hmm, it's nice but in what case is it useful? you can choose not to trust an update consisting of a signed binary blob that you can't audit anyway

I think you're missing the point

probably - which is why i'm asking

if the NSA gets your phone (assume it's powered off / main profile isn't active), they cannot bypass the throttling by coercing the company that makes the secure element firmware or infiltrating them to get access to their signing HSM, etc.

they can't demand it, it can't be given to them

they actually have to exploit the secure element somehow which is a substantial task to do

and has a good chance of failing+ destroying the data if it involves a physical attack

* and has a good chance of failing + destroying the data if it involves a physical attack

* if the NSA gets your phone (assume main profile isn't active), they cannot bypass the throttling by coercing the company that makes the secure element firmware or infiltrating them to get access to their signing HSM, etc.

sklv1: it's a protection against the FBI vs. Apple situation

that's one of the reasons it's better, not the only one

but on iPhone to update the firmware, it has to be on, and unlocked. I guess the difference is exploiting the OS vs exploiting the secure element.

sklv1: exploiting the OS is not hard for a sophisticated attacker with physical access

they can just not update the phone for a month

they don't need any 0 days

ok different question - how much longer will my phone be supported if I get pixel 5 instead of a pixel 4A

they can happily use old, public vulnerabilities

they could use some PoC a researcher published on their blog from 2 months ago, just wait long enough

sklv1: Pixel 5 and 4a (5G) are supported for the same time period

sklv1: Pixel 4a *guaranteed* support is a few months lower

but in practice it may be more of a difference than that

because if they ended up being able to extent support for 6+ months for Pixel 5 / 4a (5G) past guarantee that doesn't apply to 4a

4a already got released really late compared to when it was supposed to be

it's unlikely to get a single month of extra support, I think

can someone help me with a build issue, i'm running "script/release.sh blueline" and everything seems to be fine but in the end i get a weird error, heres a link to the output. help would be appreciated. pastebin.com/stRTKfip

out/target/product/blueline/obj/PACKAGING/target_files_intermediates/aosp_blueline-target_files-2021.04.27.14.zip

that file is missing

did you run `m target-files-package` when you did your build?

you can look for yourself at the directory and see what's in there

ah no

can i run it now after the build?

yes

or do i have to run and rebuild.

no just run it now

ah ok thanks

it'll figure it out it has no work to do for the rest of the build (since nothing changed) and just make the target-files-package

love the swift response 🙂

for dev builds you generally just use `m` and flash the non-release-signed images

for release builds you use `m target-files-package` to get the stuff packaged up into a target-files-package zip

because the signing scripts work by converting target files package -> signed target files package, then generating factory images and signed OTA from that

ah ok so i don't have to sign for dev builds

that makes it easier

Also GrapheneOS disables updatable APEX components for the officially supported devices and targets inheriting from the mainline target, so APEX signing keys are not needed and this section can be ignored for unmodified builds.

yes for dev builds just do `m` and flash the images and leave it unlocked (you could technically lock, it's signed with the publicly available AOSP test keys, but it's useless)

this was a bit confusing

also `m` doesn't generate a target files package, OTA package, etc. which is a huge waste of time

for dev

because if you change one tiny thing and rebuild, `m` is pretty fast (incremental build) if your change doesn't require rebuilding much

but if you add the work of generating all those zips/packages, signing, generating more, it's a lot of time

so for example if you rebuilt the kernel, and did `m`, it's going to figure out it only has to regenerate boot.img

if you tested with signed builds... you have to do the whole target-files-package generation (takes a while), sign everything (huge waste of time) and generate OTA and/or factory images from that to use it

ok yes that is much more efficient

with the dev builds do i have to sign Apex components

or can i leave that the way it is

deadlydata: we use flattened APEX, they don't need to be signed ever

deadlydata: even if we didn't, for a dev build, they'd just be signed with AOSP test keys

you don't need to sign anything unless you're making a secure a release build

ok so i'm good to start modifying and building it would seem

`m` makes a build that is signed with AOSP test keys, it's usable as is

target files is just the way that the build is packaged up to be used in other ways, it just bundles everything up into a huge zip

release signing is implemented in a way that you can do it on a different machine, etc. using the target files package and ota tools package made by those commands

release signing is a post-build step

it's not part of the build

and you can use the build as-is, without release signing, always

you can make a `release` and `user` build and use the result directly and then decide to sign it with release keys too

separate tasks

strcat: Can you reccomend me a good Emulator setup to effeciently test the rom builds fast

deadlydata: just build for the x86_64 generic / sdk target

the source tree comes with an emulator that understands how to run a build

you can use an arm one too but x86_64 one is nice since then it's fully hardware accelerated

source script/envsetup.sh

choosecombo release sdk_phone_x86_64 userdebug

m

emulator

deadlydata: I would recommend clearing `out` between switching targets although it's not strictly required (it doesn't share much between totally different targets anyway)

deadlydata: and then leave that shell open, and just `m` and run `emulator` again to test

deadlydata: if you close the shell, open one up again, source script/envsetup.sh, choosecombo release sdk_phone_x86_64 userdebug and it has picked up the stuff for the previous build

and you can run `emulator` again or `m` to rebuild

there is a way to package up images for use in the Android SDK emulator but it's not worth it, just use the one in the source tree, it knows how to use the build output directly instead of packaging it up

deadlydata: we only provide Vanadium prebuilts for arm64 and x86_64 so x86_64 is the way to go for emulator, if you did x86 you'd have to build Vanadium 1st (or omit it)

thanks for the info dude, this helped so much , :)

deadlydata: in many cases you can just make changes + rebuild (incremental build)

in some cases your changes will require a massive rebuild anyway (changing some compiler thing, core build infra, something like libc headers, etc.)

in some cases you do need a clean build because the incremental build stuff isn't perfect (removing a package, changing build definition stuff, etc.)

you should always do a totally clean build for an actual release

i.e. remove out

first

ah ok so i can mess about with the debug builds and i don't have to worry about the out folder when switching targets etc, but when building for release it's important to start with a fresh out folder.

i've understood this correctly right

* i've understood this correctly right?

deadlydata: you may want to clear it if you're switching targets because it can hardly reuse anything so it's wasting a ton of space + there could potentially be issues from it

deadlydata: there are *likely* issues from it, depends on the exact details

i had the target on blueline

by switching targets I mean a different choosecombo target beyond just switch user <-> userdebug, etc.

but i switched it to sdk_phone_x86_64

deadlydata: yeah so if you're going to be doing x86_64 sdk build I'd definitely clear out/ first just because it can hardly reuse anything anyway + it avoids any potential issues

there will be hardly anything in the 'common' build output

deadlydata: nearly all build output for you atm will be in out/target/product/blueline

it can only reuse stuff in out/target/common

i should delete everything in out folder right?

/out/

deadlydata: so, it's fine to just build x86_64 target with that already there, but unless you're going to build blueline again incrementally just remove out/

if you ARE going to build blueline again incrementally (i.e. another dev build) you might as well keep it

just be aware in theory it could have something non-portable with the stuff in common

yeah my goal was to edit blueline, because that's the device i hold

in the end i want to flash a modified image on to my pixel 3

but that's after developing allot of stuff first. ofcourse haha

could i run choosecombo release aosp_blueline userdebug

choosecombo release aosp_blueline userdebug

m

emulator

this would work also right?

you can't run a build for the device like that in the emulator

you need either generic or sdk targets

you can run an arm64 build in the emulator but it won't be hardware accelerated

but you can't use a blueline one

Any reccomendations on Pixel 4a Vs 5

I use a 4a and have enjoyed it.

Nice

Get a Otterbox case and Glass Screen protector

for maximum protection

And camera blocker stickers

And cover the fingerprint scanner

LTE Only mode

And VPN

Signal for encrypted calls and texts

= Secure

Why no finger print?

 Finger Print identifies my body

my fingers

So the fingerprint scanner could be hacked to scan and send my fingerprint to NSA

to identify the phone user

also police can have you use your fingerprint to unlock your phone, but can't force you to enter a code

^^^

Hmmm

I see

<ATTNSA "my fingers"> I unlock my phone with my toe

still personally identifyable

id reccomend a 12 didgit pin or password

Seems very inconvenient to ditch fingerprint due to fear of the NSA. That level of tinfoil hattery would just get me off smartphones completely.

exactly

its easy to just use a pin

Graphene OS should let us VPN the hotspot wifi

so we have VPN enabled on GOS

then setup hotspot

connecting devices route through our GOS VPN

All this fingerprint awareness makes me wonder: Does the OS store physical fingerprints as visual images in the OS as references for the fingerprint sensor, and/or are they converted to cryptographic salted-hashes that hide the true fingerprint hashes from the rest of the system?

hopefully the second way

Thatcher: the OS does not have access to fingerprints

Even better

fingerprint fuzzy hashes are stored via TEE or secure element

Shit, I keep forgetting about the secure element. Doh

Truely unlimited LTE data > 50 Gigs LTe per month for $45

USA Verizon or Tmobile

You can set up a passcode and fingerprint as 2FA for unlocking the phone right?

No

Not in the way you're thinking

Its either PIN, password, pattern, or FINGERPRINT

Yes Goyim, use a fingerprint password so the police can unlock your phone

Much more than police actually. You could be asleep or passed out drunk and someone could snag your print while you are in lala land.

yes

I've had my phone stingrayed 10 times per minute the past few days

Ever since I uploaded images of children in the biden smuggling fema camps

Let's move to off topic channel

My phone has been getting hacked

ok

#grapheneos-offtopic:matrix.org

<ATTNSA "Ever since I uploaded images of "> The don trump uses graphene

<Ed[m] "The don trump uses graphene"> Source?

Dont know if real or trolling XD

Hey guys

I read in a reddit post that there was a system app for recording calls? Is it still available? And how does one access it?

If not, any way I can record calls? Tried an app, the recording is there but its silent

Off topic

tkennedy365: I do not see an option for recording calls using the phone app, even after adding a sip account in settings -> calls -> calling accounts.

Also #grapheneos-offtopic:matrix.org is better suited for this.

Okay sorry. FYI you can try using the screen recorder app but unfortunately calls still seem to be silent

there's a screen record quick tile

you shouldn't need a third party app

tkennedy365: I did come across this support.google.com/phoneapp/answer/9803950?hl=en

 

However, as far I know, it was disabled due to privacy laws if I'm not mistaken.

Since this update I cant install any new update

It downloads and them it restart in the update boot process

nonie689: Which device? Which release are you on currently?

4 flame

Look at the Screenshot

Box In A Box™ (@B​ox_Boi) has joined the Telegram Group!

<B​ox_Boi> 🏃

nonie689: What should I see at the screenshot? It doesn't include what I asked for

I have sideloadet the latest Version

Same error

Its reboot on the installing process

and then i can login

after the sideload it doesnt retry the Download and install maybe it is fixes

D

Is it normal that the device reboots?

nonie689: Rebooting while it's rebooting? No. Sounds like it's rolling back

* nonie689: Rebooting while it's booting? No. Sounds like it's rolling back

akc3n: tkennedy365 play.google.com/store/apps/details?id=com.google.android.dialer recording 1Available only on some devices that have Phone pre-installed. Screen recorder works but you have to put speaker phone on and turn volume right up. Not ideal 🤣

Ashwaq (@A​shwaqHussain) has joined the Telegram Group!

can someone tell me where in the source code I can find the boot animation?

* Could someone please tell me where in the source code I can find the original graphene OS boot animation?

<L​73689> Whats the secure element?

<L​73689> So I don't use a pin, I use a long password, this still uses the secure element doesn't it?

rate limiting is enforced by titan m yes

<L​73689> Rate limiting ? Is this the " wait 6 hours to retry" thing

<L​73689> Not gonna lie I absolutely love graphene os on the pixel 5

yes

<nscnt[m] "nonie689: Rebooting while it's b"> How can i fix it

<nonie689[m] "How can i fix it"> You should not sideload updates, I think its rolling back because the update failed. Correct me if im from nscnt

* You should not sideload updates, I think its rolling back because the update failed. Correct me if im wrong nscnt

Well, it rolls back _for a reason_. I don't know what's wrong for nonie689, though. Updates are tested to be able to update to another future release

and because sideloading didn't work as well, there's nothing wrong with the Updater

An update has certainly not caused this

o/

nscnt: hm... what can i do?

nonie689: sounds like your device may be broken and has failed storage or something like that

you're not providing enough information

what version are you on right now?

for starters

hi

Hello, Need help getting sellinux permissive to work on "eng" build type, I modified this file: device/google/redbull/BoardConfig-common.mk, added: BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive, the problem the generated factory image will not boot due to this error: fastboot: error: Failed to boot into userspace fastboot; one or more

components might be unbootable. .. appreciate any help in getting selinux to permssive mode in "eng" build type

SELinux permissive isn't supported

even in "eng" build type?

you would have to build a kernel with support for it

it's not useful since that's the basis of most of the security model, what's the point? it's like turning off uid/gid support in the Linux kernel

user and userdebug builds are also really the only build types we test/support

userdebug for development

what does eng do that you want which isn't provided by userdebug for development?

I just want to figure out an issue I'm facing, it would be much easier in permissive mode to know the root cause of the issue, I have a service running with its own domain as permssive. its working fine in executing any command, excepts for command using the binary "/system/bin/cmd". Anything related to this will not work. howevern, if I run my

service by just calling it from shell: /system/bin/myservice, it works find even while executing commands like "am" "pm"\

the service written in golang. any command executing by the service using: os.exec works fine, except if I'm invking commands related to: /system/bin/cmd

if there are SELinux errors you can see those in the kernel log, etc.

* if there are SELinux denials you can see those in the kernel log, etc.

if you want permissive you'll need to build a kernel with support for it

SELinux is part of the core permission model and you have to build things with it in mind, it's not simply an extra layer of security

Hey everyone. I would like to ask: if I give permission to an app to access media on my device, what exactly does that mean. Which folder or elements will that app be allowed to access?

Its probably not even a grapheme specific question, is it? I could just look it up on android help page?

*graphene

not GrapheneOS specific in any way

as a general rule, don't give apps blanket access to photos and other media / files

But the real question would be: its an all or nothing access right?

they can request case-by-case access

Couldn't be granular?

panoramics: no, they can certainly request case by case access

panoramics: open a file with the PDF Viewer app

doesn't ask for a permission, uses the file manager to open files

apps can also open directories and save files that way

they do not need to ask for coarse access

OK, interesting

My goal would be to give let's say an app like WhatsApp only access to certain photos but not to others.

apps don't need permissions to save / open files and directories, they can ask you to choose what to allow instead

and they can ask for persistent access, it's not just temporary

So its like an always ask permission?

panoramics: so don't give it access, and if they don't support case-by-case access, so be it, give a 1 star review

panoramics: I don't know what you mean

as I said, apps can request case-by-case access to open / save files/directories

they do not need to request bulk access to your profile's photos/media/files

if you don't want to grant the app what it requests, don't grant it

if the app doesn't provide a way to give case-by-case access, complain to them

you can see how case-by-case access works with apps that respect privacy and user consent like our PDF Viewer and many others

apps do not need to request coarse access to all photos, etc.

they can, but absolutely do not need to

they can request access to a specific photo or a directory of them, they should be giving you the choice

please take it up with app devs, leave reviews on the stores about it

not respecting privacy / user consent is worthy of a 1 star review

OK. So of course a shitty app would ask for the broadest access possible and then I could only say yes to all or no to all

panoramics: yes

panoramics: although the OS is phasing out being able to request access to ALL your profile directory's files

panoramics: it is gone for API 30+ (which is becoming mandatory for both new and updated Play Store apps soon)

for API 29+ it's gone by default but apps can opt-in to legacy shared storage access

panoramics: so, similarly, an app can request that you pick a contact for them to use, they do not need to request access to ALL contacts

panoramics: and, as another example, an app can request that you take a photo, it just opens up your chosen camera app and you can take a photo with it, they do not need to request camera permission access other than to provide their own camera UI and do real-time filters, etc.

<strcat[m] "panoramics: so, similarly, an ap"> I was hoping that there would be a way to enforce that but I understand that isn't possible. Got it

although if they do ask for camera permission access, you can just grant one-time access

same with microphone

panoramics: I mean, you can enforce it

panoramics: just don't say yes, you're enforcing it

😄

panoramics: of course, that doesn't force the app developers to implement another way of doing it that's more privacy respecting

Yeah, unfortunately it would have to be a case by case, sometimes I would need it, sometimes not. But the way I understand it, that won't really work. So I'll have to adjust. That's fine

the OS can't force app developers to implement something, it can just take away options from them

hi - is it possible to prevent the Google logo displaying when you boot up Grapheneos? Is it coming from the kernel or from some device firmware?

such as how the option to request full shared storage access is being removed

grapher: it's the UEFI boot splash for Pixels

<strcat[m] "the OS can't force app developer"> Got it. The a lot

grapher: it's not tied to GrapheneOS

Thanks

grapher: there's no Google boot splash on non-Google branded hardware

there's instead an HTC boot splash, or Samsung boot splash, etc.

and no, you can't remove it

Ah I see thank you

it would be a vulnerability if you could since an attacker could display arbitrary data there if it wasn't verified

and it's displayed before it has loaded the OS verified boot key

* it would be a vulnerability if you could since an attacker could display arbitrary data there if it wasn't verified (in the verified boot threat model)

once the OS has booted up it displays the OS boot splash

You can verify the OS, but can you verify the UEFI? Checkmate

just kidding

the whole boot chain is verified, that's the point

right

I'm guessing the first step would be the Titan M?

no

there's a tiny boot ROM hard-wired into the SoC

Hi, can I have some advise? I have this app from f-droid called libreAV it scans for malware etc, I selected the 'scan system apps' option and the grapheneos, downloader, and aload of other system apps have shown up as malware? Since I installed grap evrytime I turn on my phone it first shows up as ' booting from a different os ' then the google

logo appears and the grap logo? Is this normal? And do I have malware? Thanks, noob by the way

<strcat[m] "there's a tiny boot ROM hard-wir"> ah

didn't know, thanks

And that can't be changed?

annochris: don't use broken apps

that app is security theater and doesn't work, don't use it

grapheneosisamazing: ROM means cannot be changed

<annochris "logo appears and the grap logo? "> No need for AV in Android/GrapheneOS. Probably don't need anything other than the built in AV for Windows either.

(GrapheneOS is not a ROM)

Oh yeah that's right, read-only memory

(obviously.. I think, and it's misuse of the term when people say that)

* (obviously... and it's misuse of the term when people say that)

Why do people call custom Androids a ROM anyway...writing to the read-only memory is a misnomer lol

Okay so even Google couldn't update that logo through a UEFI update?

grapheneosisamazing: because they don't know what it means

Yeah, first the google shows then the grap logo, is that normal?

grapher: no

grapher: never said that

<annochris "Yeah, first the google shows the"> is normal, convo above

annochris: the brand of the device is displayed as a boot splash by the UEFI implementation

if you have a Samsung device, no, that isn't normal, it will say Samsung

not part of GrapheneOS beyond GrapheneOS shipping updates for all the firmware

OK but I should delete that app yes

annochris: yes remove the broken security theater app

Okay I dont understand is it the keys required for UEFI update that are in the ROM?

just a totally broken security theater app

it cannot identify if software is malicious

it just guesses based on dumb heuristics which are often wrong

grapher: not quite, but I didn't get to finish explaining

annochris: projectmatris/antimalwareapp #4 linked that after you left

just a totally broken security theater app

it cannot identify if software is malicious

it just guesses based on dumb heuristics which are often wrong

just don't use AV, it doesn't work

shrug

grapher: there is a verified boot chain from the SoC to the OS

all firmware and the entire OS are verified

grapher: for everything prior to the OS, that's verified from the immutable hardware root of trust

the UEFI implementation displays a boot splash and that's built into it

it would be a security vulnerability if it wasn't verified

the UEFI implementation has the stock OS signing key built into it too

for an alternate OS, it loads the key from a secure element (Titan M on Pixels)

the Titan M is only involved for the OS stuff: lock state, user chosen OS signing key, etc.

has no involvement in the earlier stuff, since that's just immutable

if it was a Samsung branded phone, it would have a Samsung boot splash

if it was an HTC phone, it would have an HTC boot splash

it's not part of the OS

it's not for the OS to decide

the OS displays a boot splash once it loads

the only way there's going to be a GrapheneOS firmware boot splash is if we have our own hardware, that's how things work

same as your laptop saying "Dell" or whatever when it boots up

Okay thanks I understand. If someone hypothetically wanted to write a custom self signed UEFI firmware update that changed the boot logo would it be possible to flash it onto the Pixel and verified boot to work? Or would the firmware update have to be signed by Google?

I already said no

> the only way there's going to be a GrapheneOS firmware boot splash is if we have our own hardware, that's how things work

and my previous replies explaining why and more details about it

the only way you'll have a custom boot splash for the firmware is if you have custom hardware

or if there's a security vulnerability

speaking of custom hw

graphene project plans to eventually have their own custom hw right?

Right it wasnt clear to me if you meant 'no it's not possible for google to update the logo' or not?

like way further down the line

grapher: I explained it above

there's only a tiny boot ROM, the rest can be updated, all explained above

and the boot splash is contained in the boot rom?

no

please, read what I said above

<strcat[m] "panoramics: so, similarly, an ap"> One follow up question: if I installed sth like an encryption supported file manager, I guess I could encrypt everything sensitive and just leave those media files unencrypted that I am OK sharing with. Couldn't that work? I do understand that as a tradeoff, I would have to give another app storage permission, which I guess is just shifting trust. But generally

speaking, could that work?

panoramics: doesn't stop it from adding files or removing them, and most apps aren't going to store data with their own layer of encryption

panoramics: doesn't really make sense

sounds like profiles with extra steps

panoramics: if you don't want to give apps access to data, DO NOT GIVE ACCESS

panoramics: you're coming up with a really insecure, incomplete way to work around giving an app access to data you don't want to give it access to

don't give it access to the data

if it refuses to run without it, run it in a separate profile

Well I did I just don't understand what signatures are checked for UEFI firmware updates.

Yeah I get it, that's the clean way

grapher: it's not simply for updates, it's for every boot

Cool. Thx

I explained verified boot above

I explained that it chains from an immutable hardware root of trust

I explained that there's only a tiny boot ROM and the rest can be updated

I explained that the UEFI implementation supports a custom verified boot key, which is the GrapheneOS boot key for that device with GrapheneOS, and that's in the secure element

I do not understand what else you want to know or why this is such a big deal to you

Samsung device -> Samsung boot splash

HTC device -> HTC boot splash

Google device -> Google boot splash

grapher: I gave you all that info above

for there to be a GrapheneOS firmware boot splash, it has to be GrapheneOS hardware

i.e. we have to be the OEM

Thanks I am just trying to understand how it all works together but from what you are saying I understand it is hypothetically possible to flash new firmware with a different boot logo

but grapheneos would not do this

no

that isn't what I said, at all

> for there to be a GrapheneOS firmware boot splash, it has to be GrapheneOS hardware

I didn't say we won't do it, I said we can't without our own hardware

we want our own hardware

I could quote all of my previous messages too

I don't see the point

I think the discussion has touched on everything that can be said about it and can end

okay the thing im confused about is who can update the uefi firmware?

all explained above

GrapheneOS ships the updates for all the firmware, we don't make those updates, we ship them

there is an immutable root of trust chained from hardware

it's not our hardware, clearly it's not our key, and it depends on the SoC vendor and OEM of the device

we don't have our own hardware atm

if we had our own hardware, sure, we would be choosing the boot splash

as I said above

grapher: I really don't understand the need to continue this further

I really think everything useful has been said

Will be fun when you do have your own hardware

it seems you don't like the answer so you aren't listening

okay so firmware updates have to be signed by the device manufacturer key which is included in the phone's immutable root of trust, do I understand correct?

grapher: yes, essentially

okay thank you that is what was not clear to me

there is a key burned into fuses irreversibly

the UEFI implementation supports a user defined key in the secure element

that's how GrapheneOS is supported

I see

if we had our own device, the key burned into fuses would be ours

on any other device, it is not

understood

so on any other device, if they choose to display a firmware boot splash, which they probably do, we can't change that unless there's a security vulnerability

I see

and we wouldn't support a device with a broken secure boot chain

and also we ship all the firmware updates so vulnerabilities get fixed

only a vulnerability in the hardware or the tiny boot ROM couldn't get fixed

and that's part of why new hardware is important, not everything can be fixed via microcode/firmware updates

most stuff can be fixed or at least worked around, in practice

makes sense

Just installed the new graphene update, whats changed?

thank you for taking your time to explain!

Ed: grapheneos.org/releases#changelog

did you guys fix the camera crashing thing on the 4a

I think its in the logs

don't have a problem like that

getting an error about being unable to connect to the camera is a symptom of hardware failure

<strcat[m] "getting an error about being una"> Well ive been having occasional errors about that

likely hardware failure

it's one of the most common things that breaks from fall damage or water damage

Anyway for me to get the logs and ask for help

you can often confirm by switching to the other camera

it usually gets increasingly worse than doesn't work anymore

<strcat[m] "it's one of the most common thin"> I just got this phone, unlikely

doesn't mean it's not broken

<strcat[m] "you can often confirm by switchi"> 4a model, only one camera

it has a front camera

<strcat[m] "it usually gets increasingly wor"> Oddly enough, opendcam worked fine

we don't have any known issues with camera crashes on current gen devices

other people aren't experiencing it

there are serious issues with the 3 and 3 XL (and perhaps 3a and 3a XL to a lesser extent) but we just worked around them and it isn't really more of an issue for us than the stock OS

newer devices don't have the issues

we're certainly aware that the Sony camera sensors in the supported devices are relatively fragile and are the one of the first components to break from fall damage / water damage

look up the error message about camera not connecting

it happens with the stock OS, and with other devices

Hello I have a question about something I have seen on port22, is there anyone that can tell me why i see ssh-2.0 dropbare on port 22? Has some one remotely connected to me via this port? Or is it normal to see that, I'm using a gl-mt1300 openwrt router

because you're running ssh

not really clear why you're asking about a router here or why you're concerned that it's running ssh

probably because it's managed via ssh?

Routers can be managed via ssh?

they probably run linux or bsd right

they said it has openwrt

In don't fully understand this stuff to be honest, but I know ssh is used to deliver packets, all I know is I see ssh on port 22 so that means some one is using ssh to connect to me right

I never set us ssh no

no

are you talking about your router

Yeah when I scan it with a port scanner I see port 22 ssh

Why?

you said your router is running openwrt so I don't know why you'd be confused about it running ssh

because it is managed via ssh

that's how you log into it via CLI

<annochris "Yeah when I scan it with a port "> The port being open doesn't necessarily mean someone is connected

annochris: doesn't seem related to GrapheneOS

there's #grapheneos-offtopic

if it's not about GrapheneOS you should talk about it there

OK sorry its not related

that's why it's confusing

because it's implied you're talking about GrapheneOS here

Also any news regarding the drama

Sorry I didn't think of any where else to ask live

Are they still like harassing

I thought you meant you had a service listening on your port on your phone implying having an app installed providing ssh

Ed: there are still regular raids on the channel, lots of harassment, and people spreading lots of misinformation and false allegations against the project

Ed: Copperhead is not doing it at the moment

other people are doing it, more than Copperhead was doing it before

don't really want to get into it right now

if you're referring to the conflict with Copperhead, that conflict is currently on pause and may come to an end in the near future, has been the case for a bit over a month or so

after that stopped, unfortunately, other people decided to start and drastically escalate their own harassment / bullying of people involved in the project and spreading misinformation about it

it's not Copperhead doing it atm

What about calyx?

<strcat[m] "it's not Copperhead doing it atm"> Well thats good

they're the main perpetrators of it right now, not Copperhead

Copperhead stopped

they had stopped before fairly recent major escalations of attacks on GrapheneOS

and those aren't related, it's not them doing it secretly or something like that, the people doing it / leading it aren't making any secret of it

so, it's possible Copperhead will start their attacks on the project again, but for now, they have stopped, and appear to want to end the conflict

it is not ended, just paused

they aren't attacking us, so while we still have to deal with cleaning up the massive mess they created, including people who got brainwashed / tricked by them and attack us now, it's not them doing it themselves

<strcat[m] "it is not ended, just paused"> Thats good for now i suppose, the thing that matters at the end of the day is the software

the recent escalations were not by them, but did primarily use their false claims / false narratives and drama they created previously to create new attacks on us

but, wasn't them propagating / engaging in it

was largely their fault for what they did previously

was / is

* is largely their fault for what they did previously

Ed: the well-being of the people who work on the project and the ability of them to spend their time working on development and not being bullied/harassed/slandered is quite important too

no software without devs bro. treat devs nicely esp if it's literally free/libre software

my philosophy on it anyways

The concern trolling becomes emotionally exhausting after a while just to watch, as community member, I can only imagine how draining it maybe for the project team.

Thanks for all your guys hard work and that you guys keep pushing through it to make the best security mobile os possible.

Hello, I have heard about ways to make grap more secure, can some one tell me if this is true, also is it safe to download apps from the fdroid store

Thanks in advanced

No

fdroid is safer than random apks and if you want you can always read the source yourself and personally verify

and idk what you mean by making grapheneos more secure

I dont know how to do that

Some youtuber said there are ways to harden the is

The os *

What do you want to "secure" because more secure is pretty vague

Basicly is had spyware put on my old phone so abit paronoid now

just dont run things you dont trust idk what else to tell you

OK cool, f droid is OK yeah, and Aurora store is OK as long as you check there are no trackers right

I don't know touch about it tbh but thanks anyway

Hi, i see there is a new option with graphene: enable native code debugging? What does this mean and do?

It s enabled by default but dont know what it means and if i should keep it on or turn it off, hope someone can explain

cryptokid777: disabling it will disable native code debugging features, reducing attack surface for the OS from apps

will break debugging code as part of app development, will break apps capturing that kind of data to make bug reports and may reduce app compatibility if apps do that kind of thing in regular use

Okey, but why is it on by default of disabling will reduce attack surface?

it's enabled by default due to potential app compatibility issues from disallowing it

because before we added the feature it's simply always enabled

* because before we added the feature it's simply always available

disabling it will break some apps if they can't work around it not being available

Oww okey i understand thanxs for the quick respond

some apps have crash reporting stuff, etc. which may actually be used in regular use

I will try to disable it and see what apps still work

sometimes to anticipate the fact that they are going to crash and be ready to figure out why it happened

and they may not handle it not being allowed

it's a toggle for whether the ptrace system call is available

if you disable it, it's globally disabled across the whole OS

apps can only ever ptrace themselves (their own processes) but it's still kernel attack surface

it's a non-trivial API

I guess we could write "native debugging (ptrace)" instead of just native debugging to help clarify

I don't know how to write it up better as a tiny description in Settings

you only get ~70 characters or so

if disabling it doesn't break stuff you can use it

Well i was searching in releases changelog , but there was no explaination

if an app crashes and you have it disabled, you won't get proper crash logs

it prevents debugging crashes, etc. if it's disabled

Maybe you could do it in changelog, sometimes explain the changes for the noobs

I always check the changelog

it is listed there further back

Yes it is listed, but i mean if there was a small explaination what it does if you enable or disable it, it would be cool. There are many people like me who use grapheneos but are not super tech

But now i understand i hace disabled it and will see if my apps still work

Thanks very much for the explaination

just keep in mind if you have it disabled you don't get useful crash logs, etc.

so if you're running into crashes and are asked to get logs, etc. or capture a bug report with that tool you should disable this 1st

Okeey i understand

One more question, i always used outlook app for my hotmail account

Now it just s crashing

I tried several email apps for my hotmail but they all struggle to get my mail,

Is there an alternative app for outlook thats works with graphene?

lots of mail apps that work well

Outlook should work fine but maybe they accidentally have a dependency on Play services, etc.

there's an example where you should file a bug report with the developer and ideally provide a useful crash log

I tried aquamail also, it logs in but doesnt refresh, canary mail also

Outlook always worked, till last month i updated to new graphebeos version amd since then it crashes,

I had this also with my bank app, and after 3 montha of grapheneos updates it staryed working again, but outlook still nothing

probably from an app update not an OS update

very unlikely it had to do with an OS update

you really need to report app issues to app developers and ideally provide logs

if you don't report issues they won't get fixed

Where can i report this

?

And how can i see crash logs for outlook mail? So i can send that also

trigger the bug, then use the capture bug report tool in developer option, then send it to yourself via email client, Element, etc. and ideally copy paste the relevant portion with a fair bit of context from the log inside it to give to the app developers

that's the ideal way to report a bug

the problem is likely obvious

probably something like it breaking without Play services

have you tried a version of the app not from the Play Store? they may have multiple versions

No i only tried outlook from auroraos

AuroraOS is play store right?

Maybe f droid has other version let me see

Cant find outlook on f droid, dont now where to download it without play services

I only know auroraos and f droid for apps

cryptokid777: f-droid only hosts open source apps

Okey, so where can i find outlook withoit play services?

Struggling to use my hotmail on graphene

cryptokid777: should be possible to use K-9 to connect to hotmail via imap/smtp

K-9 is available on F-Droid

Ok thanx, will try that

<jpds "cryptokid777: f-droid only hosts"> untrue, partially open source apps too

Hi All, I am trying to reflash Google Firmware on my Pixel 4a but I cannot find the web installer website for the life of me. Anyone have a link?

Croat: stock OS? flash.android.com/welcome

Croat: grapheneos.org/install/web#replacing-grapheneos-with-the-stock-os

THANK YOUJ SPHIX!!!!!!! MAn, been searching like an hour

RAilgun, they shoudl have Sphinx's link there. That page was no help

<Croat "RAilgun, they shoudl have Sphinx"> Ah

Ed[m]: f-droid.org/en/docs/Inclusion_Policy

Sorry, that was some developer version. I am looking for STOCK google firmware

Croat: developers.google.com/android/images

It's developer stuff yes, but probably the only good place to get it

It has the factory images

I have reflashed it back to stock before. It was not like this

Croat Then idk where it is

Or how to do it

* Or how to do it the way you did

This will probably work anyway, so...

I do not want ASOP, I want the google branded versone for an unlocked pixel 4a

version

Croat These are factory images

Croat: FACTORY

Croat: this is what was on your phone when it came from the factory

I installed it and it does not look like factory

it is ASOP

Croat On the webpage it says factory images

The only buildtype I get is ASOP-SUNFISH_USERDEBUG

Huh

Not sure then

crap....

Well now you're stuck with GrapheneOS then

Well, it's a good OD

Welcome to the dark side.😎

No, I have asop-master-with-phone

* Well, it's a good OS

Vendor lock-in

:P

Trying to sell it so no, not good

Well maybe GrapheneOS could get you a higher price

No vedor lock it. I have flashed back and forth before

<Croat "No vedor lock it. I have flashed"> I know I was joking

If you cannot help railgun I would apprecaite you not saying anything since this is sucking

Croat: go to the sunfish section in the developers link Railgun sent earlier and click Flash next to the latest version

!hermanito has joined the Telegram Group!

Hi

Pixel 4A or Pixel 5?

<P​henix0> 5 will be supported longer than 4a

<P​henix0> But 4a is cheaper and has a headphone jack

5 only supported like 2 months longer than 4a

<Lexington12 "Pixel 4A or Pixel 5?"> The Pixel 4a is the cost-effective solution imo

yes i agree

if pixel 5 has better battery

and is water resistant

pixel 5 has better gorilla glass

pixel 5 has about 1/4th 1/5th larger battery

pixel 5 has, 1/4th 1/5th larger battery, stronger gorilla glass, and metal chasis

Lexington12: Then just get it

is there any downside to pixel 5

does the 5 drain battery faster?

Only in 90hz screen mode

nice

so is the 5 better in every way just more expensive

?

Twice the price of a 4a but has waterproofing, better processor, larger battery, 0.2" larger screen with stronger glass

and metal chasis

can i disable 5g and use lte only

how does lte only work on the pixel 5

i want to use just 4g lte

4a (5G) and 5 are the same generation

4a is an earlier generation

4a (5G) and 5 have a newer generation SoC than the 4a, not just faster

5 vs. 4a (5G) is about the fancier screen (90 Hz, better overall), water/dust proofing, wireless charging, etc.

Lexington12: means LTE (4G) only

you can specify in setting, which network u prefer. U can set LTE to prefer network connetion

LTE and LTE only are different modes

LTE only is a GrapheneOS added feature

So LTE only blocks 2g 3g 4g and 5g and has just 4g LTE right?

setting it to LTE means "LTE and below"

LTE only means LTE only

nice

do u think the pixel 5 is superior in every way?

Metal Chasis, Better Gorilla Glass Screen, water resistant

Larger battery

Pixel 5 is superior in every way to a 4a (5G) and especially 4a aside from price

it is not metal in the way u think

aluminum chasis right

great

I'll get the pixel 5 mostly for its waterproofing and larger battery

waterresistance

Donate to Graphene os!

hey, did you gus know how can i build app from source? Any advices?

./gradlew assembleRelease and sign it

hope it will work on ubuntu

Hi

Im trying to use my phone without being wiretapped

Is Signal.apk the best strategy

for encrypted calls and texts

I also want to hide Who I'm calling

From the Mobile carrier surveillience

^ the same troll as always, not sure whether it was already Lexington12 or whether they wanted to impersonate a generous user

poor adam

yea, I think it was already them

I don't have a lte only mode it says 4g only is that different?

I always loved the "$Moderator kicked $User. Reason: $User"

It's like

We kicked you because you're you

<!hermanito> Ist hier jemand der deutsch kann und mir Schritt für Schritt die Installation von Grapheneos auf Pixel 3

I know the format is probably automatic but it's still funny

<GrapheneOS-Teleg "<!hermanito> Ist hier jemand der"> One sec need to translate

Well, one of the Germans I know on here just left

<!hermanito> Okay thank you

Wait, I know some german

This will be painful but I'll do it manually

hermanito: grapheneos.org/install/web

Probably the easiest is to copy and paste paragraphs into deepl.com

Is there someone here who can speak German and guide me step by step through GrapheneOS installation on Pixel 3

Ja, ich weiss

Hence the link, and copying the paragraphs into a translator

<jpds "Ja, ich weiss"> Ja! Ich habe gute Deutsch gelernt!

<jpds "Hence the link, and copying the "> I know but more fun to manually do it

Plus now I know some more German

can i access developer options on second profile?

<jpds "Probably the easiest is to copy "> Or Google translate

<onyxrubber "can i access developer options o"> Only do it if you're a developer

They make it less secure

i know, but i can't access it on second profile :C

i want to install some "less secure" apps, and testing. I don't want do this on main profile

Ah

Oh wait I'm dumb, what you do in secondary profiles doesn't affect other profiles

Pardon me

Should probably get the web installer translated actually

it is all right. I am so confused, I can't access dev options on other profiles

onyxrubber: probably the same way as stock

Spam the build number

dosen't work

Oh

Then idj

* Then idk

could anyone check it for me?

onyxrubber: Only the owner user can access them

nscnt: oh so it's impossible to enable developer options in specific profiles?

Only the owner user can access them, but the settings are applied (maybe not all?) to secondary users as well

For example, you can also debug in a second user if you enabled it as the owner user

"USB debugging is not allowed"

"The user currently signed in to this device can't turn on USB debugging. To use this feature, switch to the primary user"

so there is no way to debug on other profiles

Matrix is lagging...

it works

onyxrubber: Are you in the guest user?

i created new profile, not guest

onyxrubber: Allow the connection before switching

conntection to?

onyxrubber: your pc

I allowed debug on main profile, and then swich to test profile. Is that ok?

wire was connected before allowing debug

Not just enabling USB debugging, but also allowing it. Did you do that?

You need to allow every connection

yes, phone asks me to allow debug for this session, and I allowed it. Then I swiched to test profile

That's how I can debug in a secondary user. You trusted a very insecure device (your PC) anyway. Therefore I see no point in doing it in a secondary user because the _app_ is "less secure"

I was trying to install google camera and it's open source service providers...

the version on stock os didn't work, so I don't want to install and uninstall plenty of apk's, to check which one will work on my device

finally 7.5 version works ok

stock os on pixel 4a 5g working with 7.6 google camera version

I've finally taken the plunge into enhanced anti-fingerprinting by ditching NextDNS with custom blocklists for a well-known vpn and using their included adblocking feature. I've completely cleared the storage for Vanadium, resetting all Vanadium settings to default and I intend on keeping it that way. Before this, I've had custom site settings to block everything that is 'Ask first' by default. Now everything is at

default, as recommended. I figure that since I will be using Vanadium's default settings from now on, when I need to clear my history, cache, and cookies, I will just clear the app storage entirely, ensuring all data is erased and all settings default.

I just wanted to share that.

The vpn uses this blocklist exclusively: github.com/StevenBlack/hosts

A popular blocklist