• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

EOL [ROM][Unofficial][9.0.0][microG][signed]hardened LineageOS 16.0 for Oneplus 3/3T

Status
Not open for further replies.
Search This thread
D

Deleted member 8085016

Guest
I can't find a download: https://www.sharpconsumer.com/support/gave me

Search results for: Sharp Aquos P1

Nothing found
I only found a 4PDA link on the Sharp phone and not on XDA

I mean yeah its a dead end on 820/821 phones and tablets, some say Lenovo ZUK Z2 Pro has Galileo but after watching reviews its not true. Treble would be the cause SD835 got Galileo. Hypothesis, after the SD820/821 series got replaced by the SD835, where the 820/821 architecture downgraded to the SD6XX series chipset? Would the solution be found there?
Edit: What about open sourced implementation of GNSS?
 
Last edited by a moderator:
Regarding 17.1: does this mean your LOS16 build is gonna be deprecated? If so, I'd like to share my concern about missing Privacy Guard, new permission hub is not a proper replacement, as it doesn't allow to spoof permissions, like Privacy Guard or XPrivacy. Also, in my very personal opinion, newer Android versions don't bring much new stuff to the table, so in my, again, personal case, I don't see any benefit of losing Privacy Guard to get some new minor features.
Yes - eventually, my 16.0 builds will be deprecated. See my comments below...


Lost features in LineageOS 17.1
As mentioned in my previous post about the LineageOS 17.1 Test build, a couple of features are lost, and I would like to share some comments about them. Android 10 in fact does have some security improvements under the hood, so if there aren't any hardware restrictions of the device hindering you from moving on, there is always a time to consider moving on. I am definitely not within the early adopters, but I have now worked on it.

LockClock:
The Chronus app (play store) comes from the same authors and is the "by far better" LockClock app, if somebody (like me) likes it - with enabled Google blocker, it only nags sometimes with an "update playservices" notification.

Privacy Guard:
I have tried to port Privacy Guard to my 17.1 build and thus learned the "hard way", why it hasn't been ported to LineageOS 17.1 by the LineageOS devs. I "somehow" consider this also as a loss (if you scroll back a while, you will find also a statement from me), but to be honest, in the last 1-2 years, I hadn't actually really used it, except for the Sensor restrictions, for which I ship a replacement feature.
I meanwhile simply don't want to use "hostile" apps - in fact, there are for almost every purpose FOSS apps or at least apps with decent behavior; and I don't know, whether you can truly control a privacy-hostile app with PG, there are still too many possibilities for such apps. I could also observe that PG had some "glitches" (try e.g. disabling the coarse location AppOp while still granting location permission or watch apps definitely not using location appearing in the coarse location stats) and a knowledgeable person also explained me, that certain AppOps aren't fully implemented in all code places and partly (e.g. background) could be misunderstood.
In fact, the ApOps API is still there, PG was only a GUI frontend and the really nice feature was the "ask mode".
Nevertheless, for certain "lab" conditions, where you would have to e.g. block access, while still granting the permissions, you can still use the 'appops' shell commands via adb - e.g. I remember having read somewhere, that the Instagram app (*yikes* such crap will never find its way to my phone!) insists on first stealing your contacts to initialize (i.e. does not initially launch until you grant contacts permission), before it allows you to revoke that permission again.
As you can see for the Sensor restrictions, I can still make use of the AppOps API for special cases (unfortunately, only without "ask mode"), so if you give me a solid reason, why certain AppOps should be user-switchable, I can for sure implement further such AppOp functionality - similar to the Sensor restrictions.

Root AddOn:
During my attempt to port PG, I found one big show stopper being the inability to re-implement the ask mode (without going in too much details, but two protected methods of formerly the same class belong now to two different classes in Android 10). As the LineageOS Root AddOn was based on Privacy Guard's "ask mode", I gues that was the main reason for LineageOS to drop this (there have always been rumors anyhow, that this was exploitable). So - following LineageOS's official guidance - if you want root, flash Magisk.
My own philosophy was in my builds to deliver useful features requiring root as part of the system with customized SEPolicy rules (e.g. adblock, blocking scripts, firewall), so I also did not really use root on my device recently, except for analyses/debugs via adb, which still is supported.


Native WireGuard support in Kernel:
I have learned recently (scroll back a bit), that you need to grant root access to the WireGuard app, to allow making use of the native WireGuard kernel support. (I originally thought it was the other way round). Hence shipping a feature, for which you would need to first flash a root solution in order to be able to use it, does not really make sense to me! You can still use WireGuard w/o root via the WG app as an ordinary VPN.
Unless you show me an easy way, how to make use of native WG kernel support w/o needing to flash a root solution, I will be glad to reconsider my decision.
 
