Moderator Announcement: THREAD CLOSED on request of OP. If you're interested in the hardened LOS for the OnePlus 3 or 3T please follow this thread in the cross-device section in future: https://forum.xda-developers.com/oneplus-3/oneplus-3--3t-cross-device-development/rom-hardened-lineageos-16-0-oneplus-3t-t4034869
This thread is dedicated to provide hardened Lineage-OS 15.1 builds with microG included for the OnePlus 3/3T with current security patches.
This thread is discontinued, please visit the LineageOS 16.0 successor thread
Features of this ROM
Download here
Current release levels
Security string: 2020-01-05
AOSP tag: 8.1.0_r52
Bromite System Webview: M79
Source-code and build instructions
Kernel: https://github.com/lin15-microG/android_kernel_oneplus_msm8996/tree/lin-15.1-microG
Build manifest: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.
Pre-Requisites
Install TWRP recovery
If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. I recommend to use the TWRP recovery for the OnePlus 3/3T. The following instructions are based on TWRP.
IMPORTANT NOTE - The official TWRP 3.2.3-1 is broken - DO NOT USE!
Please use the TWRP link in the official LineageOS install instructions instead.
To install TWRP, download the twrp-x.x.x-x-oneplus3.img file (Note: replace "x.x.x-x" in the following instructions with the respective values from the real file name) to your PC, connect the phone via USB to your PC, get it into 'fastboot mode' and enter the following command on your PC:
Afterwards, directly boot into 'recovery mode' (enter fastboot reboot on your PC and hold Power and vol.down) - DO NOT boot into the phone's Android system after having flashed TWRP! Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP must be TWRP in recovery mode.
Advanced Wipe
ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and spefify "Dalvik", "System", "Cache" and "Data" to be wiped. Make sure NOT to wipe "Internal memory". Swipe to confirm the deletion and get back into the main menu.
DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
Install ROM
In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard). Choose the .ZIP file of our ROM and swipe to flash.
If you update from a previous version of our ROM, you don't need to perform a wipe. If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into our Lineage OS 15.1 - be patient, the first boot after flashing a new ROM takes quite long!
Dealing with signed builds
Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash" (recommended), or - you do this on your own risk - you may try the below steps.
This happens at your own risk - make a backup with TWRP before!
SafetyNet:
Google SafetyNet is a device certification system, ensuring that the device is properly secured and compatible with Android CTS. Some applications use SafetyNet for security reasons, to enforce DRM or as a prerequisite for tamper-protection. General information about SafetyNet can be found here or e.g. see LineageOS' statement about SN.
If you don't need SafetyNet (i.e. you don't use apps requiring it), I recommend to switch off SafetyNet in microG settings and in addition, go to Settings - apps, make system processes visible and disable the app 'microG DroidGuard Helper'
In that case, you can safely skip the below information. (If you access the play store with Yalp coming with this build, apps, which the original playstore app would hide because of failed SafetyNet, such as e.g. Netflix, are still listed, so you don't need SafetyNet for that specific purpose)
If you need SafetyNet, because you use an app requiring SafetyNet attestation to pass, switch SafetyNet on in microG settings and make sure the a.m. DroidGuard Helper app is active. Further, please consider below important information.
The typical use-case, for which SafetyNet has been developped and is e.g. used by Google, is e.g. "Google Pay".
Although it seems not to be the intention of Google to make SafetyNet part of "ordinary, average" apps - unfortunately - a certain tendency can be observed that more and more apps make use of it. Especially nosy and privacy intrusive apps seem to start using SafetyNet against Custom ROMs, because Custom ROMs usually allow to at least restrict uncontrolled data collection.
microG GmsCore contains a free implementation of SafetyNet, but the official server requires SafetyNet requests to be signed using the proprietary DroidGuard system.A sandboxed version of DroidGuard has been added to this microG build as a prebuilt “DroidGuard Helper” app to run the Google code in an isolated environment. The chosen approach in my build is proposed and discussed within the microG project, but not yet officially implemented by microG.
As of March 11th 2019, the microG build passes the SafetyNet attestation, when installed w/o root or Xposed.
So, if you need SafetyNet and you also need root, Magisk would be the way to go.
