Upcoming Jolla Phone bootloader locking and flashability

The anti theft protection is a legal obligation in many countries.

I don’t think Jolla have much choice here.

Yes, and even if the phone is rendered 100% unusable (for example an iPhone that’s in “lost“ mode and also has its parts like the screen locked to that individual phone so can’t scavenge parts) some most desperate thieves (like addicts) will just disconnect the battery connection and try to sell it to people saying it’s out of charge until someone falls for that. Trying to deter that kind of theft is impossible, all the “theft prevention” mechanisms just end up bricking non-stolen phones that would otherwise work fine but now end up in landfills.

Interesting, can you link some said laws? Is there EU regulation for this? As i understand, with Android google obligates implementing FRP if you want Google (Play) services in the device.

There is a US one : https://www.congress.gov/bill/117th-congress/house-bill/7362

That’s just a bill. It’s only a bill, and it’s been sittin’ there on Capitol Hill . . . referred to a committee and never got out, so not a law.

If you want to see how the process works – in song, no kidding – here it is:

And the bill became a law.

Google, Apple and BlackBerry didn’t add theses anti theft features because of consumers concern, but because they were obligated to do so.

Hate the phrasing. They always do that, and not just in the USA. It’s never a “bill to consolidate corporate power over consumers”

Honestly? Yes.

If anyone is buying the phone as a secondary device for toying/tinkering with. It would be very much in the cards to try and flash out of tree builds of SFOS, or give PMOS or even Ubuntu Touch a shot.

It is not exactly outlandish to ask wether or not the linux phone (whose device drivers can be moved around with ease as they should be already in the mainline kernel) can or not have other flavours of linux installed.

And honestly, yeah, knowing if the bootloader is unlockable and having a flashtool of sorts for shenanigans would be a positive.

No. The federal bill 2022 that died in committee didn’t come back to life, go back in time and become two different state laws in 2014.

You don’t have to wait for the J2 or pay a premium price if you want to do that. If you’re actually interested in that sort of thing and not just typing that in the abstract, then the OnePlus 6(t) can be acquired cheaply and flashed with all of those you noted and tinkered away on with little risk. That’s just my favorite example from among numerous devices that would fill that need.

this is deeply alarming to me. i will be very upset if the J2 is not fully user flashable. for one thing, i flash my device on each upgrade, and reconfigure the device with an automated script that i maintain.

for another; i edit the flashable binary image to skip encrypting the home partition and keep nemo as the the default user.

also, why shouldn’t i be able to flash android or UT on a phone i will be maying money for and, at least in theory, will own?

finally, it’s simply disgusting that any devices are allowed to be bootloader locked by the manufacturer, and not by the enduser. we expect this sort of anti-consumer behavior from large corporations, but Jolla should do better.

Out of curriosty, why keep the nemo user ?

It’s been a while since that change.

Probably nothing more than an sentimental reason for people who have been using SFOS from the beginning.

I still wonder why people seem to get stuck on this topic and react so strongly, even though nothing in Jolla’s past suggests that the boot loader would be locked.

But theses laws exist and that’s why Google, Apple and BlackBerry with BB10 10.3 implemented the need to have the password even after a reset.

Sorry if I didn’t find the right bill or law to link.

1. the user for a device i own should be my username, not hardcoded to any value
2. nemo is 4 chars, defaultuser is 11. i spend a lot of time in a terminal
3. i have many scripts and programs with thousands of LOC. it would be annoying to change
4. nemo is a cool, aesthetic, and thematically appropriate
5. defaultuser is a TERRIBLE username. it should have been ‘sailor’.
   • you shouldnt name entities after the category of the entity. a bucket named bucket can lead to confusion. #define DEFAULTUSER "defaultuser" , s/DEFAULTUSER/nemo/i, etc
   • its NOT the default user, it is the ADMIN account, and the only user. default implies you can change it.
   • it is BOOOORING, and long, and you cannot change it

edit: on a side note, i know that they had a business need to un-hardcode ‘nemo’ and change the username, as mer/nemo branding was no longer appropriate.
but they then had the opportunity to generalize on the username, and make it officially and easily customizable, with very little additional effort. its been, what, 5 years? since the switch, and nemo still works just fine for me, so it’s obvious that customization wouldn’t be brittle. useradd/groupadd and$HOME creation isn’t done until after you enter the pin for encryption anyway (or else my flash image edit hacks wouldn’t work). it would have been trivial to add a textbox for username to the first-boot-wizard….and maybe a UI for skipping the (pointless, breakable, short numeric pin keyed) LUKS encryption.

