
Has anybody received the latest security update yet?


Yesterday evening I received the update. Worked flawlessly.

Guessing here: You are trying to skip one update and that might not be possible. Perhaps you need to install the October update first, then the December one?

Everyone: Are updates incremental again now? No full updates anymore?

1 Like

I was just searching for information about OTA and bsdiff, trying to possibly learn what’s in the package and how to extract it. Interestingly, Google states every 4 or 5 updates should be full updates, so people do not need to do lots of updates one after the other and can just jump to a fully up to date system. So, maybe the next update might be a full update? Let’s hope for the best!

3 Likes

Yes, I had the same thought. I’m a bit busy right now but will try it later. Thank you all for the help!

1 Like

Well, no luck either with the October update…

1 Like

The number 09261600 refers to the pre-September build A.0095 according to the metadata in the various update packages that I have seen so far. So you would need to start with d1e85d55938fdd545fcdc4b4b11098c5d183636f.zip which has:

pre-build-incremental=09261600
post-build-incremental=10011803

then the October update a1b56846df6bb6c656a511eeae9f732f5b35fbf9.zip with:

pre-build-incremental=10011803
post-build-incremental=11150009

and finally the December update eab40c208c6bd6899b51e7103822972d7a40336c.zip with:

pre-build-incremental=11150009
post-build-incremental=12171325

But this will probably not work, as adb sideload seems to be broken (see post #18) since update_engine_sideload is not there. I just tried sideload for the December update and it validated, but then failed to install with the same error about the update_engine_sideload. Probably something similar to this would be needed for the FPOS recovery.

PS: There are (at least) two different September updates, which depend on the version that was installed when the device shipped:

  • for A.0081 (08161740): 39ce8b1b568149d8ecb8b4b7fc0d37beefc388fb.zip
  • for A.0095 (09261600): d1e85d55938fdd545fcdc4b4b11098c5d183636f.zip

1 Like
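
The chain described in the post above can be worked out from the packages themselves. This is an added example, not code from the post or from Fairphone: it reads `META-INF/com/android/metadata` from each OTA zip and orders the packages by the `pre-build-incremental` / `post-build-incremental` values quoted above. The sample zips are constructed in memory and contain only a metadata entry; the function names are assumptions.

```python
import io
import zipfile

METADATA_PATH = "META-INF/com/android/metadata"  # metadata entry inside an OTA zip

def read_ota_metadata(zip_source):
    """Return the key=value pairs from an OTA package's metadata entry."""
    with zipfile.ZipFile(zip_source) as zf:
        text = zf.read(METADATA_PATH).decode("utf-8")
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs

def plan_update_chain(current_incremental, packages):
    """Return (label, pre, post) steps, in install order, from the current build."""
    by_pre = {}
    for label, source in packages.items():
        meta = read_ota_metadata(source)
        pre = meta.get("pre-build-incremental")
        post = meta.get("post-build-incremental")
        if pre and post:  # packages without a pre-build key cannot be chained
            by_pre[pre] = (label, pre, post)
    chain, build, seen = [], current_incremental, set()
    while build in by_pre and build not in seen:  # 'seen' guards against loops
        seen.add(build)
        chain.append(by_pre[build])
        build = by_pre[build][2]
    return chain

def make_sample_ota(pre, post):
    """Constructed stand-in for a real OTA zip: it holds only the metadata."""
    buf = io.BytesIO()
    body = f"pre-build-incremental={pre}\npost-build-incremental={post}\n"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(METADATA_PATH, body)
    return buf

if __name__ == "__main__":
    samples = {"december": make_sample_ota("11150009", "12171325"),
               "september": make_sample_ota("09261600", "10011803"),
               "october": make_sample_ota("10011803", "11150009")}
    for label, pre, post in plan_update_chain("09261600", samples):
        print(f"{label}: {pre} -> {post}")
```

An empty result means no package in the set starts from the installed build, which is the situation a device on A.0081 (08161740) is in when only the A.0095 September package is at hand.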

Thanks for the insight!
Tried the update you suggested and got the same sideload answer.
Have filed a support ticket…

2 Likes

OK, I’m in contact with someone from the support team. They’re looking into the issue and will get back to me in a few days hopefully. I’ll let you know how they solve the problem.

5 Likes

Just for info. It looks like the OTA updates Fairphone is pushing are “differential updates” - aka patches - not complete images - even for the system partition.

This has nasty implications. It means, if any changes got made to the /system partitions, as one would see when rooting the device through an exploit or otherwise, the device can no longer be updated by OTA updates.

Worse, an attempted OTA update could worst case corrupt more data and under some - hopefully unlikely circumstances - brick the phone. Just keep that in mind.

Fairphone could mitigate that issue by providing a full / not differential image which could then be used to sideload an intact system under any circumstances.

Cheers

7 Likes

I assume that’s what they mean by

We are working towards making available:

  • a flashable image for download and manual flash

on https://support.fairphone.com/hc/en-us/articles/360032971751-Operating-systems-OS-for-the-Fairphone-3

6 Likes

Yep. It would also help those a lot who try to make a custom ROM/recovery 🙂

4 Likes

These implications might be “nasty” from a hacker’s perspective. For the vast majority of average users this simply means smaller downloads and faster updates.

Fairphone should of course provide a recovery image which can be used via sideload. And I guess they will do that sooner or later.

3 Likes

Also for “normal” people who miss updates and can’t get to intermediate updates any longer, as you need to apply those differential updates one after another.

1 Like

I’ve got one Fairphone 3 user who reports that he only received the 26 December update today. He had kept reporting checking for it repeatedly before.

Anyone else with such a long wait? Any ideas what could explain such a long delay? It seems unlikely to me that the update was supposed to be spread over such a period.

I got the December Update (Version 5th December 2019) only today (8th January 2020).
I checked several times in the time between for updates, but only today I got it.
Before the December Update I had the October 2019 Version.

2 Likes

As far as I know, this is normal.
The Android OTA algorithm includes a lottery based on a unique identifier. When a phone checks the server for the first time if an update is available, the server will remember the unique identifier and assign a random number. This random number will not change - no matter how often you click on “check updates” - and based on the random number the server decides WHEN you get your update.
A small number of users will get it right away. (tens of devices)
A bigger number of users will get it after a week (hundreds of devices)
There might be a third and even a fourth stage - upscaling to half the users and all the users - if you are in the second half, you might have to wait over a month extra, and there’s almost nothing you can do about it 😦
(Some forums suggested wiping the data of the updater service, thus causing a new unique ID to be assigned, which might or might not run the lottery again.)
I don’t have the link where I read about this, but Google should find it.

The reason for that is to catch catastrophic updates before they affect too many users. Sometimes updates have bugs that don’t show up during internal testing because they only affect people in certain regions or certain situations. Assume the phone would crash and never ever boot again when you took a phone call from a Chinese number between midnight and 1 am - or something like that. That wouldn’t show up in testing, but you might get a few error reports from affected users and could stop the update from going out to the rest of them.

8 Likes
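
A small model of the staged rollout the post above describes, as an added example that is not Google's or Fairphone's server code. It shows why repeated checks do not change the outcome and how halting after an early stage limits exposure; the stage days and fractions, the seed and all names are assumptions.

```python
import random

# Assumed stages: (day the stage opens, fraction of devices eligible).
STAGES = [(0, 0.01), (7, 0.10), (21, 0.50), (35, 1.00)]

class RolloutServer:
    def __init__(self, seed=2020):
        self._rng = random.Random(seed)  # seeded so the run is repeatable
        self._ticket = {}                # device id -> lottery number in [0, 1)
        self.halted = False              # set True to stop a bad update

    def ticket_for(self, device_id):
        """Draw a number on first contact, then always return the same one."""
        if device_id not in self._ticket:
            self._ticket[device_id] = self._rng.random()
        return self._ticket[device_id]

    def check_for_update(self, device_id, day):
        """True if this device is offered the update on the given day."""
        ticket = self.ticket_for(device_id)
        if self.halted:
            return False
        fraction = max((f for start, f in STAGES if day >= start), default=0.0)
        return ticket < fraction

def days_until_offered(server, device_id, last_day=40):
    """First day the update is offered, or None if not within last_day."""
    for day in range(last_day + 1):
        if server.check_for_update(device_id, day):
            return day
    return None

def simulate(n_devices=2000):
    """Run the rollout for constructed device ids; return server and waits."""
    server = RolloutServer()
    waits = [days_until_offered(server, f"device-{i}") for i in range(n_devices)]
    return server, waits

if __name__ == "__main__":
    _, waits = simulate()
    for day, _ in STAGES:
        print(f"offered from day {day}: {waits.count(day)} devices")
```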

Also a full update would be interesting to me. I have uninstalled Google Services Framework and thus my FP3 lost its update ability (the menu simply vanished).

Android is so fundamentally broken if you cannot even receive a zip without a Google proprietary framework…

6 Likes

Absolutely, we DO need a complete update image.

Edit: One issue with an update image is, they would have to update it every time they release any patch or new version. Phones that comply with Google’s “Android Verified Boot” do not allow downgrades of the system, only upgrades. If you install any update, going back to the old version is impossible once the new version booted once, as the bootloader will remember that. So even with a full image available, you could only install it if it’s the same or a newer version than what you have on the phone, not an older one. https://android.googlesource.com/platform/external/avb/+/master/README.md
Booting an older version is only possible if the phone/bootloader has been unlocked.

That being said, I think your problem can be fixed using adb, as the app is still in /system, just “not installed for user 0”. Try

adb shell pm install --user 0 /system/priv-app/GoogleServicesFramework/GoogleServicesFramework.apk

This should work for any apps that have been removed using

adb shell pm uninstall --user 0

as suggested in

4 Likes

Excuse me? You’ve been tampering with your phone’s operating system at your own risk. So don’t blame Google now.

I think he has valid critique.

Android is an open source system with proprietary extensions.

The latter is OK, because it’s Google’s business model, and people are free to build a phone or phone ROM without it. (LineageOS for example)

Or people are forced to do it without it because of political reasons, for example because a US embargo forbids Google to do business with you.

Some people might simply opt to want a phone without Google - for whatever reason (trust, privacy, political, …), and (since so far no alternate ROM is available) uninstalling or disabling the proprietary apps from Android is the only option.

The issue is, the update mechanism Fairphone uses to update Fairphone 3 only works with this proprietary Google extension, which is installed in a privileged way.

That being said, how privileged are Google Play Services (formerly known as Google Services Framework) actually? Could a user install an open source app and use that to trigger updates (providing the update URL manually) the same way he/she could use adb to sideload the update from the recovery system?
I think that should be possible, after all the Google Play Services don’t run as root, but should be using an Android API call which needs enhanced (device administrator) privileges that the app can be given by the user.
Worth looking into.

Edit: This is what LineageOS uses: https://github.com/LineageOS/android_packages_apps_Updater

Edit again: You don’t need proprietary stuff to install updates. The capability is exposed through
https://developer.android.com/reference/android/os/RecoverySystem
and android.os.UpdateEngine

There is an underlying daemon process running with root privileges, but that is open source:
https://android.googlesource.com/platform/system/update_engine/

So, long story short, you don’t really need Google Play Services, you could write your own app to do it. (Edit: But because Fairphone uses Google Services to announce updates, this would possibly require significant amounts of reverse engineering, see https://habr.com/en/post/446790/)

Another issue is that Fairphone utilizes Google Cloud to provide information about which updates are available to phones and lets them download it. But while that is using Google services server side, they can be queried from third party apps as well.

4 Likes