{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Features overviewGrapheneOS is a private and secure mobile operating system with great functionality and usability. It starts from the strong baseline of the Android Open Source Project (AOSP) and takes great care to avoid increasing attack surface or hurting the strong security model. GrapheneOS makes substantial improvements to both privacy and security through many carefully designed features built to function against real adversaries. The project cares a lot about usability and app compatibility so those are taken into account for all of our features.
GrapheneOS is focused on substance rather than branding and marketing. It doesn't take the typical approach of piling on a bunch of insecure features depending on the adversaries not knowing about them and regressing actual privacy/security. It's a very technical project building privacy and security into the OS rather than including assorted unhelpful frills or bundling subjective third party apps choices.
GrapheneOS is also hard at work on filling in gaps from not bundling Google apps and services into the OS. We aren't against users using Google services but it doesn't belong integrated into the OS in an invasive way. GrapheneOS won't take the shortcut of simply bundling a very incomplete and poorly secured third party reimplementation of Google services into the OS. That wouldn't ever be something users could rely upon. It will also always be chasing a moving target while offering poorer security than the real thing if the focus is on simply getting things working without great care for doing it robustly and securely.
This page provides an overview of currently implemented features differentiating GrapheneOS from AOSP. It doesn't document our many historical features that are no longer included for one reason or another. Many of our features were implemented in AOSP, Linux, LLVM and other projects GrapheneOS is based on and those aren't listed here. In many cases, we've been involved in getting those features implemented in core infrastructure projects.
GrapheneOS
Partial list of GrapheneOS features beyond what AOSP 12 provides:
Hardened app runtime
Stronger app sandbox
Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
Our own hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with reducing the lifetime of sensitive data in memory. The hardened_malloc README has extensive documentation on it. The hardened_malloc project is portable to other Linux-based operating systems and is being adopted by other security-focused operating systems like Whonix. Our allocator also heavily influenced the design of the next-generation musl malloc implementationwhich offers substantially better security than musl's previous malloc while still having minimal memory usage and code size.
Fully out-of-line metadata with protection from corruption, ruling out traditional allocator exploitation
Separate memory regions for metadata, large allocations and each slab allocation size class with high entropy random bases and no address space reuse between the different regions
Deterministic detection of any invalid free
Zero-on-free with detection of write-after-free via checking that memory is still zeroed before handing it out again
Delayed reuse of address space and memory allocations through the combination of deterministic and randomized quarantines to mitigate use-after-free vulnerabilities
Fine-grained randomization
Aggressive consistency checks
Memory protected guard regions around allocations larger than 16k with randomization of guard region sizes for 128k and above
Allocations smaller than 16k have guard regions around each of the slabs containing allocations (for example, 16 byte allocations are in 4096 byte slabs with 4096 byte guard regions before and after)
Random canaries with a leading zero are added to these smaller allocations to block C string overflows, absorb small overflows and detect linear overflows or other heap corruption when the canary value is checked (primarily on free)
Hardened compiler toolchain
Hardened kernel
Support for dynamically loaded kernel modules is disabled and the minimal set of modules for the device model are built into the kernel to substantially improve the granularity of Control Flow Integrity (CFI) and reduce attack surface.
4-level page tables are enabled on arm64 to provide a much larger address space (48-bit instead of 39-bit) with significantly higher entropy Address Space Layout Randomization (33-bit instead of 24-bit).
Random canaries with a leading zero are added to the kernel heap (slub) to block C string overflows, absorb small overflows and detect linear overflows or other heap corruption when the canary value is checked (on free, copies to/from userspace, etc.).
Memory is wiped (zeroed) as soon as it's released in both the low-level kernel page allocator and higher level kernel heap allocator (slub). This substantially reduces the lifetime of sensitive data in memory, mitigates use-after-free vulnerabilities and makes most uninitialized data usage vulnerabilities harmless. Without our changes, memory that's released retains data indefinitely until the memory is handed out for other uses and gets partially or fully overwritten by new data.
Kernel stack allocations are zeroed to make most uninitialized data usage vulnerabilities harmless.
Assorted attack surface reduction through disabling features or setting up infrastructure to dynamically enable/disable them only as needed (perf, ptrace).
Assorted upstream hardening features are enabled, including many which we played a part in developing and landing upstream as part of our linux-hardened project (which we intend to revive as a more active project again).
Prevention of dynamic native code execution in-memory or via the filesystem for the base OS without going via the package manager, etc.
