Unlocking bootloader online vs offline

Dear Fairphoners,
I was considering fp4 as my next purchase, however I have doubt about unlocking bootloader.
As I have read - currently for FP4 there is online service which every time generates new unlock code.
Please explain me why did you chosen this way of unlocking FP4 instead of offline unlocking?

This is my big concern, as inability of offline bootloader unlocking makes this phone heavily dependant on your service running - thus if any day you will go out of business or you just will stop supporting this phone - I will be locked and unable to change my phone OS anymore. Is it kind of “planned obsolescence”?

It is not a hypothetical question - I suggest to read as example ASUS support forums where people beg to help them with unlocking older phones - which ASUS decided to be “unsupported” and the only answer phone owners get is “this model will no longer have any maintenance (including server)”.
These phones were capable of being unlocked earlier and this was taken away from phone owners. Why working approach for unlocking was abandoned in favor of “online” codes?

And additional question - is Fairphone sharing “unlocked” IMEI numbers with any external party? Will they be used for any kind of “blacklist” or marking my phone as “dangerous”?

Couple examples of unlock support - I’d like to ensure FP4 will NOT look like this in the future:

zentalk .asus. com/en/discussion/56504/unlock-bootloader-asus-tf300tg
zentalk. asus. com/en/discussion/55405/unlock-bootloader

Hi and welcome to the forum.
‘you’

This is a user forum and no one here did that

Yes, and not a Asus forum…

As mentioned, it’s best to #contactsupport for this to get an official answer. Please do post their response here so we know the answer as well. Thanks for providing the examples, it’s indeed worrying you have to depend on their service to unlock your device. That could limit the future use of the device if you cannot generate these unlock codes anymore. Although in the event of Fairphone going bankrupt or anything, I think they will make the code generator freely available. They have their heart in the right place

Thank you for your responses. My intention was not to blame user community for anything (and hope you didn’t read it this way).
I am considering new phone and trying to understand all advantages and disadvantages of different models. I’ve read many (but not all) posts in forum and they did not answer my question, so hoped that asking directly may help to get straightforward answer. I haven’t contacted fairphone support strictly because I don’t own any fairphone yet. And contact form requires to provide phone details (the only option without is direct emails which maybe I will try).

This is obvious that Fairphone is trying to support FP4 for long time. But requesting IMEI number along with my IP address puts my privacy at risk and just wanted to know if you as users know any good justification for online method and why old method was abandoned?
Based on your answers I assume there is no good justification or you’re not aware of it.

• IMEI number
  Fairphone have that already so you are not giving any information away only confirming the that this is a particular phone to be unlocked. Unlocking a phone, from what I have heard requires informing Google, no matter how it is done. (Will try and reference that)
  An IMEI number in Fairphone’s case ties to the purchaser of the phone, no the user. So it provides no personal info to anyone.

This is not to say that your IEMI doesn’t allow for tracking the user, not owner of the phone. But that not the issue is it.

• IP address

Again any browser can display your IP as it required in Server to Client confirmation, so again you are not giving anything away, just confirming the request.

I think English is not your native language as your tone and assumptions are generalised i.e. applied to everyone and are in that sense insulting.

To assume something about another, in the UK, is to say you have a closed mind to those whom you address.

As you said that was not your intention at the start, yet you continued, it’s more than sad. a bit weird but perfectly OK

Well you may find opinions on some issues, from some users, and you will also find contradictory ones.

• Some like the lack of a 3.5mm jack others don’t
• Some don’t want a notification LED some do
• Some like the weight and size others don’t
• Some like the colours, some don’t

But none of these are advantages or disadvantages.

The only advantage I can think of is to the mineral miners and the factory labourers that get better wages and working conditions.

The disadvantage is that once I consider I can afford to to buy a Fairphone I then commit have to undertake all kinds of assessments, and as you indicate in your posts not the easiest or most pleasant occupation.

Have you seen

All the above is what comes to mind and may not be correct. Just trying to respond to your query and your concerns.

All the best

UPDATE IEMI

Fairphone pay Google to install Android and in that is the requirement to keep Google Search and other apps etc.

