DivestOS: long term device support with enhanced privacy and security

SkewedZeppelin · September 1, 2020, 11:05am

It’s been over a month since I’ve responded here, so some updates and responses:

The CVE patch database now has many more patches thanks to importing data from the Civil Infrastructure Platform CVE tracker
The CVE patcher has had some minor fixes to improve output reliability
There have been some GPS fixes for all branches, will be available in the next rebuilds
Many new (untested) devices: pro1, enchilada, fajita, guacamole, guacamoleb, and broken beryllium
Mull is likely on its last release due to ESR 68 branch being closed off
Hypatia now supports an extra malware hash database from ESET
Credits and screenshots on the website have been updated

Watch previous step repeat (G logo,…

Should never happen, very strange.

I’m wondering: If you want your Mull, Extirpator and Hypatia apps to be more widely used, why not put them in F-Droid’s repo

Mull is deprecated as it stands so there is no point there.
I have a fdroid metadata yml for Extirpater lying around somewhere that I need to make a MR for.
I also need to write one for Hypatia.

@fossys

today I started a second attempt, and - even if only with your trick³ - got my “herolte” to start

Using DivestOS like that is not ideal

the two “F-Droid Repos DivestOS Official & DivestOS Unofficial” are not available to me

That is as expected, @forrest and @marzzzello are correct.
However you are right in that it could be made more apparent like Briar has done.

@m1k

As for the i9300 logs

I’ve seen some very weird out of memory situations under some msm8974 devices that I’ve never been able to track down.
This could potentially be related.

@nexcus

Thanks for bring in POCO F1 support

beryllium is currently broken by the deblobber.
I likely can make a 16.0 build, but that is not ideal.

nexcus · September 1, 2020, 3:28pm

Thank you for the update. Yes. Building on an outdated version isn’t ideal. Let me know if I can help with beryllium. Xiaomi fill in a lot of bloatware in their vendor. I don’t know what is causing problem for you. Also is there any other channel to contact you? I could not find any email on the website.

anon46495926 · September 3, 2020, 4:18am

Latest strange thing, puts me on the verge of uninstalling and giving up on it - One device started slowly ringing, for no apparent reason. No phone call interface popup, no timer popup, nothing. Just ring… ring… ring… until I shut the fscker down. I got video, log, and bug report, but not sure I want to post it anywhere. And yes, GPS performance is sucking. Life on the edge. LOL

fossys · September 4, 2020, 7:47am

I do not use DivestOS!
The DOS installation should exclude you as feedback, because you have no own devices to test.

fossys · September 20, 2020, 8:43am

Galaxy S5 SM-G900F (klte)

Starting point was firmware divested-16.0-20200912-dos-klte

Since months unfortunately the same problem. After the ‘clean install’ my KLTE boots up to the Samsung logo and a permanent boot loop takes place.

dos_12092020_1 dos_12092020_2 dos_12092020_3

As soon as a current boot.img from the "N "ightly LOS 16.0 build is installed afterwards, the DOS boots, shows the DivestOS logo for a longer time and is then operational.

I didn’t do further tests and installed the official LOS 16.0 again.

m1k · September 21, 2020, 7:44pm

I’ve managed to discover REPIT partition resizer script and ran it on i9300.

It’s not that fearsome an operation, as REPIT comes in flashable zip that does things for you, though one should read the manual very carefully in case of Samsung S3 (as I had to work through the entire “in case the script fails to start” section).

Okay, so I’ve
increased /system to 3G,
reduced /cache to 125M,
and minimized /preload to 8M,
shrinking /data at 9G.

And the phone acts generally the same with mull, firefox, chromium and bromite crashing still.

Though, it may very well be due to the recently updated i9300 build that Tor Browser works!

I’m glad to see you help prolonging a life of old devices.
~5 or more year old Android smartphone can do all the essential smartphone stuff one ever need,
aside from cool photoes and fancy videogames.

It’s not that new phones with amazing shots and fast complexly blazing screens are bad, rather their release and life cycle are too artificially short (with few to none ubiquitous practices of recycling).

And it’s a cool idea to place properly organized credits - that should be a bit more ubiquitous practice generally among people, too.

Best regards,
m1k.

CRTComputer · September 24, 2020, 1:51am

The rom is amazing! However, as my phone is klte I need to use the boot.img trick. The only thing doesn’t work is GPS, and one thing to request is replacing UnifiedNLP to microG, you can use Lineage for microG’s patch to allow for System Privileged apps to use Signature Spoofing only. Other than that, it’s great.

