But think of banks and music services, comrade! Banks need the waste to protect you, and poor music services will go out of business if you control your own phone!
What do you use? Samsung are anti-consumer but none of the other big phone manufacturers seem to be much better (and historically at least Samsung's flagship phones have been pretty good hardware-wise).
Those 300 people include some experts at spiritual warfare which will guarantee that all involved in this decision will reincarnate into durian fruits in the next life.
So, notice Graphene OS was able to port Android 16 on all the supported devices (from Pixel 6 up) basically within a week without device trees already, without the early (OEM) access to the release.
It's a big inconvenience but not a showstopper for them. Pixels are still viable.
The only blocker with pixels would be if they stopped allowing OEM unlocking or relocking (which is a must).
> Even Graphene OS reported that they're in talks with some vendor... Have there been any updates towards that?
The startup we were working with before went bankrupt. In June, we started working with a major Android OEM which has provided resources for identifying everything which will need to be done to meet our requirements and provide official GrapheneOS support. They believe they can meet all our official requirements without much trouble and they're going to determine how much resources they want to put into it soon. We don't yet know how many resources are going to go into it.
> The main reason i used to root devices are
Note using GrapheneOS does not involve rooting.
> System level adblock using adaway
You can use RethinkDNS for filtering combined with still using a WireGuard VPN or multiple chained WireGuard VPNs. Android has a perfectly good API for this.
> Titanium backup
GrapheneOS has a built-in encrypted backup system we plan to significantly improve upon. The basics are there already.
Exactly. This is why I won't buy from these companies even when conditions look good. It'll be bait and switch every sigle time. Fairphone all the way.
The writing's been on the wall for custom ROMs in general for a while, so I've been starting to think about a mobile phone vendor I could actually have a decent business relationship with. I.e. use their stock ROM and be fairly happy with it.
Any opinions? Samsung was a candidate for their somewhat unified ecosystem. Maybe even apple.
I still really like Sony phones. Excellent hardware. They have no online services they are trying to push, they just want you to buy their phones. As a result, the stock software is very clean Google Android without much extra. But they're not available in every region, and quite expensive. Used to have very short software support but now they do 4 major Android version updates / 6 years of security updates.
You get no ecosystem benefits though, it's really just plain Android.
Samsung carries a lot of advertising crap, tracking, etc. Pretty much every phones is going to be worse than Pixel in that respect, since you get Google's tracking + whatever pile of crap the vendor added (which in the end they all seem to do).
So it's basically:
Pixel with GrapheneOS > iPhone >> Google Pixel with PixelOS
I wouldn't recommend anything else. Theoretically Fairphone + e/OS may have been an option, but the security is crap.
I guess there is Sony, you could even install Sailfish OS, no experience though.
> Theoretically Fairphone + e/OS may have been an option, but the security is crap.
Lack of current privacy/security patches and the current privacy protections in Android means having very poor privacy too. There's no equivalent to the privacy protections added by GrapheneOS either including ones also offered by iOS now such as iOS having a more basic equivalent to the GrapheneOS Contact Scopes feature since iOS 18 and iOS having better storage/media control than Android similar to Storage Scopes in GrapheneOS.
> I guess there is Sony, you could even install Sailfish OS, no experience though.
SailfishOS is much less private/secure than AOSP and is largely closed source. It's the opposite of a more open OS.
It is really a pity, as this means Android OS is closing down.
Without supported Consumer Hardware available on the market in sufficient volume, even less end-users will use an alternative OS, which will affect quality and size of the alternative OS-market and fragment the remaining users even more.
This will put the future of the entire alternative-OS ecosystem firmly back into the hands of Google. If they start further restricting BL-unlock on the Pixel-series to e.g. only Google Developer Account-Holders, the whole ecosystem will finally close down.
I have to wonder what Samsung's motivation is here. Of course they probably have some bloatware they profit from, but someone who plans to unlock the bootloader just won't buy their device now. Samsung only benefits if they lose money on device sales (do they?) and make it up on "services".
Xiaomi apparently have also stopped unlocking their bootloaders, so the "workaround" was to go to an official store and ask them perform a downgrade, and before the staff can relock the bootloader, grab the phone and run:
I did that years ago when I bought a Redmi Note 4 in Shenzhen and discovered that the Chinese ROM is very locked down. I created the Mi post, but I don't remember having to make a forum post (although it does ring a slight bell). AFAIK it was just sending a DM to support on the forum / app to explain why you needed to install the Global ROM rather than the Chinese ROM (and being a foreigner was accepted as a valid reason). About a day later they unlocked the phone bootloader remotely, and then I could install any version of the Global ROM I wanted.
