Development [ROM][13][UNOFFICIAL][Raven/Oriole] Magisk Patched GrapheneOS + Lockable Bootloader

[Tresans]

Hello,

Can I install it on a pixel6a with grapheneos

Kindly regards

 

[FireRattus]

No but you can build it for the pixel 6a yourself

Guide to Lock Bootloader while using Rooted GrapheneOS (Magisk Root)

This guide is intended to help people to achieve having a Pixel 6 Pro using GrapheneOS with Root (using Magisk) and a Locked Boot Loader Though it should be possible to do this with any device that GrapheneOS officially supports. Do not ever...

forum.xda-developers.com

 

[FireRattus]

an error in source forge has caused recently uploaded files to disappear for a lot of people
I see at least 6 new tickets opened in the last hour about it from different people
So I am just going to wait and see what happens, at the moment those links are down but I believe they will come back up

Edit: It's fixed now

 

[FireRattus]

New Release #2023012500
Changes since the 2023011000 release:

• don't send IMSI / Phone number to SUPL server when SUPL is enabled (note: using SUPL is always an optional choice in APN configuration on GrapheneOS, unlike AOSP and the stock OS)
• SELinux policy: drop auditing for apk_data_file execute/execute_no_trans (research is done)
• SELinux policy: add back apk_data_file execute/execute_no_trans for adb shell for debugging use cases (removing it isn't really useful for hardening and we plan on hardening ADB for the verified boot model another way)
• Settings: revert to standard Android 13 minimum threshold of 10% for automatic battery saver since lowering it below 10% doesn't work as intended without more invasive changes outside the scope of GrapheneOS
• fully disallow installing instant apps instead of permitting ADB shell and system apps to do it (this will simplify future work)
• extend self app-op spoofing used for Network permission compatibility to unsafeCheckOpRaw()
• fix upstream bug causing crash from isServiceTokenValidLocked() being called without holding the lock
• Sandboxed Google Play compatibility layer: support enabling compatibility layer for any package on debuggable builds to help with development
• Sandboxed Google Play compatibility layer: coerce Play Store into not attempting to auto install AR services
• Sandboxed Google Play compatibility layer: fix issues with Play Store updates of Play services
• Sandboxed Google Play compatibility layer: avoid our implementation of the Play services location API returning null for getCurrentLocation() to avoid crashes in apps not handling it
• Sandboxed Google Play compatibility layer: increment compatibility layer version to 1001
• Sandboxed Google Play compatibility layer: use the most recent available version map in GmsCompatConfig to simplify defining configuration
• Sandboxed Google Play compatibility layer: improve stack trace parser used for dynamic exception shims
• Sandboxed Google Play compatibility layer: add shim for making Bluetooth adapter discoverable
• Sandboxed Google Play compatibility layer: improve UX for "Action required in Play Store" notification
• Sandboxed Google Play compatibility layer: add new shims to support requesting temporary screen capture from the user via the standard unprivileged approach for Chromecast screen casting (currently lacks shims to support audio capture)
• GmsCompatConfig: add stub for LocationManager.registerGnssStatusCallback()
• GmsCompatConfig: update max supported version of Play services and Play Store
• stop re-enabling deprecated 2-button navigation option since Android no longer has official support for it and is gradually breaking support for it including making changes knowingly introducing bugs with it since it's not meant to be used (traditional 3-button navigation is still fully supported)
• Settings: add GrapheneOS Camera to list of mandatory components since only system camera apps can provide the media capture intents required by other apps on Android 11 and above (can still be disabled via ADB but we want to avoid easy ways to break the OS in the UI)
• kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.80
• extend the install available apps feature (allows Owner user to install apps in other users) to apps only installed in secondary profiles
• Apps: update to version 13
• add GrapheneOS fs-verity public key as a supported key
• require fs-verity for installing system app updates (will be enforced at boot for verified boot enhancement in a future release due to the need to phase in the feature properly because of future out-of-band app updates on earlier OS releases)
• Vanadium: update Chromium base to 109.0.5414.118
• SettingsIntelligence: drop no longer required QUERY_ALL_PACKAGES permission now that more precise queries are defined upstream providing the necessary package visibility for Settings app search

Download in Post #2

 

[Sebacestmoi]

Hi,
First, thank you for your dedication releasing all these patched version of the ROM.
I'm actually using ProtonAOSP but I'm highly thinking about switching to GrapheneOS and I need Root.
If I flash your GrapheneOS build but one day you will stop updating your rooted release, will I be able to update it with my own version or does it change something about the signing of the ROM ?
Kind regards

 

[FireRattus]

