Trapped in fastboot mode with locked bootloader and corrupted custom ROM

After installing the custom ROM /e/ I locked the bootloader and unfortunately disabled “OEM unlocking” in the development settings. Then I restarted my device and always got in the fastboot mode (see attached image). I can’t even go to the recovery anymore. So I have no access to anything (not even adb) except to the restricted (because OEM is locked) fastboot command.

Is there a possibility to reset back to stock ROM or unlock the OEM bootloader from fastboot mode with some secret code?

Can someone help me maybe?
I already informed the support about this issue.

I have no personal data on the device by the way so it is possible to wipe
everything.

Here are all important values from “fastboot getvar all”:
(bootloader) parallel-download-flash:yes
(bootloader) hw-revision:10000
(bootloader) unlocked:no
(bootloader) off-mode-charge:0
(bootloader) charger-screen-enabled:0
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:4113
(bootloader) version-baseband:
(bootloader) version-bootloader:
(bootloader) erase-block-size: 0x1000
(bootloader) logical-block-size: 0x1000
(bootloader) variant:SM_ UFS

(bootloader) has-slot:modem:yes
(bootloader) has-slot:system:no
(bootloader) current-slot:a
(bootloader) has-slot:boot:yes
(bootloader) slot-retry-count:b:7
(bootloader) slot-unbootable:b:no
(bootloader) slot-successful:b:no
(bootloader) slot-retry-count:a:6
(bootloader) slot-unbootable:a:yes
(bootloader) slot-successful:a:yes
(bootloader) slot-count:2
(bootloader) secure:yes
(bootloader) product:FP4
(bootloader) snapshot-update-status:none
(bootloader) is-userspace:no
(bootloader) max-download-size:805306368
(bootloader) kernel:uefi

Result from “fastboot flashing get_unlock_ability”:
(bootloader) get_unlock_ability: 0

1 Like

Ok, thats bad.
In Install /e/ on a Fairphone FP4 - “FP4” (beta) there was no such issue until now.
There is a similar topic Fairphone 4 “locked in fastboot mode” but this solution only works with oem unlocked.
The question is how can “oem unlocking” be enabled without a working OS.
Maybe @z3ntu or @Roboe have some ideas.

1 Like

Doesn’t sound great indeed… I know @hirnsushi loves a good challenge when he sees one :smiley:

2 Likes

That’s a hard one…

… I mean successfully booted and unbootable at the same time :thinking:

Some more information would be great, I don’t have a locked phone to reproduce this:

  • I assume you already tried changing the slot to b (is that even possible while locked)
  • I assume you already tried running fastboot flashing unlock, Android docs only mention it shouldn’t work
  • What actually happens if you choose Recovery mode in the bootloader or use fastboot reboot recovery

If all else fails, Emergency Download Mode (EDL) would be a way forward, but I haven’t found leaked firehose files for the SoC yet. So support are probably the only ones who can help you there.

@Aaanze :grinning_face_with_smiling_eyes:

8 Likes

Yeah “fastboot --set-active=b” (Slot Change is not allowed in Lock State) and “fastboot flashing unlock” (Flashing Unlock is not allowed) doesn’t work either because OEM is locked.
If I try to “fastboot reboot recovery” it says “unknown reboot target”.

Even if I try to “fastboot reboot emergency” I get back to fastboot mode. I hope firehose files can even help me if this happens…

That seems to be possible. Found in this Android Doc:
“A successful slot should be able to boot, run, and update itself. A bootable slot that was not marked as successful (after several attempts were made to boot from it) should be marked as unbootable by the bootloader.”

Perhaps @AnotherElk could also know something about recovering a bricked device.

1 Like

Not great, not great at all :roll_eyes:

One of the other methods to get into EDL probably still works, but since that’s only another prompt to stare at, no reason to try at the moment.

@Antimailer Possible yes, but a slot that successfully booted and then got unbootable is definitely not a good sign.

What happens to the slot-retry-count if you select Start in fastboot? According to this graphic from the docs

…there should be at least some mechanism built in to fallback to recovery automatically. Is the retry count for a actually decreasing? :thinking:

4 Likes

It seems that the command “fastboot reboot recovery” is not supported in any situations. In example on my FP2 (LOS, rooted, TWRP) this command yields also to: “fastboot: usage: unknown reboot target recovery”.
But booting into twrp recovery from adb or by buttons is no problem.

