Hi all, I'm new to both GOS and Android. It seems like the background connection for signal does not connect after a restart until I open the app for the first time. Is there a way to auto start that connection so I can disable the notification?

javashin: the g7 line doesn't support custom verified boot last I heard

<fomijafi[m] "Hi all, I'm new to both GOS and "> Tell me is your goal to hide Signal?

If so how much or you just want the the push notification disabled completely?

No just to hide the always present notification. I find it obnoxious coming from iphone

But when its hidden I sometimes forget to open the app after a restart and miss a bunch of messagea

* But when its hidden I sometimes forget to open the app after a restart and miss a bunch of messages

fomijafi: Go into app settings by holding the app. An option should pop up. You should see notifications at the top and you can go from there.

down*

I know how to disable the notification. When it's disabled, I sometimes don't realize I have no background connection. Do I just need to grow up and live with the notification?

fomijafi: Um I have an idea. When you are on WiFi you can use put yourself in airplane mode. Shut down Signal completely cause it is uneeded.

It is unclear what you want fomijafi:

ELI5?

cn3m[m], how

A process to automatically start the background connection after a restart

fomijafi: To clarify you can use WiFi with Airplane Mode.

javashin: to have meaningful security on Android you want verified boot, remote attestation, rollback protection. All things you can only get a "stock OS"

fomijafi: You would have to live with the background connection notification when you use data of course.

Pixels let you change the key so GrapheneOS is the "stock" OS

Using Airplane mode also turns off your radios.

/etc/init.mmi.hab.rc ?

cn3m[m] well but i only want to patch the kernel

<defconanon010102 "Using Airplane mode also turns o"> That's a creative idea! Probably just as much trouble to remember to do that, though

and be secure

while using the phone

with any rom

javashin: you are by far more secure on the stock OS

Unlocking the bootloader is not wise for security

Unless your device supports custom verified boot keys

<fomijafi[m] "That's a creative idea! Probably"> It takes practice but you will get it in grained in your memory. I believing you. ^^

The Motorola X4 is the only Motorola phone confirmed to do so and that was an Android One device. javashin: It is possible the G7 could support it

it is not confirmed and there is no evidence

in general you are best off with the stock OS for security

unless you are on a Pixel

javashin: hub.libranet.de/wiki/and-priv-sec/wiki/verified-boot#Motorola

javashin: madaidans-insecurities.github.io/an…droid.html#unlocking-the-bootloader

unless you have a Pixel(and a limited selection of other devices. "hardening" does more harm than good

oh gosh

4real

javashin: buy a supported device

Or find one that meets the requirements

which are ?

The pixels

Android one maybe in the future

Oneplus has support through glassrom

Pixel 3, 3a, and 4

4 is in the works apparently. But just buy a 3 or 3a

Or if you can wait for 4a

(But not guaranteed will be supported that quickly)

I love my 3a with GrapheneOS, has worked great. It's going to be a diceroll now finding one with OEM Unlocking but its worth it

I bought mine at Best Buy brand new

Same. Best buy was the only place i had luck with after trying a few from amazon and ebay

<BalooRJ "4 is in the works apparently. Bu"> grapheneos.org/releases

didn't realize 4 came out, thanks

nitroneurons: yes try the x4

ok

It shouldn't be that hard

javashin: sorry for the bad news

He has corona cn3m ?

<anupritaisno1[m] "He has corona cn3m ?"> yes I am a doctor

let me inject him with hydroxychloroquine

Makes sense

Who wrote that Android privacy and security wiki?

dazinism: iirc

cn3m: GrapheneOS/os_issue_tracker #27

I just pick random issues these days and try to fix them the crash log tell you anything?

thanks for your efforts dazinism

looking

if I ordered a Pixel 3a from Amazon that was labelled as unlocked, should it be OEM unlocked as well and not just carrier unlocked?

<botter_otter "if I ordered a Pixel 3a from Ama"> Yeah

good, ty. was kinda worried, looking in the chat log it seems like a few people have had trouble with that

ask for pics

It should be. If you're buying second hand on there make sure that it's not a verizon model and you should be fine

Ask them to update the Pixel, then check OEM unlock (this is the pic that you need)

wasn't second-hand, looks like it went right from Google to Amazon

<CaptainPicard[m] "It should be. If you're buying s"> Also, ask for pics on regulatory labels

If it's new just make sure it's an unlocked model and you should be fine

For 3a, it shoudn't end in E

The important thing is know there's a difference between BOOTLOADER unlocked and CARRIER unlocked

yeah

model is labelled as unlocked so I kinda assumed it was both, didn't really think to check ahead of time

at the very least it's definitely carrier unlocked

usually only refer carrier unlock

most dont know what bootloader unlock is

dang

I hope this refers to both since it's brand new and not second-hand

ig I'll find out when it arrives

As long as it's not a verizon model I think it's fine. I guess just make sure you can get a refund if you don't trust the seller

far as I can tell it should be a fully unlocked model

ty guys for responding lol

No problem! Feel freee to hit us up with any other GrapheneOS related questions

will do, ty

Google ‘accidentally’ leaks the Pixel 4a in its own store. $350??? :-o thenextweb.com/plugged/2020/07/13/g…leaks-the-pixel-4a-in-its-own-store

jalb: There is a rumor going around saying that Google is not even going to make the Pixel 4a XL. Cause they want you to use Pixel 5 XL instead.

defconanon010102, interesting, who knows

Even a possible Pixel 3a 5G?... WTF

defconanon010102: I've read this. For marketing Google will wait for the 5 to release 5G

I guess they think that's clever. Not sure if that's solid

Pixel 4 doesn't even have a fingerprint scanner. Is Google taking a different security route for future devices?

