FP4 and LineageOS

FP4. Upto date. Installing latest LineageOS +Recovery (lineage-20.0-20230129-nightly-FP4-signed.zip)
Follow the all steps to unlock bootloader. Installed Lineage. All OK and Recovery too.
Do the ‘fastboot flashing lock’ and lose the ability to boot Lineage. Recovery and fastboot still OK.

I’m set to use slot b (another post suggests) setting to slot a, so unlock and switch then relock. Still no dice.

Do the ‘fastboot flashing unlock’ and I can boot into LineageOS again. Sigh.

What gives? This used to work fine on my old FP3+.

Moved your post here, as far as I understand its currently not possible to lock the bootloader after installing LOS

Well that’s not good news. I just assumed it would be the same as the FP3+. Does anyone know if this a specific problem with LineageOS that will get rectified by the maintainer? Would another flavour like /e work as expected?

Please read a bit above and do some search in the forum and pay special attention to the trapped in fastboot hints…

Just leave the bootloader unlocked. Yes, the popup at boot is annoying, but all this security stuff people are talking about is mostly hysterical bla bla. Every computer has had the equivalent of an unlocked bootloader since the dawn of time and nobody bats an eye about that either.

This is the equivalent of sticking tape over your laptop’s webcam but leaving your phone camera clear even though you take the latter with you on the toilet, so a potential hacker could blackmail you a lot better.

Moreover, the storage partition is encrypted anyway, so it would take a lot of effort to get to your data if someone had access to your phone. I would be more concerned about Facebook, Google and all the other companies stealing your data compared to a random dude who found your lost phone.

One shouldn’t merely leave their bootloader unlocked despite that, because it violates SafetyNet.

So what? SafetyNet is just an excuse by Google to have more control over your device.

If your apps don’t care, what difference does it make exactly?

It’s not like passing SafetyNet will give you access to Google Pay or something.

Unfortunately there are some apps that do care though.

Its not alot of apps, but for me the ones thay care tend to be of essential functionality for managing finances or healthcare.

Indeed, banking applications were my rationale.

Are you certain? What else allows Pay to decide whether to provide access?

It has to pass ctsProfileMatch. That basically means you need an OS verified by Google (in this case by Fairphone) or you have to spoof that you are verified by Google.

Are 3rd-party ROMs (such as CalyxOS) able to acquire such a thing?—or does that mean that Google Pay is deliberately limited to 1st-party software from large organizations?

I have no idea if they could legitimately get that certification. It’s probably never happened at least.

The only thing they can do now is spoof it. My Pixel XL has a ROM from XDA that makes it pretend to be a Pixel 3 to pass. Wouldn’t recommend it though as you don’t know what the creator put in.

I have yet to find an app that does not work in LineageOS 20 on an FP4 with Universal SafetyNet Fix, Shamiko, and Props Config set to an FP3 signature (and MindtheGapps). Some banking apps that check for root/magisk outside of SafetyNet do seem to require being added to the Magisk blacklist, but that’s all that seems to be required. This includes access to Google Pay (yes, I have successfully made NFC payments with this configuration).

There’s always the chance that this will fail at some point in the future, but for now, everything is working.

Are 3rd-party ROMs (such as CalyxOS) able to acquire such a thing?—or does that mean that Google Pay is deliberately limited to 1st-party software from large organizations?

From my understanding, there is essentially no chance that non-manufacturer distributions would be given SafetyNet certification by Google. The privacy goals of CalyxOS would also be fundamentally incompatible with SafetyNet, so they would not seek it to begin with.

It is specifically the encryption that makes bootloader locking, or more generally verified boot processes, important. Without encryption, physical access is fatal to security, because the attacker can just read and write everything directly. With encryption, the next vulnerability becomes an evil maid attack, where an attacker with physical access changes the firmware secretly, and then waits for the user to unlock the device and for the storage to be decrypted.

However, on the FP4, the verified boot private keys are publicly available, and Fairphone apparently has no intention of addressing this problem. So a locked bootloader on an FP4 is arguably not that much protection compared to an unlocked one. Generally, the FP4 should probably not be considered a secure device; there’s probably a reasonable argument for asking that Google revoke SafetyNet certification for the stock OS.

Most modern computers do have something similar to a locked bootloader, in having something like Secure Boot. My Framework laptop, for example, is running ArchLinux, uses signed boot images, and is set to enforce Secure Boot. Setting this up was quite simple and well-documented. The difference is that, on many computers, verified boot processes generally work in ways that can be easily utilized by the user to increase security, while locked bootloaders on most devices, other than Google’s own, are set up by manufacturers, including Fairphone, in ways that harm users who want to run anything other than the manufacturer’s software.

I mean, you can still install one of the ROMs that implement a custom root-of-trust (CalyxOS, DivestOS, iodéOS … ), or build LOS yourself and sign it with your own keys, then that issue doesn’t really concern you.

My guess is, the reason for the bootloader using test keys is /e/OS, they sign their releases with test keys as well.
If Fairphone had used private keys, they would either have to share them with Murena, or sign every release themselves. With a custom root-of-trust people would get a nice yellow screen, warning them that their device is “loading a different operating system”, and customers who bought their phones from Murena might understandably get freaked out by that.

But, as mentioned in the topic you linked, having the keys doesn’t actually help you without an EDL loader / firehose files available. As long as those don’t get leaked, even a phone running stock FPOS with a locked bootloader is reasonably secure.

Following up from my post on Jan 16 about the issue with outgoing audio…
I’ve posted a logcat file on github.

As I described previously, after a reboot the person on the other end of the call will not here any outgoing audio from the FP4. Switching the FP4 to speakerphone immediately causes the outgoing audio to start working, and then it continues to work after speakerphone is witched off, and on subsequent calls, until the phone is rebooted. I have tested this with the stock phone app, and also the Google Phone app, and with bluetooth off and on.

The logcat file starts with the call being placed, and 17 seconds later, after the call connected, and the outgoing audio issue was verified, the audio is switched to speakerphone. About 22 seconds in speakerphone is switched off.

Any suggestions would be appreciated. I have submitted this issue as a bug report for LOS, too.

Testing now, I can’t reproduce. 20230122 nightly, MindTheGapps 13 20221025_100653. I rebooted immediately before making an outbound call, in case previous speaker use would prevent the problem from occurring. I had no problems with outbound audio. I tested this with a 3G connection, and 4G connection that seems to have used VoLTE. I can try testing with a 5G connection in a few days. I do see a 4G status, and have 4G calling on. This is on Vodafone IE.

You don’t happen to be in the US?

Yes, I am in the US,. I switched from the stock OS to LOS after reading the reports in the “Fairphone owners in the US” forum in December indicating that VoLTE was working properly for phones running LOS and e/OS, and after the first official LOS build supporting FP4 was released in January.

Previously, with the stock OS, I did not have this issue with outgoing audio, but the phone was apparently using 3G (or even 2G) for voice calls.

I am using Mint (T-mobile).

Let me try disabling 5G and 4G and checking whether the issue still occurs…

I tried setting the “Preferred network type” to “GSM only” and still have the same issue.