(answered) Install /e/ on FP5 with newer Security Patches

Hi there, sorry if this was answered before, I could not find it.
I have read this thread but also could not find the answer Fairphone 5 upgraded to Android 14

Does " * Rollback protection errors are IGNORED when the bootloader is UNLOCKED ." mean, if I unlock the bootloader, i can install /e/os with an older Security Patch Date?

I have a FP5 with Android 14, Security Patch Date January 5th 2025

So if I unlock the bootloader, is it possible to install current community build or official build?

/e/OS build : U community (Security patch: 2024-11-01)
/e/OS build : T official (Security patch: 2024-11-05)

Greetings from Germany
Jörg

Perhaps it helps to quote the full advice from the install page, Install /e/OS on a Fairphone FP5 - “FP5”

Caution: The FP5 comes with an anti-rollback feature. Google Android anti-roll back feature is supposedly a way to ensure you are running the latest software version, including the latest security patches.

If you try installing a version of /e/OS based on a security patch that is older than the one on your device, you will brick your device. Click on Details below for detailed information
To check the security patch level on your phone with a locked bootloader, prior to installing /e/OS, open your phone Settings » About Phone » Android Version » Android Security Patch Level.Then compare it against the level of the security patch on the /e/OS build as visible in the Downloads for FP5 section below.

The following values control whether anti-rollback features are triggered on FP5:

  • Rollback protection errors trigger if you install an update whose version number is LESS than the rollback index’s value stored on device.
  • The value of rollback index is UPDATED to match ro.build.version.security_patch’s value of the currently installed version, but only if the bootloader is LOCKED.
  • The value of rollback index is NOT dependent on the currently installed ANDROID VERSION.
  • The value of rollback index can NEVER be DOWNGRADED.
  • Rollback protection errors are FATAL when the bootloader is LOCKED.
  • Rollback protection errors are IGNORED when the bootloader is UNLOCKED.

Here are some examples to help you understand how anti-rollback features work:

Example 1

  • Your FP5 with Google Android has a Security Patch Level saying June 5, 2022
  • The /e/OS build available says: /e/OS build : R official (Security patch: 2022-05-05)
  • In this example, the /e/OS build has an older Security Patch level than the origin, so the anti-roll back protection will trigger, and you will brick your phone

Example 2

  • Your FP5 with Google Android has a Security Patch Level saying June 5, 2022.
  • The /e/OS build available says: /e/OS build : R official (Security patch: 2022-06-05)
  • In this example, the /e/OS build has the same Security Patch level than the origin, so the anti-roll back protection will pass, and you will be able to install /e/OS with no issues.

Example 3

  • Your FP5 runs Google Android -R while /e/OS is now available based on AOSP -S.
  • Your FP5 with Google Android has a Security Patch Level saying 2022-10-03 or October 3rd, 2022.
  • The /e/OS build available says: /e/OS build : S official (Security patch: 2022-06-05)
  • In this example, the /e/OS build has an older Security Patch level than the origin, so the anti-roll back protection will trigger, even if the /e/OS version runs on a more recent version of AOSP. In this example, you will brick your phone.

/quote.

The instructions tell us to unlock the bootloader in order to allow to install /e/OS.

The real danger is expressed

Rollback protection errors are FATAL when the bootloader is LOCKED.
Rollback protection errors are IGNORED when the bootloader is UNLOCKED.

Rollback protection errors + user locks the Bootloader; the phone is bricked.

Rollback protection errors + user does not relock the Bootloader; the error is ignored.

2 Likes

So, just to make sure:

  1. I unlock the bootloader
  2. Install /e/os
  3. leave the bootloader unlocked at least until I installed /e/os with newer Security Patch date as previous installed Android (in my case January 5th 2025)

Thank you very much, this worked as expected.

2 Likes

I am a bit in hesitation what to do:

The FP5 (Android 14) has a securitypatch of 5 February 2025.
The E.OS Community build U has update Security patch: 2025-01-01

Should I better wait until the commnity update is moved to newer securitylevel?

If the Fairphone is locked now at 05/02/2025, then a change to 01/01/2025 would be a roll back.

Bit we are now advised that Community builds cannot be locked.

As long as you are to avoid locking, the roll back we are told will be ignored.

1 Like

hello, how can I find out what Security Patch the actual e/OS has when using the easy-installer /e/OS Installer ? thanks

The manual install page Install /e/OS on a Fairphone FP5 - “FP5” is linked in Post#2 .

This screenshot is from that page today

Web Installer is expected to install the latest official build.

Releases · e / os / 🚀 Releases · GitLab

:warning: Security fixes

This /e/OS 2.9 version includes the Android security patches available as of March 2025.

