[ROM] DivestOS 20.0 for mata

[SkewedZeppelin]

DivestOS is a more private and more secure aftermarket system.

Essential Phone Notes:
- please install PH1-Images-QQ1A.200105.032.zip to both slots first!
edit 2022: firmware is included for a while now
- relocking does work, just take the steps slow and test before locking
- device must be relocked to enable verified boot
- phone call audio can be weird, toggling speaker phone usually fixes it
- phone call audio over bluetooth doesn't always work
- phone call speaker phone volume cannot be adjusted
- in-place upgrade from 17.1 to 18.1 has been tested working
- in-place upgrade from 18.1 to 19.1 has been tested working

Features:
- strong focus on FOSS
- various system hardening
- various privacy enhancements
- automated removal of unnecessary proprietary blobs
- automated kernel hardening and CVE patching
- ability to relock bootloader on supported devices
- verified boot on supported devices
- no root support
- SELinux always enforcing
- encrypted by default
- monthly updates
- OTA delta updates
- OTA updates over Tor (optional)
- F-Droid included
- hardened system WebView with rapid updates: https://divestos.org/misc/ch-dates.txt

Extra Features (not installed by default & also compatible with all systems):
- Mull, our hardened fork of Fenix with rapid updates: https://divestos.org/misc/ffa-dates.txt
- Hypatia, our real-time malware scanner
- Extirpater, our free space eraser

Links:
- Website: https://divestos.org
- Onion: http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion
- Downloads: https://divestos.org/index.php?page=devices&base=LineageOS#device-mata
- Changelogs: https://divestos.org/index.php?page=news
- Project History: https://divestos.org/index.php?page=history
- Known Issues: https://divestos.org/index.php?page=broken#mata
- Screenshots: https://divestos.org/index.php?page=screenshots
- Security Patching Overview: https://divestos.org/index.php?page=patch_levels
- About + Credits + Notices: https://divestos.org/index.php?page=about
- Donate: https://divested.dev/donate
- Source Code: https://github.com/divested-mobile or https://gitlab.com/divested-mobile
- XMPP Chat Room: xmpp:[email protected]

Device Specific Links
- Device Tree: https://github.com/LineageOS/android_device_essential_mata
- Kernel: https://github.com/LineageOS/android_kernel_essential_msm8998
- Kernel CVE Patches Applied: https://github.com/Divested-Mobile/..._Patchers/android_kernel_essential_msm8998.sh

Other Bits:
- Good and bad feedback is welcomed. Else how can we improve?
- If you find a bug, please report it below or via GitHub/GitLab.
- Testing/Translations/Code contributions are gratefully appreciated.

Important Notes for New Users:
- Please make a backup of your device and copy it to another computer.
- You must wipe before installing this OS.
- This OS has userdata encrypted by default
- You are intended to relock your bootloader with this OS (if your device is marked supported for that).

DivestOS does *not* support the following:
- Google Apps (OpenGAPPS)
- DRM (Widevine)
- alternative recoveries (TWRP)
- root (Magisk)
- runtime modification frameworks (Xposed or theme engines)

All downloads are GPG signed with the following key:

#B874 4D67 F9F1 E14E 145D FD8E 7F62 7E92 0F31 6994
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEXupIxBYJKwYBBAHaRw8BAQdAC1RiTvrqJaAQ4FIHsxX+gzEgdT4mspISS+p0
y847Nge0SERpdmVzdE9TIFJlbGVhc2UgU2lnbmluZyAoMjAyMCAjMSkgPHN1cHBv
cnQrcmVsZWFzZXNpZ25pbmdAZGl2ZXN0b3Mub3JnPoiQBBMWCAA4FiEEuHRNZ/nx
4U4UXf2Of2J+kg8xaZQFAl7qSMQCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
CgkQf2J+kg8xaZR1BgEAwwLVVsG7kbp8M3GTV987XpVl5cZeTtDc/g+66briCHUB
APiuH/dk8eRnhFnq4Up2/j7uD/8FtSvxPbHiz6t1MdgB
=VzP2
-----END PGP PUBLIC KEY BLOCK-----

 

[chrisrg]

relocking does work, just take the steps slow and test before locking

I'm interested to try DivestOS on mata, especially because of the potential for relocking.

