Development [ROM][13][UNOFFICIAL][Raven/Oriole] Magisk Patched GrapheneOS + Lockable Bootloader

[pixel7]

How to get safetynet CTS profile check?

 

[FireRattus]

How to get safetynet CTS profile check?

Unfortunately I don't know https://forum.xda-developers.com/t/...-using-rooted-grapheneos-magisk-root.4510295/

Something to note is that GrapheneOS does Not Pass the CTS Profile integrity check
and I do Not Pass the Play Integrity API Check currently, Neither the Basic or Strong check
But I can pass the Basic attestation Safety Net test when using the patched SafetyNet Fix
Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity

 

[baraasoliman]

Can I also do that with calyxOS ?

 

[FireRattus]

It has been a while since the last update because I was waiting for google to release the stable update for this months security patches etc but it was delayed until the 20th
So this release skips over / combines updates from a few Graphene Releases

New Release #2023032000​

Changes since the 2023022300 release:

• override carrier selected SUPL server (usually the fallback supl.google.com) to supl.grapheneos.org by default
• Settings: replace toggle for disabling SUPL with a new toggle for choosing between GrapheneOS proxy (default), Standard (carrier choice, usually supl.google.com) and Disabled (users with our previous disable toggle enabled will have their setting preserved as Disabled and users who had disabled it then enabled it will have Standard as the default while anyone who hasn't touched it will have the new GrapheneOS proxy as the initial setting since it's the default)
• Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro: enable and enforce TLSv1.2 for Broadcom gpsd SUPL connections rather than using SSLv2, SSLv3, TLSv1 and TLSv1.1 without TLSv1.2 enabled like the stock OS (Pixel 6a will be changed in the next release)
• GmsCompatConfig: update to version 35
• GmsCompatConfig: update to version 36
• Sandboxed Google Play compatibility layer: add debugging option to skip GNSS location updates
• Sandboxed Google Play compatibility layer: support forcing PhenotypeFlags to their default values
• Sandboxed Google Play compatibility layer: support spoofing self permission checks
• Sandboxed Google Play compatibility layer: add support for GmsCompatConfig force_default_flags section
• Sandboxed Google Play compatibility layer: add support for GmsCompatConfig spoof_self_permission_checks section
• Vanadium: update to version 110.0.5481.154.1
• Vanadium: update to version 111.0.5563.49.0
• System Updater: simplify the title for the silent/collapsed already up-to-date notification
• disallow apps reading Global/Secure settings added by GrapheneOS via the new infrastructure since we currently have no settings apps need to read
• skip INTERNET pre-grant checkbox when installing a system app in a profile where it isn't considered installed since it doesn't work correctly
• add infrastructure for properly handling initial installation of system apps in Apps (our app repository client)
• improve OS debug build developer option for skipping install time fs-verity requirement
• reuse shared infrastructure for our implementation of enforcing a greater rather than greater or equal version for package updates
• replace disabling install time greater versionCode check in OS debug builds with a similar debug build developer option as we use for skipping fs-verity checks at install time
• Apps: update to version 16

Changes since the 2023030400 release:

• full 2023-03-01 security patch level
• full 2023-03-05 security patch level
• rebased onto TQ2A.230305.008.C1 release, which is the second quarterly maintenance/feature release for Android 13
• Pixel 6a: enable and enforce TLSv1.2 for Broadcom gpsd SUPL connections rather than using SSLv2, SSLv3, TLSv1 and TLSv1.1 without TLSv1.2 enabled like the stock OS
• disable compressed APEX support since it only wastes space when not heavily using out-of-band APEX updates and adds more verified boot attack surface
• Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: switch Qualcomm xtra-daemon service to standard time.xtracloud.net server from Pixel-specific time.google.com (we plan to provide the option to use GrapheneOS servers for XTRA time and PSDS data on Qualcomm devices in the future as we do for newer generation Tensor Pixels already, and we have the server-side part implemented already)
• add infrastructure for allowing apps with INSTALL_PACKAGES to avoid trying to install the same package at the same time
• new PIN scrambling implementing extending PIN scrambling to SIM PIN/PUK and redoing PIN scrambling each time the PIN UI is opened
• Settings: reimplement PIN scrambling toggle via modern GrapheneOS settings infrastructure
• Vanadium: update to version 111.0.5563.58.0
• Camera: update to version 60
• GmsCompatConfig: update to version 37