It seems like it.

There is no 4 XL at the moment

4a I would say

there is a 4 XL

cn3m: correct

4a doesn't

yeah sadly

I'm having something trippy happening after downloading KeePass DX. I keep getting the error that auditor has stopped working. I haven't used the auditor app yet though?

Haven't had that happen for three months

Should I make a bug report?

Will GrapheneOS be redundant post Android 11?

Could be a fluke

theultron: no because GOS is a trend setter

wd40: I used KeePass DX and haven't had this issue. Pretty interesting. Though I have used Auditor. I really wonder if Auditor bugs you if you haven't used it?

defconanon010102: interesting

wd40: Mind if I give you a tip if you ever do decide to use Auditor?

defconanon010102: I did open the app to check it out a week ago just to look at it

<theultron[m] "Will GrapheneOS be redundant pos"> Not really, scudo is not as hardened as harden-malloc?

Please

wd40: Okay I learned this the hard way but for people like you this will help. When using the Auditor app in a local setting meaning using two physical phones never have an Auditor phone facing down on the second QR code it won't work. The first one will but never the second. Hold the phone upwards to get it to scan right.

defconanon010102: OK. That's a trip

<wd40[m] "defconanon010102: OK. That's a t"> I know but you will understand once you use it. If you use it at all.

Can I ask a lame question? If I'm listening to music o Vanadium do have to worry about adversaries locating my device through signal 7? I want to blend

Maybe before I had GOS I start listening again to the same soundtracks

I do have a iPhone and ipad I use for distraction

Right now I want to listen to Bob Marley . Will Vanadium help me yo lose the old trail?

wd40: Really this depends on your threat model. You should trust Vanadium when it comes to security and read into Vanadium a lot more honestly if you are truly if afraid of listening to music through Vanadium.

Will I stand out on the network?

* wd40: Really this depends on your threat model. You should trust Vanadium when it comes to security and read into Vanadium a lot more honestly if you are truly afraid of listening to music through Vanadium.

I have read about V and know there is no way to stop a true enemy. I haven't had any phone hacking since I flashed GOS. IM AFRAID TO LOSE A GOOD THING. Had 4 Iphones hacked and this is the first time things have been good. Don't want to ruin it

<wd40[m] "I have read about V and know the"> Why not download the mp3/songs through Newpipe then use VLC to listen offline?

But love music and starting to see how fingerprinting works

Yeah, I mean you can do it offline and less risks

Less connections too

Also, restart frequently when leaving phone, or when switching profiles, or using password managers

f8sai: OK friend. What is new pipe?

It's an open source frontend for youtube

And soundcloud

Idk if that helps, on your song problem

I listen offline mostly to minimize connections

Is that Fadroid or maybe Aurora?

Fdroid

Do you use SD?

SD?

<f8sai[m] "Fdroid"> Or on their github releases

I bought a SD. Are reader and use the adapter from my 3a to put pics and other info from my PC and Pixel back and forth

Honestly, I wish Aurora Droid added fingerprints cause that would be great. Take a lesson from APKmirror.

<defconanon010102 "Honestly, I wish Aurora Droid ad"> Really

i agree

<wd40[m] "I bought a SD. Are reader and us"> Yeah, otg works btw, (like thumb drives but sd card readers)

I can't wait til Graphene OS has it's own app ecosystem.

* I can't wait til Graphene OS has it's own apps ecosystem.

I love the adapter to transfer without connecting me device to my PC. That sounds cool

My^

<defconanon010102 "Honestly, I wish Aurora Droid ad"> How do you verify the apk? I have not seen hashes anywhere on the play store app page.

<theultron[m] "How do you verify the apk? I hav"> It's on the website of apkmirror

Could you please tell me the best way to not lose passwords using keepass? Do you just use a made up password without the two step file? I'm thinking I could use that adapter to save that second master key to a SD card?

Also, you can through classyshark3xodud

<wd40[m] "Could you please tell me the bes"> Yeah, password works

<f8sai[m] "Yeah, password works"> Password-only*

f8sai: If you are on the go.

Probably, tho, you can open files through aosp files, idk

The safest option as of now is to build your own.

<f8sai[m] "Probably, tho, you can open file"> (From keepass)

Was playing with the file backup and it seems dangerous if not using a backup

<defconanon010102 "The safest option as of now is t"> If you have the capacity (on your pc), that is

(It needs some cpu power and ram tbh)

wd40: very dangerous

<f8sai[m] "It's on the website of apkmirror"> Let's say I want to download X app from APKmirror. How do I verify the same is the authentic apk as on Google Play?

