Xiaomi apparently have also stopped unlocking their bootloaders, so the "workaround" was to go to an official store and ask them perform a downgrade, and before the staff can relock the bootloader, grab the phone and run:
I did that years ago when I bought a Redmi Note 4 in Shenzhen and discovered that the Chinese ROM is very locked down. I created the Mi post, but I don't remember having to make a forum post (although it does ring a slight bell). AFAIK it was just sending a DM to support on the forum / app to explain why you needed to install the Global ROM rather than the Chinese ROM (and being a foreigner was accepted as a valid reason). About a day later they unlocked the phone bootloader remotely, and then I could install any version of the Global ROM I wanted.
I've bought all my subsequent ones (Note 5, Note 8, Note 11, Note 12Pro) in either HK or UK so they all came with the Global ROM, and I've not felt the need to unlock any of them, so not tried to process since. But it definitely used to be pretty easy.
I suspect the reason for the weird process is legal to ensure that phones in China don't get unlocked in order to circumvent content controls.
I dont think you need to do the forum posts but you need to request unlocking every two days and pray it works. Supposedly at 00:00 chinese local time for any chances of getting permission. Took me several months of trying non continuously.
I did that a few years ago. Had to download some tool to my PC.
Then make a request that takes 2 weeks to go through. and enter the or whatever (this was like 2016 or something).
Whole process was clearly designed to make you give up.
Their phones where junk then though and i just got something else in the end.
They're a lot better now so actually unlocking it is probably worth something now.
When you say junk then, I find that interesting as my first was a Redmi Note 4 launched in 2016, that I got in 2017 (and did this unlock process on, as I bought it in China), and the reason I got that phone in particular was its price (in the UK it was £120, in China I got it slightly cheaper at 1100 CNY) and that it was actually the fastest Android phone available at the time according to the AnTuTu benchmarks.
The modern Redmi Note series is usually a generation behind on performance now, but I keep buying them as they're still faster than I need and there's always still a decent phone less than £150. Only complaint is with the camera, which never seems to get any better even when they claim to have upgraded it.
They mix up Google-vendor (pixels are absolutely the best and most unlocking-friendly hardware at this point), with Google Play Services services/limitations (ie dominant player in android ecosystem) AND Google, the dominant contributor to AOSP project.
And it's also partially false, as Gemini works just fine after unlocking/relocking, and all the advanced features (full performance of the cameras, NPU access, secure element) work even on non-Google OS. Things that do not work (mostly wallet) are valid issue, but then again, they work just fine after flashing OEM firmware And relocking The bootloader.
So I can only guess the quality of the contribution is similar with other phone brands.
I mean for the Microsoft Android phones it kinda makes sense, since they're not exactly shipping Android by choice. They'd much rather you use the Windows Phones which this says ARE locked down.
Apologies for being unclear, it's true Microsoft didn't have the option of Windows Phone for their Surface Duo devices, so they had no choice but to use Android. To clarify, when I phrase something as being an unwilling outcome it does not mean both were equally viable options and they picked the one they wanted, rather that Microsoft's hand was forced due to this development. I hope this helps.
Unfortunately, it's hard to make Fairphone secure. No separate secure element (so much easier to do brute force PIN attacks) and always lags in monthly security bulletin patches and major OS releases (remember that the monthly patches typically only address high/critical vulnerabilities, for the rest you need OS updates, QPRs, etc.).
Until Graphene works out the deal with the OEM that they are talking to, Pixel is pretty much the only secure phone that allows installing alternative firmware.
As someone else mentioned, GOS requires that the bootloader properly support relocking with a custom key. Additionally, GOS has a rule that any device supported must keep up with all security and quarterly patches in a timely manner, and none of the Fairphone devices do.
No secure element, no memory tagging support, no proper cellular baseband isolation, no verified boot, taking months to ship security updates .. the list is long.
From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
> From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
Compared to Pixel phones this is without a doubt true, but how does it compare against your average mid-range Android device? Do those typically have any of the features you mentioned?
Very roughly, and assuming mid-range is around 400-500 bucks like the fairphone:
- Memory tagging is still pixel exclusive for now, but it's part of ARMv9 so it should be available on more devices in the future unless they disable it
- Most devices now have a secure element, though the exact capabilities vary
- Baseband isolation - no idea really, most chipsets should support IOMMU (or SMMU as ARM calls it) but is not very obvious if that's setup sanely or even used at all on your average device. So I'm guessing most devices are about the same.
- Security patches certain vendors are much better (like Samsung, for their non-budget devices anyway) but a lot do much the same. It shouldn't generally be worse because of Google's requirements.
For people out of the loop, parent is referring to TikTag[0], a side-channel speculative execution attack breaking MTE in a probabilistic defense scenario, and the weird cope coming from some people that "MTE was only supposed to be a debugging feature anyway".
However, you need some form of code execution beforehand already for this attack, and more importantly it doesn't affect any of the deterministic guarantees of MTE. And those are the main appeal to GrapheneOS in the first place, preventing things like use-after-free by tagging the memory such that it simply can't be accessed anymore. So it's very much a security feature.
The number of combinations is irrelevant if you're not relying on randomness. Graphene sets the tag to a static value on deallocation[0] to prevent use-after-free, you don't even need to guess! The same is true for a lot of buffer overflows, as their allocator ensures two adjacent allocations have different tags, so unless the vuln allows you to skip ahead you'll always trigger a fault.
I can't find the link, but a couple days ago, they said in a thread here it was due to their lack of support of some important security features, and remarked that it didn't look like they were even interested in supporting them.
Yeah, otherwise the bad guys can just wait till you're not looking at your phone, reflash your it with a backdoored version, and wait for you to unlock it (evil maid attack).
If your phone was in hands of police you better sell it anyway because they could install a physical GPS tracker, etc. So locked bootloader doesn't change much.
Also if you live in a truly democratic country you don't even need to set the PIN code - your rights are protected by the law.
It would be relatively difficult to add a physical GPS tracker to a modern phone. Also, it's unnecessary, the government just needs to take a note of the IMSI and/or IMEI and then use the cell tower records to track you (rather accurately I should add).
The problem is not the tracking inherent in the design of mobile telephony networks, which you can circumvent by using burner phones. The problem is for example abuse of tools such as cellebrite to gain warrantless access to your phone at various opportunities.
This is also why proper baseband isolation is important. Baseband firmware is unaudited and likely to have government backdoors.
If the government wants to surveil me, they'll have to put in some actual effort instead of just taking opportunities.
As others have said they have some security concerns (I don't know enough about that stuff to know how justified or surmountable those concerns are). However with the big manufacturers all locking down their devices more than ever I wonder will they have much of a choice in the end. We're going to need a manufacturer (or preferably several) to actively stand behind the possibility to use custom ROMs, and at the moment Fairphone seem like the only one who might do that.
The curious thing is that being GrapheneOS open source, I would think that somebody could potentially create a ROM for them, even if it is not as secure as GrapheneOS would like. However, absolutely nobody has done it yet...
AXP.OS (axpos.org) is LineageOS-based (formerly DivestOS-based), but includes security backports from GrapheneOS and CalyxOS. No doubt it is less secure than GrapheneOS, but surely more secure than LineageOS, and supports bootloader relocking on some devices.
So, notice Graphene OS was able to port Android 16 on all the supported devices (from Pixel 6 up) basically within a week without device trees already, without the early (OEM) access to the release.
It's a big inconvenience but not a showstopper for them. Pixels are still viable.
The only blocker with pixels would be if they stopped allowing OEM unlocking or relocking (which is a must).
It is really a pity, as this means Android OS is closing down.
Without supported Consumer Hardware available on the market in sufficient volume, even less end-users will use an alternative OS, which will affect quality and size of the alternative OS-market and fragment the remaining users even more.
This will put the future of the entire alternative-OS ecosystem firmly back into the hands of Google. If they start further restricting BL-unlock on the Pixel-series to e.g. only Google Developer Account-Holders, the whole ecosystem will finally close down.
I’ve always said that it’s been “Google’s Android”, and wellp —- Welcome to Google’s Android, where the garden walls have been turned into a razorwire fence and you’re not welcome to leave.
It’s really funny that Apple’s finally allowing carefully controlled access outside of their own fences and slowly adding more APIs and expansion (hell, Apple are the only platform now with third party APIs for RCS in the EU) while Google’s spun an about face and will get away with it.
Of course it's been Google's Android, I don't think anyone ever questioned that. The whole reason why the OS still lives as a single entity and the app-ecosystem is not completely fragmented is due to Google's governance to keep it in check.
All the stuff Apple now slowly starts to allow on iOS due to EU's Digital Markets Act is still just scratching the surface of what Android already supports.
> hell, Apple are the only platform now with third party APIs for RCS in the EU
They provide third party API's to use APPLE's RCS-Service. The alternative would have been to support registering alternative RCS-services as default on the OS (and then, allow the user to choose a service).
> while Google’s spun an about face and will get away with it
Android already allows to install and configure alternative applications for RCS, in fact Samsung uses their own RCS Messaging service on its devices.
> Samsung uses their own RCS Messaging service on its devices
No? They’ve switched to Google Messages, and most/all carriers have switched to Google Jibe RCS (again, Google forcing its services into operator hands), which basically forces SafetyNet attestation to use.
Sorry, you're right. I stand corrected, Samsung discontinued their own RCS-Service in January 2025. Yet the point stands, Google doesn't restrict usage of alternative RCS-services on its devices, Apple does.
> again, Google forcing its services into operator hands
Frankly no. Carriers tried to make RCS work and failed for many years. I was involved in so many meetings, individual projects, interoperability testfests, just to make all the crazy "flavors" of RCS required from different operators work with each other. Each of the large carriers thought he could do RCS better than the next one, destroying simplicity, reliability, interoperability.
Many of them rolled out their own RCS-service initially, with flaky UX and ridiculous limitations making it weaker than WhatsApp at that time.
Google didn't start this mess, and didn't force itself into this matter. But yes, they ended it by acquiring Jibe and unifying the platform.
>They provide third party API's to use APPLE's RCS-Service. The alternative would have been to support registering alternative RCS-services as default on the OS (and then, allow the user to choose a service).
RCS messaging is carrier-controlled and configured via carrier bundles in iOS. Apple doesn't run a "RCS service". TelephonyMessageKit [0] in iOS 26+ exposes a standard interface to the carrier SMS, MMS, and RCS services, as applicable, allowing for 3rd party applications to send and receive carrier standards-based messages.
In 3GPP standards, RCS is just another service using the IP Multimedia Subsystem (IMS) framework. Carriers can either run their own RCS service in their IMS core or use a 3rd party service (as many do with Google's Jibe).
You're ignoring an elephant here: Apple meticulously enables these extras functionality exclusively in the EU. They cut these features out for the rest of the world as much as they can. In that regard, they feel like the corporate equivalent of a stubborn 3 tear old.
Google is first and foremost an advertising company. They're going to do whatever makes them the most profit. It always had razor wire fences unfortunately.
I'd argue that they are not merely an advertising company, they are an "attention facilitating company", taking and curating attention of large groups of users and making it systematically available to other parties, acting as middleman.
You know, like Apple...
> [A] is first and foremost a [B] company. They're going to do whatever makes them the most profit.
This is the definition of any commercial business.
I have to disagree... while most "corporations" are chartered in such a way that shareholder value is maximized, you can put other provisions and leadership goals into a corporate charter, and privately owned businesses can have much more leeway in terms of structure and goals.
Many NPOs are corporations/companies legally, but their founding structure isn't to maximize shareholder profits/value. Beyond this, most businesses have two operating models, one is for maximum stock price, which increases the value, but that remains static without trade and/or to provide dividends from profits, which tends to keep stock values more level. With the latter, a business might not be chasing a 20% growth every year, but a healthy margin and predictable dividends to shareholders.
IANAL, this is not legal advice... but if you start a company, and want to emphasize values beyond pure growth/value, then what I would do is definitely talk to a good corporate attorney and tune the founding charter documents to that effect.
As someone who roots single-purpose Android devices, this is one of those things that sucks big-time but makes total sense.
The only reason one would unlock a bootloader is to root the system partition. It is impossible to protect data on rooted phones and makes data exfiltration attacks significantly easier to do.