1 Like

Maybe /e/ removed support for that, not sure :thinking:
On the two FP4 I have access to (both still vanilla FPOS) it works.

After rebooting (pressing start in fastboot mode) two times the slot-retry-count is still 6 on a and 7 on b.

1 Like

Well it was worth shot, definitely one more for the list of bad signs, maybe you are already at the fallback stage :thinking:
I’m running out of ideas here… This is my first A/B device, maybe someone more seasoned in that subject can help here :see_no_evil:

3 Likes

Hello
Ok maybe you do not see the forest because of the trees. :wink:

“I” have done that, just start all over again.

Yess we … ääh you can :grin:
But just the “normal” way . . .

  • Remove any USB-C cable and turn off your Fairphone 4. If you cannot turn your device off, remove the battery for about 5 seconds, then put it back in.
  • Press and hold the Volume Down button.
  • Insert a USB-C cable connected to the power (can either be a power outlet or a computer).
  • Release the Volume Down button as soon as you see the FAIRPHONE logo.
  • Use the Volume buttons to select the option . . .

And only exactly like this.
If now the /e/ recovery comes, be careful !
Either adb “or” fastboot, you can’t mix in the console anymore!
Try adb devices and fastboot devices, then you know in which “mode” you are (seems fastboot).
And always allow debugging, the stupid phone does not remember that, . . . despite check mark :face_with_raised_eyebrow:
Anyway, that’s how I did it . . . like this or similar :innocent:

If you look in the first post you can see the relevant difference to your situation:

So I think getting into recovery is not possible because fastboot mode is starting everytime. Most likely due to bootloader/device is in locked state (and can’t be unlocked in the normal way) or other security issues or recovery partition is not bootable.

4 Likes

Hello
You think or you are sure that it will not enter recovery mode (FP-way)?
I’ve been there and thought I can send the phone back or throw it in the trash.
I am glad that I have the theater behind me and do not play with the phone to reproduce the error.
This will probably also be difficult because for some the move works without any problems.
We will see what happens. :slightly_smiling_face:

Ok, we need a method to enable “oem unlocking” without a working OS/recovery.
After some investigation I found this topic Fairphone 3 unlocking without oem unlocking from @k4y0z .

Is there a possibility to do this or something similar for a FP4 device?

3 Likes

Yes this is true, following your instructions @Josh_FP3 I get back to fastboot mode again:

USB connection informations are by the way:
On Windows = Kedacom USB Device (Android Bootloader Interface)
On Linux = Bus 007 Device 127: ID 18d1:d00d Google Inc. Android

After some testing I think I got the EDL mode working. I pressed Volume Up + Down and plugged in the USB cable. The logo flashed shortly and the display is black and I see the device on Windows as “Qualcomm HS-USB QDLoader 9008”.

From this site I installed this tool:

Inside the “QPST Software Download” program I see my FP4 listed as “COM4 Phone in Download Mode” and “Q/QCP-XXX (Sahara Download)”. Is this the right way to continue? I never worked with this software before…

Maybe someone can give me a helping hand here if possible.

4 Likes

If you are comfortable on the command line you can use edl as well. That’s at least open source software and not leaked Qualcomm tools only available on some dodgy websites :slightly_smiling_face:

But without a firehose file you arrived at the prompt to stare at I mentioned before…

Edit: The more appropriate general instructions on what to do are here

3 Likes

That sounds good. And @FireCubex has remarked that the device is already in EDL/QDL Mode (9008).
So you mean that the same way of unbricking works with the FP4? Or is there another MBN-File for Soc SM7225 needed (in Fairphone 3 unbricking the file update.zip contains only prog_emmc_firehose_8953_ddr.mbn) ?

1 Like

Yeah, without a firehose file for the Snapdragon 750G (SM7225) there’s not much we can do in EDL mode.
Someone with access to factory equipment has to leak a firehose file (doesn’t necessarily need to be for the Fairphone 4, others might work as well). So far I haven’t been able to find one.

The exact process to unbrick the phone has to come afterwards, generally it should work a similar way. But without actual access this is purely theoretical at this point.

3 Likes