DivestOS: long term device support with enhanced privacy and security

Captive Portal Check

DivestOS does not modify or disable the captive portal checks.
It still makes requests to various Google servers.
These requests contain no personal information.
On 14.1 and 15.1 you can disable via Settings > Network > Data usage > Disable Captive Portal.
For 11.0, 16.0, 17.1, and 18.1 you can disable via ADB:
adb shell settings put global captive_portal_mode 0;

See also Misc/Features/CaptivePortalCheck.txt · master · DivestOS Mobile / DivestOS-Build · GitLab

There are reasons to not change it, as in right now I cannot enumerate all DivestOS users. But if I changed the captive portal lookup, I’d be able to always maintain a count.
As is Google just sees captive portal requests like it does from the other billion devices.

OnePlus 3T A3003 (oneplus3T) | DivestOS 17.1 / 10.0 / R

The starting point was an installed, well-functioning LineageOS 17.1.

First I installed DOS-Recovery divested-17.1-20210415-dos-oneplus3-recovery, then DOS-ROM divested-17.1-20210415-dos-oneplus3.

The device boots, shows the OnePlus+ logo very briefly. Then the screen goes black and stays black. DOS 17.1 does not appear. Only a white LED at the top left of the casing lights up. After pressing the power button for a few seconds, the LED goes out. To check, I repeated the entire installation procedure. The negative result isn’t a pleasant user experience.

So, to lighten the mood, I installed LineageOS-18.1-for-microG. It boots flawlessly and works fine. The commands fastboot flashing lock_critical and fastboot flashing lock were executed, but there was no ERASING and the system did not have to be set up again. Logical consequence: No Re-Locked Bootloader.

Log (short)

fastboot getvar all

(bootloader) version:0.5
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:4177000
(bootloader) variant:MTP eMMC
(bootloader) unlocked:yes
(bootloader) secure:yes
(bootloader) version-baseband:
(bootloader) version-bootloader:

1 Like
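The relock check from the post above, as an added example that is not part of the thread: it reads `fastboot getvar all` output and reports whether a lock attempt took effect. The function names are hypothetical, the sample is the log quoted above, and since fastboot writes getvar output to stderr, real use needs `fastboot getvar all 2>&1 | relock_check`.

```shell
#!/bin/sh
# Added example, not from the thread. Field names (unlocked, secure) are the
# ones that appear in the quoted log.

# Reads getvar output on stdin. Exit status: 0 locked, 1 unlocked, 2 unknown.
relock_check() {
    awk '
        /^\(bootloader\) / {
            sub(/^\(bootloader\) /, "")
            sub(/\r$/, "")                      # tolerate CRLF captures
            i = index($0, ":")
            if (i) var[substr($0, 1, i - 1)] = substr($0, i + 1)
        }
        END {
            if (!("unlocked" in var)) {
                print "unknown: no unlocked field in input"; exit 2
            }
            if (var["unlocked"] == "yes") {
                print "UNLOCKED: lock command did not take effect"; exit 1
            }
            if (var["unlocked"] != "no") {
                print "unknown: unlocked=" var["unlocked"]; exit 2
            }
            printf "locked (secure:%s)\n", (("secure" in var) ? var["secure"] : "?")
            exit 0
        }'
}

# Sample input: the short log quoted in the post above.
sample_log() {
    cat <<'EOF'
(bootloader) version:0.5
(bootloader) battery-soc-ok:yes
(bootloader) battery-voltage:4177000
(bootloader) variant:MTP eMMC
(bootloader) unlocked:yes
(bootloader) secure:yes
(bootloader) version-baseband:
(bootloader) version-bootloader:
EOF
}
```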

@fossys

The latest 18.1-20210512 build for oneplus3 should now boot, thanks to some testing from another user.

OnePlus 3T A3003 (oneplus3T) | DivestOS 18.1 / 11.0 / R

The starting point was an installed, well-functioning Lineage-18.1-20210509-microG-oneplus3 with
SECURE BOOT - enabled | DEVICE STATE - unlocked

@SkewedZeppelin

Yes, my A3003 (oneplus3T) boots with DOS 18.1 aka divested-18.1-20210512-dos-oneplus3 without complications (in contrast to DOS 17.1) but two attempts to lock the bootloader again were unsuccessful.

Unlock Method: Fastboot
Relockable: Not Unlockable
Verified Boot: Yes

Very sad, that would have been the icing on the cake.

1 Like

@SkewedZeppelin,
can you build a DivestOS 18.1 / 11.0 / R build for the Google Pixel 3a XL (bonito)? I’ve ‘bonito’ available for a few days for testing.

@fossys
bonito/sargo is currently failing to compile on 18.1

Well, you will find a solution sooner or later. CalyxOS 2.5.0 and GrapheneOS (Android 11) work very precisely on the ‘bonito’.

Today marks one year since the public release of DivestOS.
:birthday:

In this time:

  • the number of devices tested working has doubled
  • the amount of CVE patches applied to devices has nearly tripled
  • many issues have been fixed all around
  • Hypatia and Mull each have over 4,000 monthly active installs
  • DivestOS itself likely has at least 600 monthly active installs
  • Hypatia has been translated into six languages thanks to generous contributors
  • four of our apps have been made available on the official F-Droid repository
  • the XMPP chat room has between 3-8 users around

If you haven’t visited the site in a while, please do so as many pages have been updated.

Thanks,
Tad.

8 Likes

Great work! Hope it’s going as well as you anticipated!!

GMaps WV is awesome too, for rare (ab)use of Gmaps! :smiley:

1 Like

Hi, I have a problem with mull. I want to sync my bookmarks and history with my Mozilla account, but no matter what I try, it only says: “Last sync: never”.

What I’ve tried:

  • Logging out and back into account
  • Disabling and enabling sync in android system settings
  • Force close mull and deleted cache in app-info
  • Restarted phone a couple times

Am I doing something wrong or is it a bug of mull/downtime of Mozilla’s servers?

@start

Mozilla Account with Mull is not something I’ve tested.
And if it was easier to remove, I would.

Try setting identity.fxaccounts.enabled to true in about:config

Hasn’t worked, sadly. Tried again with logging out and back in and restarting the phone, but nothing.

Well I can imagine that you’re not too happy about another proprietary part (that’s hard to remove). I do not plan to use Mozilla’s walled garden forever, but at least for now there is no easy way (that I know of) to switch to an OSS-alternative. Yes, xBrowserSync exists and that would be a perfect replacement, but there’s no way of importing a Firefox bookmarks.json file, yet. And entering hundreds of bookmarks manually is out of question. But that problem hopefully resolves itself in the foreseeable future.

Small promo:
I have recently updated my website to make my other FOSS offerings more accessible and prominent: https://divested.dev

And I have also created a new and dedicated donation page: Donate - Divested Computing

Kindly,
Tad.

5 Likes
  • Testing: @fossys was added to credits on About page. Kudos!

@SkewedZeppelin
Hi, I am very impressed by your work and I appreciate your approach with modifying lineageos in a quite clear way even for a beginner like me.
I am trying to build DivestOS for my oneplus7tpro (hotdog), it’s the only spare phone I have and it’s more or less similar to guacamole.
I modified some of your scripts to try to compile it but I ran into a quagmire I had to fix in a rather unorthodox way.
Here we go…
Hi, I am following this Guide:
https://divestos.org/index.php?page=build
But I have some trouble with it.
I am building on Linuxmint 20.2

(I tried to simplify instructions by not using firejail, and adapting it for Lineage 18.1 and hotdog but I face the same problem with every phone)

I am in the DivestOS/Build/LineageOS-18.1 root
I edited init.sh in Scripts
I edited Generate_Signing_Keys.sh in Scripts
I run ‘sh [../../Scripts/]Generate_Signing_Keys.sh hotdog’

but some exported variables are missing:
‘$DOS_SIGNING_KEYS’ and ‘$DOS_BUILD_BASE’ as well as ‘$DOS_WORKSPACE_ROOT’ and ‘$BUILD_WORKING_DIR’
and some folders in my recently mounted gocrypted Signkey folder
both 4096Pro gnupg folders referred in the variables
export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys/4096pro";
export DOS_SIGNING_GPG=$DOS_WORKSPACE_ROOT"Signing_Keys/gnupg";

and the NEW folder referred in Generate_Signing_Keys.sh a “$DOS_SIGNING_KEYS/NEW”

Even if I manually export the variables and create
4096pro
4096pro/NEW
and
gnupg
folders

the key generation script generates a hotdog folder inside 4096pro/NEW and some signatures but fails
with a ../../Scripts/Generate_Signing_Keys.sh: 45: {…}DivestOS/Build/LineageOS-18.1//out/host/linux-x86/bin/generate_verity_key: not found
then I had to make ‘generate_verity_key’
passing
build/soong/soong_ui.bash --make-mode generate_verity_key
since a direct make is not supported anymore…

when I try to build generate_verity_key I am greeted by a bunch of errors related to cuttlefish and wayland libs.

error: device/google/cuttlefish/host/frontend/vnc_server/Android.bp:16:1: “vnc_server” depends on undefined module “libwayland_server”
error: device/google/cuttlefish/host/frontend/vnc_server/Android.bp:16:1: “vnc_server” depends on undefined module “libwayland_extension_server_protocols”
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:64:1: “webRTC” depends on undefined module “libwayland_server”
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:64:1: “webRTC” depends on undefined module “libwayland_extension_server_protocols”
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:16:1: “libwebrtc” depends on undefined module “libwayland_server”
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:16:1: “libwebrtc” depends on undefined module “libwayland_extension_server_protocols”
error: device/google/cuttlefish/host/libs/wayland/Android.bp:16:1: “libcuttlefish_wayland_server” depends on undefined module “libwayland_server”
error: device/google/cuttlefish/host/libs/wayland/Android.bp:16:1: “libcuttlefish_wayland_server” depends on undefined module “libwayland_extension_server_protocols”

If I kick out cuttlefish device from my build tree I am faced with another error

error: vendor/lineage/build/soong/Android.bp:24:8: module “generated_kernel_includes”: cmd: unknown variable ‘$(PATH_OVERRIDE_SOONG)’

rather than trying again I compiled generate_verity_key on another aosp rom tree (calyxos) and switched it in place.
in the end I could generate the required signatures.

At the end of this wall of words I am suggesting you try to review the build instructions, maybe starting from a fresh install just to take note of all the things and tweaks that are needed!
If I can produce a working build for hot dog I’ll let you know.
all the Best!!

2 Likes

@Androidiana

To start, I plan on adding hotdog and redbull and their variants soon (next build cycle).
I also eventually plan on making a video of this process, similar to my OpenWrt one.

Once you have DivestOS checked out, LineageOS-XXX in Build/:

  • #Edit Scripts/init.sh as needed
  • #Create or mount $DOS_SIGNING_KEYS
  • #setup $DOS_SIGNING_GPG or disable it
  • #Add hotdog to the manifests, and ensure it is in the local manifest for your repo
  • cd Build/LineageOS-18.1
  • source ../../Scripts/init.sh; #<<<this is what I seem to have missed
  • source build/envsetup.sh && breakfast lineage_hotdog-user && make -j20 generate_verity_key;
  • source ../../Scripts/Generate_Signing_Keys.sh hotdog;
  • #Verify the creation of the hotdog folder in $DOS_SIGNING_KEYS/new/ and move it up a level
  • buildDevice hotdog;

If you want to make use of the CVE patcher (sm8150 is already supported fwiw):

Additionally I recommend starting a new fresh shell after running resetWorkspace and before running init.sh

Any other questions, please ask.

Edit: It does seem I actually left out the source ../../Scripts/init.sh; before generate, apologies.
Edit 2: Fixed here Small tweaks (94e1a004) · Commits · DivestOS Mobile / DivestOS-Website · GitLab
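A preflight for the key-generation step discussed in the two posts above, as an added example that is not part of the thread or of DivestOS: it catches the unsourced init.sh, the missing key folders and the unbuilt generate_verity_key before Generate_Signing_Keys.sh runs. The function name is hypothetical, the variable names and tool path are the ones quoted in the thread, and the 0700 permission check on the key store is an assumption of this example.

```shell
#!/bin/sh
# Added example (not DivestOS code): preflight before Generate_Signing_Keys.sh.
# Variable names and the generate_verity_key path are the ones quoted in this
# thread; the 0700 permission check is this example's own assumption.

# Usage: dos_signing_preflight [tree]   (tree = LineageOS checkout, default ".")
# Prints one line per problem; exit status is the number of problems found.
dos_signing_preflight() (
    tree="${1:-.}"
    problems=0

    # Exported by Scripts/init.sh. Empty here means init.sh was never sourced
    # in this shell, the step that was missing from the original guide.
    for var in DOS_WORKSPACE_ROOT DOS_BUILD_BASE DOS_SIGNING_KEYS; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "unset: $var (source ../../Scripts/init.sh in this shell)"
            problems=$((problems + 1))
        fi
    done

    # The key store and its NEW subfolder must exist (create or mount them),
    # and should not be accessible to group or other users.
    if [ -n "${DOS_SIGNING_KEYS:-}" ]; then
        for dir in "$DOS_SIGNING_KEYS" "$DOS_SIGNING_KEYS/NEW"; do
            if [ ! -d "$dir" ]; then
                echo "missing directory: $dir"
                problems=$((problems + 1))
            elif [ "$(ls -ld "$dir" | cut -c5-10)" != "------" ]; then
                echo "group/other can access key directory: $dir (chmod 700)"
                problems=$((problems + 1))
            fi
        done
    fi

    # Host tool the key script calls; it has to be built first.
    tool="$tree/out/host/linux-x86/bin/generate_verity_key"
    if [ ! -x "$tool" ]; then
        echo "not built: $tool (make generate_verity_key after breakfast)"
        problems=$((problems + 1))
    fi

    exit "$problems"
)
```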

@SkewedZeppelin
thank you for the clarifications!
BTW I am just an old school guy I prefer written instructions rather than a video.
I like to go back and understand what’s going on especially in building things.
(that’s why I don’t like docker build instructions without any info of the process)
A video, maybe, is fine for the rom flasher/user audience but, please, think about reviewing the build instructions page without giving for acquired any basic skill on the part of the reader!

I believe, adding some notes on what is the general approach on lineage modification you had with divestos (I already told you I appreciate the clean and almost linear approach) and what’s going on in each main script it will be highly educative.

I am happy to read you will support hotdog officially (having already supported guacamole i.e. SM8150 chip, I suppose it’s quite easy, so easy I took the plunge!).

I am still going to build it by myself since I would like to add phonesky instead of fakestore (I need it for some fundamental apps I paid for) without having to root my phone and I understand it’s a very shaky ground to have it in a distributed rom.

Thank you again for your insights I’ll try to organize the info you’ve given me in my notebook…

@Androidiana

I will always keep a written build guide, video is just extra.

There was at one point (2018 or so) a detailed list of the changes, but
it was a chore to maintain, so I dropped it. It would only be more so,
as now I support 6 branches of Lineage.

I have no intent of Docker or AWS or other handwavey stuff. :slight_smile:

The build guide as it stands should be enough, and I’ve seen device
update checks to my server for a handful of devices I do not support,
so it must be reasonable enough.

I did not know phonesky was still functional? I’m happy to add it as an
option in init.sh.

I assure you it’s working with no issue at all, with microg it’s just a drop-in replacement instead of fakestore (if you compile any microg compliant rom you just swap the apk in the prebuilts folder) if you use the one in nanolx repository you can also update from f-droid.

BTW I read the updated instructions and I cannot understand this line

  • source venv/bin/activate; #Only for python3 default systems, not needed for 18.1 and higher*

It means the 18.1 script is fine even without this line even if you have python3 as default (most distro by now have python3 as default)?

@Androidiana

It means the 18.1 script is fine even without this line even if you have python3 as default (most distro by now have python3 as default)?

Correct, that is only needed for compiling 14.1-17.1.
18.1 fully supports python3 for compiling.

it’s just a drop-in replacement instead of fakestore

Nice to know, ty.