• If you are experiencing issues logging in, we moved to a new and more secure software and older account passwords were not able to be migrated. We recommend trying to reset your password, then contacting us if there are issues.
  • Nearly done! Migration cleanup is mostly done. There are a small number of issues left that we continue to work on, but all the heavy lifting is done. We still would love to hear feedback over at this thread and also check out the new XDA app! Thanks and we hope you enjoy the new forums, and thanks for your support of XDA <3

[ROM] JAGUAR OREO 8.1 ONEPLUS 5 OFFICIAL - Updated JANUARY 12

optimumpro

Senior Member
Jan 18, 2013
6,266
13,594
113
Welcome to Jaguar Oreo 8.1. As some may know, the emphasis of the project is on Security and Performance. I have recently transitioned from Lenovo Zuk Z2 plus and previously from Sony Xperias, and the rom is still actively maintained for Zuk Z2. You are welcome to visit the thread for user feedback: https://forum.xda-developers.com/lenovo-zuk-z2/development/jaguar-oreo-8-1-official-t3734597

In addition to most, if not all, familiar Oreo features starting from multiple options in statusbar, navbar, QS, gestures etc. to alarm blocker, wakelock blocker, smart pixels and omni features (I am not going to list all of them), you will have the following:

1. Hardened/fortified bionic (over 150 commits) to prevent bad behavior by system and third party apps.

2. Many classes and resources are NOT pre-loaded or compiled during boot. Instead, they are compiled after the initial startup and put in ram and cache. So, after initial settling, you will have increased speed in almost everything: interface transitions, app startup time, etc. . In addition, it takes 4-5 seconds to fully boot, after Oneplus logo ends (initial boot after flashing will obviously take longer).

3. Most runtime permissions are limited to 'read only'.

4. FBE encryption is replaced with FDE, and it is not forced. Plus, you can have separate passwords, one longer for boot and another short one for screen lock. I, personally, don't like FBE. I think it is weaker than FDE. Also, I don't want my device to boot at all or be partially decrypted, unless I enter boot password.

5. Many additional security features are enabled in kernel. Kernel is based on DU for Oneplus 5 (the work on it just started).

6. Yama security to replace Selinux.

7. Wireguard support in kernel

8. DNS over TLS

9. Background WIFI scanning is hard-disabled

10. Type zero sms: phone's silent response 'received and processed' (without user noticing) eliminated. If you don't know what type zero sms is, Google it. Not class zero sms, which flashes on screen, but doesn't get saved, but rather type zero, which doesn't show at all, but nonetheless is silently acknowledged. Creepy.

11. MicroG support.

12. Builtin CPU power profiles, based on AKT profiles (heavily modified)

13. Sound control and KCAL are added in kernel

14. Fully working native recorder (in Dialer on active call)


INSTRUCTIONS:

1. Be on 5.1.4 firmware
2. If you are encrypted, you must do factory reset in TWRP (you will have to type 'YES' for factory reset). This will result in all data including internal SD erased. So, transfer the contents to your PC. If you are decrypted, you may skip this step. You may think you are decrypted, but make sure that it is in fact so: check in Settings/Security. If it says phone encrypted, you must do factory reset in TWRP.
3. After factory reset, reboot in TWRP and format system/dalvik-cache/data/internal SD again, as TWRP apparently leaves some remnants of encryption after factory reset.
4. Transfer the rom, Gapps, Magisk and whatever else you need to internal card; flash the rom; flash Gapps (optionally) and reboot
5. Go back to TWRP and flash Magisk (optionally). Why not flash Magisk right away? Because Gapps need to run once before Magisk to get appropriate permissions


ROM DOWNLOAD: https://androidfilehost.com/?fid=1322778262904007030
Subsequent releases (and I will continue to update until Android 9 becomes stable) will be in post #3.

