[ROM] JAGUAR OREO 8.1 ONEPLUS 5 OFFICIAL - Updated JANUARY 12

[optimumpro]

Welcome to Jaguar Oreo 8.1. As some may know, the emphasis of the project is on Security and Performance. I have recently transitioned from Lenovo Zuk Z2 plus and previously from Sony Xperias, and the rom is still actively maintained for Zuk Z2. You are welcome to visit the thread for user feedback: https://forum.xda-developers.com/lenovo-zuk-z2/development/jaguar-oreo-8-1-official-t3734597

In addition to most, if not all, familiar Oreo features starting from multiple options in statusbar, navbar, QS, gestures etc. to alarm blocker, wakelock blocker, smart pixels and omni features (I am not going to list all of them), you will have the following:

1. Hardened/fortified bionic (over 150 commits) to prevent bad behavior by system and third party apps.

2. Many classes and resources are NOT pre-loaded or compiled during boot. Instead, they are compiled after the initial startup and put in ram and cache. So, after initial settling, you will have increased speed in almost everything: interface transitions, app startup time, etc. . In addition, it takes 4-5 seconds to fully boot, after Oneplus logo ends (initial boot after flashing will obviously take longer).

3. Most runtime permissions are limited to 'read only'.

4. FBE encryption is replaced with FDE, and it is not forced. Plus, you can have separate passwords, one longer for boot and another short one for screen lock. I, personally, don't like FBE. I think it is weaker than FDE. Also, I don't want my device to boot at all or be partially decrypted, unless I enter boot password.

5. Many additional security features are enabled in kernel. Kernel is based on DU for Oneplus 5 (the work on it just started).

6. Yama security to replace Selinux.

7. Wireguard support in kernel

8. DNS over TLS

9. Background WIFI scanning is hard-disabled

10. Type zero sms: phone's silent response 'received and processed' (without user noticing) eliminated. If you don't know what type zero sms is, Google it. Not class zero sms, which flashes on screen, but doesn't get saved, but rather type zero, which doesn't show at all, but nonetheless is silently acknowledged. Creepy.

11. MicroG support.

12. Builtin CPU power profiles, based on AKT profiles (heavily modified)

13. Sound control and KCAL are added in kernel

14. Fully working native recorder (in Dialer on active call)


INSTRUCTIONS:

1. Be on 5.1.4 firmware
2. If you are encrypted, you must do factory reset in TWRP (you will have to type 'YES' for factory reset). This will result in all data including internal SD erased. So, transfer the contents to your PC. If you are decrypted, you may skip this step. You may think you are decrypted, but make sure that it is in fact so: check in Settings/Security. If it says phone encrypted, you must do factory reset in TWRP.
3. After factory reset, reboot in TWRP and format system/dalvik-cache/data/internal SD again, as TWRP apparently leaves some remnants of encryption after factory reset.
4. Transfer the rom, Gapps, Magisk and whatever else you need to internal card; flash the rom; flash Gapps (optionally) and reboot
5. Go back to TWRP and flash Magisk (optionally). Why not flash Magisk right away? Because Gapps need to run once before Magisk to get appropriate permissions

ROM DOWNLOAD: https://androidfilehost.com/?fid=1322778262904007030
Subsequent releases (and I will continue to update until Android 9 becomes stable) will be in post #3.

WARNINGS: Usual XDA: Get ready to be burned and don't complain

CREDIT: AOSP, CopperheadOS, DU, Omni, Slim, Lineage, Benzo, Carbon, Xtended, AKT profiles team

Also, credit for a Jaguar bootanimation to @Ashish9 and @The.Night.King who made one of the header's icons

Kernel Source for October 8 release and on: https://github.com/AOSPME/android_kernel_oneplus_msm8998

Kernel Source: https://github.com/optimumpr/android_kernel_oneplus_msm8998

Bionic Source where most commits came from: https://github.com/CopperheadOS/platform_bionic

XDA:DevDB Information
JAGUAR OREO ONEPLUS 5, ROM for the OnePlus 5

Contributors
optimumpro, optimumpro
Source Code: https://github.com/optimumpr/android_kernel_oneplus_msm8998

ROM OS Version: 8.x Oreo
ROM Kernel: Linux 4.x
ROM Firmware Required: Unlocked bootloader and 5.1.4 firmware
Based On: AOSP, DU, Lineage, Omni, Xtended, Carbon, Benzo, Slim

Version Information
Status: Stable
Stable Release Date: 2018-09-16

Created 2018-09-16
Last Updated 2019-01-12

 

[optimumpro]

Instructions on FDE encryption

How to encrypt the phone:

The rom has FDE, instead of FBE, and it is not forced. So, you will be decrypted, unless you encrypt.

