Development [ROM][13][UNOFFICIAL][Raven/Oriole] Magisk Patched GrapheneOS for Pixel 6/Pro

FireRattus

Senior Member
Feb 26, 2022
139
93
Magisk Patched Unofficial GrapheneOS for the Pixel 6 / 6 Pro (oriole/raven)

This ROM will allow you to lock the bootloader. Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root.
This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition.
In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed.
This effectively renders the device hard bricked.

I am not responsible for any harm you may do to your device; follow at your own risk, etc. Rooting your device can potentially introduce security flaws, and I am not claiming this to be secure. If you would like to have more security and peace of mind, then I highly recommend you follow This Guide to build this ROM using your own encryption keys.

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. It was founded in 2014 and was formerly known as CopperheadOS.

The features page provides an overview of the substantial privacy and security improvements added by GrapheneOS to the Android Open Source Project (AOSP). Many of the past features were contributed to AOSP, Linux and other projects to improve privacy and security for billions of users so they're no longer listed on the features page.

More info:
Official releases are available on the releases page (Not Magisk Patched) and installation instructions are on the install page.
GrapheneOS also develops various apps and services with a focus on privacy and security. Vanadium is a hardened variant of the Chromium browser and WebView specifically built for GrapheneOS. GrapheneOS also includes our minimal security-focused PDF Viewer, our hardware-based Auditor app / attestation service providing local and remote verification of devices, our modern privacy / security focused camera app, and the externally developed Seedvault encrypted backup which was initially developed for inclusion in GrapheneOS.

No Google apps or services

GrapheneOS will never include either Google Play services or another implementation of Google services like microG. It's possible to install Play services as a set of fully sandboxed apps without special privileges via our sandboxed Google Play compatibility layer. See the FAQ section for more details on our plans for filling in the gaps from not shipping Play services and Google apps.

Installation Instructions: Flashing-factory-image
Locking the bootloader is optional but does increase the device security: Locking-the-bootloader

Update Instructions: simply follow these instructions (Updates-sideloading) to sideload the latest patched OTA update package. (You can update from any previous version if using the full OTA update.)

Android OS Version: 13
Current Version: See Post #2
Download: See Post #2

Sources: GrapheneOS - AVBRoot - Magisk - Patch Guide

PayPal Donation Link
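
The warning at the top of this post concerns one specific state: a locked bootloader with the OEM unlocking checkbox turned off. As an added example (not part of the original post, and not code from GrapheneOS, AVBRoot or Magisk), this shell script classifies that state from values read over adb or fastboot. It assumes the standard AOSP properties `ro.boot.flash.locked`, `sys.oem_unlock_allowed` and `ro.boot.verifiedbootstate`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag the state the first post warns about, i.e. a locked
# bootloader with "OEM unlocking" disabled, before rebooting a rooted device.
#
# Assumed inputs (standard AOSP properties, read over adb):
#   ro.boot.flash.locked       1 = bootloader locked, 0 = unlocked
#   sys.oem_unlock_allowed     1 = "OEM unlocking" enabled in Developer options
#   ro.boot.verifiedbootstate  green | yellow | orange | red

# parse_unlock_ability: read the output of
#   fastboot flashing get_unlock_ability 2>&1
# on stdin and print the 0/1 value; print nothing if the line is absent.
parse_unlock_ability() {
    sed -n 's/.*get_unlock_ability:[[:space:]]*\([01]\).*/\1/p' | head -n 1
}

# classify_state LOCKED UNLOCK_ALLOWED VBSTATE
# Exit status: 0 = still recoverable via fastboot,
#              1 = a broken boot partition would be unrecoverable,
#              2 = values missing or unexpected.
classify_state() {
    locked=$1 allowed=$2 vbstate=$3
    case "$locked:$allowed" in
        1:1)
            echo "OK: bootloader locked, OEM unlocking enabled (vbstate=$vbstate)"
            # A locked device booting an image signed with a user key reports yellow.
            [ "$vbstate" = "yellow" ] || echo "NOTE: vbstate is not yellow; custom AVB key may not be in use"
            return 0 ;;
        1:0)
            echo "DANGER: bootloader locked and OEM unlocking disabled;"
            echo "        'fastboot flashing unlock' would be refused if boot breaks"
            return 1 ;;
        0:0|0:1)
            echo "OK: bootloader unlocked; partitions can be reflashed from fastboot"
            return 0 ;;
        *)
            echo "UNKNOWN: could not read lock state (locked='$locked' allowed='$allowed')"
            return 2 ;;
    esac
}

# read_prop NAME: fetch one property from the connected device.
read_prop() {
    adb shell getprop "$1" | tr -d '\r'
}

# check_device: classify the device currently attached over adb.
check_device() {
    classify_state "$(read_prop ro.boot.flash.locked)" \
                   "$(read_prop sys.oem_unlock_allowed)" \
                   "$(read_prop ro.boot.verifiedbootstate)"
}

# Only touch a real device when asked to; otherwise the functions above can
# be used on values captured earlier.
if [ "${1:-}" = "--device" ]; then
    check_device
    exit $?
fi
```

Run it with `--device` while the phone is booted and connected over adb; a non-zero exit status means the checkbox should be re-enabled before making any further changes as root.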
 
FireRattus

Builds for Pixel 6 (Oriole)

Magisk-Patched GrapheneOS Factory Install Build
Full system install builds for clean and new installs

Build based on release#2023012500 (2023-01-25)
SourceForge_Download

Build based on release#2023011000 (2023-01-10)
SourceForge_Download

Build based on release#2023010300 (2023-01-03)
SourceForge_Download | 1fichier_Download

Build based on release#2022122000 (2022-12-20)
Anonfiles Download | 1fichier Download

Build based on release#2022121400 (2022-12-14)
Anonfiles Download | 1fichier Download

Build based on release#2022121100 (2022-12-11)
Anonfiles Download | 1fichier Download

Build based on release#2022120300 (2022-12-03)
Anonfiles Download | 1fichier Download

Build based on release#2022113000 (2022-11-30)
Anonfiles Download

Build based on release#2022112500 (2022-11-25)
Anonfiles Download

Magisk Patched OTA Update packages
Full OTA Builds will let you update from any older version

Patched OTA based on release#2023012500 (2023-01-25)
SourceForge_Download

Patched OTA based on release#2023011000 (2023-01-10)
SourceForge_Download

Patched OTA based on release#2023010300 (2023-01-03)
Anonfiles Download | SourceForge_Download | 1fichier Download

Patched OTA based on release#2022122000 (2022-12-20)
Anonfiles Download | 1fichier Download

Patched OTA based on release#2022121400 (2022-12-14)
Anonfiles Download | 1fichier Download

Patched OTA based on release#2022121100 (2022-12-11)
Anonfiles Download | 1fichier Download

Patched OTA based on release#2022120300 (2022-12-03)
Anonfiles Download | 1fichier Download

Patched OTA based on release#2022113000 (2022-11-30)
Anonfiles Download

Patched OTA based on release#2022112500 (2022-11-25)
Anonfiles Download

Builds for Pixel 6 Pro (Raven)

Always do a backup of your data before flashing any updates, just in case.

I make no promises that this works or that I will provide regular updates. I will attempt to provide updates when they are available and I have time. You may have issues with this ROM; you could lose your data or brick your device (although it's very unlikely if you follow the instructions and use common sense).
 
FireRattus

New Release #2022120300
Changes since the 2022113000 release:
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): add back our change enabling ARM64_SSBD now that upstream issues with it are resolved for this branch
  • Sandboxed Google Play compatibility layer: avoid chain crash of GmsCompat app following process death from OOM killer, etc.
  • Vanadium: update Chromium base to 108.0.5359.79
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.76
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Generic 5.10, Generic 5.15): update to latest GKI LTS branch revision
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro): update Mali GPU driver to r37p0 (current release is r41p0 but there are substantial changes to the driver for the Tensor SoC on Pixels and it will take substantial work to upgrade all the way)
  • remove broken, obsolete upstream code causing install permissions defined by user install apps not being automatically granted for user installed apps installed before the app defining the permissions unless the app is reinstalled
  • Messaging: update MMS configuration database based on Google Messages 20221115_01_RC01
  • Dialer: update visual voicemail (VVM) configuration database based on Google Phone 90.0.477356402
  • Dialer: adjust VVM configuration database entries for compatibility with AOSP
Download in Post #2
 

nutzfreelance

Senior Member
Mar 6, 2022
217
65
does the full system install include the android 13 boot loader? if someone was still on A12 should they do a full oem update first?
 

FireRattus

brilliant thanks!! can i ask a reallly random stupid question please. if i have a stock pixel 6 rom, can i just run the ota update to keep present apps/data in place and to upgrade it to graphene or would that break my phone if not already running graphene?
You must install Graphene OS first, and if you want to lock the bootloader then you will need to erase your data anyway

People from GrapheneOS will permanently suspend your account on their forums for simply telling people that it is in fact possible to ROOT Graphene and Lock the Bootloader
They like to LIE to people and tell them it's impossible, while preventing anyone from contradicting them
 

Sbodezzi

Senior Member
Jul 5, 2013
76
24
I flashed the oriole image flawlessly, everything seems to be fine except for the Magisk manager that keeps crashing. Do I need to do something in order to make it work?

Edit: my bad, I was installing a super old version of Magisk. Sorry.
Thank you so much for your hard work.
 

timuh

New member
Jul 23, 2009
4
0
I can't find any information on whether it's possible to use Google Pay and Android Auto again with a rooted GrapheneOS and a working Magisk module.
I like Graphene and the features but it sucks to use an iPhone for my car and not be able to use my Galaxy Watch for paying for something :/

Has anyone got an idea, or is the only possibility to flash stock Google for both apps?
 

FireRattus

You cannot use google pay with official Graphene, I mean it works with loyalty cards but not NFC payment cards
So you should not expect it to work with a magisk patched Graphene, maybe you can find some magisk module and a configuration to get safety net passing and google pay working. But I am not aware of anything that works with Graphene
 

boom15

Member
Oct 27, 2021
38
5
Why go through so much headache with a build for such a simple task as re-signing, especially for Graphene? Just get the OTA, follow the instructions in avbroot's readme.txt, and that's it.
I would understand if you made any changes to the source (patches, unneeded apps, own apps, implementing root). But just for a locked bootloader? The bootloader, locked or not, is doing its job.
If you lose your device or somebody steals it, how does a locked bootloader help? Getting your data from recovery (it's stock, not custom) over adb shell is not possible if you use a passcode. Find device or location is not in the Graphene build. You can't pass Safetycheck or use the phone for contactless payments (NFC).
So all that wind is just to not allow a thief to reflash and use the device?
 

FireRattus

If you think it's too much headache, that's fine, it's not for you.
I prefer to build it from source myself using my own keys for the whole process, it may be possible as you say just to patch the provided ota with avbroot, but I haven't tested this and don't have any plans to

I don't want to argue about the potential security benefits or downsides, If you don't believe it's secure and you don't feel safe using it then just don't use it. I like my data being secure and not easily accessible, regular backups are important

You can't pass safetynet or use google pay for contactless payments on official graphene, so please take it up with them to fix that as rooting it isn't going to make you more likely to pass safetynet

The thief can always just reflash and use the device unless you disable OEM unlocking in the developer settings
But you should not do this, because if something happened and your phone started to boot loop or something then there would be no way to fix it and you will brick your device, but at least your data will be safe if you had the bootloader locked
 

boom15

Read one more time my comment
  1. I didn't say that I will or plan to use your guide to build. I said that it is too much work for the average person.
  2. I saw your post where you clearly state that you want a locked bootloader. I pointed to the easiest way to do that. Don't like it? Do what you like.
  3. As for patching the OTA using avbroot: I did it and tested it on my own Pixels (6a, 2 -6, not pro) and I am not pushing you to do that. Like everyone here, I want to show people another option.
  4. I don't need a ROM signed by you or anyone else. It's a personal ROM and I do not have the time or willingness to inspect it. For me it's enough that I trust the Graphene team! I already build a ROM for myself with root implemented, patching some Graphene code, removing some APKs and replacing them with mine and the settings that I need. Of course I sign it, but that ROM is for me and my family, not for the public. So there is no need for secondhand ROMs.
  5. I didn't say that you are responsible for NFC or passing SafetyNet; I just want to point out that locking the bootloader does not help with these issues. I don't expect you to fix that. You said that you didn't touch the code. It's Graphene and it's on their side. I have used Graphene long enough to know its advantages and disadvantages.
  6. And like you, I don't intend to start a security discussion here or with anyone else. Don't worry and have a good day!
 

FireRattus

1. I already know this, I thought this would be obvious. I think using Graphene OS at all is too much for the average person, the average person will just use their phone as it comes and never put a custom ROM onto it. This was never intended for the average person.

2. I appreciate that there is an easier way to do it, but I already said I was going to do what I like instead.

3. I appreciate that you have tested this works, I will likely update the guide I have created with this information for people who don't want to build it from source but would also prefer to patch official builds with Magisk themselves.

4. I do highly recommend everyone builds it themselves, I think you should not rely on and trust Graphene to always provide updates that have not been modified in some malicious way, it's always possible they could get hacked and an update build could be silently replaced with a malicious version.

5. Locking the bootloader has nothing to do with SafetyNet for me, it's more about the other protections that locking the bootloader enables, like making it much harder for someone to be able to access my data or use the phone without erasing the data.
Thankfully there are several banking apps which work and even let you use NFC for payments, while you do not pass SafetyNet.

6. I appreciate it, thank you. I hope you have a good day also.
 

Klavaro

New member
May 6, 2017
3
2
I spent half of my week following your guide because with my old ass I7-3770K running Debian within VMware it takes days, since I didn't know there was another way. 😂 The main building part (m target-files-package) took 6,5 hours to complete. Reading what boom15 said, I'd be very happy if I never had to go down this route ever again.

Thank both of you gentlemen for spreading information about this, I wouldn't be able to figure it out by myself.

I guess I only have to download the OTA from grapheneos.org/releases and follow avbroot's readme, right? (I feel like a retard right now for wasting that much time setting up my VM, it running out of disk space, reinstalling it, etc.. 😂😂)
 

FireRattus

I do completely understand and sympathize, I have already updated the guide with this simple method of patching graphene for those who are unable to or don't want to build it from source themselves
I think you have gained some valuable experience and knowledge though which will likely help you in the future with other endeavors.
At least you didn't spend a good couple of weeks trying to patch graphene with magisk manually before I even discovered AVBRoot was a thing, so glad that exists
 

Klavaro

I understand your side too, my end goal would be using only self built opensource software on every device I have, but you gotta start somewhere, right? Maybe once I'll have nothing better to spend money on I'll build myself a newer pc and dual boot linux so it doesn't take ages to build graphene.

I'm all about doing new things, getting experience and knowledge, so I'm not even mad, but just feel relieved that I'll be able to update it easily. At least now I'm getting familiar with Debian, which will come in handy when I get myself to continue setting up my VPS, so I can self-host everything I need.

Well I didn't try that, mainly because I'm curious if I'll be able to use my banking app if I root my phone and lock the bootloader, since that sucker won't even let me use contactless payment with a stock os combined with an unlocked bootloader. 🤷‍♂️
 

FireRattus

New Release #2022121100
Missed a couple of update releases due to build errors then other errors I have finally resolved so

Changes since the 2022120300 release:
  • resolve upstream bug in Android 13 QPR1 causing screen brightness dimming on user profile changes
  • Settings: replace hard-wired refresh rate in the text for the smooth display toggle with the actual max refresh rate used for the device model (Android has the string hard-wired to say 90Hz and expects the device to provide an overlay with the correct string which isn't present in AOSP for Pixels)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.156
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.77
  • Sandboxed Google Play compatibility layer: new infrastructure for controlling Play Store updates of Play Store and Play services with a max version of Play services and the Play Store set via GmsCompatCompat and an override toggle for allowing it to update to any version
  • Sandboxed Google Play compatibility layer: hide GrapheneOS Auditor variant (app.attestation.auditor) from the Play Store so it doesn't try to update it (note: we plan to fully switch to app.grapheneos.auditor.play for the Play Store and we can remove this workaround once we unpublish the GrapheneOS variant of the app there and stop updating it)
  • Pixel 7, Pixel 7 Pro: remove unused Google Camera SELinux policy
  • Auditor: update to version 67
  • Camera: update to version 58

    2022120700
  • Launcher: fix Recent Apps activity crashing when using the TalkBack screen reader due to an incorrect port of the Storage Scopes shortcut to Android 13 QPR1

    2022120600
  • full 2022-12-01 security patch level
  • full 2022-12-05 security patch level
  • rebased onto TQ1A.221205.011 release, which is the first quarterly maintenance/feature release for Android 13
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: rewrite under display fingerprint scanner integration
  • Sandboxed Google Play compatibility layer: set GmsCompat versionCode to 1000 (v1) to prepare for defining dependencies on the compatibility layer version for the Google Play apps mirrored in our app repository
  • Pixel 6, Pixel 6 Pro, Pixel 6a: use Scudo instead of hardened_malloc for camera service for consistency with the Pixel 7 and Pixel 7 Pro until memory corruption issues with it are resolved
  • add back support for OS device controls and wallet quick tiles
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.152
Download in Post #2
 

Top Liked Posts

    New Release #2023012500
    Changes since the 2023011000 release:
    • don't send IMSI / Phone number to SUPL server when SUPL is enabled (note: using SUPL is always an optional choice in APN configuration on GrapheneOS, unlike AOSP and the stock OS)
    • SELinux policy: drop auditing for apk_data_file execute/execute_no_trans (research is done)
    • SELinux policy: add back apk_data_file execute/execute_no_trans for adb shell for debugging use cases (removing it isn't really useful for hardening and we plan on hardening ADB for the verified boot model another way)
    • Settings: revert to standard Android 13 minimum threshold of 10% for automatic battery saver since lowering it below 10% doesn't work as intended without more invasive changes outside the scope of GrapheneOS
    • fully disallow installing instant apps instead of permitting ADB shell and system apps to do it (this will simplify future work)
    • extend self app-op spoofing used for Network permission compatibility to unsafeCheckOpRaw()
    • fix upstream bug causing crash from isServiceTokenValidLocked() being called without holding the lock
    • Sandboxed Google Play compatibility layer: support enabling compatibility layer for any package on debuggable builds to help with development
    • Sandboxed Google Play compatibility layer: coerce Play Store into not attempting to auto install AR services
    • Sandboxed Google Play compatibility layer: fix issues with Play Store updates of Play services
    • Sandboxed Google Play compatibility layer: avoid our implementation of the Play services location API returning null for getCurrentLocation() to avoid crashes in apps not handling it
    • Sandboxed Google Play compatibility layer: increment compatibility layer version to 1001
    • Sandboxed Google Play compatibility layer: use the most recent available version map in GmsCompatConfig to simplify defining configuration
    • Sandboxed Google Play compatibility layer: improve stack trace parser used for dynamic exception shims
    • Sandboxed Google Play compatibility layer: add shim for making Bluetooth adapter discoverable
    • Sandboxed Google Play compatibility layer: improve UX for "Action required in Play Store" notification
    • Sandboxed Google Play compatibility layer: add new shims to support requesting temporary screen capture from the user via the standard unprivileged approach for Chromecast screen casting (currently lacks shims to support audio capture)
    • GmsCompatConfig: add stub for LocationManager.registerGnssStatusCallback()
    • GmsCompatConfig: update max supported version of Play services and Play Store
    • stop re-enabling deprecated 2-button navigation option since Android no longer has official support for it and is gradually breaking support for it including making changes knowingly introducing bugs with it since it's not meant to be used (traditional 3-button navigation is still fully supported)
    • Settings: add GrapheneOS Camera to list of mandatory components since only system camera apps can provide the media capture intents required by other apps on Android 11 and above (can still be disabled via ADB but we want to avoid easy ways to break the OS in the UI)
    • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.80
    • extend the install available apps feature (allows Owner user to install apps in other users) to apps only installed in secondary profiles
    • Apps: update to version 13
    • add GrapheneOS fs-verity public key as a supported key
    • require fs-verity for installing system app updates (will be enforced at boot for verified boot enhancement in a future release due to the need to phase in the feature properly because of future out-of-band app updates on earlier OS releases)
    • Vanadium: update Chromium base to 109.0.5414.118
    • SettingsIntelligence: drop no longer required QUERY_ALL_PACKAGES permission now that more precise queries are defined upstream providing the necessary package visibility for Settings app search
    Download in Post #2
    New Release #2023010300
    Changes since the 2022122000 release:
    2022122700
    • fix upstream Android 13 QPR1 recent apps list bug mainly triggered after user profile switches (Android 13 QPR1 "App not available" bug)
    • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision which provides a proper fix for a backport mistake we discovered and reported
    • block updating system packages to versions with the same versionCode since system packages without releases outside the OS rarely have their versionCode increased when changes are made and therefore it makes it possible to downgrade them which is a security weakness in Android's approach
    • prefer package from OS image over equal version packages installed as an update to improve security by dropping potentially downgraded packages particularly for the verified boot security model, with the bonus of saving disk space by dropping out-of-band updates installed from our app repository once they're redundant
    • add an API for system apps with the privileged INSTALL_PACKAGES permission to search for packages across all profiles in order to avoid redownloading packages that are already installed in another user and to prevent attempting to downgrade a package with a newer version already installed in another user (used by the GrapheneOS app repository client within GrapheneOS to provide a better experience than it can when not integrated into the OS)
    • restore previous lockscreen clock font from before Android Open Source Project 13 QPR1 since the stock Pixel OS overrides it and most people seem to prefer the previous font
    • TalkBack (screen reader): update base code to 13
    • TalkBack (screen reader): update dependencies
    2023010300
    • full 2023-01-01 security patch level
    • full 2023-01-05 security patch level
    • rebased onto TQ1A.230105.002 release
    • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): add Valve Steam Controller driver security fix from the January release not already included in the QPR2 Beta 1 kernel we use as the base (was already included for other devices)
    • add sandboxed Play Store to the dependencies of Google's eUICC packages (eSIM)
    • eUICC compat toggle (eSIM): listen and react to changes to relevant packages
    • add extra logging to debug upstream issue causing AppOps to be reset after reboot
    • fix upstream bug in lite package parser causing targetSdkVersion to not be read in all cases which among other things was causing Android 12+ unattended update support to fail for updating PayPal without user intervention
    • TalkBack (screen reader): revert base code update due to multiple upstream regressions such as Braille keyboard crashes until these issues are resolved
    • System Updater: replace icons with new Material symbols
    • System Updater: use dedicated icons for success and failure notifications
    • Vanadium: enable new third party storage partitioning
    • Storage Scopes: don't show the link for system components with force enabled storage permissions
    • Apps: update to version 8
    • Apps: update to version 9
    • Apps: update to version 10
    • Apps: update to version 11
    • GmsCompatConfig: update max supported versions of Play services and Play Store
    Download in Post #2
    1
    In this case I suggest moving to SourceForge. This'll provide you with mirrors AND they have the ability to use `scp` to push the builds directly to them.
    Here's the documentation for that: https://sourceforge.net/p/forge/documentation/SCP/
    Thank you for this. I found that FileZilla connecting with SFTP was the best way for me to upload directly to SourceForge. It does appear to be a bit slower than Anonfiles was, but I usually just leave it uploading overnight anyway, so it works well. I prefer how SourceForge shows you the file hash so I can verify it was uploaded successfully.
    1

    New Release #2023011000

    Changes since the 2023010300 release:
    • fix upstream bug leading to AppOps being reset after reboot (may occur for users one last time due to corrupt state from before this update)
    • add more logging to resolve another upstream AppOps bug
    • enable adaptive brightness by default
    • Sandboxed Google Play compatibility layer: improve logging of GmsCompatConfig parser errors
    • Sandboxed Google Play compatibility layer: update BluetoothAdapter.enable() shim for Android 13
    • Sandboxed Google Play compatibility layer: fix deadlock when reading state of "Google Location Accuracy" toggle
    • Sandboxed Google Play compatibility layer: delay notification about Google Play crash until after potential config update
    • Sandboxed Google Play compatibility layer: allow bound Google Play apps to request update of GmsCompatConfig
    • Sandboxed Google Play compatibility layer: don't block Play Store from installing APK splits for Play services and itself
    • Sandboxed Google Play compatibility layer: try to update GmsCompatConfig before update of Play services or Play Store
    • GmsCompatConfig: update max supported versions of Play services and Play Store
    • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.161
    • Settings: hide missing illustration for quickly open camera not covered by our earlier fix
    • kernel (Pixel 7, Pixel 7 Pro): update Mali GPU driver to QPR2 Beta 2 release
    • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR2 Beta 2
    • Vanadium: update Chromium base to 109.0.5414.86
    • Apps: update to version 12
    • switch to signing OS source releases (Git tags) with OpenSSH instead of GPG to fully phase out usage of our GPG key (public key list: allowed_signers, key rotation proof via signify: allowed_signers.sig, key rotation proof via GPG: allowed_signers.asc)
    Download in Post #2
  • 3
    Builds for Pixel 6 (Oriole)

    Magisk-Patched GrapheneOS Factory Install Build
    Full system install builds for clean and new installs

    Build based on release#2023012500 (2023-01-25)
    SourceForge_Download

    Build based on release#2023011000 (2023-01-10)
    SourceForge_Download

    Build based on release#2023010300 (2023-01-03)
    SourceForge_Download | 1fichier_Download

    Build based on release#2022122000 (2022-12-20)
    Anonfiles Download | 1fichier Download

    Build based on release#2022121400 (2022-12-14)
    Anonfiles Download | 1fichier Download

    Build based on release#2022121100 (2022-12-11)
    Anonfiles Download | 1fichier Download

    Build based on release#2022120300 (2022-12-03)
    Anonfiles Download | 1fichier Download

    Build based on release#2022113000 (2022-11-30)
    Anonfiles Download

    Build based on release#2022112500 (2022-11-25)
    Anonfiles Download

    Magisk Patched OTA Update packages
    Full OTA Builds will let you update from any older version

    Patched OTA based on release#2023012500 (2023-01-25)
    SourceForge_Download

    Patched OTA based on release#2023011000 (2023-01-10)
    SourceForge_Download

    Patched OTA based on release#2023010300 (2023-01-03)
    Anonfiles Download | SourceForge_Download | 1fichier Download

    Patched OTA based on release#2022122000 (2022-12-20)
    Anonfiles Download | 1fichier Download

    Patched OTA based on release#2022121400 (2022-12-14)
    Anonfiles Download | 1fichier Download

    Patched OTA based on release#2022121100 (2022-12-11)
    Anonfiles Download | 1fichier Download

    Patched OTA based on release#2022120300 (2022-12-03)
    Anonfiles Download | 1fichier Download

    Patched OTA based on release#2022113000 (2022-11-30)
    Anonfiles Download

    Patched OTA based on release#2022112500 (2022-11-25)
    Anonfiles Download

    Builds for Pixel 6 Pro (Raven)

    Always do a backup of your data before flashing any updates, just in case.

    I make no promises that this works or that I will provide regular updates. I will attempt to provide updates when they are available and I have time. You may have issues with this ROM; you could lose your data or brick your device (although it's very unlikely if you follow the instructions and use common sense).
    2
    Magisk Patched Unofficial GrapheneOS for the Pixel 6 / 6 Pro (oriole/raven)

    This ROM will allow you to lock the boot loader. Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root.
    This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition.
    In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed.
    This effectively renders the device hard bricked.

    I am not responsible for any harm you may do to your device, follow at your own risk etc etc, Rooting your device can potentially introduce security flaws, I am not claiming this to be secure. If you would like to have more security and peace of mind then I highly recommend you follow This Guide to build this rom using your own encryption keys.

    GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. It was founded in 2014 and was formerly known as CopperheadOS.

    The features page provides an overview of the substantial privacy and security improvements added by GrapheneOS to the Android Open Source Project (AOSP). Many of the past features were contributed to AOSP, Linux and other projects to improve privacy and security for billions of users so they're no longer listed on the features page.

    More info:
    Official releases are available on the releases page (Not Magisk Patched) and installation instructions are on the install page.
    GrapheneOS also develops various apps and services with a focus on privacy and security. Vanadium is a hardened variant of the Chromium browser and WebView specifically built for GrapheneOS. GrapheneOS also includes our minimal security-focused PDF Viewer, our hardware-based Auditor app / attestation service providing local and remote verification of devices, our modern privacy / security focused camera app, and the externally developed Seedvault encrypted backup which was initially developed for inclusion in GrapheneOS.

    No Google apps or services

    GrapheneOS will never include either Google Play services or another implementation of Google services like microG. It's possible to install Play services as a set of fully sandboxed apps without special privileges via our sandboxed Google Play compatibility layer. See the FAQ section for more details on our plans for filling in the gaps from not shipping Play services and Google apps.

    Installation Instructions: Flashing-factory-image
    Locking the bootloader is optional but does increase the device security: Locking-the-bootloader


    Update Instructions: simply follow these instructions Updates-sideloading to sideload the latest patched OTA update package (You can update from any previous version if using full ota update)

    Android OS Version: 13
    Current Version: See Post #2
    Download: See Post #2

    Sources: GrapheneOS - AVBRoot - Magisk - Patch Guide

    PayPal Donation Link
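
A pre-flight check for the brick scenario in the warning above, added here as an example and not part of the original post or of GrapheneOS: it reads `getprop` output and reports OK only while OEM unlocking is still allowed. The property names `ro.boot.flash.locked`, `sys.oem_unlock_allowed` and `ro.boot.verifiedbootstate` are the ones AOSP exposes and are assumed to apply to this build; the function names and the sample dump are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the AOSP property names
# below are present on this build; sample_dump output is constructed.

# prop NAME DUMP: print one property value from "[name]: [value]" lines.
prop() {
    printf '%s\n' "$2" | awk -v k="[$1]:" \
        '$1 == k { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# Reads `getprop` output on stdin. Returns 0 = safe, 1 = brick risk,
# 2 = state unknown, 3 = unlocked but OEM unlocking is off.
check_unlock_safety() {
    dump=$(tr -d '\r')
    locked=$(prop ro.boot.flash.locked "$dump")
    allowed=$(prop sys.oem_unlock_allowed "$dump")
    vbstate=$(prop ro.boot.verifiedbootstate "$dump")
    if [ -z "$locked" ] || [ -z "$allowed" ]; then
        echo "UNKNOWN: could not read lock state, change nothing"
        return 2
    fi
    if [ "$allowed" != 1 ] && [ "$locked" = 1 ]; then
        echo "DANGER: locked bootloader with OEM unlocking off; re-enable it now"
        return 1
    fi
    if [ "$allowed" != 1 ]; then
        echo "WARN: enable OEM unlocking before running fastboot flashing lock"
        return 3
    fi
    echo "OK: OEM unlocking allowed (locked=$locked, vbstate=${vbstate:-unknown})"
}

# Constructed getprop output: sample_dump LOCKED ALLOWED
sample_dump() {
    printf '[ro.boot.flash.locked]: [%s]\n' "$1"
    printf '[ro.boot.verifiedbootstate]: [yellow]\n'
    printf '[ro.product.device]: [oriole]\n'
    printf '[sys.oem_unlock_allowed]: [%s]\n' "$2"
}

# Live use: sh check.sh --device   (needs adb and an authorised device)
if [ "${1:-}" = "--device" ]; then
    adb shell getprop | check_unlock_safety
fi
```

Running it before and after any root-level change to the boot partition, or before each sideloaded OTA, catches the toggle having been switched off while the device still boots.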
    2
    New Release #2023012500
    Changes since the 2023011000 release:
    • don't send IMSI / Phone number to SUPL server when SUPL is enabled (note: using SUPL is always an optional choice in APN configuration on GrapheneOS, unlike AOSP and the stock OS)
    • SELinux policy: drop auditing for apk_data_file execute/execute_no_trans (research is done)
    • SELinux policy: add back apk_data_file execute/execute_no_trans for adb shell for debugging use cases (removing it isn't really useful for hardening and we plan on hardening ADB for the verified boot model another way)
    • Settings: revert to standard Android 13 minimum threshold of 10% for automatic battery saver since lowering it below 10% doesn't work as intended without more invasive changes outside the scope of GrapheneOS
    • fully disallow installing instant apps instead of permitting ADB shell and system apps to do it (this will simplify future work)
    • extend self app-op spoofing used for Network permission compatibility to unsafeCheckOpRaw()
    • fix upstream bug causing crash from isServiceTokenValidLocked() being called without holding the lock
    • Sandboxed Google Play compatibility layer: support enabling compatibility layer for any package on debuggable builds to help with development
    • Sandboxed Google Play compatibility layer: coerce Play Store into not attempting to auto install AR services
    • Sandboxed Google Play compatibility layer: fix issues with Play Store updates of Play services
    • Sandboxed Google Play compatibility layer: avoid our implementation of the Play services location API returning null for getCurrentLocation() to avoid crashes in apps not handling it
    • Sandboxed Google Play compatibility layer: increment compatibility layer version to 1001
    • Sandboxed Google Play compatibility layer: use the most recent available version map in GmsCompatConfig to simplify defining configuration
    • Sandboxed Google Play compatibility layer: improve stack trace parser used for dynamic exception shims
    • Sandboxed Google Play compatibility layer: add shim for making Bluetooth adapter discoverable
    • Sandboxed Google Play compatibility layer: improve UX for "Action required in Play Store" notification
    • Sandboxed Google Play compatibility layer: add new shims to support requesting temporary screen capture from the user via the standard unprivileged approach for Chromecast screen casting (currently lacks shims to support audio capture)
    • GmsCompatConfig: add stub for LocationManager.registerGnssStatusCallback()
    • GmsCompatConfig: update max supported version of Play services and Play Store
    • stop re-enabling deprecated 2-button navigation option since Android no longer has official support for it and is gradually breaking support for it including making changes knowingly introducing bugs with it since it's not meant to be used (traditional 3-button navigation is still fully supported)
    • Settings: add GrapheneOS Camera to list of mandatory components since only system camera apps can provide the media capture intents required by other apps on Android 11 and above (can still be disabled via ADB but we want to avoid easy ways to break the OS in the UI)
    • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.80
    • extend the install available apps feature (allows Owner user to install apps in other users) to apps only installed in secondary profiles
    • Apps: update to version 13
    • add GrapheneOS fs-verity public key as a supported key
    • require fs-verity for installing system app updates (will be enforced at boot for verified boot enhancement in a future release due to the need to phase in the feature properly because of future out-of-band app updates on earlier OS releases)
    • Vanadium: update Chromium base to 109.0.5414.118
    • SettingsIntelligence: drop no longer required QUERY_ALL_PACKAGES permission now that more precise queries are defined upstream providing the necessary package visibility for Settings app search
    Download in Post #2
    1
    Thanks for this!
    1
    I flashed the oriole image flawlessly, everything seems to be fine except for the Magisk manager that keeps crashing. Do I need to do something in order to make it work?

    Edit: my bad, I was installing a super old version of Magisk :rolleyes: Sorry.
    Thank you so much for your hard work (y)