the idea of the bootloader being locked was a new and shocking one to me, i am just registering my dismay at the possibility. i didn’t know about the situation with the J1.

see my above post regarding nemo ‘sentiment’. you are not wrong, sentiment/aesthetics is part of it, but also…you’re wrong

I spend also a lot time in terminal and see no problems entering that username, because you can just enter the first two chars “de” and press tab for autocomplete, voila!

But for the tidyness of things it would be good if SailfishOS-Usernames follow the default Linux behaviour aka choose an own username at install.

I checked the laws you linked, thanks, this sent me down a rabbit hole…

https://www.congress.gov/bill/117th-congress/house-bill/7362/text

H.R.7362 - Cell Phone Theft Prevention Act of 2022 - Not a law, very loosely defined draft, mostly about IMEI blacklisting but what comes closest to this topic is this:

”A person may not manufacture for retail sale in the United States, or import into the United States for retail sale in the United States, a smart phone unless such phone is—” “equipped with pre-loaded anti-theft functionality at no additional cost to purchasers of such phone, or capable of downloading anti-theft functionality that is available at no additional cost to purchasers of such phone”

That sounds like the “protection“ could be opt-in and not by default, and in my opinion it should be opt-in (and not by default, automatically activated by logging in with an account and entering a passcode, like FRP/iCloud lock are now)

This completely different 2014 California bill SB 962 though, BINGO!

”Requires any smartphone manufactured on or after July 1, 2015,
and sold in California after that date to include a
technological solution at the time of sale, to be provided by
the manufacturer or operating system provider, that, once
initiated and successfully communicated to the smartphone, can
render the essential features, as defined, of the smartphone
inoperable to an unauthorized user when the smartphone is not
in the possession of an authorized user.”

”Requires that the technological solution be able to withstand
a hard reset or operating system downgrade.”

“Requires that the technological solution prevent reactivation
of the smartphone on a wireless network except by an
authorized user.”

“Requires that an authorized user of a smartphone be able to
affirmatively elect to disable or opt-out of enabling the
technological solution at any time.“

So THIS is what led to FRP . Well, now we know the bill we can blame for opening this pandora’s box. As often happens, a local bill passed somewhere has led to a worldwide policy change by Apple and Google and defined an industry standard.

Before someone asks how i would fix this law: 1. Add an exemption for devices with an open bootloader and 2. The “Activation lock“ should only last, say, two weeks by default, and become permanent only if the “Authorized user“ is proactive and reports the phone as stolen within two weeks. No report=”Activation lock” automatically disables.

Now i am interested in how Purism Librem devices are assembled in California, but all info i can find points towards their bootloader being open… Can someone familiar with their products confirm?

I have an OP6, i know it is great for tinkering. The point is not that i personally need to fill a need for tinkering with something right now. My point is that as a preorderer of the device, i want to express that i think an open device should have an open bootloader, and this device should be setting an example. So, i am talking about the “bigger picture“. Here’s an example why we need to talk about this and push for more new devices to have an open bootloader:

OnePlus used to be great in offering actual control over your phone, customizability and repairablity. However, they have changed their ways and are now with some latest phones engaging in anti-consumer practices, for example they are utilizing e-fuses in order to prevent rollback to previous software versions. If you revert back to older software the phone will be hard-bricked:

Imagine if Sony copies that idea and you can’t then roll back to the proper version needed for Sailfish! Locked bootloader is what makes most of these anti-consumer practices possible, so that’s why i think we need to fight for an open bootloader where we have a chance, and i think with this project there’s a good chance!

When the general trends in the industry are as depressing as they are, it would kind of feel hopeless if even J2 would have a locked bootloader. In the big picture it isn’t much of a consolation that there once was OP6 released in 2018 that is great for tinkering.

I still think people are trying to raise a fight where there is nothing to see and other forums would be better ground for this.