Advice about bootloader unlock, root

Hi everyone,
I got a FP4 :raised_hands:

I’d like to be able to back it up with Titanium or Helium backup, which need root, and TWRP for full partitions, which needs a bootloader unlock. However, I don’t want to leave it rooted or leave the bootloader unlocked. What’s the best way to go about setting up the phone to do this?

If I relock the bootloader, does this delete all user data?

Is it okay to relock the bootloader with TWRP installed or will it bootloop?

Even if this is okay, when I unlock the bootloader again then it will delete all user data won’t it?

And for rooting, I can follow the steps for using Magisk, but is it possible to leave it disabled most of the time (i.e. to allow banking and other similar apps to work)?

Magisk also means OS updates need to be done manually doesn’t it? So would I need to leave the bootloader unlocked?

Basically, I don’t want to start using my phone immediately without doing what I can to set up these things so I can use them in future, because I know that to set it all up in future will require a factory reset for which I’d actually want to have Titanium/Helium backup in the first place!

Thanks for your patience with my probably dumb questions!
Cheers :slight_smile:

Dont have an tipps here, just a few general comments/answers

Yes

TWRP is not officially supported (yet), maybe check here

Yes it will

For OTA updates with Magisk installed see here

Reg locking the bootloader

4 Likes

Hi @yvmuell,

Thank you for the helpful answers. I think this means I’m not going to bother with bootloader unlocking or rooting. I’m too busy to mess around with the boot image and manually install the OTA update every time I want to update the phone’s OS.

I might do in future though!

Cheers :slight_smile:

OTA updates aren’t that painful…

…takes like 30 extra seconds.

1 Like

Sure, I personaly use root time to time, when I need it I reboot to bootloader and :
fastboot boot patched-boot-image.img

Rest of the time my FP4 is not rooted, and banking apps are working without complaining
For this to work, bootloader was unlocked. And unlocking it wipes all userdata.

4 Likes

Hi @hirnsushi,
Thanks, that looks straightforward. So does step 1 restore the original unpatched boot.img? In step 2 does the OTA update install automatically or do I need to capture the download link via debugging then download it manually and sideload it? And step 3 creates a new patched boot.img?

Hi @oli.sax, that’s a good tip, thanks.

I found time to do a bit more reading (but not a lot) and found that the FP3 had EDL available at any time, which effectively means a locked bootloader is useless doesn’t it? Is EDL available at any time on the FP4 as well? I couldn’t find conclusive evidence on this, but it seems to be. If EDL can be activated any time then there seems to be no added security advantage keeping the bootloader locked, have I understood that correctly? If I have the bootloader unlocked then my personal data is still encrypted isn’t it (although can be downloaded and cracked).

Cheers :slight_smile:

Yes it does (if you installed Magisk through the Magisk app and there is actually a backup)

You’ll likely have to push “Install” in the OTA updater, other than that, no special process needed

Step 3 patches the other slot (you are currently not using) directly, which is the slot you will be booted into after an OTA update. And to make the next OTA update painless as well, Magisk is creating a backup of that boot partition to restore later.

EDL is available, but that’s completely useless without an EDL loader / firehose file, we searched long and hard for one.
As long as no EDL loader leaks (which might happen at some point), a locked bootloader has the security advantage. But the downside is, compared to the FP3, you can no longer revive a bricked phone without sending it to Fairphone (Cordon).

Your data is still encrypted, but a thief can just wipe your phone and resell it, if they aren’t after your data.

2 Likes

Titanium is not updated since years. Give Neo Backup (former OAndBackupX → initially a OAndBackup fork) a try. I really like it and can recommend it. I moved my stuff from A10 to A11 (LOS) and now to A12 (CalyxOS) with it successfully.

→ start reading the FAQ FAQ first :wink: e.g. What is the difference to the famous Titanium Backup?

1 Like

Which is the same in case the bootloader is locked, isn’t it?

2 Likes

It depends, @CransNeighbour did a great writeup here:

But that only applies to stock FPOS, because Factory Reset Protection is tied to a Google account.

