[EOL] Osprey LineageOS 13 with microG patch

Status
Not open for further replies.

MSe1969

Senior Member
Dec 16, 2016
1,415
2,578
133
Frankfurt Rhine-Main metropolitan region
Hi,

this thread aims at keeping the LineageOS 13.0 version alive for the Moto G 2015 (osprey) device with current security patches from LineageOS (branch 'cm-13.0'). The build here has already a history in this thread on XDA - it may be worth to scroll through it to find additional information.

The build has got the following features:
  • LineageOS 13 with current security patches
  • Patched for microG (see https://microg.org, signature spoofing as switchable permission)
  • Squid kernel for the Osprey device (own fork)
  • LineageOS Jelly Browser
  • Current Android System Webview
  • CMUpdater is not part of this build
  • Renewed CA-certificates from AOSP master branch
  • VoLTE (may not work in all cases!)

Current build data
Download here
  • AOSP tag android-6.0.1_r81
  • Security string 2018-06-01
  • Android System Webview on M66 (stable, taken from LineageOS 14.1)
  • Contains the fix for the KRACK attack against WPA2
  • Root access included (can be switched on/off in developer settings)

Unofficial microG-build as 2nd build variant
Download here
Hardened build with pre-installed microG apps. For more information, see https://lineage.microg.org/
(This is an unofficial build for LineageOS 13 f. osprey based on the work described on the project page)
Different from the 1st build, the following features apply, everything else is the same:
  • No root available (can be flashed separately)
  • Pre-installed microG apps (see lineage.microg.org page)
  • SQLite 'secure delete' feature enabled
  • Access to /proc/net blocked for user apps
  • Enhanced Privacy Guard (1): Switches for motion sensors and other sensors available
  • Enhanced Privacy Guard (2): Switches for read phone state and storage (read/write) available
  • Oreo backport: SET_TIME_ZONE permission restricted to system apps
  • Oreo backport: Access to timers in /proc restricted
  • Cloudflare DNS (1.1.1.1) as default fallback
  • Privacy-preferring default settings

Source Code links
LineageOS: https://github.com/LineageOS
Kernel: https://github.com/MSe1969/android_kernel_motorola_msm8916/tree/mse_cm13
microG patch: https://github.com/microg/android_p...aster/patches/android_frameworks_base-M.patch
microG-Build: https://github.com/lineageos4microg
local manifest: https://github.com/cm13-microG/local_manifests
hardening features: see reserved post further below

Installation instructions

YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty information available.

Pre-Requisites
  • Get familiar with the hardware keys of the Motorola Moto G 2015 (osprey) device, especially how to enter fastboot mode (switch phone off hold power + volume down together for about 3 seconds) and recovery mode (in fastboot mode, switch with volume key to the reboot recovery option and select with power key)
  • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
  • Download the most current .ZIP file of this ROM and place it to your phone's internal memory or SD card
  • If you wish to install Google apps (GApps), please refer to the GApps section further below
  • An unlocked bootloader (read the warnings carefully and backup your data!

Install TWRP recovery
If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. If you have already a working custom recovery on your device, there is no necessity to replace it.
However - I recommend to use the TWRP recovery linked here. The following instructions are based on TWRP.
To install TWRP, download the TWRP.img file (Note: replace "TWRP.img" in the following instructions with the real file name) from this section to your PC, get it into 'fastboot mode', connect the device via USB to your PC and enter the following command on your PC:
Code:
fastboot flash recovery TWRP.img
Afterwards, directly boot into 'recovery mode' (see above) - I recommend not to boot the phone's Android system after having flashed TWRP. Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP should be TWRP in recovery mode.

Advanced Wipe
ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and spefify "Dalvik", "System", "Cache" and "Data" to be wiped.
Make sure NOT to wipe "Internal memory" or "SD Card". Swipe to confirm the deletion and get back into the main menu.

GApps
The following instructions only apply for the 1st variant, do not flash Gapps over the "microG build":
You do not need to install GApps, but you may wish to do so. In that case, download GApps from here and put the .ZIP also to the SD card or Internal memory of your device.
Choose ARM as platform, Android 6.0 and the flavor of your choice. I recommend "pico", as this leaves you the most freedom to only install, what you really need; you can later still install all the Google products you want and do not need to live with pre-installed Google applications you have no use for. The 'microG patch' in this ROM has no negative impact on installing Gapps.

Install the ROM
In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard) or your SD card (path /external_sd).
Choose the .ZIP file of this ROM and swipe to flash. If you update from a previous version of this ROM, you don't need to perform a wipe.
If you had GApps already installed before the update, there is no need to flash them again. They will be automatically restored during the flash process.
(Note: If you wish to get rid of GApps, navigate to TWRP's file manager in the Advanced section of the main menu, go to path /system/addon.d and delete the file 70-gapps.sh, before flashing the ROM update)
If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
If you wish to install GApps, select the respective .ZIP file directly afterwards, do not boot into Android before having flashed GApps. When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into Lineage OS 13.0 - be patient, the first boot after flashing a new ROM takes quite long!



microG Installation

These instructions apply to the 1st 'default' variant, not the 'microG build' (which has already microG installed)
The ROM is patched for the use of microG, but it does not contain the microG system components.

