security/hakurei.app
security/hakurei.app
5
1
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 4 Wiki Activity

static: replace install
All checks were successful
Static / Flake checks (push) Successful in 21s
Details
Static / Create distribution (push) Successful in 44s
Details

Browse Source 
Also get rid of many unused pages and assets.
This commit is contained in:
Ophestra 2025-06-29 03:14:12 +09:00
parent ae2ce60893
commit ae9ca7d568
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
21 changed files with 53 additions and 2061 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
generate-sitemap.py
View File

@ -8,16 +8,11 @@ pages = [
["/", 0.5],
["/LICENSE.txt", 0.0],
["/build", 0.5],
["/camera-privacy-policy", 0.0],
["/contact", 0.5],
["/faq", 1.0],
["/package", 1.0],
["/hiring", 0.2],
["/humans.txt", 0.0],
["/pdfviewer-privacy-policy", 0.0],
["/install/", 0.5],
["/install/cli", 0.5],
["/install/web", 0.5],
["/install", 0.5],
["/usage", 1.0]
]

1
static/build.html
View File

@ -28,7 +28,6 @@
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="build" %}

66
static/camera-privacy-policy.html
View File

@ -1,66 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Camera privacy policy | GrapheneOS</title>
<meta name="description" content="Privacy policy for the GrapheneOS Camera app."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="Camera privacy policy"/>
<meta property="og:description" content="Privacy policy for the GrapheneOS Camera app."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/camera-privacy-policy"/>
<link rel="canonical" href="https://grapheneos.org/camera-privacy-policy"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% include "header.html" %}
<main id="camera-privacy-policy">
<h1><a href="#camera-privacy-policy">Camera privacy policy</a></h1>
<p>This app requires the Camera permission for the core functionality of the app. The
Microphone permission is optional and only requested when starting video recording
without disabling "Include Audio". Video can be recorded without granting Microphone
access as long as "Include Audio" is disabled. Geotagging is disabled by default and
enabling it will request the Location permission. The app doesn't require access to
your media or other files. It stores files to the profile's Media Store and requests
that they be placed in DCIM/Camera which doesn't require a permission. You can also
choose to change the directory which will have you choose a directory for it to use
via the system file manager.</p>
<p>This app implements the system camera intent interfaces enabling other apps to use
it to take pictures or record videos with explicit user consent. Only the resulting
image or video explicitly captured by the user is given to the app. On Android 11 and
later, only a system camera app can provide the system camera intents. This app is the
system camera app on GrapheneOS where it provides that functionality. The handling of
the intents is carefully designed to make it harder to trick users into accidentally
capturing an image by implementing a delay.</p>
<p>This app does not make any network connections and doesn't use any services. The
app will never include any analytics/telemetry or any form of data collection. No
connections will ever be made to a service without the user requesting it. It stores
settings internally and pictures/videos captured by the user in Android's media store
for the profile.</p>
<p>Unlike nearly any other QR/barcode scanning apps, QR/barcode scanning does not open
the resulting URL automatically.</p>
</main>
{% include "footer.html" %}
</body>
</html>

1
static/faq.html
View File

@ -28,7 +28,6 @@
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="faq" %}

86
static/hiring.html
View File

@ -1,86 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Hiring | GrapheneOS</title>
<meta name="description" content="GrapheneOS job opportunities."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS Hiring"/>
<meta property="og:description" content="GrapheneOS job opportunities."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/hiring"/>
<link rel="canonical" href="https://grapheneos.org/hiring"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% with current_page="hiring" %}
{% include "header.html" %}
{% endwith %}
<main id="hiring">
<h1><a href="#hiring">GrapheneOS Remote Developer</a></h1>
<p><strong>Location:</strong> Remote</p>
<p><strong>Position Type:</strong> Independent Contractor</p>
<p>We are seeking a highly skilled and self-directed developer to contribute to our open source project, someone who shares our passion for enhancing the privacy and security of mobile devices. The ideal candidate will have experience working with Android-based operating systems, the Linux kernel and its hardening, memory allocators, or extensive experience in Android app development. In this role, you will play a key role in the development and maintenance of our <a href="https://github.com/GrapheneOS">existing projects</a>, and will be expected to commit a minimum of 80 hours per month. The role will require a high level of autonomy and the ability to independently manage workloads.</p>
<section id="responsibilities">
<h2><a href="#responsibilities">Responsibilities</a></h2>
<ul>
<li>Manage a specific aspect of the project, such as the kernel, memory allocator, custom OS features, or apps like Vanadium, Auditor, Camera, PDFViewer. Your time will be spent improving them, porting them to new Android versions, reviewing code contributions etc.</li>
<li>Adhere to our development guidelines, available <a href="https://grapheneos.org/build#development-guidelines">here</a></li>
<li>Collaborate with the development team to address bugs, vulnerabilities, and performance issues</li>
</ul>
</section>
<section id="qualifications">
<h2><a href="#qualifications">Qualifications</a></h2>
<ul>
<li>Prior experience working on one or more of Android/AOSP-based operating systems, the Linux kernel and its hardening, memory allocators, or Android app development</li>
<li>Strong programming skills in relevant languages (in order from most to least common: Java, Kotlin, C++, C, Rust, JavaScript, TypeScript, arm64 assembly, Bash, Python)</li>
<li>Need to have enough experience to be comfortable to self direct workloads and submit finished features and fixes ready for review</li>
<li>Commitment to privacy and security principles</li>
<li>Ideally prior experience contributing to free and open source projects</li>
</ul>
</section>
<section id="time">
<h2><a href="#time">Time Commitment</a></h2>
<p>Must be able to commit to spending 80 hours or more a month, but we are extremely flexible about how you want to structure your working times. There is, however, a significant workload porting GrapheneOS forward when each new Android version is released. Having the capacity to focus and/or increase work hours during these periods is a great advantage.</p>
</section>
<section id="salary">
<h2><a href="#salary">Salary</a></h2>
<p>Salary and remuneration will be commensurate with experience and aligned with industry standards. You will be employed as an independent contractor.</p>
</section>
<section id="about">
<h2><a href="#about">About GrapheneOS</a></h2>
<p>GrapheneOS is a privacy and security-focused mobile OS with Android app compatibility developed as a non-profit open source project. It's focused on the research and development of privacy and security technology, including substantial improvements to sandboxing, exploit mitigations, and the permission model. It was founded in 2014 and was formerly known as CopperheadOS. In 2023, the GrapheneOS Foundation was established as a non-profit to help steward development over the long term.</p>
</section>
<section id="apply">
<h2><a href="#apply">How to Apply</a></h2>
<p>Send an email to <a href="mailto:hiring@grapheneos.org">hiring@grapheneos.org</a> with a description of your background and explain why you are interested in GrapheneOS. Additionally, please share any examples of relevant work or FOSS contributions.</p>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

1
static/index.html
View File

@ -26,7 +26,6 @@
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://port.mk/@hakurei"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="/" %}

50
static/install.html Normal file
View File

@ -0,0 +1,50 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Install | Hakurei</title>
<meta name="description" content="Installation instructions for Hakurei, a security-focused Linux container runtime for desktop applications."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta property="og:title" content="Hakurei installation"/>
<meta property="og:description" content="Installation instructions for Hakurei, a security-focused Linux container runtime for desktop applications."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://hakurei.app/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="Hakurei logo"/>
<meta property="og:site_name" content="Hakurei"/>
<meta property="og:url" content="https://hakurei.app/install/"/>
<link rel="canonical" href="https://hakurei.app/install/"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://port.mk/@hakurei"/>
</head>
<body>
{% with current_page="install" %}
{% include "header.html" %}
{% endwith %}
<main id="install">
<h1><a href="#install">Install</a></h1>
<p>Hakurei can be installed to almost any Linux-based operating system by running
<code>install.sh</code> from a release tarball found <a
href="https://git.gensokyo.uk/security/hakurei/releases" target="_blank">here</a>.
With that said, the current easiest method for using Hakurei with desktop apps would be
via the <a href="https://git.gensokyo.uk/security/hakurei/src/branch/master/options.md"
target="_blank">companion NixOS module</a>.</p>
<p>We strongly recommend using one of the official installation methods. Third party
installation guides tend to be out-of-date and often contain misguided advice and
errors.</p>
</main>
{% include "footer.html" %}
</body>
</html>