I've bought all my subsequent ones (Note 5, Note 8, Note 11, Note 12Pro) in either HK or UK so they all came with the Global ROM, and I've not felt the need to unlock any of them, so not tried to process since. But it definitely used to be pretty easy.
I suspect the reason for the weird process is legal to ensure that phones in China don't get unlocked in order to circumvent content controls.
As someone who roots single-purpose Android devices, this is one of those things that sucks big-time but makes total sense.
The only reason one would unlock a bootloader is to root the system partition. It is impossible to protect data on rooted phones and makes data exfiltration attacks significantly easier to do.
This is a huge problem for banking and music apps that absolutely rely on this capability. Samsung is, by far, the biggest seller of Android phones in the US. (I think Xiaomi is the biggest globally), so they are under much more pressure to clamp down on this.
That said, rooting Samsung devices has been a worthless pursuit for a long time. Doing so irreversibly (via eFuse) disables KNOX, which prevents DeX and Samsung Health from working. It also trips SafetyNet, which disables a whole suite of key apps (banking apps and Apple Music don't work; not sure about Spotify). There's a Magisk module that uses well-known device IDs to work around these, but these only work temporaily. Many people have also reported issues with the camera (a popular reason for buying Samsungs in the first place), and you no longer get OTA updates. I believe you also get degraded camera performance if you flash another ROM since the device module is closed-source and relies on One UI to work. This is before considering that stock ROMs have gotten really good over the years (especially Samsung's), and many of the reasons why we had to root have mostly gone away.
You can work around this by buying a Pixel for now, but I think we're a few years away from bootloader unlocking going away entirely.
That said, I stll root Android devices that will only serve a single-purpose, like my BOOX eBook readers that I use Firefox on. This lets me run AFWall so that I can block network traffic for everything except Firefox (and a few other apps). However, I won't be logging into my Google account on them, and they aren't ever going to run banking apps or anything like that.
Normally, I'd go and say "vote with your wallet" - but sadly, in the tablet sphere, it's either ultra low spec Alibaba junk or it's Samsung. No Fairphone, no Pixel, nothing.
Seriously Samsung, go and screw yourselves.
The reason I insist on rooting in the first place is because unlike iOS which has a true full backup that you can trigger from your Mac (and restore afterwards), Android decidedly does not, and a bunch of apps don't do any kind of cloud sync.
Sony Xperia models have been my choice since the Sony Ericsson days. Unlockable bootloader, LineageOS available, microsd card, headphone jack, good screen, decent camera, reasonably powerful SoC, water/dust resistant, and probably several other benefits that I'm forgetting at the moment.
I don't know if any US carrier offers them, but last time I was shopping, models with North American radios could be bought online.
My main complaints about Xperia phones:
- They don't support re-locking the bootloader at all, let alone with custom keys. This could be problematic for folks who depend on mobile banking apps that require full Google Play Integrity (SafetyNet) attestation, or risky for folks who leave their phone unattended around potential adversaries. To be fair, almost all smartphones have this problem.
- Their wonderful Xperia Compact line, comprising smaller versions of their flagship phones, seems to have been abandoned. Even their most recent "compact" models were bulky compared to their predecessors.
It is getting incredibly difficult to obtain a non-backdoored smartphone nowadays.
I tried to find which phones support alternative OSes, without Google control and telemetry, but it turned out that alternative OSes (LineageOS, PostmarketOS, Graphenos) support mostly support outdated models and it makes no sense to buy them. There is also "Google Pixel", but the prices start at around $600 which is 3 times more than a reasonable price for a phone.
So now I am wondering if it is possible to extract the ROM from a reasonably priced Samsung phone, remove the components I don't like and write it back.
GrapheneOS supports the newest Pixels, and only the Pixels that are still getting updates from Google. Right now the least bad option is probably a one-generation-old NOS or Open Box Pixel with GrapheneOS.
Damn, I got a samsung instead of an asus phone because I could unlock it. Now what:s left? Really annoyed at all those companies who refuse to let me own my own phone.
And before anyone asks me if I really need to unlock my phone... It's the principle of it, if I bought it, I own it and I should be able to run what I want on it. I will not buy a phone from a company that denies me that right.