To use Android without Google search, for example, would likely cost Faiphone more

So if you unlock to install an alternate OS it would make sense that Fairphone may have to pay a fee for each phone unlocked

Hence ensuring the detail of which phone has been ‘paid’ for.

But I see no reason why Fairphone would would have to pass any new information to Google, just the IEMI number to flag it as ‘Unlocked’

I was chuckling rather hard when I read today that thin and light is apparently Out in consumer electronics and apparently heavier chunkier things are officially In Style now. Personally I’d rather things were not too heavy because RSI never really heals, but 250g is fine for me and the Fairphone 4 is lighter than that. My personal lower limit seems to be about 150g, which is lighter than any phone I’ve ever had but heavier than the original Kindle Oasis, the one with the weird separate battery cover. That weighed in at 127g and while lovely to hold it was so light that it had a tendency to leap out of your hands while you were walking and hurl itself suicidally to the ground…

Android (AOSP = Android open source project) is open source and manufactures can basically install it on whatever phone they want. If a manufacturer wants to legally include Google micro services (GMS) they can do so for free (not 100% sure, there have been reports of that changing), but then they have to include the entire GMS package. So no Playstore without youtube, maps, Gmail and such.
Google probably makes this money back with ads and pure market dominance.

I do not see how not using a product would cost more? For most Android users not having Google services preinstalled is pretty bad, so manufactures want GMS on their phones.

Quite unlikely. That would make sense on devices where unlocking gives access to something new that has to be licenced. The Nintendo switch for example has an optional download that enables exFAT. Since exFAT is proprietary it was speculated that Nintendo had to pay a licencing fee to Microsoft for each download.

I don’t know if requiring an internet connection to unlock the bootloaderis is part of some stupid GMS security requirement, but since SafetyNet and Google Play Protect fail if you unlock the bootloader that does not seem too far fetched

That I can imagine, if you have a source for this I’d be interested

Hi thanks for your comments.

I haven’t found the reference yet. I remember something in this forum and have not found anything outside it either.

My arguments are that the Google AOSP is provided with certain conditions of use, for advertising purposes. So Google not only want to know each time that condition is breached but charge a levy to Fairphone.

It is unlikely that Google would allow Fairphone to exclude the search app without levying a charge. So too unlocking would likely incur a levy. ??

Maybe I’m getting Goggle all wrong and they are far more charitable than I imagine

I imagine you are mixing some things up. While Google is involved in the AOSP, the AOSP is licensed under the Apache V2.0 license.
AOSP contains no Google Apps, no Google Services or any of that stuff (and is completely free). If you don’t want to read through the entire license, there are good summaries available online.

Now we have what is commonly known as Google Android, which is the AOSP bundled with GMS, Google micro services. GMS come as a bundle, you either install all of it or nothing at all.

You most certainly do not violate the Apache V2 license by unlocking your bootloader, so no breach here. I did not read the Google TOS in its entirety, but I don’t think they prevent you from unlocking the bootloader. From what I know unlocking Google Pixel devices is even easier than unlocking FPs (i.e. is apparently available without entering stuff in an online form).
Who are you breaching a contract with anyways? Did you sign something with FP that disallows you from unlocking? Something with Google? Did FP sign a Google contract, that assures Google that FP will prevent costumers from unlocking?

Not saying that this couldn’t be the case, but seems a bit unlikely.

To summarise, an OEM can without any kind of charge, cost or fee ship any device they want, legally, without Google Search or any Google related stuff if they stick to the AOSP.
If they want to ship their device with any Google software at all, they have to install the entire GMS package. There is no way for an OEM to legally install the Google Play Store but not the Google Search app, doesn’t matter how much they want to pay.

Nah, pretty sure Google is not a charity xD

Yes and as Fairphone do then it would seem savy from a business point to track when someone wants to dump any Google connection and unlocking is a sure sign of a likely hood.

But back to the query I was addressing, I don’t see any issue regarding privacy in unlocking the bootloader online ??

I don’t know why FP should care what happens to the device after they sold it, and I don’t think an unlocked bootloader would be a good indicator, I’d reckon that most devices with an unlocked bootloader are still running some subset of Google services. If Google is interested in whether a device is still running GMS they just need to check if they still receive telemetry data from it

I don’t see a direct impact either. IMEI and the serial number are used to identify the device, kinda like a fingerprint. The IP is way to vague to identify and track a user on its own. If I’m not mistaken one had to enter the serial number when applying for the extended warranty, so FP should be able to connect device and user without much hassle anyway.

