[ROM][Unofficial][10.0][microG][signed]hardened LineageOS 17.1 Oneplus 7T Pro

Search This thread

MSe1969

Senior Member
Dec 16, 2016
1,656
2,929
Frankfurt Rhine-Main metropolitan region
This thread is dedicated to provide hardened Lineage-OS 17.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.

Features of this ROM
Download here
  • Pre-installed microG and F-Droid like LineageOS for microG project (own fork)
  • Pre-installed AuroraStore
  • OTA Support
  • eSpeakTTS engine
  • Bromite as default browser
  • Additional security hardening features listed below:
  • Cloudflare as default DNS (instead of Google)
  • Privacy-preferred default settings
  • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
  • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
  • Firewall UI (under Trust)
  • Increased max. password length of 64
  • No submission of IMSI/phone number to Google when GPS is in use
  • Default hosts file with many blocked ad/tracking sites
  • Privacy-enhanced Bromite SystemWebView
  • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
  • Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
  • Debloated from Oneplus blobs for Soter and IFAA
  • Hardened bionic lib and constified JNI method tables


Current release levels
Security string: 2021-04-05
AOSP tag: 10.0.0_r41
Bromite System Webview: M90


Source-code and build instructions
Kernel: https://github.com/lin17-microg/android_kernel_oneplus_sm8150/tree/lin-17.1-mse
Build manifest: https://github.com/lin17-microg/local_manifests/tree/lin-17.1-hmalloc


Installation Instructions

YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!

Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

Pre-Requisites
  • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
  • An unlocked bootloader (see e.g. LineageOS install instructions)
  • If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
  • Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])

Please read carefully:
I refer in general to the LineageOS install instructions, but there are some deviations!
It is recommended to really go through the instructions once, before doing anything. You have been warned.


Install the dedicated Lineage recovery for this ROM
For the Oneplus 7T Pro (hotdog), there is currently no official TWRP available! The unofficial TWRP did not work for me.
Please download the specific Lineage revocery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
Flash this specific recovery with the below commands:
Code:
fastboot flash recovery_a lineage-17.1-20210118-recovery-microG-signed-hotdog.img
fastboot flash recovery_b lineage-17.1-20210118-recovery-microG-signed-hotdog.img
Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.

If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
Please note, that you may get error messages stating
Partition product_b dd: /dev/block/dm-1: write error: No space left on device
Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
You can ignore those, as long as it is product or vendor.

Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP.
It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.

DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.


Update Instructions

This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities necessary.
You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
IMPORTANT:
If you would like to manually update by sideloading the ROM, you need to first flash the linked recovery image (see install instructions) again via fastboot! Recovery is always updated when flashing a new ROM version, and that updated recovery can't sideload this ROM version. Don't ask me, why. I will have to find out, how to solve that issue.


Dealing with signed builds
Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".


Bug reports:
If you have a problem, please create a post with these informations:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

Credits
AOSP project
LineageOS project
microG project
Graphene OS project
csagan5 (Bromite)
WhyOrean (Aurora)
 
Last edited:

MSe1969

Senior Member
Dec 16, 2016
1,656
2,929
Frankfurt Rhine-Main metropolitan region
Change log

2021-04-10

  • ASB Security string 2021-04-01
  • Bromite System Webview and Browser updated to 90.0.4430.59
  • F-Droid updated to 1.12
  • Update: AuroraStore 4.0.4 with AuroraServices 1.1.0

2021-03-08
  • Security string 2021-03-05
  • Kernel slightly patched
  • Bromite System Webview updated to 88.0.4324.207
  • Bromite Browser updated to 88.0.4324.207
  • F-Droid 1.11
  • microG 0.2.18.204714

