• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

[ROM][Unofficial][10.0][microG][signed]hardened LineageOS 17.1 Oneplus 7T Pro

Search This thread

bestouff

Senior Member
Mar 9, 2014
62
16
Grenoble
Hi,
I finally took the plunge and flashed this ROM, and now my phone has been on the looping bootanim for half an hour.
I tried an adb logcat but even an lsusb can't find it. Is there a way I can provide some debug info to troubleshoot this ?
 
Hi,
I finally took the plunge and flashed this ROM, and now my phone has been on the looping bootanim for half an hour.
I tried an adb logcat but even an lsusb can't find it. Is there a way I can provide some debug info to troubleshoot this ?
I would need some more info to be able to help. E.g. exact phone model (see my previous post), and what exactly you did. Did you e.g. really follow the OP instructions 100%, or did you decide to do e.g. things differently?

EDIT: Press vol up, vol down and power simultaneously to force you out of the loop (phone should either power off or land in boot loader, from where you can control next steps)
 
Last edited:

Coolmobile2u

New member
Jun 16, 2021
4
0
我需要更多信息才能提供帮助。例如确切的手机型号(请参阅我之前的帖子),以及您究竟做了什么。例如,您是否真的 100% 地遵循 OP 说明,或者您是否决定以不同的方式做事?

编辑:同时按下 vol up、vol down 和 power 以强制您退出循环(手机应该关闭电源或进入引导加载程序,您可以从中控制后续步骤)
都快一个月了,还以为是零件有问题,检查后一切正常
我需要更多信息才能提供帮助。例如确切的手机型号(请参阅我之前的帖子),以及您究竟做了什么。例如,您是否真的 100% 地遵循 OP 说明,或者您是否决定以不同的方式做事?

编辑:同时按下 vol up、vol down 和 power 以强制您退出循环(手机应该关闭电源或进入引导加载程序,您可以从中控制后续步骤)
 

Attachments

  • IMG_20210617_230837.jpg
    IMG_20210617_230837.jpg
    3.3 MB · Views: 18
  • IMG_20210617_230906.jpg
    IMG_20210617_230906.jpg
    2.9 MB · Views: 17
都快一个月了,还以为是零件有问题,检查后一切正常
English, please! (see forum rules)
I used "Google translate" to get the following translation:
"It's almost a month, I thought it was a problem with the part, and everything was normal."

My post, which you have quoted, was to answer @bestouff 's described bootloop issue after flashing my ROM.
In my post before, I had answered to you, that this ROM is not suitable for your 5G device (HD1925).
 
  • Like
Reactions: RayfG

RayfG

Senior Member
Jan 28, 2016
439
108
outa space
@[IMG alt="MSe1969"]https://forum.xda-developers.com/data/avatars/s/7929/7929484.jpg?1600604027[/IMG]

MSe1969

Well, I would like to say, that this is the best supported thread ever. Thank u very much for quality and steaddiness.
The rom is great, reliable and fits all my suggestion of a really good rom. If possible, i would like to donate some bucks.
Great work here , and as i stated before, If u ever switch to 18.1 i'll stay with u for next rom, whenever u plan....
Thank u again, Great job!
 
  • Like
Reactions: MSe1969

bestouff

Senior Member
Mar 9, 2014
62
16
Grenoble
I would need some more info to be able to help. E.g. exact phone model (see my previous post), and what exactly you did. Did you e.g. really follow the OP instructions 100%, or did you decide to do e.g. things differently?
I did it exactly as written, without the factory reset.
So now I did a factory reset and it works, excepted I can't seem to give root to Titanium Backup to retrieve my backup and reinstall my apps. Does anyone have a tip to run TB ?
 
  • Like
Reactions: MSe1969
I did it exactly as written, without the factory reset.
So now I did a factory reset and it works, excepted I can't seem to give root to Titanium Backup to retrieve my backup and reinstall my apps. Does anyone have a tip to run TB ?
In LineageOS 17.1, the only way to grant root to apps (like e.g. TB) would be Magisk.
If you have already Magisk working: TB does not seem to be actively developed any longer, so not sure, whether your issue may come from that end...?
 
Apr 13, 2021
27
2
HI,
I am trying to update (via sideolading and preinstalling the reference lineageos recovery) my privately signed rom but I always end up in a bootloop.
to clarify:
rom compiles fine,
sideoladed rom reaches 47% then does the two step install and then I am back to recovery.
I have really modified a minimum of files (just trying to learn) but nothing more than what I already modified in initial build.
the only thing funny I noticed my rom suggest me to update via OTA to your rom release (I suppose it is just a matter of yout hardcoded server) I have not updated to it, I suppose it will fail for signature mismatch...
but I always end up in an infinite bootloop in the lineage logo step.