WARNINGS: Usual XDA: Get ready to be burned and don't complain

CREDIT: AOSP, CopperheadOS, DU, Omni, Slim, Lineage, Benzo, Carbon, Xtended, AKT profiles team

Also, credit for a Jaguar bootanimation to @Ashish9 and @The.Night.King who made one of the header's icons

Kernel Source for October 8 release and on: https://github.com/AOSPME/android_kernel_oneplus_msm8998

Kernel Source: https://github.com/optimumpr/android_kernel_oneplus_msm8998

Bionic Source where most commits came from: https://github.com/CopperheadOS/platform_bionic

XDA:DevDB Information
JAGUAR OREO ONEPLUS 5, ROM for the OnePlus 5

Contributors
optimumpro, optimumpro
Source Code: https://github.com/optimumpr/android_kernel_oneplus_msm8998

ROM OS Version: 8.x Oreo
ROM Kernel: Linux 4.x
ROM Firmware Required: Unlocked bootloader and 5.1.4 firmware
Based On: AOSP, DU, Lineage, Omni, Xtended, Carbon, Benzo, Slim

Version Information
Status: Stable
Stable Release Date: 2018-09-16

Created 2018-09-16
Last Updated 2019-01-12
 

Attachments

Last edited:

optimumpro

Senior Member
Jan 18, 2013
6,266
13,594
113
Instructions on FDE encryption

How to encrypt the phone:

The rom has FDE, instead of FBE, and it is not forced. So, you will be decrypted, unless you encrypt.

You can encrypt within Settings, but the preferred way is to do it via ADB. This way, you could have 2 separate passwords one longer for boot and another shorter for screen lock. YOU MUST HAVE MAGISK INSTALLED FOR ADB method to work.

1. DON'T set up screen lock pin/password/pattern yet
2. Enable ADB in Developer settings
3. Connect the phone to your PC. Open terminal (on PC) and type adb devices to make sure that the phone is listed
4. Type adb shell and press enter; type su and press enter - at this point, you should have Magisk prompt (on the phone) for root; grant it for at least 20 minutes - the prompt on terminal should change to root
Now the fun part:
5. type vdc cryptfs enablecrypto inplace password "your actual password" and press enter
WARNING: No quotation marks anywhere in terminal, and don't type the words 'your actual password', but rather your chosen password. There is no limit on the length of boot password.

The phone will reboot and start encrypting. In about 10-15 minutes, you will get a familiar prompt for boot password. After the first password input, the phone might not fully boot (it happened to me). In this case, just force-shutdown and reboot.


After encrypting, you will lose root. So, re-flash Magisk. Otherwise, you might have kernel panic, due to Magisk not being able to find your lockscreen pin.
.
6. After everything is done and Magisk is working, set up a short pin/pattern/password for screen. WHEN ASKED IF YOU WANT SECURE BOOT, SELECT NO, because you already have it. If you select 'yes, your long boot password will be overwritten, which you don't want.


P.S. You can also do the same on phone's Terminal. In this case, skip 'adb shell' and start with 'su'. But in my experience, if you make a slight mistake with the password, you won't be able to boot, and you will have to do factory reset in TWRP, which will result in the loss of all data. On PC, you can still see the password you set and boot the phone
 
Last edited:

optimumpro

Senior Member
Jan 18, 2013
6,266
13,594
113
Updates are in this post

January 12. New release

1. January security patches
2. Oreo release 60
3. New and hardened clang chain
4. Separate ringtones for Sim1/2
5. Updated kernel


1. If you are on a previous release, you may flash dirty. Just make sure to wipe dalvik/cache
2. Coming from another rom, read the OP about doing factory reset


Download rom January 12 release: https://androidfilehost.com/?fid=11410963190603897246

November 8. New release

November security patches

Instructions:

1. If you are on a previous release, you may flash dirty
2. Coming from another rom, read the OP about doing factory reset


Download rom release November 8: https://forum.xda-developers.com/devdb/project/dl/?id=30812


October 11. New release

1. Fully working native call recording
2. KCAL in kernel
3. Sound control in kernel


Instructions:

1. If you are on a previous release, you may flash dirty
2. Coming from another rom, read the OP about doing factory reset


Download rom, October 11 release: https://forum.xda-developers.com/devdb/project/dl/?id=30630
____________________________________________________________________________________________________________________
October 8. Major release

1. Different kernel. EAS thrown out, as providing no benefits, and actually slowing down the phone. Now you have one of the best governors, Interactive, back
2. CPU profiles built in. Based on AKT profiles, but heavily modified. Now, you have 16 working CPU profiles (must be on Interactive)


Instructions:

1. If you are on a previous release, you may flash dirty
2. Coming from another rom, read the OP about doing factory reset


