Fairphone 3 unlocking without oem unlocking

If you have a pin, you have access to the data anyway.
It is also possible, to dump all partitions without even unlocking at all :thinking:

Yes, that is the checksum of the file i uploaded.

Yeah I guess that’s what Cellebrite etc do.

In The Netherlands one can be forced to give fingerprint for device.

In Belgium one can be forced to give PIN.

Both recent jurisprudence.

A good password is always better than a fingerprint.
Fingerprints can be copied…

Sure. Depends on the adversary though.

I’ve been able to see patterns and PINs by just glancing over shoulders. Same with passwords. I heard from a friend of a co employee cameras on Amsterdam CS can do it as well.

It did not work for me btw (though it does say unlocked). My device is now in a loop, and I got till Android recovery. Do you have the original devinfo locked for me?

If we talk about cameras, they can also take pictures of fingerprints, you’d be surprised.

Does Android recovery give you the try again option?

Here is the locked file:
devinfo-locked.gpx (1 MB)

1 Like

I wouldn’t be surprised. I know about it before the attack on CCC. It just depends on the adversary though. A thief can easily watch over my shoulder. They cannot easily make a picture of my finger and fabricate a capacitive fingerprint.

Yeah it does give me that option.

My device boots again. Nothing has been lost AFAICT.

2 Likes

A little update on this.
So this does unlock without forcing a factory-reset or without needing to enable oem unlocking.
However, since the decryption keys change due to the unlocking, data will be inaccessible and a manual wipe is required.

Would it be possible to not encrypt data in the first place?
Yes I know, definitely not recommended for production use, but for device testing and such …

Not on a locked device, since encryption is forced.

I’m confused , how are you able to flash devinfo partition when bootloader is locked?

I have not tried this myself fastboot flash should fail when bootloader is locked.

For some odd reason flashing “critical” partitions is possible even in locked state.

Qualcomm chipset baseline by default enables critical unlock in user/production build this could mean they are building debug builds for NON-HLOS counterparts.
Also Secure boot is disabled i think .

Yes, secure boot is disabled.

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.

From a practical point of view: Will this allow me to boot into TWRP to get data from a bricked FP3?

If data was unencrypted then maybe, depending on what kind of brick we are talking about (Is fastboot still working?).
If it was encrypted you may be able to unbrick it and then relock it via this method to decrypt data.
There is also this more involved unbricking guide here (in case fastboot does not work): Fairphone 3 unbricking

2 Likes

Thanks very much for your prompt reply! Fastboot and recovery mode are luckily working. This is the original story:

I have a FP3 of a friend, which does not boot anymore. After her little baby took one edge into her mouth, it started to vibrate and reboot various times. Then the vibrating stopped and a screen appeared, saying that data might be corrupted. With two options:

  • Try again (reboot)
  • Factory data reset

Unfortunately the phone’s bootloader is locked and USB debugging is deactivated as well. (I have tried adb, fastboot, Fairphone’s flash executable…).