Secure while bootloader unlock - Android Q&A, Help & Troubleshooting

I have a few questions about being secure and things with the bootloader, and stuff like that.
#1: Is there any way to be secure, thief-proof or even law-enforcement-proof with an unlocked bootloader?
#2: How does encryption work on Android? Is full disk encryption forced on by default, since I don't see the option anymore (except for the SD card)? How does it work? Does it encrypt the device until it is turned on? Until the lock code is entered? Is it only there when there's a lock code? Does it work like BitLocker?
#3: I wanna unlock my bootloader and install Lineage or GrapheneOS. Since I can't relock the bootloader with a custom ROM or recovery (considering I have an AT&T LG G8 ThinQ and an Xperia 5 II), can't anyone just flash TWRP or something and, even if the data's encrypted, just delete the security settings to bypass the lockscreen as shown in MANY tutorials and get to all my sensitive info and functions that way?

Related

Users with encrypted phones, help please

From the online articles and the encryption description I was left with the impression that I would need to enter the password only on boot.
Well, it appears that once encrypted, the only active unlock options become face unlock, PIN and password.
All take too long for my daily use, and since you don't have to use the encryption password for unlocking (the phone is decrypted on boot) but other options like face unlock, why can't we unlock with the normal slider screen or at least pattern unlock?
Is there a way to get around it and enable the slider unlock on an encrypted phone?
P.S.
I know that decreases the security, but knowing that if I lose my phone, chances are the battery will die before someone digs into it, and they will need to decrypt it then... is enough for my needs.
What version of the OS is it? And yes, you can change it. You have to go into Settings >> Security >> and it should give you the option to change it. You just have to disable encryption. Worst comes to worst... FACTORY RESET.
The idea is to change it and still be encrypted...
It's 4.1.1.
I guess encryption is not that popular among android users?

Email sent to Sony Developer World with subject "Unlock bootloader"

Hello!
I wrote the following email to Sony Developer World, but they asked me to post it here. I don't know why I should do this because this page is not maintained by Sony. But hoping that Sony will give me a definitive answer, I do as they asked me to:
[start of email]
I haven't understood your risk explanation on your "Unlock your boot loader" page because to my mind it is a little bit imprecise:
You wrote there:
“Risks
Please be aware that Sony cannot guarantee the full functionality, and will not be responsible, for any unsigned custom ROM being flashed to your device after the boot loader is unlocked. An unsigned custom ROM may not have gone through the thorough tests that we run for each device and software version that we release.
Also, a custom ROM might not work properly on your device, and certain functions and offerings may cease to work. The performance of the device might also be affected, and you may damage your device permanently. In worst case, unlocking the boot loader will cause physical injuries or material damage, for example, due to the device overheating.
Certain pre-loaded content on your device may also be inaccessible due to the removal of DRM security keys. For high-end devices running recent software versions, for instance Xperia Z3, the removal of DRM security keys may affect advanced camera functionality. For example, noise reduction algorithms might be removed, and performance when taking photos in low-light conditions might be affected. The secure user data partition may also become inaccessible, and you will not be able to get any more official software upgrades if you unlock the boot loader.
After unlocking your device, you should not enable My Xperia (found in the settings menu under security on some devices running Android 5.0) as this might cause the device to malfunction.”
I don't understand the red-marked sentence. So my question concerns the removal of the DRM security keys, because I haven't found out who removes them and when:
WHO removes the DRM security keys? Is it done by SONY when unlocking the bootloader (and why do you do that?) or is it a risk caused by installing custom ROMs or recovery images?
And what will happen if I unlock the bootloader of my Sony Xperia Z5 Compact via the integrated function "OEM unlock"? Will the DRM security keys be deleted anyway using this, or will they be preserved? And will I be able to lock the bootloader again?
Regards
Ansgar
[end of email]
klausstoertebeker said:
WHO removes the DRM security keys? Is it done by SONY when unlocking the bootloader (and why do you do that?) or is it a risk caused by installing custom ROMs or recovery images?
It's done automatically if you unlock the bootloader, i.e. "by Sony".
klausstoertebeker said:
And what will happen if I unlock the bootloader of my Sony Xperia Z5 Compact via the integrated function "OEM unlock"? Will the DRM security keys be deleted anyway using this, or will they be preserved?
The DRM keys will be erased.
klausstoertebeker said:
And will I be able to lock the bootloader again?
Most likely, but the DRM keys cannot be restored. They are forever lost.
Sorry, that's bull****.
Remove the bootloader lock in developer settings and you will see that Marlin, Widevine and CKB are still active and reported as "key ok".
And no, Sony does not remove them; you do it while flashing.
BTW, there are already early attempts at flashing, and yes, they have deleted their DRMs. And no, there is no way to bring them back.
However, for the time being: keep the bootloader closed, as you have no benefits from unlocking it yet.
Sent from my E5823 using Tapatalk
basthet said:
Sorry, that's bull****.
Remove the bootloader lock in developer settings and you will see that Marlin, Widevine and CKB are still active and reported as "key ok".
And no, Sony does not remove them; you do it while flashing.
BTW, there are already early attempts at flashing, and yes, they have deleted their DRMs. And no, there is no way to bring them back.
However, for the time being: keep the bootloader closed, as you have no benefits from unlocking it yet.
Sent from my E5823 using Tapatalk
Dude, you should relax. There's no manure in my post.
You have misunderstood the toggle in the developer settings menu. It does NOT unlock the bootloader.
The toggle only disables some software features that would cause trouble if you actually choose to unlock the bootloader.
The bootloader is unlocked using fastboot oem unlock, as always.
Please read up:
http://forum.xda-developers.com/showpost.php?p=63216335&postcount=23
http://forum.xda-developers.com/showpost.php?p=63216352&postcount=24
http://forum.xda-developers.com/showpost.php?p=63343765&postcount=33 (quoting you)
http://forum.xda-developers.com/showpost.php?p=63299154&postcount=17
Well, I'm relaxed, but you help no one by posting wrong stuff.
Let's make it simple:
Compare it with a simple door and a door guard.
The door guard has orders to let you in only if you have a specific key.
In order to get this key, e.g. for the Z3 family:
Go to Sony's webpage, register, download the key.
Procedure for the Z5C:
Go into developer settings, enable OEM unlock.
This corresponds to: tell the guard that no key is required anymore.
Setting the flag that makes something accessible is called "unlock", so in fact you can call it "unlock the boot loader" by enabling "OEM unlock" in Developer Settings*.
fastboot oem unlock does much more.
In my example:
go to the door,
ask the guard: is the door open / already unlocked?
[Z3C: hand over the key to the guard]
[Z3C: wait to get the "OK" to pass; guard: unlock the door] -> corresponds to setting the flag: accessible = unlock
push the door open,
hang a fat note in the entrance hall saying "Door is open".
So: you did not misunderstand what the toggle does, but the whole procedure.
And no: the toggle does not disable some software feature; it just removes the OEM-specific key requirement for accessing the boot loader.
*Note: I know that was quite a rough simplification, and to be absolutely correct: the OEM unlock toggle in Dev. Settings does in fact not physically "unlock" the boot loader. It just removes the requirement for a key in the unlocking process. However, that corresponds to an open boot loader, as no attempt to enter it will be denied.
basthet said:
Well, I'm relaxed, but you help no one by posting wrong stuff.
Let's make it simple:
Compare it with a simple door and a door guard.
The door guard has orders to let you in only if you have a specific key.
In order to get this key, e.g. for the Z3 family:
Go to Sony's webpage, register, download the key.
Procedure for the Z5C:
Go into developer settings, enable OEM unlock.
This corresponds to: tell the guard that no key is required anymore.
Setting the flag that makes something accessible is called "unlock", so in fact you can call it "unlock the boot loader" by enabling "OEM unlock" in Developer Settings*.
fastboot oem unlock does much more.
In my example:
go to the door,
ask the guard: is the door open / already unlocked?
[Z3C: hand over the key to the guard]
[Z3C: wait to get the "OK" to pass; guard: unlock the door] -> corresponds to setting the flag: accessible = unlock
push the door open,
hang a fat note in the entrance hall saying "Door is open".
So: you did not misunderstand what the toggle does, but the whole procedure.
And no: the toggle does not disable some software feature; it just removes the OEM-specific key requirement for accessing the boot loader.
*Note: I know that was quite a rough simplification, and to be absolutely correct: the OEM unlock toggle in Dev. Settings does in fact not physically "unlock" the boot loader. It just removes the requirement for a key in the unlocking process. However, that corresponds to an open boot loader, as no attempt to enter it will be denied.
I can't argue with you. I'm not even sure where we agree and disagree.
For the sake of other users, here's the clarification:
Under Developer settings, there is a setting called "OEM Unlocking - Allow the bootloader to be unlocked".
This setting does not unlock the bootloader, it just enables the possibility to unlock. That's why it's called "Allow the bootloader to be unlocked".
No DRM keys will be deleted by toggling this setting.
After setting "Allow the bootloader to be unlocked", you can unlock the bootloader using fastboot.
When doing so, the DRM keys will be deleted and the bootloader will be unlocked.
Until you issue the fastboot command, you can't flash any unsigned code - as usual.
nilezon said:
I can't argue with you. I'm not even sure where we agree and disagree.
For the sake of other users, here's the clarification:
Under Developer settings, there is a setting called "OEM Unlocking - Allow the bootloader to be unlocked".
This setting does not unlock the bootloader, it just enables the possibility to unlock. That's why it's called "Allow the bootloader to be unlocked".
No DRM keys will be deleted by toggling this setting.
After setting "Allow the bootloader to be unlocked", you can unlock the bootloader using fastboot.
When doing so, the DRM keys will be deleted and the bootloader will be unlocked.
Until you issue the fastboot command, you can't flash any unsigned code - as usual.
We are not arguing here.
I asked you to be more specific, as unlocking a door does not mean opening it.
However, there is one important thing missing and a quite profound error in your summary (besides the "unlock" wording stuff...).
Enabling the "OEM Unlocking" switch bears a high security risk. Unsigned software can now enter the TA.
In fact, you do not have to run the fastboot unlock yourself. Any piracy software can now do irreparable damage to the phone!
basthet said:
We are not arguing here.
I asked you to be more specific, as unlocking a door does not mean opening it.
However, there is one important thing missing and a quite profound error in your summary (besides the "unlock" wording stuff...).
Enabling the "OEM Unlocking" switch bears a high security risk. Unsigned software can now enter the TA.
In fact, you do not have to run the fastboot unlock yourself. Any piracy software can now do irreparable damage to the phone!
You are saying that toggling the "OEM Unlocking" switch would make TA partition writeable (by any other user than root)?
Why would you assume that?
nilezon said:
You are saying that toggling the "OEM Unlocking" switch would make TA partition writeable (by any other user than root)?
Why would you assume that?
No, I'm not saying this.
But the reason for the OEM lock is to ensure that only OEM-signed software can be installed.
Enabling "OEM Unlocking" removes this check.
This implies:
- Nice people can now provide software to be installed -> custom ROMs.
- Bad people can now also install software, but tailored to their needs.
To keep it simple: let some evil person post any ROM called "official Sony Z5C Android 6.0".
Let this bad person make this ROM look like any official Sony update.
Users with the OEM lock in place will not be able to install it, as the OEM key from Sony is missing.
Users with the OEM lock removed will install it without any burden.
Do not forget:
Original OEM software is still signed as original software.
To install the original software, you do not have to toggle "OEM unlock" in the Developer Settings, as this ROM carries the original OEM key.
To install original software, you do not have to fastboot oem unlock.
Removing the OEM-key check with the "OEM unlock" switch makes the OEM key obsolete. Hence it bears a security risk.
basthet said:
No, I'm not saying this.
But the reason for the OEM lock is to ensure that only OEM-signed software can be installed.
Enabling "OEM Unlocking" removes this check.
This implies:
- Nice people can now provide software to be installed -> custom ROMs.
- Bad people can now also install software, but tailored to their needs.
To keep it simple: let some evil person post any ROM called "official Sony Z5C Android 6.0".
Let this bad person make this ROM look like any official Sony update.
Users with the OEM lock in place will not be able to install it, as the OEM key from Sony is missing.
Users with the OEM lock removed will install it without any burden.
Do not forget:
Original OEM software is still signed as original software.
To install the original software, you do not have to toggle "OEM unlock" in the Developer Settings, as this ROM carries the original OEM key.
To install original software, you do not have to fastboot oem unlock.
Removing the OEM-key check with the "OEM unlock" switch makes the OEM key obsolete. Hence it bears a security risk.
OMG dude. Where are you getting this?
You toggle that switch and install an unsigned ROM and I'll eat my shorts.
nilezon said:
OMG dude. Where are you getting this?
You toggle that switch and install an unsigned ROM and I'll eat my shorts.
You either learn this in school, or you should find it somewhere in the Android docs.
And instead of flaming you should start reading and learn IT.
So be brave and toggle the switch, which by your interpretation has no meaning.
The rest of the users I can only advise to keep it locked and only enable it in order to flash custom ROMs.
Sent from my E5823 using Tapatalk
@basthet:
So, if I get you right, I just need a customized firmware (e.g. a pre-rooted one), toggle that "OEM unlock" switch and install it via recovery mode? And that without losing DRM keys? If it is so easy, rooting is no problem, isn't it?
klausstoertebeker said:
@basthet:
So, if I get you right, I just need a customized firmware (e.g. a pre-rooted one), toggle that "OEM unlock" switch and install it via recovery mode? And that without losing DRM keys? If it is so easy, rooting is no problem, isn't it?
No, "OEM Unlock" is just a option to allow OEM unlock, so you have to unlock bootloader after enabling it (and you'll loose DRM key)

Relocking bootloader?

I can't find any questions regarding this, the closest I saw was today, about not having gotten the OEM Unlock option back.
Ever since unlocking the bootloader, it broke Google Pay and Device Certification. I don't know why Google Pay needs a locked bootloader to work. I imagine security reasons, but there are other banking apps that work regardless (Barclays has its own contactless system built in for example, and that works).
I know that enabling OEM Unlock will force a factory reset and then disappear for 7 days. I have it back and it is currently disabled, saying "bootloader is already unlocked".
What I want to know is, will enabling it re-lock the bootloader or is there some other way I can do that? Because I would like Google Pay functionality back. Netflix I'm not so fussed about as APKs for things can be installed manually.

Bootloader unlock/re-lock

When you do the bootloader unlock you need to wait and get some form of security info from Xiaomi itself, but then you can lock back the bootloader and restore everything to factory-like state (and you will be able to pass the most paranoid checks that you would be able to pass from factory state, obviously not Widevine L1 since you can't do that one in the first place).
The question here is if after that you want to unlock again - do you still need a link / secure token from Xiaomi (and thus you are still subject of their control) or you can do it the same way as with Nexus / Pixel or Oneplus phones in fastboot?
Since if that were the case, it would absolutely make sense to do this unlock + re-lock the first time you get the device, just in order to be 100% certain that bootloader unlocking is no longer under Xiaomi's later control but your own!
xclub_101 said:
When you do the bootloader unlock you need to wait and get some form of security info from Xiaomi itself, but then you can lock back the bootloader and restore everything to factory-like state (and you will be able to pass the most paranoid checks that you would be able to pass from factory state, obviously not Widevine L1 since you can't do that one in the first place).
The question here is if after that you want to unlock again - do you still need a link / secure token from Xiaomi (and thus you are still subject of their control) or you can do it the same way as with Nexus / Pixel or Oneplus phones in fastboot?
Since if that were the case, it would absolutely make sense to do this unlock + re-lock the first time you get the device, just in order to be 100% certain that bootloader unlocking is no longer under Xiaomi's later control but your own!
AFAIK the unlocking is always through the Mi Unlocker, whether it is the first time or after re-locking. The fastboot command for unlock won't work. The only saving grace seems to be that you don't need to make a request and wait for 3 days every time. It is applicable for the first time only.

Secure startup (easy full device encryption bypass?)

In Android 9 Pie (and earlier versions) there is a setting ‘Secure startup’, which is applicable in case of full device encryption (which comes by default in all new Android phones AFAIK). When ‘Require password when device turns on’ is enabled, the password must be entered at phone start and the phone won’t boot if no password is entered. When the other option ‘Do not require’ is enabled the phone starts and I can even receive phone calls, I just cannot unlock the phone.
So my question is: if ‘Require password when device turns on’ is NOT enabled – does this mean that my phone is NOT encrypted and if for example gets stolen, the thief will be able to download all my data to a PC (without unlocking the phone)? If this is true this seems like an absurdly easy way to bypass full device encryption...
Your data is encrypted by default. You can have it set to not encrypt it, but it is not something I would advise for you.
As for secure startup: as long as you have a locked bootloader and a password, there are fewer than .01% of people that can hack into your device.
zelendel said:
Your data is encrypted by default. You can have it set to not encrypt it, but it is not something I would advise for you.
As for secure startup: as long as you have a locked bootloader and a password, there are fewer than .01% of people that can hack into your device.
My phone is rooted and the bootloader is not locked AFAIK (it's Exynos).
I am not asking about bruteforce and other hacking techniques that could be used, I am just asking whether my phone is encrypted after boot and before the screen is unlocked.
Yes, it is encrypted. It has been since the day you first bought it.
OK, but how come then my phone boots and is almost fully operational when ‘Require password when device turns on’ is NOT enabled (e.g. I can receive phone calls, calendar events pop up on screen - although I cannot see what they are all about because the screen is locked)?
orifori said:
OK, but how come then my phone boots and is almost fully operational when ‘Require password when device turns on’ is NOT enabled (e.g. I can receive phone calls, calendar events pop up on screen - although I cannot see what they are all about because the screen is locked)?
Think of it as safe mode on a PC. Not everything or all permissions are allowed when booting like that. It's just a security feature and has nothing to do with encryption. It just locks out some info from being seen without the password.
I'll be honest with you. If you are worried about your data, then don't be too worried. Unless you are someone important, your device is only useful for how much the hardware will get. Let me tell you how a phone theft goes.
1. Phone stolen
2. SIM card removed
3. Device reset
4. If it's locked, then take it home and flash an OS to it, or sell it to a pawn shop that is questionable.
Now the first 3 are normally done before you even know your device is gone (less than a minute).
Encryption bypass / Android (10) security issue after first unlock
zelendel said:
Yes, it is encrypted. It has been since the day you first bought it.
I have discovered another security issue on a rooted device:
On my Magisk-rooted and encrypted Note 10+/Exynos (Android 10) I just found out that the userdata (data/data) partition is UNENCRYPTED and fully readable when viewed with an ADB viewer from my PC, although the device is in lockscreen mode / locked!
This doesn't happen after a reboot before the first unlock! After the device has been unlocked, accessed via ADB and re-locked (but not rebooted) it is (still) unencrypted, even after rebooting the PC!
Here the lockscreen password would not make much sense at every screen lock: it just unlocks the screen, which can be bypassed, and all data can be read via ADB anyway. It would only make sense once at boot. Is there a way to have two passwords (one at boot and an easier one at screen lock), for example?
Is this a known bug? Any ideas?
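
The "is my phone actually encrypted / is my bootloader actually locked" questions in the secure-startup thread and the ADB observation above can be answered from the device's own properties rather than from its behaviour at the lock screen. The following POSIX shell helper is an added example, not code from any poster: it interprets the stock Android properties that `adb shell getprop` prints (`ro.boot.flash.locked`, `ro.boot.verifiedbootstate`, `ro.crypto.state`, `ro.crypto.type`); the two property dumps it ships with are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): classify a device's boot-security posture
# from its getprop output. Property names are real Android system properties;
# SAMPLE_STOCK and SAMPLE_UNLOCKED below are constructed dumps, not real devices.

# prop DUMP NAME -> prints the value of the "[NAME]: [value]" line in DUMP.
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# assess DUMP -> prints one finding per line; returns 0 only when the bootloader
# is locked, verified boot is green and userdata is encrypted.
assess() {
    dump=$1
    locked=$(prop "$dump" ro.boot.flash.locked)
    vbstate=$(prop "$dump" ro.boot.verifiedbootstate)
    cstate=$(prop "$dump" ro.crypto.state)
    ctype=$(prop "$dump" ro.crypto.type)
    rc=0
    case "$locked:$vbstate" in
        1:green)
            echo "bootloader: locked, verified boot green" ;;
        *)
            echo "bootloader: UNLOCKED or unverified (flash.locked=$locked, verifiedbootstate=$vbstate)"
            echo "  -> a custom recovery can be flashed; the lockscreen credential is what protects data"
            rc=1 ;;
    esac
    case "$cstate:$ctype" in
        encrypted:file)
            echo "storage: file-based encryption (FBE)"
            echo "  -> credential-encrypted data stays locked until the first unlock after boot"
            echo "  -> after that the keys stay in memory until reboot, even while the screen is locked" ;;
        encrypted:block)
            echo "storage: full-disk encryption (FDE)"
            echo "  -> decrypted at boot with a default key unless a startup password is required" ;;
        *)
            echo "storage: NOT encrypted (state=$cstate, type=$ctype)"
            rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample dumps in getprop's output format.
SAMPLE_STOCK='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]'

SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]'

# Run against the samples, or against a connected device with: sh check.sh --adb
if [ "${1:-}" = --adb ]; then
    assess "$(adb shell getprop)"
else
    echo "== stock device =="; assess "$SAMPLE_STOCK" || :
    echo "== unlocked device =="; assess "$SAMPLE_UNLOCKED" || :
fi
```

A non-zero exit from `assess` means the device relies on the lockscreen credential alone, which is the situation the rooted Note 10+ post describes once the first unlock has released the FBE keys.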