2021-02-05
  • Security string 2021-02-05
  • Kernel slightly patched
  • Bromite System webview updated to 88.0.4324.141
  • Bromite Browser updated to 88.0.4324.141
  • F-Droid 1.10-alpha-234
  • microG 0.2.17.204714-5
2021-01-22 - Initial build
  • Security string 2020-01-05
  • Pre-installed microG (0.2.16.204713-10) and F-Droid like the LineageOS for microG project (own fork)
  • Pre-installed AuroraStore
  • Bromite as default browser (87.0.4280.106)
  • eSpeak TTS engine (FOSS TTS solution)
  • Additional security hardening features listed below:
  • Cloudflare as default DNS (instead of Google)
  • Privacy-preferred default settings
  • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
  • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
  • Firewall UI (under Trust)
  • Increased max. password length of 64
  • No submission of IMSI/phone number to Google when GPS is in use
  • Default hosts file with many blocked ad/tracking sites
  • Privacy-enhanced Bromite SystemWebView (87.0.4280.131)
  • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
  • Constified JNI method tables and hardened bionic lib
 
Last edited:

MSe1969

Senior Member
Dec 16, 2016
1,656
2,929
Frankfurt Rhine-Main metropolitan region
Security Hardening Features - Details

1. Pre-installed microG and F-Droid

same as the LineageOS for microG project

2. Pre-installed AuroraStore
works w/o having to enable the "unknown sources feature"

3. Extra control of sensor access for additionally installed user apps
Special access under app permissions

4. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the deafult DNS settings (as fallback) and network diagnostics, the Cloudflare DNS adresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)

5. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 17.1 (all settings can be changed at any time later):
  • Anonymous LineageOS statistics disabled (proposal during Setup)
  • The standard browsing app does not get the location runtime permission automatically assigned
  • Sensitive information is hidden on the lock screen
  • Camera app: Location tagging disabled by default
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without

6. Optional blocking of Facebook- and Google-Tracking
Settings => Network & Internet (scroll down)
When activated, all outgoing connection attempts to Facebook servers will be suppressed.
Same applies to Google, but certain apps on an internal exception list will still be able to connect (AuroraStore, microG, or e.g. NewPipe, if installed)

7. Optional disable captive portal detection and to select Captive portal server URL provider
Settings => Network & Internet (scroll down)
When deactivated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used. Further, the captive portal URL provider can be set (default is GrapheneOS and not Google; Settings - Network & Internet)

8. No submission of IMSI or phone number to Google when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties :rolleyes:) to provide this data . . .

9. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)

10. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.

11. Bromite as shipped Browser
A chromium based browser with many privacy features.

12. Firewall UI
Settings => Privacy - Firewall
Lists all apps and allows to restrict Internet access per app in regards to WiFi, mobile network or VPN
This per-app feature is a standard feature in LineageOS, but the UI to show all apps is an Extra (taken from a topic in LineageOS's Gerrit - it may, or may not, become part of the official LineageOS one day)

13. Maximum password length increased to 64
 

steadfasterX

Recognized Developer
Nov 13, 2013
5,671
14,995
@MSe1969 wow.. Ok first of all thanks ! It's great seeing another privacy lover put there !
2 questions:


1. Why not going with /e/ ? Or at least push your great extensions (like firewall ui etc etc) upstream there? Just curious if there is anything preventing you going that route

2. Did you ever tried locking the bootloader with the OP 7t pro? I have read that it is possible when saving the signing key via fastboot
 
  • Like
Reactions: MSe1969

MSe1969

Senior Member
Dec 16, 2016
1,656
2,929
Frankfurt Rhine-Main metropolitan region
@MSe1969 wow.. Ok first of all thanks ! It's great seeing another privacy lover put there !
2 questions:


1. Why not going with /e/ ? Or at least push your great extensions (like firewall ui etc etc) upstream there? Just curious if there is anything preventing you going that route

2. Did you ever tried locking the bootloader with the OP 7t pro? I have read that it is possible when saving the signing key via fastboot

Hi, thanks for the positive feedback.

I know /e/ and I also watch their repositories from time to time to obtain new ideas or simply see, what they do (same I do e.g. with GlassROM, GrapheneOS, divestos, ...). More a question of my personal taste to have my own build variant, which I provide meanwhile for a couple of devices (LineageOS 14.1 f. falcon & peregrine, a 16.0 treble build for Huawei P9 and 17.1 builds f. oneplus3, osprey and hotdog), but definitely no "hard" reason or any negative attitude towards /e/.

