Trapped in fastboot mode with locked bootloader and corrupted custom ROM

If you are comfortable on the command line you can use edl as well. That’s at least open source software and not leaked Qualcomm tools only available on some dodgy websites :slightly_smiling_face:

But without a firehose file you arrived at the prompt to stare at I mentioned before…

Edit: The more appropriate general instructions on what to do are here

3 Likes

That sounds good. And @FireCubex has remarked that the device is already in EDL/QDL Mode (9008).
So you mean that the same way of unbricking works with the FP4? Or is there another MBN file for SoC SM7225 needed (in Fairphone 3 unbricking the file update.zip contains only prog_emmc_firehose_8953_ddr.mbn)?

1 Like

Yeah, without a firehose file for the Snapdragon 750G (SM7225) there’s not much we can do in EDL mode.
Someone with access to factory equipment has to leak a firehose file (doesn’t necessarily need to be for the Fairphone 4, others might work as well). So far I haven’t been able to find one.

The exact process to unbrick the phone has to come afterwards, generally it should work a similar way. But without actual access this is purely theoretical at this point.

3 Likes

Ok I used the open source EDL this time. My first attempts ended here:

$ ./edl printgpt --memory=ufs
Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
main
main - [LIB]: Please first install libusb_win32 driver from Zadig
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID:              0x001630e100210001 (MSM_ID:0x001630e1,OEM_ID:0x0021,MODEL_ID:0x0001)
CPU detected:      "sd7250"
PK_HASH:           0x1c3d8d7ea24e435d7b540e0ffb34aa4bd57421c5f3570eef54f354610953a24c
Serial:            0x6b5c62d3

So I searched for a loader which is kinda the same as the requested one.
I used OnePlus Nord CE 5G because it has the same SoC (SM7225).
But it looks like the signature won’t be accepted or the problem is something else.

$ ./edl printgpt --memory=ufs --loader=Loaders/oneplus/0000000000515198_2354228eebcbc203_fhprg_op_nordce.bin --debugmode
...
(many upload_loader stuff)
...
sahara - [LIB]: Unexpected error on uploading, maybe signature of loader wasn't accepted ?
'NoneType' object is not subscriptable
No suitable loader found :(

Here the debug log:
https://paste.ofcode.org/CjaGeVXVBJuqKmvRYW4yN8

Does anybody know how to continue at this point?

2 Likes

How did I miss that loader? :see_no_evil:
I’ll have a look, let’s see if I get the same output… :thinking:


Edit: Yeah, whatever I do, I get the exact same output (on Linux) as you did. So I guess the wait continues…

Maybe they are validating those signatures this time around, or the hardware is just too dissimilar :roll_eyes:

1 Like

Wasn’t this irony?

I don’t think it was, as far as I understand that topic, the Fairphone 3 was able to use a generic loader :thinking: But then again I haven’t been around when those posts were written, I’m just grasping for straws here in search for answers about low level Qualcomm stuff…

:point_up_2: This :point_up_2:
I get why they can’t do it, but boy would it be easier if Fairphone just released the necessary files.
Why does the right to repair have to stop at some random proprietary wall? :roll_eyes:

10 Likes

Does anybody know if there is a possibility to extract the edl-loader-bin from stock-rom or ota-update-zip or one of the device partitions?
Or is the edl-loader completely independent from the software on the device?

1 Like

If you mean firehose files (or loaders in edl speak), those aren’t on device. I like to think of them more of like a map to the internals and if you don’t have one you get lost. I mean the mode is called Sahara for a reason :smirk:
The edl readme has this useful piece of information

or sniff existing edl tools using Totalphase Beagle 480

So you can extract them yourself, you just need access to an official programmer and a protocol analyzer for the cheap price of $1,295.00…

5 Likes

Unfortunately, I think @hirnsushi is right.
I couldn’t find a working edl loader on the internet and it seems you need to have the right one to unbrick your phone.
You could try reaching out to the developer of edl, maybe he can help.
Or you could ask @k4y0z where he got the edl loader for FP3.

2 Likes

Hmm, speaking about edl, doesn’t this paragraph allow you somehow to enable OEM unlock?

Throwing this here for more knowledgeable people to look at, I was just reading through the edl README :slight_smile:

2 Likes

Thanks, but edl modules oemunlock enable also requires the right edl loader

Output
Qualcomm Sahara / Firehose Client V3.53 (c) B.Kerler 2018-2021.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara - 
------------------------
HWID:              0x001630e100210001 (MSM_ID:0x001630e1,OEM_ID:0x0021,MODEL_ID:0x0001)
CPU detected:      "sd7250"
PK_HASH:           0x1c3d8d7ea24e435d7b540e0ffb34aa4bd57421c5f3570eef54f354610953a24c
Serial:            0x3de6ed5b

sahara
sahara - [LIB]: Couldn't find a loader for given hwid and pkhash (001630e100210001_1c3d8d7ea24e435d_[FHPRG/ENPRG].bin) :(
Device is in an unknown sahara state, resetting
resp={'cmd': 1, 'len': 48, 'version': 2, 'version_min': 1, 'max_cmd_len': 1024, 'mode': 0, 'res1': 0, 'res2': 0, 'res3': 0, 'res4': 0, 'res5': 0, 'res6': 0, 'object_size': 48, 'raw_data': bytearray(b'\x01\x00\x00\x000\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')}
5 Likes
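The two edl runs above show the pieces edl actually uses to pick a loader: the Sahara hello packet the primary bootloader sends (the `raw_data` in the last log), the HWID split into MSM_ID / OEM_ID / MODEL_ID, and the loader file name `<hwid>_<first 16 hex chars of PK_HASH>_[FHPRG/ENPRG].bin` that edl reports as missing. The following is an added example, not code from the edl project or from anyone in this thread; it re-implements that lookup in plain Python so the failure is reproducible without a device. The 48-byte packet is reconstructed from the `raw_data` printed in the log, the field order follows the dict edl printed, and the mode names are the ones commonly given for the Sahara protocol (treat them as an assumption).

```python
import struct

# Reconstructed from the raw_data bytes edl printed in the thread (48 bytes, little-endian).
SAHARA_HELLO_RAW = bytes.fromhex(
    "01000000"   # cmd = 1 (hello)
    "30000000"   # len = 48
    "02000000"   # version = 2
    "01000000"   # version_min = 1
    "00040000"   # max_cmd_len = 1024
    "00000000"   # mode = 0
    + "00" * 24  # res1..res6 (reserved)
)

# Field names in the order edl printed them.
SAHARA_HELLO_FIELDS = ("cmd", "len", "version", "version_min", "max_cmd_len", "mode",
                       "res1", "res2", "res3", "res4", "res5", "res6")
SAHARA_CMD_HELLO = 0x01
# Mode values as commonly documented for Sahara (assumption, not from the thread).
SAHARA_MODES = {0: "image transfer pending", 1: "image transfer complete",
                2: "memory debug", 3: "command"}


def parse_sahara_hello(raw):
    """Decode the 48-byte hello packet the PBL sends when the SoC is in EDL/9008 mode."""
    if len(raw) < 48:
        raise ValueError("hello packet too short: %d bytes" % len(raw))
    pkt = dict(zip(SAHARA_HELLO_FIELDS, struct.unpack("<12I", raw[:48])))
    if pkt["cmd"] != SAHARA_CMD_HELLO:
        raise ValueError("not a hello packet, cmd=0x%02x" % pkt["cmd"])
    if pkt["len"] != 48:
        raise ValueError("unexpected hello length %d" % pkt["len"])
    pkt["mode_name"] = SAHARA_MODES.get(pkt["mode"], "unknown")
    return pkt


def decode_hwid(hwid):
    """Split the 64-bit HWID the way edl prints it: MSM_ID (32), OEM_ID (16), MODEL_ID (16)."""
    return {"MSM_ID": hwid >> 32,
            "OEM_ID": (hwid >> 16) & 0xFFFF,
            "MODEL_ID": hwid & 0xFFFF}


def expected_loader_names(hwid, pk_hash):
    """File names edl looks for: <hwid as 16 hex>_<first 16 hex of PK_HASH>_{FHPRG,ENPRG}.bin."""
    pk = pk_hash.lower().removeprefix("0x")
    prefix = "%016x_%s" % (hwid, pk[:16])
    return [prefix + "_FHPRG.bin", prefix + "_ENPRG.bin"]


def find_loader(hwid, pk_hash, available):
    """Return the first matching loader name from `available`, or None (edl's 'Couldn't find a loader')."""
    for name in expected_loader_names(hwid, pk_hash):
        if name in available:
            return name
    return None


if __name__ == "__main__":
    hello = parse_sahara_hello(SAHARA_HELLO_RAW)
    print("hello:", hello)
    hwid = 0x001630e100210001
    pk_hash = "0x1c3d8d7ea24e435d7b540e0ffb34aa4bd57421c5f3570eef54f354610953a24c"
    print("hwid fields:", decode_hwid(hwid))
    print("looking for:", expected_loader_names(hwid, pk_hash))
    # Constructed loader directory containing only the OnePlus Nord CE loader named in the thread.
    have = {"0000000000515198_2354228eebcbc203_fhprg_op_nordce.bin"}
    print("match:", find_loader(hwid, pk_hash, have))
```

The lookup is purely a name match on HWID plus the OEM key hash, which is why a loader for another phone with the same SoC is not even tried by the automatic search and why, when passed explicitly, it is rejected by the PBL: the signature chain on the loader has to hash to the PK_HASH the device reports, and that hash is burned into the SoC's fuses by the OEM.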

Sadly there won’t be anything interesting in edl (apart from looking at some hardware info) without a loader.
edl itself knows nothing about the hardware layout, so we won’t be able to modify the system at the current state :see_no_evil:

5 Likes

It seems @k4y0z got the EDL loader from the Xiaomi Redmi 7 firmware package:

I tried the EDL loader from the Xiaomi Mi 10T Lite which also has a Qualcomm Snapdragon 750G but also got the signature error. The EDL loader for the FP4 is signed, so loaders for other smartphones won’t work as on the FP3.

4 Likes

A Fairphone employee just confirmed to me that they can’t publish the EDL loader because of the legal situation and because publishing it would work around parts of the security model of Qualcomm devices.

Makes sense to me, reading this blog post discussing the security implications of leaked / published EDL loaders: Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals

Unfortunately, this only leaves the option with the official programmer and the protocol analyzer for $1,295.00 for EDL unbricking as @hirnsushi pointed out. Reading about the security implications of this, I don’t think even that would be a good idea.

Maybe there’s another way not involving EDL mode, but based on countless other online forum posts of other people in your situation, I think the only way is to send it to Fairphone.

9 Likes

That’s what I feared :see_no_evil:

That has always been the case, but good to know there’s an official response on that matter :+1:

Since there are already official programmers out there, this isn’t really a concern to me. At some point that loader will get leaked and the question is, will there be people selling access to it or does the community benefit from it.

I’m pretty sure EDL is the last resort already, but maybe we missed something along the way :thinking: (not getting my hopes up)

7 Likes

Using this guide from XDA combined with this XDA forum post I was able to extract hidden FP4 fastboot commands from the bootloader. They are the same on FP OS and /e/ OS.

/e/ OS extraction on Linux
unzip IMG-e-0.21-r-20220112156786-stable-FP4.zip
binwalk -e abl.img
cd _abl.img.extracted
strings -f 3078 | grep oem

3078: oem clear-rollback-index
3078: oem enable-charger-screen
3078: oem disable-charger-screen
3078: oem off-mode-charge
3078: oem select-display-panel
3078: oem device-info
3078: oem enable-root
3078: oem disable-root
3078: Enter fastboot oem off-mode-charge 0/1

Unfortunately, these commands won’t help us.

What happens if you try to boot the newest boot.img from code.fairphone.com or the one included in the /e/ OS image?

fastboot boot boot.img

6 Likes
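The `strings -f 3078 | grep oem` step above is just a scan for runs of printable ASCII in the unpacked bootloader, filtered for the `oem` prefix. As an added example (not code from the thread or from XDA), here is the same scan in Python, which is handy for auditing what a bootloader image accepts and for diffing the command set between two builds, as the post did between FP OS and /e/ OS. The `abl` blobs below are constructed stand-ins with a few strings embedded among binary bytes, not real Fairphone images.

```python
import re

# Constructed stand-ins for two unpacked abl images (not real firmware): an ELF-like header,
# some binary noise, a UTF-16 fragment that strings(1) would not report, and a few commands.
ABL_BUILD_A = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"oem device-info\x00" + b"\xde\xad\xbe\xef"
               + b"oem enable-root\x00" + b"o\x00e\x00m\x00"
               + b"Enter fastboot oem off-mode-charge 0/1\x00" + b"flash\x00")
ABL_BUILD_B = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"oem device-info\x00" + b"\xde\xad\xbe\xef"
               + b"oem off-mode-charge\x00" + b"flash\x00")


def extract_strings(blob, min_len=4):
    """Same rule as strings(1) by default: runs of printable ASCII (or tab) of at least min_len bytes."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_oem_strings(blob, min_len=4):
    """Equivalent of `strings | grep oem`: every printable run that mentions 'oem'."""
    return [s for s in extract_strings(blob, min_len) if "oem" in s]


def oem_commands(blob):
    """Only the strings that look like fastboot command names, i.e. start with 'oem '."""
    return sorted({s for s in find_oem_strings(blob) if s.startswith("oem ")})


def diff_oem_commands(blob_a, blob_b):
    """Commands present in one build but not the other, for comparing two bootloader images."""
    a, b = set(oem_commands(blob_a)), set(oem_commands(blob_b))
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a), "common": sorted(a & b)}


if __name__ == "__main__":
    for s in find_oem_strings(ABL_BUILD_A):
        print("3078:", s)
    print(diff_oem_commands(ABL_BUILD_A, ABL_BUILD_B))
```

Note that the UTF-16 fragment (`o\x00e\x00m\x00`) is deliberately missed, exactly as plain `strings` would miss it; real bootloaders sometimes keep command tables in wide strings, so a complete audit should run the scan a second time with a UTF-16 pattern.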

Great find :metal:

I’m pretty sure fastboot boot requires an unlocked bootloader though… :thinking:

1 Like

Yeah the boot command isn’t available if OEM/bootloader is locked:

$ fastboot boot boot.img
downloading 'boot.img'...
OKAY [  2.345s]
booting...
FAILED (remote: Fastboot boot command is not available in locked device)
finished. total time: 2.350s

Is it maybe possible to spoof the loader signature somehow?

1 Like

Nope, that won’t work.
Not only would we need a loader we know actually works, but we would also need to pad that binary until we somehow end up with the exact hash that’s required. Even with an HPC cluster from a university I’m pretty sure that’s not easily achievable.
At that point that protocol analyzer and bribing someone with access to a programmer might be cheaper :smirk:

4 Likes