Pixel phones are sold with bootloader unlocking disabled – fitzsim’s development log
Request to Google: ungrey the “OEM unlocking” toggle in the factory, before shipping store.google.com devices to customers. Don’t make your customers connect the device to the Internet before they’re allowed to install the operating system they want.
My wife had a requirement to use Android[1], and she wanted to run GrapheneOS; I experimented with other devices and ROMs to ensure the specific application she needed would run on GrapheneOS.
As part of my research, I read the GrapheneOS install guide[2], which stated:
“Enabling OEM unlocking
OEM unlocking needs to be enabled from within the operating system.
Enable the developer options menu by going to Settings > About phone and repeatedly pressing the build number menu entry until developer mode is enabled.
Next, go to Settings > System > Developer options and toggle on the ‘OEM unlocking’ setting. On device model variants (SKUs) which support being sold as locked devices by carriers, enabling ‘OEM unlocking’ requires internet access so that the stock OS can check if the device was sold as locked by a carrier.”
None of the many many YouTube videos I watched about bootloader unlocking covered whether or not you need Internet connectivity. Nor did any of Google’s official documentation[3]. GrapheneOS documentation is the only place on the Internet that documents this requirement, so, well done GrapheneOS documentation team!
GrapheneOS only supports recent Google Pixel phones. These phones are good hardware[4], and I can easily (so I thought) install a different operating system, so I decided to buy one. To be as future-proof as possible, I bought a Pixel 7 Pro from store.google.com (Canada).
I thought (based on the aforementioned GrapheneOS docs) that the device model variant I bought, being sold “unlocked”[7] by Google, wouldn’t need the Internet connection. NOPE; Google sold it to me with “OEM unlocking” greyed out:
I consider this a customer-hostile practice. I shouldn’t have to connect a piece of hardware to the Internet, even once, to use all of its features. If I hadn’t connected the Pixel 7 Pro to the Internet, then “OEM unlocking” would have stayed greyed out, thus I’d not have been able to unlock the bootloader, thus I’d not have been able to install GrapheneOS[5].
Keep in mind that I bought this phone full price[6] from store.google.com, where it was advertised right in the FAQ as an “unlocked smartphone”[7]. There is zero carrier involvement here, so carriers can’t be blamed for this policy. Also, I paid full price for the phone, so this isn’t a case of “if you don’t pay for the product, you ARE the product”.
I probably should have returned the device for a refund. Instead, I set up a network debugging environment to see what activity happens when I connect the Pixel 7 Pro to the Internet.
By tailing some log files and watching them closely, I was able to determine that the final site accessed just before “OEM unlocking” goes from greyed to ungreyed is “afwprovisioning-pa.googleapis.com”. Here is the video of “OEM unlocking” ungreying:
Here is the rest of the network activity, all of which is TLS-encrypted by keys buried in the stock Google operating system, and thus not controlled by the device purchaser:
Hostname | Downloaded to phone | Uploaded from phone |
---|---|---|
storage.googleapis.com | 383 MiB | 8 MiB |
fonts.gstatic.com | 137 MiB | 3 MiB |
afwprovisioning-pa.googleapis.com | 18 MiB | 1 MiB |
www.gstatic.com | 8 MiB | 287 kiB |
googlehosted.l.googleusercontent.com | 8 MiB | 345 kiB |
ota-cache1.googlezip.net | 3 MiB | 175 kiB |
dl.google.com | 3 MiB | 86 kiB |
instantmessaging-pa.googleapis.com | 1 MiB | 300 kiB |
www.google.com | 46 kiB | 24 kiB |
ssl.gstatic.com | 25 kiB | 3 kiB |
ota.googlezip.net | 17 kiB | 6 kiB |
digitalassetlinks.googleapis.com | 17 kiB | 4 kiB |
clients.l.google.com | 14 kiB | 7 kiB |
gstatic.com | 13 kiB | 3 kiB |
mobile-gtalk.l.google.com | 8 kiB | 1 kiB |
mobile.l.google.com | 5 kiB | 1 kiB |
lpa.ds.gsma.com | 5 kiB | 4 kiB |
connectivitycheck.gstatic.com | 3 kiB | 3 kiB |
app-measurement.com | 1 kiB | 0 bytes |
time.android.com | 180 bytes | 180 bytes |
Only Google knows precisely what all that data is and what it’s used for.
As the video shows, the ungreying did happen; I had the Settings application open, then connected the phone to the Internet. I had to close then re-open the Settings application; the access to “afwprovisioning-pa.googleapis.com” seemed to be co-timed with the Settings application restart. After the Settings application restart, the “OEM unlocking” option was operable.
I don’t know what subset of the hosts in the above table need to be accessible to the phone for ungreying to occur; I considered firewalling each individually using a script, but I ran out of time. I also don’t know if a factory reset of the phone results in “OEM unlocking” being greyed again. I stopped my experimentation when the ungreying took place and I proceeded to install GrapheneOS successfully (the rest of the process was very easy, thanks to GrapheneOS’s great documentation and install scripts).
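One way to turn per-connection logs into a per-host table like the one above, and to list the hosts contacted shortly before the toggle became usable, which narrows the candidates for a per-host firewalling experiment. This is an added example, not the author's script; the log line format, the sample records and the timestamps are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample, one line per connection:
# "<epoch seconds> <hostname> <bytes down> <bytes up>" (assumed format).
SAMPLE_LOG = """\
1000 connectivitycheck.gstatic.com 1536 1536
1004 storage.googleapis.com 4194304 65536
1009 time.android.com 90 90
1015 storage.googleapis.com 2097152 32768
1021 connectivitycheck.gstatic.com 1536 1536
1025 time.android.com 90 90
1030 afwprovisioning-pa.googleapis.com 1048576 262144
1044 www.gstatic.com 524288 20480
"""

def parse(log):
    """Yield (timestamp, host, bytes_down, bytes_up) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, host, down, up = line.split()
            yield int(ts), host, int(down), int(up)

def human(n):
    """Format a byte count in the table's units, rounded down."""
    if n >= 1024 * 1024:
        return f"{n // (1024 * 1024)} MiB"
    if n >= 1024:
        return f"{n // 1024} kiB"
    return f"{n} bytes"

def per_host_totals(log):
    """Sum traffic per hostname, largest download first."""
    totals = defaultdict(lambda: [0, 0])
    for _, host, down, up in parse(log):
        totals[host][0] += down
        totals[host][1] += up
    return sorted(((h, d, u) for h, (d, u) in totals.items()),
                  key=lambda row: row[1], reverse=True)

def hosts_before(log, event_ts, window):
    """Distinct hosts contacted in the window ending at event_ts, newest first."""
    recent = sorted(((ts, h) for ts, h, _, _ in parse(log)
                     if event_ts - window <= ts <= event_ts), reverse=True)
    return list(dict.fromkeys(h for _, h in recent))

if __name__ == "__main__":
    for host, down, up in per_host_totals(SAMPLE_LOG):
        print(f"{host} | {human(down)} | {human(up)} |")
    # 1035 is a constructed time for the toggle becoming usable.
    print("candidates:", hosts_before(SAMPLE_LOG, 1035, 20))
```

The first entry returned by `hosts_before` is the last host contacted before the event; the rest of the list is the set worth blocking one at a time.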
All in all, cheers to Google for releasing Android as Free and Open Source software, and for selling devices which are (with steps) bootloader-unlockable; both of which make GrapheneOS possible[8]. Jeers to Google for selling devices from store.google.com that cannot have their bootloaders unlocked without first connecting them to the Internet.