This is a huge problem for banking and music apps that absolutely rely on this capability. Samsung is, by far, the biggest seller of Android phones in the US. (I think Xiaomi is the biggest globally), so they are under much more pressure to clamp down on this.
That said, rooting Samsung devices has been a worthless pursuit for a long time. Doing so irreversibly (via eFuse) disables KNOX, which prevents DeX and Samsung Health from working. It also trips SafetyNet, which disables a whole suite of key apps (banking apps and Apple Music don't work; not sure about Spotify). There's a Magisk module that uses well-known device IDs to work around these, but these only work temporaily. Many people have also reported issues with the camera (a popular reason for buying Samsungs in the first place), and you no longer get OTA updates. I believe you also get degraded camera performance if you flash another ROM since the device module is closed-source and relies on One UI to work. This is before considering that stock ROMs have gotten really good over the years (especially Samsung's), and many of the reasons why we had to root have mostly gone away.
You can work around this by buying a Pixel for now, but I think we're a few years away from bootloader unlocking going away entirely.
That said, I stll root Android devices that will only serve a single-purpose, like my BOOX eBook readers that I use Firefox on. This lets me run AFWall so that I can block network traffic for everything except Firefox (and a few other apps). However, I won't be logging into my Google account on them, and they aren't ever going to run banking apps or anything like that.
My response would be it doesn't make any sense. There are so many reasons why blocking rooting is a stupid idea. Just some of them:
- If you're capable of rooting a device then you're capable of understanding the risks which come with doing so.
- The number of users who root their devices will always be so comparitively tiny that the increased risk of data exfil is incredibly small. Also, similarly to above, if you're technical enough to root your device then you're probably not regularly putting yourself at risk by downloading shady apps etc. anyway.
- Rather than decreasing security, rooting allows you to enhance the security of your device by installing lower-level tools and, most importantly, removing all the bloatware crap which comes on most phones. This reduces the surface area of attack.
Let's be honest and admit that the only reason to prevent users from rooting their phones is to protect companies' profits by ensuring users can't fight back against the blatant tracking, data mining, and analytics capture which is so valuable to companies.
The main reason IMO to block rooting is to stop resellers selling phones with preinstalled malware. If the phone has two Amazon/Aliexpress sellers, you're going to pick the cheaper one right? With who-knows-what alterations? It's a really prevalent problem and most people are not going to notice the "insecure" warning at bootup.
Phones can and do have a warning that they were rooted on boot. So this is not an excuse. But don't worry, I'm sure there are several marketing teams at work on new excuses why your computers should be controlled by benevolent corporations and not you.
- If you're capable of rooting a device then you're capable of understanding the risks which come with doing so.
Spend an hour in xdaforums and you'll see how untrue that is.
Many people root just to get YouTube Revanced or something like that. Meanwhile, you have launchers masquerading as a stock launcher that will happily steal refresh tokens for your Google account.
> The number of users who root their devices will always be so comparitively tiny that the increased risk of data exfil is incredibly small
> the only reason to prevent users from rooting their phones is to protect companies' profits by ensuring users can't fight back against the blatant tracking, data mining, and analytics capture
You contradict yourself, if the number of users which will root their devices is tiny, the lost profits from tracking, data mining, analytics is tiny as well.
Not necessarily if you consider the level of paranoia of these companies regarding controlling how their devices are used, as well as the tech sectors growth at all costs mantra.
There's also the argument that if tiny percent can do it, could it start to catch on and slowly grow to a larger percent?
More so in an economic environment where spending $2,000 on a new phone every year is decreasing in popularity, especially when the differences between model X and model X+1 have to squinted at ever harder to determine.
> Let's be honest and admit that the only reason to prevent users from rooting their phones is to protect companies' profits by ensuring users can't fight back against the blatant tracking, data mining, and analytics capture which is so valuable to companies.
I'm with you on the general sentiment, but how do the companies that block rooting benefit from any of the nefarious activities you mentioned? Those are executed by different organizations, typically.
They benefit from user buying a new phone when they stop providing updates for it. If the bootloader can be unlocked, the community can take over support & the device will be used for longer. Kinda like a 10+ old laptop is perfectly functional and usually fully supported by moder Linux distros, but 10 year old phone is more often than not a paperweight.
> The only reason one would unlock a bootloader is to root the system partition. It is impossible to protect data on rooted phones and makes data exfiltration attacks significantly easier to do.
What are you smoking?
The only reason I've ever unlocked a bootloader has been to replace the OS with a different one. And it had nothing to do with rooting. I have no interest in having a rooted phone on my person at all times. But I have full interest in having GrapheneOS protecting me, among many other things, from opportunistic government spying.
> This is a huge problem for banking and music apps that absolutely rely on this capability.
In the case of banking, unlocking the bootloader usually requires a full device reset and leaves a very obvious message when you boot up the phone—you can't grab someone's locked device, root it, and grab their financial data just like that.
As for music apps and other apps that download copyrighted content to the user's device, leaving the moral aspects of stripping the user of control of files on their own device aside, preventing their use on rooted devices just loses them users since
- Those are by no means essential apps
- If you know how to root your phone, you probably know how how to pirate media as well
- People can just use computers to exfiltrate copyrighted media instead since most of those apps have PC versions
It "doesn't make total sense", it never has. It's just a kneejerk reaction that conveniently aligns with stripping the user of control.
The problem with banking isn't rooting itself as an attack vector, but the insecurity and laxk of reliability guarantees of rooted phones so that banks rightfully don't want any liability when something goes wrong with their apps.
which is idiotic as you can have things like locked through adb root that only grants you root if you use adb to connect and you need to approve the request to connect on the phone first. This has nothing to do with guarantees but is just a security theater to sound like they are doing something
My argument isn't as much about the tech as it is about managing risk on the bank's side.
Imagine claims like "the XYZ bank app mangled my input and now my money is gone". I'm certain that people have sued for less. How can the bank argue in court that this wasn't their fault? What if the plaintiff demonstrates some actual glaring app misbehavior in court, but the root cause is in a broken third party Android build?
Are they "managing risk" or are they just "doing stuff"? How often does it happen that an alternative Android OS causes issues to banking apps? I have personally never heard of that, and it would be very bad publicity for the OS.
In my experience, because a company does that kind of "risk management" does not mean, at all, that it is a useful thing to do.
This is a huge problem for banking and music apps that absolutely rely on this capability
Yeah, I immediately cleared application data and uninstalled it, once I discovered my bank, of all organizations, was relying on Android to silo a token that grants access to my bank account with nothing else but a 4-digit PIN.
I had submitted a vulnerability report, because the option to require a password could be turned off without a password, and their response was that it works as expected, because they only require a PIN and providing a password is optional. That isn't to say that I have the option to make my account require passwords, it's that providing a password isn't needed, but I have the option of providing one anyway.
With only the PIN requirement, and four attempts before a lockout, a security vulnerability in the OS immediately becomes a 1 in 250 chance they'll have full access to may bank account, if I have a truly random PIN, or a 1 in 5 chance, if I have one of the four most common PINs and it always tries those. All that without having to wait to capture me logging in.
Also, Google explicitly states that the phones storage should not be used for sensitive data.
Phones are portable, and thus more likely to suffer from a physical attack. But that's about it.
It is, and always was a flimsy excuse to the strip user of control over his own device.
"Secure Boot" isn't actually there to protect the device from an attacker. It's there to "protect" the device from its own user. It's used to "secure" DRM schemes and App Store revenue streams.
>"Secure Boot" isn't actually there to protect the device from an attacker. It's there to "protect" the device from its own user. It's used to "secure" DRM schemes and App Store revenue streams.
1. Basically all the serious DRMs (eg. widevine L1) rely on the content being encrypted all the way to the display itself. The OS, secure boot or not, never sees the content in cleartext, because decryption happens in a secure enclave and is immediately encrypted to the display using HDCP.
2. The "app store revenue stream" excuse doesn't really make sense, because you can easily install third party apps on Android, even though nearly all phones have locked bootloaders.
This is exactly what it is.
Google only implemented playintegrity api to please banks and governments. This is all to lock out users and secure revenue and spying agencies.
I don’t get this too. Laptops are just as portable but don’t have this limitation (yet). This argument that it’s to protect banking and music apps is silly, those products work fine on pcs while maintaining security.
In the EU, banking apps no longer do. They require a trusted companion device for 2FA, e.g. a smartphone app or a dedicated chip-and-pin device. This is enforced by the PSD2 directive [1], which has been in effect since 2019.
In contrast to that, you’re always allowed to do banking on an iOS/Android banking app. Banks seem to trust the integrity of the OS enough that they allow the app to be its own second factor.
To clarify, that line was implying something that makes a big impact:
It is impossible to protect [the owner from accessing] data on rooted phones
It matters a lot to distributors why like to trick copyright holders into thinking that DRM is effect, which could only be the case if it works 100% of the time on 100% of the users, which it generally doesn't.
If PCs were newly invented today, they may well have been locked down from the start. You already seeing the big names, Apple and Microsoft, with MacOS and Windows, respectively, inching along in that direction.
I'm not sure if this is true, or for how long it has been true. I rooted my company phone (Samsung Galaxy S4), removed the crapware, and un-rooted it so that it could join the corporate network. This was a long time ago.
I decided to part with my Huawei Mate 20 X after about 7 years of ownership not because it was a bad phone - on the contrary, it has a nice big screen, decent enough camera, is still plenty fast enough etc - but because the OS hadn't received any updates in a long time.
Rather than see it go to landfill I donated it to a friend who's happy to use it but what an absolute waste.
Bought a Pixel purely because they are committed to updating their phones for a long time.
I've been using Xiaomi phones but I had to buy a new phone every year or two just because they get so sluggish. My other Android phones kind of had the same, except my Nothing 2 has been going strong.
Has this been your experience as well, or have your phones been OK with responsiveness? Seven years is a long time, I imagine the phone must have been unusable by then.
I've used a xiaomi redmi note 4 (mediakek) for many years before i got it stolen. I've purchased a xiaomi redmi note 10 after that (i am supposing there were six years in between). I was still using it but then I needed one of these big folding phones and bought a samsung z fold 5. It broke down in 2 years, i am back to my redmi note 10. Still going strong. I will never buy an expensive phone again it was a dumb move. Just the cheapest android on aliexpress.
My Huawei was still absolutely fine for me speed-wise. I moved to a Xiaomi 14 for a little while which was obviously faster but not in a "holy shit it's fast" sort of way.
The Pixel is slower than the Xiaomi in benchmarks but I can barely tell any difference in day to day usage.
Maybe if I went back to the Huawei it would feel slow but honestly I would still be using it if it had been updated. Unless the new OS slowed it down.
This is already in place in the EU via the WEEE directive (Waste from Electrical and Electronic Equipment), but the costs have apparently been absorbed just fine already by this industry, so it doesn't seem to hurt them sufficiently to be incentivized for longevity.
As much as I hate it, the strongest incentive would maybe be to legally define vendors who supply hardware with a non-interchangable OS-ecosystem as service-providers and put restrictions on the price they can charge for the hardware to render the service (like i.e. a cable-modem from an ISP).
This could force the large players to decide between high-margin hardware or high-margin OS-ecosystem instead of aiming for both.
Come to think of it, these market-dynamics would be interesting to observe...
Is any other product forced to do such a thing? Considering a phone lasts for years and is very small, it produces very little garbage over time compared to disposable product people use. Think how big a garbage can is compared to a phone.
But think of banks and music services, comrade! Banks need the waste to protect you, and poor music services will go out of business if you control your own phone!
You still own the device even if the bootloader is locked. It's like saying you don't own a CPU because you can't add your own instructions. There are always going to be limits to what you can easily customize for a device.
Adding cpu instructions is something that you can't physically do, however unlocking the bootloader is something you can do via software, and if a vendor chooses to lock it down they're basically taking away your ability to do anything you would want to do with a device. Sadly this is has been the case for a while and it's probably going to continue being the case.
You can physically do it with a microcode update. Nothing is being taken away since this change is for new products. They just are not providing an additional feature to these products.
> You can physically do it with a microcode update.
It's also anti-consumer that CPU vendors don't let customers who own the CPU perform whatever updates they want because they don't give out signing keys.
