FP3 custom rom development based on released source code

Tags: #<Tag:0x00007f05dacb4c60> #<Tag:0x00007f05dacb4aa8> #<Tag:0x00007f05dacb48f0>

I’ll give that a try.

From https://source.android.com/devices/architecture/dto I understood that you need to include only a single .dtb - the correct one, but I haven’t really figured out how the bootloader figures out the dtb blob address to tell the kernel, especially when sideloading a kernel without actually flashing. I assume including just one dtb into the kernel image itself (before the ramdisk) might be the way to go. I’ll play around a bit.

1 Like


which compiler (gcc version) are you using to compile the fairphone kernel? I tried both a stock cross compilation GCC (ubuntu, gcc-7) and the cross compiler that comes with android studio (4.9 based)

I run into the same error every time:

drivers/bluetooth/btfm_slim.c:26:10: fatal error: btfm_slim.h: No such file or directory
     #include <btfm_slim.h>

btfm_slim.h is in drivers/bluetooth so replacing the braces in #include with
#include "btfm_slim.h"

fixes this, but there are other, similar instances, including one where the include comes from a trace file macro

1 Like

Use the branch I’ve linked above (named compile), I’ve fixed those errors there. These errors are because the kernel is compiled in-tree or something (“not compiled with the Android build system”). But if you came that far, your compiler should be fine :slight_smile:
Anyways, I’m using that:

aarch64-linux-gnu-gcc (GCC) 9.2.0

thanks — oops, I missed the branch with the make-it-compile fixes :slight_smile:

I needed to add a few extra modifications because there were still more warnings treated as errors, probably because I had a different GCC version (aarch64-linux-gnu-gcc Ubuntu/Linaro 7.4.0-1ubuntu1~18.04.1)

I added the patch with the changes 0001-suppress-warning-that-are-treated-as-errors.patch.not.a.pdf (4.7 KB)
(renamed to pdf to allow uploading, its txt :wink: )

1 Like

stupid question, how do I unlock the bootloader on FP3?

I tried to allow OEM unlocking in the developer options, as suggested by Wiki, but I get this:

1 Like

Looks like Oem unlock "input verify code" , I didn’t see a solution in there though

1 Like

If I put on my tin foil hat and read about “alternative operating systems for the fairphone”, then maybe Fairphone disabled the possibility to unlock the bootloader and will only come up with new possibilities later (Google’s long arm?).
Mine’s been unlocked from the first minute in my hands, so maybe I can test something for you?


I contacted support, but its still holidays, so no reply yet.
What I wanted to try - without flashing anything yet - was just to override kernel, dtb and kernel commandline for a single boot using a fastboot command.

If you managed to compile the kernel, as above, can you try if you can boot into it at all with something like

fastboot boot arch/arm64/boot/Image.gz --dtb arch/arm64/boot/dts/qcom/sdm632-ext-codec-mtp-s4.dtb

note, NO flash command, it’d be a smart idea not to flash anything to the phone’s partitions before testing it in one-shot mode

this should - if it works - boot the phone up into the default android system, but using the self compiled kernel.

if that works, as a next step I’d try

fastboot boot arch/arm64/boot/Image.gz --dtb arch/arm64/boot/dts/qcom/sdm632-ext-codec-mtp-s4.dtb --cmdline “init=/bin/sh”
to try to just run a shell instead of android.

this likely will result in a blank screen (but if you’re really lucky, the kernel has a working framebuffer console. then you could connect a keyboard via a USB-C OTG cable and browse the file-system)

if there was no framebuffer console, maybe the kernel can be recompiled with one enabled, (make menuconfig) but its possible additional cmdline options need to be supplied to setup the screen correctly

once you have a shell, the next step would be to compile a ramdisk image with busybox or similar and an ssh server, wifi support (wpa-supplicant) etc, to have a working linux to play.

from there its a very small step to a working ubuntu image or similar.


ok, the --dtb commandline option doesn’t work, fastboot complains about the option not being valid for “version 0” boot images… - back to square 1 :wink:
the fact the sourcecode had to be patched to allow compiling dtb’s the phone isn’t using suggests that for the real thing, only the correct dtb gets compiled, so I still think only one dtb is to be included in the image. I’ll play around with that a bit.

big shoutout to @_tmp for supplying the script to generate the bootloader unlock code in Oem unlock "input verify code" :smiley:


I remembered now another thing so your extra warning patch isn’t needed (I’m guessing gcc-wrapper.py complained about disallowed warnings):

make -j9 CC=aarch64-linux-gnu-gcc

If you look into the Makefile you can see CC being set to CC = $(srctree)/scripts/gcc-wrapper.py $(REAL_CC) but you can override that by giving make the real gcc directly through make. I’ll adjust my post from before for that


I couldn’t get past the “dtb” not found. I am wondering if this could help:

apparently there is a particular boot image layout used by some bootloaders on qualcomm chipset devices using a separate header describing the dtb’s available and the supported chipsets.
i found that by following links from here:

1 Like

that “dtbtool” can be compiled simply with “gcc dtbtool.c -o dtbtool”
it can be run succesfully with
export PATH=$PATH:[path-to-kernel]/scripts/dtc
./dtbtool -o dtbtreeimage [path-to-kernel]/arch/arm64/boot/dts/

if dtc is not in the PATH, it will fail to parse the dtb’s and extract the relevant qualcomm chip ids.

now I have the dtb table, but I don’t have a complete boot image yet (nor a way to load it without flashing, does anyone know if a boot image instead of just a kernel is even an option with fastboot? the forum entries suggest fastboot boot might work too)

