Hi everyone,
I recently flashed /e/OS 2.9 on my Fairphone 5 and everything is working well so far. However, the bootloader is still unlocked, which is causing some issues with security-sensitive apps like banking apps or Google Wallet.
I’d like to re-lock the bootloader, but I want to make sure I don’t end up with a bricked device or a bootloop.
Has anyone successfully re-locked the bootloader on the FP5 with /e/OS installed? Is there a safe and tested method or guide for this?
Warning: The bootloader is lockable in official builds only. The procedure to lock the bootloader will not work on community builds. See also Different Build Types.
Caution: FP5 comes with an anti-rollback feature. Please read the paragraph marked Caution in Requirements section of this guide, before you proceed to install /e/OS on FP5.
This reads:
Caution: The FP5 comes with an anti-rollback feature. Google Android anti-roll back feature is supposedly a way to ensure you are running the latest software version, including the latest security patches.
If you try installing a version of /e/OS based on a security patch that is older than the one on your device, you will brick your device. Click on Details below for detailed information
Next follows the Details section of that Caution
To check the security patch level on your phone with a locked bootloader, prior to installing /e/OS, open your phone Settings » About Phone » Android Version » Android Security Patch Level.Then compare it against the level of the security patch on the /e/OS build as visible in the Downloads for FP5 section below.
The following values control whether anti-rollback features are triggered on FP5:
Rollback protection errors trigger if you install an update whose version number is LESS than the rollback index’s value stored on device.
The value of rollback index is UPDATED to match ro.build.version.security_patch’s value of the currently installed version, but only if the bootloader is LOCKED.
The value of rollback index is NOT dependent on the currently installed ANDROID VERSION.
The value of rollback index can NEVER be DOWNGRADED.
Rollback protection errors are FATAL when the bootloader is LOCKED.
Rollback protection errors are IGNORED when the bootloader is UNLOCKED.
Here are some examples to help you understand how anti-rollback features work:
Example 1
Your FP5 with Google Android has a Security Patch Level saying June 5, 2022
The /e/OS build available says: /e/OS build : R official (Security patch: 2022-05-05)
In this example, the /e/OS build has an older Security Patch level than the origin, so the anti-roll back protection will trigger, and you will brick your phone Example 2
Your FP5 with Google Android has a Security Patch Level saying June 5, 2022.
The /e/OS build available says: /e/OS build : R official (Security patch: 2022-06-05)
In this example, the /e/OS build has the same Security Patch level than the origin, so the anti-roll back protection will pass, and you will be able to install /e/OS with no issues.
Example 3
Your FP5 runs Google Android -R while /e/OS is now available based on AOSP -S.
Your FP5 with Google Android has a Security Patch Level saying 2022-10-03 or October 3rd, 2022.
The /e/OS build available says: /e/OS build : S official (Security patch: 2022-06-05)
In this example, the /e/OS build has an older Security Patch level than the origin, so the anti-roll back protection will trigger, even if the /e/OS version runs on a more recent version of AOSP. In this example, you will brick your phone.
The above explains that you should only attempt on official build.
You need to be sureof the Android SPL of the last Android build which was locked on the phone.
May I add to aibd, locking will wipe your data soo you need to backup and restore later.
And I am also wondering if locking your bootloader is the solution. I have a unlocked one with a community build and none of my apps (even one banking one) complained about it. Maybe try to make sure that it really does work after locking it, would be wasted time if it doesn’t work after the lock. I suppose you are using Google Wallet with a Google account…? Maybe try to get away from that since your having an OS which helps you with that. There is Curve which works in some regions, might not be perfect but better than Google Wallet.
Thank you very much for your detailed and informative response!
Your explanation of the anti-rollback mechanism and the warning about re-locking the bootloader only on official builds was extremely helpful. I’m currently on the community build, since I was told that the official version can only be pre-installed by Murena and not manually flashed.
That said, I’d like to double-check one point:
The last Android version that was locked on my phone had a security patch level (SPL) of 2025-01-05, and the /e/OS build I flashed is from early March 2025. So as far as I understand, this SPL should be newer, and rollback protection should not be triggered — if I were using the official build. Would you agree?
Also, do you know if there is any way to manually flash the official build? Perhaps with an image that can be requested from Murena or through another process? If that’s possible, I’d definitely consider switching to the official version in order to safely re-lock the bootloader.