If malware could install microcode it could break the security of the system. There is more consumer benefit than harm by locking it down to trusted updates.
The security model could allow the end user to install keys for the root of trust for the CPU, much like how UEFI Secure Boot allows you to install your own keys. That CPUs don't have this functionality may not be purposefully anti-consumer (and just laziness), but the net effect is anti-consumer.
As it stands, besides preventing the user from making modifications to CPU functionality, the user is also forced to "trust" updates that might be created for specific anti-consumer purposes (say, compelled by government security services).
> As it stands, besides preventing the user from making modifications to CPU functionality, the user is also forced to "trust" updates that might be created for specific anti-consumer purposes (say, compelled by government security services).
That would be less of an issue if the updates were auditable (that is, security researchers could read and study them), even if users weren't able to modify them. Unfortunately, other than some early CPU designs, AFAIK microcode updates are always encrypted. I suspect that their reason is to protect "trade secrets" on details of their CPU design.
> > Adding cpu instructions is something that you can't physically do
> You can physically do it with a microcode update.
Do these ARM CPUs even have microcode? Unlike on x86 CPUs where there are some very complex instructions which have to be microcoded, on ARM all instructions are simple enough that their decoding into micro-operations can be completely hard-coded in the decoder logic.
Yes, it's too risky to make CPUs without microcode. Being able to fix bugs, or at least disable things so you don't have a complete paperweight is still important even for ARM.
Disabling things can be done through "chicken bits" on configuration registers, no microcode necessary.
Do you know of any ARM cores used on smarphones which actually have updatable microcode? I've never heard of any. All errata fixes I've seen are of the "set this bit in a specific register" kind.
It being your own device and removing a feature being anticonsumer can both be true. Every feature comes with trademarks off from the company providing them. It's up to consumers to validate products by buying them if they think the features offered is worth the price. If removing this feature doesn't hurt the sales of the device this feature may be more trouble than it's worth for them to provide.
I don't believe a user lacking the ability to perform a microcode update impacts their freedom in any meaningful way. The CPU still executes whatever instructions it's given unless the user is deprived of that freedom.
The writing's been on the wall for custom ROMs in general for a while, so I've been starting to think about a mobile phone vendor I could actually have a decent business relationship with. I.e. use their stock ROM and be fairly happy with it.
Any opinions? Samsung was a candidate for their somewhat unified ecosystem. Maybe even apple.
I still really like Sony phones. Excellent hardware. They have no online services they are trying to push, they just want you to buy their phones. As a result, the stock software is very clean Google Android without much extra. But they're not available in every region, and quite expensive. Used to have very short software support but now they do 4 major Android version updates / 6 years of security updates.
You get no ecosystem benefits though, it's really just plain Android.
I really wanted a Sony phone as it ticked all the boxes. Headphone jack, SD card slot and bootloader unlock with LineageOS support. AFAIK no one else does that in current phones.
But the sad reality hit when there were all kinds of hurdles around getting 5G/4G working in Australia. Was not going to risk ~$900 dollars on a phone that could end up being a paperweight and returned it.
It's a sad state and makes me miss the good old days.
Sony phones generally have a ok-ish hardware(their old 4k oled screen is still top-tier for watch videos to date in my opinion) and emmmm-ish software support. And depends on your region, the software support can be even worse. For example, TW-version sony phones have a serious delayed update schedule. You may get an update that others already received for half an year (and pixel phones have already got two years ago)
The last few years it's been tougher and tougher to get them. Even in Europe you can now only buy them directly from Sony, and Amazon in a few countries. Sony is not selling them via any other retailers or operators at all from this year onwards.
You still don't get any better support than with Pixel though. I wish it was different. And I'll be using my Pixel 9 with GOS until its no longer supported (so several more years), and if then there are no viable Android options? Well, so be it, iOS (which i despise but Android with Google pervasive surveillance is unusable. I know, iOS is not much better but at lease is about as secure as gos).
In this domain, things change so fast that I decided to just focus on my next phone, or like the following 2-3 years.
The future is as bleak for the custom ROMs as is their past. They are aftermarket modifications of the phone software, entirely dependent on the manufacturers and Google, and these release new things yearly.
Pixels are a good choice I think because they come with the least amount of bloat, and with Android, the connection to Google is always there anyways.
Samsung carries a lot of advertising crap, tracking, etc. Pretty much every phones is going to be worse than Pixel in that respect, since you get Google's tracking + whatever pile of crap the vendor added (which in the end they all seem to do).
So it's basically:
Pixel with GrapheneOS > iPhone >> Google Pixel with PixelOS
I wouldn't recommend anything else. Theoretically Fairphone + e/OS may have been an option, but the security is crap.
I guess there is Sony, you could even install Sailfish OS, no experience though.
I've owned a few pixels but for whatever reason in my case the hardware had a habit of randomly dying just outside of the warranty period. But maybe I can revisit.
Sony Xperia models have been my choice since the Sony Ericsson days. Unlockable bootloader, LineageOS available, microsd card, headphone jack, good screen, decent camera, reasonably powerful SoC, water/dust resistant, and probably several other benefits that I'm forgetting at the moment.
I don't know if any US carrier offers them, but last time I was shopping, models with North American radios could be bought online.
My main complaints about Xperia phones:
- They don't support re-locking the bootloader at all, let alone with custom keys. This could be problematic for folks who depend on mobile banking apps that require full Google Play Integrity (SafetyNet) attestation, or risky for folks who leave their phone unattended around potential adversaries. To be fair, almost all smartphones have this problem.
- Their wonderful Xperia Compact line, comprising smaller versions of their flagship phones, seems to have been abandoned. Even their most recent "compact" models were bulky compared to their predecessors.
Yep. Everyone I know who bought a Samsung anything (TV/Phone/Washer/Dryer) last time said it's their last Samsung product. Samsung sure know how to piss off customers.
Well, I dunno. I've seen it as a lesser evil compared to many others.
In ye olden times I had such a horrible time with my cheapo Samsung when trying to upgrade it from Android 1.5 to 2.1 that I swore it'd be my last Samsung, and it was, for well over a decade. During that time I went through some iPhones and a handful of the most popular alternative Android brands.
Since the thread is about Android I'll focus on that. Every manufacturer was hamstrung by one or more of the following issues:
- Subpar hardware
- Difficult and slow RMA process where your device flies around the globe for repairs
- Software bloat, just like Samsung, but from a country I trust even less (China vs SK)
- Very infrequent updates (if you are lucky enough to get them at all), especially once a newer model is out
Now since this thread is about bootloaders this is probably a hot take, but I spend enough of my time troubleshooting stuff at work, so when I use my phone I want it to "just work" and not have to play some stupid anti integrity protection cat and mouse game to access my bank's app. So the last two are not solved with an open bootloader.
Samsung on the other hand has in recent years given me the "just works" experience on decent hardware, paired with frequent updates. And while their authorized repair shop might not be in my city, it is at least in my country and just a train ride away.
That being said, the nerd in me is disappointed in this move, and the recent EU ruling that forces manufacturers to actually support the stuff they sell for a reasonable time even after it's off the shelves might change things for the better w.r.t. other manufacturers.
I've got a Samsung dryer and when it had a fault with the door sensor they got it fixed pretty quickly. I had better service from them than Bosch or Miele - I replaced a Bosch dryer when I was totally fed up of trying to organise Bosch to fix it and being told it was at least a 6 week wait - Samsung half the price, and surprised us that it is a better dryer (faster, easier to use etc).
I don't love their phones, though my wife has one. However, again on the service front, when my samsung S7 had a problem they fixed it pretty quickly. When my iPhone 5 came with the wifi not working it took weeks to convince Apple that it was actually broken and get a replacement.
All anecdotal of course, and probably varies a lot by location and over time.
It’s amazing how nothing goes wrong with my 20+ year old Maytags, Whirlpools, or Estates by Whirlpool (their budget subbrand). No logic board failures, drain pump failures.
Acquired from yard sales and then subject to duty cycles of 5-10 loads a day.
Somewhat relevant, I have 3 relatives/colleagues still sporting iPhone 8’s/8 Pluses. The only issue is that some newer apps are slow. Told them to grab iPhone SE 3rd gens before they’re discontinued; one of them has it sitting unopened in the box, waiting for their 8 to die.
> It’s amazing how nothing goes wrong with my 20+ year old Maytags, Whirlpools, or Estates by Whirlpool (their budget subbrand). No logic board failures, drain pump failures.
whirlpool tumble driers are notorious in the UK for catching fire
> At a parliamentary hearing in July, the US appliance company told MPs the numbers were higher than feared, after 1.7 million products were modified following the scandal.
> Whirlpool said that its machines could be linked to 750 fires in the last 11 years, or one every five days.
the grenfell disaster was also started by a whirlpool fridge
and their factory in peterborough also caught fire
This is also anecdotal; but I heard it from someone who works in Home Appliance repair, but Samsung has been getting their act together in the last couple of years because they know their reputation has been horrible. Making their appliances more reliable and easier to repair. They worked with the home assistant recently to get their appliances (smart things) to be able to properly with it.
It's actually incredible how consistent they are with it. I'm hesitant to buy a foldable or a display from them for this very reason, even though I'd be otherwise interested.
Is the alternative really better overall. We upgraded to a samsung fridge last year from two consecutive cheapo-chinese-local walmart-brands and it was worth every penny. It will pay itself in energy savings in less than two years.
I think their phone in the high end is the best phone on the market, unless ios is a requirement for you. Also, I bought a Samsung AC and really like the smart features. Really nice integration with Alexa too.
samsung is the only smartphone manufacturer that still makes phones (though not many) with all the features I want: microSD slot, dual physical sim, side-mounted fingerprint reader, headphone jack, nfc, and regular (long-lasting) security updates
they also have service centers pretty much everywhere in the world, so I can always get my phone fixed (for a reasonable price, as a result of their ubiquity) if and when I inevitably break it
would I also prefer the option to unlock my bootloader? yes. if I'm honest with myself, is it a deal-breaker? sadly, no, I no longer use custom ROMs
They seem to skip some years when bringing updated models to the US for some reason, but Sony Xperia phones check most of these boxes. I have an Xperia 1 V that I use as an app dev test device and as a backup phone and have found it pretty nice. The hardware feels great and their Android build isn’t nearly as junked up as Samsung’s. I’m always surprised they aren’t more popular.
There are no smartphones or pocket computers that tick these boxes anymore, since general-purpose computing is an anathema to the modern, specialized enshittification slop. For a modern device to serve most, if not all, relevant features, it takes a company that is built around principles that go beyond just shareholder satisfaction. You see the dilemma...
AFAIR, the Samsung Galaxy Note9 was the last device that deserved to be called general-purpose pocket computer. EMR stylus, 3.5 mm audio, mSD card slot, USB-C 3.1, good CPU, adequate memory for the time (8 GB), good cameras. If you're willing to forgive the non-removable battery, the only suck was the screen if you were sensitive to PWM, especially with regards to lower flicker frequencies.
Alas, seven years ago Samsung got the itch and divorced from good pocket computer design. The Note9 seems almost like an accident, given Samsung's market policies of today.
I have an xcover 6 pro with dual sim, 3.5 jack, removable battery and micro sd support, it works great (except buying an original battery is not super easy). I know the 7 is out too but I think its reviews were worse on amazon
> samsung is the only smartphone manufacturer that still makes phones (though not many) with all the features I want
Not to mention the built-in EMR stylus. That makes such a difference in using the device, I cannot believe they are not more common. And they are a terrific backup for the not unusual case of a broken screen being unresponsive.
you're just speaking of the Galaxy S line, there are at least four other Galaxy lines, some of which dropped these features only this year and one of which has all of them (XCover), though it looks like this year's release makes you choose between fingerprint and headphone jack (XCover7 vs XCover7 Pro)
Those 300 people include some experts at spiritual warfare which will guarantee that all involved in this decision will reincarnate into durian fruits in the next life.
What do you use? Samsung are anti-consumer but none of the other big phone manufacturers seem to be much better (and historically at least Samsung's flagship phones have been pretty good hardware-wise).
Same here. I got so tired of fighting "the system" that wanted to manage everything, and post-updates meant mire wasted time switching off bloat/features I didn't need.
Either freedom or zip. I'd sooner bang rocks together than use a phone I can't compile the OS for. The number of required binary blobs is a foul enough insult already.
