Pixel phones are sold with bootloader unlocking disabled

Request to Google: ungrey the “OEM unlocking” toggle in the factory, before shipping store.google.com devices to customers. Do not make your customers connect the device to the Internet before they are allowed to install the operating system they want.

My wife had a requirement to use Android1, and she wanted to run GrapheneOS; I experimented with other devices and ROMs to ensure the specific application she needed would run on GrapheneOS.

As part of my research, I read the GrapheneOS installation guide2, which stated:

Enabling OEM unlocking

OEM unlocking needs to be enabled from within the operating system.

Enable the developer options menu by going to Settings > About phone and repeatedly pressing the build number menu entry until developer mode is enabled.

Next, go to Settings > System > Developer options and toggle on the ‘OEM unlocking’ setting. On device model variants (SKUs) which support being sold as locked devices by carriers, enabling ‘OEM unlocking’ requires internet access so that the stock OS can check if the device was sold as locked by a carrier.”

None of the many many YouTube videos I watched about bootloader unlocking covered whether or not you need Internet connectivity. Nor did any of Google’s official documentation3. GrapheneOS documentation is the only place on the Internet that documents this requirement, so, well done GrapheneOS documentation team!

GrapheneOS only supports recent Google Pixel phones. Those phones are nice hardware4, and I can easily (so I thought) install a different operating system, so I decided to buy one. To be as future-proof as possible, I bought a Pixel 7 Pro from store.google.com (Canada).

I thought (based on the aforementioned GrapheneOS docs) that the device model variant I bought, being sold “unlocked”7 by Google, would not need the Internet connection. NOPE; Google sold it to me with “OEM unlocking” greyed out:

The Pixel 7 Pro Developer options settings screen, showing the OEM unlocking slider greyed out, with the label Connect to the internet or contact your carrier

I consider this a customer-hostile practice. I should not have to connect a piece of hardware to the Internet, even once, to use all of its features. If I hadn’t connected the Pixel 7 Pro to the Internet, then “OEM unlocking” would have stayed greyed out, thus I would not have been able to unlock the bootloader, thus I would not have been able to install GrapheneOS5.

Keep in mind that I bought this phone full price6 from store.google.com, where it was advertised right in the FAQ as an “unlocked smartphone”7. There is zero carrier involvement here, so carriers cannot be blamed for this policy. Also, I paid full price for the phone, so this is not a case of “if you don’t pay for the product, you ARE the product”.

I probably should have returned the device for a refund. Instead, I set up a network debugging environment to see what activity happens when I connect the Pixel 7 Pro to the Internet.

By tailing some log files and watching them closely, I was able to determine that the final site accessed just before “OEM unlocking” goes from greyed to ungreyed is “afwprovisioning-pa.googleapis.com“. Here is the video of “OEM unlocking” ungreying:

Here is the rest of the network activity, all of which is TLS-encrypted by keys buried in the stock Google operating system, and thus not controlled by the device purchaser:

Hostname Downloaded to phone Uploaded from phone
storage.googleapis.com 383 MiB 8 MiB
fonts.gstatic.com 137 MiB 3 MiB
afwprovisioning-pa.googleapis.com 18 MiB 1 MiB
www.gstatic.com 8 MiB 287 kiB
googlehosted.l.googleusercontent.com 8 MiB 345 kiB
ota-cache1.googlezip.net 3 MiB 175 kiB
dl.google.com 3 MiB 86 kiB
instantmessaging-pa.googleapis.com 1 MiB 300 kiB
www.google.com 46 kiB 24 kiB
ssl.gstatic.com 25 kiB 3 kiB
ota.googlezip.net 17 kiB 6 kiB
digitalassetlinks.googleapis.com 17 kiB 4 kiB
clients.l.google.com 14 kiB 7 kiB
gstatic.com 13 kiB 3 kiB
mobile-gtalk.l.google.com 8 kiB 1 kiB
mobile.l.google.com 5 kiB 1 kiB
lpa.ds.gsma.com 5 kiB 4 kiB
connectivitycheck.gstatic.com 3 kiB 3 kiB
app-measurement.com 1 kiB 0 bytes
time.android.com 180 bytes 180 bytes

Only Google knows precisely what all that data is and what it is used for.

As the video shows, the ungreying did happen; I had the Settings application open, then connected the phone to the Internet. I had to close then re-open the Settings application; the access to “afwprovisioning-pa.googleapis.com” seemed to be co-timed with the Settings application restart. After the Settings appliation restart, the “OEM unlocking” option was operable.

