FP3 custom rom development based on released source code

On an unlocked device the kernels signature isn’t checked, therefore you can just flash a custom kernel as you wish.
That’s exactly what is happening when flashing Magisk or TWRP (using the twrp-installer) to the device.
They both modify the boot partition.

Installing Magisk actually disables verity so you can modify the system/vendor partitions without breaking it.

Regarding EDL you would typically need a manufacturer signed firehose-programmer.
This is basically sbl1 with the added implementation of the firehose protocol.

The certificate-chain used for verifying sbl1 is apparently using test-certificates ?!:

Subject: C = US, ST = California, L = San Diego, OU = General Use Test Key (for testing 13 only), OU = CDMA Technologies, O = QUALCOMM, CN = QCT Root CA 1
Subject: C = US, ST = CA, L = San Diego, OU = CDMA Technologies, O = QUALCOMM, CN = QUALCOMM Attestation CA
Subject: C = US, CN = SecTools Test User, L = SANDIEGO, O = SecTools, ST = CA, OU = 01 0000000000000000 SW_ID, OU = 02 000BA0E100000000 HW_ID, OU = 04 0000 OEM_ID, OU = 05 00000168 SW_SIZE, OU = 06 0000 MODEL_ID, OU = 07 0001 SHA256, OU = 03 0000000000000002 DEBUG
8 Likes

Do these certificates have expiry dates? One thing test-certificates usually have in common is a very short lifetime. That would kinda suck, if the phone would refuse to boot beyond 2022 or something like that.

How did you extract the certificates? sbl1 strings finds the strings in both sbl1.img and aboot.img

strings also finds debugging symbols in sbl1, source code file names, function names, etc… Oddly enough however objdump claims it’s a stripped binary, that doesn’t add up.

2 Likes

The root CA (which is what matters) expires Dec 13 08:23:22 2038 GMT.
Although I doubt the bootrom actually checks the expiry-date.
What If you had the battery removed, how would it know the current time?

I used binwalk to extract them from sbl1

those may not be debugging symbols, but just prints and similar, although I haven’t looked at sbl1 in detail.

3 Likes

Its possible the ELF header is fake. This isn’t really a file loaded by an OS but an image loaded by the ebl and probably run with a hardcoded start address. I’m surprised they bothered with an ELF header (or something that looks like it) to begin with.

Normally you would extract the raw, headerless binary from the elf with
objcopy -O binary source.elf target.bin
But with the sbl1 that just reports “sbl1 has no sections” - which indicates this isn’t really a valid ELF at all. (Same with aboot)

3 Likes

This is really great news. Is there any estimate how long it might take until there could be a lineage or other Android without Google? Or is that still unlikely?

Is there anything I could help with? I can only program python and some C++ for Arduino microcontrollers.

I don’t have a Fairphone 3 yet, I would buy one soon, if I knew for sure an OS without google would come. Also to maybe help somehow.

1 Like

Yiha! I have lineage on the FP3! (with gsi)

I used the treble_arm64_bvN image.

  1. Install magisk
    Note the slote !

  2. Flash back stock vendor & system, erase userdata

    fastboot getvar current-slot
    fastboot --set-active={slot with magisk} # if needed
    fastboot flash vendor vendor.img # Not sure if needed
    fastboot flash system system.img # Not sure if needed
    fastboot -w

  3. Flash the gsi on the two slots!

    fastboot flash system_a {gsi_image}
    fastboot flash system_b {gsi_image}

  4. Reboot and wait

    fastboot reboot

Note: Can someone try directly from step 3? or only with fastboot -w boot needs to be changed.
Note2: The slots need to have success

fastboot getvar all
[...]
(bootloader) current-slot:a
(bootloader) slot-retry-count:b:6
(bootloader) slot-success:b:Yes
(bootloader) slot-active:b:No
(bootloader) slot-unbootable:b:No
(bootloader) slot-retry-count:a:6
(bootloader) slot-success:a:Yes
(bootloader) slot-active:a:Yes
(bootloader) slot-unbootable:a:No

To get a slot-success=Yes, you have to do : (with stock system)

bootloader --set-active=a
bootloader reboot (go until system)
bootloader --set-active=b
bootloader reboot

Note3 :
To get the navigation bar, as mentionned by @dyd0u,

Maybe we could change it directly in the boot props.

Note4:
Some unwanted packages are still there (because of the way treble works). It is easy to disable/uninstall them.

adb shell pm disable-user --user 0 com.qualcomm.qti.qms.service.telemetry
adb shell pm disable-user --user 0 com.qualcomm.qti.qms.service.connectionsecurity
adb shell pm disable-user --user 0 com.qualcomm.qti.optinoverlay
adb shell pm disable-user --user 0 com.orange.update
adb shell pm disable-user --user 0 com.orange.aura.oobe
19 Likes

Thats really cool! I will probably try install it tomorrow and I will let everyone know how it goes here.

3 Likes

Nice. Is there a newer version of that image? Did you check whether things actually work (GSM, LTE, GPS, camera, power+charge mgmt, whatever)?

Here is a list of gsi available :

I just start to test it.
For the moment the home, history and back button aren’t here, which is quick anoying ^^ Solved

GSM, GPS, cameras, wifi, charging works fine :slight_smile:

5 Likes

Thanks to you, I successfully booted Treble LineageOS on my FP3!
I got the navigation bar by using Magisk module MagiskHidePropsConf and setting prop qemu.hw.mainkeys to 0.

7 Likes

That sounds great.
What has to work for official lineageOS support?

Not all heroes wear capes. You are my heroes.

1 Like

first of all needs a capable maintainer :wink:
And GSI is not “standard” LOS…

1 Like

I’m really impressed of the acceleration this project just took: soon after TWRP, a “generic” LineageOS is already available :smile: . Project Treble is definitively a good thing, I remember the months of development for the LOS port for FP2…

What do you mean? Is there some features missing in this Generic System Image? Does working on a dedicated port for FP3 is anyway needed?

EDIT: Awesome work, guys :slight_smile:

2 Likes

The GSI contains the full google apps.

Treble is not always making our lifes easier, especialy if you maintain older devices :sweat_smile:
Due the fact I don’t own a GSI-capable device - I’m not very experienced with this. But I know no offical supported device on LOS with GSI-images - but maybe someone knows this better :wink:
But all official LOS-devices have device-tree+kernel

4 Likes

Not all GSI. For example the lineage one I mentioned don’t.

Actually, the gsi have their own maintainer. It is easy to do the update from FP ones for other partitions. We just have to do a patch from the FP one witout system and with a patched boot.
The only thing which can be hard to do is a patch for the vendor implementation. And I’m not sure there is any.

The maintain chain is really different from “standard” custom rom : we still need FP support, and the system is done by the gsi maintainer.

3 Likes

the question was official Lineage-Support - but most people have a weired imagination of “official” support :wink:

2 Likes

As GSI seems to be easier to get it running, anyone tried Bliss-rom already?

1 Like

Feel free to try, and let us know! Just follow the same steps :slight_smile:

Edit: GSI for BLISS, is an official image :wink:

1 Like