666
static/install/cli.html
View File

@ -1,666 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>CLI install guide | Install | GrapheneOS</title>
<meta name="description" content="Command-line installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS CLI install guide"/>
<meta property="og:description" content="Command-line installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/install/cli"/>
<link rel="canonical" href="https://grapheneos.org/install/cli"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
[[js|/js/redirect.js]]
</head>
<body>
{% include "header.html" %}
<main id="cli-install">
<h1><a href="#cli-install">CLI install guide</a></h1>
<p>This is a guide on installing GrapheneOS on the
<a href="/faq#supported-devices">officially supported devices</a>. It can be followed
for both the <a href="/releases">official releases</a> and <a href="/build">custom
builds</a>. The <a href="/install/web">web installer</a> is an
easier approach to installing the official releases via a browser with WebUSB
support.</p>
<p>We strongly recommend following these official instructions. The official guide has
a lot of collaborative effort put into covering all of the edge cases and is regularly
tested by many people on each supported OS. Following these instructions to the letter
without skipping, reordering or adding any steps will give you a proper GrapheneOS
installation unless there's a hardware issue. We strongly recommend against following
unofficial guides deviating in any way from the official instructions.</p>
<p>If you have trouble with the installation process, ask for help on the
<a href="/contact#community">official GrapheneOS chat channel</a>. There are almost
always people around willing to help with it. Before asking for help, make an attempt
to follow the guide on your own and then ask for help with anything you get stuck
on.</p>
<nav id="table-of-contents">
<h2><a href="#table-of-contents">Table of contents</a></h2>
<ul>
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></li>
<li><a href="#opening-terminal">Opening terminal</a></li>
<li>
<a href="#obtaining-fastboot">Obtaining fastboot</a>
<ul>
<li><a href="#standalone-platform-tools">Standalone platform-tools</a></li>
</ul>
</li>
<li><a href="#checking-fastboot-version">Checking fastboot version</a></li>
<li><a href="#flashing-as-non-root">Flashing as non-root</a></li>
<li><a href="#working-around-fwupd-bugs-on-linux-distributions">Working around fwupd bugs on Linux distributions</a></li>
<li><a href="#booting-into-the-bootloader-interface">Booting into the bootloader interface</a></li>
<li><a href="#connecting-device">Connecting the device</a></li>
<li><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></li>
<li><a href="#obtaining-openssh">Obtaining OpenSSH</a></li>
<li><a href="#obtaining-factory-images">Obtaining factory images</a></li>
<li>
<a href="#flashing-factory-images">Flashing factory images</a>
<ul>
<li><a href="#troubleshooting">Troubleshooting</a></li>
</ul>
</li>
<li><a href="#locking-the-bootloader">Locking the bootloader</a></li>
<li>
<a href="#post-installation">Post-installation</a>
<ul>
<li><a href="#booting">Booting</a></li>
<li><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></li>
<li>
<a href="#verifying-installation">Verifying installation</a>
<ul>
<li><a href="#verified-boot-key-hash">Verified boot key hash</a></li>
<li><a href="#hardware-based-attestation">Hardware-based attestation</a></li>
</ul>
</li>
<li><a href="#further-information">Further information</a></li>
<li><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></li>
</ul>
</li>
</ul>
</nav>
<section id="prerequisites">
<h2><a href="#prerequisites">Prerequisites</a></h2>
<p>You need a computer for running the CLI install process with at least 2GB of free
memory available and 32GB of free storage space. The web installer can be run on an
Android phone or tablet, unlike the command-line installation.</p>
<p>You need a USB cable for attaching the device to the computer performing the
installation. Whenever possible, use the high quality standards compliant USB-C
cable packaged with the device. If your computer doesn't have any USB-C ports,
you'll need a high quality USB-C to USB-A cable. You should avoid using a USB hub
such as the front panel on a desktop computer case. Connect directly to a rear port
on a desktop or the ports on a laptop. Many widely distributed USB cables and hubs
are broken and are the most common source of issues for installing GrapheneOS.</p>
<p>Installing from an OS in a virtual machine is not recommended. USB passthrough
is often not reliable. To rule out these problems, install from an OS running on
bare metal. Virtual machines are also often configured to have overly limited
memory and storage space.</p>
<p>Officially supported operating systems for the CLI install method:</p>
<ul>
<li>Windows 10</li>
<li>Windows 11</li>
<li>macOS Ventura (13)</li>
<li>macOS Sonoma (14)</li>
<li>macOS Sequoia (15)</li>
<li>Arch Linux</li>
<li>Debian 11 (bullseye)</li>
<li>Debian 12 (bookworm)</li>
<li>Ubuntu 20.04 LTS</li>
<li>Ubuntu 22.04 LTS</li>
<li>Ubuntu 24.04 LTS</li>
<li>Ubuntu 24.10</li>
<li>Linux Mint 20 (follow Ubuntu 20.04 LTS instructions)</li>
<li>Linux Mint 21 (follow Ubuntu 22.04 LTS instructions)</li>
<li>Linux Mint 22 (follow Ubuntu 24.04 LTS instructions)</li>
<li>Linux Mint Debian Edition 6 (follow Debian 12 instructions)</li>
</ul>
<p>Make sure your operating system is up-to-date before proceeding.</p>
<p>The <a href="/install/web">web installer</a> is more portable and can be used
from Android, ChromeOS and GrapheneOS itself since it can run anywhere with a
browser with working WebUSB support.</p>
<p>You need one of the <a href="/faq#supported-devices">officially supported
devices</a>. To make sure that the device can be unlocked to install GrapheneOS,
avoid carrier variants of the devices. Carrier variants of Pixels use the same stock
OS and firmware with a non-zero carrier id flashed onto the persist partition in the
factory. The carrier id activates carrier-specific configuration in the stock OS
including disabling carrier and bootloader unlocking. The carrier may be able to
remotely disable this, but their support staff may not be aware and they probably
won't do it. Get a carrier agnostic device to avoid the risk and potential hassle.
If you CAN figure out a way to unlock a carrier device, it isn't a problem as
GrapheneOS can just ignore the carrier id and the hardware is the same.</p>
<p>It's best practice to update the device before installing GrapheneOS to have
the latest firmware for connecting the device to the computer and performing the
early flashing process. Either way, GrapheneOS flashes the latest firmware early
in the installation process.</p>
</section>
<section id="enabling-oem-unlocking">
<h2><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></h2>
<p>OEM unlocking needs to be enabled from within the operating system.</p>
<p>Enable the developer options menu by going to <b>Settings&#160;<span
aria-label="and then">></span> About phone/tablet</b> and repeatedly
pressing the <b>Build number</b> menu entry until developer mode is enabled.</p>
<p>Next, go to <b>Settings&#160;<span aria-label="and then">></span>
System&#160;<span aria-label="and then">></span> Developer options</b> and
toggle on the <b>OEM unlocking</b> setting. On device model variants (SKUs) which
support being sold as locked devices by carriers, enabling <b>OEM unlocking</b>
requires internet access so that the stock OS can check if the device was sold as
locked by a carrier.</p>
<p>For the Pixel 6a, OEM unlocking won't work with the version of the stock OS
from the factory. You need to update it to the June 2022 release or later via an
over-the-air update. After you've updated it you'll also need to factory reset
the device to fix OEM unlocking.</p>
</section>
<section id="opening-terminal">
<h2><a href="#opening-terminal">Opening terminal</a></h2>
<p>These instructions use command-line tools. Launch the terminal as you would any
other application. On Windows, launch a regular non-administrator instance of the
PowerShell terminal. Do not use the legacy Command Prompt or administrator variant
of PowerShell.</p>
<p>Use the same terminal for the whole installation process. If you close it,
you'll lose the setup of the environment for the installation.</p>
<p>On Windows, run the following command to remove PowerShell's legacy curl alias
for the current shell to avoid needing to reference it as <code>curl.exe</code>
instead of <code>curl</code>:</p>
<pre>Remove-Item Alias:Curl</pre>
</section>
<section id="obtaining-fastboot">
<h2><a href="#obtaining-fastboot">Obtaining fastboot</a></h2>
<p>You need an updated copy of the <code>fastboot</code> tool and the
directory containing it needs to be included in the <code>PATH</code>
environment variable. You can run <code>fastboot --version</code> to determine
the current version. It must be at least <code>35.0.1</code>. You can use a
distribution package for this, but most of them mistakenly package development
snapshots of fastboot, clobber the standard version scheme for platform-tools
(adb, fastboot, etc.) with their own scheme and don't keep it up-to-date
despite that being crucial.</p>
<p>On Arch Linux, install <code>android-tools</code> and skip the section below on
using the standalone release of platform-tools from Android:</p>
<pre>sudo pacman -S android-tools</pre>
<p>Debian and Ubuntu do not have a usable package for fastboot. Their packages for
these tools are both broken and many years out-of-date. Follow the instructions
below for platforms without a proper package.</p>
<section id="standalone-platform-tools">
<h3><a href="#standalone-platform-tools">Standalone platform-tools</a></h3>
<!-- https://developer.android.com/studio/releases/platform-tools -->
<p>If your operating system doesn't include a usable version of fastboot,
you can use the official standalone releases of platform-tools. This is
our recommendation for most users. The flashing process won't work unless
you follow these instructions including setting up PATH.</p>
<p>To download, verify and extract the standalone platform-tools on Debian and
Ubuntu:</p>
<pre>sudo apt install libarchive-tools
curl -O https://dl.google.com/android/repository/platform-tools_r35.0.2-linux.zip
echo 'acfdcccb123a8718c46c46c059b2f621140194e5ec1ac9d81715be3d6ab6cd0a platform-tools_r35.0.2-linux.zip' | sha256sum -c
bsdtar xvf platform-tools_r35.0.2-linux.zip</pre>
<p>To download, verify and extract the standalone platform-tools on macOS:</p>
<pre>curl -O https://dl.google.com/android/repository/platform-tools_r35.0.2-darwin.zip
echo 'SHA256 (platform-tools_r35.0.2-darwin.zip) = 1820078db90bf21628d257ff052528af1c61bb48f754b3555648f5652fa35d78' | shasum -c
tar xvf platform-tools_r35.0.2-darwin.zip</pre>
<p>To download, verify and extract the standalone platform-tools on Windows:</p>
<pre>curl -O https://dl.google.com/android/repository/platform-tools_r35.0.2-win.zip
(Get-FileHash platform-tools_r35.0.2-win.zip).hash -eq "2975a3eac0b19182748d64195375ad056986561d994fffbdc64332a516300bb9"
tar xvf platform-tools_r35.0.2-win.zip</pre>
<p>Next, add the tools to your <code>PATH</code> in the current shell so they can be
used without referencing them by file path, enabling usage by the flashing script.</p>
<p>On Debian, Ubuntu and macOS:</p>
<pre>export PATH="$PWD/platform-tools:$PATH"</pre>
<p>On Windows:</p>
<pre>$env:Path = "$pwd\platform-tools;$env:Path"</pre>
<p>This only changes <code>PATH</code> for the current shell and will need
to be done again if you open a new terminal.</p>
</section>
</section>
<section id="checking-fastboot-version">
<h2><a href="#checking-fastboot-version">Checking fastboot version</a></h2>
<p>Check the output of <code>fastboot --version</code> before continuing.</p>
<p>Example of the output after following the instructions above for the
standalone platform-tools:</p>
<pre>fastboot version 35.0.2-12147458
Installed as /home/username/platform-tools/fastboot</pre>
</section>
<section id="flashing-as-non-root">
<h2><a href="#flashing-as-non-root">Flashing as non-root</a></h2>
<p>On traditional Linux distributions, USB devices cannot be used as non-root
without udev rules for each type of device. This is not an issue for other
platforms.</p>
<p>On Arch Linux:</p>
<pre>sudo pacman -S android-udev</pre>
<p>On Debian and Ubuntu:</p>
<pre>sudo apt install android-sdk-platform-tools-common</pre>
<p>The udev rules on Debian and Ubuntu are very out-of-date but the package has
the rules needed for Pixel devices since the same USB IDs have been used for many
years.</p>
</section>
<section id="working-around-fwupd-bugs-on-linux-distributions">
<h2><a href="#working-around-fwupd-bugs-on-linux-distributions">Working around fwupd bugs on Linux distributions</a></h2>
<p>The fwupd software often used on Linux distributions for updating firmware is
known to incorrectly connect to arbitrary devices using the fastboot protocol which
will block using them for the intended purpose. This can result in receiving an
error about the USB device already being in use (claimed) when trying to connect to
it for the intended purpose.</p>
<p>You can stop fwupd with the following command:</p>
<pre>sudo systemctl stop fwupd.service</pre>
<p>This doesn't disable the service and it will start again on reboot.</p>
</section>
<section id="booting-into-the-bootloader-interface">
<h2><a href="#booting-into-the-bootloader-interface">Booting into the bootloader interface</a></h2>
<p>You need to boot your device into the bootloader interface. To do this, you need
to hold the volume down button while the device boots.</p>
<p>The easiest approach is to reboot the device and begin holding the volume down
button until it boots up into the bootloader interface.</p>
<p>Alternatively, turn off the device, then boot it up while holding the volume
down button during the boot process. You can either boot it with the power button
or by plugging it in as required in the next section.</p>
<p>This step is not complete until your device displays a red warning triangle
and the words "Fastboot Mode". You must not press the device's power button
to activate the "Start" menu item, because the device must remain paused in
Fastboot mode for the <code>fastboot</code> command to connect to it.</p>
</section>
<section id="connecting-device">
<h2><a href="#connecting-device">Connecting the device</a></h2>
<p>Connect the device to the computer. On Linux, you'll need to do this again if
you didn't have the udev rules set up when you connected it.</p>
<p>Current Windows 10 and Windows 11 include a generic driver usable for fastboot
and no longer require installing a driver for installation on the Pixel 4a (5G) or
