Hi,
I have flashed my FP4 with AXP.OS and I want to lock my bootloader for complete security, however, FP4’s behavior makes me very concerned that I won’ be able to unlock the bootloader again.
Normally, it is not even possible to lock it after booting a custom ROM. Fastboot get_unlock_ability returns 0 making locking strictly unrecommended. After experimentation, I now know that after flashing stock FairphoneOS, but before booting it, get_unlock_ability gives a 1. It is still 1 after flashing a custom ROM after that. But booting the system makes it 0.
So, my concern is that I will lock myself out of unlocking the botloader after locking it while get_unlock_ability is 1, since after loading it will switch to 0.
Is it possible to lock the bootloader in a way to unlock it again after using the custom ROM? This switch from 1 to 0 is confusing and very concerning. It would be good for future Fairphonws to not have that.
If you have a bootable system you can always enable OEM unlocking in the Developer Options again, that’s essentially the UI representation of get_unlock_ability.
The switch is greyed out if the bootloader is already unlocked, there are ways to trick the system into thinking it has a locked bootloader which lets you toggle it again, but a reinstall is the quicker path.
I flick that switch immediatelly after installing & locking an OS so I can reflash the system in case it becomes unbootable at some point. Depends on your threat model if you want to do that, I’m usually the biggest threat to my devices so I keep it enabled.
As you already noticed, most ROMs will switch OEM unlocking off on the first boot after installation.
In order to keep yourself safe from bricks you should always lock the bootloader before that. If the installer doesn’t check for that or you’re installing manually, always check fastboot flashing get_unlock_ability right before locking it.
Thanks for the reply! Did I understand correctly, that in case I lock my bootloader, after loading a custom ROM and enabling OEM unlock get_inlock_ability will return 1?
My problem is that without locking the bootloader but loading ROM, get_inlock_ability always returns 0 even if OEM unlock is on… It goes to 1 only after reflashing FairphoneOS. So my fear is that even after locking it and booting the custom ROM get_inlock_ability will still give 0 - and this time I won’t be able to reflash FairphoneOS
No, most ROMs will reset get_unlock_ability to 0 on first boot, that happens regardless of bootloader lock status.
You have to enable OEM unlocking in the settings again to get that value back to 1.
Yes, sorry, had to reread your sentence again, that’s correct 
Your first boot will still reset get_unlock_ability to 0 but once you enable OEM unlocking again it will stay that way (until you install another system and the cycle repeats).
When you install a new system, get_unlock_ability will get set to 1 as a result of the flashing process, that’s not specific to FPOS.
I’m not familiar with the ROM you’re trying to install, but unless they don’t flash that specific partition for some reason (I doubt it), fastboot flashing get_unlock_ability should return 1 after installation and 0 after the first boot.