  • Like
Reactions: knpk13 and soozie_

gonococcus

Member
Apr 18, 2020
22
8
Yes - eventually, my 16.0 builds will be deprecated. See my comments below...
That's as sad as it is inevitable

Yes, PG is known to be glitchy sometimes and there are ways to work around it for app devs(thank Google for the whole zoo of different-but-the-same APIs). The blessing was is that LOS is not nearly as popular as stock ROMs, so no one would bother.
It was also mostly abandoned by LOS devs, so instead of fixing it to work in a more reliable way, they just killed it, which is still a big regression, in my view.
Kudos for your attempt to port it, but even if you've succeeded, it would probably too much to ask you to maintain it to keep it working in future builds.


Native WireGuard support in Kernel:
That one I actually didn't see coming. Because the deal is that if you have root, you can use kernel support, if you don't have root, you just use userspace implementation. I don't see how it would hurt to ship kernel support for those users who want it, as it doesn't take anything away from non-rooted users - Google has even included wireguard kernel support starting from Android 12. However, it also depends if it's pain in the ass for you to maintain it: as far as I've heard patches are pretty simple to apply, but you also use other patchsets, so your mileage may vary, of course.

That said, I'll probably stay on 16 as long as possible(until there's a new RCE vulnerability or smth). Not only because I will miss Privacy Guard(XPrivacyLUA is a potential solution here, but needs xposed), but also because I don't really see what benefits 17.1 brings.
I do believe hardening makes things potentially more secure, but from my experience in the field the biggest attack vector is human factor, so additional hardening is not the main feature of this ROM for me, but microg, privacy features and removing Google crap like captive portal and DNS - those have much more value for me. So yeah, in the end, I don't feel it's worth updating for me.

As always, thank you for your work!
 
  • Like
Reactions: MSe1969

soozie_

Member
Jun 19, 2020
9
2
I'm not that savvy in terms of android development but move to 17.1 does looks exciting. Apart from security and privacy (enhancements), there are some good UI changes as well that I'm looking forward to.
 

nvertigo67

Senior Member
Dec 28, 2011
6,008
12,321
Edit: What about open sourced implementation of GNSS?
The used opensource part of the gnss stack isupporting galileo, as far as I understand the sources:

EDIT: Enter sended again instead of inserting a linefeed, seems to haapen only after paste...

That's why I hope for sd821 galileo supporting blobs. Early (oos 3x) there has been a statement in the oneplus forum, that galileo will be supported in future updates, butit has never been implemenzed by oneplus.
 
Last edited:
That's as sad as it is inevitable
Unless I receive feedback about severe issues, I plan to start a thread with my current test build as initial build and provide a final 16.0 build in this thread in January.
As I have also a "Treble" thread for the Huawei P9, I will continue keeping the sources of Lineage 16.0 up to date.
So building the 16.0 ROM yourself could maybe be an option for you (you would have to migrate the ROM's signature, of course)?

Yes, PG is known to be glitchy sometimes and there are ways to work around it for app devs(thank Google for the whole zoo of different-but-the-same APIs). The blessing was is that LOS is not nearly as popular as stock ROMs, so no one would bother.
It was also mostly abandoned by LOS devs, so instead of fixing it to work in a more reliable way, they just killed it, which is still a big regression, in my view.
Kudos for your attempt to port it, but even if you've succeeded, it would probably too much to ask you to maintain it to keep it working in future builds.
I had at first a similar impression of unwillingness on LineageOS side, that is why I started to try on my own. As indicated, I have changed my point of view and definitely see the issues - the major overhaul of the AppOps API by Google and the major overhaul of certain system services, which are heavily used by the PG "ask mode" has made it most probably impossible to port PG, without entirely re-designing it - at least the "ask mode" part, which is the true core-feature of PG.
Of course, I am by far not a skilled (Android) Java programmer, so my judgement could simply be based on my own limitations (in fact I have almost no experience in Java, but I do have profound programming experience in general, which has enabled me to also do Java stuff for Android). But I do respect now their decision to abandon it.