Regarding locking BL, well - as I develop for this device, locking the BL does not provide any advantage for me, in the contrary...
 

todevrandom

Member
Jan 22, 2021
5
2
Will have a look this week - the kernel right now is identical to the LineageOS "official" kernel (plus some patches). Is my understanding correct, that this is needed for USB tethering?
Yeah, for communicating with Arduino/Discovery board from Linux Deploy. It works in lieage16 for samsung. I had tried to build Lineage18.1 today following official guide but run in some issues while building (maybe openjdk version). Next try will be the next weekend.
Will have a look this week
Many thank's!
Anyway, thank's for this ROM
 

steadfasterX

Recognized Developer
Nov 13, 2013
5,671
14,995
Hi, thanks for the positive feedback.

I know /e/ and I also watch their repositories from time to time to obtain new ideas or simply see, what they do (same I do e.g. with GlassROM, GrapheneOS, divestos, ...). More a question of my personal taste to have my own build variant, which I provide meanwhile for a couple of devices (LineageOS 14.1 f. falcon & peregrine, a 16.0 treble build for Huawei P9 and 17.1 builds f. oneplus3, osprey and hotdog), but definitely no "hard" reason or any negative attitude towards /e/.

Regarding locking BL, well - as I develop for this device, locking the BL does not provide any advantage for me, in the contrary...
Afaik it is possible to lock the bootloader when using own signing keys (which you do) and just enabling the signature in fastboot. A big advantage and you won't loose anything as you can still put custom ROMs on it as long as they have the enabled signature .. Or what do i miss here?
 

MSe1969

Senior Member
Dec 16, 2016
1,656
2,929
Frankfurt Rhine-Main metropolitan region
Afaik it is possible to lock the bootloader when using own signing keys (which you do) and just enabling the signature in fastboot. A big advantage and you won't loose anything as you can still put custom ROMs on it as long as they have the enabled signature .. Or what do i miss here?
Well, for example fastboot boot testkernel.img wouldn't work any more. As said, "me doing development work" - for a user of my ROM it definitely would be beneficial. To be honest - I am not 100% sure, whether it really works (I would have to gain more information first, the 7T is brand new to me, I know it is possible with the 3T).
Would you mind testing it and confirming? (I know: If it doesn't work - you may end up in having to fully wipe, so not an easy answer - you wanted also to re-assure before simply doing it)
 
  • Like
Reactions: steadfasterX

Azev

Senior Member
Dec 31, 2007
280
95
Metz
OK, glad you've found the way to stop the loop.
What exactly have you done (step by step), when you attempted to root the device?

- Transfer Boot.img from your rom to phone
- Flash boot.img with latest Magisk Manager
- Transfer patched-magisk.img to PC
- Connected phone to PC with cable
- Launch Power shell Windows
- Command > ./adb reboot bootloader
- Command > ./fastboot boot magisk_patched.img
- Bootlop before i can start for flash definitively

BTW great rom, smooth and battery friendly.
 
Last edited by a moderator:
  • Like
Reactions: MSe1969

Azev

Senior Member
Dec 31, 2007
280
95
Metz
Since i have changed accent color with Styles and Wallpapers in settings, the app crash. I have reboot the phone many times. I have used this option 4 times after a reboot, you will can see it in the logcat
I put a screenshot and a locat file
 

Attachments

  • Screenshot_20210125-030300_Settings[291].png
    Screenshot_20210125-030300_Settings[291].png
    199.4 KB · Views: 79
  • logcat_01-25-2021_03-12-43.zip
    96 KB · Views: 7
Last edited by a moderator:
  • Like
Reactions: MSe1969

steadfasterX

Recognized Developer
Nov 13, 2013
5,671
14,995
Well, for example fastboot boot testkernel.img wouldn't work any more. As said, "me doing development work" - for a user of my ROM it definitely would be beneficial. To be honest - I am not 100% sure, whether it really works (I would have to gain more information first, the 7T is brand new to me, I know it is possible with the 3T).
Would you mind testing it and confirming? (I know: If it doesn't work - you may end up in having to fully wipe, so not an easy answer - you wanted also to re-assure before simply doing it)
Ah ok i see. Well.. Its my DD and so nothing i can do easily. I'll build /e/ for this device as soon as my time permits as the plan was to go with /e/.. Now with the appearance of your ROM I am not sure which to choose lol
 