I could downgrade to the working rom, so no big problem but, do yu have any clue why I am stuck?
could it be something related to DATA encryption?
 
Apr 13, 2021
27
2
Other question...
Do you think it is possible to preinstall a root requiring app, let's say such as appwarden, (and have it working w/o root) by giving at build time, requested privileged permissions?
I have taken a look at the AndroidManifest.xml of the app and tried to push a private-permission.xml and tried to copycat the structure ofthe Android.mk of the privileged droid installer .
But since I cannot sideolad my updated rom I am stuck without having the possibility to try it....
 
HI,
I am trying to update (via sideolading and preinstalling the reference lineageos recovery) my privately signed rom but I always end up in a bootloop.
to clarify:
rom compiles fine,
sideoladed rom reaches 47% then does the two step install and then I am back to recovery.
Then all fine with ROM signing and flashing. Did you compile your recovery or use the one I have linked?

I have really modified a minimum of files (just trying to learn) but nothing more than what I already modified in initial build.
If you have a boot loop, either something wrong with your compiled ROM or e.g. using a different signature...?

the only thing funny I noticed my rom suggest me to update via OTA to your rom release (I suppose it is just a matter of yout hardcoded server) I have not updated to it, I suppose it will fail for signature mismatch...
but I always end up in an infinite bootloop in the lineage logo step.

I could downgrade to the working rom, so no big problem but, do yu have any clue why I am stuck?
could it be something related to DATA encryption?
Tell me, is the animation very slow, or is it moving normally?
 
Other question...
Do you think it is possible to preinstall a root requiring app, let's say such as appwarden, (and have it working w/o root) by giving at build time, requested privileged permissions?
I have taken a look at the AndroidManifest.xml of the app and tried to push a private-permission.xml and tried to copycat the structure ofthe Android.mk of the privileged droid installer .
But since I cannot sideolad my updated rom I am stuck without having the possibility to try it....
In general: No.
This depends on the way, the developer has coded the app. A typical "root" app wants to call the su binary, which must be visible and callable from the untrusted_app SELinux context. It cannot use any android API requiring privileged permissions.
A privileged app declares permissions, which are only granted to a privileged app. To become a privileged app, it must be located in /system/priv-app and even be white-listed.
These two approaches are different and require different coding. They also aim at different targets. You have certainly an overlap, but you cannot replace all privileged API calls with rooted Linux file operations, and you don't have an API in Android for all the things you could do with root in the Linux layer of Android.
An app developer however may decide to support both approaches by coding his solution for both situations, if both approaches allow to reach the intended target. In such a case only, you could foresee the app being privileged. AuroraStore for example is such a "hybrid". No idea about AppWarden, but I think it really needs to shoot Linux commands via su.
 
  • Like
Reactions: bestouff
Apr 13, 2021
27
2
Then all fine with ROM signing and flashing. Did you compile your recovery or use the one I have linked?
my compiled version,
If you have a boot loop, either something wrong with your compiled ROM or e.g. using a different signature...?
I thought the same, possibly having mismatched the signatures but the releasekey.x509.pem in the recovery matches the one in the updated roms
Tell me, is the animation very slow, or is it moving normally?
normally....
i'm trying to do a virgin build (with my sig) and I'll try to flash it.
do you suggest reference or hmalloc?
 
Apr 13, 2021
27
2
In general: No.

A privileged app declares permissions, which are only granted to a privileged app. To become a privileged app, it must be located in /system/priv-app and even be white-listed.
I knew the first thing but I learned the second!
thank you.
dumb question:how do I whitelist it?
:)
AuroraStore for example is such a "hybrid".No idea about AppWarden, but I think it really needs to shoot Linux commands via su.
Well, it's the same dev, I'll try to ask him.
I think it could be a very nice addon for every rom,
the ability to silence off trackers without root.
 
Last edited:
I knew the first thing but I learned the second!
thank you.
dumb question:how do I whitelist it?
:)
To be precise, it is called permission white-listing, an XML file listing the privileged permissions needs yo be placed into /system/etc/permissions - see e.g. my repo to include the prebuilt AuroraStore and AitoraServices.

Well, it's the same dev, I'll try to ask him.
I think it could be a very nice addon for every rom,
the ability to silence off trackers without root.
Sure, ask him - I am however pretty sure this app needs root.
 
my compiled version,
...
I thought the same, possibly having mismatched the signatures but the releasekey.x509.pem in the recovery matches the one in the updated roms
That is why the flashing works. But have you changed the ROM' s signing keys between the last and this build?

normally....
i'm trying to do a virgin build (with my sig) and I'll try to flash it.
do you suggest reference or hmalloc?
reference is only for repo sync, as no patches are applied. Default is, if you wish to build "vanilla" LineageOS, microG is omitting the hardened malloc for older devices - so hmalloc is the one to use
 
Apr 13, 2021
27
2
That is why the flashing works. But have you changed the ROM' s signing keys between the last and this build?
no, they are still the same keys. i changed nothing.
reference is only for repo sync, as no patches are applied. Default is, if you wish to build "vanilla" LineageOS, microG is omitting the hardened malloc for older devices - so hmalloc is the one to use
just for this troubleshooting session, my goal is just trying to reduce the variables. i will just use the rom for solving the error I have.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    New build with July ASB patches available

    Hi all,
    a new build is available and will later today also be offered via the Updater app. For manual download and flashing, see here:


    • ASB Security string 2021-07-05
    • Bromite System Webview and Browser updated to 91.0.4472.146
    • microG 0.2.21.212158-2
    • Kernel: Many sec. patches applied (taken from Divest-OS, thanks to @SkewedZeppelin)
    • AuroraStore 4.0.7
    Regards, M.
    1
    : "he" (not 'she') :) (not that this would matter in regards to ROM development, but FYI)
    Eh, that was a "he/she" because I don't know you. I have no problem with any of that :)
    Anyway glad to know you're on the 18.1 subject, and that your perfect ROM will come updated to our devices eventually (and yes, we also have "éventuellement" in my mother tongue which means the same thing as in yours).
    1
    I will give u a feedback of comparism of rooted and unrooted device with this rom.
    Doengrade worked fluently. Lineageos 17,1 hardened absolutely smooth installation. All works buttersmooth as expected. There is one differece between rooted and unrooted device. If rooted, i have to untick iptables Block-Script and tick it again, to get it started. Unrooted all works without doing that.
    Thank u for this rom. The best rom i used to use.
    1
    Eh, that was a "he/she" because I don't know you. I have no problem with any of that :)
    Me neither :LOL:
    Anyway glad to know you're on the 18.1 subject, and that your perfect ROM will come updated to our devices eventually (and yes, we also have "éventuellement" in my mother tongue which means the same thing as in yours).
    Ah, tu parles français - d'accord.
    Will still take a while, but I'm on it - next 17.1 update will bring lots of Kernel patches, coming soon.
    1
    Thx for providing another update.

    I downloaded the file via OTA and I wonder if the file is not up to date as the build date is given as Jun 2011 after aplying the update, see attached screenshots ...

    Or does it simply take some more time until the update server has synched?

    Kind regards

    View attachment 5359283View attachment 5359285
    Thanks for reporting this, I have by accident missed to update the download URL in the .json file, sorry. It is fixed now. Plesse try again (you may have to force a manual refresh in the updater vor even purge the file)
  • 12
    This thread is dedicated to provide hardened Lineage-OS 17.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.

    Features of this ROM
    Download here
    • Pre-installed microG and F-Droid like LineageOS for microG project (own fork)
    • Pre-installed AuroraStore
    • OTA Support
    • eSpeakTTS engine
    • Bromite as default browser
    • Additional security hardening features listed below:
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
    • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
    • Firewall UI (under Trust)
    • Increased max. password length of 64
    • No submission of IMSI/phone number to Google when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView
    • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
    • Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
    • Debloated from Oneplus blobs for Soter and IFAA
    • Hardened bionic lib and constified JNI method tables


    Current release levels
    Security string: 2021-07-05
    AOSP tag: 10.0.0_r41
    Bromite System Webview: M91


    Source-code and build instructions
    Kernel: https://github.com/lin17-microg/android_kernel_oneplus_sm8150/tree/lin-17.1-mse
    Build manifest: https://github.com/lin17-microg/local_manifests/tree/lin-17.1-hmalloc


    Installation Instructions

    YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!

    Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

    Pre-Requisites
    • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
    • An unlocked bootloader (see e.g. LineageOS install instructions)
    • If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
    • Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])

    Please read carefully:
    I refer in general to the LineageOS install instructions, but there are some deviations!
    It is recommended to really go through the instructions once, before doing anything. You have been warned.


    Install the dedicated Lineage recovery for this ROM
    For the Oneplus 7T Pro (hotdog), there is currently no official TWRP available! The unofficial TWRP did not work for me.
    Please download the specific Lineage revocery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
    Flash this specific recovery with the below commands:
    Code:
    fastboot flash recovery_a lineage-17.1-20210118-recovery-microG-signed-hotdog.img
    fastboot flash recovery_b lineage-17.1-20210118-recovery-microG-signed-hotdog.img
    Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.

    If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
    Please note, that you may get error messages stating
    Partition product_b dd: /dev/block/dm-1: write error: No space left on device
    Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
    You can ignore those, as long as it is product or vendor.

    Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP.
    It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.

    DO NOT flash Gapps!
    This ROM comes with pre-installed microG. So don't attempt to flash Gapps.


    Update Instructions

    This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities necessary.
    You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
    IMPORTANT:
    If you would like to manually update by sideloading the ROM, you need to first flash the linked recovery image (see install instructions) again via fastboot! Recovery is always updated when flashing a new ROM version, and that updated recovery can't sideload this ROM version. Don't ask me, why. I will have to find out, how to solve that issue.


    Frequently asked Questions

    1. AuroraStore
    I bundle AuroraStore with my build, but I am in no way associated with its development. The first place to look for support is the AuroraStore XDA thread and its excellent FAQ Section. Nevertheless, I would like to answer some frequently asked questions in conjunction to my ROM:

    Q: AuroraStore offers an update to "Google play services" - I thought your ROM is "Google-free"?
    A: The bundled microG application spoofs the existence of Google play services. This is a necessary part of microG's design. In AuroraStore, please add the Play Services to the ignore list. You won't be able to "update" them anyhow, but better do not even try to do so!

    Q: I can't connect, Aurora claims "no network" - but I can normally use my browser and other apps to connect to the internet.
    A: If the "iptables block script" of my ROM is active, try to deactivating and immediately after re-activating it.
    If that does not help or you don't use the iptables block script of tis ROM, you may try to force-close the app or logoff/logon again. However, the Aurora support thread will be your primary point to look at!


    2. Google/Facebook iptables blocking
    Q: How does the Google/Facebook blocking work?
    A: Via the 'iptables'/'ip6tables' functionality of the Linux layer of Android, the ip4/ip6 address range of Google and Facebook is blocked on a per app base (in fact, it is generally blocked, but some apps on an internal exception list are still allowed to connect). This means, that apps (or spyware components thereof) cannot send/receive data to/from Google/Facebook. Btw, certain connections to X-mode and Palantir are also blocked, but I am not sure, whether this is enough - any qualified information to improve this are very welcome!

    Q: I like this Google/Facebook blocking approach, but my favourite <xyz> app needs to be able to connect to Google/Facebook. Can you please add this app to your exception list?
    A: Please read this comprehensive information. In short: If you have a trustworthy FOSS project aiming at connecting to Google/Facebook via Webview as 'mobile browser' with (almost) no permissions or you have a tracker-free app to connect to a proprietary service, which simply is hosted on a Google webspace, I am happy to discuss this, but I will definitely not allow any "Playstore top ten genuine spyware app".

    Q: Which apps are on your exception list?
    A: see here

    Q: But if Google is blocked for almost every app, can I still get push messages?
    A: Yes, you can! Push messages are routed and controlled through the microG functionality, which stil can connect to Google.


    3. etc/hosts ad blocking
    Q: What is the etc/hosts ad-blocking and how does it work?
    A: I deliver a monthly-updated /system/etc/hosts file from the AdAway app which lists a comprehensive selection of known ad/spyware addresses. Any attempt to connect to those sites is redirected to the local OS, so a positive connection is reported, but no content is transmitted. (See linked explanation).

    Q: Which anti-tracker lists do you use?
    A: The same defaulted by the AdAway app, plus in addition Microsoft's 'Hockey Stick' stuff.

    4. Firewall UI
    Q: What is the Firewall UI and how does it work?
    A: Under Settings - Data privacy - Trust, you'll find a list of all installed apps (optionally, you can also show the shipped system apps), which lets you control - per app - whether the app can connect via WiFi, Mobile data or VPN. In fact, you can in any LineageOS individually control this in the app details (Settings), this option simply gives you a comprehensive view for all apps.