I don’t know what subset of the hosts in the above table need to be accessible to the phone for ungreying to take place; I considered firewalling each individually using a script, but I ran out of time. I also don’t know if a factory reset of the phone results in “OEM unlocking” being greyed again. I ended my experimentation when the ungreying took place and I proceeded to install GrapheneOS successfully (the rest of the process was very straightforward, thanks to GrapheneOS’s great documentation and installation scripts).

All in all, cheers to Google for releasing Android as Free and Open Source software, and for selling devices which are (with steps) bootloader-unlockable; both of which make GrapheneOS feasible8. Jeers to Google for selling devices from store.google.com that cannot have their bootloaders unlocked without first connecting them to the Internet.

Footnotes

  1. One day I hope we can both use PinePhones. ^
  2. https://grapheneos.org/install/cli#enabling-oem-unlocking ^
  3. https://source.android.com/docs/core/architecture/bootloader/locking_unlocking

    “Devices should deny the fastboot flashing unlock command unless the get_unlock_ability is set to 1. If set to 0, the user needs to boot to the home screen, open the Settings > System > Developer options menu and enable the OEM unlocking option (which sets the get_unlock_ability to 1). After setting, this mode persists across reboots and factory data resets.” ^

  4. Google Pixel devices lack several features of my PinePhone; luxuries such as a 3.5mm audio jack, a swappable battery, a microSD card slot, and HDMI output (with a hardware mod). ^
  5. The “lock”/”unlock” terminology is hopelessly overloaded; as a result, confusion abounds online, even among phone enthusiasts. The “OEM” term here is also at best confusing and at worst misleading. I hope the screenshot and video make clear the specific context of this post, but here are definitions, and the states of the device I’m discussing:
    • “greyed” => the user interface element is inoperable
    • “ungreyed” => the user interface element is operable
    • “OEM unlocking” toggle is greyed (this is the state of the device after unboxing and before letting it have an Internet connection)
    • “OEM unlocking” toggle is ungreyed (the device must be connected to the Internet for this ungreying to take place (see video))
    • “OEM unlocking” toggle is ungreyed and toggled to “disabled”
    • “OEM unlocking” toggle is ungreyed and toggled to “enabled”
    • “OEM unlocking” toggle is ungreyed and toggled to “enabled” and bootloader is locked
    • “OEM unlocking” toggle is ungreyed and toggled to “enabled” and bootloader is unlocked (this is the state required to install GrapheneOS)

    At this point I don’t care about SIM unlocking or carrier unlocking or any other type of unlocking. There are plenty of horror stories on forums of people having purchased new Pixel phones from carriers at full price and then, via this same mechanism, the carrier never allowing bootloader unlocking (while apparently allowing various forms of SIM and carrier unlocking which are useless for running alternate operating systems like GrapheneOS). ^

  6. With a Black Friday discount. ^
  7. https://store.google.com/product/pixel_7_pro

    “Frequently asked questions

    What is an unlocked smartphone?

    An unlocked smartphone is a phone that isn’t tied to a specific carrier. When you purchase an unlocked Google Pixel phone, you get to choose which carrier or plan works best for you. Most phones in the Google Store come unlocked. Important: Google Pixel phones work with all major carriers. But not all Google Pixel 4a (5G) and later phones have 5G functionality on all 5G networks. See a list of certified carriers to make sure your smartphone works on its 5G network.

    To use a SIM-unlocked phone:

    1. Buy an unlocked Google Pixel phone from the Google Store.
    2. Contact a mobile carrier.
    3. Follow their instructions to set up your phone with their service plan.
    4. For 5G, some carriers may require a 5G plan (sold separately). Contact carrier for details. See g.co/pixel/networkinfofor info.” ^ ^
  8. Other major phone vendors and operating systems are not in this blog’s Overton window. ^

Join the Conversation

1 Comment

  1. Google has a console called panopticon where they can see every Chromebook in the world. This monitoring facility is used to measure bug prevalence in e.g. 802.11 driver software and to determine how much of each fleet is running the latest ChromeOS security patches. They can do this because Unlike Microsoft Google ports ChroneOS onto new laptops and tests the crap out of it (including the verification that the manufacturer meets about 25 min performance requirement standards for Chrome hardware like LCD viewing angles and speaker volume).

    I bet the have a similar system for for their HTC phones.

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.