
[EOL][ROM][Osprey][LineageOS 14.1][Substratum][microG] (hardened)

Status
Not open for further replies.

MSe1969

Elite Member
Dec 16, 2016
1,371
2,511
113
Frankfurt Rhine-Main metropolitan region
This thread is discontinued - Please visit my LineageOS 16.0 Osprey thread


Hi,

this is my unofficial LineageOS 14.1 microG-enabled build series for the Moto G 2015 (osprey) device with current security patches.

The builds here already have a history in the Osprey LineageOS 13 with microG patch thread for the 'cm-13.0' branch - it may be worth scrolling through it to find additional information.

The builds have got the following features:
  • LineageOS 14.1 with current security patches (from official LineageOS repositories)
  • Security string 2020-05-05, AOSP tag 7.2.1_r36
  • Squid kernel for the Osprey device (currently own fork with most recent patches)
  • Adapted LineageOS Jelly Browser (additionally having Startpage and Qwant as search engines)
  • OTA Support
  • Root is not included and would need to be flashed separately
  • VoLTE support is same as in official LineageOS (supposed to work, can't test myself)
  • System certificates taken from AOSP Oreo branch
  • Device encryption fully functional

There are three build variants available:

A. Default LineageOS 14.1 with substratum and microG patch
For those who simply want to use LineageOS 14.1 with substratum theme engine
Download here
  • Patched for the use of microG - you can either flash Gapps or manually install microG as apps (or use neither of those)
  • Patched for the use of the substratum theme engine (the substratum app and the themes need to be downloaded separately)
  • System Webview M81

B. Hardened build with pre-installed microG and F-Droid
For the security/privacy focused
Download here
  • Pre-installed microG same as the LineageOS for microG project
  • Pre-installed AuroraStore / AuroraServices
  • Additional security hardening features listed below
  • SQLite 'secure delete' feature enabled
  • Access to /proc/net blocked for user apps
  • Bundled netmonitor app to allow network monitoring
  • Enhanced Privacy Guard: Switches for motion sensors and other sensors available
  • Oreo backport: SET_TIME_ZONE permission restricted to system apps
  • Oreo backport: Access to timers in /proc restricted
  • Cloudflare as default DNS (instead of Google)
  • Privacy-preferred default settings
  • No submission of IMSI/phone number to Google when GPS is in use
  • Bromite System Webview M81

C. Above hardened microG build with substratum patch
Download here
  • Same features as above (B), but . . .
  • Patched for the use of the substratum theme engine (substratum app and themes need to be downloaded separately)

Source Code links
LineageOS: https://github.com/LineageOS
Kernel: https://github.com/lin14-mGoms/android_kernel_motorola_msm8916/tree/mse_v2
microG patch: https://github.com/microg/android_p...aster/patches/android_frameworks_base-N.patch
microG-Build: https://github.com/lineageos4microg
Patches for Substratum: https://github.com/LineageOMS
local manifest: https://github.com/lin14-mGoms/local_manifests
hardening features: see reserved post further below

Installation instructions

YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

Pre-Requisites
  • Get familiar with the hardware keys of the Motorola Moto G 2015 (osprey) device, especially how to enter fastboot mode (switch phone off, hold power + volume down together for about 3 seconds) and recovery mode (in fastboot mode, switch with volume key to the reboot recovery option and select with power key)
  • Activate the Developer options (Settings, about phone: tap 7 times on the build number), get into the new menu Developer options and activate, if available, the option "OEM unlocking"
  • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb (you need to activate the option "USB debugging" in the Developer options)
  • Download the most current .ZIP file of this ROM and place it to your phone's internal memory or SD card
  • The build variants B and C come with microG pre-installed, so not applicable for Gapps (you can flash Gapps only on build variant A)
  • An unlocked bootloader (read the warnings carefully and back up your data!)

Install TWRP recovery
If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. If you have already a working custom recovery on your device, there is no necessity to replace it.
However - I recommend to use the official TWRP recovery from the TWRP site. The following instructions are based on TWRP.
To install TWRP, download the TWRP.img file (Note: replace "TWRP.img" in the following instructions with the real file name) from this section to your PC, get it into 'fastboot mode', connect the device via USB to your PC and enter the following command on your PC:
Code:
fastboot flash recovery TWRP.img
Afterwards, directly boot into 'recovery mode' (see above) - I recommend not to boot the phone's Android system after having flashed TWRP. Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP should be TWRP in recovery mode.

Advanced Wipe
ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and specify "Dalvik", "System", "Cache" and "Data" to be wiped.
Make sure NOT to wipe "Internal memory" or "SD Card". Swipe to confirm the deletion and get back into the main menu.

Install the ROM
In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard) or your SD card (path /external_sd).
Choose the .ZIP file of this ROM and swipe to flash. If you update from a previous version of this ROM, you don't need to perform a wipe.
If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into Lineage OS 14.1 - be patient, the first boot after flashing a new ROM takes quite long!



Credits
Android Open Source project (AOSP)
LineageOS project
squid2 (Kernel)
microG project
CopperheadOS project
Substratum team


XDA:DevDB Information
[EOL][ROM][Osprey][LineageOS 14.1][Substratum][microG] (hardened), ROM for the Moto G 2015

Contributors
MSe1969
Source Code: https://github.com/lin14-mGoms

ROM OS Version: 7.x Nougat
ROM Kernel: Linux 3.10.x
Based On: LineageOS

Version Information
Status: Stable
Stable Release Date: 2020-05-07

Created 2018-03-22
Last Updated 2020-07-12
 


MSe1969

Change Log

12.07.2020 - EOL announcement
Please visit my LineageOS 16.0 thread for the Osprey device

07.05.2020 - May 2020 ASB
  • ASB Security string 2020-05-05
  • System Webview on 81.0.4044.117 (Build Variant A)
  • Bromite Webview on 81.0.4044.127 (Build Variants B and C)
  • AuroraStore updated to 3.2.8 (Build Variants B and C)

10.04.2020 - April 2020 ASB
  • ASB Security string 2020-04-05
  • Fix for CVE-2020-8597 (external/ppp)
  • Kernel: CVE-2019-10638 siphash 128bit for IP generation
  • System Webview on 80.0.3987.132 (Build Variant A)
  • Bromite Webview on 81.0.4044.76 (Build Variants B and C)
  • AuroraStore updated to 3.2.4 (Build Variants B and C)

09.03.2020 - March 2020 ASB
  • ASB Security string 2020-03-01
  • System Webview on 80.0.3987.117 (Build Variant A)
  • Bromite Webview on 80.0.3987.118 (Build Variants B and C)
  • AuroraStore updated to 3.2.0 (Build Variants B and C)
  • Added Netguard app (F-Droid version) to SELinux domain allowing /proc/net (Build Variants B and C)

07.02.2020 - February 2020 ASB
  • ASB Security string 2020-02-01
  • System Webview on 79.0.3945.136 (Build Variant A)
  • Bromite Webview on 79.0.3945.139 (Build variants B and C)
  • Updated AuroraStore 3.1.8 (Build variants B and C)

13.01.2020 - January 2020 ASB
  • ASB Security string 2020-01-01
  • System Webview on 79.0.3945.116 (Build Variant A)
  • Bromite Webview on 79.0.3945.107 (Build variants B and C)
  • Updated AuroraStore 3.1.7 (Build variants B and C)
  • Updated AuroraServices 1.0.5 (Build variants B and C)

07.12.2019 - December 2019 ASB
  • ASB Security string 2019-12-01
  • System Webview on 78.0.3904.108 (Build Variant A)
  • Bromite Webview on 78.0.3904.119 (Build variants B and C)
  • Updated AuroraStore 3.1.5 (Build variants B and C)

10.11.2019 - November 2019 ASB
  • ASB Security string 2019-11-01
  • Bromite Webview on 78.0.3904.72 (Build variants B and C)
  • Updated microG GMS core 0.2.9.x (Build variants B and C)

16.10.2019 - October 2019 ASB
  • ASB Security string 2019-10-01
  • System Webview on 77.0.3865.116 (Build variant A)
  • Bromite Webview on 77.0.3865.104 (Build variants B and C)
  • Aurorastore 3.1.3 with AuroraServices 1.0.4 (Build variants B and C)

10.09.2019 - September 2019 ASB
  • ASB Security string 2019-09-01

11.08.2019 - August 2019 ASB
  • ASB Security string 2019-08-01
  • Additional patches from AOSP branch 'nougat-mr2-security-release'
  • OTA Support
  • Bromite Webview on 76.0.3809.100 (Build variants B and C)
  • Aurorastore 3.0.9 with AuroraServices install method (Build variants B and C)
  • Updated microG GMS core 0.2.8.x (Build variants B and C)

05.07.2019 - July 2019 ASB
  • ASB Security string 2019-07-01
  • System Webview updated to 75.0.3770.101 (Build variant A)
  • Bromite Webview on 75.0.3770.109 (Build variants B and C)

13.06.2019 - June 2019 ASB
  • ASB Security string 2019-06-05
  • System Webview updated to 74.0.3729.157 (Build variant A)
  • Bromite Webview on 75.0.3770.86 (Build variants B and C)
  • Replaced Yalpstore with Aurorastore (Build variants B and C)
  • Updated F-Droid & priv. extension (Build variants B and C)
  • Updated microG GMS core 0.2.7.x (Build variants B and C)

10.05.2019 - May 2019 ASB
  • Security string 2019-05-05
  • System Webview updated to M74 (Bromite, too)
  • Build variants B and C only: pre-installed Yalpstore

08.04.2019 - April 2019 ASB
  • Security string 2019-04-05

12.03.2019 - March 2019 ASB
  • Security string 2019-03-05
  • SystemWebView updated (includes CVE-2019-5786): M72 (build variant A) / M73-Bromite (build variants B and C)
  • Various patches merged from Squid kernel


08.02.2019 - February 2019 ASB
  • Security string 2019-02-05


18.01.2019 - January 2019 ASB
  • Security string 2019-01-05
  • System Webview updated to M71
  • Additional 'spectre v1' mitigations in kernel
  • Update of Timezone data
  • No submission of IMSI/phone number to Google when GPS is in use (only applies to build variants with pre-installed microG)
  • Privacy-enhanced Bromite SystemWebView M71 (only applies to build variants with pre-installed microG)
  • Opt-in (instead of opt-out) for apps having the PACKAGE_USAGE_STATS permission (only applies to build variants with pre-installed microG)


08.12.2018 - December 2018 ASB
  • Security string 2018-12-05
  • Fix of 'adb root' bug


09.11.2018 - November 2018 ASB
  • Security string 2018-11-05


20.10.2018 - October 2018 ASB
  • Security string 2018-10-05
  • System Webview upgraded to M69
  • Added Qwant suggestion provider in Jelly browser
  • Settings: Option in Networks => Datausage to switch off Captive Portal Detection (only applies to build variants with pre-installed microG)
  • microG updated to 0.2.6 (only applies to build variants with pre-installed microG)
  • Menu entry for microG in Settings (only applies to build variants with pre-installed microG)
  • Dialer: Removed Google as forward lookup agent (only applies to build variants with pre-installed microG)


09.09.2018 - September 2018 ASB
  • Security string 2018-09-05
  • Squid Kernel r23 (own fork)
  • microG updated to 0.2.5 (only applies to build variants with pre-installed microG)


11.08.2018 - August 2018 ASB
  • Security string 2018-08-05


24.07.2018 - July 2018 ASB
  • Security string 2018-07-05
  • System Webview upgraded to M67
  • System certificates from AOSP Oreo branch


21.06.2018 - Added build variants in OP
  • Substratum-patched default build
  • Hardened microG-build
  • microG-build with Substratum-patch


10.06.2018 - June 2018 ASB
  • Security string 2018-06-05

22.05.2018 - May 2018 ASB
  • Security string 2018-05-05
  • System Webview upgraded to M66

27.04.2018 - April 2018 ASB
  • Security string 2018-04-05
  • System Webview upgraded to M65
  • Cloudflare DNS as default (instead of Google)
  • Privacy-preferred default settings
  • Privacy-Guard: Motion Sensor AppOp now in 'ask' mode by default

22.03.2018 - Initial upload
  • AOSP tag android-7.1.2_r36
  • Security string 2018-03-05
  • Squid kernel r22c
  • Pre-installed microG apps
  • Adapted LineageOS Jelly Browser (additionally having Startpage and Qwant as search engines)
  • SQLite 'secure delete' feature enabled
  • Access to /proc/net blocked for user apps
  • Bundled netmonitor app to allow network monitoring
  • Enhanced Privacy Guard (1): Switches for motion sensors and other sensors available
  • Enhanced Privacy Guard (2): All available AppOps are shown
  • Oreo backport: SET_TIME_ZONE permission restricted to system apps
  • Oreo backport: Access to timers in /proc restricted
 

MSe1969

Details about additional security hardening

1. SQLite 'Secure Delete' feature
This sanitizes deleted data by overwriting it with zeroes, rather than having it persist within SQLite's free list.
Backport from Oreo, see https://android-review.googlesource.com/q/topic:"secure_delete"

2. Restrict SET_TIME_ZONE permission to system apps
Backport from Oreo, see here

3. Enhanced Privacy Guard - Sensor permission switches
An own sensor template to control access to motion sensors ('ask' mode) and all other sensors (allowed by default, but can be restricted) has been implemented into the Privacy Guard. Commits: (1), (2), (3)

4. Restrict access to /proc/net for user apps
An adapted SELinux policy prevents user apps from accessing the /proc/net pseudo file system, which can be misused to monitor and track the phone's internet traffic. For technical backgrounds, see here. This is the main commit. For the legitimate use case of the smart phone owner him/herself monitoring the network traffic to see what the installed apps do, the app Privacy-Friendly Network Monitor has been bundled.

5. Access to timing information in /proc restricted
To prevent side-channel attacks as described here, the respective Oreo patch has been back-ported.

6. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS while still supporting DNS-over-TLS.
In the default DNS settings (as fallback) and network diagnostics, the Cloudflare DNS addresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)
(Please note: Cloudflare is "less bad than Google by means of privacy" and thus good as a default, but I personally recommend to look for better alternatives if concerned about privacy)

7. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 14.1 (all settings can be changed at any time later):
  • Privacy Guard is enabled on install (proposal during Setup)
  • Anonymous LineageOS statistics disabled (proposal during Setup)
  • The standard browsing app does not get the location runtime permission automatically assigned
  • Sensitive information is hidden on the lock screen
  • Apps having the PACKAGE_USAGE_STATS permission appear by default as "not allowed" under Settings => Security & privacy => Apps with usage access (instead of opting out here, the user needs to explicitly opt-in in order to have the app collecting this data)

8. No submission of IMSI or phone number to Google when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties, who are always keen on "improving the overall user experience") to provide this data . . .
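The effect of the 'secure delete' setting from item 1, shown on a desktop SQLite as an added example (not part of the original post or of the ROM's source). The table name and the marker value are constructed; the function deletes a row and then searches the raw database file for the deleted bytes.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for sensitive app data (not from the thread).
MARKER = "constructed-secret-4f1d9c-do-not-keep"


def residue_after_delete(secure_delete: bool) -> bool:
    """Insert MARKER, delete it, and report whether its bytes are still
    present in the raw database file once the connection is closed."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        # isolation_level=None gives autocommit: every statement hits the file.
        conn = sqlite3.connect(path, isolation_level=None)
        # Set the mode explicitly so the library's compile-time default is irrelevant.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        # Neighbouring rows keep the b-tree page in use after the delete,
        # so the freed cell becomes a free block inside a live page.
        conn.execute("INSERT INTO messages (body) VALUES ('keep-1')")
        conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER,))
        conn.execute("INSERT INTO messages (body) VALUES ('keep-2')")
        conn.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
        # Logically the row is gone in both modes; only the file content differs.
        remaining = conn.execute("SELECT count(*) FROM messages").fetchone()[0]
        if remaining != 2:
            raise RuntimeError("unexpected row count after delete")
        conn.close()
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete=OFF, deleted bytes still in file:", residue_after_delete(False))
    print("secure_delete=ON,  deleted bytes still in file:", residue_after_delete(True))
```

The check covers the main database file only; the rollback journal is unlinked at commit, not overwritten.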
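What the /proc/net restriction from item 4 withholds from user apps, as an added example (not part of the original post and not the code of the bundled monitor app): a parser for the `/proc/net/tcp` table that maps each app UID to the remote endpoints it is connected to. The sample table, UIDs and addresses are constructed, and the address decoding assumes a little-endian device.

```python
import socket
import struct
from collections import defaultdict

# Constructed sample in /proc/net/tcp layout; addresses are from documentation ranges.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11201 1
   1: 1701A8C0:A2F4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 48213 1
   2: 1701A8C0:B0C2 076433C6:146C 01 00000000:00000000 00:00000000 00000000 10112        0 48377 1
   3: 1701A8C0:9D10 0A7100CB:01BB 06 00000000:00000000 00:00000000 00000000 10087        0 0 3
"""

TCP_ESTABLISHED = 0x01  # kernel TCP state code for an established connection


def decode_endpoint(field: str) -> str:
    """Turn 'HEXIP:HEXPORT' into 'a.b.c.d:port'. The IPv4 word is printed in
    host byte order, assumed little-endian here; the port is plain hex."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return f"{ip}:{int(hex_port, 16)}"


def established_by_uid(table: str) -> dict:
    """Map owning UID -> remote endpoints of its established TCP sockets."""
    result = defaultdict(list)
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10:                       # ignore truncated rows
            continue
        if int(cols[3], 16) != TCP_ESTABLISHED:  # column 3 is the state
            continue
        result[int(cols[7])].append(decode_endpoint(cols[2]))  # column 7 is the uid
    return dict(result)


def read_proc_net_tcp(path: str = "/proc/net/tcp"):
    """Return the table text, or None when the caller may not read it,
    which is the expected outcome for a user app under the restricted policy."""
    try:
        with open(path) as fh:
            return fh.read()
    except (PermissionError, FileNotFoundError):
        return None


if __name__ == "__main__":
    for uid, peers in established_by_uid(SAMPLE_PROC_NET_TCP).items():
        print(uid, peers)
```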
 

jemail

Senior Member
Sep 19, 2013
373
95
0
ROM installs with no problems. Microg works well. I don't use volte so can't comment.

This ROM would be suitable as a daily driver.

However I find the lack of OMS support to be a major drawback. I use black themes too much to go back to eye blinding white.

It is a rock solid ROM that is kept up to date which is a big plus.
 

MSe1969

ROM installs with no problems. Microg works well. I don't use volte so can't comment.

This ROM would be suitable as a daily driver.

However I find the lack of OMS support to be a major drawback. I use black themes too much to go back to eye blinding white.

It is a rock solid ROM that is kept up to date which is a big plus.
Thanks a lot for your review and feedback.
Regarding OMS, as already mentioned in my cm-13.0 thread, there are own support threads on XDA.
I have had a closer look now and it seems that to patch LineageOS to support Substratum is a bigger effort. There are some repositories on github with those patches, it seems however a continuous effort to merge LineageOS patches and features and make OMS working again afterwards.
Since it is no "one-off" effort, but continuous work and even involves to weaken some SELinux settings, I am afraid that I won't go that path.
I am currently on vacation, only mobile access. Can only check after my return. So will get back on this topic.
 

MSe1969

It is not working on official nightlies
Well, then - most probably - it won't work here either...
However, what is the nature of the issue?
I am using a different kernel with this ROM, so maybe worth a try?
Further, have you tried disabling HW overlays in developer settings? Just guessing...

If you have a way of reproducing the issue without having to install WA, I am happy to have a deeper look.
 

Vvk380

Senior Member
Nov 22, 2016
233
41
0
Well, then - most probably - it won't work here either...
However, what is the nature of the issue?
I am using a different kernel with this ROM, so maybe worth a try?
Further, have you tried disabling HW overlays in developer settings? Just guessing...

If you have a way of reproducing the issue without having to install WA, I am happy to have a deeper look.
Actual issue is you can't share videos recorded through camcorder (moto camera) on WhatsApp
I checked disabling HW overlays... didn't work
And I'll see if I can reproduce this issue in some other way...
Thanks
 

rahul9999

Elite Member
Oct 22, 2012
1,861
2,017
113
India - Mumbai
Well, then - most probably - it won't work here either...
However, what is the nature of the issue?
I am using a different kernel with this ROM, so maybe worth a try?
Further, have you tried disabling HW overlays in developer settings? Just guessing...

If you have a way of reproducing the issue without having to install WA, I am happy to have a deeper look.
Hi.. The issue is related to updated lux OMX blobs.. i have fixed this for Oreo using Aex N blobs as Aex N source have not merged Lux Kernel sources.. As after we have fixed camcorder it's again broken..
 

MSe1969

OMS-enabled test build

However I find the lack of OMS support to be a major drawback. I use black themes too much to go back to eye blinding white.
It is a rock solid ROM that is kept up to date which is a big plus.
Is it compatible with substratum?
I've prepared an OMS-enabled test build - characteristics as described before, but OMS patches included (taken from https://github.com/LineageOMS and adapted, where necessary):
https://www.androidfilehost.com/?fid=674106145207484704

Please test and feedback.
Thanks M.
 