  • Like
Reactions: MSe1969

Azev

Senior Member
Dec 31, 2007
280
95
Metz
I have problems with notifications too, if the screen is off, i dont have notifications from SMS and chats (telegram, Signal)
Edit: Notifications fixed, my bad 🙄
Re-Edit: second attempt for root was the good one
 

Attachments

  • Screenshot_20210125-121606_Magisk_Manager.png
    Screenshot_20210125-121606_Magisk_Manager.png
    203.6 KB · Views: 62
Last edited by a moderator:
  • Like
Reactions: MSe1969

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    First of all: thanks a lot to MSe1969 for this awesome ROM!

    I’ve been using it for more than two weeks now and I’m very happy with it. No lagging and not a single forced reboot!

    The recent OTA update went smooth as well.

    In the past I tried to set up microG and Bromite SystemWebView on other phones but didn’t succeed, so this ROM is very much appreciated.

    Highly recommended for users who have some experience in flashing custom roms but are not Android geeks ;)
    Thanks for the positive feedback, appreciated. Will comment further below some points and try to answer questions.

    Basically had no problems so far, except for AuroraStore causing some troubles after I fiddled with the settings (maybe also related to the major version bump to 4.xx?!). A clean install solved the problem anyway; v4.0.4.35 is working fine so far).
    In regards to Aurora:
    My recommendation is, that if Aurora really misbehaves after flashing this month's ROM, which performs a major upgrade from 3.2.9 to 4.0.4, go to Settings - Apps - pick AuroraStore and delete cache and memory.

    Some things I noticed (NO criticism!):
    • using Lawnchair launcher instead of Trebuchet works just fine
    • gesture navigation works well but it feels slightly less smooth than in OxygeneOS (last version I used was OOS 11 open beta 3)
    • settings for display resolution and refresh rate are missing; what are the default values in this ROM?
    • in the quick settings I’m missing the tile to easily switch to night mode (OOS has it, maybe it’s just not there in LineageOS?)
    • no always on display option in LOS (but wasn’t properly working in OOS anyway, massive battery drain …)
    Well, it's LineageOS and not OOS. I have no influence on this...

    • battery life / SOT is ok but not outstanding (app killing seems to be way more agressive in OOS; this ROM seems to make better use of the ample RAM the phone offers)
    The agressive app killing in OOS is something, which is a really bad practice (see https://dontkillmyapp.com/oneplus), so I am glad, that LineageOS does not do this ****. Besides, it has to be said, that indeed Stock ROMs are usually slightly better in battery behavior (not only because of stupid app killing to compensate their own bloatware apps, which of course are exempt from the app killing).

    • if I could choose I’d probably prefer some TWRP recovery to the LOS recovery that comes with this ROM (mainly because it’s so easy to backup all data in TWRP)
    Unfortunately, there is no fully working TWRP for our device, yet. I would love to use TWRP myself! I have tried the experimental TWRP, which exists for this ROM, but came back to Lineage Recovery. But hoping that the dev working on TWRP for our device will eventually succeed...

    • okcupid app (something related to webview) and ebayKleinanzeigen app (some error message about trouble with the WLAN connection) don’t work (not really a problem)
    No idea about okcupid, but eBay is known to be "nosy" and hence deeply integrate with the genuine Google spy services; many apps work just fine with microG, but not all...