Filesystem access hardening
Enhanced verified boot with better security properties and reduced attack surface
Enhanced hardware-based attestation with more precise version information
Eliminates remaining holes for apps to access hardware-based identifiers
Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary code, making more features optional and disabling optional features by default (NFC, Bluetooth, etc.), when the screen is locked (connecting new USB peripherals, camera access) and optionally after a timeout (Bluetooth, Wi-Fi)
Option to disable native debugging (ptrace) to reduce local attack surface (still enabled by default for compatibility)
Low-level improvements to the filesystem-based full disk encryption used on modern Android
Support for logging out of user profiles without needing a device manager: makes them inactive so that they can't continue running code while using another profile and purges the disk encryption keys (which are per-profile) from memory and hardware registers
Option to enable automatically rebooting the device when no profile has been unlocked for the configured time period to put the device fully at rest again.
Improved user visibility into persistent firmware security through version and configuration verification with reporting of inconsistencies and debug features being enabled.
Support longer passwords by default (64 characters) without a device manager
Stricter implementation of the optional fingerprint unlock feature permitting only 5 attempts rather than 20 before permanent lockout (our recommendation is still keeping sensitive data in user profiles without fingerprint unlock)
Support for using the fingerprint scanner only for authentication in apps and unlocking hardware keystore keys by toggling off support for unlocking.
PIN scrambling option
LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy code
Per-connection MAC randomization option (enabled by default) as a more private option than the standard persistent per-network random MAC.
When the per-connection MAC randomization added by GrapheneOS is being used, DHCP client state is flushed before reconnecting to a network to avoid revealing that it's likely the same device as before.
Improved IPv6 privacy addresses to prevent tracking across networks
Vanadium: hardened WebView and default browser — the WebView is what most other apps use to handle web content, so you benefit from Vanadium in many apps even if you choose another browser
Hardware-based security verification and monitoring: the Auditor app app and attestation service provide strong hardware-based verification of the authenticity and integrity of the firmware/software on the device. A strong pairing-based approach is used which also provides verification of the device's identity based on the hardware backed key generated for each pairing. Software-based checks are layered on top with trust securely chained from the hardware. For more details, see the about page and tutorial.
PDF Viewer: sandboxed, hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection, etc.
Encrypted backups via integration of the Seedvault app with support for local backups and any cloud storage provider with a storage provider app
Secure application spawning system avoiding sharing address space layout and other secrets across applications
Network permission toggle for disallowing both direct and indirect access to any of the available networks. The device-local network (localhost) is also guarded by this permission, which is important for preventing apps from using it to communicate between profiles. Unlike a firewall-based implementation, the Network permission toggle prevents apps from using the network via APIs provided by the OS or other apps in the same profile as long as they're marked appropriately.
The standard INTERNET permission used as the basis for the Network permission toggle is enhanced with a second layer of enforcement and proper support for granting/revoking it on a per-profile basis.
Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions (Camera, Microphone, Body Sensors, Activity Recognition) including an accelerometer, gyroscope, compass, barometer, thermometer and any other sensors present on a given device. To avoid breaking compatibility with Android apps, the added permission is enabled by default.
Authenticated encryption for network time updates via a first party server to prevent attackers from changing the time and enabling attacks based on bypassing certificate / key expiry, etc.
Proper support for disabling network time updates rather than just not using the results
Connectivity checks via a first party server with the option to revert to the standard checks (to blend in) or to fully disable them
Hardened local build / signing infrastructure
Seamless automatic OS update system that just works and stays out of the way in the background without disrupting device usage, with full support for the standard automatic rollback if the first boot of the updated OS fails
Require unlocking to access sensitive functionality via quick tiles
Minor changes to default settings to prefer privacy over small conveniences: personalized keyboard suggestions based on gathering input history are disabled by default, sensitive notifications are hidden on the lockscreen by default and passwords are hidden during entry by default
Minimal bundled apps and services. Only essential apps are integrated into the OS. We don't make partnerships with apps and services to bundle them into the OS. An app may be the best choice today and poor choice in the future. Our approach will be recommending certain apps during the initial setup, not hard-wiring them into the OS.
No Google apps and services. These can be used on GrapheneOS but only if they avoid requiring invasive OS integration. Building privileged support for Google services into the OS isn't something we're going to be doing, even if that's partially open source like microG.
Compatibility layer for coercing user installed Google Play services into running as sandboxed apps without any special privileges.
Fixes for multiple serious vulnerabilities not yet fixed upstream due to a flexible release cycle / process prioritizing security.