Changes since the 2023031300 release:

• keep PIN scrambling state up-to-date in all cases to make toggling it on or off kick in immediately instead of next time it opens
• adevtool: remove overlay setting config_systemBluetoothStack to the wrong value (caused Bluetooth to break for users with exec-based spawning disabled, which is why the previous release only made it to Beta and not Stable)
• adevtool: remove other unnecessary overlays
• Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: disable GSI keys

Changes since the 2023031500 release:

• Pixel 6, Pixel 6 Pro, Pixel 6a: switch to QPR2 stable release vendor files instead of using the QPR2 3.2 Beta release
• Pixel 6, Pixel 6 Pro, Pixel 6a: stop freezing the patch level at a lower value which we were doing in case QPR2 3.2 Beta was missing firmware and other updates from the 2023-03-05 Pixel patch level
• disable screenshot sound when touch sounds are disabled
• adevtool: add support for converting privileged apps to unprivileged apps
• adevtool: include PixelNfc app on all supported Pixels to enable support for FeliCa on Japanese Pixel models
• adevtool: convert PixelNfc app into an unprivileged app since it doesn't need any privileged APIs
• adevtool: implementation quality improvements
• Settings: remove missing display resolution animation
• CellBroadcastReceiver: drop out-of-sync translations for presidential alerts string
• disable unnecessary auto-grant of Camera permission to eSIM activation app
• Settings: revoke Camera permission from eSIM activation app before enabling it since it was auto-granted in the past
• Sandboxed Google Play compatibility layer: don't spoof self permission checks that come from the compatibility layer itself
• Sandboxed Google Play compatibility layer: add missing CHANGE_WIFI_STATE (Wi-Fi control) special access permission to the list of potential issues shown to users
• GmsCompatConfig: update to version 39
• GmsCompatConfig: update to version 40
• Apps: update to version 17

Download in Post #2

 

[FireRattus]

Can I also do that with calyxOS ?

what do you want to do?

 

[KojakFR]

Is that possible to install LSPosed with that rom?

 

[zubair1836]

Hi, I might be in the wrong thread, but I'm working on a similar project.
Having issues in unpacking and repacking the system.img of GrapheneOS build.
Getting error of "extra 4000 features" when mounting the img. Can anyone help please?

 

[FireRattus]

New Release #2023041100
Changes since the 2023032000 release:

• UPDATED TO MAGISK v26.1
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.169
• allow toggling VoWiFi while roaming by default
• ignore carrier configuration disabling VoWiFi, VoLTE and VoNR toggles to make them available for all newly provisioned setups
• Pixel 6, Pixel 6 Pro, Pixel 6a: add missing SELinux policy context for resku_rescue_kicker (only currently used on Pixel 6a)
• improve infrastructure for GosPackageState and permission self-check spoofing
• fix work profile Storage Scopes link
• only strip out carrier configuration refering to carrier apps that are not included in GrapheneOS to improve compatibility
• Pixel 6, Pixel 6 Pro, Pixel 6a: ship pvmfw as part of over-the-air updates for future use
• Pixel 4, Pixel 4 XL: revert incompatible display mode change
• Dialer: update visual voicemail (VVM) configuration database based on Google Phone 100.0.512999549
• GmsCompatConfig: update to version 41
• GmsCompatConfig: update to version 42
• GmsCompatConfig: update to version 43
• Vanadium: update to version 111.0.5563.116.0
• Camera: update to version 61

Changes since the 2023032600 release:

• Keyboard: apply fix for upstream spell checking bug causing words followed by periods to be flagged as invalid for some configurations
• enable auto-reboot feature by default with a very conservative 72 hour timer (i.e. the device will automatically reboot after 3 days without a successful unlock of any profile by default with users encouraged to set a shorter value to get their data automatically back at rest faster)
• Dialer: add modernized call recording implementation using modern Android storage (no files permission) and with unnecessary cruft removed including not locking availability or playing a recording tone based on region (users are responsible for respecting regional laws including informing the other party or obtaining explicit consent if required)
• Dialer: replace disabling bytecode optimization with a specific rule to keep fragment constructors
• add generic compatibility shim catching the exception from the Gservices provider being missing to enable apps like Google Camera and the Pixel eSIM firmware app (Google eSIM activation app is separate) to work without GSF installed since they don't have any actual hard dependency on either GSF or Play services
• remove unnecessary INTERNET (Network) permission from Pixel eSIM firmware app
• enable Pixel eSIM firmware app by default instead of it being part of the eSIM activation toggle which is now only used for the eSIM activation app (Google eUICC LPA)
• restrict Pixel eSIM firmware app from communication with non-system components to prevent it trying to get flags from GSF or a fake GSF
• Settings: add Pixel eSIM firmware app to the list of apps which can't be disabled via GUI since it updates firmware
• Launcher: hide "all apps" view when search starts to avoid upstream race condition where the wrong app can be opened when pressing too quickly
• Launcher, Keyboard: drop GrapheneOS prefix from naming to match other GrapheneOS apps
• update timezone data to Android mainline (based on tzdata 2022g)
• kernel (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10, Generic 5.15): add back our slab allocator canary feature
• kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10, Generic 5.15): align with linux-hardened BPF JIT configuration (always on with JIT hardening enabled in all cases)
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.176
• kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.98
• Settings: reimplement remote attestation key provisioning toggle via modern GrapheneOS settings infrastructure
• Vanadium: update to version 112.0.5615.48.0
• GmsCompatConfig: update to version 44
• Sandboxed Google Play compatibility layer: improve support for compatibility layer development

Changes since the 2023040400 release:

• full 2023-04-01 security patch level
• full 2023-04-05 security patch level
• rebased onto TQ2A.230405.003.E1 release
• Settings: add toggle for controlling direct access to Tensor hardware accelerators (TPU, GXP) by certain Google apps for users to choose whether Google apps can use more than the portable Android hardware acceleration features such as the Neural Networks API (direct access does not give them any additional data)
• Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: add dynamic control over direct TPU access
• Pixel 7, Pixel 7 Pro: add dynamic control over GXP access by Google Camera
• add support for providing Camera vendor extensions on Pixels via Pixel Camera Services app (at the moment, only the Camera2 Night extension is available for certain devices and CameraX extensions aren't available yet)
• add support for runtime resource overlays (RROs) to exec spawning
• remove support for disabling app visibility filtering since our Pixel eSIM firmware app integration depends on it
• change standard Android package installer behavior to preserving packages being disabled after updating them
• Launcher: add padding to background behind app drawer search bar to work around upstream layout issue
• Contacts: use proper theme for AndroidX dialogs to fix crash
• System Updater: directly enforce respecting network type parameter instead of it solely depending on the JobScheduler constraint
• System Updater: improve code quality and robustness
• System Updater: ask the OS to allocate required storage space before starting update download
• SELinux policy: add back app_data_file execute for adb shell run-as domain
• Sandboxed Google Play compatibility layer: coerce Play Store into updating disabled apps by hiding disabled state from it
• Sandboxed Google Play compatibility layer: add infrastructure for bypassing permission requirements of services provided by Play services
• GmsCompatConfig: update to version 45
• GmsCompatConfig: update to version 46
• TalkBack (screen reader): update base code to 13.0 and overhaul our changes for it including removing proprietary library dependency
• TalkBack (screen reader): update dependencies
• kernel (5.10, 5.15): fix build for non-arm64 architectures

Download in Post #2

 

[FireRattus]

Is that possible to install LSPosed with that rom?

I believe LSPosed should work without any issues

Hi, I might be in the wrong thread, but I'm working on a similar project.
Having issues in unpacking and repacking the system.img of GrapheneOS build.
Getting error of "extra 4000 features" when mounting the img. Can anyone help please?

I'm sorry but I don't think I can help with this, I am basically just using AVBRoot to patch the image with Magisk and sign it
I am not attempting to mount and make any modifications to the system like that

 

[zubair1836]

I'm sorry but I don't think I can help with this, I am basically just using AVBRoot to patch the image with Magisk and sign it
I am not attempting to mount and make any modifications to the system like that

AVBroot requires partition device ID, are you using old magisk or the IDs are all same for raven/oriole?

 

[FireRattus]

AVBroot requires partition device ID, are you using old magisk or the IDs are all same for raven/oriole?

For Raven (Pixel 6 Pro) I was able to get the device ID with my own device, but for the Pixel 6 (Oriole) I was not able to get the device ID and so I have kept that build at 15.2 until someone can provide me with the correct device ID

 

[zubair1836]

For Raven (Pixel 6 Pro) I was able to get the device ID with my own device, but for the Pixel 6 (Oriole) I was not able to get the device ID and so I have kept that build at 15.2 until someone can provide me with the correct device ID

15.2 or 25.2 for Magisk ?
If I'm not worng, all oriole will have same partition name? I thought it was unique for each oriole device.

 

[FireRattus]

15.2 or 25.2 for Magisk ?
If I'm not worng, all oriole will have same partition name? I thought it was unique for each oriole device.

ah sorry I did mean 25.2, and I don't really know, I think it could be different for different roms on the same device

 

[zubair1836]

Thanks for the knowledge, I'm struggling with setting up Magisk patched GrapheneOS for a Pixel 4a (sunfish).
I'm using Magisk 26.0, tried Magisk 25.2 also.
Everything goes fine. But at the end, I don't have a writable system partition. Tried Root Explorer and nothing happens when I mount rw.
Tried adb to remount as rw, getting: 'sysfs' not user mountable in fstab .
Could you help in this?

 

[FireRattus]

Thanks for the knowledge, I'm struggling with setting up Magisk patched GrapheneOS for a Pixel 4a (sunfish).
I'm using Magisk 26.0, tried Magisk 25.2 also.
Everything goes fine. But at the end, I don't have a writable system partition. Tried Root Explorer and nothing happens when I mount rw.
Tried adb to remount as rw, getting: 'sysfs' not user mountable in fstab .
Could you help in this?

I don't really understand exactly what you are doing or not doing to have that issue
I believe it's likely you are missing dependencies or something so that the script is failing to run properly and you end up with a corrupted system instead
You should follow all the instructions to run AVBRoot carefully and you can even try using the VM provided by Artem https://forum.xda-developers.com/t/...-grapheneos-magisk-root.4510295/post-88366269

 

[FireRattus]

New Release #2023050100​

Changes since the 2023041100 release:

• add Storage Scopes link to "All files access" screen
• Launcher: revert additional padding (will need a different workaround for the upstream issue)
• disable UWB (Ultra Wide Band) by default
• Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: enforce XTRA version 3 for PSDS downloads (GNSS satellite almanacs)
• Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: fix generic certificate authority configuration for future use with our Qualcomm PSDS proxy
• Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: remove access to SoC information from GPS user to prevent xtra-daemon from reading SoC serial number and including it in User-Agent
• hwui: backport null pointer check from AOSP master
• keystore: backport generating fallback operation challenge with SecureRandom from AOSP master
• Launcher: backport null pointer check from AOSP master
• backport fix for Bluetooth related system_server crash
• backport 8 media framework memory corruption fixes from AOSP master
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.177
• kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.104
• kernel (5.15): enable RANDOMIZE_KSTACK_OFFSET_DEFAULT
• kernel (5.10, 5.15): panic on memory corruption detected by kfence
• kernel (5.10, 5.15): use hardened configuration for x86_64 GKI used by the emulator
• GmsCompatConfig: update to version 47
• GmsCompatConfig: update to version 48
• GmsCompatConfig: update to version 49
• Vanadium: update to version 112.0.5615.101.0
• Vanadium: update to version 112.0.5615.136.0
• Vanadium: update to version 113.0.5672.62.0
• Vanadium: update to version 113.0.5672.62.1
• Apps: update to version 18
• Auditor: update to version 69
• Camera: update to version 62

Changes since the 2023042900 release:

• full 2023-05-01 security patch level
• full 2023-05-05 security patch level
• rebased onto TQ2A.230505.002 release
• GmsCompatConfig: update to version 50

Download in Post #2