Download rom October 8 release: https://forum.xda-developers.com/devdb/project/dl/?id=30586
_______________________________________________________________________________________________________________________

October 5. New release

1. October security patches, Google Oreo release 48
2. Kernel overclocked to 2035 and 2592


Download Rom, October5 release: https://forum.xda-developers.com/devdb/project/dl/?id=30551

Instructions

If you are on a previous release, you can flash dirty. If coming from another rom, clean flash. If force-encrypted, you need to do factory reset in TWRP, reboot in TWRP and manually format /system/data/dalvik/cache/internalSD. Why? Because Jaguar has FDE, as opposed to FBE encryption, and it is not forced.
________________________________________________________________________________________________________________________
September 26. New release

1. Alert slider is fixed - all options work
2. System update toggle removed


Instructions: if you are on a previous release (or the original one), dirty flash; otherwise - clean flash

Download rom September 26 release: https://forum.xda-developers.com/devdb/project/dl/?id=30488

September 20. Rom updated

1. DNS-over-TLS (in Development settings)
2. Wireguard support added
3. A bunch of other commits in kernel.


Download rom release September 20: https://forum.xda-developers.com/devdb/project/dl/?id=30444

If you are on a previous release, dirty flash is fine.
 
Last edited:

d1n0x

Elite Member
Oct 4, 2010
3,996
1,765
113
U/B is unlocked bootloader. Signature spoofing is missing. Next release will have it.
Well considering you need to have an unlocked bootloader to flash TWRP and consequently custom ROMs, it's kind of redundant info ;)

Alright, gonna try out the next release with MicroG!
 

optimumpro

Senior Member
Jan 18, 2013
6,266
13,594
113
Well considering you need to have an unlocked bootloader to flash TWRP and consequently custom ROMs, it's kind of redundant info ;)

Alright, gonna try out the next release with MicroG!
Most devs stopped implementing Microg, because you have both Xposed and Magisk modules for that.
 

Vcolumn

Senior Member
Nov 25, 2008
141
46
0
WOW!

thank you!

learned from this thread already and hope very much to see this project continue.

is the fact that this is a userdebug build, test keys, and a permissive kernel a security/ privacy concern? maybe some of this will change? maybe xposed is the reason?

I lost track of xposed stuff quite awile back, maybe it will returning to my life! lol

ROM is very feature rich already, and the randomizer post a few back really caught my attention. Know of the reasoning for, but never have had the oportunity to use anything of the like

concerning the type zero sms. After googling about it im still not exactly sure about it all, but a question about it if i may. Does it matter what sms app is used?
I have been a fan if Signal for some time. I understand how it is best utilized when both/all parties use it. Seems it hides your sms from other apps tho too. Opinions of it? recomendations for differs?

please excuse my ignorance on amy of this, so much has changed over the past couple of years reguarding tech, privacy/security and android OS, while at that same time my time in front of a PC has grown less and less. I havent kept up as well as i should. I am not a dev, but always managed to follow along to maximize user control. I can read! lol


scorch away! but i wont be posting like a lil school girl any more. :D will be watching tho! :cyclops:



Fellings about bromite browser? maybe it can be implemented as the default webview? or even default browser?
https://www.bromite.org/

opinions on dnscrypt magisk module? i use it in its default installed iptables config


:good::highfive::silly:
 
Last edited:
  • Like
Reactions: d1n0x

optimumpro

Senior Member
Jan 18, 2013
6,266
13,594
113
thank you!

is the fact that this is a userdebug build, test keys, and a permissive kernel a security/ privacy concern? maybe some of this will change? maybe xposed is the reason?

ROM is very feature rich already, and the randomizer post a few back really caught my attention. Know of the reasoning for, but never have had the oportunity to use anything of the like

concerning the type zero sms. After googling about it im still not exactly sure about it all, but a question about it if i may. Does it matter what sms app is used?
I have been a fan if Signal for some time. I understand how it is best utilized when both/all parties use it. Seems it hides your sms from other apps tho too. Opinions of it? recomendations for differs?

Fellings about bromite browser? maybe it can be implemented as the default webview? or even default browser?

opinions on dnscrypt magisk module? i use it in its default installed iptables config
User debug builds are no less secure than user builds. Instead of Selinux, you have Yama security implemented in kernel. I don't like Selinux. Apart from questionable origins, it is a huge monster that is, in my view, an unnecessary overhead.

