Releases
These releases are available as both tags in the source code repositories and official builds.
The factory images are used for the initial installation and can be verified with GPG. See the installation guide for details.
GrapheneOS uses automatic over-the-air updates, but full update packages are listed below for uncommon use cases like never connecting the device to the internet. A full update package can upgrade from any past version to the new version. The over-the-air updates use delta update packages when available. Those aren't currently linked below but may be in the future once they're being used more consistently. Update packages are not for performing the initial installation and you should ignore incorrect guides trying to use them to install the OS.
The update packages have a internal signature verified by the update client (or
recovery image when sideloading). Downgrade attacks are also prevented, and downgrades
cannot be done unless a special downgrade update package has been signed with the
release key. The internal payload for update_engine is also signed,
providing another layer of signature verification and downgrade protection. Verified
boot and the hardware-backed keystore also act as a final layer of protection.
Releases are tested by the developers and are then pushed out via the Beta channel. The release is then pushed out via the Stable channel after being tested by some users using the Beta channel. In some cases, problems are caught during Beta channel testing and a new release is made via the Beta channel to replace the aborted one. In general, it's not possible to downgrade unless a downgrade update package is generated, so use the Stable channel if you cannot tolerate dealing with temporary issues while a new release for the Beta channel is being created.
Stable channel
Pixel 3a XL (experimental)
Version: PQ3A.190605.003.2019.06.03.18
Pixel 3a (experimental)
Version: PQ3A.190605.003.2019.06.03.18
Pixel 3 XL
Version: PQ3A.190605.003.2019.06.03.18
Pixel 3
Version: PQ3A.190605.003.2019.06.03.18
Pixel 2 XL
Version: PQ3A.190605.003.2019.06.03.18
Pixel 2
Version: PQ3A.190605.003.2019.06.03.18
Pixel XL (legacy)
Version: PQ3A.190605.003.2019.06.03.18
Pixel (legacy)
Version: PQ3A.190605.003.2019.06.03.18
Beta channel
Pixel 3a XL (experimental)
Version: PQ3A.190605.003.2019.06.03.18
Pixel 3a (experimental)
Version: PQ3A.190605.003.2019.06.03.18
Pixel 3 XL
Version: PQ3A.190605.003.2019.06.03.18
Pixel 3
Version: PQ3A.190605.003.2019.06.03.18
Pixel 2 XL
Version: PQ3A.190605.003.2019.06.03.18
Pixel 2
Version: PQ3A.190605.003.2019.06.03.18
Pixel XL (legacy)
Version: PQ3A.190605.003.2019.06.03.18
Pixel (legacy)
Version: PQ3A.190605.003.2019.06.03.18
Changelog
List of tagged releases. Snapshot releases without tags such as early releases of the project and early device support releases are not listed.
2019.06.03.18
Tags:
- PQ3A.190605.003.2019.06.03.18 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)
Changes since the 2019.05.18.20 release:
- full 2019-06-01 security patch level
- full 2019-06-05 security patch level
- rebased onto PQ3A.190605.003 release
- Auditor: update to version 12
- hardened_malloc (GrapheneOS only): further expand workaround for Pixel 3 and Pixel 3 XL camera issues
Restoration of past features since the 2019.05.18.20 release:
- disable exec spawning when using debugging options
- enable exec spawning by default
- enable Verizon visual voicemail support
- kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): add toggle for disabling newly added USB devices
- add properties for controlling deny_new_usb
- implement dynamic deny_new_usb toggle mode
- set deny_new_usb feature to dynamic by default
- sepolicy: deny_new_usb sysctl and system property policy
2019.05.18.20
Tags:
- PQ3A.190505.001.2019.05.18.20 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)
- PQ3A.190505.002.2019.05.18.20 (Pixel 3, Pixel 3 XL, other devices)
Changes since the 2019.05.08.15 release:
- GrapheneOS logo mask
- Auditor: update to version 10
- add preload parameter for avoiding full preload with exec
- raise maximum users to 16
- Vanadium (browser and WebView): update Chromium base to 74.0.3729.157
- hardened_malloc (GrapheneOS only): apply temporary workaround for citadel HAL use-after-free (need to start building vendor HALs from the sources to fix issues like this)
Restoration of past features since the 2019.05.08.15 release:
- disable OpenGL preloading for exec spawning
- disable resource preloading for exec spawning
- disable ICU cache pinning for exec spawning
- disable class preloading for exec spawning
- disable WebView reservation for exec spawning
- disable JCA provider warm up for exec spawning
- avoid AssetManager errors with exec spawning
2019.05.08.15
Tags:
- PQ3A.190505.001.2019.05.08.15 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)
- PQ3A.190505.002.2019.05.08.15 (Pixel 3, Pixel 3 XL, other devices)
Changes since the 2019.05.07.00 release:
- fix cellular, hotspot and battery saver quick settings tiles (they became no-ops when unlocked)
2019.05.07.00
Tags:
- PQ3A.190505.001.2019.05.07.00 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)
- PQ3A.190505.002.2019.05.07.00 (Pixel 3, Pixel 3 XL, other devices)
Changes since the 2019.04.01.19 release:
- full 2019-05-01 security patch level
- full 2019-05-05 security patch level
- rebased onto PQ3A.190505.001/PQ3A.190505.002 releases
- add Pixel and Pixel XL support including standard changes to kernel and device code
- Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL: fix hw_random permissions
- bundle Auditor (version 9)
- Chromium (browser and WebView): update to 74.0.3729.136
- Chromium: enable strict site isolation by default
- Chromium: initial rebranding to Vanadium including icon recolor
- hardened_malloc: extensive work on refactoring, micro-optimization and documentation (see commits for details)
- hardened_malloc: implement mallinfo and mallinfo extensions for Android
- hardened_malloc: implement Android API for requesting purging
- hardened_malloc: implement the option of large size classes (enabled by default)
- hardened_malloc: support extended range of small size classes (enabled by default)
- hardened_malloc: support for slabs with 1 slot for largest sizes
- hardened_malloc: use round-robin assignment to arenas
- hardened_malloc: disable current in-place growth code path
- hardened_malloc: harden arena implementation
- hardened_malloc: fix non-init size for malloc_object_size extension
- hardened_malloc: shrink initial region table size to fit in 1 page
- hardened_malloc (GrapheneOS only): expand workaround for Pixel 3 and Pixel 3 XL camera issues
- Pixel 3, Pixel 3 XL: change SystemUIGoogle pinning to SystemUI
Restoration of past features since the 2019.04.01.19 release:
- use -fwrapv when signed overflow checking is off
- add exec-based spawning support (disabled by default for now)
- require unlocking to use battery saver quick tile
- require unlocking to use cellular quick tile
- require unlocking to use hotspot quick tile
- require unlocking to use data saver quick tile
- require unlocking to use rotation lock quick tile
- require unlocking to use wifi quick tile
- require unlocking to use airplane mode quick tile
- require unlocking to use bluetooth quick tile
- require unlocking to use nfc quick tile
- add support for kernels without module support enabled to the VTS and compatibility tests
- Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL kernels: disable slab merging
- Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL kernels: disable loadable kernel module support
- Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL kernels: mark qcedev data const
- Pixel 2, Pixel 2 XL: disable unused ramdisk compression formats
- SELinux policy: remove priv_app app_data_file execute
- SELinux policy: remove dumpstate ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
- SELinux policy: remove healthd ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
- SELinux policy: auditallow app execmem (moving back towards an exception system)
- SELinux policy: auditallow app ashmem execute (moving back towards an exception system)
- SELinux policy: auditallow ephemeral_app app_data_file execute (moving back towards an exception system)
- SELinux policy: auditallow untrusted_app_all execmod (moving back towards an exception system)
- SELinux policy: auditallow untrusted_app_all app_data_file execute (moving back towards an exception system)
- SELinux policy: auditallow untrusted_app_all app_data_file execute_no_trans (moving back towards an exception system)
2019.04.01.19
Tags:
- PQ2A.190405.003.2019.04.01.19 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)
Initial release of GrapheneOS. Detailed changelogs were not written at this point.
2019.03.05.03
Tags:
- PQ2A.190305.002.2019.03.05.03 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)
Final and only tagged release of the AndroidHardening project before it became GrapheneOS. Earlier AndroidHardening releases were only snapshots and are not listed here. Detailed changelogs were not written at this point.