[CLOSED][ROM][Unofficial][10.0][microG][signed]hardened LineageOS 17.1 Oneplus 3/3T

[MSe1969]

Answer me wider please. So is it possible to consider that Xposed is a hole in security? And because of this, author disabled opportunity to install Xposed in this firmware?

@nvertigo67 has already perfectly explained this, also in his recent response.

Just to add to this:
I did not actively disable stuff by means of "yeah, let's block feature 'xyz' " (unless I have put an option in the Settings leaving the user a choice), but I knowingly decided to include many hardening features from the GrapheneOS project into my ROM; which puts a significantly stricter limitation in place in regards of what the OS core components are allowed versus non-core components and 3rd party stuff ("user space"). The aim is to reduce the attack surface of especially yet unknown potential attacks.
The fact that Xposed, Gapps and other stuff cannot be flashed and/or do not work properly because of that is neither surprising, nor unwanted.

 

[Deleted member 4405529]

The fact that Xposed, Gapps and other stuff cannot be flashed and/or do not work properly because of that is neither surprising, nor unwanted.

*lol* Bro, you made my day. That's humble. I'd call these effects "proof of concept" or "proof of hardening in place" - "neither surprising, nor unwanted" is an awesome phrase in this context! Still laughing...

 

[MSe1969]

LineageOS 18.1

Hi all,

a LineageOS 18.1 test build is available here:

https://sourceforge.net/projects/lin18-microg/files/oneplus3/lineage-18.1-20210818-UNOFFICIAL-microG-signed-oneplus3.zip/download

It has the same features, as described in the OP for this 17.1 build, with the following additions:
- AuroraDroid app replaces F-Droid app to access F-Droid repositories
- Option to only use fingerprint unlock for apps and not for the device
- Optional timeout for Bluetooth and WLAN connections
- Some more hardening features ported from GrapheneOS
- Kernel is based on the upstreamed kernel of this build (with many necessary adaptations for 18.1, of course)
- Sec. string 2021-08-05

Right now, this is still a test build, this means:
I truly appreciate any feedback (especially, if things don't work as expected). And there definitely will be an update for 17.1 with ASB patches for September. It is possible to "dirty-flash" over this 17.1 build, but make a backup in TWRP before, to be able to get back.

Feedback appreciated - Thanks & regards, M.

EDIT:
Kernel source: https://github.com/lin18-microG/android_kernel_oneplus_msm8996/tree/lin-18.1-mse2
Build Manifest: https://github.com/lin18-microG/local_manifests/tree/lin-18.1-hmalloc

EDIT2 (2021-08-22):
Seems the kernel needs more rework: on my device, it always crashes after a while. If you use the "original" LineageOS kernel (e.g. extract and flash boot.IMG from an official LineageOS ROM Zip), it will work.

 

[MSe1969]

LineageOS 18.1 - 2nd Test build

I have chosen a different approach for now with the kernel and created a 2nd test build here, which seems to run well:

https://sourceforge.net/projects/lin18-microg/files/oneplus3/lineage-18.1-20210830-UNOFFICIAL-microG-signed-oneplus3.zip/download

Kernel source: https://github.com/lin18-microG/android_kernel_oneplus_msm8996/tree/lin-18.1-mse3
Build Manifest: https://github.com/lin18-microG/local_manifests/tree/lin-18.1-hmalloc

Please test and provide feedback!
Assuming this build runs smoothly and stable, I plan to provide a last time a 17.1 build with September ASB and afterwards LineageOS 18.1 builds.

Regarding Kernel:
I haven't yet abandoned the idea of a fully upstreamed kernel, which I used to provide so far for my 16.0 and 17.1 builds.
However, right now I am struggling to find the root cause of the kernel panics in my upstreamed kernel (branch 'lin-18.1-mse2').
Main reason is, that pstore doesn't work either right now, which makes it impossible to get proper logs. Any help appreciated!
For the time being, the working kernel used is the official Lineage 18.1 kernel with the missing official ASB patching plus further patches - taken from the updater script of Divest-OS (and a lot of manual work to get the proper commit history).

