English

FP3 custom rom development based on released source code

To boot twrp on the fairphone 3 you also need to be able to boot a custom kernel first. We are stuck at the step before porting stuff.

btw: again i didn’t solder anything on my fp3, i haven’t even opened it yet. pigpig did open it and messured debug pins (without soldering stuff to it).

I just ordered a usb type-c breakout board and try to see if the unused type-c pins are used for uart. But the adpter comes from china so it will arrive in 2week-2month.

4 Likes

Feel free to open another topic.
Please don’t get me wrong (this is not meant as an offense), but this is the “participate/Development” category. And if you read some of the (126) posts you’ll see most of them are really fitting in this category! So please let them discuss technical details here. I think it’s really great what some have already found out!

10 Likes

After I got such elaborate technical and promising (though unfortunately not fruitful) reply to the question about JTAG, I asked the same contact from support about UART.

The support person was again very helpful and forwarded the question. However they received this slightly unsettling reply:

- Debug UART is not accessible for customers

I interpret that as “There is a debug UART, but we don’t want you to know about it” – which doesn’t look promising regarding helping the community getting this phone opened up. Quite a contrast to FP2. I wonder why.

That probably means we best keep reverse engineering this piece of locked down hardware, as if it was an Iphone. Maybe we should start looking into root-exploits.

For people interested in active development this probably means its better to not install updates anymore for the time being, so you don’t get patched out of potential local privilege escalation vulnerabilities you might need later.

Not happy about this. Can’t blame the support, but not happy about this.

Edit: This actually increases the probability that we are on the right track with the solder pads.

8 Likes

TWRP is linux based and needs a device tree configuration to boot. (Basically tells Linux device drivers which periphery chip is connected to which pin/bus of the CPU)
Technically, we already have the device tree, - although its a bit cryptic - it came with the open source kernel, but the bootloader doesn’t accept it. Keeps saying “dtb not found” regardless what kernel and device config you give it. That’s also what you get when you try to boot TWRP.
Aside that only first generation FP3s are even unlockable without hazzle. Any updated phone needs a code, for which someone had to actually reverse engineer some of fairphones proprietary software extensions. Not exactly what you’d expect from a “fair” phone.

5 Likes

Pretty far from it. I doubt there’s a direct connection, but can’t rule it out either, as its a many layer board, traces could be routed all over the place

1 Like

Back to the oscilloscope, if someone else can try, it would be nice. Since my device is bricked, it is not sure it was in the right phase & it can’t have the boot signal.

1 Like

we don’t know for sure if the bootloader actually uses the debug uart. Looking at aboot sourcecode for a different phone, it can give more info about whats wrong over serial uart, but that’s an optional compile flag to actually enable that, it could be compiled without. (In which case the uart probably is a dead end)
the stock kernel however has uart enabled, so latestly when android boots you should see all the kernel boot messages on the osci/COM device.

2 Likes

whats the frequency of these peaks? I hope that’s not just a clock :wink:

1 Like

Actually I wonder if it wasn’t only the sector freq… (If it was only in charging mode??)

1 Like

well its nice rectangular flanks, that DOES look like a binary signal, not an artifact.

1 Like

I agree for the signal.

It seems that the flashing program from qualcomm (hXXps://www.qpstflash.com/) (link changed as site is very suspect, see below) is able to do some backup. Someone has a computer with Wind*ws and can check it?

Nobody tried the treble option to have an AOSP with su?? (just be carrefull with the slots -what I wasn’t-, I can give the cmds)

1 Like

Sure that the site isn’t scam? It has a couple of red flags, like no legal information, bad grammar, encrypted zip files and implausible claims.

1 Like

I don’t know. Someone gave this link on another thread. Search for qualcomm qpst flash

1 Like

You should definitely not try it. A quick whois shows for qptsflash.com:
(Edit: you should at least be careful and aware that it does not come from an official source, see the next post)

Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama

Instead, if you do the very same for qualcomm.com, you get:

Registry Registrant ID:
Registrant Name: Host Master
Registrant Organization: Qualcomm Inc.
Registrant Street: 5775 Morehouse Drive,
Registrant City: San Diego
Registrant State/Province: CA

In other terms, qptflash.com is hiding its identity (and qualcomm.com is not). This is far too quite suspicious.