later. It isn't enough for legacy 4th generation Pixels due to the driver not
handling fastbootd, so you still need the driver for those. Outdated Windows
versions will still need the driver for non-obsolete devices too. You can obtain the
driver from Windows Update which will detect it as an optional update when the
device is booted into the bootloader interface and connected to the computer. Open
Windows Update, run a check for updates and then open the "View optional updates"
interface. Install the driver for the Android bootloader interface as an optional
update, which will show up as "LeMobile Android Device" due to USB ID overlap. An
alternative approach to obtaining the Windows fastboot driver is to obtain the <a
href="https://developer.android.com/studio/run/win-usb">latest driver for
Pixels</a> from Google and then <a href="https://developer.android.com/studio/run/oem-usb#InstallingDriver">manually
install it with the Windows Device Manager</a>.</p>
<p>For the Pixel Tablet, disconnect it from the stand before continuing. The stand
uses USB to provide charging and audio output, but the tablet lacks support for
using both the stand and USB port at the same time.</p>
</section>
<section id="unlocking-the-bootloader">
<h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
<p>Unlock the bootloader to allow flashing the OS and firmware:</p>
<pre>fastboot flashing unlock</pre>
<p>The command needs to be confirmed on the device and will wipe all data. Use one
of the volume buttons to switch the selection to accepting it and the power button
to confirm.</p>
</section>
<section id="obtaining-openssh">
<h2><a href="#obtaining-openssh">Obtaining openssh</a></h2>
<p>OpenSSH is used to verify the download of the OS beyond the security offered by
HTTPS.</p>
<p>macOS and Windows include OpenSSH in their base install so this isn't needed.</p>
<p>On Arch Linux:</p>
<pre>sudo pacman -S openssh</pre>
<p>On Debian and Ubuntu:</p>
<pre>sudo apt install openssh-client</pre>
</section>
<section id="obtaining-factory-images">
<h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
<p>You need to obtain the GrapheneOS factory images for your device to proceed with
the installation process.</p>
<p>You can either download the files with your browser or using a command like
<code>curl</code>. It's generally easier to use the command-line since you're already
using it for the rest of the installation process, so these instructions use
<code>curl</code>.</p>
<p>Download <a href="https://releases.grapheneos.org/allowed_signers">the factory images
public key (allowed_signers)</a> in order to verify the factory images:</p>
<pre>curl -O https://releases.grapheneos.org/allowed_signers</pre>
<p>This is the content of <code>allowed_signers</code>:</p>
<pre>contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE</pre>
<p>Other locations to obtain the signing key:</p>
<ul>
<li><a href="https://bsky.app/profile/grapheneos.org/post/3kleyygkptm2x">Bluesky</a></li>
<li><a href="https://x.com/GrapheneOS/status/1757758688952009209">Twitter</a></li>
<li><a href="https://github.com/GrapheneOS/releases.grapheneos.org/blob/main/static/allowed_signers">GitHub</a></li>
</ul>
<p>When the current signing key is replaced, the new key will be signed with it.</p>
<p>Download the factory images for the device from <a href="/releases">the releases
page</a>. For example, to download the <code><var>VERSION</var></code> release for
a device with the codename <code><var>DEVICE_NAME</var></code>:</p>
<pre>curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip
curl -O https://releases.grapheneos.org/<var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip.sig</pre>
<p>Next, verify the factory images using the signature.</p>
<p>On Linux and macOS:</p>
<pre>ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s <var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip.sig &lt; <var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip</pre>
<p>On Windows:</p>
<pre>cmd /c 'ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s <var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip.sig &lt; <var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip'</pre>
<p>This will produce the following output when successful:</p>
<pre>Good "factory images" signature for contact@grapheneos.org with ED25519 key SHA256:AhgHif0mei+9aNyKLfMZBh2yptHdw/aN7Tlh/j2eFwM</pre>
</section>
<section id="flashing-factory-images">
<h2><a href="#flashing-factory-images">Flashing factory images</a></h2>
<p>The initial install will be performed by flashing the factory images. This will
replace the existing OS installation and wipe all the existing data.</p>
<p>Next, extract the factory images.</p>
<p>On Linux:</p>
<pre>bsdtar xvf <var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip</pre>
<p>On macOS and Windows:</p>
<pre>tar xvf <var>DEVICE_NAME</var>-install-<var>VERSION</var>.zip</pre>
<p>Move into the directory:</p>
<pre>cd <var>DEVICE_NAME</var>-install-<var>VERSION</var></pre>
<p>Flash the images with the flash-all script in the directory.</p>
<p>On Linux and macOS:</p>
<pre>bash flash-all.sh</pre>
<p>On Windows:</p>
<pre>./flash-all.bat</pre>
<p>Wait for the flashing process to complete. It will automatically handle
flashing the firmware, rebooting into the bootloader interface and flashing the OS.
Avoid interacting with the device until the flashing script is finished. Then,
proceed to <a href="#locking-the-bootloader">locking the bootloader</a> before using
the device as locking wipes the data again.</p>
<section id="troubleshooting">
<h3><a href="#troubleshooting">Troubleshooting</a></h3>
<p>The text output from a failed attempt at flashing will contain valuable
diagnostic information which is essential in knowing where and how the process
went wrong. Please provide this information when asking for help on the
<a href="/contact#community">GrapheneOS chat room</a>.</p>
<p>A common issue on Linux distributions is that they mount the default temporary file
directory <code>/tmp</code> as tmpfs which results in it being backed by memory and
swap rather than persistent storage. By default, the size is 50% of the available
virtual memory. This is often not enough for the flashing process, especially since
<code>/tmp</code> is shared between applications and users. To use a different
temporary directory if your <code>/tmp</code> doesn't have enough space available:</p>
<pre>mkdir tmp &amp;&amp; TMPDIR="$PWD/tmp" ./flash-all.sh</pre>
</section>
</section>
<section id="locking-the-bootloader">
<h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
<p>Locking the bootloader is important as it enables full verified boot. It also
prevents using fastboot to flash, format or erase partitions. Verified boot will
detect modifications to any of the OS partitions and it will prevent reading any
modified / corrupted data. If changes are detected, error correction data is used
to attempt to obtain the original data at which point it's verified again which
makes verified boot robust to non-malicious corruption.</p>
<p>In the bootloader interface, set it to locked:</p>
<pre>fastboot flashing lock</pre>
<p>The command needs to be confirmed on the device and will wipe all data. Use one
of the volume buttons to switch the selection to accepting it and the power button
to confirm.</p>
</section>
<section id="post-installation">
<h2><a href="#post-installation">Post-installation</a></h2>
<section id="booting">
<h3><a href="#booting">Booting</a></h3>
<p>You've now successfully installed GrapheneOS and can boot it. Pressing the
power button with the default Start option selected in the bootloader
interface will boot the OS.</p>
</section>
<section id="disabling-oem-unlocking">
<h3><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></h3>
<p>During first setup, the final screen will contain a toggle regarding OEM
unlocking which is checked by default. This will disable OEM unlocking, which is
recommended.</p>
<p>If you need to enable or disable OEM unlocking in the future, it can be done
in the developer settings menu within the operating system.</p>
</section>
<section id="verifying-installation">
<h3><a href="#verifying-installation">Verifying installation</a></h3>
<p>The verified boot and attestation features provided by the supported
devices can be used to verify that the hardware, firmware and GrapheneOS
installation are genuine. Even if the computer you used to flash GrapheneOS
was compromised and an attacker replaced GrapheneOS with their own malicious
OS, it can be detected with these features.</p>
<p>Verified boot verifies the entirety of the firmware and OS images on every
boot. The public key for the firmware images is burned into fuses in the SoC at
the factory. Firmware security updates also update the rollback index burned
into fuses to provide rollback protection.</p>
<p>The final firmware boot stage before the OS is responsible for verifying
it. For the stock OS, it uses a hard-wired public key. Installing GrapheneOS
flashes the GrapheneOS verified boot public key to the secure element. Each
boot, this key is loaded and used to verify the OS. For both the stock OS and
GrapheneOS, a rollback index based on the security patch level is loaded from
the secure element to provide rollback protection.</p>
<section id="verified-boot-key-hash">
<h3><a href="#verified-boot-key-hash">Verified boot key hash</a></h3>
<p>When loading an alternate OS, the device shows a yellow notice on boot
with the ID of the alternate OS based on the sha256 of the verified boot
public key. 4th and 5th generation Pixels only show the first 32 bits of
the hash so you can't use this approach. 6th generation Pixels onwards
show the full hash and you can compare it against the official GrapheneOS
verified boot key hashes below:</p>
<ul>
<li>Pixel 9a: <code>0508de44ee00bfb49ece32c418af1896391abde0f05b64f41bc9a2dfb589445b</code></li>
<li>Pixel 9 Pro Fold: <code>af4d2c6e62be0fec54f0271b9776ff061dd8392d9f51cf6ab1551d346679e24c</code></li>
<li>Pixel 9 Pro XL: <code>55d3c2323db91bb91f20d38d015e85112d038f6b6b5738fe352c1a80dba57023</code></li>
<li>Pixel 9 Pro: <code>f729cab861da1b83fdfab402fc9480758f2ae78ee0b61c1f2137dd1ab7076e86</code></li>
<li>Pixel 9: <code>9e6a8f3e0d761a780179f93acd5721ba1ab7c8c537c7761073c0a754b0e932de</code></li>
<li>Pixel 8a: <code>096b8bd6d44527a24ac1564b308839f67e78202185cbff9cfdcb10e63250bc5e</code></li>
<li>Pixel 8 Pro: <code>896db2d09d84e1d6bb747002b8a114950b946e5825772a9d48ba7eb01d118c1c</code></li>
<li>Pixel 8: <code>cd7479653aa88208f9f03034810ef9b7b0af8a9d41e2000e458ac403a2acb233</code></li>
<li>Pixel Fold: <code>ee0c9dfef6f55a878538b0dbf7e78e3bc3f1a13c8c44839b095fe26dd5fe2842</code></li>
<li>Pixel Tablet: <code>94df136e6c6aa08dc26580af46f36419b5f9baf46039db076f5295b91aaff230</code></li>
<li>Pixel 7a: <code>508d75dea10c5cbc3e7632260fc0b59f6055a8a49dd84e693b6d8899edbb01e4</code></li>
<li>Pixel 7 Pro: <code>bc1c0dd95664604382bb888412026422742eb333071ea0b2d19036217d49182f</code></li>
<li>Pixel 7: <code>3efe5392be3ac38afb894d13de639e521675e62571a8a9b3ef9fc8c44fd17fa1</code></li>
<li>Pixel 6a: <code>08c860350a9600692d10c8512f7b8e80707757468e8fbfeea2a870c0a83d6031</code></li>
<li>Pixel 6 Pro: <code>439b76524d94c40652ce1bf0d8243773c634d2f99ba3160d8d02aa5e29ff925c</code></li>
<li>Pixel 6: <code>f0a890375d1405e62ebfd87e8d3f475f948ef031bbf9ddd516d5f600a23677e8</code></li>
</ul>
<p>Checking this is useful after installation, but you don't need to check
it manually for verified boot to work. The verified boot public key
flashed to the secure element can only be changed when the device is
unlocked. Unlocking the device performs the same wiping of the secure
element as a factory reset and prevents data from being recovered even if
the SSD was cloned and your passphrase(s) are obtained because the
encryption keys can no longer be derived anymore. The verified boot key is
also one of the inputs for deriving the encryption keys in addition to the
user's lock method(s) and random token(s) on the secure element.</p>
</section>
<section id="hardware-based-attestation">
<h3><a href="#hardware-based-attestation">Hardware-based attestation</a></h3>
<p>GrapheneOS provides our Auditor app for using a combination of the
verified boot and attestation features to verify that the hardware,
firmware and operating system are genuine along with providing other
useful data from the hardware and operating system.</p>
<p>Since the purpose of Auditor is to obtain information about the device
without trusting it to be honest, results aren't shown on the device being
verified. You need a 2nd Android device running Auditor for local QR code
based verification. You can also use our optional device integrity
monitoring service for automatic scheduled verifications with support for
email alerts.</p>
<p>See the <a href="https://attestation.app/tutorial">Auditor tutorial</a>
for a guide.</p>
<p>Auditor is primarily based on a pairing model where it generates a
hardware backed signing key and hardware backed attestation signing key
and pins them as part of the initial verification. The first verification
is bootstrapped based on chaining trust to one of the Android attestation
roots. After the first verification, it provides a highly secure system
for obtaining information about the device going forward. An attacker
could bypass the initial verification with a leaked attestation key or by
proxying to another device with the device model, OS and patch level that
the user is expecting. Proxying to another device will be addressed in the
future with optional support for the hardware serial number attestation
feature.</p>
</section>
</section>
<section id="further-information">
<h3><a href="#further-information">Further information</a></h3>
<p>Please look through the <a href="/usage">usage guide</a> and
<a href="/faq">FAQ</a> for more information. If you have further questions not
covered by the site, join the <a href="/contact#community">official GrapheneOS
chat channels</a> and ask the questions in the appropriate channel.</p>
</section>
<section id="replacing-grapheneos-with-the-stock-os">
<h3><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></h3>
<p>Installation of the stock OS via the stock factory images is the same process
described above. However, before flashing and locking, there's an additional step
to fully revert the device to a clean factory state.</p>
<p>The GrapheneOS factory images flash a non-stock Android Verified Boot key which
needs to be erased to fully revert back to a stock device state. Before flashing the
stock factory images, you should boot the device into fastboot mode and make sure the
bootloader is unlocked. Then erase the custom Android Verified Boot key to untrust it:</p>
<pre>fastboot erase avb_custom_key</pre>
</section>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

