11 Nov

Did you know it's possible to unlock your Nexus 5 bootloader without wiping user data? If your device has already been unlocked once, rooted, and then relocked for security, unlocking it again is just a button tap away thanks to the latest update to BootUnlocker. (That first unlock still goes through fastboot and wipes the device; the app only saves you from repeating the wipe every time afterwards.) Support for Google's latest flagship phone was just added in version 1.4 of the app from XDA member segv11. Sadly, both generations of the ASUS-built Nexus 7 remain unsupported.

If you haven't heard of BootUnlocker, it's a small utility app with a single purpose: toggling the lock state of the bootloader on supported Nexus devices. With the exception of the ASUS-built Nexus 7 (both the 2012 and 2013 models), every recent Nexus (Galaxy Nexus and newer) keeps its lock state as a single flag at a fixed location on the param (or misc) partition. The bootloader wipes user data when it is asked to unlock via `fastboot oem unlock`; writing that flag directly from the running system bypasses that step, so nothing is lost. The partition is a raw block device that only root can write, hence the requirement that the device already be rooted. Combine a locked bootloader with a strong lockscreen password and you can mod as often as you like while still ensuring that anyone who picks up the device has to wipe it before they can flash anything.

[Screenshots: BootUnlocker on the Nexus 5, 2013-11-11]

Yesterday's update to version 1.4 brings the welcome addition of Nexus 5 support, which takes the list of supported devices to four: the Galaxy Nexus, Nexus 10, Nexus 4, and now the Nexus 5. Of course, any bootloader update could move the location of the lock flag, and a blind write to the old offset would then land on whatever now lives there, but this has yet to happen; it is still worth checking that the app reports the state you expect before toggling it after a bootloader update. Unfortunately, the bootloaders on the ASUS-made Nexus tablets use a more complicated mechanism to manage lock state. While it's possible to work around this, it requires recording the individual locked and unlocked states of each device, a feature the developer isn't planning to add.
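To make the single-flag scheme concrete, here is an added example (not BootUnlocker's code, nor anything from segv11's project) of the same operation as a small Python tool: it reads the byte at a given offset in a partition or a partition image, refuses to write unless that byte already holds one of the two recognised lock values (so a flag that has moved after a bootloader update is never overwritten blindly), keeps a full copy of the partition before touching it, and verifies the write afterwards. The block device path, the offset and the 0x00-locked / 0x01-unlocked encoding are assumptions to be filled in per device from BootUnlocker's own source; try it against a dump of the partition first (pulled with dd over adb from the rooted device) before pointing it at the live block device.

```python
"""Toggle a bootloader lock flag stored as one byte in a partition.

Added example, not BootUnlocker's code. The partition path, the offset and
the byte encoding (0 = locked, 1 = unlocked) are assumptions that must be
checked against the real values for the device before use on hardware.
"""
import os
import shutil

LOCKED = 0x00      # assumed encoding; verify per device
UNLOCKED = 0x01
VALID_STATES = {LOCKED, UNLOCKED}


def read_flag(path: str, offset: int) -> int:
    """Return the byte at `offset` in the partition (or image) at `path`."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read(1)
    if len(data) != 1:
        raise ValueError(f"{path}: offset {offset:#x} is past the end of the partition")
    return data[0]


def describe(path: str, offset: int) -> str:
    """Human-readable lock state, or 'unknown (0x..)' if the byte is unexpected."""
    value = read_flag(path, offset)
    if value == LOCKED:
        return "locked"
    if value == UNLOCKED:
        return "unlocked"
    return f"unknown (0x{value:02x})"


def set_flag(path: str, offset: int, unlock: bool, backup: str) -> int:
    """Write the requested state and return the previous byte value.

    Refuses to write when the current byte is not a known lock state: that is
    the symptom of a wrong offset, or of a bootloader update that moved the
    flag, and writing anyway could corrupt whatever now lives at that offset.
    A full copy of the partition is saved to `backup` before anything changes.
    """
    current = read_flag(path, offset)
    if current not in VALID_STATES:
        raise RuntimeError(
            f"refusing to write: byte at {offset:#x} is 0x{current:02x}, "
            "not a recognised lock state (wrong offset or relocated flag?)"
        )
    shutil.copyfile(path, backup)  # restore with dd/cat if anything goes wrong
    target = UNLOCKED if unlock else LOCKED
    if current == target:
        return current  # already in the requested state; nothing written
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(bytes([target]))
        f.flush()
        os.fsync(f.fileno())
    if read_flag(path, offset) != target:
        raise RuntimeError("write-back verification failed; restore from backup")
    return current


if __name__ == "__main__":
    import sys
    # usage: lockflag.py <partition-or-image> <offset> [lock|unlock]
    # <offset> may be decimal or 0x-prefixed hex; it is an assumption per device.
    dev, off = sys.argv[1], int(sys.argv[2], 0)
    if len(sys.argv) == 3:
        print(describe(dev, off))
    else:
        prev = set_flag(dev, off, sys.argv[3] == "unlock",
                        os.path.basename(dev) + ".bak")
        print(f"was 0x{prev:02x}, now {describe(dev, off)}")
```

Run with only the path and offset to see the current state without writing anything; that read-only mode is the check to run after any bootloader update, since an "unknown" result means the flag is no longer where you think it is.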

If you fall into the intersection of people who are both security conscious and eager to flash mods and ROM updates regularly, then BootUnlocker is probably just what you're looking for. It's both open source and free in the Play Store.

Source: XDA

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Samuel Hart

    Nice idea! Very useful :)

  • A Black UI is the best UI

    Why?

    Locking a bootloader is counter productive.

    • ProductFRED

      Returns/Warranty repairs.

      • A Black UI is the best UI

        Strange since I never had a device break on me after I rooted it but usually the process to return to stock isn't too hard.

        • exadeci

By just running Google's back-to-stock images it will flash a locked bootloader, so no need to lock it. I did it to return my first N4 that had a speaker issue.

    • NoUsernamesFree

      I have an encrypted Nexus 5. I have TWRP installed which prompts for a password when I enter recovery. I used EncPassChanger to set a 25 character dm-crypt password I provide at boot while having an 11 character unlock password once booted. Tasker autolocks my phone when it disconnects from my Pebble. Cerberus takes photos using the front camera when the unlock PIN is entered incorrectly or a new SIM is entered. Unlocking the bootloader is the ONLY thing that a thief can do to my phone, and it ensures that the device is completely wiped if it is stolen.

      I run CM. Why should I have to clean flash when I install a new nightly every fortnight or so? BootUnlocker means I can do an adb sideload within TWRP to update with no hassle and update to new versions of TWRP when I want.

      • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

        Wow, you sir, are pretty much EXACTLY who this app is perfect for ;)

  • duse

    Is it wise to relock the bootloader? If your device is not encrypted, is a locked bootloader actually providing protection? As in, there is no way to get data off of it via a cable, if it's locked? What about staying rooted - any risks there?

    • http://404err0r.com/ Henry Park

I just did it... my root is intact and it doesn't seem to do much, but it's great not seeing that unlocked symbol on my Nexus 4 when it boots.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      It's perfectly reasonable to relock the bootloader, at least if there's a reason behind it. For example, if you just had a password on your lockscreen, there are a couple of different ways to disable it by flashing certain packages from within recovery. If the bootloader is locked, that option is lost. If you're unlocked, somebody can install virtually anything, possibly starting with a new recovery or directly flashing from fastboot.

      Locking up the bootloader after you've rooted probably isn't going to stop somebody with enough time and ninja flashing skills, but it'll keep out virtually any thief and most power-user types.

      • Kit Tihonovich

        Simple. User probably forgot their custom recovery. Boot to recovery. Wipe security settings through adb. Boot up with no secure lock. Unlock bootloader or snoop through whatever you want to.

      • duse

        Thanks for your detailed reply, I appreciate it. I do understand the risks of an unlocked bootloader if your phone is the hands of someone else. But how much protection is the locked bootloader providing? If the device isn't encrypted, can data be pulled over adb even anyway? Can lock screen security really be wiped via adb as Kit Tihonovich just mentioned even with a locked bootloader? That doesn't seem right.

        • mgamerz

          Adb is not turned on until the user unlocks the device and accepts the RSA fingerprint. Assuming the computer is not the standard one that the user uses (I doubt you'd hack into a phone with the owners computer), they'd have to accept it, and it has to be unlocked on any computer to begin with.

          • Kit Tihonovich

            Not through recovery. You never need to accept the RSA fingerprint. This isn't true with the stock recovery. But all custom recoveries allow ADB access.

          • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

            Exactly right. This is why I'm disappointed that the developers of custom recoveries seem to be spurning the idea of passwords to access recovery.

          • mgamerz

            I suppose there is adb sideload. But I think it has to be signed for that to work so you don't have real adb usage. Adb does not respond to calls unless the phone has been unlocked (as in, your lock screen has been unlocked).

        • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

          There are a few ways to defeat the lockscreen, just like Kit mentioned. It's trivial to replace the lockscreen code with something insecure or to wipe the settings the user put in place. You can even install an app with the sole purpose of unlocking the screen a second after it's turned on. But all of these rely on having the ability to go into a custom recovery and flash something, which relies on having an unlocked bootloader.

          Again, a determined hacker (not a regular thief) could still get to your data if they REALLY wanted it, especially with a custom recovery in place, but the effort goes up exponentially as you close up each loophole.

          Of course, all of this should be tempered by how much you need to even worry about it. Where I live, most people have trouble successfully operating the Facebook app and have never even heard of Dropbox. The number of people who can do this kind of stuff, at least in my area, is just me :) I also don't have much on my phone worth a hacker's time unless they are looking for some pictures from last night's activities or to vandalize my accounts. For a CEO or politician, there might be more incentive to keep things locked up tight. ;)

          • duse

            Thanks Cody for the info. So if you flash a custom recovery, and then relock the bootloader, could a malicious app wipe or change my security settings as you described? Would this require root and be easily defeated by just denying permission for the app?

          • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

            How is this malicious app getting installed on your device? Even if it does get installed through tricky means (it does happen), it almost certainly needs you to grant it root or an exploit to gain root.

            If such an app is installed, the other security stuff really isn't important anymore.

          • duse

            I would say the other security stuff is MOST important at the time when a user has a malicious app like this installed. That is the time when protections built into the OS matter the most to keep users safe. Let's say a user does accidentally download an app that's pretending to be something else but is actually malicious. It's good to know how much Android actually protects a user in this kind of scenario.

            It sounds like the combination of not being rooted plus "enforcing" SELinux mode should be enough to stop most nefarious activity (except for stealing data), would you agree with this? Next question is an unlocked bootloader/custom recovery. Users should know what this does or doesn't open them up to in the event they accidentally install a malicious app. According to your last post, it sounds like possibly nothing as long as they don't grant root access to the app and the app doesn't find an exploit. If the app does obtain root, and you have a custom recovery but have relocked the bootloader, could the app proceed to flash things? I'm trying to determine if there is ANY benefit at all to relocking your bootloader with an app like BootUnlocker after flashing TWRP.

            The gate access to root provided by the SuperSU app is of utmost importance. The recent exploits here are troubling. Sure they were patched quickly, but with SuperSU being closed source, it is a slightly concerning thing to have on your device.

          • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

            Locking the bootloader is almost entirely about blocking those with physical access to the device. It's possible for a malicious app to take advantage of an unlocked bootloader, but only with root. Of course, if it has root, it almost certainly doesn't need to take advantage of an unlocked bootloader because there's not very much it would need an unlocked bootloader for that it can't already do with root aside from surviving a hard reset (which it can even do if it has write access to /system).

            If a malicious app is installed, it happens in one of three scenarios:

            1. User installs it intentionally - This shouldn't happen. It's the user's fault for installing something that shouldn't be trusted. That might sound harsh, but it's because people are too trusting.

            2. User installs it accidentally - Well, this can happen as a result of something like the recent Firefox vulnerability or some other creative exploit. This is what the Play Store scanning feature is (ideally) supposed to prevent. Granted, this sucks, but it happens. But, as I mentioned before, an unlocked bootloader probably isn't necessary for the app to achieve whatever it wants to do.

            3. A hacker installs it - This is probably done through the unlocked bootloader or it happens when the hacker gets to your device after the lockscreen has already been cleared. It could also happen if they somehow get the installed app onto the Play Store and access your web browser. At this point, said hacker has already bypassed any security measure you had, thus, it's a moot point.

            Put simply, if the phone remains in your possession, a locked bootloader rarely makes much of a difference for security purposes. It's when you no longer have physical control of the device that you really want it locked. As for the other stuff, that's a much bigger topic and probably deserves a bigger discussion about security as a whole, not just a response in a comment thread.

          • duse

            Thanks Cody, your response is appreciated. I think it's a good point to make that a locked bootloader is more about physical security. However my question still stands of, once I've already flashed TWRP, is there any advantage to relocking my bootloader with BootUnlocker? If someone got physical access to it, TWRP is already there for them to flash things, so what would relocking it get me?

          • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

            If the bootloader is locked, TWRP and CWM should not be able to flash, at least not to /system (I'm not sure about some other partitions). They can definitely still be used to make nandroid backups and use adb, which introduces ways to extract data and possibly hack into the phone, but it's still safer than being unlocked.

          • duse

            Got it, thanks, that makes all the difference then. So if they wanted to write to /system, they'd have to unlock your phone to be able to use an app like this, or do it over command line and go through a wipe. I guess if this app doesn't have any bad side effects, it's worth doing.

      • MrNinjaPanda

Are there any negative points to locking the bootloader? Like, if I'm ever stuck in a boot loop, would that mean that I wouldn't be able to flash stock Android?

        • Jordan Thoms

          No. The locked bootloader will accept images signed by Google, the difference with unlocking it is that it'll allow images not signed by Google.

  • https://twitter.com/#!/Zengster6474 Zengster

    I must be missing something here. I've got a Nexus 5. How do I go about using this app if in order to root my phone I must unlock my bootloader first, thus losing all my data? Can someone help me please.

    • Mo3tasm

I don't think you need to unlock the bootloader before rooting your device, nor will rooting wipe your data... I don't have a Nexus, I have a Sony instead, but I guess all Androids should be the same...

      • Brad

        Nope, sometimes you have to wipe to gain root... every phone is different. Well, not every... but you get the picture.

    • Cloduar

      You need to unlock your bootloader in order to gain root access on your N5. This app is meant for users who want to unlock-relock their bootloader multiple times without losing their data (after unlocking for the first time). Even when you use ChainFire's CF Root you'll unlock your bootloader...

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

As far as I'm aware, there isn't a publicly available root exploit for stock KitKat, so the only way to gain root at this time is to unlock your bootloader. As Cloduar said, this is really more of a tool for people once they've already unlocked and rooted their phone. In the meantime, you can always make a backup of your phone with ADB, unlock the bootloader (thus wiping it), then restore from the backup and then root it. I can't promise everything will go perfectly, but it's an option.

  • Mansgame

    Meh. I want a phone that works, can be updated when the new OS comes out, and doesn't have the crapware the phone companies add. I know a lot of kids these days love adding custom ROMS but who do I trust more to not give me malware? Google's developers or some kid in a Russian basement somewhere who came out with his own OS?

  • Last google device for me

Trickster Mod allows you to do the same. Under Settings > Tools it has an option for "Boot Loader Lock State" and it is on or off (locked/unlocked), also without doing anything more than downloading the app to your rooted device. I use the app to tweak my Franco kernel as well, and to keep the settings each time I reboot. I have the Pro (paid) version, but there is a great free version as well...
    HAPPY NEW YEAR 2014, ANDROID ENTHUSIASTS!
    callahanrobertt@gmail.com