That said, I do use root for a few things:
- AFWall+ (previously I used netguard but can't run multiple VPN on android so I couldn't have that running together with tailscale)
- Neo-backup. Some messaging apps believe that keeping chat history is not important. Or they believe that it's fine that the only way to transfer chat history is to upload it to Google cloud without encrypting it. I hate losing my chat history and I do not want it uploaded somewhere without encrypting it so I need a backup solution. Enters neobackup
- Sometimes, it is useful to be able to spoof one's GPS without the app being the wiser from a privacy perspective.
- A very stupid banking app I have prevent screenshots but then doesn't allow me to download a proof of transfer. So I use root to remove the restriction against screenshots
I never had the chance to root any Android device (unknown models, locked bootloaders, no benefit on rooting, or simply bad hardware), guess I'll never have it again.
This seriously pisses me off. We are literally watching the end of true ownership of our phones end right before our eyes, imagine if your laptop or new motherboard you purchased from MSI or whoever did the same and locked the bootloader to only allow booting official Microsoft-signed code (aka Windows only) and if you wanted to run Linux... sorry but no that's what we decided and we know better than you. Despite custom OS support being grainy in phones due to proprietary hardware and ARM chips, I really care about having the option to be able to do it (plus rooting with tools like Magisk is pretty universal across phones anyways since it lets you patch most firmware images).
It was already bad with Huawei stopping their unlock program and Google cracking down more on rooting by introducing strong integrity with their new Play Integrity API (which was an upgrade from the older SafetyNet API), basically meaning there is hardware security called the TEE (ARM TrustZone for most phones if you're interested in reading more) built into the ARM processor which "snitches? (lack of better word)" on you if the firmware booted no longer matches the manufacturer signed firmware, and causes you to fail strong integrity which means apps like bank apps can choose to deny you service (Google Wallet does this for NFC payments). There are workarounds which the custom ROM/root community still uses which mainly relies on older leaked cryptographic signing keys from the TEE being used which bypass the phone's TEE and sign the "integrity verdict" in user land to say "all is good" to Google, but Google can easily tell if these keys have been compromised since they track usage, and the storage of these keys just keeps getting better, getting as close to impossible as you can in a modern phone since to extract it would require you to quite literally de-lid the ARM chip and hope you don't break anything in the process while somehow extracting the key, in other words not feasible.
This is all great when it comes to security which Google and all manufacturers have been pushing on, but it comes at a serious cost of ownership, you cannot tell me we truly own our phones when we have literal hardware protection that, quoted right from wikipedia: "code integrity prevents code in the TEE from being replaced or modified by unauthorized entities, which *may also be the computer owner itself*". I don't know about you but a chip (and Google) that dictates what I can and cannot do with my phone doesn't sound like ownership to me.
All these recent changes and events sounds to me that Google is actively pushing and "encouraging" phone manufacturers to disable bootloader unlocking, we're constantly seeing manufacturers which were once before root and unlock friendly randomly changing their mind and quietly removing or severely limiting that feature in the background (Huawei, Xiaomi, now Samsung, etc). You have to remember these manufacturers won't back down from what Google tells them to do if it's for "security" since they're all in each other's pockets so they won't pushback without a good reason.
And if you want to use the typical excuse "allowing bootloader unlocking is unsafe", we've already proved it can work quite well while maintaining security as demonstrated by UEFI's Secure Boot which allows you to enroll custom boot keys (should you wish), while keeping some popular default keys such as Microsoft for Windows, and allowing you to lock the entire firmware config behind a password (which is stored in a security chip in modern motherboards so you can't use the old trick of removing the CMOS battery). That's more security than any regular citizen might need.
This TEE thing is all about control. Google and manufacturers don't like people installing custom firmware or rooting because then they can't keep you in their ecosystem to keep taking your data and hoping you eventually buy s...
45 comments
[ 2.8 ms ] story [ 75.4 ms ] threadAs for me, I already swore off Samdung for their whole Samsung account bs and apps they bundle and won't let me remove (or disable).
Samsung has been doing this for a while now.
Which are the devices/vendors that still allow / encourage this?
Even Graphene OS reported that they're in talks with some vendor... Have there been any updates towards that?
The main reason i used to root devices are:
* Get longer support/OS updates than what the vendor provided
* System level adblock using adaway
* Titanium backup
These days firefox/brave browser gets me half way through adblocking and i lost interest in the ad filled apps..
Syncing gets me good level of syncing for backup on my NAS etc .
It's a big inconvenience but not a showstopper for them. Pixels are still viable.