63
static/install/index.html
View File

@ -1,63 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Install | GrapheneOS</title>
<meta name="description" content="Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS installation"/>
<meta property="og:description" content="Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/install/"/>
<link rel="canonical" href="https://grapheneos.org/install/"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="install" %}
{% include "header.html" %}
{% endwith %}
<main id="install">
<h1><a href="#install">Install</a></h1>
<p>GrapheneOS has two officially supported installation methods. You can either use
the <a href="/install/web">WebUSB-based installer</a> recommended for most users or
the <a href="/install/cli">command-line installation guide</a> aimed at more technical
users.</p>
<p>We strongly recommend using one of the official installation methods. Third party
installation guides tend to be out-of-date and often contain misguided advice and
errors.</p>
<p>If you have trouble with the installation process, ask for help on the
<a href="/contact#community">official GrapheneOS chat channel</a>. There are almost
always people around willing to help with it. Before asking for help, make an attempt
to follow the guide on your own and then ask for help with anything you get stuck
on.</p>
<p>The command-line approach requires being on an OS with proper fastboot and OpenSSH
packages, along with understanding the process enough to avoid blindly trusting the
instructions from our site. The web-based installation approach avoids needing any
software beyond a browser with WebUSB support and you can still avoid trusting our
server infrastructure by checking the verified boot key hash.</p>
</main>
{% include "footer.html" %}
</body>
</html>

