DivestOS: long term device support with enhanced privacy and security

Hello SkewedZeppelin,

If on occasion you feel like looking into adding the emerald Teracube 2nd batch to your list of devices, I would be very grateful.
It is not developed on LineageOS but on /e/ (Info about Teracube Teracube 2e (2021) - emerald), where I saw that you were very active on their forum.
Hence this request, because I am disappointed by the security and other problems not corrected, which you have often listed.
And I am far from being competent to develop a secure rom.

I thank you for this.

@c777
Sadly that is a no-go as I won’t add MediaTek devices due to various reasons.

Ok no problem I respect your choice.
To refine my knowledge: is your aversion to MediaTek rather about security, technical, or both?

I mainly use LineageOS/crDroid on various devices (mainly Xiaomi), also with microG (hence crDroid for signature spoofing). Other apps I already use besides F-Droid and Aurora: AnySoftKeyboard, Blokada, Conversations, DAVdroid, Fennec, MyPhoneExplorer, OsmAnd, VLC. So besides Blokada, most seem to be listed on the Recommended Apps - DivestOS Mobile page - would be interested why Blokada is not there. The limitation that only one app using VPN can be active is a big limitation as I understand but Ad-Track-Blocking seems more important than Firewall etc. to me.
I would be interested in a more hardened custom ROM focusing on privacy and security. I’m having a hard time finding reviews or comparisons of DivestOS compared to LineageOS. I would like to install on one of the more performant devices, but since those are daily drivers I’m hesitant to jump straight onto a new ROM, and for potter unfortunately no ROM is provided.
On XDA there is no lavender or vayu thread about DivestOS - would have preferred to discuss there but maybe here is ok.

DivestOS already has a built-in tracker blocker.

https://divestos.org/index.php?page=home#hosts

1 Like

I’m sorry for not being really informed about this, but is a hosts file able to block trackers (and ads) as much as an app like Blokada acting over VPN? And another interesting question is whether updates can be done without a system restart?

You talk about Blokada VPN as in you route all your traffic through their servers or about local blocking (based still on host files too)?

I mean Blokada using the Android VPN service so that basically the system’s internet access gets filtered by Blokada locally (I think without a hosts file, so no root or restart necessary).

@chrifos

I understand but Ad-Track-Blocking seems more important than Firewall etc. to me

The content blocker on DivestOS works without root, doesn’t need restarts, doesn’t rely on any external service, is more effective due to its use of wildcards, has a disable option in Settings, doesn’t take the VPN slot, and doesn’t take any resources in the background. The downside is the list is only updated on system update, and cannot exclude hosts on-demand (you have to report them to me).

DivestOS also inherits the data restrictions (block app access on wifi/cell/vpn) from LineageOS and also adds the robust Network permission (complete denial) from GrapheneOS.

Please also see:

would be interested why Blokada is not there

I won’t comment why I don’t recommend Blokada.

comparisons of DivestOS compared

Please read this: Patch Levels - DivestOS Mobile

On XDA there

I don’t see a good reason to make threads for every single device, there are already many options to talk about DivestOS: Community - DivestOS Mobile

The chat room for example has 130-200 users in it depending on time of day.

microG

Just to reiterate, DivestOS has no support for Play Services in any form including via microG.

1 Like
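The point about wildcards in the post above, as an added example (not part of any post in this thread and not DivestOS code): a plain hosts file blocks only the names literally listed, while a wildcard rule also covers unlisted subdomains. The `*.domain` rule syntax and every domain below are constructed assumptions.

```python
"""Added illustration: exact-match hosts entries vs. wildcard block rules.
The rule syntax and all domains are constructed for this example."""

# Constructed sample in the classic hosts-file format (no wildcard support).
HOSTS_TEXT = """\
# constructed sample blocklist
0.0.0.0 tracker.example
0.0.0.0 ads.cdn.example   # inline comment
127.0.0.1 localhost
"""

# Constructed wildcard rules: "*.x" covers x and every subdomain of x.
WILDCARD_RULES = ["*.tracker.example", "*.cdn.example"]


def parse_hosts(text):
    """Return the set of hostnames mapped to a sinkhole address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower().rstrip(".") for h in fields[1:]
                           if h != "localhost")
    return blocked


def blocked_exact(name, hosts):
    """Hosts-file semantics: only a literal name match is blocked."""
    return name.lower().rstrip(".") in hosts


def blocked_wildcard(name, rules):
    """Match on whole DNS labels so 'nottracker.example' is not caught."""
    labels = name.lower().rstrip(".").split(".")
    for rule in rules:
        base = rule[2:] if rule.startswith("*.") else rule
        suffix = base.lower().split(".")
        if len(labels) >= len(suffix) and labels[-len(suffix):] == suffix:
            return True
    return False


def compare(names):
    """Map each name to (blocked by hosts file, blocked by wildcard rules)."""
    hosts = parse_hosts(HOSTS_TEXT)
    return {n: (blocked_exact(n, hosts), blocked_wildcard(n, WILDCARD_RULES))
            for n in names}
```

Calling `compare` on a mix of listed names, unlisted subdomains and look-alike domains shows where the two approaches diverge.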

ok thanks for the time to explain. I would like to try, but as said on the supported devices I have, those are daily drivers and need microG. I may be able to get an additional lavender to try. The G5+/2 and S5 Mini I have seem to become almost obsolete unfortunately.

How does it know WHAT to block if it does not have a list of hosts that you’d want blocked?

/PS: Hope this is not a confusion regarding the text hosts list, as is there’s a system hosts file but having a list of hosts anywhere else on your device is still a list of hosts or a hosts list. And yes, Blokada and the better apps use lists of hosts to block ads and whatnot, e.g. like GitHub - StevenBlack/hosts: 🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

1 Like

Yes, I did mean the system’s hosts file. Until now I did think having a system-wide content blocker works only by either the system hosts file or the VPN slot way. If DivestOS (and others?) use a different way, this is interesting.

Other question: what about GCam (with GCam Service Provider) under DivestOS? I very much need Video+EIS and good Pic Shoot Setups (XML) on two of the daily drivers I care for (for work, but also good for private use). So without Stock (ANX Cam) or a good working GCam I do not know how I could migrate, despite wanting to improve privacy and security. I also use post-processing on device, for images Snapseed. I have blocked Internet access for such post-processing Video/Media-Edit-Apps as fortunately most of them still work fine.

I’m sorry but I could not find additional info on AVB Key and A/B Sync, which are both listed for the devices lavender and vayu.
Under Bootloader - DivestOS Mobile

AVB devices only:

  1. Reboot to the bootloader
  2. $ fastboot erase avb_custom_key
  3. $ fastboot flash avb_custom_key avb_pkmd-device.bin

On A/B systems firmware in both slots must be in sync/latest! Or else next installed update might be unbootable, and potentially brick.

Since I will get a locked lavender and plan to unlock it for DivestOS, and also have unlocked lavenders (not sure yet if DivestOS will land on those also), I would like to understand this process better. Can anybody link a description or explain? Thx

@chrisfos

Locking is NOT supported on those two devices and will likely brick if you try it.
Those keys are provided for all devices that could be locked regardless of whether they actually can; you can skip the step for the AVB key.

You should use A/B regardless of locking to ensure the latest firmware from the current slot is made available on the inactive slot, but be sure to follow that step in order, i.e. before sideloading DivestOS.

2 Likes

I’m sorry for my ignorance/inexperience but I was not able to find copy-partitions-lavender(.zip) which, as I understand, needs to be adb sideloaded before divested-18.1-20221209-dos-lavender-recovery.img
Is this partition zip to extract or copy from somewhere?
Latest Firmware according to Redmi Note 7/7S (lavender) Firmware Downloads | Xiaomi Firmware Updater for Global (I need that or Europe) is V12.5.3.0.QFGMIXM (A10) from 2021-12-15 - filename:
fw_lavender_miui_LAVENDERGlobal_V12.5.3.0.QFGMIXM_0baf420181_10.0.zip

Since I do not understand the A/B slot system clearly I guess using recovery to flash the fw.zip updates only the A slot and then the B slot needs also the updated/same version by adb sideload of a proper zip?

@chrifos

lavender doesn’t have slots, it doesn’t need sync.
There was however a bug with the website caused by a typo that caused it to improperly show the “A/B Sync” button: Fixup typo (ac068cb9) · Commits · DivestOS Mobile / DivestOS-Website · GitLab

1 Like

Ok, got my lavender with Stock MIUI 12.5 (A10), unlocked (not so fast/easy with Mi account etc.) flashed divested-18.1-20221209-dos-lavender (A11)

I congratulate everyone involved and I like enhanced
security: Monthly Updates, Automated Kernel CVE Patching, System WebView Mulch
privacy: Tracker Blocker hosts file, Privacy Oriented Browser Mull, Malware Scanner Hypatia, encryption on
Freedom: F-Droid Included, proprietary blobs removed,
Documentation/Suggestions: the homepage with a clean structure and especially Recommended Apps is super and unique!
So far I installed: AnySoftKeyboard, Audio Recorder, Aurora Store (sorry), Conversations, DAVx5, Gcam Services Provider (Basic), Hypatia, K-9 Mail, KeePassDX, Mulch, Mull, VLC, GrapheneOS-PdfViewer, Signal, Snapseed, MPE, GCam (MGC 8.4.300 Parrot043 V1.5 Video EIS seems better than the Open Camera one), GPSTest, WiFiAnalyzer
I plan to install: Nextcloud, OsmAnd, Telegram, Barcode Scanner: Binary Eye, Shelter, National VoIP App
First impressions: I’m not sure if I’m happy with Etar Calendar, Simple Gallery should be ok (still have not found a gallery app with included satisfying editor including rapid privacy face pixelation/blur etc.), do not understand why eSpeak is preinstalled, regarding Blocker hosts file some stats of blocked traffic would be good - also easy change of DNS or exceptions/whitelist might be desirable.
Minor things: LTE icon can not be changed to 4G, also found no possibility to show Download/Up Rates.
Need to test (if I need/if it works): UnifiedNlp/GPS Apps (Local Traffic, Local Pharmacies, Local Weather), G SafetyNet Apps (Banking, Local ID/OTP, Work related ID/Login 2Factor stuff incl. GAMAM big tech mainly Google, Microsoft and Meta), Best Private/Work Profile use with Dual SIM, Document/Book Scan App (Open Camera and the used GCam have no integrated function, on PC OCR planned), Cast to Android/Lineage TV, use of WhatsApp (without contact access or even better isolation).
What I would wish most from a ROM, probably related more to AOSP & Lineage OS but to note: integration of “PIM-Package” (IMAP, CalDAV+iCal, CardDAV, WebDAV, advanced Profile tweaking, Group Ringtones; SPAM filter for SMS, Calls, E-Mails, Messengers; STS/S2T “speech to text” functions for search and commands)

do not understand why eSpeak is preinstalled

So the maps app speaks the directions to you…

1 Like

Ok, but there is no maps app preinstalled? And for example OsmAnd should have its own T2S system included.

Should? Not sure it does… and not for all locales.

Maps was an example, eg. Accessibility stuff needs that too

1 Like