    Q: How do I use it? What are the typical use-cases:
    A: It of course depends on your specific requirement, but below some very typical use-cases:
    a. Disallow internet access completely (uncheck WiFi, mobile data and VPN)
    This might be useful for an app, which does not need internet access to work, but uses internet access to e.g. nag you with ad-crap (some games on the play store, for example)
    b. Make sure, that an app only uses WiFi (in order to avoid costs when using mobile data) - uncheck mobile data
    c. Make sure, that an app only has internet, when connected via VPN - uncheck WiFi and mobile data

    5. Privacy features / data privacy of this ROM
    Q: Does this ROM protect my privacy by design/default?
    A: First of all, you will never get any "auto-protection" without having to take care, what you do!
    What this ROM provides to you in addition to an "official" LineageOS:
    • This ROM comes with microG, to avoid the necessity of having to flash the Google apps, with the "mother of all spyware" called Google Play services. So many apps with that dependency would still work, either fully, or with their core-functionality, but without "extra Google convenience" features.
    • You can optionally block Google/Facbebook connections, which can add a further protecion layer (see the specific FAQ section about that feature)
    • Many nasty ad-servers, which are embedded into shady apps or websites are blocked by default
    • Some hardening measures known from the GrapheneOS project have been added
    HOWEVER - just some examples, how you can easily screw up any privacy gain (this list is by far not even near to comprehensive):
    • You still CAN install all kinds of shady apps and use privacy-ignoring services. If you e.g. install the genuine Facebook or Instagram app, the majority of your private data on your phone will be immediately uploaded to Facebook servers, as those apps even refuse to start, if you do not grant all the sensitive permissions! (Note: Yes, afterwards, when your data has already been stolen, you can revoke those permissions again. And yes, Whatsapp seems maybe 'slightly' better in this regard, but if you really believe, that WA isn't fully integrated into the FB ecosystem, you must be living on another planet).
    • If you use the Microsoft Outlook app to connect to any "non-Microsoft" e-mail provider, your logon credentials to that other mail provider are stored on Microsoft servers factually allowing Microsoft to steal your identity. Using Microsoft e-mail services or GMail discloses all your e-mails to automated scanning for "suspicious activities"; this has nothing to do with your phone, but outlines, how you can void even the most secure device by making use of privacy-ignoring services.
    • Making use of Genuine Google-apps with microG also isn't a good idea - make use of alternatives.
    • Any app, which you install on your device, could misuse its needed privileges! So try to stick to FOSS apps.
    • And last, but not least, if you are a 'dissident' or fear otherwise any targeted or comprehensive surveillance, this ROM isn't for you either...



    Dealing with signed builds
    Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".


    Bug reports:
    If you have a problem, please create a post with these informations:
    Original Kernel shipped with this rom:
    Build Date:
    And try to get log as described here
    Please note that I can't and won't support issues with builds using a different kernel or Xposed.
    In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

    Credits
    AOSP project
    LineageOS project
    microG project
    Graphene OS project
    csagan5 (Bromite)
    WhyOrean (Aurora)
    SkewedZeppelin (Kernel patches)
    5
    Change log

    2021-07-10

    • ASB Security string 2021-07-05
    • Bromite System Webview and Browser updated to 91.0.4472.146
    • microG 0.2.21.212158-2
    • Kernel: Many sec. patches applied (taken from Divest-OS)
    • AuroraStore 4.0.7

    2021-06-13
    • ASB Security string 2021-06-05
    • Bromite System Webview and Browser updated to 91.0.4472.102
    • microG 0.2.19211515-9
    • Kernel WLAN driver (qcacld-3.0) patched to include mitigations against "Frag" vuln.

    2021-05-10
    • ASB Security string 2021-05-05
    • Bromite System Webview and Browser updated to 90.0.4430.204
    • Upstreamed microG (no new version)
    • Update: AuroraServices 1.1.1

    2021-04-10
    • ASB Security string 2021-04-01
    • Bromite System Webview and Browser updated to 90.0.4430.59
    • F-Droid updated to 1.12
    • Update: AuroraStore 4.0.4 with AuroraServices 1.1.0

    2021-03-08
    • Security string 2021-03-05
    • Kernel slightly patched
    • Bromite System Webview updated to 88.0.4324.207
    • Bromite Browser updated to 88.0.4324.207
    • F-Droid 1.11
    • microG 0.2.18.204714

    2021-02-05
    • Security string 2021-02-05
    • Kernel slightly patched
    • Bromite System webview updated to 88.0.4324.141
    • Bromite Browser updated to 88.0.4324.141
    • F-Droid 1.10-alpha-234
    • microG 0.2.17.204714-5
    2021-01-22 - Initial build
    • Security string 2020-01-05
    • Pre-installed microG (0.2.16.204713-10) and F-Droid like the LineageOS for microG project (own fork)
    • Pre-installed AuroraStore
    • Bromite as default browser (87.0.4280.106)
    • eSpeak TTS engine (FOSS TTS solution)
    • Additional security hardening features listed below:
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
    • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
    • Firewall UI (under Trust)
    • Increased max. password length of 64
    • No submission of IMSI/phone number to Google when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView (87.0.4280.131)
    • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
    • Constified JNI method tables and hardened bionic lib
    5
    Security Hardening Features - Details

    1. Pre-installed microG and F-Droid

    same as the LineageOS for microG project

    2. Pre-installed AuroraStore
    works w/o having to enable the "unknown sources feature"

    3. Extra control of sensor access for additionally installed user apps
    Special access under app permissions

    4. Cloudflare (instead of Google) default DNS
    Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the deafult DNS settings (as fallback) and network diagnostics, the Cloudflare DNS adresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)

    5. Privacy-preferred default settings
    When newly installed, the below settings are defaulted, different from standard LineageOS 17.1 (all settings can be changed at any time later):
    • Anonymous LineageOS statistics disabled (proposal during Setup)
    • The standard browsing app does not get the location runtime permission automatically assigned
    • Sensitive information is hidden on the lock screen
    • Camera app: Location tagging disabled by default
    Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without

    6. Optional blocking of Facebook- and Google-Tracking
    Settings => Network & Internet (scroll down)
    When activated, all outgoing connection attempts to Facebook servers will be suppressed.
    Same applies to Google, but certain apps on an internal exception list will still be able to connect (AuroraStore, microG, or e.g. NewPipe, if installed)

    7. Optional disable captive portal detection and to select Captive portal server URL provider
    Settings => Network & Internet (scroll down)
    When deactivated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used. Further, the captive portal URL provider can be set (default is GrapheneOS and not Google; Settings - Network & Internet)

    8. No submission of IMSI or phone number to Google when GPS is in use
    GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties :rolleyes:) to provide this data . . .

    9. Default hosts file with many blocked ad/tracking sites
    The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)

    10. Privacy-enhanced Bromite SystemWebView
    Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.

    11. Bromite as shipped Browser
    A chromium based browser with many privacy features.

    12. Firewall UI
    Settings => Privacy - Firewall
    Lists all apps and allows to restrict Internet access per app in regards to WiFi, mobile network or VPN
    This per-app feature is a standard feature in LineageOS, but the UI to show all apps is an Extra (taken from a topic in LineageOS's Gerrit - it may, or may not, become part of the official LineageOS one day)

    13. Maximum password length increased to 64
    4
    Thank you for your support here. Everything works very fine. Last but not least i need root access for the rom.
    is it too late now for root because all is set up now or can i root the phone after all this? If yes, can you point me to the correct img or what ever and explane how to root.
    Sorry for getting on your nerves....
    If I may offer my step-by-step guide to root a fresh installation. I am not so sure whether that works in Linux (so I keep an old computer with Windows for this purpose). You won't lose any data or customization.

    1. You need to extract the boot.img from the rom you are using.
    You can find many guides for payloading a boot image, essentially you have to:
    - Install python for windows, and extract the payload dumper tool into that python folder.
    - Change into the python installation folder.
    - Unpack the rom and copy the payload.bin file into the python folder.
    - Open a command prompt in that folder, use these two commands to install dependencies and extract the payload.bin file:
    # python -m pip install -r requirements.txt
    # python payload_dumper.py payload.bin
    - In the python folder there is a subfolder called "output", in this you will find the extracted boot.img.

    2. Patch the boot.img.
    - Download and install the latest MagiskManager, and change the channel to "beta".
    - Copy the boot.img file to your device (e.g. via adb).
    - In MagiskManager chose "Magisk - install - chose file and patch", chose your boot.img, this will put a magisk_patched.img in your Download-folder on the device.

    3. Root your phone.
    - Copy the magisk_patched.img to your computer.
    - Open a command prompt and reboot your device to bootloader.
    - Type:
    # fastboot boot magisk_patched.img
    - Your phone will reboot after that and is rooted.
    - Don't forget the last step: In Magisk Manager chose "direct install" - this will flash the boot.img and gain permanent root.

    -------------------------------------------

    @MSe1969 - I hope you don't mind me posting this here. I could also remove it if you think it is off-topic for this rom.