489
static/install/web.html
View File

@ -1,489 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Web installer | Install | GrapheneOS</title>
<meta name="description" content="Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS web installer"/>
<meta property="og:description" content="Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/install/web"/>
<link rel="canonical" href="https://grapheneos.org/install/web"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
[[js|/js/redirect.js]]
<script type="module" src="/js/fastboot/ffe7e270/fastboot.min.mjs" integrity="sha256-/TM74wkIOUV1rXRSGlzJPb4ZjBA52fzUW3aSypxxtwc="></script>
[[js|/js/web-install.js]]
</head>
<body>
{% include "header.html" %}
<main id="web-install">
<h1><a href="#web-install">Web installer</a></h1>
<p>This is the WebUSB-based installer for GrapheneOS and is the recommended approach
for most users. The <a href="/install/cli">command-line installation guide</a> is the
more traditional approach to installing GrapheneOS.</p>
<p>If you have trouble with the installation process, ask for help on the
<a href="/contact#community">official GrapheneOS chat channel</a>. There are almost
always people around willing to help with it. Before asking for help, make an attempt
to follow the guide on your own and then ask for help with anything you get stuck
on.</p>
<nav id="table-of-contents">
<h2><a href="#table-of-contents">Table of contents</a></h2>
<ul>
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></li>
<li><a href="#flashing-as-non-root">Flashing as non-root</a></li>
<li><a href="#working-around-fwupd-bugs-on-linux-distributions">Working around fwupd bugs on Linux distributions</a></li>
<li><a href="#booting-into-the-bootloader-interface">Booting into the bootloader interface</a></li>
<li><a href="#connecting-device">Connecting the device</a></li>
<li><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></li>
<li><a href="#obtaining-factory-images">Obtaining factory images</a></li>
<li><a href="#flashing-factory-images">Flashing factory images</a></li>
<li><a href="#locking-the-bootloader">Locking the bootloader</a></li>
<li>
<a href="#post-installation">Post-installation</a>
<ul>
<li><a href="#booting">Booting</a></li>
<li><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></li>
<li>
<a href="#verifying-installation">Verifying installation</a>
<ul>
<li><a href="#verified-boot-key-hash">Verified boot key hash</a></li>
<li><a href="#hardware-based-attestation">Hardware-based attestation</a></li>
</ul>
</li>
<li><a href="#further-information">Further information</a></li>
<li><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></li>
</ul>
</li>
</ul>
</nav>
<section id="prerequisites">
<h2><a href="#prerequisites">Prerequisites</a></h2>
<p>You need a computer for running the web installer with at least 2GB of free
memory available and 32GB of free storage space. The web installer can be run on an
Android phone or tablet, unlike the command-line installation.</p>
<p>You need a USB cable for attaching the device to the computer performing the
installation. Whenever possible, use the high quality standards compliant USB-C
cable packaged with the device. If your computer doesn't have any USB-C ports,
you'll need a high quality USB-C to USB-A cable. You should avoid using a USB hub
such as the front panel on a desktop computer case. Connect directly to a rear port
on a desktop or the ports on a laptop. Many widely distributed USB cables and hubs
are broken and are the most common source of issues for installing GrapheneOS.</p>
<p>Installing from an OS in a virtual machine is not recommended. USB passthrough
is often not reliable. To rule out these problems, install from an OS running on
bare metal. Virtual machines are also often configured to have overly limited
memory and storage space.</p>
<p>Officially supported operating systems for the web install method:</p>
<ul>
<li>Windows 10</li>
<li>Windows 11</li>
<li>macOS Ventura (13)</li>
<li>macOS Sonoma (14)</li>
<li>macOS Sequoia (15)</li>
<li>Arch Linux</li>
<li>Debian 11 (bullseye)</li>
<li>Debian 12 (bookworm)</li>
<li>Ubuntu 20.04 LTS</li>
<li>Ubuntu 22.04 LTS</li>
<li>Ubuntu 24.04 LTS</li>
<li>Ubuntu 24.10</li>
<li>Linux Mint 20 (follow Ubuntu 20.04 LTS instructions)</li>
<li>Linux Mint 21 (follow Ubuntu 22.04 LTS instructions)</li>
<li>Linux Mint 22 (follow Ubuntu 24.04 LTS instructions)</li>
<li>Linux Mint Debian Edition 6 (follow Debian 12 instructions)</li>
<li>ChromeOS</li>
<li>GrapheneOS</li>
<li>Android 12 with Play Protect certification</li>
<li>Android 13 with Play Protect certification</li>
<li>Android 14 with Play Protect certification</li>
<li>Android 15 with Play Protect certification</li>
</ul>
<p>Make sure your operating system is up-to-date before proceeding.</p>
<p>Officially supported browsers for the web install method:</p>
<ul>
<li>Chromium (outside Ubuntu, since they ship a broken Snap package without working WebUSB)</li>
<li>Vanadium (GrapheneOS)</li>
<li>Google Chrome</li>
<li>Microsoft Edge</li>
<li>Brave (with Brave Shields disabled, since it caps storage usage at a low value to avoid fingerprinting available storage)</li>
</ul>
<p>On Android, disable desktop mode for the browser since it currently prevents our
web installer from detecting Android and handling needing to request permission to
reconnect to the device after each reboot. Desktop mode is enabled by default on
large tablets with at least 8GB of RAM such as the Pixel Tablet.</p>
<p>You should avoid Flatpak and Snap versions of browsers, as they're known to cause issues during the installation process.</p>
<p>Make sure your browser is up-to-date before proceeding.</p>
<p>Do not use Incognito or other private browsing modes. These modes usually
prevent the web installer from having enough storage space to extract the
downloaded release.</p>
<p>You need one of the <a href="/faq#supported-devices">officially supported
devices</a>. To make sure that the device can be unlocked to install GrapheneOS,
avoid carrier variants of the devices. Carrier variants of Pixels use the same stock
OS and firmware with a non-zero carrier id flashed onto the persist partition in the
factory. The carrier id activates carrier-specific configuration in the stock OS
including disabling carrier and bootloader unlocking. The carrier may be able to
remotely disable this, but their support staff may not be aware and they probably
won't do it. Get a carrier agnostic device to avoid the risk and potential hassle.
If you CAN figure out a way to unlock a carrier device, it isn't a problem as
GrapheneOS can just ignore the carrier id and the hardware is the same.</p>
<p>It's best practice to update the device before installing GrapheneOS to have
the latest firmware for connecting the device to the computer and performing the
early flashing process. Either way, GrapheneOS flashes the latest firmware early
in the installation process.</p>
</section>
<section id="enabling-oem-unlocking">
<h2><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></h2>
<p>OEM unlocking needs to be enabled from within the operating system.</p>
<p>Enable the developer options menu by going to <b>Settings&#160;<span
aria-label="and then">></span> About phone/tablet</b> and repeatedly
pressing the <b>Build number</b> menu entry until developer mode is enabled.</p>
<p>Next, go to <b>Settings&#160;<span aria-label="and then">></span>
System&#160;<span aria-label="and then">></span> Developer options</b> and
toggle on the <b>OEM unlocking</b> setting. On device model variants (SKUs) which
support being sold as locked devices by carriers, enabling <b>OEM unlocking</b>
requires internet access so that the stock OS can check if the device was sold as
locked by a carrier.</p>
<p>For the Pixel 6a, OEM unlocking won't work with the version of the stock OS
from the factory. You need to update it to the June 2022 release or later via an
over-the-air update. After you've updated it you'll also need to factory reset
the device to fix OEM unlocking.</p>
</section>
<section id="flashing-as-non-root">
<h2><a href="#flashing-as-non-root">Flashing as non-root</a></h2>
<p>On traditional Linux distributions, USB devices cannot be used as non-root
without udev rules for each type of device. This is not an issue for other
platforms.</p>
<p>On Arch Linux, install the <code>android-udev</code> package. On Debian and
Ubuntu, install the <code>android-sdk-platform-tools-common</code> package.</p>
</section>
<section id="working-around-fwupd-bugs-on-linux-distributions">
<h2><a href="#working-around-fwupd-bug-on-linux-distributions">Working around fwupd bugs on Linux distributions</a></h2>
<p>The fwupd software often used on Linux distributions for updating firmware is
known to incorrectly connect to arbitrary devices using the fastboot protocol which
will block using them for the intended purpose. This can result in receiving an
error about the USB device already being in use (claimed) when trying to connect to
it for the intended purpose.</p>
<p>You can stop fwupd with the following command:</p>
<pre>sudo systemctl stop fwupd.service</pre>
<p>This doesn't disable the service and it will start again on reboot.</p>
</section>
<section id="booting-into-the-bootloader-interface">
<h2><a href="#booting-into-the-bootloader-interface">Booting into the bootloader interface</a></h2>
<p>You need to boot your device into the bootloader interface. To do this, you need
to hold the volume down button while the device boots.</p>
<p>The easiest approach is to reboot the device and begin holding the volume down
button until it boots up into the bootloader interface.</p>
<p>Alternatively, turn off the device, then boot it up while holding the volume
down button during the boot process. You can either boot it with the power button
or by plugging it in as required in the next section.</p>
<p>This step is not complete until your device displays a red warning triangle
and the words "Fastboot Mode". You must not press the device's power button
to activate the "Start" menu item, because the device must remain paused in
Fastboot mode for the installer to connect to it.</p>
</section>
<section id="connecting-device">
<h2><a href="#connecting-device">Connecting the device</a></h2>
<p>Connect the device to the computer. On Linux, you'll need to do this again if
you didn't have the udev rules set up when you connected it.</p>
<p>Current Windows 10 and Windows 11 include a generic driver usable for fastboot
and no longer require installing a driver for installation on the Pixel 4a (5G) or
later. It isn't enough for legacy 4th generation Pixels due to the driver not
handling fastbootd, so you still need the driver for those. Outdated Windows
versions will still need the driver for non-obsolete devices too. You can obtain the
driver from Windows Update which will detect it as an optional update when the
device is booted into the bootloader interface and connected to the computer. Open
Windows Update, run a check for updates and then open the "View optional updates"
interface. Install the driver for the Android bootloader interface as an optional
update, which will show up as "LeMobile Android Device" due to USB ID overlap. An
