
This isn't currently displayed in the Twitter cards despite it being in the official documentation for cards, but other crawlers are definitely using this metadata.
188 lines
12 KiB
HTML
188 lines
12 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" prefix="og: http://ogp.me/ns#">
|
|
<head>
|
|
<meta charset="utf-8"/>
|
|
<title>Install | GrapheneOS</title>
|
|
<meta name="description" content="Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
|
|
<meta name="theme-color" content="#212121"/>
|
|
<meta name="msapplication-TileColor" content="#ffffff"/>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1"/>
|
|
<meta name="twitter:site" content="@GrapheneOS"/>
|
|
<meta name="twitter:creator" content="@GrapheneOS"/>
|
|
<meta property="og:title" content="GrapheneOS install documentation"/>
|
|
<meta property="og:description" content="Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
|
|
<meta property="og:type" content="website"/>
|
|
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
|
|
<meta property="og:image:width" content="512"/>
|
|
<meta property="og:image:height" content="512"/>
|
|
<meta property="og:image:alt" content="GrapheneOS logo"/>
|
|
<meta property="og:url" content="https://grapheneos.org/install"/>
|
|
<meta property="og:site_name" content="GrapheneOS"/>
|
|
<link rel="icon" type="image/vnd.microsoft.icon" href="/favicon.ico?0"/>
|
|
<link rel="mask-icon" href="/safari_pinned_tab_icon.svg" color="#000000"/>
|
|
<link rel="stylesheet" href="/grapheneos.css?8"/>
|
|
<link rel="manifest" href="/manifest.webmanifest"/>
|
|
<link rel="canonical" href="https://grapheneos.org/install"/>
|
|
</head>
|
|
<body>
|
|
<nav>
|
|
<ul>
|
|
<li><a href="/">GrapheneOS</a></li>
|
|
<li class="active"><a href="/install">Install</a></li>
|
|
<li><a href="/build">Build</a></li>
|
|
<li><a href="/usage">Usage</a></li>
|
|
<li><a href="/releases">Releases</a></li>
|
|
<li><a href="/source">Source</a></li>
|
|
<li><a href="/donate">Donate</a></li>
|
|
<li><a href="/contact">Contact</a></li>
|
|
</ul>
|
|
</nav>
|
|
<div id="content">
|
|
<h1 id="install">Install</h1>
|
|
<h2 id="prerequisites">
|
|
Prerequisites
|
|
<a href="#prerequisites">¶</a>
|
|
</h2>
|
|
<p>You should have at least 2GB of free memory available.</p>
|
|
<p>You need the unlocked variant of one of the supported devices, not a locked carrier
|
|
specific variant.</p>
|
|
<p>It's best practice to update the stock OS on the device to make sure it's running
|
|
the latest firmware before proceeding with these instructions. This avoids running
|
|
into bugs in older firmware versions. It's known that the early Pixel 2 and Pixel 2 XL
|
|
bootloader versions have weird quirks with unlocking. There aren't known issues on
|
|
other devices, but this is still a good idea. You can either do this via over-the-air
|
|
updates or sideload a full update from their
|
|
<a href="https://developers.google.com/android/ota">full update package page</a>.</p>
|
|
<p>You need an updated copy of the <code>fastboot</code> tool and it needs to be
|
|
included in your <code>PATH</code> environment variable. You can run <code>fastboot
|
|
--version</code> to determine the current version. It should be at least
|
|
<code>28.0.0</code>. Don't proceed with the installation process until this is set up
|
|
properly in your current shell. A very common mistake is using an outdated copy of
|
|
<code>fastboot</code> from a Linux distribution package not receiving regular updates.
|
|
Make sure that the <code>fastboot</code> found earliest in your <code>PATH</code> is
|
|
the correct one if you have multiple copies on your system. You can run <code>which
|
|
fastboot</code> to determine where the tool being used is coming from. Older versions
|
|
do not have support for current devices. Very old versions of <code>fastboot</code>
|
|
from several years ago are still shipped by Linux distributions like Debian and lack
|
|
the compatibility detection of modern versions so they can soft brick devices.</p>
|
|
<h2 id="enabling-oem-unlocking">
|
|
Enabling OEM unlocking
|
|
<a href="#enabling-oem-unlocking">¶</a>
|
|
</h2>
|
|
<p>OEM unlocking needs to be enabled from within the operating system.</p>
|
|
<p>Enable the developer settings menu by going to Settings ➔ System ➔ About phone and
|
|
pressing on the build number menu entry until developer mode is enabled.</p>
|
|
<p>Next, go to Settings ➔ System ➔ Advanced ➔ Developer settings and toggle on the
|
|
'Enable OEM unlocking' setting. This requires internet access on devices with Google
|
|
Play Services.</p>
|
|
<h2 id="unlocking-the-bootloader">
|
|
Unlocking the bootloader
|
|
<a href="#unlocking-the-bootloader">¶</a>
|
|
</h2>
|
|
<p>First, boot into the bootloader interface. You can do this by turning off the
|
|
device and then turning it on by holding both the Volume Down and Power buttons.</p>
|
|
<p>The bootloader now needs to be unlocked to allow flashing new images:</p>
|
|
<pre>fastboot flashing unlock</pre>
|
|
<p>The command needs to be confirmed on the device.</p>
|
|
<h2 id="obtaining-factory-images">
|
|
Obtaining factory images
|
|
<a href="#obtaining-factory-images">¶</a>
|
|
</h2>
|
|
<p>The initial install will be performed by flashing the factory images. This will
|
|
replace the existing OS installation and wipe all the existing data.</p>
|
|
<p>You can download the factory images from <a href="/releases">the releases page</a>.</p>
|
|
<p>Verify the official factory images using the GPG signature:</p>
|
|
