Fairphone 3 unlocking without oem unlocking

I possibly have an easy way to unlock without factory resetting.

Thanks to @Ingo for checking that. Before explaining how it works, I would like to ask someone whose device has never been unlocked to get me a dump of the devinfo partition.

To do that, you’ll need:


And the attached prog_emmc_firehose_8953_ddr.gpx (434.9 KB)

  • Power off your phone
  • Run
    ./edl.py r devinfo devinfo.bin --loader=prog_emmc_firehose_8953_ddr.gpx && ./edl.py reset
  • Then plug the phone in, while holding both volume-buttons.

This should create a file devinfo.bin, which I would ask you to send me.

The following will unlock your device without requiring oem unlock and without forcing a factory reset.
However, since unlocking causes the decryption keys to change, wiping data is still necessary (as it can't be decrypted anymore).

  • Download devinfo-unlocked.gpx (1 MB)

  • Reboot into fastboot

  • fastboot flash devinfo devinfo-unlocked.gpx

  • fastboot reboot bootloader

19 Likes
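A script wrapping the steps above, added here as an example and not part of the original post or of the edl tool: it saves the current devinfo over EDL before anything is written, refuses to flash devinfo-unlocked.gpx unless it matches the SHA-256 the uploader confirms later in the thread, reads the bootloader's own lock state with `fastboot getvar unlocked` so "it does say unlocked" can be checked rather than assumed, and keeps a restore path for the saved partition. It assumes edl.py and fastboot are on PATH and that the loader and image files sit in the working directory; the function names and the DEVINFO_RUN guard are my own.

```shell
#!/bin/sh
# Added example (not from the forum post): wraps the thread's procedure so the
# original devinfo is saved before anything is flashed and the downloaded
# unlocked image is checked against the SHA-256 posted in the thread.
# Assumptions: edl.py and fastboot are on PATH, the loader and the .gpx image
# sit in the current directory, and for the backup step the phone is in EDL
# mode (powered off, then plugged in with both volume buttons held).
set -u

LOADER="prog_emmc_firehose_8953_ddr.gpx"
UNLOCKED_IMG="devinfo-unlocked.gpx"
# Hash the uploader confirmed for devinfo-unlocked.gpx in the thread.
UNLOCKED_SHA256="64e756f73a184643e59fbf4a4c280738b5f9bc47a0eae660602d56a8cd8d9ecd"

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file exists and its SHA-256 equals the expected digest.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    actual=$(file_sha256 "$file")
    [ "$actual" = "$expected" ]
}

# Step 1: dump the current (locked) devinfo over EDL so it can be flashed back.
backup_devinfo() {
    out=${1:-devinfo-backup.bin}
    ./edl.py r devinfo "$out" --loader="$LOADER" && ./edl.py reset || return 1
    echo "saved devinfo to $out (sha256 $(file_sha256 "$out"))"
}

# Ask the bootloader itself whether it considers the device unlocked.
# fastboot prints getvar results on stderr, hence the redirect.
lock_state() {
    fastboot getvar unlocked 2>&1 | grep -i '^unlocked:' || echo "unlocked: unknown"
}

# Step 2: refuse to flash unless the image hashes to the posted value.
flash_unlocked_devinfo() {
    if ! verify_sha256 "$UNLOCKED_IMG" "$UNLOCKED_SHA256"; then
        echo "refusing to flash: $UNLOCKED_IMG does not match the expected SHA-256" >&2
        return 1
    fi
    echo "before: $(lock_state)"
    fastboot flash devinfo "$UNLOCKED_IMG" && fastboot reboot bootloader || return 1
    sleep 5
    echo "after:  $(lock_state)"
}

# Step 3 (rollback): flash a previously saved devinfo back.
restore_devinfo() {
    fastboot flash devinfo "$1" && fastboot reboot bootloader
}

# Only touch the device when explicitly asked, so the functions above can be
# sourced or tested without hardware attached.
if [ "${DEVINFO_RUN:-0}" = "1" ]; then
    case "${1:-}" in
        backup)  backup_devinfo "${2:-devinfo-backup.bin}" ;;
        unlock)  flash_unlocked_devinfo ;;
        restore) restore_devinfo "${2:?usage: restore <devinfo.bin>}" ;;
        state)   lock_state ;;
        *)       echo "usage: DEVINFO_RUN=1 $0 backup|unlock|restore <file>|state" >&2; exit 2 ;;
    esac
fi
```

Run it as `DEVINFO_RUN=1 ./devinfo.sh backup` with the phone in EDL mode, then `DEVINFO_RUN=1 ./devinfo.sh unlock` from fastboot. The backup file is what you flash with `restore` if the device ends up looping as described later in the thread, so keep its printed hash somewhere safe.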

With a bit of luck and community support, you might even get to do this yourself :wink:

2 Likes

Hope more donations come your way, https://paypal.me/steinjoel
See also "Fairphone 3 unbricking".

2 Likes

Hmm, from a forensics PoV this is also very interesting.

Well, the data is still encrypted…

If you already have the PIN, you could get root on the device without wiping or overwriting data. Without the PIN:

With 4 numerical characters that is 5.8 bits.

With 6 numerical characters that is 9.7 bits.

With 8 numerical characters that is 13.6 bits.

Sure, one could set a password. Most people don’t though.

1 Like

64e756f73a184643e59fbf4a4c280738b5f9bc47a0eae660602d56a8cd8d9ecd devinfo-unlocked.gpx

sha256sum: does it check out with you? I'm up for the YOLO.

If you have a pin, you have access to the data anyway.
It is also possible, to dump all partitions without even unlocking at all :thinking:

1 Like

Yes, that is the checksum of the file I uploaded.

Yeah I guess that’s what Cellebrite etc do.

In The Netherlands one can be forced to give fingerprint for device.

In Belgium one can be forced to give PIN.

Both recent jurisprudence.

A good password is always better than a fingerprint.
Fingerprints can be copied…

Sure. Depends on the adversary though.

I've been able to see patterns and PINs by just glancing over shoulders. Same with passwords. I heard from a friend of a co-worker that cameras at Amsterdam CS can do it as well.

It did not work for me, btw (though it does say unlocked). My device is now in a loop, and I got as far as Android recovery. Do you have the original locked devinfo for me?

1 Like

If we talk about cameras, they can also take pictures of fingerprints, you’d be surprised.

Does Android recovery give you the try again option?

Here is the locked file:
devinfo-locked.gpx (1 MB)

1 Like

I wouldn't be surprised. I knew about it before the attack on CCC. It just depends on the adversary though. A thief can easily watch over my shoulder. They cannot easily take a picture of my finger and fabricate a capacitive fingerprint.

Yeah it does give me that option.

1 Like

My device boots again. Nothing has been lost AFAICT.

2 Likes

A little update on this.
So this does unlock without forcing a factory reset or needing to enable oem unlocking.
However, since the decryption keys change due to the unlocking, data will be inaccessible and a manual wipe is required.

Would it be possible to not encrypt data in the first place?
Yes I know, definitely not recommended for production use, but for device testing and such …

Not on a locked device, since encryption is forced.

I'm confused, how are you able to flash the devinfo partition when the bootloader is locked?

I have not tried this myself, but fastboot flash should fail when the bootloader is locked.

1 Like

For some odd reason flashing “critical” partitions is possible even in locked state.