Asus refunds Zenfone buyer for failing to provide bootloader unlock tools

androidauthority.com

258 points by kirenida 2 years ago · 231 comments

xjwm 2 years ago

I just sent feedback to ASUS expressing my concern at the loss of bootloader unlocking. I have 2 perfectly good cell phones that are e-waste now, simply because the vendor stopped issuing patches, and the bootloader can't be unlocked to use LineageOS. I bought a Zenfone recently because I thought I'd be avoiding that issue. If they don't fix this, I won't be buying another one. ASUS CEO contact page: https://www.asus.com/us/support/article/787/

  • blendergeek 2 years ago

    I just sent feedback as well. I bought an Asus phone in the past and was planning on buying more in the future. I used to recommend them everywhere. I will not be purchasing any more Asus phones until this is fixed.

  • brewtide 2 years ago

    I was on the fence about buying a Zenfone but waiting to see if the bootloader unlock ever showed back up.

    Still holding a Pixel 3, unlocked, with Lineage. There are no small phones with good specs and unlockable. Zenfone seemed the way, until they stopped with their unlocks.

    What a market to be burying in the mud.

  • luuurker 2 years ago

    Rewarding their bad behaviour by buying more devices doesn't feel right.

iforgotpassword 2 years ago

I have an old Huawei P20 Pro floating around. When it was new, you could contact Huawei and get a code for unlocking the bootloader after providing your phone's serial number. Great I thought, I'll do that later when it stops receiving updates. Stupid me, at some point those arseholes stopped giving out the unlock codes. I wonder if one could sue, but from googling around a bit I can't find a trace of them ever making this a selling point explicitly.

sn0wtrooper 2 years ago

Long is gone the time where unlocking bootloaders and installing custom ROMs was the best path to follow. Even if you are able to unlock it (with difficulties such as this one, or others that involve opening the device and soldering a shortcut), you will have a device where apps check for unlocked bootloaders and rooted OS, and forbid you from using the application.

  • nimbius 2 years ago

    the only app I've seen balk at bootloader status (to date) is google wallet. Using a phone to pay for stuff is an opsec nightmare you'd only entertain so long as becoming an integrated and saleable asset in a data broker's portfolio is a life goal. 'pm uninstall' and move on, the custom rom is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)

    the point of oem unlock, and rooting at all, is diametrically opposed to the vendor's interest in nearly every facet. The vendor will bark "hackers" as a thinly veiled threat for the uninitiated, but we are initiated. what the vendor doesn't need you doing is erasing their telemetry and walled garden spyware. they don't need you developing alternatives to their store and to their apps, and they especially don't need you turning this effort into something as simple as an ubuntu installation for older phones they expect to follow the strict trade-in model of "buy a new phone every year"

    arguably Asus refunded the purchase because this person isn't playing by the rules and being a good consumer.

    • lxgr 2 years ago

      > Using a phone to pay for stuff is an opsec nightmare

      Do you mean "privacy nightmare"? Security-wise, Google Pay beats using your physical card since it uses a device-specific number that can't be skimmed by terminals and reused online.

      > the custom rom is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)

      I'd argue that it only makes sense if you have an older device that's otherwise not receiving any more security updates.

      • kaszanka 2 years ago

        AFAIK it only beats magnetic stripe cards, not EMV chip cards

        • lxgr 2 years ago

          EMV chip cards still contain your card number and expiry date.

          Skimmers would need a way to also learn the CVC2 from the back of the card to use it at most (but not all!) online merchants, but that's feasible using a small camera or a waiter/cashier accomplice doing the skimming.

          With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).

          • jjmarr 2 years ago

            They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

            https://en.wikipedia.org/wiki/Chip_Authentication_Program

            You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

          • M95D 2 years ago

            Any responsible user will learn the CVC, like any other password, and then erase it from the card.

            • didntcheck 2 years ago

              I can certainly remember mine from repeated use, but I can't say I've ever heard of someone erasing it

              • catlikesshrimp 2 years ago

                I have done it since many years ago

                • justsid 2 years ago

                  You can always tell what part of the HN regularly goes outside and interacts with normal people. I’m sorry but “just memorize the CVV and erase it from the card” isn’t something anyone really does. The comment that Google Wallet is more secure is a generally applicable comment.

                  • M95D 2 years ago

                    You can always tell which part of HN does things right and which part does things easy.

            • lxgr 2 years ago

              That seems like a lot of extra effort for something that's arguably not your opsec problem, but that of the card payment industry.

              In the end, you'll always have to enter it on payment websites anyway.

    • paulryanrogers 2 years ago

      Bank apps, Netflix, and Disney+ also won't work. There are spoofing measures though I've been burned by unlocking and rooting too often to try again, at least not while my devices are still under warranty.

      • mmh0000 2 years ago

        My solution

        * use bank website for the one bank that requires it, otherwise I got a new bank account without silly fake security.

        * thepiratebay has everything Netflix and Disney does and it works anywhere

        • catlikesshrimp 2 years ago

          I always use websites when possible instead of installing yet more spyware disguised as a useful app. My bank, however, has the TOTP built in the app. You can't make a transaction without the phone app connected to the internet.

          • Vilian 2 years ago

            you can't use magisk to remove the root and make it work?

            • catlikesshrimp 2 years ago

              I meant to emphasize that they force us to install their app. I can't use the website without installing the app, missing the point of using the website.

      • luuurker 2 years ago

        Magisk + a few modules and most apps should work. The warranty part, this depends a lot on the country, but at least in Europe I don't think they can deny repairs just because you unlocked the bootloader.

      • zappb 2 years ago

        Commercial copyright interests will always seek to maximize their control over the devices that play back copyrighted stuff. Banks at least have more legitimate security concerns since they involve the end user getting screwed rather than the copyright holder.

    • jjmarr 2 years ago

      I'm in Canada and I can literally just tap the card itself on the reader. Every card has this ability and it can't be skimmed.

      • SanDiegoSun 2 years ago

        There are many demonstrations of contactless cards being “skimmed.”

        Unless you store it in a wallet with a faraday cage, this is a laughable opinion to express.

        • jjmarr 2 years ago

          It's not the same as traditional card skimming since you can clone the magnetic stripe you skimmed onto another card and buy things with it.

          If you grab data from a tap transaction, you can't use that data to perform another tap transaction.

    • cqqxo4zV46cp 2 years ago

      Your claim that using a smartphone for payments is a privacy(?) nightmare sounds quite baseless.

      The more pertinent factor is probably the fact that you’re using an operating system built by an advertising company.

  • franga2000 2 years ago

    It sure isn't what it used to be, but if you buy the right phone and make a few moderate compromises, it's still a great option.

    Installing crDroid on my OnePlus 9 Pro took half an hour, another half to install Magisk Delta with a few modules. The universal dark mode alone (Xposed module "DarQ") is worth the effort, but also the ability to clone apps, have proper clipboard sync, make full-system backups and customise the look and functions of my OS to a currently unparalleled degree.

    The only compromise is I can't seem to be able to do NFC card payments (send or receive), one of my 4 banking apps needs a custom patch every few months to start working and a friend tells me the McDonald's app doesn't work.

    • freedomben 2 years ago

      Do you keep a factory image for your OnePlus 9 pro in case you want to restore it? If so, how do you go about doing that?

      After OnePlus decided to stop publishing factory images, I decided to stop buying their phones. It's a real shame, because they really do make some great stuff and prices are quite reasonable generally speaking. I used to buy a new OnePlus phone nearly every year. The OnePlus 6 was one of my favorite phones of all time.

      • franga2000 2 years ago

        I wasn't aware they stopped publishing them so I didn't back it up, but I can't say I really care for my use case. The only reason I'd need it is to resell the phone, but my plan is to use it until it's either broken beyond repair or backporting new Android versions becomes impossible, at which point nobody would buy it anyways.

        I agree the OP6 is great (my girlfriend is still using hers), but I was still on my OP 3 like a year ago, until future ROM updates were deemed impossible thanks to Qualcomm binary blobs.

        It's a real shame it's all over now. The OP 9 Pro was the last OnePlus phone made in their old way (or close to it) - not too expensive, well built, close to stock ROM, easy to reflash, decently repairable. Hopefully it lasts me as long as the 3 did because currently I don't see anything else like that on the market.

      • boneitis 2 years ago

        I might have my hardware/software/firmware components (or your argument) mixed up and conflated. Does Oxygen Updater not source from published images?

        https://oxygenupdater.com/article/438/

        Yes, I am still on my beloved OnePlus 6 running Lineage and had been looking around for a used 7 or 8 for 5G capability (I'm a bit sketched out by the overall throttling hoopla of 9th gen). Perhaps it's time to expand the search beyond OnePlus.

    • ktosobcy 2 years ago

      Eh... that's why I'm pondering going back to OnePlus (after short affair with Samsung for the past 2 years) because it's somewhat annoying not being able to tweak stuff...

      Alas, it's also annoying that some dumb banks (I'm looking at you ING Poland) consider rooted device as "insecure" but they have no problem if I open a bank page using admin/root account on the computer.

      • iggldiggl 2 years ago

        > I'm looking at you ING Poland

        Hmm, funnily enough at least a few years ago German Ing-Diba didn't care about rooted phones. I switched banks at some point though, so I have no idea whether that's still true.

        • ktosobcy 2 years ago

          It's only a brand, there is almost nothing in common between local branches.

          As for ING - about 4-5 years ago it was possible to spoof the check but about 3 years ago they went full bonkers and if you didn't get the app from playstore (so for example aurora) it refused to launch...

  • ravenstine 2 years ago

    This is rubbish. I'm running GrapheneOS and have left my bootloader unlocked, and there's no app that has refused to work. The only caveat is some of them need Google Play services. No, I am not rooted, but my last phone was rooted and there might have been one or two apps out of dozens that wouldn't work with root even with Magisk trying to hide the root status. Using a custom ROM is easily one of the best choices I have made.

    • nebulous1 2 years ago

      Do you use a banking app? Last I read depending on the type of check used some apps can still be problematic.

      • iforgotpassword 2 years ago

        So I guess next thing we need is someone suing the fucking banks that do that. Mine luckily doesn't because I explicitly use an old phone with LineageOS, the banking app, and nothing else on it for online banking. It's arguably way more secure than using your main phone with a bazillion other Apps installed and online at all times.

        • eganist 2 years ago

          How would that stick? You can just sign into the bank via your web browser in the case of a nonfunctional app. The apps just give you added security assurances beyond using the web.

          "The app can't function in a low security environment, but complainant is free to use the web client in such event." case dismissed

          (obviously an oversimplification, but the point stands)

          • erinnh 2 years ago

            This is definitely not the case everywhere.

            Where I live the app is 100% needed because it’s the „second factor“ in the login process.

            • The_Colonel 2 years ago

              There has to be a fallback like SMS and/or automated call.

              • akvadrako 2 years ago

                For my banks the only fallback is a hardware device that you put your card into. Before the app you had to carry this everywhere when traveling to do online banking.

              • Too 2 years ago

                SMS is magnitudes less secure than the Secure Enclave in my phone.

                Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.

                I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my id.

                • The_Colonel 2 years ago

                  SMS 2FA is not great, but still seems to be more secure than a rooted phone.

                  If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

                  Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

                  • Too 2 years ago

                    Fair. I still wouldn’t want to have such a fallback available by default. Being stronger than an even worse option doesn’t change that. Because it eliminates the security of the strongest option.

                • didntcheck 2 years ago

                  Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize. Which is an understandable qualm I guess)

                • eganist 2 years ago

                  > SMS is magnitudes less secure than the Secure Enclave in my phone.

                  The secure enclave on a rooted phone that no longer has execution integrity?

            • eganist 2 years ago

              Curious, can you name this institution that only allows the app to be used as the second factor without fallbacks?

              • iforgotpassword 2 years ago

                In Germany: all of them.

                Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.

          • oarsinsync 2 years ago

            There are app-only banks too. Some of them provide a web interface, but it depends on the app to sign you into the web interface (similar to the way whatsapp requires you to use the app to sign into whatsapp web).

            What happens when your primary bank has been one of these app-only banks for the last 5 years, and you decide to make a technology change to your phone, and can now no longer get into your banking app?

          • realusername 2 years ago

            When you reject GrapheneOS, the most secure mobile OS on the planet but accept a no-name Chinese ROM I feel like you can't invoke security reasons anymore.

          • Too 2 years ago

            Signing transactions usually takes you back to the 2FA app here, where the amount and receiver is repeated.

            Even if someone hijacks my computer's web browser, the worst they can do is see my statements, any attempt to transfer out will pop up a prompt in the phone.
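
The difference raised in this part of the thread, between a plain TOTP code and a confirmation that repeats the amount and receiver, shown as an added example that is not part of the original comments or any bank's code. The transaction-bound construction, the key, the payee names and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demonstration (not real credentials).
SHARED_KEY = b"12345678901234567890"   # the RFC 6238 test key
NOW = 1_700_000_000                     # fixed clock so the run is repeatable


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC value to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends on the key and the time step only."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest(), digits)


def transaction_code(key: bytes, unix_time: int, payee: str,
                     amount_cents: int, step: int = 30, digits: int = 6) -> str:
    """Hypothetical transaction-bound code: the MAC also covers payee and amount.

    The payee is length-prefixed so different (payee, amount) pairs can never
    encode to the same byte string.
    """
    payee_bytes = payee.encode("utf-8")
    msg = struct.pack(">QQH", unix_time // step, amount_cents,
                      len(payee_bytes)) + payee_bytes
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)


def bank_verifies_totp(code: str, received_payee: str,
                       received_amount: int, now: int = NOW) -> bool:
    # The received transfer details play no part in the check: TOTP has
    # nowhere to put them.
    return hmac.compare_digest(code, totp(SHARED_KEY, now))


def bank_verifies_bound(code: str, received_payee: str,
                        received_amount: int, now: int = NOW) -> bool:
    # The bank recomputes the code over the details it actually received.
    expected = transaction_code(SHARED_KEY, now, received_payee, received_amount)
    return hmac.compare_digest(code, expected)


def simulate() -> dict:
    """One approval by the user, checked against genuine and altered transfers."""
    approved = ("ACME-ENERGY", 4200)        # what the user saw and approved
    received = ("UNKNOWN-PAYEE", 950000)    # what a tampered session submitted
    user_totp = totp(SHARED_KEY, NOW)
    user_bound = transaction_code(SHARED_KEY, NOW, *approved)
    return {
        "totp_genuine": bank_verifies_totp(user_totp, *approved),
        "totp_tampered": bank_verifies_totp(user_totp, *received),
        "bound_genuine": bank_verifies_bound(user_bound, *approved),
        "bound_tampered": bank_verifies_bound(user_bound, *received),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:15s} accepted={accepted}")
```

The TOTP code is accepted for the altered transfer because it authenticates only the moment, while the bound code fails as soon as payee or amount differ from what was approved.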

          • iforgotpassword 2 years ago

            The app is for 2fa.

        • didntcheck 2 years ago

          A lot of this actually seems to have come from recent regulatory pressure for 2FA (which I support in principle, don't get me wrong). I don't even think most of them have given much thought to rooted phones, rather they're just cargo culting Industry Standard Best Practices and turning all the device verification options to max. Luckily, most of them realize they still have customers without a compliant smartphone, or one at all, and offer a fallback, which is almost always SMS...

          Though you get those newer "app only" banks. I've never used any since I see that as a major downside, not a selling point, so idk whether they tolerate root. Even with traditional banks, I've come across a few features which can only be accessed via the phone app - in this case likely due to the belief that "web? Everyone just uses apps!" rather than security

        • udev4096 2 years ago

          It's far from secure. You are using an outdated phone, which hasn't received any kind of firmware or vendor security patches in a while. And as far as I remember, LineageOS doesn't support relocking the bootloader which further reduces the overall security of your phone

          • iforgotpassword 2 years ago

            What's the attack vector? There is nothing else installed on this phone, and I only turn it on when the banking website asks me to confirm the login via their app. So it's connected to my wifi for like 5 minutes.

            Meanwhile my main phone is always on the mobile network, using a proprietary modem that's running ridiculously complex firmware that does edge, lte, 5g, VoIP, has its own tcp/ip stack and a dozen other super complex protocols, is closed source, gets no security reviews and is exposed to at least my mobile provider at all times. And that's just the modem. Don't let me get started with all the value-add software the phone vendor loaded the device up with. Some of which is running with elevated privileges. You seriously think this is more secure?

      • jiminymcmoogley 2 years ago

        For UK banks on my Graphened Pixel 6a I can use the apps for HSBC, First Direct, Barclays, NatWest, RBS, Co-Operative Bank and Metro Bank with no issues, and have only had trouble with the Lloyds Bank app as of an update from maybe 2-3 months ago which throws an error saying they've detected I'm using a jailbroken/rooted device

        • White_Wolf 2 years ago

          I get a message that the device is not secure but I can still make transfers and such from the banking app on a rooted OP9Pro. Never tried to use NFC payments though.

        • doublerabbit 2 years ago

          Try using Monzo or Sterling.

          Both will nail you to the ground.

      • baby_souffle 2 years ago

        > Do you use a banking app? Last I read depending on the type of check used some apps can still be problematic.

        It's important to distinguish between banking app and payment app. If you just want to check your account balance or find an ATM, the banking app will probably not mind that you're on a device that can't pass integrity checks.

        If you want to use your phone's NFC to pay for coffee, though, you're going to have a bad time.

      • didntcheck 2 years ago

        Also many "corporate" things, usually depending on your org's policy. E.g. I can't run OpsGenie (it may actually be the Microsoft SSO step failing, I'm not entirely sure, but the error definitely mentions my device not meeting security policies)

      • Xfx7028 2 years ago

        I use N26, Revolut, ING, and others. No issues, I just add the apps I need to the magisk hide list. I also use NFC payments. Only Google wallet does not work.

      • ravenstine 2 years ago

        Yes. Wells Fargo, Discover, Alliant CU, Venmo, Paypal, and M1 Finance all work.

      • zerreh50 2 years ago

        Same with McDonald's, interestingly enough

      • vidarh 2 years ago

        Yeah, my bank app both did not work with rooted phones, last I checked, and they also appear to whitelist phone models or something - at one point I had an uncommon mid-range Chinese phone and I had to contact support to have them approve my phone.

    • Fire-Dragon-DoL 2 years ago

      What are the downsides with GrapheneOS? I had a few problems with root (Netflix and banking apps) but would love my privacy. My main reason for root is the firewall to block outgoing connections from apps that are not supposed to do it

      • 0xcde4c3db 2 years ago

        It's really a downside of the Google app ecosystem and not GrapheneOS per se, but apps requiring higher levels of integrity per Google attestation (Play Integrity/SafetyNet) generally won't work. Intentionally breaking apps on "untrusted" configurations is basically the point of that feature, and GrapheneOS does provide the relevant services, but would need to be specifically enabled by the app developer.

      • udev4096 2 years ago

        Firewall wouldn't be necessary with GrapheneOS. There's a network toggle which you can use to completely cut off internet access for an app. As for the downsides, I would say close to zero. It feels just like a stock OS, without any kind of bloatware and a lot more secure

      • ThePowerOfFuet 2 years ago

        GrapheneOS is not rooted, so you won't have those issues.

        GrapheneOS also gives you a Network permission per-app; if you uncheck it, the app has no connectivity, period.

        Highly recommended.

      • switch007 2 years ago

        No NFC payments with Google wallet.

        You can get unlucky with your bank app but someone maintains a wiki of compatible banking apps

        Android auto works OK.

      • DEADMINCE 2 years ago

        One big downside is being limited to Pixel phones, without good reason.

    • ThePowerOfFuet 2 years ago

      You should not leave your bootloader unlocked if you care about the security of your device and data.

      Unfortunately, locking (and unlocking) it wipes user data, so it should be relocked right after installation of GrapheneOS.

      • didntcheck 2 years ago

        Don't most phones only wipe on unlock?

        Also can Graphene still update if the bootloader is locked?

        • ThePowerOfFuet 2 years ago

          The Pixels wipe on both lock and unlock.

          Yes, it can still update just fine. It installs its own certificate at install time and all updates are signed with it.

      • ravenstine 2 years ago

        I acknowledge that.

    • collegeburner 2 years ago

      what? safetynet is absolutely a pain in the ass. i think there are some xposed and magisk modules or whatever that can work around it but that's a cat-and-mouse thing and can break. lot of bank and financial apps, lot of stuff with DRM will break.

    • 63stack 2 years ago

      No, parent is 100% correct. Unlocking your bootloader trips SafetyNet.

    • udev4096 2 years ago

      GrapheneOS is not a ROM. It's an OS.

  • Semaphor 2 years ago

    If you root, you can bypass those issues in most cases. I have 3 apps detecting it, that I can bypass, and only the German health insurance app from TK detects it (according to the internet, it's getting past most solutions somehow). It's not something I'd recommend the average person, but for people who care enough to fiddle, it's still the best way.

    I think since my first Android (HTC Desire Z/T-Mobile G2) I spent a total of 1 week on stock, never was a fan of any of them.

  • arsome 2 years ago

    Largely depends on your priorities and level of effort.

    You can bypass all current app checks using Magisk and Play Integrity Fix, but it's a bit of work to maintain and can break occasionally. You gain in this case full control of your device like a desktop OS, block ads, modify app behavior, disable unwanted system features, but you have to put in effort to maintain it.

    However if you don't want to deal with that, you can also just not use those apps, use it like you would a Librem or PinePhone, load primarily open source software to it, optionally don't even bother with play store, etc. Might not be for everyone, but if you don't care that much for Google Wallet or multi-player games on your phone, it's not a bad option.

    • BizarreByte 2 years ago

      > but it's a bit of work to maintain and can break occasionally.

      Which is a major problem because my tolerance for my bank's app not working when I open it is so low it might as well be non-existent.

      I personally gave up this fight.

  • zamalek 2 years ago

    > where apps check for unlocked bootloaders and rooted OS

    Magisk and PINE[1] have solved this for me. Yes, even Google Wallet is all good with my LineageOS ROM. PINE is an auto-updating PIF.

    [1]: https://github.com/daboynb/PlayIntegrityNEXT

  • ac130kz 2 years ago

    Stock ROMs are still filled with ads and useless extras, rarely providing meaningful features over an AOSP like LineageOS.

  • jMyles 2 years ago

    > Long is gone the time where unlocking bootloaders and installing custom ROMs was the best path to follow.

    ...wha? I just installed GrapheneOS on my Pixel 8 Pro and it is, by a decent margin, the best custom ROM experience on a phone I've had to date.

    • npteljes 2 years ago

      I have it on my Pixel 7a, and it's a great experience, but I also don't need to run apps that check for phone "security" or integrity. This is the case OP is talking about.

      https://grapheneos.org/usage#banking-apps

    • encom 2 years ago

      > GrapheneOS

      This was not a project I expected to use Discord for support. Sad.

      • asdp9iujaspid 2 years ago

        https://grapheneos.org/contact#community

        > Our chat rooms are bridged across Discord, Telegram and Matrix so you can choose your preferred platform.

        > We have an official forum for longer form posts, which is publicly accessible and easier to search. We are using Flarum for our forum.

        https://discuss.grapheneos.org/

        If they mandated discord as a closed support community sure, but you can't be too upset by the mere affiliation with a discord channel when they also offer all the above

        • encom 2 years ago

          I'm just disappointed that they associate with Discord at all, given that it is the antithesis of privacy and Freedom.

          • pulpfictional 2 years ago

            The focus is security. Be disappointed in all the other free platforms that cannot provide adequate moderation or stability.

            Do you happen to know a suitable alternative?

          • cqqxo4zV46cp 2 years ago

            I’m disappointed that you associate with Hacker News given the (presumably) myriad anti-Freedom anti-privacy startups Y Combinator has funded.

      • udev4096 2 years ago

        If I remember correctly, their matrix channel was flooding with spam and abuse which was primarily coming from Calyx, which by the way is a terrible OS. Even a stock OS would perform marginally better in terms of security than CalyxOS

  • yooastan 2 years ago

    This is untrue, I do this now with my Pixel and have no issues.

  • NayamAmarshe 2 years ago

    With KernelSU, this is no longer the case. It's Magisk that causes most problems.

  • myself248 2 years ago

    Huh.

    I guess I must not run any of those apps?

BLKNSLVR 2 years ago

With the increasing difficulty (impossibility) of bootloader unlocking that most manufacturers are building into their Android devices, I wonder whether it's market reasons (the longer the devices are operational, the longer upgrade cycle) or pressure from intelligence agencies due to minimised Google / telemetry data back doors in custom ROMs.

Using the "simplest answer is often the best" approach, it would historically be the profit motivation at 99% probability. Currently, though, feels like surveillance and intelligence gathering is edging to the higher likelihood.

Edited to add: and maybe it's not even intelligence agencies, maybe it's purely profit driven from the personal-data-selling industry.

  • alwayslikethis 2 years ago

    It would then be quite shocking to know that Google's Pixel phones consistently allowed unlocking without any nonsense like online verification. They also support relocking your bootloaders as well as using your own signing keys for secure boot.

clementmas 2 years ago

The refund is probably not worth the time spent building the case but it sends a valuable message. Keep your promises.

  • avianlyric 2 years ago

    There probably wasn’t much time spent building the case. Generally solicitors aren’t involved in these cases because it’s not possible to reclaim legal costs, regardless of who wins. Instead most people just represent themselves, and companies will often just send a local manager to represent them. So super low stakes legal process, where in the worst case scenario you're out of pocket for the filing costs (£70) plus reasonable expenses for the other party (travel costs, lost earnings etc) which are all tightly capped, so unlikely to be more than another £100-£200.

  • xyst 2 years ago

    I would be surprised if Asus even sends a lawyer to defend against small claims.

    Might be better to form a class action.

    • kadoban 2 years ago

      > I would be surprised if Asus even sends a lawyer to defend against small claims.

      Wouldn't that be a good reason to do small claims? I can't imagine why I'd want to wait for years in a class action when I can just do a small claims.

    • avianlyric 2 years ago

      If this went down the small claims track in the UK then ASUS wouldn’t bother with a lawyer because you’re not allowed to reclaim legal costs in the small claims court. So unless ASUS thinks they’re gonna see a flood of similar claims happening, then the cost of a lawyer would probably be triple the cost of settling, or even winning the case.

      Also class action cases are very rare in the UK. In the past the courts have generally refused to approve class action cases. It's not like in the U.S. where there’s a cottage industry around class action cases. I’ve personally never heard of a class action case happening in the UK, I know they do happen, but they’re so rare that they don’t make it into the news, and most people will never be involved in one either directly or indirectly.

    • bxparks 2 years ago

      I would bet that neither small claims nor class action is possible in the US because ASUS has a forced binding arbitration clause in their End User Agreement that almost no one read when they activated their phones.

ktosobcy 2 years ago

I do hope that (for example) EU would force makers to provide a way to unlock the device and install any OS/distribution I want...

  • hocuspocus 2 years ago

    The EU wants to mandate 5 years of security updates, which is a lot more relevant to the immense majority of consumers.

    • ktosobcy 2 years ago

      One doesn't (have to) rule out the other?

      Would it be OK if you were forced to use only the single OS that your computer came preinstalled with?

Cort3z 2 years ago

Besides the point here, but why is it so diabolically hard to decline cookies on this site?

  • tim333 2 years ago

    I'm not sure cookie declining is the way to go these days. You can use "I still don't care about cookies" to stop the dumb pop ups and something like "Firefox Total Cookie Protection" if you don't want to be tracked?

    • alwayslikethis 2 years ago

      Personally I set Firefox to auto clear cookies on window close except some whitelisted sites. I just use accept all most of the times since it will be cleared anyways.

      • Cort3z 2 years ago

        This is a false sense of security. Cookies aren’t random data. It is fingerprints and all kinds of dark wizardry. Chances are your cookies will be the same each time they are generated.

        You have to disable cookies or tell the company responsible that you don’t want it. The latter, I believe (though ianal), is legally binding.

    • Cort3z 2 years ago

      I’m on mobile though, which makes it harder, but thanks for the tip for my desktop!

ReptileMan 2 years ago

Okay - so which devices are left that are easily rootable? I will be in the market for new one soon. It's good if EU after mandating usb-c also mandates unlockable bootloaders for whomever wants it.

  • freedomben 2 years ago

    All pixel phones are very easy to unlock the bootloader, and Google publishes factory images. So if your root goes wrong or you need to revert to stock, it is very easy. The actual process of obtaining root is as easy as it is on any other device, which is to say, I wish it was a lot easier, but it is very doable.

    As a bonus, it also opens the door for Graphene OS should you choose to go that direction.

    • zamalek 2 years ago

      Pixels can also be re-locked with a custom ROM present (I think Graphene is the only one that does this, though). For that reason alone I'll be transitioning back to Pixel (once this phone is beyond help).

      • onli 2 years ago

        CalyxOS is the other one, with less problematic developer history.

        • cf100clunk 2 years ago

          Up until your comma the comment suited me just fine, but then... let's not get personal about developers' health issues. It isn't helpful, and there has already been an HN discussion on the topic that you've unfortunately exhumed. There has been great progress at solving problems that had come up during a sad time for GrapheneOS and CalyxOS.

          • onli 2 years ago

            I understand that position, but one can also not simply ignore the situation. It'd be okay if the project had removed the maintainer, but they did not, instead he just sabotaged the Mozilla location service discussion while purporting to speak in the name of the Graphene foundation. There is a responsibility to warn users about that risk factor.

            • cf100clunk 2 years ago

              GrapheneOS and CalyxOS are great at what they do, and the present situation for both is positive and good. It can be exhausting digging up old interpersonal stuff that does not have a technical bearing on the present, especially as there are/were health and wellbeing issues that are/were at play. Choose to let it go, for once and for all. Peace out.

              • onli 2 years ago

                No, that's sadly not true. With the stepping down having been cancelled and the recently repeated paranoid accusations in https://github.com/mozilla/ichnaea/issues/2065#issuecomment-... the present situation of GrapheneOS is far from good, it's an "absolutely do not use and do not recommend the project"-situation. This maintainer being active and continuing his bullying is way too risky for the users of the project (and the FOSS android ecosystem as a whole).

                But let's indeed let it be here, it gets OT for the ASUS topic. The GrapheneOS warning just had to be mentioned as it was related to the bootloader re-locking.

        • commoner 2 years ago

          CalyxOS has been working well for me and I recommend it. I appreciate how the included microG allows me to disable Firebase Cloud Messaging for any app that I don't need push notifications for. Having push notifications without Google Ads or Google Analytics is great.

        • j-bos 2 years ago

          What are the history problems with graphene?

        • tholdem 2 years ago

          I'll judge a tech project on its technological merits and developers by their technical skills. GrapheneOS is by far the superior choice.

    • resource_waste 2 years ago

      No aux port though.

      From Electrical Engineering apps to my various current/normal/legacy hardware that uses aux... I don't want to carry around a dongle. Ever. I don't want to attach them to things. I just want my phone to have the $3 peripheral.

  • handity 2 years ago

    The pixel 4a is the last good phone that's small, rootable, with a headphone jack and good rom options.

    • resource_waste 2 years ago

      I just looked it up... they actually sell Factory 5a... what? No...

      Maybe I misunderstand the posting.

      • kadoban 2 years ago

        They stopped including headphone jacks at some point, IIRC after the 4a.

  • yjftsjthsd-h 2 years ago

    Lenovo's Moto phones

    • ldmosquera 2 years ago

      I recently got Lenovo Moto G7 Plus (not recent but recent enough for their purpose), because LineageOS fully supports them [1].

      Then I found out to unlock the bootloader I had to:

      1. get a string via a `fastboot` command

      2. create a motorola.com account

      3. paste string in some motorola.com page to get an "unlock code" emailed IF Motorola decides your device is "unlockable"

      4. `fastboot oem unlock UNLOCK_CODE`

      5. connect phone to the Internet and wait between 3 and 7 days [2] (turned out to be 3 or 4)

      Until I did all that shit, the option to unlock the bootloader in system settings was grayed out.

      Afterwards the device works well, but it was a terrible experience and I DO NOT recommend Motorola devices for rooting based on this.

      [1]: https://wiki.lineageos.org/devices

      [2]: https://nerdschalk.com/how-to-fix-oem-unlock-greyed-out-or-o...

  • resource_waste 2 years ago

    Seriously sad. I am such an Asus fan after their insanely good gaming laptops.. $500-900 and you can run AI Art and LLMs.

    I didn't expect their laptop dominance to exactly extend to Androids. I was hopeful.

    I should have probably known better, apparently they don't do native linux support. I had to use some Fedora fanboy stuff to get my peripherals to work. It was easy, but still couldn't use most distros.

  • NayamAmarshe 2 years ago

    Xiaomi phones are also pretty good for Custom ROMs.

  • n_plus_1_acc 2 years ago

    I'm in love with fairphones

mnw21cam 2 years ago

> This has set a basic precedent

I would note that technically the small claims court in the UK does not set precedents. That would be the function of a higher court.

  • justinclift 2 years ago

    The article also says that ASUS settled too:

        Timothy provided us with documentation of the court case and
        proof that ASUS has settled.
    
    Isn't that fairly common when companies don't want a verdict to happen, as they expect to lose?

  • solarkraft 2 years ago

    How so? I thought a precedent was just any case that has been ruled in a certain way, irrespective of the court it has happened in.

    • nickff 2 years ago

      It seems like this court does not have the authority to set ‘legal precedent’, though colloquially it has ‘set a precedent’ in the sense that it did something for the first time.

    • adw 2 years ago

      Not all courts have the power to set precedent. Small claims courts in England don’t.

      • j45 2 years ago

        The way it's been explained to me is precedent is often referring to rulings that start with the similar courts geographically to other ones.

        • mnw21cam 2 years ago

          It's not that simple either. Common law jurisdictions often use rulings at higher courts in completely different countries (as long as they are also common law jurisdictions) as precedent if it helps come to a suitable judgment.

          • j45 2 years ago

            Absolutely. Depends on the court, country, and how relevant it might be. A friend recently walked me through the order of precedent for one area of law

    • dragonwriter 2 years ago

      This is incorrect, courts have specific rules about what cases may be cited as precedent, and whether that precedent is optional guidance for the court it is presented to (persuasive precedent) or rules that must be followed where the decision conditions in the earlier ruling apply to the current case (binding precedent).

      For instance, in a US District Court on most questions of federal law, as regards decisions of other federal courts: published decisions of any federal court can be cited as persuasive (most district court decisions are unpublished), and decisions of the Court of Appeals for the circuit in which the District Court is located, or of the US Supreme Court, may be entered as persuasive precedent.

    • rahimnathwani 2 years ago

      There was no ruling. The parties settled.

  • FerretFred 2 years ago

    Hard to believe that it actually reached the Small Claims Court, let alone succeeded! Well done that person!

    • rahimnathwani 2 years ago

      > Hard to believe that it actually reached the Small Claims Court

      It's easy to file a small claim in the UK. More info on the process for England & Wales here: https://www.gov.uk/make-court-claim-for-money

      > let alone succeeded!

      The article is light on details, but it sounds like the parties settled before any hearing or ruling.

      • b112 2 years ago

        In Ontario, Canada, part of the small claims process is a pre-trial conference, with a retired judge moderating. Further, nothing disclosed may be used as part of the trial.

        Its goal is to help with an amicable settlement.

        More info: In small claims, lawyers are not forbidden, but they may only speak for their client, and their client must be there, or present remotely, listening and ready to accept offers or deals.

        And if lawyers use legalese, the residing judge must explain to you what is being said, and will look unfavorably at the lawyer for not speaking plainly, and wasting everyone's time.

        Technically lawyers are not allowed as lawyers, but accommodations must be made for a company 1000s of km or more away. Someone must speak for them.

        • rahimnathwani 2 years ago

          Did you intend to reply to a different comment?

          • b112 2 years ago

            No! My comments re: Ontario pre-court conference, were meant to highlight a reason why this might have been settled before small claims court.

            I suspect a similar thing happens in the UK, and that forced conference ensures companies must hear reasoning, arguments in full before the case.

            In Ontario, it's very informal. You just talk. The retired judge only intercedes if it becomes heated, or runs long.

            It helps solve things.

            • rahimnathwani 2 years ago

              Mediation is offered in the UK, in the hope that it reduces the number of cases that proceed to a hearing. I don't know whether it was used in this case.

bcraven 2 years ago

I think this is the original thread:

https://xdaforums.com/t/court-action-against-asus-false-prom...

spuz 2 years ago

It's not clear whether a standard refund is an option for buyers whose phones are still under warranty. Did Timothy try that before going to small claims court?

Rinzler89 2 years ago

>Given that ASUS has one of the worst software support commitments in the Android world [...] It started removing posts about bootloader unlocking in its ZenTalk forums.

Which is why I never understood why Asus Zenfone kept being recommended on HN all the time when people asked for good android phones to buy. I thought this community appreciated long SW support. I think the people recommending it were not dogfooding it.

Why not go for something that has 5-7 years of SW updates like a Pixel or a S-series? The Zenfone wasn't any cheaper than those either(at least in EU) so you were also getting a poor value for money.

  • as1mov 2 years ago

    Asus allowed bootloader unlock up until a few months ago, which is why I bought the device, i.e even if the company abandons it I can just unlock the bootloader and slap on LineageOS on it. Seems like a mistake now.

    > Why not go for something that has 5-7 years of SW updates like a Pixel or a S-series? The Zenfone wasn't any cheaper than those either(at least in EU) so you were also getting a poor value for money.

    SW updates aren't the only criteria when choosing a device, if you're looking for a small phone with a headphone jack and a non-glass/metal back, the number of options are very limited (iirc, Zenfone 9 is literally the only phone which satisfies the constraints).

  • jsheard 2 years ago

    The Zenfones mainly carved out a following because they're the smallest flagship-tier Android phones on the market. Asus has terrible support, but if you want a small-ish device there isn't a great deal of choice nowadays.

    • mablopoule 2 years ago

      Also, it's one of the rare remaining flagship-tier phone who still allows headphone jack, which is the main reason why I bought a Zenfone last year.

    • praisewhitey 2 years ago

      >they're the smallest flagship-tier Android phones

      They're the same size as the Galaxy S series

      https://phonesized.com/compare/#2261,2398

      • Audiophilip 2 years ago

        Does the Galaxy S series have headphone jacks as well?

        • magnio 2 years ago

          No, but can't you use a USB-C earphone?

          • punchmesan 2 years ago

            For some people, the ability to use wired headphones/earphones while charging has a lot of value. Additionally, some invest in quality earphones or IEM's and replacing those with the lower-quality limited selection of USB-C earphones is not desirable. Likewise with Bluetooth.

            The 3.5mm audio connection is nowhere near dead yet.

            • jsheard 2 years ago

              FWIW for IEMs with detachable cables, which pretty much all of the good ones do, you can get replacement USB-C cables now. That has the advantage of decoupling the sound quality from the highly variable quality of the phones internal DAC since the DAC is instead part of the cable, and some of those cables even have configurable hardware DSP features. It doesn't solve the charging problem though.

          • yjftsjthsd-h 2 years ago

            That's more expensive and less convenient.

          • Uvix 2 years ago

            Not while charging.

            • dangus 2 years ago

              USB C to 3.5mm Headphone and Charger Adapter, 2-in-1 USB Type C to Aux Jack Dongle Cable with PD 60W Fast Charging

              $8.99

              I like headphone jacks too but I’m not going to pretend that this isn’t a solved problem.

              • rrix2 2 years ago

                Yeah I bet that 9$ widget definitely won't induce audio quality issues while you pump 60W through it...

                • dangus 2 years ago

                  Let’s keep moving the goalposts…

                  Unless you own the product and know it has that problem I don’t know why you would invent it out of nowhere.

                  Can we also acknowledge that this is a general purpose smartphone and not an audiophile playback device? A ton of phones with headphone jacks had/have terrible DACs because they are general purpose devices designed to be good enough for the average person.

                  Someone who wants an audiophile playback device should buy an audiophile playback device.

                  • rrix2 2 years ago

                    People up-thread were talking about high end IEMs not general purpose devices.

                    • dangus 2 years ago

                      They were connecting high end IEMs to consumer smartphone headphone jacks.

                      I bet it’s better to just have a product like this compared to a smartphone headphone jack with a run of the mill DAC:

                      https://www.fiio.com/ka3

                      • rrix2 2 years ago

                        yep! i've got a k5 kicking around on my desk, a proper dac is good stuff. they've still gotta make one we can cram 60W through though!

                        ed: i guess i should add that i just use a pair of bluetooth cans or even bone-conducting set when i am listening to stuff from my phone 'cause it's just podcasts and youtube videos

    • as1mov 2 years ago

      Indeed, today if you want a phone that isn't gigantic the options are really limited. Zenfone also had benefit of being quite sturdy since the back wasn't made from glass/metal, so you can go without a protective case. I have dropped mine a couple of times, but it hasn't suffered any damage until now.

      • yxhuvud 2 years ago

        You can go without protective shell, but it is so slippery you want one just to avoid airborne phones.

    • Rinzler89 2 years ago

      >The Zenfones mainly carved out a following because they're the smallest flagship-tier Android phones on the market.

      They're literally the same dimensions as the basic Samsung S23, which was cheaper than the Zenfone and had better SW updates.

  • sfmike 2 years ago

    what good is SW updates on a pixel that can't even get cellular connectivity

  • cbarrick 2 years ago

    Honestly, I switched from Pixel to Zenfone for the form factor.

    Ever since the visor redesign with the Pixel 6, the Pixel series has been too big for my hands.

    I do miss the great Pixel software though...

  • Hendrikto 2 years ago

    > Why not go for something that has 5-7 years of SW updates like a Pixel or a S-series?

    Or an iPhone. People love to hate on Apple, but they actually support their devices.

    • luuurker 2 years ago

      On top of the iOS restrictions vs Android, an iPhone comes with a set of constraints that the type of user that cares about bootloader unlocking doesn't want to deal with. From apps that are not on the store to custom ROMs that have features that the stock OS doesn't have... iPhones are terrible for this.

      iPhones are good, but in this case it's a bit like recommending a Chromebook to someone that is used to build their own computers and runs linux.

  • esalman 2 years ago

    Tbh I don't share the sentiment that the community appreciates long SW support. Otherwise we'd see Windows being recommended over Linux more often.

    • throwaway11460 2 years ago

      This is more about device support for updated OS, which any PC does. Especially with Linux, unlike Windows 11 that can't be installed on older PCs without some hacks.

    • HansHamster 2 years ago

      You mean Microsoft Windows which dropped support for Zen 1 with Win11 not even 5 years after Zen 1 was released? Meanwhile, Linux will still run on a 30+ year old CPU...

      • skinner927 2 years ago

        They said software support, not hardware support.

        You can take a win 95 gui app and run it on windows 10 without issue. You can’t do the same on Linux.

        • gpm 2 years ago

          For many old windows games (and probably other apps) you'll actually have better luck running them on linux than a modern version of windows, thanks to wine/proton.

          E.g. see this user report: https://www.reddit.com/r/SteamDeck/comments/1743cec/almost_s...

        • Rinzler89 2 years ago

          Pretty much.

          For the sake of nostalgia, I downloaded an Encarta 2000 ISO from Internet Archive, then spun up a Windows 98 VM to run it on but that VM had a lot of sound issues in Virtual Box, then I realized that Encarta would also run just fine installed on Windows 11 lol.

          This kind of backwards compatibility is not something I need on a daily basis but it's pretty neat that I can just run very old SW on my main OS without fiddling with VMs.

        • yndoendo 2 years ago

          This is not 100% true. Some legacy Windows software does not run on current Windows. Never got Slave Zero running on Windows XP or Windows 2000 after upgrading from Windows 98 & ME. https://en.wikipedia.org/wiki/Slave_Zero

        • yjftsjthsd-h 2 years ago

          In context, it looks like they meant software updates, which is closer to what you're calling hardware support.

      • dangus 2 years ago

        Windows 10 support continues until October of 2025. Zen 1 will be 8 years old at that point.

        It’s pretty much guaranteed that Microsoft will add an extended support period to windows 10. Windows 7 just left extended support last year.

      • shepherdjerred 2 years ago

        Isn't Windows 10 still supported?

    • dns_snek 2 years ago

      It's really not the same kind of support. We get plenty of active support and development in the Linux world, and open source more broadly.

      Windows only offers essential life support, trying to ensure that something written 20 years ago still runs today, despite being completely abandoned for 19 years with no reasonable way of fixing it.

    • jethro_tell 2 years ago

      Lol, I guess Linux did just drop 386 and 486 a couple years ago.

solarkraft 2 years ago

> ASUS makes some of the best Android phones you can buy

> ASUS has one of the worst software support commitments in the Android world

How can you possibly say both things in the same article?

  • Guzba 2 years ago

    The type of consumer buying an ASUS device is the type of consumer that thinks the spec sheet tells them how good something is. Eg, faster CPU and more RAM, or higher screen refresh rate or whatever is good regardless of any other variables or the package as a whole.

    This means they are "some of the best Android phones you can buy", as in, they have some of the best specs per $ you can buy. Not that they are actually good phones.

    It makes total sense someone could think they are great phones while they also have terrible software support since software support is not a simple hardware number on the spec sheet.

    This is very like PC people that hyper-focus on a few metrics like CPU frequency since it is simple and numerical and easily compared, even if it is not actually sufficient to tell you much about full system performance.

    Example ASUS phone description from enthusiast: "It's got good speakers, 2 charge ports, 165 refresh rate, optimal cooling, a set of ultra sonic buttons, ip54, crazy good battery, acceptable camera, storage is crazy high 256GB for 1 grand, 512 for 1.1 grand, 12G ram for 1k, 16G ram for 1.1k, can take 2 sim cards."

    • akvadrako 2 years ago

      I disagree - I don't care about most specs, but ASUS Zenfone is still one of the best small phones, especially for the money.

      • Guzba 2 years ago

        Fair enough! Tho I am curious what you mean by "especially for the money"?

        • akvadrako 2 years ago

          Well the Samsung S-series and Sony 5-series are also decent small phones, better in several ways but more expensive.

          There is very little competition.

DoneWithAllThat 2 years ago

The article casually refers to Asus breaking “their promise” but nothing in the rest of the article suggests Asus ever promised anything of the sort. That they used to provide the tools wasn’t a promise. Did they ever advertise or up-front communicate that these tools would be made available and maintained?

  • Knork-and-Fife 2 years ago

    A lot of the zenphone series had bootloader unlock as a listed feature which was then removed when they disabled and took down the tool. The Zenfone 10 was advertised as going to have the feature as well before and even after the launch for a bit. Asus claimed that the tool was coming at several points but the date in their promises kept getting pushed back and eventually turned into we don't know and now it appears to be never. This is stuff that was in writing from them, search it up, but you'll need to check the Internet archive for the info that they've removed from their own sites (like the repeated pushing and cancelling of the return of the unlock tool)

  • luuurker 2 years ago

    Asus even used to send free phones to developers over at XDA Developers so they could create custom ROMs and stuff like that, so that excuse doesn't work for them.

  • dangus 2 years ago

    It doesn’t matter because my guess is Asus couldn’t be bothered to show up to small claims court over $900.

  • tvshtr 2 years ago

    There was system part in developer settings which they removed AFTER you bought the phone. Thus clearly removing functionality that was supposed to be there.