The best way to obtain them is to include the microG repository into the F-Droid store as described on the microG Download page, where you will also find links for the direct download of the .apk files.

Please refer to the official installation instructions. However, there are three pieces of information, which are explained on the microG pages, but unfortunately not directly in the installation instructions, so I would like to point them out here:

  1. Download the 'unstable' Gms Core version 0.2.4-105-... to avoid "outdated play services" warnings
  2. The Location Provider functionality is included in Gms Core, but also available as separate application. I recommend Gms Core - however, the explanation is not included in Gms Core, but only here
  3. To grant the signature spoofing permission, go to Settings - Apps - Advanced (the 'gear' icon) - App Permissions - Spoof package signature; it is not possible when you enter the individual app's permissions menu



Credits
Android Open Source project (AOSP)
LineageOS project
squid2 (Kernel)
microG project


XDA:DevDB Information
Osprey LineageOS 13 with microG patch, ROM for the Moto G 2015

Contributors
MSe1969
Source Code: https://github.com/cm13-microG/local_manifests

ROM OS Version: 6.0.x Marshmallow
ROM Kernel: Linux 3.10.x
Based On: LineageOS

Version Information
Status: Testing

Created 2017-10-23
Last Updated 2018-07-24
 

MSe1969

Senior Member
Dec 16, 2016
1,415
2,578
133
Frankfurt Rhine-Main metropolitan region
Change Log

June 20th, 2018
Announcement to discontinue the cm-13.0 builds - please visit my Lineage OS 14.1 microG thread, which continues with LineageOS 14.1

June 10th, 2018
  • Security string 2018-06-01

May 22nd, 2018
  • Security string 2018-05-01
  • Android System Webview M66
  • Cloudflare DNS as default (instead of Google)
  • Privacy-preferred default settings
  • Kernel fix for in-call sound issue

April 11th/12th, 2018
  • Security string 2018-04-01
  • Android System Webview M65

March 16th/17th, 2018
  • Security string 2018-03-01
  • Squid Kernel r22c (Oreo)
  • Renewed CA certificates from AOSP master branch
  • Bugfix of date/time reset on reboot, when no carrier sync
  • Bugfix in microG build: Always skip GMS page in SetupWizard

February 19th, 2018
  • Update after ASB merge in LineageOS 13.0
  • Webview now on stable M64

February 10th, 2018
  • Security string 2018-02-01
  • Squid Kernel r22c (Oreo)
  • Privacy Guard enhancements
  • Further security hardening in 2nd "microG build" variant

January 16th, 2018
  • Security string 2018-01-01
  • Squid Kernel r22 (Oreo)
  • System Webview switched back to M63-stable
  • 2nd build variant "unofficial microG build"

December 21st, 2017
  • Security string 2017-12-01
  • Squid Kernel r21 (Oreo) forked
  • Recent Jelly build
  • Android System Webview 64.0.3282.30 (beta)

November 24th, 2017
  • Security string 2017-11-01
  • Squid Kernel (Nougat) forked and merged 3.10.108 updates from kernel.org

October 23rd, 2017
  • Fix of KRACK attacks
  • Security string 2017-10-01
  • AOSP tag 6.0.1_r81
  • Android System Webview updated to M64
  • Squid Kernel (Nougat)

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Historical entries from this thread:

September 21st, 2017
  • Security string 2017-09-01
  • AOSP tag 6.0.1_r80
  • Jelly updates
  • Fix of 'Blueborne' attack (part of Sept. security patches)

September 2nd, 2017
  • Security string 2017-08-01
  • Android System Webview updated to M60

July 14th, 2017
  • Security string 2017-07-01

June 14th, 2017
  • Security string 2017-06-01
  • Android System Webview updated to M59

May 28th, 2017
  • Replaced Gello with new LineageOS Jelly Browser
  • Android System Webview updated to M58

May 26th, 2017
  • Security string 2017-05-01

April 17th, 2017
  • Security string 2017-04-01
  • AOSP tag 6.0.1_r79

March 24th, 2017
  • Security string 2017-03-01
  • Included Kernel from cm-14.1 branch to regularly receive sec. patches

March 13th, 2017
  • Security string 2017-02-01

February 21st, 2017
  • Security string 2017-01-01
  • Rebranded LineageOS
 
Last edited:

MSe1969

Senior Member
Dec 16, 2016
1,415
2,578
133
Frankfurt Rhine-Main metropolitan region
Security Hardening (microG build)

Details about additional security hardening in the "microG build"

1. SQLite 'Secure Delete' feature
This sanitizes deleted data by overwriting it with zeroes, rather than having it persist within SQLite's free list.
Backport from Oreo, see https://android-review.googlesource.com/q/topic:"secure_delete"