alternative approach to obtaining the Windows fastboot driver is to obtain the <a
href="https://developer.android.com/studio/run/win-usb">latest driver for
Pixels</a> from Google and then <a href="https://developer.android.com/studio/run/oem-usb#InstallingDriver">manually
install it with the Windows Device Manager</a>.</p>
<p>For the Pixel Tablet, disconnect it from the stand before continuing. The stand
uses USB to provide charging and audio output, but the tablet lacks support for
using both the stand and USB port at the same time.</p>
</section>
<section id="unlocking-the-bootloader">
<h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
<p>Unlock the bootloader to allow flashing the OS and firmware:</p>
<button id="unlock-bootloader-button" disabled="">Unlock bootloader</button>
<p>The command needs to be confirmed on the device and will wipe all data. Use one
of the volume buttons to switch the selection to accepting it and the power button to
confirm.</p>
<p><strong id="unlock-bootloader-status"></strong></p>
</section>
<section id="obtaining-factory-images">
<h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
<p>You need to obtain the GrapheneOS factory images for your device to proceed with
the installation process.</p>
<p>Press the button below to start the download:</p>
<button id="download-release-button" disabled="">Download release</button>
<p id="download-release-status-container" hidden="hidden">
<strong id="download-release-status"></strong>
<br/>
<progress id="download-release-progress" hidden="hidden" max="1" value="0"></progress>
</p>
</section>
<section id="flashing-factory-images">
<h2><a href="#flashing-factory-images">Flashing factory images</a></h2>
<p>The initial install will be performed by flashing the factory images. This will
replace the existing OS installation and wipe all the existing data.</p>
<button id="flash-release-button" disabled="">Flash release</button>
<p>Wait for the flashing process to complete. It will automatically handle
flashing the firmware, rebooting into the bootloader interface and flashing the OS.
Avoid interacting with the device until the flashing script is finished. Then,
proceed to <a href="#locking-the-bootloader">locking the bootloader</a> before using
the device as locking wipes the data again.</p>
<p id="flash-release-status-container" hidden="hidden">
<strong id="flash-release-status"></strong>
<br/>
<!-- These appear as part of the status, one at a time -->
<progress id="flash-release-progress" hidden="hidden" max="1" value="0"></progress>
<button id="flash-reconnect-button" hidden="hidden"><strong>Reconnect device</strong></button>
</p>
</section>
<section id="locking-the-bootloader">
<h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
<p>Locking the bootloader is important as it enables full verified boot. It also
prevents using fastboot to flash, format or erase partitions. Verified boot will
detect modifications to any of the OS partitions and it will prevent reading any
modified / corrupted data. If changes are detected, error correction data is used
to attempt to obtain the original data at which point it's verified again which
makes verified boot robust to non-malicious corruption.</p>
<p>In the bootloader interface, set it to locked:</p>
<button id="lock-bootloader-button" disabled="">Lock bootloader</button>
<p>The command needs to be confirmed on the device and will wipe all data. Use one
of the volume buttons to switch the selection to accepting it and the power button
to confirm.</p>
<p><strong id="lock-bootloader-status"></strong></p>
</section>
<section id="post-installation">
<h2><a href="#post-installation">Post-installation</a></h2>
<section id="booting">
<h3><a href="#booting">Booting</a></h3>
<p>You've now successfully installed GrapheneOS and can boot it. Pressing the
power button with the default Start option selected in the bootloader
interface will boot the OS.</p>
</section>
<section id="disabling-oem-unlocking">
<h3><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></h3>
<p>During first setup, the final screen will contain a toggle regarding OEM
unlocking which is checked by default. This will disable OEM unlocking, which is
recommended.</p>
<p>If you need to enable or disable OEM unlocking in the future, it can be done
in the developer settings menu within the operating system.</p>
</section>
<section id="verifying-installation">
<h3><a href="#verifying-installation">Verifying installation</a></h3>
<p>The verified boot and attestation features provided by the supported
devices can be used to verify that the hardware, firmware and GrapheneOS
installation are genuine. Even if the computer you used to flash GrapheneOS
was compromised and an attacker replaced GrapheneOS with their own malicious
OS, it can be detected with these features.</p>
<p>Verified boot verifies the entirety of the firmware and OS images on every
boot. The public key for the firmware images is burned into fuses in the SoC at
the factory. Firmware security updates also update the rollback index burned
into fuses to provide rollback protection.</p>
<p>The final firmware boot stage before the OS is responsible for verifying
it. For the stock OS, it uses a hard-wired public key. Installing GrapheneOS
flashes the GrapheneOS verified boot public key to the secure element. Each
boot, this key is loaded and used to verify the OS. For both the stock OS and
GrapheneOS, a rollback index based on the security patch level is loaded from
the secure element to provide rollback protection.</p>
<section id="verified-boot-key-hash">
<h3><a href="#verified-boot-key-hash">Verified boot key hash</a></h3>
<p>When loading an alternate OS, the device shows a yellow notice on boot
with the ID of the alternate OS based on the sha256 of the verified boot
public key. 4th and 5th generation Pixels only show the first 32 bits of
the hash so you can't use this approach. 6th generation Pixels onwards
show the full hash and you can compare it against the official GrapheneOS
verified boot key hashes below:</p>
<ul>
<li>Pixel 9a: <code>0508de44ee00bfb49ece32c418af1896391abde0f05b64f41bc9a2dfb589445b</code></li>
<li>Pixel 9 Pro Fold: <code>af4d2c6e62be0fec54f0271b9776ff061dd8392d9f51cf6ab1551d346679e24c</code></li>
<li>Pixel 9 Pro XL: <code>55d3c2323db91bb91f20d38d015e85112d038f6b6b5738fe352c1a80dba57023</code></li>
<li>Pixel 9 Pro: <code>f729cab861da1b83fdfab402fc9480758f2ae78ee0b61c1f2137dd1ab7076e86</code></li>
<li>Pixel 9: <code>9e6a8f3e0d761a780179f93acd5721ba1ab7c8c537c7761073c0a754b0e932de</code></li>
<li>Pixel 8a: <code>096b8bd6d44527a24ac1564b308839f67e78202185cbff9cfdcb10e63250bc5e</code></li>
<li>Pixel 8 Pro: <code>896db2d09d84e1d6bb747002b8a114950b946e5825772a9d48ba7eb01d118c1c</code></li>
<li>Pixel 8: <code>cd7479653aa88208f9f03034810ef9b7b0af8a9d41e2000e458ac403a2acb233</code></li>
<li>Pixel Fold: <code>ee0c9dfef6f55a878538b0dbf7e78e3bc3f1a13c8c44839b095fe26dd5fe2842</code></li>
<li>Pixel Tablet: <code>94df136e6c6aa08dc26580af46f36419b5f9baf46039db076f5295b91aaff230</code></li>
<li>Pixel 7a: <code>508d75dea10c5cbc3e7632260fc0b59f6055a8a49dd84e693b6d8899edbb01e4</code></li>
<li>Pixel 7 Pro: <code>bc1c0dd95664604382bb888412026422742eb333071ea0b2d19036217d49182f</code></li>
<li>Pixel 7: <code>3efe5392be3ac38afb894d13de639e521675e62571a8a9b3ef9fc8c44fd17fa1</code></li>
<li>Pixel 6a: <code>08c860350a9600692d10c8512f7b8e80707757468e8fbfeea2a870c0a83d6031</code></li>
<li>Pixel 6 Pro: <code>439b76524d94c40652ce1bf0d8243773c634d2f99ba3160d8d02aa5e29ff925c</code></li>
<li>Pixel 6: <code>f0a890375d1405e62ebfd87e8d3f475f948ef031bbf9ddd516d5f600a23677e8</code></li>
</ul>
<p>Checking this is useful after installation, but you don't need to check
it manually for verified boot to work. The verified boot public key
flashed to the secure element can only be changed when the device is
unlocked. Unlocking the device performs the same wiping of the secure
element as a factory reset and prevents data from being recovered even if
the SSD was cloned and your passphrase(s) are obtained because the
encryption keys can no longer be derived anymore. The verified boot key is
also one of the inputs for deriving the encryption keys in addition to the
user's lock method(s) and random token(s) on the secure element.</p>
</section>
<section id="hardware-based-attestation">
<h3><a href="#hardware-based-attestation">Hardware-based attestation</a></h3>
<p>GrapheneOS provides our Auditor app for using a combination of the
verified boot and attestation features to verify that the hardware,
firmware and operating system are genuine along with providing other
useful data from the hardware and operating system.</p>
<p>Since the purpose of Auditor is to obtain information about the device
without trusting it to be honest, results aren't shown on the device being
verified. You need a 2nd Android device running Auditor for local QR code
based verification. You can also use our optional device integrity
monitoring service for automatic scheduled verifications with support for
email alerts.</p>
<p>See the <a href="https://attestation.app/tutorial">Auditor tutorial</a>
for a guide.</p>
<p>Auditor is primarily based on a pairing model where it generates a
hardware backed signing key and hardware backed attestation signing key
and pins them as part of the initial verification. The first verification
is bootstrapped based on chaining trust to one of the Android attestation
roots. After the first verification, it provides a highly secure system
for obtaining information about the device going forward. An attacker
could bypass the initial verification with a leaked attestation key or by
proxying to another device with the device model, OS and patch level that
the user is expecting. Proxying to another device will be addressed in the
future with optional support for the hardware serial number attestation
feature.</p>
</section>
</section>
<section id="further-information">
<h3><a href="#further-information">Further information</a></h3>
<p>Please look through the <a href="/usage">usage guide</a> and
<a href="/faq">FAQ</a> for more information. If you have further questions not
covered by the site, join the <a href="/contact#community">official GrapheneOS
chat channels</a> and ask the questions in the appropriate channel.</p>
</section>
<section id="replacing-grapheneos-with-the-stock-os">
<h3><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></h3>
<p>Installation of the stock OS via the stock factory images is similar to the
process described above but with
<a href="https://flash.android.com/back-to-public">Google's web flashing
tool</a>. However, before flashing and locking, there's an additional step to
fully revert the device to a clean factory state.</p>
<p>The GrapheneOS factory images flash a non-stock Android Verified Boot key which
needs to be erased to fully revert back to a stock device state. Before flashing the
stock factory images, you should boot the device into fastboot mode and make sure the
bootloader is unlocked. Then erase the custom Android Verified Boot key to untrust it:</p>
<button id="remove-custom-key-button" disabled="">Remove non-stock key</button>
<p><strong id="remove-custom-key-status"></strong></p>
</section>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