    Thanks for the hint - for sure interesting for others reading

    • AuroraStore displays one app that I didn’t actively install (see bootom of screenshot) – what is eSpeak?
    View attachment 5277263
    On this ROM, I ship a fork of the eSpeak NG TTS app, to provide a Google-free TSS engine. This in fact the prebuilt apk taken from here, which is a fork of espeak-ng . The eSpeak app in the play store (link leads to Github) which is - wrongly - referred to as installed app in Aurora, is also a fork of espeak-ng. As it however uses the same app name, this reference is made in AuroraStore.
    1
    Depends, what you exactly mean, when you say "firmware":
    The /vendor partition is also newly built as part of the build process (same as further partitions). The so-called "vendor blobs" are frequently extracted from the recent Oxygen-OS images by the LineageOS maintainers, which is then also used by me for the builds.
    Different from e.g. the Oneplus 3/3T device (where flashing the most current firmware zips is a necessity to have the ROMs working properly), I haven't seen any separate "firmware" zips files, to e.g. update the modem.
    Yeah the multiple new firmware partitions on newer devices is kinda harder to understand. And I've seen some roms use custom images for those partitions, different from the stock partitions. Like custom vendor.img, or vbmeta.img, or odm.img , etc.

    My guess is they are referring to whatever firmware partitions are updated with OOS11, which was released a couple days ago in the stable channel for the 7T Pro. So I'm guessing they want to know if it's ok to flash the ROM over a OOS 11 base, or if you need an OOS 10 base.
    1
    New build with April ASB patches available

    Hi all, a new build is available and also offered via the Updater app. For manual download and flashing, see here:
    • ASB Security string 2021-04-01
    • Bromite System Webview and Browser updated to 90.0.4430.59
    • F-Droid updated to 1.12
    • Update: AuroraStore 4.0.4 with AuroraServices 1.1.0
    Regards, M.
    1
    New build with April ASB patches available

    Hi all, a new build is available and also offered via the Updater app. For manual download and flashing, see here:
    • ASB Security string 2021-04-01
    • Bromite System Webview and Browser updated to 90.0.4430.59
    • F-Droid updated to 1.12
    • Update: AuroraStore 4.0.4 with AuroraServices 1.1.0
    Regards, M.
    Updated flawless. Great Thy.
    1
    First of all: thanks a lot to MSe1969 for this awesome ROM!

    I’ve been using it for more than two weeks now and I’m very happy with it. No lagging and not a single forced reboot!

    The recent OTA update went smooth as well.

    In the past I tried to set up microG and Bromite SystemWebView on other phones but didn’t succeed, so this ROM is very much appreciated.

    Highly recommended for users who have some experience in flashing custom roms but are not Android geeks ;)


    Basically had no problems so far, except for AuroraStore causing some troubles after I fiddled with the settings (maybe also related to the major version bump to 4.xx?!). A clean install solved the problem anyway; v4.0.4.35 is working fine so far).



    Some things I noticed (NO criticism!):
    • using Lawnchair launcher instead of Trebuchet works just fine
    • gesture navigation works well but it feels slightly less smooth than in OxygeneOS (last version I used was OOS 11 open beta 3)
    • settings for display resolution and refresh rate are missing; what are the default values in this ROM?
    • in the quick settings I’m missing the tile to easily switch to night mode (OOS has it, maybe it’s just not there in LineageOS?)
    • no always on display option in LOS (but wasn’t properly working in OOS anyway, massive battery drain …)
    • battery life / SOT is ok but not outstanding (app killing seems to be way more agressive in OOS; this ROM seems to make better use of the ample RAM the phone offers)
    • update process took waaay longer than in OOS but it worked flawlessly and provided current security patch – shame on oneplus for being behind in that regard!
    • if I could choose I’d probably prefer some TWRP recovery to the LOS recovery that comes with this ROM (mainly because it’s so easy to backup all data in TWRP)
    • ad blocking works very well: so far, no ads have come through (haven't touched any of the default settings; in Firefox I've installed the uBlock Origin & Privacy Badger add-ons). In that regard this ROM offers a similar experience to OOS with Blokada
    • my banking app works fine
    • okcupid app (something related to webview) and ebayKleinanzeigen app (some error message about trouble with the WLAN connection) don’t work (not really a problem)
    • GCam works (I installed the recommended one from https://www.celsoazevedo.com/files/android/p/gcam-oneplus-7-t-pro/); minor problem: it doesn’t open the pictures I take in the app I set as default gallery app (https://f-droid.org/en/packages/com.simplemobiletools.gallery.pro/)
    • AuroraStore displays one app that I didn’t actively install (see bootom of screenshot) – what is eSpeak?
    img1.png




    Once again, thx a lot to the OP, keep up your excellent work!
  • 8
    This thread is dedicated to provide hardened Lineage-OS 17.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.

