• General
  • Pixel phones are sold with bootloader unlocking disabled

I'm posting an article I found which hasn't been mentioned here before because it seems well-researched and brings awareness to a topic directly related to installing GrapheneOS.

Here is the article: https://www.fitzsim.org/blog/?p=545

Excerpts:

None of the many many YouTube videos I watched about bootloader unlocking covered whether or not you need Internet connectivity. Nor did any of Google’s official documentation. GrapheneOS documentation is the only place on the Internet that documents this requirement, so, well done GrapheneOS documentation team!

I thought (based on the aforementioned GrapheneOS docs) that the device model variant I bought, being sold “unlocked”7 by Google, would not need the Internet connection. NOPE; Google sold it to me with “OEM unlocking” greyed out:

I consider this a customer-hostile practice. I should not have to connect a piece of hardware to the Internet, even once, to use all of its features. If I hadn’t connected the Pixel 7 Pro to the Internet, then “OEM unlocking” would have stayed greyed out, thus I would not have been able to unlock the bootloader, thus I would not have been able to install GrapheneOS.

Request to Google: ungrey the “OEM unlocking” toggle in the factory, before shipping store.google.com devices to customers. Do not make your customers connect the device to the Internet before they are allowed to install the operating system they want.


Google should not restrict its users by forcing them to check-in with over a dozen of their endpoints before they can use the phone that was sold to them for their own purposes.

Quoting from the founder of GrapheneOS. He posted these comments on Matrix yesterday

due to phones locked by carriers, OEM unlocking needs internet access on models that are sold to carriers to be locked phones

for example, T-Mobile Pixels are standard Pixels but are locked until you pay off your subsidized phone by having your plan for a certain number of months (not a high amount), and then you can request to lift the locking

this approach is taken to have standard hardware, firmware and software across all of them despite having locked carrier ones, and without needing to statically provision them as locked in the factory

it's in no way specific to Pixels

also used as part of enterprise device provisioning

    Also seems to be an issue of updates. My phone had to go through about 5 updates before I got a ungreyed toggle. Shouldn't be like that but damn annoying.

    treequell Thank you for posting this.

    this approach is taken to have standard hardware, firmware and software across all of them despite having locked carrier ones, and without needing to statically provision them as locked in the factory

    I would like to know why it's undesirable for the user to not have standard firmware and software before installing GrapheneOS, which will install the latest firmware and software updates anyway.

    I will say this:

    • No general computer ("smart", "mobile", or otherwise) should prevent its users from unlocking the bootloader, whether they are sold by a telecommunications company or otherwise; whether it grants better security, because it makes phone contracts more complicated upon early termination, is in the customer's best interest, or for any other fantastic reason. Google is doing right by customers by allowing them this basic, fundamental access in a market in which almost no other manufacturer is. This is something personal computers got right 50 years ago and continue to get right today.
    • Users should decide what updates they install, and whether they should install them before attempting to install another operating system on their phone. They should be warned what their behavior may lead to, if it is undesirable, but they should not be prevented from doing it. Right now, the interface does not even explain why the option is unavailable.
    • Users should be able to download updates from a website via HTTPS, RSYNC, FTP, BitTorrent—however Google wants to provide it—and sideload it onto their phone. There should be documentation regarding these updates, how to obtain them, and how to apply them, of which none apparently exists. Preferably in as easy a manner as GrapheneOS makes its releases available via its web installer.

    Maybe I will create some bugs on the Android issue tracker consistent with these issues, wherever that is.

    it's in no way specific to Pixels

    The reason Pixels are mentioned at all in this post is because they are the only phones which allow safely unlocking the bootloader, putting them ahead of every other phone on the market in respecting the user. All phones should allow users to safely unlock the bootloader. Google should still do better.


    Some other notes:

    • If you buy your phone from the Google Store, Google already knows some key details about you and your phone, like the IMEI.
    • I realize the GrapheneOS project is interested in one day selling phones, and specifically avoids patches licensed under GPLv3 or later in the event they wish to sell GrapheneOS phones with locked bootloaders for security reasons. I disagree with this unless the user is given some secure way of unlocking the bootloader (I don't know, ship your users a hardware security key along with the phone?), which is consistent with my position that no user should be locked out of their own computers.