ServicesService infrastructure features:
Strict privacy and security practices for our infrastructure
Unnecessary logging is avoided and logs are automatically purged after 10 days
Services are hosted entirely via our own dedicated servers and virtual machines from OVH without involving any additional parties for CDNs, SaaS platforms, mirrors or other services
Our services are built with open technology stacks to avoid being locked in to any particular hosting provider or vendor
Open documentation on our infrastructure including listing out all of our services, guides on making similar setups, published configurations for each of our web services, etc.
No proprietary services
Authenticated encryption for all of our services
Strong cipher configurations for all of our services (SSH, TLS, etc.) with only modern AEAD ciphers providing forward secrecy
Our web sites do not include any third party content and entirely forbid it via strict Content Security Policy rules
Our web sites disable referrer headers to maximize privacy
Our web sites fully enable cross origin isolation and disable embedding in other content
DNSSEC implemented for all of our domains to provide a root of trust for encryption and authentication for domain/server configuration
DNS Certification Authority Authorization (CAA) records for all of our domains permitting only Let's Encrypt to issue certificates with fully integrated support for the experimental accounturi and validationmethods pinning our Let's Encrypt accounts as the only ones allowed to issue certificates
DANE TLSA records for pinning keys for all our TLS services
Our mail server enforces DNSSEC/DANE to provide authenticated encryption when sending mail including alert messages from the attestation service
SSHFP across all domains for pinning SSH keys
Static key pinning for our services in apps like Auditor
Our web services use robust OCSP stapling with Must-Staple
No persistent cookies or similar client-side state for anything other than login sessions, which are set up via SameSite=strict cookies and have server-side session tracking with the ability to log out of other sessions
scrypt-based password hashing (likely Argon2 when the available implementations are more mature)
ProjectBeyond the technical features of the OS:
Collaborative, open source project with a very active community and contributors
Can make your own builds and make desired changes, so you aren't stuck with the decisions made by the upstream project
Non-profit project avoiding conflicts of interest by keeping commercialization at a distance. Companies support the project rather than the project serving the needs of any particular company
Strong privacy policies across all our software and services
Proven track record of the team standing up against attempts to compromise the integrity of the project and placing it above personal gain
Click to expand...
Click to collapse
Installation Instruction and downloads
Dwonload for pixel 5 and other Releases
https://grapheneos.org/releases
GrapheneOS has two officially supported installation methods. You can either use the WebUSB-based installer recommended for most users or the command-line installation guide aimed at more technical users.
We strongly recommend using one of the official installation methods. Third party installation guides tend to be out-of-date and often contain misguided advice and errors.
If you have trouble with the installation process, ask for help on the official GrapheneOS chat channel. There are almost always people around willing to help with it. Before asking for help, make an attempt to follow the guide on your own and then ask for help with anything you get stuck on.
The command-line approach offers a way to install GrapheneOS without trusting our server infrastructure. This requires being on an OS with proper fastboot and signify packages along with understanding the process enough to avoid blindly trusting the instructions from our site. For most users, the web-based installation approach is no less secure and avoids needing any software beyond a browser with WebUSB support.
For those who wants google play store apps please watch this video, Its not recommended but i use it myself on this rom.
GrapheneOS - Full Post Install Setup Guide - Maximize Security and Privacy On Your Android Phone
Source code
https://github.com/GrapheneOS
https://github.com/GrapheneOS/kernel_google_redbull
https://github.com/GrapheneOS/device_google_redfin-kernel
https://github.com/GrapheneOS/device_google_redfin
Credits and Thanks
We would like to give thanks to everyone in the Android community, big or small.
That said, we would like to Thank all These Teams for their contribution to the Open Source Community. Special Thanks to Daniel Micay
MOD EDIT: This is an UnOfficial thread and isn't run by the GrapheneOS team
times out and doesn't flash "system"
jorgeccastro said:
times out and doesn't flash "system"
Click to expand...
Click to collapse
Follow the instructions properly it will flash I am using it right now.
What method did you use to flash the rom?
Use web installer it's easy.
I want to say thank you so much for all of the work on this ROM, it is awesome!
Has anybody gotten root to work on this? I tried patching the boot.img with Magisk, but after I flash the patched boot.img, the bootloader says it can't find a valid operating system?
jailbird2 said:
I want to say thank you so much for all of the work on this ROM, it is awesome!
Has anybody gotten root to work on this? I tried patching the boot.img with Magisk, but after I flash the patched boot.img, the bootloader says it can't find a valid operating system?
Click to expand...
Click to collapse
The whole point of this rom is security haha so no root only pure security and bootloader will be locked if you followed the instructions.
SyntaxError said:
The whole point of this rom is security haha so no root only pure security and bootloader will be locked if you followed the instructions.
Click to expand...
Click to collapse
Yep, I know. As the phone mainly stays connected in my vehicle, I was using a framework that allowed me to trigger actions when the charging power comes on (eg, vehicle is started) and goes away (vehicle is turned off). I was hoping to be able to keep that AND keep the extra security .
I completely understand though, thanks!
jailbird2 said:
Yep, I know. As the phone mainly stays connected in my vehicle, I was using a framework that allowed me to trigger actions when the charging power comes on (eg, vehicle is started) and goes away (vehicle is turned off). I was hoping to be able to keep that AND keep the extra security .
I completely understand though, thanks!
Click to expand...
Click to collapse
Aha well there are certain things we have to sacrifice lol for security sake.
SyntaxError said:
Follow the instructions properly it will flash I am using it right now.
What method did you use to flash the rom?
Use web installer it's easy.
Click to expand...
Click to collapse
oh ok, thanks for that info. i was using a screwdriver and hammer...
how to install google playstore
look im going to be honest with you guys i use my phone as a daily driver and with out gapps its pointless to use this rom i need gapps to download my apps and to restore my info. and i all ready try to install gapps on this rom it doesnt work
williejack619 said:
look im going to be honest with you guys i use my phone as a daily driver and with out gapps its pointless to use this rom i need gapps to download my apps and to restore my info. and i all ready try to install gapps on this rom it doesnt work
Click to expand...
Click to collapse
Sorry mate, GrapheneOS is not meant to have any Google framework stuff in it. If you need such and at the same time want more privacy you might want to have a look at CalyxOS, at least there is an option to include microG. Have fun.
williejack619 said:
look im going to be honest with you guys i use my phone as a daily driver and with out gapps its pointless to use this rom i need gapps to download my apps and to restore my info. and i all ready try to install gapps on this rom it doesnt work
Click to expand...
Click to collapse
you can install fdroid and from fdroid install https://f-droid.org/en/packages/com.aurora.store/ and you can have all play store apps without any account or you can sign in and still retain your privacy.
beggar23 said:
Sorry mate, GrapheneOS is not meant to have any Google framework stuff in it. If you need such and at the same time want more privacy you might want to have a look at CalyxOS, at least there is an option to include microG. Have fun.
Click to expand...
Click to collapse
They've documented how to install Google services:
GrapheneOS usage guide
Usage instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
grapheneos.org
williejack619 said:
how to install google playstore
Click to expand...
Click to collapse
was this a troll?
xstrifey said:
was this a troll?
Click to expand...
Click to collapse
maybe lol
SyntaxError said:
The whole point of this rom is security haha so no root only pure security and bootloader will be locked if you followed the instructions.
Click to expand...
Click to collapse
The problem I have with not having root is that google backups suck. An example is google authenticator. It loses all settings and will force the user to redo every site where it was used for 2fa. I absolutely need the ability to restore my apps properly, and I currently use TitaniumBackup for that. I'm also playing around with 'Migrate', but both need root.
adamf663b said:
The problem I have with not having root is that google backups suck. An example is google authenticator. It loses all settings and will force the user to redo every site where it was used for 2fa. I absolutely need the ability to restore my apps properly, and I currently use TitaniumBackup for that. I'm also playing around with 'Migrate', but both need root.
Click to expand...
Click to collapse
I just don't understand why no one understands the meaning of privacy?
This rom is made for privacy and security without Google as in degoogled phone so no root access because the bootloader will be locked after flashing this rom.
And yes you can install play store apps my way or the official way and there is a link to that provided by @k0rner . And yes I understand backup and restoring from Google is a pain so just do a manual restore like I did if you want privacy and if you want root and Google services then this rom is not meant for you and to be used with Google services.
Can I change the aspect ratio to 16:9 in this custom rom?
works long press power turns flashlight on this rom ?
switcher said:
works long press power turns flashlight on this rom ?
Click to expand...
Click to collapse
No. It brings up the shutdown/reboot screen as seen in the stock image.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Introduction
iodéOS is a privacy-focused operating system powered by LineageOS and based on the Android mobile platform. iodéOS aims at protecting the user's privacy with a built-in adblocker and by freeing the smartphone from snitches.
The objectives in the conception of this ROM are threefold:
To keep the stability and security level of LineageOS, by minimizing the modifications made to the system. Apart the system modifications required by the adblocker, we mainly only added a few useful options commonly found in other custom ROMs, made some cosmetic changes, modified a few default settings to prevent data leaks to Google servers.
