I am genuinely confused about how to get vendor security patches.
I ordered a Fairphone 5 from Murena with /e/OS pre-installed. See screenshot.
The vendor security patch level is from 5 June 2024, so more than a year ago.
I returned the phone. If the phone has outdated security patches from the beginning onwards, it’s basically a broken product.
Is there any way to obtain vendor security patches from Fairphone for phones that have /e/OS? Or is it simply impossible to update the vendor security patches once /e/OS is installed?
I am not asking about the Android security patches. Those were there.
I have a FP5 with /e/ OS 3.0.1 (official).
Still the vendor security patch level is June 5th, 2024.
So @smilingoctopus’s concern definitely has a point.
You created a lot of headache for yourself for no reason. Vendor security patch levels don’t mean squat. You might get one with an /e/os update, but if you don’t it’s nothing to worry about. The only thing that matters is the Android SPL (security patch level) which gets updated when you do an /e/os update.
Now, as far as SPL updates go, they do stop at some point when a version of Android gets old enough. In that case you have to go to a newer version of Android to get the latest security patches.
@jaror @CraigHB - true, just strings, but of course they have a well-defined independent meaning that OEMs follow. Vendor levels are relevant.
The FP5 receives vendor firmware updates, and one reason (as you mentioned, CraigHB) it’s behind is that the device has not yet migrated to A14, where the corresponding updated vendor firmware ships with the major version. A valid reason to send back a new phone.
Here’s a screenshot taken from my FP5, bought from Murena in January 2024; I did every OTA update since then (except 3.0.0; I went directly from 2.9.0 to 3.0.1):
Murena can also provide vendor security patches through their OTA updates (and did so at least once).
The last vendor security patch delivered by /e/ OS is one year old.
I was not able to find information about the current vendor security patch date for the original Fairphone FP5 OS or for LineageOS, and I did not even try to research patches offered by the chipset manufacturer. So I cannot tell if only /e/ OS (Android 13 build) is lagging behind, if even Fairphone is lagging behind, or if there actually are no security patches (and everything is fine, because there are no issues to be patched).
Considering that Fairphone decided on the IoT chipset used in the FP5 because of the long vendor support time, and that Fairphone and Murena are cooperating, one could assume that the current vendor security level is fine, but at least from my side, this is just guessing.
I assume /e/OS is lagging behind. I installed /e/ 3.0.1-a14 some time ago and had the latest FPOS installed before. My vendor security patch is the same date the SPL of FPOS was beforehand: May 2025.
Yes, I probably overstated that. Vendor patch levels do have “some” significance. However, they cover such a small portion of the code the phone actually runs that there’s no need to get overly concerned about it.
It’s possible a critical security flaw could originate from vendor-specific software, but it’s going to happen at such a low frequency that it’s not that much of a consideration. The vast majority of risk comes from software covered by the Android SPL.
So basically, returning a phone because the Vendor patch level is a year old is an over-reaction.
The evidence in this thread seems to point to Fairphone not updating Vendor SPL on this phone (during the past 12 months) until the Upgrade to A14 when we now see reported May 2025.
Up to date Vendor SPL is a requirement of Google supervision and enforcement of their system. By enforcement I refer to this as a requirement imposed by Google on the manufacturer.
Failure to have “Google registered” current Vendor SPL is expected to result in Settings > Trust showing “Vendor Out of date”. However, as I understand, up until May 2025 the Vendor SPL of June 2024 would be expected to show “Up to date”.
My opinion: one might reasonably feel that a manufacturer which did not have to keep adding Vendor security patches demonstrates good design.
You do not state the date of your purchase … if since early May, it would seem reasonable to expect “Up to date”, which would mean Android 14, but maybe your transaction was “on the cusp”?
Ignoring the exposure, one can say the probability is very low to have any vulnerability exploited (I agree), but it’s another school of thought.
The kernel counts toward vendor patch level in devices that came to market pre A12, not only periphery firmware. The story is muddied per (LineageOS-) maintainer, but they do backport to ancient kernels. Google GKI grabs some code back into the system patch level (true for FP5), but vendor code is very much not “a small portion of code the phone actually runs” - that is a misconception, no idea how you came to that conclusion.
The OP is more of a logistics topic and I root for Murena to get it right. First impressions.
I want to switch from iodeOS to /e/OS (or as an intermediate to FPOS).
Is this possible ATM without bricking my phone?
If I understand the antirollback feature, I am not supposed to use a date earlier than already installed.
So, do I have to wait until /e/OS comes out with an Android security patch level of 1st June (or later)?
Yes, if you are okay with not locking your bootloader, anti-rollback does not concern you. Anti-rollback will only kick in if you have an older SPL and lock the bootloader.
Only if you want or need to lock your bootloader. Some apps, like banking apps, require a locked bootloader.
Please also bear in mind that locking the bootloader always wipes all data. This means that if you start using the phone without locking and want to lock it later, you will have to do backups and reconfigure everything after the bootloader lock.
/e/ 3.1 is supposed to arrive this month. 3.1 will probably carry a more recent SPL. Waiting some time might be a good idea.
Thank you very much for the very precise answer. That now makes a lot of sense.
I did not lock my bootloader when I had finished installing iodeOS.
I dare to have one question:
Assume I want to have iodeOS later with a locked bootloader. I now have iodeOS with SPL 1 June 2025 and Android 15, but it does not quite work well enough.
The bootloader is unlocked, OEM is unlocked, USB debugging is enabled.
Do you think it is possible to:
I install the current /e/OS with a patch level of 1 May 2025 and do not lock the bootloader.
I test and I am not happy.
I install the current FPOS with a patch level of 5 June 2025 and do not lock the bootloader.
I test and see that I have no hardware error; I am happy.
Later, all major bugs are fixed in /e/OS or iodeOS and I am happy to reinstall either of those, e.g. with another patch level, which is lower than the current FPOS.
Can I then downgrade to /e/OS or iodeOS, e.g. again 1 June 2025, and lock the bootloader?
It is clear that every time the data partition(s) get wiped and I have to configure anew.
I will not vouch for this to be “no risk” because I still do not understand whether or not there is a difference between the 1st of a month and 5th of a month versions of SPL, but:
I flashed FPOS with an SPL reported as 05.05.2025 and after that /e/OS with an SPL reported as 01.05.2025 and was able to lock the bootloader.
If I remember correctly, every new version of the SPL changes the rollback index. As long as the SPL of a ROM has the same rollback index as the already installed one, it is safe to lock the bootloader.
Anti-rollback triggers (and bricks your device) when the rollback index of the new OS is lower than the already present one and a bootloader lock is attempted.
It’s outside my expertise, but I think it is probable that there is a fastboot command to read the rollback index present on the device before and after flashing a custom ROM to check that. Maybe someone more knowledgeable can weigh in on this and inform us about this.
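As an added illustration (not code from this thread or from Fairphone, Murena or /e/OS), the script below reads the patch level that an Android boot image header actually carries and models the "candidate must not be older than installed" rule the posts above describe. It shows why a 1st-of-month and a 5th-of-month level can behave the same: the header's os_version word stores only year and month. The lock_is_safe rule and the make_header sample headers are assumptions constructed for this example; the real rollback index derivation is device- and build-specific.

```python
import struct

BOOT_MAGIC = b"ANDROID!"

def decode_os_version(word):
    """Split the 32-bit os_version word of an Android boot image header.
    High 21 bits: OS version A.B.C (7 bits each). Low 11 bits: patch level as
    (year - 2000) in 7 bits and month in 4 bits. There is no day-of-month
    field, so "1 May 2025" and "5 May 2025" encode identically."""
    ver, patch = word >> 11, word & 0x7FF
    os_ver = ((ver >> 14) & 0x7F, (ver >> 7) & 0x7F, ver & 0x7F)
    return os_ver, (2000 + (patch >> 4), patch & 0xF)

def encode_os_version(a, b, c, year, month):
    """Inverse of decode_os_version (the packing mkbootimg uses)."""
    return (((a << 14) | (b << 7) | c) << 11) | (((year - 2000) << 4) | month)

def read_patch_level(header):
    """Return (year, month) from the raw first bytes of a boot.img.
    header_version sits at offset 40 in every header version; os_version sits
    at offset 44 for header v0-v2 and at offset 16 for v3/v4 (GKI layout)."""
    if header[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    (hdr_ver,) = struct.unpack_from("<I", header, 40)
    (word,) = struct.unpack_from("<I", header, 16 if hdr_ver >= 3 else 44)
    return decode_os_version(word)[1]

def lock_is_safe(installed, candidate):
    """Model of the rule from the thread: locking is safe only if the candidate
    ROM's patch level (year, month) is not older than the installed one.
    ASSUMPTION: the bootloader's rollback index is monotonic in this
    year/month value; the real derivation is device- and build-specific."""
    return tuple(candidate) >= tuple(installed)

def make_header(hdr_ver, year, month, os_ver=(14, 0, 0)):
    """Constructed sample header (not a real image) for offline testing."""
    hdr = bytearray(4096)
    hdr[:8] = BOOT_MAGIC
    struct.pack_into("<I", hdr, 40, hdr_ver)
    struct.pack_into("<I", hdr, 16 if hdr_ver >= 3 else 44,
                     encode_os_version(*os_ver, year, month))
    return bytes(hdr)

if __name__ == "__main__":
    # Constructed scenario from the thread: FPOS (5 May 2025) installed,
    # then /e/OS (1 May 2025) flashed; both headers carry (2025, 5).
    fpos = read_patch_level(make_header(4, 2025, 5))
    eos = read_patch_level(make_header(4, 2025, 5))
    print(fpos, eos, lock_is_safe(fpos, eos))  # (2025, 5) (2025, 5) True
    print(lock_is_safe((2025, 6), read_patch_level(make_header(2, 2025, 5))))  # False
```

On a device, `adb shell getprop ro.build.version.security_patch` and `adb shell getprop ro.vendor.build.security_patch` print the Android and vendor levels discussed above; an unmodified boot.img can be fed to read_patch_level directly.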