[ROM][Unofficial][11.0][microG][signed]hardened LineageOS 18.1 Oneplus 7T Pro

Search This thread
This thread is dedicated to provide hardened Lineage-OS 18.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.
You can consider this thread as the successor of my respective LineageOS 17.1 thread.

Features of this ROM

Download here

  • Pre-installed microG like LineageOS for microG project (own fork)
  • Pre-installed AuroraStore, AuroraDroid and AuroraServices
  • OTA Support
  • eSpeakTTS engine
  • Bromite as default browser
  • Additional security hardening features listed below:
  • Cloudflare as default DNS (instead of Google)
  • Privacy-preferred default settings
  • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
  • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
  • Firewall UI (under Trust)
  • Increased max. password length of 64
  • No submission of IMSI/phone number to Google when GPS is in use
  • Default hosts file with many blocked ad/tracking sites
  • Privacy-enhanced Bromite SystemWebView
  • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
  • Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
  • Debloated from Oneplus blobs for Soter and IFAA
  • Hardened bionic lib and constified JNI method tables
  • Option to only use fingerprint unlock for apps and not for the device
  • Optional timeout for Bluetooth and WLAN connections
  • Per connection WiFi randomization option

Current release levels

Security string: 2022-11-05
AOSP tag: 11.0.0_r46
Bromite System Webview & Browser: M106


Source-code and build instructions

Kernel: https://github.com/lin18-microg/android_kernel_oneplus_sm8150/tree/lin-18.1-mse2
Build manifest: https://github.com/lin18-microg/local_manifests/tree/lin-18.1-hmalloc


Installation Instructions​


YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

Pre-Requisites​

  • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
  • An unlocked bootloader (see e.g. LineageOS install instructions)
  • If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
  • Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])

Please read carefully:​

I refer in general to the LineageOS install instructions, but there are some deviations!
It is recommended to really go through the instructions once, before doing anything. You have been warned.

Let's go!​

Install the dedicated Lineage recovery for this ROM​

For the Oneplus 7T Pro (hotdog), there is currently no fully working official TWRP available! The offered official one can't decrypt the /data partition and I don't fully trust the rest.
Please download the specific Lineage revocery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
Unzip and flash this specific recovery with the below commands (your device must be in 'fastboot mode'):
Code:
fastboot flash recovery_a lineage-18.1-recovery-20210903.img
fastboot flash recovery_b lineage-18.1-recovery-20210903.img
Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.

If you come from Stock ROM, synchronize the a/b partitions​

If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
Please note, that you may get error messages stating
Partition product_b dd: /dev/block/dm-1: write error: No space left on device Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
You can ignore those, as long as it is product or vendor.

Upgrade the firmware​

Please refer to the LineageOS documentation on upgrading the firmware
BTW, this thread contains a huge collection of OOS images.

Install the ROM​

Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP (download link above).
It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.
Please note: Even if you come from my previous hardened LineageOS 17.1 ROM, you can't "dirty-flash" - the device encryption is not compatible. You must format the /data partition! Please keep in mind, that formatting the /data partition also wipes the shared internal memory - backup first!

DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
If Gapps is a 'must' for you, please use the official LineageOS build for this device.


Update Instructions​


This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities necessary.
You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
IMPORTANT:
If you would like to manually update by sideloading the ROM, you need to first flash the linked recovery image (see install instructions) again via fastboot!
Recovery is always updated when flashing a new ROM version, and that updated recovery can't sideload this ROM version.


Frequently asked Questions​


These questions come from various threads for my hardened microG ROMs. I have listed them here, because they also apply to this ROM and are hopefully helpful.

1. AuroraStore
I bundle AuroraStore with my build, but I am in no way associated with its development. The first place to look for support is the AuroraStore XDA thread and its excellent FAQ Section. Nevertheless, I would like to answer some frequently asked questions in conjunction to my ROM:

Q: AuroraStore offers an update to "Google play services" - I thought your ROM is "Google-free"?
A: The bundled microG application spoofs the existence of Google play services. This is a necessary part of microG's design. In AuroraStore, please add the Play Services to the ignore list. You won't be able to "update" them anyhow, but better do not even try to do so!

Q: I can't connect, Aurora claims "no network" - but I can normally use my browser and other apps to connect to the internet.
A: If the "iptables block script" of my ROM is active, try to deactivating and immediately after re-activating it.
If that does not help or you don't use the iptables block script of tis ROM, you may try to force-close the app or logoff/logon again. However, the Aurora support thread will be your primary point to look at!


2. Google/Facebook iptables blocking
Q: How does the Google/Facebook blocking work?
A: Via the 'iptables'/'ip6tables' functionality of the Linux layer of Android, the ip4/ip6 address range of Google and Facebook is blocked on a per app base (in fact, it is generally blocked, but some apps on an internal exception list are still allowed to connect). This means, that apps (or spyware components thereof) cannot send/receive data to/from Google/Facebook. Btw, certain connections to X-mode and Palantir are also blocked, but I am not sure, whether this is enough - any qualified information to improve this are very welcome!

Q: I like this Google/Facebook blocking approach, but my favourite <xyz> app needs to be able to connect to Google/Facebook. Can you please add this app to your exception list?
A: Please read this comprehensive information. In short: If you have a trustworthy FOSS project aiming at connecting to Google/Facebook via Webview as 'mobile browser' with (almost) no permissions or you have a tracker-free app to connect to a proprietary service, which simply is hosted on a Google webspace, I am happy to discuss this, but I will definitely not allow any "Playstore top ten genuine spyware app".

Q: Which apps are on your exception list?
A: see here

Q: But if Google is blocked for almost every app, can I still get push messages?
A: Yes, you can! Push messages are routed and controlled through the microG functionality, which stil can connect to Google.


3. etc/hosts ad blocking
Q: What is the etc/hosts ad-blocking and how does it work?
A: I deliver a monthly-updated /system/etc/hosts file from the AdAway app which lists a comprehensive selection of known ad/spyware addresses. Any attempt to connect to those sites is redirected to the local OS, so a positive connection is reported, but no content is transmitted. (See linked explanation).

Q: Which anti-tracker lists do you use?
A: The same defaulted by the AdAway app, plus in addition Microsoft's 'Hockey Stick' stuff.

4. Firewall UI
Q: What is the Firewall UI and how does it work?
A: Under Settings - Data privacy - Trust, you'll find a list of all installed apps (optionally, you can also show the shipped system apps), which lets you control - per app - whether the app can connect via WiFi, Mobile data or VPN. In fact, you can in any LineageOS individually control this in the app details (Settings), this option simply gives you a comprehensive view for all apps.

Q: How do I use it? What are the typical use-cases:
A: It of course depends on your specific requirement, but below some very typical use-cases:
a. Disallow internet access completely (uncheck WiFi, mobile data and VPN)
This might be useful for an app, which does not need internet access to work, but uses internet access to e.g. nag you with ad-crap (some games on the play store, for example)
b. Make sure, that an app only uses WiFi (in order to avoid costs when using mobile data) - uncheck mobile data
c. Make sure, that an app only has internet, when connected via VPN - uncheck WiFi and mobile data

5. Privacy features / data privacy of this ROM
Q: Does this ROM protect my privacy by design/default?
A: First of all, you will never get any "auto-protection" without having to take care, what you do!
What this ROM provides to you in addition to an "official" LineageOS:
  • This ROM comes with microG, to avoid the necessity of having to flash the Google apps, with the "mother of all spyware" called Google Play services. So many apps with that dependency would still work, either fully, or with their core-functionality, but without "extra Google convenience" features.
  • You can optionally block Google/Facbebook connections, which can add a further protecion layer (see the specific FAQ section about that feature)
  • Many nasty ad-servers, which are embedded into shady apps or websites are blocked by default
  • Some hardening measures known from the GrapheneOS project have been added
HOWEVER - just some examples, how you can easily screw up any privacy gain (this list is by far not even near to comprehensive):
  • You still CAN install all kinds of shady apps and use privacy-ignoring services. If you e.g. install the genuine Facebook or Instagram app, the majority of your private data on your phone will be immediately uploaded to Facebook servers, as those apps even refuse to start, if you do not grant all the sensitive permissions! (Note: Yes, afterwards, when your data has already been stolen, you can revoke those permissions again. And yes, Whatsapp seems maybe 'slightly' better in this regard, but if you really believe, that WA isn't fully integrated into the FB ecosystem, you must be living on another planet).
  • If you use the Microsoft Outlook app to connect to any "non-Microsoft" e-mail provider, your logon credentials to that other mail provider are stored on Microsoft servers factually allowing Microsoft to steal your identity. Using Microsoft e-mail services or GMail discloses all your e-mails to automated scanning for "suspicious activities"; this has nothing to do with your phone, but outlines, how you can void even the most secure device by making use of privacy-ignoring services.
  • Making use of Genuine Google-apps with microG also isn't a good idea - make use of alternatives.
  • Any app, which you install on your device, could misuse its needed privileges! So try to stick to FOSS apps.
  • And last, but not least, if you are a 'dissident' or fear otherwise any targeted or comprehensive surveillance, this ROM isn't for you either...

6. Major Android upgrades for this ROM
Q: Why still on LineageOS 18.1 (Android 11) and not on LineageOS 19.1 (Android 12) ?
A: The LineageOS project does not offer yet LineageOS 19.1 builds for this device!




Dealing with signed builds​

Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".

Why still LineageOS 18.1 (Android 11) ?​

My aim is to provide stable, daily-driver capable builds. So the major pre-requisite (besides other considerations) to upgrade my builds to the next big Android release (here: Android 12 / LineageOS 19) is, that there is an official LineageOS build for this release. This primary pre-requisite is not fulfilled for this device, so I am not even considering to work on LineageOS 19 for the OP7T Pro! When LineageOS ships a LineageOS 19 build for this device in future, I will start to think about it...
Update 29-10-2022: Meanwhile, an official LineageOS 19.1 build is available, so I am starting to look at it . . .

Bug reports:​

If you have a problem, please create a post with these informations:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

Credits​

AOSP project
LineageOS project
microG project
Graphene OS project
csagan5 (Bromite)
WhyOrean (Aurora)
SkewedZeppelin (Kernel patches)
 
Last edited:
Change Log

November 2022

  • Security string 2022-11-05
  • Bromite Browser and Webview updated to 106.0.5249.163
  • Some kernel patches
  • microG 0.2.25.223616-10

October 2022
  • Security string 2022-10-05
  • Bromite Browser and Webview updated to 105.0.5195.147
  • Some kernel patches
  • microG 0.2.24.223616-61

September 9th, 2022
  • Security string 2022-09-05
  • Bromite Browser and Webview updated to 104.0.5112.91
  • Kernel: Some patches and also hardening (GrpaheneOS patches)
  • microG 0.2.24.214816-30
  • Contacts app slightly 'de-Googled'
  • Updated vendor blobs from OOS 11.0.9.1 (vendor sec. string 2022-06-01)
August 6th, 2022
  • Security string 2022-08-05
  • Bromite Browser and Webview updated to 103.0.5060.140
  • Some kernel patches

July 12th, 2022
  • Security string 2022-07-05
  • Some kernel patches

June 14th, 2022
  • Security string 2022-06-05
  • Some kernel patches
  • Bromite Browser and Webview on 102.0.5005.96
  • microG updated to 0.2.24.214816-11
May 7th, 2022
  • Security string 2022-05-05
  • Some kernel patches
  • Bromite Browser and Webview on 101.0.4951.53
  • microG updated to 0.2.24.214816-10
  • Mozilla Location provider on 1.5.0

April 11th, 2022
  • Security string 2022-04-05
  • Some kernel patches
  • Bromite Browser and Webview on 100.0.4896.57

March 15th, 2022
  • Bromite Browser and Webview on 99.0.4844.58 (bugfix build)

March 11th, 2022
  • Security string 2022-03-05
  • Some kernel patches
  • Bromite Browser and Webview on 99.0.4844.55
  • microG 0.2.24.214816-2
  • AuroraStore 4.1.1

Janaury 20th, 2022
  • Security string 2022-01-05
  • Some kernel patches
  • A couple of patches and fixes from LineageOS

December 19th, 2021
  • Security string 2021-12-05
  • Bromite System Webview and Browser updated to 96.0.4664.54
  • microG 0.22.214516-21

November 16th, 2021
  • Security string 2021-11-05
  • Bromite System Webview and Browser updated to 94.0.4606.109
  • Recovery will not be overwritten any more when flashing

October 11th, 2021
  • Security string 2021-10-01
  • AOSP tag 11.0.0_r46
  • Bromite System Webview and Browser updated to 93.0.4577.83

September 17th, 2021
Initial build:
  • Security string 2021-09-05
  • AOSP tag 11.0.0_r43
  • Vendor blobs based on OOS 11.0.3.1
  • Pre-installed microG (0.2.22.212658-2) like LineageOS for microG project (own fork)
  • Pre-installed AuroraStore (4.0.7), AuroraDroid (1.0.8) and AuroraServices (1.1.1)
  • OTA Support
  • eSpeakTTS engine
  • Bromite (92.0.4515.134) as default browser
  • Additional security hardening features listed below:
  • Cloudflare as default DNS (instead of Google)
  • Privacy-preferred default settings
  • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
  • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
  • Firewall UI (under Trust)
  • Increased max. password length of 64
  • No submission of IMSI/phone number to Google when GPS is in use
  • Default hosts file with many blocked ad/tracking sites
  • Privacy-enhanced Bromite SystemWebView (92.0.4515.134)
  • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
  • Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
  • Debloated from Oneplus blobs for Soter and IFAA
  • Hardened bionic lib and constified JNI method tables
  • Option to only use fingerprint unlock for apps and not for the device
  • Optional timeout for Bluetooth and WLAN connections
  • Per connection WiFi randomization option
 
Last edited:
  • Like
Reactions: molekular
Security Hardening Features - Details

1. Pre-installed microG

same as the LineageOS for microG project

2. Pre-installed AuroraStore and AuroraDroid
works w/o having to enable the "unknown sources feature"

3. Extra control of sensor access for additionally installed user apps
Special access under app permissions

4. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the deafult DNS settings (as fallback) and network diagnostics, the Cloudflare DNS adresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)

5. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 17.1 (all settings can be changed at any time later - credits go to the GrapheneOS project):
  • Anonymous LineageOS statistics disabled (proposal during Setup)
  • The standard browsing app does not get the location runtime permission automatically assigned
  • Sensitive information is hidden on the lock screen
  • Camera app: Location tagging disabled by default
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without

6. Optional blocking of Facebook- and Google-Tracking
Settings => Network & Internet (scroll down)
When activated, outgoing connection attempts to Facebook servers and to Google servers will be suppressed. Certain apps on an internal exception list will still be able to connect (e.g. AuroraStore, microG, or NewPipe, if installed)

7. Optional disable captive portal detection and to select Captive portal server URL provider
Settings => Network & Internet (scroll down)
When deactivated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used. Further, the captive portal URL provider can be set (default is GrapheneOS and not Google; Settings - Network & Internet)

8. No submission of IMSI or phone number to Google when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties :rolleyes:) to provide this data . . .

9. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)

10. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.

11. Bromite as shipped Browser
A chromium based browser with many privacy features.

12. Firewall UI
Settings => Privacy - Firewall
Lists all apps and allows to restrict Internet access per app in regards to WiFi, mobile network or VPN
This per-app feature is a standard feature in LineageOS, but the UI to show all apps is an Extra (taken from a topic in LineageOS's Gerrit - it may, or may not, become part of the official LineageOS one day)

13. Maximum password length increased to 64

14. Debloated from Oneplus blobs for Soter and IFAA
Unnecessary privacy intrusive vendor blobs are not included in the build

15. Hardened bionic lib and constified JNI method tables
This has been taken over from GrapheneOS

16. Option to only use fingerprint unlock for apps and not for the device
An option in the fingerprint settings, also taken from GrapheneOS

17. Optional timeout for Bluetooth and WLAN connections
See respective settings, also a GrapheneOS feature

18. Per connection WiFi randomization option
A further GrapheneOS feature - improved randomization to make tracking more difficult.
 
Last edited:
Tips & tricks

Recovery Error 7 when installing

If you aim at installing this ROM for the 1st time (e.g. you come from Stock or other Custom ROM), please check this FAQ section in the LineageOS wiki.

Recovery Error 7 when updating this ROM

If OTA update fails, try manually sideloading (see OP).
If you see some error like ErrorCode::kInstallDeviceOpenError (7) then do the following:
  • In Recovery, switch to fastbootd (do not 'reboot to bootloader', really choose the fastboot option in recovery)
  • Connect your device via USB to your PC and run the following commands:
    Code:
    fastboot delete-logical-partition system_a
    fastboot delete-logical-partition system_ext_a
    fastboot delete-logical-partition product_a
    fastboot delete-logical-partition vendor_a
    fastboot delete-logical-partition odm_a
    fastboot delete-logical-partition system_b
    fastboot delete-logical-partition system_ext_b
    fastboot delete-logical-partition product_b
    fastboot delete-logical-partition vendor_b
    fastboot delete-logical-partition odm_b
  • Return to recovery from fastbootd mode
  • Do 'adb sideload' again, it should work now
 
Last edited:
  • Like
Reactions: alleykat2561
This got released like just now lmao. Have you experienced any bugs thus far? @MSe1969
No bugs so far.
As described in the OP, it is the successor of my 17.1 hardened LineageOS and I used it as my daily driver. (It took me a while to get rid of quite a few annoying bugs, while I was testing it and providing test builds in my 17.1 thread).

Hoping to see a working TWRP for this device some day...
 

L4WL13T

Senior Member
Dec 13, 2013
103
30
Cambridge
Are there any issues related to running microG instead of Play Services? Or does everything pretty much work as intended?
 
Are there any issues related to running microG instead of Play Services? Or does everything pretty much work as intended?
Not an easy "yes" answer - so let me give you two answers:

a. Official information sources:
Especially the 2nd link shows you, what works, what partially works and what does not work.

b. My personal point of view
I consider the genuine play services as efficient spyware, which I personally do not want to use at all. microG cannot fully replace them (and does not aim at). As such, it does not make sense to continue using your G* account and all the genuine G* apps. So if you want to use the e.g. Gmail app to access your Gmail account, you're better off with the genuine G* spy services, as G* anyhow scans all your Gmail stuff for whatever purposes and you don't really gain back a lot of privacy by using microG instead of the G* spy services.
However - if you anyhow aim at getting away from G*, and you start focusing on the already available alternatives (and those do exist and are partly better), especially in the FOSS area, then I personally would highlight the below functionalities, where microG will provide a great value:
- Coarse location functionality with options to be anonymous (different from G* knowing at any time, where you are)
- Cloud messaging
- Exposure notifications (for Covid tracing apps)
- Most apps using Google dependencies and libraries, whose primary focus is not a deep G* integration mostly work flawlessly
 

L4WL13T

Senior Member
Dec 13, 2013
103
30
Cambridge
Not an easy "yes" answer - so let me give you two answers:

a. Official information sources:
Especially the 2nd link shows you, what works, what partially works and what does not work.

b. My personal point of view
I consider the genuine play services as efficient spyware, which I personally do not want to use at all. microG cannot fully replace them (and does not aim at). As such, it does not make sense to continue using your G* account and all the genuine G* apps. So if you want to use the e.g. Gmail app to access your Gmail account, you're better off with the genuine G* spy services, as G* anyhow scans all your Gmail stuff for whatever purposes and you don't really gain back a lot of privacy by using microG instead of the G* spy services.
However - if you anyhow aim at getting away from G*, and you start focusing on the already available alternatives (and those do exist and are partly better), especially in the FOSS area, then I personally would highlight the below functionalities, where microG will provide a great value:
- Coarse location functionality with options to be anonymous (different from G* knowing at any time, where you are)
- Cloud messaging
- Exposure notifications (for Covid tracing apps)
- Most apps using Google dependencies and libraries, whose primary focus is not a deep G* integration mostly work flawlessly
Thank you for your indepth response, it was really enlightening, the web page you linked made it a lot easier for me to understand.
One more question I have is what's the impact on battery life? Is it better? The same? Or worse?
Thank you!
 

NTOP

Senior Member
Jun 16, 2008
186
11
Thank you for your indepth response, it was really enlightening, the web page you linked made it a lot easier for me to understand.
One more question I have is what's the impact on battery life? Is it better? The same? Or worse?
Thank you!
I have been running it few days and battery seems to be fine and better then OxygenOS
 
  • Like
Reactions: L4WL13T and MSe1969

pa.trick

Member
Nov 2, 2017
11
3
Tempted to update to this new version, coming from your splendid 17.1 ROM :)

In order not to mess up the updating process I kindly ask the OP to clarify the following points (which may seem trivial for more tech-savy users than myself).

  1. When starting the Oxygen-Updates App: is "Oneplus 7T Pro" (= Chinese Version?!) the correct device name? (that's what it says about my device in the "about the phone" section of your 17.1 ROM)
  2. What 11.x OOS firmware version should I download via Oxygen-Updates? Latest regular one or latest beta?
  3. When it comes to extracting the stock ROM via payload-dumper-go: is it save to download the most recent version of the payload-dumper-go-software (1.2.0-1) from the AUR (I'm running Manjaro Linux)?
  4. What folder do I need to copy the extracted stock ROM to in order to execute the commands given here https://wiki.lineageos.org/devices/hotdog/fw_update in the LineageOS Wiki?
Thanks in advance for any help.
 
  1. When starting the Oxygen-Updates App: is "Oneplus 7T Pro" (= Chinese Version?!) the correct device name? (that's what it says about my device in the "about the phone" section of your 17.1 ROM)
To be on the safe side, look at the model code on the backside of the device:

HD1910Chinese / HK
HD1911Indian
HD1913Europe
  1. What 11.x OOS firmware version should I download via Oxygen-Updates? Latest regular one or latest beta?
Regular; it should be dated around July or August this year, depending on which version.
  1. When it comes to extracting the stock ROM via payload-dumper-go: is it save to download the most recent version of the payload-dumper-go-software (1.2.0-1) from the AUR (I'm running Manjaro Linux)?
I have downloaded manually from the GH repo. Look at the version number.
  1. What folder do I need to copy the extracted stock ROM to in order to execute the commands given here https://wiki.lineageos.org/devices/hotdog/fw_update in the LineageOS Wiki?
Does not matter, simply run fastboot from the same directory.
 
  • Like
Reactions: pa.trick

zxcasdqwe123

New member
Sep 21, 2021
1
1
Has anybody had success installing Magisk? How did you do it?
I had LOS 18.1 for microG previously and I just flashed Magisk-v23.0.zip right after having installed that OS and that worked, but with this it doesn't.

EDIT: nvm I'm an idiot and forgot to reboot before installing. Can confirm ROM works with Magisk.
 
Last edited:
  • Like
Reactions: MSe1969

bestouff

Senior Member
Mar 9, 2014
96
33
Grenoble
I'll be honest, I'm not yet ready to do the backup/restore/fail/fix dance but I intend to do it as soon as I can; thanks a lot for your work anyways !
If one of these days you come in the French Alps, just message me beforehand ! Beers are due.
 
  • Like
Reactions: MSe1969

theguy369

New member
Sep 21, 2021
1
0
This applicable on Oneplus 7T as well right or is the partition layout of Oneplus 7T different from that of Oneplus 7T pro?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 6
    New build with November 2022 ASB patches available

    Hi all,
    a new build with the November 2022 ASB patches is available for download and also offered by the Updater app:

    • Security string 2022-11-05
    • Bromite Browser and Webview updated to 106.0.5249.163
    • Some kernel patches
    • microG 0.2.25.223616-10

    Happy flashing!
    Regards, M.
    1
    Perfect, thank you. I had since found a couple of others but do not know the sources, most of which stored on google drives etc which always makes me slightly wary.
    1
    No. All I did was export my contacts.vcf from my old phone (3T), copied that file to the new phone (7T pro) then imported contacts.vcf to the Contacts app. Worked fine. No issues since then.
    Thanks for the feedback alleykat:

    It is an odd one, seems anything I install from the Aurora store is doing the same thing, F-Driod apps are fine.
    On further testing:

    I added a dummy contact direct on the phone (not from my .vcf) and installed another app.​
    The dummy contact was the only one left following an app install.​
    Re-created the same issue running the same tests on my second McLaren 7T Pro? covers it off from being just the device it's self.​

    My initial thoughts are it is something in the store app not the ROM (MSe1969), if I get the time I will dig in and see if I can initiate or find some logging of the install process and feed back.

    Not a major issue for me, this is the first time I have used the Aurora store, will take this as a warning and not use it going forward either :D
    Thought I should bring it forward in case others see something similar
  • 7
    This thread is dedicated to provide hardened Lineage-OS 18.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.
    You can consider this thread as the successor of my respective LineageOS 17.1 thread.

    Features of this ROM

    Download here

    • Pre-installed microG like LineageOS for microG project (own fork)
    • Pre-installed AuroraStore, AuroraDroid and AuroraServices
    • OTA Support
    • eSpeakTTS engine
    • Bromite as default browser
    • Additional security hardening features listed below:
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
    • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
    • Firewall UI (under Trust)
    • Increased max. password length of 64
    • No submission of IMSI/phone number to Google when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView
    • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
    • Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
    • Debloated from Oneplus blobs for Soter and IFAA
    • Hardened bionic lib and constified JNI method tables
    • Option to only use fingerprint unlock for apps and not for the device
    • Optional timeout for Bluetooth and WLAN connections
    • Per connection WiFi randomization option

    Current release levels

    Security string: 2022-11-05
    AOSP tag: 11.0.0_r46
    Bromite System Webview & Browser: M106


    Source-code and build instructions

    Kernel: https://github.com/lin18-microg/android_kernel_oneplus_sm8150/tree/lin-18.1-mse2
    Build manifest: https://github.com/lin18-microg/local_manifests/tree/lin-18.1-hmalloc


    Installation Instructions​


    YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
    Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

    Pre-Requisites​

    • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
    • An unlocked bootloader (see e.g. LineageOS install instructions)
    • If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
    • Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])

    Please read carefully:​

    I refer in general to the LineageOS install instructions, but there are some deviations!
    It is recommended to really go through the instructions once, before doing anything. You have been warned.

    Let's go!​

    Install the dedicated Lineage recovery for this ROM​

    For the Oneplus 7T Pro (hotdog), there is currently no fully working official TWRP available! The offered official one can't decrypt the /data partition and I don't fully trust the rest.
    Please download the specific Lineage revocery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
    Unzip and flash this specific recovery with the below commands (your device must be in 'fastboot mode'):
    Code:
    fastboot flash recovery_a lineage-18.1-recovery-20210903.img
    fastboot flash recovery_b lineage-18.1-recovery-20210903.img
    Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.

    If you come from Stock ROM, synchronize the a/b partitions​

    If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
    Please note, that you may get error messages stating
    Partition product_b dd: /dev/block/dm-1: write error: No space left on device Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
    You can ignore those, as long as it is product or vendor.

    Upgrade the firmware​

    Please refer to the LineageOS documentation on upgrading the firmware
    BTW, this thread contains a huge collection of OOS images.

    Install the ROM​

    Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP (download link above).
    It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.
    Please note: Even if you come from my previous hardened LineageOS 17.1 ROM, you can't "dirty-flash" - the device encryption is not compatible. You must format the /data partition! Please keep in mind, that formatting the /data partition also wipes the shared internal memory - backup first!