That one I actually didn't see coming. Because the deal is that if you have root, you can use kernel support, if you don't have root, you just use userspace implementation. I don't see how it would hurt to ship kernel support for those users who want it, as it doesn't take anything away from non-rooted users - Google has even included wireguard kernel support starting from Android 12. However, it also depends if it's pain in the ass for you to maintain it: as far as I've heard patches are pretty simple to apply, but you also use other patchsets, so your mileage may vary, of course.
Well, the inclusion indeed is easy, almost trivial. And there is not much to do with additional tags, as it seems that the WG development for that sub-project has been finished, so only small bugfixes are added each month. From that point of view, you would be right and it should be a no-brainer. I also see your point in suggesting to simply leave it in.
However, each feature shipped is also expected to be supported - @nvertigo67 and I have spent hours in finding the one bad commit, when applying the kernel upstream fixes last time. And that is, where my decision comes from and what causes the p.i.t.a. - ok, could be, that this was a one-off exception and will never happen again, who knows? But I consider it more honest to stop shipping a "courtesy/favor" feature (in which I am at least right now not fundamentally intrerested myself) and annouce it, rather than continuing it and - when the next major issue comes - simply state "hey guys, tough luck - I confirm it's an issue, but I am not in the mood to fix it". And also, my stated argument persists, that it does not make sense to me to ship a feature, which can only be activated, if a root solution will be flashed.
 
D

Deleted member 8085016

Guest
The used opensource part of the gnss stack isupporting galileo, as far as I understand the sources:

EDIT: Enter sended again instead of inserting a linefeed, seems to haapen only after paste...

That's why I hope for sd821 galileo supporting blobs. Early (oos 3x) there has been a statement in the oneplus forum, that galileo will be supported in future updates, butit has never been implemenzed by oneplus.
Oneplus like many others didnt add support. Maybe cost because Qualcomm is greedy or there needsto be extra hardware. we dont know. Maybe GnssStatus.getCarrierFrequencyHz() is missing or some other API. Did you enable full GNSS measurments in developer options? I was able to get a EU SBAS in my radar.
The dev behind GPStest just started to collect data on devices GNSS tech. There where many classifications. I think all 820/821 phones intercept the raw GNSS but cant decode QZSS ,Galileo, NavIC, GAGAN signal. As of now there are no other phones with possible blobs to experiment with then the Edge and S3. Question would CAF software help?
 
  • Like
Reactions: nvertigo67
D

Deleted member 8085016

Guest
The source of the opensoirce based part of the gnss stack is actually caf:
The source of the opensoirce based part of the gnss stack is actually caf:
All right now I know. One thing I found out is that many budget LG devices since 2017,2018,2019 have been released with the 821 but has no Galileo.Same with the 820A for cars and 820E for single board computers since 2019. Also Idk what Oneplus did but I remember that there where many GPS "fix updates ", no idea what they fixed, could be updates for the A-GPS,A-Glonass. I dont think Oneplus unoffically added Galileo support without the certification, I looked up every satallite number I collected from GNSSlogger and I saw no Gallileo in the report.
 
Last edited by a moderator:

pilikia

New member
Dec 19, 2020
2
2
Just dirty flashed the LOS17 zip you upped a week ago. I like the newer cleaner security settings. There are some slight "improvements" to the overall gui but the 2 problems I had forced me to flash back to 16.
Firewall went from 'network/data' to 'privacy/firewall' and the somewhat confusing options for background data and unlimited were removed. Other than a slightly changed system gui it kinda broke my phone. Weirdly the bottom left phone button for access to the overview screen, next to the home/fingerprint, back buttons, just stopped working altogether. I was forced to either back out of everything in order to close anything if there wasn't an actual exit button. This also means if I wanted to switch between aps, I couldn't. I had to hit home and then reopen it if I wanted 2 or more aps open. That was the dealkiller. The other was fdroid forcing me to give it full network access in it's settings, both data and wifi. In updates if the 'Over Data" slider was set to never, fdroid refused to connect to the network. Flatout refused! By the time I figured that bs out I got it to throw an error about how one db was older than the other???
I remember just months back when my phone told me that f-droid's owner had an islamic name so that makes sense, not. It seeemd like some kind of db error was thrown and made public. So fdroid refusing to function without being able to update over data makes more sense now. Pretending it has anything to with security is a laugh. If I have to I'll simply bypass fdroid and go straight to the website. I really don't gas.

I use Lawnchair 2.0-2589 and I 'removed' trebuchet (not installed for this user) which well may be the problem but I don't see how. I'm going to run this rom forever because of the basic security aspects but tbh, I'm going to switch to a pinephone running debian asap. Chasing google's horse**** is a complete and utter waste of my friggin time.
Thank You for making undoubtably one of the best rom's anywhere. Hopefully the next iteration of your LOS17 fixes my hardware button issue because if not, this phone will very soon be relegated to a glorified remote control or a usbcam, or something. I despise google personally.

Forgot to mention for those wanting to dirty flash over the 16 version.
Put the magisk zip, the los17 zip, and the supersu16 remove zip in same folder. flash the supersu remover first, the los17 2nd, and the magisk 3rd, THEN reboot. I lost root, had to grab the su remover and boot back into twrp to get a proper root. Lineage OS extras does not incl a supersu17 version. I do not ike being coralled by software on a phone and I will not be forced to do jack google wants. *em. Google like MS et al is their own worst enemy. They are literally putting themselves out of business pretending to be king of squat. But you could have figured that out when Android 5,6,7 was released.

