OEM unlocking

Please read avoid carrier variants of device first!

There are a couple ways to check if the device’s bootloader can be unlocked.

A device can be carrier unlocked, but not bootloader unlocked. They are two different things. 99% of people only know about carrier unlocking, meaning the device will work on any carrier. — Carrillo

If you are here and reading this snippet, then you have not followed our web method installation guide accurately!

Follow GrapheneOS instructions

Please read the instructions carefully and follow the step for Enabling OEM unlocking!

This requires internet access from the Stock OS with Google Play services as part of Factory Reset Protection (FRP) for anti-theft protection:
1. Connect to Wi-Fi or use your mobile data.

Enable developer mode:
2. SettingsAbout phone
3. Tap Build number 7 times → Enter your pin/passYou are now a developer!

Enable OEM unlocking:
4. SettingsSystemDeveloper optionsOEM unlocking


  • It may take several minutes after connecting to the internet before the OEM unlocking toggle is active.
  • For Pixel 6a users:

For the Pixel 6a, OEM unlocking won’t work with the version of the stock OS from the factory. You need to update it to the June 2022 release or later via an over-the-air update. After, you’ve updated it you’ll also need to factory reset the device to fix OEM unlocking.

Alternative method via CLI

Using the terminal to verify if the device’s bootloader may be unlocked.

Turning on USB debugging:

  1. Enable developer mode.
  2. SettingsSystemDeveloper optionsDebuggingUSB debugging
  1. Open Terminal:
adb shell getprop ro.boot.cid
  1. If it returns ANY value except 000000 than the handsets bootloader is locked.


OEM unlocking is disabled (greyed out - unable to toggle it on or off) and value returned is not 000000 from getprop ro.boot.cid means you won’t be able to install GrapheneOS on that device.

Sieve e-mail filtering

Sieve filter to reject non-encrypted E-mail(s) when using Protonmail’s custom domain by checking X-Pm-Content-Encryption header for end-to-end encryption and respond with an automated message

require ["reject", "imap4flags", "envelope"]; 
if allof (
    envelope :domain "to" "example.ca",
    not header :matches "X-Pm-Content-Encryption" "end-to-end"
) { 
    reject "Input your response reason for rejecting recipients mail.";


Protect parked domain without email

<domain.tld>TXT600"v=spf1 -all"
*._domainkeyTXT600"v=DKIM1; p="
_dmarcTXT600"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
<domain.tld>MX6000 .


exiftool -a -u -g1 -ee3 -api RequestAll=3 picture.jpg

Created a function chckexif() added to $ZSH_CUSTOM/function.zsh.

function chckexif(){
    exiftool -a -u -g1 -ee3 -api RequestAll=3 "$@"

Reading meta data information from a file using exiftool. The application documentation states the following:

Print all meta information in an image, including duplicate and unknown tags, sorted by group (for family 1). For performance reasons, this command may not extract all available metadata. (Metadata in embedded documents, metadata extracted by external utilities, and metadata requiring excessive processing time may not be extracted). Add -ee3 and -api RequestAll=3 to the command to extract absolutely everything available.