HELLO ALL MEMEBERS

Has anyone applied the microG cert spoofing patch?

Dylanger: no

Also anyone know how the OTA Updater server works? I can't seem to find any doc's on running the server

<renlord[m] "Dylanger: no"> I've applied them, about to build

Hello, anyone have a Pixel 4a who has flashed their device with GrapheneOS? If so, how has it been working for you?

Commits aren't signed ☹️ - only the manifest repo is signed

so what if commits are signed, when was the last time people checked commit signatures?

or even bothered to verify if commits are correctly signed

Anyone know how this works? github.com/GrapheneOS/releases.grapheneos.org

?

yea, it works

how to set up your private release server is not documented

from the script, you can see its assumed that you have a `www-data` user and at the homedir you should have `html_a` and `html_b` and `html (symlink)`

Ah got it

Any idea why running a private release server isn't documented?

Just not enough interest?

if you're going to self-build, you're just going to use it privately for yourself

so what's the point of documenting how to setup a private release server?

<digitalfrontier[ "Hello, anyone have a Pixel 4a wh"> Going to build this now

Dylanger nice, hopefully it works well for you. I flashed it this morning, just about everything pretty much works like it should. Only issues I have seen were with the default SMS app and F-Droid. Upon launching the Messages app, I got a message which read "this app was built for a previous version of Android..." Same with F-Droid.

I was able to install apps from F-Droid just fine regardless, but went with Aurora Droid instead which gave me no errors. There was also some weird graphical issue with F-Droid, hard to describe. Between switching to different screens within the app the screen would go black for a beat and then load whatever content needed to be loaded. Almost like a lag for loading content? In any case, I did forget that for

whatever reason dark mode isn't universally applied. That is to say, to all stock apps. Just the settings related things in GrapheneOS. Other than that pretty happy with it on my Pixel 4a.

Long story short, no major show stopping bugs on Pixel 4a.

renlord[m]: commit sigs could be useful in court cases :p

that itself is a can of worms

maybe

yea lol

non-repudiation is often disputed

since key management is a dark art

How is Daniel managing key right now?

Anyone know?

Does anyone know where the production builds take place?

yes. Daniel's computer

Ah cool, so not some VPS/server somewhere

and then he signs then with his keys

of course not a random VPS

Okay cool

Does `OFFICIAL_BUILD` do anything else aside from disable/enable updater?

<Dylanger[m] "Does `OFFICIAL_BUILD` do anythin"> Yes

<digitalfrontier[ "I was able to install apps from "> Fdroid is just a very buggy client and is not really recommended

<anupritaisno1[m] "Yes"> Do you know what specific?

> <@anupritaisno1:m.apex.to> Yes

* Do you know what specifically?

<Dylanger[m] "Do you know what specific?"> I believe you've already seen it yourself

I want a user build, but don't want the updater

If `OFFICIAL_BUILD=false` is enabling other debug features I need to know about it

Just don't set it at all

anupritaisno1 do you personally use another method to install your apps? Perhaps grabbing the apks straight from the source or a site like APK Mirror?

F-Droid

Aurora Store

> Aurora Store 👌

I installed Aurora on a second User. Cause of the apps

Aurora is really nic

* Aurora is really nice

Has anyone managed to get an eSIM LPA working on Graphene?

Guess there aren't any open source LPAs

<Dylanger[m] "Has anyone managed to get an eSI"> IIRC, no

Ah, Aurora Store is nice. No doubt. I try to rely only on FOSS apps though. The only app I have from Aurora is my banking app and Here We Go maps, no account. Don't @ me! But OSMand is just not good IMO.

*apps

If using OSMand, is one of the biggest problems that you don't have street numbers and there are fewer POIs than in other apps?

Usability is one thing but yes also just finding places even with the map for my area downloaded.

Also the limited voice navigation with no TTS installed.

Minor gripes, sure, but in the end OSMand isn't my cup of tea for navigation.

It's been a little difficult trading in Waze, which was my old "go to" for navigation.

The "Force 90Hz" option is missing on the Pixel 4

I hear you. A maps app is that one thing that just needs to be a great experience in all aspects. Google Maps is insanely good, Waze too. But we all got away from old Googs for a reason, right? It's just too bad we don't have a FOSS alternative that can match those two apps yet.

<renlord[m] "so what's the point of documenti"> It's not possible to update via fastboot when the bootloader is locked, so without your own Release Server, you can't re-lock the bootloader with your own fork/version of Graphene

(YELLOW State)

you can relock the bootloader with your own build

if you sign with your own custom key

all custom keys will yield the yellow state

including daniel's

How do you do updates then?

Without a release server?

* Without a release server/updater app?

`adb sideload OTAPACKAGE` ?

🤔

actually dont use that

<renlord[m] "actually dont use that "> That's the correct way

i was just unsure if you needed to unlock bootloader or not

i've never done it myself

<Dylanger[m] "The "Force 90Hz" option is missi"> Yes. We don't ship that weird app

You know what it's called?

I'll RE it and see what it's actually doing

So we can implement it properly

If screen brightness is low, it'll always stay at 60Hz

Meaning shitty scrolling of twitter in bed

with faster refresh rate, would i enjoy scrolling twitter more?

🤔

You tried on 90Hz? It's butter smooth

no i havent

<Dylanger[m] "So we can implement it properly"> We are not implementing it

That app has several dependencies on code not publicly available in AOSP

And it just repeatedly crashes

I don't mean add the app, if you give me the name of the app, I can figure out what it's actually doing to force 90Hz

It'll be a prop or something

ty

Ah neat, I'll prob just force 90 on my own dt

Pixel 4a is smoothly running 👌

Great job with the documentation

heh

Glorious notifications

Nice! The thing that surprises me most is battery life. It was already impressive stock but on GrapheneOS the battery life is bonkers.

Are carrier variants still a concern on `Pixel 4` and subsequent models?

I don't have many apps aside from the stock apps though. Literally just 11 more.

<anupritaisno1[m] "That's the correct way"> So `adb sideload` is a go? lol if I relock and can't update I have a ~~brick~~ shipment to Google

> <@anupritaisno1:m.apex.to> That's the correct way

* So `adb sideload` is a go? lol if I relock and can't update I have a ~brick~ shipment to Google

* So `adb sideload` is a go? lol if I relock and can't update I have a <del>brick</del> shipment to Google

<nsgl[m] "Are carrier variants still a con"> If you can figure out a way to unlock them, go ahead

There's no real hardware difference between a carrier and a normal variant

<nsgl[m] "Are carrier variants still a con"> I think that is still a problem...namely Verizon versions.

<Dylanger[m] "So `adb sideload` is a go? lol i"> Yes so don't turn off OEM unlocking

Turning it off really doesn't give you much security on graphene

Anyone can reset the phone and turn it on again

Ah right, good point

Yeah it'll reset if anyone `flashing unlock`'s it

And unlocking the bootloader resets the phone anyway

Now to test GMS/FCM notifications

Is ccache dead?

Wasn't used at all during my build

I can bytepatch vendorRIL now lol

<Dylanger[m] "Is ccache dead?"> Useless

Fair

Yaaaas

Threema notifications are working 🎉

And ProtonMail

💦

<anupritaisno1[m] "There's no real hardware differe"> What I meant is whether I still need to be careful not to accidentaly buy one. I'm in europe currently looking to get a second/new phone (4 or 4a) and aim to avoid the headache.

Good seller communication and reputation are usually good signals that you're getting what you want.

wut, protonmail requires play services?

that'd be ironic

protonmail.uservoice.com/forums/284…0against%20privacy%20and%20security.

LOL apparently so

very ironic, indeed.

i suppose users without play services can use IMAP/SMTP configurations on their MUA

wow

lol wut

you should just use a proper IMAP email client with IMAP push

IMAP IDLE is push

Tutanota is good if you need an email service without GSF dependence. They have an app on F-Droid.

so a proper email client can do push as long as the server has IMAP IDLE support

But they are based in Germany which is a 14 eyes country.

the only way to use FCM would be if the server supports FCM... how many email servers support FCM anyway?

protonmail went out of their way to do push via Google instead of IMAP

Personally I use Ctemplar. Baser out of Iceland. Also on F-Droid.

*based

kinda like how i like to bendover backwards sometimes

renlord[m]: hmm?

Anyone here try the Experimental 4a release?

Yep. No major issues.

Only things, Messages complains about being based on a previous version of Android, dark mode doesn't apply to all stock apps, F-Droid will also complain that it's based on a previous version of Android. But as someone else stated F-Droid is just buggy.

I've got a 4a and would like to try graphene, I've been using calyxos so far, but I like grapene's security a bit more.

You might want to switch to a different gallery app. I wasn't a fan and apparently others have had bugs crop up on it?

For SMS I just use Signal as my default app anyway so the Messages issue didn't bother me too much.

Ah and where CalyxOS is still on Android 10 the GrapheneOS build for the 4a is on Android 11.

That's one issue yeah, I just chalk that up to calyx being a bit more conservative in their release schedule

Right. I do find GrapheneOS to be just as smooth as CalyxOS on my 4a. Generally speaking. I was on CalyxOS before too.

I'd used graphene on a 3a a bit back and loved it, but I got a really good deal to trade in for the 4a

[prestocaso](matrix.to/#/@prestocaso:matrix.org) yeah don't

And I've just been monitoring the scene since

Pixel 4a is amazing and it has no business being as cheap as it is.

Go and physically verify the device before handing the 3a over

anupritaisno1: not sure what you mean, sorry

Like check that they have the device

<prestocaso[m] "anupritaisno1: not sure what you"> It means exactly what I said

You must go there and verify the OEM unlocking toggle is working

ohhh

We have records where a seller sent a fake screenshot

To one of the members here

I traded in my 3a to google

Then it's fine

<prestocaso[m] "Anyone here try the Experimental"> It's so good

Dylanger: so the issues you've encountered are negligible then

Not who you asked but in my opinion yes. No show stoppers at all.

anupritaisno1: and thanks for the heads up BTW

Battery life is insane too.

But I'm a light - mid user, YMMV.

prestocaso: full security updates for Pixels aren't available for Android 10, it's not conservative to stay on Android 10

we had to put in a huge amount of work to migrate to Android 11 promptly

Flashed device at 8am with full charge. Now at 59%.

prestocaso: it's offensive to suggest that it's because we aren't careful

rather than we put in the work to provide a secure, up-to-date OS

<prestocaso[m] "That's one issue yeah, I just ch"> Not really

2020-09-05, 2020-10-01 and 2020-10-05 patch levels require moving to Android 11 since the device support code for Pixels isn't updated anymore for Android 10

Calyx has external dependencies on projects like lineage for their new base

we put in an enormous amount of work in September to migrate

We don't

digitalfrontier: sorry for the confusion, I'd seen Dylanger comment as well and I thought I'd get a second opinion

<strcat[m] "we put in an enormous amount of "> Also yeah that

No worries, lad!

* prestocaso No worries, lad!

if an OS targeting Pixels is not on Android 11 you should question how it can claim to be private or secure

and whether the patch levels are accurate if they are claiming to have the latest patch levels

strcat: I didn't mean to be offensive, I'd incorrectly used conservative in reference to their using things like microg for those that are new or need apps or services that rely on play services

I honestly didn't read what prestocaso as if they meant any harm either.

* I honestly didn't read what prestocaso said as if they meant any harm either.

NP!

Is there a big difference in security between the Pixel 3a and 4a? If i want graphene on it does it matter wich phone is better in case of security?

<redu321[m] "Is there a big difference in sec"> The 4a has more memory and storage and a bigger display.

And I believe more update support

yes, although I suppose with graphene that doesn't matter

> <@cubegame:matrix.org> The 4a has more memory and storage and a bigger display.

> In general, newer hardware is more secure, so the 4a is probably better for security.

❗️just looking on the grapheneos.org and it says 4a support is experimental

* yes, although I suppose with graphene that doesn't matter as much

Yeah nothing broken yet with me

Me too, working fine on the 4a until now

it doesn't make sense to get a 3, 3 XL or 3a at this point

if you get a 3 or 3 XL, be prepared to replace it in a year

we've been recommending only the 4 and 4 XL for a while now

and 4a is now listed there

Does the 4a have the Titan M?

Sure

<anupritaisno1[m] "github.com/GlassROM-devi"> Huh, this applied cleanly

<digitalfrontier[ "Only things, Messages complains "> Just a note that it is not unexpected that GrapheneOS warns you about apps that are targeting an old API level. That is fully as intended.

Alright installed graphene and so far so good. The only error is on the SMS app so far and I'm using signal instead so no worries

that's not an error

GrapheneOS tells you if apps target an API level below 28

it is not a bug or an error, it's an intended feature, as was explained above

AOSP does the same thing for API levels below 23, we increase it to match the requirement enforced for new apps and app updates by the Play Store

strcat: do you work on graphene, it seems like you really know your stuff

<prestocaso[m] "strcat: do you work on graphene,"> He's the main developer.

Daniel what hardware are you using to build on? Just like a laptop or?

a workstation

don't really understand the purpose of the question

Just curious is all

I'm in the process of getting a new workstation

and retiring this one from development work

Fedora Silverblue is good

Podman works a treat

That uses the new package architecture .tree or something similar correct?

ostree yeah

I'd looked at Fedora silver blue during the 32 beta and the potential seeming really cool. It was just a bit much for me

```

podman run --rm -it -v ~/Projects/AOSP/Graphene/ccache:/ccache:Z -v ~/Projects/AOSP/Graphene/ssh:/root/.ssh:Z -v ~/Projects/AOSP/Graphene/aosp:/build:Z --pids-limit=999999 c54f0ac2949 bash

```

Takes about 1 hour to build Graphene

AMD Ryzen 9 3950X 16-Core Processor, 64GB RAM

that's only for a clean build

an incremental build is much faster

you aren't doing clean builds every time for development

Yeah fair

Again, thanks everyone for the feedback, and thanks Daniel for all the hard work. I'm poking around post flash and this really feels clean and fast

Is building Graphene with 32GB of RAM borderline ok or borderline not ok?

read the documentation

16GB is adequate for building the OS with few jobs

it isn't adequate for building the Linux kernel

you need over 32GB of memory to build the Linux kernel with LTO

of course you could use any amount of swap and accept it being slow

alex-resist_ it's fine unless your CPU is too overpowered

strcat I have read it, it says 16 GB or more, and I just wanted to hear about some dev's experience with a certain amount of RAM

the documentation is written by the developers

if you trying to be productive doing many clean and incremental builds then I recommend a very powerful CPU with many cores and 64GB of memory

strcat ok thanks, that answers my question :) Currently I have a 32 GB machine, so it's somewhere in between

the memory is needed to support more jobs

32GB + 32GB swapfile should be fine for building the Linux kernel and it won't actually have to use much swap

32GB without swap probably can't link Linux with LTO

[alex-resist_](matrix.to/#/@freenode_alex-resist_:matrix.org) so I do like 64gb + 32gb ram/swap

I'll try with 32GB of RAM and 32GB swap on SSD. See how far I can get

With 20 jobs I can easily hit 50+ GB

Maybe I should buy a cheap poweredge workstation

Turn off all spectre mitigations.

Especially when it gets to the java part

my recommendation is to build with purchased parts

it depends on how much money you have to spend

Poweredge backdoored!?

<renlord[m] "Turn off all spectre mitigations"> BTW does this actually work

a lot of the spectre stuff is in microcode / hardware now

so you can't avoid the performance hit

I turned off all mitigations and I don't see an improvement of more than a minute

My old intel it makes a difference on ryzen not at all

I was planning on re-running `repo init` every new release/tag and update via `adb sideload`, can take advantage of incremental updates?

> Incremental updates shipping only the changes between two versions

if you're making production builds for actual usage, you should do clean builds

Can I still use incremental updates if I repo init'd with a tag?

read the documentation at grapheneos.org/build

Dylanger: sure but you shouldn't be doing incremental builds for production use

build documentation covers all this

I'll RTFM

for a production build you should clear `out/` as it documents before building

otherwise you can generally use incremental builds for development

RTFM is always good

if ppl had to trust root CAs vs. DNS root authorities, which one?

Root CAs

Correct me if wrong

[strcat](matrix.to/#/@strcat:matrix.org)

renlord: why not use DANE only for pinning and verify both?

Hmmmmmmm

Yeah

and btw we have DANE set up for the attestation.app, grapheneos.org and releases.grapheneos.org web servers

although it isn't used by browsers or most other kinds of clients

unlike the mail.grapheneos.org server where DANE is actually widely adopted for SMTP and is important for having TLS authentication at all (since by default there is no CA system unless you use MTA-STS which is like dynamic HSTS only)

dnssec adoption is not widespread yet though

and dane enforcement iiuc is opportunisitc

i.e. even if dane verification failed, emails still get sent in the clear

whereas MTA-STS has strict enforcement policy if the receiving server insists

not quite related to the trust factor, but there's that difference between mta-sts and dane at least

I am a bit worried about the auto update of graphene. What if Graphene chooses to do a update with some security leak, because a government for example is saying they need to do that. Is it maybe secure om not put your phone in auto update mode but to do i manually?

if i'm in charge of releases, you should be very worried

hehe

renlord: you're incorrect about how DANE works

"i.e. even if dane verification failed, emails still get sent in the clear" is not accurate

if DANE is present in DNS, it is enforced, in a proper implementation

redu321: your reasoning doesn don't make any sense

redu321: your reasoning doesn't make any sense

redu321: please read grapheneos.org/usage#updates and grapheneos.org/releases#about-the-releases

if you want to disable automatic updates, you're free to do that per the documentation

how are you going to be secure if you don't install the updates?

but you're free to have an insecure device if you want, you can disable updates and avoid installing them, or you can sideload updates, I don't see how it provides you any protection against an insider attack but you do you

renlord: opportunistic in regards to DANE means that if DANE is not present, it's not a failure, if it is present then it is enforced

renlord: DNSSEC makes it so that you can securely check whether a record is present, lack of presence is signed

so this is not a security hole in any way, it just means that servers not using DANE aren't unsupported

renlord: and DNSSEC adoption doesn't really matter - if a domain is using DNSSEC / DANE, it works fine

> but you're free to have an insecure device if you want, you can disable updates and avoid installing them, or you can sideload updates, I don't see how it provides you any protection against an insider attack but you do you

maybe a chance to audit?

* > but you're free to have an insecure device if you want, you can disable updates and avoid installing them, or you can sideload updates, I don't see how it provides you any protection against an insider attack but you do you

maybe a chance to audit before updating?

not sure though tbh

Look at the git history and reuse one of our old kernels and match the build date and number exactly

You should have identical builds

Only difference may be some bug in clang sometimes compiles some code differently. Though this is very rare

somenerd: you're free to use your own builds and "audit" changes

somenerd: I don't see what any of this has to do with the way the Updater UX works

if you want to disable updates, disable them

[somenerd](matrix.to/#/@lelmister101:matrix.org) I really recommend you run official

highly recommended to leave updates enabled

not my argument

just trying to see what he meant

somenerd: you're not making an argument, you made a statement that doesn't make sense

hmm

You could follow the instructions incorrectly and mess up unofficial and you won't have auditor support unless you run your own

strcat: Is there a way I can get an alert when there's an update? I guess just watching reddit

Now that I'll be manually updating

Dylanger: it just downloads when there's an update

[somenerd](matrix.to/#/@lelmister101:matrix.org) well none of those are real issues

Dylanger: twitter, github

<Dylanger[m] "strcat: Is there a way I can get"> Watch for new tags

👍️

ty

strcat: GrapheneOS/platform_packages_apps_Updater #14

no good?

:(

i think should nag if no update

following unix principles

renlord: it needs to be rebased

you have to open a new PR targeting the 11 branch

and rebase

oh no i got rid of gos-10

ok i'll do it some time

oh wait

the remote branch still exists LOL

anyway people need to read grapheneos.org/usage#updates and grapheneos.org/releases#about-the-releases

if you want to disable updates temporarily, follow the guide there

[renlord](matrix.to/#/@renlord:matrix.org) I can rebase it and send it if you want

I don't see any reason to change how it works, no one has presented one

anupritaisno1: sounds good!

i like how it works now

if you're getting your updates through Updater then that implies Updater downloading it, verifying the signature and installing it

if it works, it should just stay quiet

<renlord[m] "anupritaisno1: sounds good!"> Yeah I have a bunch of other changes I need to send for updater too

So if there's any changes strcat needs I'll do those in separate commits

Besides that code is pretty simple

I'm curious if there is any decent open source gallery app we could use instead of the legacy Gallery2 sample app

doesn't need that stupid filter stuff

which ones have you tried so far? just wondering

just basic editing (cropping, rotate, flip, etc.)

none, haven't found one that implements the required APIs and is permissively licensed

hmm

maybe improve the present one?

no one has expressed any interest in doing that

are you volunteering?

no, I can't as I have no dev experience

<somenerd[m] "maybe improve the present one?"> And who will do that?

yeah

didn't think that through

the sample Gallery2 app from AOSP has serious bugs and is essentially just a pile of legacy code gradually being stripped down as it rots awahy

* the sample Gallery2 app from AOSP has serious bugs and is essentially just a pile of legacy code gradually being stripped down as it rots away

github.com/SimpleMobileTools/Simple-Gallery switched to GPLv3 and then also started using a proprietary photo editing library so I think the days of it being an open source app are numbered anyway

it supports doing an open source build without that library

also I think it's in violation of the GPLv3

so yeah, it's problematic

wait what

<somenerd[m] "didn't think that through"> The problem is that there's more serious issues that need to be worked on right now

because it loads a proprietary library but yet the developer made it GPLv3

which is not allowed - so they are accepting code from people as GPLv3

wait

also I don't see how they just changed the license like that without copyright assignment from contributors

f-droid still allows this????

somenerd: there is an alternate build of the app without the proprietary library

If people want to volunteer to pick up on work we can't do right away

missing the photo editor

Go ahead

somenerd: F-Droid temporarily stopped updating it

anyway we can't include GPLv3 code regardless because it conflicts with what we want to provide

ohh

GPLv2 is fine

<strcat[m] "GPLv2 is fine"> What about confidential and proprietary?

Hello guys, currently working on Gallery issues crash (when cropping, filtering...)