 

[Cashmeousside]

Hey!
I've been using this test build mk2 for nearly a day. And its very good. Kudos!
The issue that I've come across is that using the touchscreen gestures on screen off causes the device to reboot.
I apologise for no logs as my phone can only charge through the USB port (hardware issue)

 

[MSe1969]

Hey!
I've been using this test build mk2 for nearly a day. And its very good. Kudos!
The issue that I've come across is that using the touchscreen gestures on screen off causes the device to reboot.
I apologise for no logs as my phone can only charge through the USB port (hardware issue)

Thanks for the feedback, I can confirm your observation:

09-01 22:32:40.306  2784  3296 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 3296 (InputReader), pid 2784 (system_server)
09-01 22:32:40.492  2784  3297 I HidlSensorManager: hidl_ssvc_poll: spurious wake up, back to work
09-01 22:32:40.495  7016  7016 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-01 22:32:40.496  2229  2229 I tombstoned: received crash request for pid 3296
09-01 22:32:40.501  7016  7016 I crash_dump64: performing dump of process 2784 (target tid = 3296)
09-01 22:32:40.564  7016  7016 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-01 22:32:40.565  7016  7016 F DEBUG   : LineageOS Version: '18.1-20210830-UNOFFICIAL-microG-signed-oneplus3'
09-01 22:32:40.565  7016  7016 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus3/OnePlus3T:8.0.0/OPR1.170623.032/02281230:user/release-keys'
09-01 22:32:40.565  7016  7016 F DEBUG   : Revision: '0'
09-01 22:32:40.565  7016  7016 F DEBUG   : ABI: 'arm64'
09-01 22:32:40.566  7016  7016 F DEBUG   : Timestamp: 2021-09-01 22:32:40+0200
09-01 22:32:40.566  7016  7016 F DEBUG   : pid: 2784, tid: 3296, name: InputReader  >>> system_server <<<
09-01 22:32:40.566  7016  7016 F DEBUG   : uid: 1000
09-01 22:32:40.566  7016  7016 F DEBUG   : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
09-01 22:32:40.566  7016  7016 F DEBUG   : Abort message: 'Inlined method resolution crossed dex file boundary: from android.view.KeyEvent org.lineageos.lineageparts.gestures.KeyHandler.handleKeyEvent(android.view.KeyEvent) in /system/priv-app/LineageParts/LineageParts.apk/0x31659ec220 to int lineageos.providers.LineageSettings$System.getInt(android.content.ContentResolver, java.lang.String, int) in /system/framework/org.lineageos.platform.jar/0x3165918b60. This must be due to duplicate classes or playing wrongly with class loaders. The runtime is in an unsafe state.'

Have already an idea how to avoid this...

 

[MSe1969]

LineageOS 18.1 - 3rd Test build

Fixed the Keyhandler crash from previous post (this is the commit for those interested):

https://sourceforge.net/projects/lin18-microg/files/oneplus3/lineage-18.1-20210901-UNOFFICIAL-microG-signed-oneplus3.zip/download

 

[NWD]

I tried Divest-OS earlier today, since it stated I might be able to lock the bootloader, it worked, but still gave a message about a dodgy ROM when it booted...

I tried flashing your ROM using the same method (thanks to this tip https://www.reddit.com/r/OnePlus3T/comments/hubb7r ) it seems to be working fine...

Locked BootLoader (no messages during reboots)
Encrypted with Boot Password and LockScreen Password

Thanks for the hard work you put in to keep this hardware working

 

[NWD]

Thought it'd be a good idea to post these instructions in case anyone else needs them...

