looks awesome 🙂
update: how to root with Magisk and install a firewall (scroll down and behave – slave of the digital dictatorship!)
“Pretty much everything you do on the phone is data-mined by Google. The mic is on listening most of the time (waiting for OK Google), it’s always monitoring WiFi and/or GPS, email and text get indexed, all your images get sent to the cloud (if you opt-in), etc. This is very standard for Google. Google uses this data for advertising (this allows them to offer you these services for ‘free’) and to make its services more convenient for the user (easily search emails, Google Maps knows what traffic is like, etc.). For many, it’s an unacceptable invasion of privacy.” (src: reddit.com)
Some relevant links, for people who missed the continuation of the projects:
Install documentation: https://grapheneos.org/install
Build documentation: https://grapheneos.org/build
Information on the Auditor app and AttestationServer: https://attestation.app/about
Next generation hardened malloc implementation: https://github.com/GrapheneOS/hardened_malloc
Archive of some old repositories with features that still need to be ported over: https://github.com/AndroidHardeningArchive
Announcement of rename from AndroidHardening to GrapheneOS: https://www.reddit.com/r/CopperheadOS/comments/b6muvh/androidhardening_project_renamed_to_grapheneos/
the cool thing, you can do this completely from linux now 🙂
you will need those files:
- 686c69e9d4a9ddbc5cf53a89a84abe9be62c883b22bf1bf83a613d3e2ba95b19a71b1fbb3ffd37b180a7a2a63f3d26a145db26ca6e583d94bcf4497537d5ba1d bootloader-angler-angler-03.84.img
- twrp-3.2.3-0-angler.img (take latest)
- 115ead764a896f559459e6fa2e230f35bbef1066f25d4354e3728309317917081318c32549c3b10c584720e911338f077d6716f711506bf7407b082f0c64d28c twrp-3.2.3-0-angler.img
- 34164f38b13325a6c20c193f806c71a66e57c45c82db9bbbe1e2f6a8370e1d6a1db61cfe55c8691f7c0cd35abfc458d81ea62480fe2bbf292673c7de6c74d9b7 lineage-15.1-20190224-nightly-angler-signed.zip
- 59953ebbdf694358ddc1ae43cd372d4b94bc478db26c0b4db28ad020c8d5ddb88c6fa5ee9cc35608ad2735307f7509ee66aef5b6dd8841a3b709cdfa8222967d radio-angler-angler-03.88.img
- 68295f1dc236fc30a2b8fed3db08d460b148fff517d72b3c6b05f6b95f5f7aae86f15986b4df4ff818dfe493fb8cb1f682122ed4e39b8f3d8b150c75da1907d0 vendor-angler-opm7.181205.001.img
(it is said you can extract the very latest radio vendor bootloader img from official google zip here)
before you proceed: backups! backups! backups!
if this is not a “virgin” device, you shall backup all your:
- pictures (simply attach an Anker USB-C to your PC / Laptop, enable File-Transfer-Mode at the Mobile and copy and paste)
- contacts (how to export more than 500 contacts at a time to file.vcf)
- AND APPS!
- YES YOU CAN EXPORT/BACKUP YOUR APPS into App.apk WITH the very cool App:
- sha256sum 704657cce87448ef0b8fb853c49886a5353c6349ab5720bc86dd541b6900b9f1
- sha512sum fcc8988088ec852ef8e57d094428b0299f0484cb23fde0efed12289a50882c9a469d3d8720a7feea7637e8654cdd1a83f5891d0a773c11d3ca51ceadf556ca8e
(and backup them to your PC/Laptop)
not exactly sure if this is the same app: https://f-droid.org/en/packages/axp.tool.apkextractor/
# you need to work as root unzip platform-tools_r28.0.1-linux.zip; mkdir $HOME/adb-fastboot; mv platform-tools_r28.0.1-linux $HOME/adb-fastboot/platform-tools export PATH="$HOME/adb-fastboot/platform-tools:$PATH" # test adb --version Android Debug Bridge version 1.0.40 Version 4986621 Installed as /root/adb-fastboot/platform-tools/adb # connect to wifi and apply all vendor updates # avoid this hazzle of: (you can skip those steps later!) # fastboot flash radio radio-angler-angler-03.88.img # fastboot flash vendor vendor-angler-opm7.181205.001.img # fastboot flash bootloader bootloader-angler-angler-03.84.img # tap the build number 7x times to unlock developer mode # enable USB debugging # put a screen lock pin # this pin will be used to encrypt your harddisk, which android now does per default # step is necessary because alternative bootloader TWRP will not be able to access or write to encrypted partitions # connect device via usb cable to pc (i would use usb 2.0 port) # upload rom to device under this folder: /sdcard/lineage-15.1-20190224-nightly-angler-signed.zip # power off device # now hold down power and volume+down # you should now see the bootloader adb start-server adb devices List of devices attached ENUSERIALOFDEVICE device adb reboot bootloader