I am currently preparing to install iodéOS on my SHIFT8.1. I am very impressed with the project’s approach to privacy and data control.
As part of my hardening strategy, I am evaluating the necessity and possibility of relocking the bootloader after a successful installation. I am aware of the significant risks involved (e.g., potential soft-bricking, AVB verification issues) and fully understand that this would be an advanced operation.
Could anyone provide guidance on the following:
Feasibility: Is there currently a documented or community-proven path to relock the bootloader on the SHIFT8.1 while running iodéOS?
AVB/Keys: Since the device requires custom AVB keys to verify a non-stock OS, is there a supported method within the current iodéOS build for the SHIFT8.1 to integrate these keys?
Risk Mitigation: Are there specific “no-go” areas regarding the vbmeta partition for this specific model that I should be aware of to avoid a permanent security lock (Orange/Red State)?
My goal is to achieve an optimal balance between device integrity and the privacy benefits of iodéOS. Any documentation, links, or personal experiences from those who have tinkered with the SHIFT line would be greatly appreciated.
Thank you for your hard work and for maintaining this platform.
In the installation instructions I read: Due to anti-rollback protection, it may permanently brick your device. It will happen if the vendor security patch level of the system, the last time the bootloader was locked, was higher than the vendor security patch level of the iodéOS version you flash.
So.. does anyone know what the current security patch level is?
The installer suggests this by default. Everyone I know uses a relocked SHIFTphone 8.
platform: 20260427
vendor: I’m not sure, maybe 20251205
Since you’ll end up in a boot loop if you start the unlocked device and the vendor version of the current system is older than the previous one (rollback protection), I’d simply check whether that happens.
ShiftOS lets you reset the Rollback-Indices, so I think that should not be a problem. Anyway, with new AVB keys from iodéOS the trust chain is different, isn’t it?
Sorry, I don’t have access to a Shift device, but typically if you make sure that “Allow OEM Unlocking” is enabled before you install, then if you do hit ARB or another issue and it won’t boot, you can always unlock and retry again. This “belt and suspenders” approach for extra safety gets you to a running system; if all is good and you want to disable “Allow OEM Unlocking” later, that is easy to do.
Sorry, I don’t know an answer to this; more knowledgeable people will have to help answer.