[ROM][Unofficial][11.0][microG][signed]hardened LineageOS 18.1 Oneplus 7T Pro

This is applicable to the Oneplus 7T as well, right? Or is the partition layout of the Oneplus 7T different from that of the Oneplus 7T Pro?
The Oneplus 7T (hotdogb) and 7T Pro (hotdog) belong to the same device family, but are different devices, requiring different ROMs to flash. This thread is about the 7T Pro (hotdog). DO NOT flash this ROM to a 7T (hotdogb)

old-Silver

Member
Jun 20, 2022
5
5
Have had no issues during update or running over the last couple of days.
Just Greeeeat as ever :D

New build with August 2022 ASB patches available
Hi,
a new build with the August 2022 ASB patches is available for download and also offered by the Updater app:
  • Security string 2022-08-05
  • Bromite Browser and Webview updated to 103.0.5060.140
  • Some kernel patches
Happy flashing!
Regards, M.
 
Have had no issues during update or running over the last couple of days.
Just Greeeeat as ever :D
Thanks for the feedback - just a comment: I expect that the OTA updates simply work, my post about the 'error 7' may have been misunderstood.
Nevertheless, I am doing development on this device and flash stuff for test purposes (even resulting in test builds sometimes not booting), so I seem to have 'managed' to screw the logical partition scheme in the so-called 'Super partition'. So I published the way, how to fix that - I am pretty sure, that the vast majority of you will never face such an issue, but at least some of you may sometimes try out other builds etc., and then such things could occur, and I simply thought, that it is a good idea to publish the solution for that issue, as I myself had to spend some time to find it.
 

martisBU

New member
Aug 23, 2022
2
0
Does Google Pay work on this build? I am new to custom ROMs and want to distance myself from Google, but I use Gpay on a daily basis.
 
Does Google Pay work on this build? I am new to custom ROMs and want to distance myself from Google, but I use Gpay on a daily basis.
I don't know as a matter of fact, but I am pretty sure that the answer is no.

However, I am currently working on a 2nd build variant with the ported "sandbox jail" for Google Play from GrapheneOS and I am looking for volunteers to test that for me (more to follow later today), as I can't do that on my own device, which is my daily driver (and there is no working TWRP for our device being able to decrypt the /data partition on A11), as this would screw up my setup... That thing could be your solution, I think...
EDIT: AFAIK, G*Pay requires passed safety net attestation, which is not the case for this device with this ROM. I have no idea, whether it's possible to pass SN with this device and LineageOS. Maybe others can step in here?
EDIT2: Apart from the technical answers given by me before: distancing from G* on the one hand side, whilst still using G*Pay on a daily basis, is a significant and unsolvable contradiction, so you may want to think about this topic, too...?
 
Volunteers wanted - Test build for 'sandboxed play services'

Hi all,

I have created (and also briefly tested myself on a different device) a test build of this ROM with an Android 11/LineageOS 18.1 port of GrapheneOS's Sandboxed Play services.

The test build - clean-flash strongly recommended - does not contain any microG app (but besides all other existing hardening measures and features of this ROM) and you would have to install the respective Google apps (GSF proxy, Play services and Play store) manually as ordinary apps - this means: NO FLASHING ANY ZIP, but manually installing the three apps as APK files or bundles. [You could either try to extract the APK files from a flashable Gapps ZIP (make sure to choose Android 11 and arm64) or to e.g. look at apkmirror.com - once again: DON'T flash any Gapps.zip!].

Whilst the current microG ROM offered in this thread mainly aims at users not really keen on using Google, but still providing a basic compatibility to many apps with G* dependencies without truly integrating with G* - this could become an option for those willing to use G* (and tolerating the known negative impacts), whilst not having to live with Google's infamous "kill switch" (factually allowing them to take over your device at any time and/or secretly replacing your installed apps with "crafted" ones) and ability to track you 24/7 (you however still choose to share information with them, don't ignore that fact!)

I frankly admit, that I did not test this on my own 7T Pro device (but on my 3T device, where it worked OK), as this is my daily driver and I don't want to lose my setup (and as we all know, there is no working TWRP for the 7T Pro, which can decrypt the /data partition on Android 11, so no full backup), so relying on your input for now.

I would be interested to see, to what extent this approach is usable and whether this would be interesting for you as an offered 2nd build variant or not.

Your feedback is appreciated.
Thanks & regards - M.
 

martisBU

New member
Aug 23, 2022
2
0
I don't know as a matter of fact, but I am pretty sure that the answer is no.

However, I am currently working on a 2nd build variant with the ported "sandbox jail" for Google Play from GrapheneOS and I am looking for volunteers to test that for me (more to follow later today), as I can't do that on my own device, which is my daily driver (and there is no working TWRP for our device being able to decrypt the /data partition on A11), as this would screw up my setup... That thing could be your solution, I think...
EDIT: AFAIK, G*Pay requires passed safety net attestation, which is not the case for this device with this ROM. I have no idea, whether it's possible to pass SN with this device and LineageOS. Maybe others can step in here?
EDIT2: Apart from the technical answers given by me before: distancing from G* on the one hand side, whilst still using G*Pay on a daily basis, is a significant and unsolvable contradiction, so you may want to think about this topic, too...?
I know that with LineageOS it is possible to make GPay work, but I am not educated enough to know how they do it. Also, I wish I didn't need to use GPay, but most of the time the only thing I have on me is my phone. Also, if GPay isn't working, I can't use my banking app due to the same check they do behind the hood.

I am new to this whole custom ROM community, but due to recent things, I really want to distance myself from Google services. Although this build isn't for me, I really love what you are doing, and I appreciate your work. I hope that one day I will be able to use this on my daily driver OP 7T pro.
 
I know that with LineageOS it is possible to make GPay work, but I am not educated enough to know how they do it.
G*Pay is deeply integrated with the Google Play services, and this ROM uses microG and not the genuine Google Spy services. Further, G*Pay needs the 'SafetyNet' attestation to pass, and on this device using this ROM, this check fails. There are LineageOS devices (especially with older hardware) still passing 'SafetyNet', as the checks are more relaxed on older hardware, due to compatibility reasons. That is why.

Also, I wish I didn't need to use GPay, but most of the time the only thing I have on me is my phone.
Of course, you decide about your life and what is important to you. And everybody has different priorities. I for myself have decided, that I prefer not to use my phone to pay in shops or restaurants. Cash and/or plastic cards work quite well, too. :) For sure, I don't want "big G*" to spy on all my finance transactions, analyze and profile them and report "suspicious activities" to any US authority.

Also, if GPay isn't working, I can't use my banking app due to the same check they do behind the hood.
Most probably "SafetyNet", as explained above. That depends of course on each bank, and how they implement two-factor authentication (2FA) etc. - My bank e.g. lets me still use their app for read access, which is fair enough. Using 2FA on the same device voids the whole concept and unfortunately, many banking apps are mainly designed to make it very difficult for security researchers to find and publish all the loopholes rather than implementing proper security, but that is another story.

I am new to this whole custom ROM community, but due to recent things, I really want to distance myself from Google services. Although this build isn't for me, I really love what you are doing, and I appreciate your work. I hope that one day I will be able to use this on my daily driver OP 7T pro.
Thanks for your feedback - I see you have started to think about "big G*", which is good. As said, all up to you and your preferences. Just a general non-technical advice from my side: Maybe somehow consider it similar to fast food vs. healthy nutrition. There is no 'magic pill' to convert fast food into healthy food - if you e.g. understand that too much fast food is not good for you, you have to actively change your diet. This is work, requires you to get familiar with nutrition and alternatives, but at the end, you'll see that you won't really miss the fast food...
 

bestouff

Senior Member
Mar 9, 2014
96
33
Grenoble
Volunteers wanted - Test build for 'sandboxed play services'

Hi all,

I have created (and also briefly tested myself on a different device) a test build of this ROM with an Android 11/LineageOS 18.1 port of GrapheneOS's Sandboxed Play services.

[...]

I would be interested to see, to what extent this approach is usable and whether this would be interesting for you as an offered 2nd build variant or not.

Your feedback is appreciated.
Thanks & regards - M.

Hi @MSe1969,

I won't use it, I prefer if Google Play doesn't run on my device. Even if I have no precise idea what it takes for MicroG to run properly; maybe it shares already too much information with the mothership. And even if I'd really want to have Android Auto work on my device (even better, an AA lookalike that enables Organic Maps to run on my car head unit).

That said I still find this is a nice idea, and again thank you for all your work.
 
I won't use it, I prefer if Google Play doesn't run on my device.
Me neither for now, as I have already mentioned (major reason is that I don't want to wipe my device) - so this is not for everyone, but it may be interesting for some people.

The idea behind, as also explained in the GrapheneOS docu (which however reflects Android 12 and not 11, like this build - the 11-backport using the 11 commits from GrapheneOS is still much more "basic"), is that you could further restrict your setup by e.g. using the "Shelter" app to create a separate work-profile, in which you would "sandbox" G*Play - so when your main profile is active, the 2nd profile sleeps and anyhow, only in your 2nd work profile, where you have an own address book and own apps etc., the sandboxed G*Play would exist...

Even if I have no precise idea what it takes for MicroG to run properly; maybe it shares already too much information with the mothership.
https://microg.org/ and https://calyxos.org/docs/guide/microg/ might give you more insight on that.

And even if I'd really want to have Android Auto work on my device (even better, an AA lookalike that enables Organic Maps to run on my car head unit).
When I was playing around with AA (scroll back in this thread), I wasn't too impressed either - wasn't e.g. too much amused about the requirement to install G*Maps and have it actively spying your location, while using AA, even if you weren't using it or even had a different GPS app...
 
New build with September 2022 ASB patches available

Hi all,
a new build with the September 2022 ASB patches is available for download and also offered by the Updater app:
  • Security string 2022-09-05
  • Bromite Browser and Webview updated to 104.0.5112.91
  • Kernel: Some patches and also hardening (GrapheneOS patches)
  • microG 0.2.24.214816-30
  • Contacts app slightly 'de-Googled'
  • Updated vendor blobs from OOS 11.0.9.1 (vendor sec. string 2022-06-01)
Happy flashing!
Regards, M.
 

Top Liked Posts

  • 7
    This thread is dedicated to provide hardened Lineage-OS 18.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.
    You can consider this thread as the successor of my respective LineageOS 17.1 thread.

    Features of this ROM

    Download here

    • Pre-installed microG like LineageOS for microG project (own fork)
    • Pre-installed AuroraStore, AuroraDroid and AuroraServices
    • OTA Support
    • eSpeakTTS engine
    • Bromite as default browser
    • Additional security hardening features listed below:
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
    • Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
    • Firewall UI (under Trust)
    • Increased max. password length of 64
    • No submission of IMSI/phone number to Google when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView
    • Extra control of sensor access for additionally installed user apps (Special access under app permissions)
    • Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
    • Debloated from Oneplus blobs for Soter and IFAA
    • Hardened bionic lib and constified JNI method tables
    • Option to only use fingerprint unlock for apps and not for the device
    • Optional timeout for Bluetooth and WLAN connections
    • Per connection WiFi randomization option

    Current release levels

    Security string: 2022-09-05
    AOSP tag: 11.0.0_r46
    Bromite System Webview & Browser: M104


    Source-code and build instructions

    Kernel: https://github.com/lin18-microg/android_kernel_oneplus_sm8150/tree/lin-18.1-mse2
    Build manifest: https://github.com/lin18-microg/local_manifests/tree/lin-18.1-hmalloc


    Installation Instructions


    YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
    Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

    Pre-Requisites

    • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
    • An unlocked bootloader (see e.g. LineageOS install instructions)
    • If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
    • Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])

    Please read carefully:

    I refer in general to the LineageOS install instructions, but there are some deviations!
    It is recommended to really go through the instructions once, before doing anything. You have been warned.

    Let's go!

    Install the dedicated Lineage recovery for this ROM

    For the Oneplus 7T Pro (hotdog), there is currently no fully working official TWRP available! The offered official one can't decrypt the /data partition and I don't fully trust the rest.
    Please download the specific Lineage recovery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
    Unzip and flash this specific recovery with the below commands (your device must be in 'fastboot mode'):
    Code:
    fastboot flash recovery_a lineage-18.1-recovery-20210903.img
    fastboot flash recovery_b lineage-18.1-recovery-20210903.img
    Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.

    If you come from Stock ROM, synchronize the a/b partitions

    If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
    Please note, that you may get error messages stating
    Partition product_b dd: /dev/block/dm-1: write error: No space left on device
    Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
    You can ignore those, as long as it is product or vendor.

    Upgrade the firmware

    Please refer to the LineageOS documentation on upgrading the firmware
    BTW, this thread contains a huge collection of OOS images.

    Install the ROM

    Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP (download link above).
    It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.
    Please note: Even if you come from my previous hardened LineageOS 17.1 ROM, you can't "dirty-flash" - the device encryption is not compatible. You must format the /data partition! Please keep in mind, that formatting the /data partition also wipes the shared internal memory - backup first!

    DO NOT flash Gapps!
    This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
    If Gapps is a 'must' for you, please use the official LineageOS build for this device.


    Update Instructions


    This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities necessary.
    You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
    IMPORTANT:
    If you would like to manually update by sideloading the ROM, you need to first flash the linked recovery image (see install instructions) again via fastboot!
    Recovery is always updated when flashing a new ROM version, and that updated recovery can't sideload this ROM version.


    Frequently asked Questions


    These questions come from various threads for my hardened microG ROMs. I have listed them here, because they also apply to this ROM and are hopefully helpful.

    1. AuroraStore
    I bundle AuroraStore with my build, but I am in no way associated with its development. The first place to look for support is the AuroraStore XDA thread and its excellent FAQ Section. Nevertheless, I would like to answer some frequently asked questions in conjunction to my ROM:

    Q: AuroraStore offers an update to "Google play services" - I thought your ROM is "Google-free"?
    A: The bundled microG application spoofs the existence of Google play services. This is a necessary part of microG's design. In AuroraStore, please add the Play Services to the ignore list. You won't be able to "update" them anyhow, but better do not even try to do so!

    Q: I can't connect, Aurora claims "no network" - but I can normally use my browser and other apps to connect to the internet.
    A: If the "iptables block script" of my ROM is active, try deactivating and immediately afterwards re-activating it.
    If that does not help or you don't use the iptables block script of this ROM, you may try to force-close the app or logoff/logon again. However, the Aurora support thread will be your primary point to look at!


    2. Google/Facebook iptables blocking
    Q: How does the Google/Facebook blocking work?
    A: Via the 'iptables'/'ip6tables' functionality of the Linux layer of Android, the ip4/ip6 address range of Google and Facebook is blocked on a per app base (in fact, it is generally blocked, but some apps on an internal exception list are still allowed to connect). This means, that apps (or spyware components thereof) cannot send/receive data to/from Google/Facebook. Btw, certain connections to X-mode and Palantir are also blocked, but I am not sure, whether this is enough - any qualified information to improve this is very welcome!

    Q: I like this Google/Facebook blocking approach, but my favourite <xyz> app needs to be able to connect to Google/Facebook. Can you please add this app to your exception list?
    A: Please read this comprehensive information. In short: If you have a trustworthy FOSS project aiming at connecting to Google/Facebook via Webview as 'mobile browser' with (almost) no permissions or you have a tracker-free app to connect to a proprietary service, which simply is hosted on a Google webspace, I am happy to discuss this, but I will definitely not allow any "Playstore top ten genuine spyware app".

    Q: Which apps are on your exception list?
    A: see here

    Q: But if Google is blocked for almost every app, can I still get push messages?
    A: Yes, you can! Push messages are routed and controlled through the microG functionality, which still can connect to Google.


    3. etc/hosts ad blocking
    Q: What is the etc/hosts ad-blocking and how does it work?
    A: I deliver a monthly-updated /system/etc/hosts file from the AdAway app which lists a comprehensive selection of known ad/spyware addresses. Any attempt to connect to those sites is redirected to the local OS, so a positive connection is reported, but no content is transmitted. (See linked explanation).

    Q: Which anti-tracker lists do you use?
    A: The same defaulted by the AdAway app, plus in addition Microsoft's 'Hockey Stick' stuff.

    4. Firewall UI
    Q: What is the Firewall UI and how does it work?
    A: Under Settings - Data privacy - Trust, you'll find a list of all installed apps (optionally, you can also show the shipped system apps), which lets you control - per app - whether the app can connect via WiFi, Mobile data or VPN. In fact, you can in any LineageOS individually control this in the app details (Settings), this option simply gives you a comprehensive view for all apps.

    Q: How do I use it? What are the typical use-cases:
    A: It of course depends on your specific requirement, but below some very typical use-cases:
    a. Disallow internet access completely (uncheck WiFi, mobile data and VPN)
    This might be useful for an app, which does not need internet access to work, but uses internet access to e.g. nag you with ad-crap (some games on the play store, for example)
    b. Make sure, that an app only uses WiFi (in order to avoid costs when using mobile data) - uncheck mobile data
    c. Make sure, that an app only has internet, when connected via VPN - uncheck WiFi and mobile data

    5. Privacy features / data privacy of this ROM
    Q: Does this ROM protect my privacy by design/default?
    A: First of all, you will never get any "auto-protection" without having to take care, what you do!
    What this ROM provides to you in addition to an "official" LineageOS:
    • This ROM comes with microG, to avoid the necessity of having to flash the Google apps, with the "mother of all spyware" called Google Play services. So many apps with that dependency would still work, either fully, or with their core-functionality, but without "extra Google convenience" features.
    • You can optionally block Google/Facebook connections, which can add a further protection layer (see the specific FAQ section about that feature)
    • Many nasty ad-servers, which are embedded into shady apps or websites are blocked by default
    • Some hardening measures known from the GrapheneOS project have been added
    HOWEVER - just some examples, how you can easily screw up any privacy gain (this list is by far not even near to comprehensive):
    • You still CAN install all kinds of shady apps and use privacy-ignoring services. If you e.g. install the genuine Facebook or Instagram app, the majority of your private data on your phone will be immediately uploaded to Facebook servers, as those apps even refuse to start, if you do not grant all the sensitive permissions! (Note: Yes, afterwards, when your data has already been stolen, you can revoke those permissions again. And yes, Whatsapp seems maybe 'slightly' better in this regard, but if you really believe, that WA isn't fully integrated into the FB ecosystem, you must be living on another planet).
    • If you use the Microsoft Outlook app to connect to any "non-Microsoft" e-mail provider, your logon credentials to that other mail provider are stored on Microsoft servers factually allowing Microsoft to steal your identity. Using Microsoft e-mail services or GMail discloses all your e-mails to automated scanning for "suspicious activities"; this has nothing to do with your phone, but outlines, how you can void even the most secure device by making use of privacy-ignoring services.
    • Making use of Genuine Google-apps with microG also isn't a good idea - make use of alternatives.
    • Any app, which you install on your device, could misuse its needed privileges! So try to stick to FOSS apps.
    • And last, but not least, if you are a 'dissident' or fear otherwise any targeted or comprehensive surveillance, this ROM isn't for you either...

    6. Major Android upgrades for this ROM
    Q: Why still on LineageOS 18.1 (Android 11) and not on LineageOS 19.1 (Android 12) ?
    A: The LineageOS project does not offer yet LineageOS 19.1 builds for this device!




    Dealing with signed builds

    Please note, that this build is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".

    Why still LineageOS 18.1 (Android 11) ?

    My aim is to provide stable, daily-driver capable builds. So the major pre-requisite (besides other considerations) to upgrade my builds to the next big Android release (here: Android 12 / LineageOS 19) is, that there is an official LineageOS build for this release. This primary pre-requisite is not fulfilled for this device, so I am not even considering to work on LineageOS 19 for the OP7T Pro! When LineageOS ships a LineageOS 19 build for this device in future, I will start to think about it...

    Bug reports:

    If you have a problem, please create a post with this information:
    Original Kernel shipped with this rom:
    Build Date:
    And try to get log as described here
    Please note that I can't and won't support issues with builds using a different kernel or Xposed.
    In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

    Credits

    AOSP project
    LineageOS project
    microG project
    Graphene OS project
    csagan5 (Bromite)
    WhyOrean (Aurora)
    SkewedZeppelin (Kernel patches)
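
The FAQ entry on Google/Facebook iptables blocking in the post above describes a general block of the listed address ranges with an exception list of apps. The sketch below is an added example, not this ROM's actual block script: it generates (without applying) rules of that shape and walks them first-match to show why the exception rules must precede the reject rules. The chain name, the app UIDs and the address ranges (documentation-only ranges) are constructed placeholders.

```shell
#!/bin/sh
# Added illustration of "block listed ranges for everyone except an app
# exception list" with iptables/ip6tables. Rules are only printed, never
# applied. Chain name, UIDs and ranges are constructed placeholders.

CHAIN="egress_block"            # hypothetical chain name

# Constructed sample data: documentation-only ranges (RFC 5737 / RFC 3849).
BLOCKED_RANGES="192.0.2.0/24
198.51.100.0/24
2001:db8::/32"
EXEMPT_UIDS="10123 10145"       # constructed UIDs of apps on the exception list

# IPv6 ranges contain a colon and belong to ip6tables.
tool_for() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Print the rule set: a dedicated chain hooked into OUTPUT, the exception
# list first, then one REJECT per blocked range.
gen_rules() {
    ranges=$1; uids=$2
    for t in iptables ip6tables; do
        echo "$t -N $CHAIN"
        echo "$t -I OUTPUT -j $CHAIN"
        # Exempt apps leave the chain before any REJECT can match them.
        for uid in $uids; do
            echo "$t -A $CHAIN -m owner --uid-owner $uid -j RETURN"
        done
    done
    for net in $ranges; do
        echo "$(tool_for "$net") -A $CHAIN -d $net -j REJECT"
    done
}

# First-match walk over the generated chain for one packet, described by the
# sending app's UID and the destination range it falls in. Simplification:
# the range is compared as an exact CIDR string, whereas netfilter matches
# by address containment.
verdict() {
    v_uid=$1; v_net=$2; v_tool=$(tool_for "$v_net")
    v_hit=$(gen_rules "$BLOCKED_RANGES" "$EXEMPT_UIDS" |
        while read -r tool op chain rest; do
            [ "$tool" = "$v_tool" ] && [ "$op" = "-A" ] || continue
            case "$rest" in
                "-m owner --uid-owner $v_uid -j RETURN") echo allowed; break ;;
                "-d $v_net -j REJECT") echo blocked; break ;;
            esac
        done)
    # No rule matched: the packet falls through the chain untouched.
    echo "${v_hit:-allowed}"
}

# Stand-alone run: show the rule set for the constructed sample data.
gen_rules "$BLOCKED_RANGES" "$EXEMPT_UIDS"
```

Using `RETURN` rather than `ACCEPT` for exempt apps hands their traffic back to the remaining OUTPUT rules, so a per-app firewall setting can still deny it.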
    6
    New build with June 2022 ASB patches available
    Hi all, a new build with the June 2022 ASB patches is available for download and also offered by the Updater app:
    • Security string 2022-06-05
    • Some kernel patches
    • Bromite Browser and Webview on 102.0.5005.96
    • microG updated to 0.2.24.214816-11
    Happy flashing,
    regards, M.
    4
    thanks dev for the great work... all working fine.

    often when performing aurora updates, one gets google play services install error 'conflicting package exists', wondering if anyone has seen this and how to get round it?

    looking at apkmirror, the one in aurora is already the latest non-beta version of gps, presumably this is an aurora issue, but just wanted to see if there is quick solution given this error happens on this rom on this phone for me...
    Don't "update" Google Play Services! This ROM comes with microG, which spoofs the existence of G* play services, but you can't "update" those, and in fact you don't really want to (if you understand the technical background).

    EDIT: See also FAQ section in OP
    4
    New build with April ASB patches

    A new build with April 2022 ASB patches is available for download and also offered via the Updater app:
    • Security string 2022-04-05
    • Some kernel patches
    • Bromite Browser and Webview on 100.0.4896.57
    Happy flashing - cheers, M.
    4
    New build with July 2022 ASB patches available
    Hi,
    a new build with the July 2022 ASB patches is available for download and also offered by the Updater app:
    • Security string 2022-07-05
    • Some kernel patches
    Happy flashing!
    Regards, M.