To ease a quick adoption of this ROM by new users. We especially target users that are concerned by the protection of their privacy, but are not reluctant to still use inquisitive apps like Google ones. We thus included MicroG as well as a coherent set of default apps (all open source, with one exception), and simplified the initial setup of the system. Particularly, an initialization of MicroG has been made with GCM notifications allowed by default, a privacy-friendly network location provider (DéjàVu) pre-selected, as well as Nominatim Geocoder.
To provide a new and powerful way of blocking ads, malwares, data leaks of all kinds to many intrusive servers. We are developing an analyzer, tightly integrated into the system, that captures all DNS requests and network traffic, as well as a user interface (the iodé app). Compared to some other well-known adblockers, this has the advantages of:
Avoiding to lock the VPN for that use. You can even use another adblocker that uses VPN technology alongside our blocker.
Being independent of the kind of DNS server used by the system or set by an independent app: classical DNS on UDP port 53 or any other one, DNS over TLS (DoT), DNS over HTTPS (DoH), ..., as we capture the DNS requests before they are transmitted to the system function that emits the DNS request. What we do not support, is DoH when it is natively built into applications, i.e. when an app communicates directly with a DoH server, without asking name resolution to the system. It would require to decrypt HTTPS packets between such an app and the DoH server, which may create a big security hole.
Precisely mapping DNS requests and network packets to the Android apps that emitted (or received) them.
Deciding which apps have a filtered network usage (by default, all apps), and which ones can communicate with blacklisted servers.
Since its first versions, we added many features to the iodé blocker: several levels of protection, fine-grained control over the hosts that should be blocked or authorized, displaying statistics on a map to see the quantity of data exchanged to which countries, clearing statistics... We are actively developing the blocker, and new functionalities will be regularly added.
Features
Changes in LineageOS to prevent data leaks:
Default DNS server: Google's DNS replaced by Quad9's 'unblocked' servers in all parts of the system.
A-GPS: patches to avoid leaking personnal information like IMSI to supl server.
Captive portal login: connectivitycheck.gstatic.com replaced by captiveportal.kuketz.de for connectivity check.
Dialer: Google default option replaced by OpenStreetMap for phone number lookup.
Pre-installed apps:
We included many useful default apps, but our choice cannot suit everyone; so we added the possibility to remove them. It can be done at the end of the phone setup, or at any time by going to Parameters -> Apps & Notifications -> Preinstalled apps.
MicroG core apps: GmsCore, GsfProxy, FakeStore.
NLP backends for MicroG : DejaVuNLPBackend (default), MozillaNLPBackend, AppleNLPBackend, RadioCellsNLPBackend, Nominatim Geocoder.
App stores : FDroid (with F-Droid Privileged Extension) and Aurora Store.
Browser: our own fork of Firefox (with Qwant as default search engine, many other ones added, telemetry disabled, parts of telemetry code removed) instead of Lineage’s default browser Jelly.
SMS: QKSMS instead of Lineage's default SMS app.
Email: p≡p (Pretty Easy Privacy).
Camera: our own fork of Open Camera, with a few tweaks.
Maps/navigation: Magic Earth GPS & Navigation (the only one free but not open source).
Keyboard: OpenBoard instead of AOSP keyboard.
PDF: Pdf Viewer Plus.
Personnal notes: Carnet.
{Ad/Malware/Data leak}-blocker: iodé.
News: to keep users informed about our developments, as well as a FAQ.
Meteo: Geometric Weather.
Pre-included FDroid repository:
The apps that we tweak or develop (microG services, the browser based on Firefox, the News app, Open Camera ...) are available through a repository that we included in FDroid (check the "Apps for iodéOS" category). For this purpose and to avoid name conflicts of some apps, we also had to make a few changes in FDroid.
Useful options from other custom ROMs:
Smart charging (disables charging when a given level is reached, to protect battery health).
Fingerprint vibration toggle.
Installation Instructions
To download and flash our latest build, see https://gitlab.com/iode/ota.
You can also find here direct links to the latest builds.
Supported devices
Fairphone FP3/FP3+
Fairphone FP4
Google Pixel 3
Google Pixel 4
Google Pixel 5
Google Pixel 6
Google Pixel 6a
OnePlus 9
OnePlus 9 Pro
Samsung Galaxy A5/A7 2017 (a5j17lte/a7j17lte)
Samsung Galaxy S9/S9+ (starlte/star2lte)
Samsung Galaxy Note 9 (crownlte)
Samsung S10e/S10/S10+ (beyond{0,1,2}lte)
Samsung Note 10 (d1)
Samsung Note 10+ (d2s)
Sony Xperia XA2 (pioneer)
Sony Xperia XZ1 (poplar)
Sony Xperia XZ2 (akari)
Sony Xperia XZ3 (akatsuki)
Xiaomi Mi9 (cepheus)
Teracube 2e
Xiaomi Mi 10T 5G / Mi 10T Pro 5G
Xiaomi Mi 10 Lite 5G
Sources
iodéOS: https://gitlab.com/iode/os
LineageOS: https://github.com/lineageos
device tree: https://gitlab.com/iode/os/public/devices/oneplus/device_oneplus_lemonade
https://gitlab.com/iode/os/public/devices/oneplus/device_oneplus_sm8350-common
kernel: http://github.com/LineageOS/android_kernel_oneplus_sm8350[/URL]
Bug Reporting
You can post a message in this thread or (preferred) open an issue here.