fastboot devices ENUSERIALOFDEVICE fastboot fastboot flashing unlock (bootloader) Device already unlocked! FAILED (remote: '') Finished. Total time: 0.017s fastboot devices # go where you downloaded the files cd /run/media/root/SOFTWARE/ANDROID/NEXUS_P6/ # crc check sha256sum -c twrp-3.2.3-0-angler.img.sha256 twrp-3.2.3-0-angler.img: OK # flash alternative bootloader to device fastboot flash recovery twrp-3.2.3-0-angler.img Sending 'recovery' (16816 KB) OKAY [ 0.469s] Writing 'recovery' OKAY [ 0.245s] Finished. Total time: 0.741s fastboot reboot-bootloader adb devices List of devices attached ENUSERIALOFDEVICE recovery # this way you can upload rom.zips even when the device is not fully booted adb push lineage-15.1-20190224-nightly-angler-signed.zip /sdcard/lineage-15.1-20190224-nightly-angler-signed.zip lineage-15.1-20190224-nightly-angler-signed.zip: 1 file pushed. 8.8 MB/s (445945632 bytes in 48.171s) # YOU SHOULD NOT NEED THIS STEP # IF YOU UPDATED YOUR DEVICE TO LATEST STOCK FIRMWARE! fastboot flash radio radio-angler-angler-03.88.img Sending 'radio' (48728 KB) OKAY [ 1.823s] Writing 'radio' OKAY [ 2.163s] Finished. Total time: 4.010s fastboot reboot-bootloader rebooting into bootloader OKAY [ 0.010s] Finished. Total time: 0.060s fastboot flash vendor vendor-angler-opm7.181205.001.img Sending 'vendor' (192577 KB) OKAY [ 5.728s] Writing 'vendor' OKAY [ 3.378s] Finished. Total time: 9.132s fastboot reboot-bootloader rebooting into bootloader OKAY [ 0.013s] Finished. Total time: 0.063s fastboot flash bootloader bootloader-angler-angler-03.84.img Sending 'bootloader' (3554 KB) OKAY [ 0.568s] Writing 'bootloader' OKAY [ 0.206s] Finished. Total time: 0.802s # now select recovery and press power button to select # you should see the TWRP alt boot loader asking your for pin to unlock encrypted partition # go to wipe -> advanced -> wipe system partition # go to install -> select rom you uploaded to device # hit install :) # wipe dalvik cache and cache # reboot and lineageOS should ask you for your pin
screenshots are done like this: push and hold both the power button and the volume down key at the same time. Push both at exactly the same time, hold for a moment, and let go
fix No Sim Card Detected:
This has been happening on many custom ROMs.
An easy fix is to go to security settings and change screen lock to swipe or none, then reboot.
That will remove the device protection that caused the no sim problem.
After the reboot, the problem is fixed and won’t happen anymore.
Then you can go back into security settings and change it back to whatever screen lock option you want.
how do i install Apps on my device if without using Google’s PlayStore?
you can use the vey cool indeed “Open Source Only” App-Store
or simply copy back your AppExtractor.apk exported Apps to your Nexus and install them.
how to root:
Magisk-uninstaller-20190501.zip 2.21 MB
- e3db7e9fa901e9c5a7a8cd05879bc207990679462781c2c2280753eb4ea903112e050e54880b7b7c7b44ad98f80d1535b0ebeb3a6159950bfb097911d08d0edf Magisk-uninstaller-20190501.zip
- sha512sum: 8be387bfad2555f7fed2f8686d9d2254e3e882960d5496a7002f5f459a9f54d0cab80948f3f23ab15149179a8f08959ab963cd653d2ef11b9d13f69d66507225 Magisk-v19.1.zipto your phone
go into recovery mode:
- power phone off
- hold down power and volume+down
- chose “recovery mode” via volume buttons
- you should be TWRP boot loader
- select and flash Magisk-v19.1.zip
- there is also an app: Magisk Manager sha512sum: bd857cfe16536c9c032abe16762a7f9d6114d2b2246bba31473816f8c56361026085618412c108fb4116cae203d92cde11175c496c6c479d9b9506bf10e21877 MagiskManager-v7.1.2.apk
- get the latest version here
- looks like this:
… why all this stress? so you can have a
WARNING! You will have to allow Teethering in the Firewall! Or you will not be able to use Teethering! (use SmartPhone as Wifi Hotspot/Router to mobile internet)
(thanks to kuketz-blog.de and all involved 🙂
on your mobile device 🙂
why would you want a firewall on android?
to only allow specific devices to communicate with the internet and enhance your privacy.
what is forgotten in this video: you have to hit “BuildNumber” several times to enable developer mode…
“Magisk is a suite of open source tools for customizing Android, supporting devices higher than Android 4.2 (API 17). It covers the fundamental parts for Android customization: root, boot scripts, SELinux patches, AVB2.0 / dm-verity / forceencrypt removals etc.
