18 Dec

In addition to things like stock Android and being carrier-unlocked, one of the big features of Nexus and Google Play Edition devices that Android power users love is an easily unlockable bootloader. While OEMs and carriers often make a policy of locking their devices' bootloaders to prevent installation of unauthorized software, Google makes it very easy for us to tinker with devices bearing its brand. All you really need to unlock a Google device is a tool called "fastboot," which is made available through the Android SDK. Just install the drivers for your device, which are generally available as part of the SDK, then run a quick command via the command line on your computer and you're done! Unfortunately, when it comes to Google Play Edition devices, unlocking is often only the first step.

Background

The reason bootloader unlocking is such a hot-button issue is that it allows you a dangerous level of control over your device. When unlocked, your device becomes a blank canvas. You can install a new recovery, a new kernel, an entirely new operating system, change your partition mappings, get root access to the stock firmware, among countless other things. While this all sounds great, and is great for a lot of people, the sobering reality is that you can also do some real, and possibly irreversible, damage to your device in the process. It's for this reason that OEMs who allow unlockable bootloaders, with the notable exception of Motorola, almost universally make you agree to voiding your device's warranty before proceeding with the unlock.

The current process for unlocking Google devices began with the Nexus One and has never changed. When the Google Play Edition program launched back in June, Google announced that GPE devices would also feature unlockable bootloaders like their Nexus counterparts. What we had to find out the hard way was that while, yes, they are unlockable, there are certain security measures that are still in place, and these can be a pain point for users who like to take matters into their own hands. So far, the only GPE device that hasn't had any major red flags raised about the bootloader is the LG G Pad 8.3.

What The Problems Are

These problems aren't major and can generally be worked around without a whole lot of effort. You'll just want to make sure you tread carefully.

Sony Z Ultra GPE

The Z Ultra is the only one of the GPE devices that cannot be unlocked with a simple "fastboot oem unlock" from a command line. That's because Sony requires you to get an unlock code first. This is done, presumably, for warranty purposes so that there's a database of devices known to have been unlocked at some point in the past. The unlock instructions can be found here and have been verified to work with the Z Ultra GPE.


As with other Sony Xperia devices, unlocking your bootloader also wipes a device-specific partition called "TA." It contains configuration files and DRM keys, and cannot be restored from another device. The big hang-up here is the DRM keys, but thankfully for GPE owners, those keys are only used with Sony apps. Those apps are not included on the Z Ultra GPE, and are not available (at least for now) on the Play Store, therefore you have no use for them in the first place.

We should also mention that the Z Ultra GPE's bootloader cannot be re-locked using the normal "fastboot oem lock" method. As of the time of this writing, there is no known method for locking it again. Folks are working on a solution similar to the one used for retail Xperia devices, which involves modifications to a device's TA partition, but it's currently unclear whether this will work with the GPE variant.

HTC One GPE

The HTC One GPE has two levels of bootloader security.

  1. The lock/unlock state, which is changeable using the "fastboot oem unlock" command.
  2. A "security state," referred to by HTC as the "S" flag. Out of the box, the flag is set to S-ON.


How the "S" flag affects you depends on your bootloader's lock state.

  • Locked and S-ON: Permanent root, custom recovery and custom ROM installation are not possible due to a strictly enforced NAND lock that prohibits making changes to the system and recovery partitions. In addition, this state also enforces signature checks on the recovery and kernel. If an unauthorized recovery or kernel is detected, the device will not boot.
  • Unlocked and S-ON: This occurs when you unlock with fastboot. The NAND lock and signature checks are not enforced. You can flash custom recoveries, ROMs, kernels, and the like with very little restriction. The biggest problem with the unlocked/S-ON combination is that you cannot manually flash bootloaders or modems. By extension, you also cannot flash OTA updates manually. The only way to apply OTA updates on the stock firmware is to actually wait for the update notification to appear on your phone and do it "the right way."
  • Unlocked and S-OFF: This combination is not possible using official methods, but is arguably the most desirable. The only way to get S-OFF on any HTC device, including the One GPE, is to use 3rd party hacks. That said, if you can get S-OFF, you essentially have Nexus-like freedom to do whatever you want to your device, including manual flashing of bootloaders, radios, and OTAs.
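To make the three states above concrete, here is a small Python model of the enforcement rules as the article describes them. It is an added example, not HTC's hboot code or anything from the article: the partition names (system, recovery, boot, hboot, radio) are illustrative, treating S-OFF as disabling every check regardless of lock state is an assumption, and check_manual_ota models flashing an OTA bundle by hand, not the on-device updater that the article says still works.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Lock(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"


class SFlag(Enum):
    S_ON = "S-ON"
    S_OFF = "S-OFF"


@dataclass(frozen=True)
class Device:
    lock: Lock
    s_flag: SFlag


@dataclass(frozen=True)
class Image:
    partition: str  # illustrative names: system, recovery, boot, hboot, radio
    signed: bool    # whether the image carries a signature the bootloader accepts


# Partition groups taken from the article's description of each state.
NAND_LOCKED = {"system", "recovery"}      # write-protected when Locked + S-ON
SIGNATURE_CHECKED = {"boot", "recovery"}  # must be signed to boot when Locked + S-ON
S_ON_RESTRICTED = {"hboot", "radio"}      # never flashable manually while S-ON


def check_flash(device: Device, image: Image) -> tuple[bool, str]:
    """Decide whether `image` may be written to `device`; returns (allowed, reason).

    Assumption: S-OFF is modelled as disabling every check regardless of the
    lock state, which is how the article and its comments describe it.
    """
    if device.s_flag is SFlag.S_OFF:
        return True, "S-OFF: no restrictions"
    if image.partition in S_ON_RESTRICTED:
        return False, f"S-ON: {image.partition} cannot be flashed manually"
    if device.lock is Lock.LOCKED and image.partition in NAND_LOCKED:
        return False, f"NAND lock: {image.partition} is write-protected"
    return True, "allowed"


def will_boot(device: Device, installed: dict[str, Image]) -> bool:
    """Boot-time signature check: only Locked + S-ON refuses unsigned images."""
    if device.lock is Lock.LOCKED and device.s_flag is SFlag.S_ON:
        return all(img.signed for name, img in installed.items()
                   if name in SIGNATURE_CHECKED)
    return True


def check_manual_ota(device: Device, ota: list[Image]) -> list[str]:
    """Flashing an OTA bundle by hand: list every component the policy rejects.

    A stock OTA also carries hboot and radio images, which is why the article
    says an Unlocked + S-ON device cannot flash OTAs manually.
    """
    rejected = []
    for img in ota:
        allowed, reason = check_flash(device, img)
        if not allowed:
            rejected.append(f"{img.partition}: {reason}")
    return rejected


if __name__ == "__main__":
    # Constructed sample OTA bundle: signed stock images for every partition.
    ota = [Image(p, signed=True)
           for p in ("system", "boot", "recovery", "hboot", "radio")]
    for dev in (Device(Lock.LOCKED, SFlag.S_ON),
                Device(Lock.UNLOCKED, SFlag.S_ON),
                Device(Lock.UNLOCKED, SFlag.S_OFF)):
        verdict = check_manual_ota(dev, ota) or ["OTA bundle accepted"]
        print(f"{dev.lock.value} / {dev.s_flag.value}: {'; '.join(verdict)}")
```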

Samsung Galaxy S4 GPE

While the Galaxy S4 GPE's bootloader can be unlocked via the "fastboot oem unlock" command like you'd expect, you can't do much with fastboot beyond that. Doing anything useful with an unlocked bootloader requires Odin, an OEM tool that is extremely powerful and, by extension, extremely dangerous. The only thing you can really do with fastboot is boot a recovery from memory using "fastboot boot recovery.img." If you boot a custom recovery this way, the touchscreen won't work. This isn't so much of an issue with ClockworkMod, since you can navigate with the volume keys; TWRP is rendered basically useless, though. Permanently flashing a custom recovery (so the touchscreen will work), rooting your device, or installing a custom ROM all have to be done with Odin on this device. Just be careful, because I promise you that your phone will attempt to walk straight into Mordor if you start checking off boxes with functions you're unclear about.


Also worth noting is that download mode (Odin mode) keeps a flash counter and an "official/custom" state on the GPE model just as it does on retail variants. These can be reset using Triangle Away, which is a root app available on the Play Store.

Closing

Because Google Play Edition devices are managed by OEMs, they are essentially identical to their retail counterparts with the exception of an unlockable bootloader and a stock Android ROM. Unfortunately, that means that some anomalies from the retail variants have made it over to the GPE variants as well. Thankfully for us, we have many smart, dedicated people in the Android enthusiast community who have contributed countless hours of time and energy to finding solutions and workarounds to these obstacles.

Thanks, Sean, Bin4ry, SamuriHL, CraigP17, and monkeypaws!

Shawn De Cesari
Shawn is a web developer by day and XDA's resident archivist for Nexus and Google Play Edition device OTA updates by night. When not immersing himself in code or Android, he can be found hunting down antique signs, taking road trips, listening to music, or playing video games. His phone of choice is a Samsung Galaxy Note 4.
  • cbstryker

    "your device becomes a blank canvas. You can install a new recovery, a new kernel, an entirely new operating system, change your partition mappings, get root access to the stock firmware, among countless other things."

    Sounds a lot like the computers we've been using for over 30 years. Hasn't been that big of a problem yet.

    • http://www.androidpolice.com/ Shawn De Cesari

      I don't disagree.

    • duse

      Yeah, it's really sad that you have to jump through hoops and void your warranty to simply run something as an administrator, something every version of every desktop operating system ever has let you do out of the box. Also, why should messing with partitions and installing different OSes be able to cause irreversible damage? You can wipe every last bit off your PC's permanent storage and still start fresh just fine.

      Maybe if Android was so miraculously perfect that it didn't require tinkering I wouldn't care so much, but until that time, it's Nexus or nothing.

      • USSENTERNCC1701E

        Android radio/bootloader act like a PC BIOS, wipe that and see what happens... don't really

        • duse

          True but I didn't mention the bootloader or radio, I just said partitions and the OS. There should be nothing wrong with flashing recoveries, different versions of the OS, the su binary, etc.

          • USSENTERNCC1701E

            The fastboot commands don't differentiate, that's why I mention it. On a PC it's not just as easy to wipe bios as it is to format a hard drive; on android it is.

          • duse

            Fair point...the reality of it being a CE device. Still as cbstryker said, that kind of access hasn't been an issue in the PC space, it shouldn't be an issue for these either. It's just about history and precedent.

          • The Motto

            The OSes you're referring to have also had HUGE safety problems over the time.. you are right though and one of the reasons I've been buying Nexus phones is the ability to always "revert to box fresh" software when you fuck something up..

    • http://www.toysdiva.com Toys Samurai

      Agree 99%, with the remaining 1% -- one can actually cause a big problem on a computer. Example, flashing a BIOS. True, there are motherboards that have dual BIOS, and they exist just for this exact problem. But the locked bootloader is a serious problem, especially when the so-called solution is for people to buy a > $600 developer edition. If we want young people to be creative, to experiment with their mobile equipment, to be engaged in computer programming, we need to fix that.

      • cbstryker

        In all honesty though, how many people do you know that ever had a problem flashing their BIOS? I do not know of a single person and I have heard of fewer issues with flashing a BIOS than with someone buying a defective motherboard.

        • blumpkinator

          I remember back in the early 2000s it was cool to edit your BIOS and replace the Energy Star logo with something cooler (like a Quake 3 logo). That was before dual BIOS motherboards and I don't recall there being many posts about "Halp I fried my bios!"

    • Cody Curry

      To be fair, and I'm saying this as someone working in IT, we need to train anyone who wants to do this stuff how to do it properly and why. Anything else and it will be an issue. I doubt many phones will be permanently broken. It's almost impossible to make it irreversible. That being said, there'll be a lot of bad flashes by idiots who go crying on forums or to the carrier that they broke their phone.

      • cbstryker

        I work in IT also. However, the majority of people are concerned with customizing their devices to that extent. The rest of the users who want to would then have an easy and straightforward way of doing so. I would hazard a guess that the majority of people that damage or brick their devices from trying to modify it do so because they are trying to circumvent these ridiculous security features and run into problems. If those didn't exist then they wouldn't be doing things that could kill their devices.

        When was the last time you heard of someone bricking their Nexus device when trying to flash something?

  • usaff22

    Glad that the Nexus 5 has none of these issues :)

    • anon

      that's the entire purpose of the nexus line.

  • senor_heisenberg

    Thanks for the info. I'll just make sure I never get anything other than a Nexus (or maybe a Motorola) device.

    • wideopn11

      A Motorola nexus!

      • http://www.androidpolice.com/ Shawn De Cesari

        Motorola has released two Nexus devices in the past...if by Nexus you mean devices that were used by Google to develop a version of Android, got updates direct from Google (albeit with carrier certification), had an unlockable/unlocked bootloader, and was the launch device for a version of Android, showcased in stock form.

        Motorola DROID (Android 2.0/Eclair)
        Motorola Xoom (Android 3.0/Honeycomb)

        • BetterWithRoot

          I always referred to them not as Nexii, but Google Experience Devices.

          • http://www.androidpolice.com/ Shawn De Cesari

            Fair. The DROID pre-dates the Nexus program and I'm not sure why the Xoom wasn't branded a Nexus, but I think we can agree that the T-Mobile G1, original MyTouch 3G, DROID, and Xoom were Nexii in everything but their name.

          • BetterWithRoot

            Yeah, totally agree.

          • thartist

            Well, but they were not strictly Nexus, so there lie our chances of getting some proper ones eventually.

          • hp420

            I feel like they aren't even quite GPE devices, but rather just official AOSP exactly the same as a handful of Sony's devices have been in the past.

            http://developer.sonymobile.com/knowledge-base/open-source/android-open-source-project-for-xperia-devices/

    • godutch

      All HTC Qualcomm devices have been S-OFFed in the past. I know it's not a guarantee it will happen in the future, but until now it has been pretty good.

  • Daniel Smith

    Actually, on Nexus Devices you still have Security On (S-ON basically) and you don't have full NAND access even when you unlock the bootloader. You can only flash signed bootloaders, radios etc.

    S-OFF allows full read/write of any part of the NAND and disables all security checks.

    • http://www.androidpolice.com/ Shawn De Cesari

      Thanks for clarifying.

    • tekdbfoe

      On Nexus devices, you can flash OTAs via a custom recovery (and that may change recovery and bootloader). On HTC devices with S-ON and unlocked bootloader, you cannot. So it's not the same.

    • dude

      Nope, I disagree, I flashed a hybrid modem to the Nexus 4 to get LTE.
      As for a custom bootloader, I haven't come across one for a Nexus device. But I easily created my own custom recovery package that can flash bootloaders without problems.

  • frankusb

    Would Heimdall work on the Galaxy S4?

    • http://www.androidpolice.com/ Shawn De Cesari

      Heimdall does work on the GS4 as an alternative to Odin, but I'm not sure whether or not it works with the Galaxy S4 GPE since its partition mappings are completely different than the retail variants.

      • Daniel Smith

        Believe it or not, the Nexus 10 actually has a Download/ODIN mode, but it's extremely buggy, and due to fastboot existing it's never used.

        So I wouldn't be surprised if the Galaxy S4 GPE has some sort of download mode.

        • http://www.androidpolice.com/ Shawn De Cesari

          The GS4 GPE does have download mode in addition to fastboot mode. Fastboot mode is severely gimped, so download mode is the only way to do anything useful.

        • Shi Qiu

          The Galaxy Nexus has a Download/ODIN mode too, but at least its Fastboot mode is fully working, so Download mode is used rarely.

        • tekdbfoe

          Just for the record, the ODIN mode on Nexus 10/ Galaxy Nexus/Nexus S is used basically when you ruined the stuff and adb/fastboot is broken. At that point, sometimes you can revive it via ODIN with "USB Jigs" or other hardware cheats or tricks.

          • http://www.androidpolice.com/ Shawn De Cesari

            Exactly. It's there as an absolute last resort.

      • Greg Neal

        Is it possible to change the partition mappings?

    • Mike Reid

      Those of us who hate Windows and run Linux exclusively really appreciate Heimdall for the low level stuff.

      Mobile Odin can also be useful for avoiding Windows.

  • Ricardo Moura Rocha

    Why doesn't the LG G Pad 8.3 get a mention??

    • http://www.androidpolice.com/ Shawn De Cesari

      Because LG did the bootloader correctly and there aren't any real issues worth mentioning. I said as much in the article.

      • Ricardo Moura Rocha

        Sorry, I guess I missed that part...

    • Mike Harris

      It did.

      So far, the only GPE device that hasn't had any major red flags raised about the bootloader is the LG G Pad 8.3.

    • http://www.androidpolice.com/ Artem Russakovskii

      I would like to actually mention that unlocking the G Pad 8.3 GPE gave me a lot of trouble and really showed the difference between GPE and Nexus.

      The issue is with flashing a custom recovery right after unlocking the bootloader, which actually affects the latest Nexus devices as well due to a change in unlock sequences under-the-hood.

      But the point is with a Nexus device, I always know Google will provide all the necessary files to flash back and recover from pretty much anything. The factory image will contain the bootloader, recovery, system, userdata, and radio - all the components I need.

      GPE devices, however, are far from guaranteed to have these files. Just look at LG's V510 page right now: it's pretty much empty: http://www.lg.com/us/support-mobile/lg-LGV510.

      I was able to unbrick my G Pad after a day thanks to a fellow XDA user. Not thanks to LG. And that is why a Nexus will always trump GPE in that sense.

      However, start getting used to GPE devices, as that's going to be the best way to get high-end hardware that gets fast updates. I just wish OEMs treated it with more respect (just look at Sony's disastrous initial release of the Z Ultra GPE).

      My G Pad issue is documented here btw: https://plus.google.com/107797272029781254158/posts/9fVGRa72iHL.

      • AOSPrevails

        Nice to know, would have liked to have this included in this article.

        • http://www.androidpolice.com/ Artem Russakovskii

          Well, since the actual unlock isn't affected, and it's actually the custom recovery's fault, it didn't deserve to be in the post. LG has done it correctly. I am considering a PSA about not flashing recovery straight after unlocking in general until recoveries support it right, or else people will continue running into issues.

      • Alberto

        Is the G Pad GPE more "high-end hardware" than a Nexus 7? I mean, higher CPU clock speed, but LPDDR2 RAM... I don't see big differences, and considering the G Pad is being released months later and at a higher price I don't think it stands out particularly well next to the Nexus. I think, now that the Nexus 5 has a decent camera, there's not much you can ask for in Nexus devices to call them premium, even if they don't include features such as microSD support, IR blaster or FM radio (which has never been a problem for the iPhone).

        • Roh_Mish

          FM radio is a must for some people (like my dad) and useless for some (me). I don't know about the U.S. or other countries, but here in my country people still widely listen to the radio while free, in transit or while working. And it is a main reason why many people buy Samsung phones over others like the iPhone even if they like/can afford it.

      • Roh_Mish

        Has the boot sequence changed in 4.4?? I unlocked and flashed CWM together on 4.3 at the time I did it and it worked.

  • Testraindrop

    Well, that's why
    Nexus >> GPE

    • http://www.androidpolice.com/ Shawn De Cesari

      I'd argue GPE > Nexus purely because you get stock Android, fast updates, and an unlockable bootloader on a device with kickass hardware. And I'm not just referring to the processor and RAM.

      • mccheeze

        Agreed. The Nexus devices are just never built with premium materials. The nexus 4 and 5 feel like a cheap toy compared to an HTC One or Sony Z.

        Samsung's products have always felt like flimsy junk to me so I'd argue Nexus 5 > Galaxy S4 GPE.

        The Nexus phones are designed to hit a low price point, and in order to have good internals they have to sacrifice the exterior housing.

        • Kid Rock

          "Nexus 4 feels like a cheap toy"... said no one ever.

          • http://www.androidpolice.com/ Artem Russakovskii

            Actually, my wife said that about the Nexus 5, but I think it was partially the penguin color scheme that threw her off. Not that the Nexus 5 has great build quality, at least the first revision.

          • Roh_Mish

            Not sure about the Nexus 5 (the design has put me off, and I like the wide portrait screen as in the N4), but the Nexus 4 is on par with my iPad and I feel like keeping the 4 and not upgrading to the 5.

          • Stacey Liu

            To add on to Artem..my dad said those exact words about my Nexus 4.

            I'm not even going to disagree. If you hold a premium device like the iPhone 5S, the Nexus 4 feels kind of shoddy.

  • PuzzledObserver

    What does PSA mean (in the title of the article)? I searched Google, I prefer not to mention the result. It's probably off-topic.

    • Alan Shearer

      public service announcement

  • Chris

    However, the most recent update for the HTC One GPE has caused errors when doing "fastboot oem unlock", leaving those converted or original to be stuck with a locked bootloader for the time being.

    • mccheeze

      not if you properly converted, as proper conversion requires s-off. Unfortunately some idiots have attempted conversion with s-on [way to read before you flash]

      If you're S-Off and have root access you can unlock again using:
      adb shell
      su
      echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796

      If you are s-off and don't have root, you just need to flash an older hboot in RUU mode and then you can fastboot oem unlock (and put your hboot back to the right version!)

      If you're S-ON and relocked you might be hosed. Worth a shot to try flashing the signed firmware.zip from 4.3 in RUU mode as the hboot version is still 1.54. If you get the older hboot in there you can use fastboot oem unlock.

  • Nick Mushat

    I am glad to see that the LG G Pad 8.3 GPE has not had any major issues. Just ordered mine but have to wait til Christmas. Looks promising, I hope some devs jump on board with it!

  • AOSPrevails

    Why is there nothing on LG Gpad 8.3? Is that one trouble free and Nexus like?

    Edit: NVM, I saw Artem's post below and the part about Gpad in the original article.

  • hp420

    First, thanks for this article! I've actually been wondering exactly how open they each are, but I just haven't had the time or energy to look into each one to find out. This is, by & large, my biggest concern when I buy a phone. This is why I buy Nexus devices every time. I don't want someone standing in the way of me doing what I want with my own property. Even if you buy a device SIM unlocked, you still have issues from the OEM to worry about because of their bootloader security.

    Some points made in the article actually sparked a theory...the fact that Sony is the only OEM that officially allows bootloader unlocking on all their devices, but they have never allowed oem bootloader unlock, including on a GPE device, is an interesting point. All the OEMs that have had Nexus devices in the past have conformed to the fastboot/terminal unlocking method, even if there is a slight variation in some way (including even a second layer of security). Is this why we have seen Xperia devices crowned as official AOSP and GPE devices, but never an Xperia Nexus still? It seems to me Sony would be the first choice to have built Google a device, since they contribute so much to the AOSP already.

  • Mason Gup

    After my recent experiences with my GPE HTC One, I have to object to your description of how it affects your device. When I got the phone, I originally unlocked, installed CWM recovery, and rooted it. Everything worked fine, until the KitKat OTA arrived.

    Every time I flashed the OTA (that the device had actually received OTA), it soft-bricked the phone. The only way to get back to a state where it would accept OTAs properly was to flash a RUU, which wipes the whole phone and restores everything to stock.

    I'm not exactly sure why this happened, but I think each OTA updates the recovery and the radio as well as the system. With the CWM recovery, the radio and recovery don't get updated and thus don't do what the OTA update expects, even if you have S-OFF and flash a stock recovery.

    So you certainly can unlock, install custom recoveries, etc, but be prepared for the OTA updates to not work at all, or only work after extensive hacking around.

    I don't know about anybody else, but I got a GPE device because I want fast, painless OTA updates to the latest Android. Rooting seems to break that, so I'm staying with stock.

    • http://www.androidpolice.com/ Shawn De Cesari

      I have experience with plenty of people who flashed the OTA without any issue. I would tend to believe yours is an isolated issue. Not sure why it's happening, though. Even if your bootloader is unlocked, OTAs should still flash fine as long as it's done via the real OTA system in the stock ROM and not attempted to flash manually in stock or custom recovery. Do you have any links anywhere of other people experiencing the problem? I'd be curious to read about it.

      • Mason Gup

        Yes, if the bootloader is unlocked, but you're using the stock recovery, it does update fine. That's exactly where I am now.

        The trouble is, the entire purpose of unlocking the bootloader is to install a custom recovery. There's pretty much nothing else you can do with it until you do that, since the stock recovery will only flash signed updates. However, it seems that once you do that, you can't go back to the stock recovery. I tried it, and it didn't work. Maybe it was the wrong version or something, but I scoured all of the boards looking for stock recoveries to try, or any other possible solution, and nothing I could find worked. If anybody has flashed the Kitkat update with a custom recovery successfully, or switched back to a stock recovery and had that work, then I'd like to read about it, since it sure didn't work for me.

        I started a thread about the problem on XDA http://forum.xda-developers.com/showthread.php?p=48491622 and got some help from one guy who seemed to know only a little more than I did about it.

        Like I said before, it's something you should be prepared for if you want to go down the rooting road. Your OTAs might not work right, you might lose data or have your phone rendered unusable for a while, and there might be nobody to help you figure it out when you need it.

  • Roh_Mish

    I used Samsung devices before Nexus 4 and I remember the boot loader was unlocked by default. Also we used to rely heavily on Odin in early days but the new phones and even newer versions of old ROMs don't require it. We just use Odin for flashing the stock Image on device (factory Images). If Odin and Boot loader Unlocking is required on the SGS4 then it is a real step backwards.

  • Ryan Morales

    Well, I just ordered the Z Ultra. Love the screen size, and the specs jumped out at me, so I'll be looking for a root method for this device, so I'll see how the unlocking process is.

    • True Radiant Free

      I got mine a few weeks ago, and I want to root it to be able to write to the SD card. Have you found a good root method?

  • Jimbo

    The most ridiculous thing of all is that the google play edition of the htc one is locked and s-on out of the box. There's no way for me to root this phone :(

  • True Radiant Free

    Has anyone found a good root method for the Sony Z Ultra GPE? I just figured I'd ask here... I'm looking into OneClickRoot, is that good?

  • TRILLIGAF

    I'm wondering if I could make a custom splash screen on the Samsung S4 if I unlock the bootloader, but I don't know how to unlock the bootloader from download mode.