0. Install TWRP if needed...
fastboot flash recovery twrp.img

1. Boot into FastBoot/Bootloader run command ->
fastboot devices

2. To re-Lock the bootloader (select no (bug in op3 firmware))
fastboot oem lock

3. Reboot into TWRP

Format Data
Wipe All Partitions

3b. Reboot back into TWRP

4. Run adb sideload, then run commands

adb devices

adb sideload lineage-18.1-20210901-UNOFFICIAL-microG-signed-oneplus3.zip

5. Reboot phone manually in TWRP

Encrypt Phone, Set Boot PIN/Pass etc...

Done

 

[MSe1969]

New build available with September Security patches

Hi all,
a new build is available for download and already offered via Updater app:

https://sourceforge.net/projects/lin17-microg/files/oneplus3/lineage-17.1-20210909-UNOFFICIAL-microG-signed-oneplus3.zip/download

• ASB Security string 2021-09-05
• Kernel upstreamed to tag ASB-2021-09-05_3.18
• microG microG 0.2.22.212658-2

Happy flashing!
Regards, M.

 

[MSe1969]

Final LineageOS 18.1 Testbuild
Hi all, I have made another test build - in my opinion it is now "ready to go", but I would like to get your feedback:

https://sourceforge.net/projects/lin18-microg/files/oneplus3/lineage-18.1-20210915-UNOFFICIAL-microG-signed-oneplus3.zip/download

I have applied the September ASB patches and also fixed some minor bugs, which I have experienced during my testing.
Happy flashing - regards, M.

 

[borisSweden]

How do I stop wifi from shutting down when the screen turns off stays idle? Also any tips on how to configure GPS settings? I downloaded all NLP apps from F-droid. Accuracy is 10m while OOS was around 5m.
I also wonder if I need to contact LOS team for GnssStatus.getCarrierFrequencyHz() API support or does the ROM follow OxygenOS code?

 

[MSe1969]

How do I stop wifi from shutting down when the screen turns off stays idle?

Could you please give a more explicit example?

Also any tips on how to configure GPS settings? I downloaded all NLP apps from F-droid. Accuracy is 10m while OOS was around 5m.

OOS uses, as any stock ROM, the genuine Google spy services as coarse location provider. It has to be admitted, that the accuracy is really good, but to the price of Google knowing your location at any time.
Seems that the combo of GPS and Google's Wifi DB is able to better calibrate the location.
Just a guess...

I also wonder if I need to contact LOS team for GnssStatus.getCarrierFrequencyHz() API support or does the ROM follow OxygenOS code?

The ROM is a modified LineageOS, which itself is a modified AOSP - no idea about the specifics of OOS.

 

[borisSweden]

Could you please give a more explicit example?


OOS uses, as any stock ROM, the genuine Google spy services as coarse location provider. It has to be admitted, that the accuracy is really good, but to the price of Google knowing your location at any time.
Seems that the combo of GPS and Google's Wifi DB is able to better calibrate the location.
Just a guess...


The ROM is a modified LineageOS, which itself is a modified AOSP - no idea about the specifics of OOS.

IDK what I did but wifi work now, battery optimization must have done something or its the wifi enhancer in dev options.

Yeah your explanation pretty much answers why GNSS isnt that good. But which NLP apps do I need? Not all of them of course.

I sent a PM to the LOS team and Im waiting for their answer.

 

[MSe1969]

Yeah your explanation pretty much answers why GNSS isnt that good. But which NLP apps do I need? Not all of them of course.

Depends on your personal preference. I think for the address resolution, there is only Nominatim. For the Coarse location, I in fact see two options (personal opinion):

a. With the shipped Mozilla one, you have a very good "allrounder". However, you may dislike, that it also requires internet connection, as it uses Mozilla's servers to calculate your location, based on your device's provided data. You don't need an account for that, but at least a "fingerprint" of your device is being tracked.

b. I personally use the combo of GSM Location Provider and DéjàVu - it is less accurate, but entirely "offline".
GSM Location provider needs to initially download cell tower data to build a database and yes, whenever you feel like it, you download an update - but the location calculation itself happens offline (after downloading the cell tower data, you can even cut the internet connection for that app, if you like). DéjàVu simply watches, when your GPS is on, locations and nearby WiFi ID's and stores, if certain combinations happen "statistically often enough", such points. Hence it learns (no internet connection!), where you are located usually and at least those points are identified with a remarkable accuracy.