A good example of the hypocrisy is Apple telling everyone your phone is encrypted by default when IN FACT, nothing else is. As soon as your data, call, text, whatever leaves your phone, you're left with the 'security' of the networks themselves. They even said that there are devices which will hack ANY iphone regardless of encryption or OS version (and there's your security-right in the trash-all lies). If communications aren't ALL, and I mean ALL, end to end encrypted, there is no "security", period. Seriously, wgaf if the phone is secure if all your coms aren't? And that is the very reason 5G is being shoved down everyone's throats. It's not so you can grab movies. It's so google et al can grab you. If you disable the advanced lte option the phones will say 5g is disabled. That's undoubtedly a lie too, or will be in google's next version.
 
Last edited:
Hi,
first of all, thanks for your feedback and your positive opinion about my 16.0 build!
I am going to comment on the technical aspects on the 16.0 => 17.1 ROM switch further below.
To your other comments - I am - like you - not really a "Google fanboy" (you have stated it less diplomatically than me, but you're right) - otherwise I would not have tried to create a ROM, which I could at least use to an extent, I am able to tolerate.

Firewall went from 'network/data' to 'privacy/firewall' and the somewhat confusing options for background data and unlimited were removed.
The firewall commits haven't been merged by LineageOS, yet. This is in fact "version 1", in 16.0, there was a "version 2" moving it to network/data, which hasn't been picked into 17.1 yet. In 17.1, there is also a newer patch set, but my first attempt to pick that wasn't functional. We'll see...

Weirdly the bottom left phone button for access to the overview screen, next to the home/fingerprint, back buttons, just stopped working altogether. I was forced to either back out of everything in order to close anything if there wasn't an actual exit button. This also means if I wanted to switch between aps, I couldn't. I had to hit home and then reopen it if I wanted 2 or more aps open. That was the dealkiller.
[ . . .]
I use Lawnchair 2.0-2589 . . .
As indicated, I am using now since two weeks the 17.1 build on my device and I don't have these issues. I am however not using any alternative launcher. Could you please try uninstalling Lawnchair to see whether that fixes? Maybe it would be required to first uninstall any alternative launcher, then dirty-flash and then install any alternative launcher?


The other was fdroid forcing me to give it full network access in it's settings, both data and wifi. In updates if the 'Over Data" slider was set to never, fdroid refused to connect to the network. Flatout refused!
I can't reproduce this behavior on my own device at all. Anyhow, all I do it to compile F-Droid from source "as is" for the sake of giving it a different signature. So any issues, the F-Droid app has, should be looked up on F-Droid's issue tracker.

By the time I figured that bs out I got it to throw an error about how one db was older than the other???
I remember just months back when my phone told me that f-droid's owner had an islamic name so that makes sense, not. It seeemd like some kind of db error was thrown and made public. So fdroid refusing to function without being able to update over data makes more sense now. Pretending it has anything to with security is a laugh. If I have to I'll simply bypass fdroid and go straight to the website. I really don't gas.
As indicated before, I can't reporduce the behavior - however, in my November update (16.0 build), I have explained, that any updates of the F-Droid app need to be uninstalled. Did you dirty-flash from a pre-November build to 17.1 w/o uninstalling system app updates first, maybe?

I use Lawnchair 2.0-2589 and I 'removed' trebuchet (not installed for this user) which well may be the problem but I don't see how.
Did you simply install and set lawnchair as 2nd launcher, or did you also explicitly do a "pm uninstall --user 0" via adb for Trebuchet? Maybe the latter is the issue?

Thank You for making undoubtably one of the best rom's anywhere. Hopefully the next iteration of your LOS17 fixes my hardware button issue because if not, this phone will very soon be relegated to a glorified remote control or a usbcam, or something.
Maybe the advices given before could solve your issue?

Forgot to mention for those wanting to dirty flash over the 16 version.
Put the magisk zip, the los17 zip, and the supersu16 remove zip in same folder. flash the supersu remover first, the los17 2nd, and the magisk 3rd, THEN reboot.
Thanks - that'll be documented accordingly.

I lost root, had to grab the su remover and boot back into twrp to get a proper root. Lineage OS extras does not incl a supersu17 version.
The reason for that was explained already in one of my previous posts (PG ask mode not available any longer) - Magisk is the way forward for those wanting root.

Hope that helps, regards - M.
 
