CLI install guide

Prerequisites

You should have at least 2GB of free memory available and 8GB of free storage space.

You need a USB cable for attaching the device to a laptop or desktop. Whenever possible, use the high quality standards compliant USB-C cable packaged with the device. If your computer doesn't have any USB-C ports, you'll need a high quality USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on a desktop computer case. Connect directly to a rear port on a desktop or the ports on a laptop. Many widely distributed USB cables and hubs are broken and are the most common source of issues for installing GrapheneOS.

Installing from an OS in a virtual machine is not recommended. USB passthrough is often not reliable. To rule out these problems, install from an OS running on bare metal. Virtual machines are also often configured to have overly limited memory and storage space.

Officially supported operating systems for the CLI install method:

• Windows 10
• Windows 11
• macOS Big Sur
• macOS Monterey
• Arch Linux
• Debian 10 (buster)
• Debian 11 (bullseye)
• Ubuntu 20.04 LTS
• Ubuntu 20.10

Make sure your operating system is up-to-date before proceeding.

The web installer is more portable and can be used from Android, ChromeOS and GrapheneOS itself since it can run anywhere with a browser with working WebUSB support.

You need one of the officially supported devices. To make sure that the device can be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier variants of Pixels use the same stock OS and firmware with a non-zero carrier id flashed onto the persist partition in the factory. The carrier id activates carrier-specific configuration in the stock OS including disabling carrier and bootloader unlocking. The carrier may be able to remotely disable this, but their support staff may not be aware and they probably won't do it. Get a carrier agnostic device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id and the hardware is the same.

It's best practice to update the device before installing GrapheneOS to have the latest firmware for connecting the phone to the computer and performing the early flashing process. Either way, GrapheneOS flashes the latest firmware early in the installation process.

Enabling OEM unlocking

OEM unlocking needs to be enabled from within the operating system.

Enable the developer options menu by going to Settings ➔ About phone and repeatedly pressing the build number menu entry until developer mode is enabled.

Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the 'OEM unlocking' setting. This requires internet access on devices with Google Play services as part of Factory Reset Protection (FRP) for anti-theft protection.

Opening terminal

These instructions use command-line tools. Launch the terminal as you would any other application. On Windows, launch a regular non-administrator instance of the PowerShell terminal. Do not use the legacy Command Prompt or administrator variant of PowerShell.

Use the same terminal for the whole installation process. If you close it, you'll lose the setup of the environment for the installation.

On Windows, run the following command to remove PowerShell's legacy curl alias for the current shell to avoid needing to reference it as curl.exe instead of curl:

Remove-Item Alias:Curl

Obtaining fastboot

You need an updated copy of the fastboot tool and the directory containing it needs to be included in the PATH environment variable. You can run fastboot --version to determine the current version. It must be at least 29.0.6. You can use a distribution package for this, but most of them mistakenly package development snapshots of fastboot, clobber the standard version scheme for platform-tools (adb, fastboot, etc.) with their own scheme and don't keep it up-to-date despite that being crucial.

On Arch Linux, install android-tools and skip the section below on using the standalone release of platform-tools from Android:

sudo pacman -S android-tools

Debian and Ubuntu do not have a usable package for fastboot. Their packages for these tools are both broken and many years out-of-date. Follow the instructions below for platforms without a proper package.

sudo apt install libarchive-tools
curl -O https://dl.google.com/android/repository/platform-tools_r31.0.3-linux.zip
echo 'e6cb61b92b5669ed6fd9645fad836d8f888321cd3098b75588a54679c204b7dc  platform-tools_r31.0.3-linux.zip' | sha256sum -c
bsdtar xvf platform-tools_r31.0.3-linux.zip

curl -O https://dl.google.com/android/repository/e8b2b4cbe47c728c1e54c5f524440b52d4e1a33c.platform-tools_r31.0.3-darwin.zip
echo 'SHA256 (e8b2b4cbe47c728c1e54c5f524440b52d4e1a33c.platform-tools_r31.0.3-darwin.zip) = 773c08cfa31cec1bb4568ce5b374366e6310a5ffc21875024604a0f65bc831b1' | shasum -c
tar xvf e8b2b4cbe47c728c1e54c5f524440b52d4e1a33c.platform-tools_r31.0.3-darwin.zip

curl -O https://dl.google.com/android/repository/platform-tools_r31.0.3-windows.zip
(Get-FileHash platform-tools_r31.0.3-windows.zip).hash -eq "0f4b8fdd26af2c3733539d6eebb3c2ed499ea1d4bb1f4e0ecc2d6016961a6e24"
tar xvf platform-tools_r31.0.3-windows.zip

export PATH="$PWD/platform-tools:$PATH"

$env:Path = "$pwd\platform-tools;$env:Path"

Checking fastboot version

Check the output of fastboot --version before continuing.

