Install
This is a guide on installing GrapheneOS for the officially supported devices. It can be followed for both the official releases and custom builds.
We strongly recommend following these official instructions. The official guide has a lot of collaborative effort put into covering all of the edge cases and is regularly tested by many people on each supported OS. Following these instructions to the letter without skipping, reordering or adding any steps will give you a proper GrapheneOS installation unless there's a hardware issue. We strongly recommend against following unofficial guides deviating in any way from the official instructions.
If you have trouble following this guide, ask for help on the official GrapheneOS chat channel. There are almost always people around willing to help with it. The official guide is the only supported installation method. Before asking for help, make an attempt to follow the guide on your own and then ask for help with anything you get stuck on.
Prerequisites
You should have at least 2GB of free memory available and 8GB of free storage space.
You need a USB cable for attaching the device to a laptop or desktop. Whenever possible, use the high quality standards compliant USB-C cable packaged with the device. If your computer doesn't have any USB-C ports, you'll need a high quality USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on a desktop computer case. Connect directly to a rear port on a desktop or the ports on a laptop. Many widely distributed USB cables and hubs are broken and are the most common source of issues for installing GrapheneOS.
Windows 10, macOS Big Sur, Arch Linux, Debian buster and Ubuntu 20.04 LTS are the officially supported operating systems for installing GrapheneOS. You should make sure your operating system is up-to-date before proceeding with these instructions. Older versions and other Linux distributions usually work, but if you encounter problems try using one of the officially supported options.
Installing from an OS in a virtual machine is not recommended. USB passthrough is often not reliable. To rule out these problems, install from an OS running on bare metal. Virtual machines are also often configured to have overly limited memory and storage space.
You need one of the officially supported devices. To make sure that the device can be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier variants of Pixels use the same stock OS and firmware with a non-zero carrier id flashed onto the persist partition in the factory. The carrier id activates carrier-specific configuration in the stock OS including disabling carrier and bootloader unlocking. The carrier may be able to remotely disable this, but their support staff may not be aware and they probably won't do it. Get a carrier agnostic device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id and the hardware is the same.
It's best practice to update the stock OS on the device to make sure it's running the latest firmware before proceeding with these instructions. This avoids running into bugs, missing features or other differences in older firmware versions. You can either update the device via over-the-air updates or sideload a full update, which for Pixel phones can be obtained from the full update package page.
Enabling OEM unlocking
OEM unlocking needs to be enabled from within the operating system.
Enable the developer options menu by going to Settings ➔ About phone and pressing on the build number menu entry until developer mode is enabled.
Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the 'Enable OEM unlocking' setting. This requires internet access on devices with Google Play services as part of Factory Reset Protection (FRP) for anti-theft protection.
Opening terminal
These instructions use command-line tools. Launch the terminal as you would any other application. On Windows, launch a regular non-administrator instance of the PowerShell terminal. Do not use the legacy Command Prompt or administrator variant of PowerShell.
Use the same terminal for the whole installation process. If you close it, you'll lose the setup of the environment for the installation.
On Windows, run the following command to remove PowerShell's legacy curl alias
for the current shell to avoid needing to reference it as curl.exe
instead of curl:
Remove-Item Alias:Curl
Obtaining fastboot
You need an updated copy of the fastboot tool and the
directory containing it needs to be included in the PATH
environment variable. You can run fastboot --version to determine
the current version. It must be at least 29.0.6. You can use a
distribution package for this, but most of them mistakenly package development
snapshots of fastboot, clobber the standard version scheme for platform-tools
(adb, fastboot, etc.) with their own scheme and don't keep it up-to-date
despite that being crucial.
On Arch Linux, install android-tools and skip the section below on
using the standalone release of platform-tools from Android:
sudo pacman -S android-tools
Debian and Ubuntu do not have a usable package for fastboot. Their packages for these tools are both broken and many years out-of-date. Follow the instructions below for platforms without a proper package.
Standalone platform-tools
If your operating system doesn't include a usable version of fastboot, you can use the official standalone releases of platform-tools. This is our recommendation for most users. The flashing process won't work unless you follow these instructions including setting up PATH.
