Trapped in fastboot mode with locked bootloader and corrupted custom ROM

What happens to the slot-retry-count if you select Start in fastboot? According to this graphic from the docs

…there should be at least some mechanism built in to fallback to recovery automatically. Is the retry count for a actually decreasing? :thinking:


It seems that the command “fastboot reboot recovery” is not supported in any situations. In example on my FP2 (LOS, rooted, TWRP) this command yields also to: “fastboot: usage: unknown reboot target recovery”.
But booting into twrp recovery from adb or by buttons is no problem.

1 Like

Maybe /e/ removed support for that, not sure :thinking:
On the two FP4 I have access to (both still vanilla FPOS) it works.

After rebooting (pressing start in fastboot mode) two times the slot-retry-count is still 6 on a and 7 on b.

1 Like

Well it was worth shot, definitely one more for the list of bad signs, maybe you are already at the fallback stage :thinking:
I’m running out of ideas here… This is my first A/B device, maybe someone more seasoned in that subject can help here :see_no_evil:


Ok maybe you do not see the forest because of the trees. :wink:

"I" have done that, just start all over again.

Yess we … ääh you can :grin:
But just the “normal” way . . .

  • Remove any USB-C cable and turn off your Fairphone 4. If you cannot turn your device off, remove the battery for about 5 seconds, then put it back in.
  • Press and hold the Volume Down button.
  • Insert a USB-C cable connected to the power (can either be a power outlet or a computer).
  • Release the Volume Down button as soon as you see the FAIRPHONE logo.
  • Use the Volume buttons to select the option . . .

And only exactly like this.
If now the /e/ recovery comes, be careful !
Either adb “or” fastboot, you can’t mix in the console anymore!
Try adb devices and fastboot devices, then you know in which “mode” you are (seems fastboot).
And always allow debugging, the stupid phone does not remember that, . . . despite check mark :face_with_raised_eyebrow:
Anyway, that’s how I did it . . . like this or similar :innocent:

If you look in the first post you can see the relevant difference to your situation:

So I think getting into recovery is not possible because fastboot mode is starting everytime. Most likely due to bootloader/device is in locked state (and can’t be unlocked in the normal way) or other security issues or recovery partition is not bootable.


You think or you are sure that it will not enter recovery mode (FP-way)?
I’ve been there and thought I can send the phone back or throw it in the trash.
I am glad that I have the theater behind me and do not play with the phone to reproduce the error.
This will probably also be difficult because for some the move works without any problems.
We will see what happens. :slightly_smiling_face:

Ok, we need a method to enable “oem unlocking” without a working OS/recovery.
After some investigation I found this topic Fairphone 3 unlocking without oem unlocking from @k4y0z .

Is there a possibility to do this or something similar for a FP4 device?


Yes this is true, following your instructions @Josh_FP3 I get back to fastboot mode again:

USB connection informations are by the way:
On Windows = Kedacom USB Device (Android Bootloader Interface)
On Linux = Bus 007 Device 127: ID 18d1:d00d Google Inc. Android

After some testing I think I got the EDL mode working. I pressed Volume Up + Down and plugged in the USB cable. The logo flashed shortly and the display is black and I see the device on Windows as “Qualcomm HS-USB QDLoader 9008”.

From this site I installed this tool:

Inside the “QPST Software Download” program I see my FP4 listed as “COM4 Phone in Download Mode” and “Q/QCP-XXX (Sahara Download)”. Is this the right way to continue? I never worked with this software before…

Maybe someone can give me a helping hand here if possible.


If you are comfortable on the command line you can use edl as well. That’s at least open source software and not leaked Qualcomm tools only available on some dodgy websites :slightly_smiling_face:

But without a firehose file you arrived at the prompt to stare at I mentioned before…

Edit: The more appropriate general instructions on what to do are here


That sounds good. And @FireCubex has remarked that the device is already in EDL/QDL Mode (9008).
So you mean that the same way of unbricking works with the FP4? Or is there another MBN-File for Soc SM7225 needed (in Fairphone 3 unbricking the file contains only prog_emmc_firehose_8953_ddr.mbn) ?

1 Like

Yeah, without a firehose file for the Snapdragon 750G (SM7225) there’s not much we can do in EDL mode.
Someone with access to factory equipment has to leak a firehose file (doesn’t necessarily need to be for the Fairphone 4, others might work as well). So far I haven’t been able to find one.

The exact process to unbrick the phone has to come afterwards, generally it should work a similar way. But without actual access this is purely theoretical at this point.


Ok I used the open source EDL this time. My first attempts ended here:

$ ./edl printgpt --memory=ufs
Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
main - [LIB]: Please first install libusb_win32 driver from Zadig
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
HWID:              0x001630e100210001 (MSM_ID:0x001630e1,OEM_ID:0x0021,MODEL_ID:0x0001)
CPU detected:      "sd7250"
PK_HASH:           0x1c3d8d7ea24e435d7b540e0ffb34aa4bd57421c5f3570eef54f354610953a24c
Serial:            0x6b5c62d3

So I searched for a loader which is kinda the same as the requested one.
I used OnePlus Nord CE 5G because it has the same SoC (SM7225).
But it looks like the signature won’t be accepted or the problem is something else.

$ ./edl printgpt --memory=ufs --loader=Loaders/oneplus/0000000000515198_2354228eebcbc203_fhprg_op_nordce.bin --debugmode
(many upload_loader stuff)
sahara - [LIB]: Unexpected error on uploading, maybe signature of loader wasn't accepted ?
'NoneType' object is not subscriptable
No suitable loader found :(

Here the debug log:

Does anybody know how to continue at this point?


How did I miss that loader? :see_no_evil:
I’ll have a look, let’s see if I get the same output… :thinking:

Edit: Yeah, whatever I do, I get the exact same output (on Linux) as you did. So I guess the wait continues…

Maybe they are validating those signatures this time around, or the hardware is just too dissimilar :roll_eyes:

1 Like

Wasnt’t this irony?

I don’t think it was, as far as I understand that topic, the Fairphone 3 was able to use a generic loader :thinking: But then again I haven’t been around when those posts were written, I’m just grasping for straws here in search for answers about low level Qualcomm stuff…

:point_up_2: This :point_up_2:
I get why they can’t do it, but boy would it be easier if Fairphone just released the necessary files.
Why does the right to repair have to stop at some random proprietary wall? :roll_eyes:


Does anybody know if there is a possibility to extract the edl-loader-bin from stock-rom or ota-update-zip or one of the device partitions?
Or is the edl-loader completely independent from the software on the device?

1 Like

If you mean firehose files (or loaders in edl speak), those aren’t on device. I like to think of them more of like a map to the internals and if you don’t have one you get lost. I mean the mode is called Sahara for a reason :smirk:
The edl readme has this useful piece of piece of information

or sniff existing edl tools using Totalphase Beagle 480

So you can extract them yourself, you just need access to an official programmer and a protocol analyzer for the cheap price of $1,295.00…


Unfortunately, I think @hirnsushi is right.
I couldn’t find a working edl loader on the internet and it seems you need to have the right one to unbrick your phone.
You could try reaching out to the developer of edl, maybe he can help.
Or you could ask @k4y0z where he got the edl loader for FP3.