Database Users

the risks of running an unlocked bootloader

Hi,
Running an unlocked bootloader is quite risky assuming someone has physical access to your phone.
It's extremely easy simply to put it into fastboot mode, flash a recovery (cwm/twrp) and then adb will provide root access to all data.
This is mitigated by encrypting the device, however, I haven't been successful in doing this (http://forum.xda-developers.com/showthread.php?p=48848592) on this particular phone although it works without any issues on nexus phones.
For the people with unlocked bootloaders, do you simply don't care about someone getting physical access or is there anything that can be done?
Also, did someone manage to successfully encrypt the phone (using the standard settings -> security -> encrypt phone) or is everyone running unencrypted?
Having a remote wipe capability is next to useless assuming the thief will power off the phone immediately (before you have a chance to issue the remote wipe).
An unlocked bootloader is mandatory for running Cyanogenmod so that's that.
Thank you.

A thief (if he had the knowledge or the inclination), could steal a locked bootloader phone (without encryption) and simply flash an ftf and untick "wipe data". He would then have full access to the data on the phone by rooting and flashing a recovery for LB. So locked bootloader is cold comfort really
Sent from my C6603 using xda app-developers app

i think the best to happen is to have passwords , when entering fastboot or flashtool , a password should pop up to access the fastboot or flash tool connection , and when entering recovery , a password should also pop up , it is so much secure to get these , but i think it is so hard to make it work or even impossible

You're right, a locked bootloader is indeed a false security.
At the end, encryption is needed but on this phone, it doesn't seem to work and no one tried using it apart from me...

I have my BL locked and I ensure that USB debugging is off, seeing as most rooting solutions required USB debugging I should be good for the average criminal. So the only way to have access to my data...(obviously SD card is immediately compromised with physical access) would be to guess my unlock code. Otherwise, a full wipe of the phone would be required for it to be usable but that should delete all my accounts off the device.
(At least this is what I tell myself to sleep better at night lol)

SmallsXD said:
I have my BL locked and I ensure that USB debugging is off, seeing as most rooting solutions required USB debugging I should be good for the average criminal. So the only way to have access to my data...(obviously SD card is immediately compromised with physical access) would be to guess my unlock code. Otherwise, a full wipe of the phone would be required for it to be usable but that should delete all my accounts off the device.
(At least this is what I tell myself to sleep better at night lol)
Click to expand...
Click to collapse
Getting all your data is as trivial as flashing a custom recovery for locked bootloaders which will provide direct root access.
It probably takes less than a few minutes.
Like they say, there's nothing more dangerous than the sense of false security.

Its not just having a Locked bootloader but also having USB Debugging off, 3rd Party App installs off as that alone would dramatically reduce the number of compatible tools to achieve root access to your device. As far as I know you have to be rooted in most cases to install custom recoveries or at least that is what most instructions say. Remember security is hardly ever a complete solution, its about making it not worth the effort.
For the average person/criminal it is not worth their time to access my data as it is actually worthless to them, As I said the SD card is already taken as soon.
My antitheft software will be lingering with a Data Wipe command, I would have changed the account information stored, I never stored Billing information. So my risk level is very low and not worth any more effort on my end.
As stated, Im speaking from a personal perspective and not a "best practice" one.
The real problem is we like to unlock everything and tick every security risk option and then complain when things get patched that make our device more secure, like all the root exploits.
BL unlocked - Any compilable kernel can now run
USB Debugging - Access from PC's to send commands to your device
Installs from unknown sources - Allows installations of root apps and other apps
All things we need set to do some great things with our devices but how many of us actually look back at these setting once we enable them. It is the equivalent to taking off a door to get the fancy new furniture inside but never putting it back on when we are done.

elias234 said:
i think the best to happen is to have passwords , when entering fastboot or flashtool , a password should pop up to access the fastboot or flash tool connection , and when entering recovery , a password should also pop up , it is so much secure to get these , but i think it is so hard to make it work or even impossible
Click to expand...
Click to collapse
Suppose i have encrypted my device, i.e., it asks for password before booting up...
Q1 So, is it still possible to access the fastboot or recovery mode? Will entering the recovery or fastboot mode would require the password?
Q2 If no, how can i prevent access to fastboot and recovery mode with an unlocked bootloader?

