This is a short and sweet piece on flashing the Google Pixel 4 5G Edition and install GrapheneOS.
GrapheneOS, is a custom ROM for the Pixel line of smartphones, and totally "Google Free", so no Google shit running in the background, wasting resources, monitoring you and bugging you, and so on. It's also made for privacy, so that's nice. And yet, the irony doesn't escape me, that the only phone you can run a Google free OS on, is a Google made phone :)
So, what is GrapheneOS, and why's is it so different from other Android phones ? First let's have a closer look :)
From the website
GrapheneOS is a private and secure mobile operating system with great functionality and usability. It starts from the strong baseline of the Android Open Source Project and takes great care to avoid increasing attack surface or hurting the strong security model. GrapheneOS makes substantial improvements to both privacy and security through many carefully designed features built to function against real adversaries. The project cares a lot about usability and app compatibility so those are taken into account for all of our features.
Let's look closer at some of the features it brings to the table. This is a shortened list, for the full list, see https://grapheneos.org/features and https://grapheneos.org/faq#security-and-privacy
Partial list of GrapheneOS features beyond what AOSP 11 provides:
- Hardened app runtime
- Stronger app sandbox
- Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
- Hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with reducing the lifetime of sensitive data in memory. The hardened_malloc README has extensive documentation on it. The hardened_malloc project is portable to other Linux-based operating systems and is being adopted by other security-focused operating systems like Whonix. Our allocator also heavily influenced the design of the next-generation musl malloc implementation which offers substantially better security than musl's previous malloc while still having minimal memory usage and code size.
- Hardened kernel
- Prevention of dynamic native code execution in-memory or via the filesystem for the base OS without going via the package manager, etc.
- Filesystem access hardening
- Enhanced verified boot with better security properties and reduced attack surface
- Enhanced hardware-based attestation with more precise version information
- PIN scrambling option
- LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy code
- Default enabled per-connection MAC randomization as an improvement over Android's default per-network MAC randomization reusing the same MAC address until the DHCP lease with that network expires (can still use the standard implementation or fully disable it)
- Vanadium: hardened WebView and default browser — the WebView is what most other apps use to handle web content, so you benefit from Vanadium in many apps even if you choose another browser
- Hardware-based security verification and monitoring: the Auditor app app and attestation service provide strong hardware-based verification of the authenticity and integrity of the firmware/software on the device. A strong pairing-based approach is used which also provides verification of the device's identity based on the hardware backed key generated for each pairing. Software-based checks are layered on top with trust securely chained from the hardware. For more details, see the about page and tutorial.
- PDF Viewer: sandboxed, hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection, etc.
- Encrypted backups via integration of the Seedvault app with support for local backups and any cloud storage provider with a storage provider app
- Secure application spawning system avoiding sharing address space layout and other secrets across applications
First, you'll need at least 2 GB RAM, 8 GB Storage, and of course a USB cable for the phone.
First OEM unlocking needs to be enabled from within the operating system. Enable the developer options menu by going to Settings ➔ About phone and repeatedly pressing the build number menu entry until developer mode is enabled. Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the 'Enable OEM unlocking' setting. This requires internet access on devices with Google Play services as part of Factory Reset Protection (FRP) for anti-theft protection.
Use the same terminal for the whole installation process. If you close it, you'll loose the setup of the environment for the installation.
# On Debian, Kali, Ubuntu clients, install the standalone tools.
sudo apt install libarchive-tools
curl -O https://dl.google.com/android/repository/platform-tools_r31.0.1-linux.zip
echo 'e347361d1e6f8802da64272903b07180199e75f1a3b6636f851744d32b2fb090 platform-tools_r31.0.1-linux.zip' | sha256sum -c
bsdtar xvf platform-tools_r31.0.1-linux.zipNext, we add the tools to PATH for the current shell session
export PATH="$PWD/platform-tools:$PATH"Next, we need to check the Fastboot version, run
fastboot --versionNote, Fastboot should be at least 29.0.6 for this project. Next we install the android-sdk-platform-tools
sudo apt install android-sdk-platform-tools-commonNow we need to switch the phone into the bootloader interface. To do this turn off the phone, hold down the volume button, and turn on the phone again, until you're in the bootloader.
Next, plug the phone into the computers USB port again, and let the computer set up udev rules ifself. It should do this automatically when the phone plugs in.No we unlock the bootloader.
From the console, run
fastboot flashing unlockYou need to confirm this on the phone, and when you do, it will wipe the phone data. Use one of the volume buttons to switch selection on the phones menu, and the power button to confirm your selection.The next step is to download the OS image file itself from the GrapheneOS website. https://grapheneos/releases.
curl -O https://releases.grapheneos.org/bramble-factory-2021.03.19.14.zipNow, we need to unpack the zip file, so we can start the flashing process.
tar xvf bramble-factory-2021.03.19.14.zipWhen it's done, we're ready to flash. Jump into the unpacked directory, and run the flash tool.
#jump into the directory that we unzipped.
cd bramble-factory-2021.03.19.14
#run the flash script.
./flash-all.shLet it run, and if it finishes without errors, we lock the bootloader back up again, with the command
fastboot flashing lockIn the phones settings, remember to turn off OEM unlocking under developer settings, and finally turn off developer menu. This is recommended for everyday use of the phone.
Now, a piece of advice for some apps, because Graphene itself won't have anything but the bare minimum.
"Signal IM", You have to download a "De-Googled" version of signal, and install it from your own machine, get the apk from here. https://signal.org/android/apk/
Simply visit the signal website link from the phones browser, and download the app. Remember to allow the installation of third party apps from settings, and turn if off again when you're done installing Signal.
"Conversations", A jabber client that features OMEMO encryption and encrypted groupchat. It can be used with public Jabber servers, or with your own server, depending on use case.
"Etar", Calendar app,
"OsmAnd", A map app, using OpenstreetMap maps and can be used both online and offline depending on what you want, since the maps are downloaded to the phone on first use.
"DAVx", Sync to cardDAV / calDAV servers, contacts, calender and to-do list. Requires opentask app also.
So, there you have it, a short list of apps for getting up and running. Note, there's also Nextcloud Talk, NextCloud clients and a bunch of other stuff in F-Droid, so check it out.
Now, enjoy you private "De-Googled" phone :)