Hey all, I am trying to get GrapheneOS on a Pixel 4a. I went and downloaded the SDK Platform Tools (ADB, and Fastboot), and the release "sunfish-factory-2020.12.12.03.zip". I have unzipped them both to a folder on my desktop.

I followed two (2) youtube videos while reading through the instructions and I am stuck on the flashing part. The Pixel 4a in in the fastboot screen and unlocked.

When I click on "flash-all" windows comes up and says not to run the program as it isn't safe, I click "run anyway". Then the command screen pops up, then disappears. Can anyone try and help out with what I am doing wrong?

Also, I should mention that I am indeed in windows PowerShell.

Nevermind, I fixed it. I had a space in the folder name and things weren't working when I went to the folder in powershell. I made the space an underscore and lots of lines are now doing stuff.

givemefuckinggraphene: follow the official guide grapheneos.org/install

givemefuckinggraphene: you're following unofficial install videos using an incorrect installation process

Actually, I just did what I normally do when I download things. It was my own fault.

I do have a question that the website doesn't seem to answer. How do you verify/audit the phone if you only have one?

givemefuckinggraphene: you can use attestation.app although the trust model for Auditor in general is trust-on-first-use and that's even more true for the service

is grapheneos.org supposed to read as angry as it does for me? Asked another way, would patches to it be considered?

s/does/appears to

grayhatter: I'd never really thought of it as angry, except maybe some in the history part. Example?

there's a few spots that seems very heated for the landing page. Alone none of them are serious enough, but taken together they build on each other.

> [...] users don't understand the substantial [...]

> [...] rather than taking the monopolistic approach of forcing it to be bundled into the OS in a deeply integrated way [...]

> [...] mulit-year trainwreck [...]

<grayhatter "> [...] rather than taking the m"> That's fair on Google Play services tho

Cherrypicking lines out of context won't help anything

It doesn't read as angry to me personally, but I can see how lead dev's writing style and demeanor definitely can give that impression

<grayhatter "> [...] users don't understand t"> That's on the security model, and can't really expect average users to have a full understanding of such initially

Unsure what's wrong with that

Lia[m]: I could copy the whole paragraph into irc, but that seemed *less* helpful

I also think the home page probably needs some love, I've sent it to folks I'm trying to tempt away from android proper, and it's sort of an impenetrable wall of text to someone just getting acquainted with the project

that's why I mentioned it; it's clearly really passionate, which is a good thing... but it's not great as a landing page

What can you expect if even the devs can't handle properly implementing security practices on apps

it's very informative, and intelligently written, but it's not a great "elevator pitch"

Some of the devs, rather.

imo it needs to be punched up, and there should probably be some pretty images/screenshots to break up the text a bit better

Suggest doing a pull request to reword them to what you think is better.

Guess the project still isn't aimed at prime time...

is the site all in git?

I would love to submit edits for consideration

Ideally would have an integrated app store etc.

Yeah

github.com/GrapheneOS/grapheneos.org

...so maybe dont want it too attractive yet?

being ready for primetime isn't really the question

@DzzzzzzR:matrix.org fair enough

it's about avoiding putting up barriers to new users

presumably some attention to the project is wanted

more users, more attention, more donations, more interest, it's all good for the mission

There was a request not to have lots of pull requests for changes to the site a while back

Don't know if that still stands?

Unsure

Guess it depends if strcat is up for folks suggesting changes.

Probably best to wait to hear something here, before possibly spending time on something that maybe won't be looked at.

lev[m]: > ... it's all good for the mission

ehhh, the complaints : donations : devhours is hard to get right, and easy to fuck up

grayhatter: can't hurt to try submitting patches. It might take a long time to get them merged though

i actually rewrote irc rules to sound more direct and less pleading

because they're rules right? :p

original rules author was ok with it but not merged into website yet

the main page has to be redone completely

most stuff should be moved here

moved some of the content on the main page elsewhere, further help with that is welcome

initially the site only had 1 page and everything was there

sup

nm u

Anyone else not getting notifications for SMS?

<Golli[m]2 "Anyone else not getting notifica"> Yes, it tends to be random delays

Hi. Is Pixel 4A 5G supported ?

temp4244[m]: No, it isn't. See grapheneos.org/faq#supported-devices

Would i be able to flash grapheneOS on a pixel that is locked. And then unlocked ?

What are the carriers confirmed to be compatible with Graphene for US?

I'm on T-mobile and everything works great, except visual voicemail

Anyone else here using other carriers besides T-mobile?

buffmuffin[m]: You need to unlock the bootloader before flashing GrapheneOS. If you're done, you need to relock it (important!)

So GrapheneOS is more or less wanting to implement a hypervisor-like system, would the new Snapdragon 888 make this goal inevitable?

btw i mean a carrier locked phone

buffmuffin[m]: You mean whether you can install GrapheneOS after a carrier locked phone gets unlocked by the carrier? Then yes, you can. Read the 4th paragraph at grapheneos.org/install#prerequisites

Golli: my guess is that thats not gonna happen in the near future as

firstly the hypervisor implementation might still not be a full fledged completely usable for a project as big as grapheneOS

secondly that would require some sort of partnering with qualcomm (entirely my guess good chances i am wrong here ) but they still dont support the proper development of a strongbox like the titan M implemented by google

Mind you , take my comment with heaps of salt

But i do look forward to being a working part of the process ! Just scaling the learning curve right now.

Well just search for snapdragon in this room and youd get the answet to what you asked

Im inaccurate for the most part

there you go strcat's comment maybe a bit out of context :

Weaver is the main feature we'd be missing if we simply partnered with a company to produce a high quality Snapdragon device based on a reference design, with a focus on security, because as far as I know the Snapdragon SPU doesn't provide a secure timer for Weaver - not sure if that has been addressed for the upcoming generation

hope that helps you Golli

Greetings. Just found Graphene, and I was actually thinking of getting a Pixel for a secondary device for stuff that might require a bit more secrecy.

Though I've been eyeing the Librem Mini for such a task too, so it would be nice if I could get a bit of an opinion.

Apologies though if this sort of comparison type of question isn't encouraged.

welcome and great that you got to know of grapheneOS! Although we have the room

#grapheneos-offtopic:matrix.org

which is for discussion relevant to grapheneOS but still not just about it that is a bit on the periphery whh dont you try that out ? Pretty much everyine who hanga out here can also be found there

the Librem is far less secure than GrapheneOS or even stock AOSP

bit off topic though

#grapheneos-offtopic:matrix.org ?

Google, Qualcomm lay the technical groundwork for 4 years of Android updates

Starting with the Snapdragon 888. Exciting news, bringing AOSP (and presumably GrapheneOS) support more in line with iPhones.

He joined it already somenerd

yeah I just saw it

Why isnt the auditor app in f-droid ?

> Why isnt the auditor app in f-droid ?

wasn't built yet ig

Would you guys recommend LineageOS for my gf's pixel 2XL, since the EoL of graphene

<theinstallationw "Would you guys recommend Lineage"> I would rather use GOS than Lineage even if support for the device was at EoL.

Why is that?

Well, can't find security and privacy enhancements there in LineageOS

lineageos breaks the security model of android as welll

I assumed that an up to date system was going to be more secure. I also thing she doesn't need t switch now, but in a few months she should probably either buy a new phone or switch to a supported OS, no?

* I assumed that an up to date system was going to be more secure. I also think she doesn't need t switch now, but in a few months she should probably either buy a new phone or switch to a supported OS, no?

That as well

Yeah

If the source level support and all security updates to firmware of GPU etc. is dropped, in what way could LineageOS provide a more secure operating system? (Actual humble question)

Because isn't the thing:

Every extended support (what you would call "more up to date") wouldn't provide a newer patch level. That's the reason why GrapheneOS dropped the support; it's not possible to properly secure the device (anymore)

None? They aren't aimed for security and privacy in the first place, but for tinkerers and those who dislike stock OS without that much options

The only "privacy" they had is it's based on AOSP, no google stuffs, and they can also remove privileged carrier apks

Other than that, userdebug and unlocked bootloader alone already causes security and privacy holes due to weakened sandboxing, lack of software integrity protection (as in malwares can persist properly), adb on by default, exposing root at adb, etc

Quite offtopic, but just answering this today for safekeeping in logs

Nvm, bridge broke again apparently

I got a question, what was your guy's experience booting Graphene OS for the first time.

Even though privacy and security are important, for me getting out of a proprietary ecosystem was the most important thing. If they can get into my phone with physical access, I don't care. As long as they can't get in remote.

<sejiyis[m] "I got a question, what was your "> Exciting, takes a whilt to boot though

> <@sejiyis:matrix.org> I got a question, what was your guy's experience booting Graphene OS for the first time.

* Exciting, takes a while to boot though

<Lia[m] "> <@kopolee11:matrix.org> Google"> Does that benefit GrapheneOS at all? Can we have build for an additional year based on that?

* Even though privacy and security are important, for me getting out of a proprietary/google ecosystem was the most important thing. If they can get into my phone with physical access, I don't care. As long as they can't get in remote.

<theinstallationw "Exciting, takes a whilt to boot "> I havent noticed this

Depends on the hardware I guess

theinstallationw: A lot of security implementations are complementary, I guess. If you e.g. completely destroy your bootloader security, changes that are made through remote explotations will remain, too

Just undermining basic security features to be proprietary free is not quite rational imo

You make the premise that you won't be hit by remote explotations (yea, arguably low probability), but pretty much everything in the Pixels hardware and security is built to put as little trust in networks, apps, etc.

hardware and *software

That's a fact, but since I only have basic/intermediate linux and sysadmin skills, I can't really see for myself how secure an OS is. I have to trust that graphene or even lineage are secure enough, just as I would have to trust google with a stock android. Except I don't trust google, but I do trust a big enough FOSS userbase

These are the reasons why they are considered secure

That's why we try to teach the actual underlying technical details (see long conversations that strcat is willing to take part in and GrapheneOS' documentation), so you may be able to judge on your own

That's why I appreciate this community so much.

And it's why I'm on the beta version. I might not know how to write complex code, but I can contribute by reporting bugs. Although I need to stop using my phone as an alarm clock. Overslept a few times too many this month because my alarm didn't go off ;)

It may create an image that GrapheneOS is talking badly about other projects, but I don't know how you could address it in another way. Especially when people are searching for a secure and private OS. If GrapheneOS puts so much work in it and tries to e.g. provide bootloader security (which is so important in so many ways) and there's another project that doesn't care about it and just

undermines it, I don't know how you could label the other project as being a secure OS. Ofc, if you actually want something else than a secure system you may go for it (the other project <whatever it might be> isn't intrinsically bad)

i guess just choose words carefully and specifically

stick to the specs

Right, that's what I try to do

And I'm open to be proved wrong if I say something wrong

yea

we'll see when that device is supported

I will never be resentful if a user says something wrong, because I could be this one user

Ideally, this can also mean that GrapheneOS dev team can take time to port a 4th OS update too

That opinion is solely mine though.

What's wrong with saying something as is

nscnt: I understand and thank you for your explanation. I might not be an android dev, but I understand some of the basics of cybersec. And since graphene OS is unique as a custom rom in their security approach, you wouldn't be 'talking badly' about other projects. You're just comparing and pointing out some of the possible security issues.

Well... It's not only what you say, but how you say it that matters

Agreed on that, focus on what they offer on their OS.

<theinstallationw "That's a fact, but since I only "> You don't trust Google to preserve your privacy. You probably do trust Google to engineer an OS that is relatively secure though.

<hypokeimenon[m] "You don't trust Google to preser"> but if that would be the case graphene would be obsolete

<r0tt0r[m] "but if that would be the case gr"> Graphene as a project takes what Google has done and further improves it.

<r0tt0r[m] "but if that would be the case gr"> That IS the case. But that doesn't make GrapheneOS obsolete.

The target audience of GrapheneOS is different though + GrapheneOS also has a focus on privacy alongside security.

Privacy can be thought of as an extension of security.

The less parties have access to your data the less chance there is of compromise.

Yes no real privacy without fundamental security

* The fewer parties have access to your data the less chance there is of compromise.

* The fewer the number of parties that have access to your data the less chance there is of compromise.

Both privacy and security involve not just software choices but user best practices even with grapheneOS not very difficult to land in some rrouble

*trouble

theinstallationwizard: Pixel 2 cannot receive full security updates anymore, there is no solution to that, there is no OS that will provide them

theinstallationwizard: it's an insecure device now

Is there a reason why this group is not encrypted?

theinstallationwizard: it no longer receives patches for remote code execution vulnerabilities, it is certainly not just an issue for physical access

theinstallationwizard: recommend an iPhone if you want to use devices longer than 3 (soon 4) years

theinstallationwizard: also, it's off-topic for this channel, since it's not actually about GrapheneOS

theinstallationwizard: also you're stating something that isn't actually accurate: we haven't completely dropped the Pixel 2, but it is no longer possible for us or others to update the security patch level beyond 2020-11-01, anything claiming to be higher is just being represented dishonestly

<aosp[m]1 "Is there a reason why this group"> Public room. No need because people can come and go.

which is unfortunately an issue with pretty much every single other aftermarket Android OS, they put a false security patch level despite knowing it's inaccurate

and they try to play games arguing that what they do isn't wrong even though there is a clear way it is defined

and it is clearly defined that what they are doing is misrepresenting it to users

and if an OEM did it they would get in trouble

<strcat[m] "which is unfortunately an issue "> Does this include vendors like Samsung that provide 'quarterly updates' after the initial 3-year period? That's scummy

no

it doesn't

I'm talking about aftermarket operating systems setting an inaccurate patch level, I think I was pretty clear about what I said

* Does this include vendors like Samsung that provide 'quarterly updates' after the initial 3-year period?

they aren't misrepresenting the patch level

Yeah, I misunderstood

providing full security updates for longer than 3 years is of course fine...

misrepresenting incomplete updates not covering half of the security updates as full security updates

and setting an inaccurate patch level

is the problem

providing incomplete updates and freezing the patch level at the final obtainable one is fine - the device is still insecure, but it's not misrepresented as secure

there is a clear definition for the patch level

the patch level covers a lot more than AOSP security updates

and a patch level like 2020-12-01 includes all previous patch levels: 2020-11-05, 2020-11-01, etc.

if you are missing a single 2020-11-05 patch then you are stuck on 2020-11-01, the patch level is supposed to communicate to users the full security update patch level

and if you only have AOSP security updates, you're missing half of the overall security updates

and it's incredibly misleading to be incrementing the patch level anyway

not just misleading but a direct violation of how the patch level is defined

How would you know if the patch level / date includes the complete security updates or not?

and an OEM doing that would get in trouble

hypokeimenon: the purpose of the patch level is to communicate that

if you use an aftermarket OS other than GrapheneOS, in general, the patch level is set inaccurately

it is mostly set accurately by OEMs - not always

<hypokeimenon[m] "Public room. No need because peo"> Thnx

I just realised all this time I wasn't actually thinking about aftermarket OSes

Just OEM skins of AOSP

<strcat[m] "theinstallationwizard: also you'"> If for example LineageOS developer takes last Android with all security updates and adapts it to any abandoned device. At what stage here security updates are lost, not implemented?

Or those required updates are specific to the part of device software and font come with Android update?

Could you clarify?

* Or those required updates are specific to device software and dont come with Android update?

Could you clarify?

Desktopian: please fully read what I wrote above, thanks

did you miss that half of the security updates are not available via AOSP?

if you don't have security updates from the vendor, you are missing half of the security updates, and they are not making replacements for those (and can't, when it comes to firmware, which is most of what's required)

Desktopian: take a look at a some of the monthly security updates

take note of how many of the updates are to firmware components like the GPU and many others

Desktopian: I think I was very clear with what I said above

Desktopian: and I hope you can see why misleading users with an inaccurate patch level is harmful and dishonest

you're demonstrating that it misleads users into thinking they are receiving the security updates when they aren't

the patch level is defined as covering everything in the bulletins

if you ship only the AOSP security updates, the patch level ends up frozen at an old value

so, for the Pixel 2, the final full patch level with the stock OS was 2020-10-05

getting to 2020-11-01 from there is covered by AOSP security updates, and that is the final achievable security patch level

now, most aftermarket OSes will continue incrementing it beyond that even though they aren't providing half of the security updates

which is harmful to users, incredibly misleading and is not justified by them trying to redefine what the patch level means

the patch level has a clear meaning understood by everyone - it means that you have all the security patches up to that point in the bulletins

2020-11-05 (and beyond) requires a bunch of firmware updates including new GPU firmware (and driver changes to go along with that), etc.

the overall patch level refers to everything as a whole

so, go look at the update Google released in December for the Pixel 2

2020-10-05 patch level (they could have gone to 2020-11-01 as we did though)

in the future, please refer to past discussions (such as this one) for topics like this that are brought up repeatedly

apologies if this isnold and resolved, i have been away a few days

is this guy for real a founder? you will need a translater web site to read, unless you speak danish

sloppy journalism if not outright fraud, he quotes the webbsite extensively (interview reads like the site actually)

<jayell[m] "is this guy for real a founder? "> That's Dutch, not Danish.

guess could ask for a retractment

jayell: no, he's not a founder / co-founder

strcat: now understand.

he was selling phones with our permission and sending a portion of the money to us, and he did help the project in various ways

but, unfortunately, he seemed to get the wrong idea of his involvement and misrepresented it

I repeatedly asked him to stop, and to some extent he seems to have stopped, but not entirely

it's pretty unfortunate because he was actually providing help and some money, but he was also still being misleading / cagey to people and he kept delaying updating things / turning things over to me

jayell: the fact that this was happening in the Netherlands mostly in a language I don't know (Dutch) and with me having very little insight into what he was doing

Does Omerta donate money? They sell phones with GOS

is part of the problem

joehandcockandjames: no, they don't donate or help us

That's such a shitty thing to do smh

Ncryptcellular is on good terms with us and supporting us, SPP is moving towards that - neither is us though, they are their own companies

Abdoul Rasnab was genuinely giving us money and helping us but at the same time he wasn't properly conveying what his connection to the project, and he did listen to me to some extent but not fully

he wanted to make a company with me but I don't want to make a company

and essentially he proceeded as if we were doing that

didn't accept the boundaries I set and what I said no to

he did help us though, and I think he just has issues

I've tried to avoid personally calling him out on stuff

was trying to address this with him

however does not appear that I can keep doing that, it's unfortunate

I don't understand why people have to cause these problems shrug

Is there a list somewhere of Ncryptcellular, SPP, Rasnab etc.

hypokeimenon: not right now

Why is the subreddit marked as NSFW right now?

thanks strcat. i KNEW you were sole founder, had to live thru having your previous partner ruin it.he still owes me if you asked me. :(

so i do not get notification dots for phone app or signal, is this a known issue? i am on verizon but cant imagine this is a carrier issue.

I created the project in 2014, as my open source project, and yes there were 2 people that I worked with to try to build a company around it - but the initial creation of the open source project was me, James never had any involvement in the open source project

jayell: make sure it is enabled for your launcher

it's a toggle

it should be enabled by default but maybe you've had the install since before it was

haven't checked if it's enabled by default after a fresh install

i am able to help with testing, but not an android dev. if that knd of help is needed.

Pm me for testing

strcat: i believe its on in any setting i can see. ill check again later (after an appt)

anupritaisno1: i sure will. be a little later this evening thought.

Is it just me or is the subreddit marked NSFW right now?

flabbergasted: I'll take a look

Hey strcat, what's the scope on the Graphene OS development for pixel 5 devices and if theres no development being done on the pixel 5, will there ever any development for it?

* Hey strcat, what's the scope on the Graphene OS development for pixel 5 devices and if there's no development being done on the pixel 5, will there ever any development for it?

devices require a maintenance team

sejiyis: there is no vendor support for it yet

all the information we have available is on the site

okay, thanks

Does verified boot / locked bootloader protect against evil maid attacks?

the primary purpose is mitigating attacker persistence with privileged code

the secondary purpose is making compromising the device with physical access more difficult - but it's not the main benefit

hey fellas just wondering for those in the US what phone plans / telecom companies do yall use for your phone plan?

offtopic

Hi , i have an issue with installing google pixel 4a

I had a custom grapheneos software and i want to put the official one in, but i cant install it without putting this command in terminal

fastboot snapshot-update cancel

After doing that i can install, but am i now cancelling updates of something is this going 2 be repared after ota update later?

did you try the install script?

What do you mean, i downloaded the file from grapheneos, but when installing i get a error port b or something, i googled the error and saw on reddit that fastboot snapshot-update cancel wil solve the problem, so when i did that i could continue installation and finish

but i dont know what the command means because i googled it,

Maybe i canceled some updates for future i dont know,