Did you spend a few thousand on a purism, tolerate the woeful hot and slow character of a pinephone, or something else?
Less sardonically: I am a Linux Person but couldn't imagine really using one of those things today. It would probably kneecap my whole life in subtle ways; in the US using android already does.
It is getting incredibly difficult to obtain a non-backdoored smartphone nowadays.
I tried to find which phones support alternative OSes, without Google control and telemetry, but it turned out that alternative OSes (LineageOS, PostmarketOS, Graphenos) support mostly support outdated models and it makes no sense to buy them. There is also "Google Pixel", but the prices start at around $600 which is 3 times more than a reasonable price for a phone.
So now I am wondering if it is possible to extract the ROM from a reasonably priced Samsung phone, remove the components I don't like and write it back.
GrapheneOS supports the newest Pixels, and only the Pixels that are still getting updates from Google. Right now the least bad option is probably a one-generation-old NOS or Open Box Pixel with GrapheneOS.
I have to wonder what Samsung's motivation is here. Of course they probably have some bloatware they profit from, but someone who plans to unlock the bootloader just won't buy their device now. Samsung only benefits if they lose money on device sales (do they?) and make it up on "services".
Google's own Pixel devices have easy unlocking, so this would surprise me. Google's strategy to keep devices users actually control from being too mainstream is remote attestation.
I'm guessing this is your post? Way too anacdoal to make generalizations to OneUI 7.0 as a whole (and, expecting the demands to work in a community forum is funny, and, was the prompt "hey chatGPT, write a frustrated forum post?")
I just unlocked the bootloader on my Xiaomi Mi Pad 5 today (which was a nightmare to do btw.). Why did I unlock it? The device has nice hardware, but is stuck with Android 13 and does not get any security updates either, so flashing a custom ROM is my only chance of having an up-to-date device.
Next step will be to try PostmarketOS and see how that goes
No I'm talking about what you said about someone not buying their phone because of bootloader locking. Majority of the majority don't care about the bootloader, so is Samsung.
My point isn't that it will cost them sales in an amount they care about.
My point is that someone at Samsung made an active choice to remove unlocking, presumably thinking that choice would bring some benefit to Samsung's business. I'm curious as to what they believe that benefit to be.
Damn, I got a samsung instead of an asus phone because I could unlock it. Now what:s left? Really annoyed at all those companies who refuse to let me own my own phone.
And before anyone asks me if I really need to unlock my phone... It's the principle of it, if I bought it, I own it and I should be able to run what I want on it. I will not buy a phone from a company that denies me that right.
That said, I do use root for a few things:
- AFWall+ (previously I used netguard but can't run multiple VPN on android so I couldn't have that running together with tailscale)
- Neo-backup. Some messaging apps believe that keeping chat history is not important. Or they believe that it's fine that the only way to transfer chat history is to upload it to Google cloud without encrypting it. I hate losing my chat history and I do not want it uploaded somewhere without encrypting it so I need a backup solution. Enters neobackup
- Sometimes, it is useful to be able to spoof one's GPS without the app being the wiser from a privacy perspective.
- A very stupid banking app I have prevent screenshots but then doesn't allow me to download a proof of transfer. So I use root to remove the restriction against screenshots
Exactly. This is why I won't buy from these companies even when conditions look good. It'll be bait and switch every sigle time. Fairphone all the way.
Jim not sure what you're getting at. Right now I'm stuck in the Samsung ecosystem because the S Ultra devices are the only devices that have a built in EMR stylus. They're great devices, I'm not complaining, but diversity and other options would be nice.
Normally, I'd go and say "vote with your wallet" - but sadly, in the tablet sphere, it's either ultra low spec Alibaba junk or it's Samsung. No Fairphone, no Pixel, nothing.
Seriously Samsung, go and screw yourselves.
The reason I insist on rooting in the first place is because unlike iOS which has a true full backup that you can trigger from your Mac (and restore afterwards), Android decidedly does not, and a bunch of apps don't do any kind of cloud sync.
Believe it or not I did consider going the full Apple route. The problem is, Apple doesn't offer anything in the 8 inch zone. I need a tablet that fits into my pant pockets.
And on top of that, there's no way to migrate the data from a bunch of these apps from the Google walled garden to the Apple walled garden, not to mention purchased licenses.
Oppo is Chinese, so is Oneplus, so is Xiaomi - those are what I meant with "alibaba garbage", especially when it comes to performance. I don't trust either of these brands to deliver updates on time or for more than two years, spare parts just the same, and that's before the question if one wants a brand that may be targeted by US sanctions like Huawei, locking the user out of Play Services.
With Samsung there are established networks on how to get spare parts and they have a proven track record of delivering updates on time.
Lenovo's offerings are a disaster performance-wise.
what do you mean "alibaba garbage", Have you checked them ?
The lenovo 12.7 pro 2025 has D8300 cpu, which is on par with QC 8g2.
Oppo Pad flagship using 8 elite CPU, and you still think they have trouble with performance ?
I never had the chance to root any Android device (unknown models, locked bootloaders, no benefit on rooting, or simply bad hardware), guess I'll never have it again.
Do you mean the new One UI update that made the notification pull down split into left and right swipes instead swipe down and then swipe down again? Because if that's what you mean, you can configure it to be the way it used to be again.
Little pencil button, then panel settings and choose together instead of separate.
Unlikely, bootloader unlock is a controlled process and state of the OS for many years now.
The procedure explicitly hands over the responsibility of OS-integrity to the end-user, it's not Samsung's responsibility after that and the user needs to confirm that.
It's much more likely that the cost/benefit profile to develop/maintain/support that feature and its related unlock-process is simply not sufficient, all while several of the biggest customers explicitly require unlock to NOT be supported.
What's the cost to develop/maintain/support the feature?
It's a simple switch, and since it's probably in AOSP there's cost in removing it, not in leaving it there
The cost is in managing a permitted device-state without a full trust-chain, and maintaining the unlock-logic and service of such an unlock of a device.
It should be simple, but since some carriers required BL-unlock to not be supported at all, many carriers required the availability of a list of all devices being unlocked and all required unlock to be irreversible, there are quite a few considerations to keep this working securely whenever something is touched in the trust-chain of a device.
I hate to say it in this case because I was advocating for BL-unlock for YEARS, but if there's no sufficient commercial demand and no "higher motivation" to justify it, it's a security-risk that's easy to avoid and easy to descope...
I don't understand your points, to my eyes if the bootloader is unlocked you simply either:
- don't provide the features for which you require a locked bootloader
- and don't do anything with the rest of the features
And anyhow, I'm almost sure that this is AOSP code (with a quick search I didn't manage to find it).
And, I don't know any carriers that require a locked bootloader outside of the US, and Samsung already only sold models without bootloader unlocking in the US.
You should read up a bit more on the matter then. The bootloader is not shipped in an unlocked state, even on a device which supports BL-unlock.
Bootloader-unlock describes a feature which supports a controlled break of the trust-chain of the device, so telling the bootloader that it should continue executing the bootshell even if the signature check has failed.
In this state the OS should continue to boot despite of this state, and applications should gracefully handle such a condition.
The crucial parts of this are also not part of AOSP, it relies heavily on the chipset manufacturer and the OS-implementation of the device-vendor.
Xiaomi apparently have also stopped unlocking their bootloaders, so the "workaround" was to go to an official store and ask them perform a downgrade, and before the staff can relock the bootloader, grab the phone and run:
https://x.com/kobe_koto/status/1949154478298456531
Absolutely hilarious.
This is amazing. Imagine getting the cops called on you for this and having to explain why the phone company was against you stealing your own phone
It's still possible outside of China but you have to have a Mi account and for newer phones you have to make some forum posts or some dumb shit.
I did that years ago when I bought a Redmi Note 4 in Shenzhen and discovered that the Chinese ROM is very locked down. I created the Mi post, but I don't remember having to make a forum post (although it does ring a slight bell). AFAIK it was just sending a DM to support on the forum / app to explain why you needed to install the Global ROM rather than the Chinese ROM (and being a foreigner was accepted as a valid reason). About a day later they unlocked the phone bootloader remotely, and then I could install any version of the Global ROM I wanted.
I've bought all my subsequent ones (Note 5, Note 8, Note 11, Note 12Pro) in either HK or UK so they all came with the Global ROM, and I've not felt the need to unlock any of them, so not tried to process since. But it definitely used to be pretty easy.
I suspect the reason for the weird process is legal to ensure that phones in China don't get unlocked in order to circumvent content controls.
I dont think you need to do the forum posts but you need to request unlocking every two days and pray it works. Supposedly at 00:00 chinese local time for any chances of getting permission. Took me several months of trying non continuously.
So you were actually successful in the end? I've given up on it.
With the time difference I had to do it at 3am or something ridiculous like that.
They have effectively disabled bootloader unlocking. They can kindly fuck off.
Compared to my previous Xiaomi, which required an account of a certain age and active phone use. But after that the unlocking just worked.
This was before the new system, yes.
Wow, that's insane. Well done.
I had to do something similar with my old HTC m7, but nowhere this.... ridiculous.
I did that a few years ago. Had to download some tool to my PC.
Then make a request that takes 2 weeks to go through. and enter the or whatever (this was like 2016 or something).
Whole process was clearly designed to make you give up.
Their phones where junk then though and i just got something else in the end. They're a lot better now so actually unlocking it is probably worth something now.
When you say junk then, I find that interesting as my first was a Redmi Note 4 launched in 2016, that I got in 2017 (and did this unlock process on, as I bought it in China), and the reason I got that phone in particular was its price (in the UK it was £120, in China I got it slightly cheaper at 1100 CNY) and that it was actually the fastest Android phone available at the time according to the AnTuTu benchmarks.
The modern Redmi Note series is usually a generation behind on performance now, but I keep buying them as they're still faster than I need and there's always still a decent phone less than £150. Only complaint is with the camera, which never seems to get any better even when they claim to have upgraded it.
The two week process was to irritate resellers who change the phone to target markets it wasn't designed for.
Pixel stopped providing device trees, kernel history,
Samsung has been doing this for a while now.
Which are the devices/vendors that still allow / encourage this?
Even Graphene OS reported that they're in talks with some vendor... Have there been any updates towards that?
The main reason i used to root devices are:
* Get longer support/OS updates than what the vendor provided
* System level adblock using adaway
* Titanium backup
These days firefox/brave browser gets me half way through adblocking and i lost interest in the ad filled apps..
Syncing gets me good level of syncing for backup on my NAS etc .
Here's an updated list of relatively popular phone manufactures and their bootloader unlocking potential.
https://github.com/melontini/bootloader-unlock-wall-of-shame...
They mix up Google-vendor (pixels are absolutely the best and most unlocking-friendly hardware at this point), with Google Play Services services/limitations (ie dominant player in android ecosystem) AND Google, the dominant contributor to AOSP project.
And it's also partially false, as Gemini works just fine after unlocking/relocking, and all the advanced features (full performance of the cameras, NPU access, secure element) work even on non-Google OS. Things that do not work (mostly wallet) are valid issue, but then again, they work just fine after flashing OEM firmware And relocking The bootloader.
So I can only guess the quality of the contribution is similar with other phone brands.
Was anyone else shocked to see Microsoft in the top tier of their list of unlock-friendly phone manufacturers?
Given that they're a monopolist?
No, that's exactly the sort of tactic you'd expect from them.
I mean for the Microsoft Android phones it kinda makes sense, since they're not exactly shipping Android by choice. They'd much rather you use the Windows Phones which this says ARE locked down.
Wasn’t windows phone discontinued like 10 years ago?
Apologies for being unclear, it's true Microsoft didn't have the option of Windows Phone for their Surface Duo devices, so they had no choice but to use Android. To clarify, when I phrase something as being an unwilling outcome it does not mean both were equally viable options and they picked the one they wanted, rather that Microsoft's hand was forced due to this development. I hope this helps.
That literally makes no sense. What forced their hands?
Yes.
Surprise that Oppo is in avoid list, while oneplus is in safe list. Both of them are from same company.
This proves there is no technical difficulty to provide unlock bootloader
Fairphone does!
https://www.fairphone.com/en/bootloader-unlocking-code-for-f...