2
static/js/fastboot/ffe7e270/fastboot.min.mjs
View File

File diff suppressed because one or more lines are too long

1
static/js/fastboot/ffe7e270/fastboot.min.mjs.map
View File

File diff suppressed because one or more lines are too long

2
static/js/fastboot/ffe7e270/vendor/pako_inflate.min.js vendored
View File

File diff suppressed because one or more lines are too long

1
static/js/fastboot/ffe7e270/vendor/z-worker-pako.js vendored
View File

File diff suppressed because one or more lines are too long

106
static/js/redirect.js
View File

@ -1,106 +0,0 @@
// @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT
// Client-side redirects for fragments (anchors)
//
// It should be possible to do this with either HTML or server-side redirects, but it was never
// implemented or standardized. For reference:
//
// https://www.w3.org/People/Bos/redirect
// https://www.w3.org/Protocols/HTTP/Fragment/draft-bos-http-redirect-00.txt
const redirects = new Map([
// removed main page sections
["/#copyright-and-licensing", "/faq#copyright-and-licensing"],
["/#history", "/history"],
["/#roadmap", "/faq#roadmap"],
["/#upstream", "/faq#upstream"],
["/usage#default-connections", "/faq#default-connections"],
["/usage#sandboxed-google-play-esim", "/usage#esim-support"],
["/usage#sandboxed-play-services", "/usage#sandboxed-google-play"],
["/usage#sandboxed-play-services-installation", "/usage#sandboxed-google-play-installation"],
["/usage#sandboxed-play-services-limitations", "/usage#sandboxed-google-play-limitations"],
["/usage#google-camera", "/usage#pixel-camera"],
["/usage#usb-peripherals", "/usage#usb-c-port-and-pogo-pins-control"],
["/faq#dns", "/faq#custom-dns"],
["/faq#when-devices", "/faq#future-devices"],
["/features#usb-c-port-control", "/features#usb-c-port-and-pogo-pins-control"],
["/features#Two-factor-fingerprint-unlock", "/features#two-factor-fingerprint-unlock"],
["/hiring#qualitifations", "/hiring#qualifications"],
["/install/cli#fastboot-as-non-root", "/install/cli#flashing-as-non-root"],
["/install/cli#obtaining-signify", "/install/cli#obtaining-openssh"],
["/install/web#fastboot-as-non-root", "/install/web#flashing-as-non-root"],
["/install/cli#working-around-fwupd-bug-on-linux-distributions", "/install/cli#working-around-fwupd-bugs-on-linux-distributions"],
["/install/web#working-around-fwupd-bug-on-linux-distributions", "/install/web#working-around-fwupd-bugs-on-linux-distributions"],
["/build#enabling-updatable-apex-components", "/build#apex-components"],
["/build#kernel-6th-generation-pixels", "/build#kernel-6th-through-9th-generation-pixels"],
["/build#kernel-7th-generation-pixels", "/build#kernel-6th-through-9th-generation-pixels"],
["/build#kernel-6th-and-7th-generation-pixels", "/build#kernel-6th-through-9th-generation-pixels"],
["/build#kernel-8th-generation-pixels", "/build#kernel-6th-through-9th-generation-pixels"],
["/build#kernel-9th-generation-pixels", "/build#kernel-6th-through-9th-generation-pixels"],
// legacy devices
["/releases#marlin-stable", "/faq#legacy-devices"],
["/releases#marlin-beta", "/faq#legacy-devices"],
["/releases#sailfish-stable", "/faq#legacy-devices"],
["/releases#sailfish-beta", "/faq#legacy-devices"],
["/releases#taimen-stable", "/faq#legacy-devices"],
["/releases#taimen-beta", "/faq#legacy-devices"],
["/releases#walleye-stable", "/faq#legacy-devices"],
["/releases#walleye-beta", "/faq#legacy-devices"],
["/releases#bonito-stable", "/faq#legacy-devices"],
["/releases#bonito-beta", "/faq#legacy-devices"],
["/releases#sargo-stable", "/faq#legacy-devices"],
["/releases#sargo-beta", "/faq#legacy-devices"],
["/releases#crosshatch-stable", "/faq#legacy-devices"],
["/releases#crosshatch-beta", "/faq#legacy-devices"],
["/releases#blueline-stable", "/faq#legacy-devices"],
["/releases#blueline-beta", "/faq#legacy-devices"],
// legacy servers
["/articles/grapheneos-servers#apps.grapheneos.org", "/articles/grapheneos-servers#releases.grapheneos.org"],
["/articles/grapheneos-servers#time.grapheneos.org", "/articles/grapheneos-servers#grapheneos.network"],
// preserve links to CLI install guide from when it was /install
["/install/#prerequisites", "/install/cli#prerequisites"],
["/install/#enabling-oem-unlocking", "/install/cli#enabling-oem-unlocking"],
["/install/#opening-terminal", "/install/cli#opening-terminal"],
["/install/#obtaining-fastboot", "/install/cli#obtaining-fastboot"],
["/install/#standalone-platform-tools", "/install/cli#standalone-platform-tools"],
["/install/#checking-fastboot-version", "/install/cli#checking-fastboot-version"],
["/install/#fastboot-as-non-root", "/install/cli#flashing-as-non-root"],
["/install/#connecting-phone", "/install/cli#connecting-phone"],
["/install/#unlocking-the-bootloader", "/install/cli#unlocking-the-bootloader"],
["/install/#obtaining-signify", "/install/cli#obtaining-openssh"],
["/install/#obtaining-factory-images", "/install/cli#obtaining-factory-images"],
["/install/#flashing-factory-images", "/install/cli#flashing-factory-images"],
["/install/#troubleshooting", "/install/cli#troubleshooting"],
["/install/#locking-the-bootloader", "/install/cli#locking-the-bootloader"],
["/install/#post-installation", "/install/cli#post-installation"],
["/install/#booting", "/install/cli#booting"],
["/install/#disabling-oem-unlocking", "/install/cli#disabling-oem-unlocking"],
["/install/#replacing-grapheneos-with-the-stock-os", "/install/cli#replacing-grapheneos-with-the-stock-os"],
["/install/#further-information", "/install/cli#further-information"],
["/install/web#connecting-phone", "/install/web#connecting-device"],
["/install/cli#connecting-phone", "/install/cli#connecting-device"],
]);
function handleHash() {
if (window.location.hash) {
const redirect = redirects.get(window.location.pathname + window.location.hash);
if (redirect) {
window.location.replace(redirect);
}
}
}
handleHash();
addEventListener("hashchange", handleHash, false);
// @license-end

49
static/js/releases.js
View File

@ -1,49 +0,0 @@
// @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT
const baseUrl = "https://releases.grapheneos.org/";
const devices = ["comet", "komodo", "caiman", "tokay", "akita", "husky", "shiba", "felix", "tangorpro", "lynx", "cheetah", "panther", "bluejay", "raven", "oriole", "barbet", "redfin", "bramble", "sunfish", "coral", "flame"];
const legacyFactoryDevices = new Set(["sunfish", "coral", "flame"]);
const channels = ["stable", "beta", "alpha"];
const delayMs = 1000 * 60 * 5;
async function updateReleases() {
const requests = [];
for (const channel of channels) {
for (const device of devices) {
requests.push(fetch(`${baseUrl}${device}-${channel}`).then(response => {
if (!response.ok) {
return Promise.reject();
}
return response.text();
}).then(text => {
const metadata = text.trim().split(" ");
const factoryFormat = legacyFactoryDevices.has(device) ? "factory" : "install";
const factoryFilename = `${device}-${factoryFormat}-${metadata[0]}.zip`;
const factoryUrl = baseUrl + factoryFilename;
const updateFilename = `${device}-ota_update-${metadata[0]}.zip`;
const updateUrl = baseUrl + updateFilename;
const release = document.getElementById(`${device}-${channel}`);
const links = release.querySelectorAll("a, span");
links[0].textContent = metadata[0];
if (links[0].nodeName == "A") {
links[0].setAttribute("href", "#" + metadata[0]);
}
links[1].setAttribute("href", factoryUrl);
links[2].setAttribute("href", factoryUrl + ".sig");
links[3].setAttribute("href", updateUrl);
}));
}
}
await Promise.allSettled(requests);
setTimeout(updateReleases, delayMs);
}
setTimeout(updateReleases, delayMs);
// @license-end

