DivestOS: long term device support with enhanced privacy and security

I am releasing DivestOS.
It is an aftermarket system for many devices.
Based on LineageOS with many security and privacy features.
Unmodified F-Droid is included.

Site: https://divestos.org
Source: DivestOS Mobile · GitHub (also mirrored on GitLab)
Credits: About - DivestOS Mobile

Any and all feedback is much appreciated.
Thanks!

34 Likes

This looks really good! Sadly my device is not supported and I don’t have the knowledge to build one.
The only bad thing is that in LineageOS 17 they removed Privacy Guard, it was really useful for me

3 Likes

If you would ever like to learn, I have an entire YouTube channel with over 24 hours of video dedicated to how to do that:

All the videos are under the creative common license and also available at my gitlab if you don’t use YouTube.

As for DivestOS, it looks really good. Might have to give it a try myself…

12 Likes

I’ll take a look at that, thanks.

1 Like

How can I check a downloaded file from divestos.org?
I cannot find a checksum or PGP signature.

1 Like

Signatures are not yet available, but there are checksums for all files.
Both .md5sum and .sha512sum

eg. https://divestos.org/builds/LineageOS/angler/divested-15.1-20200510-dos-angler.zip.sha512sum

edit: checksums are broken and will require manual editing until next builds
see Fixup broken checksum generation · Divested-Mobile/DivestOS-Build@5b9e447 · GitHub

1 Like

Thanks, it would be helpful to put the checksums directly on the download page.
But I cannot find a checksum for the recovery file.

1 Like

Links have been added.

3 Likes

That’s good, thank you.

2 Likes

I like the info’ on the site, the smaller number of default installed apps, hosts file blocking, and minimal microG/UnifiedNLP/location setup. There’s a lot more features I don’t know enough to fully appreciate. I’d prefer Orbot included in VPN mode from the start, but I could always download to PC and local install that apk before turning on cell and wifi. No offense to f-droid, but I don’t usually install the privileged extension.

On Nexus 6 shamu (listed as Untested), microphone does not work when making a call. This is a show stopper for a phone obviously. Simple voice recorder from f-droid records voice OK. Phone permissions settings show phone Microphone as “never accessed”. I rebooted a couple times as suggested some places but no luck so far. Oddly there is a voice “echo” in the earpiece or speaker, but no voice is heard at the other phone in a call. Lineage 17.1 was working.

Comment/Question on bootloader relocking: Post-install instructions say “Relock your bootloader. This is an absolute necessary for maximum security. Be sure to flash our recovery first!” This is to prevent “recurring” system modifications from malicious apps or remote or local attacks, if I understand correctly. However, soon after startup F-droid auto-runs and checks for updates. So I’m trusting a few things before I have time to get the bootloader relocked? Oh well, if I can’t trust f-droid, who can I trust?! :smiley:

2 Likes

Relocking your bootloader cannot protect from apps, Verified Boot will however protect against that on devices where it is supported/enabled.
It however for example can protect against someone with physical access from flashing a modified keyguard that saves your password or other nefarious things.

As for the microphone on shamu, that is likely broken by the deblobber.
For shamu it removes libmotaudioutils.so and libspeakerbundle.so
Can you post the output of:
abd logcat -b all -d | grep -i -e dlopen -e .so

1 Like

GPG signatures are now available in all .sha512sum files.
Fingerprint: B874 4D67 F9F1 E14E 145D FD8E 7F62 7E92 0F31 6994
Key (2020 #1):

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEXupIxBYJKwYBBAHaRw8BAQdAC1RiTvrqJaAQ4FIHsxX+gzEgdT4mspISS+p0
y847Nge0SERpdmVzdE9TIFJlbGVhc2UgU2lnbmluZyAoMjAyMCAjMSkgPHN1cHBv
cnQrcmVsZWFzZXNpZ25pbmdAZGl2ZXN0b3Mub3JnPoiQBBMWCAA4FiEEuHRNZ/nx
4U4UXf2Of2J+kg8xaZQFAl7qSMQCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
CgkQf2J+kg8xaZR1BgEAwwLVVsG7kbp8M3GTV987XpVl5cZeTtDc/g+66briCHUB
APiuH/dk8eRnhFnq4Up2/j7uD/8FtSvxPbHiz6t1MdgB
=VzP2
-----END PGP PUBLIC KEY BLOCK-----
1 Like

adb^… gives 919 lines, which is a lot to post here. Any other way? To be clear I did not install the “extra” deblobber because it was shown as “broken”. Only recovery and ROM.

