Our next release will have a safer flashing procedure preventing people from bricking 6th generation Pixels due to the SoC firmware anti-rollback protection deployed in the Android 13 firmware update:
We'll try to get them to fix this issue upstream too.
We're also improving this for the fastboot.js library used by our web installer:
(fastboot.js was initially developed as a project we funded for our web installer)
We've tested this new approach and it's currently deployed for our staging website.
If you want to help with testing the new safer approach for our web installer, it's currently available through https://staging.grapheneos.org/install/web.
It'll be pushed to our production site very soon since the post-13 status quo isn't good.
Google should do this for their web installer too.
Most users have done a single update from Android 12 to Android 13. They have Android 13 firmware on their active slot and Android 12 firmware on their inactive slot. This is safe with a locked device since rollback was disabled by the update client before anti-rollback update.
Anti-rollback protection was enabled for the boot chain on 6th gen Pixels with Android 13 to prevent bypassing fixes for verified boot / TEE vulnerabilities.
If you unlocked the device, incorrectly flash an OS and try to boot a non-booting OS, it triggers rollback to inactive.
They should have added a check to the firmware to prevent it rolling back to the inactive slot if the inactive slot has out-of-date SoC firmware. That wouldn't be as safe as our new procedure, but it would stop people bricking their phone by trying to boot incomplete installs.