Hi,
First, thank you for your dedication releasing all these patched version of the ROM.
I'm actually using ProtonAOSP but I'm highly thinking about switching to GrapheneOS and I need Root.
If I flash your GrapheneOS build but one day you will stop updating your rooted release, will I be able to update it with my own version or does it change something about the signing of the ROM ?
Kind regards

I am glad you appreciate it, so to answer your questions
You will be able to update it with your own build of grapheneOS if you didn't lock the bootloader
But if you did lock the bootloader, to my understanding you will either need to unlock the bootloader or build your version of the rom signed with the same keys I used. it's possible for you to easily backup everything on your phone with a thing like Swift Backup if your phone is rooted, so you could perform a full backup in order to switch to your build
when you lock the bootloader, everything you flash will need to be signed correctly with the correct keys
which is why I use AVBRoot to patch and sign the OTA files

 

[FireRattus]

New Release #2023020200
Changes since the 2023012500 release:

• Settings: fix issue preventing users from re-enabling system apps they previously disabled which can no longer be disabled
• fix upstream Android bug causing out-of-band updates to system components using original-package to be rolled back after reboot if they're still using the old package name, which will allow us to ship Vanadium updates out-of-band without the browser package updates being rolled back for users with an older install where it's still org.chromium.chrome instead of app.vanadium.browser
• SELinux policy: drop base OS apk_data_file restrictions to avoid blocking out-of-band updates to APK-based system components (this was a minor security feature that's being replaced with our recent and ongoing improvements to package manager and verified boot security to close major weaknesses in the standard Android verified boot security model)
• disable package parser cache since it provides a verified boot bypass for system component updates for regular boots while saving less than a second of boot time
• perform additional boot-time checks on system package updates in order to extend verified boot to out-of-band system package updates including enforcing having valid signed fs-verity metadata for continuous verification (Android does not even provide working boot-time verification for out-of-band APK updates for non-APEX components)
• reimplement requiring fs-verity when installing system package updates in a better way
• remove unnecessary warning for failed virtual A/B sideloaded updates since it's atomic just like A/B updates
• drop our extension to the install available apps feature (which is still available, without this extension) making it work for apps not installed in Owner since this is risky in a situation where there are actually separate people using secondary users and while we want to provide this feature, we'd need to come up with a way to address this to add it back
• SetupWizard: stop enabling Wi-Fi automatically
• SetupWizard: stop sending unused sticky broadcast
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision
• kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.89
• kernel (Pixel 7, Pixel 7 Pro): update Mali GPU driver to QPR2 Beta 3 release
• kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR2 Beta 3 providing 2023-02-05 security patch level for the kernel
• Apps: update to version 14
• Auditor: update to version 68
• Camera: update to version 59
• Vanadium: update Chromium base to 110.0.5481.61

Download in Post #2

 

[FireRattus]

New Release #2023020600​

Changes since the 2023020200 release:

• full 2023-02-01 security patch level
• full 2023-02-05 security patch level
• rebased onto TQ1A.230205.002 release
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.162
• kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.91
• Seedvault: update to latest revision (we plan on replacing this with a new backup implementation since Seedvault is buggy/unreliable, has consistently needed security fixes applied downstream, has failed to provide the originally planned core features and despite being initially created by a GrapheneOS community member for GrapheneOS was taken over by a group hostile towards it)
• Seedvault: require lock method to enable backups to prevent accessing internal app data for a device that has been unlocked without the lock method for the user profile, similar to how enabling developer options requires the lock method
• SetupWizard: update GrapheneOS string branding
• fix renaming of original-package Vanadium provider authorities regressed in the previous release due to the fix for an upstream Android 13 bug
• Dialer: add dark mode to call UI dial pad
• Pixel 4, Pixel 4 XL: switch to TP1A.221005.002.B2 (February 2022) vendor files
• GmsCompatConfig: update max supported version of Play services and Play Store

Download in Post #2

 

[Sebacestmoi]

I am glad you appreciate it, so to answer your questions
You will be able to update it with your own build of grapheneOS if you didn't lock the bootloader
But if you did lock the bootloader, to my understanding you will either need to unlock the bootloader or build your version of the rom signed with the same keys I used. it's possible for you to easily backup everything on your phone with a thing like Swift Backup if your phone is rooted, so you could perform a full backup in order to switch to your build
when you lock the bootloader, everything you flash will need to be signed correctly with the correct keys
which is why I use AVBRoot to patch and sign the OTA files

Hi, thank you for the answer and sorry for answering so lately, I was on holiday.
If i keep the bootloader unlocked, can I just manually sideload the updates, patch the boot with Magisk Manager and flash it and do it like that every month or is there something else special to do ?

 

[FireRattus]

Hi, thank you for the answer and sorry for answering so lately, I was on holiday.
If i keep the bootloader unlocked, can I just manually sideload the updates, patch the boot with Magisk Manager and flash it and do it like that every month or is there something else special to do ?

not a problem, and well basically if you keep the bootloader unlocked
Once you have root by flashing a patched boot which you patch with magisk
then when you want to update, you download and install the OTA like normal when it asks you to update but you do NOT Restart, before restarting you open magisk and install to the inactive slot
then when you restart you will still have root, if you forget to do this and install the OTA then restart without installing to the inactive slot, then you will only lose root, and will have to patch and flash the boot image again

 

[Sebacestmoi]

Thank you for all your precious tips about GrapheneOS

 

[abalam]

A question. Is this rom suitable for running aosp mod and project theme?

 

[FireRattus]

A question. Is this rom suitable for running aosp mod and project theme?

I have not tried, it would be fairly easy to try for yourself
I may try using AOSPMods but Project Themer costs money so I am not able to test that

Thank you for all your precious tips about GrapheneOS

My Pleasure

 

[pixel7]

I have not tried, it would be fairly easy to try for yourself
I may try using AOSPMods but Project Themer costs money so I am not able to test that


My Pleasure

How Can i contact you?

Thanks in advance

 

[FireRattus]

How Can i contact you?

Thanks in advance

Sure, not a problem

 

[Armadillo0106]

I tried to install but it shows for ./flash as invalid and tried just flash without ./ and it says fastboot missing... When tried fastboot --version its showing a valid fastboot, tried to reinstall and all
Nothing worked

 

[FireRattus]

I tried to install but it shows for ./flash as invalid and tried just flash without ./ and it says fastboot missing... When tried fastboot --version its showing a valid fastboot, tried to reinstall and all
Nothing worked

you need to use that command in the location you have that file
like open the terminal in the location of the flash.sh or flash.bat so that using ./ will point it to the right file

 

[Armadillo0106]

you need to use that command in the location you have that file
like open the terminal in the location of the flash.sh or flash.bat so that using ./ will point it to the right file

So its not via command in adb... Unzip tha file and open command line and proceed right

 

[FireRattus]

So its not via command in adb... Unzip tha file and open command line and proceed right

yes exactly, follow the installation instructions https://grapheneos.org/install/cli#flashing-factory-images

 

[FireRattus]

New Release #2023022300​

Changes since the 2023021000 release:
Include changes since the 2023020600 release:

• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.168
• kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.94
• HTTPS-based network time: switch to custom X-Time header with UTC time in milliseconds to improve precision
• HTTPS-based network time: establish HTTPS connection with another request in advance and then reuse it to improve accuracy
• HTTPS-based network time: set clock offset field used by tests
• HTTPS-based network time: improve logging
• HTTPS-based network time: simplify implementation
• reduce time update threshold to 50ms from Android's default 2000ms instead of allowing the clock to get up to 2s out-of-date
• reduce system clock drift warning to 250ms from Android's default 2000ms
• simplify our implementation of disabling cellular-based automatic time by using the standard permitted origin configuration
• simplify our implementation of disabling network time refresh when automatic time is disabled (unlike GrapheneOS, Android always performs network time checks and the user only controls whether the results from any of the automatic time methods are used)
• Messaging: avoid crash caused by upstream bug when forwarding a message
• Seedvault: add back restore action in settings without marking it experimental
• Settings: fix accessibility settings links for SetupWizard
• add shared infrastructure for GrapheneOS settings and port the settings to it (improves UI of Settings)
• Settings: only allow Owner to control our added toggle for camera availability on lockscreen since it's global
• hardened_malloc: preserve errno for free calls (future POSIX requirement)
• simplify infrastructure for special runtime permissions (Network, Sensors)
• Sandboxed Google Play compatibility layer: remove obsolete shim now handled by GmsCompatConfig
• GmsCompatConfig: update to version 33
• GmsCompatConfig: update to version 34
• Vanadium: update to version 110.0.5481.65
• Vanadium: update to version 110.0.5481.154
• use C.UTF-8 locale for build environment to avoid dependency of the en_US.UTF-8 locale being available

• ---- 2023020600 release changes ----
• add toggle to Settings ➔ Location for force disabling SUPL as a carrier-independent replacement for editing APN configuration since editing APN configuration is unintuitive, not fully respected on Tensor SoC devices and users with no carrier should be able to disable it without using airplane mode
• Vanadium: update Chromium base to 110.0.5481.64
• GmsCompatConfig: update max supported version of Play Store
• Apps: update to version 15

Download in Post #2