  • Like
Reactions: gonococcus

EinsteinXXL

Senior Member
Jul 10, 2014
71
42
In the regular LineageOS 16.0 build: Settings - Network & Internet - Data usage - Manage data restrictions
In the LineageOS 17.1 Test build: Settings - Privacy - Firewall
Thanks for your fast answer. (y)

Now to another little problem that I have with your Linage build. I understand your concept of a hardened and google free ROM, but it is unfortunately not 100% possible to use FOSS apps. For example, I use cryptowallets and apps from various exchanges and they often include trackers. Recently I was still using Android 6 with xprivacy, which is no longer possible with Android 8+. Now I am looking for a way to continue to manage different internet connections of an app. Netguard offers this function, but unfortunately not with your hardened version. Netguard is unable to filter network traffic, only fw on/off per app is possible. Is there any workaround to fix this?
 
Last edited:
Thanks for your fast answer. (y)

Now to another little problem that I have with your Linage build. I understand your concept of a hardened and google free ROM, but it is unfortunately not 100% possible to use FOSS apps. For example, I use cryptowallets and apps from various exchanges and they often include trackers. Recently I was still using Android 6 with xprivacy, which is no longer possible with Android 8+. Now I am looking for a way to continue to manage different internet connections of an app. Netguard offers this function, but unfortunately not with the hardened version of you. Netguard is unable to filter network traffic, only fw on/off per app is possible. Is there any workaround to fix this?
The Netguard app, if dowloadeed from F-Droid (hence having the F-Droid signature) is added to the SEPolicy exceptions and thus should be able to work.
 
  • Like
Reactions: EinsteinXXL

pilikia

New member
Dec 19, 2020
2
2
I used to use netguard when I didn't have root. If I recall, netguard only offers filtering if you donate. I stopped using it because I changed phones and lost the pro features at the same time. I refused to have to login to google just to be able to use what I already payed for. The unlock method the netguard dev uses apparently involves a 3rd party or whatever, and I consider that too involved, if you will.

On my 1+3T, I have the correct radio, I believe-9.0.6/11.20.19, to dirty flash from this v16 microg rom to the nightly lineageOS 17.1 official. Anyways, after flashing, rebooting to twrp, rebooting to the OS, I still lost my left-most hardware button, just like with your rom. WEIRD. I give up. I'll try one more iteration of yours but for the life of me can't figure out how a successful boot from 16-17 roms, known to be good, renders a hardware button unusable. As for fdroid, or any ap, I do not want to use adb commands just to install a rom which is dirty-flashable. The only option the phone gives me is to disable fdroid. That's it. The whole aps being signed by fdroid bs I don't want to be involved with. I just want it to update and work. If it doesn't that fdroids problem, not mine.

I noticed the new network permission settings in the v17 microg rom had some lame options. "Only allow when active?" LAME. If you allow a permission it should never depend on whether or not the ap you installed is "active". Say you give an ap the ability to use the gps chip. If you aren't using the ap and your gps is on for some other ap usage, why need a setting to differentiate between active and not active? WHY? The entire 'fuse' bs google uses is exactly what makes controlling all your permissions a major PITA. Albeit they are somewhat simpler in 17, it's obvious google is moving forward with obfuscating any real control by the user. In essence pretending permission/security depends on a checkbox labeled "active?, no?, maybe?" is pure utter BS!
Google sells their own phone. The pixels? There are 2 roms, graphene and calyx, that will only work on google phones. They are similar to this one in a lot of ways, but just using their hardware and then putting ANY version of android on it is, imo, a security risk. Like I said. Who cares if your phone is encrypted if your comms aren't? That's why I love mse's rom. He gets it and strives for control. Unfortunately, every next version of google's android is like chasing your own tail. Google changes the permissions, always with more "security" features (snicker), and the community has to figure out what in the f the problem is now. Believe me when I say the newer permission settings are pure BS. Google tries to figure out how to fool the masses into some 'trust' postion of pretentious, "But I checked the box...". Really I'd go back to an older flip phone before I'd trust google ever again, ever. I started dumping google before their gmail was even out of beta.
I tried. Too bad you don't own a oneplus 6. I'd have bought one just for your rom (my 3T was pre-owned when I bought it). I also will never own a 5G phone for that matter. I don't care the phones change and get better hardware, but the roms should not 'require' a specific versioning of said hardware. If the phone works good still, any rom install should cater to the existing hardware, not the other way around. And that in a nutshell is the problem with smartphones. They keep forcing newer roms, which then force you to 'upgrade' the device. The pattern is obvious and it's one of a carrot on a stick you never actually get to hold on to. "I like my phone, I think I'll hold on to it". Google's response? NOPE. FU GOOGLE!
 