    DO NOT flash Gapps!
    This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
    If Gapps is a 'must' for you, please use the official LineageOS build for this device.


    Update Instructions​


    This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities necessary.
    You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
    IMPORTANT:
    If you would like to manually update by sideloading the ROM, you need to first flash the linked recovery image (see install instructions) again via fastboot!
    Recovery is always updated when flashing a new ROM version, and that updated recovery can't sideload this ROM version.


    Frequently asked Questions​


    These questions come from various threads for my hardened microG ROMs. I have listed them here, because they also apply to this ROM and are hopefully helpful.

    1. AuroraStore
    I bundle AuroraStore with my build, but I am in no way associated with its development. The first place to look for support is the AuroraStore XDA thread and its excellent FAQ Section. Nevertheless, I would like to answer some frequently asked questions in conjunction to my ROM:

    Q: AuroraStore offers an update to "Google play services" - I thought your ROM is "Google-free"?
    A: The bundled microG application spoofs the existence of Google play services. This is a necessary part of microG's design. In AuroraStore, please add the Play Services to the ignore list. You won't be able to "update" them anyhow, but better do not even try to do so!

    Q: I can't connect, Aurora claims "no network" - but I can normally use my browser and other apps to connect to the internet.
    A: If the "iptables block script" of my ROM is active, try to deactivating and immediately after re-activating it.
    If that does not help or you don't use the iptables block script of tis ROM, you may try to force-close the app or logoff/logon again. However, the Aurora support thread will be your primary point to look at!


    2. Google/Facebook iptables blocking
    Q: How does the Google/Facebook blocking work?
    A: Via the 'iptables'/'ip6tables' functionality of the Linux layer of Android, the ip4/ip6 address range of Google and Facebook is blocked on a per app base (in fact, it is generally blocked, but some apps on an internal exception list are still allowed to connect). This means, that apps (or spyware components thereof) cannot send/receive data to/from Google/Facebook. Btw, certain connections to X-mode and Palantir are also blocked, but I am not sure, whether this is enough - any qualified information to improve this are very welcome!

    Q: I like this Google/Facebook blocking approach, but my favourite <xyz> app needs to be able to connect to Google/Facebook. Can you please add this app to your exception list?
    A: Please read this comprehensive information. In short: If you have a trustworthy FOSS project aiming at connecting to Google/Facebook via Webview as 'mobile browser' with (almost) no permissions or you have a tracker-free app to connect to a proprietary service, which simply is hosted on a Google webspace, I am happy to discuss this, but I will definitely not allow any "Playstore top ten genuine spyware app".

    Q: Which apps are on your exception list?
    A: see here

    Q: But if Google is blocked for almost every app, can I still get push messages?
    A: Yes, you can! Push messages are routed and controlled through the microG functionality, which stil can connect to Google.


    3. etc/hosts ad blocking
    Q: What is the etc/hosts ad-blocking and how does it work?
    A: I deliver a monthly-updated /system/etc/hosts file from the AdAway app which lists a comprehensive selection of known ad/spyware addresses. Any attempt to connect to those sites is redirected to the local OS, so a positive connection is reported, but no content is transmitted. (See linked explanation).

    Q: Which anti-tracker lists do you use?
    A: The same defaulted by the AdAway app, plus in addition Microsoft's 'Hockey Stick' stuff.

    4. Firewall UI
    Q: What is the Firewall UI and how does it work?
    A: Under Settings - Data privacy - Trust, you'll find a list of all installed apps (optionally, you can also show the shipped system apps), which lets you control - per app - whether the app can connect via WiFi, Mobile data or VPN. In fact, you can in any LineageOS individually control this in the app details (Settings), this option simply gives you a comprehensive view for all apps.

    Q: How do I use it? What are the typical use-cases:
    A: It of course depends on your specific requirement, but below some very typical use-cases:
    a. Disallow internet access completely (uncheck WiFi, mobile data and VPN)
    This might be useful for an app, which does not need internet access to work, but uses internet access to e.g. nag you with ad-crap (some games on the play store, for example)
    b. Make sure, that an app only uses WiFi (in order to avoid costs when using mobile data) - uncheck mobile data
    c. Make sure, that an app only has internet, when connected via VPN - uncheck WiFi and mobile data