You can encrypt within Settings, but the preferred way is to do it via ADB. This way, you could have 2 separate passwords one longer for boot and another shorter for screen lock. YOU MUST HAVE MAGISK INSTALLED FOR ADB method to work.

1. DON'T set up screen lock pin/password/pattern yet
2. Enable ADB in Developer settings
3. Connect the phone to your PC. Open terminal (on PC) and type adb devices to make sure that the phone is listed
4. Type adb shell and press enter; type su and press enter - at this point, you should have Magisk prompt (on the phone) for root; grant it for at least 20 minutes - the prompt on terminal should change to root
Now the fun part:
5. type vdc cryptfs enablecrypto inplace password "your actual password" and press enter
WARNING: No quotation marks anywhere in terminal, and don't type the words 'your actual password', but rather your chosen password. There is no limit on the length of boot password.

The phone will reboot and start encrypting. In about 10-15 minutes, you will get a familiar prompt for boot password. After the first password input, the phone might not fully boot (it happened to me). In this case, just force-shutdown and reboot.

After encrypting, you will lose root. So, re-flash Magisk. Otherwise, you might have kernel panic, due to Magisk not being able to find your lockscreen pin..
6. After everything is done and Magisk is working, set up a short pin/pattern/password for screen. WHEN ASKED IF YOU WANT SECURE BOOT, SELECT NO, because you already have it. If you select 'yes, your long boot password will be overwritten, which you don't want.


P.S. You can also do the same on phone's Terminal. In this case, skip 'adb shell' and start with 'su'. But in my experience, if you make a slight mistake with the password, you won't be able to boot, and you will have to do factory reset in TWRP, which will result in the loss of all data. On PC, you can still see the password you set and boot the phone

 

[optimumpro]

Updates are in this post

January 12. New release

1. January security patches
2. Oreo release 60
3. New and hardened clang chain
4. Separate ringtones for Sim1/2
5. Updated kernel

1. If you are on a previous release, you may flash dirty. Just make sure to wipe dalvik/cache
2. Coming from another rom, read the OP about doing factory reset

Download rom January 12 release: https://androidfilehost.com/?fid=11410963190603897246

November 8. New release

November security patches

Instructions:

1. If you are on a previous release, you may flash dirty
2. Coming from another rom, read the OP about doing factory reset

Download rom release November 8: https://forum.xda-developers.com/devdb/project/dl/?id=30812


October 11. New release

1. Fully working native call recording
2. KCAL in kernel
3. Sound control in kernel

Instructions:

1. If you are on a previous release, you may flash dirty
2. Coming from another rom, read the OP about doing factory reset

Download rom, October 11 release: https://forum.xda-developers.com/devdb/project/dl/?id=30630
____________________________________________________________________________________________________________________
October 8. Major release

1. Different kernel. EAS thrown out, as providing no benefits, and actually slowing down the phone. Now you have one of the best governors, Interactive, back
2. CPU profiles built in. Based on AKT profiles, but heavily modified. Now, you have 16 working CPU profiles (must be on Interactive)

Instructions:

1. If you are on a previous release, you may flash dirty
2. Coming from another rom, read the OP about doing factory reset

Download rom October 8 release: https://forum.xda-developers.com/devdb/project/dl/?id=30586
_______________________________________________________________________________________________________________________

October 5. New release

1. October security patches, Google Oreo release 48
2. Kernel overclocked to 2035 and 2592

Download Rom, October5 release: https://forum.xda-developers.com/devdb/project/dl/?id=30551

Instructions

If you are on a previous release, you can flash dirty. If coming from another rom, clean flash. If force-encrypted, you need to do factory reset in TWRP, reboot in TWRP and manually format /system/data/dalvik/cache/internalSD. Why? Because Jaguar has FDE, as opposed to FBE encryption, and it is not forced.
________________________________________________________________________________________________________________________
September 26. New release

1. Alert slider is fixed - all options work
2. System update toggle removed

Instructions: if you are on a previous release (or the original one), dirty flash; otherwise - clean flash

Download rom September 26 release: https://forum.xda-developers.com/devdb/project/dl/?id=30488

September 20. Rom updated

1. DNS-over-TLS (in Development settings)
2. Wireguard support added
3. A bunch of other commits in kernel.

Download rom release September 20: https://forum.xda-developers.com/devdb/project/dl/?id=30444

If you are on a previous release, dirty flash is fine.