Last edited:

EinsteinXXL

Senior Member
Jul 10, 2014
71
42
Are there any problems with LineageOS 16 and GPS?? I am unable to get a gps fix.

I got this error msgs in logcat after gps was enabled:

12-21 01:59:22.768: E/GnssLocationProvider(1387): Unable to initialize GNSS Xtra interface
12-21 01:59:22.769: E/GnssHal_GnssGeofencing(547): setCallback]: mApi is NOT nullptr
12-21 01:59:22.770: E/LocSvc_APIClientBase(547): onCtrlCollectiveResponseCb:189] ERROR: 3 ID: 232
12-21 11:21:28.631: W/LocationHelper(2705): java.lang.SecurityException: "passive" location provider requires ACCESS_FINE_LOCATION permission.
12-21 11:21:28.632: W/LocationHelper(2705): java.lang.SecurityException: "gps" location provider requires ACCESS_FINE_LOCATION permission.
12-21 11:21:28.632: W/LocationHelper(2705): java.lang.SecurityException: "network" location provider requires ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permission.

Update: Problem solved. Made clean flash again and it works.
 
Last edited:
  • Like
Reactions: MSe1969
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 24
    Thread is discontinued: Please visit the my LineageOS 17.1 successor thread

    This thread is dedicated to provide hardened Lineage-OS 16.0 builds with microG included for the OnePlus 3/3T with current security patches.

    It is the successor of my Lineage 15.1 thread.
    It may be worth to also look there, if you are looking for information.

    Features of this ROM
    Download here
    • Pre-installed microG and F-Droid like LineageOS for microG project (own fork)
    • Pre-installed AuroraStore
    • OTA Support
    • eSpeakTTS engine
    • Additional security hardening features listed below
    • Access to /proc/net blocked for user apps
    • Bundled netmonitor app to allow network monitoring
    • Enhanced Privacy Guard: Switches for motion sensors and other sensors
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking
    • Optional disabling of captive portal detection
    • Firewall UI
    • No submission of IMSI/phone number to Google/Sony when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView
    • Additional restrictions for secondary users
    • Increased password length
    • Kernel kept up to date with ASB patches and Google kernel/common 'android-3.18' branch
    • Debloated from Oneplus blobs for Alipay, WeChatpay, Soter and IFAA
    • Native Wireguard support in shipped kernel
    • Hardened bionic lib and constified JNI method tables

    Current release levels
    Security string: 2021-01-05
    AOSP tag: 9.0.0_r46
    Bromite System Webview: M87


    Source-code and build instructions
    Kernel: https://github.com/lin16-microg/android_kernel_oneplus_msm8996/tree/lin-16.0-mse2
    Build manifest: https://github.com/lin16-microg/local_manifests/tree/lin-16.0-microG


    Installation Instructions

    YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!

    Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

    Pre-Requisites
    • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
    • An unlocked bootloader (see e.g. LineageOS install instructions)
    • Flash the OxygenOS 9.0.x firmware, which is needed for LineageOS 16.0 - READ THE OP OF THIS THREAD CAREFULLY !
    • Download the most current .ZIP file of the ROM and place it to your phone's internal memory

    OxygenOS 9.x Firmware
    Once again: READ THE OP OF THIS THREAD CAREFULLY !
    I can't explain it better and I am not going to repeat or summarize this. It really is in your interest to carefully read it - you have been notified and warned.
    Please also pay attention to the last section named "Alipay, WeChatpay, Soter and IFAA" - I strongly recommend to use the debloated firmware

    Install TWRP recovery
    If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. I recommend to use the TWRP recovery for the OnePlus 3/3T. The following instructions are based on TWRP.
    To install TWRP, download the twrp-x.x.x-x-oneplus3.img file (Note: replace "x.x.x-x" in the following instructions with the respective values from the real file name) to your PC, connect the phone via USB to your PC, get it into 'fastboot mode' and enter the following command on your PC:
    Code:
    fastboot flash recovery twrp-x.x.x-x-oneplus3.img
    Afterwards, directly boot into 'recovery mode' (enter fastboot reboot on your PC and hold Power and vol.down) - DO NOT boot into the phone's Android system after having flashed TWRP! Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP must be TWRP in recovery mode.

    Advanced Wipe
    ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!

    Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and spefify "Dalvik", "System", "Cache" and "Data" to be wiped. Make sure NOT to wipe "Internal memory". Swipe to confirm the deletion and get back into the main menu.

    DO NOT flash Gapps!
    This ROM comes with pre-installed microG. So don't attempt to flash Gapps.