I'm fairly sure that when I first unlocked bootloader it was with fastboot flashing unlock followed by fastboot flashing unlock_critical.

If relocking is still possible would I have to fastboot flashing lock_critical first, followed by fastboot flashing lock?

 

[SkewedZeppelin]

I'm interested to try DivestOS on mata, especially because of the potential for relocking.

I'm fairly sure that when I first unlocked bootloader it was with fastboot flashing unlock followed by fastboot flashing unlock_critical.

If relocking is still possible would I have to fastboot flashing lock_critical first, followed by fastboot flashing lock?

Lock should cover critical.

 

[chrisrg]

Thanks for that.
Carefully following instructions here to prepare the phone and subsequent flashing of the DivestOS all went smoothly.
Post install I downloaded the latest OTA update and did a bit of testing before locking the bootloader with fastboot flashing lock command.
Very nice, thanks .

 

[sumitplall]

Want to give this a try on my PH-1. I am on LineageOS 18.1 latst build. Anything in specific I should take care of? Any pitfalls?

Edit: Took sometime to clean-up and go back to the mentioned stock firmware. The flash went through fine. Will test things out first and then dare to relock

 

[WillWire]

Dear DivestOS maintainer.
I`m using a DivestOS for almost a year.
Recently i start facing an issue, that my camera cannot send information to the servers. I cannot use it for a face identification and QR codes approvals.
Is this a new feature? Or i mess with something and have to reflash the rom?

 

[SkewedZeppelin]

Dear DivestOS maintainer.
I`m using a DivestOS for almost a year.
Recently i start facing an issue, that my camera cannot send information to the servers. I cannot use it for a face identification and QR codes approvals.
Is this a new feature? Or i mess with something and have to reflash the rom?

Can you elaborate?
mata is my daily driver, it is very stable.

If you mean no camera app works, do you have the 'sensors off' tile enabled? That disables the camera in addition to sensors.
If you mean the camera app works, but some apps that use the camera don't, can you say which app?

 

[WillWire]

Can you elaborate?
mata is my daily driver, it is very stable.

If you mean no camera app works, do you have the 'sensors off' tile enabled? That disables the camera in addition to sensors.
If you mean the camera app works, but some apps that use the camera don't, can you say which app?

Sorry for a late reply. Forced to flash back to latest LOS.
Apps which are not working are Binance, Wirex, WhatsApp(I hate it, but have to use it)
Basically operations such as scan QR code or Face Id were not working.

 

[WillWire]

Can you elaborate?
mata is my daily driver, it is very stable.

If you mean no camera app works, do you have the 'sensors off' tile enabled? That disables the camera in addition to sensors.
If you mean the camera app works, but some apps that use the camera don't, can you say which app?

It appears to be LOS or MicroG issue. Same here on latest LOS. i was thinking of Bromite, but problem persists on LOS WebView.

 

[SkewedZeppelin]

Sorry for a late reply. Forced to flash back to latest LOS.
Apps which are not working are Binance, Wirex, WhatsApp(I hate it, but have to use it)
Basically operations such as scan QR code or Face Id were not working.

The first two sound SafetyNet related.
I don't use WhatsApp, but afaik it should fully work without Google Apps.

 

[WillWire]

The first two sound SafetyNet related.
I don't use WhatsApp, but afaik it should fully work without Google Apps.

Nope, SafetyNet is passable using MicroG.
WhatsApp is .... , but it required to communicate with my employer.
Otherwise i'm using only Matrix/Telegram/Status/Briar.

 

[WillWire]

The first two sound SafetyNet related.
I don't use WhatsApp, but afaik it should fully work without Google Apps.

Nope, SafetyNet is passable using MicroG.
WhatsApp is .... , but it required to communicate with my employer.
Otherwise i'm using only Matrix/Telegram/Status/Briar.

The first two sound SafetyNet related.
I don't use WhatsApp, but afaik it should fully work without Google Apps.

Just after couple another atempts, i may say that it is looks like a Zygisk issues. Whent i enable Denylist Binance is giving a WebView error.
I was thinkinh of Bromite WebView at first, but apparently it was not as issue.
Great Rom, will be comming back soon)).
Another anoyance for myself, why Mata camera360 and AptX drivers are disabled? As they are available in LOS.
Camera is heavilly GMS dependant, i understand. But AptX is not.
Is there any security concern regarding this thechnology?