CalyxOS for example disables OEM unlocking after the first successful boot automatically, according to one of the devs

Also when CalyxOS is locked we automatically set OEM unlocking to off aka unlock ability to 0

But it only happens after a successful boot and thus is safe

…but I have no idea what’s the benefit of disabling OEM unlocking in a custom ROM :man_shrugging:
(Other than making disaster recovery harder)

Either way, since IMEIs can be blocklisted, a stolen phone is probably not that useful to a thief anyway.
The data on it is probably more valuable and that is encrypted.
Locked or unlocked bootloader gets more interesting if you deal with adversaries that want to modify your device, for example to spy on you. But most people probably don’t live under a threat level where that becomes relevant.

5 Likes

Yes, a locked bootloader (without OEM lock) itself does not make the phone unusable for a thief. The linked article gives good details of cases it does.

Hi everyone,
Thank you for the useful advice and extra technical explanations.

Tell me about what these adversaries might do…! :wink:

I presume that with an unlocked bootloader, under FPOS, with factory reset protection, they could flash a new recovery, reflash the phone? Obviously if they’re really sophisticated they can easily bypass factory reset protection and the data encryption, but let’s assume they’re not nation state level of cleverness, what could they do?

…okay now I’ve read Is there any benefit to disabling the option “OEM unlocking” again? - #6 by CransNeighbour. How is the last bullet possible with an unlocked bootloader? Does it allow the attacker to flash a custom boot image which then has elevated permissions to steal all my credentials and data? I.e. the attacker gets root access?

So the counter to this attack would be, every time the phone has left my hands, to reflash with a known, trusted recovery, boot and system image before unlocking it again?

Cheers :slight_smile:

With an unlocked bootloader you (or anyone else) can basically just flash most of the partitions without any security measures coming into effect. If the critical partitions are unlocked, you can flash those too.
The possibilities are endless at this point, you might not be able to decrypt userdata outright, but, as mentioned in the other thread, since you can just put your malicious code on one of the system partitions, all you have to do is wait for the owner to decrypt it for you.

You aren’t completely safe from a similar attack on a locked bootloader either, stock FPOS still ships with Google Test keys (I just checked), as mentioned here.
But since there isn’t an EDL loader (publicly) available, that’s not that big of an issue (for now).

If your phone gets taken away from you against your will and somebody might have connected it to a USB cable and maybe modified it, you might want to wipe it and completely reflash it from factory images.

I’ve personally had my phone seized by police before and given back at a later time, I’ve obviously wiped it afterwards, but I can still sleep great at night with my bootloader unlocked now :man_shrugging:
It all depends on your threat level, if you are some kind of activist or live under an oppressive regime, you might not have the luxury to feel that way.

4 Likes

Hi @hirnsushi,
Thanks for the detail, very helpful. Do we know which partitions the FP4 has unlocked when the bootloader gets unlocked? Is it necessary to unlock the critical ones to install TWRP and Magisk?
Cheers :slight_smile:

Edit: answering my own questions: I think TWRP can be installed without unlocking critical partitions. Not sure about Magisk.

In any case, nothing’s stopping someone who gets the phone after I’ve done fastboot flash unlock then unlocking the critical partitions, is there?

Most of them, minus the critical partitions listed here.

Magisk gets installed to the boot partition, that’s not a critical partition. I wouldn’t install TWRP by the way, better just fastboot boot it when needed, it’s really not all that useful anymore.

Well, unlocking critical partitions will wipe userdata, so if they (whoever they are) need access to critical partitions to get to you, you would be “safe”. But since there are enough interesting partitions left, it really doesn’t make that big of a difference.

2 Likes

Hi @hirnsushi,

This is excellent, thanks for your help. I also wonder if just fastboot flash unlock wipes user data, but I’ll find that out when I do it :slight_smile:

Interesting on TWRP, why do you say it’s not that useful anymore. Do you mean because of A/B partitions, because of encrypted user data, or some other reason?

Cheers :slight_smile:

Locking and unlocking the bootloader will wipe userdata as well, yes.

Mostly because TWRP (so far) has no access to encrypted userdata, so it’s not really that useful for backups. All the custom ROMs ship their own recovery, which takes care of your basics like sideloading and wiping data.
You can do “interesting” things with TWRP and adb. But in the unlikely case you have to, you can just fastboot boot TWRP, instead of installing it and causing yourself another hurdle for OTA updates.

2 Likes