<pre>gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
|
|
gpg --verify blueline-factory-2019.04.01.19.zip.sig blueline-factory-2019.04.01.19.zip</pre>
|
|
<p>When this signing key is replaced, the new key will be signed with it.</p>
|
|
<h2 id="flashing-factory-images">
|
|
Flashing factory images
|
|
<a href="#flashing-factory-images">¶</a>
|
|
</h2>
|
|
<p>Reboot into the bootloader interface to begin the flashing procedure.</p>
|
|
<p>Next, extract the factory images and run the script to flash them. Note that the
|
|
<code>fastboot</code> command run by the flashing script requires a fair bit of free
|
|
space in a temporary directory, which defaults to <code>/tmp</code>:<p>
|
|
<pre>unzip blueline-factory-2019.04.01.19.zip
|
|
cd blueline-pq2a.190405.003
|
|
./flash-all.sh</pre>
|
|
<p>Use a different temporary directory if your <code>/tmp</code> doesn't have enough
|
|
space available:</p>
|
|
<pre>mkdir tmp
|
|
TMPDIR="$PWD/tmp" ./flash-all.sh</pre>
|
|
<p>Wait for the flashing process to complete and for the device to boot up using the
|
|
new operating system.</p>
|
|
<p>You should now proceed to locking the bootloader before using the device as locking
|
|
wipes the data again.</p>
|
|
<h2 id="locking-the-bootloader">
|
|
Locking the bootloader
|
|
<a href="#locking-the-bootloader">¶</a>
|
|
</h2>
|
|
<p>Locking the bootloader is important as it enables full verified boot. It also
|
|
prevents using fastboot to flash, format or erase partitions. Verified boot will
|
|
detect modifications to any of the OS partitions (vbmeta, boot/dtbo, product, system,
|
|
vendor) and it will prevent reading any modified / corrupted data. If changes are
|
|
detected, error correction data is used to attempt to obtain the original data at
|
|
which point it's verified again which makes verified boot robust to non-malicious
|
|
corruption.</p>
|
|
<p>Reboot into the bootloader interface and set it to locked:</p>
|
|
<pre>fastboot flashing lock</pre>
|
|
<p>The command needs to be confirmed on the device since it needs to perform a factory
|
|
reset.</p>
|
|
<p>Unlocking the bootloader again will perform a factory reset.</p>
|
|
<h2 id="disabling-oem-unlocking">
|
|
Disabling OEM unlocking
|
|
<a href="#disabling-oem-unlocking">¶</a>
|
|
</h2>
|
|
<p>OEM unlocking can be disabled again in the developer settings menu within the
|
|
operating system after booting it up again.</p>
|
|
<h2 id="verifying-installation">
|
|
Verifying installation
|
|
<a href="#verifying-installation">¶</a>
|
|
</h2>
|
|
<p>Verified boot authenticates and validates the firmware images and OS from the
|
|
hardware root of trust. Since GrapheneOS supports full verified boot, the OS images
|
|
are entirely verified. However, it's possible that the computer you used to flash the
|
|
OS was compromised, leading to flashing a malicious verified boot public key and
|
|
images. To detect this kind of attack, you can use the Auditor app included in
|
|
GrapheneOS in the Auditee mode and verify it with another Android device in the
|
|
Auditor mode. The Auditor app works best once it's already paired with a device and
|
|
has pinned a persistent hardware-backed key and the attestation certificate chain.
|
|
However, it can still provide a bit of security for the initial verification via the
|
|
attestation root. Ideally, you should also do this before connecting the device to the
|
|
network, so an attacker can't proxy to another device (which stops being possible
|
|
after the initial verification). Further protection against proxying the initial
|
|
pairing will be provided in the future via optional support for ID attestation to
|
|
include the serial number in the hardware verified information to allow checking
|
|
against the one on the box / displayed in the bootloader. See the
|
|
<a href="https://attestation.app/tutorial">Auditor tutorial</a> for a guide.</p>
|
|
<p>After the initial verification, which results in pairing, performing verification
|
|
against between the same Auditor and Auditee (as long as the app data hasn't been
|
|
cleared) will provide strong validation of the identity and integrity of the
|
|
device. That makes it best to get the pairing done right after installation. You can
|
|
also consider setting up the optional remote attestation service.</p>
|
|
<h2 id="replacing-grapheneos-with-the-stock-os">
|
|
Replacing GrapheneOS with the stock OS
|
|
<a href="#replacing-grapheneos-with-the-stock-os">¶</a>
|
|
</h2>
|
|
<p>Installation of the stock OS via the stock factory images is the same process
|
|
described above. However, before locking, there's an additional step to fully revert
|
|
the device to a clean factory state on modern devices with Android Verified Boot 2.0
|
|
(AVB) like the Pixel 2, Pixel 2 XL, Pixel 3 and Pixel 3 XL. It isn't necessary for
|
|
devices with legacy verified boot like the Pixel and Pixel XL.</p>
|
|
<p>The GrapheneOS factory images flash a non-stock Android Verified Boot key which
|
|
needs to be erased to fully revert back to a stock device state. After flashing the
|
|
stock factory images and before locking the bootloader, you should erase the custom
|
|
Android Verified Boot key to untrust it:</p>
|
|
<pre>fastboot erase avb_custom_key</pre>
|
|
</div>
|
|
<footer>
|
|
<a href="/"><img src="https://grapheneos.org/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>
|
|
<ul id="social">
|
|
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
|
|
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
|
|
</ul>
|
|
</footer>
|
|
</body>
|
|
</html>
|