FP4 - can't unlock bootloader after replacing motherboard

Maybe try with the old one (if not done so) who knows what Cordon really did :speak_no_evil:

Cordon experience overall seems to be not so good however, most times you only read about the bad experience and those with good experience are quiet…

1 Like

The old ones will probably produce a working code, but I don’t think you’d be able to unlock the phone with it.

The phone needs a wifi connection to get unlocked, so I’d imagine IMEI and S/N probably get checked, and those wouldn’t match.

But you are right, worth a try, maybe the system doesn’t actually check for that :thinking:

1 Like

I just copied them from settings, they match sticker on the inside

My old IMEI and SN outputs code, but when I input it, “No such phone” toast is shown.
I created a new request; I hope they will help me.

I wonder if it could be possible to sniff traffic FP sends to server, intercept it and send fake “correct” signal.

Sounds like Cordon didn’t notify FP about the new IMEI + S/N or FP didn’t update their DB. Both cases wouldn’t surprise me :roll_eyes:

One would hope that data is encrypted, but I haven’t checked :thinking:

They went from an unlock code that could be calculated (FP3) to one that’s stored online, so the system did get more sophisticated. To the detriment of us FP4 owners of course.

1 Like

So, basically I spent the whole evening figuring this out.
I did it, guys!
It's possible to unlock the bootloader offline on build FP4.SP25.B.058.20230318

tl;dr: just drop request to factory.fairphone.com

What I (over)did:

  1. set up and start a simple openvpn server (like How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN)
  2. connect to it from FP4
  3. route traffic from openvpn to burp suite proxy
     ```
     iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
     iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080
     iptables -t nat -A POSTROUTING -s -o enp3s0 -j MASQUERADE
     ```
  4. install burp suite, bind proxy to port 8080 on all interfaces, also tick “support invisible proxying”, in “proxy” tab, turn on intercept
  5. install CA certificate from burp suite on FP4
  6. drop this request
  7. on FP4 click “allow”

Hi @rogal !
I’m really happy you figured it out :smiley: That opens a new way of unlocking bootloader for other FP4 users!

However I didn’t understand what you did with openvpn and burp… Are you asking for the correct unlock code that is stored on the device, or are you somehow pretending you are the fairphone server to validate any random code? :thinking:

EDIT: or are you pretending the factory.fairphone server is offline?

Awesome work :metal:

So did I get this right, the payload isn’t encrypted, neither is the connection, and if you drop the request you don’t even need an unlock code :astonished:

That really hasn’t gotten more sophisticated at all. Could this be a preparation for a day FP stops existing and people still should be able to unlock their phones? :thinking:

Interesting find! I’m just wondering if there would be some simpler ways to exploit this, but maybe I don’t yet understand what exactly happens there.
For example: What happens if you block lookup of the domain or respond with a different (local) IP? This would be far simpler than dropping the individual request.

I had the same problem. Since I couldn’t find anything in the settings, I contacted support. After a day of chatting, it was clear that the problem could not be solved by me. So I was allowed to send in the FP4. Now I have had it back since yesterday. It seems to work with the original operating system. But since I want to install an alternative OS, which FP recommends, the bootloader has to be unlocked with the IMEI and the serial number. The FP website no longer recognises my data from the phone and I cannot generate an unlock code. I wonder if this has something to do with the mainboard that FP says it replaced or with the website’s service for the code, which doesn’t always seem to work. Has anyone else here had this problem?

Hi and welcome, moved your post here, maybe the above will help you else I think only support can help

1 Like

Support is offline now and has a day off tomorrow :frowning: Sitting here with my FP4 and can do nothing but wait.
Anyway, thanks a lot for moving me here!!

In the Netherlands we celebrate the King’s birthday on April 27th.

1 Like

Where on their site and what do they recommend? I thought they didn’t recommend, only mentioned, maybe e/OS?

I didn’t understand what you did with openvpn and burp

openvpn - because I couldn’t get this traffic to use a simple proxy
burp suite - because I wanted to decrypt this traffic (that’s why I had to install the CA certificate from burp suite on my FP4)

I think a DNS server with “factory.fairphone.com” pointing to could work too.
I will continue in a new thread: Unlocking bootloader offline
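
The posts above report that dropping the request to factory.fairphone.com, and possibly redirecting its DNS name, still lets the unlock proceed. The sketch below is an added illustration of that fail-open pattern beside a fail-closed check that also authenticates the reply; it is not Fairphone's code and not part of any post. Every function name, the message format, the demo code "1234" and the HMAC key are hypothetical.

```python
import hashlib
import hmac
import json

# Hypothetical key standing in for the vendor's signing key; a real design would
# use an asymmetric signature so that the device holds only a public key.
SERVER_KEY = b"constructed-demo-key"

class Unreachable(Exception):
    """Raised by a transport when the request is dropped or times out."""

def sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def genuine_server(imei, serial, code, nonce):
    body = {"imei": imei, "serial": serial, "nonce": nonce, "ok": code == "1234"}
    return {"body": body, "sig": sign(body)}

def dropped(imei, serial, code, nonce):
    raise Unreachable("request dropped in transit")

def spoofed_server(imei, serial, code, nonce):
    # Answers "ok" for anything but cannot produce a valid signature.
    body = {"imei": imei, "serial": serial, "nonce": nonce, "ok": True}
    return {"body": body, "sig": "00" * 32}

def allow_unlock_fail_open(transport, imei, serial, code, nonce):
    """Weak pattern: any transport error is treated as 'nothing objected'."""
    try:
        return transport(imei, serial, code, nonce)["body"]["ok"]
    except Unreachable:
        return True

def allow_unlock_fail_closed(transport, imei, serial, code, nonce):
    """Hardened pattern: only a signed, matching, positive answer allows unlock."""
    try:
        reply = transport(imei, serial, code, nonce)
    except Unreachable:
        return False
    body = reply["body"]
    if not hmac.compare_digest(reply["sig"], sign(body)):
        return False
    bound = (body["imei"], body["serial"], body["nonce"]) == (imei, serial, nonce)
    return bound and body["ok"] is True
```

The nonce and device identifiers inside the signed body are what stop a valid reply issued for one phone from being replayed to another.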


yes. I am looking for a google free OS.

Congrats to all of you! Got it this morning in the news. Celebrate and enjoy!

I’m coming back here today after about 5 weeks. Unfortunately, my new Fairphone 4 is still not ready for use.
Here it has already been reported that after the replacement of the motherboard two new IMEI numbers will be assigned to the phone. This is what happened with my phone.

Since I got it back, I have been trying to get the unlock code for the bootloader via the Fairphone service. Completely unsuccessful, unfortunately. Three employees made a real effort to help me and apparently failed due to internal interfaces at Fairphone between departments in France and the Netherlands.

I am now frustrated and currently see no other solution than to complain about the phone as defective again and return it.

If I look at this process against the background of sustainability, I find it difficult to imagine that this phone can ever have a good balance.

check out this thread: Unlocking bootloader offline
I found a way to unlock bootloader without code


Yes and many thanks! I found this. Great job you did. But I am not an IT person and do have my doubts I will get this done.
And in the end I think Fairphone should provide a proper solution somehow.

1 Like
