<redibc[m] "Do you think the nsa tries to br"> Well they probably try to break GrapheneOS but its a lot harder to do then to hack Stock Android and IOS also if they want to hack you they'll probably will

What are the methods they can use to break graphene currently

This is not the right place for speculation

<redibc[m] "What are the methods they can us"> The NSA keeps everything secret so it would be hard to know that (expect if you got access to their files in some ways but I doubt that)

* Well they probably try to break GrapheneOS but its a lot harder to do then to hack Stock Android and IOS also if they want to hack you they'll probably will (which they may not be able to currently)

If you want to research what police departments are actually using, search for Cellebrite's UFED, but that is off-topic here

* As long as the malware isn't on the hardware then yes

<redibc[m] "What are the methods they can us"> coerce the user into unlocking the phone

or phishing

What about if they had physical access to it? Can anything be installed or can they break the password easy?

<redibc[m] "What about if they had physical "> No

a really advanced technique i read is, obtained while phone unlocked, flash freeze RAM to retain the states persistently and bring to a lab for extraction.

but you must be pretty high up on a wanted list to warrant this

Someone posted this link a couple of days ago and I found it had a lot of useful information redibc

if paranoid users are interested ^

sorry, we cant beat the laws of thermodyanmics

Paranoid users won't open a PDF

Yea you are talking about a cold boot extraction right

That paper was written for laptops, it's probably 1000 times more difficult to remove RAM from a phone and install it somewhere else while keeping the low temperatures

:shrugs: i imagine an expert can de-assemble quite quickly if they practiced

the point is that these vectors exist.

<renlord[m] "a really advanced technique i re"> Cold boot attacks aren't really viable, especially when it comes to modern phones. RAM usually clears within seconds. The attacker would have to rip out the RAM sticks from the phone and stick them inside a freezer all within a few seconds and without the user noticing. GrapheneOS also zeroes memory after it's freed which makes this even harder. Cold boot attacks are

pretty circumstantial.

good points

The idea is of course to freeze the RAM or the entire phone before turning it off and removing the RAM, but it's still almost impossible to perform. Much more difficult than removing the RAM sticks from a Thinkpad

I recall watching a spy show where the protagonist used an upside down canister of compressed air to freeze laptop RAM prior to removing it for a cold boot attack. But on a phone, where RAM would have to be de-soldered, the heat from that process would probably make it very difficult.

Especially since compressed air propellants are usually flammable.

It seems to me that guys have misconceptions about thermodynamics

Tho explaining that would take too much time and words. And gonna go to off-topic channel.

So I'm not gonna do that

* It seems to me that you guys have misconceptions about thermodynamics

<cicadasolver[m] "It seems to me that guys have mi"> i'll admit that i probably have a misconception. I'm not a physics major.

you can ping me privately to correct my misconceptions.

What about them installing hardware on the phone or a computer without your knowledge before you get it. I heard about tao doing that

Buying from a local store can help defeat that type of targeted attack.

Those already have the big box backdoors in. No specialized hardware either.

I am new here. Hi. Appreciate if you can point me to documentation with the best practice to install known good secure apps on GrapheneOS. Thanks.

Verify the application from the vendor, usually via OpenPGP signatures, although GrapheneOS uses signify of OpenBSD project

ok step 1. Verify sign or hash from creator/vendor. Step 2. put on a USB drive. Step 3. Sideload via USB drive onto GrapheneOS without the need of any app store.

Did I get it right?

Thanks.

or did I overlook something critical?

Yes, if your GrapheneOS isn't verified correctly though, it wouldn't be that important as it would be compromised at a system level

No USB device is needed, you can sideload on the device

true. I verified GrapheneOS before install using signify.

USB drive might make it easy to store my personal collection of trusted apps.

There are apps that can help manage PGP verification, I would start with the verification of F-Droid, an app store, if your threat model allows it.

:)

Thanks

Another topic: I had to manually apply OTA update via USB cable. I was expecting OTA update to arrive via WiFi but it wouldn't for some reason. It is fair to expect OTA updates over the WiFi air?

You should save installers if you want to yes, but no need to use it to sideload

how will the installer arrive on the phone in that case without USB?

probably a silly question

You can download APK directly from F-Droid, or if the vendor supplies an APK, you can just save that one

anyone here installed Tails? looking for hashes to verify the .iso file

sorry, I mean Qubes OS *

I also don't know if GrapheneOS can update itself, I'd assume it can be, but maybe the infrastructure is not configured by the developer

First time hearing about F-Droid. Now exploring. Looks interesting.... YAY!

Follow the first step of verifying F-Droid itself and there should be no worries, it doesn't seem like you have a strict threat model.

no strictness. I am just a dude. experimenting

anon_reee: I have the verified PGP keys, I will download the hash and check and relay them to you

with an interest in learning to be strict

when needed

If you trust me, of course

<anon_reee "sorry, I mean Qubes OS *"> They provide PGP signatures and hashes on the download page. Also, totally off-topic. This group isn't for Qubes support.

Of course, Verify. Don't trust. Indeed.

Also probably a good idea to look in a more Qubes focused room as well

OTA updates would need backend infrastructure that the developers may not have provided. So the burden is on the user to manually apply OTA updates via USB cable as and when updates arrive.

I was sure Android could also flash itself from a file, but maybe a computer is needed to assist

Thanks a lot @rose

Thanks a lot rosebushactivism:

madaidan[m]: they do, but they say to not trust the website and verify it from multiple sources. the website could be compromised

sorry, I'll switch to the other channel

As a follow up, there may not actually be an application for verifying PGP signatures on F-Droid, I thought there would be, it still has other good apps. I think you could probably get a terminal emulator like termux and run something like gpg if you can build it for Android, though I'm also not sure how the filesystem access of the terminal emulators work.

OpenKeychain still seems like a very powerful app.

Maybe I'm wrong about being wrong, and OpenKeychain actually can verify files, it does seem like an odd omission for a PGP app, but I saw a GitHub issue saying it lacked this feature, but other sources give it the feature in the description.

I love conflicting information about potentially important software.

anonhat[m]: what do you love about it

Has anyone with newpipe been directed to a Github webpage to download an update?

I was directed to github webpage to download an update the other day and it warned me the signing certificate was different etc..

Fdroid cert different than the GitHub cert

Though they have started building with the same cert on fdroid

The github notice is verified. It's genuine.

Newpipe has its own fdroid repo that gets updates quicker than the fdroid repo.

May have to reinstall if you've already got it from fdroid, as it could be signed with a different cert.

As mentioned its now available from the fdroid repo with Newpipes cert,but also different build with an fdroid cert

lvnilesh: check out hub.libranet.de/wiki/graphene-os/wiki/Apps

Hello

I am trying to reset my pixel 3a and getting the following error message:

So I don't have to worry about it.

I'm assuming other people have had the same thing happen..

E: can´t send spi message: Try again

is this something to worry about?

this message appears when resetting within the recovery menu

If you can't reset dev I'd day its a doozy

Why not reset in settings?

well it says Data wipe complete and it seems to reset the device

but i am just unsure if this is intended behaviour

have not had this before

If its reset to factory gos I think ur OK

Maybe a recent update specific bug

and when resetting from the settings it shows a new resetting animation which i also have not seen before

I dunno I've had too many beers tonight to compute properly honestly

Oh ???

Is this a newly updated android 11 device?

<CarpeDiem[m] "Is this a newly updated android "> yes, newest gos

I think ur Gucci.

I reset mine and the reset thing changed

As in the animation right ?

yes

it s like a circle

Yea seemslegit.jpg

Its a11 mate

ok

thanks

NP have a good nyte/day

Me needs sleep lel

good night 😴

I'm an intermediate level infosec professional with little programming knowledge, but I want to contribute to grapheneos. Eventually maybe even with commits. Where do you guys recommend I start?

start by learning how to sync and build the whole OS

learn how to do signed, production builds by following the full guide and also try doing development builds (i.e. not using target-files-package or signing)

and then you can choose an area to start contributing

Is it all written in C/C++?

I know the kernel is. *shivers*

no

mostly Java that's being replaced with Kotlin

Android Studio can automatically convert Java to Kotlin that's generally shorter than the Java it was translated from despite not being at all idiomatic Kotlin

anonhat[m]: infosec does that mean pentesting?

I don't know if they're using the automatic tooling for the AOSP transition

anonhat: low-level code is mostly C++ (other than external projects that are C)

Android itself uses C++17 for most low-level code

can u fuzz/hammer grapheneos from all angles and find vulns :)

although it is mostly not brand new code so don't expect anything but newer things to be at all modern C++

[anonhat](matrix.to/#/@anonhat:matrix.org) just pm me for help with getting started

grapheneos.org/build#programming-languages is our own guidelines

* grapheneos.org/build#programming-languages are our own guidelines

<strcat[m] "Android Studio can automatically"> Actually it's pretty bad

> although it is mostly not brand new code so don't expect anything but newer things to be at all modern C++

is knowledge of rust needed / preferred?

It doesn't convert correctly [strcat](matrix.to/#/@strcat:matrix.org)

(it says for new code so I guess nvm)

<louipc_ "anonhat: infosec does that mean "> System auditing and secure network design, mostly.

auditing cool

<strcat[m] "grapheneos.org/build#pro"> I've heard Go is pretty security oriented. Would that be considered at some point due to its simplicity?

i bet some ppl wouldnt mind seeing an audit of grapheneos

i don't see the point in piling more languages onto the pile

I think gVisor (written in Go) is mentioned in the roadmap

louipc_: that would pretty much just be an audit of AOSP

unless it's limited to only auditing our changes

since 99.99% of the code is AOSP

<louipc_ "i don't see the point in piling "> I just prefer easier stuff. If it accomplishes the same goals as rust, I would prefer Go.

(including external projects like Linux)

strcat[m]: quite an undertaking :D

anonhat: we don't use Go, there isn't a use case for it in our work

Kotlin is a better fit

<strcat[m] "(including external projects lik"> that would take a while

it wouldn't make sense to use a less expressive language without official support and without support for calling all of the standard APIs

now it makes sense why Graphene would want to move away from linux

and server-side it still makes more sense for us to use Kotlin

anonhat[m]: youre looking to become a coder?

somenerd: I suggest reading about the topic

> somenerd: I suggest reading about the topic

which one?

[strcat](matrix.to/#/@strcat:matrix.org) let's say I know java, how much time would it take to learn kotlin?

the Linux kernel is highly insecure

it's written in a low-level, type and memory unsafe language with very lax code review

and it's designed as a monolithic kernel which means there are zero internal security boundaries

all of the code is fully trusted and privileged

a minor bug in miscellaneous, rarely used code is a full compromise of the kernel

I wonder if we can run NT kernel. LOL

lol

what about MINIX?

the Linux kernel design is equivalent to having userspace designed as a single process (init) having 100% of the code for the entire OS

lol

hurd

people complain about systemd but systemd is far less monolithic than the Linux kernel and covers drastically less functionality

[strcat](matrix.to/#/@strcat:matrix.org) anyway how much would it take to learn kotlin if one already knows java?

imagine if systemd was not modular (i.e. everything in the systemd process, not all those systemd-* services and various utilities) and contained the whole desktop environment, etc.

pretty much the entire OS other than applications in the init process

So how does gvisor fit into your intention to improve sandbox security and replace the kernel?

that's legitimately how the Linux kernel is designed

and how much code it has

<anonhat[m] "So how does gvisor fit into your"> Well gvisor becomes the one providing the Linux kernel API

* imagine if systemd was not modular (i.e. everything in the systemd process, not all those systemd-* services and various utilities) and contained the whole base OS / application layer, etc.

So the actual insecure kernel is protected

but linux does have modules

<louipc_ "but linux does have modules"> No

Just no

louipc_: those are just dynamic libraries, not isolated components

whats modprobe

louipc_: Linux kernel modules have no boundaries between them and the core kernel

<strcat[m] "louipc_: those are just dynamic "> Ah yeah and this

louipc_: they are just libraries loaded into the kernel

the Linux kernel is fully monolithic, supporting dynamic linking doesn't make it any less monolithic in that regard

ok they are modular, but not in an isolated sense

louipc_: they're dynamically loaded, not modular in the sense we are talking about

What about xen? It's mentioned in docs as well. Do you plan to have full hardware virtualization of apps? If so, how much overhead would that cause?

louipc_: they are dynamically loaded as part of the monolithic Linux kernel

sure

they became part of the monolithic kernel as part of loading them

they are in the same address space, with no boundaries between anything

they have no restrictions on them and they can do whatever they want to the core kernel

there is no stable API / ABI provided to modules either, which among other things means you cannot just implement a compatibility layer for Linux kernel modules with a defined scope, etc.

louipc_: so, you're probably aware there are projects taking Windows kernel drivers and running them elsewhere in an isolated environment

I think I heard something along those lines. Not really fully aware of it tho

you can't realistically do that for Linux kernel drivers because they are not divided from the core kernel beyond being dynamically linked to it

there isn't a limit on what they can do once loaded (statically or dynamically)

and there is no stable API / ABI for them

so it's an arbitrarily moving target

they are bound to the specific kernel

yes not just a specific version of the kernel

but a specific configuration of that specific version

the build itself

and the compiler has to match too

exact same compiler version

nice

they are libraries but unlike libraries there is no well defined API / ABI

yea thats pretty unmodular

yes they are just dynamically loaded

that's it

they are less modular than dynamic libraries

a lot less

and like dynamic libraries, they are fully trusted components of that program

wow

louipc_: there's little difference between building the code into the kernel vs. as a dynamic kernel module other than it being dynamically loaded and initialized

lot of trust in code

the Linux kernel is the most highly trusted component of the OS, it can do anything that the OS can do, it's in control of everything

and that applies to the entire thing

code in the network stack handling an obscure TCP extension is as trusted as anything else

if the programmer there makes a mistake like being off by one in a calculation that can easily end up being a remote code execution vulnerability where the attacker starts out with full privileges

since there is no privilege separation, no isolation, no security boundary at all