If you use coarse location for things like weather widget and/or supporting a faster initial GPS fix, "b." is sufficient.
"a." is less effort and more accurate, but the location calculation happens at a server, which needs to keep track of your device - without account and hence somehow "pseudonymously".

 

[mar.ste]

Wanted to revive my still good but unused 3T and since OnePlus is not delivering anymore security patches I ditched OxygenOS. Intalled this ROM and for now all ok. In the next days I'll play with it and if good I'll swith to it my main phone!

 

[borisSweden]

Depends on your personal preference. I think for the address resolution, there is only Nominatim. For the Coarse location, I in fact see two options (personal opinion):

a. With the shipped Mozilla one, you have a very good "allrounder". However, you may dislike, that it also requires internet connection, as it uses Mozilla's servers to calculate your location, based on your device's provided data. You don't need an account for that, but at least a "fingerprint" of your device is being tracked.

b. I personally use the combo of GSM Location Provider and DéjàVu - it is less accurate, but entirely "offline".
GSM Location provider needs to initially download cell tower data to build a database and yes, whenever you feel like it, you download an update - but the location calculation itself happens offline (after downloading the cell tower data, you can even cut the internet connection for that app, if you like). DéjàVu simply watches, when your GPS is on, locations and nearby WiFi ID's and stores, if certain combinations happen "statistically often enough", such points. Hence it learns (no internet connection!), where you are located usually and at least those points are identified with a remarkable accuracy.

If you use coarse location for things like weather widget and/or supporting a faster initial GPS fix, "b." is sufficient.
"a." is less effort and more accurate, but the location calculation happens at a server, which needs to keep track of your device - without account and hence somehow "pseudonymously".

Alrigth, I deleted GSMLocationNlPBackend, RadioCells.orgRF, Apple UnifiedNlP.

BTW, are there apps like location.service.google and izat.location.qualcomm ?

Also what do I need to do for RCS chat to work? Is it because of Safety Net?

 

[MSe1969]

BTW, are there apps like location.service.google and izat.location.qualcomm ?

Not aware - could you please explain in more detail, what you mean?

Also what do I need to do for RCS chat to work? Is it because of Safety Net?

I am not really experienced in the "RCS" topic (I use Signal as messenger and SMS app), so I have searched a little.
How did you attempt to use RCS? I.e. which app did you install? G* messages?
As G* hasn't opened the APIs to app developers, this seems to be some "exclusive" feature combo of the Google messages app and the G* proprietary spy services...
If that's the case, I can't give you any good advice - proprietary G* apps are usually very deeply integrated with the genuine G* spy services, especially, when it comes to making use of even undocumented functions, so in general, proprietary G* apps tend to work worse with microG. I don't think this is due to Safety net, as Google normally uses SN for REAL needs (not like some other app manufacturers, who even use it for no valid reason, like e.g. the app of a known fastfood franchise).

 

[mar.ste]

Wanted to revive my still good but unused 3T and since OnePlus is not delivering anymore security patches I ditched OxygenOS. Intalled this ROM and for now all ok. In the next days I'll play with it and if good I'll swith to it my main phone!

Installed few apps, and they seems good but for now I have one fail: for some reason lichess (a wonderful and open source chess application with a vibrant community) is not able to connect to play games, even though I was able to login to the server: there is some traffic blocking functionality?
ps: not sure if useful but I still didn't insert my SIM and I'm still using wifi connection (luckily I've FTTH here )

 

[MSe1969]

Installed few apps, and they seems good but for now I have one fail: for some reason lichess (a wonderful and open source chess application with a vibrant community) is not able to connect to play games, even though I was able to login to the server: there is some traffic blocking functionality?

I don't know the details about lichess. Can you somehow produce a log or at least more details about the error, which you face?