Comment by chenxiaolong
3 years ago
In case anyone is curious which Android components are responsible for this:
* There are 3 boolean states:
  1. whether the bootloader is unlocked
  2. whether the bootloader unlocking ability is enabled by the user ("OEM unlocking" toggle)
  3. whether the bootloader unlocking ability is allowed to be enabled (carrier restriction)
* The Android Settings app grays out the "OEM unlocking" toggle if `isOemUnlockAllowedByCarrier()` returns false [1].
* The state of `isOemUnlockAllowedByCarrier()` is changed by a call to `setOemUnlockAllowedByCarrier(boolean allowed, @Nullable byte[] signature)`, which is done by the `android.apps.work.oobconfig` package (/product/priv-app/OTAConfigNoZeroTouchPrebuilt/OTAConfigNoZeroTouchPrebuilt.apk) on the Pixel's stock firmware. This is the same package that handles the Android Enterprise zero-touch provisioning. It's not obfuscated and can be trivially reverse engineered. Prior to the December 2022 update, it was actually possible to bypass the check just by disabling this package via `pm` [2]. This is now blocked both by [3] and also the bootloader's requirement of a signed blob to lift the carrier restriction. This package is also responsible for preventing the removal of the carrier restriction (for the bootloader) when the SIM is locked.
* The Android framework talks to `android.apps.work.oobconfig` at all because the stock firmware ships an overlay (/product/overlay/framework-res__auto_generated_rro_product.apk) that contains `<string name="config_deviceProvisioningPackage">com.google.android.apps.work.oobconfig</string>`.
* The communication with the bootloader is done via the `oemlock` HAL: /vendor/lib64/android.hardware.oemlock@1.0-impl.nos.so. Its implementation of `setOemUnlockAllowedByCarrier()` seems to require a signed blob from Google (passed in from `android.apps.work.oobconfig`) before the state of the setting can be changed (see: `carrierUnlockFromSignature()`). Once unlocking is allowed, the setting is persisted by the bootloader unless something calls `setOemUnlockAllowedByCarrier()` again to disable it. Without the carrier restriction, the bootloader allows the user to freely toggle the "OEM unlocking" state.
I don't know for sure since I haven't tested, but I believe even SIM-unlocked Pixels purchased from the Google Store use this "carrier" restriction mechanism. It's just that when the device asks Google's servers for the signed blob to lift the carrier restriction, it's always granted. (EDIT: Though there are reports that refurbished devices from warranty claims for bootloader-unlockable devices may sometimes have a carrier restriction that Google's servers don't allow removing.)
[1] https://cs.android.com/android/platform/superproject/+/andro...
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-20611
[3] https://android.googlesource.com/platform/frameworks/base/+/...
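The three states and the gating order the comment lays out can be followed more easily as a small executable model. The block below is an added example, not AOSP code and not the real `oemlock` HAL or `PersistentDataBlock` API; the method names are chosen to mirror the ones named above, the behaviour is a simplification of what the comment describes, and Google's signed blob is stood in for by an HMAC-SHA256 over a constructed device id and the requested carrier state (a constructed key, not anything Google uses).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the key that only Google's servers would hold.
_GOOGLE_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_carrier_unlock(device_id: str, allowed: bool,
                        key: bytes = _GOOGLE_SIGNING_KEY) -> bytes:
    """Stand-in for the signed blob fetched by android.apps.work.oobconfig.
    It binds the device identity and the requested carrier state, so a blob
    for one device or one state cannot be reused for another."""
    msg = f"{device_id}|carrier_unlock_allowed={int(allowed)}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class OemLockModel:
    """The three boolean states from the comment, as held by the bootloader."""
    device_id: str
    allowed_by_carrier: bool = False   # state 3: carrier restriction lifted?
    allowed_by_user: bool = False      # state 2: "OEM unlocking" toggle
    unlocked: bool = False             # state 1: bootloader unlocked?

    # --- oemlock HAL analogue ---------------------------------------------
    def is_oem_unlock_allowed_by_carrier(self) -> bool:
        return self.allowed_by_carrier

    def set_oem_unlock_allowed_by_carrier(self, allowed: bool,
                                          signature: Optional[bytes]) -> str:
        """carrierUnlockFromSignature() analogue: state 3 changes only when
        the blob verifies for this device and this exact requested state."""
        expected = sign_carrier_unlock(self.device_id, allowed)
        if signature is None or not hmac.compare_digest(signature, expected):
            return "INVALID_SIGNATURE"
        self.allowed_by_carrier = allowed
        return "OK"

    # --- Settings app analogue --------------------------------------------
    def oem_unlocking_toggle_enabled(self) -> bool:
        """Settings greys out the toggle while the carrier restriction holds."""
        return self.is_oem_unlock_allowed_by_carrier()

    def set_oem_unlock_allowed_by_user(self, allowed: bool) -> str:
        if not self.oem_unlocking_toggle_enabled():
            return "TOGGLE_GREYED_OUT"
        self.allowed_by_user = allowed
        return "OK"

    # --- bootloader analogue ----------------------------------------------
    def bootloader_unlock(self) -> str:
        """Unlock proceeds only when both the carrier and the user gate are open."""
        if not (self.allowed_by_carrier and self.allowed_by_user):
            return "DENIED"
        self.unlocked = True
        return "OK"


def walkthrough(device_id: str = "constructed-device-0001") -> dict:
    """Drive the model through the sequence the comment describes and return
    each step's outcome so the gating order is visible."""
    dev = OemLockModel(device_id)
    out = {}
    # Carrier restriction in place: toggle greyed out, unlock refused.
    out["toggle_before"] = dev.oem_unlocking_toggle_enabled()
    out["user_toggle_before"] = dev.set_oem_unlock_allowed_by_user(True)
    out["unlock_before"] = dev.bootloader_unlock()
    # Lifting the restriction without a blob that verifies is rejected.
    out["lift_no_sig"] = dev.set_oem_unlock_allowed_by_carrier(True, None)
    out["lift_wrong_device"] = dev.set_oem_unlock_allowed_by_carrier(
        True, sign_carrier_unlock("other-device", True))
    out["lift_wrong_state"] = dev.set_oem_unlock_allowed_by_carrier(
        True, sign_carrier_unlock(device_id, False))
    out["carrier_after_bad_attempts"] = dev.is_oem_unlock_allowed_by_carrier()
    # A blob for this device and this state lifts the restriction.
    out["lift_valid"] = dev.set_oem_unlock_allowed_by_carrier(
        True, sign_carrier_unlock(device_id, True))
    out["toggle_after"] = dev.oem_unlocking_toggle_enabled()
    out["user_toggle_after"] = dev.set_oem_unlock_allowed_by_user(True)
    out["unlock_after"] = dev.bootloader_unlock()
    # The lifted state persists until a signed call re-applies the restriction.
    out["relock_carrier"] = dev.set_oem_unlock_allowed_by_carrier(
        False, sign_carrier_unlock(device_id, False))
    out["toggle_relocked"] = dev.oem_unlocking_toggle_enabled()
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:28} {result}")
```

Two points the model makes concrete: the Settings toggle is purely a view of the carrier state (it never flips state 3 itself), and because the stand-in blob is bound to both the device id and the requested state, a blob that lifts the restriction on one device says nothing about another, which is the property a real signature scheme in the bootloader needs as well.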
> Though there are reports that refurbished devices from warranty claims for bootloader-unlockable devices may sometimes have a carrier restriction that Google's servers don't allow removing.
Yep, this happened with my Pixel 2: bought it directly from Google, the USB-C port stopped working after a while, so I sent it in for a repair. I cannot unlock the bootloader on the phone they sent me back, so it's basically just e-waste now.