Updating Pixel 6a for OEM unlocking - Tracking/Privacy? (General, Solved)

According to the information provided in the guide, I would need to update the Pixel 6a because of a bug with the OEM unlocking. Which means either putting in a SIM or connecting the phone to wifi while running stock Android. I can't find any information about updating Android without taking the device itself online.
This feels like a problem for maintaining privacy in the long run (letting Google know which phone I bought, my location, ...), but I lack the knowledge.

Could anyone advise me on what information would be leaking, what the consequences might be for privacy after installing GrapheneOS, and if there is anything I can do to prevent it?

    There's nothing you can do to prevent it; your phone sends its serial number to a remote server to determine if it's a variant that can be unlocked.

    You can connect to the internet in places that are not associated with you if you wish, but note that apps in Android can't get hardware IDs, which means Google Play on GrapheneOS doesn't have access to them.

    You can also update by sideloading an OTA.

    mari

    OEM Unlocking requires going online, unfortunately; this is to check your IMEI/serial against a database to determine whether your device is subject to carrier restrictions such as those Verizon impose and have agreements with Google for.

    However, as you do not need to log in to your/a Google account, and as you do not wish to allow Google to connect your phone to your IP, you would be best off visiting a coffee shop or local public library or such that offers free wifi to go through the OEM unlock toggle enabling process.

    None of this is considered 'leaking' as it is intended and is required to use the service.

    Once done and GrapheneOS flashed, the service no longer calls back when using the OEM Unlock toggle, as it isn't included in AOSP but just in the stock Pixel Experience. Not only that, but ALL hardware identifiers other than Phone Model are hidden from any app or service, including sandboxed Play services. The ONLY time any other hardware ID would be further exposed to Google would be if you utilise the privileged eSIM management tool; the IMEI, while being exposed, shows no evidence this is harvested.

    The only other 'consequences' to your privacy after flashing GOS would not come from the OS but would be any further voluntary disclosure of hardware IDs you choose to voluntarily provide to an app, service or provider.

    lberrymage

    Enabling OEM unlocking is a prerequisite to flashing GrapheneOS.

    The steps I suggest would get OP to unlocking without touching internet with their new 6a.

    OP wants to know:

    I can't find any information about updating android, without taking the device itself online.

    I must be missing/forgetting something, but I believe the steps above would get OP to GrapheneOS install without ever connecting the new 6a to the internet pre-install.

    The Android version that shipped with your 6a doesn't allow OEM unlock.
    The solution is to update to a later (220601.002.b2) Android update, which allows OEM unlock.
    But that OTA can be sideloaded; it does not need to be updated Over The Air, it can be sideloaded with a cable to a laptop.

    OTA and sideload steps are HERE

    What am I missing here? At what step in my suggested process would 6a connection to internet be required?
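The cable sideload mentioned in the post above, as an added example that is not part of the thread: a POSIX shell script that checks a downloaded OTA zip against the SHA-256 published alongside it and only then runs `adb sideload`. The file path and expected digest are user-supplied placeholders, and the function names are illustrative; it covers the offline update step only, not the OEM unlocking toggle.

```shell
#!/bin/sh
# Added example (not from the thread): verify an OTA zip offline, then sideload over USB.
# Usage: ./sideload.sh OTA_ZIP EXPECTED_SHA256   (both values are supplied by the user)

# Print the lowercase SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# Return 0 only if the file exists and its digest equals the expected one.
verify_ota() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest has wrong length" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch: got $actual" >&2
    return 1
}

# Read `adb devices` output on stdin; succeed if exactly one device is in sideload state.
in_sideload_mode() {
    [ "$(awk 'NR > 1 && $2 == "sideload" {n++} END {print n + 0}')" -eq 1 ]
}

# Verify first, sideload second; never push an unverified image.
sideload_verified() {
    verify_ota "$1" "$2" || return 1
    adb devices | in_sideload_mode || { echo "no device in sideload mode" >&2; return 1; }
    adb sideload "$1"
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    sideload_verified "$1" "$2"
fi
```

The phone has to be in recovery with "Apply update from ADB" selected before `adb devices` reports the `sideload` state.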

      Three1989 the update allows the toggle to be activated, but only when the device has been connected to the internet first to question Google's servers to make sure your device is unlockable based on carrier agreements.

      Preparing your device
      Before you can flash a build to your device, you must prepare your device:

      • Enable Developer options and USB debugging.
      • Enable OEM Unlocking in the Developer options menu. If your bootloader is already unlocked, this option is grayed out with "Bootloader is already unlocked".

      If you're having trouble enabling OEM Unlocking, make sure:

      • Your device is connected to the internet.
      • Your device has checked in with Google, which may not be the case just because your device recently connected to the internet. To force a check in, enter *#*#CHECKIN#*#* (*#*#2432546#*#*) in the Dialer (no SIM required). After entering the number (no need to press call), the text disappears and a success notification appears.

      Source: https://source.android.com/docs/setup/contribute/flash

      Thanks everyone.
      Finding out after the fact leaves a really bitter taste. This kind of stuff needs more publicity.
      I mean, you always have to expect making a mistake ("voluntary disclosure") at some point. Which can have very different consequences, depending on how you handle the phone pre-GOS.
      The moment you connect to the internet for that OEM-check, play-services (or any other) can upload all data collected. So I think this is not a trivial matter, yet that's how it was treated in the instructions.

      I also realized this:

      • When you buy the phone, your timezone/country is already set. So I guess Google already has some (location) information on the device before you even turn it on. And traveling to mask your location has limited effect.
      • The moment you turn on the phone for the first time, it automatically turns on wifi. You can skip connecting, but the phone will keep scanning for all available wifi networks. Which, if I remember correctly, is data Google likes to collect, and can be used to pinpoint your location.

        mari

        The moment you connect to the internet for that OEM-check, play-services (or any other) can upload all data collected. So I think this is not a trivial matter, yet that's how it was treated in the instructions.

        You consent to such data collection by using a Pixel, and you're not required to enter any personal information before the flashing process.

        mari There simply is no way to avoid the things you indicate as concerns. There is no purity.

        You could investigate alternative measures, such as:

        • buy the phone with cash from a stranger
        • make all updates on public wifi
        • then do all GOS installation with USB sticks and CLI installation, from an airgapped machine running Linux/QubesOS
        • ... while wearing thermoptic camouflage inside a Faraday Bag tent, in international waters

        I'm being dramatic here, but there simply is no purity that GOS proclaims or provides or advertises, and the only purity you'll find = what you create for your own installation/ecosystem.