    Install ROM
    In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard). Choose the .ZIP file of our ROM and swipe to flash.
    If you update from a previous version of my ROM, including my LineageOS 15.1 build, you don't need to perform a wipe. If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
    When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into Lineage OS 16.0 - be patient, the first boot after flashing a new ROM takes quite long!


    Dealing with signed builds
    Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash" (recommended), or - you do this on your own risk - you may try the below steps.

    This happens at your own risk - make a backup with TWRP before!
    • Download and extract the file migration.sh from this archive
    • This file helps you to migrate from a build signed with the publicly available test keys (i.e. all builds around, which do not state that they are signed). If you come from another signed build (e.g. official LineageOS), you have to adapt the file accordingly (see below links).
    • boot into TWRP
    • push the migration.sh file to the directory /data/local on your device and mount the /system partition in TWRP (you can do so using the dedicated TWRP's menu entry)
    • launch the built-in terminal in TWRP, cd into /data/local, make migration.sh executable (chmod +x) and execute the command ./migration.sh official
    • (In case you receive an error, try sh ./migration.sh official instead)
    • flash the ROM .zip
    • wipe Cache and Dalvik/ART Cache
    • reboot system
    More background information and the "theory behind" can be found in the LineageOS wiki and AOSP reference.



    Bug reports:
    If you have a problem, please create a post with these informations:
    Original Kernel shipped with this rom:
    Build Date:
    And try to get log as described here
    Please note that I can't and won't support issues with builds using a different kernel or Xposed.
    In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

    Credits
    AOSP project
    LineageOS project
    microG project
    Graphene OS project
    csagan5 (Bromite)
    WhyOrean (Aurora)
    nvertigo67 (for the modded 9.x firmware)

    XDA:DevDB Information
    [ROM][Unofficial][9.0.0][microG][signed]hardened LineageOS 16.0 for Oneplus 3/3T, ROM for the OnePlus 3T

    Contributors
    MSe1969
    Source Code: https://github.com/lin16-microg/local_manifests/tree/lin-16.0-microG

    ROM OS Version: 9.x Pie
    ROM Kernel: Linux 3.x
    Based On: LineageOS

    Version Information
    Status:
    Testing
    Stable Release Date: 2020-12-11

    Created 2020-01-14
    Last Updated 2020-12-13
    11
    Hi all,
    a new build is available for download and will soon be also offered via OTA update:
    https://sourceforge.net/projects/li...NOFFICIAL-microG-signed-oneplus3.zip/download

    • ASB Security string 2020-07-05
    • Kernel: Wireguard tag v1.0.20200623 (of course, as every month, kernel is upstreamed from here)
    • microG: updated prebuilt GmsCore fom /e/ project (fixed FCM registration issues and delay with Signal app)
    • F-Droid updated to 1.8 / F-Droid privileged extension updated to 0.2.11
    • Aurorastore updated to 3.2.9 / AuroraServices updated to 1.0.6

    Happy flashing, regards M.

    P.S.: Meanwhile, there is TWRP 3.4.0 available for our device, I recommend to update it as well (not a requirement, but recommended)
    9
    February ASB update

    Hi all, a new build is available for download:
    https://sourceforge.net/projects/li...NOFFICIAL-microG-signed-oneplus3.zip/download

    • Security string 2020-02-05
    • Bromite System Webview 79.0.3945.139
    • AuroraStore 3.1.8

    It is also offered by the updater up as OTA update.
    Regards, M.
    8
    LineageOS 17.1 successor thread and final 16.0 build with January 2021 ASB patches

    Hi all,
    a new build with January 2021 ASB patches is available for download and will soon be offered as OTA update:
    • ASB Security string 2021-01-05
    • Bromite Webview on 87.0.4280.131
    • Updated microG from upstream to 0.2.16.204713-10 (picked until 2f29b93)
    • Updated F-Droid to 1.10-alpha1-212
    Please note, that this build is the final LineageOS 16.0 build. - As announced and as some of you may already have seen, I have opened a new thread for the LineageOS 17.1 successor build of this hardened microG ROM:

    You can simply "dirty-flash" the "microG" LineageOS 17.1 build over the "microG" build of this thread. I recommend to go this path in the near future.

    Of course, I will keep this thread open for a while and answer topics related to this 16.0 build and how to migrate to the 17.1 successor build. I would like to take the opportunity to thank you for your interest in this build and look forward to seeing you in my new 17.1 successor thread.