<anupritaisno1[m] "[strcat](matrix.to/#/@st"> it's very easy to pick up kotlin if you are proficient in java. a week or 2 to be productive i think, and maybe a few weeks after that to achieve full idiomatic enlightenment

or even less time to be productive, at least that was my experience

All I really know is python.

is the microkernel going to be custom-made or a currently existing one (ex: MINIX, RedoxOS)?

anonhat[m]: Go is not security-oriented

I read that it was designed to be memory safe.

go doesn't really have any particular memory safety features

Go has a garbage collector

it will happily let you shoot yourself in the foot with null pointers

Yes, but that doesn't security-oriented

Go is primarily designed with ease of use

But anyhow, -offtopic

<anonhat[m] "What about xen? It's mentioned i"> I still want to know this.

isn't there already a sandbox?

There is already a per app VM

Escape is possible due to its design.

Then report those as security vulnerabilities to google

collect your own dang garbage

I mean that it's not full hardware virtualization as xen offers, so by its nature it isn't as secure.

And even then, there are plenty of ways of escaping Xen

> And even then, there are plenty of ways of escaping Xen

WAIT WHAT????!?!??!

Anyway that's not the goal really

I agree...

We are not going to design our own VM per app

somenerd[m]: Do you realize that you say "wait what" a lot?

> somenerd: Do you realize that you say "wait what" a lot?

I say a lot of things a lot.

<jpds "And even then, there are plenty "> Someone should have told Gordon Freeman that.

(and no "a lot of things" isn't really one of them)

<anupritaisno1[m] "We are not going to design our o"> So what is the purpose of cen/gvisor in the roadmap, then?

* So what is the purpose of xen/gvisor in the roadmap, then?

I think to keep the os in a sandbox

>to leverage it for reinforcing existing security boundaries

<anonhat[m] "So what is the purpose of cen/gv"> To isolate the insecure Linux kernel

You are just misunderstanding what we want to do inside gvisor

and then replace linux as well? (with say a ,microkernel)

Eventually

It seems like gvisor is a project specifically designed to help system engineers actually sandbox their application containers. How do you plan to use it, if not for this 5

well, the roadmap seems really cool

* It seems like gvisor is a project specifically designed to help system engineers actually sandbox their application containers. How do you plan to use it, if not for this?

[anonhat](matrix.to/#/@anonhat:matrix.org) we are basically going to run the entirety of android inside it

That's the plan

How does that improve security in any meaningful way?

Are you just planning to use it as a syscall filter for the kernel? System-wide, everything shares the same instance of gvisor? Sounds marginally better, but not ideal.

It might be a Chromium upstream issue or a misconfiguration on my part: can you still open external apps from links in Vanadium?

Cannot do that since v86, and freshly installed Bromite is also affected. Opening external apps from links works on other apps though.

(Originally posted on off topic but go skipped, just wanted to know if someone can try so I can know how to fix the issue if it's on my end.)

File transfer is enabled, the MTP host is running on the phone.

Previously connecting my Huawei worked, however trying to open my GraphenOS 3a XL in the file manager on my Laptop isn't working.

Why is this happening? Any clues?

anonhat: per-app gvisor instance

replacement of the app sandbox

it's not a syscall filter

it's a reimplementation of the Linux kernel API in userspace

it could be ported to run on something other than Linux

it's a Linux kernel API reimplementation

anonhat: the point of it is having that implemented in memory / type safe Go in userspace and you can run multiple instances of it

IPC attack surface would be unchanged but it is a way of addressing the weaknesses of the OS sandbox relying on the Linux kernel

Oops

and it is a way of making things more portable in theory

anonhat: we aren't ready to do this largely because gvisor is not ready for this yet

anonhat: so we're keeping an eye on it and experimenting with it

we need it to fully support arm64 and we probably wouldn't consider using the ptrace-based implementation, we need the kvm-based implementation available for arm64

and stable

Hey

I've fixed some bugs on Gallery2

coffeebag: nice

I've increase the quality of the pics preview and i'm fixing the crop / styling crash

Gg [coffeebag](matrix.to/#/@ukah:matrix.org)

coffeebag: I tried reverted it to the Android 10 state already and it that was still broken so it seems like it had latent bugs uncovered by the Android 11 changes

unsure on the details

* coffeebag: I tried reverting it to the Android 10 state already and it that was still broken so it seems like it had latent bugs uncovered by the Android 11 changes

Do I need to install microG to make esim work on graphene?

@jur

jur: grapheneos.org CTRL+F microg

Also, reddit.com/r/GrapheneOS/comments/c1…eneos_for_me_questions_and_concerns

Hi guys, when you guys have a 'release' for the pixel 5?

strcat: What do you think about using using androidx for Gallery2 ?

coffeebag: that's fine, but don't want to make a ton of changes / refactor it

coffeebag: also worth noting that we should probably submit fixes upstream to AOSP and try to get them merged

strcat: Yep sure, i will see that

Hello all, might I inquire as to the best android tablet to attempt a grapheneos install on? Thank you kindly. P.s. I love this os.

we don't currently support any tablets officially

it can be built and run on tablets and all our changes should be compatible with them

but we don't have official support for any ourselves

OK, makes sense. If I were to attempt this build, would I want to stick to Google tablets for hardware compatability?

In an unoffcial capacity, of course

there aren't Pixel Android tablets and no you wouldn't have to stick to those if there were

read grapheneos.org/faq#device-support

devices need to meet the requirements for them to be a proper target for GrapheneOS

you need to identify a device that ideally meets the requirements

and bring the AOSP support code for that device into GrapheneOS along with porting all of the upstream and downstream hardening features over to it

that is, if you want a proper build of it for a device capable of meeting the requirements

Yup, thank you, I started reading it previously and then went looking for Google pixel tablets and got lost along the way. As I read farther it seems I'll wait for a pixel type tablet. Best phone I ever had now, though. Love it.

cossmic_wray: I don't really think there will be a Pixel Android tablet

gitlab.com/CalyxOS/platform_frameworks_base/-/merge_requests/2/diffs

someone is welcome to submit a pull request for this

our focus is not on changing things unrelated to privacy/security from how they work in AOSP and the stock OS

so if you users want build configuration changes like that they need to implement and test it (cannot blindly submit it without testing)

<strcat[m] "our focus is not on changing thi"> yeah i know, And i fully understand your reasons behind that. but changing a single variable regarding screen color temperature shouldn't have any security implications

<ultracard[m] "yeah i know, And i fully underst"> Again, not really possible

if i was a dev i'd do this right away, but sadyl i cannot code

but to me it doesn't seem that difficult

maybe i'll be able to make a pull request on gitlab

Could not replicate my issue on Chromium v85 so it's related to 86. Should I open an issue on Vanadium or Chromium issue tracker since it should be upstream? I see no one complaining about this but it's impacting me, I used to have Slide open automatically when browsing reddit.

Wonderfall: can you install Chrome and try with that

which is not quite as good as testing on the stock OS

but useful nonetheless

can do it in a user profile

if you want

I'm doing that

Okay, it works in Chrome 86.0.4240.110

And not in Vanadium 86.0.4240.99, same profile (which is a brand new one)

And doesn't work either in Bromite 86.0.4240.112, interesting.

How much of a compromise is made using the SIM from my old Googled phone in the new GrapheneOS phone? How much data from the past will be connected to me on the new phon? Would it even be feasible to leave that behind with a new sim/phone? Asking because I need to use things like whatsapp for the time being anyways.

the SIM card uniquely identifies itself to the carrier as part of authenticating

a SIM card is a little secure element for authenticating on a network

you can think of it like your private key to authenticate you on the network, although in a way that it doesn't trust the OS, etc. with the private key

eSIM functionality works by using a secure element that's built-in to the phone (Qualcomm SPU provides eSIM) and just puts the carrier secure element applet(s) there

strcat: So the real problems arise when I keep using whatsapp and all that other services and stuff that has my sim tied to it like telegram too.

At least my browsing will be more secure if I use some countermeasures from now on.

What happens with banking apps? Not much, right? Just more securely sandboxed in graphene?

so, essentially the same thing, just using a secure element built into the phone instead of the SIM card

we just don't have the high-level code for setting up eSIM

yarimob838: you're venturing off into other topics and it's too general / vague

strcat: Ah yes, sorry, I got carried away. This is all so new to me.

the answer to the question is the SIM card uniquely identifies you to the network, that's the fundamental purpose of it

Okay, so on the rest I have to be the judge of where I gave away my data when tied to it.

if you give apps your phone number (they can't get that by default), then they have your phone number

many apps requiring a phone number also allow entering one instead of giving the permission to get it automatically

and it could actually be a different phone number

eSim seems like a cool concept.

it's a nice convenience

I will go to OT to ask about it

but unfortunately we don't support it yet

the hardware and OS have support for it but we're missing the high-level app functionality to set it up

strcat: But eventually it'll be in an upcoming google pixel, right?

Half of it went completely over my head but reading the GrapheneOS raodmap - the goals seem pretty impressive

eSIM is already supported by Pixels

and the low-level implementation in GrapheneOS works

as I said above we're missing high-level app code for setting it up

Ah sorry, I misread you.

the issue is that this is provided by Google apps on the stock OS

which we don't include

so we need an alternate implementation of that functionality

That's cool to hear. Will SIM trays eventually vanish completely?

probably

some carriers may be reluctant to implement eSIM

it's important to get this working but we lack resources to implement alternate implementations for all the Play services, etc. functionality in the short term

So basically the GrapheneOS devteam needs to mirror what that gapp is doing... that's a steep goal.

we need help with things like this, or collaboration with other projects

this is relevant to any OS without Play services

* this is relevant to any OS without Play services / Google apps

Can we just remove the code that checks for gms?

But since it's all open the efforts never run into thin air, right?

I remember putting in a blank app there with the package name of gms

And from what I remember esim stopped crashing

anupritaisno1: it sounds like you're talking about bundling the Google apps for this

which isn't what we do

No

I just put in a dummy app in

you'll need to better explain what you're talking about then

Nvm

what code crashes?

Yeah you're right

as far as I know we're not including the apps with high-level eSIM support

I was using the official esim apps

we need our own implementation which can be shared with other projects

I don't think we can simply include those

and we do not want to hack things into working that are not meant to work

that's not our approach, it is bound to break in the future

that is how we would get stuck unable to upgrade to a new major release without dropping the feature and breaking carrier support for everyone relying on that hack

we can't do that stuff

need a proper implementation of this that can be relied upon to keep working and that's not unsupported

collaboration with other projects that need the same thing makes sense

hopefully they just add support for this to AOSP but remains to be seen

they've been adding RCS support, etc. not that we really want it

We can add the so called AOSP RCS packages

<anupritaisno1[m] "We can add the so called AOSP RC"> Does the useShimServer app count as RCS?

useShimService*

uceshimservice*

<anupritaisno1[m] "uceshimservice*"> Well, not sure if it's an intended system app in GrapheneOS

It is

I opened an issue on the Vanadium tracker: GrapheneOS/Vanadium #84

Help is needed for fixing/replication.

coffeebag: could you split your changes into 2 separate commits in 2 separate pull requests?

coffeebag: also look at android-review.googlesource.com/c/p…rm/packages/apps/Gallery2/+/1471522

there's a pending upstream fix from NXP

you could try that instead of your crash fix

coffeebag: I just applied that upstream fix - worth trying that

Hi, I don't know if this is the best place to ask but I'm wanting to build a grapheneOs rom for my device which isn't a supported one and because this is the first time I'm trying to create a custom rom I'm having some problems about it which I wanted a bit of help

So I wanted to know if I can ask here or if you guys know anywhere better to seek help

hello everybody, is here any admin of Grapahene OS online?

what is your question

I have one, when I was doing some reading about how to compile the rom for my phone, they said to put this repo github.com/HarukeyUA/android_device_xiaomi_sm6125-common on "device/xiaomi/sm6125-common", but how do I make to choosecombo to use it?

And this repo github.com/PMS22/android_device_xiaomi_laurel_sprout on "device/xiaomi/laurel_sprout/"

is there a way i could test the quality of my usb cable before trying to flash? i'm a bit anxious

we would like to talk about a possibilty to do a partnership with you. We read all the subreddit and we had a fuill pic about the community of Graphene OS. We understood you have a lack of resources and developers. We're privacy GEEK working on a encrypted phone centered mostly on the privacy, we also integrate privacy for blockchain and some other

features. We're also working together with Incognito and theirs developers and we want to find a way to integrate a Cold wallet for incognito chain with titan-M chip. As we know, company like Omerta used and sell smartphone with you OS. We would like to do similar but before that, we would like to make a partnership and work together with you to

make a bigger and more solid fondation. Are you might be interested in it?

Why don't you just email Micay?

mateusfmcota: what thats not a grapheneos repo though

I know, I'm using the generic aosp repo

louipc_: It's the device they're targetting

And adding the aosp tree

incognitopeople: yes I think you better email Daniel Micay about any partnership, but stay in the chat anyways

Sorry, what I've done is to clone the generic repo("RP1A.201005.006.2020.10.23.04") and add these trees there

But I didn't understood if I have to specify the build process to use the sm6125-common or not

E-mail could easily end up in spam. It's fine to express interest here, imo

incognitopeople: strcat[m] is the one you need to talk to

incognitopeople: i think any partnership is unlikely without any upfront monetary or code contributions though

he has lot of people asking him, or even 'imposing' partnerships

most go nowhere and some become nuisances

so you should prove you are neither

Even if it's true, I think we shouldn't speak for him

incognitopeople: do you have a website or some kind of online profile about your group?

how can i test the quality of my usb cable before flashing?

incognitopeople: Omerta is not partnered with us btw

GrapheneOS is an open source project

cark: it's highly unlikely that you'll permanently brick a device as long as you're following the official instructions

yeah, i'm following the install guide, i've just never done anything like this before so i'm a bit anxious

thanks

cark: I actually installed it on a Pixel 3a XL yesterday and I literally never did something like this either. The phone works and it went right on the first try.

*a few days ago

Bricking a device unintentionally is pretty hard nowadays

good to hear

okay Gallery app is working again with this fix from NXP submitted upstream

coffeebag: can you check the latest Gallery code, seems it works fine now with this fix applied

I'll take a look at your other change

i've just got graphene running on my 4a! thanks for reassuring me

<strcat[m] "replacement of the app sandbox"> Is this also what you plan to use xen for? If so, what kind of overhead would that cause?

anonhat: I doubt there would be significant overhead

we already do hardening that does have significant overhead for C and C++ code heavily using malloc

and exec spawning has a noticeable impact on app spawning time but has substantial security benefits along with (less substantial, but still clear) privacy benefits

hi all, thx for this awesome rom

though one question i have, when searching for updates, just nothing is shown, no toast or anything like im on latest version. i know i ise latest though an indicator that search was successfull is missing somehow

* though one question i have, when searching for updates, just nothing is shown, no toast or anything like im on latest version. i know i use latest though an indicator that search was successfull is missing somehow

<r0tt0r[m] "though one question i have, when"> Compare the version number with those on grapheneos.org/releases

<madaidan[m] "Compare the version number with "> yes i mean that is clear, i have current latest but how do i verify update search was successfull?

it doesn't give feedback like that atm

we have to decide how to implement it

I also found it a bit confusing until I ran enough updates to have sufficient confidence that the updater will show an update when one is available

<strcat "it doesn't give feedback like th"> thanks for the info so im good that nothing is wrong if its currently as designed, a simple toast : check successful imho sufficient

it'd be a notification saying it was successful

the check for updates action just schedules it to happen as soon as possible

if you have it set to wifi only for example and aren't on a wifi network until 2 hours later

it's not going to check until then

we'd have to make it so that the job scheduled by the settings action is special and triggers a notification if no updates are available rather than just for downloading and installing one

I just got stuck during flash all of a 4a device at "waiting for any device" after super_empty.IMG dtep. The device rebooted and is in the fastbootd screen.

* I just got stuck during flash all of a 4a device at "waiting for any device" after super_empty.IMG step. The device rebooted and is in the fastbootd screen.

I am on Windows 10 using the latest platform tools

What info could the nsa get by pinning a phone number tied to a phone with graphene. Is your imsi tied to your imei?

<redibc[m] "What info could the nsa get by p"> Yep

IMSI is your service subscription number (SIM / eSIM) with the carrier

IMEI is the hardware identifier of the cellular baseband

IMSI is what's tied to your phone number in a sense (although getting your carrier to give you a new phone number wouldn't change it, it's your subscription id for your carrier service on that device basically)

if you got a new SIM card it presumably comes with a new one

it identifiers the SIM basically

I doubt they'd give you a SIM card provisioned to have the same ID - maybe, I guess

They can

<cark "i've just got graphene running o"> Did you get stuck during flashing?

<dar_gomml[m] "Did you get stuck during flashin"> You can get remote support if you need help

anupritaisno1: can i pm you?

Yes

<anupritaisno1[m] "Yes "> anupritaisno1 sorry first time on matrix... Is this a pm? :d

Your EID is tied to your eUICC as well, if you think using eSIMs to switch your IMSI

<dar_gomml[m] "anupritaisno1 sorry first time o"> No

OK got it 😀

Is the pixel 4a 5G currently or planning to be supported?

No

No maintainer

It's the same SoC right?

As something

4a 5G and 4a

Same SoC?

No

4a 5G and Pixel 5

Same SoC?

Should be really easy to support 4a 5G if only changes are dt and vendor blobs

<cark "i've just got graphene running o"> Great feeling isn't it! I was there not long ago. Considering trying a 4a now

Where is the best place to purchase a Google Pixel device?

In which country?

United States.

Is it better to go through the Google store itself, or through a third party?

Dylanger[m]: 4a 5G is more similar to 5 than 4a

it should be called the 5a, really

but perhaps they already have a 5a planned part of the way through the year

<rosebushactivism "Is it better to go through the G"> Doesn't matter so long as you can be sure its a factory unlocked device. I get mine on fleabay

Leaving pixel 3. Much prefer 4a to 5 but not sure if 4a is a safe bet for future support/maintenance. Any guidance appreciated.

The only requirement is that it is not a used device.

<rosebushactivism "The only requirement is that it "> Mine are all used

I can't trust used devices.

I can't trust shop devices. Go figure!

Oops I meant afford

If you pick the seller of a used device, it can't be a setup, and all money trails to device are in someone else's name. Get a friend to buy phone for you on eBay and I think that's pretty darn optimal. But to each his own

I'll buy the additional electron microscope to inspect the circuitry then.

I wasn't involved in the community for any other release cycle, how long on average were the previous Pixel devices supported by GrapheneOS? Reading the FAQ, and correlating the information provided by Google, it should be at the most 3 years with the phones being maintained by Google during this period, but how much of that period is filled by contributions of the project?

Finally 😀 4a running GrapheneOS

Google included a 3.5mm output on the 4a?

yes

Hallo, since grapheneos has been updated from Android 10 to 11, my bank app crashes. I have deleted and installed Again several times but stil same. The bank app had maybe 8 updates but stil crashing.

<rosebushactivism "I wasn't involved in the communi"> Not sure if I understand your question correctly but my guess would be, as long as their is a maintainer for that device. Support can continue

I was asking how long it had been maintained on average in the past.

Pixel 2 was released >3 years ago, still has legacy support. No guarantees given

So far, I think, once a device has GrapheneOS support it has stayed that way till device support was dropped by Google

Except the Pixel 1 which was dropped after October 2019

best thing to do if you care about privacy, is buy the next newest support device for graphenos. It's the only way to be certain

There was another update from Google in Decemeber, but if I remember correctly GrapheneOS didnt do a December release

How soon after device release do devices get GraphenOS? Think the 4a may be the quickest yet. The 4/4XL probably the longest

hey its still experimental lol whys it in stable

I may wait for the Pixel 5 to be supported then, the 4a having a 3.5mm output is nice, but not necessary on a phone.

Although support for new Pixel phones won't happen now unless someone/some people commit to maintaining the device for the duration.

why wait rosebushactivism. support it yourself :D

What is needed?

rosebushactivism: don't think theres anyone who's said they'll take on the 5 yet.

someone wants to make a partnership with grapheneos.. i'd recommend he volunteer for pixel5 too

Someone should also make a case for the Pixel phones that has a camera cover like the ones developed for the iPhone. Maybe I can do it in FreeCAD and have a file to send to a 3D printer.

rosebushactivism: you need to build and test grapheneos for the device then report issues

I will do it maybe. Still new to this though.

Need to get a 5 first.

how many cameras do these phones have now anyways

like 4? 5?

I'm not sure how well 3D printing would work for moving parts, some assembly required?

3d print is bad

you better off using an exacto knife and some thinn plastic or cardbord material

<dazinism "hub.libranet.de/wiki/gra"> Will look into this, thanks for posting!

a couple dots of super glue or something

I also wonder how invasive it would be to develop your own power switches for the components in a phone.

what components

Wanted to help with support for the 5 but was looking around where to find more info about maintaining and what exactly is required

Is it posible 2 change imeion grapheneos? That would give the ultimate privacy

The microphone, wireless, and extra sensors.

dazinism: im wondering if i could pull your whole wiki in git..

that will be extremely invasive

dont forget the speakers

they can be used as microphones

About the speakers, does anyone know how the mute button on an iPhone works?

mute switch is more specific

rosebushactivism: maybe you are talking about the Librem Purism phone

i think he wants to make a graphene phone with all the switches lol

or librem 5. That device has physical switches which you can disable to stop mic from working

oh lol

I am looking to replicate the functionality of those devices, but they do not contain the strict security of the operating system featured in GrapheneOS, and am wondering if there is a slight possibility to get away with a DIY modification.

i'd do it for fun

but thats #grapheneos-offtopic :p

I cannot contribute to the codebase of GrapheneOS, but I can offer DIY solutions.

get some busted phones to practice mods on

At this point we should really just develop our own phone.

sure

louipc: if you goto wiki in the menu top left theres an option to download the whole thing as a zip file

*menu top right

Is it possible to change imei with grapheneos?

dazinism: ok but not something you can push/pull to/from

i love graphmeme os

its good4u

How do i add this chat 2 revolution IRC? Anyone?

chamchi: grapheneos.org/faq#hardware-identifiers

chamchi: server is chat.freenode.net port 6697 channel is #grapheneos

And password? Authenficatioj mode? Or can i leave those blanl?

leave them blank until you register

please join #freenode for help on the irc stuff

louipc: the wiki is on a somewhat random Hubzilla server(not mine). Don't think that Hubzilla wikis support git pull/push