Example of the output after following the instructions above for the standalone platform-tools:

fastboot version 31.0.3-7562133
Installed as /home/username/platform-tools/fastboot

Flashing as non-root

On traditional Linux distributions, USB devices cannot be used as non-root without udev rules for each type of device. This is not an issue for other platforms.

On Arch Linux:

sudo pacman -S android-udev

On Debian and Ubuntu:

sudo apt install android-sdk-platform-tools-common

The udev rules on Debian and Ubuntu are very out-of-date but the package has the rules needed for Pixel phones since the same USB IDs have been used for many years.

Booting into the bootloader interface

You need to boot your phone into the bootloader interface. To do this, you need to hold the volume down button while the phone boots.

The easiest approach is to reboot the phone and begin holding the volume down button until it boots up into the bootloader interface.

Alternatively, turn off the phone, then boot it up while holding the volume down button during the boot process. You can either boot it with the power button or by plugging it in as required in the next section.

Connecting the phone

Connect the phone to the computer. On Linux, you'll need to do this again if you didn't have the udev rules set up when you connected it.

On Windows, you may need to install a driver for fastboot now: In Windows Update, click Check for updates. After that there might be a link "View optional updates." Download and install any driver updates. If there are no optional updates, simply continue with the installation instructions.

Unlocking the bootloader

Unlock the bootloader to allow flashing the OS and firmware:

fastboot flashing unlock

The command needs to be confirmed on the device and will wipe all data. Use one of the volume buttons to switch the selection to accepting it and the power button to confirm.

Obtaining signify

On the supported Linux distributions, the signify tool is used to verify the download of the OS beyond the security offered by HTTPS. You should skip this on macOS and Windows. It only makes sense to do this if you can obtain signify from the distribution package repositories. GrapheneOS releases are hosted on our servers and we do not have third party mirrors.

On Arch Linux:

sudo pacman -S signify

On Debian and Ubuntu:

sudo apt install signify-openbsd
alias signify=signify-openbsd

On Debian-based distributions, the signify package and command are an unmaintained mail-related tool for generating mail signatures (not cryptographic signatures). Make sure to install signify-openbsd.

Obtaining factory images

You need to obtain the GrapheneOS factory images for your device to proceed with the installation process.

You can either download the files with your browser or using a command like curl. It's generally easier to use the command-line since you're already using it for the rest of the installation process, so these instructions use curl.

Download the factory images public key (factory.pub) in order to verify the factory images:

curl -O https://releases.grapheneos.org/factory.pub

This is the content of factory.pub:

untrusted comment: GrapheneOS factory images public key
RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3

The public key has also been published via the official @GrapheneOS Twitter account, the /u/GrapheneOS Reddit account and is available on GitHub. When the current signing key is replaced, the new key will be signed with it.

Download the factory images for the device from the releases page. For example, to download the 2021110122 release for a device with the codename DEVICE_NAME:

curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-2021110122.zip
curl -O https://releases.grapheneos.org/DEVICE_NAME-factory-2021110122.zip.sig

Verify the factory images using the signature if you were able to obtain signify from trusted package repositories (see above), otherwise continue on to the next section without this:

signify -Cqp factory.pub -x DEVICE_NAME-factory-2021110122.zip.sig && echo verified

This will output verified if verification is successful. If something goes wrong, it will output an error message rather than verified.

Flashing factory images

The initial install will be performed by flashing the factory images. This will replace the existing OS installation and wipe all the existing data.

Next, extract the factory images.

On Linux:

bsdtar xvf DEVICE_NAME-factory-2021110122.zip

On macOS and Windows:

tar xvf DEVICE_NAME-factory-2021110122.zip

Move into the directory:

cd DEVICE_NAME-factory-2021110122

Flash the images with the flash-all script in the directory.

On Linux and macOS:

./flash-all.sh

On Windows:

./flash-all.bat

Wait for the flashing process to complete. It will automatically handle flashing the firmware, rebooting into the bootloader interface, flashing the core OS, rebooting into the userspace fastboot mode, flashing the rest of the OS and finally rebooting back into the bootloader interface. Avoid interacting with the device until the flashing script is finished and the device is back at the bootloader interface. Then, proceed to locking the bootloader before using the device as locking wipes the data again.

mkdir tmp && TMPDIR="$PWD/tmp" ./flash-all.sh

Locking the bootloader

Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it's verified again which makes verified boot robust to non-malicious corruption.

In the bootloader interface, set it to locked:

fastboot flashing lock

The command needs to be confirmed on the device and will wipe all data. Use one of the volume buttons to switch the selection to accepting it and the power button to confirm.

Post-installation

fastboot erase avb_custom_key