DivestOS: long term device support with enhanced privacy and security

@fossys
bonito/sargo is currently failing to compile on 18.1

Well, you will find a solution sooner or later. CalyxOS 2.5.0 and GrapheneOS (Android 11) work very precisely on the ‘bonito’.

Today marks one year since the public release of DivestOS.
:birthday:

In this time:

  • the number of devices tested working has doubled
  • the amount of CVE patches applied to devices has nearly tripled
  • many issues have been fixed all around
  • Hypatia and Mull each have over 4,000 monthly active installs
  • DivestOS itself likely has at least 600 monthly active installs
  • Hypatia has been translated into six languages thanks to generous contributors
  • Four of our apps have been made available on official F-Droid repository
  • the XMPP chat room has between 3-8 users around

If you haven’t visited the site in a while, please do so as many pages have been updated.

Thanks,
Tad.

8 Likes

Great work! Hope it’s going as well as you anticipated!!

GMaps WV is awesome too, for rare (ab)use of Gmaps! :smiley:

1 Like

Hi, I have a problem with mull. I want to sync my bookmarks and history with my Mozilla account, but no matter what I try, it only says: “Last sync: never”.

What I’ve tried:

  • Logging out and back into account
  • Disabling and enabling sync in android system settings
  • Force close mull and deleted cache in app-info
  • Restarted phone a couple times

Am I doing something wrong or is it a bug of mull/downtime of Mozilla’s servers?

@start

Mozilla Account with Mull is not something I’ve tested.
And if it was easier to remove, I would.

Try setting identity.fxaccounts.enabled to true in about:config

Hasn’t worked, sadly. Tried again with logging out and back in and restarting the phone, but nothing.

Well, I can imagine that you’re not too happy about another proprietary part (that’s hard to remove). I do not plan to use Mozilla’s walled garden forever, but at least for now there is no easy way (that I know of) to switch to an OSS alternative. Yes, xBrowserSync exists and that would be a perfect replacement, but there’s no way of importing a Firefox bookmarks.json file yet. And entering hundreds of bookmarks manually is out of the question. But that problem hopefully resolves itself in the foreseeable future.

Small promo:
I have recently updated my website to make my other FOSS offerings more accessible and prominent: https://divested.dev

And I have also created a new and dedicated donation page: Donate - Divested Computing

Kindly,
Tad.

5 Likes
  • Testing: @fossys was added to credits on About page. Kudos!

@SkewedZeppelin
Hi, I am very impressed by your work and I appreciate your approach with modifying lineageos in a quite clear way even for a beginner like me.
I am trying to build DivestOS for my oneplus7tpro (hotdog), it’s the only spare phone I have and it’s more or less similar to guacamole.
I modified some of your scripts to try compile it but I run in a quagmire I had to fix in a rather unorthodox way.
Here we go…
Hi, I am following this Guide:
https://divestos.org/index.php?page=build
But I have some trouble with it.
I am building on Linuxmint 20.2

(I tried to simplify instructions by not using firejail, and adapting it for Lineage 18.1 and hotdog but I face the same problem with every phone)

I am in the DivestOS/Build/LineageOS-18.1 root
I edited init.sh in Scripts
I edited Generate_Signing_Keys.sh in Scripts
I run ‘sh [../../Scripts/]Generate_Signing_Keys.sh hotdog’

but some exported variables are missing:
‘$DOS_SIGNING_KEYS’ and ‘$DOS_BUILD_BASE’ as well as ‘$DOS_WORKSPACE_ROOT’ and ‘$BUILD_WORKING_DIR’
and some folders in my recently mounted gocrypted Signkey folder
both 4096Pro gnupg folders referred in the variables
export DOS_SIGNING_KEYS=$DOS_WORKSPACE_ROOT"Signing_Keys/4096pro";
export DOS_SIGNING_GPG=$DOS_WORKSPACE_ROOT"Signing_Keys/gnupg";

and the NEW folder referred in Generate_Signing_Keys.sh a “$DOS_SIGNING_KEYS/NEW”

Even if I manually export the variables and create
4096pro
4096pro/NEW
and
gnupg
folders

the key generation script generates a hotdog folder inside 4096pro/NEW and some signatures but fails
with a ../../Scripts/Generate_Signing_Keys.sh: 45: {…}DivestOS/Build/LineageOS-18.1//out/host/linux-x86/bin/generate_verity_key: not found
then I had to make ‘generate_verity_key’
passing
build/soong/soong_ui.bash --make-mode generate_verity_key
since a direct make is not supported anymore…

when I try to build generate_verity_key I am greeted by a bunch of errors related to cuttlefish and wayland libs.

error: device/google/cuttlefish/host/frontend/vnc_server/Android.bp:16:1: "vnc_server" depends on undefined module "libwayland_server"
error: device/google/cuttlefish/host/frontend/vnc_server/Android.bp:16:1: "vnc_server" depends on undefined module "libwayland_extension_server_protocols"
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:64:1: "webRTC" depends on undefined module "libwayland_server"
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:64:1: "webRTC" depends on undefined module "libwayland_extension_server_protocols"
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:16:1: "libwebrtc" depends on undefined module "libwayland_server"
error: device/google/cuttlefish/host/frontend/gcastv2/webrtc/Android.bp:16:1: "libwebrtc" depends on undefined module "libwayland_extension_server_protocols"
error: device/google/cuttlefish/host/libs/wayland/Android.bp:16:1: "libcuttlefish_wayland_server" depends on undefined module "libwayland_server"
error: device/google/cuttlefish/host/libs/wayland/Android.bp:16:1: "libcuttlefish_wayland_server" depends on undefined module "libwayland_extension_server_protocols"

If I kick out cuttlefish device from my build tree I am faced with another error

error: vendor/lineage/build/soong/Android.bp:24:8: module "generated_kernel_includes": cmd: unknown variable '$(PATH_OVERRIDE_SOONG)'

rather than trying again I compiled generate_verity_key on another aosp rom tree (calyxos) and switched it in place.
in the end I could generate the required signatures.

At the end of this wall of words I am suggesting you try to review the build instructions, maybe starting from a fresh install just to take note of all the things and tweaks that are needed!
If I can produce a working build for hot dog I’ll let you know.
all the Best!!

2 Likes

@Androidiana

To start, I plan on adding hotdog and redbull and their variants soon (next build cycle).
I also eventually plan on making a video of this process, similar to my OpenWrt one.

Once you have DivestOS checked out, LineageOS-XXX in Build/:

  • #Edit Scripts/init.sh as needed
  • #Create or mount $DOS_SIGNING_KEYS
  • #setup $DOS_SIGNING_GPG or disable it
  • #Add hotdog to the manifests, and ensure it is in the local manifest for your repo
  • cd Build/LineageOS-18.1
  • source ../../Scripts/init.sh; #<<<this is what I seem to have missed
  • source build/envsetup.sh && breakfast lineage_hotdog-user && make -j20 generate_verity_key;
  • source ../../Scripts/Generate_Signing_Keys.sh hotdog;
  • #Verify the creation of the hotdog folder in $DOS_SIGNING_KEYS/new/ and move it up a level
  • buildDevice hotdog;

If you want to make use of the CVE patcher (sm8150 is already supported fwiw):

Additionally I recommend starting a new fresh shell after running resetWorkspace and before running init.sh

Any other questions, please ask.

Edit: It does seem I actually left out the source ../../Scripts/init.sh; before generate, apologies.
Edit 2: Fixed here Small tweaks (94e1a004) · Commits · DivestOS Mobile / DivestOS-Website · GitLab
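
Added example, not part of the original posts and not one of the DivestOS scripts: a preflight check for the failure described above, where the key generation ran without init.sh having been sourced and without generate_verity_key having been built. The variable names come from the thread; the NEW subfolder name, the tool location under $DOS_BUILD_BASE and the owner-only permission check are assumptions.

```shell
# Added example (not DivestOS code). Variable names are from the thread; the
# NEW subfolder and the tool path under $DOS_BUILD_BASE are assumptions taken
# from the posts and the error output quoted above.
# Usage: source it after Scripts/init.sh, then run: dos_signing_preflight

# Prints one line per problem; the return status is the number of problems.
dos_signing_preflight() {
    problems=0

    # 1. Variables that Scripts/init.sh is expected to export.
    for var in DOS_WORKSPACE_ROOT DOS_BUILD_BASE DOS_SIGNING_KEYS DOS_SIGNING_GPG; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "MISSING VAR: $var (source Scripts/init.sh in this shell)"
            problems=$((problems + 1))
        fi
    done

    # 2. Key directories must exist and be closed to group and other users,
    #    since they will hold the private signing keys.
    for dir in "${DOS_SIGNING_KEYS:-}" \
               "${DOS_SIGNING_KEYS:+$DOS_SIGNING_KEYS/NEW}" \
               "${DOS_SIGNING_GPG:-}"; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "MISSING DIR: $dir"
            problems=$((problems + 1))
        elif [ "$(ls -ldL "$dir" | cut -c5-10)" != "------" ]; then
            echo "LOOSE PERMS: $dir (fix with: chmod 700)"
            problems=$((problems + 1))
        fi
    done

    # 3. Host tool the key script calls; it only exists after it is built.
    if [ -n "${DOS_BUILD_BASE:-}" ]; then
        tool="$DOS_BUILD_BASE/out/host/linux-x86/bin/generate_verity_key"
        if [ ! -x "$tool" ]; then
            echo "MISSING TOOL: $tool (build generate_verity_key first)"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}
```

A return status of 0 means the three preconditions hold in the current shell; any other value is the number of lines printed.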

@SkewedZeppelin
thank you for the clarifications!
BTW I am just an old school guy I prefer written instructions rather than a video.
I like to go back and understand what’s going on especially in building things.
(that’s why I don’t like docker build instructions without any info of the process)
A video, maybe, is fine for the rom flasher/user audience but, please, think about reviewing the build instructions page without giving for acquired any basic skill on the part of the reader!

I believe, adding some notes on what is the general approach on lineage modification you had with divestos (I already told you I appreciate the clean and almost linear approach) and what’s going on in each main script it will be highly educative.

I am happy to read you will support hotdog officially (having already supported guacamole i.e. SM8150 chip, I suppose it’s quite easy, so easy I took the plunge!).

I am still going to build it by myself since I would like to add phonesky instead of fakestore (I need it for some fundamental apps I paid for) without having to root my phone and I understand it’s a very shaky ground to have it in a distributed rom.

Thank you again for your insights I’ll try to organize the info you’ve given me in my notebook…

@Androidiana

I will always keep a written build guide, video is just extra.

There was at one point (2018 or so) a detailed list of the changes, but
it was a chore to maintain, so I dropped it. It would only be more so,
as now I support 6 branches of Lineage.

I have no intent of Docker or AWS or other handwavey stuff. :slight_smile:

The build guide as it stands should be enough, and I’ve seen device
update checks to my server for a handful of devices I do not support,
so it must be reasonable enough.

I did not know phonesky was still functional? I’m happy to add it as an
option in init.sh.

I assure you it’s working with no issue at all, with microg it’s just a drop-in replacement instead of fakestore (if you compile any microg compliant rom you just swap the apk in the prebuilts folder) if you use the one in nanolx repository you can also update from f-droid.

BTW I read the updated instructions and I cannot understand this line

  • source venv/bin/activate; #Only for python3 default systems, not needed for 18.1 and higher*

It means the 18.1 script is fine even without this line even if you have python3 as default (most distros by now have python3 as default)?

@Androidiana

It means the 18.1 script is fine even without this line even if you have python3 as default (most distro by now have python3 as default)?

Correct, that is only needed for compiling 14.1-17.1.
18.1 fully supports python3 for compiling.

it’s just a drop-in replacement instead of fakestore

Nice to know, ty.

I am trying to build for hotdog.
I added in
./Scripts/LineageOS18.1/Functions.sh

under patchAllKernels() {
startPatcher "kernel … hotdog …";
}
export -f patchAllKernels;

and under #SD855
buildDevice hotdog avb:

this way I won’t need to patch manually, am I right?

@SkewedZeppelin
sorry if I bother you again.
I am trying to build but I think I missed something regarding prebuiltapps.
I expected using FULL in Scripts/init.sh it will populate the right section in common_mobile.mk
here…
ifneq ($(TARGET_EXCLUDES_AUDIOFX),true)
PRODUCT_PACKAGES +=
xxx
xxy
etc.
but I ended with nothing added.
What am I missing?

@Androidiana

this way I won’t need to patch manually

patchAllKernels is always run separately as a distinct operation from
building.

prebuiltapps

you need git-lfs on your host and:
git submodule update --init --recursive

ifneq ($(TARGET_EXCLUDES_AUDIOFX),true)

Remove the PRODUCT_PACKAGES += line, I’ve been doing it manually,
need to write awk line for it.

Google Pixel 2 (walleye) | DivestOS 18.1 / 11.0 / R

Google’s Pixel 2 “walleye” was tested by me with several CustomROMs. There is no official /e/ OS from the e.foundation because the migration attempts have failed so far.

The Project [UNOFFICIAL BUILD] Google Pixel 2 / 2 XL (walleye / taimen) is probably not continued since build e-0.11-q-20200917. Google’s Pixel 2 “walleye” support was discontinued by Google in autumn 2020. GrapheneOS has now also discontinued its support in summer 2021.

It is very good that there are still up-to-date custom ROMs with Android security patch level July 5, 2021, such as LineageOS 18.1 and LineageOS-18.1-for-microG.

But it is fantastic that CalyxOS 2.7.0 and DivestOS Mobile [ 18.1 / 11.0 / R ] are releasing up-to-date builds where a Verified Boot | Re-Locked Bootloader is also possible. CalyxOS is widely known and accepted not only in the US but also in my region. It seems to me that DivestOS is only recognised by insiders. I regret this very much, because DivestOS is like no other CustomROM and now takes the place of GrapheneOS for me [Side note: I remain a big fan of GrapheneOS and its developer Daniel Micay].

The starting point was my Pixel 2 with LineageOS 18.1 and Lineage Recovery. The switch to DivestOS was therefore all the easier. Simply booted into the Lineage recovery, there a “Format Data” (This will remove encryption and delete all files stored in the internal storage), followed by an { adb sideload divested-18.1-20210720-dos-walleye.zip }. After setting up DOS came { fastboot erase avb_custom_key } and then { fastboot flash avb_custom_key avb_pkmd.bin } and finally { fastboot flashing lock }.

So that’s it. Hooray. Bravo(!) SkewedZeppelin aka Tad

Oh yes, I almost forgot: With the installation of divested-18.1-20210720-dos-walleye.zip, the Lineage Recovery was also replaced by Divest-Recovery, which looks a bit more purist.

[Image montage: P2-relocked]

@SkewedZeppelin: Original photos for documentation purposes for your personal use via PM.

3 Likes

Google Pixel 3a (sargo) | DivestOS 17.1 / 10.0 / Q

I wanted to test DOS & SARGO in a hurry. But it became a much longer test - ultimately without DOS success.

Starting point in the first test round was Stock Android 10 (10.0.0 (QQ3A.200805.001, Aug 2020)), in the second test round Stock Android 11 (11.0.0 (RQ3A.210705.001, Jul 2021)). But each time I got the same result:

/!\
Can't find valid operating system.
The device will not start.

CalyxOS, GrapheneOS and LineageOS with builds 17.1 / 10.0 / Q and 18.1 / 11.0 / R, on the other hand, booted and set up on the first try in every test round.

Is the problem known and is there a solution in sight?

Currently

Currently, CalyxOS 2.7.0 works flawlessly, which I’ve set up on stock Android 11 (11.0.0 (RQ3A.210705.001, Jul 2021)).