[Q] Bootloader with password

Even if you have any anti theft installed in your android phone and lose your phone , the stealer can easily wipe off everything by accessing bootloader with volume keys. By this way you cannot track your phone.:crying:
Bootloader is written specific to the hardware by manufacturers but there are number of open source bootloaders like u boot. Now my question is how to put password for bootloader?, What programming language is used in bootloaders.?Where can I find source code?

Hi
agnelvishal said:
Even if you have any anti theft installed in your android phone and lose your phone , the stealer can easily wipe off everything by accessing bootloader with volume keys. By this way you cannot track your phone.:crying:
Bootloader is written specific to the hardware by manufacturers but there are number of open source bootloaders like u boot. Now my question is how to put password for bootloader?, What programming language is used in bootloaders.?Where can I find source code?
Click to expand...
Click to collapse
Try searching from /system. theres used two languages in bootloader, java and java C.

agnelvishal said:
Even if you have any anti theft installed in your android phone and lose your phone , the stealer can easily wipe off everything by accessing bootloader with volume keys. By this way you cannot track your phone.:crying:
Bootloader is written specific to the hardware by manufacturers but there are number of open source bootloaders like u boot. Now my question is how to put password for bootloader?, What programming language is used in bootloaders.?Where can I find source code?
Click to expand...
Click to collapse
But not everyone can do this, But it's helpful.

Can you still access the bootloader if device encryption is switched on? Don't you need to enter the password?

thelous said:
Try searching from /system. theres used two languages in bootloader, java and java C.
Click to expand...
Click to collapse
I have not checked but I think boot loader is written in assembly language as it deals with hardware. If anyone has a rooted device, you can check and reply here.

Lockscreen bypass

I need to recover data from a samsung galaxy s7 edge, but I don't know the code for unlocking the screen. There's a way to bypass this?

1. How could You forget a 4 digit pin code? Seriously.
2. Is it rooted? Any custom rom on it? Encryption?

ProtoDeVNan0 said:
1. How could You forget a 4 digit pin code? Seriously.
2. Is it rooted? Any custom rom on it? Encryption?
Click to expand...
Click to collapse
It isn't mine, it was of a dead person and the family asks me to recover data but they don't know the pin.
It's fully original.

Then I'm not sure if it's possible.
If it didn't have encryption enabled (it's enabled by default by samsung) then You could flash TWRP and then flash a zip file which removes certain files in Data partition and well, unlocks the device (I've done it before when I broke my lock screen buttons). But with Encryption being enabled TWRP won't be able to read Data partition and yeah. I'm not sure if You can even access internal storage through TWRP.
Maybe try all possible combinations? Or the most popular ones.
Try this:
Flash TWRP(a detailed instruction is on XDA)
Tap on advanced and then file manager.
You should be able to see internal storage if it's not encrypted, and then just copy all files that You want to sd card or just mount usb storage.
But if the encryption covers Data and internal storage then I don't think You can do anything.
Like I said, in the worst case try using most popular code combinations and maybe one will work. But try that before flashing TWRP, cause TWRP might soft brick the device.

No. Who knows what you're really after? I'm totally against questions like these and would urge people not to answer. If it's really your own device, you have to deal with the consequences of forgetting a 4 digit number.

Not possible with encryption, only way is brute forcing it and it might auto wipe after 15 attempts

Really??? Xda is the first place someone with this situation would ask for help? First post? I'm calling BS.
If - hah - you are legit, the "dead" person's phone is still under warranty, therefore the "family" can take the phone to the dealer/network provider and get help there.

sounds very suspicious

How protect phone data when bootloader unlocked?

Hello,
I doesn't know if this is a real problem in newer Android versions.
I apologize if this problem is already solved; i'm out of Android development since a while...
From me the problem is to protect MY data if I loss the phone...
If my phone is password protected (and bootloader locked), a person that found the device can't use it directly.
It can unlock the bootloader (more or less easily) but the phone data is removed by the unlock process.
My data is sure!
But if the bootloader is unlocked the person that has found my phone can acess to the custom recovery (or load a custom recovery if I'm on stock recovery) then force a wipe of the device.
Due to that, all my security (fingerprint and lock code) was erased and the user can access to my phone and also to all the data stored in /sdcard.
My data isn't sure!
It exists any mode to use a custom ROM but maintaining my data sure?
(I'm not confidence with the Google remote device access)
Thanks in advance!

I think you'll be fine, as the data on your internal memory should be encypted, which is enabled by default!

I'll be honest and I mean no offense but your data is worthless. If someone steals your device the first things done are Sim removed and devices reset or powered off. Data thieves don't get the data from stolen devices. They get it from the places we give it freely. Like shopping stores and on line accounts.

Nobody can access your phone data the way you describe unless you also run your phone decrypted --which is not the default for Android or even for custom ROMs for that matter. When you boot into recovery on a phone that is encrypted TWRP asks for your pin number and without it your data is not accessible. But that doesn't mean a thief couldn't still wipe and use your phone. You need to report it stolen so the IMEI number is blacklisted.

jhs39 said:
Nobody can access your phone data the way you describe unless you also run your phone decrypted --which is not the default for Android or even for custom ROMs for that matter. When you boot into recovery on a phone that is encrypted TWRP asks for your pin number and without it your data is not accessible. But that doesn't mean a thief couldn't still wipe and use your phone. You need to report it stolen so the IMEI number is blacklisted.
Click to expand...
Click to collapse
The /sdcard in phones that doesn't have external sdcard, like O+5, are also protected by the encriptation?
Thanks

bartito said:
The /sdcard in phones that doesn't have external sdcard, like O+5, are also protected by the encriptation?
Thanks
Click to expand...
Click to collapse
Yep, like any other android, the oneplus 5 has full disk encryption enabled by default:
http://www.androidpolice.com/2015/1...ll-disk-encryption-by-default-on-new-devices/

bartito said:
Hello,
I doesn't know if this is a real problem in newer Android versions.
I apologize if this problem is already solved; i'm out of Android development since a while...
...........................................
Click to expand...
Click to collapse
Well, IMO your concern is right to some extent.
With an unlocked bootloader, if there is some version of TWRP (or any other customer recovery for that matter) that can decrypt your data partition automatically or if you have ever formatted your /data partition from TWRP , or even an insecure kernel (most insecure kernels allow USB debugging without asking for authorization keys), all the thief needs is 2 adb commands and your screen lock will be turned off and all your stuff will be exposed 'as is'.
For educational purposes, the commands are:
Code:
adb shell rm /data/system/*.key
adb reboot
Now, for that matter, having a locked bootloader either doesn't ensure that your data is safe. For example, for HTC phones, you don't even need to unlock the bootloader for flashing a custom recovery or kernel. You can turn the phone to S-Off state using some proprietary tools (without losing data) and then flash custom images over a locked bootloader.
In case of Samsung, only FRP lock prevents you from flashing custom images (that too on newer phones) but in that case also, you can turn FRP off using some paid services and then flash any custom images and run the above mentioned commands.
In case of LG, it is even easier. Professional tools exist for communication over download mode protocol and turning off the screen lock doesn't even require a custom image in LG's case. However, most newer models are not supported by those tools yet.
In case of Apple, professional tools existed that used to read screen lock over a time span of 1-4 hours in an older version of iOS. I've heard that a tool is being made available for the current versions also in the coming weeks.
So, if you are conscious about your data, it is safe as far as the you have the phone in your possession. Once you lose it, you can't be sure about what is happening with it.
But then, as said in above posts, why would the thief want to crack open the data of a common man. If you are not a common man, you should worry. Otherwise I personally really don't care.