    5. Privacy features / data privacy of this ROM
    Q: Does this ROM protect my privacy by design/default?
    A: First of all, you will never get any "auto-protection" without having to take care, what you do!
    What this ROM provides to you in addition to an "official" LineageOS:
    • This ROM comes with microG, to avoid the necessity of having to flash the Google apps, with the "mother of all spyware" called Google Play services. So many apps with that dependency would still work, either fully, or with their core-functionality, but without "extra Google convenience" features.
    • You can optionally block Google/Facbebook connections, which can add a further protecion layer (see the specific FAQ section about that feature)
    • Many nasty ad-servers, which are embedded into shady apps or websites are blocked by default
    • Some hardening measures known from the GrapheneOS project have been added
    HOWEVER - just some examples, how you can easily screw up any privacy gain (this list is by far not even near to comprehensive):
    • You still CAN install all kinds of shady apps and use privacy-ignoring services. If you e.g. install the genuine Facebook or Instagram app, the majority of your private data on your phone will be immediately uploaded to Facebook servers, as those apps even refuse to start, if you do not grant all the sensitive permissions! (Note: Yes, afterwards, when your data has already been stolen, you can revoke those permissions again. And yes, Whatsapp seems maybe 'slightly' better in this regard, but if you really believe, that WA isn't fully integrated into the FB ecosystem, you must be living on another planet).
    • If you use the Microsoft Outlook app to connect to any "non-Microsoft" e-mail provider, your logon credentials to that other mail provider are stored on Microsoft servers factually allowing Microsoft to steal your identity. Using Microsoft e-mail services or GMail discloses all your e-mails to automated scanning for "suspicious activities"; this has nothing to do with your phone, but outlines, how you can void even the most secure device by making use of privacy-ignoring services.
    • Making use of Genuine Google-apps with microG also isn't a good idea - make use of alternatives.
    • Any app, which you install on your device, could misuse its needed privileges! So try to stick to FOSS apps.
    • And last, but not least, if you are a 'dissident' or fear otherwise any targeted or comprehensive surveillance, this ROM isn't for you either...

    6. Major Android upgrades for this ROM
    Q: Why still on LineageOS 18.1 (Android 11) and not on LineageOS 19.1 (Android 12) ?
    A: The LineageOS project does not offer yet LineageOS 19.1 builds for this device!




    Dealing with signed builds​

    Please note, that this builds is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".

    Why still LineageOS 18.1 (Android 11) ?​

    My aim is to provide stable, daily-driver capable builds. So the major pre-requisite (besides other considerations) to upgrade my builds to the next big Android release (here: Android 12 / LineageOS 19) is, that there is an official LineageOS build for this release. This primary pre-requisite is not fulfilled for this device, so I am not even considering to work on LineageOS 19 for the OP7T Pro! When LineageOS ships a LineageOS 19 build for this device in future, I will start to think about it...
    Update 29-10-2022: Meanwhile, an official LineageOS 19.1 build is available, so I am starting to look at it . . .

    Bug reports:​

    If you have a problem, please create a post with these informations:
    Original Kernel shipped with this rom:
    Build Date:
    And try to get log as described here
    Please note that I can't and won't support issues with builds using a different kernel or Xposed.
    In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

    Credits​

    AOSP project
    LineageOS project
    microG project
    Graphene OS project
    csagan5 (Bromite)
    WhyOrean (Aurora)
    SkewedZeppelin (Kernel patches)
    6
    New build with June 2022 ASB patches available
    Hi all, a new build with the June 2022 ASB patches is available for download and also offered by the Updater app:
    • Security string 2022-06-05
    • Some kernel patches
    • Bromite Browser and Webview on 102.0.5005.96
    • microG updated to 0.2.24.214816-11
    Happy flashing,
    regards, M.
    6
    New build with November 2022 ASB patches available

    Hi all,
    a new build with the November 2022 ASB patches is available for download and also offered by the Updater app:

    • Security string 2022-11-05
    • Bromite Browser and Webview updated to 106.0.5249.163
    • Some kernel patches
    • microG 0.2.25.223616-10

    Happy flashing!
    Regards, M.
    5
    New build with September 2022 ASB patches available

    Hi all,
    a new build with the September 2022 ASB patches is available for download and also offered by the Updater app:
    • Security string 2022-09-05
    • Bromite Browser and Webview updated to 104.0.5112.91
    • Kernel: Some patches and also hardening (GrpaheneOS patches)
    • microG 0.2.24.214816-30
    • Contacts app slightly 'de-Googled'
    • Updated vendor blobs from OOS 11.0.9.1 (vendor sec. string 2022-06-01)
    Happy flashing!
    Regards, M.
    5
    New build with October 2022 ASB patches available

    Hi all,
    a new build with the October 2022 ASB patches is available for download and also offered by the Updater app:
    • Security string 2022-10-05
    • Bromite Browser and Webview updated to 105.0.5195.147
    • Some kernel patches
    • microG 0.2.24.223616-61

    Happy flashing!
    Regards, M.