Before installing, one can check (assuming from apkmirror) for the hashes

Like sha256

f8sai: Hmm I wonder how bad it would mess up on my older machine.

Compare it from the apkmirror to classyshark3xodus

I took a file from my download and renamed it DCIM and put it in my camera file and got locked out

<f8sai[m] "Compare it from the apkmirror to"> There maybe more secure and robust ways for that, but that's an option for android

<defconanon010102 "f8sai: Hmm I wonder how bad it w"> 4gb + intel pentium/celeron?

Good luck

Unless that works

f8sai: Nope 8gb and AMD.

Well at least that's a better specs

The hard thing is my GOS files are empty except for my Lee pass file.

Lee

Lee

<f8sai[m] "Compare it from the apkmirror to"> Does classyshark3xodus maintains a list of signature from Google Play?

Easy to locate

> <@f8sai:privacytools.io> Compare it from the apkmirror to classyshark3xodus

* Does classyshark3xodus maintains a list of signature from Google Play to verify the signature?

Or it is just gets it from the apk

(And you had to compare manually sadly)

Do you guys add to the password encryption? I read on GIT it said to do it without going to hardcore

Those are things I'm not too understanding about

The settings for encryption

On the wiki it tells us how to make security better through settings

Do you guys use the phone number from your SIM or use another number to keep your main line a ghost?

I've been using a service from Aurora and its cool like Metroid

<wd40[m] "Do you guys use the phone number"> No sims

No sims when I was being hacked like crazy. I own a iPhone. Use a different account and card and use Line 2. Set up an account then use prepaid iTunes cards . delete the account from your iPhone. Log in on GOS and enjoy Signal7 never knowing you

N

Check out the trackers

Best phone I ever had

With a prepaid friends Straight talk sim

wd40: what's signal7?

Signal 7 in the network you cannot escape from. But you can can blend and remove your name being smart. Look up signal 7

Its the phone lines and base stations with no firewalls

If you are not a TARGET still worry. Signal 7 is the problem we all have.

SS7 hack explained: what can you do about it? | Technology ...

Try not to give your sim # out

wd40: I'll search it up later, not from the US so I don't think it's a problem for me.

Its everywhere

Need a. New firewall for all communication

This is something no one can escape. That's why Daniel says blend

Interesting, I'll look it up.

Its heavy that this old technology is still used

Its Scarry cause your neighbors can do it easily

I admire Daniel for his fight for our freedoms and not just selling it to CO" s like that Butch that ripped him off for his genius.

This company is a cause

Is there any way to set up a number which can be called as well as emergency number when phone is locked? For example if I have a friend/relative who is with me in a situation which could be dangerous, and I dont want him to be able to unlock my device but would like him to be able to call say another number belonging to me, my next of kin, etc?

obviously doubt it, but wondered a few times if that was possible or might be a feature which could be considered later, if anyone else saw any use in it as I do (which i also doubt!!)

You'll always have to sacrifice for privacy.. If your not worried about being gangstalked fill out the safety info

<pikey[m] "Is there any way to set up a num"> Honesty, I would recommend getting a real cheap flip phone and change it in a ghost phone. That in itself is pretty interesting.

Some are worried about google but some have other worries. You have options

<wd40[m] "You'll always have to sacrifice"> don't know what gangstalked means, or "safety info"?

pikey: setup another user with call access

<defconanon010102 "Honesty, I would recommend getti"> "change it in a ghost phone" - ?

<cn3m[m] "pikey: setup another user with c"> they can use a pin they know(you don't need to know it)

<cn3m[m] "pikey: setup another user with c"> ha, taht can be done?! so they could unlock the phone if it was locked during my usage?

very interesting

<pikey[m] "ha, taht can be done?! so they c"> yes

from the lockscreen

switch users

wow. didn't know switch users could be done before unlocked. brill, will have a fiddle with it thanks

(and the phone)

pikey: people have different issues and need their phones

np

I think having multiple devices for different usage is a great strategy to have.

<defconanon010102 "I think having multiple devices "> it is not

defconanon010102:agreed

cn3m: I disagree.

random flipphones are very insecure

yeah i have other strategies, but i have a very specific need which i discovered the other night. I need my PIXEL to be able to be used by a dependant relative (for one example) just in event of emergency.

that could be a constant tracker

Take the secondary batters out

cn3m: You can make a flip phone pretty secure. Also, yeah you can take out of the battery for one.

<cn3m[m] "it is not"> I agree. It's like linux. It CAN be secured, if run by someone very competent of all the vulns and exploits. But for a dumb user, Linux is not a wise move for security. Similarly, multiple phones give me (and people I know) many more ways to be tracked in ways I wouldn't even have the konwledge to understand. So for ME, Pixel running Graphene, puts all my security eggs in one basket, a basket weaved

by someone I can trust rather than home brewed by me (and my lacking knowledge). So for me, I argee, more devices equals more risks, of mistakes by me if nothingt else. Thanks cn3m. this looks a workable solution. :)

anyway, this was a specific OS question hence why i posted it here instead of off topic room. Got my answer, cheers all

Just flash then watch the battery activity. Learn it screen on time and you'll know what's happening

This is a solid flash. Worst thing , flash again and fight back

Its a pain to park for an enemy to waste time . be prepared to reflash brothers and sisters.

My favorite flash isolated apk

theultron: some details of how to verify apps hub.libranet.de/wiki/graphene-os/wi…i/Apps#Verifying_apk_files_and_apps

I read that crazy shit about how thin argumentative man Dan did this cool shit. All you you guys have got me stoked. I'm lame so money is all I have to offer. All love devs

<wd40[m] "Its a pain to park for an enemy "> I don't think I have understood a single one of your messages! Have you joined the off topic room? I think your posts would be better placed there

Haha. I'm at a party trying to tell my bros why our privacy is so important.

<wd40[m] "Haha. I'm at a party trying to t"> Figures.

pikey: talking about bakers using base stations

cn3m: Glad you got me looking at user switching from lock screen! I just found Guest, I tapped on it and got a new user account, but in teh calls I could see all calls made and received from my main profile. Time to turn that shit off perhaps!! thanks - you're idea will work a treat. Its mainly for family to be able to call other family, but wkthout having to learn my crazy long pin or adding fingerprint.

These guys don't care at all

Yeah Bakers

Apps using permissions to exploit otherbapps and use side channels

Any idea why so many well known apps in F-droid are described as unknown ?

wd40: This room is for dev and help with installs/usage of Graphene. They just set up riot.im/app/#/room/#freenode_#grapheneos-offtopic:matrix.org to give GOS users a place to chat about other stuff, I recommend you shift over there

(Consider the devs who support Graphene, they have to skim through all of this every day to check for real support queries and bugs etc )

I'll. Exit was learning but im dumb. Love you . thanks

Funny my band is played on ClearChannel and I promote this cause.

I set up a second user for family. I found that fingerprints can be setup, but with the obligatory passcode for first time use (which will be the one they use in emergency, so fingerprint not much use really). I am a bit concerned though, I found that the second user can view all SMS messages I have received and sent on main account, yet the phone call history is not shown (which is good). I doubt it but if there is any

way around that I would love to know.

I will have a very unsecure pin code for family which means my texts will be easily viewed, I may even have to stick a label on back of phone with that pin code which i hoped would only allow access to a fresh user account with no access to any data from my main account.

damn it also has access to all calls made/received

pikey: think you can maybe add a contact to emergency information then anyone can call them from your lock screen

I've never tried

Settings > about phone > emergency info

That's EXACTLY what I was wanting to do but didn't think you could. I dont need second accounts for others. Basically just wanted a way for someone like my friends kids to call not just emergency but my family if I fell off a bridge or something ilke that. I dont intend to of course :D. Something simple for a kid, i.e. not a complex password and second account etc. An added emergency number would be damn perfect!

* That's EXACTLY what I was wanting to do but didn't think you could. An added emergency number would be damn perfect!

Daz, as usual, you're a diamond. That's working nicely thanks!

pikey: if someone has physical control of your SIM card they can send/receive calls and texts as you

you shouldn't do sensitive things via traditional calls and texts for other reasons because they are unencrypted and texts are stored by carriers / intermediaries

they could do the same for calls, they certainly do for all the metadata

they aren't end-to-end encrypted but not just that: there is no real semblance of privacy for traditional calls / texts

if you use multiple user accounts, the secondary accounts don't change which SIM card is inserted into your phone

you can see in the user configuration options there are related options for this

anyway someone can just take that out and put it in another phone

just stop thinking your traditional calls/texts are private, at the very least assume some nosy person at the carrier will misuse their access to look at people's conversations and pictures they send

don't have conversations with ppl via traditional texts

traditional calls / texts are a legacy feature for backwards compatibility not something you should use whenever not dealing with something like a government agency stuck in their ways

<strcat[m] "don't have conversations with pp"> Problem with the USA as a whole. When I lived there, everyone still loves using SMS.

if you're talking to a friend, family, your lawyer or whatever there is no reason you should be using traditional telephony texts / calls

SchismXL: maybe for people 30+

Shh, now you're showing my age!

But yeah, not sure about the young hip kids and their communication, but I assume it'd be other systems that can be snooped on. WhatsApp, Facebook, Instagram, Snapchat etc.

WhatsApp is E2E encrypted

facebook said they're going to do E2E encryption for all their messaging systems so they can't moderate it and can save money

where people in the chat can still report something via the client (gives them decryption keys for that)

but they can't actively moderate it which I think is why they like E2E encryption

so they can absolve themselves of that responsibility

also they're merging all their chat clients into facebook to bypass regulation where they get in trouble for merging contacts / metadata across them etc.

Good to know about Facebook. Knew about WhatsApp, but there is an inherent distrust that I can't shake off. Such as the app being closed source and apparently reporting back metadata, such as who was communicating with who, where, when, how many times you open the app etc.

In the "wrong" hands, a picture could be built up of your communication methods and could potentially be used as evidence. Not that my memes would be cause for concern, but that's not the point

sure but the messages themselves are e2e encrypted

and not available to tons of carriers and people working for them

* rather than not just metadata but also data being available to tons of carriers and people working for them

Yeah, gotcha

using SMS is way, way worse

the 'security'

of the traditional telephony system is non-existent

Which makes me laugh with 2FA using SMS

Some companies using SMS for 2FA*

lots of people can intercept your messages, send fake messages as you, obtain the logs

not just your carrier

Oh, absolutely

Stingray, whatever it is called is just one. Your carrier would be able to see all anyways.

<strcat[m] "pikey: if someone has physical c"> ha, I never even thought of that. Yes I get all of that about calls/texts being open. I am not having any sensitive calls/texts as such, I put all that through signal etc. But I still like to not have random people able to view my calls and texts, however few of them there are, they are still mine. Hence I didn't like the fact a guest accohut could be set up and view all

those calls, durations, times etc. It's not the end of the world, but would prefer not to have that available. I found that you can turn off the guest account which sorted that anyway :). I took a friend's kids somewhere the other day, rock climbing. It occurred to me that I was the only one with a phone, left in my bag. I wanted a way (for that situagtion and others simiar) for anyone to use my phone to make a call, but

not only to 911, also maybe to their parents or whatever. That's where this came from. Dazinism's suggestion sorted it nicely. I can add emergency contacts as and when needed which is very cool :)

guest account is off by default

I will never, no matter how long I live, use any product owned by Facebook! E2E means nothing when it's spoken by the likes of MS or FB. Even if it is 100% secure, at the very least I wont use it on principal of their business model and past history of snooping. Even if they stopped doing it, which I am certain they never will

<strcat[m] "guest account is off by default"> yes I must have turned it on when I was playing around after installation.

pikey: then you might as well not use grapheneos

Because parts of Linux are written by Facebook

Seriously. Such made up ad hominems don't really belong here

> <@byolog:matrix.org> May I ask whether it's safe or not to install some apps like Gboard from Aurora store without network permission in grapheneos?

> Thanks

I have heard of others installing that from Aurora so I know some consider it safe enough. I haven't tried it myself

As long as you don't have the network permissions switched on, @byolog:matrix.org, you should be fine.

default keyboard / Anysoftkeyboard are good enough though

whats better about gboard

more permissions to get tracked, probably

> <@byolog:matrix.org> May I ask whether it's safe or not to install some apps like Gboard from Aurora store without network permission in grapheneos?

> Thanks

Mostly it's for missing languagues tbh

<byolog[m] "I'm using it now without any per"> Nice

Idk, fb-owned apps aren't really welcomed here.

Contributions by them are quite inevitable due to open source nature of aosp

<anupritaisno1[m] "> <@pikey:matrix.org> is graphen"> Quite obvious lol, Google kills Google afaik

Just kill the network permission

Probably, but inter-app communication may bypass that INTERNET (Network) permission

<anupritaisno1[m] "Just kill the network permission"> But this is the best one can do

you can also avoid said app so you're sure you aren't getting tracked 🤔

<g65434-2[m] "you can also avoid said app so y"> Or isolate it in one profile where you need it, unless you want it as main keyboard

AOSP keyboard is good enough, idk what they are looking for besides the swipe

byolog: apps can still see stuff about the system they are running on

hub.libranet.de/wiki/and-priv-sec/wiki/what-can-apps-see

And they can communicate with other apps

Its possible that they can reach the internet by another app. But both apps have to allow this

Try again.

Otherwise, reflasj

<f8sai[m] "Try again."> if it still fails, reflash

But it seems the date isn't synchronized?

On both devices

<gretai[m] "i did try many times, then i ref"> Do you have different pc? Or you may want to redownload

(It could be that the flashed os is potentially compromised)

<anupritaisno1[m] "> <@pikey:matrix.org> is graphen"> I think I explained my position well enough to make that question purely rhetorical. I don't use the android created by google, i use the one which has passed through the hands of people I trust to remove the scary parts of google's OS, one which was given a new name and logo and is very different, which you of course know. I wouldn't use the one created by google

without such modifications, hence I use a thing called "Graphene OS", instead of stock Android OS. If Graphene didn't exist, I wouldn't be using Google's Android. I did clearly say "owned by" not "has a historical connection to". Enough said I think.

Strange. Maybe try audit with another device or with attestation.app

<gretai[m] "i verified with signify-openbsd "> Hmmm

gretai: may have to wait for strcat to turn up, they wrote auditor and best understand it.

<gretai[m] "i tried another device, same pro"> (On attestation?)

Don't remember anyone else having this problem

I'm willing to offer some help to scan your code if you need it

(It has to be screenshot btw)

(Kinda tested it on three devices, auditor, auditee and the channel of message)

I had a lot of problems getting attestation to work on one pixel, but not the other. I never confirmed the problem but its working now. I was using PIA VPN app and I think that was part of the problem (if not all of it). I changed ports a few times and its worked since then. Are you using VPN by any chance?

oh, don't you need to connect to submit the remote attestation?

<pikey[m] "oh, don't you need to connect to"> For remote, connection is required ofc

<gretai[m] "booting now. do i immediately di"> i would

Yes

Don't connect to internet first ofc

If local attestation would be done

wouldn't have thought that would prevent it checking the OS, but try adding it anyway

<gretai[m] "do i need a screen lock?"> Not exactly

It scans it whenever you have it or not on a normal attestation

<f8sai[m] "It scans it whenever you have it"> Auditor scans it*

Good luck ^^

<gretai[m] "maybe the zip was corrupted when"> Probably

I use winrar

<gretai[m] "i only need to run flash-all.sh "> Afaik yes

Alright

Pm me

gretai: safest is to closely follow the install instructions on grapheneos.org for extracting the zip

...well for the whole installation

Although if its booting with the bootloader locked, you pretty much are guaranteed to have the exact same OS as everyone else on GrapheneOS

Unless you've been exploited by a pro

given you've checked with signify

Dont recall there being any real problems with any version.

???

People using the 3 or 3XL with GrapheneOS, can you use both of the front camera ? The normal and the wide angle ?

That may do it. You need to see the yellow warning screen while it boots

mrxx_0: yeah

<mrxx_0[m] "People using the 3 or 3XL with G"> ha, i didn't know it had two!}

Maybe even three front cameras?

camera problems are one of the few persistent ones i have with Graphene. I can certainly live with it but would be great if that was solved at some point

<mrxx_0[m] "People using the 3 or 3XL with G"> Yes, but thb I only realized it once when doing a video call with Conversations, which is able to jump through all cameras.

On open camera you can cycle thru the cameras (it often crashes my 3xl doing this)

<dazinism "On open camera you can cycle thr"> Indeed! Never realized that... but it works.

<dazinism "On open camera you can cycle thr"> me too.

gretai: if you are seeing the yellow screen, I think that you can only have the GrapheneOS signing key stored, not the android 11 one. Thats flashed during flash-all.sh

gretai: its a weird issue and if you see the yellow boot screen (not the orange one)I think much more likely to be something to do with auditor than your installation

Possibly otherwise dodgy camera hardware?

dazinism:

Yellow means booting with a custom key

anupritaisno1: yeah exactly

No

gretai: make sure you verified your download

gretai: think if the GrapheneOS install worked you'll be on the latest firmware & that is just to ensure that all known bug fixes for flashing are in the device

I'm really grasping at straws, but wonder if installing android 11 changed something that flashing GrapheneOS didnt change back

But feels unlikely

gretai: best bet is to wait for strcat to comment... or maybe open an issue on the auditor github giving all details

comment on what?

not reading scrollback

as you can see it failed to flash the bootloader

above

and then failed because it failed to flash the bootloader

strcat: apparently the device is booting and showing yellow screen but phone <>phone auditor is failing

makes sense if it's got the wrong firmware version

that boot screen shows you if the OS is verified

has nothing to do with firmware

I don't see anything weird

gretai: it's letting you know something is wrong, and something is wrong

I'd suggest flashing GrapheneOS and then trying to sideload the latest GrapheneOS OTA (corresponding to the version you flashed) two times

gretai: well in the output you can see it didn't flash properly

did you use fastboot by hand the first time instead of the flash-all script?

I don't know what you mean

what do you have installed?

sounds like you somehow how a screwed up inconsistent install

maybe you used an out-of-date fastboot? I don't know

flash GrapheneOS again

look at the output from flash-all.sh though

it's important to look at the output

it's possible your device just won't work properly until Android R stable is released and we move to it

if the bootloader can't be properly downgraded or it did some weird migration

maybe the Android R beta has a serious bug

maybe the device is just screwed over now

I don't know

dunno what you did

and I wouldn't recommend using the developer previews

if your device doesn't pass Auditor checks it has something wrong

firmware releases have a low-level rollback index that's irreversible

can't always roll back to arbitrary versions of firmware

there are rollback fuses for firmware

if you flash experimental firmware you're taking a risk

you need to flash the stable GrapheneOS release and show the output

now boot up recovery and sideload the GrapheneOS full OTA update package 2x

just to flash all the stuff again via the OS

in both slots

well

boot up recovery, sideload, then reboot into the OS

then boot up recovery and sideload again

hope that makes sense

like it's totally possible the beta had screwed up Titan M firmware and triggered some tamper thing

you didn't show the error you got from Auditor

it does show the error

strcat: most likely some kind of rollback index in titan itself?

perhaps, I don't know what happened

gretai: you can try formatting data in recovery?

if they had a serial debug cable they could get Titan M logs (there's a way to get them)

<strcat[m] "like it's totally possible the b"> Does flashing the os on your storage alter the titan firmware..?

anupritaisno1: they should follow my suggestion 1st

strcat: k

blacklight447: flashing GrapheneOS factory images is not just flashing the OS

it's flashing all of the SoC firmware too

Titan M firmware is uploaded by the OS

it can't necessarily be downgraded in certain cases where vulnerabilities are fixed even when unlocked

it's also possible whatever developer preview they flashed triggered some anti-tamper feature due to a bug

I don't know

they didn't post an error message from Auditor

I can only guess / speculate

I'm not psychic

I've seen 1 other person who had Auditor failing with the stock OS on Pixel 3 and it may be a similar situation where dev preview screwed something up

but I was unable to debug it since I don't have the device and debugging remotely through a non-developer doesn't really work

strcat: how to see titan M logs?

use debug cable

when unlocked

you may have to flip it backwards, forget

Ah right

it calls itself "citadel"

anupritaisno1: the debug cable provides output from firmware, citadel and kernel but not necessarily in same mode

I don't know if the debug cables TheJollyRoger makes provide citadel output on Pixel 3 atm

but you can try

there may also be a fastboot oem command to run when unlocked

grep -i citadel?

anupritaisno1: possible you can get some output when locked too

anupritaisno1: it won't be in the kernel logs, it will look different

strcat: does fastboot -w wipe titan M like recovery?

gretai: try a simple data wipe in recovery

anupritaisno1: it gets wiped when locking/unlocking or doing factory reset - but wiped means wiping the regular persistent state

there are fuses that can't be wiped just like the firmware on the SoC

they can only be set, not unset

I mean you have 30 minutes anyway

gretai: don't care what's faster

he'll have to lock again to see if auditor works

Locking from recovery doesn't need relock and tbh

Stock OS seems to force a recovery wipe to downgrade to the best of my knowledge

* Wiping from recovery doesn't need relock and tbh

he needs to relock to test if Auditor works or he can't see if it's fixed

and I don't really think wiping is going to do anything

I don't think it will be fixable but it depends on what the Auditor error was - they didn't show that, so seeing it would be useful

maybe it just failed because the clock was set wrong - don't know why at this point without seeing the error

strcat: their auditor screen shot matrix.to/#/!omAJrepvwSfkXJrqbK:mat…org/$15947280072134biZMs:librem.one

which says certificate verification failed

which is very strange

makes it seem like the device is either broken or compromised

it's not a failure based on the attestation data but rather the attestation certificate chain not validating

maybe some newer devices have a new attestation root but I haven't seen that myself

not much I can about it

I can't debug remotely

sorry

yes it appears that there's a new root certificate that they added

which we haven't whitelisted yet

that could be the issue

something for someone to work on

could be that

help wanted, Auditor isn't really actively developed atm

gretai: lock the device with GrapheneOS again

I have an Auditor build to install on both devices to test

can you do that?

I need someone impacted by this to test it or I can't resolve it

let me know

moving on to something else for now

gretai: flash GrapheneOS + lock bootloader again

and I'll have a new auditor version to test on both devices

working on it

gretai: can you submit a sample right now?

let me know when it's submitted

gretai: also which device do you have specifically

ok

ok

meh

I don't see what's wrong

I'm not seeing gretai's messages. It's essentially a monologue by strcat[m]. Am I doing something wrong?

doesn't look like it

don't know why it's not working for you

gretai: it's an australian pixel right?

oceanic model or w/e

want to make sure I'm looking at the correct sample

paintedman GlassROM-devices/device_google_coral f5bf6b7

yeah afaict the root is fine

Test this on your pixel 4 xl it might fix half of the issue on the issue tracker

gretai: okay well

I took the submitted sample

and it doesn't pass verification

07-14 11:42:59.346 10611 10611 E AttestationProtocol: Caused by: java.security.cert.CertificateException: error:1a000064:ECDSA routines:OPENSSL_internal:BAD_SIGNATURE

Is the Graphene off topic on matrix?

gretai: no

gretai: the TEE samples pass verification

StrongBox (i.e. secure element, which is the Titan M on a Pixel) does not

yes

there are 2 keystores, the traditional one is TEE

we use StrongBox on devices where it's available instead

on Pixels StrongBox is provided by the Titan M

gretai: so your device passes attestation checks with the TEE keystore but not the StrongBox keystore

alex-resist: I don't see them either, just a matrix irc bridge issue.

gretai: seems like a bug though

gretai: can you flash the stock OS and see if it fails there too?

since Auditor can also verify stock

that would be useful

<strcat[m] "gretai: can you flash the stock "> What if we just ship him with 11 firmware?

I don't know why it's failing

it seems like his Titan M is broken

Or he could flash just the firmware part from 11?

he flashed the firmware already

afaik it's the OS that updates the firmware on the Titan M anyway

it gets uploaded from the OS

yeah that's right, the OS does it

anupritaisno1: I don't know what the issue is

but it seems like his Titan M has broken firmware

strcat: has he tried the recovery wipe that I suggested?

Is Android 11 based GrapheneOS already in the works?

Good night

theultron: no but you can help

Actually I don't own a pixel device.

