Fairphone 3 unbricking

Sorry, I did not read everything, but I’m quite certain that aboot catches the “both volume buttons pressed” situation, since I got output from aboot when that happened.
Aboot falls back to EDL mode if it crashes and I would expect SBL to do the same thing.

Yes, me too, but I am quite certain that the boot process never reaches aboot…

At the beginning the SBL partition was corrupted, and indeed the device would fall back into EDL mode. Actually I suppose it was the PBL bringing the device to EDL mode when it could not properly run the SBL. Then I flashed some of the partitions anew (namely aboot, rpm, sbl1, splash and tz for both slots a and b) in EDL mode, which were those available in the above-mentioned unbrick.zip. So now the SBL should be in good shape, just like aboot, but I don’t think that the boot process ever gets into aboot. The SBL probably detects something is wrong and sets the device in memory dump mode instead of setting it in EDL mode. Then I am pretty sure that the volume-button combination is only caught by aboot and not by the SBL or the PBL.

Which leads me to the following question: do you think that the PBL/SBL would catch the “signal” set by a USB EDL cable? If not, my only option is probably that of k4y0z:

Regarding the UART buffer, I did not find it in the memory dump. I’m not even convinced that it is actually produced by the SBL. A grep of “Android Bootloader” (or similar, and also ignoring case) leads to nothing.

Any new ideas are extremely welcome :grinning:. And in the absence of ideas, a good guess of where the above-mentioned pins are would also be welcome (but I would only try that as a very last resort).

I think you are right and it currently is loading sbl1, then loads aboot, which crashes for whatever reason.
UART seems to be disabled in sbl1, therefore you don’t see anything useful in the memory dump.
One more thing you could try is plugging in a charger, with the battery removed.
Then insert the battery while still connected and connect to PC and see, what mode it is in.
If you are going to try shorting, I’d probably start with test points that are close to the eMMC and CPU.


I, L and K seem like good candidates.

Could also be that the required points are under the metal shielding.

You can first try an “EDL cable”, which is basically a cable that shorts D+ to GND during power-on; here is a schematic:
http://forum.gsmdevelopers.com/hardware-cable-modification-tricks/10684-guides-qualcomm-edl-cable-9008-com-9008-xiaomi-lg-etc.html


You should set up a fundraiser. I don’t have much money, but seeing how active you are in the FP3 root community (you basically are it), I’d donate to keep you invested in that.


I fully agree with CosmoSteve, I am amazed you could learn so much about it without having your own to play with.

I quite disagree with this part of the diagnosis, correct me if I am wrong. If the SBL was able to go as far as loading aboot, I should be able to enter EDL mode by keeping both Vol+ and Vol- pressed, at least if I understand properly what is written in https://alephsecurity.com/2018/01/22/qualcomm-edl-1/:

We also encountered SBLs that test the USB D+/GND pins upon boot (e.g. Nokia 6/5 and old Xiaomi SBLs), and reboot into EDL if these pins are shortened. This is known as the EDL or ‘Deep Flashing’ USB cable. Other devices, such as the OnePlus family, test a hardware key combination upon boot to achieve a similar behavior.

If the SBL went as far as loading aboot, it would certainly have detected the Vol+/Vol- key combination, wouldn’t it?

By the way, I also tested the EDL USB cable trick, by shorting GND and V+ (and testing the cable with a multimeter). It did not work, but that did not surprise me either: if the SBL was getting far enough for this to work (assuming this trick is implemented), it would already have detected the Vol+/Vol- keys without any need for an EDL USB cable.

@k4y0z: there is still one doubt that remains on my side. I checked the SBL in your unbrick zip (sbl1_a.bin and sbl1_b.bin), and compared it to the original file I had on my phone. Well, they differ. This could of course be due to some OTA update (I did none). Question: does the Vol+/Vol- combination normally work with the SBL you gave me? Where did you get it from? If someone still has that very same version on their phone (md5sum of sbl1: 1a1ecf739d7050341f39088b2b924493), I would be glad to know if that combination still works.

I have paypal, maybe I should add a link to my threads :wink:
Would certainly make things easier having one myself.

I am not sure anymore, I was under the impression that it was aboot that reboots into EDL.

@basxto and I did some tests today, including an EDL cable.
And it worked.
We’ve put the phone into the same situation you are in currently and it stopped working.
We did manage to bring it back though.
You need to short the points marked as L and K here:

We used a 1 kΩ resistor for safety.
Also redownload the unbrick package, it includes more partitions that will get you into fastboot:

The image-files are from the 110 firmware.


I’d like to give you a few handfuls of euros for the work you do for us. :slight_smile: Whether or not you buy a Fairphone for it, I leave it to you. However, it would be great if you could develop better.

In the end the Fairphone Open might be based on your work.

Wait, that’s not fair, many here are doing good work for the community. I would like to give you money to buy a Fairphone 3. It would be very nice if you would continue working on it, but that’s not a condition of mine.


Are you crazy :scream:?!? Well, thank you so much! Testing shorting the L and K pins was going to be my next step, but I wanted first to have a close look at these pins and the main board, and post some more detailed pictures to check with you whether L and K really looked like the right ones. Nevertheless, there was no point in trying to burn a second phone: mine was already in a situation in which there was nothing else left to do than testing.

I left behind a lot of stuff such as my multimeter, resistors, soldering iron… when moving out some time ago. So testing electronics-related stuff is a bit slow for me: I need to find people to borrow the stuff from. I’ll try to resurrect my phone when I get hold of a resistor: even if it worked for you I think it is still better not to directly short two pins…

It seems it is possible to reboot into EDL at different stages. For me it was very instructive to read both Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals and Secure boot on Snapdragon 410 - Timesys. The second link allows us to make a good interpretation of what happened when trying to unbrick the phone:

  1. The SBL, aboot, tz, rpm and splash were properly restored. However the other partitions remained corrupted
  2. When booting, the PBL checked the SBL, which was fine, properly signed, and accepted, and chain booted on it without going to EDL mode
  3. The SBL started verifying the authenticity of other partitions, including aboot, tz and rpm, but also lksecapp and maybe others, which were still corrupted
  4. Failing to do so at the SBL stage brings the phone to memory dump mode as a fallback, unlike the normal EDL fallback at the PBL stage when verification of the SBL is unsuccessful

I fully support the fundraising idea :smiley:.

Well, we did that only after testing the EDL-cable, which did work before.
After that didn’t work anymore either, I couldn’t leave @basxto with a bricked phone :joy:

ifixit has some nice pictures of the internals:

As said, we did use a resistor as well.

I have read the first one a while ago, I’ll check out the second link, thank you.

Forget about checking the SBL, as we already established there is no signature checking done on SBL.

After your first unbrick attempt aboot, tz and rpm were all fine and I would have assumed that that’s enough to get fastboot.
Apparently more is needed for that, which is why the new unbrick-zip also contains lksecapp, keymaster, cmnlib(64) and devcfg.
devcfg was the last partition I added, after adding only lksecapp, keymaster and cmnlib(64) wasn’t working either.

Again, forget about the verification of SBL, that isn’t happening.

I’ll add a paypal link to my threads, unless you have a better idea how to do that…

Yes, you are right, there is no signature verification. But there is some sort of verification, at least of whether or not chain booting succeeded: if there is crap in the SBL partition, the PBL will make the device enter EDL mode.

And now that you mention it: the PBL is not verifying the signature of the programmer we used to reflash the images, so we could do it. Does that really mean that it also does not verify the signature of the SBL?

In androidfilehost, once you finish downloading a file, you get a message:

Don’t forget to share the love with your developers, without whom this download wouldn’t be here. Contact them to say thanks or send a donation their way.

It suggests it could be possible for you to indicate some contact/donate information also there.

Yes it does, since there is only one PK_HASH fuse, which basically stores the hash of the root certificate used for signing sbl or programmer.
Since the fuse wasn’t burnt in, it CAN’T verify the signatures. (Which is probably also the reason the fastboot screen displays “Secure boot disabled” even on a locked bootloader.)

I do have a paypal-donation link on my XDA-profile, I don’t think androidfilehost has a mechanism for that itself.

EDIT:
I have added a paypal link at the top :wink:


We had a working deep flash cable, what could possibly go wrong?
It looked like the USB shorting was caught by the PBL, since there was no aboot output on UART.

I connected my FP3 and lsusb didn’t give me more than “Bus 001 Device 036: ID 05c6:900e Qualcomm, Inc.”. I tried getting the phone into a different mode, but I can’t figure out if it has changed.

What exactly did you do, to end up there?
Did you try taking out the battery, replacing it and boot into fastboot by holding Volume Down + Power?

I tried taking out the battery. I couldn’t boot into fastboot. I tried connecting the phone in time, but the computer didn’t recognize it either.
I was (probably wrongly) flashing the single images in the upper package (TWRP installable stock firmware packages for Fairphone 3) via fastboot. After I flashed the b slot and rebooted the system it didn’t start (or at least it didn’t show anything on the display). My PC sees that there is a Qualcomm device connected to it, but nothing more.

How did you try to boot into fastboot, what do you mean by “connecting in time”?

I’ve already told you in SIM not recognised after flashing FP3_A0105 image - #6 by k4y0z that these ZIPs are to be installed using TWRP.

You’ll have to be a bit more precise in what you are doing…

I tried it using this suggestion to connect the phone as you press Volume + & -, so that it goes into EDL mode (right?).
I am trying to get the phone to show up as something like “Qualcomm, Inc. Gobi Wireless Modem (QDL mode)” and get the methods in the main thread working.
I’m sorry if I am not precise enough, I’m trying the best I can
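Added example, not written by anyone in this thread: a small POSIX shell script that maps the USB vendor:product ID that lsusb reports into the boot stage the Qualcomm chip is stuck in, so the memory-dump vs. EDL distinction discussed earlier in the thread can be read off at a glance. The ID mapping uses the well-known Qualcomm 05c6:9008 (EDL, "QDLoader 9008", what usb.ids labels "Gobi Wireless Modem (QDL mode)"), 05c6:900e (Sahara memory-debug / memory-dump mode, the ID posted above) and Google 18d1:d00d (fastboot) values; whether a given phone uses 18d1:d00d in fastboot is an assumption, and the sample lsusb lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: classify which Qualcomm boot stage a bricked phone is in
# from its USB vendor:product ID, as reported by `lsusb`.
#
# Mapping (well-known IDs; the fastboot one is an assumption for a given phone):
#   05c6:9008  EDL (Emergency Download): Sahara accepts a Firehose programmer, flashable
#   05c6:900e  Sahara memory-debug (memory-dump) mode: a later stage crashed, NOT flashable
#   18d1:d00d  Android fastboot: aboot was reached
classify_usb_id() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    05c6:9008) printf 'edl\n' ;;
    05c6:900e) printf 'memory-dump\n' ;;
    18d1:d00d) printf 'fastboot\n' ;;
    *)         printf 'unknown\n' ;;
  esac
}

# Read lsusb-style lines on stdin and print "<id> <mode>" for every device
# whose ID is one of the boot modes above; other devices are skipped.
classify_lsusb() {
  while IFS= read -r line; do
    id=$(printf '%s\n' "$line" | sed -n 's/.*ID \([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{4\}\).*/\1/p')
    [ -n "$id" ] || continue
    mode=$(classify_usb_id "$id")
    [ "$mode" = unknown ] && continue
    printf '%s %s\n' "$id" "$mode"
  done
}

# Constructed sample lsusb output (not captured from a real machine): a hub,
# a phone in memory-dump mode and a phone in EDL mode.
SAMPLE_LSUSB='Bus 001 Device 003: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 036: ID 05c6:900e Qualcomm, Inc.
Bus 002 Device 004: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)'

# Run the classifier over the constructed sample.
demo() {
  printf '%s\n' "$SAMPLE_LSUSB" | classify_lsusb
}

# `sh classify.sh --demo` prints the classified sample; `lsusb | sh -c '. ./classify.sh; classify_lsusb'`
# classifies the devices actually attached.
if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

On the sample above the script reports the 900e device as memory-dump and the 9008 device as edl; a phone that only ever shows up as 900e, as in the post above, has got past the PBL but crashed before fastboot, which is why the EDL-only unbrick tooling does not see it until it is forced back into 9008 (by the button combination, an EDL cable, or the test points discussed earlier).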

That is not what I suggested to you.
I asked you to remove the battery and put it back in.
Then press Vol Down + Power and see if you can access fastboot.

I tried, but as I plug in the battery, there is no response on the display, also nothing after pressing Vol Down + Power. Can’t access fastboot either.