[ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T

By MSe1969, Senior Member on 21st January 2019, 03:07 PM
12th April 2019, 04:49 PM |#101  
MSe1969 (OP, Frankfurt Rhine-Main metropolitan region)
Quote:
Originally Posted by DeadlyToast

Hey, I have few questions before i install this ROM.
Can I use the F-Droid repos for MicroG and Bromite to update them or will I need to wait for your ROM updates?

Yes, you can. The delivered microG apk files have the F-Droid keys. And Bromite uses its own F-Droid repo, so obviously the same keys as the apks to download from Bromite.org (where I get them as well).

Quote:
Originally Posted by DeadlyToast

Can I use a custom kernel with your ROM or did you do some modifications to it when you were adding features?

No additional modifications related to any feature of the ROM, so you can use a different kernel, if you like. Of course, I can't assure you that you won't have issues and I can't give you any support, but I think that should be clear anyhow.

Quote:
Originally Posted by DeadlyToast

How long are you planning to stay on oreo? I like this ROM since it has some nice privacy addons and it's based on oreo so I can use Xposed.

Short answer: Still for a longer while
Long answer: I have started to test building Pie and bring the features of this ROM to a Pie build. Besides this being by far not finished yet, I have some significant issues right now with microG and coarse location: sometimes it works, sometimes it does not work - I have also seen similar issues raised by other OP3T users using the "official" lineage-16.0 microG ROM to the GMSCore repo of microG, but no clear indication yet. Have so far not come close to the issue (ok, did also not spend time with that recently) - don't know whether related, but the weather widget is also frozen in those cases and the lineage-15.1 fix to remove the unnecessary wake-lock did not help here . . .
If someone reading this has an idea, I will be grateful for any hint - @anupritaisno1 : maybe you have any idea? You are building pie already for the OP3T . . .
 
12th April 2019, 09:43 PM |#102  
Quote:
Originally Posted by MSe1969
[post #101 quoted in full]

Thanks for the answers!
19th April 2019, 04:50 AM |#103  
mnsiw
What about battery performance on this ROM, search returned no result about it.
19th April 2019, 09:02 AM |#104  
MSe1969 (OP)
Quote:
Originally Posted by mnsiw

What about battery performance on this ROM, search returned no result about it.

Is OK from my point of view, I don't experience any issues using it as my daily driver and haven't received any complaints so far.
20th April 2019, 04:16 PM |#105  
Jonny5isalivetm (Belfast)
Hey thanks for the ROM, seems mega so far, google free woohoo ;d took a while to work out how to sync google contacts but after that it is mega, just if I bring back a TWRP backup it fails every time.. I am on latest TWRP version 3.3 for our phones, anybody else have issues?
20th April 2019, 05:41 PM |#106  
MSe1969 (OP)
Quote:
Originally Posted by Jonny5isalivetm

Hey thanks for the ROM, seems mega so far, google free woohoo ;d took a while to work out how to sync google contacts but after that it is mega, just if I bring back a TWRP backup it fails every time.. I am on latest TWRP version 3.3 for our phones, anybody else have issues?

Haven't tried the newest TWRP, yet. What is the error raised by TWRP?
20th April 2019, 05:48 PM |#107  
Jonny5isalivetm (Belfast)
There is no error it restores all fine, but bootloops before it reaches the lineage logo
20th April 2019, 07:02 PM |#108  
anupritaisno1
Quote:
Originally Posted by MSe1969

Hi @anupritaisno1 - thanks for your feedback.


Indeed a valid point - do you have a good idea how to "establish a link" between Settings in the ROM and the "backup tool" (see also next item)? One of my objectives is to provide functionality not necessarily requiring active root - so anything which would need to remount the system partition (which can only be done with root access) is out of scope.


Issue is that the backup tool by default first takes the contents of /system/addon.d, then executes the "pre-backup" tasks, then flashes the new ROM, then executes the "post-flashing" tasks - still with the /system/addon.d files from the previous ROM! The only thing I could think of would somehow be a modified updater-script in the flashable ZIP - which brings me to the question, where to find the place in the build tree where that is defined (I have started searching for it, but wasn't lucky finding it yet - because if I consider that approach, I would like to make sure to build and use that modified updater-script automatically in the ROM ZIP). Any thoughts?


Well, a point which definitely is subject to the individual point of view. I don't want to object to your point stating "leave it up to the user", because you are right!
Nevertheless, this ROM has the idea of some "pre-delivered privacy" in focus (which means something "ready to use" rather than "gain root, search the net and take care yourself") and people keen on using microG instead of Google are usually also not the kind of people who consider unrelated ad pop-ups on sites, they visit, as something valuable, which they would miss, if not present . . .
My ROM e.g. also uses Bromite WebView and not the "vanilla AOSP" Webview and the question "why not leave that up to the user, whoever wants Bromite should flash it himself" would be equally valid. . .

EDIT:

True - Alternative is to activate root and use e.g. the AdAway app (from which I take my updates).
Without root, a frequent monthly update is better than nothing (one objective of this ROM is to provide features, for which you normally would need root).
/EDIT


The idea of defining an own DNS is still on my to-do list - independently of ad-blocking. More to come.
The motivation to use a different DNS is driven by different factors: circumvent censorship (which also is a topic in the "free and democratic countries", if you ask me - of course, it is then called "copyright" or "ban of fake news" instead of "censorship" ), no logging ("Hey Google!") or - as you indicated - filter out ads. The DNS servers recommended by those organizations supporting data privacy and net freedom have especially no-logging and no-filtering in mind - to my knowledge, ad-blocking DNS are mostly operated by commercial companies who in parallel are interested to sell their solutions. Different from the hosts file, which can be viewed by everybody, the filtering of such an ad-blocking DNS is not necessarily transparent. Maybe you have some DNS to recommend, which would address those concerns?
Further - some public WiFi / Hotel WiFI etc. have "funny" setups enforcing their specific DNS, which you can't really circumvent. The hosts file still works under those conditions . . .
Also, web sites fighting against ad-blockers are quite good in doing so if you use browser add-ins, but they mostly still work with an ad-blocking hosts file.

There's a blank reserve partition on the device. This partition is used for storing dm-verity metadata and the crypto footer but
Op3 doesn't use this partition to store the metadata
The crypto footer is the last 16 KiB of the userdata partition

By spec the FRP bit is the last byte on the config partition on the op3. You can take that code as an example and use it to write a value out to the reserve partition which can then be read by the ROM installer

Backuptool is actually disabled by default. It is only shipped if the --backup=true argument is supplied to ota_from_target_files.py

Look for a commit "releasetools: squash backuptool support" in build/make or grep for "backup=true" in build

Webview discussion will be added in the next post I write

Actually that's quite a bad idea. Let us say you do define a DNS. A DNS server is as secure as your entropy source can be but if you're running on a vhost or some VPS you're not going to really have great entropy. The only way to make it secure would be to run a private DNS server yourself

True, you could buy a dedicated server, use Intel's probably backdoored entropy generator and mix it with haveged to get an almost random source but I'd leave that up to you

For DNS I just have a general rule:

"Any public-facing DNS server is inherently insecure"

I don't really care what you think about this. It's just my opinion and that's it

While I'm at it here's my DNS server configuration

Code:
server:
  use-syslog: yes
  do-daemonize: no
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key

  num-threads: 4

  #List of root DNS servers
  root-hints: root.hints

  #Respond to DNS requests on all interfaces
  interface: 0.0.0.0
  interface: ::0
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  max-udp-size: 3072

  #Authorized IPs to access the DNS Server
  access-control: 0.0.0.0/0                 allow
  access-control: 127.0.0.1                 allow
  access-control: ::/0                      allow
  #Hide DNS server info and harden query handling
  harden-short-bufsize: yes
  harden-large-queries: yes
  harden-below-nxdomain: yes
  harden-referral-path: yes
  harden-algo-downgrade: yes
  use-caps-for-id: yes
  val-clean-additional: yes
  hide-identity: yes
  qname-minimisation: yes
  hide-trustanchor: yes
  hide-version: yes

  #Limit DNS fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  aggressive-nsec: yes

  #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS poisoning
  unwanted-reply-threshold: 10000000

  #Cache sizes and slabs
  msg-cache-size: 128k
  msg-cache-slabs: 2
  rrset-cache-size: 8m
  rrset-cache-slabs: 2
  key-cache-size: 32m
  key-cache-slabs: 2

  #Minimum lifetime of cached entries in seconds
  cache-min-ttl: 3600

  #Maximum lifetime of cached entries in seconds
  cache-max-ttl: 14400
This is a configuration file for unbound
This was taken from an Arch Linux machine. You'll have to read your distribution's docs before you use it

It enables all the security features Cloudflare and Google employ and enables a few more

A good entropy source is a must for running a DNS server

---------- Post added at 23:12 ---------- Previous post was at 23:04 ----------

Quote:
Originally Posted by MSe1969

Yes, you can. The delivered microG apk files have the F-Droid keys. And Bromite uses an own F-Droid repo, so obviously the same keys as the apks to download from Bromite.org (where I get them as well).


No additional modifications related to any feature of the ROM, so you can use a different kernel, if you like. Of course, I can't assure you that you won't have issues and I can't give you any support, but I think that should be clear anyhow.


Short answer: Still for a longer while
Long answer: I have started to test building Pie and bring the features of this ROM to a pie build. Besides this by far not finished yet, I have some significant issues right now with microG and coarse location: Sometimes it works, sometimes it does not work - have seen also similar issues raised by other OP3T users using the "official" lineage-16.0 microG ROM to the GMSCore repo of microG, but no clear indication yet. Have so far not come close to the issue (ok, did also not spend time with that recently) - don't know whether related, but the weather widget is also frozen in those cases and the lineage-15.1 fix to remove the unnecessary wake-lock did not help here . . .
If someone reading this has an idea, I will be grateful for any hint - @anupritaisno1 : maybe you have any idea? You are building pie already for the OP3T . . .

Actually glassrom has a very liberal stance on this and doesn't force the user to stay with any single configuration. You can boot without gapps, use microg and still use chrome's proprietary webview as a user app or you can just install the bromite webview to the system yourself

You can flash whatever gapps and so on

In other words there's no single "correct" way to use glassrom. Users often decide what they want and surprisingly few users actually use microg

I have these users:
Users who flash gapps (that includes me)
Users who don't flash gapps at all

However I don't know of anyone who's using microg on glassrom. Yes there is streetwalrus who added the microg support commits to glassrom but he does his own private builds and uses an op2 so I only know that the feature itself works but nobody really has used it on the op3, at least on glassrom that is

So I'm sorry about that. I cannot answer this question

In my testing GPS was fine but that was with the opengapps stock package

---------- Post added at 23:16 ---------- Previous post was at 23:12 ----------

Quote:
Originally Posted by Jonny5isalivetm

There is no error it restores all fine, but bootloops before it reaches the lineage logo

After the bootloop immediately go to TWRP and copy all files in /sys/fs/pstore

Note that during bootloops there's often a fair bit of memory corruption going on too so you might have to reproduce the bootloop at least 3 times and collect 3 unique logs

While these logs usually do not contain any personally identifiable information it is best to submit these in private

---------- Post added at 23:32 ---------- Previous post was at 23:16 ----------

Another addition: do not edit the global updater-script unless you have a proper reason to do so

Example commit: https://github.com/GlassROM/android_...78d4fd1e71cc09

You should instead edit releasetools.py in your device tree and only make changes to this file if absolutely required
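An added checker for the kind of unbound "server:" block posted above (example code written for this thread, not anupritaisno1's or unbound's own tooling). It parses the clause, flags an allow rule for the whole address space (an open resolver), reports duplicated options such as the repeated harden-referral-path, and lists hardening options that are missing; POSTED_CONF is a constructed excerpt of the posted file and LAN_CONF a constructed LAN-only variant.

```python
# Constructed excerpt of the posted unbound.conf, used as sample input.
POSTED_CONF = """server:
  username: "unbound"
  interface: 0.0.0.0
  interface: ::0
  #Authorized IPs to access the DNS Server
  access-control: 0.0.0.0/0 allow
  access-control: 127.0.0.1 allow
  access-control: ::/0 allow
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  harden-referral-path: yes
  hide-identity: yes
  hide-version: yes
  qname-minimisation: yes
"""

# Constructed variant: still listens everywhere, but only answers the local networks.
LAN_CONF = POSTED_CONF.replace(
    "access-control: 0.0.0.0/0 allow",
    "access-control: 0.0.0.0/0 refuse\n  access-control: 192.168.0.0/16 allow",
).replace("access-control: ::/0 allow", "access-control: ::/0 refuse")

# unbound.conf(5) options a recursive resolver should have set to yes.
HARDENING = ("harden-glue", "harden-dnssec-stripped", "harden-below-nxdomain",
             "harden-referral-path", "harden-algo-downgrade", "use-caps-for-id",
             "qname-minimisation", "hide-identity", "hide-version", "aggressive-nsec")
ANY_NET = {"0.0.0.0/0", "::/0"}
REPEATABLE = {"interface", "access-control"}   # legitimately given more than once


def parse_server_block(text):
    """Return (option, value) pairs of the 'server:' clause; comments are dropped
    and whitespace runs inside values are collapsed to one space."""
    pairs, in_server = [], False
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if not code.strip():
            continue
        if not code[0].isspace():            # an unindented line is a clause header
            in_server = code.strip() == "server:"
            continue
        if in_server:
            key, _, val = code.strip().partition(":")
            pairs.append((key.strip(), " ".join(val.split())))
    return pairs


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse_server_block(text)
    findings = []
    # 1. Open resolver: an allow rule for the whole address space answers anyone
    #    who can reach the port, which makes the host usable for DNS amplification.
    for key, val in pairs:
        if key == "access-control":
            net, action = val.split()[0], val.split()[-1]
            if net in ANY_NET and action.startswith("allow"):
                findings.append(f"open resolver: access-control {net} {action}")
    # 2. Duplicated options: the last value silently wins, hiding editing mistakes.
    seen = set()
    for key, _ in pairs:
        if key not in REPEATABLE:
            if key in seen:
                findings.append(f"duplicate option: {key}")
            seen.add(key)
    # 3. Hardening options that are missing or switched off.
    for opt in HARDENING:
        vals = [v for k, v in pairs if k == opt]
        if not vals:
            findings.append(f"missing: {opt}: yes")
        elif vals[-1] != "yes":
            findings.append(f"{opt} is '{vals[-1]}', expected yes")
    return findings
```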
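An added helper for the pstore advice above (example code written for this thread, not part of the ROM or TWRP): it assumes each bootloop's /sys/fs/pstore has already been copied to a local directory (for example with adb pull from TWRP), keeps only files whose content was not archived in an earlier round so that three reproductions really yield distinct logs, and scans the archive for the usual kernel panic markers. The demo() scenario and its log lines are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Kernel console messages that normally explain a bootloop (real kernel strings).
PANIC_MARKERS = ("Kernel panic - not syncing", "Unable to handle kernel", "BUG:", "Oops")


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def collect_unique(pull_dir, archive_dir, round_no):
    """Copy each file of pull_dir (a local copy of /sys/fs/pstore) into
    archive_dir/round<N>/ unless an identical file was archived in an earlier round.
    Returns the destination paths that were actually archived."""
    archive = Path(archive_dir)
    archive.mkdir(parents=True, exist_ok=True)
    known = {sha256_of(p) for p in archive.rglob("*") if p.is_file()}
    added = []
    for src in sorted(Path(pull_dir).iterdir()):
        if not src.is_file():
            continue
        digest = sha256_of(src)
        if digest in known:            # same crash log as before: nothing new learned
            continue
        known.add(digest)
        dst = archive / f"round{round_no}" / src.name
        dst.parent.mkdir(exist_ok=True)
        shutil.copy2(src, dst)
        added.append(dst)
    return added


def panic_lines(archive_dir):
    """Return ("round<N>/<file>", line) pairs for every archived line with a panic marker."""
    hits = []
    for p in sorted(Path(archive_dir).rglob("*")):
        if p.is_file():
            for line in p.read_text(errors="replace").splitlines():
                if any(m in line for m in PANIC_MARKERS):
                    hits.append((f"{p.parent.name}/{p.name}", line.strip()))
    return hits


def demo():
    """Constructed three-round scenario: rounds 1 and 2 hit the same panic, round 3 a
    different one. Returns the files archived per round and the panic lines found."""
    base = Path(tempfile.mkdtemp())
    archive = base / "archive"
    logs = [  # constructed console-ramoops contents, one per reproduced bootloop
        "[    3.1] init: starting\n[    4.2] Kernel panic - not syncing: Attempted to kill init!\n",
        "[    3.1] init: starting\n[    4.2] Kernel panic - not syncing: Attempted to kill init!\n",
        "[    3.0] init: starting\n[    5.7] Unable to handle kernel NULL pointer dereference\n",
    ]
    counts = []
    for n, text in enumerate(logs, start=1):
        pull = base / f"pull{n}"
        pull.mkdir()
        (pull / "console-ramoops-0").write_text(text)   # file name used by ramoops
        counts.append(len(collect_unique(pull, archive, n)))
    hits = panic_lines(archive)
    shutil.rmtree(base)
    return counts, hits
```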
21st April 2019, 02:47 AM |#109  
Jonny5isalivetm (Belfast)
heh well it is working and took awhile to sort out all the small configuration stuff and I do not fancy breaking it again <_<
24th April 2019, 01:13 PM |#110  
MSe1969 (OP)
Quote:
Originally Posted by anupritaisno1
[post #108 quoted in full]

Many thanks for all the information provided, good to know.
Don't want to quote each single statement, just would like to thank you for all the useful information and feedback - really appreciated.

Just a comment regarding DNS:
My point was to reply to your previous stance "why not use a DNS to filter ads?" - Different from Pie, Oreo does not provide an option to overwrite the default DNS. I am working on an approach to provide a similar functionality in this Oreo build to let the user decide whether such a feature is wanted and if yes, to let the user decide which DNS to use.

To the op3 partition / backup-tool / updater-script topic:
I would like to have a device-independent approach - so right now, I think that I only have the choice between my current approach (only working and backing up the hosts file if data partition is decrypted) and to in general disable the backup-tool, which in my opinion also is not really a good idea . . .
So sticking to my current approach for now (but giving a hint to the user in the respective settings menu)

Thanks again - regards, M.
9th May 2019, 10:36 PM |#111  
MSe1969 (OP)
New build with May 2019 ASB
Hi all,

a new build with the May 2019 ASB is available for download:
https://androidfilehost.com/?fid=1395089523397962294

It consists of the following new features and changes:
  • Kernel upstreamed to 3.18.139
  • Bromite System Webview updated to 74.0.3729.106
  • The "network extras" (captive portal detection and iptables block script) has been moved from 'Data usage' to the 'Network and Internet' main fragment
  • Option to set an own DNS (Settings: Network and Internet) by specifying an IPv4 and IPv6 address (uses iptables netfilter)
  • Option to deny new USB connections (Settings: Security and Privacy)
  • Increased maximum password length to 64
  • Additional options to restrict secondary users (disallow app installation and audio recording)

Regards, M.