Unfortunately, it's hard to make Fairphone secure. No separate secure element (so much easier to do brute force PIN attacks) and always lags in monthly security bulletin patches and major OS releases (remember that the monthly patches typically only address high/critical vulnerabilities, for the rest you need OS updates, QPRs, etc.).
Until Graphene works out the deal with the OEM that they are talking to, Pixel is pretty much the only secure phone that allows installing alternative firmware.
Does that mean Graphene plans to support phones from other manufacturers than Google?
Do anyone know why GrapheneOS doesn't support fairphone?
As someone else mentioned, GOS requires that the bootloader properly support relocking with a custom key. Additionally, GOS has a rule that any device supported must keep up with all security and quarterly patches in a timely manner, and none of the Fairphone devices do.
No secure element, no memory tagging support, no proper cellular baseband isolation, no verified boot, taking months to ship security updates .. the list is long.
From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
> From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
Compared to Pixel phones this is without a doubt true, but how does it compare against your average mid-range Android device? Do those typically have any of the features you mentioned?
Very roughly, and assuming mid-range is around 400-500 bucks like the fairphone:
- Memory tagging is still pixel exclusive for now, but it's part of ARMv9 so it should be available on more devices in the future unless they disable it
- Most devices now have a secure element, though the exact capabilities vary
- Baseband isolation - no idea really, most chipsets should support IOMMU (or SMMU as ARM calls it) but is not very obvious if that's setup sanely or even used at all on your average device. So I'm guessing most devices are about the same.
- Security patches certain vendors are much better (like Samsung, for their non-budget devices anyway) but a lot do much the same. It shouldn't generally be worse because of Google's requirements.
- Verified boot is pretty standard
> no memory tagging support
That's not a security feature though... We established that. Fair enough on the other points.
For people out of the loop, parent is referring to TikTag[0], a side-channel speculative execution attack breaking MTE in a probabilistic defense scenario, and the weird cope coming from some people that "MTE was only supposed to be a debugging feature anyway".
However, you need some form of code execution beforehand already for this attack, and more importantly it doesn't affect any of the deterministic guarantees of MTE. And those are the main appeal to GrapheneOS in the first place, preventing things like use-after-free by tagging the memory such that it simply can't be accessed anymore. So it's very much a security feature.
[0] https://news.ycombinator.com/item?id=40715018
> MTE was only supposed to be a debugging feature anyway
It literally was. MTE is a padlock with 16 combinations.
The number of combinations is irrelevant if you're not relying on randomness. Graphene sets the tag to a static value on deallocation[0] to prevent use-after-free, you don't even need to guess! The same is true for a lot of buffer overflows, as their allocator ensures two adjacent allocations have different tags, so unless the vuln allows you to skip ahead you'll always trigger a fault.
[0] https://github.com/GrapheneOS/hardened_malloc/blob/7481c8857...
Interesting, fair point! I guess it helps for vulnerabilities that don't allow pointer control (which is probably a lot of them).
I can't find the link, but a couple days ago, they said in a thread here it was due to their lack of support of some important security features, and remarked that it didn't look like they were even interested in supporting them.
You cant re-lock the bootloader with a custom key which grapheneos considers a cornerstone of their security model.
Yeah, otherwise the bad guys can just wait till you're not looking at your phone, reflash your it with a backdoored version, and wait for you to unlock it (evil maid attack).
>the bad guys can just wait till you're not looking at your phone, reflash your it with a backdoored version
I hate it when the bad guys do this to my phone
The bad guys e.g. the police detaining you during a protest and temporarily seizing your property, or the border police "scanning" your phone.
If your phone was in hands of police you better sell it anyway because they could install a physical GPS tracker, etc. So locked bootloader doesn't change much.
Also if you live in a truly democratic country you don't even need to set the PIN code - your rights are protected by the law.
It would be relatively difficult to add a physical GPS tracker to a modern phone. Also, it's unnecessary, the government just needs to take a note of the IMSI and/or IMEI and then use the cell tower records to track you (rather accurately I should add).
The problem is not the tracking inherent in the design of mobile telephony networks, which you can circumvent by using burner phones. The problem is for example abuse of tools such as cellebrite to gain warrantless access to your phone at various opportunities.
This is also why proper baseband isolation is important. Baseband firmware is unaudited and likely to have government backdoors.
If the government wants to surveil me, they'll have to put in some actual effort instead of just taking opportunities.
[dead]
>a physical GPS tracker
Every mobile phone already is one.
https://www.androidauthority.com/fairphone-gen-6-us-graphene...
As others have said they have some security concerns (I don't know enough about that stuff to know how justified or surmountable those concerns are). However with the big manufacturers all locking down their devices more than ever I wonder will they have much of a choice in the end. We're going to need a manufacturer (or preferably several) to actively stand behind the possibility to use custom ROMs, and at the moment Fairphone seem like the only one who might do that.
The curious thing is that being GrapheneOS open source, I would think that somebody could potentially create a ROM for them, even if it is not as secure as GrapheneOS would like. However, absolutely nobody has done it yet...
AXP.OS (axpos.org) is LineageOS-based (formerly DivestOS-based), but includes security backports from GrapheneOS and CalyxOS. No doubt it is less secure than GrapheneOS, but surely more secure than LineageOS, and supports bootloader relocking on some devices.
So, notice Graphene OS was able to port Android 16 on all the supported devices (from Pixel 6 up) basically within a week without device trees already, without the early (OEM) access to the release.
It's a big inconvenience but not a showstopper for them. Pixels are still viable.
The only blocker with pixels would be if they stopped allowing OEM unlocking or relocking (which is a must).
You can block ads without root by using Adguard DNS.
You can use nextdns for DNS adblocking.
> Which are the devices/vendors that still allow / encourage this?
GNU/Linux phones (Librem 5 and Pinephone).
You can use AdGuard to block in-app ads on Android as an FYI
You mean w/ DNS? or an app?
It sets up a VPN and routes your Android traffic through it. But because of battery optimizations etc.. it has been a little flaky for me
Besides the VPN route you can set a Private DNS Server eg: dns.adguard-dns.com
It is really a pity, as this means Android OS is closing down.
Without supported Consumer Hardware available on the market in sufficient volume, even less end-users will use an alternative OS, which will affect quality and size of the alternative OS-market and fragment the remaining users even more.
This will put the future of the entire alternative-OS ecosystem firmly back into the hands of Google. If they start further restricting BL-unlock on the Pixel-series to e.g. only Google Developer Account-Holders, the whole ecosystem will finally close down.
I’ve always said that it’s been “Google’s Android”, and wellp —- Welcome to Google’s Android, where the garden walls have been turned into a razorwire fence and you’re not welcome to leave.
It’s really funny that Apple’s finally allowing carefully controlled access outside of their own fences and slowly adding more APIs and expansion (hell, Apple are the only platform now with third party APIs for RCS in the EU) while Google’s spun an about face and will get away with it.
Of course it's been Google's Android, I don't think anyone ever questioned that. The whole reason why the OS still lives as a single entity and the app-ecosystem is not completely fragmented is due to Google's governance to keep it in check.
All the stuff Apple now slowly starts to allow on iOS due to EU's Digital Markets Act is still just scratching the surface of what Android already supports.
> hell, Apple are the only platform now with third party APIs for RCS in the EU
They provide third party API's to use APPLE's RCS-Service. The alternative would have been to support registering alternative RCS-services as default on the OS (and then, allow the user to choose a service).
> while Google’s spun an about face and will get away with it
Android already allows to install and configure alternative applications for RCS, in fact Samsung uses their own RCS Messaging service on its devices.
> Samsung uses their own RCS Messaging service on its devices
No? They’ve switched to Google Messages, and most/all carriers have switched to Google Jibe RCS (again, Google forcing its services into operator hands), which basically forces SafetyNet attestation to use.
Sorry, you're right. I stand corrected, Samsung discontinued their own RCS-Service in January 2025. Yet the point stands, Google doesn't restrict usage of alternative RCS-services on its devices, Apple does.
> again, Google forcing its services into operator hands
Frankly no. Carriers tried to make RCS work and failed for many years. I was involved in so many meetings, individual projects, interoperability testfests, just to make all the crazy "flavors" of RCS required from different operators work with each other. Each of the large carriers thought he could do RCS better than the next one, destroying simplicity, reliability, interoperability.
Many of them rolled out their own RCS-service initially, with flaky UX and ridiculous limitations making it weaker than WhatsApp at that time.
Google didn't start this mess, and didn't force itself into this matter. But yes, they ended it by acquiring Jibe and unifying the platform.
[dead]
>They provide third party API's to use APPLE's RCS-Service. The alternative would have been to support registering alternative RCS-services as default on the OS (and then, allow the user to choose a service).
RCS messaging is carrier-controlled and configured via carrier bundles in iOS. Apple doesn't run a "RCS service". TelephonyMessageKit [0] in iOS 26+ exposes a standard interface to the carrier SMS, MMS, and RCS services, as applicable, allowing for 3rd party applications to send and receive carrier standards-based messages.
In 3GPP standards, RCS is just another service using the IP Multimedia Subsystem (IMS) framework. Carriers can either run their own RCS service in their IMS core or use a 3rd party service (as many do with Google's Jibe).
[0]: https://developer.apple.com/documentation/telephonymessaging...
You're ignoring an elephant here: Apple meticulously enables these extras functionality exclusively in the EU. They cut these features out for the rest of the world as much as they can. In that regard, they feel like the corporate equivalent of a stubborn 3 tear old.
Google is first and foremost an advertising company. They're going to do whatever makes them the most profit. It always had razor wire fences unfortunately.
I'd argue that they are not merely an advertising company, they are an "attention facilitating company", taking and curating attention of large groups of users and making it systematically available to other parties, acting as middleman.
You know, like Apple...
> [A] is first and foremost a [B] company. They're going to do whatever makes them the most profit.
This is the definition of any commercial business.
I have to disagree... while most "corporations" are chartered in such a way that shareholder value is maximized, you can put other provisions and leadership goals into a corporate charter, and privately owned businesses can have much more leeway in terms of structure and goals.
Many NPOs are corporations/companies legally, but their founding structure isn't to maximize shareholder profits/value. Beyond this, most businesses have two operating models, one is for maximum stock price, which increases the value, but that remains static without trade and/or to provide dividends from profits, which tends to keep stock values more level. With the latter, a business might not be chasing a 20% growth every year, but a healthy margin and predictable dividends to shareholders.
IANAL, this is not legal advice... but if you start a company, and want to emphasize values beyond pure growth/value, then what I would do is definitely talk to a good corporate attorney and tune the founding charter documents to that effect.
It's a datamining company, and there are many ways to profit off of that...
It's like saying Disney is an "image showing" company.
As someone who roots single-purpose Android devices, this is one of those things that sucks big-time but makes total sense.
The only reason one would unlock a bootloader is to root the system partition. It is impossible to protect data on rooted phones and makes data exfiltration attacks significantly easier to do.
This is a huge problem for banking and music apps that absolutely rely on this capability. Samsung is, by far, the biggest seller of Android phones in the US. (I think Xiaomi is the biggest globally), so they are under much more pressure to clamp down on this.
That said, rooting Samsung devices has been a worthless pursuit for a long time. Doing so irreversibly (via eFuse) disables KNOX, which prevents DeX and Samsung Health from working. It also trips SafetyNet, which disables a whole suite of key apps (banking apps and Apple Music don't work; not sure about Spotify). There's a Magisk module that uses well-known device IDs to work around these, but these only work temporaily. Many people have also reported issues with the camera (a popular reason for buying Samsungs in the first place), and you no longer get OTA updates. I believe you also get degraded camera performance if you flash another ROM since the device module is closed-source and relies on One UI to work. This is before considering that stock ROMs have gotten really good over the years (especially Samsung's), and many of the reasons why we had to root have mostly gone away.
You can work around this by buying a Pixel for now, but I think we're a few years away from bootloader unlocking going away entirely.
That said, I stll root Android devices that will only serve a single-purpose, like my BOOX eBook readers that I use Firefox on. This lets me run AFWall so that I can block network traffic for everything except Firefox (and a few other apps). However, I won't be logging into my Google account on them, and they aren't ever going to run banking apps or anything like that.