The only blocker with pixels would be if they stopped allowing OEM unlocking or relocking (which is a must).
GNU/Linux phones (Librem 5 and Pinephone).
The startup we were working with before went bankrupt. In June, we started working with a major Android OEM which has provided resources for identifying everything which will need to be done to meet our requirements and provide official GrapheneOS support. They believe they can meet all our official requirements without much trouble and they're going to determine how much resources they want to put into it soon. We don't yet know how many resources are going to go into it.
> The main reason i used to root devices are
Note using GrapheneOS does not involve rooting.
> System level adblock using adaway
You can use RethinkDNS for filtering combined with still using a WireGuard VPN or multiple chained WireGuard VPNs. Android has a perfectly good API for this.
> Titanium backup
GrapheneOS has a built-in encrypted backup system we plan to significantly improve upon. The basics are there already.
Any opinions? Samsung was a candidate for their somewhat unified ecosystem. Maybe even apple.
You get no ecosystem benefits though, it's really just plain Android.
So it's basically:
Pixel with GrapheneOS > iPhone >> Google Pixel with PixelOS
I wouldn't recommend anything else. Theoretically Fairphone + e/OS may have been an option, but the security is crap.
I guess there is Sony, you could even install Sailfish OS, no experience though.
Lack of current privacy/security patches and the current privacy protections in Android means having very poor privacy too. There's no equivalent to the privacy protections added by GrapheneOS either including ones also offered by iOS now such as iOS having a more basic equivalent to the GrapheneOS Contact Scopes feature since iOS 18 and iOS having better storage/media control than Android similar to Storage Scopes in GrapheneOS.
> I guess there is Sony, you could even install Sailfish OS, no experience though.
SailfishOS is much less private/secure than AOSP and is largely closed source. It's the opposite of a more open OS.
Without supported Consumer Hardware available on the market in sufficient volume, even less end-users will use an alternative OS, which will affect quality and size of the alternative OS-market and fragment the remaining users even more.
This will put the future of the entire alternative-OS ecosystem firmly back into the hands of Google. If they start further restricting BL-unlock on the Pixel-series to e.g. only Google Developer Account-Holders, the whole ecosystem will finally close down.
[1] https://us.community.samsung.com/t5/Galaxy-S22/One-UI-7-0-Up...
https://x.com/kobe_koto/status/1949154478298456531
Absolutely hilarious.
I've bought all my subsequent ones (Note 5, Note 8, Note 11, Note 12Pro) in either HK or UK so they all came with the Global ROM, and I've not felt the need to unlock any of them, so not tried to process since. But it definitely used to be pretty easy.
I suspect the reason for the weird process is legal to ensure that phones in China don't get unlocked in order to circumvent content controls.
The only reason one would unlock a bootloader is to root the system partition. It is impossible to protect data on rooted phones and makes data exfiltration attacks significantly easier to do.
This is a huge problem for banking and music apps that absolutely rely on this capability. Samsung is, by far, the biggest seller of Android phones in the US. (I think Xiaomi is the biggest globally), so they are under much more pressure to clamp down on this.
That said, rooting Samsung devices has been a worthless pursuit for a long time. Doing so irreversibly (via eFuse) disables KNOX, which prevents DeX and Samsung Health from working. It also trips SafetyNet, which disables a whole suite of key apps (banking apps and Apple Music don't work; not sure about Spotify). There's a Magisk module that uses well-known device IDs to work around these, but these only work temporaily. Many people have also reported issues with the camera (a popular reason for buying Samsungs in the first place), and you no longer get OTA updates. I believe you also get degraded camera performance if you flash another ROM since the device module is closed-source and relies on One UI to work. This is before considering that stock ROMs have gotten really good over the years (especially Samsung's), and many of the reasons why we had to root have mostly gone away.
You can work around this by buying a Pixel for now, but I think we're a few years away from bootloader unlocking going away entirely.
That said, I stll root Android devices that will only serve a single-purpose, like my BOOX eBook readers that I use Firefox on. This lets me run AFWall so that I can block network traffic for everything except Firefox (and a few other apps). However, I won't be logging into my Google account on them, and they aren't ever going to run banking apps or anything like that.
Seriously Samsung, go and screw yourselves.
The reason I insist on rooting in the first place is because unlike iOS which has a true full backup that you can trigger from your Mac (and restore afterwards), Android decidedly does not, and a bunch of apps don't do any kind of cloud sync.