 

[d1n0x]

What's U/B? And does the ROM support signature spoofing?

 

[optimumpro]

What's U/B? And does the ROM support signature spoofing?

U/B is unlocked bootloader. Signature spoofing is missing. Next release will have it.

 

[d1n0x]

U/B is unlocked bootloader. Signature spoofing is missing. Next release will have it.

Well considering you need to have an unlocked bootloader to flash TWRP and consequently custom ROMs, it's kind of redundant info

Alright, gonna try out the next release with MicroG!

 

[canteo]

Nice to see you here, i used to use jaguar at my z2 plus, WELCOME!!!

 

[caki25]

Welcome @optimumpro ? your ROMs for the Xperia Z1 were legendary. Good to see you here.

 

[optimumpro]

Well considering you need to have an unlocked bootloader to flash TWRP and consequently custom ROMs, it's kind of redundant info

Alright, gonna try out the next release with MicroG!

Most devs stopped implementing Microg, because you have both Xposed and Magisk modules for that.

 

[Im_Mattgame]

Security and performance, I see! What about battery life?

 

[The.Night.King]

Security and performance, I see! What about battery life?

That's superior too, but emphasis is on security & performance.
This is a ROM that's truly user customized, request a useful feature and watch it get added.
Keep it up OP.:good:

 

[Zocker1304]

Does this have MAC randomizer?

 

[optimumpro]

Does this have MAC randomizer?

The rom has it, but I haven't implemented it in kernel yet.

 

[MtBlackstar]

@optimumpro keep it up .

And to others .
The JAGUAR ROM emphasise mainly on SECURITY & RAW PERFORMANCE. Since you have a SD 835 , this ROM will make sure to use everything it has to offer .
So if you are searching for a performance ROM this is it.

PS : Jaguar is best served GAAPS LESS so if you are a anti google guy this might be the ROM for you.

 

[Zocker1304]

The rom has it, but I haven't implemented it in kernel yet.

Means when implemented it will randomize my Mac on every reconnect?

 

[Vcolumn]

WOW!

thank you!

learned from this thread already and hope very much to see this project continue.

is the fact that this is a userdebug build, test keys, and a permissive kernel a security/ privacy concern? maybe some of this will change? maybe xposed is the reason?

I lost track of xposed stuff quite awile back, maybe it will returning to my life! lol

ROM is very feature rich already, and the randomizer post a few back really caught my attention. Know of the reasoning for, but never have had the oportunity to use anything of the like

concerning the type zero sms. After googling about it im still not exactly sure about it all, but a question about it if i may. Does it matter what sms app is used?
I have been a fan if Signal for some time. I understand how it is best utilized when both/all parties use it. Seems it hides your sms from other apps tho too. Opinions of it? recomendations for differs?

please excuse my ignorance on amy of this, so much has changed over the past couple of years reguarding tech, privacy/security and android OS, while at that same time my time in front of a PC has grown less and less. I havent kept up as well as i should. I am not a dev, but always managed to follow along to maximize user control. I can read! lol


scorch away! but i wont be posting like a lil school girl any more. will be watching tho! :cyclops:



Fellings about bromite browser? maybe it can be implemented as the default webview? or even default browser?
https://www.bromite.org/

opinions on dnscrypt magisk module? i use it in its default installed iptables config


:good::highfive::silly:

 

[optimumpro]

thank you!

is the fact that this is a userdebug build, test keys, and a permissive kernel a security/ privacy concern? maybe some of this will change? maybe xposed is the reason?

ROM is very feature rich already, and the randomizer post a few back really caught my attention. Know of the reasoning for, but never have had the oportunity to use anything of the like

concerning the type zero sms. After googling about it im still not exactly sure about it all, but a question about it if i may. Does it matter what sms app is used?
I have been a fan if Signal for some time. I understand how it is best utilized when both/all parties use it. Seems it hides your sms from other apps tho too. Opinions of it? recomendations for differs?