To download, verify and extract the standalone platform-tools on Debian and Ubuntu:
sudo apt install bsdtar curl -O https://dl.google.com/android/repository/platform-tools_r30.0.5-linux.zip echo 'd6d72d006c03bd55d49b6cef9f00295db02f0a31da10e121427e1f4cb43e7cb9 platform-tools_r30.0.5-linux.zip' | sha256sum -c bsdtar xvf platform-tools_r30.0.5-linux.zip
To download, verify and extract the standalone platform-tools on macOS:
curl -O https://dl.google.com/android/repository/eabcd8b4b7ab518c6af9c941af8494072f17ec4b.platform-tools_r30.0.5-darwin.zip echo 'SHA256 (eabcd8b4b7ab518c6af9c941af8494072f17ec4b.platform-tools_r30.0.5-darwin.zip) = e5780bad71a53cf9d693e1053a0748f49e4a67cc1f71d16a94ab4c943af3345f' | shasum -c tar xvf eabcd8b4b7ab518c6af9c941af8494072f17ec4b.platform-tools_r30.0.5-darwin.zip
To download, verify and extract the standalone platform-tools on Windows:
curl -O https://dl.google.com/android/repository/platform-tools_r30.0.5-windows.zip (Get-FileHash platform-tools_r30.0.5-windows.zip).hash -eq "549ba2bdc31f335eb8a504f005f77606a479cc216d6b64a3e8b64c780003661f" tar xvf platform-tools_r30.0.5-windows.zip
Next, add the tools to your PATH in the current shell so they can be
used without referencing them by file path, enabling usage by the flashing script.
On Debian, Ubuntu and macOS:
export PATH="$PWD/platform-tools:$PATH"
On Windows:
$env:Path = "$pwd\platform-tools;$env:Path"
This only changes PATH for the current shell and will need
to be done again if you open a new terminal.
Checking fastboot version
Check the output of fastboot --version before continuing.
Example of the output after following the instructions above for the standalone platform-tools:
fastboot version 30.0.5-6877874 Installed as /home/username/platform-tools/fastboot
Fastboot as non-root
On Linux, in order for the fastboot command to connect to a device
as non-root, the appropriate udev rules need to be set up. This is not an issue on
either macOS or Windows.
On Arch Linux:
sudo pacman -S android-udev
On Debian and Ubuntu:
sudo apt install android-sdk-platform-tools-common
The udev rules on Debian and Ubuntu are very out-of-date but the package has the rules needed for Pixel phones since the same USB IDs have been used for many years.
Connecting the phone
Connect the phone to the computer. On Linux, you'll need to do this again if you didn't have the udev rules set up when you connected it.
Unlocking the bootloader
First, boot into the bootloader interface. You can do this by turning off the device and then turning it on by holding both the Volume Down and Power buttons.
Unlock the bootloader to allow flashing the OS and firmware:
fastboot flashing unlock
The command needs to be confirmed on the device and will wipe all data.
Obtaining signify
On the supported Linux distributions, the signify tool is used to verify the download of the OS beyond the security offered by HTTPS. You should skip this on macOS and Windows. It only makes sense to do this if you can obtain signify from the distribution package repositories. GrapheneOS releases are hosted on our servers and we do not have third party mirrors.
On Arch Linux:
sudo pacman -S signify
On Debian and Ubuntu:
sudo apt install signify-openbsd alias signify=signify-openbsd
On Debian-based distributions, the signify package and command are an
unmaintained mail-related
tool for generating mail signatures (not cryptographic signatures) with the final
releases from 2003-2004 made directly by the developer via the Debian package without
upstream releases. Make sure to install signify-openbsd.
Obtaining factory images
You need to obtain the GrapheneOS factory images for your device to proceed with the installation process.
You can either download the files with your browser or using a command like
curl. It's generally easier to use the command-line since you're already
using it for the rest of the installation process, so these instructions use
curl.
Download the factory images public key (factory.pub) in order to verify the factory images:
curl -O https://releases.grapheneos.org/factory.pub
This is the content of factory.pub:
untrusted comment: GrapheneOS factory images public key RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3
The public key has also been published via the official @GrapheneOS Twitter account, the /u/GrapheneOS Reddit account and is available on GitHub. When the current signing key is replaced, the new key will be signed with it.
Download the factory images for the device from the releases page. For example, to download the 2020.12.12.03 release for the Pixel 4a (sunfish):
curl -O https://releases.grapheneos.org/sunfish-factory-2020.12.12.03.zip curl -O https://releases.grapheneos.org/sunfish-factory-2020.12.12.03.zip.sig
Verify the factory images using the signature if you were able to obtain
signify from trusted package repositories (see above), otherwise
continue on to the next section without this:
signify -Cqp factory.pub -x sunfish-factory-2020.12.12.03.zip.sig && echo verified
This will output verified if verification is successful. If something
goes wrong, it will output an error message rather than verified.
Flashing factory images
The initial install will be performed by flashing the factory images. This will replace the existing OS installation and wipe all the existing data.
Next, extract the factory images.
On Linux:
bsdtar xvf sunfish-factory-2020.12.12.03.zip
On macOS and Windows:
tar xvf sunfish-factory-2020.12.12.03.zip
Move into the directory:
cd sunfish-factory-2020.12.12.03
Flash the images with the flash-all script in the directory.
On Linux and macOS:
./flash-all.sh
On Windows:
./flash-all.bat
Wait for the flashing process to complete and proceed to locking the bootloader before using the device as locking wipes the data again.
Troubleshooting
The text output from a failed attempt at flashing will contain valuable diagnostic information which is essential in knowing where and how the process went wrong. Please provide this information when asking for help on the GrapheneOS IRC / Matrix channel.
A common issue on Linux distributions is that they mount the default temporary file
directory /tmp as tmpfs which results in it being backed by memory and
swap rather than persistent storage. By default, the size is 50% of the available
virtual memory. This is often not enough for the flashing process, especially since
/tmp is shared between applications and users. To use a different
temporary directory if your /tmp doesn't have enough space available:
mkdir tmp && TMPDIR="$PWD/tmp" ./flash-all.sh
Locking the bootloader
Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it's verified again which makes verified boot robust to non-malicious corruption.
In the bootloader interface, set it to locked:
fastboot flashing lock
The command needs to be confirmed on the device and will wipe all data.
Post-installation
Booting
You've now successfully installed GrapheneOS and can boot it. Pressing the power button with the default Start option selected in the bootloader menu will boot the OS.
Disabling OEM unlocking
OEM unlocking can be disabled again in the developer settings menu within the operating system after booting it up again.
Verifying installation
Verified boot authenticates and validates the firmware images and OS from the hardware root of trust. Since GrapheneOS supports full verified boot, the OS images are entirely verified. However, it's possible that the computer you used to flash the OS was compromised, leading to flashing a malicious verified boot public key and images. To detect this kind of attack, you can use the Auditor app included in GrapheneOS in the Auditee mode and verify it with another Android device in the Auditor mode. The Auditor app works best once it's already paired with a device and has pinned a persistent hardware-backed key and the attestation certificate chain. However, it can still provide a bit of security for the initial verification via the attestation root. Ideally, you should also do this before connecting the device to the network, so an attacker can't proxy to another device (which stops being possible after the initial verification). Further protection against proxying the initial pairing will be provided in the future via optional support for ID attestation to include the serial number in the hardware verified information to allow checking against the one on the box / displayed in the bootloader. See the Auditor tutorial for a guide.
After the initial verification, which results in pairing, performing verification against between the same Auditor and Auditee (as long as the app data hasn't been cleared) will provide strong validation of the identity and integrity of the device. That makes it best to get the pairing done right after installation. You can also consider setting up the optional remote attestation service.
Replacing GrapheneOS with the stock OS
Installation of the stock OS via the stock factory images is the same process described above. However, before locking, there's an additional step to fully revert the device to a clean factory state.
The GrapheneOS factory images flash a non-stock Android Verified Boot key which needs to be erased to fully revert back to a stock device state. After flashing the stock factory images and before locking the bootloader, you should erase the custom Android Verified Boot key to untrust it:
fastboot erase avb_custom_key
Further information
Please look through the usage guide and FAQ for more information. If you have further questions not covered by the site, join the official GrapheneOS chat channels and ask the questions in the appropriate channel.