[ROM] DivestOS 18.1 for oneplus3(t)

SkewedZeppelin

Senior Member
Mar 19, 2021
373
361

DivestOS is a more private and more secure aftermarket system.

OnePlus 3 Notes:
- In theory this device should have basic relocking support, however the signing method we use is not currently compatible.
Edit October 2022: a user recently reported bootloader locking this device without issue.

Features:
- strong focus on FOSS
- various system hardening
- various privacy enhancements
- automated removal of unnecessary proprietary blobs
- automated kernel hardening and CVE patching
- ability to relock bootloader on supported devices
- verified boot on supported devices
- no root support
- SELinux always enforcing
- encrypted by default
- monthly updates
- OTA delta updates
- OTA updates over Tor (optional)
- F-Droid included
- hardened system WebView with rapid updates: https://divestos.org/misc/ch-dates.txt

Extra Features (not installed by default & also compatible with all systems):
- Mull, our hardened fork of Fenix with rapid updates: https://divestos.org/misc/ffa-dates.txt
- Hypatia, our real-time malware scanner
- Extirpater, our free space eraser

Links:
- Website: https://divestos.org
- Onion: http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion
- Downloads: https://divestos.org/index.php?page=devices&base=LineageOS#device-oneplus3
- Changelogs: https://divestos.org/index.php?page=news
- Project History: https://divestos.org/index.php?page=history
- Known Issues: https://divestos.org/index.php?page=broken#oneplus3
- Screenshots: https://divestos.org/index.php?page=screenshots
- Security Patching Overview: https://divestos.org/index.php?page=patch_levels
- About + Credits + Notices: https://divestos.org/index.php?page=about
- Donate: https://divested.dev/donate
- Source Code: https://github.com/divested-mobile or https://gitlab.com/divested-mobile
- XMPP Chat Room: xmpp:divestos-mobile@conference.konvers.me

Device Specific Links:
- Device Tree: https://github.com/LineageOS/android_device_oneplus_oneplus3
- Kernel: https://github.com/LineageOS/android_kernel_oneplus_msm8996
- Kernel CVE Patches Applied: https://github.com/Divested-Mobile/...VE_Patchers/android_kernel_oneplus_msm8996.sh

Other Bits:
- Good and bad feedback is welcomed. Else how can we improve?
- If you find a bug, please report it below or via GitHub/GitLab.
- Testing/Translations/Code contributions are gratefully appreciated.

Important Notes for New Users:
- Please make a backup of your device and copy it to another computer.
- You must wipe before installing this OS.
- This OS has userdata encrypted by default.
- You are intended to relock your bootloader with this OS (if your device is marked supported for that).

DivestOS does *not* support the following:
- Google Apps (OpenGAPPS)
- DRM (Widevine)
- alternative recoveries (TWRP)
- root (Magisk)
- runtime modification frameworks (Xposed or theme engines)

All downloads are GPG signed with the following key:
Code:
#B874 4D67 F9F1 E14E 145D FD8E 7F62 7E92 0F31 6994
 
Last edited:
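The post above states that all downloads are GPG signed and gives the key fingerprint B874 4D67 F9F1 E14E 145D FD8E 7F62 7E92 0F31 6994. As an added example (not part of the original post and not DivestOS's own tooling), the script below verifies a signature in a throwaway keyring and accepts it only when gpg's VALIDSIG status line names that fingerprint. The detached-signature layout and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pin the release key by fingerprint instead of trusting
# whatever key happens to be in the local keyring.
# Fingerprint taken from the post, spaces removed.
PINNED_FPR="B8744D67F9F1E14E145DFD8E7F627E920F316994"

# Reads `gpg --status-fd 1` output on stdin. Succeeds only if a VALIDSIG
# line names the pinned key and no signature was bad, expired or revoked.
validsig_matches_pin() {
    awk -v pin="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 is the signing (sub)key, $NF the primary key fingerprint
            if (toupper($3) == pin || toupper($NF) == pin) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") {
            bad = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# usage: verify_download <file> <detached-signature> <public-key-file>
verify_download() {
    file="$1"; sig="$2"; keyfile="$3"
    home="$(mktemp -d)" || return 2
    # Throwaway keyring: no other key on this machine can satisfy the check.
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null
    # A substituted key file still fails, because the fingerprint is pinned.
    gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | validsig_matches_pin "$PINNED_FPR"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Placeholder file names (assumed, not from the post):
#   verify_download rom.zip rom.zip.asc divestos_signing.key && echo "signature OK"
```

Checking the fingerprint in VALIDSIG matters because a plain `gpg --verify` exits successfully for a good signature from any key present in the keyring, not only the project's key.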
Deleted member 11396015

Guest
With relocking support based on the right signing, this would be a nice upgrade to a more secured and hardened LOS variant!

Is DivestOS recovery a 'rebranded' LOS recovery and/or does it give functionality like command line and file browser like TWRP?
 

SkewedZeppelin

With relocking support based on the right signing, this would be a nice upgrade to a more secured and hardened LOS variant!

Is DivestOS recovery a 'rebranded' LOS recovery and/or does it give functionality like command line and file browser like TWRP?

The signing bit is a predicament.
DivestOS is signed with release-keys, including for verity.
But the oneplus3 bootloader appears to only accept test-keys, and won't lock.
It is likely possible to simply not perform the verity signing, leaving the default test-keys for verity and release-keys for system, but I do not have a device to personally test it with.

As for the recovery, it is indeed rebranded LineageOS recovery with a few minor tweaks.
Files are not expected to be edited from recovery, as no modifications are officially supported to /system.
 

Antsu

Senior Member
Nov 28, 2013
452
235
Hey @SkewedZeppelin

Question about kernel patches. Even though the version of the kernel isn't upstreamed, from 3.18.124 to 3.18.140, could it be considered that it has the same patches as the actual upstreamed 3.18.140 kernel?
 

SkewedZeppelin

Hey @SkewedZeppelin

Question about kernel patches. Even though the version of the kernel isn't upstreamed, from 3.18.124 to 3.18.140, could it be considered that it has the same patches as the actual upstreamed 3.18.140 kernel?

That is a hard question to answer.

Does the shipping kernel include some of the 3.18.124-140 patches? Likely. All of them? No.
Does it include patches that aren't in those? Yes.
Would it be helpful to be updated to 3.18.140? Yes, but that takes a non-trivial amount of effort, and more so to bring up all the other devices too.
Patches welcome.

Of extra note, 3.18 is still maintained jointly by Google/Linaro and receives monthly updates, hence why there are so many 3.18 patches in my CVE repo. I use the CIP scripts to automatically identify the corresponding patches in the Google repo, and pull into my patch repo.

For example, 3.18.140 was released 798 days ago, but through my patcher the oneplus3 kernel is mitigated against CVE-2021-33909 despite only being published 2 days ago.
 

Deleted member 10638705

Guest
Hi @SkewedZeppelin, thanks for your work. Are you planning a degoogled version (without connections to Google) for this amazing Rom?
 

Deleted member 10638705

Guest
What do you think DivestOS does to disqualify it from being degoogled?

The captive portal check is the only periodic connection to Google and that has a toggle in the Settings app.
I was talking about connectivity check and fallback dns. These things, obviously, don't disqualify your work.
 

Deleted member 11396015

Guest
Next week will be a nice moment to install Divest ;-)
As I understand from the website, locking the BL is still not supported on the OP3T?
 

Deleted member 8538501

Guest
I do not want to end up with a brick so I would like to ask for some clarification what "Relockable: Yes, test-keys only?" means? Some downloads are provided with avb key to flash before relocking. What do test keys mean and how do I flash them?
 

Deleted member 11396015

Guest
I do not want to end up with a brick so I would like to ask for some clarification what "Relockable: Yes, test-keys only?" means? Some downloads are provided with avb key to flash before relocking. What do test keys mean and how do I flash them?
At this moment I think it is not possible to relock for the OP3T as I understand:

Some info about the test keys can be found doing a simple Google search, but I am not 100 percent sure if this is what you meant:

For me this issue is the reason I did not try DivestOS already but kept my LOS installation.
 

SkewedZeppelin

The issue with op3, is that when locked it seems it will only boot a test-keys signed image.
But locking with a test-keys signed image largely defeats the purpose of locking.
Because anyone can just sign their malware with test-keys and flash it over no issue.

You should note however that locking is one of many security features DivestOS offers over other ROMs. op3 for example has well over 400 kernel security patches, far fewer proprietary blobs, out of box ad/tracker blocking, along with a hardened and rapidly updated WebView among many other features as documented on the website.
 

Deleted member 11396015

Guest
The issue with op3, is that when locked it seems it will only boot a test-keys signed image.
But locking with a test-keys signed image largely defeats the purpose of locking.
Because anyone can just sign their malware with test-keys and flash it over no issue.

<cut>
Good explanation, thanks.
It would be nice though if, even when it is not for the purpose of safety, it could be locked again to remove the ugly warning at boot. But you are right, it is not giving an extra layer of security, in fact for the OP3T I think it is only cosmetic, so not a reason not to switch... ;-)
 

Deleted member 11396015

Guest
<cut>
It is likely possible to simply not perform the verity signing, leaving the default test-keys for verity and release-keys for system, but I do not have a device to personally test it with.
<cut>
When you want me to test something without the risk of bricking, please let me know ;-)
 

Top Liked Posts

    What happens if I use a custom kernel?
    Does the hardening stuff you implemented in DivestOS still work?
    You would lose all kernel hardening and CVE patching (a few hundred security fixes).
    I do not recommend it.