My response would be it doesn't make any sense. There are so many reasons why blocking rooting is a stupid idea. Just some of them:
- If you're capable of rooting a device then you're capable of understanding the risks which come with doing so.
- The number of users who root their devices will always be so comparitively tiny that the increased risk of data exfil is incredibly small. Also, similarly to above, if you're technical enough to root your device then you're probably not regularly putting yourself at risk by downloading shady apps etc. anyway.
- Rather than decreasing security, rooting allows you to enhance the security of your device by installing lower-level tools and, most importantly, removing all the bloatware crap which comes on most phones. This reduces the surface area of attack.
Let's be honest and admit that the only reason to prevent users from rooting their phones is to protect companies' profits by ensuring users can't fight back against the blatant tracking, data mining, and analytics capture which is so valuable to companies.
The main reason IMO to block rooting is to stop resellers selling phones with preinstalled malware. If the phone has two Amazon/Aliexpress sellers, you're going to pick the cheaper one right? With who-knows-what alterations? It's a really prevalent problem and most people are not going to notice the "insecure" warning at bootup.
Phones can and do have a warning that they were rooted on boot. So this is not an excuse. But don't worry, I'm sure there are several marketing teams at work on new excuses why your computers should be controlled by benevolent corporations and not you.
Agreed. There truly is no good reason to prevent people from unlocking their phones' bootloaders. There are plenty of bad ones.
- If you're capable of rooting a device then you're capable of understanding the risks which come with doing so.
Spend an hour in xdaforums and you'll see how untrue that is.
Many people root just to get YouTube Revanced or something like that. Meanwhile, you have launchers masquerading as a stock launcher that will happily steal refresh tokens for your Google account.
> The number of users who root their devices will always be so comparitively tiny that the increased risk of data exfil is incredibly small
> the only reason to prevent users from rooting their phones is to protect companies' profits by ensuring users can't fight back against the blatant tracking, data mining, and analytics capture
You contradict yourself, if the number of users which will root their devices is tiny, the lost profits from tracking, data mining, analytics is tiny as well.
Not necessarily if you consider the level of paranoia of these companies regarding controlling how their devices are used, as well as the tech sectors growth at all costs mantra.
There's also the argument that if tiny percent can do it, could it start to catch on and slowly grow to a larger percent?
More so in an economic environment where spending $2,000 on a new phone every year is decreasing in popularity, especially when the differences between model X and model X+1 have to squinted at ever harder to determine.
> Let's be honest and admit that the only reason to prevent users from rooting their phones is to protect companies' profits by ensuring users can't fight back against the blatant tracking, data mining, and analytics capture which is so valuable to companies.
I'm with you on the general sentiment, but how do the companies that block rooting benefit from any of the nefarious activities you mentioned? Those are executed by different organizations, typically.
They benefit from user buying a new phone when they stop providing updates for it. If the bootloader can be unlocked, the community can take over support & the device will be used for longer. Kinda like a 10+ old laptop is perfectly functional and usually fully supported by moder Linux distros, but 10 year old phone is more often than not a paperweight.
First party apps, carrots and sticks from large players like alphabet and meta, pressure from banks, pressure from governments.
> The only reason one would unlock a bootloader is to root the system partition. It is impossible to protect data on rooted phones and makes data exfiltration attacks significantly easier to do.
What are you smoking?
The only reason I've ever unlocked a bootloader has been to replace the OS with a different one. And it had nothing to do with rooting. I have no interest in having a rooted phone on my person at all times. But I have full interest in having GrapheneOS protecting me, among many other things, from opportunistic government spying.
> This is a huge problem for banking and music apps that absolutely rely on this capability.
In the case of banking, unlocking the bootloader usually requires a full device reset and leaves a very obvious message when you boot up the phone—you can't grab someone's locked device, root it, and grab their financial data just like that.
As for music apps and other apps that download copyrighted content to the user's device, leaving the moral aspects of stripping the user of control of files on their own device aside, preventing their use on rooted devices just loses them users since
- Those are by no means essential apps
- If you know how to root your phone, you probably know how how to pirate media as well
- People can just use computers to exfiltrate copyrighted media instead since most of those apps have PC versions
It "doesn't make total sense", it never has. It's just a kneejerk reaction that conveniently aligns with stripping the user of control.
The problem with banking isn't rooting itself as an attack vector, but the insecurity and laxk of reliability guarantees of rooted phones so that banks rightfully don't want any liability when something goes wrong with their apps.
which is idiotic as you can have things like locked through adb root that only grants you root if you use adb to connect and you need to approve the request to connect on the phone first. This has nothing to do with guarantees but is just a security theater to sound like they are doing something
My argument isn't as much about the tech as it is about managing risk on the bank's side.
Imagine claims like "the XYZ bank app mangled my input and now my money is gone". I'm certain that people have sued for less. How can the bank argue in court that this wasn't their fault? What if the plaintiff demonstrates some actual glaring app misbehavior in court, but the root cause is in a broken third party Android build?
Are they "managing risk" or are they just "doing stuff"? How often does it happen that an alternative Android OS causes issues to banking apps? I have personally never heard of that, and it would be very bad publicity for the OS.
In my experience, because a company does that kind of "risk management" does not mean, at all, that it is a useful thing to do.
I had submitted a vulnerability report, because the option to require a password could be turned off without a password, and their response was that it works as expected, because they only require a PIN and providing a password is optional. That isn't to say that I have the option to make my account require passwords, it's that providing a password isn't needed, but I have the option of providing one anyway.
With only the PIN requirement, and four attempts before a lockout, a security vulnerability in the OS immediately becomes a 1 in 250 chance they'll have full access to may bank account, if I have a truly random PIN, or a 1 in 5 chance, if I have one of the four most common PINs and it always tries those. All that without having to wait to capture me logging in.
Also, Google explicitly states that the phones storage should not be used for sensitive data.
> It is impossible to protect data on rooted phones
What makes securing rooted phones different from securing rooted PCs?
Phones are portable, and thus more likely to suffer from a physical attack. But that's about it.
It is, and always was a flimsy excuse to the strip user of control over his own device.
"Secure Boot" isn't actually there to protect the device from an attacker. It's there to "protect" the device from its own user. It's used to "secure" DRM schemes and App Store revenue streams.
>"Secure Boot" isn't actually there to protect the device from an attacker. It's there to "protect" the device from its own user. It's used to "secure" DRM schemes and App Store revenue streams.
1. Basically all the serious DRMs (eg. widevine L1) rely on the content being encrypted all the way to the display itself. The OS, secure boot or not, never sees the content in cleartext, because decryption happens in a secure enclave and is immediately encrypted to the display using HDCP.
2. The "app store revenue stream" excuse doesn't really make sense, because you can easily install third party apps on Android, even though nearly all phones have locked bootloaders.
Which is why even "unlocked" bootloader doesn't let the user load his own code into TrustZone.
The name "TrustZone" is rather ironic. It's most commonly used to run DRM code the user should never ever trust.
This is exactly what it is. Google only implemented playintegrity api to please banks and governments. This is all to lock out users and secure revenue and spying agencies.
I don’t get this too. Laptops are just as portable but don’t have this limitation (yet). This argument that it’s to protect banking and music apps is silly, those products work fine on pcs while maintaining security.
> those products work fine on pcs
In the EU, banking apps no longer do. They require a trusted companion device for 2FA, e.g. a smartphone app or a dedicated chip-and-pin device. This is enforced by the PSD2 directive [1], which has been in effect since 2019.
In contrast to that, you’re always allowed to do banking on an iOS/Android banking app. Banks seem to trust the integrity of the OS enough that they allow the app to be its own second factor.
[1]: https://en.wikipedia.org/wiki/Payment_Services_Directive
To clarify, that line was implying something that makes a big impact:
It matters a lot to distributors why like to trick copyright holders into thinking that DRM is effect, which could only be the case if it works 100% of the time on 100% of the users, which it generally doesn't.In other words, security against the user.
Magic rock complicated. Grog say Grug too dumb to do magic rock right, so only Grog have secret magic rock key.
Grug pay Grog many shiny rock for make magic rock work, or Grog use key and magic rock stop working.
???
What?
https://grugbrain.dev/
Nothing. They just perceive the users as more stupid and incapable of handling their personal property properly.
The scariest part is, they might actually be.
If PCs were newly invented today, they may well have been locked down from the start. You already seeing the big names, Apple and Microsoft, with MacOS and Windows, respectively, inching along in that direction.
> The only reason one would unlock a bootloader is to root the system partition.
This couldn't be more wrong. You need to unlock the bootloader if you want to install an alternative OS. Which is a completely valid use-case.
> music apps
It is so silly though. Someone who knows how to root a phone can probably also figure out how to download songs from Spotify (librespot wink wink.)
Banking app do not need to protect data, they are just websites really.
I'm not sure if this is true, or for how long it has been true. I rooted my company phone (Samsung Galaxy S4), removed the crapware, and un-rooted it so that it could join the corporate network. This was a long time ago.
Rooting certainly blows the Vault eFuse. Knox Vault, etc. are newer than the S4 (Knox Vault was introduced in the S21).
For removing bloatware from the user partition you don't need to root, adb or the universal android debloater will do.
My S24 Ultra is unlocked and rooted and I use DeX every day.
More devices we no longer own and that are bound to become trash in a few years, and for what reason? So companies can make more profits?
I decided to part with my Huawei Mate 20 X after about 7 years of ownership not because it was a bad phone - on the contrary, it has a nice big screen, decent enough camera, is still plenty fast enough etc - but because the OS hadn't received any updates in a long time.
Rather than see it go to landfill I donated it to a friend who's happy to use it but what an absolute waste.
Bought a Pixel purely because they are committed to updating their phones for a long time.
I've been using Xiaomi phones but I had to buy a new phone every year or two just because they get so sluggish. My other Android phones kind of had the same, except my Nothing 2 has been going strong.
Has this been your experience as well, or have your phones been OK with responsiveness? Seven years is a long time, I imagine the phone must have been unusable by then.
I've used a xiaomi redmi note 4 (mediakek) for many years before i got it stolen. I've purchased a xiaomi redmi note 10 after that (i am supposing there were six years in between). I was still using it but then I needed one of these big folding phones and bought a samsung z fold 5. It broke down in 2 years, i am back to my redmi note 10. Still going strong. I will never buy an expensive phone again it was a dumb move. Just the cheapest android on aliexpress.
My Huawei was still absolutely fine for me speed-wise. I moved to a Xiaomi 14 for a little while which was obviously faster but not in a "holy shit it's fast" sort of way.
The Pixel is slower than the Xiaomi in benchmarks but I can barely tell any difference in day to day usage.
Maybe if I went back to the Huawei it would feel slow but honestly I would still be using it if it had been updated. Unless the new OS slowed it down.
unlock the bootloader and flash Lineage OS.
They should be economically incentivized to pick up their trash.
This is already in place in the EU via the WEEE directive (Waste from Electrical and Electronic Equipment), but the costs have apparently been absorbed just fine already by this industry, so it doesn't seem to hurt them sufficiently to be incentivized for longevity.
As much as I hate it, the strongest incentive would maybe be to legally define vendors who supply hardware with a non-interchangable OS-ecosystem as service-providers and put restrictions on the price they can charge for the hardware to render the service (like i.e. a cable-modem from an ISP).
This could force the large players to decide between high-margin hardware or high-margin OS-ecosystem instead of aiming for both.
Come to think of it, these market-dynamics would be interesting to observe...
Is any other product forced to do such a thing? Considering a phone lasts for years and is very small, it produces very little garbage over time compared to disposable product people use. Think how big a garbage can is compared to a phone.
I dump a whole bin of paper every two weeks; most of it is recyclable.
Phones are electrowaste. Recyclability of electronics is... not good.
But think of banks and music services, comrade! Banks need the waste to protect you, and poor music services will go out of business if you control your own phone!
You still own the device even if the bootloader is locked. It's like saying you don't own a CPU because you can't add your own instructions. There are always going to be limits to what you can easily customize for a device.
Adding cpu instructions is something that you can't physically do, however unlocking the bootloader is something you can do via software, and if a vendor chooses to lock it down they're basically taking away your ability to do anything you would want to do with a device. Sadly this is has been the case for a while and it's probably going to continue being the case.
