Refurbished

Man they have the p8p for $399 but unfortunately they are carrier unlocked therefore, bootloader locked. They have a brand new one but I’m not buying something that expensive and says nonrefundable. I know at this point im just going to wait for cyber monday, lol. I will have a new p8p by christmas. Then the next step of my privacy journey begins. Been reading the graphene website. It seems like as soon as you flash it you’re pretty much set.

This sounds very incorrect, is there a typo possibly, or do we have conflicting understandings? (my knowledge of the newest generation Pixels is limited)

The last pixel I purchased was a 4A, but I’ve only ever bought (carrier) unlocked Pixel, and Nexus devices, and all have had unlockable bootloaders. Has this changed in recent generations?

Not conflicting did you buy refurbished

I’m only referring to refurbished on Amazon and its not always like that just because I’m ready to buy my pixel 8 pro, lol. It’s just not my time.

I looked into this a bit more, and I think my knowledge is possibly outdated. So ignore my previous comment, I’m not sure that it’s wrong, but I’m also no longer confident that it is right so best just ignore me on that point.

did you buy refurbished

I typically always buy used, I’m not sure if there is any way to tell if a second hand device was originally sold as ‘new’ or ‘refurb’ I’ve never bothered to look into it.

(also these days on Amazon/Ebay a lot of what is advertised as refurb/renewed/recert seems like they are just selling used devices under a different name).

I’ve always preferred used, in-person purchases, because I can check out the phone for myself before any money is exchanged, check its in the condition it was advertised, confirm with my own eyes it can be unlocked and will work with my carrier. Also, its a nice private-by-default and no-strings-attached, way to buy. Some people are uncomfortable buying used or timid about in-person transactions, but for me it’s a good fit if you are properly cautious and skeptical.

The only reason i would never buy a second hand phone is because you will have the IMEI someone else used before. If they did something naughty, although chances are low, you might be caught up in that. In most cases it is probably fine.

2 Likes

Apparently, the sellers are acting like bootload police right now. One seller checks if the carrier left it unlocked and locks it if necessary. He claims it’s not for the average person, it requires technical knowledge. I pointed out that asking about it implies knowledge, and the average person wouldn’t inquire now would he. He didn’t respond. Another seller just keeps responding it’s unlocked for all carriers and then there’s the one that has too much stock to be able to verify if the bootloader is unlocked. I’m not sure about all carriers but definitely verizon doesn’t want to lose their proprietary rights. I have know idea if I used the right word but it sounds good. Thats all I’ve come across were verizon phones at the moment on Amazon but that will change. I know first hand about verizon. I made the mistake of getting a refurbished that was unlocked by Verizon. Even disabled their apps ran continuously and I wasn’t even a verizon customer.

I’m patient and will obtain my new or used Pixel 8 Pro before Christmas and then learn how to flash grapheneOS

Lol, I like that amazon has the 90 days policy and I dont mind sending it back that’s why I’m in the position I’m in right now. Bought a brand new pixel 8a sry it had a minor scratch probably once the screen protector was on you wouldn’t even see. But it was the principle it was my first brand spanking new phone in like 5 yrs. I was the type of person that bought a phone every year. So I took that as a sign to stick with refurb. I upgraded to the 8 pro since I was getting a used one. It was supposed to be in excellent condition it was not. I definitely dont have a problem sending back things that are not as promised.

One seller checks if the carrier left it unlocked and locks it if necessary. He claims it’s not for the average person, it requires technical knowledge

One thing I might confirm/clarify with that seller is if there was possibly a miscommunication between you and this seller (slight distinction between the terms unlocked and unlockable though they are often used interchangeably). Are you sure that seller wasn’t just referring to toggling “Oem Unlocking” to “off” in developer settings (which is reversible). I wouldn’t have thought it was possible for random amazon sellers to permanently lock or unlock a bootloader, but I could be wrong. How do the rest of y’all interpret this?

I think its difficult/unreliable to rely on bulk resellers or ‘refurbishers’ to give you a high degree of confidence that the device is unlockable or not (though if they explicitly state that it is, it gives you grounds to return it if you are wrong). If you buy new from Google or a reputable seller you trust, or buy used and can verify yourself that it can be unlocked.



Semi-on/off-topic response to @ph00lt0 on pros/cons/risks of buying used

Some other potential good reasons:

  1. cash transaction is private by default
  2. human to human transaction (i see this as a pro, but others may reasonably see it as a con)
  3. price/value
  4. doesn’t contribute to e-waste
  5. not (directly) supporting corporations I consider to be hostile to my own interests, and to a healthy internet.
  6. When dealing with an individual seller directly, its easier to get answers to questions that can be hard to get from online resellers or refurbishers who deal in bulk and often don’t know much about individual specific devices they sell and won’t/can’t take the time to find out (the issue @Cntrygirlatheart has run into)

If they did something naughty, although chances are low, you might be caught up in that.

Not impossible but highly improbable to the point of being pretty improbable in my eyes.

I’d place it at a non-zero but very close to zero percent chance. I think the most realistic risks of buying used in person are (1) someone trying to offload a not-immeidately-obvious lemon (2) physical risks of an in-person cash transaction (3) half joking but probably the highest probability risk is an accident driving to or from the meeting :slight_smile:

But I do understand that everyone has their own risk tolerances, and their own perspective on how they weigh the respective cost/benefits of buying new vs used vs refurb. For me it has been a dependable way to buy (as has buying refurbished for the most part)

The gist is that the trust implictly moves from the OEM to the refurbish-er. Though, as it stands, trusted compute base (what various Verified Boot implementations help establish) is a very good mitigation against physical tampering.

Verified Boot is a good enough insurance for most, but Average_Joe is right to point out that there do exist some forms of physical tampering it cannot defend against.

You’d be surprised by just how much cryptography you use daily was designed to thwart adversaries, such as those with resources similar to state actors. Verified Boot, which many might consider table stakes, was in fact a response to “evil maid” attacks (mirror) (alleged to be used by “state actors”).

This is to say, better safe than sorry.

1 Like

If you can provide a single example of a refurb place actually targeting random people with a hardware backdoor in a modern (<5 years old) smartphone[1], I would say that it’s something worth worrying about for the majority of people. Otherwise, it’s feeding the egotistical “I’m so special and worth targeting” delusions common in privacy spaces


  1. And I picked this timeframe because of the Titan chip being about that old, as well as that being around when Apple fully patched the exploit chain for checkm8 in their A series SoCs (as far as is known publicly) ↩︎

Let’s just roll with that scenario.

You buy a used Pixel that was used by a fraudster. ISPs can see your approximate location, IMEI, IMSI, and what domains you connected to or that you’re connecting to a VPN or Tor.

Because the previous owner did something naughty, now LE will also have their hands on that information, and they will instantly see the following after your purchase:

  1. IMSI changed.
  2. Location changed.
  3. Moving and traveling patterns changed.

It’s pretty obvious that the phone was sold, but even if it wasn’t, LE would only get access to your approximate location, IMSI, and the fact that you’re connecting to a VPN or Tor.

Environment and the money that can be saved by buying used or refurbished are a lot more substantial than this risk of having the same IMEI that someone else had.

1 Like

Here are his exact words to me. I very well could have worded my question wrong. All I know it involves OEM and a bootloader. I don’t know much about that yet but I’m gonna find out soon but he doesn’t know that. I asked if the OEM and bootloader are unlocked allowing me to change OS

October 30, 2024 7:03 am

“It is carrier unlocked, and we do check the bootloader to ensure it’s not unlocked.
Unlocked bootloader is not guaranteed and is not part of this sale.
Warranty: Unlocking the bootloader will usually void any warranties on the device.
Data security: Unlocking the bootloader may make the device more susceptible to data theft.
Data loss: Unlocking the bootloader may lead to data loss on Android and ChromeOS devices.
Security apps: Some security apps may stop working after unlocking the bootloader.
Unnecessary: Unlocking the bootloader is not recommended for most users and is unnecessary.
A bootloader is a tool that loads the system software on a device and determines the priority for processes that run on the phone. New phones come with a locked bootloader to prevent unauthorized use or modification. Unlocking the bootloader allows users to access special system functions, such as installing custom firmware or modifying the phone’s pre-loaded software”

“I don’t need privacy, I’ve nothing to hide.”?

One can’t get more specific to dismiss a general point I made about cybersecurity being mostly about taking on highly sophisticated adversaries.

I think this is a slight misunderstanding. I think @ignoramous was saying “better safe than sorry” to the idea of technology, that can thwart state level actors, reaching the common masses.

And I do agree with their point: Most of the tech available to use IS supposed to stand against state level actors (encryption, hardware security, 2FA, hardware keys built into phones, etc.). Raising the baseline for all does mean someone else using secure systems is not highlighted, plus it increases the costs of dragnet attacks.

An interesting attack on PoS machines in some countries is attaching a card reader on top of the actual card reader that rides along with PoS internet and collects data for the hacker. Often the hacker is the redistribution centre manager who refurbishes the PoS machines they received back from another vendor before they pass it on. So these attacks are:

  1. Hardware based
  2. Against random shopkeepers and their customers
  3. Still happening
1 Like

What a bad faith misrepresentation of what I was suggesting.

The actual intended meaning is that people need to be realistic in their threat modelling and that without a specific example, you are likely feeding unrealistic, overblown threat models.

So in this example, to bring it back on-topic, spending the extra money for a brand new phone to avoid having to trust a refurbisher is not worth it in the same way that a small business buying a fancy EDR is also not worth it.

In both cases, saving money for other, higher impact things is worth more than mitigating the low likelihood of a state actor or similar embedding hardware backdoors in a random phone or that state actor trying to breach Mom and Pop’s Coffee Shop for Reasons.

There’s a reason IT risk management is a whole field, and it’s not just because muh box ticking…

Exactly.

I think you’re reading past what I said. @Anon47486929 laid it out even better than I did:

And I do agree with their point: Most of the tech available to use IS supposed to stand against state level actors (encryption, hardware security, 2FA, hardware keys built into phones, etc.). Raising the baseline for all does mean someone else using secure systems is not highlighted, plus it increases the costs of dragnet attacks.

Certified refurbished phones are okay.