SkewedZeppelin · September 24, 2020, 2:15am

@CRTComputer I uploaded a new klte build on 09/21, does that one boot normally?

For GPS can you test outdoors with clear line of sky and wait at least four minutes running GPSTest app to see if it acquires a lock? Or if it even sees the satellites at all? Thanks

Also DivestOS already has included microG support in the build system (and website) for a few years now. It’s been a while, so I don’t exactly remember my reasoning, but it was something I played a bit with.

github.com

Divested-Mobile/DivestOS-Build/blob/master/Scripts/init.sh#L58


      
          export DOS_DEBLOBBER_REMOVE_FACE=false; #Set true to remove all face unlock blobs
          export DOS_DEBLOBBER_REMOVE_FP=false; #Set true to remove all fingerprint reader blobs
          export DOS_DEBLOBBER_REMOVE_GRAPHICS=false; #Set true to remove all graphics blobs and use SwiftShader CPU renderer #TODO: Needs work
          export DOS_DEBLOBBER_REMOVE_EUICC=true; #Set true to remove all Google eUICC blobs
          export DOS_DEBLOBBER_REMOVE_EUICC_FULL=false; #Set true to remove all hardware eUICC blobs
          export DOS_DEBLOBBER_REMOVE_IMS=false; #Set true to remove all IMS blobs #XXX: Carriers are phasing out 3G, making IMS mandatory for calls
          export DOS_DEBLOBBER_REMOVE_IPA=false; #Set true to remove all IPA blobs
          export DOS_DEBLOBBER_REMOVE_IR=false; #Set true to remove all IR blobs
          export DOS_DEBLOBBER_REMOVE_RCS=true; #Set true to remove all RCS blobs
          export DOS_DEBLOBBER_REMOVE_RENDERSCRIPT=false; #Set true to remove RenderScript blobs
          export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Services with the open source Sony TimeKeep reimplementation #TODO: Needs testing
          
          #Features
          export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices
          export DOS_DEFCONFIG_DISABLER=true; #Enables the disablement of various kernel options
          export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+17.1+18.1+19.1+20.0
          export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1+19.1+20.0
          export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1+19.1+20.0
          export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1+19.1+20.0
          export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
          export DOS_HOSTS_BLOCKING_LIST="https://divested.dev/hosts-wildcards"; #Must be in the format "127.0.0.1 bad.domain.tld"

https://github.com/Divested-Mobile/divestos-website/blob/master/pages/home.html#L37

fossys · September 24, 2020, 7:52am

Sorry, I’m not @ CRTComputer but I’m still giving feedback to the ROM builder.

No, also the DOS-ROM divested-16.0-20200921-dos-klte only boots with the ’ boot.img trick.’

kltedos210920201 kltedos210920202 kltedos210920203

‘Signature Spoofing Checker’ App reports signature spoofing : Disabeld. Nevertheless I was able to install microG and its companions without error messages, even without patching the ROM (Deodex).

kltedos210920204 kltedos210920205 kltedos210920206

microG suite version 0.2.12.203315

kltedos210920207 kltedos210920208 kltedos210920209

Further tests could be done if the DOS ROM boots independently (that means without borrowed boot.img), because “that is not ideal”.

CRTComputer · September 24, 2020, 11:21am

Nope, GPS doesn’t work, it detect satellite but both GPSTest and UnifiedNLP still said no location found after rebooting, re-enabling, disabling, etc.

Also for microG to work I root and use Edxposed and enable the FakeGapps module, not ideal but it works.

Edit: Boot didn’t work, using Lineage’s boot.img works, maybe look at DivestOS’s boot.img and compare?

SkewedZeppelin · September 24, 2020, 12:09pm

Here is boot.img for klte to test:
https://divestos.org/testing/boot-klte-20200924.img

SkewedZeppelin · September 24, 2020, 12:12pm

Official DivestOS builds do not include microG or signature spoofing.
It is however supported and has been for many years.
Change one line, rebuild, and it is included.
If there is enough demand I am willing to enable full microG inclusion.

Should DivestOS include microG?

