Unlock Pixel 3a Bootloader


Jayme Chouinard

Aug 5, 2024, 9:38:51 AM
to harddesrkiti
For example, T-Mobile Pixels are standard Pixels but are locked until you pay off your subsidized phone by having your plan for a certain number of months (not a high amount), and then you can request to lift the locking.

This approach is taken to have standard hardware, firmware and software across all of them despite having locked carrier ones, and without needing to statically provision them as locked in the factory.


The reason Pixels are mentioned at all in this post is because they are the only phones which allow safely unlocking the bootloader, putting them ahead of every other phone on the market in respecting the user. All phones should allow users to safely unlock the bootloader. Google should still do better.


Is it a Verizon USA handset? If so the bootloader is unable to be unlocked unfortunately. Though I have seen on some international models where it is greyed out in settings (because it has previously been unlocked before), so if you go into fastboot and unlock the bootloader, it will still unlock.


I also just came across this page for OEM unlocking Verizon Pixels, and from the comments it seems that people have had mixed results. Also my Pixel came upgraded to Android 10, which might complicate things.


Hi guys. So I finally found a way to unlock a bootloader on a Verizon Pixel. Without further ado, let's get started. This method works on Pixel and Pixel XL. 1. Remove Google account and any kind of screen lock (fingerprint, PIN, pattern, etc.)...


Hi, yes, I performed this just last week on a used Pixel, and got /e/ installed successfully. It will only work on Android 9 and below. Many of the used and refurb Pixels are running Android 9 still and were not upgraded to 10.


This page contains binary image files that allow you to restore your Nexus or Pixel device's original factory firmware. You will find these files useful if you have flashed custom builds on your device, and wish to return your device to its factory state.


These files are for use only on your personal Nexus or Pixel devices and may not be disassembled, decompiled, reverse engineered, modified or redistributed by you or used in any way except as specifically set forth in the license terms that came with your device.


After taking an Android 13 update and successfully booting the device post update, an Android 12 build resides in the inactive slot (seamless updates for more information on slots) of the device. The inactive slot contains an older bootloader whose anti-rollback version has not been incremented. If the active slot is then flashed with a build that fails to boot, the fallback mechanism of seamless updates kicks in and the device tries to boot from the inactive slot. Since the inactive slot contains the older bootloader, the device enters an unbootable state.


To avoid hitting this state, if you are flashing a Pixel 6, Pixel 6a, or Pixel 6 Pro device with an Android 13 build for the first time, please flash the bootloader partition to the inactive slot after successfully updating and booting into Android 13 at least once. This can be done by following these steps:


Option 1 (recommended): After a successful boot into Android 13 for the first time, sideload the full OTA image corresponding to that build and reboot the device to ensure that both slots have a bootable image.


Extract the contents of the factory ROM .zip file, identify the bootloader image in the extracted files, and follow the sequence of events as listed below to flash the bootloader to both the slots. Substitute the name of the bootloader image with that of your device for the Pixel 6 and Pixel 6a.


Flash the Android 13 bootloader to the inactive slot. The following command is specific to a particular build of a Pixel 6 Pro device. Substitute the name of the bootloader image determined in the first step above, if different, for the image file name argument.


After flashing the inactive slot bootloader to an Android 13 bootloader, reboot to that slot to ensure that the bootloader will be marked as bootable. Important: Please run the exact sequence of commands as listed below. Don't forget to enter the full line fastboot reboot bootloader when rebooting. Failure to do so may leave your device in an unbootable state.


While it may be possible to restore certain data backed up to your Google Account, apps and their associated data will be uninstalled. Before proceeding, please ensure that data you would like to retain is backed up to your Google Account.


Downloading of the system image and use of the device software is subject to the Google Terms of Service. By continuing, you agree to the Google Terms of Service and Privacy Policy. Your downloading of the system image and use of the device software may also be subject to certain third-party terms of service, which can be found in Settings > About phone > Legal information, or as otherwise provided.




I was trying to flash a custom ROM on my phone (Pixel 6) and something went wrong. I was following the instructions on screen and the last one was to lock the bootloader, which I did. Now the phone seems to be stuck in a boot loop (I keep getting the Google screen) when I start. On the boot screen I am unable to use the recovery or rescue mode; they bring me back to the boot screen. I'm very concerned about what to do now. Can someone please help!


In our previous blog post, we had access to read and write primitives. Great! The next step is now to be able to directly execute our own code without using ROP programming. And for this purpose we need to either find some WX memory maps, or to create some.


Through various means you can find that abl contains part of Little Kernel (LK). Having a look at the LK source code, we can find information about the memory layout. I started digging with arch_mmu_query, which returns flags based on a virtual address and some arch_aspace_t struct.


The arch_mmu_query from LK makes the walk from the initial entry to the page table descriptor like the CPU would do. If you are not familiar with the Virtual Memory System of the AARCH64 architecture, a good reading could be this one


The last value of pte will be the descriptor of the virtual memory we are looking at, and from here, we can check what kind of rights the page has (is it readable, writable, executable?).


The purpose of this script is to put everything the compiler will generate in the text section, and to include offsets and memory locations from different files. The format of the offsets locations is the following one


In this part we will try to change the page table we previously used in order to find a WX memory, to get write and execute access rights to some part of our code. We will copy/paste some code from LK and change it to quickly get a pointer to the page table. I called this method get_pte in the repository. Then the only thing we have to do is to update the access rights.


If you are interested in this first blog post and want to work on research projects around bootloaders and internals of Android/iOS, we are looking for kind people! Patch Analysis, Fuzzing and Code Emulation will be 80% of your daily tasks.


I am in the process of doing some development work with my Google Pixel 3XL and am getting hung up at some stages due to the "OEM unlocking" feature being disabled. My understanding is that this is because the phone has been purchased from Verizon.


I am disappointed that after spending a sizable chunk of money on this phone, its capacity as a productivity tool is severely handicapped simply because of where it was purchased. Would a member from the Verizon team please direct me to the policy or agreement which enforces the prohibition of OEM unlocking?


If Verizon Wireless does not make any alterations to the boot loader or restrict any developer options on devices, why does Google sell the phones with the bootloader unlocked and without any developer options disabled, but when you buy that same! exact! phone! from Verizon those options are locked? I have written communications with the Google company that state they do not lock the bootloader or lock any developer options before selling them to other retailers.


"The bootloader is a tool used by the manufacturer that allows interaction with the base programming or OS, we do not suggest anyone try to unlock that system, as doing so can damage the device and void any warranty from the manufacturer. There should be no reason to interact with that system. ChristopherS_VZW"


Thank you, we understand that. You telling me there should be no reason to interact with that system is like telling someone that bought their car there should be no reason to change their own oil since the auto body shop can do that for them. You completely understand what we are asking and have once again avoided answering the question.


I know for a fact when the device is purchased directly from the mfg unlocked, the bootloader's unlocked. Which means I can use a SIM card from any part of the country. But with a device purchased from Verizon the bootloader's locked forever which means I can't use a prepaid SIM card from overseas.


I had contacted Google & Verizon numerous times with no luck, both just blaming each other. I purchased the device last October & til this day I still cannot use a SIM from another carrier. Verizon had confirmed my device's already unlocked but I think it's bogus!


VZWSupport - "Hello, (lyonster89). We do not have information on how to load ROM's on your device and do not advise doing this action as it voids the warranty of the device. Was there anything else I could help with? *TXH"
