They are closing entire phone business, but it does not make the point about leaving unsupported devices locked-up in perpetuity moot.
We seriously need to start adding some legislation (in any sufficiently representative customer base country because mobile phones are easily transported between countries) to reduce e-waste and breathe second life into all the devices which run out of their "supported" lifecycle: if a company can't support a device anymore, it needs to allow it to be unlocked forever.
I am sure all the manufacturers can set up a shared IMEI-to-unlock-code DB at a relatively small cost.
Sure, that would be ideal. For some reason, phone manufacturers have started requiring registration to get an unlock code.
So while I'd be ecstatic for us to get you-own-the-hardware-device-you-bought legislation, at this point in time, I'd be happy with your-device-needs-not-go-in-the-trash-once-we-stop-giving-you-security-updates at least.
In a sense, we should push for both, but we don't have to push for both with the same initiative.
The OEMs' justification for this is to try to make it harder for greybox importers/resellers or box shifters to tamper with the firmware on phones.
It's not unheard of for modified firmwares with malware to get put onto phones that are being sold into different markets.
If you need to register phones one by one, it slows the process down and makes it harder to modify a large number of phones, as they can try to detect and prevent bulk requests. In theory that is believed to make it less likely that a customer buys their phone and ends up with a bad experience (keylogger in the modified firmware) that they attribute to the OEM.
There's obviously a self interest from OEMs to use this to also enforce market segmentation - they don't want people box shifting handsets from low margin markets into high margin markets and undercutting the official retail price. Some OEMs like Samsung have added region locks to their phones in the past because of this (which are released after 5 minutes of a call made while connected to a mobile network from the original sales market).
> Some OEMs like Samsung have added region locks to their phones in the past because of this (which are released after 5 minutes of a call made while connected to a mobile network from the original sales market).
What's this accomplishing? If you're willing to replace the firmware, you're willing to make a local call to yourself. That's much less invasive.
It's not accomplishing a lot, but it just plays into making it harder to logistically do the grey box imports. You need multiple SIM cards going into your pile of devices, you need to have someone in the original market working with you to reliably make that call with every device.
This adds friction to the process for someone trying to do it at scale. Just like how needing to register accounts to request the bootloader code can slow them down. Some OEMs even added waiting periods (you'll get your code a week or so after verifying your phone number, and they limit how many requests an account can make).
The idea is that eventually it won't be worth modifying greybox devices if there are enough small barriers that annoy the person trying to unlock the device bootloader.
They stop giving you updates, you unlock the bootloader, flash LineageOS and use the device safely and in an up to date fashion for another couple of years.
Developer portal is used for unlocking the bootloader for LG phones, which would allow you to install your own custom Android software.
LG has promised Android updates for 3 years after them exiting the smartphone business, but once those 3 years are up, third-party software would be the only way to get updates.
I feel like when companies withdraw support like this, they should provide a generic unlocked firmware that can be installed so that devices don't become ewaste.
Such a shame. So right now Google is the only phone manufacturer that allows unlocking the bootloader without losing any functionality or enrolling into some developer program.
I don't understand why mobile apps need special security verification. I can use my bank website on any computer's web browser without issue. Why can't I use the mobile website to do the same? Why does it have to be an app?
The only decent defence I know is DRM. Streaming companies are afraid of people ripping their 4K streams through hacked devices. They'd rather deprive their customer base of features than risk letting go of their strict requirements. I still see high res WEBDL torrents appearing online every time streaming services release new episodes, so whatever they're doing is clearly not working anyway.
For banking apps there may be a certain level of liability ascribed to the bank, depending on local jurisdiction, but I don't think banks need top of the line security to comply with those regulations; even if there is legislation, security only needs to be good enough so that basic rooted malware can't steal money.
I think the wording in the errors and warnings for broken apps says it all. When an app doesn't work because the device is rooted, the messaging is usually "your device does not support X" or "your system does not meet the requirements" or "your device is not secured". It's never "you may have malware" or any other potentially helpful message; the wording always seems to punish the user for daring to modify the software on their phone.
> Streaming companies are afraid of people ripping their 4K streams through hacked devices.
Or maybe they are afraid that people will see that instead of 4k they get 720i scaled to 4k.
If they are so afraid of people ripping they could always insert a break in the stream and downgrade the quality, blaming internet connection.
Some bank apps skip annoying authentication like the web app's because they are in a "trusted" environment. I wish those apps had an "untrusted" mode, but that's unlikely to happen.
GPay is not available in my country, but the two bank apps that I use have no problem with contactless payments or normal bank transfers. I did get a popup once that the device was not in the original state, but that only seems to happen once per install.
Your experience will depend on the laws of your country and the terms of your bank, but unlocking a bootloader with Magisk and using the right masking tools is all you need to work around most SafetyNet validation.
The trick seems to be to fake the type of attestation available to make the system think hardware attestation (which can't be faked reliably by software) isn't available, falling back to basic software attestation which can be spoofed. Software developers could theoretically detect this bypass by keeping their own mapping of device type to device properties (available hardware etc. to validate the model number and prevent quick spoofing, available attestation to prevent SafetyNet bypasses, and so on) but they'd have to disable some obscure devices or accept the spoofing.
> but keeping the bootloader locked is also giving up on their reputation.
To a few dozen HN readers who probably don't even own an LG phone? I'm a pretty tech savvy person but the last time I had the time to install a custom OS on my device, CyanogenMod was still around and cheap Chinese phones with custom ROMs were the only thing available in the affordable phone segment. Modern phones are cheap enough to replace when the OS updates stop coming and you can find distros with minimal crapware preinstalled and functional UI in any price range.
Trusting some internet rando not to inject spyware into a ROM build seems riskier than a first party distro. Ditto for OSS that doesn't really get vetted (I wonder how many people review the niche device support code in projects like these) and building from source would probably cost me more in hours spent on it than getting a new flagship.
I'll take "being able to do as I desire with my mass produced device to the fullest extent permissible currently" over "being forced to bin (or forever keep offline) a multi hundred dollars soon-to-be-ewaste device because it became obsolete few years after production and without software updates and security patches the few remaining applications working are a giant security hole where even viewing an image embedded with malicious code can turn it into a botnet peer and a threat to your network". I'll also take this "risk" which could be applied to various extents to basically all community driven projects such as package managers and more. To me this is a middle finger from LG to its users (of which they may not even be fully aware or caring of, since they're closing the department), but as far as I'm aware their reputation in software has never been brilliant anyway.
Went with it to LG, but didn't get a single response. I guess 8 hundred votes is something they don't care about. We would need at least 100 times more to have some significance.
Now I'm really keen on the legislation approach. We already have a movement like "right to repair", now we need a movement "right to own your device".
Some commenters are wondering why LG would do this. LG announced they are quitting the smartphone business entirely, and therefore don't have to worry about their developer portal or any reputational damage.
T-Mobile even gave away free LG 5G phones last Monday (probably because nobody would pay full price for a discontinued product).
I would reconsider the statement about reputational damage. LG still does many things, and honestly, if their approach when closing departments is to leave me with an expensive paper holder, then it won't be my first choice, at least. I mean, all vendors do the same crap more or less; there is not really anything that gives one or the other a huge competitive advantage, so in this context I'm not sure why I should buy from a company with this track record.
After they announced their exit from the smartphone business, LG promised 3 years of software updates. I don't know if they'll live up to that claim, but my LG Velvet phone recently got a software update dated November 30th, so at least their support team (different from the developer portal) hasn't been shut down yet.
The submitted title ("After December 31, LG phones' bootloaders will no longer be able to be unlocked") seems badly editorialized, which is against the site guidelines: "Please use the original title, unless it is misleading or linkbait; don't editorialize." We've reverted it now.
Submitters: If you want to say what you think is important about an article, that's fine, but do it by adding a comment to the thread. Then your view will be on a level playing field with everyone else's: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
Apologies, I wasn't sure what to title the submission; I linked to this specific URL because it's served as a pop-up (and is automatically blocked by most browsers) on LG's bootloader unlocking page[0], which details that process specifically.
I appreciate the heads up, and I'll keep in mind the "level playing field" next time I post.
I did client-facing tech consulting for mobile handset mfgrs. There is often a suite of servers that powers each type of phone too. Whenever they turn those off, large portions of the phone, or the whole phone, may stop working too. Motorola and Danger were particularly notorious for this.
Caring about reputation after closing down the whole division is a hard thing to do for them [1]. After all, they aren't manufacturing them anymore. The few ones still out there are >1 year old stock.
> From [1] source: "LG will provide service support and software updates for customers of existing mobile products for a period of time which will vary by region."
If they had good will they would keep the service running for 2 or 3 years instead of shutting it down after 7 months.
I bought one appliance from them a few years ago, it's quite noisy and not as great as I supposed it was. With news like this one I'll just avoid buying things from their active divisions.
They are closing phone business altogether: keeping the unlock service running in perpetuity would be an unneeded cost.
Still, they should make a simple dump to allow all phones to be unlocked anytime in the future, but to get that, I think we'll need to get some legislation involved (basically, any product you stop supporting, you must provide unlock keys for any encryption).
They don’t want to pay to upkeep a dev portal for phones they no longer make? They’re probably laying off all the people who would maintain such a thing.
There are plenty of developers and hobbyists that would, take a look at XDA Developers. Hell, there are people still maintaining Maemo and Palm/HP Pre-era webOS despite the hardware and platforms being dead for nearly a decade.
Annoying list:
- Realme (supposedly ok, but needs to wait for "deep testing apk" for specific model which can take forever)
- Xiaomi/POCO (needs to wait up to one month after first boot)
Should be ok, but YMMV:
- Asus/ROG
- Nubia/ZTE/RedMagic
- Mediatek nonames/unknown brands
- Qualcomm nonames/unknown brands
Pixel is pretty much the primary choice - you don't need to contact the OEM for unlock, the firmware sources are published and you can even relock the phone with your own firmware which others mostly don't allow.
Hardware attestation includes the pubkey used to sign the firmware. Yours will obviously be different from Google's. (Note that Hardware Attestation doesn't in itself "pass" or "fail", it simply does a signed report of whether the bootloader is locked or not, and which is the pubkey. It's really SafetyNet's server-side interpretation which fails.)
SafetyNet is NOT meant to ensure your device is secure, but only to ensure that it is running the firmware Google certified the smartphone with (including its known flaws and malware).
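An added example, not part of the thread and not any vendor's code: a server-side policy sketch for the two attestation comments above, flagging a model that reports a weaker attestation type than it ships with, and treating a hardware report as signed facts that the server then interprets. The model names, key labels, `Evidence` shape and `allow_user_keys` switch are assumptions, and parsing plus signature-chain validation of the report are assumed to have happened already.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Where the attestation key lives; higher is harder to forge in software."""
    SOFTWARE = 0
    TRUSTED_ENVIRONMENT = 1
    STRONGBOX = 2


@dataclass(frozen=True)
class Evidence:
    """Fields from an attestation report whose signature chain was already checked."""
    model: str           # model name as reported by the client
    level: Level
    device_locked: bool
    boot_state: str      # "Verified", "SelfSigned", "Unverified" or "Failed"
    boot_key: str        # digest of the key that signed the firmware


# Constructed inventory: hypothetical models with placeholder key labels.
BASELINE = {
    "example-a": (Level.TRUSTED_ENVIRONMENT, {"oem-key-a"}),
    "example-b": (Level.STRONGBOX, {"oem-key-b"}),
    "obscure-c": (Level.SOFTWARE, set()),  # never shipped hardware attestation
}


def evaluate(ev: Evidence, allow_user_keys: bool = False) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'review' or 'deny'."""
    if ev.model not in BASELINE:
        return "review", "unknown model, nothing to compare against"
    expected, oem_keys = BASELINE[ev.model]

    # A model that ships hardware attestation should never report less.
    if ev.level < expected:
        return "deny", f"downgrade: {ev.level.name} reported, {expected.name} expected"
    # Software-only evidence can be spoofed, so it proves nothing either way.
    if ev.level == Level.SOFTWARE:
        return "review", "software attestation only, claims are unverifiable"

    # From here on the report is hardware-backed; what it means is policy.
    if not ev.device_locked:
        return "deny", "bootloader unlocked"
    if ev.boot_state == "Verified" and ev.boot_key in oem_keys:
        return "allow", "locked, firmware signed with the OEM key"
    if ev.boot_state == "SelfSigned":
        if allow_user_keys:
            return "allow", "locked, firmware signed with an owner-installed key"
        return "deny", "locked, but the firmware key is not the OEM's"
    return "deny", f"boot state {ev.boot_state} not accepted"


# Constructed sample reports.
SAMPLES = {
    "stock": Evidence("example-a", Level.TRUSTED_ENVIRONMENT, True, "Verified", "oem-key-a"),
    "downgraded": Evidence("example-a", Level.SOFTWARE, True, "Verified", "oem-key-a"),
    "relocked": Evidence("example-b", Level.STRONGBOX, True, "SelfSigned", "owner-key"),
    "unlocked": Evidence("example-b", Level.STRONGBOX, False, "Unverified", "owner-key"),
    "obscure": Evidence("obscure-c", Level.SOFTWARE, True, "Verified", ""),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name:11s}", *evaluate(ev))
```

The `obscure` sample is the trade-off the comment describes: a model with no hardware baseline can only be sent to review or accepted with the spoofing risk.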
Ever since the G2, every generation of phone sold less and less. Pretty soon there weren't enough economies of scale to pay the engineers to build the next generation of phone.
Nobody will since they're closing up shop - that is why they're doing away with this program. That said it royally sucks that vendors have such control past the first sale and it is one of the reasons I either try to steer away from hardware which is encumbered with this type of restriction or, if that is not feasible, get rid of the restrictions before I ever use the device.
This post is a great way to establish how many people never read past the title of an HN submission: keep them coming all those "I'll never buy from you again" :)
I wasn't sure exactly what to title this submission, since there was no clear title on the page (which is just a link to a pop-up window); I think the more interesting discussion here is around property ownership, versus the "I'll never buy from you again" comments.
Would we accept that we couldn't update to Windows 10, or switch to Ubuntu, on our laptops, because the Compaq brand was discontinued in 2013?
IMO, the sales & service model of mobile devices has been focused on centralized top-down control, which can often serve to harm the user more than it helps them; especially in cases like this. There's a lot of variability in a statement like that though—why I thought it would be an interesting discussion topic.
I think "LG disables unlocking of phones on Dec 31 as it stops producing them" would have helped with this.
This one about who read past the title is definitely orthogonal, but quite simple to figure out if someone "did read"/"didn't read", so I'd really love to see someone collate the results: it is useful information to have, to at least compare HN users to the general public (which there already are studies on title-reading on, which drives all the tabloid out-of-context titles approach already).
If a code is for some reason required, print it on a sticker in the box it comes in or something.
That's what any modding friendly brand supports. There's no need for codes, DBs, costs to OEMs, etc.
It's not that new phones will be locked - there will be no new phones.
Does Google Pay work with unlocked bootloader?
Any bank apps that require SafetyNet attestation?
The only good side on all this is that I have another good example why owning the device you paid for is so important.
https://www.change.org/p/lg-electronics-lg-to-open-source-th...
https://www.washingtonpost.com/business/2021/04/05/lg-quitti...
http://www.lgnewsroom.com/2021/04/lg-announces-three-year-pl...
[0] https://developer.lge.com/resource/mobile/RetrieveBootloader...
You’ll catch a bad rep among power-users, and what do you gain which is good enough to counter-act that?
Anyone got any explanation for this kind of behaviour and what kind of (commercial) motivations which are driving it?
[1] https://www.lg.com/us/press-release/lg-to-close-mobile-phone...
Ok:
- OnePlus
- Samsung (EXCEPT US MARKET)
- Moto
- Pixel
If LG can do this to their existing phone customers, they won't hesitate to pull the plug on future customers. Buyer Beware!
only for apple.
eg. https://www.counterpointresearch.com/global-handset-market-o...