looks awesome 🙂
update: how to root with Magisk and install a firewall (scroll down and behave – slave of the digital dictatorship!)
„Pretty much everything you do on the phone is data-mined by Google. The mic is on listening most of the time (waiting for OK Google), it’s always monitoring WiFi and/or GPS, email and text get indexed, all your images get sent to the cloud (if you opt-in), etc. This is very standard for Google. Google uses this data for advertising (this allows them to offer you these services for ‚free‘) and to make its services more convenient for the user (easily search emails, Google Maps knows what traffic is like, etc.). For many, it’s an unacceptable invasion of privacy.“ (src: reddit.com)
Some relevant links, for people who missed the continuation of the projects:
Install documentation: https://grapheneos.org/install
Build documentation: https://grapheneos.org/build
Information on the Auditor app and AttestationServer: https://attestation.app/about
Next generation hardened malloc implementation: https://github.com/GrapheneOS/hardened_malloc
Archive of some old repositories with features that still need to be ported over: https://github.com/AndroidHardeningArchive
Announcement of rename from AndroidHardening to GrapheneOS: https://www.reddit.com/r/CopperheadOS/comments/b6muvh/androidhardening_project_renamed_to_grapheneos/
the cool thing, you can do this completely from linux now 🙂
you will need those files:
(for osx and windows look here)
(it is said you can extract the very latest radio vendor bootloader img from official google zip here)
before you proceed: backups! backups! backups!
if this is not a „virgin“ device, you should back up all your:
- pictures (simply attach an Anker USB-C to your PC / Laptop, enable File-Transfer-Mode at the Mobile and copy and paste)
- contacts (how to export more than 500 contacts at a time to file.vcf)
- AND APPS!
- YES YOU CAN EXPORT/BACKUP YOUR APPS into App.apk WITH the very cool App:
- sha256sum 704657cce87448ef0b8fb853c49886a5353c6349ab5720bc86dd541b6900b9f1
- sha512sum fcc8988088ec852ef8e57d094428b0299f0484cb23fde0efed12289a50882c9a469d3d8720a7feea7637e8654cdd1a83f5891d0a773c11d3ca51ceadf556ca8e
(and backup them to your PC/Laptop)
not exactly sure if this is the same app: https://f-droid.org/en/packages/axp.tool.apkextractor/
```
# you need to work as root
unzip platform-tools_r28.0.1-linux.zip
mkdir $HOME/adb-fastboot
# the zip unpacks to a top-level platform-tools/ directory
mv platform-tools $HOME/adb-fastboot/platform-tools
export PATH="$HOME/adb-fastboot/platform-tools:$PATH"

# test
adb --version
Android Debug Bridge version 1.0.40
Version 4986621
Installed as /root/adb-fastboot/platform-tools/adb

# connect to wifi and apply all vendor updates
# this avoids the hassle of: (you can skip those steps later!)
# fastboot flash radio radio-angler-angler-03.88.img
# fastboot flash vendor vendor-angler-opm7.181205.001.img
# fastboot flash bootloader bootloader-angler-angler-03.84.img

# tap the build number 7 times to unlock developer mode
# enable USB debugging
# set a screen lock pin
# this pin will be used to encrypt your harddisk, which android now does by default
# this step is necessary because the alternative bootloader TWRP will not be able to access or write to encrypted partitions

# connect device via usb cable to pc (i would use a usb 2.0 port)
# upload rom to device under this folder: /sdcard/lineage-15.1-20190224-nightly-angler-signed.zip
# power off device
# now hold down power and volume+down
# you should now see the bootloader

adb start-server
adb devices
List of devices attached
ENUSERIALOFDEVICE device

adb reboot bootloader
fastboot devices
ENUSERIALOFDEVICE fastboot
fastboot flashing unlock
(bootloader) Device already unlocked!
FAILED (remote: '')
Finished. Total time: 0.017s
fastboot devices

# go where you downloaded the files
cd /run/media/root/SOFTWARE/ANDROID/NEXUS_P6/

# checksum check
sha256sum -c twrp-3.2.3-0-angler.img.sha256
twrp-3.2.3-0-angler.img: OK

# flash the alternative bootloader (the TWRP recovery image) to the device
fastboot flash recovery twrp-3.2.3-0-angler.img
Sending 'recovery' (16816 KB) OKAY [ 0.469s]
Writing 'recovery' OKAY [ 0.245s]
Finished. Total time: 0.741s

fastboot reboot-bootloader
adb devices
List of devices attached
ENUSERIALOFDEVICE recovery

# this way you can upload rom.zips even when the device is not fully booted
adb push lineage-15.1-20190224-nightly-angler-signed.zip /sdcard/lineage-15.1-20190224-nightly-angler-signed.zip
lineage-15.1-20190224-nightly-angler-signed.zip: 1 file pushed. 8.8 MB/s (445945632 bytes in 48.171s)

# YOU SHOULD NOT NEED THIS STEP
# IF YOU UPDATED YOUR DEVICE TO LATEST STOCK FIRMWARE!
fastboot flash radio radio-angler-angler-03.88.img
Sending 'radio' (48728 KB) OKAY [ 1.823s]
Writing 'radio' OKAY [ 2.163s]
Finished. Total time: 4.010s

fastboot reboot-bootloader
rebooting into bootloader OKAY [ 0.010s]
Finished. Total time: 0.060s

fastboot flash vendor vendor-angler-opm7.181205.001.img
Sending 'vendor' (192577 KB) OKAY [ 5.728s]
Writing 'vendor' OKAY [ 3.378s]
Finished. Total time: 9.132s

fastboot reboot-bootloader
rebooting into bootloader OKAY [ 0.013s]
Finished. Total time: 0.063s

fastboot flash bootloader bootloader-angler-angler-03.84.img
Sending 'bootloader' (3554 KB) OKAY [ 0.568s]
Writing 'bootloader' OKAY [ 0.206s]
Finished. Total time: 0.802s

# now select recovery and press the power button to confirm
# you should see the TWRP alt boot loader asking you for the pin to unlock the encrypted partition
# go to wipe -> advanced -> wipe system partition
# go to install -> select the rom you uploaded to the device
# hit install :)
# wipe dalvik cache and cache
# reboot and lineageOS should ask you for your pin
```
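The session above runs `sha256sum -c` only on the TWRP image; the ROM zip, radio, vendor and bootloader images are flashed unchecked. The following is an added example, not part of the original post: a shell helper that refuses to proceed unless every image in the download folder has a matching checksum file. `verify_images` and `demo` are hypothetical names, the one-`.sha256`-file-per-image layout is an assumption modelled on the TWRP download, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). verify_images and demo are
# hypothetical names; the "<file>.sha256" sidecar layout is an assumption.

# verify_images DIR: return 0 only if every *.img / *.zip in DIR has a
# sidecar written by sha256sum ("<hex digest>  <name>") that matches.
verify_images() {
    dir=$1; bad=0; found=0
    for f in "$dir"/*.img "$dir"/*.zip; do
        [ -f "$f" ] || continue        # unmatched glob stays literal, skip it
        found=1
        name=$(basename "$f")
        if [ ! -f "$f.sha256" ]; then
            echo "MISSING  $name has no .sha256 file, do not flash" >&2
            bad=1
            continue
        fi
        # Compare digests directly; ignore whatever path the sidecar names.
        want=$(awk 'NR==1 {print tolower($1)}' "$f.sha256")
        have=$(sha256sum "$f" | awk '{print $1}')
        if [ -n "$have" ] && [ "$want" = "$have" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name, do not flash" >&2
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no images found in $dir" >&2
        return 2
    fi
    return "$bad"
}

# Constructed demo: one intact image, one modified after its checksum was made.
demo() {
    d=$(mktemp -d)
    printf 'recovery-bytes' > "$d/twrp-demo.img"
    printf 'vendor-bytes' > "$d/vendor-demo.img"
    (cd "$d" && for i in *.img; do sha256sum "$i" > "$i.sha256"; done)
    printf 'X' >> "$d/vendor-demo.img"   # simulate corruption or tampering
    rc=0; verify_images "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "demo: refusing to flash"
```

A checksum fetched from the same server as the image only catches corruption in transit or on disk; it says nothing about a tampered download source.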
screenshots are done like this: push and hold both the power button and the volume down key at the same time. Push both at exactly the same time, hold for a moment, and let go
fix No Sim Card Detected:
This has been happening on many custom ROMs.
An easy fix is to go to security settings and change screen lock to swipe or none, then reboot.
That will remove the device protection that caused the no sim problem.
After the reboot, the problem is fixed and won’t happen anymore.
Then you can go back into security settings and change it back to whatever screen lock option you want.
how do i install Apps on my device without using Google’s PlayStore?
you can use the very cool indeed „Open Source Only“ App-Store
or simply copy back your AppExtractor.apk exported Apps to your Nexus and install them.
how to root:
go into recovery mode:
- power phone off
- hold down power and volume+down
- choose „recovery mode“ via volume buttons
- you should now be in the TWRP boot loader
- install the .zip Magisk-uninstaller-20190501.zip
- looks like this:
- apply privacy enhancing front camera tape!
… why all this stress? so you can have a
WARNING! You will have to allow Tethering in the Firewall! Or you will not be able to use Tethering! (use SmartPhone as Wifi Hotspot/Router to mobile internet)
(thanks to kuketz-blog.de and all involved 🙂)
on your mobile device 🙂
why would you want a firewall on android?
to only allow specific devices to communicate with the internet and enhance your privacy.
what is forgotten in this video: you have to hit „BuildNumber“ several times to enable developer mode…
„Magisk is a suite of open source tools for customizing Android, supporting devices higher than Android 4.2 (API 17). It covers the fundamental parts for Android customization: root, boot scripts, SELinux patches, AVB2.0 / dm-verity / forceencrypt removals etc.
Furthermore, Magisk provides a Systemless Interface to alter the system (or vendor) arbitrarily while the actual partitions stay completely intact. With its systemless nature along with several other hacks, Magisk can hide modifications from nearly any system integrity verifications used in banking apps, corporation monitoring apps, game cheat detections, and most importantly Google’s SafetyNet API.“
OpenSource! GREAT 🙂
„Magisk works systemless-ly, and it doesn’t modify or alter your system partition. If you want to install a banking application or if you want to install official OTA updates, and much more. You can install the OTA updates without losing the root privileges, and that is everyone need. They don’t need to root again and again.
Magisk roots your Android device and it is based on phh’s SuperUser. Magisk is an open source rooting solution for Android. If you want to install magisk, then you can do so with the help of Magisk Manager application.
Magisk has Universal Systemless Interface. It means that if you want to create your mod or app, you can do so with the help of magisk. Magisk is mostly same as Xposed Framework and in the Xposed framework, there are different modules which you can install on your device.
Unfortunately, the Xposed framework is not available for Android Nougat. You can use the Magisk Manager on your device, and the Xposed Framework is mixed into it, and you can install some modules on your device with the help of magisk manager. You can hide root from other applications.“
for windows users:
SafetyNet: more of a problem than a solution
„However, a modified system partition can become a problem since Google’s SafetyNet (similar to PC version of verified/signed programs/Apps/TrustedComputing/SecureBoot/DRM etc.) service was introduced.
SafetyNet is intended to detect ‚dangerous‘ modifications such as Root and is intended to protect the app provider from potential misuse.
Especially when using Custom ROMs or rooted devices SafetyNet is becoming more and more a nuisance.
Among other things, apps such as Netflix, Snapchat, Banking Apps, and so on will deny the service if the SafetyNet Check fails.“
(auto translated from src: kuketz-blog.de)
Similar technology: Microsoft’s SecureBoot
„UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here; SB is a security measure to protect against malware during early system boot. Microsoft act as a Certification Authority (CA) for SB, and they will sign programs on behalf of other trusted organisations so that their programs will also run.“ (src: debian.org, well spot the problem here, if „SecureBoot“ has gained 90% market share in UEFI-BIOSES, they (Microsoft) will let the lock click… and that is it for Linux.)