You can physically do it with a microcode update. Nothing is being taken away since this change is for new products. They just are not providing an additional feature to these products.
> You can physically do it with a microcode update.
It's also anti-consumer that CPU vendors don't let customers who own the CPU perform whatever updates they want because they don't give out signing keys.
If malware could install microcode it could break the security of the system. There is more consumer benefit than harm by locking it down to trusted updates.
The security model could allow the end user to install keys for the root of trust for the CPU, much like how UEFI Secure Boot allows you to install your own keys. That CPUs don't have this functionality may not be purposefully anti-consumer (and just laziness), but the net effect is anti-consumer.
As it stands, besides preventing the user from making modifications to CPU functionality, the user is also forced to "trust" updates that might be created for specific anti-consumer purposes (say, compelled by government security services).
> As it stands, besides preventing the user from making modifications to CPU functionality, the user is also forced to "trust" updates that might be created for specific anti-consumer purposes (say, compelled by government security services).
That would be less of an issue if the updates were auditable (that is, security researchers could read and study them), even if users weren't able to modify them. Unfortunately, other than some early CPU designs, AFAIK microcode updates are always encrypted. I suspect that their reason is to protect "trade secrets" on details of their CPU design.
Trusted, sure
> > Adding cpu instructions is something that you can't physically do
> You can physically do it with a microcode update.
Do these ARM CPUs even have microcode? Unlike on x86 CPUs where there are some very complex instructions which have to be microcoded, on ARM all instructions are simple enough that their decoding into micro-operations can be completely hard-coded in the decoder logic.
Yes, it's too risky to make CPUs without microcode. Being able to fix bugs, or at least disable things so you don't have a complete paperweight is still important even for ARM.
Disabling things can be done through "chicken bits" on configuration registers, no microcode necessary.
Do you know of any ARM cores used on smarphones which actually have updatable microcode? I've never heard of any. All errata fixes I've seen are of the "set this bit in a specific register" kind.
After looking further into it, you are right.
I disagree. If they have to go out of their way to remove functionality the previous phones had, that's anti-consumer.
It being your own device and removing a feature being anticonsumer can both be true. Every feature comes with trademarks off from the company providing them. It's up to consumers to validate products by buying them if they think the features offered is worth the price. If removing this feature doesn't hurt the sales of the device this feature may be more trouble than it's worth for them to provide.
> they're basically taking away your ability to do anything....
... with your property, with is a violation of your rights in most western jurisdictions.
I don't believe a user lacking the ability to perform a microcode update impacts their freedom in any meaningful way. The CPU still executes whatever instructions it's given unless the user is deprived of that freedom.
The writing's been on the wall for custom ROMs in general for a while, so I've been starting to think about a mobile phone vendor I could actually have a decent business relationship with. I.e. use their stock ROM and be fairly happy with it.
Any opinions? Samsung was a candidate for their somewhat unified ecosystem. Maybe even apple.
I still really like Sony phones. Excellent hardware. They have no online services they are trying to push, they just want you to buy their phones. As a result, the stock software is very clean Google Android without much extra. But they're not available in every region, and quite expensive. Used to have very short software support but now they do 4 major Android version updates / 6 years of security updates.
You get no ecosystem benefits though, it's really just plain Android.
Do they work well on the big US carriers? Especially the ones starting with V?
I really wanted a Sony phone as it ticked all the boxes. Headphone jack, SD card slot and bootloader unlock with LineageOS support. AFAIK no one else does that in current phones.
But the sad reality hit when there were all kinds of hurdles around getting 5G/4G working in Australia. Was not going to risk ~$900 dollars on a phone that could end up being a paperweight and returned it.
It's a sad state and makes me miss the good old days.
Sony phones generally have a ok-ish hardware(their old 4k oled screen is still top-tier for watch videos to date in my opinion) and emmmm-ish software support. And depends on your region, the software support can be even worse. For example, TW-version sony phones have a serious delayed update schedule. You may get an update that others already received for half an year (and pixel phones have already got two years ago)
Though for Americans, Sony sadly doesn't release their phones in the USA anymore
The last few years it's been tougher and tougher to get them. Even in Europe you can now only buy them directly from Sony, and Amazon in a few countries. Sony is not selling them via any other retailers or operators at all from this year onwards.
Whatever floats your boat. I'll remain with the latest vendor making custom OS possible.
FYI Pixels still allow flashing custom ROMs, they've just slightly inconvenienced developers.
It's not necessarily about it being possible, but the level of support and refinement.
The future I'm seeing is one in which custom ROMs still exist as hobby projects, but aren't suitable for use in "production".
You still don't get any better support than with Pixel though. I wish it was different. And I'll be using my Pixel 9 with GOS until its no longer supported (so several more years), and if then there are no viable Android options? Well, so be it, iOS (which i despise but Android with Google pervasive surveillance is unusable. I know, iOS is not much better but at lease is about as secure as gos).
In this domain, things change so fast that I decided to just focus on my next phone, or like the following 2-3 years.
The future is as bleak for the custom ROMs as is their past. They are aftermarket modifications of the phone software, entirely dependent on the manufacturers and Google, and these release new things yearly.
Pixels are a good choice I think because they come with the least amount of bloat, and with Android, the connection to Google is always there anyways.
Samsung carries a lot of advertising crap, tracking, etc. Pretty much every phones is going to be worse than Pixel in that respect, since you get Google's tracking + whatever pile of crap the vendor added (which in the end they all seem to do).
So it's basically:
Pixel with GrapheneOS > iPhone >> Google Pixel with PixelOS
I wouldn't recommend anything else. Theoretically Fairphone + e/OS may have been an option, but the security is crap.
I guess there is Sony, you could even install Sailfish OS, no experience though.
I've owned a few pixels but for whatever reason in my case the hardware had a habit of randomly dying just outside of the warranty period. But maybe I can revisit.
Check Nothing
Apple is good out of the box, and has a strong ecosystem.
Sony Xperia models have been my choice since the Sony Ericsson days. Unlockable bootloader, LineageOS available, microsd card, headphone jack, good screen, decent camera, reasonably powerful SoC, water/dust resistant, and probably several other benefits that I'm forgetting at the moment.
I don't know if any US carrier offers them, but last time I was shopping, models with North American radios could be bought online.
My main complaints about Xperia phones:
- They don't support re-locking the bootloader at all, let alone with custom keys. This could be problematic for folks who depend on mobile banking apps that require full Google Play Integrity (SafetyNet) attestation, or risky for folks who leave their phone unattended around potential adversaries. To be fair, almost all smartphones have this problem.
- Their wonderful Xperia Compact line, comprising smaller versions of their flagship phones, seems to have been abandoned. Even their most recent "compact" models were bulky compared to their predecessors.
dont worry, samsung knows only 300 people will actually care.
As for me, I already swore off Samdung for their whole Samsung account bs and apps they bundle and won't let me remove (or disable).
Yep. Everyone I know who bought a Samsung anything (TV/Phone/Washer/Dryer) last time said it's their last Samsung product. Samsung sure know how to piss off customers.
Well, I dunno. I've seen it as a lesser evil compared to many others.
In ye olden times I had such a horrible time with my cheapo Samsung when trying to upgrade it from Android 1.5 to 2.1 that I swore it'd be my last Samsung, and it was, for well over a decade. During that time I went through some iPhones and a handful of the most popular alternative Android brands.
Since the thread is about Android I'll focus on that. Every manufacturer was hamstrung by one or more of the following issues:
- Subpar hardware
- Difficult and slow RMA process where your device flies around the globe for repairs
- Software bloat, just like Samsung, but from a country I trust even less (China vs SK)
- Very infrequent updates (if you are lucky enough to get them at all), especially once a newer model is out
Now since this thread is about bootloaders this is probably a hot take, but I spend enough of my time troubleshooting stuff at work, so when I use my phone I want it to "just work" and not have to play some stupid anti integrity protection cat and mouse game to access my bank's app. So the last two are not solved with an open bootloader.
Samsung on the other hand has in recent years given me the "just works" experience on decent hardware, paired with frequent updates. And while their authorized repair shop might not be in my city, it is at least in my country and just a train ride away.
That being said, the nerd in me is disappointed in this move, and the recent EU ruling that forces manufacturers to actually support the stuff they sell for a reasonable time even after it's off the shelves might change things for the better w.r.t. other manufacturers.
I've got a Samsung dryer and when it had a fault with the door sensor they got it fixed pretty quickly. I had better service from them than Bosch or Miele - I replaced a Bosch dryer when I was totally fed up of trying to organise Bosch to fix it and being told it was at least a 6 week wait - Samsung half the price, and surprised us that it is a better dryer (faster, easier to use etc).
I don't love their phones, though my wife has one. However, again on the service front, when my samsung S7 had a problem they fixed it pretty quickly. When my iPhone 5 came with the wifi not working it took weeks to convince Apple that it was actually broken and get a replacement.
All anecdotal of course, and probably varies a lot by location and over time.
It’s amazing how nothing goes wrong with my 20+ year old Maytags, Whirlpools, or Estates by Whirlpool (their budget subbrand). No logic board failures, drain pump failures.
Acquired from yard sales and then subject to duty cycles of 5-10 loads a day.
Somewhat relevant, I have 3 relatives/colleagues still sporting iPhone 8’s/8 Pluses. The only issue is that some newer apps are slow. Told them to grab iPhone SE 3rd gens before they’re discontinued; one of them has it sitting unopened in the box, waiting for their 8 to die.
> It’s amazing how nothing goes wrong with my 20+ year old Maytags, Whirlpools, or Estates by Whirlpool (their budget subbrand). No logic board failures, drain pump failures.
whirlpool tumble driers are notorious in the UK for catching fire
https://inews.co.uk/news/business/peterborough-fire-hotpoint...
> At a parliamentary hearing in July, the US appliance company told MPs the numbers were higher than feared, after 1.7 million products were modified following the scandal.
> Whirlpool said that its machines could be linked to 750 fires in the last 11 years, or one every five days.
the grenfell disaster was also started by a whirlpool fridge
and their factory in peterborough also caught fire
This is also anecdotal; but I heard it from someone who works in Home Appliance repair, but Samsung has been getting their act together in the last couple of years because they know their reputation has been horrible. Making their appliances more reliable and easier to repair. They worked with the home assistant recently to get their appliances (smart things) to be able to properly with it.
It's actually incredible how consistent they are with it. I'm hesitant to buy a foldable or a display from them for this very reason, even though I'd be otherwise interested.
Is the alternative really better overall. We upgraded to a samsung fridge last year from two consecutive cheapo-chinese-local walmart-brands and it was worth every penny. It will pay itself in energy savings in less than two years.
Mine cost me a whole fridge of food which was the energy savings gone. Which was my last Samsung product.
I think their phone in the high end is the best phone on the market, unless ios is a requirement for you. Also, I bought a Samsung AC and really like the smart features. Really nice integration with Alexa too.
samsung is the only smartphone manufacturer that still makes phones (though not many) with all the features I want: microSD slot, dual physical sim, side-mounted fingerprint reader, headphone jack, nfc, and regular (long-lasting) security updates
they also have service centers pretty much everywhere in the world, so I can always get my phone fixed (for a reasonable price, as a result of their ubiquity) if and when I inevitably break it
would I also prefer the option to unlock my bootloader? yes. if I'm honest with myself, is it a deal-breaker? sadly, no, I no longer use custom ROMs
They seem to skip some years when bringing updated models to the US for some reason, but Sony Xperia phones check most of these boxes. I have an Xperia 1 V that I use as an app dev test device and as a backup phone and have found it pretty nice. The hardware feels great and their Android build isn’t nearly as junked up as Samsung’s. I’m always surprised they aren’t more popular.
Which of their phones have all of these?
https://m.gsmarena.com/samsung_galaxy_a06-13265.php This year, no NFC.
https://m.gsmarena.com/samsung_galaxy_a15-12637.php Last year, but they removed 3.5mm this year
That I know, in Latin America, they don't have all that anymore. And there is only one left with 3.5mm.
That's what I expected, especially the 3.5 mention made me suspicious.
check out the XCover line, though apparently this year's model makes you choose between fingerprint and headphone jack (XCover7 vs XCover7 Pro)
you do give up a lot camera-wise, though
There are no smartphones or pocket computers that tick these boxes anymore, since general-purpose computing is an anathema to the modern, specialized enshittification slop. For a modern device to serve most, if not all, relevant features, it takes a company that is built around principles that go beyond just shareholder satisfaction. You see the dilemma...
