This is right. A Blob is often Firmware, or a Driver for some Hardware. Some definitions like in EU Law for WLAN usage defines that a driver have to control and stay in some range of usage to fit the legislation have to ensure that some user or Admin who install the driver, can not set the device into some illegal mode. And that is why we have some drivers with closed source. - I thinks its to to discover third party exploitation and information sneaking too, but that’s another story.
So yes you have a driver as a blob as a firmware on your phone. But you can still interact by the Kernel which loads this and have some parameters as Boot or initialize arguments to interact with it as runtime or during boot. And too, on the Librem5 you have the hardware kill switches to disconnect the hardware physically.
Sharon try to buy a jumpdrive and run that firemware update by some USB/JTAG or ask the support to fix it for you for some money. Or buy a new phone.
What you describe sounds like an Android Stage… exploit issue where one layer add another one to boot some kernel or Boot System to just have a launch on your hardware.
You should be able to install the official Librem5 Software like initialize a Biosupdate on your phone too. Coreboot is your Bios, but if i am not wrong its still takes place like a BIOS Update on your hardware.
Oh, after some searching the internet suggest that the jumpdrive is really only a USB Stick with Booting header like (boot from) external USB? I thought it was some USB Wire to some JTAGS on the Mainboard of the Librem5, with physical access after dissemble it and offer some physical access.
Sharon keep in mind that, every layer before the boot. Is kind of a safe zone and a stage if something goes wrong, to debug the Device on an easy way before the brick with higher effort or knowledge. So that is why we have this different stages and some try to ensure a chain of trust during boot and to hide DRM firmware. To take care that no evil or superworm can intervene and keeps owners out.
The Android Community however, often do not share knowledge and use exploits to got install in the first place so there on old Hardware often some old Kernel or Driver exploit was replaced and launch a Bootmanager, and this itself a new or uptodate Android Kernel and Android SDK environment to be able to run modern versions of Android. And if you just use some creepy homemade Android Versions you might have stacked up some of these layers and it do not cares of a clean fresh installation as it should have… and that way you could end up like to speak in images - use one VM in another… after every installation. If you are not sure how to access and interact or change the firmware on the top layers (which is always risky - cause use could end up with a brick) you will not get easily rid of it.
I think the official firmware upgrade of coreboot and L5 update should get it done. If you are not sure and you have valuable information on your L5 and can not back up it - i would buy another one at second hand and try it there first. You just can collect more experience / win.