    Features of this ROM
    Download here
    • Pre-installed microG and F-Droid like LineageOS for microG project (own fork)
    • Pre-installed AuroraStore
    • OTA Support
    • eSpeakTTS engine
    • Bromite as default browser
    • Additional security hardening features listed below:
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
    • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
    • Firewall UI (under Trust)
    • Increased max. password length of 64
    • No submission of IMSI/phone number to Google when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView
    • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
    • Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
    • Debloated from Oneplus blobs for Soter and IFAA
    • Hardened bionic lib and constified JNI method tables


    Current release levels
    Security string: 2021-04-05
    AOSP tag: 10.0.0_r41
    Bromite System Webview: M90


    Source-code and build instructions
    Kernel: https://github.com/lin17-microg/android_kernel_oneplus_sm8150/tree/lin-17.1-mse
    Build manifest: https://github.com/lin17-microg/local_manifests/tree/lin-17.1-hmalloc


    Installation Instructions

    YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!

    Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

    Pre-Requisites
    • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
    • An unlocked bootloader (see e.g. LineageOS install instructions)
    • If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
    • Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])

    Please read carefully:
    I refer in general to the LineageOS install instructions, but there are some deviations!
    It is recommended to really go through the instructions once, before doing anything. You have been warned.


    Install the dedicated Lineage recovery for this ROM
    For the Oneplus 7T Pro (hotdog), there is currently no official TWRP available! The unofficial TWRP did not work for me.
    Please download the specific Lineage revocery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
    Flash this specific recovery with the below commands:
    Code:
    fastboot flash recovery_a lineage-17.1-20210118-recovery-microG-signed-hotdog.img
    fastboot flash recovery_b lineage-17.1-20210118-recovery-microG-signed-hotdog.img
    Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.

    If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
    Please note, that you may get error messages stating
    Partition product_b dd: /dev/block/dm-1: write error: No space left on device
    Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
    You can ignore those, as long as it is product or vendor.

    Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP.
    It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.

    DO NOT flash Gapps!
    This ROM comes with pre-installed microG. So don't attempt to flash Gapps.


    Update Instructions

    This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities necessary.
    You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
    IMPORTANT:
    If you would like to manually update by sideloading the ROM, you need to first flash the linked recovery image (see install instructions) again via fastboot! Recovery is always updated when flashing a new ROM version, and that updated recovery can't sideload this ROM version. Don't ask me, why. I will have to find out, how to solve that issue.


    Dealing with signed builds
    Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".


    Bug reports:
    If you have a problem, please create a post with these informations:
    Original Kernel shipped with this rom:
    Build Date:
    And try to get log as described here
    Please note that I can't and won't support issues with builds using a different kernel or Xposed.
    In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

    Credits
    AOSP project
    LineageOS project
    microG project
    Graphene OS project
    csagan5 (Bromite)
    WhyOrean (Aurora)
    5
    Change log

    2021-04-10

    • ASB Security string 2021-04-01
    • Bromite System Webview and Browser updated to 90.0.4430.59
    • F-Droid updated to 1.12
    • Update: AuroraStore 4.0.4 with AuroraServices 1.1.0

    2021-03-08
    • Security string 2021-03-05
    • Kernel slightly patched
    • Bromite System Webview updated to 88.0.4324.207
    • Bromite Browser updated to 88.0.4324.207
    • F-Droid 1.11
    • microG 0.2.18.204714

    2021-02-05
    • Security string 2021-02-05
    • Kernel slightly patched
    • Bromite System webview updated to 88.0.4324.141
    • Bromite Browser updated to 88.0.4324.141
    • F-Droid 1.10-alpha-234
    • microG 0.2.17.204714-5
    2021-01-22 - Initial build
    • Security string 2020-01-05
    • Pre-installed microG (0.2.16.204713-10) and F-Droid like the LineageOS for microG project (own fork)
    • Pre-installed AuroraStore
    • Bromite as default browser (87.0.4280.106)
    • eSpeak TTS engine (FOSS TTS solution)
    • Additional security hardening features listed below:
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
    • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
    • Firewall UI (under Trust)
    • Increased max. password length of 64
    • No submission of IMSI/phone number to Google when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView (87.0.4280.131)
    • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
    • Constified JNI method tables and hardened bionic lib
    5
    Security Hardening Features - Details