1 Like

sorry the \ was clobbered to escape the .
abd logcat -b all -d | grep -i -e dlopen -e \.so

the extra firmware deblobber zip is there for archival purposes and shouldn’t be used. you are correct there.

1 Like

logcat-b-all-d-so-quoted.txt.gz.zip (3.8 KB)

The file is really gzip format… grep -i dlopen gave no results. This is from grep -i “\.so”. Let me know if you really need the unquoted version. It’s about 1k lines versus 200. HTH.

1 Like

There is a new version uploaded for shamu with a potential fix.
You can install the incremental via the updater.

2 Likes

Success! And incremental update worked too. :smiley:

3 Likes

BTW there’s already a project called glassrom that does this

How is yours different

Full disclosure: I’m the lead developer of glassrom

We’re already implementing most of your features
Deblobbed: we don’t ship DRM and other such blobs

Increase security: glassrom ports 90% of the grapheneos security patch set. Also glassrom fixes anywhere from 23k-63k security vulnerabilities per device (see past and current work)

Privacy: we disable analytics but otherwise let users decide on the hosts file

Free space eraser: not implemented. Instead glassrom uses hardware based data destruction, memory poisoning and key wrapping which are much better ways than free space wiping and can even resist cold boot and forensic based attacks

Malware scanner: not implemented and will never be

Browser: glassrom ships a modified version of bromite with the vanadium hardened patch set. It does not send any data to google and is significantly more secure than Firefox, protecting against non linear buffer overflows which even official chromium doesn’t

Fdroid privileged extension and a heavily cleaned and updated unifiednlp is shipped

3 Likes

Deblobbed: we don’t ship DRM and other such blobs

I was unable to find your source code that does so.
#!OS also claims to do the same, but I too didn’t find their source for deblobbing.
Here is the DivestOS deblobber with ~800 blobs.

23k-63k security vulnerabilities per device

You are going to need to provide strong evidence to back such a claim up.
I only know of a few auto-patchers, and mine has the most patches. And at most it can patch ~400 per device.

hardware based data destruction

Do you mean discard/continuous trim? DivestOS does that too

decide on the hosts file

How are you replacing the HOSTS file? Do you read it from /data instead of /system?

memory poisoning

DivestOS also does this via both via command line and GrapheneOS patches where possible

https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_google_marlin.sh

key wrapping

The thing Android already does? Or something else?

Browser

This browser? GitHub - GlassROM-Archive/browser: Browser for glassrom. No compilation help. No documentation. Just the source dumped from the build machine. Good luck
Code over the wall.

significantly more secure than Firefox

Chromium is indeed more secure then Gecko-based browser and it is explicitely mentioned on our site.
https://divestos.org/index.php?page=browsers

heavily cleaned and updated unifiednlp

Source? Oh wait this “Android Studio automatic cleanup”?

What even is this?

Going through your sparse sources, the biggest difference is that DivestOS attempts to apply all of its changes automatically to any given device of any Android version. Because 5 years ago when I was supporting a handful of devices it got too tedious, and I ended up automating as much as possible.

1 Like

Memory poisoning is a fairly new feature that just recently dropped in the 4.14 common kernel

I doubt you have a device that uses this

Also you are enabling kernel lockdown when selinux already does that

Same for page alloc shuffle, init_on_free/alloc. I don’t think tuna has a port of any of those on 3.10

The arm/arm64 kernel argument is kpti=on yet you also specify pti=on. Why?

Slub_debug=Z and init_on_alloc/free conflict with each other yet you enable them

You’re just sticking in flags that are NOPs

No I don’t ship a hosts file nor do I read it from /data. The hosts file is not meant for adblocking. Userspace applications like pdnsf are much more user friendly and handle this better

You can check the current glassrom kernel sources for those patches. There’s no automated “black magic” cve patcher

The patch to updater is just to allow developers to test updater functionality without running a full updater server