Web install
This is the beginning of a WebUSB-based installer for GrapheneOS. Very little has been implemented and it doesn't do anything useful yet. You should ignore this page and use the official install guide.
Prerequisites
You should have at least 2GB of free memory available and 8GB of free storage space.
You need a USB cable for attaching the device to a laptop or desktop. Whenever possible, use the high-quality, standards-compliant USB-C cable packaged with the device. If your computer doesn't have any USB-C ports, you'll need a high-quality USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on a desktop computer case. Connect directly to a rear port on a desktop or the ports on a laptop. Many widely distributed USB cables and hubs are broken and are the most common source of issues for installing GrapheneOS.
Windows 10, macOS Big Sur, Arch Linux, Debian buster and Ubuntu 20.04 LTS are the officially supported operating systems for installing GrapheneOS. You should make sure your operating system is up-to-date before proceeding with these instructions. Older versions and other Linux distributions usually work, but if you encounter problems try using one of the officially supported options.
For this web-based installation process, the latest stable release of Chromium or Chrome is recommended.
Installing from an OS in a virtual machine is not recommended. USB passthrough is often not reliable. To rule out these problems, install from an OS running on bare metal. Virtual machines are also often configured to have overly limited memory and storage space.
You need one of the officially supported devices. To make sure that the device can be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier variants of Pixels use the same stock OS and firmware with a non-zero carrier id flashed onto the persist partition in the factory. The carrier id activates carrier-specific configuration in the stock OS including disabling carrier and bootloader unlocking. The carrier may be able to remotely disable this, but their support staff may not be aware and they probably won't do it. Get a carrier agnostic device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id and the hardware is the same.
It's best practice to update the stock OS on the device to make sure it's running the latest firmware before proceeding with these instructions. This avoids running into bugs, missing features or other differences in older firmware versions. You can either update the device via over-the-air updates or sideload a full update, which for Pixel phones can be obtained from the full update package page.
Enabling OEM unlocking
OEM unlocking needs to be enabled from within the operating system.
Enable the developer options menu by going to Settings ➔ About phone and pressing on the build number menu entry until developer mode is enabled.
Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the 'Enable OEM unlocking' setting. This requires internet access on devices with Google Play services as part of Factory Reset Protection (FRP) for anti-theft protection.
Connecting the phone
Connect the phone to the computer. On Linux, you'll need to do this again if you didn't have the udev rules set up when you connected it.
Unlocking the bootloader
First, boot into the bootloader interface. You can do this by turning off the device and then turning it on by holding both the Volume Down and Power buttons. Alternatively, use ADB to reboot to the bootloader with the button below:
Unlock the bootloader to allow flashing the OS and firmware:
The command needs to be confirmed on the device and will wipe all data. Use one of the volume keys to switch the selection to accepting it and the power button to confirm.
Obtaining factory images
You need to obtain the GrapheneOS factory images for your device to proceed with the installation process.
Press the button below to start the download:
Download not implemented yet.
Flashing factory images
The initial install will be performed by flashing the factory images. This will replace the existing OS installation and wipe all the existing data.
Needs to be implemented based on extracting and flashing images from the downloaded zip (or a split approach to downloading files).
Wait for the flashing process to complete and proceed to locking the bootloader before using the device as locking wipes the data again.
Locking the bootloader
Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified or corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data, at which point it's verified again. This makes verified boot robust to non-malicious corruption.
In the bootloader interface, set it to locked:
The command needs to be confirmed on the device and will wipe all data. Use one of the volume buttons to switch the selection to accepting it and the power button to confirm.
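The verified boot behaviour described in this section (detect a modified block, attempt error correction, verify the result again), as an added example that is not GrapheneOS or Android code. It is a simplified model: per-block SHA-256 hashes under one root hash and a single XOR parity block stand in for the real hash tree and error correction data, and all names and sample data are constructed.

```python
import hashlib
from functools import reduce

BLOCK = 16  # toy block size (assumption); real partitions use much larger blocks

def split(image: bytes) -> list[bytes]:
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_metadata(image: bytes):
    """Return (block hashes, root hash, parity block) for a trusted image."""
    blocks = split(image)
    hashes = [hashlib.sha256(b).digest() for b in blocks]
    root = hashlib.sha256(b"".join(hashes)).digest()  # the value that would be signed
    parity = reduce(xor, blocks)  # XOR parity: stand-in for real error correction
    return hashes, root, parity

def read_block(storage: bytes, index: int, hashes, root, parity) -> bytes:
    """Return block `index` only if it matches the trusted hash."""
    if hashlib.sha256(b"".join(hashes)).digest() != root:
        raise IOError("hash metadata does not match trusted root")
    blocks = split(storage)
    if hashlib.sha256(blocks[index]).digest() == hashes[index]:
        return blocks[index]
    # Mismatch: rebuild the block from the parity and the other blocks...
    others = [b for i, b in enumerate(blocks) if i != index]
    candidate = reduce(xor, others, parity)
    # ...then verify again. Error correction output is never trusted by itself.
    if hashlib.sha256(candidate).digest() == hashes[index]:
        return candidate
    raise IOError(f"block {index} failed verification and could not be recovered")

# Constructed sample data: a 4-block "partition" and its trusted metadata.
IMAGE = bytes(range(64))
HASHES, ROOT, PARITY = build_metadata(IMAGE)

def flip(data: bytes, offset: int) -> bytes:
    """Simulate corruption or tampering by inverting one byte."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]

def try_read(storage: bytes, index: int, parity: bytes = PARITY):
    """Return the verified block, or None when the read is refused."""
    try:
        return read_block(storage, index, HASHES, ROOT, parity)
    except IOError:
        return None
```

A single damaged block is recovered and returned, while damage that error correction cannot undo, or a block and parity modified together, results in a refused read because the hash check has the final say.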