In addition to things like stock Android and being carrier-unlocked, one of the big features of Nexus and Google Play Edition devices that Android power users love is an easily unlockable bootloader. While OEMs and carriers often make a policy of locking their devices' bootloaders to prevent installation of unauthorized software, Google makes it very easy for us to tinker with devices bearing its brand. All you really need to unlock a Google device is a tool called "fastboot," which is made available through the Android SDK. Just install the drivers for your device, which are generally available as part of the SDK, then run a quick command via the command line on your computer and you're done! Unfortunately, when it comes to Google Play Edition devices, unlocking is often times only the first step.

Background

The reason bootloader unlocking is such a hot-button issue is that it allows you a dangerous level of control over your device. When unlocked, your device becomes a blank canvas. You can install a new recovery, a new kernel, an entirely new operating system, change your partition mappings, get root access to the stock firmware, among countless other things. While this all sounds great, and is great for a lot of people, the sobering reality is that you can also do some real, and possibly irreversible, damage to your device in the process. It's for this reason that OEMs who allow unlockable bootloaders, with the notable exception of Motorola, almost universally make you agree to voiding your device's warranty before proceeding with the unlock.

The current process for unlocking Google devices began with the Nexus One and has never changed. When the Google Play Edition program launched back in June, Google announced that GPE devices would also feature unlockable bootloaders like their Nexus counterparts. What we had to find out the hard way was that while, yes, they are unlockable, there are certain security measures that are still in place, and these can be a pain point for users who like to take matters into their own hands. So far, the only GPE device that hasn't had any major red flags raised about the bootloader is the LG G Pad 8.3.

What The Problems Are

These problems aren't major and can generally be worked around without a whole lot of effort. You'll just want to make sure you tread carefully.

Sony Z Ultra GPE

The Z Ultra is the only one of the GPE devices that cannot be unlocked with a simple "fastboot oem unlock" from a command line. That's because Sony requires you to get an unlock code first. This is done, presumably, for warranty purposes so that there's a database of devices known to have been unlocked at some point in the past. The unlock instructions can be found here and have been verified to work with the Z Ultra GPE.

As with other Sony Xperia devices, unlocking your bootloader also wipes a device-specific partition called "TA." It contains configuration files and DRM keys, and cannot be restored from another device. The big hang-up here is the DRM keys, but thankfully for GPE owners, those keys are only used with Sony apps. Those apps are not included on the Z Ultra GPE, and are not available (at least for now) on the Play Store, therefore you have no use for them in the first place.

We should also mention that the Z Ultra GPE's bootloader cannot be re-locked using the normal "fastboot oem lock" method. As of the time of this writing, there is no known method for locking it again. Folks are working on a similar solution to that used for retail Xperia devices, which involves modifications to a device's TA partition, but it's currently unclear whether this will work with the GPE variant.

HTC One GPE

The HTC One GPE has two levels of bootloader security.

  1. The lock/unlock state, which is changeable using the "fastboot oem unlock" command.
  2. A "security state," referred to by HTC as the "S" flag. Out of the box, the flag is set to S-ON.

How the "S" flag affects you depends on your bootloader's lock state.

  • Locked and S-ON: Permanent root, custom recovery and custom ROM installation is not possible due to a strictly enforced NAND lock that prohibits making changes to the system and recovery partitions. In addition, this state also enforces signature checks on the recovery and kernel. If an unauthorized recovery or kernel is detected, the device will not boot.
  • Unlocked and S-ON: This occurs when you unlock with fastboot. The NAND lock and signature checks are not enforced. You can flash custom recoveries, ROMs, kernels, and the like with very little restriction. The biggest problem with the unlocked/S-ON combination is that you cannot manually flash bootloaders or modems. By extension, you also cannot flash OTA updates manually. The only way to apply OTA updates on the stock firmware is to actually wait for the update notification to appear on your phone and do it "the right way."
  • Unlocked and S-OFF: This combination is not possible using official methods, but is arguably the most desirable. The only way to get S-OFF on any HTC device, including the One GPE, is to use 3rd party hacks. That said, if you can get S-OFF, you essentially have Nexus-like freedom to do whatever you want to your device, including manual flashing of bootloaders, radios, and OTAs.

Samsung Galaxy S4 GPE

While the Galaxy S4 GPE's bootloader can be unlocked via the "fastboot oem unlock" command like you'd expect, you can't do much with fastboot beyond that. Doing anything useful with an unlocked bootloader requires Odin, an OEM tool that is extremely powerful and, by extension, extremely dangerous. The only thing you can really do with fastboot is boot a recovery from memory using "fastboot boot recovery.img." If you boot a custom recovery this way, the touchscreen won't work. This isn't so much of an issue with ClockworkMod since you can navigate with volume keys. TWRP is rendered basically useless, though. If you want to permanently flash a custom recovery (so the touchscreen will work), root your device or install a custom ROM; it all has to be done with Odin on this device. Just be careful because I promise you that your phone will attempt to walk straight into Mordor if you start checking off boxes with functions you're unclear about.

Also worth noting is that download mode (Odin mode) keeps a flash counter and an "official/custom" state on the GPE model just as it does on retail variants. These can be reset using Triangle Away, which is a root app available on the Play Store.

Closing

Because Google Play Edition devices are managed by OEMs, they are essentially identical to their retail counterparts with the exception of an unlockable bootloader and a stock Android ROM. Unfortunately, that means that some anomalies from the retail variants have made it over to the GPE variants as well. Thankfully for us, we have many smart, dedicated people in the Android enthusiast community who have contributed countless amounts of time and energy into finding solutions and workarounds to these obstacles.

Thanks, Sean, Bin4ry, SamuriHL, CraigP17, and monkeypaws!