Fellings about bromite browser? maybe it can be implemented as the default webview? or even default browser?

opinions on dnscrypt magisk module? i use it in its default installed iptables config

User debug builds are no less secure than user builds. Instead of Selinux, you have Yama security implemented in kernel. I don't like Selinux. Apart from questionable origins, it is a huge monster that is, in my view, an unnecessary overhead.

Test key, as opposed to development/release key is just a name. All my keys, including the test key, have been uniquely re-generated. So, they are not Google's outdated keys that are included by default in all custom builds.

I use Icecat browser. With regard to dnscrypt, I have a better idea: DNS over TLS, and it is already done (will be in the next release), see picture.

Signal: There are many problems with the app and the developer. It's a long discussion, and I have already posted about in on XDA. One I would mention: the dev used to be harassed by TSA in airports. Then all of a sudden, he obtained over a $13 million funding channeled to him through a known government hand for "development" purposes. Then again, all of a sudden, he got lucrative contracts to provide "security" for one of the widely known "bastions" of privacy What'sup/Facebook. You don't get that for nothing. Next, he removed encryption capabilities from SMS portion of the app, the ones that really were forcing adversaries to go through the pains of targeting individual phones through the air, which is expensive. To tell you more: as long, as you have Gapps installed, any encryption is useless, as Google can get your outgoing messages before they are encrypted, and incoming ones after they are decrypted. People may say "sand box", "permissions", but as long as you have Google Services Framework, which is the central part of Google apps, it can do with your device whatever it wants without you ever noticing. And Signal can't work without Google services.

I use Silence for SMS.

Means when implemented it will randomize my Mac on every reconnect?

Yes. Although, it is somewhat difficult, because Qualcomm has a proprietary (as opposed to open source) implementation of MAC.

 

[vdbhb59]

@optimumpro
Mate, any snapshots, please? Also, will MicroG or Nano-Droid work?
Also, does the GPS work, cause, that is the only reason, I am not able to get out of GApps. I want to be free of Google's Slavery Programme.
Danke. Vishal

 

[optimumpro]

@optimumpro
Mate, any snapshots, please? Also, will MicroG or Nano-Droid work?
Also, does the GPS work, cause, that is the only reason, I am not able to get out of GApps. I want to be free of Google's Slavery Programme.
Danke. Vishal

Microg should work with either Xposed or Magisk module. Without Google services, GPS would work with most apps, but not with Google maps, which require Gapps.

 

[d1n0x]

User debug builds are no less secure than user builds. Instead of Selinux, you have Yama security implemented in kernel. I don't like Selinux. Apart from questionable origins, it is a huge monster that is, in my view, an unnecessary overhead.

Test key, as opposed to development/release key is just a name. All my keys, including the test key, have been uniquely re-generated. So, they are not Google's outdated keys that are included by default in all custom builds.

I use Icecat browser. With regard to dnscrypt, I have a better idea: DNS over TLS, and it is already done (will be in the next release), see picture.

Signal: There are many problems with the app and the developer. It's a long discussion, and I have already posted about in on XDA. One I would mention: the dev used to be harassed by TSA in airports. Then all of a sudden, he obtained over a $13 million funding channeled to him through a known government hand for "development" purposes. Then again, all of a sudden, he got lucrative contracts to provide "security" for one of the widely known "bastions" of privacy What'sup/Facebook. You don't get that for nothing. Next, he removed encryption capabilities from SMS portion of the app, the ones that really were forcing adversaries to go through the pains of targeting individual phones through the air, which is expensive. To tell you more: as long, as you have Gapps installed, any encryption is useless, as Google can get your outgoing messages before they are encrypted, and incoming ones after they are decrypted. People may say "sand box", "permissions", but as long as you have Google Services Framework, which is the central part of Google apps, it can do with your device whatever it wants without you ever noticing. And Signal can't work without Google services.

I use Silence for SMS.



Yes. Although, it is somewhat difficult, because Qualcomm has a proprietary (as opposed to open source) implementation of MAC.

Thank you for the detailed insight. Although I have to say that Signal does work without Google play services. However, it falls back to a legacy polling method (increasing battery drain a bit) and shows a persistent notification in the status bar.

Great to see some privacy-conscious people here, amidst all of the Google fanboys who share every part of their life with Google and in the process jeopardize other people's privacy for the sake of "convenience".