Conversation

Those wondering why they cannot unlock their Pixel 6a currently, you (most likely) need to wait for Google's servers to begin authenticating Pixel 6a OEM unlocking. Hopefully this should happen soon!
5
74
It checks the service to determine if the Pixel is unlocked. Hardware, firmware and software are identical across all Pixels whether or not they're locked by carriers. That's the point of the service. It allows the same hardware to be sold as unlocked or as locked carrier devices.
1
5
On Pixel 2, before the Titan M, Weaver was the only part of that provided by the secure element. OEM lock state, lock state, rollback indexes, user vboot key, etc. were stored with the RPMB (Replay Protected Memory Block) feature of Qualcomm's TEE (TrustZone) implementation (QSEE).
1
3
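The post above describes lock state and rollback indexes being kept in replay-protected storage. The following is an added, simplified model of that idea (it is not the eMMC RPMB specification, and not code from Google, Qualcomm or GrapheneOS): a store and its owner share a provisioned key, every write is bound to the current write counter by an HMAC, and reads are bound to a caller-supplied nonce. The class names, the record format and the key are assumptions made for the example. It shows why a captured "unlocked" record cannot simply be written back later, and why a stale read response is detected.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


def _u32(n: int) -> bytes:
    """Big-endian encoding of the write counter (assumed frame layout)."""
    return struct.pack(">I", n)


class RpmbLikeStore:
    """Illustrative replay-protected store: HMAC over (counter || data), counter only
    advances on an accepted write, so old frames cannot be replayed."""

    def __init__(self, auth_key: bytes) -> None:
        self._key = auth_key          # provisioned once, shared only with the owner
        self.write_counter = 0        # monotonic, never decremented
        self._data = b""

    def _tag(self, *parts: bytes) -> bytes:
        return hmac.new(self._key, b"".join(parts), hashlib.sha256).digest()

    def write(self, counter: int, data: bytes, tag: bytes) -> bool:
        if counter != self.write_counter:
            return False              # stale or future counter: replay or desync
        if not hmac.compare_digest(self._tag(_u32(counter), data), tag):
            return False              # data or counter altered without the key
        self._data = data
        self.write_counter += 1
        return True

    def read(self, nonce: bytes) -> Tuple[bytes, int, bytes]:
        # The nonce is included so the owner can tell a fresh answer from a replayed one.
        return self._data, self.write_counter, self._tag(nonce, _u32(self.write_counter), self._data)


class TrustedOwner:
    """Models the TEE side: the only other holder of the authentication key."""

    def __init__(self, auth_key: bytes, store: RpmbLikeStore) -> None:
        self._key = auth_key
        self._store = store

    def _tag(self, *parts: bytes) -> bytes:
        return hmac.new(self._key, b"".join(parts), hashlib.sha256).digest()

    def store_record(self, data: bytes) -> Tuple[Tuple[int, bytes, bytes], bool]:
        counter = self._store.write_counter   # real RPMB obtains this via a counter read
        frame = (counter, data, self._tag(_u32(counter), data))
        return frame, self._store.write(*frame)

    def new_nonce(self) -> bytes:
        return os.urandom(16)

    def verify_read(self, nonce: bytes, response: Tuple[bytes, int, bytes]) -> Optional[bytes]:
        data, counter, tag = response
        if not hmac.compare_digest(self._tag(nonce, _u32(counter), data), tag):
            return None                      # wrong nonce, counter or data: reject
        return data


def demo() -> dict:
    key = os.urandom(32)                     # constructed: factory-provisioned shared key
    store = RpmbLikeStore(key)
    tee = TrustedOwner(key, store)

    # Constructed lock-state records: first the device is unlocked, then it is locked.
    unlocked_frame, ok1 = tee.store_record(b"oem_unlock_allowed=1;locked=0")
    _locked_frame, ok2 = tee.store_record(b"oem_unlock_allowed=0;locked=1")

    # Replaying the earlier, correctly authenticated "unlocked" frame fails: counter moved on.
    replay_accepted = store.write(*unlocked_frame)
    # Writing a modified record at the current counter without the key fails the MAC check.
    forgery_accepted = store.write(store.write_counter, b"oem_unlock_allowed=1;locked=0", bytes(32))

    # A fresh read verifies; an old response presented for a new nonce does not.
    nonce_a = tee.new_nonce()
    response_a = store.read(nonce_a)
    nonce_b = tee.new_nonce()
    return {
        "writes_accepted": (ok1, ok2),
        "replay_accepted": replay_accepted,
        "forgery_accepted": forgery_accepted,
        "current_record": tee.verify_read(nonce_a, response_a),
        "stale_read_accepted": tee.verify_read(nonce_b, response_a) is not None,
        "write_counter": store.write_counter,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The design point is that neither the counter nor the nonce is secret; what matters is that the tag binds them to the data under a key the OS never holds, so the untrusted side can only relay frames, not mint or replay them.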
OEM unlocking was introduced as part of implementing anti-theft (factory reset protection). Gating whether it can be toggled based on the seller of the phone allowing it was added later to avoid needing actual carrier variants of Pixels. It's not why the feature exists at all.
1
2
Is there a specific instruction that goes from the OS to Titan M that tells the chip that the user has toggled OEM unlocking? I'm wondering if I can physically fake that signal. This of course will require dismantling the SoC and technical proficiency to pull this off.
1
There's authenticated encryption for the connection between the Titan M and the TEE or secure core in the SoC. They're paired together at the factory. The carrier locking system is entirely implemented at the UI layer and bypassing that just requires an OS (not even root) exploit.
1
5