3 Likes

These tools are usually not released by chipset vendors, at least not outside of a small group of qualified technicians. One of those sometimes leaks the tool, after which it ends up on some vague site on the net (packaged with or without malware). The tool for the MTK chipset in the FP1 also came from a shady source, if I recall correctly.
Rock / hard place.

2 Likes

This looks fishy. That tool, among a number of others are all listed on
https://androidmtk.com/download-qpst-flash-tool (scroll down to section “Alternative Qualcomm Flash Tool”

they all have different names, they all claim to be able to flash firmware for “any qualcomm chipset” - they all call it “download” when really they mean flashing a firmware onto the device, and they are all shady windows programs from shady webpages with zero other content.

I downloaded one of those zip files. automatic virus analysis failed because (what a surprise) the zip its password protected (with the password written on the webpage in cleartext) hindering automatic analysis

I went to the trouble and unzipped it, extracted the files from the msi installer and sent them to virustotal. No known malware was detected, but the heuristics went bonkers:

https://www.virustotal.com/gui/file/c8c5155db91e87434d38185e0baba7868476ccd71b190ef9354739f56d6157de/detection

TL;DR don’t dare installing and executing that stuff unless you do it on a virtual machine running on a RAM disk on a battery powered raspberry in a sealed room with lead walls, and burn it afterwards. Connect your phone at your own risk, especially if its unlocked. If the malware is any good, it might actually install itself on your phone.

Edit: After snooping a bit more in the contents, it looks like there is some actual qualcomm tools in there, but they are from 2015 and likely don’t support the newer chips like the 632, so don’t get your hopes up too high.

Edit2: Since I didn’t want to upload every single file to virustotal for checking i re-zipped the unpacked folder (without password) these are the results:
https://www.virustotal.com/gui/file/0841fc9e1624e376f5a50b5a3096b74d95bbba175dd8526e2ad2c2dae39d1370/detection

while nothing specific has been found, I have to say, this does not look safe

4 Likes

btw if these “qualcomm downloader” tool were to work, then THIS here https://www.96boards.org/documentation/consumer/guides/qdl.md.html would work, too. has anyone checked that?

Edit: This uses edl modem this page describes how edl mode is engaged if available

Edit again: Neither adb nor aboot on the FP3 know anything about the “edl” which is likely because thats qcom msm based chipsets specific (which have that emergency bootloader hardcoded in the main cpu - great for unbricking!)
apparently there is even a special USB cable for these chipsets that shorts a pin to force boot the phone into edl mode - available from some forensic supply shops.

probably wont help us, as this is a USB2 cable and FP3 is USB3/USB-C - its possible that something equivalent exists for the SDM6xx series, but since qcom doesn’t release docu and there is nothing in the wild… the msm series had the advantage that there are dev boards openly sold and tools for download from qcom. while for the newer SDM those are only available for OEMs.

It seems like Fairphone the company isn’t even the OEM. The more I learn about the firmware and the device itself, it looks like Fairphone outsourced parts of phone design and manufacturing to a company in far east - which did the actual hardware design. As such the knowledge and NDA’s are between that company and qualcomm, while Fairphone is out of the loop and doesn’t even have that info about their own phone.

I don’t know that for certain, but there are indications, such as the Service Menu app, (com.arima.servicemenu) - it doesn’t include an “about” info anywhere, but this here might make sense:
http://www.arimacomm.com.tw/en/technology-1.php?index_id=2

another bit of info is the info from customer support that qualcomm NDA related info is not known to fairphone employees even. Which would totally make sense if Arima designed and certified the phone for Fairphone.

6 Likes

FP3 is actually USB2/USB-C

3 Likes

btw, must see easter egg:

adb pull /system/priv-app/ServiceMenu/ServiceMenu.apk
mkdir ServiceMenu
cd ServiceMenu
unzip ../ServiceMenu.apk
vlc res/raw/testvideo2.3gp

enjoy

also,
res/raw/test.mp3 : “I will be” from “Avril Lavigne”, Album “The best damn thing” 2007 (cut off after 27 sec)
res/raw/speaker.mp3: beautiful excerpt from “故乡的云” by “徐美澜” - as listed here

res/raw/test_sound.mp3 – actually a RIFF wav file! 4.8 seconds of spanish music
res/raw/test_sound1.mp3 – an actual audio test file - useful for testing mic and speakers

sm_compass_calibration_manual_icn

2 Likes

that again makes it more likely that there are hidden extra functions on the unused wires (serial, etc…)

1 Like