475
static/js/web-install.js
View File

@ -1,475 +0,0 @@
// @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT
import * as fastboot from "./fastboot/ffe7e270/fastboot.min.mjs";
const RELEASES_URL = "https://releases.grapheneos.org";
const CACHE_DB_NAME = "BlobStore";
const CACHE_DB_VERSION = 1;
const Buttons = {
UNLOCK_BOOTLOADER: "unlock-bootloader",
DOWNLOAD_RELEASE: "download-release",
FLASH_RELEASE: "flash-release",
LOCK_BOOTLOADER: "lock-bootloader",
REMOVE_CUSTOM_KEY: "remove-custom-key"
};
const InstallerState = {
DOWNLOADING_RELEASE: 0x1,
INSTALLING_RELEASE: 0x2
};
let wakeLock = null;
const requestWakeLock = async () => {
try {
wakeLock = await navigator.wakeLock.request("screen");
console.log("Wake lock has been set");
wakeLock.addEventListener("release", async () => {
console.log("Wake lock has been released");
});
} catch (err) {
// if wake lock request fails - usually system related, such as battery
throw new Error(`${err.name}, ${err.message}`);
}
};
const releaseWakeLock = async () => {
if (wakeLock !== null) {
wakeLock.release().then(() => {
wakeLock = null;
});
}
};
// reacquires the wake lock should the visibility of the document change and the wake lock is released
document.addEventListener("visibilitychange", async () => {
if (wakeLock !== null && document.visibilityState === "visible") {
await requestWakeLock();
}
});
// This wraps XHR because getting progress updates with fetch() is overly complicated.
function fetchBlobWithProgress(url, onProgress) {
let xhr = new XMLHttpRequest();
xhr.open("GET", url);
xhr.responseType = "blob";
xhr.send();
return new Promise((resolve, reject) => {
xhr.onload = () => {
resolve(xhr.response);
};
xhr.onprogress = (event) => {
onProgress(event.loaded / event.total);
};
xhr.onerror = () => {
reject(`${xhr.status} ${xhr.statusText}`);
};
});
}
function setButtonState({ id, enabled }) {
const button = document.getElementById(`${id}-button`);
button.disabled = !enabled;
return button;
}
class BlobStore {
constructor() {
this.db = null;
}
async _wrapReq(request, onUpgrade = null) {
return new Promise((resolve, reject) => {
request.onsuccess = () => {
resolve(request.result);
};
request.oncomplete = () => {
resolve(request.result);
};
request.onerror = (event) => {
reject(event);
};
if (onUpgrade !== null) {
request.onupgradeneeded = onUpgrade;
}
});
}
async init() {
if (this.db === null) {
this.db = await this._wrapReq(
indexedDB.open(CACHE_DB_NAME, CACHE_DB_VERSION),
(event) => {
let db = event.target.result;
db.createObjectStore("files", { keyPath: "name" });
/* no index needed for such a small database */
}
);
}
}
async saveFile(name, blob) {
await this._wrapReq(
this.db.transaction(["files"], "readwrite").objectStore("files").add({
name: name,
blob: blob,
})
);
}
async loadFile(name) {
try {
let obj = await this._wrapReq(
this.db.transaction("files").objectStore("files").get(name)
);
return obj.blob;
} catch {
return null;
}
}
async close() {
this.db.close();
}
async download(url, onProgress = () => {}) {
let filename = url.split("/").pop();
let blob = await this.loadFile(filename);
if (blob === null) {
console.log(`Downloading ${url}`);
let blob = await fetchBlobWithProgress(url, onProgress);
console.log("File downloaded, saving...");
await this.saveFile(filename, blob);
console.log("File saved");
} else {
console.log(
`Loaded ${filename} from blob store, skipping download`
);
}
return blob;
}
}
class ButtonController {
#map;
constructor() {
this.#map = new Map();
}
setEnabled(...ids) {
ids.forEach((id) => {
// Only enable button if it won't be disabled.
if (!this.#map.has(id)) {
this.#map.set(id, /* enabled = */ true);
}
});
}
setDisabled(...ids) {
ids.forEach((id) => this.#map.set(id, /* enabled = */ false));
}
applyState() {
this.#map.forEach((enabled, id) => {
setButtonState({ id, enabled });
});
this.#map.clear();
}
}
let installerState = 0;
let device = new fastboot.FastbootDevice();
let blobStore = new BlobStore();
let buttonController = new ButtonController();
async function ensureConnected(setProgress) {
if (!device.isConnected) {
setProgress("Connecting to device...");
await device.connect();
}
}
async function unlockBootloader(setProgress) {
await ensureConnected(setProgress);
// Trying to unlock when the bootloader is already unlocked results in a FAIL,
// so don't try to do it.
if (await device.getVariable("unlocked") === "yes") {
return "Bootloader is already unlocked.";
}
setProgress("Unlocking bootloader...");
try {
await device.runCommand("flashing unlock");
} catch (error) {
// FAIL = user rejected unlock
if (error instanceof fastboot.FastbootError && error.status === "FAIL") {
throw new Error("Bootloader was not unlocked, please try again!");
} else {
throw error;
}
}
return "Bootloader unlocking triggered successfully.";
}
const supportedDevices = ["tegu", "comet", "komodo", "caiman", "tokay", "akita", "husky", "shiba", "felix", "tangorpro", "lynx", "cheetah", "panther", "bluejay", "raven", "oriole", "barbet", "redfin", "bramble", "sunfish", "coral", "flame"];
const legacyQualcommDevices = ["sunfish", "coral", "flame"];
const day1SnapshotCancelDevices = ["tegu", "comet", "komodo", "caiman", "tokay", "akita", "husky", "shiba", "felix", "tangorpro", "lynx", "cheetah", "panther", "bluejay", "raven", "oriole", "barbet", "redfin", "bramble"];
function hasOptimizedFactoryImage(product) {
return !legacyQualcommDevices.includes(product);
}
async function getLatestRelease() {
let product = await device.getVariable("product");
if (!supportedDevices.includes(product)) {
throw new Error(`device model (${product}) is not supported by the GrapheneOS web installer`);
}
let metadataResp = await fetch(`${RELEASES_URL}/${product}-stable`);
let metadata = await metadataResp.text();
let releaseId = metadata.split(" ")[0];
return [`${product}-${hasOptimizedFactoryImage(product) ? "install" : "factory"}-${releaseId}.zip`, product];
}
async function downloadRelease(setProgress) {
await requestWakeLock();
await ensureConnected(setProgress);
setProgress("Finding latest release...");
let [latestZip,] = await getLatestRelease();
// Download and cache the zip as a blob
setInstallerState({ state: InstallerState.DOWNLOADING_RELEASE, active: true });
setProgress(`Downloading ${latestZip}...`);
await blobStore.init();
try {
await blobStore.download(`${RELEASES_URL}/${latestZip}`, (progress) => {
setProgress(`Downloading ${latestZip}...`, progress);
});
} finally {
setInstallerState({ state: InstallerState.DOWNLOADING_RELEASE, active: false });
await releaseWakeLock();
}
setProgress(`Downloaded ${latestZip} release.`, 1.0);
}
async function reconnectCallback() {
let statusField = document.getElementById("flash-release-status");
statusField.textContent =
"To continue flashing, reconnect the device by tapping here:";
let reconnectButton = document.getElementById("flash-reconnect-button");
let progressBar = document.getElementById("flash-release-progress");
// Hide progress bar while waiting for reconnection
progressBar.hidden = true;
reconnectButton.hidden = false;
reconnectButton.onclick = async () => {
await device.connect();
reconnectButton.hidden = true;
progressBar.hidden = false;
};
}
async function flashRelease(setProgress) {
await requestWakeLock();
await ensureConnected(setProgress);
// Need to do this again because the user may not have clicked download if
// it was cached
setProgress("Finding latest release...");
let [latestZip, product] = await getLatestRelease();
await blobStore.init();
let blob = await blobStore.loadFile(latestZip);
if (blob === null) {
throw new Error("You need to download a release first!");
}
setProgress("Cancelling any pending OTAs...");
// Cancel snapshot update if in progress on devices which support it on all bootloader versions
if (day1SnapshotCancelDevices.includes(product)) {
let snapshotStatus = await device.getVariable("snapshot-update-status");
if (snapshotStatus !== null && snapshotStatus !== "none") {
await device.runCommand("snapshot-update:cancel");
}
}
setProgress("Flashing release...");
setInstallerState({ state: InstallerState.INSTALLING_RELEASE, active: true });
try {
await device.flashFactoryZip(blob, true, reconnectCallback,
(action, item, progress) => {
let userAction = fastboot.USER_ACTION_MAP[action];
let userItem = item === "avb_custom_key" ? "verified boot key" : item;
setProgress(`${userAction} ${userItem}...`, progress);
}
);
if (legacyQualcommDevices.includes(product)) {
setProgress("Disabling UART...");
// See https://android.googlesource.com/platform/system/core/+/eclair-release/fastboot/fastboot.c#532
// for context as to why the trailing space is needed.
await device.runCommand("oem uart disable ");
setProgress("Erasing apdp...");
// Both slots are wiped as even apdp on an inactive slot will modify /proc/cmdline
await device.runCommand("erase:apdp_a");
await device.runCommand("erase:apdp_b");
setProgress("Erasing msadp...");
await device.runCommand("erase:msadp_a");
await device.runCommand("erase:msadp_b");
}
} finally {
setInstallerState({ state: InstallerState.INSTALLING_RELEASE, active: false });
await releaseWakeLock();
}
return `Flashed ${latestZip} to device.`;
}
async function eraseNonStockKey(setProgress) {
await ensureConnected(setProgress);
setProgress("Erasing key...");
try {
await device.runCommand("erase:avb_custom_key");
} catch (error) {
console.log(error);
throw error;
}
return "Key erased.";
}
async function lockBootloader(setProgress) {
await ensureConnected(setProgress);
setProgress("Locking bootloader...");
try {
await device.runCommand("flashing lock");
} catch (error) {
// FAIL = user rejected lock
if (error instanceof fastboot.FastbootError && error.status === "FAIL") {
throw new Error("Bootloader was not locked, please try again!");
} else {
throw error;
}
}
return "Bootloader locking triggered successfully.";
}
function addButtonHook(id, callback) {
let statusContainer = document.getElementById(`${id}-status-container`);
let statusField = document.getElementById(`${id}-status`);
let progressBar = document.getElementById(`${id}-progress`);
let statusCallback = (status, progress) => {
if (statusContainer !== null) {
statusContainer.hidden = false;
}
statusField.className = "";
statusField.textContent = status;
if (progress !== undefined) {
progressBar.hidden = false;
progressBar.value = progress;
}
};
let button = setButtonState({ id, enabled: true });
button.onclick = async () => {
try {
let finalStatus = await callback(statusCallback);
if (finalStatus !== undefined) {
statusCallback(finalStatus);
}
} catch (error) {
statusCallback(`Error: ${error.message}`);
statusField.className = "error-text";
await releaseWakeLock();
// Rethrow the error so it shows up in the console
throw error;
}
};
}
function setInstallerState({ state, active }) {
if (active) {
installerState |= state;
} else {
installerState &= ~state;
}
invalidateInstallerState();
}
function isInstallerStateActive(state) {
return (installerState & state) === state;
}
function invalidateInstallerState() {
if (isInstallerStateActive(InstallerState.DOWNLOADING_RELEASE)) {
buttonController.setDisabled(Buttons.DOWNLOAD_RELEASE);
} else {
buttonController.setEnabled(Buttons.DOWNLOAD_RELEASE);
}
let disableWhileInstalling = [
Buttons.DOWNLOAD_RELEASE,
Buttons.FLASH_RELEASE,
Buttons.LOCK_BOOTLOADER,
Buttons.REMOVE_CUSTOM_KEY,
];
if (isInstallerStateActive(InstallerState.INSTALLING_RELEASE)) {
buttonController.setDisabled(...disableWhileInstalling);
} else {
buttonController.setEnabled(...disableWhileInstalling);
}
buttonController.applyState();
}
function safeToLeave() {
return installerState === 0;
}
// This doesn't really hurt, and because this page is exclusively for web install,
// we can tolerate extra logging in the console in case something goes wrong.
fastboot.setDebugLevel(2);
fastboot.configureZip({
workerScripts: {
inflate: ["/js/fastboot/ffe7e270/vendor/z-worker-pako.js", "pako_inflate.min.js"],
},
});
if ("usb" in navigator) {
addButtonHook(Buttons.UNLOCK_BOOTLOADER, unlockBootloader);
addButtonHook(Buttons.DOWNLOAD_RELEASE, downloadRelease);
addButtonHook(Buttons.FLASH_RELEASE, flashRelease);
addButtonHook(Buttons.LOCK_BOOTLOADER, lockBootloader);
addButtonHook(Buttons.REMOVE_CUSTOM_KEY, eraseNonStockKey);
} else {
console.log("WebUSB unavailable");
}
// This will create an alert box to stop the user from leaving the page during actions
window.addEventListener("beforeunload", event => {
if (!safeToLeave()) {
console.log("User tried to leave the page whilst unsafe to leave!");
event.returnValue = "";
}
});
// @license-end

3
static/package.html
View File

@ -3,7 +3,7 @@
<head>
<meta charset="utf-8"/>
<title>Package | Hakurei</title>
<meta name="description" content="Overview of the planterette package manager and its interactions with Hakurei.."/>
<meta name="description" content="Overview of the planterette package manager and its interactions with Hakurei."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
@ -26,7 +26,6 @@
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://port.mk/@hakurei"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="package" %}

42
static/pdfviewer-privacy-policy.html
View File

@ -1,42 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>PDF Viewer privacy policy | GrapheneOS</title>
<meta name="description" content="Privacy policy for the GrapheneOS PDF Viewer app."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="PDF Viewer privacy policy"/>
<meta property="og:description" content="Privacy policy for the GrapheneOS PDF Viewer app."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/pdfviewer-privacy-policy"/>
<link rel="canonical" href="https://grapheneos.org/pdfviewer-privacy-policy"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% include "header.html" %}
<main id="pdfviewer-privacy-policy">
<h1><a href="#pdfviewer-privacy-policy">PDF Viewer privacy policy</a></h1>
<p>This app does not use any sensitive permissions, makes no internet connections and
does not store any data other than preferences.</p>
<p>See the <a href="https://github.com/GrapheneOS/PdfViewer">project's page on GitHub</a> for more information.</p>
</main>
{% include "footer.html" %}
</body>
</html>

1
static/usage.html
View File

@ -28,7 +28,6 @@
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="usage" %}

2
templates/header.html
View File

@ -3,7 +3,7 @@
<ul>
<li {% if current_page == "/" %}aria-current="page"{% endif %}><a href="/"><img src="[[path|/mask-icon.svg]]" alt=""/>Hakurei</a></li>
<li {% if current_page == "package" %}aria-current="page"{% endif %}><a href="/package.html">Package</a></li>
<li {% if current_page == "install" %}aria-current="page"{% endif %}><a href="/install/">Install</a></li>
<li {% if current_page == "install" %}aria-current="page"{% endif %}><a href="/install.html">Install</a></li>
<li {% if current_page == "build" %}aria-current="page"{% endif %}><a href="/build.html">Build</a></li>
<li {% if current_page == "usage" %}aria-current="page"{% endif %}><a href="/usage.html">Usage</a></li>
<li {% if current_page == "faq" %}aria-current="page"{% endif %}><a href="/faq.html">FAQ</a></li>