Sarcasm ^

anupritaisno1: I said above it has to be permissively licensed

what is the problem with GPLv3?

too non-free for us

We want to make devices that users cannot unlock

doesn't permit making a device with an immutable root of trust

And install other operating systems

we want it to be possible to take GrapheneOS and make a device with an immutable root of trust

like with custom hardware?

if we include GPLv3 code, we're forbidding people from using GrapheneOS that way

somenerd: yes

so we won't include any GPLv3 code in the OS

hmm

yeah

<somenerd[m] "like with custom hardware?"> Basically the project needs to move in the hardware space too

yeah

it was in the roadmap right?

if we have custom hardware we want to be able to sell a variant of it with an immutable root of trust

and we want it to be possible for others to make devices

with an immutable root of trust

GPLv3 code is off the table

that sounds really cool

There's a lot of stuff in the roadmap

(as far as I understand)

its an infinitely long roadmap

<strcat[m] "if we have custom hardware we wa"> RISC-V?

Open SoC?

not relevant to the topic

That's basically it already done

yeah but the whole thing has to be

Dylanger: that's an open source secure element and I wouldn't call it done considering that we need an implementation of the Citadel APIs

No

I believe I saw a post from u/GrapheneOS on custom open hardware

Dylanger: it's not a general purpose SoC, it's a secure element like the Titan M

Proper hardware security is not just slapping a strongbox on

that is a peripheral device essentially

there isn't a RISC-V smartphone SoC and we're obviously not going to be designing an SoC

in all likelihood we'd just use the SoC secure element implementation anyway

like the Qualcomm SPU

ECC ram too? ^

it's unrealistic to make our own security chip, we'd need an off-the-shelf one, so sure an off-the-shelf one based on OpenTitan / RISC-V with the full Citadel API would be fine...

but there isn't one

can't use things that do not exist...

Citadel... I have that bad boi in IDA somewhere

Dylanger: the firmware?

[strcat](matrix.to/#/@strcat:matrix.org) but how do developers unbrick these phones?

the OS parts are open source

Yeah

FW

anupritaisno1: don't see the relevance to the discussion

Cortex-M3 or something iirc

anupritaisno1: phones with the immutable root of trust flashed would be the production ones not the development devices

would this happen after the move to a microkernel

?

you would not be doing development on a production model

somenerd: it's not tied to that

and I'd suggest carefully reading what's written on the site about that

you seem to have the wrong impression

let me reread

cuz I am kinda confused

ohhh

don't see what that has to do with the topic

so these are unrelated

wonder why I thought they were...

I should really read the docs carefully

If you used a SuzieQ (Orange dev cable from Google), you could interact directly with Citadel

Dylanger: the orange cable you're talking about is not from Google

and that only implements the ChromeOS Suzy-Q protocol

the Android cables are extended

Ah yeah that's the one

Android version requires more to get logs from Android

TIL: google makes a lot of open source things

the cable you're talking about would only give you firmware logs, it's missing the other half (i.e. the OS logs)

It dropped me into a fully interactive shell

Wasn't like root or anything

But let me see fw versions etc

I think Google removed it

In 4

I should check

I'm aware of what it provides but you're talking about using it via an incomplete way

it works differently based on whether the device is unlocked and there are fastboot oem commands

we have proper complete debug cables

unlike those ChromeOS ones

we have someone that can make them

<strcat[m] "it works differently based on wh"> Pixel 3 _totally_ didn't

I remember doing it to a friends device that was locke

* I remember doing it to a friends device that was locked

read what I wrote

> works differently

adb not enabled etc

it's not related to adb in any way

you seem really confused about what it does

there's no point in explaining to someone that knows what it does how it works

and we have proper cables with all the functionality rather than just basic firmware logs

i.e. being able to toggle on the OS logs from the kernel with fastboot

<strcat[m] "> works differently"> I know that these 2 things are totally seperate, the shell I was dropped into was some sort of UART terminal, the cable itself added resistance to D- line, muxing me to the Titan M, I only mentioned adb was disabled because I was able to take his _totally untouced Pixel 3, and interact with the (debatable) most IC of the device_

it has nothing to do with adb

> <@strcat:matrix.org> > works differently

* I know that these 2 things are totally seperate, the shell I was dropped into was some sort of UART terminal, the cable itself added resistance to D- line, muxing me to the Titan M, I only mentioned adb was disabled because I was able to take his _totally untouced Pixel 3, and interact with the (debatable) most important/private IC in the device_

and it doesn't give any sensitive information without being unlocked and enabling the full logs

It's still a vector

as I said above it works differently when you actually enable the sensitive logging when unlocked

a vector for what?

you don't seem to understand what it's providing to you

you can't "interact" with the Titan M using it

you can get very basic status information from firmware, that's it

I'm fully aware of what it makes available and how the access controls on it work

<strcat[m] "I'm fully aware of what it makes"> Oooo great, please expand on this

and you also seem confused about what the Titan M provides

Dylanger: expand on what?

if the device isn't unlocked you can't use it to get sensitive logs

that's how it works

there are fastboot oem commands tied to the debugging features

you can't use them when locked

even when unlocked it doesn't offer that much functionality on a production device

mostly you can just get the rest of the logs including the OS logs

useful for debugging early boot issues

I have a question about GrapheneOS on 4a : is it normal that i don't have notifications on my apps ?

and again it has nothing to do with adb

coffeebag: be specific about what you mean

which apps

notifications work fine on GrapheneOS

All

coffeebag: you probably turned on DND then

turn off do not disturb

Nope it's off

doesn't align with what you said above

be specific about which apps don't provide notifications

For exemple : Signal

if you use the built-in clock app for example, those notifications work fine right?

coffeebag: Signal notifications work fine on GrapheneOS

it sounds like you've changed the notification settings or have DND enabled in some form

check

I have notifications but not thz dot

I will double check

what do you mean dot

A dot on top of the app logo

Notification dot

What

To Signal that there is notifications unread for this app

You mean unread counters?

yeah, I think they meant that

coffeebag: so notifications do work fine, you're talking about the launcher notification dot?

I mean on home screen, my apps with unread messages don't have Dot Notification (the dot on top of the logo of the app)

sorry my english is crap

make sure you have that option enabled

in the launcher settings

Yeah notification dot

long press on the home screen and go to settings

[coffeebag](matrix.to/#/@ukah:matrix.org) if you're lost, go to settings, reset app preferences and reboot

That resets notifications too

Erf ok i found

look at Advanced in the Notifications Settings

sorry for that

thx a lot

it has an option for the dot on lockscreen

afaik that's enabled by default

didn't know this option for graphene

it's default on Stock rom

mb ! thx

it's the default in GrapheneOS too

you disabled it

wut

weird, peraps

(btw i use the 4A)

perhaps you switched launchers and switched back, might have disabled it

or you disabled it specifically

but it's enabled by default

Micay please enlighten us : is Ultrasonic beacon tracking possible or is it total bs?

It is totally possible and it is used by many advertising and tracking companies

* It is totally possible and it is used by many advertising and tracking companies at the moment

<engulf[m] "It is totally possible and it is"> Hmm

On r/privacy they posted a youtube video claiming a Tv it can connect to a phone via ultrasonic beacons

Here is a study of 'Privacy Threats through Ultrasonic Side Channels on Mobile Devices' christian.wressnegger.info/content/…ojects/sidechannels/2017-eurosp.pdf

<engulf[m] "Here is a study of 'Privacy Thre"> Thank you

there's also a paper on using lasers to issue commands to your voice assistant

over kilometers of distance

zugzwang: usenix.org/system/files/sec20-sugawara.pdf

LOL

> there's also a paper on using lasers to issue commands to your voice assistant

wait WHAT???????

It even goes on as to that the dogs can sense them and jump at the tv when its happening

meh, all kinds of side-channels exist

wow

<renlord[m] "there's also a paper on using la"> Thank you

maybe kilometers was an exaggeration

Siri is vulnerable too!

lulululul

lol

<renlord[m] "there's also a paper on using la"> That's not really something that would affect most of us, although that might change.

Here is a Blackhat talk about Ultrasonic Cross-Device tracking

But if you want to have more specific conversation about Ultrasonic tracking, I would suggest Techlore group as this is intended for GrapheneOS

or the off topic one

zugzwang: we have the added Sensors permission for very good reasons

So when my alarm triggers it seems like I have to unlock my phone to dismiss it (default app, Pixel 4 XL) anyone experience this also?

strcat: Is it "normal" that apps like `10062`, `10152` and `10190` have all used way over 10MB (in some cases over 50MB) of WiFi in last 30 days?

Yes

what are those apps anyway?

Can you explain what kind of data is transferred, to where and why?

First tell me how you got said "data"

You go to: Setting->Network & internet->Wi-Fi->Wi-Fi data usage?

* By going to: Setting->Network & internet->Wi-Fi->Wi-Fi data usage?

I want to improve my privacy in 2021 and atm I'm used to the conveniance of iPhones, I'd like to switch to Pixel with grapheneOS tho. How long does it "usually" take until there is a grapheneOS for a "new" Pixel phone? For example when can we "expect" a grapheneOS for the Pixel 5?

I know you cant tell for sure. I'm simply interested in an educated guess from someone who has witnessed the release of for example the Pixel 4 and can tell me how long it took them there

> <@kopolee11:matrix.org> Just a note that it is not unexpected that GrapheneOS warns you about apps that are targeting an old API level. That is fully as intended.

> And many of the default apps are really just placeholders for comparability reasons, not meant to actually be used.

Thanks for the detailed explanation! My thanks to strcat as well for clarifying further.

> meh, all kinds of side-channels exist

the sad part is that the tone seems like this is normal

* > meh, all kinds of side-channels exist

the sad part is that the tone makes this seem like it's normal

Guest26643: it will take *forever* if people never step up to do the work

Guest26643: there is no guarantee of support for newer Pixels

so far no one is working on those and we still need more people helping with the 4a

Understood thanks

<strcat[m] "I'm curious if there is any dece"> What about Simple Gallery Pro?

Unless the Apache 2.0 license puts people off?

<digitalfrontier[ "Unless the Apache 2.0 license pu"> the first thing i do on a fresh android install is to replace the default gallery app with Simple Gallery Pro

it's amazing

Same here.

Agreed. It's really good. Skimming over the Apache 2.0 license the only thing that stands out is the following "This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file."

But it does state "reasonable and customary use." I don't know, I'm not sure how to interpret that.

It says GNU GPL v3 in GitHub.

It was changed from Apache v2 to GPL v3 in 2019. F-Droid is not up to date here.

yeah

and apparently GPLv3 is a problem

> we want it to be possible to take GrapheneOS and make a device with an immutable root of trust

> so we won't include any GPLv3 code in the OS

> GPLv3 code is off the table

from Daniel MIcay

* from Daniel Micay

* and GPLv3 is a problem

digitalfrontier: Simple Gallery Pro is GPLv3 and uses a proprietary library incompatible with GPLv3 for photo editing (which is quite strange)

it doesn't have a proper photo editor in a build without that

and they've stated they won't be developing one

<revelation1318[m "It was changed from Apache v2 to"> Thanks mate!

<strcat[m] "digitalfrontier: Simple Gallery "> Well that's not just strange but also a bit depressing.

we won't include GPLv3 code but even if we were willing to do that I am concerned about the future of all those simple mobile tools apps

yeah that proprietary library is rather concerning

I think Gallery2 broke because of OS changes rather than internal changes

backwards incompatible change somewhere

it was likely already doing something incorrectly and it broke

depending on some implementation detail or something like that

really?

it's a really crufty old app

it was likely doing something really wrong

wow there are no more options then...?

that's sad

and now it broke

I don't know what you mean by that

in the short term someone could fix Gallery2

> I don't know what you mean by that

I meant no more FOSS and good gallery options

Hello. I found a good offer for a used Pixel 2. Is it good enough or should I wait for a bargain on a newer model?

Pixel 4a is only $ tree fiddy.

Plus taxes obviously but come on that's cheap.

I just got a used pixel 3 for 130 us

Pixels don't have a very long software life. Best get the newest one you can.

<redibc[m] "I just got a used pixel 3 for 13"> Not bad. I don't trust anything used though. But that's just me.

After installing Simple Gallery Pro, is it good to disable the stock Gallery?

I did so and have had zero issues.

It will just be hidden if you disable it.

How do you re-enable it later if you want to go back to it later and it's hidden?

Settings, Apps & Notifications, See all apps

Thanks!

You're welcome!

Found a good offer for a used Pixel 2. Is it good enough or should I wait for a bargain on a newer model?

Pixel 2 is almost dropped

get a Pixel 4a, nothing else should be considered for a budget device

OK ty

Is there any plan on expanding the docs?

docs about what?

the docs are regularly being expanded

people tend to just not read them

about GrapheneOS

The Google Pixel so expensive for its specs...

about what specifically?

DonaldBiden: which device are you talking about

not really anything spacific

* not really anything specific

the Pixel 4a is the budget device

somenerd: they're being regularly expanded, your question is strange

oh ok

pixel 4a is $350. pixel 3 $213. pixel 2 $201.

somenerd: You need a specific information which isn't on the website ?

Pixel 2 is obsolete and about to be dropped

I would expect it to be really cheap when it's more than 3 years old

I doubt it is a new Pixel 2 for $201

it sounds like you're comparing a new Pixel 4a to a used Pixel 2

> somenerd: You need a specific information which isn't on the website ?

no, not yet

DonaldBiden: same with that Pixel 3 - you can't really compare prices of a new device to used ones

and a Pixel 3 is a bit over 2 years old, Pixel 2 is a bit over 3 years old

@strcat[m] no, these are used prices

4a is from August this year

including shipping and taxes it can be more

DonaldBiden: $350 USD is the price of a *new* Pixel 4a

it was released a few months ago so there are probably not many used ones

strcat[m] I just checked ebay, that's the bottom price for a used one.

exactly

if you buy a Pixel 2 you'll need to replace it in a month

So Pixel 3 is the only budget viable option?

you won't be getting competitive security day one and it'll be dropped soon

Pixel 3 is not a budget option, it's a 2 year old flagship device

They should say that in the FAQ

buying old devices is not a good way to save money

DonaldBiden: we do

Idk, they break fast.

4, 4 XL, 4a are the only recommended devices

I was looking for a phone with cracked glass but even those are expensive...

They cost so much more than Redmi

I have never had a Nexus or Pixel phone die before it became end-of-life

Ppl crack the glass all the time

I had a Samsung which I bricked, idk even know how

I've had a Nexus 5, Nexus 7, Nexus 10, Nexus 6, Nexus 9, Pixel C, Nexus 5X, Nexus 6P, Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL

none have died early

DonaldBiden: Hardware randomly dies all the time

the only one that has broken at all is the Nexus 5 because that thing was poorly built and the USB port wore out during development + after it was already EOL the screen broke just from the whole thing starting to fall apart

but the devices now are much better built

that was a lower end plastic phone

with really weak thin glass for the screen in comparison

jpds that's what I was trying to say, it's better to buy a cheap old one which is supposed to last only a year

jpds: a small percent of hardware

and there's a warranty

I buy them cheap without a warranty...

in my experience, when hardware dies in ~4-5 years, it's almost always in the first couple months (unless you're talking about breaking it)

I don't remember the last time I owned a new device...

DonaldBiden: well, Pixel 2 is essentially unsupported at this point already

Gotcha

it might not get an update next month, we don't know how much longer it'll be supported

Pixel 3 has a year of guaranteed updates left, Pixel 3a somewhat longer

Why did the devs choose the Pixel?

atm the devices have 3 years guaranteed support on release

Because it's well documented?

DonaldBiden: grapheneos.org/faq#device-support

because they offer the best privacy and security

most devices don't have full security updates available let alone being competitive on firmware/hardware privacy and security

I wish that they had more years of support though

How ironic for a Google device

the vast majority of devices don't support all the hardware-based security features for another OS

probably good reasons as to why there are less years of support compared to iPhones though

Gotcha, so what you're saying is Google tried to do an iPhone competitor

just bear in mind that's the minimum guarantee

Ty

for example Pixel 1 got last update December 2019

the date when it's actually dropped isn't known

Pixel 4, 4 XL and 4a are also the most secure among what we support

and we have the best maintenance for those

Looks like only Lineage phones are an option for me...

we have higher standards for maintenance teams than we used to

not really a good idea though...

-_-

this channel is only about GrapheneOS

yeah

I'll move to offtopic

Let me put it this way: are the NSO guys only hacking Androids?

DonaldBiden: not sure what the relevance is to the discussion, and no

How is the Pixel 4 without fingerprint the 'most secure among we support'?

There's something called security by obscurity

read that grapheneos.org/faq#device-support section in the FAQ I linked earlier

DonaldBiden: 'security through obscurity' is primarily referred to as a way of criticizing weak approaches to security... and again I'm not seeing the connection to the discussion

nicob: fingerprint scanning and the Pixel 4 IR-based facial scanning is a very similar system

nicob: it doesn't really have much to do with the security we're talking about there

OK, thanks

biometric security is an optional secondary unlock option for each profile

we'd like to implement our planned 2 factor secondary unlock option

That would be ideal, something you know and something you have, until then, can you point me a source where it says it is as secure as the fingerprint on the 3? As I seem to recall it is not...But apparently I am off

you seem to be confusing it with camera-based facial recognition

which is not what it is

if you want to do research on it, go ahead

it's the same kind of approach that modern iPhones use for facial scanning

and it's very unlike using a camera for it

it's much easier to fool a fingerprint scanner than the iPhone / Pixel 4 facial scanning, it has advantages and disadvantages

Ok

Facial scanning is nice, too bad it works from hardly to not at all with masks ; that was to be expected.

This is what scared me when looking into pixel face unlock the first time.. The bulletpoints under 'How face unlock works' - important support.google.com/pixelphone/answer/9517039?hl=en&ref_topic=7083614

Of course there are downsides to the fingerprintsensor but they are generally more in the users control..

there are people with similar enough fingerprints that it collides

the face scanning is much more unique than fingerprint scanning

as I said earlier

<nicob[m] "This is what scared me when look"> there are settings that mitigate the accidental unlock (i.e. face unlocks the phone, but you still have to swipe up to get to the home screen)

also if you are captured, they could also hold the the phone to your finger

you'd need to restart the phone before you were restrained in either case

I dunno how to help you if you have an evil twin though lol

I want to fix bugs on the gallery2 app. But i don't have enough resources to build the entire GrapheneOS. Is the following thing is possible to do ? : Get the kernel then ONLY build gallery2. Disable my gallery2 app then install it on my device (which have grapheneOS) to test

you can build only gallery2

you seem to have a misunderstanding about what a kernel is and it's not relevant to this

you need to change the app id to something else if you want to install it on GrapheneOS

since you don't have our release keys

i'm talking about the kernel google sunfish for example

it's a kernel right ?

the normal way to do development is just to do an initial build, then start making changes, then do incremental builds

and test your changes

incremental builds only rebuild what changed and then make new images with those changes

you can develop most apps without building the whole OS

if you really want there are commands for building specific apps in the AOSP tree, etc.

And i was asking if i need it in order to build Gallery2 bcs Gallery2 use internal apis no ?

ok

change to the directory of Gallery2 and run `mm` instead of `m` at the top level

after setting up the environment and choosing target

ok thks i will do this

Hi, on my 3a,I can't get the last update. Seamless update clients keep stopping. I clear the storage and cache. But seems this doesn't help. Can I update with adb maybe without losing data?

* Hi, on my 3a,I can't get the last update. Seamless update clients keep stopping. I clear the storage and cache. But seems this doesn't help. Can I update with adb maybe without losing data? (I use stable version)

get logs from `adb logcat`

can figure out what's going wrong

it's possible to sideload the update with adb but it's important to figure out what the issue is

those logs came from adb logcat | grep -i seamless

* those logs came from adb logcat | grep -i seamless, will try to reboot and retrigger the bug

Cyrinux: you need to provide more of the logs

you aren't providing enough

use a paste site

yep will do this

* Hi, on my 3a,I can't get the last update, i'm stuck on the 6 oct. Seamless update clients keep stopping. I clear the storage and cache. But seems this doesn't help. Can I update with adb maybe without losing data? (I use stable version)

* yep will do this, strcat pastebin.com/kQbE59u0

* yep will do this, strcat pastebin.com/kQbE59u0 , i can read a dns cache problem and selinux denied? I use a vpn + custom dns if this can help.

[Cyrinux](matrix.to/#/@cyril:levis.name) I'll read your logs. Pm me and send the entire thing to me

Then if there is some bug I'll open an issue so that we'll get it fixed

Cyrinux: you're not providing all the relevant log content

don't use grep

run adb logcat -c to clear logs

trigger the issue

run adb logcat -d to dump logs

and copy the relevant portion with the exception with full information / context

Ok

[strcat](matrix.to/#/@strcat:matrix.org) I'm helping him in private

I'll have a look at his logs and let you know

strcat:

* strcat: its good, thx guy, will try to get more logs the next time i know what you need now, the last monkey pressing on update button trigger the service update but the ui was crash i understand

Hey guys, I am currently running Calyx OS on my pixel 4a. But now I want to switch to graphene OS. But I have a few questions: 1. should i flash stock android before installing Graphene OS and install all updates to update to the latest firmware or is graphene OS itself able to update the devices firmware via OTA updates. 2. Is there anything i need to do differently when installing graphene OS over a Calyx OS

installation compared to when the phone is running stock android.

<ultracard[m] "Hey guys, I am currently running"> Just flash grapheneos directly

ultracard: GrapheneOS has all the firmware in the factory images and updates

also, does anyone know a bit about android user profiles. Because I would like to install whatsapp on a seperate user account because I would imagine that having several security privacy benefits. But I' don't know what a different user account does. For example: can whatsapp read files stored on another users account if i give it permission to access external storage?

<ultracard[m] "also, does anyone know a bit abo"> nice, sounds great

<anupritaisno1[m] "Just flash grapheneos directly"> thanks, will do that

<ultracard[m] "also, does anyone know a bit abo"> and also: can an app installed on another user account run in the background while I'm on a different user profile?

so: is whatsapp able to send out data to mark zuckerberg if I am logged into another user account or is the app suspended while i'm not on teh user account it's installed on

I know i should stop using this creepy application anyways, but some people are simply not willing to use signal messenger and don't care about privacy because they think that only criminals like drug dealers need privacy

ultracard: apps can't share data or communicate across profiles regardless of what permissions you give them (other than via the network)

that's what profiles are: isolated workspaces, with their own shared data (such as their own home directory, contacts, etc.) and apps can only communicate with mutual consent within a profile

not across them

and apps are installed separately within each profile

wow

impressive

amazing

thanks

i love that

so excited, gonna go ahead and install graphene os right now

it's a separate installation of the app - although for efficiency the OS shares the actual apk installation across them (so updating an app in one profile updates it for all profiles - which is safe due to the OS pinning signing keys and preventing downgrades for apps in general)

this is just how user profiles work in AOSP

ultracard: it can keep running in a different profile, but will only have access to data from that profile.

I read that even vpn on 2nd profile works well

although many OEM forks of AOSP disable user profiles

ultracard: we enable a non-standard AOSP feature which is being able to explicitly logout of profiles

ultracard: each profile has a separate disk encryption key based on the authentication method of that profile

and when you logout of a profile it becomes fully at rest as if you rebooted (for that profile)

You can log out of the profile and that will shut it down. If you are in a different profile, you wont get notifications from it.

can't logout of the main "Owner" profile since it handles things other profiles require (to do that, you reboot)

wow, omg i love graphene

<dazinism "You can log out of the profile a"> nice, wouldn't want notifications from whatsapp anyways

the only things we change about user profiles from AOSP are increasing the limit from 4 to 16 and enabling logout

logout plays really well with how per-profile encryption works

and AOSP supports properly purging keys from hardware / memory now

(hardware as in the CPU crypto acceleration registers etc)

<strcat[m] "logout plays really well with ho"> If i remember correctly you couldnt log out of profile on android 10?

zugzwang: logout is a feature we enabled downstream

zugzwang: AOSP 11 doesn't have a logout option except for device managers that enable it

so i do not have to worry about whatsapp collecting or using my data (except for the data it collects when i'm using the app) while i am logged into a different user where whatsapp is not installed?

we just set it to be available as a standard UI feature without needing a device manager - really minimal change

ultracard: you don't have to worry about it other than CPU timing side channel attacks, etc.

which I'm sure it doesn't do

<strcat[m] "we just set it to be available a"> cool, because on Lineage OS (at least LineageOS 16) that feature is missing

just put it in a dedicated profile and if you don't want it running, logout of that profile

you can leave it running in the background while you use another profile and the profiles are isolated

<strcat[m] "ultracard: you don't have to wor"> nice, yeah, if whatsapp did something that nefarious and someone would find out they'd be sued to the moon.

and profiles that are in the background can't do stuff like recording audio (apps can't record audio in the background anyway)

(but there's a separate restriction on profiles as a whole not being able to do that)

<strcat[m] "you can leave it running in the "> if the app running in the background cannot collect data from another users account i don't mind

If i use orbot always on block other traffic on 2nd profile. will that effect main profile?

yeah it can't do that, user profiles are isolated

ultracard: heres info about what apps can see hub.libranet.de/wiki/and-priv-sec/wiki/what-can-apps-see

zugzwang: the network connection is shared across profiles essentially

I searchef on here but its broken threads as element wont show full conversations

except for: if whatsapp can scan for nearby wifi networks in the background that would mean that it can track my location, and i wouldn't want mister zuckerman to know my location

Not sure exactly how having apps is a secndary, backgrounded profile would effect all those

ultracard: apps can't see Wi-Fi, Bluetooth, cell towers, etc. unless you grant them Location access

so if you don't want them tracking location, don't grant Location

Location covers seeing nearby Wi-Fi networks, cell towers and scanning for Bluetooth devices, along with using supplementary location services (which we don't have) not just GPS

and anyway the "GPS" is really GNSS

<dazinism "ultracard: heres info about what"> thanks, sounds interesting

ultracard: also this has info about profiles hub.libranet.de/wiki/and-priv-sec/wiki/user-profiles

<strcat[m] "ultracard: apps can't see Wi-Fi,"> Is it the same on ios?

<strcat[m] "so if you don't want them tracki"> really? I thought google was purposefully misleading users by allowing them to disable location services but not telling them that the app can still find out where they are using wifi/bluetooth

ultracard: that's not accurate

strcat: Do you know if apps in secondary profiles have device encrypted components if they would be active before logging into a secondary user?

and we don't have Play services anyway

but that is not accurate about Play services

logically sounds plausible

<strcat[m] "and anyway the "GPS" is really G"> Iirc GPS is within the modem on Qualcomm devices MPSS

<strcat[m] "ultracard: that's not accurate"> wow, I'm impressed. thanks. didn't think that google would ever surprise me in a positive way regarding privacy

Dont think many apps have device encrypted components though.

Anyone know any apps that do?

dazinism: I don't really think secondary profiles can use direct boot because they are inactive

dazinism: if you switch to them, before you have unlocked

that's the only time they would be active

so sure it can work in that case

switch to them to make them active and don't actually login

dazinism: not really sure secondary users support it that way though

they might become active after login

you'd need to test

I've never had a reason to look at that

Fair. Don't know of any apps that I could test with.

Its unusual for apps to use direct boot.

Hi, is it good to reboot my grapheneOS ones a day? Or it do not make a different?

thanks guys, realizing that i can still have privacy even when i'm using whatsapp made me smile because it makes me feel like we're not yet completely living in a technological dystopy

clox: yeah its useful. A reboot has kernal & system checked by verified boot and reloaded.

which factory image should i use for my pixel 4a? there is one with OTA and one without

Hi peoples. So i bought a 5 I needed the IPX rating instead of 4a from the specs the hardware looks extremely similar to 4a would sunfish work on the 5

ultracard: ota is an update

<ultracard[m] "which factory image should i use"> does that mean that the one version of graphene OS does have OTA updates and the other one doesn't or is the zip file wich OTA in it's name an additional file i need to flash if i want to have tha ability to get over the air updates

> <@ultracard:matrix.org> which factory image should i use for my pixel 4a? there is one with OTA and one without

* does that mean that the one version of graphene OS does have OTA updates and the other one doesn't or is the zip file with OTA in it's name an additional file i need to flash if i want to have tha ability to get over the air updates

<dazinism "clox: yeah its useful. A reboot "> Thx, dazinism

<Uberarchangel "Hi peoples. So i bought a 5 I ne"> I'm not a developer, but flashing it on the 5 shouldn't work

it has different hardware

<Uberarchangel "Hi peoples. So i bought a 5 I ne"> No it will not

Do not flash a factory image not meant for your device

Use the OTA files to update if GrapheneOS os already installed

<Uberarchangel "Hi peoples. So i bought a 5 I ne"> you could brick your phone in the process. wait until there's an official release of graphene OS for the pixel6

That is why I came and asked thank you.

> <@freenode_Uberarchangel:matrix.org> Hi peoples. So i bought a 5 I needed the IPX rating instead of 4a from the specs the hardware looks extremely similar to 4a would sunfish work on the 5

* you could brick your phone in the process. wait until there's an official release of graphene OS for the pixel5

<dazinism "Use the OTA files to update if G"> but I thought that OTA meant "Over The Air" updates, meaning that i don't have to manually download a file to update my phone

Its the same file as is served OTA. Just can download and sideload onto device if for some reason you don't want to connect the device to network, or maybe grapheneos server

<dazinism "Its the same file as is served O"> OK, now i get it. Thanks dazinism. You're amazing

Are there any people looking into the pixel 5 even for alpha/beta.

I didnt realise anyone had a 5 yet

[Uberarchangel](matrix.to/#/@freenode_Uberarchangel:matrix.org) not yet

I don't not yet 5ht or 6th is my eta

Actually, if you are up to date and going to the next update you will get a smaller delta OTA via seamless updater

Is there any more tinkering aside from extracting libs and bins from vendor and cloning the kernel? For the 5

Hrmm that sounds like that could be a fun weekend project

Porting all the grapheneos changes to the device.

Sorting out SELinux policies

Getting Auditor app to work with it

Fixing any bugs uncovered

I always thought Graphene itself was a GSI

But I guess GMS embeds itself into vendor

Then needs a maintainer/maintenance team to commit to looking after things for the device lifespan

<Dylanger[m] "I always thought Graphene itself"> It isn't

Grapheneos is compiled specifically for a given device

Think most of this is still relevant / current

I am still surprised there is that many hardware differences between the 4a and 5

Think 4a5G shares more with the 5.

