a fine line here: they risk upsetting an important (but small) user group if they change the language and defaults to "THE BOOTLOADER IS UNLOCKED: USE AT YOUR OWN RISK" or even stronger language and shipping these devices to end users.


The unlocked bootloader warning screen isn't very different from what you described [1]. It says:

> The bootloader is unlocked and software integrity cannot be guaranteed. Any data stored on the device may be available to attackers. Do not store any sensitive data on the device. Visit this link on another device: g.co/ABH

It's already pretty strong language (and very accurate! which is a rare combination).

[1] https://www.androidauthority.com/wp-content/uploads/2018/10/...


Ah, that's much better than the thread had me believe!

Kudos to the security folks at Google.


That's actually not exclusive to Pixel phones. The custom signing key part probably is, just because no other phone allows you to lock the bootloader with a custom key. But the "bootloader is unlocked" screen is built into AOSP


> 1. Pixel phones display an "unlocked bootloader" warning (which can't be disabled)

Yet. Other manufacturers have the same warning and have had them disabled. (I did it to one of my older moto phones a few years back)

> 2. Unlocking does not void warranty.

Not by itself, but having a signal in place that it was unlocked lets the manufacturer look for common problems caused by doing things like flashing the wrong device images to critical partitions (go search around a bit for people corrupting EFS on their phones).

Critically Pixel devices do not have a debrick tool that's leaked, at least not for the Qualcomm-based Pixel devices. This means that a brick on any of those partitions means the phone needs a trip back to the depot or a service center that has these tools. Can't be fixed by end-user. Maybe this situation has changed for the Tensor/Samsung pixels but the point is screwing up your device due to flashing incorrect images shouldn't be something the manufacturer needs to foot the bill on.


> Maybe this situation has changed for the Tensor/Samsung pixels but the point is screwing up your device due to flashing incorrect images shouldn't be something the manufacturer needs to foot the bill on.

Then maybe the manufacturers should be more forthcoming with making said tools available to the public, such that they don't have to foot the bill for said mistakes to be corrected.


> someone gets a hold of the phone before it gets to you and unlocks the bootloader and then proceeds to modify or install another OS

Doesn't the splash screen clearly show some scary warning when the phone was unlocked?

> very likely they want to have it phone back and send a record that it was unlocked so they can deny warranty in cases where user damaged the device through software

So burn an e-fuse like Samsung does.


It definitely does. Anytime you reboot under graphene you see what looks like an error message with a web address to visit for several seconds from the phone, before the OS loads.


You don't have access to the data that's sent to Google when you connect the phone to the internet, so how does that help you mitigate or at least be aware of a supply-chain attack? Conversely, if you got a brand new phone, the bootloader is supposed to be locked, so wouldn't you immediately be aware of tampering if it wasn't?


I swear it's been a clause in their phones since they were called Nexus instead of Pixel where you breach the warranty when you unlock the bootloader. I never bother anymore but when I used to swap the Android versions myself I recall running into something saying as much.


> breach the warranty when you unlock the bootloader

Under the Magnuson-Moss Warranty Act in the USA, activities such as unlocking the bootloader, launching a service menu, removing a sticker or opening a case cannot by themselves void a device's warranty.

If I understand correctly, in order for the warranty to be voided, it is the manufacturer who has to prove that what you did to the device has indeed damaged it or made it otherwise unsuitable for further warranty service.

Unlocking the bootloader is a reversible action. The phone might implement some one-way unlocking mechanisms though. For example, a fuse which needs to be blown. Or some encryption chip whose private key needs to be erased while a new valid private key can only be generated by the manufacturer. Then it would be a process that is irreversible for a regular customer.

That being said, undertaking such activity would only result in some control mechanism being triggered and some software flag being set. It might be permanent, similar to you scratching the case of your phone. But that does not mean it makes the phone unfit for warranty service.

The phone's functionality would remain unaffected.

It would be on the manufacturer to prove that the presence of a flag indicating an open bootloader is in some way detrimental to the device's functionality.

There might be similar laws elsewhere.


I don’t think that clause would be enforceable because of the Magnuson-Moss Warranty Act.

They can’t deny warranty coverage because of a user modification unless they can prove the modification caused the damage?


2 is probably not legal. The onus is on a manufacturer to prove that the customer's changes caused damage sufficient to negate their warranty responsibilities.


When you buy a new car they have the VIN of the car and log any recall repairs done. So not sure how you think the same wouldn't be legal on a phone?

Having a device in their database as NEVER_UNLOCKED takes away any onus from having to look for this in the first place for a large % of users.

Additionally this is kind of important for a company that's had a history of selling devices with hardware defects. It'd be very useful for them to know the RMA rate and whether damage was caused by such a defect or whether it was from a 3rd party software issue.


Maybe make a phone that cannot be bricked by any software? A phone that can always be reset to a clear state with a factory reset?

I'd argue that it's possible in 2023.


The PinePhone can boot from an SD even if the eMMC install isn't working, so it kinda fits the description. You can either run an OS from the SD or boot an image to fix/reinstall on the eMMC.


Maybe not a great example. The PinePhone relies on software to manage its battery charging parameters. Thermal limits are controlled entirely in software and sent to the PMIC by the kernel, if this isn't done correctly or at all it's not just possible to have a brick, but a flaming brick. Another post on the matter: https://xnux.eu/log/#017


While this is absolutely true, and it should never have been implemented this way, I have been following the topic very closely and have not come across a single report of a flaming PinePhone in over three years. With five-digit numbers of PinePhones out there in the hands of people who don't know what they are doing, this IMHO thus is fortunately mostly a theoretical issue.

BTW: PINE64 did better on the PinePhone Pro, and (since it's also going to be Rockchip (RK3566) based in all likelihood) is unlikely to replicate the mistake on the PinePhone 2.


It's pretty common. Apple Silicon devices (at least) have a BootROM feature to pull a signed boot image over USB which can be used to provision the device from a blank flash.


> Having a device in their database as NEVER_UNLOCKED takes away any onus from having to look for this in the first place for a large % of users.

Which court case are you citing?


Why would I cite a court case here? I just cited a very common scenario in a better regulated industry. If you have concerns over legality, why don't you cite some law or examples that illustrate why you think this wouldn't be legal?

Collecting that data is about not wasting time looking for issues caused by unlocking and not grouping unlocked device issues in with locked device issues.


As usual, security is used as an excuse to lock down more than is necessary. To prevent the supply chain attack you mention, the boot lock just has to be tamper evident, such as showing a "Bootloader unlocked" message during boot. As is already the case in some phones. Additionally, a way to reset to a factory-verified state could undo such an attack.

Warranty could also easily be achieved by flipping a non-reversible bit that the phone was unlocked at least once. Though even if it couldn't, warranty troubles are not a justification for user-hostile behavior. If it were, they'd use it for all sorts of invasive logging/spying with the excuse they have to know if you used your phone in a way not covered by warranty.


Pixels are locked down a very tiny bit, and I don't think this is some kind of dystopian over-reach with security as an excuse. For all the security listed in this thread the whole "I must connect to the internet once" problem is a very fair tradeoff from the user's perspective.


And what happens when that server on the Internet stops authorizing bootloader unlocks, or disappears entirely?


This would only be a problem not when you first buy the phone but only if you buy a very very old used phone that has never had the OS replaced and google has exited the phone business and if you wanted to replace the OS.


Unlock it just after you buy it.


One of the problems with this is that Google can change the behavior at any time. We have no shortage of examples of big tech companies changing something that's valuable to users because it no longer aligned with their business goals.


The internet is not a thing you connect to, what you must actually do is register your intent to disable the bootloader with an adversarially controlled server, and that server must respond with a yes.


If the root comment is to be believed, this (connecting via the internet to Google's servers), is required to provide additional security. I'm just taking that as true and deciding that connecting to the provider of my phone's hardware and software _once_ as a purchaser of their hardware, is fine for me. I also imagine it's not too burdensome for others.

Scenarios in which that's not possible are hypothetical (disaster, totalitarian takeover, alien invasion, sudden policy change), and I'm fine calculating that into the risk calculus and deciding that, yep I don't mind driving home and unlocking it the same day I bought it and praying nothing changes in their policy during the drive.

That's basically what I did. We can disagree on this, but it has worked out OK so far.


> Pixels are locked down a very tiny bit

Other people might instead say "Pixels are locked down."

> I don't think this is some kind of dystopian over-reach with security as an excuse.

Why?

> "I must connect to the internet once" problem is a very fair tradeoff from the user's perspective.

Speak for yourself.


> Speak for yourself.

I am, that's what a "comment" is.

And the second (I don't think...) follows from the first (very tiny bit). I'd just be repeating myself.

This is opinion-based. We just disagree, that's fine.


In return for this feature a class of lower income users are able to buy hundreds of millions of phones and pay for them over an extended period using monthly payments on their phone account. This is the trade-off Google makes.


> "I must connect to the internet once" problem is a very fair tradeoff

Very fair. All Google requires is this: a simple offering of earth and water. A token of submission to its will.


It is already the case with Pixel as others have described. https://www.androidauthority.com/wp-content/uploads/2018/10/...

And the warranty thing is moot, unlock does not void Pixel's warranty


> where user damaged the device through software

The fact this is even possible means the device is already broken straight out of the factory.


If I'm honest I don't see the big deal with this practice.

a) You can unlock the device

b) You can connect via WiFi, why is the device 'phoning home' such a big deal when it's brand new and has no data on it?


But what if I live somewhere remote without internet access? Such a simple thing as using the phone shouldn't be impossible.


How does a phone work in a place without any reception/internet?


local wifi? local lte? The degree to which HN fails to consider most environments other than SF is appalling.


I have a much older Google phone, a Verizon sold Pixel 2 which is not unlockable even after connecting to the internet. I got the phone second hand hoping to run LineageOS but I couldn't, so I just left it on my drawer. They really need to put an end to this ewaste generating policy. I should be able to do what I want with my device.


Yup, I am quite annoyed too with this practice. I have had 3 Pixel phones and the first thing I do is to unlock and flash CalyxOS or Graphene. Since I always purchase used phones only, I just make it a practice to buy them in cash and unlock at a public WiFi.


I just got myself an old used Pixel phone as a daily driver, and I intend someday to flash it with a lineageOS. It already was somewhat tricky for me, at my skill level, to successfully do this on "ordinary" devices (Nexus 7 and Pixel C tablet), and it seems like getting the Pixel to truly unlock is going to be an added layer of complexity.


Not sure if there is an equivalent for LineageOS but GrapheneOS offers an almost completely automated flashing process in Chrome via WebUSB and gives instructions for the actions you need to take on the phone itself when necessary throughout the process (on my Pixel 4a I just needed to press volume up and power to unlock the bootloader when prompted by the installer).

The whole process was amazingly easy when I did it and took less than 15 minutes.


"Here is the rest of the network activity, all of which is TLS-encrypted by keys buried in the stock Google operating system, and thus not controlled by the device purchaser:

   Hostname                              Downloaded to phone  Uploaded from phone
   storage.googleapis.com                383 MiB              8 MiB
   fonts.gstatic.com                     137 MiB              3 MiB
   afwprovisioning-pa.googleapis.com     18 MiB               1 MiB
   www.gstatic.com                       8 MiB                287 kiB
   googlehosted.l.googleusercontent.com  8 MiB                345 kiB
   ota-cache1.googlezip.net              3 MiB                175 kiB
   dl.google.com                         3 MiB                86 kiB
   instantmessaging-pa.googleapis.com    1 MiB                300 kiB
   www.google.com                        46 kiB               24 kiB
   ssl.gstatic.com                       25 kiB               3 kiB
   ota.googlezip.net                     17 kiB               6 kiB
   digitalassetlinks.googleapis.com      17 kiB               4 kiB
   clients.l.google.com                  14 kiB               7 kiB
   gstatic.com                           13 kiB               3 kiB
   mobile-gtalk.l.google.com             8 kiB                1 kiB
   mobile.l.google.com                   5 kiB                1 kiB
   lpa.ds.gsma.com                       5 kiB                4 kiB
   connectivitycheck.gstatic.com         3 kiB                3 kiB
   app-measurement.com                   1 kiB                0 bytes
   time.android.com                      180 bytes            180 bytes
Only Google knows precisely what all that data is and what it is used for."

Why should the owner of the computer be allowed to see what is being sent to Google? (Maybe the strange folks at Google cannot think of any reasons.)

Who pays for transport of the data to Google? (Is there any reason Google should not pay?)

Putting the data sent aside, there is the question of whether the computer owner should have a choice in whether they want to send it, and there is the fact that these unauthorised connections are all pings to the mothership.

Using NetGuard, it's possible to block all these connections without rooting or installing GrapheneOS. It's also possible to log all the DNS lookups and attempted connections, without rooting or installing GrapheneOS. The log will indicate which software is making the connection attempts. One can also create PCAP files showing the patterns of network activity, again without rooting or installing GrapheneOS. It's relatively easy to determine what connections are actually necessary for the computer to work as desired.

After installing GrapheneOS, I wonder if it is possible to selectively stop connections to GrapheneOS servers. There are probably some connections to Graphene servers enabled by default.

Would be fun to compare PCAP files from a device running NetGuard versus one running GrapheneOS.


I'm generally not a fan of bigger government, but we need to legislate to death the practice of companies sending your data off without transparency and consent.


> After installing GrapheneOS, I wonder if it is possible to selectively stop connections to GrapheneOS servers. There are probably some connections to Graphene servers enabled by default.

This is actually extensively covered in the GrapheneOS FAQ:

https://grapheneos.org/faq#default-connections


Who gives a shit? If it's a new phone it has none of your data on it, and you're just about to wipe the OS and install one which respects you much more. No harm done.


"Who gives a shit?"

Google does. That's why Google's code is forcing a computer owner to connect to the internet using a Google OS before installing an OS that the owner chooses. The customer has paid, title has been transferred, the computer is no longer Google's or the carrier's property. If Google or a carrier does not get to collect some data after purchase, then no harm done.


Not only is the title misleading and click-baity (connecting to wifi is the only pre-requisite), the format of the blog doesn't format correctly (text and media is cut off on the right). Maybe spend less time writing misleading articles and more time fixing its viewability?


I got sick of this malarkey years ago with HTC.

Oneplus phones just unlock when told 'OEM unlock' over the adb. No big brother home to phone, no bullshit begging for the rights to my device. If I decide to unlock it the worst I get is a nagscreen at boot with a scary warning about security.


> Only Google knows precisely what all that data is and what it is used for.

What data? It is a new phone, you don't have any data on it yet. Whatever data Google is collecting is the data they put in it.


Location data, Wi-Fi (B)SSIDs passwords, information about other devices in your LAN.

The Wi-Fi BSSID alone is enough to pinpoint someone's exact location.


Sounds like something a public wifi or a vpn can solve. Then you can wrap your phone in a tinfoil if you wish.

I am being a bit unfair to the author. Is this a problem? Yes. But then the author is also stretching the definition of personal data.


In case anyone is curious which Android components are responsible for this:

* There are 3 boolean states:

    1. whether the bootloader is unlocked
    2. whether the bootloader unlocking ability is enabled by the user ("OEM unlocking" toggle)
    3. whether the bootloader unlocking ability is allowed to be enabled (carrier restriction)

* The Android Settings app grays out the "OEM unlocking" toggle if `isOemUnlockAllowedByCarrier()` returns false [1].

* The state of `isOemUnlockAllowedByCarrier()` is changed by a call to `setOemUnlockAllowedByCarrier(boolean allowed, @Nullable byte[] signature)`, which is done by the `android.apps.work.oobconfig` package (/product/priv-app/OTAConfigNoZeroTouchPrebuilt/OTAConfigNoZeroTouchPrebuilt.apk) on the Pixel's stock firmware. This is the same package that handles the Android Enterprise zero-touch provisioning. It's not obfuscated and can be trivially reverse engineered. Prior to the December 2022 update, it was actually possible to bypass the check just by disabling this package via `pm` [2]. This is now blocked both by [3] and also the bootloader's requirement of a signed blob to lift the carrier restriction. This package is also responsible for preventing the removal of the carrier restriction (for the bootloader) when the SIM is locked.

* The Android framework talks to `android.apps.work.oobconfig` at all because the stock firmware ships an overlay (/product/overlay/framework-res__auto_generated_rro_product.apk) that contains `<string name="config_deviceProvisioningPackage">com.google.android.apps.work.oobconfig</string>`.

* The communication with the bootloader is done via the `oemlock` HAL: /vendor/lib64/android.hardware.oemlock@1.0-impl.nos.so. Its implementation of `setOemUnlockAllowedByCarrier()` seems to require a signed blob from Google (passed in from `android.apps.work.oobconfig`) before the state of the setting can be changed (see: `carrierUnlockFromSignature()`). Once unlocking is allowed, the setting is persisted by the bootloader unless something calls `setOemUnlockAllowedByCarrier()` again to disable it. Without the carrier restriction, the bootloader allows the user to freely toggle the "OEM unlocking" state.

I don't know for sure since I haven't tested, but I believe even SIM-unlocked Pixels purchased from the Google Store use this "carrier" restriction mechanism. It's just that when the device asks Google's servers for the signed blob to lift the carrier restriction, it's always granted. (EDIT: Though there are reports that refurbished devices from warranty claims for bootloader-unlockable devices may sometimes have a carrier restriction that Google's servers don't allow removing.)

[1] https://cs.android.com/android/platform/superproject/+/andro...

[2] https://nvd.nist.gov/vuln/detail/CVE-2022-20611

[3] https://android.googlesource.com/platform/frameworks/base/+/...
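
The gating described in the comment above, as a small Python model added here for illustration; it is not code from AOSP, the Pixel firmware or the commenter. The class, `provision()` and `issue_unlock_blob()` are hypothetical names, HMAC-SHA256 stands in for the signed-blob scheme (which the page does not describe), and binding the blob to a device id is an assumption.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed stand-in for the vendor signing key. The real blob format and
# algorithm are not described on the page; HMAC-SHA256 is swapped in only so
# the model runs with the standard library.
DEMO_VENDOR_KEY = b"constructed-demo-key"


def issue_unlock_blob(device_id: str, key: bytes = DEMO_VENDOR_KEY) -> bytes:
    """Hypothetical server side: sign a 'lift carrier restriction' grant.

    Binding the grant to one device id is an assumption of this model.
    """
    msg = b"allow-oem-unlock:" + device_id.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class OemLockState:
    """The three booleans from the comment, with the gates between them."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.bootloader_unlocked = False  # state 1
        self.enabled_by_user = False      # state 2: the "OEM unlocking" toggle
        self.allowed_by_carrier = False   # state 3: carrier restriction lifted

    def set_oem_unlock_allowed_by_carrier(
        self, allowed: bool, signature: Optional[bytes] = None
    ) -> bool:
        if not allowed:
            # Model assumption: re-imposing the restriction needs no blob.
            self.allowed_by_carrier = False
            return True
        expected = issue_unlock_blob(self.device_id)
        if signature is None or not hmac.compare_digest(signature, expected):
            return False  # missing or foreign blob: state is left unchanged
        self.allowed_by_carrier = True  # persists until explicitly cleared
        return True

    def toggle_greyed_out(self) -> bool:
        """What Settings shows while the carrier restriction is in place."""
        return not self.allowed_by_carrier

    def set_oem_unlock_enabled_by_user(self, enabled: bool) -> bool:
        if enabled and not self.allowed_by_carrier:
            return False  # the user cannot enable a greyed-out toggle
        self.enabled_by_user = enabled
        return True

    def flashing_unlock(self) -> bool:
        """An unlock request succeeds only when states 2 and 3 are both set."""
        if self.allowed_by_carrier and self.enabled_by_user:
            self.bootloader_unlocked = True
        return self.bootloader_unlocked


def provision(
    state: OemLockState,
    sim_locked: bool,
    fetch_blob: Optional[Callable[[str], bytes]] = None,
) -> bool:
    """Model of the provisioning package: fetch a blob and hand it to the HAL.

    fetch_blob is None when the device has never been online; a SIM-locked
    device never has its restriction lifted.
    """
    if sim_locked or fetch_blob is None:
        return False
    blob = fetch_blob(state.device_id)
    return state.set_oem_unlock_allowed_by_carrier(True, blob)


if __name__ == "__main__":
    dev = OemLockState("DEMO-SERIAL-0001")  # constructed device id
    print("fresh, offline: toggle greyed out =", dev.toggle_greyed_out())
    provision(dev, sim_locked=False, fetch_blob=issue_unlock_blob)
    print("after one online check-in: greyed out =", dev.toggle_greyed_out())
    dev.set_oem_unlock_enabled_by_user(True)
    print("unlock request accepted =", dev.flashing_unlock())
```

The model makes the thread's dispute concrete: the device cannot leave the restricted state on its own, so whoever signs the blob decides whether the toggle ever becomes usable.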


> Though there are reports that refurbished devices from warranty claims for bootloader-unlockable devices may sometimes have a carrier restriction that Google's servers don't allow removing.

Yep, this happened with my Pixel 2: Bought it directly from google, the usb-c port stopped working after a while, so I sent it in for a repair. I cannot unlock the bootloader on the phone they sent me back, so it's basically just e-waste now.


This isn't great, but what they did with the Pixel 2 was far more egregious - they permanently locked the bootloaders of any phone that came back from a warranty repair.

It really soured me on the Pixel line, I'm not sure I'll ever buy another one.


Seems likely they simply don't sell enough full-cost unsubsidised phones direct to consumers to warrant a separate firmware for that stream. Not surprising, phones are expensive these days, and almost everybody is on a contract for their SIM anyway, so why not get it from the carrier?

I don't, but I know I'm the weirdo. The only other people I know who buy phones outright are my brother because he keeps dropping them and smashing them, and a mate who buys my old iPhones when I upgrade every 2 years or so because he knows I look after them.


i was just considering switching to android after hitting “you’ve created too many apps in the last 7 days” and couldn’t build a project in xcode. glad to see that would be a waste of time and that everything sucks.


So you are using an iOS device with a completely locked bootloader but a device phoning home before it unlocks the bootloader is unacceptable?

You have an odd definition of "everything sucks" in android land.


"everything sucks" as in "you have to connect your phone to the internet once"?


Everything sucks, but not in the same amount.


Oh come on now, it’s common knowledge that Pixel phones need to contact fonts.gstatic.com and download 137 MB of fonts in order for the bootloader unlocking option to be made available :-)


How else do you expect they get your device on a surveillance list? Or do people honestly believe that the 0.001% of mobile phone users that unlock their bootloader for custom operating systems are not subject to additional scrutiny by big brother? NSA flagged Linux Journal as an "extremist forum" and flagged readers for extra surveillance - and that was a decade ago.


I think at this point Big Brother has the processing power to scrutinize everyone all the time anyway. It's naive to think that you were in any way off their radar before you unlocked your phone.


Perhaps, but deviating from social norms and ubiquitous technologies multiplies scrutiny. Most efforts made to boost privacy actually often have the opposite effect, but this is a subtle nuance few will understand.


This does not make any sense. GrapheneOS supports all pixel phones. In fact, they support pixel phones only.

I am thinking of buying pixel just for this.


Bootloader unlocking is disabled until you connect to the internet.


Just out of curiosity, is it "just" the Internet or "connect to the internet, log in to a foogle account"?


Just the Internet.

You have to click Skip when the phone prompts you to log in to a Google account though, as it does this by default.


That's not 100% accurate, if you get the phone directly from certain carriers, they may keep the phone locked. iirc Verizon is the worst at it but you can contact them and waste an hour and a half of your life over phone support to get it changed.

Why we have this system in place for phones is just... beyond me.


What's special about GrapheneOS? It's the first time I'm hearing about it.


Make phone Google free. More features here https://grapheneos.org/features


So I’m guessing with this you’d use an alternative store like F-Droid instead of the Play Store? (Pardon my ignorance, I’m an iOS dev and have been for a decade; I don’t really know the Android landscape.)


No, not necessarily.

The project officially develops secure, private access to the Play Store and its apps. My interpretation is that the project's authors prefer users to use the secure Play Store implementation over alternatives like Aurora, even if Aurora works fine.

https://grapheneos.org/faq#google-services


This is also a big part of the special sauce that GrapheneOS offers. I haven't seen the Play Services sandboxing built into any other OS.


> So I’m guessing with this you’d use an alternative store like F-Droid instead of the Play Store?

Not necessarily, but that's the best way to do it. Between apps from F-Droid and a browser, you don't need any apps from the play store. Your bank doesn't have an app on F-Droid you might say? Well that's what the browser is for.


Ha. Your example is rather specific seeming to me, as I actually work on one of the big 5 Canadian banking iOS apps here in Toronto.

For obvious reasons; we don’t ship to alternate stores - even if such a thing as iOS sideloading existed; we wouldn’t support it, and we of course do not support anything but the Play Store on Android.

It’s obviously partly a support cost issue - there would be less than 1% of our millions of users using F-Droid, etc - and, more importantly; it’s a security and support issue.

I think for a while we even had some sort of check that would detect a jailbroken iPhone or rooted Android device and attempted to refuse to run on them. Security is so far above the #1 priority working in banking it’s insane. We’d never consider anything outside of Apple or Google’s official solutions. We actually have real life contacts at Apple to help address specific security or approval concerns; which is practically unheard of.


Security in banking apps in the U.S. is an absolute joke. I'm glad to hear Canada takes it more seriously.

I've used everything from giant multinational banks to local credit unions in the U.S., and none of them will even let me sign in with U2F. Many of them still have password character limits.


> rooted Android device

(I'm sure I'm missing the obvious here) but why are you happy to have customers log in using a browser on a device they fully control, yet not do the same using your app on a device they fully control?


The obvious answer is that they're not happy about it, but that browsers don't give them the access necessary to detect whether the device running said browser is rooted (let alone do anything about it), so they can't pretend they know better about my own device's security than I do.


> I think for a while we even had some sort of check that would detect a jailbroken iPhone or rooted Android device and attempted to refuse to run on them.

Your uncertainty about this suggests it's not something you decided, but please let anyone involved in making decisions like that know that's a dick move. It's the user's device, not the bank's.


Oh, I certainly have absolutely no control over those types of decisions. I'm a soldier, not a general, I just do what I'm told, tbh.


F-Droid has some issues

https://privsec.dev/posts/android/f-droid-security-issues/

You can use Aurora Store with an anonymous account or just use Google Play with a throwaway Google account.


Don't bank apps complain if the phone is rooted or runs anything other than a stock OS?


There's a list of bank apps which are and aren't compatible with GrapheneOS

https://privsec.dev/posts/android/banking-applications-compa...


Erm, why would you ever want an app for your bank on your mobile phone? So that when you get mugged, it can turn into a kidnapping?

I use some bank apps because they're quicker than the websites. But I do this with a cheap Nexus 7 tablet that stays at home with a label saying "full take" stuck to the top to remind me to not trust it with any sensitive information.

Segregating apps onto different devices is the way to go to protect yourself from corporate malware.


> Erm, why would you ever want an app for your bank on your mobile phone?

To easily check balances and make transfers wherever I am. This is possible without the app, but the app makes it easier/quicker than the mobile site in most cases.

> So that when you get mugged, it can turn into a kidnapping?

How do you suggest a mugger to find out whether such an app is even installed, let alone do anything about it, in this day and age of full-device encryption being the default? Even assuming a mugger somehow has access to the nation-state-level compute resources and exploit tools necessary to gain access to anything on my phone, by the time the mugger has finished using said tools and compute resources, I'll have already changed my passwords and invalidated existing login sessions.

Also, kidnapping involves considerably more effort and risk than mugging, so this is a weird argument in general. The vast majority of people with both smartphones and bank accounts almost certainly have banking apps installed on their phones, and I know of precisely zero cases of muggers deciding "oh you have a banking app? lemme go find my windowless van and kidnap you, drawing considerably more attention to me and giving you considerably more reason to violently defend yourself instead of cooperating; surely nothing will backfire from that, no siree!".

Muggers quite frankly don't give a flying fuck about the apps on your phone. They want your cash and/or whatever they can quickly fence.

> Segregating apps onto different devices is the way to go to protect yourself from corporate malware.

Having firmware that gives you fine-grained app permissions that you can freely grant/revoke also accomplishes this. If apps on the Play Store are subverting that, then banking apps are probably the least of your worries.


> How do you suggest a mugger to find out whether such an app is even installed, let alone do anything about it, in this day and age of full-device encryption being the default?

They make you do it, the same way they made you give them the device in the first place.

I don't know why anyone thinks it would turn into a kidnapping, but it's pretty easy for someone who has already forced you to give them your phone to use the same technique to force you to unlock it.


What I'm getting at is that attempting to escalate a mugging beyond "I point a gun/knife at you, you give me stuff, I get away as fast as physically possible, I fence the stuff you gave me as soon as possible" introduces a lot more risks than what most muggers are willing to bear. Things get hairy very quickly the moment either the mugger or muggee deviates from that script - and forcing the muggee to unlock a mugged device is a rather drastic deviation, especially when the muggee can just as quickly call the police or reboot the phone or otherwise introduce yet more risk for the mugger on top of the existing risk from prolonging the duration of the mugging.

Same deal with home burglaries. No burglar in one's right mind is going to give the slightest iota of a rodent's anus about the possibility of there being a Bitcoin wallet and SSH keys on your laptop; most burglaries are smash-and-grab, and are intended specifically to minimize the amount of time spent inside the victim's home. Every second adds risk of complications; unless the burglar is targeting you specifically and knows ahead of time exactly which devices might have valuable data, it's in said burglar's best interests to take the laptop and run rather than spend precious seconds (or worse: minutes) "persuading" you to unlock it.


You can also just have multiple banks and then choose one of them to be the account where you put your 'working money'; i.e. an amount that you can afford to lose. This way you still get the convenience of having a bank app (quick payments, transfers & stuff), but not the risk of losing it all.


Doesn't this risk also apply to, like; carrying cash or even a debit card too close to an ATM? :/

I just don't see this as enough of a risk to be concerned about it, maybe it depends on where you live.


There are also FOSS front-ends for Google Play such as Aurora Store


On a pure Pixel bought directly from the store and on a Google Fi plan, I can toggle OEM unlocking, so this may be an ATT or Verizon thing.


Shrugs I have a Pixel 7, have never used this option, I put the phone in airplane mode and was able to flip the "enable OEM unlocking" switch without issue. Granted this phone has had internet access for months so not sure if it already has decided it's "not a carrier-locked phone".


The whole point about the article was the ability to unlock without ever having been online.


As I noted in my second sentence.


Google has a console called panopticon where they can see every Chromebook in the world. This monitoring facility is used to measure bug / crash prevalence in e.g. 802.11 driver software and to determine how much of each fleet is running the latest ChromeOS security patches.

They can do this because, unlike Microsoft, Google ports ChromeOS onto new laptops and tests the crap out of them (including the verification that the manufacturer meets about 25 min performance requirement standards for Chrome hardware like LCD viewing angles and speaker volume). They also test the laptops by giving them to employees and then demand hardware improvements of the manufacturers to get the Chrome branding logo.

I bet they have a similar system for their HTC phones. So your Pixel is probably registering with a panopticon type system because 99.9% of customers are gonna use the stock OS. They do this so their users perceive and experience higher hardware reliability. So it may sound creepy but the goal (100% fleet registration) is hard to meet without forcing 1 internet connection at the 1st boot. It will be hard to meet your freedom goals and Google's reliability goals at the same time.


Source for this?

There is a well known tool named Panopticon (abbreviated pcon) internally and this is not at all what you describe.

(I work at Google)


I was in the Chrome dogfooding program at Google, testing pre-release hardware and I used panopticon. They locked it down a short while later. I could see all the Acer Chromebooks in the wild before the lockdown. I imagine they renamed it and/or came up with a new tool named panopticon since it's a common term for a special type of prison where from one location you can observe every prisoner at once.


> it's a common term for a special type of prison where from one location you can observe every prisoner at once.

Which is kinda unsettling. At least it makes it clear how they view their users.


>They can do this because Unlike Microsoft

You'll be SHOCKED that Microsoft has been aggregating global crash data for more than a decade. Lmao. Google isn't breaking any new ground here. All Windows BSODs and even app crashes get uploaded to Microsoft as far back as XP. Microsoft has even written a blog post on them fixing a 0day before it even got deployed because it got errantly caught as a crash from an attacker's development machine.


> Google has a console called panopticon where they can see every Chromebook in the world.

I bet Apple has this for iPhones, as does Microsoft for Windows 10 internet connected devices. It would be important to have for "Find My Device", disabling stolen devices, etc.


What is the physical mechanism that prevents the bootloader from being unlocked, and how does an internet connection have anything to do with it?

I would hope there isn't a direct path for internet traffic to interact with the boot firmware...


This behavior is not new. This has been the case since at least Pixel 3.


Does this help prevent supply chain attacks... at all?


Probably not, since there will be a warning screen displayed on boot if the bootloader is unlocked.


And wouldn't I see that warning?


I'm a little confused that people think they are free to use the software of their choice and that there is some built in right to use the software of your preference on a given hardware.

Sure, if you're so smart, you can do it and it's up to you to try to dance around whatever the manufacturer wants to throw your way. Don't like it, don't buy it.

Nothing says that any manufacturer is required to sell general purpose hardware. They can restrict it however they want, no?


>I'm a little confused that people think they are free to use the software of their choice and that there is some built in right to use the software of your preference on a given hardware

I'm a little confused as to how you're confused? I bought it, I should be free to set up whatever software I please with it. It's mine.


I mean, clearly it's the case that there is no legal right to use your own hardware as you see fit. The argument is that there is a moral right to use your own hardware as you see fit. It'd be nice if legalities and moralities were the same thing, and in the meantime we're allowed to be upset about it? I don't know what you're confused by.


Nobody is claiming there currently exists some inherent legal right to have general purpose hardware, they're complaining that they're being sold something intentionally designed to not behave the way a consumer would want. It's the same way people complain about any poorly designed product. If I bought some furniture and it used a custom screw head to incentivize repairs from the manufacturer, I would complain about that too, not because they did something illegal, but because it's a bad product.


The Free Software Foundation has been advocating for such a right for decades.


I remember Xiaomi had their 7-30 day wait to request boot unlock to prevent resellers from installing suspicious ROMs.


At least here we are getting an option. What about Chinese Oppo and Vivo and Huawei? They give nothing.


i bought my pixel 7 pro direct from Google store and i have the option to unlock the bootloader...


macOS installs now lean towards forcing you to connect to internet. Heh


Disgusting. Google has taken the fraud of Android to a new level. The great "open-source" OS that was supposed to free us all from vendor and telco tyranny has spectacularly failed to do so, and to cripple fully-owned hardware in this manner just adds further insult.

Say what you want about "socialist" countries in Europe, but I don't think this kind of bullshit would stand in France. Based on laws they've passed over the last decade or two, Europeans seem to protect consumers; while the U.S. government abets corporations in ripping them off.

Google apologists busily downvoting...


> I don't think this kind of bullshit would stand in France

France allows carrier locking, just like every other European country.


Indeed, but from Wikipedia:

"In France, SIM locks are not prohibited. However, the mobile operator must inform the consumer of the existence of a SIM lock, and the subscriber has the right to request that the lock be removed at any time. No later than three months after the subscription of the contract, the mobile operator must "systematically and free of charge" provide the subscriber with a procedure to deactivate the SIM lock. Proposal to shorten the time that operators may charge a fee for removing the SIM lock prior from six-month to the three-month deadline."

The stupid thing, at least in the U.S. is that carriers lock phones if the user is UNDER CONTRACT. This is backward; who cares if the user takes the phone to another network, when he has to continue paying the contract? This actually benefits the original carrier.



