I am creating new thread to summarize what I know about unlocking bootloader offline and to reach your help to simplify this process.
My previous successful attempt was a bit overkill:
For build F04.SP25.B.058.20230318
- setup and start simple openvpn server(like How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN) - its needed to intercept traffic,
- connect to it from FP4
- route traffic from openvpn to burp suite proxy
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
- install burp suite, bind proxy to port 8080 on all interfaces, also tick “support invisible proxying”, in “proxy” tab, turn on intercept - its needed for iptables to work
- install CA certificate from burp suite on FP4 - its needed to decrypt traffic
- attempt to OEM unlock on FP4; enter any code
- drop this request
- on FP4 click “allow”
What doesnt work:
- Domain blocking(“No internet connection found” thing)
I am sure that easier way exists.
- on PC: install burp suite, go to settings, bind proxy listener to port 8080 on all interfaces, set “use self signed certificate”
- on FP: set proxy on your wifi to: [ip of your computer] and port 8080
- on FP: navigate to OEM unlock, input any code, dont click “turn on” yet
- on PC: in burp suite go to “Proxy” and turn intercept on
- on FP: click “turn on”
- on PC: if you can see GET request to factory.fairphone.com, you need to drop it and its done
I will edit this post with updated information
Worked perfectly for me. I had the exact same issue with a replacement board that then couldn’t unlock. I’m working to follow up with FairPhone to see why their unlock policy is in place to begin with.
I have open ticket to fairphone support regarding this issue since 19.04.2023. Its been 2 weeks and I dont think this matter will be resolved in reasonable time(or at all).
They told me, that “non-working bootloader-unlocking after a motherboard replacement is a relatively unusual issue” - it doesnt look like this,
I asked them a few questions regarding logging of unlocked bootloaders, if they respond I will update this thread.
Given these cases happened in pretty rapid succession, my guess is a batch of IMEI and SNs didn’t get properly uploaded. Can you check to see if your old IMEI/SN combo still generates an unlock code? Mine did.
Ah okay. It looks like how the process works is that when you request an unlock code from Bootloader Unlocking Code for Fairphone 3 - Fairphone that gets stored in their server. After you hit the “Verify code” button, a GET request is sent to factory.fairphone.com/$IMEI/$SERIAL_NUM/$ENTERED_UNLOCK_CODE . The endpoint then checks whether $ENTERED_UNLOCK_CODE is equal to the code the server generated above. If there is no response the phone unlocks.
Interestingly enough factory.fairphone.com is not hosted along with the rest of the fairphone.com website. The IP address resolves as belonging to Quark VPN. Similarly the SSL cert is a “Let’s Encrypt” one rather than rather than the Sectigo cert used for fairphone.com. This is especially interesting as the Sectigo cert is valid for *.fairphone.com.
Dumb question, since networking is not my thing. When you drop something in BurpSuite, what gets sent back to the original requester?
from Proxy intercept - PortSwigger
Drop a request to prevent it from reaching the server.
I am not sure what it is exactly, based on this description I think nothing gets back to original requester(behaves as if server would be offline for this request only)
My best guess is that the request will run into a timeout and then the client handles that however it was programmed to do. In case of the unlock procedure it seems to fall back to the (user-friendly) option of allowing the action.
I dont think its user friendly feature, its just a bug imo.
At this point I could modify this request to input known good data(like my old IMEI and SN) and server would allow me to unlock my property (its ridiculous btw)
system_ext/privapp/Settings.apk is the bit of code that does the check. The only thing that gets checked for is the response code from the server, so setting up a local HTTPS server (with cert that matches the domain) that just replies 200 OK to everything and adding a static entry on your router’s DNS pointing to factory.fairphone.com should also work.
I agree with @rogal that this is not intended behavior, and the support person that I talked to seemed really surprised.
Any chance to get this done with Ubuntu in a terminal?
I am sure it could be done on ubuntu as well cuz I did it on arch.
Try it and report back
A lot has happened in the meantime. The service team has taken care of my case and worked internally with IT on my matter. Since this is probably a problem that does not occur frequently after the main board has been replaced, it took some time to find the cause. In the meantime, Fairphone has offered a complete replacement of the Fairphone4. As I urgently need the phone for work, the old Chinese one doesn’t really work anymore, I gratefully accepted the offer. Now the new Fairphone4 is on its way, including the screen protector. Thanks to the service team for this!
Since I am also very interested in the technical and organisational part of this matter, I entered the necessary data on the website (Unlook Bootloader) again today. And I received the Unlook code. So the problem of transferring the data from the repair (replacement mainboard) to the IT DB seems to have been solved. Unfortunately, I have to conclude that I was not patient enough, because 3 days ago the service department told me that the problem would be solved in 2-3 days and that I could receive my unloock coed from the website. Well, I hope other affected people can learn from my case, so I am writing this update here. As soon as the new phone is with me and I have received the Unlook code for it, I will report back here.