Furthermore, Magisk provides a Systemless Interface to alter the system (or vendor) arbitrarily while the actual partitions stay completely intact. With its systemless nature along with several other hacks, Magisk can hide modifications from nearly any system integrity verifications used in banking apps, corporation monitoring apps, game cheat detections, and most importantly Google’s SafetyNet API.”
OpenSource! GREAT 🙂
“Magisk works systemless-ly, and it doesn’t modify or alter your system partition. If you want to install a banking application or if you want to install official OTA updates, and much more. You can install the OTA updates without losing the root privileges, and that is everyone need. They don’t need to root again and again.
Magisk roots your Android device and it is based on phh’s SuperUser. Magisk is an open source rooting solution for Android. If you want to install magisk, then you can do so with the help of Magisk Manager application.
Magisk has Universal Systemless Interface. It means that if you want to create your mod or app, you can do so with the help of magisk. Magisk is mostly same as Xposed Framework and in the Xposed framework, there are different modules which you can install on your device.
Unfortunately, the Xposed framework is not available for Android Nougat. You can use the Magisk Manager on your device, and the Xposed Framework is mixed into it, and you can install some modules on your device with the help of magisk manager. You can hide root from other applications.”
ultimate privacy enhacement:
- apply privacy enhancing front camera tape!
for windows users:
the SafteyNet: more of a problem than a solution
“However, a modified system partition can become a Problem since Google’s SafetyNet (similar to PC verison of verified/signed programms/Apps/TrustedComputing/SecureBoot/DRM etc.) service was introduced.
SafetyNet is intended to detect” dangerous ” modifications such as Root and is intended to protect the app provider from potential misuse.
Especially when using Custom ROMs or rooted devices SafetyNet is becoming more and more a nuisance.
Among other things, apps such as Netflix, Snapchat, Banking Apps, and so on will deny the service if the SafetyNet Check fails.”
(auto translated from src: kuketz-blog.de)
Similar technology: Microsoft’s SecureBoot
“UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here; SB is a security measure to protect against malware during early system boot. Microsoft act as a Certification Authority (CA) for SB, and they will sign programs on behalf of other trusted organisations so that their programs will also run.” (src: debian.org, well spot the problem here, if “SecureBoot” has gained 90% market share in UEFI-BIOSES, they (Microsoft) will let the lock click… and that is it for Linux.)
free open source hardware: what can users do?
where the user controls the program
not the program controls the user
- ask and pay (!) for products that respect the user’s privacy
- COVER TAPE FRONT CAM OF (surveillance) SmartPhone
- use great Open Source software like the easy to install GNU Linux Debian 10
- use LibreOffice instead of M$ Office or Google Docs
- it is Java based and works well (Writer = Word, Calc = Excel)
- use Mozilla (ex Netscape) Firefox instead of Chrome browser!
- it is available for ALL PLATFORMS (Windows, OSX, Linux)
- even as App for Android and IPhone
- while surely not perfect, Mozilla at least seems to try to protect the user’s private data (aka not upload it to Google/Facebook)
- alternative Smart Phones
- affordable! Pine64Phone NICE! https://www.pine64.org/pinephone/
- well at $749.00 it is rather pricey but still cheaper than the latest IPhone (which is guranteed to spy on the user)
- remove Google from existing SmartPhones
- alternatives to Google:
- alternatives to gmail: https://mail.tutanota.com/
- use Thunderbird and Enigmail
- it will store the user’s mails ONLY in encrypted format (even when using gmail’s infrastructure)
- stay away from the cloud madness as much as the user can
- only share absolutely essential data with “the cloud” aka hybrid-cloud where the user stores 100% of data on a local server and uploads only the data that is not privacy intrusive and that really needs to be easily accessible via clouds
- instead of: cloud per default
- now the toughest: uninstall WhatsApp, WeChat and Telegram or move on to a different device not installing those Apps there
- they are all privacy intruding Apps
- or: remove the sim card, move the sim card over to (of course) Librem 5 or LineageOS enabled Phone
- leave the non-sim enabled phone with WhatsApp, WeChat and Telegram at home, not carrying around
- with a little investment! it can be done! see “building a RISCV based computer”
- this also needs to be done “ANYWAY” if citizens should be able to compute safely and securely in order to tackle the Intel SPECTRE and MELTDOWN problems