To avoid confusion: Magisk can hide itself from being detected by SafetyNet and thus help to pass SN, if the device would pass SN without having Magisk installed. Nothing more.
Currently not working, hence not bundled
There are apps available on the Play store to show, whether SafetyNet attestation is passed, for example 'SafetyNet Test' (org.freeandroidtools.safetynettest)
IMPORTANT
I cannot and I will not give any assurance that SafetyNet attestation is passed by this build!
The SafetyNet code, which is dynamically downloaded from Google servers and executed on the device as part of the defined functionality, is regularly maintained and further developped by Google. Although it currently works, it could stop working in the future, until the microG team finds again a solution.
(Interesting enough: Remote code execution is normally considered a severe vulnerability, but hey, it's Google and we all "trust" them 100%, don't we?
- At least I, besides others, exactly for that reason, do not use Gapps!)
Further, I for my part refuse to use apps requiring SafetyNet, but that is of course everybody's own decision.
Bug reports:
If you have a problem, please create a post with these informations:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.
Credits
AOSP project
LineageOS project
microG project
CopperheadOS project
csagan5 (Bromite)
Yeriomin (Yalp)
XDA:DevDB Information
[ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T, ROM for the OnePlus 3T
Contributors
MSe1969
Source Code: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
ROM OS Version: 8.x Oreo
ROM Kernel: Linux 3.x
Based On: LineageOS
Version Information
Status: Stable
Stable Release Date: 2020-01-13
Created 2019-01-21
Last Updated 2020-04-30
This thread is dedicated to provide hardened Lineage-OS 15.1 builds with microG included for the OnePlus 3/3T with current security patches.
This thread is discontinued, please visit the LineageOS 16.0 successor thread
Features of this ROM
Download here
- Pre-installed microG and F-Droid same as the LineageOS for microG project
- Pre-installed AuroraStore
[*]Pre-Installed pre-release of microG DroidGuard helper to have a working SafetyNet attestation (see comments below!) - Adapted LockClock app without wake-locks (fix of frozen weather widget after boot)
- OTA Support
- Additional security hardening features listed below
- Access to /proc/net blocked for user apps
- Bundled netmonitor app to allow network monitoring
- Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
- Cloudflare as default DNS (instead of Google)
- Privacy-preferred default settings
- Optional blocking of Facebook- and Google-Tracking
- Optional disabling of captive portal detection
- Option to define own DNS
- No submission of IMSI/phone number to Google/Sony when GPS is in use
- Default hosts file with many blocked ad/tracking sites
- Privacy-enhanced Bromite SystemWebView
- Option to deny new USB connections
- Additional restrictions for secondary users
- Increased password length
- Kernel kept up to date with ASB patches and Google kernel/common 'android-3.18' branch
Current release levels
Security string: 2020-01-05
AOSP tag: 8.1.0_r52
Bromite System Webview: M79
Source-code and build instructions
Kernel: https://github.com/lin15-microG/android_kernel_oneplus_msm8996/tree/lin-15.1-microG
Build manifest: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.
Pre-Requisites
- Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
- Download the most current .ZIP file of the ROM and place it to your phone's internal memory
- An unlocked bootloader (see e.g. LineageOS install instructions)
- You need at least OxygenOS 5.0 firmware, otherwise you'll get error 7 when installing the zip. (Recommended 5.0.8 - DO NOT use 9.x firmware)
Install TWRP recovery
If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. I recommend to use the TWRP recovery for the OnePlus 3/3T. The following instructions are based on TWRP.
IMPORTANT NOTE - The official TWRP 3.2.3-1 is broken - DO NOT USE!
Please use the TWRP link in the official LineageOS install instructions instead.
To install TWRP, download the twrp-x.x.x-x-oneplus3.img file (Note: replace "x.x.x-x" in the following instructions with the respective values from the real file name) to your PC, connect the phone via USB to your PC, get it into 'fastboot mode' and enter the following command on your PC:
Code:
fastboot flash recovery twrp-x.x.x-x-oneplus3.img
Advanced Wipe
ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and spefify "Dalvik", "System", "Cache" and "Data" to be wiped. Make sure NOT to wipe "Internal memory". Swipe to confirm the deletion and get back into the main menu.
DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
Install ROM
In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard). Choose the .ZIP file of our ROM and swipe to flash.
If you update from a previous version of our ROM, you don't need to perform a wipe. If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into our Lineage OS 15.1 - be patient, the first boot after flashing a new ROM takes quite long!
Dealing with signed builds
Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash" (recommended), or - you do this on your own risk - you may try the below steps.
This happens at your own risk - make a backup with TWRP before!
- Download and extract the file migration.sh from this archive
- This file helps you to migrate from a build signed with the publicly available test keys (i.e. all builds around, which do not state that they are signed). If you come from another signed build (e.g. official LineageOS), you have to adapt the file accordingly (see below links).
- boot into TWRP
- push the migration.sh file to the directory /data/local on your device and mount the /system partition in TWRP (you can do so using the dedicated TWRP's menu entry)
- launch the built-in terminal in TWRP, cd into /data/local, make migration.sh executable (chmod +x) and execute the command ./migration.sh official
- (In case you receive an error, try sh ./migration.sh official instead)
- flash the ROM .zip
- wipe Cache and Dalvik/ART Cache
- reboot system
SafetyNet:
Google SafetyNet is a device certification system, ensuring that the device is properly secured and compatible with Android CTS. Some applications use SafetyNet for security reasons, to enforce DRM or as a prerequisite for tamper-protection. General information about SafetyNet can be found here or e.g. see LineageOS' statement about SN.
If you don't need SafetyNet (i.e. you don't use apps requiring it), I recommend to switch off SafetyNet in microG settings and in addition, go to Settings - apps, make system processes visible and disable the app 'microG DroidGuard Helper'
In that case, you can safely skip the below information. (If you access the play store with Yalp coming with this build, apps, which the original playstore app would hide because of failed SafetyNet, such as e.g. Netflix, are still listed, so you don't need SafetyNet for that specific purpose)
If you need SafetyNet, because you use an app requiring SafetyNet attestation to pass, switch SafetyNet on in microG settings and make sure the a.m. DroidGuard Helper app is active. Further, please consider below important information.
The typical use-case, for which SafetyNet has been developped and is e.g. used by Google, is e.g. "Google Pay".
Although it seems not to be the intention of Google to make SafetyNet part of "ordinary, average" apps - unfortunately - a certain tendency can be observed that more and more apps make use of it. Especially nosy and privacy intrusive apps seem to start using SafetyNet against Custom ROMs, because Custom ROMs usually allow to at least restrict uncontrolled data collection.
microG GmsCore contains a free implementation of SafetyNet, but the official server requires SafetyNet requests to be signed using the proprietary DroidGuard system.
As of March 11th 2019, the microG build passes the SafetyNet attestation, when installed w/o root or Xposed.
So, if you need SafetyNet and you also need root, Magisk would be the way to go.
To avoid confusion: Magisk can hide itself from being detected by SafetyNet and thus help to pass SN, if the device would pass SN without having Magisk installed. Nothing more.
Currently not working, hence not bundled
There are apps available on the Play store to show, whether SafetyNet attestation is passed, for example 'SafetyNet Test' (org.freeandroidtools.safetynettest)
IMPORTANT
I cannot and I will not give any assurance that SafetyNet attestation is passed by this build!
The SafetyNet code, which is dynamically downloaded from Google servers and executed on the device as part of the defined functionality, is regularly maintained and further developped by Google. Although it currently works, it could stop working in the future, until the microG team finds again a solution.
(Interesting enough: Remote code execution is normally considered a severe vulnerability, but hey, it's Google and we all "trust" them 100%, don't we?
Further, I for my part refuse to use apps requiring SafetyNet, but that is of course everybody's own decision.
Bug reports:
If you have a problem, please create a post with these informations:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.
Credits
AOSP project
LineageOS project
microG project
CopperheadOS project
csagan5 (Bromite)
Yeriomin (Yalp)
XDA:DevDB Information
[ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T, ROM for the OnePlus 3T
Contributors
MSe1969
Source Code: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
ROM OS Version: 8.x Oreo
ROM Kernel: Linux 3.x
Based On: LineageOS
Version Information
Status: Stable
Stable Release Date: 2020-01-13
Created 2019-01-21
Last Updated 2020-04-30