 

[hedgecore44]

very happy with this rom so far. I have been using it as a daily driver for 2 weeks now and I will continue to use it. i will be sure to post any issues i find here.... thanks!

 

[chaseadam]

Anyone had issues with the "adb sideload copy-partitions-mata.zip"? It fails for me on setup to install sideloaded zip with `permission denied` on unmount of /vendor/firmware_mnt.

This particular phone really doesn't like fastboot (any version) and/or my USB cables, but occasionally it will work. One lucky session I got DivestOS (system, vendor, and boot) onto slot a successfully.

Aside: I appear to have triggered the dm-verity corruption along the way with my flashing of various ASOP (GSI thread) and lineageOS. I don't think it is related to this error.

 

[SkewedZeppelin]

It fails for me on setup to install sideloaded zip with `permission denied` on unmount of /vendor/firmware_mnt.

This is a known issue with the DivestOS recovery for mata. I have no idea why it happens, spent hours trying to figure it out.

This particular phone really doesn't like fastboot (any version) and/or my USB cables, but occasionally it will work. One lucky session I got DivestOS (system, vendor, and boot) onto slot a successfully.

Mata was my daily driver, and is still actively tested. It does work well aside from the recovery quirk.

Aside: I appear to have triggered the dm-verity corruption along the way with my flashing of various ASOP (GSI thread) and lineageOS. I don't think it is related to this error.

Recommend flashing stock then DivestOS again.
The official mata stock is no longer available, but you can find mirrors of it.
Here is the sha512sum for you to verify against
a9d979fdde4b2b59ff9c0c1256f440b4d5250242179648494a9b641ca75b4911cae666b6197162b6a93009b94cdc07f9f04df2bd0a72e819db09f7392f60ddde PH1-Images-QQ1A.200105.032.zip

 

[chaseadam]

This is a known issue with the DivestOS recovery for mata. I have no idea why it happens, spent hours trying to figure it out.

So if you haven't run that copy-partitions-mata.zip, did you re-lock your bootloader? If so, what was your procedure? My understanding is both slots need to be the same for the re-lock to work (without bricking?)

Mata was my daily driver, and is still actively tested. It does work well aside from the recovery quirk.

That quirk is annoying, and just when I am about to give up, it starts a "working" fastboot session

Recommend flashing stock then DivestOS again.
The official mata stock is no longer available, but you can find mirrors of it.
Here is the sha512sum for you to verify against
a9d979fdde4b2b59ff9c0c1256f440b4d5250242179648494a9b641ca75b4911cae666b6197162b6a93009b94cdc07f9f04df2bd0a72e819db09f7392f60ddde PH1-Images-QQ1A.200105.032.zip

Had that stock already downloaded, so after a bunch of "banging" at it, the flashboot writes finally got through (lots of reboots and re-plugging).

This was my sequence to get past the "device is corrupt” dm-verity message and boot to DivestOS

• slot A has latest Stock
• slot B has DivestOS
• Boot to slot A
• adb reboot "dm-verity enforcing"
• boot into Stock
• switch to slot B
• format userdata
• boot DivestOS without dm-verity warning!

 

[chaseadam]

double post

 

[chaseadam]

double post

 

[SkewedZeppelin]

So if you haven't run that copy-partitions-mata.zip, did you re-lock your bootloader? If so, what was your procedure? My understanding is both slots need to be the same for the re-lock to work (without bricking?)

My bootloader has been locked for like 3 years, never unlocked except for testing.
In the case of mata, that isn't needed because firmware is included.

Also try cleaning out your usb port, and using a usb-2.0 port on your computer.

 

[chaseadam]

My bootloader has been locked for like 3 years, never unlocked except for testing.
In the case of mata, that isn't needed because firmware is included.

Great news! I hope to get to a locked state soon as well.

I see references to "firmware is included" (your comment) and "firmware-empty" and "A/B devices only without firmware enabled".

What is this "firmware" in relation to the boot, system, vendor and other images? Is the firmware related to AVB?

Is the PH-1 an AVB device? (does it require working with `avb_custom_key` in fastboot)

I am attempting to be thorough because of all the warnings about locking resulting in a brick.

Aside: There is mention of "full" and "yes, ue" in the firmware-empty status. What do "ue" and "full" mean?