AFAIR, the Samsung Galaxy Note9 was the last device that deserved to be called general-purpose pocket computer. EMR stylus, 3.5 mm audio, mSD card slot, USB-C 3.1, good CPU, adequate memory for the time (8 GB), good cameras. If you're willing to forgive the non-removable battery, the only suck was the screen if you were sensitive to PWM, especially with regards to lower flicker frequencies.
Alas, seven years ago Samsung got the itch and divorced from good pocket computer design. The Note9 seems almost like an accident, given Samsung's market policies of today.
I have an xcover 6 pro with dual sim, 3.5 jack, removable battery and micro sd support, it works great (except buying an original battery is not super easy). I know the 7 is out too but I think its reviews were worse on amazon
Other than the side mounted fingerprint meter, I replaced my Note 10 Lite with another Note 10 Lite because it had all the other features.
Yup, and it was released 6 years ago and is no longer getting security updates.
> microSD slot
That stopped from S21 on.
> side-mounted fingerprint reader
It is in the screen since S10?
> headphone jack
Not since S20.
Just speaking of the Galaxys of course.
you're just speaking of the Galaxy S line, there are at least four other Galaxy lines, some of which dropped these features only this year and one of which has all of them (XCover), though it looks like this year's release makes you choose between fingerprint and headphone jack (XCover7 vs XCover7 Pro)
Those 300 people include some experts at spiritual warfare which will guarantee that all involved in this decision will reincarnate into durian fruits in the next life.
What do you use? Samsung are anti-consumer but none of the other big phone manufacturers seem to be much better (and historically at least Samsung's flagship phones have been pretty good hardware-wise).
I try to avoid big <anything> manufacturers by default.
Some of the Samsung apps are better than alternatives. Google is not the best at everything.
Same here. I got so tired of fighting "the system" that wanted to manage everything, and post-updates meant mire wasted time switching off bloat/features I didn't need.
Been compiling and running lineageos for nigh on five years now. Attention corporate tyrants: I will never give up.
Seems you may have to start getting good at SMD rework soon.
Either freedom or zip. I'd sooner bang rocks together than use a phone I can't compile the OS for. The number of required binary blobs is a foul enough insult already.
You can always move to a phone that runs on mainline Linux proper.
Not seriously, IMO.
I have been daily driving one for two years.
Did you spend a few thousand on a purism, tolerate the woeful hot and slow character of a pinephone, or something else?
Less sardonically: I am a Linux Person but couldn't imagine really using one of those things today. It would probably kneecap my whole life in subtle ways; in the US using android already does.
The former. And yes, it did change my life for the worse for a while. I think I’m well past the trough of despair by now though.
It is getting incredibly difficult to obtain a non-backdoored smartphone nowadays.
I tried to find which phones support alternative OSes, without Google control and telemetry, but it turned out that alternative OSes (LineageOS, PostmarketOS, Graphenos) support mostly support outdated models and it makes no sense to buy them. There is also "Google Pixel", but the prices start at around $600 which is 3 times more than a reasonable price for a phone.
So now I am wondering if it is possible to extract the ROM from a reasonably priced Samsung phone, remove the components I don't like and write it back.
GrapheneOS supports the newest Pixels, and only the Pixels that are still getting updates from Google. Right now the least bad option is probably a one-generation-old NOS or Open Box Pixel with GrapheneOS.
I did this. I got an open box Pixel 9A at Best Buy for $450 about a month ago. I immediately installed GrapheneOS on it.
Will this stop you from purchasing a new Samsung device?
Yes. I was buying Samsung devices for years because of size (A5, A7, S10e) and ability to unlock bootloader for Lineage OS. Time to look elsewhere.
Yep, if Samsung phones are now just as closed as Apple, well.. Android phones certainly aren't superior in many dimensions. Bummer.
I have to wonder what Samsung's motivation is here. Of course they probably have some bloatware they profit from, but someone who plans to unlock the bootloader just won't buy their device now. Samsung only benefits if they lose money on device sales (do they?) and make it up on "services".
I’ve got five bucks on this being a new requirement from Google to Tier 1 OEMs to eliminate bootloader locking.
Google's own Pixel devices have easy unlocking, so this would surprise me. Google's strategy to keep devices users actually control from being too mainstream is remote attestation.
Samsung botched UI 7.0.[1] Their approach to UI 8.0 is more of the same. Removing features is one thing, this is something worse.
[1] https://us.community.samsung.com/t5/Galaxy-S22/One-UI-7-0-Up...
I'm guessing this is your post? Way too anacdoal to make generalizations to OneUI 7.0 as a whole (and, expecting the demands to work in a community forum is funny, and, was the prompt "hey chatGPT, write a frustrated forum post?")
No. I could have picked dozens of other posts.
How many people are there that unlock their bootloader?
I just unlocked the bootloader on my Xiaomi Mi Pad 5 today (which was a nightmare to do btw.). Why did I unlock it? The device has nice hardware, but is stuck with Android 13 and does not get any security updates either, so flashing a custom ROM is my only chance of having an up-to-date device.
Next step will be to try PostmarketOS and see how that goes
Few, and far fewer than in the early days of Android. It's odd that a company Samsung's size would care about this.
No I'm talking about what you said about someone not buying their phone because of bootloader locking. Majority of the majority don't care about the bootloader, so is Samsung.
My point isn't that it will cost them sales in an amount they care about.
My point is that someone at Samsung made an active choice to remove unlocking, presumably thinking that choice would bring some benefit to Samsung's business. I'm curious as to what they believe that benefit to be.
Damn, I got a samsung instead of an asus phone because I could unlock it. Now what:s left? Really annoyed at all those companies who refuse to let me own my own phone.
And before anyone asks me if I really need to unlock my phone... It's the principle of it, if I bought it, I own it and I should be able to run what I want on it. I will not buy a phone from a company that denies me that right.
That said, I do use root for a few things:
- AFWall+ (previously I used netguard but can't run multiple VPN on android so I couldn't have that running together with tailscale)
- Neo-backup. Some messaging apps believe that keeping chat history is not important. Or they believe that it's fine that the only way to transfer chat history is to upload it to Google cloud without encrypting it. I hate losing my chat history and I do not want it uploaded somewhere without encrypting it so I need a backup solution. Enters neobackup
- Sometimes, it is useful to be able to spoof one's GPS without the app being the wiser from a privacy perspective.
- A very stupid banking app I have prevent screenshots but then doesn't allow me to download a proof of transfer. So I use root to remove the restriction against screenshots
Exactly. This is why I won't buy from these companies even when conditions look good. It'll be bait and switch every sigle time. Fairphone all the way.
When Fairphone comes out with a phone with an EMR stylus built in, I'll be the first in line.
That's very picky. I'm sure there are better ways to solve your problem.
Jim not sure what you're getting at. Right now I'm stuck in the Samsung ecosystem because the S Ultra devices are the only devices that have a built in EMR stylus. They're great devices, I'm not complaining, but diversity and other options would be nice.
Normally, I'd go and say "vote with your wallet" - but sadly, in the tablet sphere, it's either ultra low spec Alibaba junk or it's Samsung. No Fairphone, no Pixel, nothing.
Seriously Samsung, go and screw yourselves.
The reason I insist on rooting in the first place is because unlike iOS which has a true full backup that you can trigger from your Mac (and restore afterwards), Android decidedly does not, and a bunch of apps don't do any kind of cloud sync.
Even then, Samsung lags hard in the tablet space.
IMO there is kinda only one option... an iPad.
It's an order of magnitude better than anything else out there. And that's coming from someone who doesn't really like Apple products.
Given that your major reason for rooting is something that... Apple solves for. Maybe there is another option?
Believe it or not I did consider going the full Apple route. The problem is, Apple doesn't offer anything in the 8 inch zone. I need a tablet that fits into my pant pockets.
And on top of that, there's no way to migrate the data from a bunch of these apps from the Google walled garden to the Apple walled garden, not to mention purchased licenses.
Is an iPad Mini too big? That’s an 8.3” display.
Interesting, thanks. The price tag is heavy on them though, the Samsung Galaxy Active Tab 5 is at less than 400€, the iPad Mini about 800€.
there are countless decent android tablet not from Samsung. Lenovo, oppo, oneplus, xiaomi.
Oppo is Chinese, so is Oneplus, so is Xiaomi - those are what I meant with "alibaba garbage", especially when it comes to performance. I don't trust either of these brands to deliver updates on time or for more than two years, spare parts just the same, and that's before the question if one wants a brand that may be targeted by US sanctions like Huawei, locking the user out of Play Services.
With Samsung there are established networks on how to get spare parts and they have a proven track record of delivering updates on time.
Lenovo's offerings are a disaster performance-wise.
what do you mean "alibaba garbage", Have you checked them ?
The lenovo 12.7 pro 2025 has D8300 cpu, which is on par with QC 8g2. Oppo Pad flagship using 8 elite CPU, and you still think they have trouble with performance ?
What a fucking nonsense.
I never had the chance to root any Android device (unknown models, locked bootloaders, no benefit on rooting, or simply bad hardware), guess I'll never have it again.
Samsung also removed my flashlight recently. The whole pull-down that contained it is gone. Not sure what they're thinking over there.
You're gonna have to explain that one.
Do you mean the new One UI update that made the notification pull down split into left and right swipes instead swipe down and then swipe down again? Because if that's what you mean, you can configure it to be the way it used to be again.
Little pencil button, then panel settings and choose together instead of separate.
That was it!! How was i supposed to know to swipe down and then right? Grrr!
Glad I could help :)
I think they have like a one time pop up to explain which is easy to miss.
... Use the edit functionality to add it back?
I assure you that Samsung doesn't care to remove your... flashlight.
This likely just got removed from a fat finger/phone being on in your pocket/etc.
And fuck you over with data mining everything all the time without you having any means to cut it out
Doesn’t seem to be any vendor option to avoid this other than Apple, or the niche guys like Fairphone.
Apple 1000% datamines you, it's in their ToS that you agree for them to use your data for their own marketing.
I'm surprised they let it go on as long as they did.
Given the timing, it’s likely related to: https://news.ycombinator.com/item?id=44705240
Unlikely, bootloader unlock is a controlled process and state of the OS for many years now.
The procedure explicitly hands over the responsibility of OS-integrity to the end-user, it's not Samsung's responsibility after that and the user needs to confirm that.
It's much more likely that the cost/benefit profile to develop/maintain/support that feature and its related unlock-process is simply not sufficient, all while several of the biggest customers explicitly require unlock to NOT be supported.
What's the cost to develop/maintain/support the feature? It's a simple switch, and since it's probably in AOSP there's cost in removing it, not in leaving it there
The cost is in managing a permitted device-state without a full trust-chain, and maintaining the unlock-logic and service of such an unlock of a device.
It should be simple, but since some carriers required BL-unlock to not be supported at all, many carriers required the availability of a list of all devices being unlocked and all required unlock to be irreversible, there are quite a few considerations to keep this working securely whenever something is touched in the trust-chain of a device.
I hate to say it in this case because I was advocating for BL-unlock for YEARS, but if there's no sufficient commercial demand and no "higher motivation" to justify it, it's a security-risk that's easy to avoid and easy to descope...
I don't understand your points, to my eyes if the bootloader is unlocked you simply either:
- don't provide the features for which you require a locked bootloader
- and don't do anything with the rest of the features
And anyhow, I'm almost sure that this is AOSP code (with a quick search I didn't manage to find it).
And, I don't know any carriers that require a locked bootloader outside of the US, and Samsung already only sold models without bootloader unlocking in the US.
You should read up a bit more on the matter then. The bootloader is not shipped in an unlocked state, even on a device which supports BL-unlock.
Bootloader-unlock describes a feature which supports a controlled break of the trust-chain of the device, so telling the bootloader that it should continue executing the bootshell even if the signature check has failed.
In this state the OS should continue to boot despite of this state, and applications should gracefully handle such a condition.
The crucial parts of this are also not part of AOSP, it relies heavily on the chipset manufacturer and the OS-implementation of the device-vendor.