    Happy flashing, cheers - M.
    7
    Change log

    January 17th, 2021

    • ASB Security string 2021-01-05
    • Bromite Webview on 87.0.4280.131
    • Updated microG from upstream to 0.2.16.204713-10 (picked until 2f29b93)
    • Updated F-Droid to 1.10-alpha1-212

    December 13th, 2020
    • ASB Security string 2020-12-05
    • Kernel: Upstreamed to tag ASB-2020-12-05_3.18
    • Bromite Webview on 87.0.4280.106
    • Updated microG from upstream to 0.2.14.204215-15 (picked until 720b089)
    • Updated F-Droid to 1.10-alpha1-114

    November 08th, 2020
    • ASB Security string 2020-11-05
    • Kernel: Upstreamed to tag ASB-2020-11-05_3.18
    • Kernel: Fix of bug causing crashes with Wireguard in native mode
    • Fix of AOSP E-Mail widget
    • Fix for CVE-2020-15999
    • Bromite Webview on 86.0.4240.181
    • Updated microG with fixes in GCM and EN API
    • Replaced weak F-Droid signatures with ROM's V2 signatures

    October 08th, 2020
    • ASB Security string 2020-10-05
    • Bromite Webview on 86.0.4240.73
    • Kernel: Upstreamed to tag ASB-2020-10-05_3.18
    • microG 0.2.12.203315 - including "Exposure notification API" for use of Covid tracing apps
    • Additional hardening (bionic and constified JNI method tables)

    September 12th, 2020
    • ASB Security string 2020-09-05
    • Bromite Webview updated to 85.0.4183.86
    • Kernel: Upstreamed to tag ASB-2020-09-05_3.18
    • Kernel: Wireguard tag v1.0.20200908
    • Kernel: Fix USB-OTG unplug crash (thanks to @nvertigo67)
    • Added eSpeak TTS engine (FOSS TTS solution)

    August 8th, 2020
    • ASB Security string 2020-08-05
    • Bromite Webview updated to 84.0.4147.113
    • Kernel: Upstreamed to tag ASB-2020-08-05_3.18
    • Kernel: Wireguard tag v1.0.20200729
    • Kernel: qcacld-2.0 merge of CAF tag LA.UM.7.6.r1-07800-89xx.0
    • Location of the firewall functionality has moved to Network > Data usage in Settings (latest cherry-pick from here)

    July 10th, 2020
    • ASB Security string 2020-07-05
    • Kernel: Wireguard tag v1.0.20200623
    • microG: updated prebuilt GmsCore fom /e/ project (fixed FCM registration issues)
    • F-Droid updated to 1.8 / F-Droid privileged extension updated to 0.2.11
    • Aurorastore updated to 3.2.9 / AuroraServices updated to 1.0.6

    June 10th, 2020
    • ASB Security string 2020-06-05
    • Kernel: Wireguard tag v1.0.20200520
    • Bromite Webview on 83.0.4103.101
    • Sepolicy: Netmonitor exception f. "Tracker Control" app

    May 6th, 2020
    • ASB Security string 2020-05-05
    • Telephony: Option to set different ringtones in case of Dual SIM
    • Kernel: Native Wireguard support
    • Kernel: Merged CAF tag LA.UM.7.6.r1-07400-89xx.0 (also f. WLAN)
    • Kernel: Misc. optimizations
    • Bromite Webview on 81.0.4044.127
    • AuroraStore updated to 3.2.8

    April 10th, 2020
    • ASB Security string 2020-04-05
    • Fix for CVE-2020-8597 (external/ppp)
    • Kernel: CVE-2019-10638 siphash 128bit for IP generation
    • Bromite Webview on 81.0.4044.76
    • AuroraStore updated to 3.2.4

    March 16th, 2020 - interim release
    • Vendor blob update to reflect OOS 9.0.6 - vendor sec. patch level now 2019-10-01
    • Debloated from Alipay, WeChatpay, Soter and IFAA

    March 7th, 2020
    • Security string 2020-03-05
    • Bromite System Webview 80.0.3987.118
    • AuroraStore 3.2.0
    • Added Netguard app (F-Droid) to SELinux domain allowing /proc/net

    February 19th, 2020 - interim release
    • Kernel fix for crash when doing VoIP telephony

    February 7th, 2020
    • Security string 2020-02-05
    • Bromite System Webview 79.0.3945.139
    • AuroraStore 3.1.8

    January 14th, 2020
    Initial feature list:
    • Pre-installed microG and F-Droid same as the LineageOS for microG project
    • Pre-installed AuroraStore (Version 3.1.7) with AuroraServices 1.0.5
    • OTA Support
    • Access to /proc/net blocked for user apps
    • Bundled netmonitor app to allow network monitoring
    • Enhanced Privacy Guard: Switches for motion sensors and other sensors
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking
    • Optional disable captive portal detection
    • Firewall UI
    • No submission of IMSI/IMEI to Google/Sony when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView 79.0.3945.107
    • Additional restrictions for secondary users
    • Increased password length