FP3 custom rom development based on released source code

Are the pads connected to the bottom module? Aka is there a chance that they are connected the the type c connector

1 Like

Right, I also believe that R, S and T is the next and best option.
I have a Bitscope Micro at hand. That should do it to see what is going on. Unfortunately, I can’t record longer waveforms with that device yet. I will find out or try to build a level-shifter and connect that to my bus-pirate or another uart interface. Will probably take one or two days …

1 Like

Hi, thanks a lot for the pictures!
The signal at T does not really look like a UART transmission. It could be only zeros (with start and stop bit (?)). However, it still looks pretty different to what Matombo has measured here:

1 Like

You understood me wrong. I didn’t messure anything. Thats just a random picture i found on duckduck when i searched for “uart oszilloscope”. I havn’t even opened my phone yet.

1 Like

wait a moment. I didn’t read all posts, but… are you seriously trying to revers engineer the source code through hardware signals?

So, @Fairphone published a not working or even wrong source code and you accept that as a fact and start melting down your phones? That is really sad. Once more I am thinking about giving back my phone on warranty due to “failed promises (GPL) and expectations (fair)”.

There’s your mistake.
Before you rant on, you might want to correct it :wink: .

I don’t claim to understand everything or even most of the stuff here, but if I’m not mistaken the main thing missing now is a complete install image to easily get access to the boot image for the Fairphone 3. Fairphone said they would provide it, same as the source code, but it’s not there yet.

That doesn’t keep people from trying to expertly make do with what’s already there, though, and here we are :wink: .


I didn’t mean to rant - that was a question. no, it was two questions. admittedly a little bit polemic.

And thanks for answering my questions in your edit. :slightly_smiling_face:

maybe a separate topic “Actual News about TWRP and Custom Rom” might be cool, so everyone not having a Oszilloscope and who is still interested in the progress doesn’t have to read 126 messages till he knows what’s going on. Would be a great… service to the others. :sweat_smile:
I’d do it, but… I didn’t read it all… and I didn’t plan to follow the whole procedure of oscilloscope researching etc…

Edit: and by the way: yay, progress! Thanks to everyone who’s working on it!


tl;dr: We have the kernel, but we are missing crucial configuration information.
Try and error is not really an option because it can soft- or hardbrick the phone.
So we try to collect as many informations as possible to reconstruct these configurations.
(ofc it would be really nice of a fp dev to provide them to us, hint hint :expressionless:)


@hirntot and any interested person willing for a summary in non-too-technical terms:

Just some clarification of the steps made so far…

  1. Fairphone published (as promised) the kernel source code, but not yet the complete install image.

  2. In this topic, a few people managed to compile the image properly and outside of the android’s build environment, but

  3. having the kernel source code does not mean having a compiled and running kernel. If you are a Linux user, just go to kernel.org, grab the latest Linux release, compile and replace your existing kernel. If you are experienced it is fairly easy, but it is not a trivial thing to do. Now, when it comes to doing the same for a smartphone, it gets a bit more tricky. No one here actually managed to boot the compiled kernel on FP3.

  4. The trick seems to properly package the compiled kernel into a boot image, and this seems to be very much device-dependent and it is not specifically documented for FP3. It is not possible to directly see how it is done on FP3 because there is no access on the phone to the relevant data without rooting the phone first (which is what people are trying to do here!). In order to break this vicious circle, corvuscorax proposed to

  5. check automatic phone updates, and try to grab the boot image from them. The problem was that these updates would not provide the whole system in the phone, but just the differences between the system in the phone and the updated system; a lot of impressive work was done in order to extract as much information as possible from these differences, but nothing really useful was found so far (even though in a future update the full system might be provided, and we are ready for intercepting it if this happens). That’s why, meanwhile, it was proposed to

  6. come back to the boot process, and try to understand what goes wrong. The problem is that there is a lack of debugging information during the boot process. Actually, debugging information is normally not conveyed through the screen when a smartphone boots, but often (and this is device dependent) through a signal across 3 pins on the motherboard.
    That’s why Matombo took the initiative of soldering wires on his phone. That’s why pigpig took the initiative of probing debug pins candidates inside his FP3. It seems no one here has attemtped soldering anything yet :stuck_out_tongue:.