Not exactly - Fairphone has the information that this particular IMEI was manufactured and sold (maybe including country and distributor). It does not have the information about IP which gives accuracy of geolocation somewhere between 100km and 2km unless someone unlocking the phone will use VPN to change the location.
The same applies to web browser user agent - but this information is available (but not sure if sent over the network) to other loaded scripts on the unlock page - today for youtube and googletagmanager.

The same information (IP address, user agent) is sent from my browser to many other services which gather either my IP address, personal information like phone number, physical address and web browsing history and all of them cooperate with google or other advertising companies and may share and correlate information sent from my web browser to a different web pages.
So not only “IP address is displayed” - it is actively logged on server side of many services to build user profile, and this user profile is sold during your web browsing. If you wish to understand what is really happening during your web activities - start from reading about Real-Time bidding on Wikipedia.

But this is not my main point of concern. Unlocking is much more safe if is run in reproducible environment. For example - if every time unlocking code is different - and something fails during unlocking process - how will you know if code was “consumed” and you will have to request another one?
I appreciate that Fairphone does not require to install dedicated application for unlocking like some other companies (which requires phone to connected to the internet) , or logging with google account (which I don’t want to have) but I still have some doubts, which cannot be easily understood by others who focus mostly on FP4 hardware not software.

I understand that Fairphone as a company has to pay some royalties to Google for software and I’m ok with that because I understand that there are people who will use google software and even I would be ok with paying this fee within price of new smartphone - the same way as I have paid for laptop shipped with windows which I have replaced with linux distribution. But in case of laptop - manufacturer has NEVER expected me to use any online support service to install OS which I prefer nor to provide any serial number or mac address when I wanted to get rid of windows installed.
The reasons which come to my mind - is that Fairphone pays google not the one time fee, but some kind of recurring fee and unlocking stops this obligation (that’s why it’s treated like support service and not sales)
The other which I can suspect but cannot prove is that my IMEI number can be used by SafetyNet if shared by Fairphone (intentionally or not ) to Google.

It’s not impossible a skilled dev sets up a server as it was done for FP3 unlock code: FP3 'verify code' generator.

I basically agree with you but as i bought the phone via the Fairphone website they have my IP if they wanted it, they have it now I’m using the forum.

I’m pretty sure they know which IEMI numbers I have that went with the Serial number of the phone.

I didn’t think that they would have to share either with Google.

That’s good solution for me, and perl script for me is perfectly safe and transparent. However this solution forces to stick to the old good FP3 instead of going for FP4. I already have old smartphones and buying another old one or second hand is not something I was looking for.
But anyway thank you for the hint.

I think it was not meant to stick with FP3 but to do the same, as was done for FP3, with a different script for FP4…

The bootloader unlock form for the FP4 is the same as for the FP3, so I would assume that script should still work just fine

Edit: Nope, it doesn’t, the length for the IMEI / serial is different

Even better then…

Ok, so the perl script will spit out a nice looking code if the minimum length for the serial is changed to 8, but the generated code doesn’t work. I only get Incorrect code when toggling OEM Unlocking.

There is clearly more effort needed, worth a try though

Update: A quick follow up, since I ran into this issue again. It has probably been mentioned before somewhere (I know it’s been discussed here), you can’t unlock the bootloader when not connected to the internet.
I just reflashed a phone for testing and it popped up a message “No connection” or similar and only would let me unlock the bootloader once I connected it to wifi.

So I’m no longer convinced this can be reimplemented by the community with a “simple” script this time around, or at the very least it probably involves sniffing some network packets to reverse engineer this process

Update 2: There seems to be some kind of server side component this time around. I generated multiple unlock codes for one device, but only the newest one will let you unlock the bootloader.
So not only can’t you unlock the bootloader offline, but as soon as you create a new code all the old ones are somehow invalidated. I’ll have to test how long the newest code stays usable

Since you have to use that code to unlock a FP4 that has been flashed with factory images, let’s hope the online generator stays up for a while…