1 Like

To compile the kernel, I had to disable some warnings.

diff --git a/Makefile b/Makefile
index a12cc2722114..777d421cfdc3 100644
--- a/Makefile
+++ b/Makefile
@@ -654,6 +654,20 @@ KBUILD_CFLAGS      += $(call cc-disable-warning,frame-address,)
 KBUILD_CFLAGS  += $(call cc-disable-warning, format-truncation)
 KBUILD_CFLAGS  += $(call cc-disable-warning, format-overflow)
 KBUILD_CFLAGS  += $(call cc-disable-warning, int-in-bool-context)
+KBUILD_CFLAGS   += $(call cc-disable-warning, attribute-alias)
+KBUILD_CFLAGS   += $(call cc-disable-warning, sizeof-pointer-memaccess)
+KBUILD_CFLAGS   += $(call cc-disable-warning, stringop-truncation)
+KBUILD_CFLAGS   += $(call cc-disable-warning, stringop-overflow)
+KBUILD_CFLAGS   += $(call cc-disable-warning, array-bounds)
+KBUILD_CFLAGS   += $(call cc-disable-warning, address-of-packed-member)
+KBUILD_CFLAGS   += $(call cc-disable-warning, packed-not-aligned)
+KBUILD_CFLAGS   += $(call cc-disable-warning, missing-attributes)
+KBUILD_CFLAGS   += $(call cc-disable-warning, misleading-indentation)
+KBUILD_CFLAGS   += $(call cc-disable-warning, bool-operation)
+KBUILD_CFLAGS   += $(call cc-disable-warning, bool-compare)
+KBUILD_CFLAGS   += $(call cc-disable-warning, maybe-uninitialized)
+KBUILD_CFLAGS   += $(call cc-disable-warning, parentheses)
+KBUILD_CFLAGS   += $(call cc-disable-warning, memset-elt-size)

It seems we can change the boot image header version created with mkbootimg
(https://source.android.com/devices/bootloader/recovery-image - and another interesting link: https://source.android.com/devices/bootloader/boot-image-header).

Note : I have bricked my phone trying to deal with the treble function (I have only access to bootloader). I can help to test things if needed. I hope I’ll have some images soon ^^.
Strangely, my boot image header version changed (without touching it) :

Argument dtb not supported for boot image header version 0


as far as i understand it, that “boot image header” is the header of the “bootimage” that the fastboot executable compiles on the fly when you use the “fastboot boot” command in this way.

(fastboot runs mkbootimg internally and compiles a header and a boot image from kernel, ramdisk, dtd and commandline, then sends the entire image to the phones bootloader which takes it apart again)

you can tell it to create a header version 2 with

fastboot boot --header-version 2

but I have’t been able to get around the dtb error that way either

1 Like

Actually, it was an answer to this error :


fastboot can do both, it can “create” a boot-image on the fly from specified kernel, ramdisk, dtd (if using header-version>=2) and commandline in this case output will look like this:

fastboot boot arch/arm64/boot/Image.gz --dtb dtimage --header-version 2

creating boot image…
creating boot image - 27367424 bytes
Sending ‘boot.img’ (26726 KB) OKAY [ 0.835s]
Booting FAILED (remote: ‘dtb not found’)
fastboot: error: Command failed

or one can create one’s own boot image using mkbootimage

mkbootimg --kernel ~/src/android_kernel_fairphone_sdm632/arch/arm64/boot/Image.gz --dt ~/src/android_kernel_fairphone_sdm632/dtimage -o boot.img
fastboot boot boot.img

Sending ‘boot.img’ (26726 KB) OKAY [ 0.878s]
Booting FAILED (remote: ‘dtb not found’)
fastboot: error: Command failed

I tried that both using individual dtb’s and compiled dtb’s using dtbtool, both with v2 and v3 dtb image version (I assume v1 is a flat single dtb) I also tried a flat concatenation of all dtb’s like the kernel make file creates.
So far I haven’t gotten past “dtb not found” – but if we had a working boot or recovery image from Fairphone (or offloaded from a phone somehow) we could analyze that to at least figure out which format the bootloader expects - and then figure out which dtb version we need

1 Like

lacking any working images for FP3, I looked at the TWRP image for FP2.
This boot image uses a combined dtb image using dtbtool in version 2
trying to boot from it kinda unsurprisingly results in a “dtb not found” error
@z3ntu , where did you get the parameters for fp3 as in:
--base 0x80000000 --second_offset 0x00f00000 --kernel_offset 0x00008000 --ramdisk_offset 0x01000000 --tags_offset 0x00000100 --pagesize 2048

the TWRP fp2 image uses different offsets. I have no clue how important/critical those are.

1 Like

You should rather compare images for other sdm632 devices (asus X01AD, motorola river, etc) than FP2 images

1 Like

These are the addresses on moto G7 (same chipset)


interestingly the twrp image for the moto G7 has the device tree concatenated old school to the kernel image (using a single device tree file) but this might be depending on the bootloader used
the descriptor info says:

model = "Qualcomm Technologies, Inc. SDM632 + PMI632 MTP S3";
compatible = "qcom,sdm632-mtp", "qcom,sdm632", "qcom,mtp";
qcom,msm-id = <0x15d 0x0>;
qcom,msm-name = "SDM632";
interrupt-parent = <0x1>;
qcom,board-id = <0x8 0x3>;
qcom,pmic-id = <0x10016 0x25 0x0 0x0>;
channel-id-map = [00];

that matches the entries in fairphones sdm632-mtp-s3.dtb

however trying to load that (twrp) image results in (you guessed it) “‘dtb not found’”

1 Like