* Actually I don't own a pixel device. My device is not compliant for GrapheneOS.

theultron: doesn't matter

You can still contribute

There's a bunch of ROM stuff that you can help in

Go on

When entering fastboot

One doesn't need to go enable adb. Just press off and down button

power and down button rather

Going to fastboot from adb sometimes screw things up

Have you tried fastboot --devices

Oops, without --

fastboot devices

That's what's only needed

As long as fastboot finds the device it's fine

(More or less)

(But you said you reflashed though, so there could be some issues now)

I assume fastboot is updated?

Just an idea though. How about trying to reflash now

Maybe now it got to fastboot directly, it'll flash without problems

(From what OS do you flash)

On what OS rather

<orbischlorbi[m] ""from what OS" you mean the vers"> Is your OS updated? Maybe you may want to reflash stock factory OS first

then remove custom avb key?

then reflash grapheneos to fix some components?

orbischlorbi: they are asking what OS are you using on the computer that you're flashing the phone with

Maybe others have better experience with this error, just trying to read what's in thr error

Is super_empty.img always in the flashing process though?

<f8sai[m] "Is super_empty.img always in the"> (Just asking, I somehow forgot, on successful flashes)

<orbischlorbi[m] "will try"> Stock factory img from google itself btw

Some Question about Seedvault if it says "App doesn't allow backup" does that mean the data is not saved and/or will the app just not be saved?

<twitx[m] "Some Question about Seedvault if"> Data not saved, apk is saved

> Some Question about Seedvault if it says "App doesn't allow backup" does that mean the data is not saved and/or will the app just not be saved?

It means the data

Afaik

But sometimes on restoration it gets corrupted on newly flashed Graphene/Calyx

Okay, thanks for the Info.

f8sai[m]: if by corrupt you mean that app crashes after restore, can you tell us what app it is?

Tracking this upstream

<cdesai "Tracking this upstream"> ProtonVPN

And where did you install it from?

Aurora

Iirc

it ils available on fdroid

Can you comment on the issue? That doesn't appear to be using bundles

Will try registering

g65434-2: it became available on f-droid recently. f8sai might not have been aware, I think.

Not exactly, just using github apks which have same sig as aurora

So I use aurora store apk

<anupritaisno1[m] "paintedman github.com/Gl"> Ok, thank you! I'll test

maybe your cable is bad.. or your serial port is bad. try to use a different usb port and a different cable

it shouldn't randomly fail in the middle of flashing, unless there is trouble with the usb port or cable

maybe the phone's storage is defective?

could try booting into recovery and then installing a full ota

fastboot has a 'start recovery' menu item, scroll using volume

download then, and adb sideload it.

<orbischlorbi[m] "recovery does not work, it says "> You have to boot into bootloader first then you can change with the volume buttons to recovery mode hit power and your in

Adb ist to use while your system is booted.

Fastboot is to use in bootloader

And in recovery for adb sideload

* And adb is for sideload in recovery

helped someone yesterday in this same situation. When you get back into bootloader, double check that it isnt locked. that was the case yesterday even though it had been unlocked before a bad flash. But crueltekk is right. pwr + Vol down

Is there really no way to use a passcode when closing the phone and its on standby mode?

Is the only way possible via fully restarting the phone? What if i just want to have double of the codes one when i restart and one when its on standby mode?

Who knows the answer to help me out ill pay for it

peter93: if you want robust device protection the ideal option is to reboot

peter93: not clear what you're talking about / what you want

feel free to work on GrapheneOS/os_issue_tracker #28

original filed in 2016: AndroidHardeningArchive/legacy_bugtracker #451

no one has ever even done basic initial work on it

so clearly interest in that is very low, sadly

peter93: if you set a passphrase as your lock method, that's what's used to unlock - really not clear what you mean

I think he means... Having two passphrases. Perhaps a more "secure" one at boot, then a more "convenient" one when using the phone?

0/

from the 3rd generation of pixel phones what would be the one to get for the best support?

<SchismXL[m] "I think he means... Having two p"> Couldn't a fingerprint be the "convenient" one? You would still need to enter the passphrase after boot

SchismXL: and I suggested looking at GrapheneOS/os_issue_tracker #28 and AndroidHardeningArchive/legacy_bugtracker #451

SchismXL: but I didn't really understand what he meant, just a vague idea

Will take a look, ta!

. ¦3<RELATIVISM: grapheneos.org/faq#recommended-devices

<I3^RELATIVISM "from the 3rd generation of pixel"> ^^ ?

<strcat[m] ". ¦3<RELATIVISM: graphen"> yeah I already looked at that page

but between 3rd generation\

which one is use for development xl astandartt?

. ¦3<RELATIVISM: the 3a and 3a XL were released later than the other 3 series, which may indicate they will have longer official support. Big screen? 3a XL. Smaller screen? 3a. Choose your poison.

sounds good cheers

what is the result of `fastboot --version`?

RedNovember: verified?

I've been unable to verify the package

when I do fastboot --version it outputs: fastboot version 30.0.3-6597393

* I've been unable to verify the installation file

That version is recent enough to pass the check in the script. Are the platform tools in your path?

RedNovember: check if the platform tools folder is somewhere when you run `echo $PATH`