Credits
LineageOS is a free, community built, aftermarket firmware distribution of android, which is designed to increase performance and reliability over stock android for your device.
All the source code for LineageOS is available in the LineageOS Github repo. If you would like to contribute to LineageOS, please visit their Wiki for more details.
This ROM would be nothing without the tremendous work made on MicroG, and all the other open source apps that we included. We are very grateful to their authors.
Contributors
Direct contributors: @iodeOS, @vince31fr
Indirect contributors (too numerous to list): All the people that contributed to the device tree, to LineageOS, and to the included open source apps.
Sponsoring
You can help in the development of this ROM by paying us a coffee here: https://paypal.me/iodeOS.
Screenshots
Downloads :
iodéOS
04/04/2023 (build 20230401):
Installation procedure: move to a fastboot script (read instructions: https://gitlab.com/iode/ota)
Blocker: improved use of blocking lists (sub-domains blocking)
FDroid: fixes an issue on apps update
LineageOS synchronized with March security patch included
All apps updated
07/02/2023 (build 20230131):
Upgrade to iodéOS 4.0 based on Android 13 / LineageOS 20
Blocker:
Improved blocking settings. You can now choose 'Standard' blocking (ads, trackers, malwares, etc) or 'Reinforced' blocking (same objective but more extensive), and then select additional categories.
The 'Porn' category has been extended to a wider 'Sensitive content' one, that also includes fake news, gambling, drugs, piracy, torrent..., with mainly child protection in mind.
The 'Extreme' category has been removed, as it is now part of the reinforced blocking.
Improved blocking lists. We merge several acknowledged and up-to-date sources, and have diversified our sources to produce more complete lists. The standard list has however been reduced a bit, to avoid as much as possible interference with apps expected behavior.
Added a new network location provider: Local NLP Backend. It is an improved version of the DéjàVu NLP backend which was already available in iodéOS. Like DéjàVu, it builds a local database connecting localizations learned from other NLP backends and apps using GPS, and mobile antennas/Wifi; but also has an active mode (not preselected) that can trigger GPS requests. To configure it: Settings -> System -> microG -> Location modules
LineageOS synchronized with January security patch included
All apps updated
New devices support: Pixel 3, 6, 6a
16/12/2022 (build 20221215):
Blocker: added multiple selection in settings / domain customization. Long-press on a domain, select several domains or all, apply actions (block all, authorize all...)
PdfViewerPlus: improved security by updating core libraries
Network settings: added a switch to disable connectivity check (and thus captive portal detection)
LineageOS synchronized with December security patch included
All apps updated
New devices support: Pixel 4 & 5, OnePlus 9 & 9 Pro
10/12/2022 (build 20221210): initial publicly available build of iodéOS for OnePlus 9.
for oneplus 9pro please
bluebirdsysx said:
for oneplus 9pro please
Click to expand...
Click to collapse
I am with you on that one. Need this rom for Oneplus 9pro @vince31fr really enjoyed on samsung 9+.
break.cold said:
I am with you on that one. Need this rom for Oneplus 9pro @vince31fr really enjoyed on samsung 9+.
Click to expand...
Click to collapse
bluebirdsysx said:
for oneplus 9pro please
Click to expand...
Click to collapse
soon !
vince31fr said:
soon !
Click to expand...
Click to collapse
great.
Thank you so much... been trying to do MicroG on my own but can be confusing trying to figure it all out and where to go for the various items needed. Glad to see all in one and will try this with excitement! Coming from an Android 13 custom rom should be no issues if I follow instructions correct?
lorilucille9 said:
Thank you so much... been trying to do MicroG on my own but can be confusing trying to figure it all out and where to go for the various items needed. Glad to see all in one and will try this with excitement! Coming from an Android 13 custom rom should be no issues if I follow instructions correct?
Click to expand...