Thanks again for your help and for pointing out these critical technical details!
I did not find that quote is a quick search, but I remember it has come up before that a
sentence with the intended meaning “Only official builds are installed in Phones from the Murena shop”, is used in introductory pages; the wording used is inconcise (in that only seems in the wrong position) and looks rather as you interpreted. [2]
In this quote you show the /e/OS date in advance of the pre-installed build – is OK.
Yes you just follow the install page linked above.
… and while this image shows the /e/OS SPL please confirm it from release notes scrolling down and searching for “ Security fixes” in the the intended release.
Notice that change of community to official will involve downgrade of Android version, not a problem with the install script, except the current official release will lag community in Android version for some unknown time. This keeps official stable, but some users would like to be closer to “bleeding edge” so official is not for them. [1]
Do not take a backup on the same device as some of these actions will format the device and delete the backup.
… the flash script is likely to format the phone (-- read the script for precision)
[1] Edit: the above refers to your community phone being OTA Updated with /e/OS version (~monthly). (Manual upgrade of Android version will be required at some time in the future.)
The official build will similarly receive monthly OTA updates, but when the time comes offers OTA Upgrade of Android version.
[2] I just noticed that the Documentation error is repeated in Different Build Types
These builds are currently only available on the Murena smartphones .
Means "Only these builds are currently available on the Murena smartphones. They are also available on the Web Installer
Unless there is some undocumented plan to hide official builds at some in the future.
Thank you so much for your helpful reply and for sharing your experience!
You raise a great point — re-locking the bootloader might not even solve my issue, and it would be quite frustrating to go through the process only to find that the app still doesn’t work. I’m actually not using Google Wallet or a Google account at all. The issue is with a non-Google secure app that appears to check the bootloader status, which is why I was considering locking it.
Thanks also for mentioning Curve — I wasn’t familiar with it before. I now understand it’s a kind of virtual wallet that can act as an alternative to Google Wallet, especially on phones that don’t use Google services. I’ll check if it’s available in my country and whether it could be a viable solution.
Appreciate your thoughtful input — it definitely gave me something to think about before jumping into risky changes!
Thanks again for your detailed response — and especially for clarifying the documentation wording regarding official builds. That makes a lot more sense now. I can see how the phrasing like “only available on the Murena smartphones” could be interpreted the wrong way. I had assumed this meant that manual flashing of official builds wasn’t possible, but now I understand that it’s actually allowed and supported — great to know!
Also, I really appreciate the confirmation regarding the security patch level (SPL). I’m relieved that my flashed build from early March 2025 is newer than the SPL of the original firmware (2025-01-05), so there should be no rollback issue.
So just to clarify:
I understand now that switching from the community build (which might already be on Android 14) to the official build (currently still on Android 13) will be considered a downgrade in Android version. But that’s okay — the official install script handles this correctly, even if it involves wiping the device.
So just to confirm — I should flash the /e/OS build T official (Security patch: 2025-03-05)?
There’s barely any data on the device yet, as I’m still in the process of setting it up, so data backup isn’t really a concern for me.
Please let me know if this understanding is correct.
For my use case, stability is more important than staying on the bleeding edge, so I think the official build might suit me better — especially if it enables safe bootloader re-locking. Which I hope helping me with the app.
I’ll make sure to double-check the security fixes in the release notes and understand exactly what the flash script does before proceeding — including data wipe.
Much appreciated again for walking me through all of this!
I’d like to briefly share the steps I followed. I registered on the official Murena website and used the web installer to flash /e/OS 2.9-t-numbers-official-FP5 on my Fairphone 5. I simply followed the instructions provided – everything worked smoothly and without issues.
After the successful installation, I re-locked the bootloader (switched from unlocked to locked), and that process also completed without any problems. So far, everything went well.
A big thank you to @aibd and @mihi for your valuable support and the time you took to help me through this process – I truly appreciate it.
Unfortunately, the end result didn’t resolve my issue completely. I’ll open a new thread soon where I’ll describe the problem I’m facing – namely that a financial app refuses to run on the device due to custom firmware.
I’ll also try the app Curve, as mentioned by @mihi, as it might offer a workaround.
Thanks again – I’m grateful for the great community here.
Security fixes” in the the intended release.