Bootloader unlocking
from Wikipedia
An unlocked bootloader, showing additional available options

Bootloader unlocking is the process of disabling the bootloader security that enforces secure boot during the boot procedure. It can allow advanced customizations, such as installing custom firmware. On smartphones, this can be a custom Android distribution or another mobile operating system. Some bootloaders are not locked at all and some are locked, but can be unlocked with a command, a setting or with assistance from the manufacturer. Some do not include an unlocking method and can only be unlocked through a software exploit.

Bootloader unlocking is also done for mobile forensics purposes, to extract digital evidence from mobile devices, using tools such as Cellebrite UFED.

Background

Unlocking the bootloader allows installing and running unsigned code on a device, including user-customized software. Operating outside the manufacturer's specification usually results in voiding any warranties and may make the device susceptible to data theft, as the integrity of the operating system (as intended by the manufacturer) can no longer be guaranteed.[1] On Chromebooks, enabling developer mode makes the system less secure than a standard laptop running Linux.[2] Unlocking the bootloader may require reinitialization, formatting to factory settings, or otherwise lead to data loss on Android and ChromeOS devices. This is because some user data is impossible to back up without root permission. Unlocking also causes certain security apps to stop working, such as Samsung Knox, for which the counter would be stuck at "0x1".

Sascha Segan from PCMag considered a locked bootloader a mistake on the Qualcomm Snapdragon Insiders phone, which is targeted at advanced users.[3]

Platforms

Unlocking the bootloader is typically a prerequisite for obtaining root access and/or installing a custom ROM.

Android bootloader unlocking as of 2025

Google
Difficulty level: Easy (non-Verizon); Medium[4] (Verizon)
Method: Command-line (unlocked variant, not restricted to carrier, and non-Verizon carrier variants when paid off fully)

Samsung
Difficulty level: Complicated
  • Some very old Android versions - available with usual flashing tools.
  • North American versions
    • Below the March 2021 security update - not freely available, but commercially available (requires unlock tokens that are officially unobtainable but are obtained by third parties through means not yet publicly known and resold as shady paid services on Telegram and Discord); modified flashing tools and firmware are additionally required[5][6].
    • Above the March 2021 security update - unavailable.
  • Other versions
    • Below One UI 8.0 - freely available.
    • Any versions above One UI 8.0 - unavailable[7]
Method: Enable the option that allows OEM unlock (if it exists) in Development settings, then unlock the bootloader in Download mode.

Samsung Knox (on supported[8] devices) will be permanently tripped if modified or custom firmware is flashed, so Samsung Wallet, Secure Folder and applications that make use of the Knox framework will be permanently unusable even if the bootloader is re-locked.

Prior to One UI 8.0, devices sold outside of North America had the OEM Unlock option to unlock the bootloader.

From One UI 8.0, Samsung has removed the ability to unlock the bootloader in all regions.[9][10]

OnePlus
Difficulty level: Easy (non-T-Mobile); Medium (T-Mobile)
Method: Command-line, except on T-Mobile US variants where an unlock code is needed

Xiaomi
Difficulty level: Hard (MIUI powered devices); Very Hard (non-Chinese HyperOS powered devices); Impossible (China Mainland)
Method: Requires a 3-7 day old Mi account (limited to one device per month and three devices per year).

On devices with Xiaomi HyperOS outside mainland China, you need to request bootloader unlock permissions in the Xiaomi Community app before proceeding with bootloader unlocking. Requires a 1-month-old Xiaomi account.

For Mainland China devices with HyperOS, bootloader unlock has not been available since February 2025.

Asus
Difficulty level: Impossible
Method: Unavailable since August 2023, when first-party apps were removed and servers were shut down.

Sony
Difficulty level: Medium
Method: Command-line, request code at Sony website

Fairphone
Difficulty level: Medium
Method: Command-line, request code at Fairphone website or forum

Motorola
Difficulty level: Varies widely between model and SoC manufacturer[11]; Medium (except Verizon, AT&T, TracFone); Impossible (Verizon, AT&T, TracFone)
Method: Command-line, request code at Motorola website

Realme
Difficulty level: Medium-Hard (China Mainland and India); Impossible (global)
Method: Command-line, after installation of the in-depth test app and submitting an application for in-depth testing.

Nothing
Difficulty level: Easy
Method: Command-line

Huawei
Difficulty level: Medium-Hard (Kirin SoCs, select Huawei phones); Impossible (others)
Method: Select Huawei phones using the Kirin SoC can have their bootloader unlocked unofficially via potatonv: https://www.xda-developers.com/huawei-honor-bootloader-unlock-potatonv/

For other devices, bootloader unlock has not been available since July 2018.

OPPO
Difficulty level: Easy (MediaTek, or phones bought in mainland China[12]); Medium (Snapdragon)
Method: Only certain Snapdragon-powered OPPO phones can be unlocked[13][better source needed] without a third-party paid tool such as UnlockTool.[citation needed] Unlocking is possible on some MediaTek SoCs via MTKClient. Note that certain fastboot binaries have been removed, or locked by RSA key.

MediaTek: MTKClient can be used for older devices, which sometimes requires using the MTK bypass utility beforehand. This is unfeasible on modern MediaTek SoCs, as they require a download agent file signed by the OEM and this file is not typically distributed.

Any phones bought from mainland China and on the depth test's device support lists: depth test regardless of SoC (the depth test app can be downloaded from Oppo's website). Command line using adb and fastboot.

HMD-Nokia
Difficulty level: Medium (select models, e.g. Nokia 8); Impossible (others)
Method: Possible with unofficial unlocking methods[14]

Vivo
Difficulty level: Impossible as of May 2022.[15]
Method: N/A

LG
Difficulty level: Hard
Method: Possible[16][better source needed] by flashing bootloaders with QFIL utility (unofficial).

Tecno
Difficulty level: Medium
Method: Command-line. Requires Tecno ID account at least two weeks old.

Infinix
Difficulty level: Medium
Method: Command-line. Requires Infinix ID account at least two weeks old.

Itel
Difficulty level: Medium
Method: Command-line. Requires Itel ID account at least two weeks old.

TCL
Difficulty level: Medium (Ion V only); Unknown (others)
Method: For the Ion V mobile phone, you can use a Python tool to reboot to a normally hidden fastboot.

Amazon
Difficulty level: Medium
Method: Command-line and unofficial. Requires using Linux to brick the device temporarily.[17][better source needed]

History

The bootloaders of Nexus and Pixel devices can be unlocked with fastboot.[18]

When Motorola released a bootloader unlocking tool for the Droid Razr, Verizon removed the tool from their models.[19]

In 2011, Sony Ericsson released an online bootloader unlocking tool.[20] Sony requires the IMEI number to be filled in on their website.[21] For the Asus Transformer Prime TF201, Asus has released a special bootloader unlock tool.[22]

In 2012, Motorola released a limited tool for unlocking bootloaders.[23] They require accepting terms and conditions and creating an account before the bootloader can be unlocked for your Motorola device.[24]

A 2012 article by The Verge called the unlockable bootloaders a 'broken promise' and called for a fix.[25]

HTC phones have an additional layer of lock called "S-OFF/S-ON".

Bootloaders can be unlocked using an exploit or using a method supplied by the vendor. The latter method usually requires wiping all data on the device.[26] In addition, some manufacturers prohibit unlocking on carrier-locked phones. Although Samsung phones and cellular tablets sold in the US and Canada do not allow bootloader unlocks regardless of carrier status, a service has allowed users on an earlier version to unlock their US/Canadian Samsung phone(s) and/or tablet(s).[27][28]

In 2018, a developer from XDA Developers launched a service which allowed users to unlock the bootloader of some Nokia smartphone models.[29] Similarly, another developer from XDA Developers launched a service to allow users to unlock the bootloaders of Samsung Galaxy S20 and Samsung Galaxy S21 phones.

Huawei announced plans to allow users to unlock the bootloader of the Mate 30 series, but later retracted that.[30] Huawei has stopped providing bootloader unlock codes since 2018.[31] A bootloader exploit named checkm30 has been developed for HiSilicon based Huawei phones.[32][non-primary source needed]

When the bootloader of the Samsung Galaxy Z Fold 3 was unlocked, the camera became less functional. This could be restored by re-locking the bootloader.[33] This issue was later fixed by Samsung.[34] For the Samsung Galaxy S22 series, unlocking the bootloader has no effect on the camera.[35]

Others

Microsoft

The WPInternals tool is able to unlock bootloaders of all Nokia Lumia phones running Windows Phone, but not phones like the Alcatel Idol 4 or HP Elite x3.[36][37] Version 1.0 was released in November 2015.[38] In October 2018, the tool was released as open source software when the main developer René Lergner (also known as HeathCliff74) stepped down.[39]

The slab bootloader used by Windows RT could be unlocked using a vulnerability, but the vulnerability was silently patched by Microsoft in 2016.[40] UEFI Secure Boot on x86 systems can generally be unlocked.

Apple

The boot ROM protection on iOS devices with an A11 processor or older can be bypassed with a hardware exploit known as checkm8, which makes it possible to run other operating systems including Linux.[41]

The bootloader on Apple Silicon-based Macs can be unlocked.[42] However, other Apple devices like the iPhone and iPad cannot be bootloader unlocked even when using the same chip used in a Mac.

Google

The equivalent of bootloader unlocking is called developer mode in Chromebooks.[43] Chromebooks use custom bootloaders that can be modified or overwritten by removing a Write-protect screw.[44] Some models lack a screw and instead may or may not require disabling the onboard Cr50 chip.[1]

In 2013, the bootloader of the Chromecast was hacked using an exploit.[45] In 2021, it was hacked again for newer versions.[46] In 2023, it was reported that the Chromecast HD could be unlocked without exploit.[47]

Asus

Asus used to provide an unlocking tool for both of their smartphone lines, the Zenfone and ROG Phone. It was distributed as an .apk file that the user could install on their phone and then use to unlock the bootloader. The app worked by contacting Asus unlocking servers, then prompting the user to perform a factory reset.

In 2023 Asus removed the tool from their website and closed the unlocking servers, so even phones with the .apk file installed couldn't unlock their bootloaders. Representatives on the Asus forums claimed the tool would be available again, but as of March 2024 no additional information has been provided, even after the release of their latest device the ROG Phone 8 and the upcoming release of the Zenfone 11 Ultra.

A user on the popular forum XDA filed a court claim application against Asus due to the unlock tool never being released and alleged that Asus censored comments about the unlock tool on their forum.[48]

SpaceX

In August 2022, security researcher Lennert Wouters applied a voltage injection attack to bypass firmware verification of a Starlink satellite dish from SpaceX.[49]

Relocking

After unlocking a bootloader, some devices allow users to relock it. Relocking is typically done to restore the device to a factory-like state, often for warranty purposes or to re-enable certain security features like verified boot. This process is usually carried out through fastboot commands or manufacturer-specific software.

However, the ability to relock a bootloader varies significantly across manufacturers and device models. Some manufacturers provide official methods to relock the bootloader without issue, especially if the device is running official, signed firmware. In contrast, other devices may experience functionality issues after relocking—such as the loss of access to certain features or the risk of a "soft brick"—particularly if any system modifications remain or if unofficial firmware is installed.

Importantly, relocking the bootloader does not always reverse all changes made during the unlocking process. For example, some devices will retain a bootloader unlock flag or record in the hardware's tamper logs, which may still void warranties or affect access to services like DRM-protected content.

As a result, users are advised to consult manufacturer-specific guidelines and ensure that all system components are restored to their official state before attempting to relock the bootloader.[50]
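
A read-only check that can be run before and after relocking, added here as an example (it is not code from the article or from any vendor): it parses the output of adb shell getprop and reports whether the lock state and verified-boot state agree and whether a tamper flag survived the relock. The property names are standard Android boot properties that the article does not name, ro.boot.warranty_bit is assumed to be the Samsung tamper flag, and the sample dumps are constructed.

```python
"""Classify an Android device's bootloader state from `adb shell getprop` output."""
import re
from dataclasses import dataclass, field

# getprop prints one property per line as: [name]: [value]
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Verified-boot colours mapped to the lock state they imply.
VB_STATES = {
    "green": "locked",     # locked, verified against the OEM root of trust
    "yellow": "locked",    # locked, verified against a user-set root of trust
    "red": "locked",       # locked, but verification failed
    "orange": "unlocked",  # unlocked, nothing is verified
}

# Assumption: vendor-specific (Samsung) flag that stays set once tripped.
TAMPER_PROP = "ro.boot.warranty_bit"

# Constructed sample dumps (not captured from real devices).
SAMPLE_STOCK = """
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
[sys.oem_unlock_allowed]: [0]
"""
SAMPLE_UNLOCKED = """
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[sys.oem_unlock_allowed]: [1]
"""
SAMPLE_RELOCKED = """
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.warranty_bit]: [1]
"""
SAMPLE_MISMATCH = """
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [unlocked]
"""


def parse_getprop(text: str) -> dict:
    """Return {property: value}; lines that are not properties are ignored."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


@dataclass
class BootReport:
    state: str
    findings: list = field(default_factory=list)


def assess(props: dict) -> BootReport:
    """Combine the three lock-state sources and flag disagreement."""
    flash_locked = props.get("ro.boot.flash.locked")
    vb_state = props.get("ro.boot.verifiedbootstate")
    vbmeta_state = props.get("ro.boot.vbmeta.device_state")

    votes = set()
    if flash_locked in ("0", "1"):
        votes.add("locked" if flash_locked == "1" else "unlocked")
    if vbmeta_state in ("locked", "unlocked"):
        votes.add(vbmeta_state)
    if vb_state in VB_STATES:
        votes.add(VB_STATES[vb_state])

    if not votes:
        return BootReport("unknown", ["no lock-state properties present"])
    if len(votes) > 1:
        return BootReport("inconsistent",
                          ["lock-state properties disagree; values may be falsified"])
    if votes == {"unlocked"}:
        return BootReport("unlocked", ["verified boot is not enforced"])

    # Every source says "locked": refine by verified-boot colour.
    if vb_state == "red":
        report = BootReport("verification-failed")
    elif vb_state == "yellow":
        report = BootReport("locked-custom-key")
    else:
        report = BootReport("locked")
    if props.get("sys.oem_unlock_allowed") == "1":
        report.findings.append("OEM unlocking toggle is still enabled")
    if props.get(TAMPER_PROP) == "1":
        report.findings.append("vendor tamper flag set despite locked state")
    return report


if __name__ == "__main__":
    for name, dump in [("stock", SAMPLE_STOCK), ("unlocked", SAMPLE_UNLOCKED),
                       ("relocked", SAMPLE_RELOCKED), ("mismatch", SAMPLE_MISMATCH)]:
        result = assess(parse_getprop(dump))
        print(f"{name}: {result.state} {result.findings}")
```

These properties are reported by the running system, so a rooted device can falsify them; treat the result as inventory data and rely on hardware-backed attestation where the decision matters.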

VNeID app changes

According to information from technology groups in Vietnam, after updating to version 2.1.6 of the VNeID application, released on May 30, 2024, some Android phone users have received the warning: "Your device is not safe, there is a risk of containing malicious code...". As a result, users are sent back to the main screen and cannot use the VNeID application, even though before the update they could still log in and use it normally.

This is because the VNeID 2.1.6 update added new security measures that stop the app from working on Android devices with root access, an unlocked bootloader or developer mode enabled. To use the app, users must disable root access on the device, relock the bootloader and turn off developer options.

Shutdown of online services

In 2018, Huawei stopped providing bootloader unlock codes.[51] On 31 December 2021, LG shut down their website which provided bootloader unlock codes.[52] In August 2023, ASUS removed the unlocking tool from their website and shut down the servers used to unlock the bootloader.[53]

from Grokipedia
Bootloader unlocking is the process of disabling the security restrictions on a device's bootloader, the low-level software that initializes hardware and loads the operating system during startup, thereby allowing users to flash , install alternative operating systems, or perform modifications such as rooting on compatible mobile devices. This feature is most commonly associated with Android devices, where manufacturers ship products with the bootloader locked by default to enforce secure boot and prevent unauthorized changes that could compromise device integrity or user data. Unlocking provides advanced users, developers, and enthusiasts with greater control over the device's software environment, enabling the installation of custom recoveries, kernels, or full ROMs to customize functionality, enhance , or test experimental features.

The process typically begins with enabling the "OEM unlocking" option in the device's Developer settings, which verifies the user's intent and device eligibility through the 's get_unlock_ability property set to 1. Once enabled, the device is rebooted into mode—often via commands like adb reboot bootloader or hardware key combinations—and the unlocking is executed using the fastboot flashing unlock command from a connected computer. This action prompts a critical warning about potential issues with unofficial images, followed by an automatic factory reset to erase all user data and prevent unauthorized access to sensitive information. The unlock state persists across reboots, but for security, the device clears non-essential RAM during the process and on subsequent boots to mitigate risks like leakage from previous sessions.

While unlocking expands customization possibilities, it carries significant risks and implications. Unlocking the bootloader may void the manufacturer's warranty, depending on the device and region (for example, it does not on devices but often does on others like ). It bypasses verified boot mechanisms that ensure only signed software runs, potentially exposing the device to or instability if incompatible images are flashed. Additionally, some carriers or manufacturers, like certain models, restrict unlocking to maintain security features such as Knox, which could permanently disable advanced protections once altered. Users must back up data beforehand, as the reset is mandatory, and relocking the bootloader via fastboot flashing lock is possible but recommended only after verifying the flashed images to restore secure boot without issues. Overall, unlocking remains a foundational step for Android modding communities but is advised only for those with technical expertise.

Fundamentals

Definition and Purpose

A bootloader is the initial that executes upon powering on a , responsible for initializing hardware and loading the operating system kernel. It enforces secure mechanisms to verify the integrity and authenticity of the software it loads, thereby preventing the execution of unauthorized or tampered that could device security.

In addition to security considerations, Android original equipment manufacturers (OEMs) lock bootloaders partly for commercial reasons, to protect revenue streams from system-level advertisements and push notifications. Unlocking the bootloader and gaining root access enables users to block or remove these features, which directly impacts profits for vendors such as Xiaomi and OPPO.

Bootloader unlocking refers to the process of disabling these secure boot restrictions, which typically involves bypassing cryptographic signature verification. This allows the device to boot unsigned or custom software, such as modified kernels, custom ROMs, and alternative recovery environments.

The primary purposes of unlocking include enabling the installation of for enhanced functionality or development, gaining access to the operating system for advanced user privileges and system modifications, facilitating mobile forensics to extract data using specialized tools like , and supporting hardware-level alterations such as or sensor tweaks.

The general steps for bootloader unlocking begin with enabling the OEM unlocking option in the device's developer settings, which verifies the user's intent and device eligibility. The device is then rebooted into mode, often via a command-line tool like ADB, followed by executing the fastboot flashing unlock command to initiate the process. This typically triggers a confirmation prompt on the device, after which a factory reset occurs to wipe user data and mitigate potential security risks.

Risks and Benefits

Unlocking a device's bootloader offers several advantages, primarily centered on user control and device utility. It enables enhanced customization by allowing the installation of modified and user interfaces, such as altering system themes, animations, or navigation gestures, which are often restricted in stock operating systems. Additionally, it facilitates the use of custom ROMs, which can extend the device's lifespan by providing ongoing software updates and security patches long after the manufacturer has ended official support; for instance, devices like the can receive Android 15 or later through community-developed ROMs, reducing and the need for premature hardware replacement. Unlocking also grants access to privileges, permitting advanced system tweaks like optimizing battery performance, removing bloatware, or integrating specialized modules for audio enhancement and . In professional contexts, such as mobile forensics, an unlocked bootloader allows tools to elevate privileges during the for extracting encrypted , aiding investigations without full device decryption.

However, these benefits come with significant security risks. An unlocked bootloader bypasses secure boot mechanisms, which verify the integrity of the operating system and before loading, thereby exposing the device to unsigned or malicious code that could introduce during the boot sequence. This vulnerability increases the , particularly with physical access, allowing potential data theft or implantation of backdoors, as the bootloader no longer enforces cryptographic checks on loaded components. On devices with advanced security like , unlocking permanently trips a hardware fuse, disabling features such as real-time kernel protection and encrypted data vaults, rendering the system unable to attest its integrity to apps or networks.

Practically, bootloader unlocking often requires a mandatory factory reset on most Android devices, erasing all user data to mitigate risks from unauthorized access, which can disrupt workflows and necessitate backups. It typically voids manufacturer warranties, as the process modifies core system components outside official support, leaving users liable for any hardware or software failures. Furthermore, it leads to incompatibility with security-sensitive applications, such as or digital wallets, which detect the unlocked state and refuse to operate; for example, Samsung Knox's tripped status blocks features like Secure Folder and indefinitely.

Legally, unlocking may violate the device's or end-user license agreements, as manufacturers like explicitly warn that it waives all warranties and assumes user responsibility for compliance with applicable laws, potentially exposing individuals to liability for network disruptions or unauthorized modifications. It can also breach carrier contracts if operating an unlocked device on a network without approval, as some carriers prohibit modifications that could affect network integrity. While not inherently illegal, in regions with stringent cybersecurity regulations, such as the EU's updated Radio Equipment Directive effective August 1, 2025, which requires protections against unauthorized software installation, some manufacturers have disabled bootloader unlocking on devices sold there to ensure compliance, though the directive does not explicitly prohibit unlocking. For instance, as of 2025, has removed the OEM unlocking option in 8 for EU-sold devices to align with these requirements.

Android Devices

Historical Development

The historical development of bootloader unlocking in the Android ecosystem traces back to the platform's inception in , when its open-source nature under the Android Open Source Project (AOSP) facilitated early modifications, including on the ( G1), which shipped with an unlocked bootloader to encourage developer experimentation. This developer-friendly approach extended to subsequent devices from HTC and , where community efforts often enabled unlocks without official resistance, aligning with Android's ethos of customization and openness. By 2010, Google advanced the process with the , introducing the standardized fastboot oem unlock command via the , allowing users to disable secure boot verification and flash custom firmware directly.

A pivotal milestone occurred in 2011, when formalized its policy encouraging bootloader unlocking to foster innovation; this prompted OEMs like HTC to commit to unlockable bootloaders on all devices released after September 2011, using a web-based tool for developers and enthusiasts. followed suit by announcing plans to unlock portions of its portfolio, marking a shift toward official support amid growing developer demand. However, carrier interventions began to counter this momentum; Verizon, for instance, enforced locked bootloaders on 's Droid series starting with the in July 2010, citing and compatibility concerns, a policy that persisted through devices like the DROID Bionic in 2011 and DROID 4 in 2012. Despite these restrictions, maintained unlocked bootloaders on its lineup—and later devices—to provide factory images and tools for developers, reinforcing Android's role as a platform for customization.

In the , the landscape shifted toward greater restrictions as manufacturers prioritized amid evolving threats, with post-Android 10 updates emphasizing verified boot and hardware-backed protections to prevent unauthorized modifications. This era saw increased bootloader locks to comply with integrity checks like Google's Play Integrity API, which flags unlocked devices as potentially compromised, partly in response to vulnerabilities exposed by geopolitical tensions. Notable milestones include Huawei's May 2018 policy ceasing unlock codes for all new devices to enhance and , affecting models launched after that date, and LG's December 2021 shutdown of its entire bootloader unlocking service, ending official support for custom development on its Android phones. These changes reflected a broader industry trend balancing with fortified defenses against exploits.

Manufacturer-Specific Methods

Bootloader unlocking procedures on Android devices vary significantly by manufacturer, reflecting differences in implementations, carrier agreements, and corporate policies. As of 2025, maintains relatively straightforward support for its and lineages, while other vendors impose increasing restrictions to enhance device security and comply with regional regulations.

For and devices, unlocking is achieved through the Android Debug Bridge (ADB) and tools, specifically by enabling the OEM unlocking toggle in developer options, then issuing the fastboot flashing unlock command, which wipes all user data as a security measure. Non-Verizon models receive full official support, allowing users to obtain unlock codes directly without additional barriers, though the process requires a USB connection to a computer with platform-tools installed. This method remains accessible for the 10 series (released August 2025) and earlier supported models, ensuring compatibility with custom recoveries and ROMs.

Samsung's approach historically involved enabling OEM unlocking and USB debugging in developer options, powering off the device, entering download mode by holding Volume Up and Volume Down buttons while connecting to a PC via USB, and long-pressing Volume Up to confirm the unlock, which wipes all user data and trips the Knox security counter. This procedure applied to supported models like the Galaxy S20 FE, particularly international variants with Exynos chipsets, but was unavailable on many US Snapdragon models due to carrier restrictions that prevent official unlocking. The process was complicated by the Knox security suite, which flags modifications and voids warranty protections. However, with the release of 8.0 on July 26, 2025, Samsung fully removed bootloader unlocking capabilities across all models, eliminating the OEM unlock toggle from settings and stripping related code from the to prevent rooting and custom installations globally. This policy shift applies to devices like the Galaxy S25 series, rendering official unlocks impossible without exploits, which are not endorsed by the manufacturer.

OnePlus devices generally support a fastboot-based unlock for non-carrier variants, involving the activation of OEM unlocking in settings followed by the fastboot oem unlock command after connecting to for verification. However, starting August 2025 with 16 (based on Android 16), users must submit an official application for approval through channels before proceeding, adding restrictions for security and stability on eligible new devices. T-Mobile variants require a paid unlock token from support or reliance on unofficial exploits due to carrier locks, as seen in models like the OnePlus 12, where standard fastboot access is restricted without authorization. This approach balances accessibility for unlocked users with carrier-specific and evolving security constraints.

OPPO maintains a strict policy against official bootloader unlocking across its devices, a practice in place for years to enforce security and ecosystem integrity. This restriction partly serves commercial purposes by protecting revenue from system-level ads and push notifications, as unlocked devices would enable users to root and remove these features, thereby impacting vendor profits. Users of models like the Reno series must resort to unofficial methods, which are not supported by OPPO and may void warranties or pose security risks.

Xiaomi employs the official Mi Unlock application for bootloader unlocking on eligible global models, requiring users to bind their Mi Account, enable developer options, and endure a mandatory 168-hour (seven-day) waiting period after initial setup to prevent unauthorized access, after which the tool facilitates the unlock via . Since early 2025, including February updates, stricter policies have been implemented, particularly for Chinese variants, limiting unlocks to one per account annually with extended waiting periods (up to 180 days in some cases); these measures are driven by security and regional mandates but also aim to safeguard revenue from system-level ads and push notifications by hindering rooting that allows their removal, affecting devices like the 14 series and often necessitating third-party services or bypass methods.

To check if a Motorola device is eligible for bootloader unlocking, users should consult Motorola's official bootloader unlock portal and verify the exact model number in Settings > About phone. Motorola's process begins with toggling OEM unlocking in developer options on supported models, followed by booting into fastboot mode and running fastboot oem get_unlock_data to generate a key, which is then submitted to Motorola's official unlock portal for approval before executing fastboot oem unlock to complete the procedure, again wiping device data. Some Verizon models remain permanently locked without viable exploits, as carrier firmware excludes bootloader unlock eligibility entirely, impacting devices such as the Moto G series purchased through Verizon.

Other Platforms

Apple Devices

Apple's iOS devices, including iPhones and iPads, employ a highly integrated architecture where the is locked by the Secure Enclave, a dedicated that enforces cryptographic verification of components to prevent unauthorized execution. This mechanism ensures that only signed from Apple can load, isolating the main application processor from potential tampering. The Secure Enclave processes integrity checks independently, using hardware-rooted keys to validate each stage of the chain, making traditional bootloader unlocking impossible without exploiting low-level vulnerabilities.

For devices with A5 through A11 chips ( through X), permanent bootloader unlocking can be achieved using the checkm8 bootrom exploit, a hardware-level in the that allows entry into a pwned DFU mode, bypassing Secure Enclave protections. Discovered by security researcher axi0mX in 2019, checkm8 targets the ARM TrustZone implementation and cannot be patched via software updates since it resides in read-only . Tools like ipwndfu leverage this exploit to flash custom bootloaders, enabling persistent modifications such as jailbreaks. For devices with A12 and later chips ( and subsequent models), no such permanent hardware exploits exist as of November 2025, with modifications limited to temporary software-based jailbreaks where available.

Historically, iOS versions 4 through 10 exhibited greater vulnerability to jailbreaks due to less mature Secure Enclave implementations and exploitable kernel bugs, allowing widespread use of tools like redsn0w and evasi0n. Post-2018, Apple has aggressively patched many vectors through security updates, such as those addressing and kernel flaws in and later, significantly raising the bar for new exploits; for instance, iOS 12.1.4 included fixes for vulnerabilities that could enable . For A12 and later devices, software-based jailbreaks like unc0ver use kernel vulnerabilities to gain access without altering the directly, though these are semi-tethered or untethered and require re-jailbreaking after reboots or updates, with support limited to older versions (up to iOS 14.8 as of 2021). As of November 2025, no permanent unlocking methods are available for devices with A12 and later chips, with software-based jailbreaks increasingly restricted on and beyond. These methods invariably require physical access to the device and specialized tools, often running on a separate computer in DFU or recovery mode.

On the macOS side, Intel-based Macs with the T2 security chip (introduced in 2018) can bypass bootloader restrictions via USB DFU mode, exploiting a debug interface left enabled that allows forced entry into update state for root access. This , demonstrated in 2020, combines checkm8-like flaws in the T2's ARM-based core with USB-C messaging to load custom payloads, potentially disabling Secure Boot. For Macs (M1 and later), bootloader unlocking remains limited, with no full permanent exploits available; however, users can officially adjust security policies in the Startup Security Utility (accessible in Recovery mode) to enable reduced security, allowing loading of unsigned kernel extensions from identified developers and booting from external media for development or legacy support. These approaches often involve tools like OpenCore for patching processes on compatible hardware, though they are not true bootloader unlocks.

Apple provides no official support for bootloader unlocking on any devices, explicitly warning that such modifications void warranties and expose systems to risks including permanent bricking from failed flashes or corrupted . Unlocking is typically pursued for unsigned apps outside the or performing firmware downgrades to vulnerable versions for further customization, but it compromises the device's protections and increases susceptibility to . Physical access and precise execution are mandatory, with errors potentially rendering the hardware inoperable.

Microsoft and Miscellaneous Devices

Bootloader unlocking on platforms primarily involved legacy tools for devices, particularly Nokia Lumia models, during the 2014-2016 period. The WPInternals tool, developed by the Windows Phone hacking community, allowed users to unlock the bootloader on supported Lumia devices running or , enabling access and installation. This process also facilitated an "interop unlock," which permitted of unsigned applications and access to developer-only features otherwise restricted by 's ecosystem. However, these methods were limited to specific hardware variants, such as Lumia 520, 620, and 920 series, and required careful execution to avoid bricking the device.

For Windows RT devices, such as the RT tablet, bootloader unlocking relied on exploiting vulnerabilities in the secure boot implementation until a critical patch in July 2016. Prior to this update, researchers and enthusiasts used techniques like the "Golden Keys" method or USB-based payloads to bypass locks, allowing installation of alternative operating systems or unsigned code. The 2016 firmware update from closed this loophole by strengthening secure boot verification, rendering further unlocks impossible on updated devices without hardware modifications. This effectively ended community-driven customization for Windows RT hardware post-patch.

On OS devices like Chromebooks, bootloader unlocking is achieved through enabling developer mode, a built-in feature that disables OS verification and allows custom kernels or alternative operating systems. Activating developer mode involves a hardware key combination during —typically Escape + Refresh + Power—followed by a confirmation to wipe all local data via a "powerwash" process, which resets the device to factory settings and erases user files. Once in developer mode, verified can be bypassed to load unsigned , but system updates automatically re-enable verified unless the device remains in this mode, potentially requiring repeated reconfiguration. This approach, while accessible, compromises the device's model and is intended for developers rather than end-users.

Asus ROG gaming phones previously supported bootloader unlocking via an official app provided by the manufacturer, which connected to Asus servers to verify and authorize the process for models like the and 5. This tool enabled rooting and custom ROM installation, aligning with Asus's developer-friendly policies in the early . However, since August 2023, unlocking has become impossible due to the permanent shutdown of Asus's unlock servers, affecting all ROG models regardless of release date, as confirmed by support communications. No alternative official methods exist, leaving these devices locked to stock .

A notable hardware-based example outside traditional mobile platforms is the satellite terminal, where access was demonstrated through a attack in August 2022. Security researcher Lennert Wouters developed a $25 that uses voltage glitching on the pins to bypass secure boot protections, allowing execution of custom code on the terminal's embedded processor. This non-software method requires physical access and soldering to the hardware but enables installation of unauthorized firmware, potentially for research or modification of satellite connectivity features. Unlike software unlocks, it highlights vulnerabilities in embedded systems where traditional tools are unavailable.

Relocking

Procedures

The process of relocking a bootloader generally involves re-enabling secure boot verification to restore the device's original security state, typically requiring the reinstallation of official stock firmware to ensure compatibility with verified boot mechanisms. This step clears any modifications made during unlocking, such as custom recoveries or ROMs, and sets a persistent flag to enforce signature checks on subsequent boots. On compatible Android devices, the primary command is fastboot flashing lock executed in bootloader mode, which performs a factory reset and locks the device against unauthorized flashes.

For Android devices, the procedure varies by manufacturer but centers on reverting to stock firmware before issuing the lock command. On Google Pixel devices, users must first flash the official factory image using the Android SDK platform-tools to restore signed partitions, followed by entering fastboot mode (via adb reboot bootloader or volume key combinations) and running fastboot flashing lock to re-enable secure boot. This process wipes all user data and verifies the bootloader state through Android Verified Boot, ensuring only OEM-signed images load. For Samsung devices, relocking entails downloading the official stock ROM from authorized firmware repositories and flashing it via the Odin tool in download mode, which includes the bootloader partition (BL) to restore secure verification; the device then auto-relocks upon reboot with unmodified stock software. However, some Samsung models implement permanent locks after modifications, preventing relocking without service center intervention.

Relocking on Apple devices is uncommon due to the tightly integrated secure boot chain, but it can be achieved by restoring a signed version through recovery or DFU mode using official tools like Finder or , which reinstalls the full signed firmware and re-establishes the chain of trust from the onward. Exploits like checkm8, which target the immutable on devices from to X (A5 to A11 chips), create semi-permanent unlocks that cannot be fully reversed without hardware replacement, as the vulnerability persists across software restores.

After relocking, verification confirms the process by booting into the bootloader mode, where a locked state displays no unlock warning and enforces signature checks via Android Verified Boot or Apple's Secure Enclave; commands like fastboot getvar all or visual indicators (e.g., a secure lock icon) can further attest to the status. In some cases, particularly with carrier-locked devices, relocking may necessitate re-certification to restore network privileges or DRM levels like Widevine L1, though bootloader status itself remains independent of SIM unlocks.
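The post-relock check described above can be automated. The following is an added example, not part of the original article: it cross-checks the bootloader's own answer from fastboot getvar all against the verified boot state the running OS reports through adb shell getprop. The sample outputs are constructed, and it assumes the device exposes the fastboot variable "unlocked" and the property ro.boot.verifiedbootstate, which not every vendor does.

```python
import re

# Constructed sample outputs for illustration; not captured from a real device.
FASTBOOT_GETVAR_ALL = """\
(bootloader) product:exampledevice
(bootloader) secure:yes
(bootloader) unlocked:no
Finished. Total time: 0.010s
"""
GETPROP = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
"""

def parse_getvar(text):
    """Parse 'name:value' lines, with or without the '(bootloader)' prefix."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"(?:\(bootloader\)\s*)?([\w.-]+):\s*(.*)$", line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2).strip().lower()
    return found

def parse_getprop(text):
    """Parse '[key]: [value]' lines as printed by `adb shell getprop`."""
    pairs = re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M)
    return {key: value.strip().lower() for key, value in pairs}

def relock_verdict(getvar_text, getprop_text):
    """Return (ok, problems); ok is True only when every check passes."""
    fb, props = parse_getvar(getvar_text), parse_getprop(getprop_text)
    problems = []
    unlocked = fb.get("unlocked")
    if unlocked is None:
        # Never assume "locked" when the bootloader gave no answer.
        problems.append("bootloader did not report 'unlocked'")
    elif unlocked != "no":
        problems.append(f"bootloader reports unlocked:{unlocked}")
    # green = locked and booting an image verified against the OEM root of trust
    state = props.get("ro.boot.verifiedbootstate")
    if state != "green":
        problems.append(f"verifiedbootstate is {state}, expected green")
    # These two are not reported by every device: flag only contradictions.
    for key, want in (("ro.boot.flash.locked", "1"),
                      ("ro.boot.vbmeta.device_state", "locked")):
        if key in props and props[key] != want:
            problems.append(f"{key} is {props[key]}, expected {want}")
    return (not problems, problems)
```

Property values are reported by the running operating system, so the bootloader's own answer in fastboot mode is the stronger of the two signals.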

Limitations

Relocking a bootloader after unlocking and performing custom modifications often proves irreversible in practice, as alterations such as repartitioning the storage or flashing incompatible can violate the device's integrity checks, preventing a successful relock without bricking the hardware. On devices, unlocking the permanently trips the Knox security counter via an e-fuse, which cannot be reset even after relocking, thereby disabling features like Secure Folder and indefinitely.

Across platforms, relocking introduces significant risks of device failure. In Android ecosystems, attempting to relock with residual custom changes frequently results in a hard , where the device becomes unresponsive due to failed verified boot processes that detect inconsistencies in the boot chain. For Apple devices, factory restores via or Finder do not fully reset the Secure Enclave, as hardware-bound keys and tamper indicators persist, potentially leaving traces of prior modifications that could affect future security features like or . On Windows Phone devices unlocked via WPInternals, the process modifies secure boot fuses in a way that renders relocking impossible, leaving the bootloader permanently open.

Security limitations persist post-relock, as the process does not retroactively erase any exposure that occurred during the unlocked state, such as potential unauthorized access to unencrypted files or keys before a wipe. Additionally, verified mechanisms on Android can still detect prior tampering through hash mismatches or chain-of-trust violations, triggering warnings or failures even after relocking.

Practical barriers further complicate relocking, including the permanent loss of custom features like root access or third-party recoveries, which cannot be reinstated without re-unlocking. On devices like those from , relocking typically requires official Mi Flash Tool scripts such as "flash_all_lock.bat," but these become unavailable or ineffective after extensive modifications, as the tool enforces a clean official ROM state that custom setups violate.

Developments and Restrictions

Service Shutdowns

In 2018, suspended its official bootloader unlock code service for devices launched after May 25, citing concerns over issues from custom ROM flashing and to enhance . This decision coincided with escalating U.S. trade restrictions on the company, which intensified scrutiny on its global operations. For existing devices prior to that date, unlock codes remained available for a 60-day . The policy extended to its sub-brand Honor, which was under ownership until late 2020, limiting official unlocks and relying on third-party workarounds. fully terminated the service on July 25, 2018.

LG discontinued all bootloader unlock services on December 31, 2021, following its exit from the market earlier that year. The closure affected the entire LG Mobile Developer website, rendering legacy unlock tools inaccessible for new requests and leaving previously unlocked devices without further official support. This move aligned with LG's strategic pivot away from consumer smartphones, eliminating any ongoing developer resources for customization.

Asus shut down its bootloader unlock servers in August 2023, specifically impacting ROG Phone series devices with no official alternatives provided thereafter. The removal of the unlock tool from Asus's website halted the process for both new and pending requests, affecting gaming-focused models that previously supported modifications for performance tweaks. As of January 2024, Asus phones released after that date no longer receive active bootloader unlock tool support.

Samsung removed the bootloader unlock option in One UI 8.0, released on July 26, 2025, affecting S25 series devices and subsequent models onward. This change eliminated the OEM unlocking toggle from developer options across global variants, preventing users from enabling modifications through official channels.

These shutdowns have broadly forced users toward unofficial exploits and third-party tools, which carry higher risks of device bricking or vulnerabilities. Official support for customizations has diminished, pushing enthusiasts to alternative ecosystems and reducing device longevity for advanced users. The decisions are often linked to heightened standards and , such as EU directives on device integrity, prioritizing locked bootloaders to mitigate potential threats from unauthorized software.

App and Regulatory Changes

In , the VNeID national application underwent a significant update in version 2.1.6, released on May 30, 2024, which introduced detection mechanisms to block access on Android devices with unlocked , access, or enabled developer mode. This measure aims to mitigate risks such as infection or unauthorized data access, displaying error messages like "Your device is not safe and may contain malicious code" when such modifications are detected. Users affected by this change must relock the bootloader and disable developer options to regain functionality for services like certificates and residency verification.

Globally, banking and security-focused applications, such as (formerly ), have implemented checks that detect unlocked bootloaders, often preventing setup or use of features like tap-to-pay. These apps rely on attestation services like SafetyNet or to verify device , flagging unlocked bootloaders as a potential that could expose to tampering. For instance, since 2016, has explicitly blocked Android Pay (now Wallet) on devices with unlocked bootloaders to enforce secure boot processes.

In the , the 2022 (DMA) seeks to enhance user control over devices by promoting competition and interoperability among gatekeeper platforms like . The 2014/53/EU Radio Equipment Directive (RED), via its Delegated Act effective August 1, 2025, introduces mandatory cybersecurity requirements, including secure boot mechanisms, for radio equipment; while some manufacturers have cited these to limit unlocking options, the directive does not prohibit bootloader unlocking provided standards are maintained.

Regional policies further complicate bootloader unlocking. In , manufacturer policies under the Cybersecurity Law amendments have led companies like to impose restrictions on bootloader unlocking for HyperOS devices sold domestically, including a 180-day waiting period effective February 2025 and a limit of one device per account starting January 2025. Conversely, in , 2025 guidelines under the initiative, including the introduction of a Repairability Index for mobile phones, encourage manufacturers to facilitate user access to parts and repair information; however, these policies impose penalties for bypassing built-in features that could compromise device integrity or user .

These app and regulatory changes result in significant consequences for users, including loss of access to services like VNeID for identity verification and administrative tasks. To circumvent such restrictions, developers have created workarounds, such as Magisk modules that spoof status to hide unlocks from detecting apps, allowing continued use of services like while maintaining modifications. These tools operate by intercepting app queries to the Android system properties, presenting a locked illusion without altering the underlying hardware state.
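Because on-device property queries can be intercepted, services that gate features on device state usually evaluate an attestation verdict on their own backend. The following added example (not from the original article or from any app named in it) sketches such a server-side policy, assuming the backend uses Google's Play Integrity API and that the token has already been decrypted and verified; the package name, nonce and timestamps are constructed.

```python
import time

# Constructed sample of a decoded verdict payload; all values are made up.
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": "com.example.bank",
        "nonce": "c2FtcGxlLW5vbmNl",
        "timestampMillis": "1700000000000",
    },
    # Constructed case: the device reports basic integrity only.
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
}

REQUIRED_LABEL = "MEETS_DEVICE_INTEGRITY"

def evaluate_verdict(payload, package, nonce, now_ms=None, max_age_ms=120_000):
    """Return (allow, reasons) for an already-verified, decoded verdict."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    request = payload.get("requestDetails", {})
    # Bind the verdict to this app and to the challenge the server issued.
    if request.get("requestPackageName") != package:
        reasons.append("package name mismatch")
    if request.get("nonce") != nonce:
        reasons.append("nonce mismatch")
    # Reject verdicts with no timestamp, from the future, or older than the limit.
    try:
        age_ms = now_ms - int(request.get("timestampMillis"))
    except (TypeError, ValueError):
        age_ms = None
    if age_ms is None or not 0 <= age_ms <= max_age_ms:
        reasons.append("timestamp missing or outside the allowed window")
    # A missing deviceIntegrity section is treated the same as a failed one.
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if REQUIRED_LABEL not in labels:
        reasons.append(f"device verdict lacks {REQUIRED_LABEL}")
    return (not reasons, reasons)
```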