To conclude with, if you wish to get rid of google on your phone/to have it rooted/to install a free OS on it, you have a variety of options:

  1. Wait till Fairphone actually does it (I really think they will, even though they have no obligation, but it will certainly take time)
  2. Wait till Fairphone makes a full image publicly available (I don’t think they have any obligation of doing it, but they promised to do so; it might also take some time, but less than the previous option)
  3. Do the whole work yourself from the published source code (that’s what is tried here, but see, it’s hard and not clear if it will take less time than the previous option)
  4. Wait till someone external to Fairphone does the job in hopefully less time than Fairphone (that is my strategy, trying maybe also to help a bit here and there when possible)

Anyhow, whenever there is significant progress, for sure you will know very quickly, even if you don’t read all posts in this topic. This is my bet: if you don’t see any new post here for 3 days in a row, then the custom ROM is running on FP3 :smiley:.


hummm. I always thought, trying to run a TWRP build (without installation) and then just copying the /sys partition to another place might have been easier…
well, I guess TWRP needs some configuration as well, but I couldn’t understand what configurations when I tried to research it some weeks ago.

1 Like

To boot twrp on the fairphone 3 you also need to be able to boot a custom kernel first. We are stuck at the step before porting stuff.

btw: again i didn’t solder anything on my fp3, i haven’t even opened it yet. pigpig did open it and messured debug pins (without soldering stuff to it).

I just ordered a usb type-c breakout board and try to see if the unused type-c pins are used for uart. But the adpter comes from china so it will arrive in 2week-2month.


Feel free to open another topic.
Please don’t get me wrong (this is not meant as an offense), but this is the “participate/Development” category. And if you read some of the (126) posts you’ll see most of them are really fitting in this category! So please let them discuss technical details here. I think it’s really great what some have already found out!


After I got such elaborate technical and promising (though unfortunately not fruitful) reply to the question about JTAG, I asked the same contact from support about UART.

The support person was again very helpful and forwarded the question. However they received this slightly unsettling reply:

- Debug UART is not accessible for customers

I interpret that as “There is a debug UART, but we don’t want you to know about it” – which doesn’t look promising regarding helping the community getting this phone opened up. Quite a contrast to FP2. I wonder why.

That probably means we best keep reverse engineering this piece of locked down hardware, as if it was an Iphone. Maybe we should start looking into root-exploits.

For people interested in active development this probably means its better to not install updates anymore for the time being, so you don’t get patched out of potential local privilege escalation vulnerabilities you might need later.

Not happy about this. Can’t blame the support, but not happy about this.

Edit: This actually increases the probability that we are on the right track with the solder pads.


TWRP is linux based and needs a device tree configuration to boot. (Basically tells Linux device drivers which periphery chip is connected to which pin/bus of the CPU)
Technically, we already have the device tree, - although its a bit cryptic - it came with the open source kernel, but the bootloader doesn’t accept it. Keeps saying “dtb not found” regardless what kernel and device config you give it. That’s also what you get when you try to boot TWRP.
Aside that only first generation FP3s are even unlockable without hazzle. Any updated phone needs a code, for which someone had to actually reverse engineer some of fairphones proprietary software extensions. Not exactly what you’d expect from a “fair” phone.


Pretty far from it. I doubt there’s a direct connection, but can’t rule it out either, as its a many layer board, traces could be routed all over the place

1 Like

Back to the oscilloscope, if someone else can try, it would be nice. Since my device is bricked, it is not sure it was in the right phase & it can’t have the boot signal.

1 Like

we don’t know for sure if the bootloader actually uses the debug uart. Looking at aboot sourcecode for a different phone, it can give more info about whats wrong over serial uart, but that’s an optional compile flag to actually enable that, it could be compiled without. (In which case the uart probably is a dead end)
the stock kernel however has uart enabled, so latestly when android boots you should see all the kernel boot messages on the osci/COM device.


whats the frequency of these peaks? I hope that’s not just a clock :wink:

1 Like

Actually I wonder if it wasn’t only the sector freq… (If it was only in charging mode??)

1 Like

well its nice rectangular flanks, that DOES look like a binary signal, not an artifact.

1 Like