OEM unlocking without internet?

Why does OEM unlocking require internet?

What kind of hack would be required to achieve this without internet?

    UpStream Why does OEM unlocking require internet?

    It's to verify the bootloader can be unlocked on a particular phone.

    UpStream What kind of hack would be required to achieve this without internet?

    I don't think that's possible.

      other8026 Thanks for your answer but that's not the reply I was looking for.

      What I meant by "why" is how exactly does the "verification process" happen and where does the internet connection take part in? Where is the information stored (physically) on the device and what would need to be done to bypass that?

        UpStream not to sound stupid but you're talking about when you first get the phone and are on stock os?

          UpStream Where is the information stored (physically) on the device and what would need to be done to bypass that?

          I have no idea where it's stored. But Google has some pretty sharp security people, and it would be straightforward for them to use the following approach, which would be quite infeasible to bypass. A small program in Google's OS could contact a Google server and ask for an unlock certificate, i.e., a statement of the form "Device with serial number ##### is OEM-unlockable", signed by a Google key pair. That program could feed the certificate into the trusted execution environment, which could verify the signature and then permanently store state in the trusted element.

          If they are doing something like that, then subverting the program that fetches the certificate would be ineffective, and subverting the stored state would be no easier than breaking the trusted element in any other way.

          Again, I have no idea whether they are using anything fancy like that for the OEM-unlock toggle. But why not? The devices already have an industry-leading trusted element and a solid trusted execution environment. If they are deploying those tools, then forcing a device to unlock isn't a matter of finding the place in the flash where a 0 needs to be flipped to a 1, any more than unlocking somebody's private data is a matter of finding the place in the flash where their unlock code is stored.

          It may well be the case that a sophisticated nation-state actor, or a well-resourced criminal gang, could flip OEM-unlock toggles at will. But would they bother? And of course it might also be the case that Google went with a simplistic implementation, or with something that is easy to trick. But it's not clear that's the way to bet.
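          The scheme sketched in the reply above, written out as an added, hypothetical example (it is not Google's or GrapheneOS's actual mechanism, and the serial numbers, key pair and message format are constructed for illustration): a server signs "device <serial> is OEM-unlockable", and a simulated trusted element with a pinned public key only flips its persistent toggle for a statement that verifies and names its own serial, so the untrusted program that fetched the bytes gains nothing by tampering with them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UnlockCertificate is the signed statement "device <Serial> is OEM-unlockable".
type UnlockCertificate struct {
	Serial    string
	Signature []byte
}

// unlockMessage fixes the exact bytes that get signed (purpose tag + serial),
// so a signature over a serial cannot be reused for any other purpose.
func unlockMessage(serial string) []byte { return []byte("oem-unlockable:v1:" + serial) }

// IssueCertificate is the hypothetical server side: sign the statement for one serial.
func IssueCertificate(priv ed25519.PrivateKey, serial string) UnlockCertificate {
	return UnlockCertificate{Serial: serial, Signature: ed25519.Sign(priv, unlockMessage(serial))}
}

// TrustedElement models the device side: a pinned verification key, the device's
// own serial, and the persistent unlock toggle that only a valid certificate can set.
type TrustedElement struct {
	RootKey    ed25519.PublicKey
	Serial     string
	Unlockable bool
}

// ApplyCertificate is the only path that sets Unlockable. The untrusted OS program
// that fetched the certificate merely hands over bytes; without the server's private
// key it cannot produce bytes that verify for this device's serial.
func (te *TrustedElement) ApplyCertificate(cert UnlockCertificate) error {
	if cert.Serial != te.Serial {
		return errors.New("certificate is for a different device")
	}
	if !ed25519.Verify(te.RootKey, unlockMessage(cert.Serial), cert.Signature) {
		return errors.New("signature does not verify under the pinned key")
	}
	te.Unlockable = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's key pair
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	te := &TrustedElement{RootKey: pub, Serial: "SN-0001"} // constructed sample serial
	fmt.Println(te.ApplyCertificate(IssueCertificate(priv, "SN-0002")))     // other device
	fmt.Println(te.ApplyCertificate(IssueCertificate(attacker, "SN-0001"))) // forged key
	fmt.Println(te.ApplyCertificate(IssueCertificate(priv, "SN-0001")), te.Unlockable)
}
```

The point the reply makes follows directly: flipping the toggle means either obtaining the signing key or breaking the element that holds the state, not finding a bit in flash.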

            de0u Thanks for sharing your ideas on that!

            I wasn't aware of the fact that it's "unknown" how this happens.


              UpStream I wasn't aware of the fact that it's "unknown" how this happens.

              It's definitely unknown to me! I'm not claiming it is globally unknown.

              Interesting thread. I wonder too. I don't like how I have to beg MY phone to please allow me to unlock the bootloader.

                Viewpoint0232 I don't like how I have to beg MY phone to please allow me to unlock the bootloader.

                The situation is not ideal. But cellular phones exist in a grey area when it comes to ownership. Carriers (and others) really don't want device owners to do things like change IMEIs or install non-vendor firmware which could in theory disrupt service for other users. Some people "buy" devices at substantial discounts subject to completing carrier contracts.

                We are far from having phones with completely open firmware that people can freely replace. But we do have a hardware platform with industry-co-leading hardware security that allows the installation (and verified boot) of a strong OS with frequent security updates. For me that's worth the cost of running the vendor OS for a couple of minutes once after opening the box.