Guide to bootloader and bricking [2025]

Flashing essentials

Once the bootloader is unlocked, it is possible to modify the partitions that were previously untouchable, such as recovery or system.
Those partitions can be replaced with another, user-provided *.img file in a process called flashing. It’s done through fastboot.

You can flash partitions one by one (e.g. fastboot flash system system.img) or follow a script, which is a pre-written list of commands. Depending on your computer’s operating system, the script’s name will end in .sh, .bat, or .command.
Essentially, it’s going to flash, or replace, each partition in the phone with the image you downloaded (for instance, stock Android from Fairphone).

At the end, the command line interface returns OKAY and the phone can reboot into the newly installed system.

You may get a warning on boot saying that the bootloader is unlocked and that this constitutes a security flaw. That is why you may want to re-lock the bootloader after flashing, which can carry risks of bricking (see next section).

Locking the bootloader safely

Locking the bootloader implies that the system images installed on the device must correspond to the manufacturer’s: only stock Android provided by Fairphone (found here), and the “official” /e/OS provided by e-foundation, are “legit” and can be locked as-is.

If OEM unlocking is still active, then fastboot flashing get_unlock_ability should return 1 and the bootloader can be locked.

You need to know about rollback protection. Android does not allow locking a bootloader when the system has a lower security level than it had before.

SPL aside

Every day new vulnerabilities are discovered in Android, and Google finds fixes for the most important of them. Those fixes are bundled into a monthly Android Security Bulletin. At the beginning of each month, Google releases a security patch that addresses these issues. Each and every phone manufacturer is bound to include these fixes in their subsequent updates, but it can take weeks or months. The Security Patch Level only identifies the most recent threats that the device can handle.

In practice, you need to check the Security Patch Level (SPL) of the image you’re flashing, which is a date (e.g. 5 June 2025), and compare it to the latest one the phone has had installed (which is not necessarily that of the most recent system; it takes into account all systems that were active before).
It does not take into account the version of Android or the release date of the system.
You can only lock if the SPL you’re flashing is the same or newer.
To be safe, consider waiting for a brand new SPL version before trying to flash and lock; then you can’t go wrong.

Check the Manage the bootloader support page.
In the support page, you’re invited to lock_critical and then lock.

You should reboot to bootloader again between the two, before you let the system load to “userspace”.

Again, at each step before locking, make sure that fastboot flashing get_unlock_ability returns 1.

If fastboot flashing get_unlock_ability returns 0, you need to activate OEM unlocking again by going into the OS and activating it through developer options.
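
The pre-lock check described in this section, as an added example (not part of the original guide or of Fairphone's tooling): a shell helper that takes the SPL of the image to flash, the value returned by fastboot flashing get_unlock_ability, and the SPLs of every system the phone has had installed, then reports whether locking follows the rule above. The function names, the verdict strings, the YYYY-MM-DD date form and all sample dates are assumptions made for the example.

```shell
#!/bin/sh
# Added example. All dates below are constructed sample values.

# Turn an SPL written as YYYY-MM-DD into the integer YYYYMMDD; fail otherwise.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | sed 's/-//g'
}

# Print the newest SPL among all systems the phone has had installed.
# This is the floor for rollback protection, not the SPL of the last system.
highest_spl() {
    best=""
    best_n=0
    for spl in "$@"; do
        n=$(spl_to_int "$spl") || return 1
        if [ "$n" -gt "$best_n" ]; then
            best_n=$n
            best=$spl
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# lock_verdict IMAGE_SPL UNLOCK_ABILITY INSTALLED_SPL...
# Prints one of: ok, enable-oem-unlocking, rollback-risk, bad-input
lock_verdict() {
    image_spl=$1
    ability=$2
    shift 2
    image_n=$(spl_to_int "$image_spl") || { echo bad-input; return 2; }
    floor=$(highest_spl "$@") || { echo bad-input; return 2; }
    floor_n=$(spl_to_int "$floor")
    # get_unlock_ability must be 1 at each step before locking.
    if [ "$ability" != "1" ]; then echo enable-oem-unlocking; return 1; fi
    # Only the same or a newer SPL may be locked.
    if [ "$image_n" -lt "$floor_n" ]; then echo rollback-risk; return 1; fi
    echo ok
}

# Constructed history: the phone once ran a 2025-06-05 build, then older ones.
lock_verdict 2025-05-05 1 2025-03-05 2025-06-05 2025-04-05 || true  # rollback-risk
```
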

AVB custom keys

This section is a stub…

For some security and privacy-oriented ROMs, leaving the bootloader unlocked is an unacceptable security risk.
But only stock Android provided by Fairphone, and /e/OS provided by e-foundation, are “legit” and can be locked as-is.

So, for CalyxOS, DivestOS, and others, another solution is provided in the form of AVB custom keys, to tell the bootloader that those keys are legit too and that it can lock the bootloader on their ROM.

TBC