Hello,
Absolutelly appreciate your anwer.
I'm a common man, but I'm a bit worried due to 2 points:
1) I'm using LastPass and I doesn't would to my passwords to fall into someone's hands if I loss the device,
2) I'm using the app from my bank to pay using NFC and I doesn't would that anyone can use it
EDIT: 3) Of course, I'm using my Google account to store my contacts data. It would be a mess if someone erase my contacts
Thanks!
sikander3786 said:
Well, IMO your concern is right to some extent.
With an unlocked bootloader, if there is some version of TWRP (or any other customer recovery for that matter) that can decrypt your data partition automatically or if you have ever formatted your /data partition from TWRP , or even an insecure kernel (most insecure kernels allow USB debugging without asking for authorization keys), all the thief needs is 2 adb commands and your screen lock will be turned off and all your stuff will be exposed 'as is'.
For educational purposes, the commands are:
Code:
adb shell rm /data/system/*.key
adb reboot
Now, for that matter, having a locked bootloader either doesn't ensure that your data is safe. For example, for HTC phones, you don't even need to unlock the bootloader for flashing a custom recovery or kernel. You can turn the phone to S-Off state using some proprietary tools (without losing data) and then flash custom images over a locked bootloader.
In case of Samsung, only FRP lock prevents you from flashing custom images (that too on newer phones) but in that case also, you can turn FRP off using some paid services and then flash any custom images and run the above mentioned commands.
In case of LG, it is even easier. Professional tools exist for communication over download mode protocol and turning off the screen lock doesn't even require a custom image in LG's case. However, most newer models are not supported by those tools yet.
In case of Apple, professional tools existed that used to read screen lock over a time span of 1-4 hours in an older version of iOS. I've heard that a tool is being made available for the current versions also in the coming weeks.
So, if you are conscious about your data, it is safe as far as the you have the phone in your possession. Once you lose it, you can't be sure about what is happening with it.
But then, as said in above posts, why would the thief want to crack open the data of a common man. If you are not a common man, you should worry. Otherwise I personally really don't care.
Click to expand...
Click to collapse

jhs39 said:
Nobody can access your phone data the way you describe unless you also run your phone decrypted --which is not the default for Android or even for custom ROMs for that matter. When you boot into recovery on a phone that is encrypted TWRP asks for your pin number and without it your data is not accessible. But that doesn't mean a thief couldn't still wipe and use your phone. You need to report it stolen so the IMEI number is blacklisted.
Click to expand...
Click to collapse
Black listing the imei doesn't work everywhere. Plus while banned on xda so I can't say how. But the imei is not that hard to change.

bartito said:
Hello,
Absolutelly appreciate your anwer.
I'm a common man, but I'm a bit worried due to 2 points:
1) I'm using LastPass and I doesn't would to my passwords to fall into someone's hands if I loss the device,
2) I'm using the app from my bank to pay using NFC and I doesn't would that anyone can use it
EDIT: 3) Of course, I'm using my Google account to store my contacts data. It would be a mess if someone erase my contacts
Thanks!
Click to expand...
Click to collapse
Maybe some experts can give their opinion on how to protect your data using some third party apps or by using some other options that I am not aware of. But in my opinion, a phone with an unlocked bootloader is always more vulnerable than a phone with locked bootloader.

Of course, I agree with your affirmation at 100%
The question is: I can improve security if I keep TWRP as a recovery instead of return to the stock recovery and I lock the bootloader?
Thanks
sikander3786 said:
Maybe some experts can give their opinion on how to protect your data using some third party apps or by using some other options that I am not aware of. But in my opinion, a phone with an unlocked bootloader is always more vulnerable than a phone with locked bootloader.
Click to expand...
Click to collapse

bartito said:
Of course, I agree with your affirmation at 100%
The question is: I can improve security if I keep TWRP as a recovery instead of return to the stock recovery and I lock the bootloader?
Thanks
Click to expand...
Click to collapse
I don't think you will be able to boot TWRP after relocking the bootloader. You need to test it yourself. Chances are very few because locked bootloaders prevent from booting un-signed images.
If you do manage to boot TWRP after relocking, make sure your data is encrypted. If it is not, then it doesn't matter if the bootloader is locked or not.
Also, you will need to turn off "oem unlock" option from developer options.

sikander3786 said:
I don't think you will be able to boot TWRP after relocking the bootloader. You need to test it yourself. Chances are very few because locked bootloaders prevent from booting un-signed images.
If you do manage to boot TWRP after relocking, make sure your data is encrypted. If it is not, then it doesn't matter if the bootloader is locked or not.
Also, you will need to turn off "oem unlock" option from developer options.
Click to expand...
Click to collapse
I think in the end I will stay as I am: bootloader unlocked and TWRP instead of the original recovery.
After all... I've never lost a phone...

