Introduction

Almost a year ago I bought a BlackBerry Passport with intend of running Linux on it. The problem is that I did not do a lot of research on this topic. I assumed that "of course you can install whatever you want on it, back in the 2014 every phone had its bootloader unlocked". Maybe every phone had, but with exception of BlackBerry.
BlackBerry do not have a standard Android installed. What is installed on this phone, is BlackBerry 10 OS, which uses QNX kernel under the hood (UNIX), and Android emulation layer on top of it. All of the 10.3.x releases (only those apply to the BlackBerry Passport) are based on the modified version of QNX 6.6. You can run on it both BAR, and APK apps. BAR is a BlackBerry OS application, and APK is an Android application.
The version that my device is running it the latest one - 10.3.3.3216, released in 2018. When you run uname -a on it, it would tell you that the QNX version is 8.0.0, but this is not true, as the latest QNX version released at the time was QNX SDP 7.0, and it is probably not the one, that is running on my device. The Android emulation layer version is Android 4.3 Jelly Bean (API 18).

Applications and Terminal

The BlackBerry 10 OS has two app-stores - BlackBerry World and Amazon Appstore. There is no Google Play, because it is not an Android phone, and it do not meet the Google's requirements for its apps to be provided.
BlackBerry World was turned off in January 2022, and I could not figure out how to login into Amazon Appstore, so we have to get our apps the other way.
First you have to complete the setup process, here is the detailed guide on how to do this: https://forums.crackberry.com/blackberry-10-os-f269/fix-bb10-devices-stuck-setup-sideloading-issue-1193846/ You cannot simply log into your BlackBerry ID, as it was also turned off.
There is a reupload site for BlackBerry apps, and Android apps that support API 18. https://bbstore.vercel.app/apps
There is also an F-droid store, that allows you to download open-source apps from different F-droid repositories. https://f-droid.org/en/
You can easily install Android apps from unknown sources, but when it comes to installing BAR files, it is not as easy as downloading it on your device and running it.

BAR - BlackBerry apps

In order to install BAR files on your phone, you need to complete the setup on your phone (see above), download and install BlackBerry Link with BlackBerry drivers - https://www.blackberry.com/us/en/products/devices/software/desktop/blackberry-link, download and install DBBT - https://bbstore.vercel.app/tools/0001, connect your device, and in the DBBT select and install your BAR file.

Terminal

The most interesting BAR application, that I wanted to try out was the terminal. There are multiple terminal emulators available, but the most interesting one is Term48 and its fork Term49.
I took my terminal app from https://bbstore.vercel.app/apps/pXamnItRxbzmRZLwIJUN It is some sort of modded Term48/Term49. You can also install the Term49 from its GitHub page https://github.com/BerryFarm/Term49/releases

UNIX tools

After installing it, you now have access to QNX shell, but you may notice, that there are not a lot of tools accessible inside of it.
This is where BerryMuch comes in handy. In order to install it, take a look at the guide at BerryMuch's GitHub page - https://github.com/BerryFarm/berrymuch#user If you have problems with running the script, remember to change the permissions of the file - chmod +x.

Jailbreak

The bootloader on BlackBerry devices is locked, and protected by a security chip. Without major changes to the hardware, you would not be able to install your own operating system. Only the images signed by the BlackBerry can be installed. But not all hopes should be lost, the part protected by the security chip is only the QNX kernel in /.boot and /base directories, so theoretically with root access, you could modify everything in the user space, without bricking the phone. You could possibly change everything and leave only the kernel in place.
The problem is that you do not have access to the root account. And there is no documented way of getting an access to it.

Privilege escalation

There are multiple CVEs documenting privilege escalation vulnerabilities in the QNX kernel https://www.opencve.io/cve?cvss=&search=qnx The problem is that most of them are not public, with very little information about the vector of attack. The only documented one I have found for my version of QNX - 6.6, was this one - https://www.opencve.io/cve/CVE-2017-3891 and it did not work on my device.

So is it possible?

If you could find more information, about how this CVE was discovered https://www.opencve.io/cve/CVE-2021-32025 then of course. You still would not have the ability to remove QNX kernel and replace it with your own, but at least you could change the version of Android emulation, or install the Linux virtual machine. There is also the other way of desoldering the memory chip, and changing the files not secured by the chip directly, although I do not know much about it.

Best regards,
mble