
Fairphone 3 unbricking

Yes, you are right, there is no signature verification. But there is some sort of verification, at least of whether or not chain booting succeeded: if there is crap in the SBL partition, the PBL will make the device enter into EDL mode.

And now that you mention it: the PBL is not verifying the signature of the programmer we used to reflash the images, so we could do it. Does that really mean that it also does not verify the signature of the SBL?

In androidfilehost, once you finish downloading a file, you get a message:

Don’t forget to share the love with your developers, without whom this download wouldn’t be here. Contact them to say thanks or send a donation their way.

It suggests it could be possible for you to indicate some contact/donate information also there.

Yes it does, since there is only one PK_HASH fuse, which basically stores the hash of the root-certificate used for signing sbl or programmer.
Since the fuse wasn’t burnt in, it CAN’T verify the signatures. (Which is probably also the reason the fastboot screen displays “Secure boot disabled” even on a locked bootloader.)

I do have a paypal-donation link on my XDA-profile, I don’t think androidfilehost has a mechanism for that itself.

EDIT:
I have added a paypal link at the top :wink:

2 Likes
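
Added example (not part of the original posts and not Qualcomm's code): a simplified model of the decision described above, where a blank PK_HASH fuse leaves the PBL with no trust anchor, so it accepts any sbl or programmer. The SHA-256 digest, the all-zero blank fuse value, the `chain_valid` flag standing in for real signature validation, and all names and sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Assumption: an unburnt PK_HASH fuse row reads back as all zeroes.
FUSE_BLANK = bytes(32)

@dataclass
class Image:
    name: str
    root_cert: bytes   # root certificate carried in the image's cert chain
    chain_valid: bool  # stands in for real signature/chain validation

def pbl_accepts(pk_hash_fuse: bytes, image: Image) -> tuple:
    """Model of the check made before running sbl or a programmer."""
    if pk_hash_fuse == FUSE_BLANK:
        # No trust anchor to compare against, so nothing is verified.
        return True, "secure boot disabled: image accepted unverified"
    if hashlib.sha256(image.root_cert).digest() != pk_hash_fuse:
        return False, "root certificate hash does not match PK_HASH"
    if not image.chain_valid:
        return False, "signature chain invalid"
    return True, "verified against PK_HASH"

def audit(pk_hash_fuse: bytes, images) -> dict:
    """Run every image through the model and collect the verdicts."""
    return {img.name: pbl_accepts(pk_hash_fuse, img) for img in images}

# Constructed sample data, not real certificates or fuse values.
OEM_ROOT = b"constructed OEM root certificate"
OTHER_ROOT = b"constructed third-party root certificate"
IMAGES = [
    Image("sbl1 (OEM-signed)", OEM_ROOT, True),
    Image("programmer (other signer)", OTHER_ROOT, True),
    Image("sbl1 (tampered)", OEM_ROOT, False),
]

if __name__ == "__main__":
    fuses = [("blank fuse", FUSE_BLANK),
             ("burnt fuse", hashlib.sha256(OEM_ROOT).digest())]
    for label, fuse in fuses:
        print(label)
        for name, (ok, why) in audit(fuse, IMAGES).items():
            print(f"  {name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

With the blank fuse all three images are accepted; with the fuse set to the hash of the constructed OEM root, only the first one is.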

We had a working deep flash cable, what could possibly go wrong?
It looked like the usb-shorting was caught by PBL since there was no aboot output on UART.

I connected my FP3 and lsusb didn’t give me more than Bus 001 Device 036: ID 05c6:900e Qualcomm, Inc.. I tried getting the phone into a different mode, but I can’t figure out if it has changed.

What exactly did you do, to end up there?
Did you try taking out the battery, replacing it and boot into fastboot by holding Volume Down + Power?

I tried taking out the battery. I couldn’t boot into fastboot. I tried connecting the phone in time, but the computer didn’t recognize it either.
I was (probably wrongly) flashing the single images in the upper package (TWRP installable stock firmware packages for Fairphone 3) via fastboot. After I flashed the b slot and rebooted the system it didn’t start (or at least it didn’t show anything on the display). My PC sees that there is a Qualcomm device connected to it, but nothing more.

How did you try to boot into fastboot, what do you mean by “connecting in time”?

I’ve already told you in SIM not recognised after flashing FP3_A0105 image that these ZIPs are to be installed using TWRP.

You’ll have to be a bit more precise in what you are doing…

I tried it using this suggestion to connect the phone as you press Volume + & -, so that it goes into EDL (right?) mode.
I am trying to get the phone to be sth. like this Qualcomm, Inc. Gobi Wireless Modem (QDL mode) and get the methods in the main thread working.
I’m sorry if I am not precise enough, I’m trying the best I can.

That is not what I suggested to you.
I asked you to remove the battery and put it back in.
Then press Vol Down + Power and see if you can access fastboot.

I tried, but as I plug in the battery, there is no response on the display, also nothing after pressing Vol Down + Power. Can’t access fastboot either.

There should be no response when you plug in the battery.
There should be no cable connected.
You press and hold “Vol Down” + “Power”.
If you still don’t get a response, remove the battery AGAIN and put it back in.
Then hold both volume-buttons while plugging the device in.

Still nothing. I put the battery in (not pressing anything) and held the buttons while connecting it to the PC. Fastboot didn’t find a device and the edl script also didn’t.

So you tried the fastboot button-combination?
That didn’t work?
You removed the battery again and replaced it?
Then tried both volume buttons while plugging in?
What USB device does it show?

Yes, nothing of it gave any response.
Bus 001 Device 051: ID 05c6:900e Qualcomm, Inc.

I thought it might be the same problem. I was able to dump the memory, but didn’t know where else to go afterwards.

If you are in the same situation and you have confirmed that neither of the button combinations works from a powered-off state, the only option is to take the device apart and short two testpoints using a resistor (or sending it in for repair).
You might want to ask someone who has some experience tinkering with electronics to help you.

Oh dang, okay, however, thank you.
What about those EDL cables? Are they worth a try?

If pressing both volume-buttons doesn’t work, the EDL-cable likely won’t either.

What about the SBL?! It was also clear to me that both key combinations or USB-shortening were caught (if caught at all) before aboot. I was also definitely sure that my phone was reaching the SBL (otherwise it would have gone into EDL on its own), so I knew that the key-combinations were caught by the SBL at some later stage than where I was caught. However, I had some hope for the USB-shortening, and it was dissipated both by reading

We also encountered SBLs that test the USB D+/GND pins upon boot (e.g. Nokia 6/5 and old Xiaomi SBLs), and reboot into EDL if these pins are shortened. This is known as the EDL or ‘Deep Flashing’ USB cable. Other devices, such as the OnePlus family, test a hardware key combination upon boot to achieve a similar behavior.

in https://alephsecurity.com/2018/01/22/qualcomm-edl-1/ and by testing myself (I tested with absolutely no hope, given what I had read).

aboot catches the key combination since aboot gives output via UART.

Even if the EDL-cable or key-combinations were caught by sbl1 that should happen way before trying to load other stuff.
So it seems kind of weird it is implemented such that sbl1 can fall back into memory-dump before catching the button-combination or EDL-cable.
Since as you said @calvofl0, if sbl1 wasn’t working at all, it should go straight into EDL.