bartito said:
The /sdcard in phones that doesn't have external sdcard, like O+5, are also protected by the encriptation?
Thanks
Click to expand...
Click to collapse
I haven't checked, but I believe it should.
nxss4 said:
Yep, like any other android, the oneplus 5 has full disk encryption enabled by default:
http://www.androidpolice.com/2015/1...ll-disk-encryption-by-default-on-new-devices/
Click to expand...
Click to collapse
Uh no, OP5 with OOS 4.5.x Nougat uses File-Based Encryption (FBE), not FDE.
I know because I wrote the utility to get back to FDE, which works if you change the/fstab* file:
https://forum.xda-developers.com/showthread.php?t=3672477
sikander3786 said:
Well, IMO your concern is right to some extent.
With an unlocked bootloader, if there is some version of TWRP (or any other customer recovery for that matter) that can decrypt your data partition automatically or if you have ever formatted your /data partition from TWRP , or even an insecure kernel (most insecure kernels allow USB debugging without asking for authorization keys), all the thief needs is 2 adb commands and your screen lock will be turned off and all your stuff will be exposed 'as is'.
Click to expand...
Click to collapse
Do you have a source for the first part of that information? The part where if userdata is formatted with TWRP, it is vulnerable?
I don't see how that can happen unless you run decrypted. TWRP is never involved in the encryption process. When you format userdata, it just runs mkfs. Android upon booting sees the forceencrypt flag in the fstab and then promptly encrypt the device with a default passphrase. When you later set up security, the passphrase is changed to whatever you input.
How can TWRP decrypt the files at this point without your passphrase?
Note that if you are running FBE, and run adb shell on a device that's booted into TWRP while waiting for the password, you will be able to see the file structure under /data, but most of its contents will be garbage (=encrypted).
If you're running FDE, and run adb shell on a device that's booted into TWRP, /data will be completely inaccessible.
sikander3786 said:
For educational purposes, the commands are:
Code:
adb shell rm /data/system/*.key
adb reboot
Click to expand...
Click to collapse
This will remove the PIN/password phrase to get into Android, but won't give access to any encrypted files.
That may mess your phone royally as well.

Hello,
Thanks for your anwer. I appreciate the time that have you spend on my question
I need to go to the FDE thread to learn a bit more about the process and results.
Now, I have 2 more questions...
1) If the phone is encrypted with FBE a user can remove user passwords using "adb shell rm /data/system/*.key
&& adb reboot" commands, like @sikander3786 has explained but, due to the device is encripted, it can't access to my data
and the device will require for the decrypt password when booting in normal mode or recovery. I'm correct?
2) If the device is encrypted with FBE a user can access to /sdcard even without the decrypt password in recovery (TWRP) mode but not if encrypted with FDE?
Thanks again!
Fif_ said:
I haven't checked, but I believe it should.
Uh no, OP5 with OOS 4.5.x Nougat uses File-Based Encryption (FBE), not FDE.
I know because I wrote the utility to get back to FDE, which works if you change the/fstab* file:
https://forum.xda-developers.com/showthread.php?t=3672477
Do you have a source for the first part of that information? The part where if userdata is formatted with TWRP, it is vulnerable?
I don't see how that can happen unless you run decrypted. TWRP is never involved in the encryption process. When you format userdata, it just runs mkfs. Android upon booting sees the forceencrypt flag in the fstab and then promptly encrypt the device with a default passphrase. When you later set up security, the passphrase is changed to whatever you input.
How can TWRP decrypt the files at this point without your passphrase?
Note that if you are running FBE, and run adb shell on a device that's booted into TWRP while waiting for the password, you will be able to see the file structure under /data, but most of its contents will be garbage (=encrypted).
If you're running FDE, and run adb shell on a device that's booted into TWRP, /data will be completely inaccessible.
This will remove the PIN/password phrase to get into Android, but won't give access to any encrypted files.
That may mess your phone royally as well.
Click to expand...
Click to collapse

nxss4 said:
I think you'll be fine, as the data on your internal memory should be encypted, which is enabled by default!
Click to expand...
Click to collapse
Suppose i encrypt my device, i.e., it asks for password everytime before booting...
Q1. Will booting into fastboot or recovery require the password?
Q2. If no, how can i prevent access to fastboot and recovery on an unlocked bootloader?