Yes
No

0 voters

anon46495926 · September 24, 2020, 4:18pm

Re: GPS Testing, FYI. I’ve recently un-installed three apps that showed GPS status, because they seemed to take resources in background and slow down OSMAnd’s location fixes. It is still a little slow, but is working much faster now without those extra apps.

Re: NLP. It seems odd for DivestOS installed version of UnifiedNLP to be “GAPPS” not “no GAPPS” version. I prefer No Gapps. Either way, they (version 1.6.8) are 3 years old, and MicroG’s Github and microG’s F-Droid repo have much newer versions of the “no GAPPS” version. So I’d support trying those.

Re: Full microG. DivestOS is in a “sweet spot” between LineageOS for microG, and Replicant. I’d rather see time used on reverse engineering GPS (or WiFi) drivers, and stay away from supporting Gapps or Signature spoofing.

CRTComputer · September 24, 2020, 5:21pm

I think this will be to why replacing UnitfiedNLP to microG is a good choice. I checked on F-Droid, its 3 years not updated, microG seems to have the latest UnifiedNLP with Mapbox installed, so thats a plus.

Anyway whenever included or not, not big deal to me.

CRTComputer · September 24, 2020, 5:31pm

Test with boot-klte-img (dirty flash with Lineage boot previously flashed):

It boots just fine, but until unlocking the phone, it is continuously looping “Phone is starting…”, after a reboot the PIN disappears, setted to the default swipe, it still does the “Phone is starting…” loop, and after 1 more reboot the “Phone is starting…” is gone, but the Permission Denied message still in.

Test with boot-klte-img (clean flash):
It boots just fine, Permission Denied message still in.

Edit: Random restarts happened multiple times. With PIN removed like the dirty flash

One thing: Why is TWRP tell me why no OS is installed while Divest is installed?

m1k · October 5, 2020, 12:37pm

2020-10-05 edit on i9300:
false alarm - Tor Browser insists on crashing after working okay-ish for some time.

I’m a bit ashamed not to provide logs this time - just a subjective experience.

SkewedZeppelin · October 10, 2020, 8:51pm

October builds are up

Most 3.4 devices should expect 40-100 more kernel CVE patches, https://gitlab.com/divested-mobile/kernel_patches/commit/4f9f775f05c4feea9fabeaa61658be027571b4a6
Most 3.18 devices should expect 10-40 more kernel CVE patches, Import data from stable branches as of 2020-10-03 (5a078672) · Commits · cip-project / cip-kernel / cip-kernel-sec · GitLab
A handful of other kernel CVE patches are available for all other devices as per usual
Lots of work has been done on making the CVE patcher easier for other projects to use, see: DivestOS Mobile / CVE Checker · GitLab
Mull is now severly out of date. I haven’t had the time to rebase it. I strongly suggest using Bromite or the new Fennec F-Droid until then. Bromite repo is already included in DivestOS F-Droid.
victara build failed last month due to recovery image being too large, however it is now once again available
h850 and zenfone3 builds have been pulled as they were last updated in 2018 and 2019 respectively
[Upstream] Updated to October security bulletin
[Upstream] Updated WebView to Chromium 86.0.4240.75, has many security fixes
[Upstream] klte and shamu have had many upstream changes, worth testing if you have the time
11/R builds will likely not be available until March with most devices hopefully being updated by May

CRTComputer · October 11, 2020, 4:53am

KLTE test with latest build (clean flash)

Boot didn’t work, resort to the boot.img from the website, seems like the random reboots are gone now.
Edit: Random reboots happened again.

For the location, it still didn’t work. Others are working fine.
Edit: There is still the READ_EXTERNAL_STORAGE problem

Suggestions:

Replace Offline Calendar and stock Calendar with Etar
Fix the location problem

SkewedZeppelin · October 11, 2020, 10:15am

Calendar has been replaced with Etar for 14.1, 15.1, and 16.0 branches.

17.1 already includes the Lineage fork of Etar.

READ_EXTERNAL_STORAGE is likely to do with the permission whitelist, but I’ve yet to get a log of what package wants it.

There a very few changes made to location stack for samsung/msm8974-common. So I’m not sure about that.

Here is a new build of 17.1 for klte you can try, but backup first: https://divestos.org/mirror.php?base=LineageOS&f=klte/divested-17.1-20201011-dos-klte.zip

CRTComputer · October 11, 2020, 11:49am

oh sweet dude, gonna try later

Finally really switching from LineageOS 17.1 unofficial to this

Edit: Download failed