2. Restrict SET_TIME_ZONE permission to system apps
Backport from Oreo, see here

3. Enhanced Privacy Guard (1) - Sensor permission switches
An own sensor template to control access to motion sensors (ask mode) and all other sensors (allowed by default, but can be restricted) has been implemented into the Privacy Guard. Commits: (1), (2), (3)

4. Enhanced Privacy Guard (2) - Switches for 'Read phone state' and 'Storage'
The existing AppOps to read the phone's IMEI and to control access to the SD card have been made accessible.
This is a cherry-pick of the proposed LineageOS change here

5. Restrict access to /proc/net for user apps
An adapted SELinux policy prevents user apps from accessing the /proc/net pseudo file system, which can be misused to monitor and track the phone's internet traffic. For technical backgrounds, see here. This is the main commit. For the legitimate use case of the smart phone owner him/herself monitoring the network traffic to see, what the installed apps do, the app Privacy-Friendly Network Monitorhas been bundled

6. Access to timing information in /proc restricted
To prevent side-channel attacks as described here, the respective Oreo patch has been back-ported.

7. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the deafult DNS settings (as fallback) and network diagnostics, the Cloudflare DNS adresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)

8. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 14.1 (all setting can be changed at any time later):
  • Privacy Guard is enabled on install (proposal during Setup)
  • Anonymous LineageOS statistics disabled (proposal during Setup)
  • The standard browsing app does not get the location runtime permission automatically assigned
 
Last edited:

shadowbone

Senior Member
Oct 6, 2017
89
22
0
Every time the ambient display lights up the screen, it is in on a high brightness mode. And the moment I tap, it gets back to normal brightness. I know this could be a cm13 issue but, any way to resolve this ?
 
Last edited:

MSe1969

Senior Member
Dec 16, 2016
1,415
2,578
133
Frankfurt Rhine-Main metropolitan region
VoLTE

As you can see in the old thread, there have been some discussions about VoLTE support (and also some attempts from my side to get it running).

Let me quickly summarize:
  • I have tried the VoLTE patch(es) from XDA - VoLTE menu was there but no VoLTE calls on my phone
  • I have tried to create a test build with the contents of those patches and also looked at what was done in cm-14.1 - same result: menu there, but no VoLTE calls (LTE symbol disappears when calling)
  • Got mixed feedbacks from people using the test build - works well for the ones and does not work or stops working after reboot for others . . .
  • LineageOS 14.1 is supposed to have VoLTE support f. osprey - same story, not on my phone (menu entry there, but *#*#4636#*#* menu and IMS status there tells VoLTE not available - tested with SIM cards from different carriers)

So I'm having trouble to get it working on my device (XT1541 16GB) at all. On my repo's at github, the msm8916 device and vendor tree have two volte branches for testing.

Any insight, advice and/or build suggestions welcome :)
 

rahul9999

Senior Member
Oct 22, 2012
1,861
2,017
113
India - Mumbai
As you can see in the old thread, there have been some discussions about VoLTE support (and also some attempts from my side to get it running).

Let me quickly summarize:
  • I have tried the VoLTE patch(es) from XDA - VoLTE menu was there but no VoLTE calls on my phone
  • I have tried to create a test build with the contents of those patches and also looked at what was done in cm-14.1 - same result: menu there, but no VoLTE calls (LTE symbol disappears when calling)
  • Got mixed feedbacks from people using the test build - works well for the ones and does not work or stops working after reboot for others . . .
  • LineageOS 14.1 is supposed to have VoLTE support f. osprey - same story, not on my phone (menu entry there, but *#*#4636#*#* menu and IMS status there tells VoLTE not available - tested with SIM cards from different carriers)

So I'm having trouble to get it working on my device (XT1541 16GB) at all. On my repo's at github, the msm8916 device and vendor tree have two volte branches for testing.

Any insight, advice and/or build suggestions welcome :)
You could get some help from this post.. check by integrating this patch. https://forum.xda-developers.com/2015-moto-g/themes-apps/osprey-volte-patch-android-n-roms-t3527635

Edit - post added
 
Last edited:

MSe1969

Senior Member
Dec 16, 2016
1,415
2,578
133
Frankfurt Rhine-Main metropolitan region

MSe1969

Senior Member
Dec 16, 2016
1,415
2,578
133
Frankfurt Rhine-Main metropolitan region
It isn't that big a difference but perhaps I could provide you a log, if that could help.
Hi, haven't really noticed anything unusual in the log, I also use afwall and Xprivacy. Only noticed you use a battery app, but log does not indicate any issues... So I am afraid I can't really help, as I can't reproduce this behavior on my device.
 
  • Like
Reactions: shadowbone

shadowbone

Senior Member
Oct 6, 2017
89
22
0
Hi, haven't really noticed anything unusual in the log, I also use afwall and Xprivacy. Only noticed you use a battery app, but log does not indicate any issues... So I am afraid I can't really help, as I can't reproduce this behavior on my device.
Yeah, I use the betterbatterystats from xda. I guess I will try and do a dalvik cache clear and if possible do a clean rom flash in the near future and try again. Else, it must be some device specific issue.
Anyway thanks a lot for your time. I appreciate it.
 
Status
Not open for further replies.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone