polygraphene / DirtyPipe-Android

Dirty Pipe root exploit for Android (Pixel 6)

Bootloader unlock on Verizon P6 #1

Open OkashiOdayakana opened 2 years ago

OkashiOdayakana commented 2 years ago

I have a Verizon Pixel 6 and just successfully ran this. Are there any files I can modify as root to allow bootloader unlocking?

polygraphene commented 2 years ago

I don't have accurate information about the Verizon version, but the unlocking protection seems to be implemented in a secure way, from a quick look at recent AOSP source. I don't think it is breakable with root privilege.

`isOemUnlockAllowedByCarrier` / `setOemUnlockAllowedByCarrier`

To call setOemUnlockAllowedByCarrier, it requires a (cryptographic?) signature. (Perhaps backed by TrustZone?)

polygraphene commented 2 years ago

The devinfo partition has information about the device model. https://forum.xda-developers.com/t/converting-japanese-pixel-6-to-global-version.4365275/

There is a high possibility of bricking the phone by rewriting the partition with the bootloader locked. Do it at your own risk.

OkashiOdayakana commented 2 years ago

> The devinfo partition has information about the device model. https://forum.xda-developers.com/t/converting-japanese-pixel-6-to-global-version.4365275/
>
> There is a high possibility of bricking the phone by rewriting the partition with the bootloader locked. Do it at your own risk.

Will try. Hopefully it works.

OkashiOdayakana commented 2 years ago

Not too sure if changing the SKU would allow bootloader unlocking. Might be mistaken, though. Will try changing the SKU to GLUOG (or maybe GF5KQ, the Japanese SKU).

OkashiOdayakana commented 2 years ago

Also, if I were to pull /dev/block/by-name/boot_a, patch it with Magisk, and flash it back, would that give me persistent root? Or would it just brick my device?

polygraphene commented 2 years ago

That bricks the device. A locked bootloader checks for modification of the boot partition, then refuses to boot the device. It will be a complete brick. No recovery method.

Editing devinfo might also produce the same result. I don't recommend proceeding.

ebowen747 commented 2 years ago

Is this for Pixel 6 only or Pixel 6 Pro also? When I run the bat I get "read only file system", can't copy files. Kernel 5.10.43

elliwigy commented 2 years ago

My spr/tmb Pixel 6: I just had them SIM unlock it and was able to unlock the BL.

aeppacher commented 2 years ago

Verizon SIM unlocked mine and said it should be bootloader unlockable after. It wasn't. It was escalated to a higher tier of tech support and they said they had no means to unlock it and to contact Google.

Google said they cannot unlock it.

elliwigy commented 2 years ago

> Verizon SIM unlocked mine and said it should be bootloader unlockable after. It wasn't. It was escalated to a higher tier of tech support and they said they had no means to unlock it and to contact Google.
>
> Google said they cannot unlock it.

Must be different from the spr/tmb variant then, since carrier versions, as stated already, implement security so that it doesn't allow the BL to be unlocked on carrier-locked devices, which unlocking the carrier should allow, as mine did. I believe this GitHub is for the Dirty Pipe exploit, which is able to gain root; unlocking the BL on carrier-locked models is a whole other topic and isn't an "issue" in relation to this PoC.

CleverUnderDog commented 2 years ago

> Is this for Pixel 6 only or Pixel 6 Pro also? When I run the bat I get "read only file system", can't copy files. Kernel 5.10.43

I have successfully run it on my Pixel 6 Pro. The first time it did not open a shell for the reverse shell, but after a reboot it worked with no problem. As stated in the README, you have to disable the device check with the -f parameter.

Justsnoopy30 commented 2 years ago

> My spr/tmb Pixel 6: I just had them SIM unlock it and was able to unlock the BL.

I have a Pixel 6 Pro that is SIM locked to T-Mobile for the next few years due to this phone plan, and thus the OEM unlocking setting is "unavailable on carrier-locked devices." Since it's not as locked down as Verizon (which does not allow bootloader unlock at all), is it possible to somehow SIM-unlock with root access?

elliwigy commented 2 years ago

> > My spr/tmb Pixel 6: I just had them SIM unlock it and was able to unlock the BL.
>
> I have a Pixel 6 Pro that is SIM locked to T-Mobile for the next few years due to this phone plan, and thus the OEM unlocking is disabled. Since it's not as locked down as Verizon (which does not allow bootloader unlock at all), is it possible to somehow SIM-unlock with root access?

Anything is possible. Question is, will anyone attempt it?

elliwigy commented 2 years ago

> Can you add the -f for the new release 1.0.3? The beta was working perfectly on Pixel 6 Pro. Would like to use this since I have the Verizon Pixel 6 Pro.

Just edit run.bat or run.sh (whichever you use) in any text editor and add the -f.

twistedlayerz commented 2 years ago

What files need to be deleted to run the exploit again? Ran it the first time with -f, it worked and installed Magisk. I restarted the phone with Magisk uninstalled; now running the exploit will not re-push Magisk to the phone.

```
dirtypipe-android: 1 file pushed, 0 skipped. 76.6 MB/s (45400 bytes in 0.001s)
env-patcher: 1 file pushed, 0 skipped. 46.1 MB/s (13224 bytes in 0.000s)
startup-root: 1 file pushed, 0 skipped. 30.4 MB/s (6899 bytes in 0.000s)
magisk/: 8 files pushed, 0 skipped. 45.9 MB/s (15195612 bytes in 0.316s)
11 files pushed, 0 skipped. 44.9 MB/s (15261135 bytes in 0.324s)
Failed to set property 'a' to 'a'. See dmesg for error reason.
Ignore device info.
Device version: Product=raven Fingerprint=google/raven/raven:12/SP2A.220405.004/8233519:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libstagefright_soft_mp3dec.so
Offset found:
shellcode_offset: a2de0
hook_offset: 5a9dc
first instruction: a9be7bfd
Empty space size: 544 bytes
Run index: 27
Stage1 debug filename: /dev/.dirtypipe-0027
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .
```

elliwigy commented 2 years ago

> What files need to be deleted to run the exploit again? Ran it the first time with -f, it worked and installed Magisk. I restarted the phone with Magisk uninstalled; now running the exploit will not re-push Magisk to the phone.
>
> dirtypipe-android: 1 file pushed, 0 skipped. 76.6 MB/s (45400 bytes in 0.001s)
> env-patcher: 1 file pushed, 0 skipped. 46.1 MB/s (13224 bytes in 0.000s)
> startup-root: 1 file pushed, 0 skipped. 30.4 MB/s (6899 bytes in 0.000s)
> magisk/: 8 files pushed, 0 skipped. 45.9 MB/s (15195612 bytes in 0.316s)
> 11 files pushed, 0 skipped. 44.9 MB/s (15261135 bytes in 0.324s)
> Failed to set property 'a' to 'a'. See dmesg for error reason.
> Ignore device info.
> Device version: Product=raven Fingerprint=google/raven/raven:12/SP2A.220405.004/8233519:user/release-keys
> stage1_lib: /system/lib64/libc++.so
> stage2_lib: /system/lib/libldacBT_enc.so
> stage2_param_libname: /vendor/lib/libstagefright_soft_mp3dec.so
> Offset found:
> shellcode_offset: a2de0
> hook_offset: 5a9dc
> first instruction: a9be7bfd
> Empty space size: 544 bytes
> Run index: 27
> Stage1 debug filename: /dev/.dirtypipe-0027
> Shell code size: 344 0x158 bytes
> It worked!
> Press any key to continue . . .

Looks to me like it pushed 8 files from Magisk to me...

twistedlayerz commented 2 years ago

> > What files need to be deleted to run the exploit again? Ran it the first time with -f, it worked and installed Magisk. I restarted the phone with Magisk uninstalled; now running the exploit will not re-push Magisk to the phone.
> >
> > dirtypipe-android: 1 file pushed, 0 skipped. 76.6 MB/s (45400 bytes in 0.001s)
> > env-patcher: 1 file pushed, 0 skipped. 46.1 MB/s (13224 bytes in 0.000s)
> > startup-root: 1 file pushed, 0 skipped. 30.4 MB/s (6899 bytes in 0.000s)
> > magisk/: 8 files pushed, 0 skipped. 45.9 MB/s (15195612 bytes in 0.316s)
> > 11 files pushed, 0 skipped. 44.9 MB/s (15261135 bytes in 0.324s)
> > Failed to set property 'a' to 'a'. See dmesg for error reason.
> > Ignore device info.
> > Device version: Product=raven Fingerprint=google/raven/raven:12/SP2A.220405.004/8233519:user/release-keys
> > stage1_lib: /system/lib64/libc++.so
> > stage2_lib: /system/lib/libldacBT_enc.so
> > stage2_param_libname: /vendor/lib/libstagefright_soft_mp3dec.so
> > Offset found:
> > shellcode_offset: a2de0
> > hook_offset: 5a9dc
> > first instruction: a9be7bfd
> > Empty space size: 544 bytes
> > Run index: 27
> > Stage1 debug filename: /dev/.dirtypipe-0027
> > Shell code size: 344 0x158 bytes
> > It worked!
> > Press any key to continue . . .
>
> Looks to me like it pushed 8 files from Magisk to me...

No Magisk app. It worked the first time, I uninstalled Magisk, rebooted the phone, tried again, and it won't push Magisk again. Not sure why it says it's pushing, though.

I tried to pull the files using adb and tried again, no luck.

```
rm '/data/local/tmp/dirtypipe-android'
rm '/data/local/tmp/env-patcher'
rm '/data/local/tmp/startup-root'
rm '/data/local/tmp/magisk/boot_patch.sh'
rm '/data/local/tmp/magisk/busybox'
rm '/data/local/tmp/magisk/magisk'
rm '/data/local/tmp/magisk/Magisk-v24.3.apk'
rm '/data/local/tmp/magisk/magiskboot'
rm '/data/local/tmp/magisk/magiskinit'
rm '/data/local/tmp/magisk/magiskpolicy'
rm '/data/local/tmp/magisk/util_functions.sh'
rmdir '/data/local/tmp/magisk'
rm '/data/local/tmp/dirtypipe-run-index'
rm '/data/local/tmp/root-log1'
rm '/data/local/tmp/mylog2'
rm: /data/local/tmp/reverse-fifo: Permission denied
rm: /data/local/tmp: Permission denied
Press any key to continue . . .
```

After checking the directory, the files are pushed, but Magisk does not show up in the app drawer, and if I manually install Magisk, I don't have access to root.

twistedlayerz commented 2 years ago

Fixed!!! I reran 1.0.3beta4, then reran 1.0.3, and all is back to working!!!

Not sure what the issue was, though.

oakieville commented 2 years ago

> > My spr/tmb Pixel 6: I just had them SIM unlock it and was able to unlock the BL.
>
> I have a Pixel 6 Pro that is SIM locked to T-Mobile for the next few years due to this phone plan, and thus the OEM unlocking setting is "unavailable on carrier-locked devices." Since it's not as locked down as Verizon (which does not allow bootloader unlock at all), is it possible to somehow SIM-unlock with root access?

https://www.imeigurus.com/products/google-pixel-usb-unlock?_pos=1&_psq=Pixel&_ss=e&_v=1.0

elliwigy commented 2 years ago

> > > My spr/tmb Pixel 6: I just had them SIM unlock it and was able to unlock the BL.
> >
> > I have a Pixel 6 Pro that is SIM locked to T-Mobile for the next few years due to this phone plan, and thus the OEM unlocking setting is "unavailable on carrier-locked devices." Since it's not as locked down as Verizon (which does not allow bootloader unlock at all), is it possible to somehow SIM-unlock with root access?
>
> https://www.imeigurus.com/products/google-pixel-usb-unlock?_pos=1&_psq=Pixel&_ss=e&_v=1.0

lmao

Andrewcpu commented 2 years ago

Has anyone attempted this yet?

elliwigy commented 2 years ago

> Has anyone attempted this yet?

Has anyone tried what? Clearly it's been tried/used on Pixel devices.

Andrewcpu commented 2 years ago

> > Has anyone attempted this yet?
>
> Has anyone tried what? Clearly it's been tried/used on Pixel devices.

Not dirty pipe, the bootloader unlock with the temporary root

elliwigy commented 2 years ago

> > > Has anyone attempted this yet?
> >
> > Has anyone tried what? Clearly it's been tried/used on Pixel devices.
>
> Not dirty pipe, the bootloader unlock with the temporary root

Not sure what that has to do with this git lol. I'm sure it's been tried on all the other Pixels that had some type of root prior to P6 devices, and I don't think it was ever successful.

Andrewcpu commented 2 years ago

> > > > Has anyone attempted this yet?
> > >
> > > Has anyone tried what? Clearly it's been tried/used on Pixel devices.
> >
> > Not dirty pipe, the bootloader unlock with the temporary root
>
> Not sure what that has to do with this git lol. I'm sure it's been tried on all the other Pixels that had some type of root prior to P6 devices, and I don't think it was ever successful.

Isn't this literally the Git issue asking if it's possible to use Dirty Pipe root to unlock the Verizon Bootloader on a Pixel 6? ("Bootloader unlock on Verizon P6")

elliwigy commented 2 years ago

> > > > > Has anyone attempted this yet?
> > > >
> > > > Has anyone tried what? Clearly it's been tried/used on Pixel devices.
> > >
> > > Not dirty pipe, the bootloader unlock with the temporary root
> >
> > Not sure what that has to do with this git lol. I'm sure it's been tried on all the other Pixels that had some type of root prior to P6 devices, and I don't think it was ever successful.
>
> Isn't this literally the Git issue asking if it's possible to use Dirty Pipe root to unlock the Verizon Bootloader on a Pixel 6? ("Bootloader unlock on Verizon P6")

This is the git for rooting the P6 using Dirty Pipe, not unlocking the bootloader on carrier-locked models, which is entirely different.