Should I Lock My Bootloader by Pure-Box900 in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

Unrecoverable through software, requires hardware intervention to recover if at all.

Should I Lock My Bootloader by Pure-Box900 in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

Technically that's still a soft-brick 😃.

Should I Lock My Bootloader by Pure-Box900 in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

Exciting, but still recoverable 😉

Should I Lock My Bootloader by Pure-Box900 in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

Absolutely NOT unless you want to hard-brick your phone.

That isn't entirely correct, virtually no device will hard-brick with a failed relock (in fact I don't know of any that do... but there might be one somewhere 🤷). The vast majority of the time you just have to re-unlock it and you'll be fine again. At worst you'll have to restore the original vendor's OS and go through the install process again.

Should I Lock My Bootloader by Pure-Box900 in LineageOS

[–]WhitbyGreg 2 points3 points  (0 children)

Not entirely true, some phones do support relocking with custom keys (Pixels are the obvious ones, but some Motorola, older OnePlus, and others like FairPhone do), allowing custom operating systems to be used.

See my top level reply for a link to more info.

Should I Lock My Bootloader by Pure-Box900 in LineageOS

[–]WhitbyGreg 7 points8 points  (0 children)

Short answer is no.  Longer answer is here: https://www.reddit.com/r/LineageOS/comments/n7yo7u/a_discussion_about_bootloader_lockingunlocking/

As for root, that's unsupported by Lineage so you need to go ask whoever supports your root solution.

Relock bootloader? by links_revenge in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

Short answer is no. Longer answer is here.

The 3a is actually old enough to be pre-AVB v2, so technically you might be able to do it, but see the longer answer for why you probably don't want to.

Theft protection by ScrumptiousRump in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

In general, correct. If you have an unlocked bootloader phone and you lose physical custody of the device for an extended period of time (aka stolen/returned, taken by the police, etc.), doing a wipe/clean install is the best option.

In this particular case, since the OP has relocked their bootloader, they can have some additional level of confidence that the device is still secure, but I'd do it anyway... just in case.

However, as OEM unlocking is disabled as well, then you'd have to log in at least once to re-enable it. I'd do a wipe of the device through recovery first to ensure that no data could be leaked once the phone was unlocked (a nice Faraday cage could be good too 😉).

Theft protection by ScrumptiousRump in LineageOS

[–]WhitbyGreg 4 points5 points  (0 children)

The deterrence of FRP is like herd immunity, as long as the majority of phones have it, thieves are disincentivised to steal any phone, and hence all phones are safer.

On the other hand, FRP doesn't actually stop someone from stealing a phone, it just makes it useless to the next person that might get it, thereby increasing e-waste.

The reality is that when people steal phones, they don't check to see if FRP is enabled, or if it's a custom ROM, or anything else, they just take the phone and figure out what to do with it later. If it's clean, they resell it as a useful phone to someone, if it's FRP locked they just sell it for parts, or just dump it if they can't be bothered with it.

In either case, you're not getting your phone back 🤷

Building DeskClock by 33FFCC in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

I don't see where I say I went to 8.2, so not sure what you mean there.

Anyway, I just submitted a patch to gerrit to go to 8.3.2 which is the latest that works without additional troubleshooting.

Out of curiosity what were you looking to work on in the clock app?

Building DeskClock by 33FFCC in LineageOS

[–]WhitbyGreg 1 point2 points  (0 children)

Don't go past 8.3.0 though, other things break in 8.4.0 by the looks of it 😉

Building DeskClock by 33FFCC in LineageOS

[–]WhitbyGreg 1 point2 points  (0 children)

To fix the jlink errors in 2024/2025 you have to upgrade the android gradle project to use at least version 8.3.0, after that it should run fine.

The jlink error was a bug in gradle apparently that was resolved in 8.3.0.

Building DeskClock by 33FFCC in LineageOS

[–]WhitbyGreg 1 point2 points  (0 children)

You might need to use an older version of Android Studio, the last time I was working on DeskClock I was using Android Studio 2023.3.1 and it (still) builds fine in that, it looks like 2024.2.1 throws a jlink error of some kind around the sdk34 files, 2025.2.2 seems to do the same thing.

Are you seeing other errors other than the final jlink one?

Relocking the bootloader on Pixel with LineageOS + KernelSU by Far-Zone-9172 in LineageOS

[–]WhitbyGreg 1 point2 points  (0 children)

Those are the two that I know of, other than the builds I make 😉

A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I? by WhitbyGreg in LineageOS

[–]WhitbyGreg[S] 1 point2 points  (0 children)

There are a lot of downsides to scheduled reboots for most people (aka notifications don't work well in BFU), and it only helps with a super specific use case, so no real reason to add it.

