if you are in the bootloader, adb doesnt work because you are in fastboot not the android os

* [correction] if you are in the bootloader, adb doesnt work because you are in bootloader not the android os; fastboot works in the bootloader

how do i get back out of here so i can retry from the beginning of the instructions?

turn off the phone and boot to the bootloader

step 1

close all your windows on your computer

there is no way to backtrack, if you messed up. you have to start from scratch

step 2

open up powershell

if you are not in the home directory, you need to change the directory to Downloads

make sure you dont have anything in there so we can avoid confusing you

cd ~/Downloads

*i do this when helping troubleshoot so that way we are all on the same page and avoid misunderstandings

some peoples home directory is full of stuff

ok 2 seconds

step 3

install the platform tools again grapheneos.org/install#standalone-platform-tools

* [correction] download the platform tools again grapheneos.org/install#standalone-platform-tools

sorry, i'm completely new to all of this, including powershell etc

thats ok

i open powershell and type 'cd ~/Downloads'?

just get in the habbit of if something messes up, just start over

yes

the PATH part is what gets most people

the PATH is temporarily set, so if you do something wrong or open up a new shell thinking itll work because you followed the steps

then thats the issue most of the time

ah, i've already re-downloaded everything. so i should type the path into powershell of where platform tools is?

like this? ' C:\Users\NAME\Desktop\Phone\platform-tools '

why would it be downloaded there

i asked you to download it to the Downloads folder

ah, will do that now

please follow the steps

im being redundant on purpose to avoid confusion and collisions with your past downloads

ok so i have the rom and platform tools in my downloads folder

in two seperate zip files

please delete the factory-images

it should only be the platform tools in there

done

run `fastboot --version`

'astboot : The term 'astboot' is not recognized as the name of a cmdlet, function, script file, or operable program.

CommandNotFoundException

you typed: fastboot --version

and that happened

??

yes

you ran this command before: $env:Path = "$pwd\platform-tools;$env:Path"

no

i cant help you if you cant follow the instructions from the website

sorry, i was following a video from youtube as the instructions on the site were hard for me to understand. as i said, i've never used cmd or powershell etc

you need to do everything here, i am only here to guide you if you get stuck or dont understand what to do next

stop using the video, its what messed you up to begin with

i'll have another attempt at the instructions on the website and come back with any questions, thanks

please dont use the videos, they all do a poor job of explaining the instructions

okay, managed to get 'fastboot version 30.0.4-6686687' returned

So is it workin now?

no, phone still shows no os

i'm unsure whether i should continue through with the instructions or if there's something else i need to do as my phone isn't running an os currently

the OS isnt showing because you havent flashed the factory-image again

ok will try that now

follow the instructions on the website

I've used graphene as a dd since the copperhead fiasco and I just want to say thank u daniel and all who have contributed. it's wildly easy to install and use. The OTA updated have made it a breeze.

strcat

when i run './flash-all.bat' i get '< waiting for any device >'

* I've used graphene as a dd since the copperhead fiasco and I just want to say thank u daniel and all who have contributed. it's wildly easy to install and use. The OTA updates have made it a breeze.

reading through the context of my post, and i couldn't have picked a poorer time to say that lmao

lol no problem, it gives me hope

glad to hear it. when I've flashed two devices with graphene, including my current 3a. If you mess up, you can always start from the top and try again. if you're still stuck later i can pop back here tomorrow and help during work lol

* glad to hear it. I've flashed two devices with graphene, including my current 3a. If you mess up, you can always start from the top and try again. if you're still stuck later i can pop back here tomorrow and help during work lol

thanks, i imagine i'll still be here

wow, i managed it

Test

How does grapheneOS mitigate the attack vector edl presents?

I.e. can grapheneOS stop exploits from edl, or atleast, refuse to boot if it somehow realizes its been exploited

Idk how to word this, since im not really a a phone nerd, but I believe that edl presents a significant security risk, so I was wondering if GOS has measures against i to

* Idk how to word this, since im not really a a phone nerd, but I believe that edl presents a significant security risk, so I was wondering if GOS has measures against it

As I understand it (could be wrong here). EDL mode to dump NAND requires you to decrypt the resulting image afterwards, which with recent Pixels isn't possible with past methods.

(in the context of data extraction)

(Been a while since I've looked into this)

Yeah it is not an attack vector

<Vappy[m] "I.e. can grapheneOS stop exploit"> persistent attacks wouldn't work against a Pixel unless you hacked it badly

Wdym by "hacking it badly"

Titan M enforces the boot integrity. Google offers $1,000,000 in bounty for persistent attacks against it.

the much easier attack would be to swap out your phone

and give you another that steals your password and phones it home

then use that to open your device that they kept

if they were able to exploit the system they would still need to break the encryption

assuming they can't bypass the hardware timer

you are looking at up to 650 years to crack a truly random 4 digit PIN

<cn3m[m] "Titan M enforces the boot integr"> Titan M chip makes sure you cant flash a modded bl right

<Vappy[m] "Titan M chip makes sure you cant"> Yes(ish) standard feature with the Qualcomm TEE on Android

Titan M expands and strengthens the stock Android security features

Ah alright

So its not possible to flash a modded BL throgh edl, atleast not on pixel devices

If I got rhag right

* If I got that right

What are the chances you can backdoor or exploit a Pixel vs a Pinephone?

GrapheneOS will not accept and update without it being signed by strcat

Titan M also enforces user consent for firmware upgrades

<Vappy[m] "So its not possible to flash a m"> correct unless you wipe it first

I don't get how Pinephone doesn't meet security features, of something like Pixel, OS security issues aside of Linux vs Android

<d64qoc8432li8p9o "What are the chances you can bac"> Pinephone is much more likely to be backdoored in transit due to lack of verified boot

you could replace the OS and still not be sure it is untampered with

<cn3m[m] "Pinephone is much more likely to"> This is important. Many OEMs in the past have faced such supply chain issues.

Pixel has none of these issues and pushes it further. The Titan M security chip can't load firmware without user permission so even with Google and GrapheneOS fully cooperating with whoever wants to break into a seized phone they would be sore out of luck.

<theultron[m] "This is important. Many OEMs in "> If I am a government I can intercept the package too

<d64qoc8432li8p9o "I don't get how Pinephone doesn'"> A security research from Whonix went into a deep dive madaidans-insecurities.github.io/linux-phones.html

PinePhones have a deeply flawed security model and no developer team

they use Allwinner CPUs which lack the rigor used on seriously privacy and security focused SoC makers(pretty much just Qualcomm or Apple)

@d64qoc8432li8p9ouijtv:matrix.org: please read the FAQ

<strcat[m] "@d64qoc8432li8p9ouijtv:matrix.or"> I partly read the one where it doesn't meet the security standards

IOMMU configuration, SoC CPU exploit mitigations, full firmware upgrades, the hardware encryption support, verified boot, anti-tampering if you care about that aspect (an iPhone is better in that regard), etc.

read the FAQ as your first step

read first

I am not sure what's unclear

grapheneos.org/faq#future-devices covers the basics but of course it's a complex topic and Pixels have a ton of work put into security to make them how they are

you don't get that simply as a baseline especially with an SoC not meant for smartphones or focused on security

strcat: May be there is a need of a graphical faq?

and especially when not set up to use the security features that do exist

hardware and firmware security matters as much as the OS

<theultron[m] "strcat: May be there is a need o"> no if you can't read an FAQ this is probably not the project for you to use

my opinion of course

need to read the FAQ before posting topics here

Those security requirements in the FAQ are there for very good reason

koolpepsi: please check the log

new users can't see the history in this room

though it is logged on the irc side

You're welcome

Ah, you didn't see the answer...

<CoffeeWhore[m] "You're welcome"> Well, there are logs here...

If anyone has any questions not covered in the FAQ, the chatlogs, check redditcommentsearch.com

searching a word topic and "DanielMicay" will do the trick

(My fault for not reading the FAQ fully, but I was curious what was missing besides the security model (which is clarified there) on Pinephones)

if something is offtopic join our offtopic chatroom(includes discussions of security and privacy outside of the scope of GrapheneOS)

<cn3m[m] "correct unless you wipe it first"> Making flashing anything through edl basically worthless on a pixel phone...

<CoffeeWhore[m] "You're welcome"> freenode.logbot.info/grapheneos

* Making flashing anything through edl basically worthless on a pixel phone...

This makes me wonder, is the Titan M googles implementation of the security enclave on iPhones? Better or worse?

you're making the Titan M sound like an indestructible shield and im a bit skeptical, although I dont know too much about it

Vappy: The Secure Enclave has a very strong track record and is over 7 years old and very well documented. It is probably to early to compare the Titan M definitively. Though the Titan M matches it on feature set and has had no issues so far

Consider them comparable

You will not lose anything to my knowledge using the Titan M instead

1 mill to any bugs found on the Titan M chip

Im assuming the dark web pays 10 times as much

Not saying you should fork it over to malicious parties, just trying to find a way to compare the prices in my head

Apple gives a quarter mill to any security bugs on its phone, but the dark web pays 4 times as much

For any grey hat who knows what they're doing, they'd brush aside the Apple reward for the larger one.

<Vappy[m] "Apple gives a quarter mill to an"> Apple gives $1 million and up to $1.5 million

IMO, the "<company> awards x cash to any security bugs" isnt really a talking point for the chip. It just seems like a confident claim

Google is similar

But yeah, I see the point you're making

<Vappy[m] "IMO, the "<company> awards x cas"> Maybe if exploit was found in the wild

Oh I can see that

Google has consistently shown they are the only vendor that cares about competing with Apple. Apple has been doing it longer sure. Though ever since the Pixel 2 hardware has been getting really close

this is quickly leaning off topic though

this comment from last year covers the topic of iOS vs GrapheneOS the best you will likely get

it is still relevant as the XR and Pixel 3 are still roughly equivalent to the latest versions

<cn3m[m] "Google has consistently shown th"> Yeah definitely, most other vendors will just lock the bootloader, give a statement about security and call it a day

After reading about the chip, im becoming more tempted to throw away my current device in favour of a pixel 3a/4a/Xa but i like to use my phones until they are no longer usable

At the bare minimum Pixels, iPhones, and Samsung Galaxy(S line and phones only) are the only devices that consistently patch on day one. Day 1 patches are an extremely basic first step for phone security. Only 2 1/2 out of hundreds of brands even try

* After reading about the chip, im becoming more tempted to throw away my current device in favour of a pixel 3a/4a/Xa but i like to use my phones until its at its the end of its lifetime

<Vappy[m] "After reading about the chip, im"> probably should switch this to offtopic

do you need an invite?

<cn3m[m] "do you need an invite?"> Nope, already there ty.

A reminder to everyone. This is for GrapheneOS topics. If you have a GrapheneOS topic this is the place. If you have a non GrapheneOS related topic then it goes to off topic.

I made a different user, but everytime I download something from vanadium it disappears. I don't understand what I'm doing wrong.

I click the download button after asking where to save and the box just disappears w/o doing anything.

So just to clarify: I push this button, the screen disappears but nothing happens.

The profile is useless like this because I can't install anything.

Have you allowed the browser to access storage?

I have toggled this on and off although I also read somewhere it shouldn't actually make a difference. It does download webpages, and the cache seems very high like it somehow does contain the apps I downloaded.

Can't really tell

Well, maybe use the release time of 3a and when was 3a supported

But the difference is there is a need for new maintainer so...

<fabilola[m] "I have toggled this on and off a"> OK, I made another user profile and now it works somehow, thanks for the help.

Yeah, theres no way to know when 4a will be supported

Just a reminder that it took 8 months to support Pixel 4

Checked it quicksies

Needs someone to step up as a maintainer, and as far as I know, nobody has suggested they want to do this

3 years is what Google guarantees

Devices could get longer

<dazinism "Devices could get longer"> Not too hopeful about that

Pixel got an update 2 months after guarantee

Only 4 months security update extension on Pixel

Pixel OG

<dazinism "Pixel got an update 2 months aft"> October 6th 2019 which they launched in December right?

<d64qoc8432li8p9o "Only 4 months security update ex"> it wasn't even that

Think there was a pixel tablet that got update 6 months after guarantee

Pixel C?

Cant remember, maybe?

I think the Sony camera is the issue

<cn3m[m] "I think the Sony camera is the i"> Hmm... Why Google don't they make their own camera

We don't talk about Pixel C here (no custom avb)

Was just suggesting that support can and does go longer than guaranteed period.

<dazinism "Was just suggesting that support"> It does, but too short

on the other hand it really doesn't make a whole lot of sense for GrapheneOS to support devices as long as Apple

Android has to use backporting to old kernels

Binder is a missed patch for the Pixel 2

cn3m: think the last updates for Pixel were they got October, missed November, then surprisingly got December update

<cn3m[m] "on the other hand it really does"> I blame the upstream support (stock Android support and closed components)

Android is not setup in a way to be supported as long especially 2+ years. The Pixel 2 is on an older kernel it has no CFI, no ShadowCallStack, etc

<cn3m[m] "Android is not setup in a way to"> So they had to use mainline kernel instead?

To actually have longer support?

Stuff is backported

just follow nitter.net/spendergrsec to see why backporting is a bad idea. The longer back you go the worse

All android kernels are 'old'. A load of work goes into doing the backporting

Odd that they prefer old kernel

Dont think theres any other way things could be done on android/Linux as getting support for new hardware into kernal takes too long.

Hopefully I'm not explaining it wrong.... they use kernels with long term support, patch them to get them to work with hardware, strip out unnecessary stuff. It all takes time

As theres no mainline support, new kernels break stuff, so they have to keep the device on the kernel it is launched with

Some projects / devices attempt to get support for android device hardware into mainline

It takes years

Even with mainline support moving to a new kernel can break stuff

Being on an older kernel isnt all bad. New kernels introduce more complexity and potential bugs. Older kernels have had more time to shake some of them out. Theres a reason grsec isnt based on the latest

dazinism: yeah you are right

backporting sucks

and it really doesn't work well

but it would do more harm than good switching as updating would take even more time

probably

this is the talk to watch if anyone is interested

slides if that is your thing

nitter.net/spendergrsec/search?f=tw…eets&q=backport&since=&until=&near= running a backports search on @spendergrsec shows how bad this can be

<dazinism "Being on an older kernel isnt al"> though grsec does do their own backports and they have bypassed a ton of these issues

and Android and GrapheneOS do remove a bit of the bloat

so newer kernels are pretty much a net positive

For example the oldest phone to get an update this month from Apple is the iPhone 5s. 7 years old like the Nexus 5. The iPhone SE has the JIT hardening support in the CPU, it has the SEP, and it has secure biometrics. It has been well updated for years.

If Google was still supporting the Nexus 5 with Linux 3.4 that wouldn't be pretty. Even with GrapheneOS patch sets.

Yeah, most everything is a bit crap. Just have to accept best efforts. Androids use of Linux is the weak point. Thankfully due to the way everything fits together still we have some pretty damn secure devices

dazinism: And with only 3 years of support that is totally fine I think

Apple is in a very unique position they were many years ahead on the hardware security front. They don't have backporting issues. They have very high marketshare per device. It is just not a fair comparison or even a good idea to compare the support right now

hopefully that changes if Google marketshare grows, mainline kernels get introduced, etc

Pixel 3 already has solid security features in hardware

Yeah. Guess if it wasnt for firmware security updates ending then the work on getting support for hardware in mainline could lead to more sensible longer support

yeah the other factor is Apple makes their own chips now

so the devices you see being supported for a long time

all A7s and whatnot

Google having their own chips, mainline kernels, and higher marketshare would be the key pieces

all three are current goals of the Pixel team

I guess with android devices it's economics, theres so many, and I dont imagine any are selling comparable volumes to iPhones.

So not as many resources to put into long term maintenance

But interesting that Samsung is now doing 4 years of security updates on their flagship

<dazinism "But interesting that Samsung is "> false and misinfo

please don't repeat that here

Oh, soz

they offer quarterlies only for the 4th year and it is exclusive only the the S line of phones

<dazinism "Oh, soz"> no problem man

non S line phones

so A series, M series, and the S series tablets only get 3 years of quarterlies

90 day patch times are horrible of course

Guess its kinda 4 years... just really not very good in the forth

<dazinism "So not as many resources to put "> But they get an OS delivered for free. That gotta save some resources.

on a minority of their devices and yeah it is not secure

it a roundabout way it kinda is 4 years I guess

Still its interesting they decided to offer longer update period (even if crap)

Samsung is the master of making their updates look impressive. Breaking embargo. Quarterly updates. Inconsistent support times

they are incredibly manipulative

<cn3m[m] "on a minority of their devices a"> Nothing is secure. GrapheneOS is not secure either.

<dazinism "Still its interesting they decid"> probably since they make their own lens, they use Qualcomm and their own chips only, and it looks good in the news(even if it is extremely misleading)

<d64qoc8432li8p9o "> <@djee737ejdd:matrix.org> Noth"> It indeed does. Something can be more secure or less secure compared to something else.

secure is a relative thing, but this is quickly drifting off topic

dazinism: sorry if I came off rude by the way. Just tired of these marketing ploys

I didn't mean tot be

If your threat model is an adversary with more than an million dollars, iOS isnt secure. If they got less, iOS is secure.

No sweat.

All fine

Because then they can just buy an exploit.

<djee737ejdd[m] "If your threat model is an adver"> Well yeah, try gaining persistence on iOS

<djee737ejdd[m] "If your threat model is an adver"> though free github exploit pwns Samsung. Multi-million dollar exploit pops iOS. Huge difference

<d64qoc8432li8p9o "Well yeah, try gaining persisten"> For one million dollars, you can. Exploits are being sold.

<d64qoc8432li8p9o "Well yeah, try gaining persisten"> if you are willing to throw millions you probably will at least until the next update

<djee737ejdd[m] "For one million dollars, you can"> well more than 1 million but again incredibly offtopic

move it to the other chat

<cn3m[m] "though free github exploit pwns "> I just stated than if something is secure, depends on your threat model.

<djee737ejdd[m] "I just stated than if something "> objectively security has to be relative

<cn3m[m] "objectively security has to be r"> Indeed

<cn3m[m] "objectively security has to be r"> Yeah

The off-topic chat should be in the description. A lot of people don't know that it exist and therefore this often goes off topic.

<djee737ejdd[m] "If your threat model is an adver"> No sir! I will spend 2000 USD to hire some goons to beat the shit out of you. 99.9% chance is that you will reveal your iOS pin or whatever device you got.

just recently there was a 1day for Chrome(which is delayed a few days on Play Store usually) on github. Assuming it works on the Android version you probably could find an android exploit on there that works on a Samsung A50. Then you use the root access to install an accessibility service. You get essentially a free exploit chain to persistent spyware. It is rare that the stars align like that, but possible. That is

night and day to something secure

Yeah could be useful. Although I'm not totally sure offtopic is an 'official' graphene channel. Folks get directed there pretty quick if chats veer off

<theultron[m] "No sir! I will spend 2000 USD to"> People like Snowden are under 0.1% where you need to buy expensive exploits to find out the whereabouts.

<theultron[m] "People like Snowden are under 0."> He is not the kind of mastermind people make him to be. He just uses Qubes OS and an dump phone.

djee737ejdd[m]: already in the topic

if people cant control themselves, i can step in to help control them

<renlord "djee737ejdd: already in the topi"> Is the off topic linked or what do you mean?

djee737ejdd[m]: mentioned in the topic

Namespace Channels offtopic: #grapheneos-offtopic"

<renlord "djee737ejdd: mentioned in the to"> I'm not quite sure what we're taking about, but sure

does it not show on matrix?

<theultron[m] "No sir! I will spend 2000 USD to"> Yeah but why?

Please come over to off-topic.

d64qoc8432li8p9o: this is your last warning

<renlord "does it not show on matrix?"> No

Yeah, deleted here

I was reading the Vanadium build instructions and...

im not a moderator on the matrix side so i cant fix it

Is depot-tools dependency needed to be installed first?

d64qoc8432li8p9o: read the chromium build instructions

and install dependencies required for chromium

Offtopic not mentioned in description in matrix

dazinism: sad :(

Showing for me.

hmm ok

odd that people repeatedly suggest that its not there

maybe not on mobile since its so long

Sorry I'm completely new to building stuffs

<renlord "maybe not on mobile since its so"> Actually, I do see it in Fluffychat, just not in Element. Guess for some reason the description in Element hasnt updated yet.

Imagine it'll be there for new folks that join.

hello

Any idea why would I get a failed signature verification when I try to install over OTA even thou it worked a week ago and now I downloed the file many times over and tried from 2 different laptops and every time I get the same error. I managed to install the version with the script but I haven t checked the signature.

I need a little help

fetch doesn't work on Ubuntu

`fetch --nohooks android` results to

`Command "fetch" not found...`

sudo apt install fetch

I would not ask if it was as simple as that

Maybe I forgotten some python dependencies let me check

<d64qoc8432li8p9o "I would not ask if it was as sim"> Sorry, it was the first thought. Maybe an issue with PATH?

<trismous[m] "Sorry, it was the first thought."> I did the PATH already

<trismous[m] "sudo apt install fetch"> It ends up in an error by the way

And have Python installed

Sorry for the questions

I have like 0 experience in this

Hi all, just wondering with the pixel 4 having a neural chip instead of visual does grapheneos still support the built in hardware HDR+ processing?

does anyone have details on what pieces of non-OSS are included in grapheneOS for the pixel devices? the FAQ says that these devices are recommended because of the "best firmware security", but I assume that cellular data and wifi still require non-free drivers, at minimum.

mvdan: the baseband is the big 👾

hi, does someone know how long it'll take to update fdroid? I can't download any apps

stewjes: a few minutes



Hey all curious if anyone has used jmp.chat with grapheneos? Currently trying it out and running into some problems receiving and making phone calls, curious if other folks ran into problems and fixed it

alex-aN -soto No but you can get them to route calls via xmpp/conversations, which sounds interesting. You tried that?

Found that I get notifications pretty quick when using conversations, so suspect it may work well for call initiation

dazinism:

For US folks jmp.chat looks like it could be a real nice service, especially if calls will work reliably

dazinism: I just set-it up to route calls, still no quite working for me, not sure if it's grapheneos, the SIM provider I'm using, my wireless provider at home, or if it's a step where I don't something quite configured correctly. Text messages sending and receiving works great

Kinda in a weird place where I can use the twinkle client on desktop make calls but cannot receive calls, and then when using the pixel3a with graphene I'm able to make and receive phone calls when I hit "answer" the call ends..

Thats using SIP

?

You using the built in android SIP stuff?

dazinism Yeah, using the built in android 10 SIP

Heard some folks have had more joy using an app for SIP (not on GrapheneOS)

Think maybe it was Linphone

Linphone was a pain in the ass to get working

Going to try again with it

<alex-a-soto[m] "Linphone was a pain in the ass t"> Not sure if you are doing SIP but just to let you know, have started using Sipnetic with my VOIP account recently and am extremely impressed, 100%. (GrapheneOS)

Wow....

brenneke: Thank you so much for suggesting sipnetic, worked right away without any problems, able to make and receive phone calls

Wow...