    1. Pre-installed microG and F-Droid

    same as the LineageOS for microG project

    2. Pre-installed AuroraStore
    works w/o having to enable the "unknown sources feature"

    3. Extra control of sensor access for additionally installed user apps
    Special access under app permissions

    4. Cloudflare (instead of Google) default DNS
    Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the deafult DNS settings (as fallback) and network diagnostics, the Cloudflare DNS adresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)

    5. Privacy-preferred default settings
    When newly installed, the below settings are defaulted, different from standard LineageOS 17.1 (all settings can be changed at any time later):
    • Anonymous LineageOS statistics disabled (proposal during Setup)
    • The standard browsing app does not get the location runtime permission automatically assigned
    • Sensitive information is hidden on the lock screen
    • Camera app: Location tagging disabled by default
    Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without

    6. Optional blocking of Facebook- and Google-Tracking
    Settings => Network & Internet (scroll down)
    When activated, all outgoing connection attempts to Facebook servers will be suppressed.
    Same applies to Google, but certain apps on an internal exception list will still be able to connect (AuroraStore, microG, or e.g. NewPipe, if installed)

    7. Optional disable captive portal detection and to select Captive portal server URL provider
    Settings => Network & Internet (scroll down)
    When deactivated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used. Further, the captive portal URL provider can be set (default is GrapheneOS and not Google; Settings - Network & Internet)

    8. No submission of IMSI or phone number to Google when GPS is in use
    GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties :rolleyes:) to provide this data . . .

    9. Default hosts file with many blocked ad/tracking sites
    The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)

    10. Privacy-enhanced Bromite SystemWebView
    Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.

    11. Bromite as shipped Browser
    A chromium based browser with many privacy features.

    12. Firewall UI
    Settings => Privacy - Firewall
    Lists all apps and allows to restrict Internet access per app in regards to WiFi, mobile network or VPN
    This per-app feature is a standard feature in LineageOS, but the UI to show all apps is an Extra (taken from a topic in LineageOS's Gerrit - it may, or may not, become part of the official LineageOS one day)

    13. Maximum password length increased to 64
    4
    Thank you for your support here. Everything works very fine. Last but not least i need root access for the rom.
    is it too late now for root because all is set up now or can i root the phone after all this? If yes, can you point me to the correct img or what ever and explane how to root.
    Sorry for getting on your nerves....
    If I may offer my step-by-step guide to root a fresh installation. I am not so sure whether that works in Linux (so I keep an old computer with Windows for this purpose). You won't lose any data or customization.

    1. You need to extract the boot.img from the rom you are using.
    You can find many guides for payloading a boot image, essentially you have to:
    - Install python for windows, and extract the payload dumper tool into that python folder.
    - Change into the python installation folder.
    - Unpack the rom and copy the payload.bin file into the python folder.
    - Open a command prompt in that folder, use these two commands to install dependencies and extract the payload.bin file:
    # python -m pip install -r requirements.txt
    # python payload_dumper.py payload.bin
    - In the python folder there is a subfolder called "output", in this you will find the extracted boot.img.

    2. Patch the boot.img.
    - Download and install the latest MagiskManager, and change the channel to "beta".
    - Copy the boot.img file to your device (e.g. via adb).
    - In MagiskManager chose "Magisk - install - chose file and patch", chose your boot.img, this will put a magisk_patched.img in your Download-folder on the device.

    3. Root your phone.
    - Copy the magisk_patched.img to your computer.
    - Open a command prompt and reboot your device to bootloader.
    - Type:
    # fastboot boot magisk_patched.img
    - Your phone will reboot after that and is rooted.
    - Don't forget the last step: In Magisk Manager chose "direct install" - this will flash the boot.img and gain permanent root.

    -------------------------------------------

    @MSe1969 - I hope you don't mind me posting this here. I could also remove it if you think it is off-topic for this rom.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone