-
sklv1
hmm, it's nice but in what case is it useful? you can choose not to trust an update consisting of a signed binary blob that you can't audit anyway
-
strcat[m]
I think you're missing the point
-
sklv1
probably - which is why i'm asking
-
strcat[m]
if the NSA gets your phone (assume it's powered off / main profile isn't active), they cannot bypass the throttling by coercing the company that makes the secure element firmware or infiltrating them to get access to their signing HSM, etc.
-
strcat[m]
they can't demand it, it can't be given to them
-
strcat[m]
they actually have to exploit the secure element somehow which is a substantial task to do
-
strcat[m]
and has a good chance of failing+ destroying the data if it involves a physical attack
-
strcat[m]
* and has a good chance of failing + destroying the data if it involves a physical attack
-
strcat[m]
* if the NSA gets your phone (assume main profile isn't active), they cannot bypass the throttling by coercing the company that makes the secure element firmware or infiltrating them to get access to their signing HSM, etc.
-
strcat[m]
sklv1: it's a protection against the FBI vs. Apple situation
-
strcat[m]
that's one of the reasons it's better, not the only one
-
sklv1
but on iPhone to update the firmware, it has to be on, and unlocked. I guess the difference is exploiting the OS vs exploiting the secure element.
-
strcat[m]
sklv1: exploiting the OS is not hard for a sophisticated attacker with physical access
-
strcat[m]
they can just not update the phone for a month
-
strcat[m]
they don't need any 0 days
-
sklv1
ok different question - how much longer will my phone be supported if I get pixel 5 instead of a pixel 4A
-
strcat[m]
they can happily use old, public vulnerabilities
-
strcat[m]
they could use some PoC a researcher published on their blog from 2 months ago, just wait long enough
-
strcat[m]
sklv1: Pixel 5 and 4a (5G) are supported for the same time period
-
strcat[m]
sklv1: Pixel 4a *guaranteed* support is a few months lower
-
strcat[m]
but in practice it may be more of a difference than that
-
strcat[m]
because if they ended up being able to extent support for 6+ months for Pixel 5 / 4a (5G) past guarantee that doesn't apply to 4a
-
strcat[m]
4a already got released really late compared to when it was supposed to be
-
strcat[m]
it's unlikely to get a single month of extra support, I think
-
deadlydata[m]
can someone help me with a build issue, i'm running "script/release.sh blueline" and everything seems to be fine but in the end i get a weird error, heres a link to the output. help would be appreciated.
pastebin.com/stRTKfip
-
strcat[m]
out/target/product/blueline/obj/PACKAGING/target_files_intermediates/aosp_blueline-target_files-2021.04.27.14.zip
-
strcat[m]
that file is missing
-
strcat[m]
did you run `m target-files-package` when you did your build?
-
strcat[m]
you can look for yourself at the directory and see what's in there
-
deadlydata[m]
ah no
-
deadlydata[m]
can i run it now after the build?
-
strcat[m]
yes
-
deadlydata[m]
or do i have to run and rebuild.
-
strcat[m]
no just run it now
-
deadlydata[m]
ah ok thanks
-
strcat[m]
it'll figure it out it has no work to do for the rest of the build (since nothing changed) and just make the target-files-package
-
deadlydata[m]
love the swift response 🙂
-
strcat[m]
for dev builds you generally just use `m` and flash the non-release-signed images
-
strcat[m]
for release builds you use `m target-files-package` to get the stuff packaged up into a target-files-package zip
-
strcat[m]
because the signing scripts work by converting target files package -> signed target files package, then generating factory images and signed OTA from that
-
deadlydata[m]
ah ok so i don't have to sign for dev builds
-
deadlydata[m]
that makes it easier
-
deadlydata[m]
Also GrapheneOS disables updatable APEX components for the officially supported devices and targets inheriting from the mainline target, so APEX signing keys are not needed and this section can be ignored for unmodified builds.
-
strcat[m]
yes for dev builds just do `m` and flash the images and leave it unlocked (you could technically lock, it's signed with the publicly available AOSP test keys, but it's useless)
-
deadlydata[m]
this was a bit confusing
-
strcat[m]
also `m` doesn't generate a target files package, OTA package, etc. which is a huge waste of time
-
strcat[m]
for dev
-
strcat[m]
because if you change one tiny thing and rebuild, `m` is pretty fast (incremental build) if your change doesn't require rebuilding much
-
strcat[m]
but if you add the work of generating all those zips/packages, signing, generating more, it's a lot of time
-
strcat[m]
so for example if you rebuilt the kernel, and did `m`, it's going to figure out it only has to regenerate boot.img
-
strcat[m]
if you tested with signed builds... you have to do the whole target-files-package generation (takes a while), sign everything (huge waste of time) and generate OTA and/or factory images from that to use it
-
deadlydata[m]
ok yes that is much more efficient
-
deadlydata[m]
with the dev builds do i have to sign Apex components
-
deadlydata[m]
or can i leave that the way it is
-
strcat[m]
deadlydata: we use flattened APEX, they don't need to be signed ever
-
strcat[m]
deadlydata: even if we didn't, for a dev build, they'd just be signed with AOSP test keys
-
strcat[m]
you don't need to sign anything unless you're making a secure a release build
-
deadlydata[m]
ok so i'm good to start modifying and building it would seem
-
strcat[m]
`m` makes a build that is signed with AOSP test keys, it's usable as is
-
strcat[m]
target files is just the way that the build is packaged up to be used in other ways, it just bundles everything up into a huge zip
-
strcat[m]
release signing is implemented in a way that you can do it on a different machine, etc. using the target files package and ota tools package made by those commands
-
strcat[m]
release signing is a post-build step
-
strcat[m]
it's not part of the build
-
strcat[m]
and you can use the build as-is, without release signing, always
-
strcat[m]
you can make a `release` and `user` build and use the result directly and then decide to sign it with release keys too
-
strcat[m]
separate tasks
-
deadlydata[m]
strcat: Can you reccomend me a good Emulator setup to effeciently test the rom builds fast
-
strcat[m]
deadlydata: just build for the x86_64 generic / sdk target
-
strcat[m]
the source tree comes with an emulator that understands how to run a build
-
strcat[m]
you can use an arm one too but x86_64 one is nice since then it's fully hardware accelerated
-
strcat[m]
source script/envsetup.sh
-
strcat[m]
choosecombo release sdk_phone_x86_64 userdebug
-
strcat[m]
m
-
strcat[m]
emulator
-
strcat[m]
deadlydata: I would recommend clearing `out` between switching targets although it's not strictly required (it doesn't share much between totally different targets anyway)
-
strcat[m]
deadlydata: and then leave that shell open, and just `m` and run `emulator` again to test
-
strcat[m]
deadlydata: if you close the shell, open one up again, source script/envsetup.sh, choosecombo release sdk_phone_x86_64 userdebug and it has picked up the stuff for the previous build
-
strcat[m]
and you can run `emulator` again or `m` to rebuild
-
strcat[m]
there is a way to package up images for use in the Android SDK emulator but it's not worth it, just use the one in the source tree, it knows how to use the build output directly instead of packaging it up
-
strcat[m]
deadlydata: we only provide Vanadium prebuilts for arm64 and x86_64 so x86_64 is the way to go for emulator, if you did x86 you'd have to build Vanadium 1st (or omit it)
-
deadlydata[m]
thanks for the info dude, this helped so much , :)
-
strcat[m]
deadlydata: in many cases you can just make changes + rebuild (incremental build)
-
strcat[m]
in some cases your changes will require a massive rebuild anyway (changing some compiler thing, core build infra, something like libc headers, etc.)
-
strcat[m]
in some cases you do need a clean build because the incremental build stuff isn't perfect (removing a package, changing build definition stuff, etc.)
-
strcat[m]
you should always do a totally clean build for an actual release
-
strcat[m]
i.e. remove out
-
strcat[m]
first
-
deadlydata[m]
ah ok so i can mess about with the debug builds and i don't have to worry about the out folder when switching targets etc, but when building for release it's important to start with a fresh out folder.
-
deadlydata[m]
i've understood this correctly right
-
deadlydata[m]
* i've understood this correctly right?
-
strcat[m]
deadlydata: you may want to clear it if you're switching targets because it can hardly reuse anything so it's wasting a ton of space + there could potentially be issues from it
-
strcat[m]
deadlydata: there are *likely* issues from it, depends on the exact details
-
deadlydata[m]
i had the target on blueline
-
strcat[m]
by switching targets I mean a different choosecombo target beyond just switch user <-> userdebug, etc.
-
deadlydata[m]
but i switched it to sdk_phone_x86_64
-
strcat[m]
deadlydata: yeah so if you're going to be doing x86_64 sdk build I'd definitely clear out/ first just because it can hardly reuse anything anyway + it avoids any potential issues
-
strcat[m]
there will be hardly anything in the 'common' build output
-
strcat[m]
deadlydata: nearly all build output for you atm will be in out/target/product/blueline
-
strcat[m]
it can only reuse stuff in out/target/common
-
deadlydata[m]
i should delete everything in out folder right?
-
deadlydata[m]
/out/
-
strcat[m]
deadlydata: so, it's fine to just build x86_64 target with that already there, but unless you're going to build blueline again incrementally just remove out/
-
strcat[m]
if you ARE going to build blueline again incrementally (i.e. another dev build) you might as well keep it
-
strcat[m]
just be aware in theory it could have something non-portable with the stuff in common
-
deadlydata[m]
yeah my goal was to edit blueline, because that's the device i hold
-
deadlydata[m]
in the end i want to flash a modified image on to my pixel 3
-
deadlydata[m]
but that's after developing allot of stuff first. ofcourse haha
-
deadlydata[m]
could i run choosecombo release aosp_blueline userdebug
-
deadlydata[m]
choosecombo release aosp_blueline userdebug
-
deadlydata[m]
m
-
deadlydata[m]
emulator
-
deadlydata[m]
this would work also right?
-
strcat[m]
you can't run a build for the device like that in the emulator
-
strcat[m]
you need either generic or sdk targets
-
strcat[m]
you can run an arm64 build in the emulator but it won't be hardware accelerated
-
strcat[m]
but you can't use a blueline one
-
ATTNSA
Any reccomendations on Pixel 4a Vs 5
-
GhostSplinterSix
I use a 4a and have enjoyed it.
-
ATTNSA
Nice
-
ATTNSA
Get a Otterbox case and Glass Screen protector
-
ATTNSA
for maximum protection
-
ATTNSA
And camera blocker stickers
-
ATTNSA
And cover the fingerprint scanner
-
ATTNSA
LTE Only mode
-
ATTNSA
And VPN
-
ATTNSA
Signal for encrypted calls and texts
-
ATTNSA
= Secure
-
pentoo_user[m]
Why no finger print?
-
ATTNSA
Finger Print identifies my body
-
ATTNSA
my fingers
-
ATTNSA
So the fingerprint scanner could be hacked to scan and send my fingerprint to NSA
-
ATTNSA
to identify the phone user
-
b1101
also police can have you use your fingerprint to unlock your phone, but can't force you to enter a code
-
ATTNSA
^^^
-
pentoo_user[m]
Hmmm
-
pentoo_user[m]
I see
-
Thatcher[m]
<ATTNSA "my fingers"> I unlock my phone with my toe
-
ATTNSA
still personally identifyable
-
ATTNSA
id reccomend a 12 didgit pin or password
-
Thatcher[m]
Seems very inconvenient to ditch fingerprint due to fear of the NSA. That level of tinfoil hattery would just get me off smartphones completely.
-
ATTNSA
exactly
-
ATTNSA
its easy to just use a pin
-
ATTNSA
Graphene OS should let us VPN the hotspot wifi
-
ATTNSA
so we have VPN enabled on GOS
-
ATTNSA
then setup hotspot
-
ATTNSA
connecting devices route through our GOS VPN
-
Thatcher[m]
All this fingerprint awareness makes me wonder: Does the OS store physical fingerprints as visual images in the OS as references for the fingerprint sensor, and/or are they converted to cryptographic salted-hashes that hide the true fingerprint hashes from the rest of the system?
-
ATTNSA
hopefully the second way
-
strcat[m]
Thatcher: the OS does not have access to fingerprints
-
Thatcher[m]
Even better
-
strcat[m]
fingerprint fuzzy hashes are stored via TEE or secure element
-
Thatcher[m]
Shit, I keep forgetting about the secure element. Doh
-
ATTNSA
-
ATTNSA
Truely unlimited LTE data > 50 Gigs LTe per month for $45
-
ATTNSA
USA Verizon or Tmobile
-
graphics-card[m]
You can set up a passcode and fingerprint as 2FA for unlocking the phone right?
-
timetravelingman
No
-
timetravelingman
Not in the way you're thinking
-
ATTNSA
Its either PIN, password, pattern, or FINGERPRINT
-
ATTNSA
Yes Goyim, use a fingerprint password so the police can unlock your phone
-
Thatcher[m]
Much more than police actually. You could be asleep or passed out drunk and someone could snag your print while you are in lala land.
-
ATTNSA
yes
-
ATTNSA
I've had my phone stingrayed 10 times per minute the past few days
-
ATTNSA
Ever since I uploaded images of children in the biden smuggling fema camps
-
Thatcher[m]
Let's move to off topic channel
-
ATTNSA
My phone has been getting hacked
-
ATTNSA
ok
-
Thatcher[m]
#grapheneos-offtopic:matrix.org
-
Ed[m]
<ATTNSA "Ever since I uploaded images of "> The don trump uses graphene
-
Cliff[m]
<Ed[m] "The don trump uses graphene"> Source?
-
Cliff[m]
Dont know if real or trolling XD
-
tkennedy365[m]
Hey guys
-
tkennedy365[m]
I read in a reddit post that there was a system app for recording calls? Is it still available? And how does one access it?
-
tkennedy365[m]
If not, any way I can record calls? Tried an app, the recording is there but its silent
-
Thatcher[m]
Off topic
-
akc3n[m]
tkennedy365: I do not see an option for recording calls using the phone app, even after adding a sip account in settings -> calls -> calling accounts.
-
akc3n[m]
Also #grapheneos-offtopic:matrix.org is better suited for this.
-
tkennedy365[m]
Okay sorry. FYI you can try using the screen recorder app but unfortunately calls still seem to be silent
-
LinusSexTips[m]
there's a screen record quick tile
-
LinusSexTips[m]
you shouldn't need a third party app
-
akc3n[m]
-
akc3n[m]
-
akc3n[m]
However, as far I know, it was disabled due to privacy laws if I'm not mistaken.
-
-
nonie689[m]
Since this update I cant install any new update
-
nonie689[m]
It downloads and them it restart in the update boot process
-
nscnt[m]
nonie689: Which device? Which release are you on currently?
-
nonie689[m]
4 flame
-
nonie689[m]
Look at the Screenshot
-
GrapheneOS-Teleg
Box In A Box™ (@Box_Boi) has joined the Telegram Group!
-
GrapheneOS-Teleg
<Box_Boi> 🏃
-
nscnt[m]
nonie689: What should I see at the screenshot? It doesn't include what I asked for
-
nonie689[m]
I have sideloadet the latest Version
-
nonie689[m]
Same error
-
nonie689[m]
Its reboot on the installing process
-
nonie689[m]
and then i can login
-
nonie689[m]
after the sideload it doesnt retry the Download and install maybe it is fixes
-
nonie689[m]
D
-
nonie689[m]
Is it normal that the device reboots?
-
nscnt[m]
nonie689: Rebooting while it's rebooting? No. Sounds like it's rolling back
-
nscnt[m]
* nonie689: Rebooting while it's booting? No. Sounds like it's rolling back
-
catfish[m]
akc3n: tkennedy365
play.google.com/store/apps/details?id=com.google.android.dialer recording 1Available only on some devices that have Phone pre-installed. Screen recorder works but you have to put speaker phone on and turn volume right up. Not ideal 🤣
-
GrapheneOS-Teleg
Ashwaq (@AshwaqHussain) has joined the Telegram Group!
-
came2complain[m]
can someone tell me where in the source code I can find the boot animation?
-
came2complain[m]
* Could someone please tell me where in the source code I can find the original graphene OS boot animation?
-
GrapheneOS-Teleg
<L73689> Whats the secure element?
-
GrapheneOS-Teleg
<L73689> So I don't use a pin, I use a long password, this still uses the secure element doesn't it?
-
duck[m]
rate limiting is enforced by titan m yes
-
GrapheneOS-Teleg
<L73689> Rate limiting ? Is this the " wait 6 hours to retry" thing
-
GrapheneOS-Teleg
<L73689> Not gonna lie I absolutely love graphene os on the pixel 5
-
duck[m]
yes
-
nonie689[m]
<nscnt[m] "nonie689: Rebooting while it's b"> How can i fix it
-
helloworldkk87[m
<nonie689[m] "How can i fix it"> You should not sideload updates, I think its rolling back because the update failed. Correct me if im from nscnt
-
helloworldkk87[m
* You should not sideload updates, I think its rolling back because the update failed. Correct me if im wrong nscnt
-
nscnt[m]
Well, it rolls back _for a reason_. I don't know what's wrong for nonie689, though. Updates are tested to be able to update to another future release
-
nscnt[m]
and because sideloading didn't work as well, there's nothing wrong with the Updater
-
nscnt[m]
An update has certainly not caused this
-
marcus_
o/
-
nonie689[m]
nscnt: hm... what can i do?
-
strcat[m]
nonie689: sounds like your device may be broken and has failed storage or something like that
-
strcat[m]
you're not providing enough information
-
strcat[m]
what version are you on right now?
-
strcat[m]
for starters
-
concerntroll[m]
hi
-
khalefa
Hello, Need help getting sellinux permissive to work on "eng" build type, I modified this file: device/google/redbull/BoardConfig-common.mk, added: BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive, the problem the generated factory image will not boot due to this error: fastboot: error: Failed to boot into userspace fastboot; one or more
-
khalefa
components might be unbootable. .. appreciate any help in getting selinux to permssive mode in "eng" build type
-
strcat[m]
SELinux permissive isn't supported
-
khalefa
even in "eng" build type?
-
strcat[m]
you would have to build a kernel with support for it
-
strcat[m]
it's not useful since that's the basis of most of the security model, what's the point? it's like turning off uid/gid support in the Linux kernel
-
strcat[m]
user and userdebug builds are also really the only build types we test/support
-
strcat[m]
userdebug for development
-
strcat[m]
what does eng do that you want which isn't provided by userdebug for development?
-
khalefa
I just want to figure out an issue I'm facing, it would be much easier in permissive mode to know the root cause of the issue, I have a service running with its own domain as permssive. its working fine in executing any command, excepts for command using the binary "/system/bin/cmd". Anything related to this will not work. howevern, if I run my
-
khalefa
service by just calling it from shell: /system/bin/myservice, it works find even while executing commands like "am" "pm"\
-
khalefa
the service written in golang. any command executing by the service using: os.exec works fine, except if I'm invking commands related to: /system/bin/cmd
-
strcat[m]
if there are SELinux errors you can see those in the kernel log, etc.
-
strcat[m]
* if there are SELinux denials you can see those in the kernel log, etc.
-
strcat[m]
if you want permissive you'll need to build a kernel with support for it
-
strcat[m]
SELinux is part of the core permission model and you have to build things with it in mind, it's not simply an extra layer of security
-
panoramics[m]
Hey everyone. I would like to ask: if I give permission to an app to access media on my device, what exactly does that mean. Which folder or elements will that app be allowed to access?
-
panoramics[m]
Its probably not even a grapheme specific question, is it? I could just look it up on android help page?
-
panoramics[m]
*graphene
-
strcat[m]
not GrapheneOS specific in any way
-
strcat[m]
as a general rule, don't give apps blanket access to photos and other media / files
-
panoramics[m]
But the real question would be: its an all or nothing access right?
-
strcat[m]
they can request case-by-case access
-
panoramics[m]
Couldn't be granular?
-
strcat[m]
panoramics: no, they can certainly request case by case access
-
strcat[m]
panoramics: open a file with the PDF Viewer app
-
strcat[m]
doesn't ask for a permission, uses the file manager to open files
-
strcat[m]
apps can also open directories and save files that way
-
strcat[m]
they do not need to ask for coarse access
-
panoramics[m]
OK, interesting
-
panoramics[m]
My goal would be to give let's say an app like WhatsApp only access to certain photos but not to others.
-
strcat[m]
apps don't need permissions to save / open files and directories, they can ask you to choose what to allow instead
-
strcat[m]
and they can ask for persistent access, it's not just temporary
-
panoramics[m]
So its like an always ask permission?
-
strcat[m]
panoramics: so don't give it access, and if they don't support case-by-case access, so be it, give a 1 star review
-
strcat[m]
panoramics: I don't know what you mean
-
strcat[m]
as I said, apps can request case-by-case access to open / save files/directories
-
strcat[m]
they do not need to request bulk access to your profile's photos/media/files
-
strcat[m]
if you don't want to grant the app what it requests, don't grant it
-
strcat[m]
if the app doesn't provide a way to give case-by-case access, complain to them
-
strcat[m]
you can see how case-by-case access works with apps that respect privacy and user consent like our PDF Viewer and many others
-
strcat[m]
apps do not need to request coarse access to all photos, etc.
-
strcat[m]
they can, but absolutely do not need to
-
strcat[m]
they can request access to a specific photo or a directory of them, they should be giving you the choice
-
strcat[m]
please take it up with app devs, leave reviews on the stores about it
-
strcat[m]
not respecting privacy / user consent is worthy of a 1 star review
-
panoramics[m]
OK. So of course a shitty app would ask for the broadest access possible and then I could only say yes to all or no to all
-
strcat[m]
panoramics: yes
-
strcat[m]
panoramics: although the OS is phasing out being able to request access to ALL your profile directory's files
-
strcat[m]
panoramics: it is gone for API 30+ (which is becoming mandatory for both new and updated Play Store apps soon)
-
strcat[m]
for API 29+ it's gone by default but apps can opt-in to legacy shared storage access
-
strcat[m]
panoramics: so, similarly, an app can request that you pick a contact for them to use, they do not need to request access to ALL contacts
-
strcat[m]
panoramics: and, as another example, an app can request that you take a photo, it just opens up your chosen camera app and you can take a photo with it, they do not need to request camera permission access other than to provide their own camera UI and do real-time filters, etc.
-
panoramics[m]
<strcat[m] "panoramics: so, similarly, an ap"> I was hoping that there would be a way to enforce that but I understand that isn't possible. Got it
-
strcat[m]
although if they do ask for camera permission access, you can just grant one-time access
-
strcat[m]
same with microphone
-
strcat[m]
panoramics: I mean, you can enforce it
-
strcat[m]
panoramics: just don't say yes, you're enforcing it
-
panoramics[m]
😄
-
strcat[m]
panoramics: of course, that doesn't force the app developers to implement another way of doing it that's more privacy respecting
-
panoramics[m]
Yeah, unfortunately it would have to be a case by case, sometimes I would need it, sometimes not. But the way I understand it, that won't really work. So I'll have to adjust. That's fine
-
strcat[m]
the OS can't force app developers to implement something, it can just take away options from them
-
grapher
hi - is it possible to prevent the Google logo displaying when you boot up Grapheneos? Is it coming from the kernel or from some device firmware?
-
strcat[m]
such as how the option to request full shared storage access is being removed
-
strcat[m]
grapher: it's the UEFI boot splash for Pixels
-
panoramics[m]
<strcat[m] "the OS can't force app developer"> Got it. The a lot
-
strcat[m]
grapher: it's not tied to GrapheneOS
-
panoramics[m]
Thanks
-
strcat[m]
grapher: there's no Google boot splash on non-Google branded hardware
-
strcat[m]
there's instead an HTC boot splash, or Samsung boot splash, etc.
-
strcat[m]
and no, you can't remove it
-
grapher
Ah I see thank you
-
strcat[m]
it would be a vulnerability if you could since an attacker could display arbitrary data there if it wasn't verified
-
strcat[m]
and it's displayed before it has loaded the OS verified boot key
-
strcat[m]
* it would be a vulnerability if you could since an attacker could display arbitrary data there if it wasn't verified (in the verified boot threat model)
-
strcat[m]
once the OS has booted up it displays the OS boot splash
-
grapheneosisamaz
You can verify the OS, but can you verify the UEFI? Checkmate
-
grapheneosisamaz
just kidding
-
strcat[m]
the whole boot chain is verified, that's the point
-
grapheneosisamaz
right
-
grapheneosisamaz
I'm guessing the first step would be the Titan M?
-
strcat[m]
no
-
strcat[m]
there's a tiny boot ROM hard-wired into the SoC
-
annochris
Hi, can I have some advise? I have this app from f-droid called libreAV it scans for malware etc, I selected the 'scan system apps' option and the grapheneos, downloader, and aload of other system apps have shown up as malware? Since I installed grap evrytime I turn on my phone it first shows up as ' booting from a different os ' then the google
-
annochris
logo appears and the grap logo? Is this normal? And do I have malware? Thanks, noob by the way
-
grapheneosisamaz
<strcat[m] "there's a tiny boot ROM hard-wir"> ah
-
grapheneosisamaz
didn't know, thanks
-
grapheneosisamaz
And that can't be changed?
-
strcat[m]
annochris: don't use broken apps
-
strcat[m]
that app is security theater and doesn't work, don't use it
-
strcat[m]
grapheneosisamazing: ROM means cannot be changed
-
entry1
<annochris "logo appears and the grap logo? "> No need for AV in Android/GrapheneOS. Probably don't need anything other than the built in AV for Windows either.
-
strcat[m]
(GrapheneOS is not a ROM)
-
grapheneosisamaz
Oh yeah that's right, read-only memory
-
strcat[m]
(obviously.. I think, and it's misuse of the term when people say that)
-
strcat[m]
* (obviously... and it's misuse of the term when people say that)
-
grapheneosisamaz
Why do people call custom Androids a ROM anyway...writing to the read-only memory is a misnomer lol
-
grapher
Okay so even Google couldn't update that logo through a UEFI update?
-
strcat[m]
grapheneosisamazing: because they don't know what it means
-
annochris
Yeah, first the google shows then the grap logo, is that normal?
-
strcat[m]
grapher: no
-
strcat[m]
grapher: never said that
-
grapheneosisamaz
<annochris "Yeah, first the google shows the"> is normal, convo above
-
strcat[m]
annochris: the brand of the device is displayed as a boot splash by the UEFI implementation
-
strcat[m]
if you have a Samsung device, no, that isn't normal, it will say Samsung
-
strcat[m]
not part of GrapheneOS beyond GrapheneOS shipping updates for all the firmware
-
annochris
OK but I should delete that app yes
-
strcat[m]
annochris: yes remove the broken security theater app
-
strcat[m]
-
grapher
Okay I dont understand is it the keys required for UEFI update that are in the ROM?
-
strcat[m]
just a totally broken security theater app
-
strcat[m]
it cannot identify if software is malicious
-
strcat[m]
it just guesses based on dumb heuristics which are often wrong
-
strcat[m]
grapher: not quite, but I didn't get to finish explaining
-
strcat[m]
annochris:
projectmatris/antimalwareapp #4 linked that after you left
-
strcat[m]
just a totally broken security theater app
-
strcat[m]
it cannot identify if software is malicious
-
strcat[m]
it just guesses based on dumb heuristics which are often wrong
-
strcat[m]
just don't use AV, it doesn't work
-
strcat[m]
shrug
-
strcat[m]
grapher: there is a verified boot chain from the SoC to the OS
-
strcat[m]
all firmware and the entire OS are verified
-
strcat[m]
grapher: for everything prior to the OS, that's verified from the immutable hardware root of trust
-
strcat[m]
the UEFI implementation displays a boot splash and that's built into it
-
strcat[m]
it would be a security vulnerability if it wasn't verified
-
strcat[m]
the UEFI implementation has the stock OS signing key built into it too
-
strcat[m]
for an alternate OS, it loads the key from a secure element (Titan M on Pixels)
-
strcat[m]
the Titan M is only involved for the OS stuff: lock state, user chosen OS signing key, etc.
-
strcat[m]
has no involvement in the earlier stuff, since that's just immutable
-
strcat[m]
if it was a Samsung branded phone, it would have a Samsung boot splash
-
strcat[m]
if it was an HTC phone, it would have an HTC boot splash
-
strcat[m]
it's not part of the OS
-
strcat[m]
it's not for the OS to decide
-
strcat[m]
the OS displays a boot splash once it loads
-
strcat[m]
the only way there's going to be a GrapheneOS firmware boot splash is if we have our own hardware, that's how things work
-
strcat[m]
same as your laptop saying "Dell" or whatever when it boots up
-
grapher
Okay thanks I understand. If someone hypothetically wanted to write a custom self signed UEFI firmware update that changed the boot logo would it be possible to flash it onto the Pixel and verified boot to work? Or would the firmware update have to be signed by Google?
-
strcat[m]
I already said no
-
strcat[m]
> the only way there's going to be a GrapheneOS firmware boot splash is if we have our own hardware, that's how things work
-
strcat[m]
and my previous replies explaining why and more details about it
-
strcat[m]
the only way you'll have a custom boot splash for the firmware is if you have custom hardware
-
strcat[m]
or if there's a security vulnerability
-
ypm[m]
speaking of custom hw
-
ypm[m]
graphene project plans to eventually have their own custom hw right?
-
grapher
Right it wasnt clear to me if you meant 'no it's not possible for google to update the logo' or not?
-
ypm[m]
like way further down the line
-
strcat[m]
grapher: I explained it above
-
strcat[m]
there's only a tiny boot ROM, the rest can be updated, all explained above
-
grapher
and the boot splash is contained in the boot rom?
-
strcat[m]
no
-
strcat[m]
please, read what I said above
-
panoramics[m]
<strcat[m] "panoramics: so, similarly, an ap"> One follow up question: if I installed sth like an encryption supported file manager, I guess I could encrypt everything sensitive and just leave those media files unencrypted that I am OK sharing with. Couldn't that work? I do understand that as a tradeoff, I would have to give another app storage permission, which I guess is just shifting trust. But generally
-
panoramics[m]
speaking, could that work?
-
strcat[m]
panoramics: doesn't stop it from adding files or removing them, and most apps aren't going to store data with their own layer of encryption
-
strcat[m]
panoramics: doesn't really make sense
-
ypm[m]
sounds like profiles with extra steps
-
strcat[m]
panoramics: if you don't want to give apps access to data, DO NOT GIVE ACCESS
-
strcat[m]
panoramics: you're coming up with a really insecure, incomplete way to work around giving an app access to data you don't want to give it access to
-
strcat[m]
don't give it access to the data
-
strcat[m]
if it refuses to run without it, run it in a separate profile
-
grapher
Well I did I just don't understand what signatures are checked for UEFI firmware updates.
-
panoramics[m]
Yeah I get it, that's the clean way
-
strcat[m]
grapher: it's not simply for updates, it's for every boot
-
panoramics[m]
Cool. Thx
-
strcat[m]
I explained verified boot above
-
strcat[m]
I explained that it chains from an immutable hardware root of trust
-
strcat[m]
I explained that there's only a tiny boot ROM and the rest can be updated
-
strcat[m]
I explained that the UEFI implementation supports a custom verified boot key, which is the GrapheneOS boot key for that device with GrapheneOS, and that's in the secure element
-
strcat[m]
I do not understand what else you want to know or why this is such a big deal to you
-
strcat[m]
Samsung device -> Samsung boot splash
-
strcat[m]
HTC device -> HTC boot splash
-
strcat[m]
Google device -> Google boot splash
-
strcat[m]
grapher: I gave you all that info above
-
strcat[m]
for there to be a GrapheneOS firmware boot splash, it has to be GrapheneOS hardware
-
strcat[m]
i.e. we have to be the OEM
-
grapher
Thanks I am just trying to understand how it all works together but from what you are saying I understand it is hypothetically possible to flash new firmware with a different boot logo
-
grapher
but grapheneos would not do this
-
strcat[m]
no
-
strcat[m]
that isn't what I said, at all
-
strcat[m]
> for there to be a GrapheneOS firmware boot splash, it has to be GrapheneOS hardware
-
strcat[m]
I didn't say we won't do it, I said we can't without our own hardware
-
strcat[m]
we want our own hardware
-
strcat[m]
I could quote all of my previous messages too
-
strcat[m]
I don't see the point
-
strcat[m]
I think the discussion has touched on everything that can be said about it and can end
-
grapher
okay the thing im confused about is who can update the uefi firmware?
-
strcat[m]
all explained above
-
strcat[m]
GrapheneOS ships the updates for all the firmware, we don't make those updates, we ship them
-
strcat[m]
there is an immutable root of trust chained from hardware
-
strcat[m]
it's not our hardware, clearly it's not our key, and it depends on the SoC vendor and OEM of the device
-
strcat[m]
we don't have our own hardware atm
-
strcat[m]
if we had our own hardware, sure, we would be choosing the boot splash
-
strcat[m]
as I said above
-
strcat[m]
grapher: I really don't understand the need to continue this further
-
strcat[m]
I really think everything useful has been said
-
Railgun_Lover[m]
Will be fun when you do have your own hardware
-
strcat[m]
it seems you don't like the answer so you aren't listening
-
grapher
okay so firmware updates have to be signed by the device manufacturer key which is included in the phone's immutable root of trust, do I understand correct?
-
strcat[m]
grapher: yes, essentially
-
grapher
okay thank you that is what was not clear to me
-
strcat[m]
there is a key burned into fuses irreversibly
-
strcat[m]
the UEFI implementation supports a user defined key in the secure element
-
strcat[m]
that's how GrapheneOS is supported
-
grapher
I see
-
strcat[m]
if we had our own device, the key burned into fuses would be ours
-
strcat[m]
on any other device, it is not
-
grapher
understood
-
strcat[m]
so on any other device, if they choose to display a firmware boot splash, which they probably do, we can't change that unless there's a security vulnerability
-
grapher
I see
-
strcat[m]
and we wouldn't support a device with a broken secure boot chain
-
strcat[m]
and also we ship all the firmware updates so vulnerabilities get fixed
-
strcat[m]
only a vulnerability in the hardware or the tiny boot ROM couldn't get fixed
-
strcat[m]
and that's part of why new hardware is important, not everything can be fixed via microcode/firmware updates
-
strcat[m]
most stuff can be fixed or at least worked around, in practice
-
grapher
makes sense
-
Ed[m]
Just installed the new graphene update, whats changed?
-
grapher
thank you for taking your time to explain!
-
strcat[m]
-
Ed[m]
did you guys fix the camera crashing thing on the 4a
-
Ed[m]
I think its in the logs
-
strcat[m]
don't have a problem like that
-
strcat[m]
getting an error about being unable to connect to the camera is a symptom of hardware failure
-
Ed[m]
<strcat[m] "getting an error about being una"> Well ive been having occasional errors about that
-
strcat[m]
likely hardware failure
-
strcat[m]
it's one of the most common things that breaks from fall damage or water damage
-
Ed[m]
Anyway for me to get the logs and ask for help
-
strcat[m]
you can often confirm by switching to the other camera
-
strcat[m]
it usually gets increasingly worse than doesn't work anymore
-
Ed[m]
<strcat[m] "it's one of the most common thin"> I just got this phone, unlikely
-
strcat[m]
doesn't mean it's not broken
-
Ed[m]
<strcat[m] "you can often confirm by switchi"> 4a model, only one camera
-
strcat[m]
it has a front camera
-
Ed[m]
<strcat[m] "it usually gets increasingly wor"> Oddly enough, opendcam worked fine
-
strcat[m]
we don't have any known issues with camera crashes on current gen devices
-
strcat[m]
other people aren't experiencing it
-
strcat[m]
there are serious issues with the 3 and 3 XL (and perhaps 3a and 3a XL to a lesser extent) but we just worked around them and it isn't really more of an issue for us than the stock OS
-
strcat[m]
newer devices don't have the issues
-
strcat[m]
we're certainly aware that the Sony camera sensors in the supported devices are relatively fragile and are the one of the first components to break from fall damage / water damage
-
strcat[m]
look up the error message about camera not connecting
-
strcat[m]
it happens with the stock OS, and with other devices
-
annochris
Hello I have a question about something I have seen on port22, is there anyone that can tell me why i see ssh-2.0 dropbare on port 22? Has some one remotely connected to me via this port? Or is it normal to see that, I'm using a gl-mt1300 openwrt router
-
strcat[m]
because you're running ssh
-
strcat[m]
not really clear why you're asking about a router here or why you're concerned that it's running ssh
-
strcat[m]
probably because it's managed via ssh?
-
Ed[m]
Routers can be managed via ssh?
-
Ed[m]
they probably run linux or bsd right
-
strcat[m]
they said it has openwrt
-
annochris
In don't fully understand this stuff to be honest, but I know ssh is used to deliver packets, all I know is I see ssh on port 22 so that means some one is using ssh to connect to me right
-
annochris
I never set us ssh no
-
strcat[m]
no
-
strcat[m]
are you talking about your router
-
annochris
Yeah when I scan it with a port scanner I see port 22 ssh
-
annochris
Why?
-
strcat[m]
you said your router is running openwrt so I don't know why you'd be confused about it running ssh
-
strcat[m]
because it is managed via ssh
-
strcat[m]
that's how you log into it via CLI
-
Ed[m]
<annochris "Yeah when I scan it with a port "> The port being open doesn't necessarily mean someone is connected
-
strcat[m]
annochris: doesn't seem related to GrapheneOS
-
strcat[m]
there's #grapheneos-offtopic
-
strcat[m]
if it's not about GrapheneOS you should talk about it there
-
annochris
OK sorry its not related
-
strcat[m]
that's why it's confusing
-
strcat[m]
because it's implied you're talking about GrapheneOS here
-
Ed[m]
Also any news regarding the drama
-
annochris
Sorry I didn't think of any where else to ask live
-
Ed[m]
Are they still like harassing
-
strcat[m]
I thought you meant you had a service listening on your port on your phone implying having an app installed providing ssh
-
strcat[m]
Ed: there are still regular raids on the channel, lots of harassment, and people spreading lots of misinformation and false allegations against the project
-
strcat[m]
Ed: Copperhead is not doing it at the moment
-
strcat[m]
other people are doing it, more than Copperhead was doing it before
-
strcat[m]
don't really want to get into it right now
-
strcat[m]
if you're referring to the conflict with Copperhead, that conflict is currently on pause and may come to an end in the near future, has been the case for a bit over a month or so
-
strcat[m]
after that stopped, unfortunately, other people decided to start and drastically escalate their own harassment / bullying of people involved in the project and spreading misinformation about it
-
strcat[m]
it's not Copperhead doing it atm
-
Ed[m]
What about calyx?
-
Ed[m]
<strcat[m] "it's not Copperhead doing it atm"> Well thats good
-
strcat[m]
they're the main perpetrators of it right now, not Copperhead
-
strcat[m]
Copperhead stopped
-
strcat[m]
they had stopped before fairly recent major escalations of attacks on GrapheneOS
-
strcat[m]
and those aren't related, it's not them doing it secretly or something like that, the people doing it / leading it aren't making any secret of it
-
strcat[m]
so, it's possible Copperhead will start their attacks on the project again, but for now, they have stopped, and appear to want to end the conflict
-
strcat[m]
it is not ended, just paused
-
strcat[m]
they aren't attacking us, so while we still have to deal with cleaning up the massive mess they created, including people who got brainwashed / tricked by them and attack us now, it's not them doing it themselves
-
Ed[m]
<strcat[m] "it is not ended, just paused"> Thats good for now i suppose, the thing that matters at the end of the day is the software
-
strcat[m]
the recent escalations were not by them, but did primarily use their false claims / false narratives and drama they created previously to create new attacks on us
-
strcat[m]
but, wasn't them propagating / engaging in it
-
strcat[m]
was largely their fault for what they did previously
-
strcat[m]
was / is
-
strcat[m]
* is largely their fault for what they did previously
-
strcat[m]
Ed: the well-being of the people who work on the project and the ability of them to spend their time working on development and not being bullied/harassed/slandered is quite important too
-
ypm[m]
no software without devs bro. treat devs nicely esp if it's literally free/libre software
-
ypm[m]
my philosophy on it anyways
-
akc3n[m]
The concern trolling becomes emotionally exhausting after a while just to watch, as community member, I can only imagine how draining it maybe for the project team.
-
akc3n[m]
Thanks for all your guys hard work and that you guys keep pushing through it to make the best security mobile os possible.
-
annochris
Hello, I have heard about ways to make grap more secure, can some one tell me if this is true, also is it safe to download apps from the fdroid store
-
annochris
Thanks in advanced
-
annochris
No
-
ypm[m]
fdroid is safer than random apks and if you want you can always read the source yourself and personally verify
-
ypm[m]
and idk what you mean by making grapheneos more secure
-
annochris
I dont know how to do that
-
annochris
Some youtuber said there are ways to harden the is
-
annochris
The os *
-
ypm[m]
What do you want to "secure" because more secure is pretty vague
-
annochris
Basicly is had spyware put on my old phone so abit paronoid now
-
ypm[m]
just dont run things you dont trust idk what else to tell you
-
annochris
OK cool, f droid is OK yeah, and Aurora store is OK as long as you check there are no trackers right
-
annochris
I don't know touch about it tbh but thanks anyway
-
cryptokid777
Hi, i see there is a new option with graphene: enable native code debugging? What does this mean and do?
-
cryptokid777
It s enabled by default but dont know what it means and if i should keep it on or turn it off, hope someone can explain
-
strcat[m]
cryptokid777: disabling it will disable native code debugging features, reducing attack surface for the OS from apps
-
strcat[m]
will break debugging code as part of app development, will break apps capturing that kind of data to make bug reports and may reduce app compatibility if apps do that kind of thing in regular use
-
cryptokid777
Okey, but why is it on by default of disabling will reduce attack surface?
-
strcat[m]
it's enabled by default due to potential app compatibility issues from disallowing it
-
strcat[m]
because before we added the feature it's simply always enabled
-
strcat[m]
* because before we added the feature it's simply always available
-
strcat[m]
disabling it will break some apps if they can't work around it not being available
-
cryptokid777
Oww okey i understand thanxs for the quick respond
-
strcat[m]
some apps have crash reporting stuff, etc. which may actually be used in regular use
-
cryptokid777
I will try to disable it and see what apps still work
-
strcat[m]
sometimes to anticipate the fact that they are going to crash and be ready to figure out why it happened
-
strcat[m]
and they may not handle it not being allowed
-
strcat[m]
it's a toggle for whether the ptrace system call is available
-
strcat[m]
if you disable it, it's globally disabled across the whole OS
-
strcat[m]
apps can only ever ptrace themselves (their own processes) but it's still kernel attack surface
-
strcat[m]
it's a non-trivial API
-
strcat[m]
-
strcat[m]
I guess we could write "native debugging (ptrace)" instead of just native debugging to help clarify
-
strcat[m]
I don't know how to write it up better as a tiny description in Settings
-
strcat[m]
you only get ~70 characters or so
-
strcat[m]
if disabling it doesn't break stuff you can use it
-
cryptokid777
Well i was searching in releases changelog , but there was no explaination
-
strcat[m]
if an app crashes and you have it disabled, you won't get proper crash logs
-
strcat[m]
it prevents debugging crashes, etc. if it's disabled
-
cryptokid777
Maybe you could do it in changelog, sometimes explain the changes for the noobs
-
cryptokid777
I always check the changelog
-
strcat[m]
it is listed there further back
-
strcat[m]
-
cryptokid777
Yes it is listed, but i mean if there was a small explaination what it does if you enable or disable it, it would be cool. There are many people like me who use grapheneos but are not super tech
-
cryptokid777
But now i understand i hace disabled it and will see if my apps still work
-
cryptokid777
Thanks very much for the explaination
-
strcat[m]
just keep in mind if you have it disabled you don't get useful crash logs, etc.
-
strcat[m]
so if you're running into crashes and are asked to get logs, etc. or capture a bug report with that tool you should disable this 1st
-
cryptokid777
Okeey i understand
-
cryptokid777
One more question, i always used outlook app for my hotmail account
-
cryptokid777
Now it just s crashing
-
cryptokid777
I tried several email apps for my hotmail but they all struggle to get my mail,
-
cryptokid777
Is there an alternative app for outlook thats works with graphene?
-
strcat[m]
lots of mail apps that work well
-
strcat[m]
Outlook should work fine but maybe they accidentally have a dependency on Play services, etc.
-
strcat[m]
there's an example where you should file a bug report with the developer and ideally provide a useful crash log
-
cryptokid777
I tried aquamail also, it logs in but doesnt refresh, canary mail also
-
cryptokid777
Outlook always worked, till last month i updated to new graphebeos version amd since then it crashes,
-
cryptokid777
I had this also with my bank app, and after 3 montha of grapheneos updates it staryed working again, but outlook still nothing
-
strcat[m]
probably from an app update not an OS update
-
strcat[m]
very unlikely it had to do with an OS update
-
strcat[m]
you really need to report app issues to app developers and ideally provide logs
-
strcat[m]
if you don't report issues they won't get fixed
-
cryptokid777
Where can i report this
-
cryptokid777
?
-
cryptokid777
And how can i see crash logs for outlook mail? So i can send that also
-
strcat[m]
trigger the bug, then use the capture bug report tool in developer option, then send it to yourself via email client, Element, etc. and ideally copy paste the relevant portion with a fair bit of context from the log inside it to give to the app developers
-
strcat[m]
that's the ideal way to report a bug
-
strcat[m]
the problem is likely obvious
-
strcat[m]
probably something like it breaking without Play services
-
strcat[m]
have you tried a version of the app not from the Play Store? they may have multiple versions
-
cryptokid777
No i only tried outlook from auroraos
-
cryptokid777
AuroraOS is play store right?
-
cryptokid777
Maybe f droid has other version let me see
-
cryptokid777
Cant find outlook on f droid, dont now where to download it without play services
-
cryptokid777
I only know auroraos and f droid for apps
-
jpds
cryptokid777: f-droid only hosts open source apps
-
cryptokid777
Okey, so where can i find outlook withoit play services?
-
cryptokid777
Struggling to use my hotmail on graphene
-
freefolk[m]
cryptokid777: should be possible to use K-9 to connect to hotmail via imap/smtp
-
freefolk[m]
K-9 is available on F-Droid
-
cryptokid777
Ok thanx, will try that
-
Ed[m]
<jpds "cryptokid777: f-droid only hosts"> untrue, partially open source apps too
-
Croat
Hi All, I am trying to reflash Google Firmware on my Pixel 4a but I cannot find the web installer website for the life of me. Anyone have a link?
-
sphinx[m]
-
Railgun_Lover[m]
-
Croat
THANK YOUJ SPHIX!!!!!!! MAn, been searching like an hour
-
Croat
RAilgun, they shoudl have Sphinx's link there. That page was no help
-
Railgun_Lover[m]
<Croat "RAilgun, they shoudl have Sphinx"> Ah
-
jpds
-
Croat
Sorry, that was some developer version. I am looking for STOCK google firmware
-
Railgun_Lover[m]
Croat: developers.google.com/android/images
-
Railgun_Lover[m]
It's developer stuff yes, but probably the only good place to get it
-
Railgun_Lover[m]
It has the factory images
-
Croat
I have reflashed it back to stock before. It was not like this
-
Railgun_Lover[m]
Croat Then idk where it is
-
Railgun_Lover[m]
Or how to do it
-
Railgun_Lover[m]
* Or how to do it the way you did
-
Railgun_Lover[m]
This will probably work anyway, so...
-
Croat
I do not want ASOP, I want the google branded versone for an unlocked pixel 4a
-
Croat
version
-
Railgun_Lover[m]
Croat These are factory images
-
Railgun_Lover[m]
Croat: FACTORY
-
Railgun_Lover[m]
Croat: this is what was on your phone when it came from the factory
-
Croat
I installed it and it does not look like factory
-
Croat
it is ASOP
-
Railgun_Lover[m]
Croat On the webpage it says factory images
-
Croat
The only buildtype I get is ASOP-SUNFISH_USERDEBUG
-
Railgun_Lover[m]
Huh
-
Railgun_Lover[m]
Not sure then
-
Croat
crap....
-
Railgun_Lover[m]
Well now you're stuck with GrapheneOS then
-
Railgun_Lover[m]
Well, it's a good OD
-
GhostSplinterSix
Welcome to the dark side.😎
-
Croat
No, I have asop-master-with-phone
-
Railgun_Lover[m]
* Well, it's a good OS
-
Railgun_Lover[m]
Vendor lock-in
-
Railgun_Lover[m]
:P
-
Croat
Trying to sell it so no, not good
-
Railgun_Lover[m]
Well maybe GrapheneOS could get you a higher price
-
Croat
No vedor lock it. I have flashed back and forth before
-
Railgun_Lover[m]
<Croat "No vedor lock it. I have flashed"> I know I was joking
-
Croat
If you cannot help railgun I would apprecaite you not saying anything since this is sucking
-
sphinx[m]
Croat: go to the sunfish section in the developers link Railgun sent earlier and click Flash next to the latest version
-
GrapheneOS-Teleg
!hermanito has joined the Telegram Group!
-
Lexington12
Hi
-
Lexington12
Pixel 4A or Pixel 5?
-
GrapheneOS-Teleg
<Phenix0> 5 will be supported longer than 4a
-
GrapheneOS-Teleg
<Phenix0> But 4a is cheaper and has a headphone jack
-
Lexington12
5 only supported like 2 months longer than 4a
-
theogrelord[m]
<Lexington12 "Pixel 4A or Pixel 5?"> The Pixel 4a is the cost-effective solution imo
-
Lexington12
yes i agree
-
Lexington12
if pixel 5 has better battery
-
Lexington12
and is water resistant
-
Lexington12
pixel 5 has better gorilla glass
-
Lexington12
pixel 5 has about 1/4th 1/5th larger battery
-
Lexington12
pixel 5 has, 1/4th 1/5th larger battery, stronger gorilla glass, and metal chasis
-
jpds
Lexington12: Then just get it
-
Lexington12
is there any downside to pixel 5
-
Lexington12
does the 5 drain battery faster?
-
Thatcher[m]
Only in 90hz screen mode
-
Lexington12
nice
-
Lexington12
so is the 5 better in every way just more expensive
-
Lexington12
?
-
Thatcher[m]
Twice the price of a 4a but has waterproofing, better processor, larger battery, 0.2" larger screen with stronger glass
-
Lexington12
and metal chasis
-
Lexington12
can i disable 5g and use lte only
-
Lexington12
how does lte only work on the pixel 5
-
Lexington12
i want to use just 4g lte
-
strcat[m]
4a (5G) and 5 are the same generation
-
strcat[m]
4a is an earlier generation
-
strcat[m]
4a (5G) and 5 have a newer generation SoC than the 4a, not just faster
-
strcat[m]
5 vs. 4a (5G) is about the fancier screen (90 Hz, better overall), water/dust proofing, wireless charging, etc.
-
strcat[m]
Lexington12: means LTE (4G) only
-
onyxrubber
you can specify in setting, which network u prefer. U can set LTE to prefer network connetion
-
strcat[m]
-
strcat[m]
LTE and LTE only are different modes
-
strcat[m]
LTE only is a GrapheneOS added feature
-
Lexington12
So LTE only blocks 2g 3g 4g and 5g and has just 4g LTE right?
-
strcat[m]
setting it to LTE means "LTE and below"
-
strcat[m]
LTE only means LTE only
-
Lexington12
nice
-
Lexington12
do u think the pixel 5 is superior in every way?
-
Lexington12
Metal Chasis, Better Gorilla Glass Screen, water resistant
-
Lexington12
Larger battery
-
strcat[m]
Pixel 5 is superior in every way to a 4a (5G) and especially 4a aside from price
-
onyxrubber
it is not metal in the way u think
-
Lexington12
aluminum chasis right
-
Lexington12
great
-
Lexington12
I'll get the pixel 5 mostly for its waterproofing and larger battery
-
Lexington12
waterresistance
-
Lexington12
Donate to Graphene os!
-
onyxrubber
hey, did you gus know how can i build app from source? Any advices?
-
onyxrubber
-
strcat[m]
./gradlew assembleRelease and sign it
-
onyxrubber
hope it will work on ubuntu
-
Lexington13
Hi
-
Lexington13
Im trying to use my phone without being wiretapped
-
Lexington13
Is Signal.apk the best strategy
-
Lexington13
for encrypted calls and texts
-
Lexington13
I also want to hide Who I'm calling
-
Lexington13
From the Mobile carrier surveillience
-
nscnt[m]
^ the same troll as always, not sure whether it was already Lexington12 or whether they wanted to impersonate a generous user
-
sphinx[m]
poor adam
-
nscnt[m]
yea, I think it was already them
-
Cliff[m]
I don't have a lte only mode it says 4g only is that different?
-
Railgun_Lover[m]
I always loved the "$Moderator kicked $User. Reason: $User"
-
Railgun_Lover[m]
It's like
-
Railgun_Lover[m]
We kicked you because you're you
-
GrapheneOS-Teleg
<!hermanito> Ist hier jemand der deutsch kann und mir Schritt für Schritt die Installation von Grapheneos auf Pixel 3
-
Railgun_Lover[m]
I know the format is probably automatic but it's still funny
-
Railgun_Lover[m]
<GrapheneOS-Teleg "<!hermanito> Ist hier jemand der"> One sec need to translate
-
jpds
Well, one of the Germans I know on here just left
-
GrapheneOS-Teleg
<!hermanito> Okay thank you
-
Railgun_Lover[m]
Wait, I know some german
-
Railgun_Lover[m]
This will be painful but I'll do it manually
-
jpds
-
jpds
Probably the easiest is to copy and paste paragraphs into deepl.com
-
Railgun_Lover[m]
Is there someone here who can speak German and guide me step by step through GrapheneOS installation on Pixel 3
-
jpds
Ja, ich weiss
-
jpds
Hence the link, and copying the paragraphs into a translator
-
Railgun_Lover[m]
<jpds "Ja, ich weiss"> Ja! Ich habe gute Deutsch gelernt!
-
Railgun_Lover[m]
<jpds "Hence the link, and copying the "> I know but more fun to manually do it
-
Railgun_Lover[m]
Plus now I know some more German
-
onyxrubber
can i access developer options on second profile?
-
Railgun_Lover[m]
<jpds "Probably the easiest is to copy "> Or Google translate
-
Railgun_Lover[m]
<onyxrubber "can i access developer options o"> Only do it if you're a developer
-
Railgun_Lover[m]
They make it less secure
-
onyxrubber
i know, but i can't access it on second profile :C
-
onyxrubber
i want to install some "less secure" apps, and testing. I don't want do this on main profile
-
Railgun_Lover[m]
Ah
-
Railgun_Lover[m]
Oh wait I'm dumb, what you do in secondary profiles doesn't affect other profiles
-
Railgun_Lover[m]
Pardon me
-
jpds
Should probably get the web installer translated actually
-
onyxrubber
it is all right. I am so confused, I can't access dev options on other profiles
-
Railgun_Lover[m]
onyxrubber: probably the same way as stock
-
Railgun_Lover[m]
Spam the build number
-
onyxrubber
dosen't work
-
Railgun_Lover[m]
Oh
-
Railgun_Lover[m]
Then idj
-
Railgun_Lover[m]
* Then idk
-
onyxrubber
could anyone check it for me?
-
nscnt[m]
onyxrubber: Only the owner user can access them
-
Railgun_Lover[m]
nscnt: oh so it's impossible to enable developer options in specific profiles?
-
nscnt[m]
Only the owner user can access them, but the settings are applied (maybe not all?) to secondary users as well
-
nscnt[m]
For example, you can also debug in a second user if you enabled it as the owner user
-
onyxrubber
"USB debugging is not allowed"
-
onyxrubber
"The user currently signed in to this device can't turn on USB debugging. To use this feature, switch to the primary user"
-
onyxrubber
so there is no way to debug on other profiles
-
nscnt
Matrix is lagging...
-
nscnt
it works
-
nscnt[m]
onyxrubber: Are you in the guest user?
-
onyxrubber
i created new profile, not guest
-
nscnt[m]
onyxrubber: Allow the connection before switching
-
onyxrubber
conntection to?
-
nscnt[m]
onyxrubber: your pc
-
onyxrubber
I allowed debug on main profile, and then swich to test profile. Is that ok?
-
onyxrubber
wire was connected before allowing debug
-
nscnt[m]
Not just enabling USB debugging, but also allowing it. Did you do that?
-
nscnt[m]
You need to allow every connection
-
onyxrubber
yes, phone asks me to allow debug for this session, and I allowed it. Then I swiched to test profile
-
nscnt[m]
That's how I can debug in a secondary user. You trusted a very insecure device (your PC) anyway. Therefore I see no point in doing it in a secondary user because the _app_ is "less secure"
-
onyxrubber
I was trying to install google camera and it's open source service providers...
-
onyxrubber
the version on stock os didn't work, so I don't want to install and uninstall plenty of apk's, to check which one will work on my device
-
onyxrubber
finally 7.5 version works ok
-
onyxrubber
stock os on pixel 4a 5g working with 7.6 google camera version
-
Thatcher[m]
I've finally taken the plunge into enhanced anti-fingerprinting by ditching NextDNS with custom blocklists for a well-known vpn and using their included adblocking feature. I've completely cleared the storage for Vanadium, resetting all Vanadium settings to default and I intend on keeping it that way. Before this, I've had custom site settings to block everything that is 'Ask first' by default. Now everything is at
-
Thatcher[m]
default, as recommended. I figure that since I will be using Vanadium's default settings from now on, when I need to clear my history, cache, and cookies, I will just clear the app storage entirely, ensuring all data is erased and all settings default.
-
Thatcher[m]
I just wanted to share that.
-
Thatcher[m]
The vpn uses this blocklist exclusively:
github.com/StevenBlack/hosts
-
Thatcher[m]
A popular blocklist