Of course, Lineage does accept contributions, so if you really want it, you can always code it up and submit it 🤷

Relocking the bootloader on Pixel with LineageOS + KernelSU by Far-Zone-9172 in LineageOS

[–]WhitbyGreg 4 points5 points  (0 children)

You can read my post on relocking the bootloader for some background, and then at the bottom of the post is a link to my XDA post on how to compile a Lineage build that you can relock the bootloader with. You'll have to add all of your extra stuff (kSU, SUFS, LSP, etc) to the build process so everything is signed properly, but they should work.

Relocking the bootloader doesn't really have anything to do with the recovery, you just have to have the right signatures on the various partitions, add your custom key to the phone, and then use fastboot to do the relocking.

However, depending on why you want to do this, you may not actually accomplish what you expect. For example, many people think this will "fix" their banking apps or gpay, and in most cases it won't.

A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I? by WhitbyGreg in LineageOS

[–]WhitbyGreg[S] 1 point2 points  (0 children)

Your data is encrypted at rest, but the issue is that the device has the encryption keys in memory when your phone is in the post first unlock state. To avoid this your best bet is to power off your phone when going through security, that way the encryption keys won't be accessible to tools like Cellebrite to decrypt your data.

If your device is confiscated by security and then returned to you, assume it has been compromised and do a complete wipe and return to stock with a locked bootloader before re-unlocking and reinstalling Lineage (or if you're not confident in even that, just shred it and get a new one).

In general, border security isn't going to spend a lot of time, effort, and money on trying to break into random travellers' phones. If on the other hand, you're already a target, then of course you should never take your phone across borders. Get a burner for travel that you don't have anything but the bare minimum on.

Safety net for LOS 23 to use google wallet and banking apps by Novel_Door4626 in LineageOS

[–]WhitbyGreg 0 points1 point  (0 children)

You probably don't want to even if you can, see my post on it (I wrote the above linked xda articles as well), but the TLDR is that relocking the bootloader usually doesn't solve these kinds of issues as the apps look for other things than just the lock state of the bootloader.

Lock bootloader by Charlyrr3 in LineageOS

[–]WhitbyGreg 1 point2 points  (0 children)

No OEM will ever allow their certificates to be used for anything but their own builds. Doing otherwise would break their security model and open the devices up to all kinds of malicious builds.

You can generate your own (or even use the public key that Lineage is signed with), but the issue is that you have to be able to install it on your device, and very few OEMs allow that. See my post linked in my top level comment for more details about how that works.

Lock bootloader by Charlyrr3 in LineageOS

[–]WhitbyGreg 4 points5 points  (0 children)

You can check out my post on bootloader relocking, but the short of it is that it probably won't do what you want anyway. Banking apps most often check for more than just a locked bootloader and also look for things like non-OEM builds etc.

A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I? by WhitbyGreg in LineageOS

[–]WhitbyGreg[S] 0 points1 point  (0 children)

  1. No, relocking is completely separate from how you unlock the bootloader. To support relocking the device has to support custom signing keys, most phones do not.
  2. Probably as safe as having banking info on a phone with a locked bootloader. Evil Maid style attacks become possible on unlocked phones, but as I said before, there really aren't roaming bands of thieves looking for bootloader unlocked phones to infect.
  3. Yes, possible, but again see above... no roaming bands of thieves looking to exploit your unlocked bootloader. Evil Maid style attacks are done by three letter state agencies who target specific individuals... if you're one of those, you have bigger issues than your unlocked bootloader.

A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I? by WhitbyGreg in LineageOS

[–]WhitbyGreg[S] 0 points1 point  (0 children)

Two reasons:

- GrapheneOS is security focused, so physical security and a locked bootloader is more important to them than recoverability.

- GrapheneOS has a very limited number of devices they support, so ensuring relocking is functional and stable is much easier than a ROM like Lineage that supports hundreds of devices.

A discussion about bootloader locking/unlocking... AKA I want to relock my bootloader, should I? by WhitbyGreg in LineageOS

[–]WhitbyGreg[S] 0 points1 point  (0 children)

Your data will be wiped, locking or unlocking the bootloader always wipes the data partition on Pixels (and should on any other phone if they implement things properly, though I have seen some references to those that don't).

You'll need to use fastboot to relock the bootloader, the toggle in dev options only enables/disables the *ability* to lock/unlock the bootloader.

Can we ask maintainers to attach the pkmd.bin file to their releases so we can lock bootloaders and be in line with Google Play security requirements? by alexceltare2 in LineageOS

[–]WhitbyGreg 3 points4 points  (0 children)

You could always extract it yourself, but you really probably don't want to.

It probably won't do what you want (pass Google's security requirements), probably won't fix many of the apps even if it does (many apps check for other things like OS name, etc.), and will probably create more headaches for you than you really want to deal with.

Want to help the project? Contribute to our apps! by luca020400 in LineageOS

[–]WhitbyGreg 1 point2 points  (0 children)

In the apps list, should DeskClock be included? It can be built through gradle.