anuragm13 said:
Suppose i encrypt my device, i.e., it asks for password everytime before booting...
Q1. Will booting into fastboot or recovery require the password?
Q2. If no, how can i prevent access to fastboot and recovery on an unlocked bootloader?
Click to expand...
Click to collapse
You can't, but your data isn't accessible without the password

bartito said:
You can't, but your data isn't accessible without the password
Click to expand...
Click to collapse
But one can flash custom recovery from fastboot and subsequently use it to flash custom roms.
Am i right?

anuragm13 said:
But one can flash custom recovery from fastboot and subsequently use it to flash custom roms.
Am i right?
Click to expand...
Click to collapse
Yes, you can flash any recovery and any rom, but phone data can't be accessible if you don't have the password.
To use the device you need to know the password or do a data format

Isn't your phone technically always safe as long as you keep it encrypt it?
Only thing a thief could do would be a reset in both cases, isn't it?

[solved] is it possible to remove screen unlock pattern (fingerprint works)?

Hi,
I've just set up my Axon7 from scratch, after it returns from service, and set up new unlock pattern. I admit, I must've been drunk or something, because can't remember the pattern itself. Currently I unlock the phone with fingerprint sensor.
Is it possible to change/remove the unlock method without factory reset? As I said, the phone reads my fingerpritnts fine.
Thank's for any advice

1. Boot to TWRP
2. In File Manager go to the /data/system folder. Scroll down and find the two files with the .key extension. Delete both of them (by tapping on the file and then tapping the <Delete> button). Then, delete all the files containing the word locksettings:
gatekeeper.password.key
gatekeeper.pattern.key
locksettings.db
locksettings.db-shm
locksettings.db-wal
3. Reboot system.

kinetiq said:
Hi,
I've just set up my Axon7 from scratch, after it returns from service, and set up new unlock pattern. I admit, I must've been drunk or something, because can't remember the pattern itself. Currently I unlock the phone with fingerprint sensor.
Is it possible to change/remove the unlock method without factory reset? As I said, the phone reads my fingerpritnts fine.
Thank's for any advice
Click to expand...
Click to collapse
Is it possible for you to post in the right section (i.e. questions & answers)?
besides from that, the user above is right, you just have to do that

Thank you very much, for your advice.
Unfortunately I haven't rooted my phone yet, and after lecture of few tutorials I'm slightly intimidated, so...
Is it possible to do something with my problem without rooting, instaling custom recovery etc?
I could even accept factory reset, after all, but it asks for unlock pattern as well...

kinetiq said:
Thank you very much, for your advice.
Unfortunately I haven't rooted my phone yet, and after lecture of few tutorials I'm slightly intimidated, so...
Is it possible to do something with my problem without rooting, instaling custom recovery etc?
I could even accept factory reset, after all, but it asks for unlock pattern as well...
Click to expand...
Click to collapse
No man, without your bootloader unlocked there's not much you can do, unlock bootloader then install twrp and you'll be good to go

I made some digging, and found solution: Power on+vol up allowed factory reset, problem is solved.
Thank you all for your help.

kinetiq said:
Hi,
I've just set up my Axon7 from scratch, after it returns from service, and set up new unlock pattern. I admit, I must've been drunk or something, because can't remember the pattern itself. Currently I unlock the phone with fingerprint sensor.
Is it possible to change/remove the unlock method without factory reset? As I said, the phone reads my fingerpritnts fine.
Thank's for any advice
Click to expand...
Click to collapse
kinetiq said:
I made some digging, and found solution: Power on+vol up allowed factory reset, problem is solved.
Thank you all for your help.
Click to expand...
Click to collapse
Hmm... Well you said "without factory reset" in OP... Else everyone could've told you to do that...

Gachmuret said:
Hmm... Well you said "without factory reset" in OP... Else everyone could've told you to do that...
Click to expand...
Click to collapse
i guess he was still a little drunk?