It seems you have a clue. Which e/os to install on fp 5 with android 14, patch level march 05 2025. The official 2.9 on the e-website is headlined with android 13 and the community-one lacks a real patch-date or I didn’t get it. Can you help me out? Thanks

Looking at the install page Install /e/OS on a Fairphone FP5 - “FP5” today I see
FP5-SPL

I see a real patch date of 2025-03-01 … if you are thinking why not the 5th of the month, I cannot fully explain … but everyone is being upfront in saying that this is behind the notional expectation of 5th of the month.

Did you read Different Build Types to help you decide if you prefer official or community ??

After that you might read A discussion about bootloader locking/unlocking… AKA I want to relock my bootloader, should I?

Build community is behind but community builds are not suitable for relocking.

As said by @piero double check the dates from Releases · e / os / 🚀 Releases · GitLab

1 Like

Hello @Lars1, Welcome to the /e/ forum.

You can expect a new version In the next days !
(i think in 16hours in fact)

Hi, I know this topic has been discussed a lot and maybe you think I should create a separate thread for this. Let me know and I will. But this thread seems quite related.

I have a Fairphone 5 since a few months, to my great dismay it came with Google Android, I assumed all Fairphones came with eOS. Anyway I managed to install eOS a few months back using /e/OS Installer. It left the bootloader unlocked (I get that “hacker screen” and the security warning on every start/restart).

This “hacker screen” was also to my great dismay, being a life long Apple fan boy until now. And as you know with Apple everything just works. I couldn’t imagine I’d get a “hacked phone” as a result, even if it seems from this conversation you as a user are informed of this before launching the installer. So my bad I guess.

I chose to ignore this until now considering the risks of bricking the phone discussed here.

I would now like to try and sort this issue out. But I would really need step by step instructions and am hoping someone could help me with that.

First off these are my android eOS versions
Android 13
Security patch Android: 5 mars 2025
/e/OS 2.9-t-202503211478215-official-FP5

Would this combination be a candidate for fixing the issue or should I wait for newer eOS updates before attempting to lock the bootloader? On the surface the Android patch is from 2025-03-05 and the eOS version is from 2025-03-21, which means eOS is “newer” than the security patch in Android. But maybe the margin is too slim? Does anyone know?

And I would need simple step by step instructions for how to lock the bootloader.

Sorry for a long winded post. Like I said, let me know if I should put it as it’s own thread.

All the best

1 Like

The vital missing detail is the Android SPL at the time you unlocked the phone in order to install /e/OS.

You will be aware from the above that the index on your phone “remembers” the SPL in its last locked state.

No good in hindsight but if you had any evidence of the “locked in SPL” there would be no guesswork. If however you guess that say the next /e/OS build released about now today is ahead of locked in SPL you might decide to lock it after that update.

  • Locking the phone will delete all data

The commands to lock the bootloader are at the foot of the install page first link in Post #10 .

Thanks for the reply. But I think I would need a step by step instruction.

  1. connect the phone to your computer
  2. Launch bla bla
  3. Select lorem
  4. Execute the command ipsum
    etc

Hello together

I’m also confused about the security patch levels and the locking ability.

I bought a Fairphone 5 a few days ago. I unlocked it and flashed the official 3.0-a14 release. The release notes (gitlab.e.foundation/e/os/releases/-/releases) are saying “This /e/OS 3.0 version includes the Android security patches available as of May 2025.”

The original OS on the Fairphone had the same patch level, so I tried to lock the phone after flashing /e/OS. But after reboot, the phone told me, that the system is corrupted. I was able to recover from this and reflashed /e/Os in an unlocked state.

Then I check the android version:

  • Android security update: 1 May 2025
  • Vendor security patch level: 5 May 2025

So it seems, e/OS is four days behind or the original OS was four days ahead.

The e/OS release notes are pointing me to /source.android.com/docs/security/bulletin/2025-05-01. But the page content is talking about security patch of 05.05.2025.

I guess, e/OS and the vendor of the original OS are pointing to the same patch level by using different timestamps?

So I think I have to wait for the next official release before I can lock the phone (on resetting it again in the process)?

Have a nice day,
Elia

This is the wrong comparison. Vendor security patch is something else.

Full “rules” in Post #2

This is a new problem because this is an approximation, it is possible to be anywhere in the range 1st to 5th.

Edit, you do say that you established your current /e/ build has Android SPL 1st May.

Without more exact info of the original Fairphone build you are likely best to wait a month. All data will be lost when you lock at that point.

The true Android SPL on a device is found from Settings > About phone > tap Android version.

Hello aidb

Wow, that was a fast response. Then it seems, I messed up with noting the original android version. I’m easy switching numbers. I tried fastboot getvar rollback-index which does not return a result. Without being sure about the original version, I will going to wait the month (or I could try to flash the last OS version provided by Fairephone and check the version string there).

In the meantime, I can at least try out the phone, with keeping in mind that it will be in reset state after the next lock try.

Thank you very much for your help,
Elia

1 Like

As a note to others, in the excitement of opening and the flashing of a new or secondhand phone it is a good idea to save an image showing the (old) “pre intervention” current Android SPL and Vendor SPL.

2 Likes