That is my bad that is what I meant

I would think those 2 could litterally run the same OS build

No they can't

The 4a5g and 5 can't run the same build?

Alright I am going to go thank you for the information gus I will likely be back once I get my phone to talk more

guys*

I'm like

Fuck you're gonna be back?

ultracard: you should follow grapheneos.org/install and use the factory images not the OTA

the OTA is just shown on the releases page for people who want it for some reason like sideloading it to recovery to update instead of updating via the automatic over-the-air updates

the update client in the OS uses the incremental updates (unless you fall behind updates) anyway, not those massive full updates for updating from any past version

we just don't bother listing those on the releases page

Is it worth removing Widevine etc from firmware/NON-HLOSS

Its still signed, but removing it could remove attack surface?

It sucks you don't have MRC blown into these devices

Anyone else having an issue with new pipe. Every video I select throws up a error report

Dylanger: Widevine is in TEE which is largely legacy now that there's a proper secure element

<prestocaso[m] "Anyone else having an issue with"> Known issue. Everyone is affected

Dylanger: so sure with custom hardware wouldn't include it but wouldn't really change anything

Dylanger: we can just finish removing support for it in the OS

doesn't matter

[strcat](matrix.to/#/@strcat:matrix.org) so I can't watch Netflix on grapheneos phone, sad

Sarcasm ^

I doubt you can anyway

I assume their app depends on Play Services and that they try to prevent using a web browser on mobile

<strcat[m] "I assume their app depends on Pl"> It works

the app?

It'll use DRM on vanadium in the browser

ah didn't realize they supported it

Vanadium (Chromium) just delegates to the OS

* It'll use DRM on vanadium so it does work in the browser

the DRM doesn't really do anything

I don't really understand how it's supposed to stop anything

<strcat[m] "Vanadium (Chromium) just delegat"> Glassrom doesn't do DRM. Remember a few months ago I gave you a crash log on how vanadium on glassrom crashed on Netflix because it couldn't find any DRM HALs on the device?

ah yeah

we need to properly disable it

not remove the generic HAL

we need to remove the widevine implementation not the generic HAL

Yeah

anyway atm we don't remove per-device functionality like that

we just don't include stuff in product like nasty Sprint stuff

we include all of the SoC vendor components

and widevine is basically part of that

BTW widevine is not just one blob

I know

There's other HALs that get the keys from the hardware and give it to widevine

And there's clearkey too

And there's also a huge amount of sepolicy that will have to go out

Remember how our isolated app updates in device trees are mostly DRM HAL?

the sepolicy doesn't really have to be removed if there is nothing set up that can use it

anupritaisno1: I don't think any Pixels support clearkey just widevine

DRM info app on pixel 4

Here's what it'd look like on glassrom

Has anyone done any side channel fun with Titan M?

I think it's time to blast some EM at it

<strcat[m] "anyway atm we don't remove per-d"> Wish you guys at MRC, you'd be able to make changes to ABL and XBL

* Wish you guys had MRC, you'd be able to make changes to ABL and XBL

anupritaisno1: ah so clearkey is just like a fake testing DRM?

didn't realize that

yeah

hey guys, just installed graphen OS on my google pixel 4a, and it worked. It's still a bit buggy, sometimes i have to tap on an application multiple times to open it, but i guess that's to be expected when installing a rom which is stilll "experimental"

you shouldn't ever have to tap multiple times to open something

unknown: also make sure to lock it

Hi I am trying to install on pixel 3a i unlocked but cant execute ./flash-all.sh

I'm on linux mint

<strcat[m] "unknown: also make sure to lock "> sure, did that

<mx[m] "Hi I am trying to install on pix"> had the same problem

probably don't have udev rules to run it as a non-privileged user

my problem was that i was using "sudo ./flash-all.sh"

but if you use sudo, your path variable will be different

i did with sudo

nice

than we know what the issue was

try without sudo

i also wanted to do it with sudo because i thought that would be safer

but it only works without sudo

mx: that won't work if you don't have fastboot accessible there

ultracard: using sudo without arguments runs stuff as root...

ultracard: opposite of safer

although there is no real distinction between a user with access to sudo as root, and root

I'm on fastboot mode with unlocked state

mx: you need to follow grapheneos.org/install as it's written there - you can't run flash-all.sh with sudo part of the way through the process

if you want to run it as root (rather than getting proper udev rules) you need to do the whole thing that way

so you have fastboot there

yes

i did step by step

including verification

how to check communication between device and terminal

?

I have < waiting for any device> message

mx what OS are you using to install? That sounds like you are not running as root or you haven't set up the udev rules

OK saw you are on Linux Mint

stable for 3a sargo-factory-2020.10.23.04

I would just become root (sudo -i) and do the entire process again

So instead of using sudo, do it as root

OK I will try

just go into folder and do ./flash-all.sh ?

or start from fastboot flashing unlock ?

it is unlocked anyway

<mx[m] "I have < waiting for any device>"> What were you doing when you got this message? Start from there

I'm in root now in sargo-factory-2020.10.23.04 and I will try ./flash-all.sh

which messages you get on your mobile phone screen ?

same issue stop on < waiting for any device>

no massage, just fastboot mode

massage is in terminal

you should unlock the bootloader

I did already, do this again?

i did fastboot flashing unlock and have same massage again

< waiting for any device>

come private

i pm you

<coffeebag[m] "come private"> Lewd

Does Graphene change any of the modem's NV?

Also does anyone know if GCam on the Pixel 4 is actually using the Visual Core and not cdsp?

`vendor/firmware/CAMERA_ICP.elf` has a REX section

Firmware for the Visual Core?

If I want to change the default font, can I just change the `frameworks/base/data/fonts/fonts.xml` file?

Just change this?

Hello Good GrapheneOS folks! =) I am desparately trying to find a Google Maps equivalent. I've tried OSM and MagicEarth apps but they are not terribly user-friendly. Suggestions?

BeingFrey: F-droid provides osmand+ for free which adds a few things

<prestocaso[m] "BeingFrey: F-droid provides osma"> Ha.. you're in many rooms/groups I see.

Thanks again! =)

Which custom ROM do you use?

No problem the aurora store within fdroid should allow you the install google maps go as well

<prestocaso[m] "No problem the aurora store with"> On GrapheneOS?

Thanks coffeebag. I am on the board with GrapheneOS.

BeingFrey: graphene at the moment but I've used both

<prestocaso[m] "BeingFrey: graphene at the momen"> And your preference?

np

!

BeingFrey: for my use case Graphene, but considering what you will need it may be different

<prestocaso[m] " BeingFrey: for my use case Grap"> Google Maps is extremely hard to beat.

<BeingFrey[m] "Google Maps is extremely hard to"> And when you NEED IT, you NEED IT!

BeingFrey: it is yeah they've clearly put the time into making it unbeatable

What about CityMapper ?

depends off your needs but it's a great app when you live in big cities

<coffeebag[m] "What about CityMapper ?"> Never hear of it but will certainly look into it. Thanks! =)

<BeingFrey[m] "And when you NEED IT, you NEED I"> You need a second phone for G Maps

Not familiar but I'll look into it

CityMapper is really strong for public transport, wayyyy better for google map on this point

I have been able to use g maps go in graphene

but i never try it on small towns / on the road

It works through your browser

<prestocaso[m] "It works through your browser"> How "private, secure" is it using Google Maps via the browser on GrapheneOS?

Are you compromising?

It doesn't require me to log in

Hmm

Interesting.. I'll look into it.

Thanks!

I appreciate all of your insight, feedback and suggestions folks! Unfortunately, I need to leave now for an appointment! All the best to you!

Bye for now