I don't know if any US carrier offers them, but last time I was shopping, models with North American radios could be bought online.
My main complaints about Xperia phones:
- They don't support re-locking the bootloader at all, let alone with custom keys. This could be problematic for folks who depend on mobile banking apps that require full Google Play Integrity (SafetyNet) attestation, or risky for folks who leave their phone unattended around potential adversaries. To be fair, almost all smartphones have this problem.
- Their wonderful Xperia Compact line, comprising smaller versions of their flagship phones, seems to have been abandoned. Even their most recent "compact" models were bulky compared to their predecessors.
I tried to find which phones support alternative OSes, without Google control and telemetry, but it turned out that alternative OSes (LineageOS, PostmarketOS, Graphenos) support mostly support outdated models and it makes no sense to buy them. There is also "Google Pixel", but the prices start at around $600 which is 3 times more than a reasonable price for a phone.
So now I am wondering if it is possible to extract the ROM from a reasonably priced Samsung phone, remove the components I don't like and write it back.
And before anyone asks me if I really need to unlock my phone... It's the principle of it, if I bought it, I own it and I should be able to run what I want on it. I will not buy a phone from a company that denies me that right.
That said, I do use root for a few things:
- AFWall+ (previously I used netguard but can't run multiple VPN on android so I couldn't have that running together with tailscale)
- Neo-backup. Some messaging apps believe that keeping chat history is not important. Or they believe that it's fine that the only way to transfer chat history is to upload it to Google cloud without encrypting it. I hate losing my chat history and I do not want it uploaded somewhere without encrypting it so I need a backup solution. Enters neobackup
- Sometimes, it is useful to be able to spoof one's GPS without the app being the wiser from a privacy perspective.
- A very stupid banking app I have prevent screenshots but then doesn't allow me to download a proof of transfer. So I use root to remove the restriction against screenshots
Yes. I was buying Samsung devices for years because of size (A5, A7, S10e) and ability to unlock bootloader for Lineage OS. Time to look elsewhere.
It was already bad with Huawei stopping their unlock program and Google cracking down more on rooting by introducing strong integrity with their new Play Integrity API (which was an upgrade from the older SafetyNet API), basically meaning there is hardware security called the TEE (ARM TrustZone for most phones if you're interested in reading more) built into the ARM processor which "snitches? (lack of better word)" on you if the firmware booted no longer matches the manufacturer signed firmware, and causes you to fail strong integrity which means apps like bank apps can choose to deny you service (Google Wallet does this for NFC payments). There are workarounds which the custom ROM/root community still uses which mainly relies on older leaked cryptographic signing keys from the TEE being used which bypass the phone's TEE and sign the "integrity verdict" in user land to say "all is good" to Google, but Google can easily tell if these keys have been compromised since they track usage, and the storage of these keys just keeps getting better, getting as close to impossible as you can in a modern phone since to extract it would require you to quite literally de-lid the ARM chip and hope you don't break anything in the process while somehow extracting the key, in other words not feasible.
This is all great when it comes to security which Google and all manufacturers have been pushing on, but it comes at a serious cost of ownership, you cannot tell me we truly own our phones when we have literal hardware protection that, quoted right from wikipedia: "code integrity prevents code in the TEE from being replaced or modified by unauthorized entities, which *may also be the computer owner itself*". I don't know about you but a chip (and Google) that dictates what I can and cannot do with my phone doesn't sound like ownership to me.
All these recent changes and events sounds to me that Google is actively pushing and "encouraging" phone manufacturers to disable bootloader unlocking, we're constantly seeing manufacturers which were once before root and unlock friendly randomly changing their mind and quietly removing or severely limiting that feature in the background (Huawei, Xiaomi, now Samsung, etc). You have to remember these manufacturers won't back down from what Google tells them to do if it's for "security" since they're all in each other's pockets so they won't pushback without a good reason.
And if you want to use the typical excuse "allowing bootloader unlocking is unsafe", we've already proved it can work quite well while maintaining security as demonstrated by UEFI's Secure Boot which allows you to enroll custom boot keys (should you wish), while keeping some popular default keys such as Microsoft for Windows, and allowing you to lock the entire firmware config behind a password (which is stored in a security chip in modern motherboards so you can't use the old trick of removing the CMOS battery). That's more security than any regular citizen might need.
This TEE thing is all about control. Google and manufacturers don't like people installing custom firmware or rooting because then they can't keep you in their ecosystem to keep taking your data and hoping you eventually buy s...