[MODULE/SYSTEM] NanoDroid (microG, pseudo-debloat, F-Droid + apps) 2019 - Lenovo P2 Questions & Answers

NANODROID
NanoDroid is an installer for various OpenSource related things, most noticeably microG and F-Droid. It supports direct /system installation, both devices with or without A/B partition scheme are supported, as well as Magisk Mode (module) installation. It also includes several tools (e.g. GNU Bash, GNU Nano, more), scripts, fonts, sounds and additional features (system debloating, init scripts, automatic logcat creation), as well as a companion F-Droid Repository.
Furthermore it allows the user to do fine-grained installations using configuration files, which allow to choose what to install, or if several alternatives are available, which of them, see Alter Installation below.
NanoDroid allows you to choose between the official microG GmsCore and a custom microG GmsCore (default).
In order for full microG experience NanoDroid contains a modified Play Store which allows (in-)app-purchases with microG, which would normally not be possible. It also tries to remove all previously installed GApps on its own. For ROMs without builtin signature spoofing support NanoDroid includes an on-device Patcher which tries to patch your ROM from TWRP.
Versions until 15.1 were called NanoMod, starting with 16.0 they're called NanoDroid.
NanoDroid does now have a companion F-Droid Repository for easy updates of its custom microG GmsCore, microG DroidGuard Helper, Play Store, OmniJAWS, OpenLauncher and MPV builds Repository Info-Page
DOWNLOAD LINK --> androidfilehost.com/?fid=11410963190603861413

Related

[CLOSED]EOL [ROM][Unofficial][8.1.0][signed][OTA] LineageOS 15.1 for Xperia Z1 compact

Thread Closed Per OP Request
This thread is dedicated to provide Lineage-OS 15.1 builds for the Sony Xperia Z1 compact with current security patches.
This thread is discontinued - please visit the LineageOS 16.0 successor thread
This is the joint effort of 115ek and MSe1969 (contributions welcome).
There are two build flavors available, both are signed (see further below):
A. Standard LineageOS 15.1
This build flavor aims at providing LineageOS 15.1 "as is" with most recent security patches.
Consider this flavor as continuation of the thread here by 115ek.
Download here
B. Security hardened microG build
For the security/privacy focused
Download here
Pre-installed microG and F-Droid same as the LineageOS for microG project
Pre-installed AuroraStore
Pre-Installed pre-release of microG DroidGuard helper to have a working SafetyNet attestation (see comments below!)
Additional security hardening features listed below
Access to /proc/net blocked for user apps
Bundled netmonitor app to allow network monitoring
Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking
Optional disable captive portal detection
Option to set own DNS
Option to deny new USB connections
Increased max. password length of 64
No submission of IMSI/phone number to Google/Sony when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Additional restriction options for secondary users
Current release levels
Security string: 2020-02-05
AOSP tag: 8.1.0_r52
System Webview: M79 (Standard build)
Bromite Webview: M79 (microG build)
Source-code and build instructions
Kernel: https://github.com/lin15-microG/kernel_sony_msm8974/tree/lineage-15.1
Build manifest: https://github.com/lin15-microG/local_manifests
TWRP Recovery
Please use the TWRP recovery referred to in this thread
Limitations
Following limitations are known:
NFC-HCE does not work (needed for example for google pay)
FM does not work in stereo mode (mono works fine, though)
Problems with some 5 GHz Wifi channels (can be avoided by not using autochanneling) fixed with 20190408 build
MHL does not work
5 GHz hotspot does not work (2.4 GHz hotspot works fine)
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - we won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty information available.
Pre-Requisites
Get familiar with the hardware keys of the Xperia Z1 compact device, especially how to enter fastboot mode and recovery mode
Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
Download the most current .ZIP file of our ROM and place it to your phone's internal memory or SD card
Only valid for the "standard build flavor": If you wish to install Google apps (GApps), please refer to the GApps section further below
An unlocked bootloader (read the warnings carefully and backup your data!)
Only in case your device is still with the pre-delivered Sony Stock ROM: It is recommended that you have updated the Stock ROM to the latest version offered by Sony to make sure that the bootloader has the needed capabilities (see also 'trouble-shooting' below)
Install TWRP recovery
If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. If you have already a working custom recovery on your device, there is no necessity to replace it. However - we recommend to use the TWRP recovery linked in this thread. The following instructions are based on TWRP.
To install TWRP, download the TWRP.img file (Note: replace "TWRP.img" in the following instructions with the real file name) from this section to your PC, connect the phone via USB to your PC, get it into 'fastboot mode' and enter the following command on your PC:
Code:
fastboot flash FOTAKernel TWRP.img
Afterwards, directly boot into 'recovery mode' (enter fastboot reboot on your PC and use the right hardware keys to get into recovery mode) - we recommend not to boot the phone's Android system after having flashed TWRP. Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP should be TWRP in recovery mode.
Trouble-shooting:
Depending on the Stock ROM you are on, you may face some difficulties to get the phone into recovery after flashing TWRP. If you are facing such difficulties (i.e. phone always boots into Stock ROM), get into fastboot mode, and manually boot into TWRP by entering the below command:
Code:
fastboot boot TWRP.img
If that also does not help you, it could be that the firmware, you have previously used, included an outdated bootloader. In that case, use the Sony flash tool (Windows only) or Androxyde's Open source Flashtool to flash a more current Sony firmware image.
Both approaches can also help to "unbrick" your device.
Advanced Wipe
ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and specify "Dalvik", "System", "Cache" and "Data" to be wiped. Make sure NOT to wipe "Internal memory" or "SD Card". Swipe to confirm the deletion and get back into the main menu.
GApps
DO NOT attempt to flash GApps on the "microG" build variant!
For the "Standard" variant, the following applies:
You do not need to install GApps, but you may wish to do so. In that case, download GApps from here and put the .ZIP also to the SD card or Internal memory of your device. Choose ARM as platform, Android 8.1 and the flavor of your choice. We recommend "pico", as this leaves you the most freedom to only install, what you really need; you can later still install all the Google products you want and do not need to live with pre-installed Google applications you have no use for.
Install our ROM
In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard) or your SD card (path /external_sd). Choose the .ZIP file of our ROM and swipe to flash.
If you update from a previous version of our ROM, you don't need to perform a wipe. If you had GApps already installed before the update, there is no need to flash them again. They will be automatically restored during the flash process. (Note: If you wish to get rid of GApps, navigate to TWRP's file manager in the Advanced section of the main menu, go to path /system/addon.d and delete the file 70-gapps.sh, before flashing the ROM update)
If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above. If you wish to install GApps, select the respective .ZIP file directly afterwards, do not boot into Android before having flashed GApps.
When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into our Lineage OS 15.1 - be patient, the first boot after flashing a new ROM takes quite long!
microG
Only valid for the "microG" build variant: After the first installation of this ROM, you need to setup microG.
Please read the instructions given on the LineageOS for microG site, section "Post Install - UnifiedNlp"
Encryption
Encryption works, however - please consider the below important information:
If you have previously encrypted your device with a "Lollipop" (Android 5.x) based ROM (e.g. this one), our ROM unfortunately cannot decrypt and you will have to format the data partition and encrypt again. Be aware, that your 'Internal Memory' will be lost in that case, so don't forget to make a backup!
If the device has been encrypted with a "Nougat" (Android 7.x) based ROM, there won't be any issues, even if you switch between different Android releases including Android 8.x and 5.x for testing purposes
If you encrypt the device with our LineageOS 15.1 ROM, you will not be able to decrypt the /data partition with TWRP and have to 'sideload' any updates instead
We consider this as a still open issue. We will be grateful for any advice on how to solve these compatibility issues.
For the time being, it seems that flashing a naked Nougat-ROM (e.g. this one) to perform the encryption and then wipe and install LineageOS 15.1 will leave you with the most flexibility.
Dealing with signed builds
Please note, that our builds are signed with our own key. When you come from a different build, you cannot directly "dirty-flash" our build. You either have to perform a "clean flash" (recommended), or - if you e.g. would like to update from one of 115ek's previous builds, you need to follow below instructions.
Coming from 115ek's Lineage 15.1 build:
Download and extract the file migration.sh from this archive
boot into TWRP
push the migration.sh file to the directory /data/local on your device and mount the /system partition in TWRP (you can do so using the dedicated TWRP's menu entry)
launch the built-in terminal in TWRP, cd into /data/local, make migration.sh executable (chmod +x) and execute the command ./migration.sh official
(In case you receive an error, try sh ./migration.sh official instead)
flash the ROM .zip
wipe Cache and Dalvik/ART Cache
reboot system
More background information "theory behind" can be found in the LineageOS wiki and AOSP reference.
Switching between build flavors
You can easily do so via clean-install. However, if you want to switch between the standard build and the microG build and vice-versa without wiping your data, please follow the below instructions:
Standard build => microG build
De-install any of the following apps, in case you have manual installations of them: Yalpstore, Privacy-friendly netmonitor, microG Services Core, microG Services Framework Proxy, Fake Store, F-Droid, Mozilla Unified NLP Backend, Nominatim Geocoder Backend
Deactivate System Webview
If you have flashed GApps before, deactivate all of them to remove any installed updates
Boot into TWRP recovery
If you have flashed GApps before, delete the file /system/addon.d/70-gapps.sh
Flash the microG ROM ZIP (make sure not to use an older version than the current standard build)
Wipe Cache & Dalvik and reboot
Follow the 'Post-install' steps outlined here
microG build => standard build
Deactivate the following apps: Yalpstore, Privacy-friendly netmonitor, microG Services Core, microG Services Framework Proxy, Fake Store, F-Droid, Mozilla Unified NLP Backend, Nominatim Geocoder Backend, Bromite System Webview
Boot into TWRP recovery
Flash the standard ROM ZIP (make sure not to use an older version than the current microG build)
If you want to flash GApps, do it before re-boot
Wipe Cache & Dalvik and reboot
Please note, that you may face issues with some apps, which depend on play services. In that case, try solving them in the following order: 1. delete app cache, 2. delete app data, 3. de-install and re-install app
Weather Widget
LineageOS does currently not offer Weather provider apps for LineageOS 15.1 for download (only for LineageOS 14.1)
We have built an APK for OpenWeatherMap for download from the LineageOS sources here, which works well with LineageOS 15.1
SafetyNet
Google SafetyNet is a device certification system, ensuring that the device is properly secured and compatible with Android CTS. Some applications use SafetyNet for security reasons, to enforce DRM or as a prerequisite for tamper-protection. General information about SafetyNet can be found here or e.g. see LineageOS' statement about SN.
The below information is only relevant for the microG build. In the standard build, you have SafetyNet, if you flash Gapps. Whether the SN attestation passes or not is completely out of our influence!
If you don't need SafetyNet (i.e. you don't use apps requiring it), I recommend to switch off SafetyNet in microG settings and in addition, go to Settings - apps, make system processes visible and disable the app 'microG DroidGuard Helper'
In that case, you can safely skip the below information. (If you access the play store with Yalp coming with this build, apps, which the original playstore app would hide because of failed SafetyNet, such as e.g. Netflix, are still listed, so you don't need SafetyNet for that specific purpose)
If you need SafetyNet, because you use an app requiring SafetyNet attestation to pass, switch SafetyNet on in microG settings and make sure the a.m. DroidGuard Helper app is active. Further, please consider below important information.
The typical use-case, for which SafetyNet has been developed and is e.g. used by Google, is e.g. "Google Pay".
Although it seems not to be the intention of Google to make SafetyNet part of "ordinary, average" apps - unfortunately - a certain tendency can be observed that more and more apps make use of it. Especially nosy and privacy intrusive apps seem to start using SafetyNet against Custom ROMs, because Custom ROMs usually allow to at least restrict uncontrolled data collection.
microG GmsCore contains a free implementation of SafetyNet, but the official server requires SafetyNet requests to be signed using the proprietary DroidGuard system. A sandboxed version of DroidGuard has been added to this microG build as a prebuilt “DroidGuard Helper” app to run the Google code in an isolated environment. The chosen approach in my build is proposed and discussed within the microG project, but not yet officially implemented by microG.
As of March 11th 2019, the microG build passes the SafetyNet attestation, when installed w/o root or Xposed.
So, if you need SafetyNet and you also need root, Magisk would be the way to go.
To avoid confusion: Magisk can hide itself from being detected by SafetyNet and thus help to pass SN, if the device would pass SN without having Magisk installed. Nothing more.
Note: Currently, the DroidGuard helper app is not part of the build, as it currently does not work any more.
There are apps available on the Play store to show, whether SafetyNet attestation is passed, for example 'SafetyNet Test' (org.freeandroidtools.safetynettest)
IMPORTANT
I cannot and I will not give any assurance that SafetyNet attestation is passed by this build!
The SafetyNet code, which is dynamically downloaded from Google servers and executed on the device as part of the defined functionality, is regularly maintained and further developed by Google. Although it currently works, it could stop working in the future, until the microG team finds again a solution.
(Interesting enough: Remote code execution is normally considered a severe vulnerability, but hey, it's Google and we all "trust" them 100%, don't we? - At least I, besides others, exactly for that reason, do not use Gapps!)
Further, I for my part refuse to use apps requiring SafetyNet, but that is of course everybody's own decision.
Usage of ANT+
You need the 2 apps:
ANT Radio Service (Github) / (Google play)
ANT+ Plugin Service (Github) / (Google play)
afterwards setting proper permissions is essential!
Go to Apps & Notifications -> See All Apps
Select 'ANT Radio Service'
Select Permissions
Select Additional permissions
Slide switch to allow using of ANT hardware
This refers to those instructions.
Bug reports:
If you have a problem please create a post with these information:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Credits
In continuation of the previous thread, we would like to acknowledge:
Android Open Source project (AOSP)
LineageOS project
AICP project
SpiritCroc: big thanks to him for maintaining the device trees and a lot of very useful hints
rcstar6696
SuperLamic
drakonizer
AdrianDC
munjeni: thanks for tips and tricks
nailyk: thanks for tips and tricks
All the other contributors on sony msm8974 platform
microG project
CopperheadOS project
csagan5 (Bromite)
Yeriomin (Yalp)
XDA:DevDB Information
[ROM][Unofficial][8.1.0][signed] LineageOS 15.1 for Xperia Z1 compact, ROM for the Sony Xperia Z1 Compact
Contributors
MSe1969, 115ek
Source Code: https://github.com/lin15-microG/local_manifests
ROM OS Version: 8.x Oreo
ROM Kernel: Linux 3.4.x
Based On: LineageOS
Version Information
Status: Stable
Stable Release Date: 2020-02-09
Created 2018-12-29
Last Updated 2020-03-09
Change log
March 9th, 2020
Announcement to discontinue this thread - please visit the LineageOS 16.0 successor thread
February 9th, 2020
ASB Security string 2020-02-05
Replaced DRM lib (fixes issues with Netflix)
Standard flavor: System Webview on 79.0.3945.136
microG flavor: Bromite Webview on 79.0.3945.139
microG flavor: Updated AuroraStore to 3.1.8
January 14th, 2020
ASB Security string 2020-01-05
Standard flavor: System Webview on 79.0.3945.116
microG flavor: Bromite Webview on 79.0.3945.107
microG flavor: Updated AuroraStore to 3.1.7
microG flavor: Updated AuroraServices to 1.0.5
December 7th, 2019
ASB Security string 2019-12-05
Standard flavor: System Webview on 78.0.3904.96
microG flavor: Bromite Webview on 78.0.3904.119
microG flavor: Updated AuroraStore to 3.1.5
November 10th, 2019
ASB Security string 2019-11-05
Standard flavor: System Webview on 77.0.3865.116
microG flavor: Bromite Webview on 78.0.3904.72
microG flavor: Updated microG GMS core 0.2.9.x
October 14th, 2019
ASB Security string 2019-10-05
Standard flavor: System Webview on 77.0.3865.92
microG flavor: Bromite Webview on 77.0.3865.104
microG flavor: AuroraStore updated to 3.1.3
September 10th, 2019
ASB Security string 2019-09-05
Standard flavor: System Webview on 76.0.3809.111
microG flavor: AuroraServices updated to 1.0.4
August 11th, 2019
ASB Security string 2019-08-05
OTA Support
Standard flavor: System Webview on 76.0.3809.89
microG flavor: Bromite Webview on 76.0.3809.100
microG flavor: Aurorastore 3.0.9 with AuroraServices install method
microG flavor: Updated microG GMS core 0.2.8.x
July 5th, 2019
ASB Security string 2019-07-05
microG flavor only: Bromite Webview on 75.0.3770.109
June 12th, 2019
ASB Security string 2019-06-05
Recovery boot fix for Magisk 19.x
System Webview updated to 74.0.3729.157 (non-microG flavor)
microG flavor only: Bromite Webview on 75.0.3770.86
microG flavor only: Replaced Yalpstore with Aurorastore
microG flavor only: Removed RemoteDroidGuard
microG flavor only: Updated F-Droid & priv. extension
microG flavor only: Updated microG GMS core 0.2.7.x
May 9th, 2019
ASB Security string 2019-05-05
System Webview / Bromite Webview both on M74
microG flavor only: Option to set own DNS
microG flavor only: Backport of 'Deny new USB' feature
microG flavor only: Additional options for secondary users
microG flavor only: Increased max. password length 64
April 8th, 2019
ASB Security string 2019-04-05
Solved WLAN 5GHz channel issue (see thread discussion)
microG flavor only: Control switch in dev. settings for hosts file update
March 11th, 2019
ASB Security string 2019-03-05
SystemWebView updated (includes CVE-2019-5786): M72 (standard flavor) / M73-Bromite (microG flavor)
microG flavor only: Prebuilt microG DroidGuard helper app to pass SafetyNet attestation
February 10th, 2019
ASB Security string 2019-02-05
Kernel: Various Security Patches and some additional 'spectre' mitigations
microG flavor: Bromite SystemWebView updated to M72
Standard Flavor: Fix of Eleven and LockClock app taken over from microG flavor
January 14th, 2019
ASB Security string 2019-01-05
SystemWebView updated to M71 in Standard flavor
Various Kernel security fixes
December 29th, 2018
Initial load
ASB Security string 2018-12-05
AOSP tag android-8.1.0_r52
SystemWebView: M69 (Standard flavor) / M71-Bromite (microG flavor)
Initial feature list of microG flavor:
Pre-installed microG and F-Droid same as the LineageOS for microG project
Pre-installed YalpStore (Version 0.45)
Access to /proc/net blocked for user apps
Bundled netmonitor app to allow network monitoring
Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking
Optional disable captive portal detection
No submission of IMSI/IMEI to Google/Sony when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Information about Privacy/Security Hardening in microG build flavor
As announced in the OP, the microG build flavor contains a couple of specific features, which are explained in more detail in this section:
1. Pre-installed microG and F-Droid
same as the LineageOS for microG project
2. Pre-installed AuroraStore
works w/o having to enable "unknown sources"
3. Restrict access to /proc/net for user apps
An adapted SELinux policy prevents user apps from accessing the /proc/net pseudo file system, which can be misused to monitor and track the phone's internet traffic. For technical backgrounds, see here. For the legitimate use case of the smart phone owner him/herself monitoring the network traffic to see, what the installed apps do, the app Privacy-Friendly Network Monitor has been bundled.
4. Enhanced Privacy Guard - Sensor permission switches and background control
An own sensor template to control access to motion sensors ('ask' mode) and all other sensors (allowed by default, but can be restricted) has been implemented into the Privacy Guard. Further, the following background activities can be restricted in Privacy guard:
Background Clipboard access (forbidden by default, can be allowed per app)
Background Location access (allowed by default, if location access as such is allowed, can be forbidden per app)
Background Audio recording (allowed by default, if microphone access as such is allowed, can be forbidden per app)
5. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the default DNS settings (as fallback) and network diagnostics, the Cloudflare DNS addresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)
6. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 15.1 (all settings can be changed at any time later):
Privacy Guard is enabled on install (proposal during Setup)
Anonymous LineageOS statistics disabled (proposal during Setup)
The standard browsing app does not get the location runtime permission automatically assigned
Sensitive information is hidden on the lock screen
Camera app: Location tagging disabled by default
Apps having the PACKAGE_USAGE_STATS permission appear by default as "not allowed" under Settings => Security & privacy => Apps with usage access (instead of opting out here, the user needs to explicitly opt-in in order to have the app collecting this data)
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without
7. Optional blocking of Facebook- and Google-Tracking
Settings => Network & Internet => Data usage => Menu => "Apply iptables block script"
When activated, all outgoing connection attempts to Facebook servers will be suppressed.
Same applies to Google, but apps on an internal exception list will still be able to connect (Yalpstore, microG, or e.g. NewPipe, if installed)
8. Optional disable captive portal detection
Settings => Network & Internet => Data usage => Menu => "Disable Captive Portal"
When activated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used.
9. No submission of IMSI or phone number to Google/Sony when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties) to provide this data . . .
10. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)
11. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.
12. Deny new USB option
Settings => Security & Privacy
Control, what happens, if a USB device is connected to the device: Allow, allow when unlocked or block.
13. Option to define an own DNS
Settings => Network & Internet (scroll down)
You can optionally define an own DNS, which is used instead of the default DNS of the ISP (uses iptables)
Note: If your ISP intercepts DNS queries to enforce their own ISP - e.g. to enforce surveillance/censorship - this option won't work . . .
14. Maximum password length increased to 64
15. Additional restriction options for secondary users
- Disallow app installation option
- Disallow audio recording option
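An added illustration, not part of the original post or the ROM's code: a parser for the /proc/net/tcp layout, showing the per-UID connection data that the SELinux restriction in item 3 withholds from user apps and that a network monitor reads on the owner's behalf. The sample rows, UIDs and addresses are constructed, and a little-endian device is assumed.

```python
import socket
from collections import defaultdict

# Constructed sample in the /proc/net/tcp layout (not captured from a device).
# Android assigns app UIDs from 10000 upwards, so the uid column identifies
# which installed app owns each socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 1701A8C0:9C40 01010101:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 1701A8C0:9C42 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10102        0 23460 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' from /proc/net/tcp or tcp6 into (ip, port).

    The kernel prints each 32-bit address word in host byte order, so on a
    little-endian device the bytes of every word have to be reversed.
    """
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    if len(raw) == 4:
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])
    elif len(raw) == 16:
        words = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
        ip = socket.inet_ntop(socket.AF_INET6, words)
    else:
        raise ValueError("unexpected address length: %r" % addr_hex)
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue  # truncated or empty line
        rows.append({
            "local": decode_endpoint(parts[1]),
            "remote": decode_endpoint(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return rows


def remote_peers_by_uid(rows):
    """Map each owning UID to the remote endpoints of its established sockets."""
    peers = defaultdict(set)
    for row in rows:
        if row["state"] == "ESTABLISHED":
            peers[row["uid"]].add("%s:%d" % row["remote"])
    return {uid: sorted(eps) for uid, eps in peers.items()}


def proc_net_readable(path="/proc/net/tcp"):
    """True if the calling context can read the file, False if access is
    denied or the file is absent. From an app context on a build with the
    restriction in place, the expected result is False."""
    try:
        with open(path) as fh:
            fh.readline()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for uid, eps in remote_peers_by_uid(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)).items():
        print(uid, eps)
    print("readable from this context:", proc_net_readable())
```
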
Cool, thanks for keeping these ROM versions alive.
Is there a difference between the version here (los standard build 20181229) and the one from 115ek's old thread (build 20181213)?
lm089 said:
Cool, thanks for keeping these ROM versions alive.
Is there a difference between the version here (los standard build 20181229) and the one from 115ek's old thread (build 20181213)?
Not really: The Updater is not anymore part of this build (as it was anyhow useless given that you can't download this build from LineageOS) and as explained in the OP, our build is signed with our own key. (We'll provide a flashable ZIP for the migration soon)
Good firmware! All with the coming!
MSe1969 said:
Dealing with signed builds
Please note, that our builds are signed with our own key. When you come from a different build, you cannot directly "dirty-flash" our build. You either have to perform a "clean flash" (recommended), or - if you e.g. would like to update from one of 115ek's previous builds, you need to follow below instructions.
Hmm - can't see those instructions mentioned in op
lm089 said:
Hmm - can't see those instructions mentioned in op
I just added them
there are no mirrors to download the standard version
UPDATE: now, yes
115ek said:
I just added them
Thanks,
gave it a try just after migration info.
Migrated from November-build to Standard-Version.
Everything seems to work. Great! (because i know about problems with different keys)
Btw one question: From the beginning of 115eks rom i have several (not every time the same) FCs at startup and on the run occasional FCs.
(No such FCs with the great lollipop version, neither with the nougat rom. Clean install.)
No great problem, since all this programs work perfect on next start, but a little bit annoying. May i be of any help to find the reason?
PS: Rhein-Main rules
CyanoFriend said:
Thanks,
gave it a try just after migration info.
Migrated from November-build to Standard-Version.
Everything seems to work. Great! (because i know about problems with different keys)
Btw one question: From the beginning of 115eks rom i have several (not every time the same) FCs at startup and on the run occasional FCs.
(No such FCs with the great lollipop version, neither with the nougat rom. Clean install.)
No great problem, since all this programs work perfect on next start, but a little bit annoying. May i be of any help to find the reason?
PS: Rhein-Main rules
Regarding the FCs, I did not experience such things recently (using the microG variant myself from the beginning), do you have specific examples or a log?
P.S.: You also in the Rhein-Main area?
CyanoFriend said:
Thanks,
gave it a try just after migration info.
Migrated from November-build to Standard-Version.
Everything seems to work. Great! (because i know about problems with different keys)
Btw one question: From the beginning of 115eks rom i have several (not every time the same) FCs at startup and on the run occasional FCs.
(No such FCs with the great lollipop version, neither with the nougat rom. Clean install.)
No great problem, since all this programs work perfect on next start, but a little bit annoying. May i be of any help to find the reason?
PS: Rhein-Main rules
Sure you can do something: get logs (logcat and dmesg) after you experience these FCs. We'll have a look then.
Do you use third party software like Magisk or exposed framework? Do you use Gapps (if yes, what size)?
NFC google pay
Sorry for my english.
This rom is great, but I have a problem with recognise NFC by payment apps (google pay). NFC is working fine, but google pay and my bank's apk says "Your phone don't have NFC" and I can't pay via phone.
MSe1969 said:
Regarding the FCs, I did not experience such things recently (using the microG variant myself from the beginning), do you have specific examples or a log?
P.S.: You also in the Rhein-Main area?
Hello,
i will try to answer you, 115ek and also kamikaze1204 in one text:
- xposed: yes
- magisk: no
- su-addon: yes
- opengapps pico
- rhine-main (rhein-main): yes
- dmesg via adb: yes
- logcat via adb: failure
- logcat other way: yes
- nfc since cm-lollipop working: no
trying to send dmesg and logcat via pm to you and 115ek
and coming to the end:
Happy new year and 42
CyanoFriend said:
Hello,
i will try to answer you, 115ek and also kamikaze1204 in one text:
- xposed: yes
- magisk: no
- su-addon: yes
- opengapps pico
- rhine-main (rhein-main): yes
- dmesg via adb: yes
- logcat via adb: failure
- logcat other way: yes
- nfc since cm-lollipop working: no
trying to send dmesg and logcat via pm to you and 115ek
and coming to the end:
Happy new year and 42
But nfc and magisk are working
115ek said:
I just added them
Just tried to execute migration.sh but it's not working. Here's what I did, but let me explain first that I'm a real noob when it comes to Linux. So please excuse me if the following should contain irrelevant info...
1. copied your tar.gz file to /data/local
2. Booted into twrp
3. Opened zero's terminal
4. Executed 'mount' to see the current mount status
5. Executed 'mount /system' then again 'mount' > apparently /system is now mounted
6. Changed into /data/local
7. Executed 'tar -xzvf adb-key-migration.tar.gz' > thus extracted migration.sh to same dir
8. Executed 'ls -l' to see full file settings
9. Executed 'chmod +x migration.sh'
10. Executed 'ls -l' again to see that file status has changed to '-rwxr-xr-x 1 system system'
11. Executed './migration.sh official'
The result is 3 lines of errors telling me something like
CANNOT LINK EXECUTABLE "/system/bin/sh" : cannot locate symbol "__register_atfork" referenced by "/system/bin/sh"...
Libc: CANNOT LINK EXECUTABLE "/system/bin/sh" : cannot locate symbol "__register_atfork" referenced by "/system/bin/sh"...
Libc: fatal signal 6 (SIGABRT), code - 6 in tid 243 (migration.sh), pid 243 (migration.sh)
Then after a while twrp gets into a bootloop which I can only end by a hard reset.
What am I doing wrong?
Edit: twrp version is 3.2.2.0, installed ROM is 115ek's version build 20181213
Edit#2: got it! Step 11 in my case should have been 'sh migration.sh official' instead; this way it worked, and flashing signed ROM build 20181229 then worked as expected. :good:
kamikaze1204 said:
Sorry for my english.
This ROM is great, but I have a problem with NFC being recognised by payment apps (Google Pay). NFC is working fine, but Google Pay and my bank's APK say "Your phone don't have NFC" and I can't pay via phone.
Easiest way of being able to use google pay is using Stock android lollipop. Payment with custom ROMs is generally tricky, especially if you're rooted.
The problem now is: Neither MSe nor myself are using google services, so there's not that big interest in getting this working. TWRP decryption has higher priority.
And if you don't supply any logs then there's nothing we can do. Sorry.
CyanoFriend said:
Hello,
I will try to answer you, 115ek and also kamikaze1204 in one text:
- xposed: yes
- magisk: no
- su-addon: yes
- opengapps pico
- rhine-main (rhein-main): yes
- dmesg via adb: yes
- logcat via adb: failure
- logcat other way: yes
- nfc since cm-lollipop working: no
trying to send dmesg and logcat via pm to you and 115ek
and coming to the end:
Happy new year and 42
Xposed is generally bad for people like us. It is able to modify the system in a way no one can predict. If you load some "strange modules" you shouldn't wonder if something crashes.
My recommendation: clean installation with following observation if errors/FCs still occur. If yes -> it's probably a fault on our side. If not -> Xposed does unwanted things.
From my experience: clean installation is really stable and reliable.
Anything you add or modify can cause additional problems - easy rule of thumb.
And for Xposed and co. I can't give any help.
Androidfilehost download issue
MSe1969 said:
December 29th, 2018
Initial load
ASB Security string 2018-12-05
AOSP tag android-8.1.0_r52
SystemWebView: M69 (Standard flavor) / M71-Bromite (microG flavor)
Initial feature list of microG flavor:
Pre-installed microG and F-Droid same as the LineageOS for microG project
Pre-installed YalpStore (Version 0.45)
Access to /proc/net blocked for user apps
Bundled netmonitor app to allow network monitoring
Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking
Optional disable captive portal detection
No submission of IMSI/IMEI to Google/Sony when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Great to see this development of ROM for Amami. Not sure what the reason might be, having trouble to download from Androidfilehost. No issue with the microG version but the vanilla one. Tried couple of days, different times but same issue: no download mirror found! Can you please take a look? Thanks in advance.
Royal.Bengal said:
Great to see this development of ROM for Amami. Not sure what the reason might be, having trouble to download from Androidfilehost. No issue with the microG version but the vanilla one. Tried couple of days, different times but same issue: no download mirror found! Can you please take a look? Thanks in advance.
Can confirm, getting the same error right now from both my tablet and a PC browser. Been able to d'load yesterday, though.
lm089 said:
Edit#2: got it! Step 11 in my case should have been 'sh migration.sh official' instead; this way it worked, and flashing signed ROM build 20181229 then worked as expected. :good:
Hmm, okay, will update the OP accordingly. Thanks

[CLOSED] EOL [ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T

Moderator Announcement: THREAD CLOSED on request of OP. If you're interested in the hardened LOS for the OnePlus 3 or 3T please follow this thread in the cross-device section in future: https://forum.xda-developers.com/oneplus-3/oneplus-3--3t-cross-device-development/rom-hardened-lineageos-16-0-oneplus-3t-t4034869
This thread is dedicated to provide hardened Lineage-OS 15.1 builds with microG included for the OnePlus 3/3T with current security patches.
This thread is discontinued, please visit the LineageOS 16.0 successor thread
Features of this ROM
Download here
Pre-installed microG and F-Droid same as the LineageOS for microG project
Pre-installed AuroraStore
Pre-Installed pre-release of microG DroidGuard helper to have a working SafetyNet attestation (see comments below!)
Adapted LockClock app without wake-locks (fix of frozen weather widget after boot)
OTA Support
Additional security hardening features listed below
Access to /proc/net blocked for user apps
Bundled netmonitor app to allow network monitoring
Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking
Optional disabling of captive portal detection
Option to define own DNS
No submission of IMSI/phone number to Google/Sony when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Option to deny new USB connections
Additional restrictions for secondary users
Increased password length
Kernel kept up to date with ASB patches and Google kernel/common 'android-3.18' branch
Current release levels
Security string: 2020-01-05
AOSP tag: 8.1.0_r52
Bromite System Webview: M79
Source-code and build instructions
Kernel: https://github.com/lin15-microG/android_kernel_oneplus_msm8996/tree/lin-15.1-microG
Build manifest: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.
Pre-Requisites
Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
Download the most current .ZIP file of the ROM and place it to your phone's internal memory
An unlocked bootloader (see e.g. LineageOS install instructions)
You need at least OxygenOS 5.0 firmware, otherwise you'll get error 7 when installing the zip. (Recommended 5.0.8 - DO NOT use 9.x firmware)
Install TWRP recovery
If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. I recommend to use the TWRP recovery for the OnePlus 3/3T. The following instructions are based on TWRP.
IMPORTANT NOTE - The official TWRP 3.2.3-1 is broken - DO NOT USE!
Please use the TWRP link in the official LineageOS install instructions instead.
To install TWRP, download the twrp-x.x.x-x-oneplus3.img file (Note: replace "x.x.x-x" in the following instructions with the respective values from the real file name) to your PC, connect the phone via USB to your PC, get it into 'fastboot mode' and enter the following command on your PC:
Code:
fastboot flash recovery twrp-x.x.x-x-oneplus3.img
Afterwards, directly boot into 'recovery mode' (enter fastboot reboot on your PC and hold Power and vol.down) - DO NOT boot into the phone's Android system after having flashed TWRP! Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP must be TWRP in recovery mode.
Advanced Wipe
ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and specify "Dalvik", "System", "Cache" and "Data" to be wiped. Make sure NOT to wipe "Internal memory". Swipe to confirm the deletion and get back into the main menu.
DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
Install ROM
In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard). Choose the .ZIP file of our ROM and swipe to flash.
If you update from a previous version of our ROM, you don't need to perform a wipe. If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into our Lineage OS 15.1 - be patient, the first boot after flashing a new ROM takes quite long!
Dealing with signed builds
Please note that this build is signed with its own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash" (recommended), or - at your own risk - you may try the steps below.
This happens at your own risk - make a backup with TWRP before!
Download and extract the file migration.sh from this archive
This file helps you to migrate from a build signed with the publicly available test keys (i.e. all builds around, which do not state that they are signed). If you come from another signed build (e.g. official LineageOS), you have to adapt the file accordingly (see below links).
boot into TWRP
push the migration.sh file to the directory /data/local on your device and mount the /system partition in TWRP (you can do so using the dedicated TWRP's menu entry)
launch the built-in terminal in TWRP, cd into /data/local, make migration.sh executable (chmod +x) and execute the command ./migration.sh official
(In case you receive an error, try sh ./migration.sh official instead)
flash the ROM .zip
wipe Cache and Dalvik/ART Cache
reboot system
More background information and the "theory behind" can be found in the LineageOS wiki and AOSP reference.
SafetyNet:
Google SafetyNet is a device certification system, ensuring that the device is properly secured and compatible with Android CTS. Some applications use SafetyNet for security reasons, to enforce DRM or as a prerequisite for tamper-protection. General information about SafetyNet can be found here or e.g. see LineageOS' statement about SN.
If you don't need SafetyNet (i.e. you don't use apps requiring it), I recommend to switch off SafetyNet in microG settings and in addition, go to Settings - apps, make system processes visible and disable the app 'microG DroidGuard Helper'
In that case, you can safely skip the below information. (If you access the play store with Yalp coming with this build, apps, which the original playstore app would hide because of failed SafetyNet, such as e.g. Netflix, are still listed, so you don't need SafetyNet for that specific purpose)
If you need SafetyNet, because you use an app requiring SafetyNet attestation to pass, switch SafetyNet on in microG settings and make sure the a.m. DroidGuard Helper app is active. Further, please consider below important information.
The typical use-case, for which SafetyNet has been developed and is e.g. used by Google, is e.g. "Google Pay".
Although it seems not to be the intention of Google to make SafetyNet part of "ordinary, average" apps - unfortunately - a certain tendency can be observed that more and more apps make use of it. Especially nosy and privacy intrusive apps seem to start using SafetyNet against Custom ROMs, because Custom ROMs usually allow to at least restrict uncontrolled data collection.
microG GmsCore contains a free implementation of SafetyNet, but the official server requires SafetyNet requests to be signed using the proprietary DroidGuard system. A sandboxed version of DroidGuard has been added to this microG build as a prebuilt “DroidGuard Helper” app to run the Google code in an isolated environment. The chosen approach in my build is proposed and discussed within the microG project, but not yet officially implemented by microG.
As of March 11th 2019, the microG build passes the SafetyNet attestation, when installed w/o root or Xposed.
So, if you need SafetyNet and you also need root, Magisk would be the way to go.
To avoid confusion: Magisk can hide itself from being detected by SafetyNet and thus help to pass SN, if the device would pass SN without having Magisk installed. Nothing more.
Currently not working, hence not bundled
There are apps available on the Play store to show, whether SafetyNet attestation is passed, for example 'SafetyNet Test' (org.freeandroidtools.safetynettest)
IMPORTANT
I cannot and I will not give any assurance that SafetyNet attestation is passed by this build!
The SafetyNet code, which is dynamically downloaded from Google servers and executed on the device as part of the defined functionality, is regularly maintained and further developed by Google. Although it currently works, it could stop working in the future, until the microG team finds again a solution.
(Interesting enough: Remote code execution is normally considered a severe vulnerability, but hey, it's Google and we all "trust" them 100%, don't we? - At least I, besides others, exactly for that reason, do not use Gapps!)
Further, I for my part refuse to use apps requiring SafetyNet, but that is of course everybody's own decision.
Bug reports:
If you have a problem, please create a post with this information:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.
Credits
AOSP project
LineageOS project
microG project
CopperheadOS project
csagan5 (Bromite)
Yeriomin (Yalp)
XDA:DevDB Information
[ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T, ROM for the OnePlus 3T
Contributors
MSe1969
Source Code: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG
ROM OS Version: 8.x Oreo
ROM Kernel: Linux 3.x
Based On: LineageOS
Version Information
Status: Stable
Stable Release Date: 2020-01-13
Created 2019-01-21
Last Updated 2020-04-30
Change Log
February 7th, 2020
Announcement to discontinue the LineageOS 15.1 builds - Please visit my LineageOS 16.0 thread, which continues with LineageOS 16.0 builds
January 14th, 2020
ASB Security string 2020-01-05
Bromite Webview on 79.0.3945.107
AuroraStore updated to 3.1.7
AuroraServices updated to 1.0.5
December 7th, 2019
ASB Security string 2019-12-05
Bromite Webview on 78.0.3904.119
AuroraStore updated to 3.1.5
November 10th, 2019
ASB Security string 2019-11-05
Bromite Webview on 78.0.3904.72
Updated microG GMS core 0.2.9.x
October 13th, 2019
ASB Security string 2019-10-06
AuroraStore updated to 3.1.3
Bromite Webview on 77.0.3865.104
September 10th, 2019
ASB Security string 2019-09-05
AuroraServices updated to 1.0.4
August 11th, 2019
ASB Security string 2019-08-05
Bromite Webview on 76.0.3809.100
Aurorastore 3.0.9 with AuroraServices install method
Updated microG GMS core 0.2.8.x
OTA Support
July 4th, 2019
ASB Security string 2019-07-05
Bromite Webview on 75.0.3770.109
June 12th, 2019
ASB Security string 2019-06-05
Kernel upstreamed to 3.18.140
Bromite Webview on 75.0.3770.86
Replaced Yalpstore with Aurorastore
Removed RemoteDroidGuard
Updated F-Droid & priv. extension
Updated microG GMS core 0.2.7.x
May 9th, 2019
ASB Security string 2019-05-05
SystemWebView: Bromite updated to 74.0.3729.106
Kernel: Upstreamed to 3.18.139
Backport of 'Deny new USB' feature
Option to set own DNS
Additional options for secondary users
Increased password length
April 8th, 2019
ASB Security string 2019-04-05
SystemWebView: Bromite updated to 73.0.3683.97
Kernel: Upstreamed to 3.18.138
Control switch in dev. settings for hosts file update
March 11th, 2019
ASB Security string 2019-03-05
SystemWebView: M73-Bromite (includes CVE-2019-5786)
Kernel: Upstreamed to 3.18.136
February 19th, 2019 - 2nd interim release
New upstreamed kernel (3.18.134) from here (yet w/o CAF tag LA.UM.6.5.r1-10600-8x96.0)
February 13th, 2019 - interim release
Reverted Kernel fixes, which seem to have caused crashes after wiping cache&dalvik
Prebuilt microG DroidGuard helper app to pass SafetyNet attestation
February 9th, 2019
ASB Security string 2019-02-05
SystemWebView: M72-Bromite
Kernel: CAF tag LA.UM.6.5.r1-10600-8x96.0
January 21st, 2019
Initial load
ASB Security string 2019-01-05
AOSP tag android-8.1.0_r52
SystemWebView: M71-Bromite
Initial feature list:
Pre-installed microG and F-Droid same as the LineageOS for microG project
Pre-installed YalpStore (Version 0.45)
Access to /proc/net blocked for user apps
Bundled netmonitor app to allow network monitoring
Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking
Optional disable captive portal detection
No submission of IMSI/IMEI to Google/Sony when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Security Hardening Features - Details
1. Pre-installed microG and F-Droid
same as the LineageOS for microG project
2. Pre-installed AuroraStore
works w/o having to enable the "unknown sources feature"
3. Restrict access to /proc/net for user apps
An adapted SELinux policy prevents user apps from accessing the /proc/net pseudo file system, which can be misused to monitor and track the phone's internet traffic. For technical backgrounds, see here. For the legitimate use case of the smart phone owner him/herself monitoring the network traffic to see, what the installed apps do, the app Privacy-Friendly Network Monitor has been bundled.
4. Enhanced Privacy Guard - Sensor permission switches and background control
An own sensor template to control access to motion sensors ('ask' mode) and all other sensors (allowed by default, but can be restricted) has been implemented into the Privacy Guard. Further, the following background activities can be restricted in Privacy guard:
Background Clipboard access (forbidden by default, can be allowed per app)
Background Location access (allowed by default, if location access as such is allowed, can be forbidden per app)
Background Audio recording (allowed by default, if microphone access as such is allowed, can be forbidden per app)
5. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the default DNS settings (as fallback) and network diagnostics, the Cloudflare DNS addresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)
6. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 15.1 (all settings can be changed at any time later):
Privacy Guard is enabled on install (proposal during Setup)
Anonymous LineageOS statistics disabled (proposal during Setup)
The standard browsing app does not get the location runtime permission automatically assigned
Sensitive information is hidden on the lock screen
Camera app: Location tagging disabled by default
Apps having the PACKAGE_USAGE_STATS permission appear by default as "not allowed" under Settings => Security & privacy => Apps with usage access (instead of opting out here, the user needs to explicitly opt-in in order to have the app collecting this data)
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without
7. Optional blocking of Facebook- and Google-Tracking
Until April 2019 build: Settings => Network & Internet => Data usage => Menu => "Apply iptables block script"
Starting with May 2019 build: Settings => Network & Internet (scroll down)
When activated, all outgoing connection attempts to Facebook servers will be suppressed.
Same applies to Google, but certain apps on an internal exception list will still be able to connect (Yalpstore, microG, or e.g. NewPipe, if installed)
8. Optional disable captive portal detection
Until April 2019 build: Settings => Network & Internet => Data usage => Menu => "Disable Captive Portal"
Starting with May 2019 build: Settings => Network & Internet (scroll down)
When activated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used.
9. No submission of IMSI or phone number to Google/Sony when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties) to provide this data . . .
10. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)
11. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.
12. Deny new USB option
Settings => Security & Privacy
Control, what happens, if a USB device is connected to the device: Allow, allow when unlocked or block.
13. Option to define an own DNS
Settings => Network & Internet (scroll down)
You can optionally define an own DNS, which is used instead of the default DNS of the ISP (uses iptables)
Note: If your ISP intercepts DNS queries to enforce their own ISP - e.g. to enforce surveillance/censorship - this option won't work . . .
14. Maximum password length increased to 64
15. Additional restriction options for secondary users
- Disallow app installation option
- Disallow audio recording option
Further tips & tricks
Root
The ROM does not come with root baked in. A couple of features in this ROM even reduces the usual need for root.
Nevertheless, if you need/want to grant root permissions to some of your apps, the most popular options are:
Official LineageOS su addon (use 'addonsu-15.1-arm64-signed.zip')
Magisk (please search XDA on your own)
SuperSU
Note that I cannot and will not support any issues related to Magisk and/or SuperSU
Weather Widget
LineageOS does currently not offer Weather provider apps for LineageOS 15.1 for download (only for LineageOS 14.1)
I have built an APK for OpenWeatherMap for download from the LineageOS sources here, which works well with LineageOS 15.1
microG initial configuration after 1st install
After the first installation of this ROM, you need to setup microG.
Please read the instructions given on the LineageOS for microG site, section "Post Install - UnifiedNlp"
Firmware
You need at least OxygenOS 5.0 firmware, latest firmware recommended. Firmware updates (or downgrades, if needed) as flashable ZIP can be obtained e.g. here or here.
Do not confuse OnePlus 3 and OnePlus 3T firmware or you will brick your device!
Oooh thanks. I'll be having that!
Do you expect to release the 9.0 version when LOS 16 for 3T is ready?
sysak said:
Oooh thanks. I'll be having that!
Do you expect to release the 9.0 version when LOS 16 for 3T is ready?
Eventually yes - but not immediately, as I need some time to investigate to port the features.
MSe1969 said:
Eventually yes - but not immediately, as I need some time to investigate to port the features.
Maybe you can work together with nvertigo67, he has a rock solid los16 build. In the past, he has also promoted Android without Google Apps.
His thread: https://forum.xda-developers.com/on...oss-device-development/rom-nlos-16-0-t3879405
phoberus said:
Maybe you can work together with nvertigo67, he has a rock solid los16 build. In the past, he has also promoted Android without Google Apps.
His thread: https://forum.xda-developers.com/on...oss-device-development/rom-nlos-16-0-t3879405
Thanks for the information. I am aware of his thread and also his very knowledgeable feedbacks in the 'official' OP3T thread and I think I'll definitely try to get in touch with him.
For the time being however, I would like to concentrate on the "stable" LineageOS 15.1 (building also for the 'amami' device from same sources) to be used as a daily driver rather than bringing up a device for a new android version (I am actually not that good in this area). So I am somehow a little bit more "conservative"
this is something new ?
I'm new to this so my question is google playstore included??
and how is the gaming performance
Playstore not included
vip57 said:
this is something new
I'm new to this so my question is google playstore included??
and how is the gaming performance
Google play store is not included, but it had Pre installed yalp store. About gaming performance I can't comment because I don't play games.
In case you are interested, more info regarding microG can be found here. https://microg.org/
Can you provide some additional information on how each step was done?
I'm specifically curious about the changes to Privacy Guard, changing the default DNS, and not submitting IMEI/IMSI/phone number on GPS requests
Thank you!
MXIIA said:
Can you provide some additional information on how each step was done?
I'm specifically curious about the changes to Privacy Guard, changing the default DNS, and not submitting IMEI/IMSI/phone number on GPS requests
Thank you!
The source code is linked in the OP (the link leads to the local build manifest) - you will find the commits for the features you've asked for always in the 'lin-15.1-microG' branch of my frameworks/base fork, for the sensors in PG additionally in frameworks/native and to make the PG switches visible, obviously packages/apps/Settings, always the 'lin-15.1-microG' branch.
Location services doesn't seem to be working and trying to access the location settings just fc the settings app.
Ahki767 said:
Location services doesn't seem to be working and trying to access the location settings just fc the settings app.
I am using this build myself w/o issues. Do you have a log?
One general advice: After 1st install, you should enter the microG settings and perform the setup as described in the link "LineageOS for microG" in OP. (I'll add a line telling this to the installation instructions)
EDIT: In short, click on 'unified NLP' and configure the location providers. Afterwards go to 'Self test' and click on each "unchecked" item and follow the instructions.
Huge thanks for the extra effort you gave to this. I was so excited when I found this thread a week ago and yesterday got my OnePlus 3T and installed this.
A few questions: When I activate the iptables block script it breaks Spotify. I know Spotify tries to connect to graph.facebook.com so is this the cause? And can I edit the iptables script somehow? I am quite a newb with this stuff. Or maybe just disable the script and edit the hosts file to add graph.facebook.com (it's not there)? Though I would like to use this script.
eightfiveseven said:
Huge thanks for the extra effort you gave to this. I was so excited when I found this thread a week ago and yesterday got my OnePlus 3T and installed this.
A few questions: When I activate the iptables block script it breaks Spotify. I know Spotify tries to connect to graph.facebook.com so is this the cause? And can I edit the iptables script somehow? I am quite a newb with this stuff. Or maybe just disable the script and edit the hosts file to add graph.facebook.com (it's not there)? Though I would like to use this script.
graph.facebook.com is FB's track&spy server, so unless you use an "original" FB product like their spy app or one of their messengers, there is no reason to allow any connection to FB. (OK, some people also allow their Login services spying on them...)
The reason, why Spotify breaks, is that Spotify is hosted on Google servers. I may think about adding the Spotify app to the exception list for Google (from its permissions however, this app seems also quite invasive, so not sure yet) This would mean that this app would still send tracking data to the Google trackers Ads, Crashlytics and DoubleClick and others (Spotify uses 9 trackers, according to Exodus, which is a lot!)
Yes, you can edit the script, but for this you need a root shell (e.g. via adb) - the script file is /system/bin/z_iptables and you would need to add the line com.spotify.music into the list under list_apps()
Regards, M.
MSe1969 said:
graph.facebook.com is FB's track&spy server, so unless you use an "original" FB product like their spy app or one of their messengers, there is no reason to allow any connection to FB. (OK, some people also allow their Login services spying on them...)
The reason, why Spotify breaks, is that Spotify is hosted on Google servers. I may think about adding the Spotify app to the exception list for Google (from its permissions however, this app seems also quite invasive, so not sure yet) This would mean that this app would still send tracking data to the Google trackers Ads, Crashlytics and DoubleClick and others (Spotify uses 9 trackers, according to Exodus, which is a lot!)
Yes, you can edit the script, but for this you need a root shell (e.g. via adb) - the script file is /system/bin/z_iptables and you would need to add the line com.spotify.music into the list under list_apps()
Regards, M.
Thanks for the info! I edited z_iptables to bypass Spotify and now it's working. I also added graph.facebook.com to the hosts file and to z_iptables (graph.facebook.com IP is 31.13.71.1 and it was missing from iptables) and now it's blocked (don't know which one is blocking it). Btw what does the number after the IP mean? Example 31.13.24.0/21
But I still get some calling to settings.crashlytics.com, app.adjust.com and clients3.google.com according to my Pi-hole (which are blocked in it).
Might have to add them too.
Though my adb pull command for the Hosts file stopped working... (freezes in 14%) Any ideas why? This is first time I am doing anything like this so I'm bit nervous.
eightfiveseven said:
Thanks for the info! I edited z_iptables to bypass Spotify and now it's working. I also added graph.facebook.com to the hosts file and to z_iptables (graph.facebook.com IP is 31.13.71.1 and it was missing from iptables) and now it's blocked (don't know which one is blocking it). Btw what does the number after the IP mean? Example 31.13.24.0/21
But I still get some calling to settings.crashlytics.com, app.adjust.com and clients3.google.com according to my Pi-hole (which are blocked in it).
Might have to add them too.
Though my adb pull command for the Hosts file stopped working... (freezes in 14%) Any ideas why? This is the first time I am doing anything like this so I'm a bit nervous.
Be careful!
The "/21" in 31.12.24.0/21 means range 31.12.24.0 . . . 31.12.31.255 and the also specified blocking entry 31.13.64.0/18 means 31.13.64.0 . . . 31.13.127.255, which includes 31.13.71.1 - further explanation of the subnets can be found e.g. here
Therefore, if you could still reach graph.facebook.com resolving to 31.13.71.1, the iptables config may not be effective at all (the calls to adjust and Google indicate so)! Please open a browser on your device and simply enter 'facebook.com' as address - if you are redirected to FB for logon, the firewall-blocking is inactive - in that case, please try to deactivate and reactivate the iptables block script and try again. If it persists, open an adb root shell, cd to /system/bin and execute the command ./z_iptables set and watch out for error messages.
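The subnet arithmetic from this reply, and the question of which layer is doing the blocking, as an added example that is not part of the thread and not the ROM's z_iptables script: it uses Python's ipaddress module on the two CIDR entries quoted above (taking 31.13.24.0/21 as written in the question). The hosts-file lines, the function names and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample data. The two CIDR entries are the ones quoted in the
# thread; the hosts lines and 203.0.113.10 (a documentation address) are made up.
BLOCKED_CIDRS = ["31.13.24.0/21", "31.13.64.0/18"]
HOSTS_TEXT = """\
127.0.0.1 localhost
::1 localhost
127.0.0.1 graph.facebook.com   # added by hand
::1 graph.facebook.com
0.0.0.0 settings.crashlytics.com
"""


def cidr_range(cidr):
    """Return (first, last) address of a CIDR block as strings."""
    # strict=False also accepts an entry written with host bits set,
    # e.g. 31.13.71.1/18, and normalises it to its network.
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def covering_entry(ip, cidrs):
    """Return the first CIDR entry that already contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return cidr
    return None


def sinkholed_names(hosts_text):
    """Return hostnames that a hosts file maps to loopback or 0.0.0.0 / ::."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            target = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, ignore it
        if target.is_loopback or target.is_unspecified:
            # Hosts entries match exact names only, so a subdomain
            # needs its own line to be sinkholed.
            names.update(n.lower() for n in fields[1:]
                         if n.lower() != "localhost")
    return names


def blocking_layers(hostname, resolved_ip,
                    hosts_text=HOSTS_TEXT, cidrs=BLOCKED_CIDRS):
    """List which layer(s) would stop a connection to hostname/resolved_ip."""
    layers = []
    if hostname.lower() in sinkholed_names(hosts_text):
        layers.append("hosts")      # name never resolves to the real server
    if covering_entry(resolved_ip, cidrs) is not None:
        layers.append("iptables")   # address falls inside a blocked range
    return layers


if __name__ == "__main__":
    for cidr in BLOCKED_CIDRS:
        first, last = cidr_range(cidr)
        print(f"{cidr:16} {first} ... {last}")
    # A single address that is already inside a listed range adds nothing.
    print("31.13.71.1 covered by:", covering_entry("31.13.71.1", BLOCKED_CIDRS))
    for name, ip in [("graph.facebook.com", "31.13.71.1"),
                     ("settings.crashlytics.com", "203.0.113.10"),
                     ("app.adjust.com", "203.0.113.10")]:
        print(f"{name:26} {ip:14} blocked by: {blocking_layers(name, ip) or 'nothing'}")
```

A name that neither layer covers is still looked up and contacted, which is the kind of traffic a DNS-level logger such as the Pi-hole mentioned above will show.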
MSe1969 said:
Be careful!
The "/21" in 31.12.24.0/21 means range 31.12.24.0 . . . 31.12.31.255 and the also specified blocking entry 31.13.64.0/18 means 31.13.64.0 . . . 31.13.127.255, which includes 31.13.71.1 - further explanation of the subnets can be found e.g.
Therefore, if you could still reach graph.facebook.com resolving to 31.13.71.1, the iptables config may not be effective at all (the calls to adjust and Google indicate so)! Please open a browser on your device and simply enter 'facebook.com' as address - if you are redirected to FB for logon, the firewall-blocking is inactive - in that case, please try to deactivate and reactivate the iptables block script and try again. If it persists, open an adb root shell, cd to /system/bin and execute the command ./z_iptables set and watch out for error messages.
Yes you were correct. Script was inactive but after I removed the IP I added the script started working again. Thanks again!
Hi,
Thank you for your work! I just have two questions: do you spread updates via normal OTA or do we have to go to this thread to check for updates? I will definitely root it too with Magisk, would I need to redo this after every update?

[CLOSED]EOL [ROM][Unofficial][10.0][microG][signed]hardened LineageOS 17.1 Oneplus 7T Pro

This thread is deprecated, please look at the 18.1 successor thread.
This thread is dedicated to provide hardened Lineage-OS 17.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.
Features of this ROM
Download here
Pre-installed microG and F-Droid like LineageOS for microG project (own fork)
Pre-installed AuroraStore
OTA Support
eSpeakTTS engine
Bromite as default browser
Additional security hardening features listed below:
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
Firewall UI (under Trust)
Increased max. password length of 64
No submission of IMSI/phone number to Google when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Extra control of sensor access for additionally installed user apps (Special access under app permissions)
Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
Debloated from Oneplus blobs for Soter and IFAA
Hardened bionic lib and constified JNI method tables
Current release levels
Security string: 2021-10-01
AOSP tag: 10.0.0_r41
Bromite System Webview: M93
Source-code and build instructions
Kernel: https://github.com/lin17-microg/android_kernel_oneplus_sm8150/tree/lin-17.1-mse
Build manifest: https://github.com/lin17-microg/local_manifests/tree/lin-17.1-hmalloc
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.
Pre-Requisites
Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
An unlocked bootloader (see e.g. LineageOS install instructions)
If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])
Please read carefully:
I refer in general to the LineageOS install instructions, but there are some deviations!
It is recommended to really go through the instructions once, before doing anything. You have been warned.
Install the dedicated Lineage recovery for this ROM
For the Oneplus 7T Pro (hotdog), there is currently no official TWRP available! The unofficial TWRP did not work for me.
Please download the specific Lineage recovery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
Flash this specific recovery with the below commands:
Code:
fastboot flash recovery_a lineage-17.1-20210118-recovery-microG-signed-hotdog.img
fastboot flash recovery_b lineage-17.1-20210118-recovery-microG-signed-hotdog.img
Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.
If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
Please note, that you may get error messages stating
Partition product_b dd: /dev/block/dm-1: write error: No space left on device
Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
You can ignore those, as long as it is product or vendor.
Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP.
It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.
DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
Update Instructions
This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities necessary.
You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
IMPORTANT:
If you would like to manually update by sideloading the ROM, you need to first flash the linked recovery image (see install instructions) again via fastboot! Recovery is always updated when flashing a new ROM version, and that updated recovery can't sideload this ROM version. Don't ask me, why. I will have to find out, how to solve that issue.
Frequently asked Questions
1. AuroraStore
I bundle AuroraStore with my build, but I am in no way associated with its development. The first place to look for support is the AuroraStore XDA thread and its excellent FAQ Section. Nevertheless, I would like to answer some frequently asked questions in conjunction to my ROM:
Q: AuroraStore offers an update to "Google play services" - I thought your ROM is "Google-free"?
A: The bundled microG application spoofs the existence of Google play services. This is a necessary part of microG's design. In AuroraStore, please add the Play Services to the ignore list. You won't be able to "update" them anyhow, but better do not even try to do so!
Q: I can't connect, Aurora claims "no network" - but I can normally use my browser and other apps to connect to the internet.
A: If the "iptables block script" of my ROM is active, try deactivating and immediately after re-activating it.
If that does not help or you don't use the iptables block script of this ROM, you may try to force-close the app or logoff/logon again. However, the Aurora support thread will be your primary point to look at!
2. Google/Facebook iptables blocking
Q: How does the Google/Facebook blocking work?
A: Via the 'iptables'/'ip6tables' functionality of the Linux layer of Android, the ip4/ip6 address range of Google and Facebook is blocked on a per app base (in fact, it is generally blocked, but some apps on an internal exception list are still allowed to connect). This means, that apps (or spyware components thereof) cannot send/receive data to/from Google/Facebook. Btw, certain connections to X-mode and Palantir are also blocked, but I am not sure, whether this is enough - any qualified information to improve this are very welcome!
Q: I like this Google/Facebook blocking approach, but my favourite <xyz> app needs to be able to connect to Google/Facebook. Can you please add this app to your exception list?
A: Please read this comprehensive information. In short: If you have a trustworthy FOSS project aiming at connecting to Google/Facebook via Webview as 'mobile browser' with (almost) no permissions or you have a tracker-free app to connect to a proprietary service, which simply is hosted on a Google webspace, I am happy to discuss this, but I will definitely not allow any "Playstore top ten genuine spyware app".
Q: Which apps are on your exception list?
A: see here
Q: But if Google is blocked for almost every app, can I still get push messages?
A: Yes, you can! Push messages are routed and controlled through the microG functionality, which still can connect to Google.
3. etc/hosts ad blocking
Q: What is the etc/hosts ad-blocking and how does it work?
A: I deliver a monthly-updated /system/etc/hosts file from the AdAway app which lists a comprehensive selection of known ad/spyware addresses. Any attempt to connect to those sites is redirected to the local OS, so a positive connection is reported, but no content is transmitted. (See linked explanation).
Q: Which anti-tracker lists do you use?
A: The same defaulted by the AdAway app, plus in addition Microsoft's 'Hockey Stick' stuff.
4. Firewall UI
Q: What is the Firewall UI and how does it work?
A: Under Settings - Data privacy - Trust, you'll find a list of all installed apps (optionally, you can also show the shipped system apps), which lets you control - per app - whether the app can connect via WiFi, Mobile data or VPN. In fact, you can in any LineageOS individually control this in the app details (Settings), this option simply gives you a comprehensive view for all apps.
Q: How do I use it? What are the typical use-cases:
A: It of course depends on your specific requirement, but below some very typical use-cases:
a. Disallow internet access completely (uncheck WiFi, mobile data and VPN)
This might be useful for an app, which does not need internet access to work, but uses internet access to e.g. nag you with ad-crap (some games on the play store, for example)
b. Make sure, that an app only uses WiFi (in order to avoid costs when using mobile data) - uncheck mobile data
c. Make sure, that an app only has internet, when connected via VPN - uncheck WiFi and mobile data
5. Privacy features / data privacy of this ROM
Q: Does this ROM protect my privacy by design/default?
A: First of all, you will never get any "auto-protection" without having to take care, what you do!
What this ROM provides to you in addition to an "official" LineageOS:
This ROM comes with microG, to avoid the necessity of having to flash the Google apps, with the "mother of all spyware" called Google Play services. So many apps with that dependency would still work, either fully, or with their core-functionality, but without "extra Google convenience" features.
You can optionally block Google/Facebook connections, which can add a further protection layer (see the specific FAQ section about that feature)
Many nasty ad-servers, which are embedded into shady apps or websites are blocked by default
Some hardening measures known from the GrapheneOS project have been added
HOWEVER - just some examples, how you can easily screw up any privacy gain (this list is by far not even near to comprehensive):
You still CAN install all kinds of shady apps and use privacy-ignoring services. If you e.g. install the genuine Facebook or Instagram app, the majority of your private data on your phone will be immediately uploaded to Facebook servers, as those apps even refuse to start, if you do not grant all the sensitive permissions! (Note: Yes, afterwards, when your data has already been stolen, you can revoke those permissions again. And yes, Whatsapp seems maybe 'slightly' better in this regard, but if you really believe, that WA isn't fully integrated into the FB ecosystem, you must be living on another planet).
If you use the Microsoft Outlook app to connect to any "non-Microsoft" e-mail provider, your logon credentials to that other mail provider are stored on Microsoft servers factually allowing Microsoft to steal your identity. Using Microsoft e-mail services or GMail discloses all your e-mails to automated scanning for "suspicious activities"; this has nothing to do with your phone, but outlines, how you can void even the most secure device by making use of privacy-ignoring services.
Making use of Genuine Google-apps with microG also isn't a good idea - make use of alternatives.
Any app, which you install on your device, could misuse its needed privileges! So try to stick to FOSS apps.
And last, but not least, if you are a 'dissident' or fear otherwise any targeted or comprehensive surveillance, this ROM isn't for you either...
Dealing with signed builds
Please note, that this build is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".
Bug reports:
If you have a problem, please create a post with this information:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.
Credits
AOSP project
LineageOS project
microG project
Graphene OS project
csagan5 (Bromite)
WhyOrean (Aurora)
SkewedZeppelin (Kernel patches)
Change log
2021-10-12 - FINAL build
Security String 2021-10-01
Bromite System Webview and Browser updated to 93.0.4577.83
2021-09-10
ASB Security string 2021-09-05
microG 0.2.22.212658-2
2021-08-07
ASB Security string 2021-08-05
Bromite System Webview and Browser updated to 92.0.4515.134
F-Droid updated to 1.13
Fix in WiFi randomization
2021-07-10
ASB Security string 2021-07-05
Bromite System Webview and Browser updated to 91.0.4472.146
microG 0.2.21.212158-2
Kernel: Many sec. patches applied (taken from Divest-OS)
AuroraStore 4.0.7
2021-06-13
ASB Security string 2021-06-05
Bromite System Webview and Browser updated to 91.0.4472.102
microG 0.2.19211515-9
Kernel WLAN driver (qcacld-3.0) patched to include mitigations against "Frag" vuln.
2021-05-10
ASB Security string 2021-05-05
Bromite System Webview and Browser updated to 90.0.4430.204
Upstreamed microG (no new version)
Update: AuroraServices 1.1.1
2021-04-10
ASB Security string 2021-04-01
Bromite System Webview and Browser updated to 90.0.4430.59
F-Droid updated to 1.12
Update: AuroraStore 4.0.4 with AuroraServices 1.1.0
2021-03-08
Security string 2021-03-05
Kernel slightly patched
Bromite System Webview updated to 88.0.4324.207
Bromite Browser updated to 88.0.4324.207
F-Droid 1.11
microG 0.2.18.204714
2021-02-05
Security string 2021-02-05
Kernel slightly patched
Bromite System webview updated to 88.0.4324.141
Bromite Browser updated to 88.0.4324.141
F-Droid 1.10-alpha-234
microG 0.2.17.204714-5
2021-01-22 - Initial build
Security string 2020-01-05
Pre-installed microG (0.2.16.204713-10) and F-Droid like the LineageOS for microG project (own fork)
Pre-installed AuroraStore
Bromite as default browser (87.0.4280.106)
eSpeak TTS engine (FOSS TTS solution)
Additional security hardening features listed below:
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
Firewall UI (under Trust)
Increased max. password length of 64
No submission of IMSI/phone number to Google when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView (87.0.4280.131)
Extra control of sensor access for additionally installed user apps (Special access under app permissions)
Constified JNI method tables and hardened bionic lib
Security Hardening Features - Details
1. Pre-installed microG and F-Droid
same as the LineageOS for microG project
2. Pre-installed AuroraStore
works w/o having to enable the "unknown sources feature"
3. Extra control of sensor access for additionally installed user apps
Special access under app permissions
4. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the default DNS settings (as fallback) and network diagnostics, the Cloudflare DNS addresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)
5. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 17.1 (all settings can be changed at any time later):
Anonymous LineageOS statistics disabled (proposal during Setup)
The standard browsing app does not get the location runtime permission automatically assigned
Sensitive information is hidden on the lock screen
Camera app: Location tagging disabled by default
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without
6. Optional blocking of Facebook- and Google-Tracking
Settings => Network & Internet (scroll down)
When activated, all outgoing connection attempts to Facebook servers will be suppressed.
Same applies to Google, but certain apps on an internal exception list will still be able to connect (AuroraStore, microG, or e.g. NewPipe, if installed)
7. Optional disable captive portal detection and to select Captive portal server URL provider
Settings => Network & Internet (scroll down)
When deactivated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used. Further, the captive portal URL provider can be set (default is GrapheneOS and not Google; Settings - Network & Internet)
8. No submission of IMSI or phone number to Google when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties ) to provide this data . . .
9. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)
10. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.
11. Bromite as shipped Browser
A chromium based browser with many privacy features.
12. Firewall UI
Settings => Privacy - Firewall
Lists all apps and allows to restrict Internet access per app in regards to WiFi, mobile network or VPN
This per-app feature is a standard feature in LineageOS, but the UI to show all apps is an Extra (taken from a topic in LineageOS's Gerrit - it may, or may not, become part of the official LineageOS one day)
13. Maximum password length increased to 64
Bash:
OnePlus7TPro:/proc # zcat config.gz | grep USB_ACM
# CONFIG_USB_ACM is not set
What a shame. Can you set ACM support in kernel config?
Wow, what a work!! Thank you for this.
todevrandom said:
Bash:
OnePlus7TPro:/proc # zcat config.gz | grep USB_ACM
# CONFIG_USB_ACM is not set
What a shame. Can you set ACM support in kernel config?
Will have a look this week - the kernel right now is identical to the LineageOS "official" kernel (plus some patches). Is my understanding correct, that this is needed for USB tethering?
@MSe1969 wow.. Ok first of all thanks ! It's great seeing another privacy lover out there !
2 questions:
1. Why not going with /e/ ? Or at least push your great extensions (like firewall ui etc etc) upstream there? Just curious if there is anything preventing you going that route
2. Did you ever try locking the bootloader with the OP 7t pro? I have read that it is possible when saving the signing key via fastboot
steadfasterX said:
@MSe1969 wow.. Ok first of all thanks ! It's great seeing another privacy lover out there !
2 questions:
1. Why not going with /e/ ? Or at least push your great extensions (like firewall ui etc etc) upstream there? Just curious if there is anything preventing you going that route
2. Did you ever try locking the bootloader with the OP 7t pro? I have read that it is possible when saving the signing key via fastboot
Hi, thanks for the positive feedback.
I know /e/ and I also watch their repositories from time to time to obtain new ideas or simply see, what they do (same I do e.g. with GlassROM, GrapheneOS, divestos, ...). More a question of my personal taste to have my own build variant, which I provide meanwhile for a couple of devices (LineageOS 14.1 f. falcon & peregrine, a 16.0 treble build for Huawei P9 and 17.1 builds f. oneplus3, osprey and hotdog), but definitely no "hard" reason or any negative attitude towards /e/.
Regarding locking BL, well - as I develop for this device, locking the BL does not provide any advantage for me, on the contrary...
MSe1969 said:
Will have a look this week - the kernel right now is identical to the LineageOS "official" kernel (plus some patches). Is my understanding correct, that this is needed for USB tethering?
Yeah, for communicating with Arduino/Discovery board from Linux Deploy. It works in lineage16 for samsung. I had tried to build Lineage18.1 today following official guide but ran into some issues while building (maybe openjdk version). Next try will be the next weekend.
MSe1969 said:
Will have a look this week
Many thanks!
Anyway, thanks for this ROM
MSe1969 said:
Hi, thanks for the positive feedback.
I know /e/ and I also watch their repositories from time to time to obtain new ideas or simply see, what they do (same I do e.g. with GlassROM, GrapheneOS, divestos, ...). More a question of my personal taste to have my own build variant, which I provide meanwhile for a couple of devices (LineageOS 14.1 f. falcon & peregrine, a 16.0 treble build for Huawei P9 and 17.1 builds f. oneplus3, osprey and hotdog), but definitely no "hard" reason or any negative attitude towards /e/.
Regarding locking BL, well - as I develop for this device, locking the BL does not provide any advantage for me, on the contrary...
Afaik it is possible to lock the bootloader when using own signing keys (which you do) and just enabling the signature in fastboot. A big advantage and you won't lose anything as you can still put custom ROMs on it as long as they have the enabled signature .. Or what do I miss here?
I have tried to root it but i'm in infinite loop and power 20 s can't stop it
Edit power + volume up works
steadfasterX said:
Afaik it is possible to lock the bootloader when using own signing keys (which you do) and just enabling the signature in fastboot. A big advantage and you won't lose anything as you can still put custom ROMs on it as long as they have the enabled signature .. Or what do I miss here?
Well, for example fastboot boot testkernel.img wouldn't work any more. As said, "me doing development work" - for a user of my ROM it definitely would be beneficial. To be honest - I am not 100% sure, whether it really works (I would have to gain more information first, the 7T is brand new to me, I know it is possible with the 3T).
Would you mind testing it and confirming? (I know: If it doesn't work - you may end up in having to fully wipe, so not an easy answer - you wanted also to re-assure before simply doing it)
Azev_new said:
I have tried to root it but i'm in infinite loop and power 20 s can't stop it
Edit power + volume up works
OK, glad you've found the way to stop the loop.
What exactly have you done (step by step), when you attempted to root the device?
MSe1969 said:
OK, glad you've found the way to stop the loop.
What exactly have you done (step by step), when you attempted to root the device?
- Transfer Boot.img from your rom to phone
- Flash boot.img with latest Magisk Manager
- Transfer patched-magisk.img to PC
- Connected phone to PC with cable
- Launch Power shell Windows
- Command > ./adb reboot bootloader
- Command > ./fastboot boot magisk_patched.img
- Bootloop before I can start for flash definitively
BTW great rom, smooth and battery friendly.
Since I have changed accent color with Styles and Wallpapers in settings, the app crashes. I have rebooted the phone many times. I have used this option 4 times after a reboot, you can see it in the logcat
I put a screenshot and a logcat file
MSe1969 said:
Well, for example fastboot boot testkernel.img wouldn't work any more. As said, "me doing development work" - for a user of my ROM it definitely would be beneficial. To be honest - I am not 100% sure, whether it really works (I would have to gain more information first, the 7T is brand new to me, I know it is possible with the 3T).
Would you mind testing it and confirming? (I know: If it doesn't work - you may end up in having to fully wipe, so not an easy answer - you wanted also to re-assure before simply doing it)
Ah ok I see. Well.. It's my DD and so nothing I can do easily. I'll build /e/ for this device as soon as my time permits as the plan was to go with /e/.. Now with the appearance of your ROM I am not sure which to choose lol
Brightness doesn't drop below 33% as seen in Settings while slider at its minimum position
todevrandom said:
Brightness doesn't drop below 33% as seen in Settings while slider at its minimum position
I haven't changed any display settings compared to the original LineageOS device config, so I assume the official LineageOS ROM behaves the same.
Azev_new said:
Since I have changed accent color with Styles and Wallpapers in settings, the app crashes. I have rebooted the phone many times. I have used this option 4 times after a reboot, you can see it in the logcat
I put a screenshot and a logcat file and a screenshot
Thanks for the log - will have a look later
I have problems with notifications too, if the screen is off, I don't have notifications from SMS and chats (telegram, Signal)
Edit: Notifications fixed, my bad
Re-Edit: second attempt for root was the good one

[CLOSED][ROM][Unofficial][11.0][microG][signed]hardened LineageOS 18.1 Oneplus 7T Pro

This thread is deprecated, please look at its successor thread.
This thread is dedicated to provide hardened Lineage-OS 18.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.
You can consider this thread as the successor of my respective LineageOS 17.1 thread.
Features of this ROM
Download here
Pre-installed microG like LineageOS for microG project (own fork)
Pre-installed AuroraStore, AuroraDroid and AuroraServices
OTA Support
eSpeakTTS engine
Bromite as default browser
Additional security hardening features listed below:
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
Firewall UI (under Trust)
Increased max. password length of 64
No submission of IMSI/phone number to Google when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView
Extra control of sensor access for additionally installed user apps (Special access under app permissions)
Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
Debloated from Oneplus blobs for Soter and IFAA
Hardened bionic lib and constified JNI method tables
Option to only use fingerprint unlock for apps and not for the device
Optional timeout for Bluetooth and WLAN connections
Per connection WiFi randomization option
Current release levels
Security string: 2023-01-01
AOSP tag: 11.0.0_r46
Bromite System Webview & Browser: M108
Source-code and build instructions
Kernel: https://github.com/lin18-microg/android_kernel_oneplus_sm8150/tree/lin-18.1-mse2
Build manifest: https://github.com/lin18-microg/local_manifests/tree/lin-18.1-hmalloc
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.
Pre-Requisites
Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
An unlocked bootloader (see e.g. LineageOS install instructions)
If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])
Please read carefully:
I refer in general to the LineageOS install instructions, but there are some deviations!
It is recommended to really go through the instructions once, before doing anything. You have been warned.
Let's go!
Install the dedicated Lineage recovery for this ROM
For the Oneplus 7T Pro (hotdog), there is currently no fully working official TWRP available! The offered official one can't decrypt the /data partition and I don't fully trust the rest.
Please download the specific Lineage recovery for this build. It has been built using this ROM's signing key, because the official Lineage recovery did not work either for me (the official Lineage recovery works with the official build, this one works for this specific build).
Unzip and flash this specific recovery with the below commands (your device must be in 'fastboot mode'):
Code:
fastboot flash recovery_a lineage-18.1-recovery-20210903.img
fastboot flash recovery_b lineage-18.1-recovery-20210903.img
Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.
If you come from Stock ROM, synchronize the a/b partitions
If you come from Stock ROM, sideload the "copy partitions" script referred and described in the LineageOS install instructions.
Please note, that you may get error messages stating
Partition product_b dd: /dev/block/dm-1: write error: No space left on device
Partition vendor_b dd: /dev/block/dm-2: write error: No space left on device
You can ignore those, as long as it is product or vendor.
Upgrade the firmware
Please refer to the LineageOS documentation on upgrading the firmware
BTW, this thread contains a huge collection of OOS images.
Install the ROM
Continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP (download link above).
It is normal, that you observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.
Please note: Even if you come from my previous hardened LineageOS 17.1 ROM, you can't "dirty-flash" - the device encryption is not compatible. You must format the /data partition! Please keep in mind, that formatting the /data partition also wipes the shared internal memory - backup first!
DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps.
If Gapps is a 'must' for you, please use the official LineageOS build for this device.
Update Instructions
This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities are necessary.
You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
Frequently asked Questions
These questions come from various threads for my hardened microG ROMs. I have listed them here, because they also apply to this ROM and are hopefully helpful.
1. AuroraStore
I bundle AuroraStore with my build, but I am in no way associated with its development. The first place to look for support is the AuroraStore XDA thread and its excellent FAQ Section. Nevertheless, I would like to answer some frequently asked questions in conjunction to my ROM:
Q: AuroraStore offers an update to "Google play services" - I thought your ROM is "Google-free"?
A: The bundled microG application spoofs the existence of Google play services. This is a necessary part of microG's design. In AuroraStore, please add the Play Services to the ignore list. You won't be able to "update" them anyhow, but better do not even try to do so!
Q: I can't connect, Aurora claims "no network" - but I can normally use my browser and other apps to connect to the internet.
A: If the "iptables block script" of my ROM is active, try deactivating it and immediately afterwards re-activating it.
If that does not help or you don't use the iptables block script of this ROM, you may try to force-close the app or logoff/logon again. However, the Aurora support thread will be your primary point to look at!
2. Google/Facebook iptables blocking
Q: How does the Google/Facebook blocking work?
A: Via the 'iptables'/'ip6tables' functionality of the Linux layer of Android, the ip4/ip6 address range of Google and Facebook is blocked on a per-app basis (in fact, it is generally blocked, but some apps on an internal exception list are still allowed to connect). This means, that apps (or spyware components thereof) cannot send/receive data to/from Google/Facebook. Btw, certain connections to X-mode and Palantir are also blocked, but I am not sure, whether this is enough - any qualified information to improve this is very welcome!
Q: I like this Google/Facebook blocking approach, but my favourite <xyz> app needs to be able to connect to Google/Facebook. Can you please add this app to your exception list?
A: Please read this comprehensive information. In short: If you have a trustworthy FOSS project aiming at connecting to Google/Facebook via Webview as 'mobile browser' with (almost) no permissions or you have a tracker-free app to connect to a proprietary service, which simply is hosted on a Google webspace, I am happy to discuss this, but I will definitely not allow any "Playstore top ten genuine spyware app".
Q: Which apps are on your exception list?
A: see here
Q: But if Google is blocked for almost every app, can I still get push messages?
A: Yes, you can! Push messages are routed and controlled through the microG functionality, which still can connect to Google.
3. etc/hosts ad blocking
Q: What is the etc/hosts ad-blocking and how does it work?
A: I deliver a monthly-updated /system/etc/hosts file from the AdAway app which lists a comprehensive selection of known ad/spyware addresses. Any attempt to connect to those sites is redirected to the local OS, so a positive connection is reported, but no content is transmitted. (See linked explanation).
Q: Which anti-tracker lists do you use?
A: The same defaulted by the AdAway app, plus in addition Microsoft's 'Hockey Stick' stuff.
4. Firewall UI
Q: What is the Firewall UI and how does it work?
A: Under Settings - Data privacy - Trust, you'll find a list of all installed apps (optionally, you can also show the shipped system apps), which lets you control - per app - whether the app can connect via WiFi, Mobile data or VPN. In fact, you can in any LineageOS individually control this in the app details (Settings), this option simply gives you a comprehensive view for all apps.
Q: How do I use it? What are the typical use-cases:
A: It of course depends on your specific requirement, but below some very typical use-cases:
a. Disallow internet access completely (uncheck WiFi, mobile data and VPN)
This might be useful for an app, which does not need internet access to work, but uses internet access to e.g. nag you with ad-crap (some games on the play store, for example)
b. Make sure, that an app only uses WiFi (in order to avoid costs when using mobile data) - uncheck mobile data
c. Make sure, that an app only has internet, when connected via VPN - uncheck WiFi and mobile data
5. Privacy features / data privacy of this ROM
Q: Does this ROM protect my privacy by design/default?
A: First of all, you will never get any "auto-protection" without having to take care, what you do!
What this ROM provides to you in addition to an "official" LineageOS:
This ROM comes with microG, to avoid the necessity of having to flash the Google apps, with the "mother of all spyware" called Google Play services. So many apps with that dependency would still work, either fully, or with their core-functionality, but without "extra Google convenience" features.
You can optionally block Google/Facebook connections, which can add a further protection layer (see the specific FAQ section about that feature)
Many nasty ad-servers, which are embedded into shady apps or websites are blocked by default
Some hardening measures known from the GrapheneOS project have been added
HOWEVER - just some examples, how you can easily screw up any privacy gain (this list is by far not even near to comprehensive):
You still CAN install all kinds of shady apps and use privacy-ignoring services. If you e.g. install the genuine Facebook or Instagram app, the majority of your private data on your phone will be immediately uploaded to Facebook servers, as those apps even refuse to start, if you do not grant all the sensitive permissions! (Note: Yes, afterwards, when your data has already been stolen, you can revoke those permissions again. And yes, Whatsapp seems maybe 'slightly' better in this regard, but if you really believe, that WA isn't fully integrated into the FB ecosystem, you must be living on another planet).
If you use the Microsoft Outlook app to connect to any "non-Microsoft" e-mail provider, your logon credentials to that other mail provider are stored on Microsoft servers factually allowing Microsoft to steal your identity. Using Microsoft e-mail services or GMail discloses all your e-mails to automated scanning for "suspicious activities"; this has nothing to do with your phone, but outlines, how you can void even the most secure device by making use of privacy-ignoring services.
Making use of Genuine Google-apps with microG also isn't a good idea - make use of alternatives.
Any app, which you install on your device, could misuse its needed privileges! So try to stick to FOSS apps.
And last, but not least, if you are a 'dissident' or fear otherwise any targeted or comprehensive surveillance, this ROM isn't for you either...
Dealing with signed builds
Please note, that this build is signed with an own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".
Bug reports:
If you have a problem, please create a post with this information:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.
Credits
AOSP project
LineageOS project
microG project
Graphene OS project
csagan5 (Bromite)
WhyOrean (Aurora)
SkewedZeppelin (Kernel patches)
Change Log
January 2023 - FINAL build
Security string 2023-01-01
Bromite Browser and Webview updated to 108.0.5359.156
microG 0.2.26.223616-16
December 2022
Security string 2022-12-05
Bromite Browser and Webview updated to 108.0.5359.106
Some kernel patches
microG 0.2.26.223616-2
November 2022
Security string 2022-11-05
Bromite Browser and Webview updated to 106.0.5249.163
Some kernel patches
microG 0.2.25.223616-10
October 2022
Security string 2022-10-05
Bromite Browser and Webview updated to 105.0.5195.147
Some kernel patches
microG 0.2.24.223616-61
September 9th, 2022
Security string 2022-09-05
Bromite Browser and Webview updated to 104.0.5112.91
Kernel: Some patches and also hardening (GrapheneOS patches)
microG 0.2.24.214816-30
Contacts app slightly 'de-Googled'
Updated vendor blobs from OOS 11.0.9.1 (vendor sec. string 2022-06-01)
August 6th, 2022
Security string 2022-08-05
Bromite Browser and Webview updated to 103.0.5060.140
Some kernel patches
July 12th, 2022
Security string 2022-07-05
Some kernel patches
June 14th, 2022
Security string 2022-06-05
Some kernel patches
Bromite Browser and Webview on 102.0.5005.96
microG updated to 0.2.24.214816-11
May 7th, 2022
Security string 2022-05-05
Some kernel patches
Bromite Browser and Webview on 101.0.4951.53
microG updated to 0.2.24.214816-10
Mozilla Location provider on 1.5.0
April 11th, 2022
Security string 2022-04-05
Some kernel patches
Bromite Browser and Webview on 100.0.4896.57
March 15th, 2022
Bromite Browser and Webview on 99.0.4844.58 (bugfix build)
March 11th, 2022
Security string 2022-03-05
Some kernel patches
Bromite Browser and Webview on 99.0.4844.55
microG 0.2.24.214816-2
AuroraStore 4.1.1
January 20th, 2022
Security string 2022-01-05
Some kernel patches
A couple of patches and fixes from LineageOS
December 19th, 2021
Security string 2021-12-05
Bromite System Webview and Browser updated to 96.0.4664.54
microG 0.22.214516-21
November 16th, 2021
Security string 2021-11-05
Bromite System Webview and Browser updated to 94.0.4606.109
Recovery will not be overwritten any more when flashing
October 11th, 2021
Security string 2021-10-01
AOSP tag 11.0.0_r46
Bromite System Webview and Browser updated to 93.0.4577.83
September 17th, 2021
Initial build:
Security string 2021-09-05
AOSP tag 11.0.0_r43
Vendor blobs based on OOS 11.0.3.1
Pre-installed microG (0.2.22.212658-2) like LineageOS for microG project (own fork)
Pre-installed AuroraStore (4.0.7), AuroraDroid (1.0.8) and AuroraServices (1.1.1)
OTA Support
eSpeakTTS engine
Bromite (92.0.4515.134) as default browser
Additional security hardening features listed below:
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
Firewall UI (under Trust)
Increased max. password length of 64
No submission of IMSI/phone number to Google when GPS is in use
Default hosts file with many blocked ad/tracking sites
Privacy-enhanced Bromite SystemWebView (92.0.4515.134)
Extra control of sensor access for additionally installed user apps (Special access under app permissions)
Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
Debloated from Oneplus blobs for Soter and IFAA
Hardened bionic lib and constified JNI method tables
Option to only use fingerprint unlock for apps and not for the device
Optional timeout for Bluetooth and WLAN connections
Per connection WiFi randomization option
Security Hardening Features - Details
1. Pre-installed microG
same as the LineageOS for microG project
2. Pre-installed AuroraStore and AuroraDroid
works w/o having to enable the "unknown sources feature"
3. Extra control of sensor access for additionally installed user apps
Special access under app permissions
4. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the default DNS settings (as fallback) and network diagnostics, the Cloudflare DNS addresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)
5. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 17.1 (all settings can be changed at any time later - credits go to the GrapheneOS project):
Anonymous LineageOS statistics disabled (proposal during Setup)
The standard browsing app does not get the location runtime permission automatically assigned
Sensitive information is hidden on the lock screen
Camera app: Location tagging disabled by default
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without
6. Optional blocking of Facebook- and Google-Tracking
Settings => Network & Internet (scroll down)
When activated, outgoing connection attempts to Facebook servers and to Google servers will be suppressed. Certain apps on an internal exception list will still be able to connect (e.g. AuroraStore, microG, or NewPipe, if installed)
7. Optional disable captive portal detection and to select Captive portal server URL provider
Settings => Network & Internet (scroll down)
When deactivated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used. Further, the captive portal URL provider can be set (default is GrapheneOS and not Google; Settings - Network & Internet)
8. No submission of IMSI or phone number to Google when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties) to provide this data...
9. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)
10. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.
11. Bromite as shipped Browser
A chromium based browser with many privacy features.
12. Firewall UI
Settings => Privacy - Firewall
Lists all apps and allows to restrict Internet access per app in regards to WiFi, mobile network or VPN
This per-app feature is a standard feature in LineageOS, but the UI to show all apps is an Extra (taken from a topic in LineageOS's Gerrit - it may, or may not, become part of the official LineageOS one day)
13. Maximum password length increased to 64
14. Debloated from Oneplus blobs for Soter and IFAA
Unnecessary privacy intrusive vendor blobs are not included in the build
15. Hardened bionic lib and constified JNI method tables
This has been taken over from GrapheneOS
16. Option to only use fingerprint unlock for apps and not for the device
An option in the fingerprint settings, also taken from GrapheneOS
17. Optional timeout for Bluetooth and WLAN connections
See respective settings, also a GrapheneOS feature
18. Per connection WiFi randomization option
A further GrapheneOS feature - improved randomization to make tracking more difficult.
Tips & tricks
Recovery Error 7 when installing
If you aim at installing this ROM for the 1st time (e.g. you come from Stock or other Custom ROM), please check this FAQ section in the LineageOS wiki.
Recovery Error 7 when updating this ROM
If OTA update fails, try manually sideloading (see OP).
If you see some error like ErrorCode::kInstallDeviceOpenError (7) then do the following:
In Recovery, switch to fastbootd (do not 'reboot to bootloader', really choose the fastboot option in recovery)
Connect your device via USB to your PC and run the following commands:
Code:
fastboot delete-logical-partition system_a
fastboot delete-logical-partition system_ext_a
fastboot delete-logical-partition product_a
fastboot delete-logical-partition vendor_a
fastboot delete-logical-partition odm_a
fastboot delete-logical-partition system_b
fastboot delete-logical-partition system_ext_b
fastboot delete-logical-partition product_b
fastboot delete-logical-partition vendor_b
fastboot delete-logical-partition odm_b
Return to recovery from fastbootd mode
Do 'adb sideload' again, it should work now
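The per-app Google/Facebook blocking described in FAQ section 2 and feature 6 of the post above can be pictured as an owner-match chain: exempt app UIDs return first, then the blocked ranges are rejected, for IPv4 and IPv6 alike. This is an added example, not the ROM's own script; the chain name, UIDs and address ranges (documentation prefixes) are constructed placeholders, and the script only prints the rules instead of applying them.

```shell
#!/bin/sh
# Added illustration: prints an iptables/ip6tables rule set, does not apply it.
# Chain name, UIDs and networks are constructed placeholders, not the ROM's values.

CHAIN="blocklist_demo"        # hypothetical chain name
EXEMPT_UIDS="10101 10102"     # constructed app UIDs on the exception list
BLOCKED_NETS="192.0.2.0/24 198.51.100.0/24 2001:db8:1::/48"  # documentation ranges

# Pick the tool by address family: a range containing ':' is IPv6.
tool_for() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Emit the full rule set in evaluation order, once per address family.
# Covering only IPv4 would leave the IPv6 path to the same hosts open.
gen_rules() {
    for tool in iptables ip6tables; do
        echo "$tool -N $CHAIN"
        echo "$tool -A OUTPUT -j $CHAIN"
        # 1) Exceptions first: traffic owned by an exempt UID leaves the chain.
        for uid in $EXEMPT_UIDS; do
            echo "$tool -A $CHAIN -m owner --uid-owner $uid -j RETURN"
        done
        # 2) All other senders: reject blocked destinations of this family.
        for net in $BLOCKED_NETS; do
            [ "$(tool_for "$net")" = "$tool" ] || continue
            echo "$tool -A $CHAIN -d $net -j REJECT"
        done
    done
}

# Review check: rules are evaluated top to bottom and the first match wins,
# so a RETURN placed after a REJECT in the same chain never exempts anything.
# Reads rules on stdin, prints offending lines, exits 1 if any were found.
check_order() {
    awk -v chain="$CHAIN" '
        $2 == "-A" && $3 == chain {
            if ($NF == "REJECT") seen[$1] = 1
            else if ($NF == "RETURN" && seen[$1]) { print; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Count the rules with a given target (RETURN/REJECT) for a given tool.
count_rules() {
    gen_rules | grep -c "^$1 -A $CHAIN .* -j $2\$"
}

# Stand-alone run: print the rule set only if the ordering check passes.
gen_rules | check_order && gen_rules
```

The owner match is only valid for locally generated traffic, which is why the chain hangs off OUTPUT.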
This got released like just now lmao. Have you experienced any bugs thus far? @MSe1969
madscenes said:
This got released like just now lmao. Have you experienced any bugs thus far? @MSe1969
No bugs so far.
As described in the OP, it is the successor of my 17.1 hardened LineageOS and I used it as my daily driver. (It took me a while to get rid of quite a few annoying bugs, while I was testing it and providing test builds in my 17.1 thread).
Hoping to see a working TWRP for this device some day...
Ok, After 2 Days of use, there are no Problems. All works like a charm.
Thank you very much!
Are there any issues related to running microG instead of Play Services? Or does everything pretty much work as intended?
L4WL13T said:
Are there any issues related to running microG instead of Play Services? Or does everything pretty much work as intended?
Not an easy "yes" answer - so let me give you two answers:
a. Official information sources:
microG Project
Implementation Status
Especially the 2nd link shows you, what works, what partially works and what does not work.
b. My personal point of view
I consider the genuine play services as efficient spyware, which I personally do not want to use at all. microG cannot fully replace them (and does not aim at). As such, it does not make sense to continue using your G* account and all the genuine G* apps. So if you want to use the e.g. Gmail app to access your Gmail account, you're better off with the genuine G* spy services, as G* anyhow scans all your Gmail stuff for whatever purposes and you don't really gain back a lot of privacy by using microG instead of the G* spy services.
However - if you anyhow aim at getting away from G*, and you start focusing on the already available alternatives (and those do exist and are partly better), especially in the FOSS area, then I personally would highlight the below functionalities, where microG will provide a great value:
- Coarse location functionality with options to be anonymous (different from G* knowing at any time, where you are)
- Cloud messaging
- Exposure notifications (for Covid tracing apps)
- Most apps using Google dependencies and libraries, whose primary focus is not a deep G* integration mostly work flawlessly
The king is dead, long live the king!
Best ROM and reason to get this phone.
MSe1969 said:
Not an easy "yes" answer - so let me give you two answers:
a. Official information sources:
microG Project
Implementation Status
Especially the 2nd link shows you, what works, what partially works and what does not work.
b. My personal point of view
I consider the genuine play services as efficient spyware, which I personally do not want to use at all. microG cannot fully replace them (and does not aim at). As such, it does not make sense to continue using your G* account and all the genuine G* apps. So if you want to use the e.g. Gmail app to access your Gmail account, you're better off with the genuine G* spy services, as G* anyhow scans all your Gmail stuff for whatever purposes and you don't really gain back a lot of privacy by using microG instead of the G* spy services.
However - if you anyhow aim at getting away from G*, and you start focusing on the already available alternatives (and those do exist and are partly better), especially in the FOSS area, then I personally would highlight the below functionalities, where microG will provide a great value:
- Coarse location functionality with options to be anonymous (different from G* knowing at any time, where you are)
- Cloud messaging
- Exposure notifications (for Covid tracing apps)
- Most apps using Google dependencies and libraries, whose primary focus is not a deep G* integration mostly work flawlessly
Thank you for your in-depth response, it was really enlightening, the web page you linked made it a lot easier for me to understand.
One more question I have is what's the impact on battery life? Is it better? The same? Or worse?
Thank you!
L4WL13T said:
Thank you for your in-depth response, it was really enlightening, the web page you linked made it a lot easier for me to understand.
One more question I have is what's the impact on battery life? Is it better? The same? Or worse?
Thank you!
I have been running it for a few days and the battery seems to be fine and better than OxygenOS
L4WL13T said:
One more question I have is what's the impact on battery life? Is it better? The same? Or worse?
I'd say better. Depends of course on your specific setup, but not having Google play services is a solid starting point for better battery behavior and less data consumption.
What Camera app does it use?
iamaldrin08 said:
What Camera app does it use?
Snap, same as official LineageOS build f. hotdog device
Tempted to update to this new version, coming from your splendid 17.1 ROM
In order not to mess up the updating process I kindly ask the OP to clarify the following points (which may seem trivial for more tech-savvy users than myself).
When starting the Oxygen-Updates App: is "Oneplus 7T Pro" (= Chinese Version?!) the correct device name? (that's what it says about my device in the "about the phone" section of your 17.1 ROM)
What 11.x OOS firmware version should I download via Oxygen-Updates? Latest regular one or latest beta?
When it comes to extracting the stock ROM via payload-dumper-go: is it safe to download the most recent version of the payload-dumper-go-software (1.2.0-1) from the AUR (I'm running Manjaro Linux)?
What folder do I need to copy the extracted stock ROM to in order to execute the commands given here https://wiki.lineageos.org/devices/hotdog/fw_update in the LineageOS Wiki?
Thanks in advance for any help.
pa.trick said:
When starting the Oxygen-Updates App: is "Oneplus 7T Pro" (= Chinese Version?!) the correct device name? (that's what it says about my device in the "about the phone" section of your 17.1 ROM)
To be on the safe side, look at the model code on the backside of the device:
HD1910: Chinese / HK
HD1911: Indian
HD1913: Europe
pa.trick said:
What 11.x OOS firmware version should I download via Oxygen-Updates? Latest regular one or latest beta?
Regular; it should be dated around July or August this year, depending on which version.
pa.trick said:
When it comes to extracting the stock ROM via payload-dumper-go: is it safe to download the most recent version of the payload-dumper-go-software (1.2.0-1) from the AUR (I'm running Manjaro Linux)?
I have downloaded manually from the GH repo. Look at the version number.
pa.trick said:
What folder do I need to copy the extracted stock ROM to in order to execute the commands given here https://wiki.lineageos.org/devices/hotdog/fw_update in the LineageOS Wiki?
Does not matter, simply run fastboot from the same directory.
Has anybody had success installing Magisk? How did you do it?
I had LOS 18.1 for microG previously and I just flashed Magisk-v23.0.zip right after having installed that OS and that worked, but with this it doesn't.
EDIT: nvm I'm an idiot and forgot to reboot before installing. Can confirm ROM works with Magisk.
I'll be honest, I'm not yet ready to do the backup/restore/fail/fix dance but I intend to do it as soon as I can; thanks a lot for your work anyways !
If one of these days you come in the French Alps, just message me beforehand ! Beers are due.
This is applicable to the Oneplus 7T as well, right? Or is the partition layout of the Oneplus 7T different from that of the Oneplus 7T Pro?

[ROM][Unofficial][12.1][microG][signed]hardened LineageOS 19.1 Oneplus 7T Pro

This thread is dedicated to provide hardened Lineage-OS 19.1 builds with microG included for the OnePlus 7T Pro (hotdog) with current security patches.
You can consider this thread as the successor of my respective LineageOS 18.1 thread.
Features of this ROM
Download here
Pre-installed microG like LineageOS for microG project (own fork)
Pre-installed AuroraStore, AuroraDroid and AuroraServices
OTA Support
Additional security hardening features listed below:
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
Optional disable captive portal detection or choose from various providers (default is GrapheneOS and not Google; Settings - Network & Internet)
Increased max. password length of 64
Enhanced controls for secondary users
Exec spawning (ported from GrapheneOS)
No submission of IMSI/phone number to Google when GPS is in use
Default hosts file with many blocked ad/tracking sites (can be disabled)
Privacy-enhanced Bromite SystemWebView Mulch System Webview
Extra control of sensor access for additionally installed user apps (Special access under app permissions)
Kernel kept up to date with ASB patches of Google kernel/common 'android-4.14-q-release' branch
Debloated from Oneplus blobs for Soter and IFAA
Hardened bionic lib and constified JNI method tables
Optional timeout for Bluetooth and WLAN connections
Optional auto-reboot if device not unlocked for defined timeframe
Option to only use fingerprint unlock for apps and not for the device
Optional timeout for Bluetooth and WLAN connections
Per connection WiFi randomization option
Sensitive QS Tiles require unlocking
Native debugging
Ability to disable non-system apps from the "App info" screen
Scoped storage (ported from GrapheneOS)
Firewall UI (Settings - Network & Internet - Manage data restrictions)
Current release levels
Security string: 2023-06-05
AOSP tag: 12.1.0_r22
Mulch System Webview M114
Source-code and build instructions
Kernel: https://github.com/lin19-microg/android_kernel_oneplus_sm8150/tree/lin-19.1-mse
Build manifest: https://github.com/lin19-microg/local_manifests/tree/lin-19.1-microG
Installation Instructions
YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!
Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.
Pre-Requisites
Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
An unlocked bootloader (see e.g. LineageOS install instructions)
If you come from Stock ROM, make sure to upgrade your device to the latest offered software version
Know, how to boot into fastboot mode (with powered off device press [Power]+[Vol.down]+[Vol.up])
Please read carefully:
I refer in general to the LineageOS install instructions, but there are some deviations!
It is recommended to really carefully go completely through the instructions below once, before doing anything. You have been warned!
Let's go!
Install the dedicated Lineage 19.1 recovery for this ROM
For the Oneplus 7T Pro (hotdog), there is currently no fully working official TWRP available! The offered official one can't decrypt the /data partition and I am not 100% sure about the rest.
Please download and unpack the specific Lineage recovery for this build. It has been built using this ROM's signing key. Unzip and flash this specific recovery with the below commands (your device must be in 'fastboot mode'):
Code:
fastboot flash recovery_a lineage-19.1-20221222-recovery-hotdog.img
fastboot flash recovery_b lineage-19.1-20221222-recovery-hotdog.img
Reboot now into recovery from fastboot (follow the menu options) - DO NOT boot into your OS yet.
Make sure, your firmware is on Android 12
If you are already on Android 12 with Stock OxygenOS and are on the latest offered patch level, be happy and proceed with the next chapter. Same applies, if you come from a different Android 12 based Custom ROM and you know for sure, that the firmware has been updated to Android 12.
In all other cases, you must update the firmware before proceeding. Please refer to the LineageOS documentation on upgrading the firmware - the best source right now seems to be the linked Oxygen Updater app (obtain and download the file only). If you have a European 7T Pro (HD1913), you can unpack the firmware file here and follow the README instead.
Please note: If the touch screen does not work after booting up to the Lineage 19.1 recovery, then it is a clear sign, that you need to update the firmware (the touch screen also won't work in that case, when you boot the OS). The recovery also lets you navigate with vol-up/vol-down and select via Power key, so you can proceed. However, if you prefer, you can temporarily also flash the LineageOS 18.1 recovery from the above linked 18.1 predecessor thread, but then make sure, that after having upgraded the firmware, you will flash the 19.1 recovery again as explained above. Reboot into the recovery after having updated the firmware.
Install the ROM
If you come from my previous LineageOS 18.1 ROM, you can simply sideload the 19.1 ROM on top of my 18.1 ROM, so don't format the /data partition (unless you really want to get rid of your data). In all other cases, you have no choice than formatting /data, so continue as described in the LineageOS installation instructions with formatting /data and sideloading the ROM ZIP (download link above).
It is normal, that you may observe at 47% progress a longer break, followed by a step 1/2 and finally 2/2 before a success message appears.
In case you need to format /data:
Please keep in mind, that formatting the /data partition also wipes the shared internal memory - backup first!
DO NOT flash Gapps!
This ROM comes with pre-installed microG. So don't attempt to flash Gapps. If Gapps is a 'must' for you, please use the official LineageOS build for this device.
Update Instructions
This ROM offers OTA updates through the Updater app. Therefore, normally, no further activities are necessary.
You can however also manually update the ROM by sideloading a newer version of this ROM via recovery.
Frequently asked Questions
These questions come from various threads for my hardened microG ROMs. I have listed them here, because they also apply to this ROM and are hopefully helpful.
1. AuroraStore
I bundle AuroraStore with my build, but I am in no way associated with its development. The first place to look for support is the AuroraStore XDA thread and its excellent FAQ Section. Nevertheless, I would like to answer some frequently asked questions in conjunction to my ROM:
Q: AuroraStore offers an update to "Google play services" - I thought your ROM is "Google-free"?
A: The bundled microG application spoofs the existence of Google play services. This is a necessary part of microG's design. In AuroraStore, please add the Play Services to the ignore list. You won't be able to "update" them anyhow, but better do not even try to do so!
Q: I can't connect, Aurora claims "no network" - but I can normally use my browser and other apps to connect to the internet.
A: If the "iptables block script" of my ROM is active, try deactivating it and re-activating it immediately afterwards.
If that does not help or you don't use the iptables block script of this ROM, you may try to force-close the app or logoff/logon again. However, the Aurora support thread will be your primary point to look at!
2. Google/Facebook iptables blocking
Q: How does the Google/Facebook blocking work?
A: Via the 'iptables'/'ip6tables' functionality of the Linux layer of Android, the ip4/ip6 address range of Google and Facebook is blocked on a per-app basis (in fact, it is generally blocked, but some apps on an internal exception list are still allowed to connect). This means that apps (or spyware components thereof) cannot send/receive data to/from Google/Facebook. Btw, certain connections to X-mode and Palantir are also blocked, but I am not sure whether this is enough - any qualified information to improve this is very welcome!
Q: I like this Google/Facebook blocking approach, but my favourite <xyz> app needs to be able to connect to Google/Facebook. Can you please add this app to your exception list?
A: Please read this comprehensive information. In short: If you have a trustworthy FOSS project aiming at connecting to Google/Facebook via Webview as 'mobile browser' with (almost) no permissions or you have a tracker-free app to connect to a proprietary service, which simply is hosted on a Google webspace, I am happy to discuss this, but I will definitely not allow any "Playstore top ten genuine spyware app".
Q: Which apps are on your exception list?
A: see here
Q: But if Google is blocked for almost every app, can I still get push messages?
A: Yes, you can! Push messages are routed and controlled through the microG functionality, which still can connect to Google.
3. etc/hosts ad blocking
Q: What is the etc/hosts ad-blocking and how does it work?
A: I deliver a monthly-updated /system/etc/hosts file from the AdAway app which lists a comprehensive selection of known ad/spyware addresses. Any attempt to connect to those sites is redirected to the local OS, so a positive connection is reported, but no content is transmitted. (See linked explanation).
Q: Which anti-tracker lists do you use?
A: The same defaulted by the AdAway app, plus in addition Microsoft's 'Hockey Stick' stuff.
4. Firewall UI
Q: What is the Firewall UI and how does it work?
A: Under Settings - Network & Internet - Manage data restrictions, you'll find a list of all installed apps (optionally, you can also show the shipped system apps), which lets you control - per app - whether the app can connect via WiFi, Mobile data or VPN. In fact, you can in any LineageOS individually control this in the app details (Settings), this option simply gives you a comprehensive view for all apps.
Q: How do I use it? What are the typical use-cases:
A: It of course depends on your specific requirement, but below some very typical use-cases:
a. Disallow internet access completely (uncheck WiFi, mobile data and VPN)
This might be useful for an app, which does not need internet access to work, but uses internet access to e.g. nag you with ad-crap (some games on the play store, for example)
b. Make sure, that an app only uses WiFi (in order to avoid costs when using mobile data) - uncheck mobile data
c. Make sure, that an app only has internet, when connected via VPN - uncheck WiFi and mobile data
5. Privacy features / data privacy of this ROM
Q: Does this ROM protect my privacy by design/default?
A: First of all, you will never get any "auto-protection" without having to take care, what you do!
What this ROM provides to you in addition to an "official" LineageOS:
This ROM comes with microG, to avoid the necessity of having to flash the Google apps, with the "mother of all spyware" called Google Play services. So many apps with that dependency would still work, either fully, or with their core-functionality, but without "extra Google convenience" features.
You can optionally block Google/Facebook connections, which can add a further protection layer (see the specific FAQ section about that feature)
Many nasty ad-servers, which are embedded into shady apps or websites are blocked by default
Some hardening measures known from the GrapheneOS project have been added
HOWEVER - just some examples, how you can easily screw up any privacy gain (this list is by far not even near to comprehensive):
You still CAN install all kinds of shady apps and use privacy-ignoring services. If you e.g. install the genuine Facebook or Instagram app, the majority of your private data on your phone will be immediately uploaded to Facebook servers, as those apps even refuse to start, if you do not grant all the sensitive permissions! (Note: Yes, afterwards, when your data has already been stolen, you can revoke those permissions again. And yes, Whatsapp seems maybe 'slightly' better in this regard, but if you really believe, that WA isn't fully integrated into the FB ecosystem, you must be living on another planet).
If you use the Microsoft Outlook app to connect to any "non-Microsoft" e-mail provider, your logon credentials to that other mail provider are stored on Microsoft servers factually allowing Microsoft to steal your identity. Using Microsoft e-mail services or GMail discloses all your e-mails to automated scanning for "suspicious activities"; this has nothing to do with your phone, but outlines, how you can void even the most secure device by making use of privacy-ignoring services.
Making use of Genuine Google-apps with microG also isn't a good idea - make use of alternatives.
Any app, which you install on your device, could misuse its needed privileges! So try to stick to FOSS apps.
And last, but not least, if you are a 'dissident' or fear otherwise any targeted or comprehensive surveillance, this ROM isn't for you either...
Dealing with signed builds
Please note that this build is signed with its own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash".
Bug reports:
If you have a problem, please create a post with this information:
Original Kernel shipped with this rom:
Build Date:
And try to get log as described here
Please note that I can't and won't support issues with builds using a different kernel or Xposed.
In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.
Credits
AOSP project
LineageOS project
microG project
Graphene OS project (many privacy and security features have been ported)
csagan5 (Bromite)
WhyOrean (Aurora)
SkewedZeppelin (Kernel patches and some good ideas of Divest-OS)
Change Log
08-06-2023
ASB Security string 2023-06-05
Some kernel patches
Mulch Webview 114.0.5735.61
microG on 0.2.28.231657-5
FakeStore 0.2.0
AuroraStore 4.2.3
09-05-2023
ASB Security string 2023-05-05
Some kernel patches
Mulch Webview 113.0.5672.77
13-04-2023
ASB Security string 2023-04-05
Some kernel patches
Removed Bromite browser and shipped LineageOS' Jelly instead
Mulch Webview 112.0.5615.48
19-03-2023
ASB Security string 2023-03-05
Some kernel patches
Vendor blobs and sec. patch updated from HD1913_11.F.20
Bromite Webview replaced by Mulch Webview 111.0.5563.58
12-02-2023
ASB Security string 2023-02-05
microG on 0.2.27.223616-3
Firewall UI moved to Privacy Dashboard
Some kernel patches
Spoof apps installed by G*PlayStore
06-01-2023
ASB Security string 2023-01-05
microG on 0.2.26.223616-16
Bromite Browser and Webview updated to 108.0.5359.156
Firewall UI (Settings - Network & Internet - Manage data restrictions)
Some kernel patches
French translation for ported features
29-12-2022 - 1st 'official' build
Port of GrapheneOS' 'Scoped storage' feature
27-12-2022 - INITIAL BUILD (Beta)
Pre-installed microG 0.2.26.223616-2
Pre-installed AuroraStore 4.1.1, AuroraDroid and AuroraServices
OTA Support
Bromite as default browser, 108.0.5359.156
Additional security hardening features listed below:
Cloudflare as default DNS (instead of Google)
Privacy-preferred default settings
Optional blocking of Facebook- and Google-Tracking (Settings - Network & Internet)
Optional disable captive portal detection or choose provider (default is GrapheneOS and not Google; Settings - Network & Internet)
Increased max. password length of 64
Enhanced controls for secondary users
Secure application spawning
No submission of IMSI/phone number to Google when GPS is in use
Default hosts file with many blocked ad/tracking sites (can be disabled)
Privacy-enhanced Bromite SystemWebView, 108.0.5359.156
Extra control of sensor access for additionally installed user apps (Special access under app permissions)
Kernel kept up to date with ASB and other patches
Debloated Oneplus blobs (removed Soter and Google hotword recognition)
Hardened bionic lib and constified JNI method tables
Optional timeout for Bluetooth and WLAN connections
Optional auto-reboot if device not unlocked for defined timeframe
Per connection WiFi randomization option
Sensitive QS Tiles require unlocking
Native debugging
Ability to disable non-system apps from the "App info" screen
Security Hardening Features - Details​
1. Pre-installed microG
same as the LineageOS for microG project
2. Pre-installed AuroraStore and AuroraDroid
works w/o having to enable the "unknown sources feature"
3. Extra control of sensor access for additionally installed user apps
Special access under app permissions
4. Cloudflare (instead of Google) default DNS
Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the default DNS settings (as fallback) and network diagnostics, the Cloudflare DNS addresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)
5. Privacy-preferred default settings
When newly installed, the below settings are defaulted, different from standard LineageOS 17.1 (all settings can be changed at any time later - credits go to the GrapheneOS project):
Anonymous LineageOS statistics disabled (proposal during Setup)
The standard browsing app does not get the location runtime permission automatically assigned
Sensitive information is hidden on the lock screen
Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode and many further tiles require authentication and cannot be set without
6. Optional blocking of Facebook- and Google-Tracking
Settings => Network & Internet (scroll down)
When activated, outgoing connection attempts to Facebook servers and to Google servers will be suppressed. Certain apps on an internal exception list will still be able to connect (e.g. AuroraStore, microG, or NewPipe, if installed)
7. Optional disable captive portal detection and to select Captive portal server URL provider
Settings => Network & Internet (scroll down)
When deactivated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used. Further, the captive portal URL provider can be set (default is GrapheneOS and not Google; Settings - Network & Internet)
8. No submission of IMSI or phone number to Google when GPS is in use
GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties) to provide this data...
9. Default hosts file with many blocked ad/tracking sites
The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6) - this option can be switched off under Settings - Security
10. Privacy-enhanced Bromite SystemWebView
Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.
11. Bromite as shipped Browser
A chromium based browser with many privacy features.
12. Maximum password length increased to 64
14. Debloated from Oneplus blobs for Soter and Google hotword recognition
Unnecessary privacy intrusive vendor blobs are not included in the build
15. Hardened bionic lib and constified JNI method tables
This has been taken over from GrapheneOS
16. Option to only use fingerprint unlock for apps and not for the device
An option in the fingerprint settings, also taken from GrapheneOS
17. Optional timeout for Bluetooth and WLAN connections
See respective settings, also a GrapheneOS feature
18. Optional reboot timeout
See respective settings, also a GrapheneOS feature
19. Per connection WiFi randomization option
A further GrapheneOS feature - improved randomization to make tracking more difficult.
20. Ability to disable user-installed apps
Ported from GrapheneOS - this feature normally only applies to system apps.
21. Port of GrapheneOS' Scoped storage functionality
See original documentation
Tips & tricks
Recovery Error 7 when installing
If you aim at installing this ROM for the 1st time (e.g. you come from Stock or other Custom ROM), please check this FAQ section in the LineageOS wiki.
Recovery Error 7 when updating this ROM
If OTA update fails, try manually sideloading (see OP).
If you see some error like ErrorCode::kInstallDeviceOpenError (7) then do the following:
In Recovery, switch to fastbootd (do not 'reboot to bootloader', really choose the fastboot option in recovery)
Connect your device via USB to your PC and run the following commands:
Code:
fastboot delete-logical-partition system_a
fastboot delete-logical-partition system_ext_a
fastboot delete-logical-partition product_a
fastboot delete-logical-partition vendor_a
fastboot delete-logical-partition odm_a
fastboot delete-logical-partition system_b
fastboot delete-logical-partition system_ext_b
fastboot delete-logical-partition product_b
fastboot delete-logical-partition vendor_b
fastboot delete-logical-partition odm_b
Return to recovery from fastbootd mode
Do 'adb sideload' again, it should work now
TTS Engine / Speech service
The following is a working option for this device to use Google TTS without big G* spying on you:
Launch Aurora Store and search Google TTS, but DO NOT install
Instead manually download version 210354702 (the most recent version does not work)
Put this app on the ignore list to make sure it won't ever get updated
Enable it in the Settings and download the language files of your choice for offline use
Go to the app settings and disallow any internet connectivity
Translation of ported features - help needed
Whilst the features available in LineageOS are widely translated and those translations obviously will find their way into this build, certain features ported e.g. from GrapheneOS or developed by myself lack a translation and appear only in English or German (I took care about the German translation).
If I don't have anything better to do (ok, just kidding), I may consider doing the French translation as well - however, if you want to see certain menu items in Settings also in your own language, please contact me via PM.
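The hosts-file blocking described in FAQ section 3 and hardening feature 9 of the post above (names redirected to 127.0.0.1 and ::1) can be verified on a copy of /system/etc/hosts. The following Python sketch is an added example, not part of the original post or the ROM's code; the function name audit_hosts and all sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style the post describes; the names use reserved
# example domains and are not entries taken from the ROM's hosts file.
SAMPLE_HOSTS = """\
# AdAway-style hosts file (constructed sample)
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.tracker.example
::1 ads.tracker.example
0.0.0.0 metrics.example.net   # unspecified-address sink
127.0.0.1 a.example b.example # two names on one line
203.0.113.7 login.bank.example
not-an-ip broken.example
"""

# Names that legitimately point at the local machine and are not "blocks".
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}


def audit_hosts(text):
    """Classify every name-to-address mapping in a hosts file.

    blocked       - names mapped to a loopback or unspecified address
    redirects     - (name, address) pairs mapped to any other address;
                    a pure blocklist should contain none of these
    single_family - names sinkholed for only one IP version, which the
                    dual 127.0.0.1 / ::1 layout would not produce
    malformed     - line numbers that do not parse as "address name..."
    """
    sunk = {4: set(), 6: set()}
    redirects, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:
            malformed.append(lineno)
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in LOCAL_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                sunk[addr.version].add(name)
            else:
                redirects.append((name, str(addr)))
    return {
        "blocked": sunk[4] | sunk[6],
        "redirects": redirects,
        "single_family": sunk[4] ^ sunk[6],
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked names:", len(report["blocked"]))
    print("non-loopback redirects:", report["redirects"])
    print("one IP version only:", sorted(report["single_family"]))
    print("malformed lines:", report["malformed"])
```

To audit a real device, copy the file with `adb pull /system/etc/hosts` and pass its contents to audit_hosts; any entry under "redirects" deserves a closer look, because a blocklist only ever points names at the local host.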
Thanks a lot for this Christmas/New Year present !
appreciate the work!
just wondered, how difficult is it to approach microg and suggest/incorporate most or all of these sensible privacy features in their main build? would this save you and all users a ton of trouble?
Hello MSe1969
For Optional blocking of Facebook- and Google-Tracking
Can you add in the application radarbot and waze in the exception application.
Thanks in advance
@MSe1969
Man, you rock and rule the forum!
That is absolutely fantastic. I installed da rom and even the vowifi works fluently.
There are no issues. I had to play around with openvpn a while, before it worked, but in the end it's done.
Only in the updater section there is a rom shown off, which could be installed??? I can not delete it, it stays there.
But this is nitty-gritty....
A huge huge thank you very very much and a hug. Have a nice start into 2023, you sweetened mine.
Ta, Ray
nico21311 said:
Hello MSe1969
For Optional blocking of Facebook- and Google-Tracking
Can you add in the application radarbot and waze in the exception application.
Thanks in advance
Short answer: Hell, No!
Long answer: Please have a look at this post, which explains the background.
ewong3 said:
appreciate the work!
just wondered, how difficult is it to approach microg and suggest/incorporate most or all of these sensible privacy features in their main build? would this save you and all users a ton of trouble?
I assume you mean the 'lineageos4microg' project (as microG itself is the privacy-aware Gapps alternative and they do not provide any Custom ROM builds) - the scope of that project is to simply take LineageOS "as is" and ship it with microG pre-installed. They for sure won't alter their project scope.
There are already similar projects, such as Calyx or /e/, which aim into a similar direction (microG and privacy/security focused with different priorities), or Divest-OS (no microG, but also privacy/security focused) or GrapheneOS (holistic and very strict approach on security/privacy, no microG - many of their innovative features are ported by other projects and devs like me) - these projects are aware of each other.
bestouff said:
Thanks a lot for this Christmas/New Year present !
Maybe you could also contribute:
If I send you (e.g. via PM) some text (xml) files with English text strings, and you replace those with a French translation and send them back, the respective menu entries would appear in one of the next builds in French (instead of English), if you use your phone in French language... - Would that be OK?
@All - see post #5
I am interested in further languages, so everybody willing to support is more than welcome.
Hey you seemed to want to do the French yourself, I didn't want to steal your work !
Anyway no problem, I don't have much time but I can make/review some translations.
Safetynet fix on magisk seems to make the phone get stuck on boot every time it is installed
MSe1969 said:
Maybe you could also contribute:
If I send you (e.g. via PM) some text (xml) files with English text strings, and you replace those with a French translation and send them back, the respective menu entries would appear in one of the next builds in French (instead of English), if you use your phone in French language... - Would that be OK?
@All - see post #5
I am interested in further languages, so everybody willing to support is more than welcome.
Me too I can review it
Ok, Gents. I have serious problems with openvpn and my synology. The connection works in the beginning one time. After a disconnection or change of network, it does not reconnect and i have to delete vpn connection completely. I have to disconnect from Internet (mobile and wlan) after i switched it on again i can reestablish the vpn and it works til next switch of networks. I try to get logs from it the next time, the problem occurs and i will post it here or the solution, if i could fix it.
"Edit" In addition of that, i do not receive any messages with iptables script and openvpn on with my synology chat.
With lineageosmicrog 18.1 on my second phone everything is ok and all works fine.
Edit number 2..... I have a third phone.... and everything works fine with openvpn and chat.. so it must be an installation failure in Main Software.... I'll reinstall clean again. I will post a statement when done.....
Have a happy new year in several hours.
ruicardona said:
Safetynet fix on magisk seems to make the phone get stuck on boot every time it is installed
This build is hardened, especially kernel hardening, hardened_malloc integrated in bionic / libc. So it may very well be, that specific Magisk modules won't work...
MSe1969 said:
This build is hardened, especially kernel hardening, hardened_malloc integrated in bionic / libc. So it may very well be, that specific Magisk modules won't work...
I have no idea what you just told me means but i kinda understood that last part, the stock lineage os also has the same behavior.
ruicardona said:
I have no idea what you just told me means but i kinda understood that last part, the stock lineage os also has the same behavior.
OK, if the Magisk module even does not work with the official LineageOS ROM for this device, it is not related to the hardening features of this specific build. Either way, I don't have a solution for you.
MSe1969 said:
OK, if the Magisk module even does not work with the official LineageOS ROM for this device, it is not related to the hardening features of this specific build. Either way, I don't have a solution for you.
Thank you for replying either way!