Test key, as opposed to development/release key is just a name. All my keys, including the test key, have been uniquely re-generated. So, they are not Google's outdated keys that are included by default in all custom builds.

I use Icecat browser. With regard to dnscrypt, I have a better idea: DNS over TLS, and it is already done (will be in the next release), see picture.

Signal: There are many problems with the app and the developer. It's a long discussion, and I have already posted about in on XDA. One I would mention: the dev used to be harassed by TSA in airports. Then all of a sudden, he obtained over a $13 million funding channeled to him through a known government hand for "development" purposes. Then again, all of a sudden, he got lucrative contracts to provide "security" for one of the widely known "bastions" of privacy What'sup/Facebook. You don't get that for nothing. Next, he removed encryption capabilities from SMS portion of the app, the ones that really were forcing adversaries to go through the pains of targeting individual phones through the air, which is expensive. To tell you more: as long, as you have Gapps installed, any encryption is useless, as Google can get your outgoing messages before they are encrypted, and incoming ones after they are decrypted. People may say "sand box", "permissions", but as long as you have Google Services Framework, which is the central part of Google apps, it can do with your device whatever it wants without you ever noticing. And Signal can't work without Google services.

I use Silence for SMS.

Means when implemented it will randomize my Mac on every reconnect?
Yes. Although, it is somewhat difficult, because Qualcomm has a proprietary (as opposed to open source) implementation of MAC.
 

Attachments

Last edited:

vdbhb59

Elite Member
Feb 15, 2016
1,301
480
83
@optimumpro
Mate, any snapshots, please? Also, will MicroG or Nano-Droid work?
Also, does the GPS work, cause, that is the only reason, I am not able to get out of GApps. I want to be free of Google's Slavery Programme.
Danke. Vishal
 

optimumpro

Senior Member
Jan 18, 2013
6,266
13,594
113
@optimumpro
Mate, any snapshots, please? Also, will MicroG or Nano-Droid work?
Also, does the GPS work, cause, that is the only reason, I am not able to get out of GApps. I want to be free of Google's Slavery Programme.
Danke. Vishal
Microg should work with either Xposed or Magisk module. Without Google services, GPS would work with most apps, but not with Google maps, which require Gapps.
 
  • Like
Reactions: vdbhb59

d1n0x

Elite Member
Oct 4, 2010
3,996
1,765
113
User debug builds are no less secure than user builds. Instead of Selinux, you have Yama security implemented in kernel. I don't like Selinux. Apart from questionable origins, it is a huge monster that is, in my view, an unnecessary overhead.

Test key, as opposed to development/release key is just a name. All my keys, including the test key, have been uniquely re-generated. So, they are not Google's outdated keys that are included by default in all custom builds.

I use Icecat browser. With regard to dnscrypt, I have a better idea: DNS over TLS, and it is already done (will be in the next release), see picture.

Signal: There are many problems with the app and the developer. It's a long discussion, and I have already posted about in on XDA. One I would mention: the dev used to be harassed by TSA in airports. Then all of a sudden, he obtained over a $13 million funding channeled to him through a known government hand for "development" purposes. Then again, all of a sudden, he got lucrative contracts to provide "security" for one of the widely known "bastions" of privacy What'sup/Facebook. You don't get that for nothing. Next, he removed encryption capabilities from SMS portion of the app, the ones that really were forcing adversaries to go through the pains of targeting individual phones through the air, which is expensive. To tell you more: as long, as you have Gapps installed, any encryption is useless, as Google can get your outgoing messages before they are encrypted, and incoming ones after they are decrypted. People may say "sand box", "permissions", but as long as you have Google Services Framework, which is the central part of Google apps, it can do with your device whatever it wants without you ever noticing. And Signal can't work without Google services.

I use Silence for SMS.



Yes. Although, it is somewhat difficult, because Qualcomm has a proprietary (as opposed to open source) implementation of MAC.
Thank you for the detailed insight. Although I have to say that Signal does work without Google play services. However, it falls back to a legacy polling method (increasing battery drain a bit) and shows a persistent notification in the status bar.

Great to see some privacy-conscious people here, amidst all of the Google fanboys who share every part of their life with Google and in the process jeopardize other people's privacy for the sake of "convenience".