Click to collapse
This should be work yes. The low-level A12 firmware is embedded in the ROM, so it should be flashable in any situation.
bluebirdsysx said:
for oneplus 9pro please
Click to expand...
Click to collapse
break.cold said:
great.
Click to expand...
Click to collapse
There is an untested blind build for 9 pro here:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.3-20221212-lemonadep.zip
Recovey:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.3-20221212-lemonadep-recovery.img
dtbo:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.3-20221212-lemonadep-dtbo.img
Use at your own risk!
vince31fr said:
There is an untested blind build for 9 pro here:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.3-20221212-lemonadep.zip
Recovey:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.3-20221212-lemonadep-recovery.img
dtbo:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.3-20221212-lemonadep-dtbo.img
Use at your own risk!
Click to expand...
Click to collapse
Will try. Great
break.cold said:
Will try. Great
Click to expand...
Click to collapse
New version:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.4-20221215-lemonadep.zip
Recovey:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.4-20221215-lemonadep-recovery.img
dtbo:
https://github.com/vincentvidal/iode_ota/releases/download/v1/iode-3.4-20221215-lemonadep-dtbo.img
Did someone try the previous build ?
vince31fr said:
Did someone try the previous build ?
Click to expand...
Click to collapse
I tried. Battery life was poor and smoothness with performance it's bit more optimzation.
If you don't mind can you upload on Oneplus 9 Pro forum you will get more users than over here.
*** New Update : 16/12/2022 ***
Available as OTA (see OP)
Hello
Would you write installation instructions? Follow the steps one by one. Oneplus 9 12/256, My current system: Android 12.1
Waiting for help. Pls.
Numberslevin said:
Hello
Would you write installation instructions? Follow the steps one by one. Oneplus 9 12/256, My current system: Android 12.1
Waiting for help. Pls.
Click to expand...
Click to collapse
Instructions for op9 are already here, read OP
vince31fr said:
Instructions for op9 are already here, read OP
Click to expand...
Click to collapse
Thank you.
Hello
Does this system have call recording?
Numberslevin said:
Hello
Does this system have call recording?
Click to expand...
Click to collapse
yes
vince31fr said:
Introduction
iodéOS is a privacy-focused operating system powered by LineageOS and based on the Android mobile platform. iodéOS aims at protecting the user's privacy with a built-in adblocker and by freeing the smartphone from snitches.
The objectives in the conception of this ROM are threefold:
To keep the stability and security level of LineageOS, by minimizing the modifications made to the system. Apart the system modifications required by the adblocker, we mainly only added a few useful options commonly found in other custom ROMs, made some cosmetic changes, modified a few default settings to prevent data leaks to Google servers.
To ease a quick adoption of this ROM by new users. We especially target users that are concerned by the protection of their privacy, but are not reluctant to still use inquisitive apps like Google ones. We thus included MicroG as well as a coherent set of default apps (all open source, with one exception), and simplified the initial setup of the system. Particularly, an initialization of MicroG has been made with GCM notifications allowed by default, a privacy-friendly network location provider (DéjàVu) pre-selected, as well as Nominatim Geocoder.
To provide a new and powerful way of blocking ads, malwares, data leaks of all kinds to many intrusive servers. We are developing an analyzer, tightly integrated into the system, that captures all DNS requests and network traffic, as well as a user interface (the iodé app). Compared to some other well-known adblockers, this has the advantages of:
Avoiding to lock the VPN for that use. You can even use another adblocker that uses VPN technology alongside our blocker.
Being independent of the kind of DNS server used by the system or set by an independent app: classical DNS on UDP port 53 or any other one, DNS over TLS (DoT), DNS over HTTPS (DoH), ..., as we capture the DNS requests before they are transmitted to the system function that emits the DNS request. What we do not support, is DoH when it is natively built into applications, i.e. when an app communicates directly with a DoH server, without asking name resolution to the system. It would require to decrypt HTTPS packets between such an app and the DoH server, which may create a big security hole.
Precisely mapping DNS requests and network packets to the Android apps that emitted (or received) them.
Deciding which apps have a filtered network usage (by default, all apps), and which ones can communicate with blacklisted servers.
Since its first versions, we added many features to the iodé blocker: several levels of protection, fine-grained control over the hosts that should be blocked or authorized, displaying statistics on a map to see the quantity of data exchanged to which countries, clearing statistics... We are actively developing the blocker, and new functionalities will be regularly added.
Features
Changes in LineageOS to prevent data leaks:
Default DNS server: Google's DNS replaced by Quad9's 'unblocked' servers in all parts of the system.
A-GPS: patches to avoid leaking personnal information like IMSI to supl server.
Captive portal login: connectivitycheck.gstatic.com replaced by captiveportal.kuketz.de for connectivity check.
Dialer: Google default option replaced by OpenStreetMap for phone number lookup.
Pre-installed apps:
We included many useful default apps, but our choice cannot suit everyone; so we added the possibility to remove them. It can be done at the end of the phone setup, or at any time by going to Parameters -> Apps & Notifications -> Preinstalled apps.
MicroG core apps: GmsCore, GsfProxy, FakeStore.
NLP backends for MicroG : DejaVuNLPBackend (default), MozillaNLPBackend, AppleNLPBackend, RadioCellsNLPBackend, Nominatim Geocoder.
App stores : FDroid (with F-Droid Privileged Extension) and Aurora Store.
Browser: our own fork of Firefox (with Qwant as default search engine, many other ones added, telemetry disabled, parts of telemetry code removed) instead of Lineage’s default browser Jelly.
SMS: QKSMS instead of Lineage's default SMS app.
Email: p≡p (Pretty Easy Privacy).
Camera: our own fork of Open Camera, with a few tweaks.
Maps/navigation: Magic Earth GPS & Navigation (the only one free but not open source).
Keyboard: OpenBoard instead of AOSP keyboard.
PDF: Pdf Viewer Plus.
Personnal notes: Carnet.
{Ad/Malware/Data leak}-blocker: iodé.
News: to keep users informed about our developments, as well as a FAQ.
Meteo: Geometric Weather.
Pre-included FDroid repository:
The apps that we tweak or develop (microG services, the browser based on Firefox, the News app, Open Camera ...) are available through a repository that we included in FDroid (check the "Apps for iodéOS" category). For this purpose and to avoid name conflicts of some apps, we also had to make a few changes in FDroid.
Useful options from other custom ROMs:
Smart charging (disables charging when a given level is reached, to protect battery health).
Fingerprint vibration toggle.
Installation Instructions
To download and flash our latest build, see https://gitlab.com/iode/ota.
You can also find here direct links to the latest builds.
Supported devices
Fairphone FP3/FP3+
Fairphone FP4
Google Pixel 4
Google Pixel 5
OnePlus 9
OnePlus 9 Pro
Samsung Galaxy A5/A7 2017 (a5j17lte/a7j17lte)
Samsung Galaxy S9/S9+ (starlte/star2lte)
Samsung Galaxy Note 9 (crownlte)
Samsung S10e/S10/S10+ (beyond{0,1,2}lte)
Samsung Note 10 (d1)
Samsung Note 10+ (d2s)
Sony Xperia XA2 (pioneer)
Sony Xperia XZ1 (poplar)
Sony Xperia XZ2 (akari)
Sony Xperia XZ3 (akatsuki)
Xiaomi Mi9 (cepheus)
Teracube 2e
Xiaomi Mi 10T 5G / Mi 10T Pro 5G
Xiaomi Mi 10 Lite 5G
Sources
iodéOS: https://gitlab.com/iode/os
LineageOS: https://github.com/lineageos
device tree: https://gitlab.com/iode/os/public/devices/oneplus/device_oneplus_lemonade
https://gitlab.com/iode/os/public/devices/oneplus/device_oneplus_sm8350-common
kernel: http://github.com/LineageOS/android_kernel_oneplus_sm8350[/URL]
Bug Reporting
You can post a message in this thread or (preferred) open an issue here.
Credits
LineageOS is a free, community built, aftermarket firmware distribution of android, which is designed to increase performance and reliability over stock android for your device.
All the source code for LineageOS is available in the LineageOS Github repo. If you would like to contribute to LineageOS, please visit their Wiki for more details.
This ROM would be nothing without the tremendous work made on MicroG, and all the other open source apps that we included. We are very grateful to their authors.
Contributors
Direct contributors: @iodeOS, @vince31fr
Indirect contributors (too numerous to list): All the people that contributed to the device tree, to LineageOS, and to the included open source apps.
Sponsoring
You can help in the development of this ROM by paying us a coffee here: https://paypal.me/iodeOS.
Screenshots
Click to expand...
Click to collapse
there is no vendor_boot.img which is ranked 5th in the install configs. How can I be procured?
fastboot flash vendor_boot <recovery for OnePlus 9 | Recovery for OnePlus 9 Pro>
incesu571 said:
there is no vendor_boot.img which is ranked 5th in the install configs. How can I be procured?
fastboot flash vendor_boot <recovery for OnePlus 9 | Recovery for OnePlus 9 Pro>
Click to expand...
Click to collapse
It is the file containing 'recovery' in its name.