Tuesday, August 21, 2018

August security update on Nokia phones blocks the only bootloader unlock method

Bootloader unlocking is an essential part of Android modding. Before you can even consider rooting your device or installing a custom ROM on it, you first need to unlock your device's bootloader so you can boot unsigned boot images. Before you can unlock your bootloader, however, you need to manually go through a series of steps to make sure that you acknowledge the risks of unlocking the bootloader. Some of these steps involve disabling security features and/or requesting a bootloader unlock code which may be granted immediately or, in the case of Xiaomi devices, could take days to receive. Regardless of how many hoops you need to jump through to take control of your own device that you purchased with your own money, some smartphone makers still choose to prevent you from unlocking your device's bootloader. HMD Global is one such device maker, and the company recently rolled out the August security patch to their Nokia-branded smartphones which blocks the only known bootloader unlock method.

When HMD Global first announced the revival of the Nokia brand, we were excited. We were even more excited to hear that HMD Global would ship Nokia-branded smartphones with near-stock builds of Android. Then they announced that all of their 2018 smartphones destined for international release would be on the Android One program. And most recently, they even committed to updating all Nokia-branded smartphones to Android Pie! HMD Global clearly cares about keeping their customers happy, but the one thing that holds us back from fully supporting their brand is their refusal to make bootloader unlocking available for all. Enter the unofficial bootloader unlocking tools.

An underground scene of Nokia-branded phones with unlocked bootloaders

Most users on our forums know that Nokia-branded smartphones can't be bootloader unlocked, but some community members actually figured out how to do so. You may have seen a few threads which suggest you can unlock the bootloader, such as these threads on our Nokia 7 Plus and Nokia 6.1 forums. There's even an official TWRP release for the Nokia 8 that was recently published. What makes these threads possible is a bootloader unlock method discovered by XDA Senior Member hikari_calyx and members of his team. They figured out a way to generate a bootloader unlock code for Nokia-branded smartphones, although they decided to offer their tool as a paid service. Unfortunately, with the August security patch release, the bootloader unlock codes that their tool generates will no longer unlock the bootloader.

To be perfectly clear, we aren't against HMD Global patching this particular method of unlocking the bootloader. As explained by Lê Nguyên Chương, Samuel Ridosko, and Seppe Baelus in a Medium blog post, the method admittedly involved an exploit. HMD Global can, and should, patch any exploit or security vulnerability in their devices' software. However, we're disappointed that the company still doesn't offer an official method of unlocking the bootloader so users don't have to turn to a closed-source, third-party paid service.

HMD Global's Delayed Promise

Security issues regarding unlocked bootloaders have been a matter of conversation for years now. Certain manufacturers and carriers choose to lock down their devices completely, citing security reasons. Huawei recently made the controversial decision to stop providing bootloader unlock codes, and that decision has soured the opinion of their smartphones in the eyes of some of our readers. Without an unlockable bootloader, most owners of Huawei devices (barring the Huawei P20 line and upcoming Huawei Mate 20 line) will have to wait months for an Android Pie release to make its way to their devices. With an unlocked bootloader, they can install unofficial releases right now.

Sure, we'll acknowledge that HMD Global has been quick to provide monthly security updates (albeit not without their fair share of issues) and has rolled out the Android Oreo update fairly quickly across their range of devices. And as we said before, they have committed to rolling out Android Pie to their entire device lineup. But what'll happen once HMD Global drops official support for their older budget and mid-range devices, which make up the bulk of their portfolio? Without custom ROMs to unofficially update them, users will eventually have to ditch their perfectly functional smartphones if they want to stay up-to-date against some (but not all) of the new vulnerabilities that get discovered. Or maybe they just want to experience the latest Android release without having to spend money on an upgrade they don't want or need.

Furthermore, Nokia users can't reinstall their phone's firmware by themselves anymore, as the flashing tool currently available online was rendered useless. You'll need to take your phone to a service center if something goes wrong. Warranty should cover most of these issues, so if you haven't physically damaged your phone, you should be alright. But if your warranty is voided or expired, it's an added cost for something you could fix by yourself or get fixed at your local repair store.

Last year, HMD Global's Chief Technology Officer, Mikko Jaakkola, took to Twitter to say that allowing bootloader unlocking was "indeed in their backlog," yet, almost one year later, users still have no way to officially do so. We're not even touching upon the company's failure to abide by the GPL by not releasing the kernel source code for the Linux kernel binaries shipped on many of their smartphones.

We reached out to HMD for comment on this latest matter, and we'll update you if we hear back. In the meantime, if you're interested in voicing your opinion, you can sign this petition or leave a comment on the official Nokia support forum.



from xda-developers https://ift.tt/2Bz3cih
via IFTTT
